Bring back oval_feed_url and enable ANSSI R67 rule for AlmaLinux

Andrew Lukoshko 2024-06-10 14:52:38 +00:00
parent d563de6142
commit e430f844e6
1 changed files with 38 additions and 3 deletions


@ -66,7 +66,7 @@ index 2b00bd908..4fc431b04 100644
- ensure_gpgcheck_globally_activated
- ensure_gpgcheck_local_packages
diff --git a/controls/anssi.yml b/controls/anssi.yml
index d02cd2523..b00619dfa 100644
index d02cd2523..54d70cfe3 100644
--- a/controls/anssi.yml
+++ b/controls/anssi.yml
@@ -1238,7 +1238,7 @@ controls:
@ -78,6 +78,40 @@ index d02cd2523..b00619dfa 100644
- ensure_oracle_gpgkey_installed
- id: R60
@@ -1356,16 +1356,13 @@ controls:
When authentication takes place through a remote application (network),
the authentication protocol used by PAM must be secure (flow encryption,
remote server authentication, anti-replay mechanisms, ...).
- {{% if "rhel" in product %}}
notes: |-
In RHEL systems, remote authentication is handled through sssd service.
PAM delegates requests for remote authentication to this service through a
local Unix socket. The sssd service can use IPA, AD or LDAP as a remote
database containing information required for authentication. In case IPA or AD is configured through a documented way, the connection is secured by default. In case LDAP is configured manually, there are several configuration options which should be chedked.
- {{% if product in ["rhel7", "rhel8"] %}}
An allternative solution is to use nss-pam-ldapd package.
In case this package is used, we make sure that SSL is turned on and certificate is configured.
- {{% endif %}}
status: automated
rules:
- package_sssd_installed
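Review bot: dropping the `{{% if "rhel" in product %}}` guard in the R67 `notes` block makes this text apply to every product that builds controls/anssi.yml, yet it still opens with "In RHEL systems", and the nss-pam-ldapd paragraph is no longer limited to rhel7/rhel8. Since the stated goal is only to enable R67 for AlmaLinux, consider keeping the guard and widening it, for example `{{% if "rhel" in product or "almalinux" in product %}}`, and doing the same for the inner rhel7/rhel8 condition, so other products are unaffected.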
@@ -1373,16 +1370,10 @@ controls:
- sssd_enable_pam_services
- sssd_ldap_configure_tls_reqcert
- sssd_ldap_start_tls
- {{% if product in ["rhel7", "rhel8"] %}}
- ldap_client_start_tls
- ldap_client_tls_cacertpath
- {{% endif %}}
related_rules:
- package_sssd-ipa_installed
- {{% else %}}
- notes: We cannot automate securing of remote PAM authentication in a general way.
- status: manual
- {{% endif %}}
- id: R68
title: Protecting stored passwords
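Review bot: removing the `{{% else %}}` branch at the end of the R67 rules list deletes the `status: manual` fallback, so a product that previously reported R67 as manual now reports it as automated without anyone having checked that these sssd rules apply to it. In the same hunk, `ldap_client_start_tls` and `ldap_client_tls_cacertpath` lose their rhel7/rhel8 condition and are selected unconditionally. Suggest keeping the else branch and adding the AlmaLinux product to the existing conditions rather than deleting them.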
diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml
index 48406c172..28ae0c5c2 100644
--- a/controls/cis_rhel8.yml
@ -19330,10 +19364,10 @@ index 000000000..08c87ea68
+</Group>
diff --git a/products/almalinux8/product.yml b/products/almalinux8/product.yml
new file mode 100644
index 000000000..fadfc608a
index 000000000..536dc8a7c
--- /dev/null
+++ b/products/almalinux8/product.yml
@@ -0,0 +1,51 @@
@@ -0,0 +1,52 @@
+product: almalinux8
+full_name: AlmaLinux 8
+type: platform
@ -19362,6 +19396,7 @@ index 000000000..fadfc608a
+
+release_key_fingerprint: "5E9B8F5617B5066CE92057C3488FCF7C3ABB34F8"
+auxiliary_key_fingerprint: "BC5EDDCADF502C077F1582882AE81E8ACED7258B"
+oval_feed_url: "https://security.almalinux.org/oval/org.almalinux.alsa-8.xml.bz2"
+
+groups:
+ dedicated_ssh_keyowner:
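Review bot: the `oval_feed_url` line added after `auxiliary_key_fingerprint` is restored without any record of why it was removed earlier or what consumes it. The commit message only says "Bring back". A short comment above the key, or a sentence in the commit message, naming the consumer of this bz2 feed and noting that the URL must stay on https would help later reviewers. The same commit also carries the ANSSI R67 change to controls/anssi.yml, which is unrelated. Splitting the two would let either be reverted on its own.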