Commit e40174f4 authored by Cynthia "Arty" Ng

Merge branch 'eread/add-frontmattertitle-vale-rule-and-fix-errors' into 'main'

Add new FrontmatterTitle Vale rule and fix errors raised by new rule

See merge request !9908
parents ef061346 d0b92d71
Pipeline #1554138886 passed with warnings
65 additions and 28 deletions
......@@ -503,7 +503,6 @@
/content/handbook/resellers/training.md @akramer @ecepulis
/content/handbook/sales/ @akramer @jakebielecki
/content/handbook/sales/account-planning/ @lschoenfeld @akramer @emelier
/content/handbook/sales/assistance-from-investors.md @jakebielecki
/content/handbook/sales/build-value-with-customers.md @akramer
/content/handbook/sales/channel/ @ecepulis
/content/handbook/sales/club/ @kdemarest @kagarrett
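Review bot: the hunk header `@@ -503,7 +503,6 @@` records one entry dropped from this CODEOWNERS block, but the rendered view has lost the +/- markers, so it is not visible which of the seven `/content/handbook/sales/...` lines went away; please confirm the dropped path belongs to a page that is deleted or moved elsewhere in this merge, since an entry removed for any other reason leaves that page without a required reviewer.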
......
# Error: handbook.FrontmatterTitle
#
# Ensures that 'title:' exists in page frontmatter
#
---
extends: script
message: "Page must have title specified in frontmatter."
link: https://gitlab.com/gitlab-com/content-sites/docsy-gitlab/-/blob/main/content/docs/frontmatter.md
level: error
scope: raw
script: |
text := import("text")
matches := []
frontmatterDelimiterCount := 0
frontmatter := ""
for line in text.split(scope, "\n") {
// If we've matched '---' once, start storing the frontmatter content
if frontmatterDelimiterCount == 1 {
frontmatter += line
}
// If we've matched '---' twice, we don't need any more content
if frontmatterDelimiterCount == 2 {
break
}
// Note if we've located a frontmatter delimiter.
if text.re_match("^---", line) {
frontmatterDelimiterCount++
}
}
if !text.re_match("[tT]itle: ", frontmatter) {
matches = append(matches, { begin: 1, end: 1 })
}
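Review bot: the final check `text.re_match("[tT]itle: ", frontmatter)` is an unanchored substring match over a string assembled with `frontmatter += line` (no newline between lines), so `subtitle: `, `page_title: ` or a `description:` value that happens to contain the text `title: ` all satisfy the rule, while a real `title:` with an empty value or a block scalar (`title: |`) does not. Suggest appending `line + "\n"` and matching `(?m)^title:` so only a top-level key counts. Separately, the delimiter counter accepts the first `---` wherever it occurs, so a page with no frontmatter but a `---` horizontal rule in its body starts collecting "frontmatter" there; requiring the first delimiter to be on line 1 (and reporting when it is not) makes the error exact for pages that have no frontmatter block at all.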
---
noindex: true
redirect_to: './'
description: "usage ping got rem"
---
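Review bot: no `title:` key appears in this redirect stub's frontmatter (`noindex`, `redirect_to`, `description` only), so as shown it would itself be flagged by the new error-level rule; either add a title here or give the rule an explicit exemption for pages that set `redirect_to`. The `description` value as rendered (`"usage ping got rem"`) also looks cut off and is worth re-checking in the source file.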
---
tile: 'Cells: Organization migration'
title: 'Cells: Organization migration'
status: proposed
creation-date: "2024-05-01"
authors: [ "@dbalexandre", "@mkozono" ]
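Review bot: `tile:` to `title:` is exactly the class of mistake the new rule exists for, since Hugo accepts unknown frontmatter keys as page params without complaint and the page simply rendered without a title; one limit to keep in mind is that the rule only looks for the literal word `title`, so a slip that still contains it (for example `subtitle:`) would pass unnoticed.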
......@@ -11,8 +11,6 @@ participating-stages: ["~devops::data stores", "~devops::systems"]
toc_hide: true
---
# Cells: Organization migration
## Summary
When we reach production and can operate organizations on new [cells](../cells), we need to be able to move [organizations](https://docs.gitlab.com/ee/user/organization/) from GitLab.com into a cell or between any two cells. [The Org Mover project](https://gitlab.com/groups/gitlab-org/-/epics/12857) provides a CLI orchestrator tool that makes the process of moving organization data from one cell to another a breeze. It’s designed to ensure no data loss or corruption with minimal downtime.
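Review bot: with the `# Cells: Organization migration` H1 removed, the body now opens at `## Summary`, which is only right if the blueprint layout emits the frontmatter `title` as the page heading; worth confirming for this layout, because `toc_hide: true` means a missing heading would not show up in the TOC either.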
......
# Cost of Observability Stack
---
title: Cost of Observability Stack
---
## Elastic Cloud Costs (Snowflake)
......
# Promotion Document Style Guide
---
title: Promotion Document Style Guide
---
Assembling a case for promotion can be a time-consuming process. The tips and style principles in this guide will help you prepare a document that presents the evidence clearly, requiring fewer review cycles.
......
---
title: READMEs
---
---
title: Automation
---
# Background
---
title: Background
---
[Security Content Automation Protocol](https://en.wikipedia.org/wiki/Security_Content_Automation_Protocol) is a a US standard maintained by NIST, and is a method for using specific standards to enable automated vulnerability management, measurement, and policy compliance of information systems. it is most often used for compliance scanning, i.e. to measure IT systems against specific compliance standards like CIS or PCI-DSS.
[OpenSCAP](https://www.open-scap.org/getting-started/) is a very popular [open-source](https://github.com/OpenSCAP) ecosystem for SCAP scanning and is maintained by Red Hat. It is the most common way to conduct SCAP scanning and assessment.
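Review bot: two prose slips in the added Background text: "is a a US standard" doubles the article, and "it is most often used" starts a sentence in lower case. The compliance sentence is also narrower than the standard: SCAP content is the vehicle for vulnerability checks (OVAL definitions keyed to CVEs) as well as for CIS or PCI-DSS benchmark scanning, as the SCAP modules page in this same change explains.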
# SCAP modules
## SCAP modules
Each SCAP (Security Content Automation Protocol) module has a specific function to help automate security checks, assessments, and vulnerability management. Here’s a breakdown of the key SCAP modules and what each one does:
## 1. **XCCDF (Extensible Configuration Checklist Description Format)**
### 1. **XCCDF (Extensible Configuration Checklist Description Format)**
- **Purpose**: XCCDF is used to create security checklists, benchmarks, and configuration guidance.
- **Function**: It defines security policies as XML documents that include rules, checks, and remediation guidance. XCCDF files are structured to represent security profiles, with each profile containing rules for configuration and compliance.
- **Example Use**: A benchmark to verify that SSH settings align with best practices would be defined in an XCCDF file.
## 2. **OVAL (Open Vulnerability and Assessment Language)**
### 2. **OVAL (Open Vulnerability and Assessment Language)**
- **Purpose**: OVAL provides a standard way to represent system configuration information, state, and vulnerability data.
- **Function**: OVAL definitions describe security checks for specific configurations, patches, or vulnerabilities. It allows scanners to evaluate system compliance and find vulnerabilities by checking if specific conditions are met.
- **Example Use**: An OVAL check might confirm that a particular version of a package is installed, or that a configuration file contains certain values.
## 3. **CPE (Common Platform Enumeration)**
### 3. **CPE (Common Platform Enumeration)**
- **Purpose**: CPE is a standardized naming scheme to identify information technology systems, platforms, and applications.
- **Function**: CPE names uniquely identify specific platforms, operating systems, or applications, enabling SCAP tools to apply relevant checks based on the target system.
- **Example Use**: A CPE identifier might specify a system as "cpe:/o:redhat:enterprise_linux:8" to apply checks specific to Red Hat Enterprise Linux 8.
## 4. **CVE (Common Vulnerabilities and Exposures)**
### 4. **CVE (Common Vulnerabilities and Exposures)**
- **Purpose**: CVE provides a unique identifier for publicly known vulnerabilities.
- **Function**: Each CVE ID refers to a specific vulnerability, describing the affected software and the nature of the issue. CVE identifiers help track vulnerabilities across databases and security tools.
- **Example Use**: CVE-2021-34527 (PrintNightmare) is an identifier that refers to a specific Windows vulnerability, allowing security tools to recognize and reference it in scans and reports.
## How These Modules Work Together
### How These Modules Work Together
- **XCCDF** defines what should be checked and provides remediation guidance.
- **OVAL** performs the actual checks by evaluating system state and configurations.
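Review bot: the heading demotion makes sense now that the frontmatter title supplies the H1, but the headings keep the `**...**` bold wrapper (`### 1. **XCCDF (Extensible Configuration Checklist Description Format)**`), which is redundant inside a heading and tends to trip markdown linters and produce awkward anchor ids; suggest plain `### 1. XCCDF (Extensible Configuration Checklist Description Format)`. On content, the CPE bullet could add that CPE applicability decides whether a rule is evaluated at all: when the target's CPE does not match the content, rules come back `notapplicable` rather than `fail`, which in a report is easy to misread as a pass.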
......@@ -42,11 +43,11 @@ Each SCAP (Security Content Automation Protocol) module has a specific function
These modules collectively enable SCAP tools to perform consistent and automated security assessments across diverse systems and platforms.
# How this applies to GitLab systems
## How this applies to GitLab systems
At GitLab we primarily deploy our production application through containers. OpenSCAP can be ran against a wide variety of deployment options, but mainly it is ran against operating systems and container images. We run OpenSCAP against our container images to validate their compliance.
# Getting Started with OpenSCAP Compliance Scanning
## Getting Started with OpenSCAP Compliance Scanning
1. Choose your module based on your intent (XCCDF, OVAL, CPE, CVE)
2. [Source your SCAP content](https://static.open-scap.org/openscap-1.3/oscap_user_manual.html#2.1.%20Getting%20SCAP%20content) (e.g. XCCDF files are part of the `ssg` family of packages)
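Review bot: "OpenSCAP can be ran against" and "mainly it is ran against" should both read "run". The closing sentence ("We run OpenSCAP against our container images to validate their compliance") would be more useful with a pointer to where that happens (pipeline job or schedule), since the getting-started list below describes a manual workstation run rather than the production process.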
......@@ -67,14 +68,14 @@ oscap-podman c8d01adc0698 xccdf eval --report /tmp/ubi9-min-scap-cis-2.html --pr
# This evaluates the container image c8d01adc0698 against the CIS benchmark that exists in ssg-rhel9-ds-1.2.xml and outputs the file to /tmp/
```
## Practical Steps
### Practical Steps
We will
1. Setup OpenSCAP on an Ubuntu 24.04 system
2. evaluate the RedHat 9 UBI image against the CIS benchmark
### Prep the system
#### Prep the system
On an Ubuntu 24.04 system:
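Review bot: the `oscap-podman` example writes the HTML report to `/tmp/`, and the comment explains it evaluates the image against the CIS benchmark in `ssg-rhel9-ds-1.2.xml`; that report carries image configuration details and will be readable by other users on a shared host, so a line telling readers to keep it somewhere deliberate (or remove it when done) would fit here. The step list also says "RedHat 9 UBI image" while the rest of the page uses "Red Hat"; pick one spelling.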
......@@ -85,7 +86,7 @@ On an Ubuntu 24.04 system:
1. These are installed by `ssg-base` and `ssg-nondebian`
5. There is a bootstrap script [here](https://gitlab.com/dwilmoth/scap-bootstrapping) for ease of setup.
### Commands
#### Commands
```bash
# Pull the latest container image
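Review bot: the setup step points readers at a bootstrap script in a personal namespace (`gitlab.com/dwilmoth/scap-bootstrapping`) that they will run with root privileges to install packages; for a handbook procedure that is a supply-chain exposure. Suggest moving the script into a project-owned repository (or inlining the commands it runs) and linking to a specific commit rather than the default branch, so what readers execute matches what was reviewed. The item numbered `1.` sitting between the earlier steps and step `5.` is presumably a sub-item of step 4; check its indentation so it renders as a nested list rather than restarting the numbering.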
......@@ -97,12 +98,12 @@ oscap-podman c8d01adc0698 xccdf eval --report /tmp/ubi9-min-scap-cis-2.html --pr
# Open the final HTML file in your brower
```
# Other Points
## Other Points
- OpenSCAP can be used for a variety of standards and formats. For example, US Department of Defense [Security Technical Implementation Guides (STIGs)](https://public.cyber.mil/stigs/) are some of the strictest configuration standards that are publicly available. STIGs can be used with OpenSCAP.
- OpenSCAP can generate [different kinds of reports and scripts](https://static.open-scap.org/openscap-1.3/oscap_user_manual.html#_generating_reports_guides_and_scripts), not just HTML. Depending on the specific system it can generate the exact commands necessary to remediate failures.
# References
## References
- [this video](https://www.youtube.com/watch?v=nQmIcK1vvYc)from RedHat
- [Red Hat article on OpenSCAP](https://www.redhat.com/en/blog/container-vulnerabilities-openscap)
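Review bot: "brower" in the final comment should be "browser", and `[this video](...)from RedHat` needs a space before "from" plus the "Red Hat" spelling used in the next bullet. On the remediation bullet: the generated fix scripts run as root and apply the benchmark's settings wholesale, so "Other Points" should say that a generated script is to be read and trimmed before it is applied to a production image, not run as-is.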
......
......@@ -35,8 +35,8 @@ fi
## lint all markdown files if .vale files are changed, otherwise only lint the changed markdown files
if [ -n "$MODIFIED_VALE_FILES" ]; then
echo "Vale files have changed. Linting all markdown file..."
vale --output=.vale/vale-json.tmpl --minAlertLevel suggestion --glob='{content,assets,layouts}/**/*.md' . > vale-codequality.json
vale --minAlertLevel error --output=.vale/vale.tmpl --glob='{content,assets,layouts}/**/*.md' .
vale --output=.vale/vale-json.tmpl --minAlertLevel suggestion content/**/*.md > vale-codequality.json
vale --minAlertLevel error --output=.vale/vale.tmpl content/**/*.md
elif [ -n "$MODIFIED_MD_FILES" ]; then
echo "Linting changed files: $MODIFIED_MD_FILES"
vale --output=.vale/vale-json.tmpl --minAlertLevel suggestion $MODIFIED_MD_FILES > vale-codequality.json
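Review bot: the two `vale ... content/**/*.md` lines hand the glob to the shell instead of to Vale's `--glob`, so they only recurse if `globstar` is enabled in the shell running this script; otherwise `**` behaves like `*` and markdown files more than one directory deep are silently skipped (under plain `sh` it is never recursive). If those are the new lines, prefer `--glob='content/**/*.md' .` so Vale does the expansion; if they are the old lines being replaced, fine, but then the change also extends linting to `assets` and `layouts`, where markdown files without frontmatter will now hit the new error-level rule. The echo text "Linting all markdown file..." should also read "files".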
......