Add missing OCIL to PCI-DSS rules#14783
Three rules referenced by the PCI-DSS controls were missing OCIL (manual check) content, leaving them without questionnaire text in the generated benchmarks:
- audit_rules_session_events
- chronyd_or_ntpd_specify_multiple_servers
- disable_prelink
Add an ocil_clause and ocil block to each, mirroring the style of sibling rules (audit_rules_usergroup_modification, chronyd_or_ntpd_specify_remote_server). The OCIL describes how to manually verify each rule's expected state.
Verified the OCIL renders by building the data streams: session_events and chronyd_or_ntpd_specify_multiple_servers in ssg-rhel8-ds.xml, and disable_prelink in ssg-sle15-ds.xml.
Fixes: ComplianceAsCode#4913
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Hi @eran132. Thanks for your PR. I'm waiting for a ComplianceAsCode member to verify that this patch is reasonable to test. If it is, they should reply with Regular contributors should join the org to skip this step. Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here.
Details: Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.
Pull request overview
Note
Copilot was unable to run its full agentic suite in this review.
Adds OCIL (manual check) guidance to several security rules so auditors have clear, standardized verification steps.
Changes:
- Added `ocil_clause` and `ocil` sections to the disable prelinking rule.
- Added `ocil_clause` and `ocil` sections to the multiple NTP servers rule.
- Added `ocil_clause` and `ocil` sections to the audit session events rule.
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| linux_os/guide/system/software/integrity/disable_prelink/rule.yml | Adds OCIL text describing how to confirm prelinking is disabled (or package absent). |
| linux_os/guide/services/ntp/chronyd_or_ntpd_specify_multiple_servers/rule.yml | Adds OCIL text describing how to verify multiple NTP sources are configured. |
| linux_os/guide/auditing/auditd_configure_rules/audit_rules_session_events/rule.yml | Adds OCIL text describing how to verify audit rules covering session event files. |
| <pre>$ grep PRELINKING /etc/sysconfig/prelink</pre> | ||
| If prelinking is disabled, the output should contain the following line: | ||
| <pre>PRELINKING=no</pre> | ||
| Alternatively, if the <tt>prelink</tt> package is not installed, prelinking is | ||
| not enabled and the rule is also satisfied. |
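Review bot: the procedure opens with a grep of /etc/sysconfig/prelink, so on a host where the prelink package is absent that file will normally not exist and the grep fails before the reviewer reaches the "alternatively" clause; make the package check the first step (for example `rpm -q prelink`) and grep the file only when the package is installed, which also keeps the manual check aligned with the OVAL check's OR structure (package not installed OR PRELINKING=no).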
Good call — applied in f424103. The OCIL now checks rpm -q prelink first and only greps /etc/sysconfig/prelink when the package is installed, which mirrors the OVAL check's OR structure (package not installed OR PRELINKING=no).
| In the file, there should be multiple lines similar to the following: | ||
| <pre>server <i>ntpserver</i></pre> |
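Review bot: "multiple lines" leaves the pass criterion vague, while the automated check requires at least two `server` directives and does not count `pool` lines; state "at least two lines" explicitly and add that `pool` entries do not satisfy this rule, otherwise a reviewer who counts a single `server` plus a `pool` line could pass a host that still fails the scan.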
Thanks — I looked at the rule's OVAL before deciding. The check (shared/checks/oval/chronyd_specify_multiple_servers.xml) matches only server directives with the pattern ^([\s]*server[\s]+.+$){2,}$; it does not count pool lines. Keeping the OCIL to server keeps the manual check aligned with the automated check — if the OCIL told auditors to count pool entries, a system could pass the manual review while still failing the scan. This also matches the sibling rule chronyd_or_ntpd_specify_remote_server, whose OCIL references server only.
| <pre>auditctl -l | grep -E '(/var/run/utmp|/var/log/btmp|/var/log/wtmp)'</pre> | ||
| If the system is configured to watch for these events, lines should be returned for | ||
| each file specified (and with <tt>-p wa</tt> for each). |
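Review bot: `auditctl -l` lists only the rules currently loaded in the kernel, so a watch added interactively would pass this procedure yet not survive a reboot; add a second step that greps the same three paths in /etc/audit/rules.d/*.rules (or /etc/audit/audit.rules) so the manual check also covers the persistent configuration, and consider showing one expected line such as `-w /var/run/utmp -p wa -k session` so the reviewer knows what the `-p wa` confirmation looks like in the output.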
The returned auditctl -l lines include the permission flags inline (e.g. -w /var/run/utmp -p wa -k session), and the OCIL already directs the reviewer to confirm -p wa is present for each file, so the procedure does verify both the watched paths and the wa permissions. I kept the phrasing consistent with the established sibling rule audit_rules_usergroup_modification, whose OCIL uses the same auditctl -l | grep -E ... approach with an explicit perm=wa confirmation note.
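As an added example (not code from the PR or from the ComplianceAsCode project), the three manual procedures discussed in the replies above expressed as checks over constructed inputs: the `server`-only count of at least two, the "package absent OR PRELINKING=no" structure for prelink, and the per-file `-p wa` confirmation for the session-event watches. The function names and the sample configuration text are assumptions made for the example.

```python
import re
from typing import Dict, Optional

# Constructed sample inputs standing in for the files and command output
# that the OCIL text tells a reviewer to inspect (not taken from the PR).
CHRONY_CONF = ("pool 2.example.pool.ntp.org iburst\n"
               "server ntp1.example.com iburst\n"
               "server ntp2.example.com iburst\n")
PRELINK_CONF = "# constructed /etc/sysconfig/prelink\nPRELINKING=no\n"
AUDITCTL_L = ("-w /var/run/utmp -p wa -k session\n"
              "-w /var/log/btmp -p wa -k session\n"
              "-w /var/log/wtmp -p wa -k session\n")

# Per-line form of the OVAL idea quoted in the thread: only 'server' directives count.
SERVER_RE = re.compile(r"^\s*server\s+\S")

def ntp_multiple_servers(conf: str) -> bool:
    """Pass only with two or more 'server' lines; 'pool' lines are ignored, as in the OVAL check."""
    return sum(1 for line in conf.splitlines() if SERVER_RE.match(line)) >= 2

def prelink_disabled(package_installed: bool, prelink_conf: Optional[str]) -> bool:
    """OR structure of the rule: prelink package absent OR PRELINKING=no in its config file."""
    if not package_installed:
        return True   # nothing to prelink with; rule satisfied without reading the file
    if prelink_conf is None:
        return False  # package present but file missing: disabled state cannot be confirmed
    return any(re.match(r"^\s*PRELINKING\s*=\s*no\s*$", l) for l in prelink_conf.splitlines())

SESSION_FILES = ("/var/run/utmp", "/var/log/btmp", "/var/log/wtmp")

def audit_session_events(auditctl_output: str) -> Dict[str, bool]:
    """True per file only if a '-w <path>' watch exists whose -p flags include both w and a."""
    status = {path: False for path in SESSION_FILES}
    for line in auditctl_output.splitlines():
        toks = line.split()
        if "-w" not in toks or "-p" not in toks:
            continue
        w, p = toks.index("-w") + 1, toks.index("-p") + 1
        if w < len(toks) and p < len(toks) and toks[w] in status:
            if {"w", "a"} <= set(toks[p]):
                status[toks[w]] = True
    return status

if __name__ == "__main__":
    print("ntp     :", ntp_multiple_servers(CHRONY_CONF))      # True
    print("prelink :", prelink_disabled(True, PRELINK_CONF))   # True
    print("audit   :", audit_session_events(AUDITCTL_L))
```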
Address review feedback: check whether the prelink package is installed before grepping /etc/sysconfig/prelink. This matches the OVAL check's OR structure (package not installed OR PRELINKING=no) and avoids a missing /etc/sysconfig/prelink looking like a failure when prelink is absent. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Description:
Adds `ocil` and `ocil_clause` fields to three rules that were missing OCIL (manual check) content:
- audit_rules_session_events
- chronyd_or_ntpd_specify_multiple_servers
- disable_prelink
Each follows the style of a sibling rule (audit_rules_usergroup_modification for the audit watch, chronyd_or_ntpd_specify_remote_server for the NTP rule) and describes how to manually verify the rule's expected state.
Rationale:
These rules are pulled into the PCI-DSS profiles but had no OCIL, so the generated benchmarks contained no questionnaire text for a manual reviewer.
Fixes #4913 (Some rules in PCI-DSS profile are missing OCIL (RHEL8)).
Review Hints:
- OCIL-only change (`rule.yml` files); no checks or remediations are touched.
- `audit_rules_session_events` and `chronyd_or_ntpd_specify_multiple_servers` appear in `build/ssg-rhel8-ds.xml` (`./build_product rhel8 --datastream`).
- `disable_prelink` is not applicable to RHEL 8 (the `prelink` package isn't shipped there), so I verified it in `build/ssg-sle15-ds.xml` (`./build_product sle15 --datastream --rule-id disable_prelink`), where its OCIL text and `ocil_clause` render as expected.
🤖 Generated with Claude Code