Merge pull request ComplianceAsCode#11873 from Xeicker/update_ol9_pcidss

Update ol9 pcidss

linux_os/guide/services/ntp/chronyd_run_as_chrony_user/ansible/shared.yml

@@ -1,4 +1,4 @@
-# platform = multi_platform_fedora,Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8
+# platform = multi_platform_fedora,multi_platform_ol,Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8
 # reboot = false
 # strategy = configure
 # complexity = low

linux_os/guide/services/ntp/chronyd_run_as_chrony_user/tests/empty.pass.sh

@@ -1,5 +1,5 @@
 #!/bin/bash
-# platform = multi_platform_rhel,multi_platform_fedora
+# platform = multi_platform_ol,multi_platform_rhel,multi_platform_fedora
 # packages = chrony
 
 

linux_os/guide/services/ntp/chronyd_run_as_chrony_user/tests/empty_options.pass.sh

@@ -1,5 +1,5 @@
 #!/bin/bash
-# platform = multi_platform_rhel,multi_platform_fedora
+# platform = multi_platform_ol,multi_platform_rhel,multi_platform_fedora
 # packages = chrony
 
 

linux_os/guide/system/logging/log_rotation/timer_logrotate_enabled/rule.yml

@@ -15,6 +15,8 @@ severity: medium
 
 {{% if 'rhel' in product %}}
 platform: package[logrotate] and os_linux[rhel]>=9
+{{% elif 'ol' in product %}}
+platform: package[logrotate] and os_linux[ol]>=9
 {{% else %}}
 platform: package[logrotate]
 {{% endif %}}

linux_os/guide/system/network/network_nmcli_permissions/ansible/shared.yml

@@ -1,4 +1,4 @@
-# platform = Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8,multi_platform_rhv,multi_platform_fedora
+# platform = Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8,multi_platform_ol,multi_platform_rhv,multi_platform_fedora
 # reboot = false
 # strategy = restrict
 # complexity = low

linux_os/guide/system/network/network_nmcli_permissions/tests/correct_value.pass.sh

@@ -0,0 +1,11 @@
+#!/bin/bash
+# packages = polkit
+
+cat <<EOF > /etc/polkit-1/localauthority/20-org.d/test.pkla
+[Disable General User Access to NetworkManager]
+Identity=default
+Action=org.freedesktop.NetworkManager.*
+ResultAny=no
+ResultInactive=no
+ResultActive=auth_admin
+EOF

linux_os/guide/system/network/network_nmcli_permissions/tests/wrong_resultactive.fail.sh

@@ -0,0 +1,11 @@
+#!/bin/bash
+# packages = polkit
+
+cat <<EOF > /etc/polkit-1/localauthority/20-org.d/test.pkla
+[Disable General User Access to NetworkManager]
+Identity=default
+Action=org.freedesktop.NetworkManager.*
+ResultAny=no
+ResultInactive=no
+ResultActive=no
+EOF

products/ol9/profiles/pci-dss.profile

@@ -1,144 +1,66 @@
 documentation_complete: true
 
-reference: https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf
+metadata:
+    version: '4.0'
 
-title: 'PCI-DSS v3.2.1 Control Baseline for Oracle Linux 9'
+reference: https://docs-prv.pcisecuritystandards.org/PCI%20DSS/Standard/PCI-DSS-v4_0.pdf
+
+title: 'PCI-DSS v4.0 Control Baseline for Oracle Linux 9'
 
 description: |-
-    Ensures PCI-DSS v3.2.1 security configuration settings are applied.
+    Payment Card Industry - Data Security Standard (PCI-DSS) is a set of
+    security standards designed to ensure the secure handling of payment card
+    data, with the goal of preventing data breaches and protecting sensitive
+    financial information.
+
+    This profile ensures Oracle Linux 9 is configured in alignment
+    with PCI-DSS v4.0 requirements.
 
