Adding Debian 13 CIS controls to the benchmark #14684

Open
scdarva wants to merge 5 commits into ComplianceAsCode:master from scdarva:debian-13-cis

@scdarva scdarva commented Apr 29, 2026

Description:

As Debian 13 is currently missing CIS benchmarks from this project, this pull request is specifically to add an initial set of CIS controls.

Rationale:

To start populating Debian 13 CIS controls. Adding them all in one go is quite a task, especially as it does require generating new checks.

Review Hints:

  • If the scope of the pull request is too small, please comment and then it can be increased; otherwise, I didn't want to make a pull request that adds a huge block of code that is problematic to review.

@openshift-ci openshift-ci Bot added the needs-ok-to-test Used by openshift-ci bot. label Apr 29, 2026

openshift-ci Bot commented Apr 29, 2026

Hi @scdarva. Thanks for your PR.

I'm waiting for a ComplianceAsCode member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work.

Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@jan-cerny jan-cerny added Debian Debian product related. CIS CIS Benchmark related. New Profile Issues or pull requests related to new Profiles. labels Apr 29, 2026
@jan-cerny jan-cerny added this to the 0.1.81 milestone Apr 29, 2026
Comment thread controls/cis_debian13.yml Outdated
# - l2_server
# rules:
# - configure_gpg_key_access
# status: automated No newline at end of file
Collaborator

missing new line character at the end of file

Author

Thanks for noticing, added it.

Also added more controls. Those that are commented out and have TODO are not implemented, as they need to be implemented later on.

@jan-cerny jan-cerny self-assigned this May 7, 2026
Collaborator

@jan-cerny jan-cerny left a comment

I think the CI fail is legit, you need to update the product stability data with the CIS reference:

diff --git a/tests/data/product_stability/debian13.yml b/tests/data/product_stability/debian13.yml
index e96a439170..23007ed4bf 100644
--- a/tests/data/product_stability/debian13.yml
+++ b/tests/data/product_stability/debian13.yml
@@ -81,6 +81,7 @@ reference_uris:
   app-srg: https://www.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers
   app-srg-ctr: https://www.cyber.mil/stigs/downloads/?_dl_facet_stigs=app-security
   bsi: https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Grundschutz/International/bsi_it_gs_comp_2022.pdf
+  cis: https://www.cisecurity.org/cis-benchmarks/
   cis-csc: https://www.cisecurity.org/controls/
   cjis: https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf
   cobit5: https://www.isaca.org/resources/cobit
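
Review bot: on the added `cis: https://www.cisecurity.org/cis-benchmarks/` line under `reference_uris`, check that the string is exactly the value the Debian 13 product resolves for the `cis` reference, because this file sits under `tests/data/product_stability` and the comment above ties the CI failure to it; a difference as small as the trailing slash would leave the check failing. The key placement between `bsi` and `cis-csc` keeps the list sorted, so no reordering is needed. Since the URI is the generic benchmarks index rather than a Debian 13 document, it would help to state in the commit message which benchmark version the new `controls/cis_debian13.yml` follows.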

Author

scdarva commented May 7, 2026

Added the test adjustment as suggested; I had no idea about their functionalities.

@scdarva scdarva requested a review from jan-cerny May 7, 2026 14:17