make sysctl_user_max_user_namespaces enforcing in RHEL9 OSPP
Resolves: rhbz#2083716
parent ac5b9ee8a7
commit 3c0a847089
@ -0,0 +1,27 @@
|
|||||||
|
From b18adf58035b2c2ce1d4259bccb52d364bf7a6a0 Mon Sep 17 00:00:00 2001
|
||||||
|
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
|
||||||
|
Date: Fri, 1 Jul 2022 15:22:03 +0200
|
||||||
|
Subject: [PATCH] Enforce rule sysctl_user_max_user_namespaces in RHEL 9 OSPP
|
||||||
|
|
||||||
|
Removal of the role and severity attributes will cause that
|
||||||
|
the rule will start to be evaluated and remediation will
|
||||||
|
actually disable the user namespaces on the target system.
|
||||||
|
|
||||||
|
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2083716
|
||||||
|
---
|
||||||
|
products/rhel9/profiles/ospp.profile | 2 --
|
||||||
|
1 file changed, 2 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/products/rhel9/profiles/ospp.profile b/products/rhel9/profiles/ospp.profile
|
||||||
|
index 1fad0031749..136bb163646 100644
|
||||||
|
--- a/products/rhel9/profiles/ospp.profile
|
||||||
|
+++ b/products/rhel9/profiles/ospp.profile
|
||||||
|
@@ -135,8 +135,6 @@ selections:
|
||||||
|
- sysctl_kernel_yama_ptrace_scope
|
||||||
|
- sysctl_kernel_perf_event_paranoid
|
||||||
|
- sysctl_user_max_user_namespaces
|
||||||
|
- - sysctl_user_max_user_namespaces.role=unscored
|
||||||
|
- - sysctl_user_max_user_namespaces.severity=info
|
||||||
|
- sysctl_kernel_unprivileged_bpf_disabled
|
||||||
|
- sysctl_net_core_bpf_jit_harden
|
||||||
|
- service_kdump_disabled
|
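Review bot: The embedded patch's commit message says remediation "will actually disable the user namespaces on the target system", but neither the message nor the ospp.profile hunk records that this is an intended behaviour change for hosts already managed with this profile. Dropping `sysctl_user_max_user_namespaces.role=unscored` and `sysctl_user_max_user_namespaces.severity=info` moves the rule from informational to evaluated and remediated, so I would add a sentence to the message stating that workloads depending on user namespaces stop working after remediation, so that the change is visible to whoever reads the log later. The phrasing "will cause that the rule will start to be evaluated" would also read better as "causes the rule to be evaluated".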
@ -27,6 +27,7 @@ Requires: xml-common, openscap-scanner >= 1.2.5
|
|||||||
Patch0: scap-security-guide-0.1.63-remove_sysctl_proteced_fs_rules-PR_9081.patch
|
Patch0: scap-security-guide-0.1.63-remove_sysctl_proteced_fs_rules-PR_9081.patch
|
||||||
Patch1: scap-security-guide-0.1.63-audit_access_success_unenforcing-PR_9082.patch
|
Patch1: scap-security-guide-0.1.63-audit_access_success_unenforcing-PR_9082.patch
|
||||||
Patch2: scap-security-guide-0.1.63-drop_zipl_vsyscall_argument-PR_9083.patch
|
Patch2: scap-security-guide-0.1.63-drop_zipl_vsyscall_argument-PR_9083.patch
|
||||||
|
Patch3: scap-security-guide-0.1.63-sysctl_user_max_user_namespaces_enforce_in_ospp-PR_9084.patch
|
||||||
|
|
||||||
%description
|
%description
|
||||||
The scap-security-guide project provides a guide for configuration of the
|
The scap-security-guide project provides a guide for configuration of the
|
||||||
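Review bot: The new `Patch3:` line only declares the patch, and the `%prep` section is not part of this diff, so it is not visible whether the patch is actually applied. Please confirm that `%prep` picks it up the same way as Patch0 to Patch2 (for example through `%autosetup` or a matching explicit `%patch` entry); otherwise the profile change never reaches the built content.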
@ -106,6 +107,7 @@ rm %{buildroot}/%{_docdir}/%{name}/Contributors.md
|
|||||||
- Remove sysctl_fs_protected_* rules from RHEL9 OSPP (RHBZ#2081719)
|
- Remove sysctl_fs_protected_* rules from RHEL9 OSPP (RHBZ#2081719)
|
||||||
- Make rule audit_access_success_ unenforcing in RHEL9 OSPP (RHBZ#2058154)
|
- Make rule audit_access_success_ unenforcing in RHEL9 OSPP (RHBZ#2058154)
|
||||||
- Drop zipl_vsyscall_argument rule from RHEL9 OSPP profile (RHBZ#2060049)
|
- Drop zipl_vsyscall_argument rule from RHEL9 OSPP profile (RHBZ#2060049)
|
||||||
|
- make sysctl_user_max_user_namespaces in RHEL9 OSPP (RHBZ#2083716)
|
||||||
|
|
||||||
* Wed Jun 01 2022 Matej Tyc <matyc@redhat.com> - 0.1.62-1
|
* Wed Jun 01 2022 Matej Tyc <matyc@redhat.com> - 0.1.62-1
|
||||||
- Rebase to a new upstream release (RHBZ#2070563)
|
- Rebase to a new upstream release (RHBZ#2070563)
|
||||||
|
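Review bot: The added changelog entry `- make sysctl_user_max_user_namespaces in RHEL9 OSPP (RHBZ#2083716)` is missing its key word: the commit subject says "enforcing", and without it the entry does not say what changed. Suggest `- Make rule sysctl_user_max_user_namespaces enforcing in RHEL9 OSPP (RHBZ#2083716)`, which also matches the capitalisation and the "Make rule ... unenforcing" form of the entry two lines above it.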