From 78082a776beaf38add3f9915610b734721ed7b1f Mon Sep 17 00:00:00 2001
From: Marcus Burghardt
Date: Wed, 28 Aug 2024 09:52:28 +0200
Subject: [PATCH 1/7] Include authselect variable in pcidss control file

Signed-off-by: Marcus Burghardt
---
 controls/pcidss_4.yml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/controls/pcidss_4.yml b/controls/pcidss_4.yml
index 644c313138b..31c5e493504 100644
--- a/controls/pcidss_4.yml
+++ b/controls/pcidss_4.yml
@@ -2047,6 +2047,7 @@ controls:
 status: automated
 rules:
 - enable_authselect
+ - var_authselect_profile=sssd
 - accounts_passwords_pam_faillock_deny
 - var_accounts_passwords_pam_faillock_deny=10
 - accounts_passwords_pam_faillock_unlock_time
From 6a750c0fba0dc97edb3da529e7640e0c4a56c855 Mon Sep 17 00:00:00 2001
From: Marcus Burghardt
Date: Wed, 28 Aug 2024 09:54:16 +0200
Subject: [PATCH 2/7] Inform correct hashing algorithm for pcidss rhel10

Signed-off-by: Marcus Burghardt
---
 products/rhel10/profiles/pci-dss.profile | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/products/rhel10/profiles/pci-dss.profile b/products/rhel10/profiles/pci-dss.profile
index 1f958e6f084..66da2a896b2 100644
--- a/products/rhel10/profiles/pci-dss.profile
+++ b/products/rhel10/profiles/pci-dss.profile
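Review bot: Nothing in the control file says why sssd is the expected authselect profile for the new `var_authselect_profile=sssd` selection, or what a product whose authentication backend is not sssd should do with it. A short comment above the line, e.g. `# authselect profile PCI DSS hosts are expected to use; products with another backend override it in their profile`, would keep that decision next to the selection. Because the value is chosen here rather than per product, presumably every product that includes `pcidss_4` now evaluates `enable_authselect` (and any remediation it carries) against the sssd profile, which is worth confirming for each of them.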
@@ -24,14 +24,16 @@ description: |-
 selections:
 - pcidss_4:all
 
- # audit-audispd-plugins package does not exist in RHEL 10 (based on RHEL 9)
- # use only package_audispd-plugins_installed
- - '!package_audit-audispd-plugins_installed'
+ - var_password_hashing_algorithm=yescrypt
+ - var_password_hashing_algorithm_pam=yescrypt
+
 # More tests are needed to identify which rule is conflicting with rpm_verify_permissions.
 # https://github.com/ComplianceAsCode/content/issues/11285
 - '!rpm_verify_permissions'
- # these rules do not apply to RHEL 10
+ # audit-audispd-plugins package does not exist in RHEL 10 (based on RHEL 9)
+ # use only package_audispd-plugins_installed
 - '!package_audit-audispd-plugins_installed'
+ # these rules do not apply to RHEL 10
 - '!service_ntp_enabled'
 - '!ntpd_specify_remote_server'
 - '!ntpd_specify_multiple_servers'
From 0bc85f2b52b72812ece600c84d28c0b4948345b7 Mon Sep 17 00:00:00 2001
From: Marcus Burghardt
Date: Wed, 28 Aug 2024 10:10:17 +0200
Subject: [PATCH 3/7] Clean comments based on RHEL 9

Signed-off-by: Marcus Burghardt
---
 products/rhel10/profiles/pci-dss.profile | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/products/rhel10/profiles/pci-dss.profile b/products/rhel10/profiles/pci-dss.profile
index 66da2a896b2..dbaeeda8a7d 100644
--- a/products/rhel10/profiles/pci-dss.profile
+++ b/products/rhel10/profiles/pci-dss.profile
@@ -30,9 +30,7 @@ selections:
 # More tests are needed to identify which rule is conflicting with rpm_verify_permissions.
 # https://github.com/ComplianceAsCode/content/issues/11285
 - '!rpm_verify_permissions'
- # audit-audispd-plugins package does not exist in RHEL 10 (based on RHEL 9)
- # use only package_audispd-plugins_installed
- - '!package_audit-audispd-plugins_installed'
+
 # these rules do not apply to RHEL 10
 - '!service_ntp_enabled'
 - '!ntpd_specify_remote_server'
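Review bot: The two hashing variables added at the top of the hunk, `var_password_hashing_algorithm=yescrypt` and `var_password_hashing_algorithm_pam=yescrypt`, override whatever `pcidss_4:all` selects with no comment, and their names suggest they feed two separate checks (the login.defs setting and the PAM hashing option) that have to stay in agreement for new passwords to be stored with the algorithm the profile asserts. Suggest a comment above them such as `# RHEL 10 uses yescrypt; keep the login.defs and PAM values identical`, so a later product refresh does not change one without the other.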
@@ -40,6 +38,7 @@ selections:
 - '!set_ipv6_loopback_traffic'
 - '!set_loopback_traffic'
 - '!service_ntpd_enabled'
+ - '!package_audit-audispd-plugins_installed'
 - '!package_ypserv_removed'
 - '!package_ypbind_removed'
 - '!package_talk_removed'
From 0f22bba7a650587ab906ee2ee774da85f9e77e53 Mon Sep 17 00:00:00 2001
From: Marcus Burghardt
Date: Wed, 28 Aug 2024 10:39:41 +0200
Subject: [PATCH 4/7] Confirm rules not applicable to RHEL 10

Signed-off-by: Marcus Burghardt
---
 products/rhel10/profiles/pci-dss.profile | 47 +++++++++++++-----------
 1 file changed, 25 insertions(+), 22 deletions(-)

diff --git a/products/rhel10/profiles/pci-dss.profile b/products/rhel10/profiles/pci-dss.profile
index dbaeeda8a7d..1c549eb60e0 100644
--- a/products/rhel10/profiles/pci-dss.profile
+++ b/products/rhel10/profiles/pci-dss.profile
@@ -32,12 +32,6 @@ selections:
 - '!rpm_verify_permissions'
 
 # these rules do not apply to RHEL 10
- - '!service_ntp_enabled'
- - '!ntpd_specify_remote_server'
- - '!ntpd_specify_multiple_servers'
- - '!set_ipv6_loopback_traffic'
- - '!set_loopback_traffic'
- - '!service_ntpd_enabled'
 - '!package_audit-audispd-plugins_installed'
 - '!package_ypserv_removed'
 - '!package_ypbind_removed'
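Review bot: The moved `'!package_audit-audispd-plugins_installed'` now sits in the generic list under `# these rules do not apply to RHEL 10`, and the hunk above it removes the only comment saying why (the package does not exist on RHEL 10 and `package_audispd-plugins_installed` is used instead). Keeping that reason as a trailing comment on the moved line, `- '!package_audit-audispd-plugins_installed'  # package does not exist on RHEL 10; package_audispd-plugins_installed is used`, preserves the information the cleanup drops without bringing back the RHEL 9 wording.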
@@ -46,28 +40,37 @@ selections:
 - '!package_xinetd_removed'
 - '!package_rsh_removed'
 - '!package_rsh-server_removed'
- # Following are incompatible with the rhel10 product (based on RHEL9)
- - '!service_chronyd_or_ntpd_enabled'
+
+ - '!service_ntp_enabled'
+ - '!service_ntpd_enabled'
+ - '!service_timesyncd_enabled'
+ - '!ntpd_specify_remote_server'
+ - '!ntpd_specify_multiple_servers'
+
+ - '!accounts_passwords_pam_tally2'
+ - '!accounts_passwords_pam_tally2_unlock_time'
+ - '!cracklib_accounts_password_pam_dcredit'
+ - '!cracklib_accounts_password_pam_lcredit'
+ - '!cracklib_accounts_password_pam_minlen'
+ - '!cracklib_accounts_password_pam_retry'
+ - '!ensure_firewall_rules_for_open_ports'
+ - '!ensure_shadow_group_empty'
+ - '!ensure_suse_gpgkey_installed'
 - '!install_PAE_kernel_on_x86-32'
 - '!mask_nonessential_services'
- - '!aide_periodic_checking_systemd_timer'
 - '!nftables_ensure_default_deny_policy'
- - '!cracklib_accounts_password_pam_lcredit'
+ - '!set_ipv6_loopback_traffic'
+ - '!set_loopback_traffic'
+ - '!set_password_hashing_algorithm_commonauth'
+
+ # Following are incompatible with the rhel10 product (based on RHEL9)
+ - '!service_chronyd_or_ntpd_enabled'
+ - '!aide_periodic_checking_systemd_timer'
 - '!file_owner_at_allow'
- - '!ensure_firewall_rules_for_open_ports'
- - '!cracklib_accounts_password_pam_retry'
 - '!gnome_gdm_disable_guest_login'
+ - '!gnome_gdm_disable_unattended_automatic_login'
+ - '!permissions_local_var_log'
 - '!sshd_use_strong_kex'
 - '!sshd_use_approved_macs'
- - '!permissions_local_var_log'
 - '!sshd_use_approved_ciphers'
- - '!accounts_passwords_pam_tally2'
- - '!ensure_suse_gpgkey_installed'
- - '!gnome_gdm_disable_unattended_automatic_login'
- - '!accounts_passwords_pam_tally2_unlock_time'
- - '!cracklib_accounts_password_pam_minlen'
- - '!set_password_hashing_algorithm_commonauth'
- - '!cracklib_accounts_password_pam_dcredit'
- - '!ensure_shadow_group_empty'
- - '!service_timesyncd_enabled'
 - '!security_patches_up_to_date'
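Review bot: The blank line added after `'!package_rsh-server_removed'` visually detaches the two new unlabeled groups (the ntp/timesyncd block and the pam_tally2/cracklib/suse/PAE block) from the `# these rules do not apply to RHEL 10` heading that precedes them in the earlier hunk, so only the last group, under `# Following are incompatible with the rhel10 product (based on RHEL9)`, still carries a stated reason. The commit title says these rules were confirmed not applicable, but the file does not record on what basis; a heading per group, e.g. `# ntpd/timesyncd rules; not shipped on RHEL 10` and `# pam_tally2, cracklib and other distributions' packages`, adjusted to whatever the confirmation actually found, would keep that result with the profile. Separately, `'!ensure_firewall_rules_for_open_ports'`, `'!nftables_ensure_default_deny_policy'`, `'!set_ipv6_loopback_traffic'` and `'!set_loopback_traffic'` are now all excluded in one place, so this profile's firewall coverage rests entirely on whichever firewalld rules `pcidss_4:all` selects; if those are skipped on RHEL 10 as well the profile would carry no firewall check at all, which is worth a comment naming the rules that do cover it.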
From 2aa0b6c9f1421fd4624c4a046739b7e6da77a4a9 Mon Sep 17 00:00:00 2001
From: Marcus Burghardt
Date: Wed, 28 Aug 2024 11:05:30 +0200
Subject: [PATCH 5/7] Remove ip6tables rule from pcidss RHEL 10

It is managed by firewalld.

Signed-off-by: Marcus Burghardt
---
 products/rhel10/profiles/pci-dss.profile | 1 +
 1 file changed, 1 insertion(+)

diff --git a/products/rhel10/profiles/pci-dss.profile b/products/rhel10/profiles/pci-dss.profile
index 1c549eb60e0..48c335c8adc 100644
--- a/products/rhel10/profiles/pci-dss.profile
+++ b/products/rhel10/profiles/pci-dss.profile
@@ -60,6 +60,7 @@ selections:
 - '!mask_nonessential_services'
 - '!nftables_ensure_default_deny_policy'
 - '!set_ipv6_loopback_traffic'
+ - '!set_ip6tables_default_rule'
 - '!set_loopback_traffic'
 - '!set_password_hashing_algorithm_commonauth'
 
From ba21b9cbea37763c812fa7bd823e7134dee2df40 Mon Sep 17 00:00:00 2001
From: Marcus Burghardt
Date: Wed, 28 Aug 2024 11:16:54 +0200
Subject: [PATCH 6/7] Remove exclusion for rules already compatible with RHEL 10

Signed-off-by: Marcus Burghardt
---
 products/rhel10/profiles/pci-dss.profile | 2 --
 1 file changed, 2 deletions(-)

diff --git a/products/rhel10/profiles/pci-dss.profile b/products/rhel10/profiles/pci-dss.profile
index 48c335c8adc..45f5033ae05 100644
--- a/products/rhel10/profiles/pci-dss.profile
+++ b/products/rhel10/profiles/pci-dss.profile
@@ -67,8 +67,6 @@ selections:
 # Following are incompatible with the rhel10 product (based on RHEL9)
 - '!service_chronyd_or_ntpd_enabled'
 - '!aide_periodic_checking_systemd_timer'
- - '!file_owner_at_allow'
- - '!gnome_gdm_disable_guest_login'
 - '!gnome_gdm_disable_unattended_automatic_login'
 - '!permissions_local_var_log'
 - '!sshd_use_strong_kex'
From 136edc4bbbdea2f5a6c503cef197a7d0306c5441 Mon Sep 17 00:00:00 2001
From: Marcus Burghardt
Date: Wed, 28 Aug 2024 12:02:41 +0200
Subject: [PATCH 7/7] Update profile stability references for pci-dss
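Review bot: The reason for the new `'!set_ip6tables_default_rule'` exclusion (the policy is managed by firewalld) lives only in the commit message; in the profile the line joins a list with no per-rule explanation, so suggest `- '!set_ip6tables_default_rule'  # default policy is managed by firewalld on RHEL 10`. Dropping this check also means the profile no longer asserts an IPv6 default-deny policy itself, so it is worth confirming that the firewalld rules selected through `pcidss_4:all` are actually evaluated on RHEL 10 rather than being excluded elsewhere in this same list. Minor: inserting the line between `set_ipv6_loopback_traffic` and `set_loopback_traffic` breaks the otherwise alphabetical order of this group, where `set_ip6tables` sorts before `set_ipv6`.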
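Review bot: `'!gnome_gdm_disable_unattended_automatic_login'` stays excluded under the same heading while the sibling `'!gnome_gdm_disable_guest_login'` exclusion is removed here; if both GDM rules inspect the same GDM configuration it is unclear why only one became compatible, so a sentence in the commit message or a trailing comment on the remaining exclusion would help the next reader. The heading above the group still reads `# Following are incompatible with the rhel10 product (based on RHEL9)`, which after this series presumably no longer describes how the list was validated; rewording it to say the remaining entries were checked against RHEL 10 itself would avoid a later re-audit of the same lines.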
Signed-off-by: Marcus Burghardt
---
 tests/data/profile_stability/rhel8/pci-dss.profile | 1 +
 tests/data/profile_stability/rhel9/pci-dss.profile | 1 +
 2 files changed, 2 insertions(+)

diff --git a/tests/data/profile_stability/rhel8/pci-dss.profile b/tests/data/profile_stability/rhel8/pci-dss.profile
index ff8e7131428..e8e1992dc5a 100644
--- a/tests/data/profile_stability/rhel8/pci-dss.profile
+++ b/tests/data/profile_stability/rhel8/pci-dss.profile
@@ -289,6 +289,7 @@ selections:
 - var_password_pam_dcredit=1
 - var_password_pam_lcredit=1
 - var_password_pam_minlen=12
+- var_authselect_profile=sssd
 - var_accounts_passwords_pam_faillock_deny=10
 - var_accounts_passwords_pam_faillock_unlock_time=1800
 - var_password_pam_tally2=10
diff --git a/tests/data/profile_stability/rhel9/pci-dss.profile b/tests/data/profile_stability/rhel9/pci-dss.profile
index e0fc9148f4a..aae368bafba 100644
--- a/tests/data/profile_stability/rhel9/pci-dss.profile
+++ b/tests/data/profile_stability/rhel9/pci-dss.profile
@@ -281,6 +281,7 @@ selections:
 - var_password_pam_dcredit=1
 - var_password_pam_lcredit=1
 - var_password_pam_minlen=12
+- var_authselect_profile=sssd
 - var_accounts_passwords_pam_faillock_deny=10
 - var_accounts_passwords_pam_faillock_unlock_time=1800
 - var_password_pam_tally2=10