|
 |
aa23b3 |
From 5f4e807cb6e54744ad69cd1e7d622c85ae4e8803 Mon Sep 17 00:00:00 2001
|
|
|
aa23b3 |
From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= <matyc@redhat.com>
|
|
|
aa23b3 |
Date: Thu, 21 Nov 2019 16:28:23 +0100
|
|
|
aa23b3 |
Subject: [PATCH 1/2] Updated the e8 profile for RHEL8.
|
|
|
aa23b3 |
|
|
|
aa23b3 |
- removed obsolete SSHD settings.
|
|
|
aa23b3 |
- added rules for crypto policies.
|
|
|
aa23b3 |
---
|
|
|
aa23b3 |
rhel8/profiles/e8.profile | 6 ++++--
|
|
|
aa23b3 |
1 file changed, 4 insertions(+), 2 deletions(-)
|
|
|
aa23b3 |
|
|
|
aa23b3 |
diff --git a/rhel8/profiles/e8.profile b/rhel8/profiles/e8.profile
|
|
|
aa23b3 |
index 53b4c156e2..f0f19a4708 100644
|
|
|
aa23b3 |
--- a/rhel8/profiles/e8.profile
|
|
|
aa23b3 |
+++ b/rhel8/profiles/e8.profile
|
|
|
aa23b3 |
@@ -123,14 +123,16 @@ selections:
|
|
|
aa23b3 |
- sshd_print_last_log
|
|
|
aa23b3 |
- sshd_use_priv_separation
|
|
|
aa23b3 |
- sshd_do_not_permit_user_env
|
|
|
aa23b3 |
- - sshd_disable_rhosts_rsa
|
|
|
aa23b3 |
- sshd_disable_rhosts
|
|
|
aa23b3 |
- - sshd_allow_only_protocol2
|
|
|
aa23b3 |
- sshd_set_loglevel_info
|
|
|
aa23b3 |
- sshd_disable_empty_passwords
|
|
|
aa23b3 |
- sshd_disable_user_known_hosts
|
|
|
aa23b3 |
- sshd_enable_strictmodes
|
|
|
aa23b3 |
|
|
|
aa23b3 |
+ - var_system_crypto_policy=default
|
|
|
aa23b3 |
+ - configure_crypto_policy
|
|
|
aa23b3 |
+ - configure_ssh_crypto_policy
|
|
|
aa23b3 |
+
|
|
|
aa23b3 |
### Application whitelisting
|
|
|
aa23b3 |
- package_fapolicyd_installed
|
|
|
aa23b3 |
- service_fapolicyd_enabled
|
|
|
aa23b3 |
|
|
|
aa23b3 |
From 659326a1d4db99dc30c4807b5b5ce4c97db37709 Mon Sep 17 00:00:00 2001
|
|
|
aa23b3 |
From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= <matyc@redhat.com>
|
|
|
aa23b3 |
Date: Mon, 25 Nov 2019 16:42:37 +0100
|
|
|
aa23b3 |
Subject: [PATCH 2/2] Update the crypto policy and rationale.
|
|
|
aa23b3 |
|
|
|
aa23b3 |
---
|
|
|
aa23b3 |
rhel8/profiles/e8.profile | 5 ++++-
|
|
|
aa23b3 |
1 file changed, 4 insertions(+), 1 deletion(-)
|
|
|
aa23b3 |
|
|
|
aa23b3 |
diff --git a/rhel8/profiles/e8.profile b/rhel8/profiles/e8.profile
|
|
|
aa23b3 |
index f0f19a4708..f78e908482 100644
|
|
|
aa23b3 |
--- a/rhel8/profiles/e8.profile
|
|
|
aa23b3 |
+++ b/rhel8/profiles/e8.profile
|
|
|
aa23b3 |
@@ -129,7 +129,10 @@ selections:
|
|
|
aa23b3 |
- sshd_disable_user_known_hosts
|
|
|
aa23b3 |
- sshd_enable_strictmodes
|
|
|
aa23b3 |
|
|
|
aa23b3 |
- - var_system_crypto_policy=default
|
|
|
aa23b3 |
+ # The E8 profile bans usage of SHA-1, and as of 11/2019 the FUTURE crypto policy is the only one that ensures this.
|
|
|
aa23b3 |
+ # TODO: Re-evaluate after another crypto policies become available.
|
|
|
aa23b3 |
+ # See also: https://www.cyber.gov.au/ism/guidelines-using-cryptography
|
|
|
aa23b3 |
+ - var_system_crypto_policy=future
|
|
|
aa23b3 |
- configure_crypto_policy
|
|
|
aa23b3 |
- configure_ssh_crypto_policy
|
|
|
aa23b3 |
|