From 5d5ca0a3da8fa8e7f9a71569b5d3be99895410e3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Thomas=20Sj=C3=B6gren?=
Date: Tue, 16 Apr 2024 07:29:45 +0000
Subject: [PATCH 1/2] correct tests and instructions
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Thomas Sjögren
---
 tests/1_host_configuration.sh | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/tests/1_host_configuration.sh b/tests/1_host_configuration.sh
index 86247a8..4435b50 100644
--- a/tests/1_host_configuration.sh
+++ b/tests/1_host_configuration.sh
@@ -243,12 +243,12 @@ check_1_1_8() {
   local id="1.1.8"
   local desc="Ensure auditing is configured for Docker files and directories - containerd.sock (Automated)"
   local remediation
-  remediation="Install auditd. Add -w $(get_service_file containerd.socket) -k docker to the /etc/audit/rules.d/audit.rules file. Then restart the audit daemon using command service auditd restart."
+  remediation="Install auditd. Add -w $(get_service_file containerd.sock) -k docker to the /etc/audit/rules.d/audit.rules file. Then restart the audit daemon using command service auditd restart."
   local remediationImpact="Audit can generate large log files. So you need to make sure that they are rotated and archived periodically. Create a separate partition for audit logs to avoid filling up other critical partitions."
   local check="$id - $desc"
   starttestjson "$id" "$desc"
 
-  file="$(get_service_file containerd.socket)"
+  file="$(get_service_file containerd.sock)"
   if [ -e "$file" ]; then
     if command -v auditctl >/dev/null 2>&1; then
       if auditctl -l | grep "$file" >/dev/null 2>&1; then

From 12f085d42f9b38dd723dbf3fb6c2f7b7377836a9 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Thomas=20Sj=C3=B6gren?=
Date: Tue, 16 Apr 2024 08:23:14 +0000
Subject: [PATCH 2/2] update SLSA action
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
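Review bot: The audit-rule lookup on the last visible line, `auditctl -l | grep "$file"`, treats the newly assigned socket path as an unanchored regular expression, so the dots in `containerd.sock` match any character and any loaded rule whose path merely contains that string is accepted as a match; `if auditctl -l | grep -F -- "$file" >/dev/null 2>&1; then` makes it a fixed-string comparison. The new value is also passed through `get_service_file`, whose behaviour is not visible in the hunk; if that helper resolves systemd unit files by name, handing it a socket filename rather than a `.socket` unit may produce a path that does not exist, and the `[ -e "$file" ]` guard would then skip the check silently instead of reporting it, so this is worth confirming against the helper. check_1_1_8 continues past the end of the hunk.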
Signed-off-by: Thomas Sjögren
---
 .github/workflows/slsa.yml | 17 +++++++++++------
 1 file changed, 11 insertions(+), 6 deletions(-)

diff --git a/.github/workflows/slsa.yml b/.github/workflows/slsa.yml
index 192a6e2..28c8ac9 100644
--- a/.github/workflows/slsa.yml
+++ b/.github/workflows/slsa.yml
@@ -16,11 +16,16 @@ jobs:
       hashes: ${{ steps.hash.outputs.hashes }}
     runs-on: ubuntu-latest
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
+        with:
+          egress-policy: audit
+
       - run: echo "REPOSITORY_NAME=$(echo '${{ github.repository }}' | awk -F '/' '{print $2}')" >> $GITHUB_ENV
         shell: bash
 
       - name: Checkout repository
-        uses: actions/checkout@27135e314dd1818f797af1db9dae03a9f045786b # master
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
 
       - name: Build artifacts
         run: |
@@ -33,7 +38,7 @@ jobs:
           echo "hashes=$(sha256sum ${{ env.REPOSITORY_NAME }}.sha256 | base64 -w0)" >> "$GITHUB_OUTPUT"
 
       - name: Upload ${{ env.REPOSITORY_NAME }}.sha256
-        uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
+        uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1
         with:
           name: ${{ env.REPOSITORY_NAME }}.sha256
           path: ${{ env.REPOSITORY_NAME }}.sha256
@@ -46,17 +51,17 @@ jobs:
       actions: read
       id-token: write
       contents: write
-    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.5.0
+    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.10.0
     with:
       base64-subjects: "${{ needs.build.outputs.hashes }}"
       upload-assets: ${{ startsWith(github.ref, 'refs/tags/') }}
 
   release:
-    needs: [build, provenance]
     permissions:
       actions: read
       id-token: write
       contents: write
+    needs: [build, provenance]
    runs-on: ubuntu-latest
     if: startsWith(github.ref, 'refs/tags/')
     steps:
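Review bot: `egress-policy: audit` in the new Harden Runner step only records the build job's outbound connections; it blocks nothing, so the step currently adds visibility rather than containment. Because this job computes the hashes that the provenance job later attests, the enforcing configuration is `egress-policy: block` with an `allowed-endpoints:` list populated from what the audit runs report, which can follow once that data exists. The release job's steps in the last hunk of this file show no Harden Runner step either, though one may sit above that hunk's first line.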
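Review bot: The reusable-workflow reference `generator_generic_slsa3.yml@v1.10.0` stays tag-based while every other `uses:` in this file is pinned to a commit SHA with a version comment, and nothing in the file records why the two conventions differ. As far as I know the SLSA generator has to be called by tag for the resulting provenance to verify, so a comment on the line above `uses:` such as `# referenced by tag on purpose: the SLSA generator expects a tag reference` would keep a later pin-everything pass from breaking it; confirm the wording against the generator's documentation before stating it as a hard requirement.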
@@ -64,12 +69,12 @@ jobs:
         shell: bash
 
       - name: Download ${{ env.REPOSITORY_NAME }}.sha256
-        uses: actions/download-artifact@cbed621e49e4c01b044d60f6c80ea4ed6328b281 # v2.1.1
+        uses: actions/download-artifact@c850b930e6ba138125429b7e5c93fc707a7f8427 # v4.1.4
         with:
           name: ${{ env.REPOSITORY_NAME }}.sha256
 
       - name: Upload asset
-        uses: softprops/action-gh-release@de2c0eb89ae2a093876385947365aca7b0e5f844 # v0.1.15
+        uses: softprops/action-gh-release@9d7c94cfd0a1f3ed45544c887983e9fa900f0564 # v2.0.4
         with:
           files: |
             ${{ env.REPOSITORY_NAME }}.sha256