Bring back oval_feed_url and enable ANSSI R67 rule for AlmaLinux
parent d563de6142
commit e430f844e6
@ -66,7 +66,7 @@ index 2b00bd908..4fc431b04 100644
- ensure_gpgcheck_globally_activated
- ensure_gpgcheck_local_packages
diff --git a/controls/anssi.yml b/controls/anssi.yml
index d02cd2523..b00619dfa 100644
index d02cd2523..54d70cfe3 100644
--- a/controls/anssi.yml
+++ b/controls/anssi.yml
@@ -1238,7 +1238,7 @@ controls:
@ -78,6 +78,40 @@ index d02cd2523..b00619dfa 100644
- ensure_oracle_gpgkey_installed
- id: R60
@@ -1356,16 +1356,13 @@ controls:
When authentication takes place through a remote application (network),
the authentication protocol used by PAM must be secure (flow encryption,
remote server authentication, anti-replay mechanisms, ...).
- {{% if "rhel" in product %}}
notes: |-
In RHEL systems, remote authentication is handled through sssd service.
PAM delegates requests for remote authentication to this service through a
local Unix socket. The sssd service can use IPA, AD or LDAP as a remote
database containing information required for authentication. In case IPA or AD is configured through a documented way, the connection is secured by default. In case LDAP is configured manually, there are several configuration options which should be chedked.
- {{% if product in ["rhel7", "rhel8"] %}}
An allternative solution is to use nss-pam-ldapd package.
In case this package is used, we make sure that SSL is turned on and certificate is configured.
- {{% endif %}}
status: automated
rules:
- package_sssd_installed
@@ -1373,16 +1370,10 @@ controls:
- sssd_enable_pam_services
- sssd_ldap_configure_tls_reqcert
- sssd_ldap_start_tls
- {{% if product in ["rhel7", "rhel8"] %}}
- ldap_client_start_tls
- ldap_client_tls_cacertpath
- {{% endif %}}
related_rules:
- package_sssd-ipa_installed
- {{% else %}}
- notes: We cannot automate securing of remote PAM authentication in a general way.
- status: manual
- {{% endif %}}
- id: R68
title: Protecting stored passwords
diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml
index 48406c172..28ae0c5c2 100644
--- a/controls/cis_rhel8.yml
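Review bot: In the `@@ -1356,16 +1356,13 @@` and `@@ -1373,16 +1370,10 @@` hunks for R67, the `{{% if "rhel" in product %}}` guard and its `{{% else %}}` branch (`status: manual`) are deleted outright, so R67 becomes `status: automated` with the sssd rules for every product that uses controls/anssi.yml, not only AlmaLinux. If the intent is just to enable the rule for AlmaLinux, widening the condition (for example `{{% if "rhel" in product or "almalinux" in product %}}`) would keep the manual fallback for other products. The same hunks also drop `ldap_client_start_tls`, `ldap_client_tls_cacertpath` and the nss-pam-ldapd note that were limited to rhel7/rhel8; if that is deliberate for AlmaLinux 8 the commit message should say so, and the retained note text still reads "In RHEL systems".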
@ -19330,10 +19364,10 @@ index 000000000..08c87ea68
+</Group>
diff --git a/products/almalinux8/product.yml b/products/almalinux8/product.yml
new file mode 100644
index 000000000..fadfc608a
index 000000000..536dc8a7c
--- /dev/null
+++ b/products/almalinux8/product.yml
@@ -0,0 +1,51 @@
@@ -0,0 +1,52 @@
+product: almalinux8
+full_name: AlmaLinux 8
+type: platform
@ -19362,6 +19396,7 @@ index 000000000..fadfc608a
+
+release_key_fingerprint: "5E9B8F5617B5066CE92057C3488FCF7C3ABB34F8"
+auxiliary_key_fingerprint: "BC5EDDCADF502C077F1582882AE81E8ACED7258B"
+oval_feed_url: "https://security.almalinux.org/oval/org.almalinux.alsa-8.xml.bz2"
+
+groups:
+ dedicated_ssh_keyowner:
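Review bot: The `oval_feed_url` line added in this hunk is unrelated to the R67 change in controls/anssi.yml, and the commit message ("Bring back oval_feed_url ...") does not say why the key was removed before or what changed to make restoring it correct. Splitting the two changes into separate commits, or adding a sentence of rationale to the message, would make each one easier to review and revert. The bump of the new-file hunk header from `+1,51` to `+1,52` is consistent with the single added line.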