Waive sshd key rules in bootc tests

jan-cerny · Jan 7, 2025 · 335f0ca · 335f0ca
1 parent c0b68d6
commit 335f0ca
Showing 1 changed file with 17 additions and 0 deletions.
diff --git a/conf/waivers/30-permanent b/conf/waivers/30-permanent
@@ -100,4 +100,21 @@
 /static-checks/nist-validation/ssg-(rhel\d+|cs\d+)-ds/SRC-118
     rhel >= 9
 
+# bootc waivers
+
+# The rules related to SSH keys fail because SSH host keys don't exist
+# at container build time, they are generated by the sshd-keygen service only
+# once the system is deployed by executing /usr/libexec/openssh/sshd-keygen
+# script. We inform users in rules by warning text saying that remediation
+# is not possible at bootable container build time because SSH host keys are
+# generated post-deployment. The warning has been introduced by
+# https://github.com/ComplianceAsCode/content/pull/12755.
+/hardening/container/bootc-image-builder/.+/file_groupownership_sshd_private_key
+/hardening/container/bootc-image-builder/.+/file_groupownership_sshd_pub_key
+/hardening/container/bootc-image-builder/.+/file_ownership_sshd_private_key
+/hardening/container/bootc-image-builder/.+/file_ownership_sshd_pub_key
+/hardening/container/bootc-image-builder/.+/file_permissions_sshd_private_key
+/hardening/container/bootc-image-builder/.+/file_permissions_sshd_pub_key
+    True
+
 # vim: syntax=python