Bring back oval_feed_url and enable ANSSI R67 rule for AlmaLinux

2024-06-10 14:52:38 +00:00 · 2024-06-10 14:52:38 +00:00 · e430f844e6
commit e430f844e6
parent d563de6142
1 changed files with 38 additions and 3 deletions
--- a/SOURCES/0001-Add-AlmaLinux-8-support.patch
+++ b/SOURCES/0001-Add-AlmaLinux-8-support.patch
@ -66,7 +66,7 @@ index 2b00bd908..4fc431b04 100644
 - ensure_gpgcheck_globally_activated
 - ensure_gpgcheck_local_packages
 diff --git a/controls/anssi.yml b/controls/anssi.yml
-index d02cd2523..b00619dfa 100644
+index d02cd2523..54d70cfe3 100644
 --- a/controls/anssi.yml
 +++ b/controls/anssi.yml
@@ -1238,7 +1238,7 @@ controls:
@ -78,6 +78,40 @@ index d02cd2523..b00619dfa 100644
     - ensure_oracle_gpgkey_installed
 
   - id: R60
+@@ -1356,16 +1356,13 @@ controls:
+       When authentication takes place through a remote application (network),
+       the authentication protocol used by PAM must be secure (flow encryption,
+       remote server authentication, anti-replay mechanisms, ...).
+-    {{% if "rhel" in product %}}
+     notes: |-
+       In RHEL systems, remote authentication is handled through sssd service.
+       PAM delegates requests for remote authentication to this service through a
+       local Unix socket. The sssd service can use IPA, AD or LDAP as a remote
+       database containing information required for authentication. In case IPA or  AD is configured through a documented way, the connection is secured by default. In case LDAP is configured manually, there are several configuration options which should be chedked.
+-      {{% if product in ["rhel7", "rhel8"] %}}
+       An allternative solution is to use nss-pam-ldapd package.
+       In case this package is used, we make sure that SSL is turned on and certificate is configured.
+-      {{% endif %}}
+     status: automated
+     rules:
+       - package_sssd_installed
+@@ -1373,16 +1370,10 @@ controls:
+       - sssd_enable_pam_services
+       - sssd_ldap_configure_tls_reqcert
+       - sssd_ldap_start_tls
+-      {{% if product in ["rhel7", "rhel8"] %}}
+       - ldap_client_start_tls
+       - ldap_client_tls_cacertpath
+-      {{% endif %}}
+     related_rules:
+       - package_sssd-ipa_installed
+-    {{% else %}}
+-    notes: We cannot automate securing of remote PAM authentication in a general way.
+-    status: manual
+-    {{% endif %}}
+ 
+   - id: R68
+     title: Protecting stored passwords
 diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml
 index 48406c172..28ae0c5c2 100644
 --- a/controls/cis_rhel8.yml
@ -19330,10 +19364,10 @@ index 000000000..08c87ea68
 +</Group>
 diff --git a/products/almalinux8/product.yml b/products/almalinux8/product.yml
 new file mode 100644
-index 000000000..fadfc608a
+index 000000000..536dc8a7c
 --- /dev/null
 +++ b/products/almalinux8/product.yml
-@@ -0,0 +1,51 @@
+@@ -0,0 +1,52 @@
 +product: almalinux8
 +full_name: AlmaLinux 8
 +type: platform
@ -19362,6 +19396,7 @@ index 000000000..fadfc608a
 +
 +release_key_fingerprint: "5E9B8F5617B5066CE92057C3488FCF7C3ABB34F8"
 +auxiliary_key_fingerprint: "BC5EDDCADF502C077F1582882AE81E8ACED7258B"
+oval_feed_url: "https://security.almalinux.org/oval/org.almalinux.alsa-8.xml.bz2"
 +
 +groups:
 +  dedicated_ssh_keyowner: