Enable ANSSI R69 rule for AlmaLinux

Andrew Lukoshko 2024-06-11 09:14:18 +00:00
parent e430f844e6
commit 9085c9f9d9

@ -66,7 +66,7 @@ index 2b00bd908..4fc431b04 100644
- ensure_gpgcheck_globally_activated - ensure_gpgcheck_globally_activated
- ensure_gpgcheck_local_packages - ensure_gpgcheck_local_packages
diff --git a/controls/anssi.yml b/controls/anssi.yml diff --git a/controls/anssi.yml b/controls/anssi.yml
index d02cd2523..54d70cfe3 100644 index d02cd2523..deec2f8e9 100644
--- a/controls/anssi.yml --- a/controls/anssi.yml
+++ b/controls/anssi.yml +++ b/controls/anssi.yml
@@ -1238,7 +1238,7 @@ controls: @@ -1238,7 +1238,7 @@ controls:
@ -112,6 +112,30 @@ index d02cd2523..54d70cfe3 100644
- id: R68 - id: R68
title: Protecting stored passwords title: Protecting stored passwords
@@ -1411,23 +1402,14 @@ controls:
When the user databases are stored on a remote network service, NSS must
be configured to establish a secure link that allows, at minimum, to
authenticate the server and protect the communication channel.
- {{% if "rhel" in product %}}
notes: |-
A nsswitch service connecting to remote database is provided by sssd. This is checked in requirement R67.
Another such service is winbind which is by default configured to connect
securely to Samba domains.
Other relevant services are NIS and Hesiod. These should not be used.
status: automated
- {{% if product in ["rhel7", "rhel8"] %}}
rules:
- no_nis_in_nsswitch
- {{% if product == "rhel7" %}}
- - no_hesiod_in_nsswitch
- {{% endif %}}
- {{% endif %}}
- {{% else %}}
- status: pending
- {{% endif %}}
- id: R70
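Review bot: in the R69 block, deleting the `{{% if "rhel" in product %}}` and `{{% if product in ["rhel7", "rhel8"] %}}` guards makes `status: automated` and `no_nis_in_nsswitch` unconditional for every product that consumes this control file, not only AlmaLinux, and the `status: pending` fallback disappears with them. The rhel7-only `no_hesiod_in_nsswitch` selection is removed as well, while the notes still state that NIS and Hesiod should not be used, so the automated status now claims more than the single remaining rule checks. Consider extending the existing conditions to include the AlmaLinux product rather than removing them, or keep the Hesiod rule and explain in the patch description why dropping the guards is safe.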
diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml
index 48406c172..28ae0c5c2 100644 index 48406c172..28ae0c5c2 100644
--- a/controls/cis_rhel8.yml --- a/controls/cis_rhel8.yml