From 9085c9f9d94d578ffb90c92da615bf89cd56178f Mon Sep 17 00:00:00 2001
From: Andrew Lukoshko
Date: Tue, 11 Jun 2024 09:14:18 +0000
Subject: [PATCH] Enable ANSSI R69 rule for AlmaLinux
---
 SOURCES/0001-Add-AlmaLinux-8-support.patch | 26 +++++++++++++++++++++-
 1 file changed, 25 insertions(+), 1 deletion(-)
diff --git a/SOURCES/0001-Add-AlmaLinux-8-support.patch b/SOURCES/0001-Add-AlmaLinux-8-support.patch
index 37f79c6..751a580 100644
--- a/SOURCES/0001-Add-AlmaLinux-8-support.patch
+++ b/SOURCES/0001-Add-AlmaLinux-8-support.patch
@@ -66,7 +66,7 @@ index 2b00bd908..4fc431b04 100644
 - ensure_gpgcheck_globally_activated
 - ensure_gpgcheck_local_packages
 diff --git a/controls/anssi.yml b/controls/anssi.yml
-index d02cd2523..54d70cfe3 100644
+index d02cd2523..deec2f8e9 100644
 --- a/controls/anssi.yml
 +++ b/controls/anssi.yml
 @@ -1238,7 +1238,7 @@ controls:
@@ -112,6 +112,30 @@ index d02cd2523..54d70cfe3 100644
 - id: R68
 title: Protecting stored passwords
+@@ -1411,23 +1402,14 @@ controls:
+ When the user databases are stored on a remote network service, NSS must
+ be configured to establish a secure link that allows, at minimum, to
+ authenticate the server and protect the communication channel.
+- {{% if "rhel" in product %}}
+ notes: |-
+ A nsswitch service connecting to remote database is provided by sssd. This is checked in requirement R67.
+ Another such service is winbind which is by default configured to connect
+ securely to Samba domains.
+ Other relevant services are NIS and Hesiod. These should not be used.
+ status: automated
+- {{% if product in ["rhel7", "rhel8"] %}}
+ rules:
+ - no_nis_in_nsswitch
+- {{% if product == "rhel7" %}}
+- - no_hesiod_in_nsswitch
+- {{% endif %}}
+- {{% endif %}}
+- {{% else %}}
+- status: pending
+- {{% endif %}}
+
+
+ - id: R70
 diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml
 index 48406c172..28ae0c5c2 100644
 --- a/controls/cis_rhel8.yml
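Review bot: In the second hunk, the nested `@@ -1411,23 +1402,14 @@` change to `controls/anssi.yml` leaves R69 marked `status: automated` with `no_nis_in_nsswitch` as its only rule, although the retained notes say that NIS and Hesiod should both not be used. The `{{% if "rhel" in product %}}` and `{{% if product in ["rhel7", "rhel8"] %}}` guards are deleted rather than extended, and `no_hesiod_in_nsswitch` goes with the `rhel7` guard, so a passing scan would confirm only the NIS part of the requirement. Winbind's secure configuration is also only stated in the notes, not checked by a rule. If the Hesiod rule applies to the AlmaLinux product (not visible here), keep `- no_hesiod_in_nsswitch` under `rules:`. Otherwise consider `status: partial` with a sentence in `notes` saying only the NIS entry in nsswitch is verified, so the compliance report does not overstate coverage.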