From e17fc6cd1e4a953a3a926c8759dfdc19f2095d62 Mon Sep 17 00:00:00 2001
From: Matthew Burket
Date: Tue, 27 Aug 2024 11:30:54 -0500
Subject: [PATCH 1/7] Exclude more package rules for RHEL 10 HIPAA
---
 products/rhel10/profiles/hipaa.profile | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/products/rhel10/profiles/hipaa.profile b/products/rhel10/profiles/hipaa.profile
index 93169b66927..e18b9f9e5d3 100644
--- a/products/rhel10/profiles/hipaa.profile
+++ b/products/rhel10/profiles/hipaa.profile
@@ -44,3 +44,6 @@ selections:
 - '!package_xinetd_removed'
 - '!package_rsh_removed'
 - '!package_rsh-server_removed'
+ - '!package_tcp_wrappers_removed'
+ - '!package_xinetd_removed'
+ - '!service_xinetd_disabled'
From d2f79ca860e9f8606d089cd8ebd2c1853ccf7223 Mon Sep 17 00:00:00 2001
From: Matthew Burket
Date: Tue, 27 Aug 2024 11:31:46 -0500
Subject: [PATCH 2/7] Exclude auditd_audispd_syslog_plugin_activated from RHEL 10 HIPAA Since Audit 3.0+ auditd_audispd is no longer used.
---
 products/rhel10/profiles/hipaa.profile | 1 +
 1 file changed, 1 insertion(+)
diff --git a/products/rhel10/profiles/hipaa.profile b/products/rhel10/profiles/hipaa.profile
index e18b9f9e5d3..7ec2de8d632 100644
--- a/products/rhel10/profiles/hipaa.profile
+++ b/products/rhel10/profiles/hipaa.profile
@@ -39,6 +39,7 @@ selections:
 - '!sshd_use_approved_ciphers'
 - '!accounts_passwords_pam_tally2'
 - '!package_audit-audispd-plugins_installed'
+ - '!auditd_audispd_syslog_plugin_activated'
 - '!package_ypserv_removed'
 - '!package_ypbind_removed'
 - '!package_xinetd_removed'
From d85a1f9bc678704ef8db13f301be7f3ecb56dd82 Mon Sep 17 00:00:00 2001
From: Matthew Burket
Date: Tue, 27 Aug 2024 11:33:05 -0500
Subject: [PATCH 3/7] Remove SSH 2 Config From RHEL 10 HIPAA SSH 2 is long dead, time to remove the rule from this profile
---
 products/rhel10/profiles/hipaa.profile | 1 +
 1 file changed, 1 insertion(+)
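Review bot: In PATCH 1/7's hunk (`@@ -44,3 +44,6 @@`), the added `- '!package_xinetd_removed'` duplicates the entry that is already the first context line of the same hunk. Whether the profile loader tolerates a repeated exclusion is not visible here, so the safe form is to drop the second added line and keep only `- '!package_tcp_wrappers_removed'` and `- '!service_xinetd_disabled'`. The `selections:` list starts outside the hunk.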
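Review bot: PATCH 2/7's hunk (`@@ -39,6 +39,7 @@`) excludes `auditd_audispd_syslog_plugin_activated` without selecting anything in its place, so as far as these lines show, the RHEL 10 profile no longer checks that audit records are forwarded to syslog. If forwarding is still expected on RHEL 10, a rule covering the current auditd plugin configuration should be selected instead of leaving a gap. If it is not expected, record that beside the entry, for example `# Audit 3.0 merged audispd into auditd; syslog forwarding is not checked by this profile`. The `selections:` list starts before and continues after the hunk.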
diff --git a/products/rhel10/profiles/hipaa.profile b/products/rhel10/profiles/hipaa.profile
index 7ec2de8d632..9d97583cd1f 100644
--- a/products/rhel10/profiles/hipaa.profile
+++ b/products/rhel10/profiles/hipaa.profile
@@ -48,3 +48,4 @@ selections:
 - '!package_tcp_wrappers_removed'
 - '!package_xinetd_removed'
 - '!service_xinetd_disabled'
+ - '!sshd_allow_only_protocol2'
From c80880c2b0a6d3ca5ca72e5cb6b6bef81d557aa3 Mon Sep 17 00:00:00 2001
From: Matthew Burket
Date: Tue, 27 Aug 2024 11:33:38 -0500
Subject: [PATCH 4/7] Allow kerb5 Auth for RHEL 10 HIPAA There is no basis for this in RHEL 10.
---
 products/rhel10/profiles/hipaa.profile | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/products/rhel10/profiles/hipaa.profile b/products/rhel10/profiles/hipaa.profile
index 9d97583cd1f..0d23e366fef 100644
--- a/products/rhel10/profiles/hipaa.profile
+++ b/products/rhel10/profiles/hipaa.profile
@@ -49,3 +49,5 @@ selections:
 - '!package_xinetd_removed'
 - '!service_xinetd_disabled'
 - '!sshd_allow_only_protocol2'
+ - '!sshd_disable_kerb_auth'
+ - '!sshd_disable_gssapi_auth'
From 0cc4c4291c9f19cb22d22ed0317550234fe79bb3 Mon Sep 17 00:00:00 2001
From: Matthew Burket
Date: Tue, 27 Aug 2024 11:33:58 -0500
Subject: [PATCH 5/7] Add variables to HIPAA control
---
 controls/hipaa.yml | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/controls/hipaa.yml b/controls/hipaa.yml
index a2eaad9c65d..a56a0cf4831 100644
--- a/controls/hipaa.yml
+++ b/controls/hipaa.yml
@@ -533,6 +533,7 @@ controls:
 - restrict_serial_port_logins
 - securetty_root_login_console_only
 - enable_authselect
+ - var_authselect_profile=sssd
 - file_groupowner_grub2_cfg
 - file_groupowner_user_cfg
 - file_owner_grub2_cfg
@@ -944,6 +945,8 @@ controls:
 - selinux_confinement_of_daemons
 - selinux_policytype
 - selinux_state
+ - var_selinux_policy_name=targeted
+ - var_selinux_state=enforcing
 - dconf_gnome_remote_access_credential_prompt
 - dconf_gnome_remote_access_encryption
 status: automated
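Review bot: PATCH 4/7's hunk (`@@ -49,3 +49,5 @@`) turns off `sshd_disable_kerb_auth` and `sshd_disable_gssapi_auth` for every RHEL 10 host scanned with this profile, including hosts that never use Kerberos. On those hosts an unintentionally enabled Kerberos or GSSAPI login path in sshd is no longer reported. Both rules are still listed in `controls/hipaa.yml` (visible as context in PATCH 5/7's `@@ -1736,6 +1740,7 @@` hunk), so these two lines are the only record of the divergence. A comment above them would make the decision reviewable, for example `# Kerberos/GSSAPI sshd authentication is permitted on RHEL 10; excluded deliberately`. The `selections:` list starts outside the hunk.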
@@ -1138,6 +1141,7 @@ controls: levels: - required rules: + - var_audit_failure_mode=panic - audit_rules_dac_modification_chmod - audit_rules_dac_modification_chown - audit_rules_dac_modification_fchmod @@ -1736,6 +1740,7 @@ controls: - sshd_allow_only_protocol2 - sshd_disable_compression - sshd_disable_empty_passwords + - sshd_disable_empty_passwords - sshd_disable_gssapi_auth - sshd_disable_kerb_auth - sshd_disable_rhosts_rsa From 6f74d6e8372d76c91050d49a0e66238ceb0326fd Mon Sep 17 00:00:00 2001 From: Matthew Burket Date: Tue, 27 Aug 2024 11:34:50 -0500 Subject: [PATCH 6/7] Remove sshd_set_keepalive_0 from RHEL 10 control file sshd_set_keepalive and sshd_set_keepalive_0 conflict so I removed sshd_set_keepalive_0 since it was not in the RHEL 9 profile. --- controls/hipaa.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/controls/hipaa.yml b/controls/hipaa.yml index a56a0cf4831..8be51ba9e8d 100644 --- a/controls/hipaa.yml +++ b/controls/hipaa.yml @@ -641,7 +641,7 @@ controls: - sshd_enable_warning_banner - sshd_enable_warning_banner_net - sshd_set_keepalive - - sshd_set_keepalive_0 + - var_sshd_set_keepalive=1 - sshd_use_approved_ciphers - sshd_use_approved_macs - sshd_use_priv_separation From fc2c9ff06d2736129d6a9c44b932f7326f9a715a Mon Sep 17 00:00:00 2001 From: Matthew Burket Date: Wed, 28 Aug 2024 13:08:11 -0500 Subject: [PATCH 7/7] Fix double sshd_disable_empty_passwords in controls/hipaa.yml --- controls/hipaa.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/controls/hipaa.yml b/controls/hipaa.yml index 8be51ba9e8d..6588de244fd 100644 --- a/controls/hipaa.yml +++ b/controls/hipaa.yml @@ -1740,7 +1740,6 @@ controls: - sshd_allow_only_protocol2 - sshd_disable_compression - sshd_disable_empty_passwords - - sshd_disable_empty_passwords - sshd_disable_gssapi_auth - sshd_disable_kerb_auth - sshd_disable_rhosts_rsa
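Review bot: In PATCH 5/7's `@@ -1138,6 +1141,7 @@` hunk, `var_audit_failure_mode=panic` sits at the head of the `rules:` list, ahead of the `audit_rules_dac_modification_*` entries. The other variables in this patch follow the rule they parameterise (`enable_authselect` then `var_authselect_profile=sssd`, `selinux_state` then `var_selinux_state=enforcing`). No rule that consumes the audit failure mode is visible in the hunk, so it cannot be confirmed from here that the value has any effect in this control. Since `panic` presumably maps to the audit failure mode that halts the host when auditing fails, trading availability for audit completeness, move the line next to its consuming rule and add a comment such as `# panic: halt rather than run unaudited`. The `rules:` list continues past the hunk.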
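Review bot: PATCH 6/7's hunk (`@@ -641,7 +641,7 @@`) replaces `sshd_set_keepalive_0` with `var_sshd_set_keepalive=1` in `controls/hipaa.yml`, a path that is not specific to RHEL 10. Any other product profile built from this control file would therefore lose the rule and inherit the new value; whether such consumers exist is not visible here. If the change is meant for RHEL 10 only, the pattern from PATCH 1/7 to 4/7 fits better: leave the control file unchanged and add `- '!sshd_set_keepalive_0'` to `products/rhel10/profiles/hipaa.profile`. The rules list starts before and continues after the hunk.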