From ad9445f5cb6ff61021fff881b09ff875b8a9972d Mon Sep 17 00:00:00 2001
From: Watson Sato
Date: Tue, 4 Dec 2018 10:05:23 +0100
Subject: [PATCH 1/2] Remove dropped packages rules from RHEL8 profiles
---
 rhel8/profiles/hipaa.profile | 5 -----
 rhel8/profiles/ospp.profile | 1 -
 2 files changed, 6 deletions(-)
diff --git a/rhel8/profiles/hipaa.profile b/rhel8/profiles/hipaa.profile
index 44a8a849bb..9008e96f27 100644
--- a/rhel8/profiles/hipaa.profile
+++ b/rhel8/profiles/hipaa.profile
@@ -34,22 +34,17 @@ selections:
 - sshd_disable_root_login
 - libreswan_approved_tunnels
 - no_rsh_trust_files
- - package_rsh_removed
 - package_rsh-server_removed
 - package_talk_removed
 - package_talk-server_removed
 - package_telnet_removed
 - package_telnet-server_removed
 - package_xinetd_removed
- - package_ypbind_removed
- - package_ypserv_removed
 - service_crond_enabled
 - service_rexec_disabled
 - service_rlogin_disabled
- - service_rsh_disabled
 - service_telnet_disabled
 - service_xinetd_disabled
- - service_ypbind_disabled
 - service_zebra_disabled
 - use_kerberos_security_all_exports
 - disable_host_auth
diff --git a/rhel8/profiles/ospp.profile b/rhel8/profiles/ospp.profile
index 7811f6908f..0a1ec8a6a5 100644
--- a/rhel8/profiles/ospp.profile
+++ b/rhel8/profiles/ospp.profile
@@ -194,7 +194,6 @@
 - audit_rules_etc_group_openat
 - audit_rules_etc_group_open_by_handle_at
 - package_abrt_removed
- - package_sendmail_removed
 - mount_option_dev_shm_nodev
 - mount_option_dev_shm_noexec
 - mount_option_dev_shm_nosuid
From 00ff79b9cedf03abf2aec7e1ab13fed5712c8301 Mon Sep 17 00:00:00 2001
From: Watson Sato
Date: Tue, 4 Dec 2018 11:05:16 +0100
Subject: [PATCH 2/2] Smartcards auth in RHEL8 should be done via sssd
- pam_pkcs11 was removed from RHEL8
- piggy-backing fix: also enable pcsc-lite for Fedora
---
 fedora/templates/csv/packages_installed.csv | 1 +
 rhel8/profiles/pci-dss.profile | 8 +++++++-
 rhel8/templates/csv/packages_installed.csv | 1 +
 3 files changed, 9 insertions(+), 1 deletion(-)
diff --git a/fedora/templates/csv/packages_installed.csv b/fedora/templates/csv/packages_installed.csv
index 4abfd53340..7bbf4d93e5 100644
--- a/fedora/templates/csv/packages_installed.csv
+++ b/fedora/templates/csv/packages_installed.csv
@@ -9,6 +9,7 @@ libreswan
 ntp
 opensc
 openssh-server
+pcsc-lite
 vsftpd
 postfix
 screen
diff --git a/rhel8/profiles/pci-dss.profile b/rhel8/profiles/pci-dss.profile
index a81849ac41..3fef39b0eb 100644
--- a/rhel8/profiles/pci-dss.profile
+++ b/rhel8/profiles/pci-dss.profile
@@ -113,7 +113,13 @@
 - ensure_gpgcheck_globally_activated
 - ensure_gpgcheck_never_disabled
 - security_patches_up_to_date
- - smartcard_auth
+ - package_opensc_installed
+ - var_smartcard_drivers=cac
+ - configure_opensc_nss_db
+ - configure_opensc_card_drivers
+ - force_opensc_card_drivers
+ - service_pcscd_enabled
+ - sssd_enable_smartcards
 - set_password_hashing_algorithm_systemauth
 - set_password_hashing_algorithm_logindefs
 - set_password_hashing_algorithm_libuserconf
diff --git a/rhel8/templates/csv/packages_installed.csv b/rhel8/templates/csv/packages_installed.csv
index e5c22d4bf3..248bac87b7 100644
--- a/rhel8/templates/csv/packages_installed.csv
+++ b/rhel8/templates/csv/packages_installed.csv
@@ -9,6 +9,7 @@ libreswan
 ntp
 opensc
 openssh-server
+pcsc-lite
 vsftpd
 postfix
 tmux
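Review bot: The new selections in rhel8/profiles/pci-dss.profile turn on `service_pcscd_enabled` but select no rule that requires the pcsc-lite package; only `package_opensc_installed` is listed. The same commit adds `pcsc-lite` to rhel8/templates/csv/packages_installed.csv, which presumably generates a `package_pcsc-lite_installed` rule, so I would add `- package_pcsc-lite_installed` ahead of `- service_pcscd_enabled`; otherwise the daemon check can fail simply because the package is absent. Separately, `var_smartcard_drivers=cac` together with `force_opensc_card_drivers` pins one card driver for every system scanned with this profile. If the variable offers other selectors, a comment above that line saying why CAC is the intended value for PCI-DSS would help sites that issue a different card type.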