From e430f844e6ed5c84ed7d60070ea5e7079d595bd6 Mon Sep 17 00:00:00 2001
From: Andrew Lukoshko
Date: Mon, 10 Jun 2024 14:52:38 +0000
Subject: [PATCH] Bring back oval_feed_url and enable ANSSI R67 rule for AlmaLinux

---
 SOURCES/0001-Add-AlmaLinux-8-support.patch | 41 ++++++++++++++++++++--
 1 file changed, 38 insertions(+), 3 deletions(-)

diff --git a/SOURCES/0001-Add-AlmaLinux-8-support.patch b/SOURCES/0001-Add-AlmaLinux-8-support.patch
index fbf3406..37f79c6 100644
--- a/SOURCES/0001-Add-AlmaLinux-8-support.patch
+++ b/SOURCES/0001-Add-AlmaLinux-8-support.patch
@@ -66,7 +66,7 @@ index 2b00bd908..4fc431b04 100644
  - ensure_gpgcheck_globally_activated
  - ensure_gpgcheck_local_packages
 diff --git a/controls/anssi.yml b/controls/anssi.yml
-index d02cd2523..b00619dfa 100644
+index d02cd2523..54d70cfe3 100644
 --- a/controls/anssi.yml
 +++ b/controls/anssi.yml
 @@ -1238,7 +1238,7 @@ controls:
@@ -78,6 +78,40 @@ index d02cd2523..b00619dfa 100644
  - ensure_oracle_gpgkey_installed
  - id: R60
+@@ -1356,16 +1356,13 @@ controls:
+ When authentication takes place through a remote application (network),
+ the authentication protocol used by PAM must be secure (flow encryption,
+ remote server authentication, anti-replay mechanisms, ...).
+- {{% if "rhel" in product %}}
+ notes: |-
+ In RHEL systems, remote authentication is handled through sssd service.
+ PAM delegates requests for remote authentication to this service through a
+ local Unix socket. The sssd service can use IPA, AD or LDAP as a remote
+ database containing information required for authentication. In case IPA or AD is configured through a documented way, the connection is secured by default. In case LDAP is configured manually, there are several configuration options which should be chedked.
+- {{% if product in ["rhel7", "rhel8"] %}}
+ An allternative solution is to use nss-pam-ldapd package.
+ In case this package is used, we make sure that SSL is turned on and certificate is configured.
+- {{% endif %}}
+ status: automated
+ rules:
+ - package_sssd_installed
+@@ -1373,16 +1370,10 @@ controls:
+ - sssd_enable_pam_services
+ - sssd_ldap_configure_tls_reqcert
+ - sssd_ldap_start_tls
+- {{% if product in ["rhel7", "rhel8"] %}}
+ - ldap_client_start_tls
+ - ldap_client_tls_cacertpath
+- {{% endif %}}
+ related_rules:
+ - package_sssd-ipa_installed
+- {{% else %}}
+- notes: We cannot automate securing of remote PAM authentication in a general way.
+- status: manual
+- {{% endif %}}
+
+ - id: R68
+ title: Protecting stored passwords
 diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml
 index 48406c172..28ae0c5c2 100644
 --- a/controls/cis_rhel8.yml
 +++ b/controls/cis_rhel8.yml
@@ -19330,10 +19364,10 @@ index 000000000..08c87ea68
 +
 diff --git a/products/almalinux8/product.yml b/products/almalinux8/product.yml
 new file mode 100644
-index 000000000..fadfc608a
+index 000000000..536dc8a7c
 --- /dev/null
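Review bot: Deleting the `{{% if "rhel" in product %}}` / `{{% else %}}` guards makes R67 `status: automated` with the sssd and `ldap_client_*` rules for every product rendered from this anssi.yml, not only AlmaLinux, and removes the `status: manual` fallback that any non-RHEL product built from the same tree relied on. The narrower change that matches the commit title is to widen the guards rather than drop them, e.g. `{{% if "rhel" in product or "almalinux" in product %}}` for the outer block and `{{% if product in ["rhel7", "rhel8", "almalinux8"] %}}` around the nss-pam-ldapd sentence and the two `ldap_client_*` rules, so the other branches stay intact. The `notes` text still opens with `In RHEL systems` even though nothing restricts the block to RHEL any more; if the guards are intentionally gone, reword it to `In RHEL-family systems (including AlmaLinux)`. The same touch of the block could fix the pre-existing typos `chedked` and `allternative` in the note text. Whether this tree builds any product other than rhel*/almalinux8 is not visible here, and the R67 control's `id`/`title` lines sit above the hunk.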
 +++ b/products/almalinux8/product.yml
-@@ -0,0 +1,51 @@
+@@ -0,0 +1,52 @@
 +product: almalinux8
 +full_name: AlmaLinux 8
 +type: platform
@@ -19362,6 +19396,7 @@ index 000000000..fadfc608a
 +
 +release_key_fingerprint: "5E9B8F5617B5066CE92057C3488FCF7C3ABB34F8"
 +auxiliary_key_fingerprint: "BC5EDDCADF502C077F1582882AE81E8ACED7258B"
++oval_feed_url: "https://security.almalinux.org/oval/org.almalinux.alsa-8.xml.bz2"
 +
 +groups:
 + dedicated_ssh_keyowner:
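Review bot: The reinstated `oval_feed_url` line has no comment, and since the commit title says it is being "brought back" a reader of product.yml cannot tell why it was removed before or what consumes it; add a line above it such as `# AlmaLinux security-advisory (ALSA) OVAL feed; reinstated after being dropped in an earlier revision`. The feed is fetched over HTTPS, but nothing in this hunk verifies a signature or checksum on the downloaded file, so whatever consumes it trusts TLS alone; if the build uses this feed to generate shipped content, confirm that is acceptable or that verification happens elsewhere. The enclosing product.yml mapping starts and ends outside the hunk.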