Bring back oval_feed_url and enable ANSSI R67 rule for AlmaLinux
parent
d563de6142
commit
e430f844e6
@ -66,7 +66,7 @@ index 2b00bd908..4fc431b04 100644
|
|||||||
- ensure_gpgcheck_globally_activated
|
- ensure_gpgcheck_globally_activated
|
||||||
- ensure_gpgcheck_local_packages
|
- ensure_gpgcheck_local_packages
|
||||||
diff --git a/controls/anssi.yml b/controls/anssi.yml
|
diff --git a/controls/anssi.yml b/controls/anssi.yml
|
||||||
index d02cd2523..b00619dfa 100644
|
index d02cd2523..54d70cfe3 100644
|
||||||
--- a/controls/anssi.yml
|
--- a/controls/anssi.yml
|
||||||
+++ b/controls/anssi.yml
|
+++ b/controls/anssi.yml
|
||||||
@@ -1238,7 +1238,7 @@ controls:
|
@@ -1238,7 +1238,7 @@ controls:
|
||||||
@ -78,6 +78,40 @@ index d02cd2523..b00619dfa 100644
|
|||||||
- ensure_oracle_gpgkey_installed
|
- ensure_oracle_gpgkey_installed
|
||||||
|
|
||||||
- id: R60
|
- id: R60
|
||||||
|
@@ -1356,16 +1356,13 @@ controls:
|
||||||
|
When authentication takes place through a remote application (network),
|
||||||
|
the authentication protocol used by PAM must be secure (flow encryption,
|
||||||
|
remote server authentication, anti-replay mechanisms, ...).
|
||||||
|
- {{% if "rhel" in product %}}
|
||||||
|
notes: |-
|
||||||
|
In RHEL systems, remote authentication is handled through sssd service.
|
||||||
|
PAM delegates requests for remote authentication to this service through a
|
||||||
|
local Unix socket. The sssd service can use IPA, AD or LDAP as a remote
|
||||||
|
database containing information required for authentication. In case IPA or AD is configured through a documented way, the connection is secured by default. In case LDAP is configured manually, there are several configuration options which should be chedked.
|
||||||
|
- {{% if product in ["rhel7", "rhel8"] %}}
|
||||||
|
An allternative solution is to use nss-pam-ldapd package.
|
||||||
|
In case this package is used, we make sure that SSL is turned on and certificate is configured.
|
||||||
|
- {{% endif %}}
|
||||||
|
status: automated
|
||||||
|
rules:
|
||||||
|
- package_sssd_installed
|
||||||
|
@@ -1373,16 +1370,10 @@ controls:
|
||||||
|
- sssd_enable_pam_services
|
||||||
|
- sssd_ldap_configure_tls_reqcert
|
||||||
|
- sssd_ldap_start_tls
|
||||||
|
- {{% if product in ["rhel7", "rhel8"] %}}
|
||||||
|
- ldap_client_start_tls
|
||||||
|
- ldap_client_tls_cacertpath
|
||||||
|
- {{% endif %}}
|
||||||
|
related_rules:
|
||||||
|
- package_sssd-ipa_installed
|
||||||
|
- {{% else %}}
|
||||||
|
- notes: We cannot automate securing of remote PAM authentication in a general way.
|
||||||
|
- status: manual
|
||||||
|
- {{% endif %}}
|
||||||
|
|
||||||
|
- id: R68
|
||||||
|
title: Protecting stored passwords
|
||||||
diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml
|
diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml
|
||||||
index 48406c172..28ae0c5c2 100644
|
index 48406c172..28ae0c5c2 100644
|
||||||
--- a/controls/cis_rhel8.yml
|
--- a/controls/cis_rhel8.yml
|
||||||
@ -19330,10 +19364,10 @@ index 000000000..08c87ea68
|
|||||||
+</Group>
|
+</Group>
|
||||||
diff --git a/products/almalinux8/product.yml b/products/almalinux8/product.yml
|
diff --git a/products/almalinux8/product.yml b/products/almalinux8/product.yml
|
||||||
new file mode 100644
|
new file mode 100644
|
||||||
index 000000000..fadfc608a
|
index 000000000..536dc8a7c
|
||||||
--- /dev/null
|
--- /dev/null
|
||||||
+++ b/products/almalinux8/product.yml
|
+++ b/products/almalinux8/product.yml
|
||||||
@@ -0,0 +1,51 @@
|
@@ -0,0 +1,52 @@
|
||||||
+product: almalinux8
|
+product: almalinux8
|
||||||
+full_name: AlmaLinux 8
|
+full_name: AlmaLinux 8
|
||||||
+type: platform
|
+type: platform
|
||||||
@ -19362,6 +19396,7 @@ index 000000000..fadfc608a
|
|||||||
+
|
+
|
||||||
+release_key_fingerprint: "5E9B8F5617B5066CE92057C3488FCF7C3ABB34F8"
|
+release_key_fingerprint: "5E9B8F5617B5066CE92057C3488FCF7C3ABB34F8"
|
||||||
+auxiliary_key_fingerprint: "BC5EDDCADF502C077F1582882AE81E8ACED7258B"
|
+auxiliary_key_fingerprint: "BC5EDDCADF502C077F1582882AE81E8ACED7258B"
|
||||||
|
+oval_feed_url: "https://security.almalinux.org/oval/org.almalinux.alsa-8.xml.bz2"
|
||||||
+
|
+
|
||||||
+groups:
|
+groups:
|
||||||
+ dedicated_ssh_keyowner:
|
+ dedicated_ssh_keyowner:
|
||||||
|
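Review bot: Deleting the `{{% if "rhel" in product %}}` guard and its `{{% else %}}` branch in the `controls/anssi.yml` hunks (`@@ -1356,16 +1356,13 @@` and `@@ -1373,16 +1370,10 @@`) makes R67 `status: automated` for every product built from the patched tree, not only AlmaLinux. The same deletion makes `ldap_client_start_tls` and `ldap_client_tls_cacertpath` unconditional, where they were previously limited to rhel7/rhel8. If this tree is only ever built for almalinux8 that is harmless; otherwise it reports automated coverage where `status: manual` was the accurate answer. A narrower edit widens the conditions instead, `{{% if "rhel" in product or "almalinux" in product %}}` and `{{% if product in ["rhel7", "rhel8", "almalinux8"] %}}`, and leaves the `{{% else %}}` branch in place. The retained notes still begin "In RHEL systems", which is worth rewording for the products the control now covers.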