 selections:
-    - var_password_pam_unix_remember=4
-    - var_account_disable_post_pw_expiration=90
-    - var_accounts_passwords_pam_faillock_deny=6
-    - var_accounts_passwords_pam_faillock_unlock_time=1800
-    - var_password_pam_minlen=7
-    - var_password_pam_minclass=2
-    - var_accounts_maximum_age_login_defs=90
-    - var_auditd_num_logs=5
-    - service_auditd_enabled
-    - grub2_audit_argument
-    - auditd_data_retention_num_logs
-    - auditd_data_retention_max_log_file
-    - auditd_data_retention_max_log_file_action
-    - auditd_data_retention_space_left_action
-    - auditd_data_retention_admin_space_left_action
-    - auditd_data_retention_action_mail_acct
-    - package_audispd-plugins_installed
-    - auditd_audispd_syslog_plugin_activated
-    - audit_rules_time_adjtimex
-    - audit_rules_time_settimeofday
-    - audit_rules_time_stime
-    - audit_rules_time_clock_settime
-    - audit_rules_time_watch_localtime
-    - audit_rules_usergroup_modification_group
-    - audit_rules_usergroup_modification_gshadow
-    - audit_rules_usergroup_modification_opasswd
-    - audit_rules_usergroup_modification_passwd
-    - audit_rules_usergroup_modification_shadow
-    - audit_rules_networkconfig_modification
-    - file_permissions_var_log_audit
-    - file_ownership_var_log_audit
-    - audit_rules_mac_modification
-    - audit_rules_dac_modification_chmod
-    - audit_rules_dac_modification_chown
-    - audit_rules_dac_modification_fchmod
-    - audit_rules_dac_modification_fchmodat
-    - audit_rules_dac_modification_fchown
-    - audit_rules_dac_modification_fchownat
-    - audit_rules_dac_modification_fremovexattr
-    - audit_rules_dac_modification_fsetxattr
-    - audit_rules_dac_modification_lchown
-    - audit_rules_dac_modification_lremovexattr
-    - audit_rules_dac_modification_lsetxattr
-    - audit_rules_dac_modification_removexattr
-    - audit_rules_dac_modification_setxattr
-    - audit_rules_login_events
-    - audit_rules_session_events
-    - audit_rules_unsuccessful_file_modification_creat
-    - audit_rules_unsuccessful_file_modification_ftruncate
-    - audit_rules_unsuccessful_file_modification_open
-    - audit_rules_unsuccessful_file_modification_open_by_handle_at
-    - audit_rules_unsuccessful_file_modification_openat
-    - audit_rules_unsuccessful_file_modification_truncate
-    - audit_rules_privileged_commands
-    - audit_rules_media_export
-    - audit_rules_file_deletion_events_rename
-    - audit_rules_file_deletion_events_renameat
-    - audit_rules_file_deletion_events_rmdir
-    - audit_rules_file_deletion_events_unlink
-    - audit_rules_file_deletion_events_unlinkat
-    - audit_rules_sysadmin_actions
-    - audit_rules_kernel_module_loading_delete
-    - audit_rules_kernel_module_loading_finit
-    - audit_rules_kernel_module_loading_init
-    - audit_rules_immutable
-    - var_multiple_time_servers=rhel
-    - service_chronyd_enabled
-    - chronyd_specify_remote_server
-    - rpm_verify_permissions
-    - rpm_verify_hashes
-    - install_hids
-    - rsyslog_files_permissions
-    - rsyslog_files_ownership
-    - rsyslog_files_groupownership
-    - ensure_logrotate_activated
-    - package_aide_installed
-    - aide_build_database
-    - aide_periodic_cron_checking
-    - account_unique_name
-    - gid_passwd_group_same
-    - accounts_password_all_shadowed
-    - no_empty_passwords
-    - display_login_attempts
-    - account_disable_post_pw_expiration
-    - var_authselect_profile=sssd
-    - enable_authselect
-    - accounts_passwords_pam_faillock_deny
