|
 |
dac76a |
From bb039a92b4286c9090c0f40c82aefb967be2f5ba Mon Sep 17 00:00:00 2001
|
|
|
dac76a |
From: Vojtech Polasek <vpolasek@redhat.com>
|
|
|
dac76a |
Date: Thu, 14 May 2020 16:46:07 +0200
|
|
|
dac76a |
Subject: [PATCH] reorder groups because of permissions verification
|
|
|
dac76a |
|
|
|
dac76a |
---
|
|
|
dac76a |
ssg/build_yaml.py | 6 ++++++
|
|
|
dac76a |
1 file changed, 6 insertions(+)
|
|
|
dac76a |
|
|
|
dac76a |
diff --git a/ssg/build_yaml.py b/ssg/build_yaml.py
|
|
|
dac76a |
index e3e138283c..c9f3179c08 100644
|
|
|
dac76a |
--- a/ssg/build_yaml.py
|
|
|
dac76a |
+++ b/ssg/build_yaml.py
|
|
|
dac76a |
@@ -700,6 +700,11 @@ def to_xml_element(self):
|
|
|
dac76a |
# audit_rules_privileged_commands, othervise the rule
|
|
|
dac76a |
# does not catch newly installed screeen binary during remediation
|
|
|
dac76a |
# and report fail
|
|
|
dac76a |
+ # the software group should come before the
|
|
|
dac76a |
+ # bootloader-grub2 group because of conflict between
|
|
|
dac76a |
+ # rules rpm_verify_permissions and file_permissions_grub2_cfg
|
|
|
dac76a |
+ # specific rules concerning permissions should
|
|
|
dac76a |
+ # be applied after the general rpm_verify_permissions
|
|
|
dac76a |
# The FIPS group should come before Crypto - if we want to set a different (stricter) Crypto Policy than FIPS.
|
|
|
dac76a |
# the firewalld_activation must come before ruleset_modifications, othervise
|
|
|
dac76a |
# remediations for ruleset_modifications won't work
|
|
|
dac76a |
@@ -707,6 +712,7 @@ def to_xml_element(self):
|
|
|
dac76a |
# otherwise the remediation prints error although it is successful
|
|
|
dac76a |
priority_order = [
|
|
|
dac76a |
"accounts", "auditing",
|
|
|
dac76a |
+ "software", "bootloader-grub2",
|
|
|
dac76a |
"fips", "crypto",
|
|
|
dac76a |
"firewalld_activation", "ruleset_modifications",
|
|
|
dac76a |
"disabling_ipv6", "configuring_ipv6"
|