Remove outdated waivers#626

Merged
matusmarhefka merged 8 commits into RHSecurityCompliance:main from jan-cerny:outdated_waivers_0.1.81 on May 21, 2026

Conversation

@jan-cerny (Contributor)

During the 0.1.81 release stabilization multiple outdated waivers were found. The waived tests no longer manifest.

For more details, please read commit messages of every commit.

jcerny@fedora:~/work/git/contest/scripts (main)$ ./find_invalid_waivers.py new_results.json.gz
2026-05-21 11:52:08 find_invalid_waivers.py:191: lib.waive.collect_waivers:150: using /home/jcerny/work/git/contest/conf/waivers for waiving
===============================================================
The following waivers are no longer valid, they either did not
match any test results or only matched the 'pass' test results:
===============================================================

/hardening/host-os/.+/chrony_set_nts
    rhel == 10.2 and arch == 's390x'

/static-checks/html-links/https://www.iso.org/contents/data/standard/05/45/54534.html
/static-checks/html-links/https://fossies.org/linux/Linux-PAM-docs/doc/sag/Linux-PAM_SAG.pdf
    "URL returned error: 403" in note

/static-checks/html-links/https://www.cyber.mil/stigs/downloads/.*
    "Connection reset by peer" in note

/hardening/host-os/.+/service_rngd_enabled
    rhel == 8

/scanning/disa-alignment/.+/configure_libreswan_crypto_policy
    rhel == 8

/scanning/hummingbird/.+/accounts_umask_etc_(bashrc|profile)
    True

/scanning/disa-alignment/.*/coredump_disable_.+
    True

/scanning/boot-errors/(e8|ism_o|ism_o_secret|ism_o_top_secret)/.*Failed to start Crash recovery kernel arming.*
/scanning/boot-errors/(e8|ism_o|ism_o_secret|ism_o_top_secret)/.*kdump.service.*
    True

/scanning/boot-errors/(cis|cis_workstation_l2|pci-dss|stig|hipaa)/auditd.*Email option is specified but /usr/lib/sendmail doesn't seem executable.*
    rhel == 10

/scanning/boot-errors/(cis|cis_workstation_l2|pci-dss)/auditd.*Email option is specified but /usr/lib/sendmail doesn't seem executable.*
    rhel == 9

/scanning/boot-errors/stig/chronyd.*(Could not connect|certificate verification|TLS handshake|no selectable sources|timed out).*
    True

/hardening/ansible/with-gui/stig_gui
/scanning/boot-errors/stig
/scanning/disa-alignment/ansible
/hardening/oscap/with-gui/stig_gui
/hardening/ansible/stig
/hardening/oscap/stig
    rhel == 9 and status == 'error'

/hardening/container/bootc-image-builder/stig/configure_crypto_policy
/hardening/container/anaconda-ostree/stig/configure_crypto_policy
/hardening/anaconda/stig/configure_crypto_policy
/hardening/anaconda/with-gui/stig_gui/configure_crypto_policy
    rhel == 9

/scanning/boot-errors/stig/systemd-tmpfiles: Failed to copy files to.*
    rhel == 9
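The check described above (a waiver is outdated when its pattern and condition match no test result at all, or match only results with status 'pass') can be reproduced in a few lines. The block below is an added example, not the contest repository's `find_invalid_waivers.py` or its `lib.waive` module; the waiver and result data are constructed for illustration, the `RhelVersion` stand-in and the `find_invalid_waivers` signature are assumptions, and the waiver conditions are evaluated with a restricted `eval` on the assumption that, as in the repository, they are reviewed source code rather than untrusted input. A stale waiver is worth removing because, if the failure ever reappears, the waiver would silently hide it again.

```python
import re

class RhelVersion:
    """Hypothetical stand-in for the 'rhel' object that waiver expressions compare against.
    'rhel == 9' matches any 9.x, 'rhel == 10.2' matches that exact major.minor.
    (Float minors like 9.10 would collapse to 9.1; the real tool has its own version type.)"""
    def __init__(self, major, minor):
        self.major, self.minor = major, minor
    def __eq__(self, other):
        if isinstance(other, int):
            return self.major == other
        if isinstance(other, float):
            maj, mnr = str(other).split(".")
            return (self.major, self.minor) == (int(maj), int(mnr))
        return NotImplemented

def evaluate(condition, result, rhel, arch):
    """Evaluate one waiver condition against one test result.
    Builtins are stripped; only the names a waiver may use are exposed."""
    namespace = {
        "rhel": rhel,
        "arch": arch,
        "status": result["status"],
        "note": result.get("note", ""),
    }
    return bool(eval(condition, {"__builtins__": {}}, namespace))

def find_invalid_waivers(waivers, results, rhel, arch):
    """Return the (pattern, condition) waivers that matched nothing or only 'pass' results."""
    invalid = []
    for pattern, condition in waivers:
        regex = re.compile(pattern)
        matched_statuses = [
            r["status"] for r in results
            if regex.fullmatch(r["name"]) and evaluate(condition, r, rhel, arch)
        ]
        if not matched_statuses or all(s == "pass" for s in matched_statuses):
            invalid.append((pattern, condition))
    return invalid

# Constructed sample waivers, shaped like the ones in the PR description.
SAMPLE_WAIVERS = [
    (r"/hardening/host-os/.+/chrony_set_nts", "rhel == 10.2 and arch == 's390x'"),
    (r"/static-checks/html-links/https://www.cyber.mil/stigs/downloads/.*",
     '"Connection reset by peer" in note'),
    (r"/hardening/host-os/.+/service_rngd_enabled", "rhel == 8"),
    (r"/static-checks/html-links/https://www.iso.org/.*", '"URL returned error: 403" in note'),
]

# Constructed sample results from a hypothetical RHEL 10.2 s390x run.
SAMPLE_RESULTS = [
    # waiver 0 matches this result, but it now passes -> waiver is stale
    {"name": "/hardening/host-os/oscap/chrony_set_nts", "status": "pass", "note": ""},
    # name matches waiver 1, but the note no longer satisfies the condition -> stale
    {"name": "/static-checks/html-links/https://www.cyber.mil/stigs/downloads/example.zip",
     "status": "fail", "note": "URL returned error: 403"},
    # nothing for waiver 2 at all -> stale
    # waiver 3 still matches a real failure -> keep it
    {"name": "/static-checks/html-links/https://www.iso.org/contents/data/standard/05/45/54534.html",
     "status": "fail", "note": "URL returned error: 403"},
]
SAMPLE_RHEL = RhelVersion(10, 2)
SAMPLE_ARCH = "s390x"

def demo():
    return find_invalid_waivers(SAMPLE_WAIVERS, SAMPLE_RESULTS, SAMPLE_RHEL, SAMPLE_ARCH)

if __name__ == "__main__":
    print("The following waivers are no longer valid:")
    for pattern, condition in demo():
        print(pattern)
        print("    " + condition)
```

Running the block prints the first three waivers as stale and keeps the iso.org one, mirroring the three reasons the PR lists: the test now passes, the note text changed, and the test no longer exists in the results.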

jan-cerny added 8 commits May 21, 2026 12:02

The issue with rule chrony_set_nts doesn't occur anymore because
this rule has been removed from RHEL 10 profiles by
ComplianceAsCode/content#14613

The rule configure_libreswan_crypto_policy has been aligned with DISA
by ComplianceAsCode/content#14477 and is no
longer reported by the DISA alignment tests.

Remove waivers for rule accounts_umask_etc_bashrc and
accounts_umask_etc_profile. These rules started passing
because hummingbird has changed the default umask value
in their images, see
https://gitlab.com/redhat/hummingbird/rpms/-/merge_requests/2016

The rules `coredump_disable_backtraces` and `coredump_disable_storage`
are misaligned with DISA's content, see
ComplianceAsCode/content#13676

However, the rules are never evaluated because they are marked as
conflicting with rule `sysctl_kernel_core_pattern`.
The `conflicts` statement has been added to the rules in
ComplianceAsCode/content@92a35be

Since these rules aren't evaluated, they aren't examined by the
`disa-alignment` test; therefore they don't show up in the test
results and the waiver is superfluous.

The linked issue ComplianceAsCode/content#14558
has been fixed upstream. The test didn't fail in the latest
stabilization run.

The linked issue ComplianceAsCode/content#14560
has been fixed upstream and the issue doesn't manifest in the
stabilization test run.

The referenced issue ComplianceAsCode/content#14563
has been fixed upstream and the fail didn't happen in the latest
stabilization test run.

The linked issues ComplianceAsCode/content#14669
and ComplianceAsCode/content#14582
have been fixed and the tests don't error in the stabilization run
on RHEL 9.
matusmarhefka merged commit 76bc006 into RHSecurityCompliance:main on May 21, 2026. 4 checks passed.