-    - accounts_passwords_pam_faillock_unlock_time
-    - dconf_db_up_to_date
-    - dconf_gnome_screensaver_idle_delay
-    - dconf_gnome_session_idle_user_locks
-    - dconf_gnome_screensaver_idle_activation_enabled
-    - dconf_gnome_screensaver_lock_enabled
-    - dconf_gnome_screensaver_mode_blank
-    - sshd_use_directory_configuration
-    - accounts_password_pam_minlen
-    - accounts_password_pam_dcredit
-    - accounts_password_pam_ucredit
-    - accounts_password_pam_lcredit
-    - accounts_password_pam_unix_remember
-    - accounts_maximum_age_login_defs
-    - ensure_oracle_gpgkey_installed
-    - ensure_gpgcheck_globally_activated
-    - ensure_gpgcheck_never_disabled
-    - security_patches_up_to_date
-    - package_opensc_installed
-    - var_smartcard_drivers=cac
-    - configure_opensc_card_drivers
-    - force_opensc_card_drivers
-    - package_pcsc-lite_installed
-    - service_pcscd_enabled
-    - sssd_enable_smartcards
-    - set_password_hashing_algorithm_systemauth
-    - set_password_hashing_algorithm_passwordauth
-    - set_password_hashing_algorithm_logindefs
-    - set_password_hashing_algorithm_libuserconf
-    - file_owner_etc_shadow
-    - file_groupowner_etc_shadow
-    - file_permissions_etc_shadow
-    - file_owner_etc_group
-    - file_groupowner_etc_group
-    - file_permissions_etc_group
-    - file_owner_etc_passwd
-    - file_groupowner_etc_passwd
-    - file_permissions_etc_passwd
-    - file_owner_grub2_cfg
-    - file_groupowner_grub2_cfg
-    - package_libreswan_installed
-    - configure_crypto_policy
-    - configure_bind_crypto_policy
-    - configure_openssl_crypto_policy
-    - configure_libreswan_crypto_policy
-    - configure_ssh_crypto_policy
-    - configure_kerberos_crypto_policy
+    - pcidss_4:all
+    - '!rpm_verify_permissions'
+    - '!package_audit-audispd-plugins_installed'
+    - '!service_ntp_enabled'
+    - '!ntpd_specify_remote_server'
+    - '!ntpd_specify_multiple_servers'
+    - '!set_ipv6_loopback_traffic'
+    - '!set_loopback_traffic'
+    - '!service_ntpd_enabled'
+    - '!package_ypserv_removed'
+    - '!package_ypbind_removed'
+    - '!package_talk_removed'
+    - '!package_talk-server_removed'
+    - '!package_xinetd_removed'
+    - '!package_rsh_removed'
+    - '!package_rsh-server_removed'
+    - '!service_chronyd_or_ntpd_enabled'
+    - '!install_PAE_kernel_on_x86-32'
+    - '!mask_nonessential_services'
+    - '!aide_periodic_checking_systemd_timer'
+    - '!nftables_ensure_default_deny_policy'
+    - '!cracklib_accounts_password_pam_lcredit'
+    - '!file_owner_at_allow'
+    - '!ensure_firewall_rules_for_open_ports'
+    - '!cracklib_accounts_password_pam_retry'
+    - '!gnome_gdm_disable_guest_login'
+    - '!sshd_use_strong_kex'
+    - '!sshd_use_approved_macs'
+    - '!group_unique_name'
+    - '!permissions_local_var_log'
+    - '!sshd_use_approved_ciphers'
+    - '!accounts_passwords_pam_tally2'
+    - '!ensure_suse_gpgkey_installed'
+    - '!ensure_redhat_gpgkey_installed'
+    - '!gnome_gdm_disable_unattended_automatic_login'
+    - '!accounts_passwords_pam_tally2_unlock_time'
+    - '!cracklib_accounts_password_pam_minlen'
+    - '!set_password_hashing_algorithm_commonauth'
+    - '!cracklib_accounts_password_pam_dcredit'
+    - '!ensure_shadow_group_empty'
+    - '!service_timesyncd_enabled'
+    # Not applicable to OL9, packages not available in OL9
+    - '!package_cryptsetup-luks_installed'
+    - '!package_dhcp_removed'
+    - '!service_rpcbind_disabled'
+    # Add oracle gpg key rule
+    - 'ensure_oracle_gpgkey_installed'