From ad9445f5cb6ff61021fff881b09ff875b8a9972d Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Tue, 4 Dec 2018 10:05:23 +0100
Subject: [PATCH 1/2] Remove dropped packages rules from RHEL8 profiles

---
 rhel8/profiles/hipaa.profile | 5 -----
 rhel8/profiles/ospp.profile  | 1 -
 2 files changed, 6 deletions(-)

diff --git a/rhel8/profiles/hipaa.profile b/rhel8/profiles/hipaa.profile
index 44a8a849bb..9008e96f27 100644
--- a/rhel8/profiles/hipaa.profile
+++ b/rhel8/profiles/hipaa.profile
@@ -34,22 +34,17 @@ selections:
     - sshd_disable_root_login
     - libreswan_approved_tunnels
     - no_rsh_trust_files
-    - package_rsh_removed
     - package_rsh-server_removed
     - package_talk_removed
     - package_talk-server_removed
     - package_telnet_removed
     - package_telnet-server_removed
     - package_xinetd_removed
-    - package_ypbind_removed
-    - package_ypserv_removed
     - service_crond_enabled
     - service_rexec_disabled
     - service_rlogin_disabled
-    - service_rsh_disabled
     - service_telnet_disabled
     - service_xinetd_disabled
-    - service_ypbind_disabled
     - service_zebra_disabled
     - use_kerberos_security_all_exports
     - disable_host_auth
diff --git a/rhel8/profiles/ospp.profile b/rhel8/profiles/ospp.profile
index 7811f6908f..0a1ec8a6a5 100644
--- a/rhel8/profiles/ospp.profile
+++ b/rhel8/profiles/ospp.profile
@@ -194,7 +194,6 @@
     - audit_rules_etc_group_openat
     - audit_rules_etc_group_open_by_handle_at
     - package_abrt_removed
-    - package_sendmail_removed
     - mount_option_dev_shm_nodev
     - mount_option_dev_shm_noexec
     - mount_option_dev_shm_nosuid

From 00ff79b9cedf03abf2aec7e1ab13fed5712c8301 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Tue, 4 Dec 2018 11:05:16 +0100
Subject: [PATCH 2/2] Smartcards auth in RHEL8 should be done via sssd

- pam_pkcs11 was removed from RHEL8
- piggy-backing fix: also enable pcsc-lite for Fedora
---
 fedora/templates/csv/packages_installed.csv | 1 +
 rhel8/profiles/pci-dss.profile              | 8 +++++++-
 rhel8/templates/csv/packages_installed.csv  | 1 +
 3 files changed, 9 insertions(+), 1 deletion(-)

diff --git a/fedora/templates/csv/packages_installed.csv b/fedora/templates/csv/packages_installed.csv
index 4abfd53340..7bbf4d93e5 100644
--- a/fedora/templates/csv/packages_installed.csv
+++ b/fedora/templates/csv/packages_installed.csv
@@ -9,6 +9,7 @@ libreswan
 ntp
 opensc
 openssh-server
+pcsc-lite
 vsftpd
 postfix
 screen
diff --git a/rhel8/profiles/pci-dss.profile b/rhel8/profiles/pci-dss.profile
index a81849ac41..3fef39b0eb 100644
--- a/rhel8/profiles/pci-dss.profile
+++ b/rhel8/profiles/pci-dss.profile
@@ -113,7 +113,13 @@
     - ensure_gpgcheck_globally_activated
     - ensure_gpgcheck_never_disabled
     - security_patches_up_to_date
-    - smartcard_auth
+    - package_opensc_installed
+    - var_smartcard_drivers=cac
+    - configure_opensc_nss_db
+    - configure_opensc_card_drivers
+    - force_opensc_card_drivers
+    - service_pcscd_enabled
+    - sssd_enable_smartcards
     - set_password_hashing_algorithm_systemauth
     - set_password_hashing_algorithm_logindefs
     - set_password_hashing_algorithm_libuserconf
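Review bot: The new selections enable `service_pcscd_enabled` but select no rule that installs the package providing pcscd, even though this patch adds `pcsc-lite` to rhel8/templates/csv/packages_installed.csv. If that CSV entry generates `package_pcsc-lite_installed` the way `opensc` pairs with `package_opensc_installed` (inferred from the naming, the template is not visible here), adding `- package_pcsc-lite_installed` before `- service_pcscd_enabled` would make the profile check the package as well as the service. `var_smartcard_drivers=cac` together with `force_opensc_card_drivers` pins the profile to the CAC driver, so it is worth confirming this is intended for PCI-DSS sites that use other card types. A comment above the block, such as `# pam_pkcs11 is not available in RHEL8; smart card login is configured through OpenSC and sssd`, would record why `smartcard_auth` was expanded into several rules.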
diff --git a/rhel8/templates/csv/packages_installed.csv b/rhel8/templates/csv/packages_installed.csv
index e5c22d4bf3..248bac87b7 100644
--- a/rhel8/templates/csv/packages_installed.csv
+++ b/rhel8/templates/csv/packages_installed.csv
@@ -9,6 +9,7 @@ libreswan
 ntp
 opensc
 openssh-server
+pcsc-lite
 vsftpd
 postfix
 tmux