usg-cisbenchmark: feature - disable specific rules

Bug #1864175 reported by Arif Ali
This bug affects 2 people
Affects: Ubuntu Security Certifications | Status: Fix Released | Importance: Wishlist | Assigned to: Richard Maciel Costa | Milestone: (none)

Bug Description

From customer,

It would be useful to disable a specific test, as a test may not be something that we would need tested as part of the security certification.

If they can document, why the test is not required, that is reasonable.

Revision history for this message
James Page (james-page) wrote :

+1 on this feature - having the ability to configure the harden tool to skip a particular set of hardening rules because a workload needs to configure the server in a way that means they cannot be applied would be useful - maybe an /etc/usg/ configuration file or dotdee directory of some sort?

This could be used by charms to disable specific rules to allow the tool to be re-run post deployment without impacting on functionality of the deployed workloads.

summary: - It would be useful to disable any specific rules
+ usg-cisharden: feature - disable specific rules
summary: - usg-cisharden: feature - disable specific rules
+ usg-benchmark: feature - disable specific rules
summary: - usg-benchmark: feature - disable specific rules
+ usg-cisbenchmark: feature - disable specific rules
Revision history for this message
Richard Maciel Costa (richardmaciel) wrote :

A possible workaround to this issue is to manually open the script module responsible for the rule to be executed and remove it from the list of rules which will be executed.

The aforementioned list can be found at the end of the module source code, attributed to one of the keys of the associative array "rulehash". The keys are named according to the profile selected, so if you selected lvl1_server profile, the key used is "lvl1_server". Note that, since some rules are common to all profiles, they can be set in the "common" variable, which will be used as a base ruleset for all the keys.

As an example, if the user wants to remove the rule 2.2.6 from execution, he/she can remove the string "2.2.6" from the list of rules set to the "common" variable in the ruleset-2.x module file.

Changed in ubuntu-security-certifications:
assignee: nobody → Richard Maciel Costa (richardmaciel)
importance: Undecided → Wishlist
status: New → Triaged
information type: Public → Public Security
information type: Public Security → Public
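The following is an added example of the workaround described in the comment above, not code from ubuntu-security-guides. The comment only says that the rule list lives at the end of the ruleset-2.x module in a `common` variable and the `rulehash` associative array, so the module fragment below is constructed to match that description and the real file layout may differ. The `remove_rule` helper is hypothetical; it removes exactly one whole rule id from the `common` list, so dropping 2.2.6 leaves ids such as 2.2.60 or 12.2.6 untouched, which a plain text search-and-replace would not guarantee.

```sh
#!/bin/sh
# Added example (not ubuntu-security-guides code): drop one rule id from the
# "common" list of a ruleset module before running the benchmark.
# The module fragment written by make_sample_module is CONSTRUCTED from the
# layout described in the bug comment; the real ruleset-2.x file may differ.
set -eu

# Hypothetical stand-in for the packaged ruleset-2.x module file.
MODULE=$(mktemp)

make_sample_module() {
  cat > "$MODULE" <<'EOF'
# constructed sample: base rule list shared by all profiles
common="2.2.5 2.2.6 2.2.60 12.2.6 2.2.7"
declare -A rulehash
rulehash[lvl1_server]="$common 5.1.1"
rulehash[lvl1_workstation]="$common 5.1.2"
EOF
}

# remove_rule RULE FILE: rewrite the common="..." line without RULE.
# Ids are compared as whole tokens, so removing 2.2.6 does not clip
# 2.2.60 or 12.2.6. Other lines (rulehash entries) are passed through.
remove_rule() {
  rule="$1"; file="$2"
  awk -v rule="$rule" '
    /^common="/ {
      sub(/^common="/, ""); sub(/"$/, "")
      n = split($0, ids, " "); out = ""
      for (i = 1; i <= n; i++)
        if (ids[i] != rule) out = out (out == "" ? "" : " ") ids[i]
      print "common=\"" out "\""
      next
    }
    { print }
  ' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# list_common FILE: print the ids currently in the common list.
list_common() {
  sed -n 's/^common="\(.*\)"$/\1/p' "$1"
}

# has_rule RULE FILE: succeed (0) if RULE is still in the common list.
has_rule() {
  for id in $(list_common "$2"); do
    [ "$id" = "$1" ] && return 0
  done
  return 1
}

# Stand-alone run: build the sample module, drop rule 2.2.6, show the result.
make_sample_module
remove_rule 2.2.6 "$MODULE"
cat "$MODULE"
```

Two caveats for anyone applying this to the real module: the edit touches a file shipped by the package, so a package upgrade may overwrite it and the edit has to be re-applied, and it only handles the `common` list; a rule that is listed only under a profile key such as `rulehash[lvl1_server]` needs the same treatment on that line. Keeping the written justification the reporter asks for next to the edited id makes the deviation auditable.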
Revision history for this message
Richard Maciel Costa (richardmaciel) wrote :

Version 18.04.10 of the ubuntu-security-guides now provides a way to execute only a subset of the rules.

Changed in ubuntu-security-certifications:
status: Triaged → Fix Released