From 12ac229c2fabedf1846c3936bf8038dfcb7d5c71 Mon Sep 17 00:00:00 2001
From: Armando Acosta
Date: Wed, 15 Jan 2025 17:18:51 -0600
Subject: [PATCH 1/7] Update anssi profiles for OL8
Signed-off-by: Armando Acosta
---
 products/ol8/profiles/anssi_bp28_enhanced.profile | 2 ++
 products/ol8/profiles/anssi_bp28_high.profile | 2 ++
 products/ol8/profiles/anssi_bp28_intermediary.profile | 2 ++
 products/ol8/profiles/anssi_bp28_minimal.profile | 2 ++
 4 files changed, 8 insertions(+)
diff --git a/products/ol8/profiles/anssi_bp28_enhanced.profile b/products/ol8/profiles/anssi_bp28_enhanced.profile
index ec8407c05cb..5359e7b3f8c 100644
--- a/products/ol8/profiles/anssi_bp28_enhanced.profile
+++ b/products/ol8/profiles/anssi_bp28_enhanced.profile
@@ -13,6 +13,8 @@ description: |-
 selections:
 - anssi:all:enhanced
+ - var_password_hashing_algorithm=SHA512
+ - var_password_pam_unix_rounds=65536
 # Following rules once had a prodtype incompatible with the ol8 product
 - '!accounts_passwords_pam_tally2_deny_root'
 - '!timer_logrotate_enabled'
diff --git a/products/ol8/profiles/anssi_bp28_high.profile b/products/ol8/profiles/anssi_bp28_high.profile
index 9f6b42e0d25..8096c3a6333 100644
--- a/products/ol8/profiles/anssi_bp28_high.profile
+++ b/products/ol8/profiles/anssi_bp28_high.profile
@@ -13,6 +13,8 @@ description: |-
 selections:
 - anssi:all:high
+ - var_password_hashing_algorithm=SHA512
+ - var_password_pam_unix_rounds=65536
 # Following rules once had a prodtype incompatible with the ol8 product
 - '!accounts_passwords_pam_tally2_deny_root'
 - '!timer_logrotate_enabled'
diff --git a/products/ol8/profiles/anssi_bp28_intermediary.profile b/products/ol8/profiles/anssi_bp28_intermediary.profile
index 97172289d37..69655c2ab56 100644
--- a/products/ol8/profiles/anssi_bp28_intermediary.profile
+++ b/products/ol8/profiles/anssi_bp28_intermediary.profile
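Review bot: The two added lines pin `var_password_hashing_algorithm=SHA512` (the login.defs/libuser-side variable) and the pam_unix rounds, but not the PAM-side counterpart `var_password_hashing_algorithm_pam`, whereas the stig patch later in this series sets both variables together. If the `anssi:all:enhanced` control selects the `set_password_hashing_algorithm_systemauth`/`_passwordauth` rules (I believe it does), they evaluate against that variable's default rather than the value pinned here, so consider adding `- var_password_hashing_algorithm_pam=sha512` next to the new lines, and the same in the high, intermediary and minimal profiles of this patch. A one-line rationale such as `# ANSSI BP-028: store local password hashes with SHA-512 and a high iteration count` would also record why 65536 rounds is pinned instead of the variable default. The selections list continues past the end of this hunk.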
@@ -13,6 +13,8 @@ description: |-
 selections:
 - anssi:all:intermediary
+ - var_password_hashing_algorithm=SHA512
+ - var_password_pam_unix_rounds=65536
 # Following rules once had a prodtype incompatible with the ol8 product
 - '!cracklib_accounts_password_pam_minlen'
 - '!accounts_passwords_pam_tally2_deny_root'
diff --git a/products/ol8/profiles/anssi_bp28_minimal.profile b/products/ol8/profiles/anssi_bp28_minimal.profile
index 5796299ff12..2efbac85f47 100644
--- a/products/ol8/profiles/anssi_bp28_minimal.profile
+++ b/products/ol8/profiles/anssi_bp28_minimal.profile
@@ -13,6 +13,8 @@ description: |-
 selections:
 - anssi:all:minimal
+ - var_password_hashing_algorithm=SHA512
+ - var_password_pam_unix_rounds=65536
 # Following rules once had a prodtype incompatible with the ol8 product
 - '!cracklib_accounts_password_pam_minlen'
 - '!accounts_passwords_pam_tally2_deny_root'
From 13951ccea4ff3e27395598cd89bd14197a512803 Mon Sep 17 00:00:00 2001
From: Armando Acosta
Date: Wed, 15 Jan 2025 17:48:02 -0600
Subject: [PATCH 2/7] Update ospp profile for OL8
Signed-off-by: Armando Acosta
---
 products/ol8/profiles/ospp.profile | 10 +++-------
 1 file changed, 3 insertions(+), 7 deletions(-)
diff --git a/products/ol8/profiles/ospp.profile b/products/ol8/profiles/ospp.profile
index 856313e08db..de855c52c40 100644
--- a/products/ol8/profiles/ospp.profile
+++ b/products/ol8/profiles/ospp.profile
@@ -187,8 +187,6 @@ selections:
 - package_openssh-clients_installed
 - package_policycoreutils-python-utils_installed
 - package_rsyslog_installed
- - package_rsyslog-gnutls_installed
- - package_audispd-plugins_installed
 - package_chrony_installed
 - package_gnutls-utils_installed
@@ -216,6 +214,8 @@ selections:
 - var_accounts_max_concurrent_login_sessions=10
 - accounts_max_concurrent_login_sessions
 - securetty_root_login_console_only
+ - var_authselect_profile=minimal
+ - enable_authselect
 - var_password_pam_unix_remember=5
 - accounts_password_pam_unix_remember
 - use_pam_wheel_for_su
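Review bot: `enable_authselect` with `var_authselect_profile=minimal` is dropped into the middle of a run of PAM-stack rules (`accounts_password_pam_unix_remember`, `use_pam_wheel_for_su` right below it) with no comment, and those rules edit the same /etc/pam.d/system-auth and password-auth files that authselect takes ownership of. As I recall, the `enable_authselect` remediation refuses to select a profile when `authselect check` reports locally modified PAM files, and the `minimal` profile carries no sssd feature, so the remediation order relative to the other PAM rules should be confirmed in a test build on OL8 rather than assumed. Since the stig profile in this same series pins `var_authselect_profile=sssd` for the same product, a short comment stating why OSPP chooses `minimal` would help, e.g. `# OSPP covers local accounts only; select the minimal authselect profile and layer the PAM rules below on top of it`. The selections list continues beyond what this hunk shows.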
@@ -299,7 +299,7 @@ selections:
 ## Disable Unauthenticated Login (such as Guest Accounts)
 ## FIA_UAU.1
 - require_singleuser_auth
- - grub2_disable_interactive_boot
+ - grub2_disable_recovery
 - grub2_uefi_password
 - no_empty_passwords
@@ -410,10 +410,6 @@ selections:
 # Enable dnf-automatic Timer
 - timer_dnf-automatic_enabled
- # Configure TLS for remote logging
- - rsyslog_remote_tls
- - rsyslog_remote_tls_cacert
-
 # Prevent Kerberos use by system daemons
 - kerberos_disable_no_keytab
From 34d402089b8ca99cfe9fb3773704171b1971aa4c Mon Sep 17 00:00:00 2001
From: Armando Acosta
Date: Wed, 15 Jan 2025 17:52:28 -0600
Subject: [PATCH 3/7] Update cui profile for OL8
Signed-off-by: Armando Acosta
---
 products/ol8/profiles/cui.profile | 1 +
 1 file changed, 1 insertion(+)
diff --git a/products/ol8/profiles/cui.profile b/products/ol8/profiles/cui.profile
index df69c781c98..ee3bf2bdb55 100644
--- a/products/ol8/profiles/cui.profile
+++ b/products/ol8/profiles/cui.profile
@@ -25,3 +25,4 @@ extends: ospp
 selections:
 - inactivity_timeout_value=10_minutes
+ - var_system_crypto_policy=fips
From 875e9123fda7a584b67ca5e28621b0c841d3f0dd Mon Sep 17 00:00:00 2001
From: Armando Acosta
Date: Wed, 15 Jan 2025 17:56:12 -0600
Subject: [PATCH 4/7] Update ism_o profile for OL8
Signed-off-by: Armando Acosta
---
 products/ol8/profiles/ism_o.profile | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/products/ol8/profiles/ism_o.profile b/products/ol8/profiles/ism_o.profile
index 3b8c90242f6..f798940e5e7 100644
--- a/products/ol8/profiles/ism_o.profile
+++ b/products/ol8/profiles/ism_o.profile
@@ -57,3 +57,10 @@ selections:
 # Packages not available in OL
 - "!package_libdnf-plugin-subscription-manager_installed"
 - "!package_subscription-manager_installed"
+
+ # These rules are introduced by ism_o control
+ - "!grub2_enable_fips_mode"
+ - "!package_pcsc-lite-ccid_installed"
+ - "!system_booted_in_fips_mode"
+ - "var_password_hashing_algorithm_pam=sha512"
+ - "enable_fips_mode"
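Review bot: Deleting `rsyslog_remote_tls` and `rsyslog_remote_tls_cacert` here (together with `package_rsyslog-gnutls_installed` earlier in this patch) removes the only selections in this profile that protect off-host log transfer, and the commit gives no reason. OSPP expects audit records forwarded to a remote server to travel over a trusted channel (FTP_ITC_EXT.1 / FAU_STG_EXT.1), so if the cause is that `rsyslog-gnutls` is not shipped for OL8, the convention used elsewhere in this series (ism_o, pci-dss) is to keep the rules and negate them under a comment rather than let them silently disappear, e.g. `# rsyslog-gnutls is not available in OL8; TLS for remote logging must be provided by other means` followed by `- '!rsyslog_remote_tls'` and `- '!rsyslog_remote_tls_cacert'`. If the package is in fact available on OL8 the removal is a security regression and should be reverted. The selections list continues outside this hunk.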
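Review bot: `var_system_crypto_policy=fips` is added with no comment, and as a bare variable override its effect depends on the parent ospp profile selecting `configure_crypto_policy` (presumably it does, but confirm, since an unused variable fails silently). The value is an option name of the variable rather than the policy string, so its lowercase form is correct, but a reader needs the rationale: `# NIST SP 800-171 3.13.11: CUI must be protected with FIPS-validated cryptography, so pin the system-wide crypto policy to FIPS`. If ospp already selects a different option for OL8 (for example the FIPS:OSPP subpolicy) the comment should say that CUI deliberately overrides it; if it selects the same value this line is redundant.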
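Review bot: The comment `# These rules are introduced by ism_o control` says where the rules come from but not why `grub2_enable_fips_mode` and `system_booted_in_fips_mode` are negated while `enable_fips_mode` stays selected; with the boot-time check gone the profile no longer fails on a host whose kernel was not booted with `fips=1`, which is what gives the FIPS requirement its teeth. If those two rules simply lack OL8 in their applicability (presumably the same situation as the unavailable packages above), state that and the resulting gap: `# grub2_enable_fips_mode and system_booted_in_fips_mode are not applicable to ol8 yet; enable_fips_mode alone does not verify the running kernel is in FIPS mode`. If they are applicable they should remain selected. Separately, this hunk pins `var_password_hashing_algorithm_pam=sha512` but not the login.defs-side `var_password_hashing_algorithm`, the mirror image of the anssi patch in this series; the stig patch sets both, which keeps the pam_unix and login.defs checks consistent and would be the pattern to follow here.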
From 78a970e9774a228b831125488dce03415fcef4f1 Mon Sep 17 00:00:00 2001
From: Armando Acosta
Date: Wed, 15 Jan 2025 18:13:51 -0600
Subject: [PATCH 5/7] Update stig profile for OL8
Signed-off-by: Armando Acosta
---
 products/ol8/profiles/stig.profile | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/products/ol8/profiles/stig.profile b/products/ol8/profiles/stig.profile
index 8ef98ba15da..4b46bd70c69 100644
--- a/products/ol8/profiles/stig.profile
+++ b/products/ol8/profiles/stig.profile
@@ -19,6 +19,7 @@ selections:
 - var_password_pam_difok=8
 - var_password_pam_maxrepeat=3
 - var_password_hashing_algorithm=SHA512
+ - var_password_hashing_algorithm_pam=sha512
 - var_password_pam_maxclassrepeat=4
 - var_password_pam_minclass=4
 - var_accounts_minimum_age_login_defs=1
@@ -61,6 +62,7 @@ selections:
 - var_sssd_certificate_verification_digest_function=sha1
 - login_banner_text=dod_banners
 - var_authselect_profile=sssd
+ - var_multiple_time_servers=stig
 ### Enable / Configure FIPS
 - enable_fips_mode
@@ -467,7 +469,7 @@ selections:
 - accounts_have_homedir_login_defs
 # OL08-00-010770
- - file_permission_user_init_files
+ - file_permission_user_init_files_root
 # OL08-00-010780
 - no_files_unowned_by_user
From e376f60f0a9b861782cb439b75f0e29315e796f6 Mon Sep 17 00:00:00 2001
From: Armando Acosta
Date: Wed, 15 Jan 2025 18:18:16 -0600
Subject: [PATCH 6/7] Update stig_gui profile for OL8
Signed-off-by: Armando Acosta
---
 products/ol8/profiles/stig_gui.profile | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/products/ol8/profiles/stig_gui.profile b/products/ol8/profiles/stig_gui.profile
index e5e2dc7a83e..fbdcb184ae4 100644
--- a/products/ol8/profiles/stig_gui.profile
+++ b/products/ol8/profiles/stig_gui.profile
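Review bot: The OL08-00-010770 mapping is swapped from `file_permission_user_init_files` to `file_permission_user_init_files_root` without a comment, and the two rules do not have the same scope — by its name the `_root` variant also covers the root account's initialization files, which the original rule does not. If the intent is to track the RHEL 8 STIG mapping for RHEL-08-010770 a comment saying so is enough, e.g. `# OL08-00-010770 (same rule as the RHEL-08-010770 mapping; includes root's init files)`; otherwise confirm the new rule's scope against the STIG check text before switching. The other two hunks in this patch look right: pinning both `var_password_hashing_algorithm` and `var_password_hashing_algorithm_pam` keeps the login.defs and pam_unix checks consistent, and `var_multiple_time_servers=stig` is only meaningful if the rule that consumes it is selected elsewhere in the profile, which this hunk cannot show. The selections list continues outside these hunks.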
@@ -20,3 +20,10 @@ extends: stig
 selections:
 - '!xwindows_remove_packages'
 - '!xwindows_runlevel_target'
+
+ # OL08-00-040284
+ # Limiting user namespaces cause issues with user apps, such as Firefox and Cheese
+ - '!sysctl_user_max_user_namespaces'
+
+ # locking of idle sessions is handled by screensaver when GUI is present, the following rule is therefore redundant
+ - '!logind_session_timeout'
From 17c5fa36eb7c31bd7761e0120236d529c686b54c Mon Sep 17 00:00:00 2001
From: Armando Acosta
Date: Mon, 20 Jan 2025 17:33:11 -0600
Subject: [PATCH 7/7] Update pci-dss profile for OL8
Signed-off-by: Armando Acosta
---
 products/ol8/profiles/pci-dss.profile | 1 -
 products/ol9/profiles/pci-dss.profile | 1 -
 2 files changed, 2 deletions(-)
diff --git a/products/ol8/profiles/pci-dss.profile b/products/ol8/profiles/pci-dss.profile
index 009ccf95f01..c0bcba3b17d 100644
--- a/products/ol8/profiles/pci-dss.profile
+++ b/products/ol8/profiles/pci-dss.profile
@@ -54,5 +54,4 @@ selections:
 - '!ensure_almalinux_gpgkey_installed'
 - 'ensure_oracle_gpgkey_installed'
 # Rules not applicable to OL8
- - '!package_dhcp_removed'
 - '!install_PAE_kernel_on_x86-32'
diff --git a/products/ol9/profiles/pci-dss.profile b/products/ol9/profiles/pci-dss.profile
index ca75232ab40..5ced39f6067 100644
--- a/products/ol9/profiles/pci-dss.profile
+++ b/products/ol9/profiles/pci-dss.profile
@@ -61,7 +61,6 @@ selections:
 - '!service_timesyncd_enabled'
 # Not applicable to OL9, packages not available in OL9
 - '!package_cryptsetup-luks_installed'
- - '!package_dhcp_removed'
 - '!service_rpcbind_disabled'
 # Add oracle gpg key rule
 - 'ensure_oracle_gpgkey_installed'
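Review bot: Negating `sysctl_user_max_user_namespaces` leaves OL08-00-040284 open on every GUI host built from this profile, and the new comment records the reason but not that this is an accepted deviation from the STIG, which is what an assessor will ask about. Suggest wording it so the gap is explicit (and fixing the grammar, "cause" → "causes"): `# OL08-00-040284: limiting user namespaces breaks sandboxed desktop apps such as Firefox and Cheese; documented deviation, the finding remains open`. The second negation relies on GUI screensaver rules inherited from stig (presumably the `dconf_gnome_screensaver_*` rules) to supply the idle lock; naming them in the comment, e.g. `# idle-session locking is provided by the inherited dconf_gnome_screensaver_* rules, so logind_session_timeout is redundant here`, stops a later removal of those rules from silently dropping session locking.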
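Review bot: Removing `'!package_dhcp_removed'` from the "Rules not applicable to OL8" list re-enables that rule for OL8 (the ol9 hunk does the same for OL9), so the profile will now fail or remediate any host where the DHCP server package is installed, but nothing in the commit says what changed to make the rule applicable, and the subject line mentions only OL8 although ol9 is edited too. Presumably the rule's package name now resolves for these products (on EL8/EL9 the server package is `dhcp-server`, not `dhcp`); if it does not, the check is vacuous and the negation was harmless, so confirm before merging. A one-line comment such as `# package_dhcp_removed resolves to dhcp-server on OL8 and is applicable again` next to the remaining `'!install_PAE_kernel_on_x86-32'` entry would record the reason for the next person who audits this list.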