From f027c56e45e703663c25dea18f78111d5d8a7e0f Mon Sep 17 00:00:00 2001
From: Matthew Burket <mburket@redhat.com>
Date: Thu, 19 Aug 2021 11:16:08 -0500
Subject: [PATCH] Added rule for RHEL-08-010400
|
|
|
ff1465 |
---
.../ansible/shared.yml | 27 +++++++++++++
.../bash/shared.sh | 33 +++++++++++++++
|
|
|
ff1465 |
.../oval/shared.xml | 30 ++++++++++++++
|
|
|
ff1465 |
.../sssd_certificate_verification/rule.yml | 40 +++++++++++++++++++
|
|
|
ff1465 |
.../tests/correct_value.pass.sh | 6 +++
|
|
|
ff1465 |
.../tests/correct_with_others_before.pass.sh | 6 +++
|
|
|
ff1465 |
.../tests/not_configured.fail.sh | 5 +++
|
|
|
ff1465 |
.../tests/partial_config.fail.sh | 6 +++
|
|
|
ff1465 |
.../tests/wrong_section.fail.sh | 6 +++
|
|
|
ff1465 |
.../tests/wrong_value.fail.sh | 6 +++
|
|
|
ff1465 |
...rtificate_verification_digest_function.var | 20 ++++++++++
|
|
|
ff1465 |
products/rhel8/profiles/stig.profile | 2 +
|
|
|
ff1465 |
shared/references/cce-redhat-avail.txt | 1 -
|
|
|
ff1465 |
.../data/profile_stability/rhel8/stig.profile | 4 +-
|
|
|
ff1465 |
.../profile_stability/rhel8/stig_gui.profile | 4 +-
|
|
|
ff1465 |
15 files changed, 193 insertions(+), 3 deletions(-)
|
|
|
ff1465 |
create mode 100644 linux_os/guide/services/sssd/sssd_certificate_verification/ansible/shared.yml
|
|
|
ff1465 |
create mode 100644 linux_os/guide/services/sssd/sssd_certificate_verification/bash/shared.sh
|
|
|
ff1465 |
create mode 100644 linux_os/guide/services/sssd/sssd_certificate_verification/oval/shared.xml
|
|
|
ff1465 |
create mode 100644 linux_os/guide/services/sssd/sssd_certificate_verification/rule.yml
|
|
|
ff1465 |
create mode 100644 linux_os/guide/services/sssd/sssd_certificate_verification/tests/correct_value.pass.sh
|
|
|
ff1465 |
create mode 100644 linux_os/guide/services/sssd/sssd_certificate_verification/tests/correct_with_others_before.pass.sh
|
|
|
ff1465 |
create mode 100644 linux_os/guide/services/sssd/sssd_certificate_verification/tests/not_configured.fail.sh
|
|
|
ff1465 |
create mode 100644 linux_os/guide/services/sssd/sssd_certificate_verification/tests/partial_config.fail.sh
|
|
|
ff1465 |
create mode 100644 linux_os/guide/services/sssd/sssd_certificate_verification/tests/wrong_section.fail.sh
|
|
|
ff1465 |
create mode 100644 linux_os/guide/services/sssd/sssd_certificate_verification/tests/wrong_value.fail.sh
|
|
|
ff1465 |
create mode 100644 linux_os/guide/services/sssd/var_sssd_certificate_verification_digest_function.var
|
|
|
ff1465 |
|
|
|
ff1465 |
diff --git a/linux_os/guide/services/sssd/sssd_certificate_verification/ansible/shared.yml b/linux_os/guide/services/sssd/sssd_certificate_verification/ansible/shared.yml
|
|
|
ff1465 |
new file mode 100644
|
|
|
ff1465 |
index 00000000000..8e36f0974fd
|
|
|
ff1465 |
--- /dev/null
|
|
|
ff1465 |
+++ b/linux_os/guide/services/sssd/sssd_certificate_verification/ansible/shared.yml
|
|
|
ff1465 |
@@ -0,0 +1,27 @@
|
|
|
ff1465 |
+# platform = multi_platform_fedora,multi_platform_rhel
|
|
|
ff1465 |
+# reboot = false
|
|
|
ff1465 |
+# strategy = configure
|
|
|
ff1465 |
+# complexity = low
|
|
|
ff1465 |
+# disruption = medium
|
|
|
ff1465 |
+
|
|
|
ff1465 |
+- name: Ensure that "certificate_verification" is not set in /etc/sssd/sssd.conf
|
|
|
ff1465 |
+ ini_file:
|
|
|
ff1465 |
+ path: /etc/sssd/sssd.conf
|
|
|
ff1465 |
+ section: sssd
|
|
|
ff1465 |
+ option: certificate_verification
|
|
|
ff1465 |
+ state: absent
|
|
|
ff1465 |
+
|
|
|
ff1465 |
+- name: 'Ensure that "certificate_verification" is not set in /etc/sssd/conf.d/*.conf'
|
|
|
ff1465 |
+ ini_file:
|
|
|
ff1465 |
+ path: /etc/sssd/conf.d/*.conf
|
|
|
ff1465 |
+ section: sssd
|
|
|
ff1465 |
+ option: certificate_verification
|
|
|
ff1465 |
+ state: absent
|
|
|
ff1465 |
+
|
|
|
ff1465 |
+- name: Ensure that "certificate_verification" is set
|
|
|
ff1465 |
+ ini_file:
|
|
|
ff1465 |
+ path: /etc/sssd/conf.d/certificate_verification.conf
|
|
|
ff1465 |
+ section: sssd
|
|
|
ff1465 |
+ option: certificate_verification
|
|
|
ff1465 |
+ value: "ocsp_dgst = sha1"
|
|
|
ff1465 |
+ state: present
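Review bot: The second task's `path: /etc/sssd/conf.d/*.conf` is not expanded by `ini_file`, so on a host with snippets in conf.d nothing is removed and a literal file named `*.conf` is created instead; a `find` with `patterns: '*.conf'` followed by a looped `ini_file` is needed. The third task also hardcodes `value: "ocsp_dgst = sha1"` although the bash remediation and the OVAL check read `var_sssd_certificate_verification_digest_function`, so a profile selecting sha256 would be remediated to sha1 and then fail the check; instantiate the variable and template it into the value. The bash side creates the snippet with `chmod 600`, while `ini_file` will create it with the default umask, so `owner`, `group` and `mode: '0600'` should be set for consistency.
```yaml
{{{ ansible_instantiate_variables("var_sssd_certificate_verification_digest_function") }}}

# … unchanged: task removing certificate_verification from /etc/sssd/sssd.conf …

- name: Find SSSD configuration snippets
  find:
    paths: /etc/sssd/conf.d
    patterns: '*.conf'
  register: sssd_conf_d_files

- name: 'Ensure that "certificate_verification" is not set in /etc/sssd/conf.d/*.conf'
  ini_file:
    path: "{{ item.path }}"
    section: sssd
    option: certificate_verification
    state: absent
  loop: "{{ sssd_conf_d_files.files }}"

- name: Ensure that "certificate_verification" is set
  ini_file:
    path: /etc/sssd/conf.d/certificate_verification.conf
    section: sssd
    option: certificate_verification
    value: "ocsp_dgst = {{ var_sssd_certificate_verification_digest_function }}"
    state: present
    owner: root
    group: root
    mode: '0600'
```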
|
|
|
ff1465 |
diff --git a/linux_os/guide/services/sssd/sssd_certificate_verification/bash/shared.sh b/linux_os/guide/services/sssd/sssd_certificate_verification/bash/shared.sh
|
|
|
ff1465 |
new file mode 100644
|
|
|
ff1465 |
index 00000000000..8f9e5514480
|
|
|
ff1465 |
--- /dev/null
|
|
|
ff1465 |
+++ b/linux_os/guide/services/sssd/sssd_certificate_verification/bash/shared.sh
|
|
|
ff1465 |
@@ -0,0 +1,33 @@
|
|
|
ff1465 |
+# platform = multi_platform_rhel,multi_platform_fedora
|
|
|
ff1465 |
+# reboot = false
|
|
|
ff1465 |
+# strategy = configure
|
|
|
ff1465 |
+# complexity = low
|
|
|
ff1465 |
+# disruption = medium
|
|
|
ff1465 |
+
|
|
|
ff1465 |
+# include our remediation functions library
|
|
|
ff1465 |
+. /usr/share/scap-security-guide/remediation_functions
|
|
|
ff1465 |
+
|
|
|
ff1465 |
+{{{ bash_instantiate_variables("var_sssd_certificate_verification_digest_function") }}}
|
|
|
ff1465 |
+
|
|
|
ff1465 |
+found=false
|
|
|
ff1465 |
+for f in /etc/sssd/sssd.conf /etc/sssd/conf.d/*.conf; do
|
|
|
ff1465 |
+ if [ ! -e "$f" ]; then
|
|
|
ff1465 |
+ continue
|
|
|
ff1465 |
+ fi
|
|
|
ff1465 |
+ cert=$( awk '/^\s*\[/{f=0} /^\s*\[sssd\]/{f=1} f{nu=gensub("^\\s*certificate_verification\\s*=\\s*ocsp_dgst\\s*=\\s*(\\w+).*","\\1",1); if($0!=nu){cert=nu}} END{print cert}' "$f" )
|
|
|
ff1465 |
+ if [ -n "$cert" ] ; then
|
|
|
ff1465 |
+ if [ "$cert" != $var_sssd_certificate_verification_digest_function ] ; then
|
|
|
ff1465 |
+ sed -i "s/^certificate_verification\s*=.*/certificate_verification = ocsp_dgst = $var_sssd_certificate_verification_digest_function/" "$f"
|
|
|
ff1465 |
+ fi
|
|
|
ff1465 |
+ found=true
|
|
|
ff1465 |
+ fi
|
|
|
ff1465 |
+done
|
|
|
ff1465 |
+
|
|
|
ff1465 |
+if ! $found ; then
|
|
|
ff1465 |
+ SSSD_CONF="/etc/sssd/conf.d/certificate_verification.conf"
|
|
|
ff1465 |
+ mkdir -p $( dirname $SSSD_CONF )
|
|
|
ff1465 |
+ touch $SSSD_CONF
|
|
|
ff1465 |
+ chown root:root $SSSD_CONF
|
|
|
ff1465 |
+ chmod 600 $SSSD_CONF
|
|
|
ff1465 |
+ echo -e "[sssd]\ncertificate_verification = ocsp_dgst = $var_sssd_certificate_verification_digest_function" >> $SSSD_CONF
|
|
|
ff1465 |
+fi
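Review bot: The detection and the rewrite disagree on leading whitespace: the awk program accepts `^\s*certificate_verification`, but the `sed` substitution is anchored at `^certificate_verification`, so an indented key with a wrong digest sets `found=true` and is never rewritten, leaving the system non-compliant with no indication. The comparison on the line above the sed also leaves `$var_sssd_certificate_verification_digest_function` unquoted, which turns into a `[` syntax error if the variable is empty; both lines should read `if [ "$cert" != "$var_sssd_certificate_verification_digest_function" ] ; then` and `sed -i "s/^\s*certificate_verification\s*=.*/certificate_verification = ocsp_dgst = $var_sssd_certificate_verification_digest_function/" "$f"`. Note also that the awk only recognises the `ocsp_dgst=` form, so a pre-existing `certificate_verification = no_ocsp` in `[sssd]` is neither detected nor replaced and the script appends a second definition under conf.d; whether the snippet overrides the main file is left to sssd's merge order, so that case is worth a test scenario. The `sed` is also not restricted to the `[sssd]` section, unlike the awk.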
|
|
|
ff1465 |
diff --git a/linux_os/guide/services/sssd/sssd_certificate_verification/oval/shared.xml b/linux_os/guide/services/sssd/sssd_certificate_verification/oval/shared.xml
|
|
|
ff1465 |
new file mode 100644
|
|
|
ff1465 |
index 00000000000..77736f54f03
|
|
|
ff1465 |
--- /dev/null
|
|
|
ff1465 |
+++ b/linux_os/guide/services/sssd/sssd_certificate_verification/oval/shared.xml
|
|
|
ff1465 |
@@ -0,0 +1,30 @@
|
|
|
ff1465 |
+<def-group>
|
|
|
ff1465 |
+ <definition class="compliance" id="{{{ rule_id }}}" version="1">
|
|
|
ff1465 |
+ {{{ oval_metadata("SSSD should be configured with the correct ocsp_dgst
|
|
|
ff1465 |
+ digest function") }}}
|
|
|
ff1465 |
+ <criteria>
|
|
|
ff1465 |
+
|
|
|
ff1465 |
+ test_ref="test_{{{rule_id}}}" />
|
|
|
ff1465 |
+ </criteria>
|
|
|
ff1465 |
+ </definition>
|
|
|
ff1465 |
+
|
|
|
ff1465 |
+
|
|
|
ff1465 |
+ certificate_verification in sssd configuration" id="test_{{{rule_id}}}" version="1">
|
|
|
ff1465 |
+ <ind:object object_ref="obj_{{{rule_id}}}" />
|
|
|
ff1465 |
+ <ind:state state_ref="state_{{{rule_id}}}" />
|
|
|
ff1465 |
+ </ind:textfilecontent54_test>
|
|
|
ff1465 |
+
|
|
|
ff1465 |
+ <ind:textfilecontent54_object id="obj_{{{rule_id}}}" version="1">
|
|
|
ff1465 |
+ <ind:filepath operation="pattern match">^/etc/sssd/(sssd|conf\.d/.*)\.conf$</ind:filepath>
|
|
|
ff1465 |
+ <ind:pattern operation="pattern match">^[\s]*\[sssd](?:[^\n\[]*\n+)+?[\s]*certificate_verification\s*=\s*ocsp_dgst\s*=\s*(\w+)$</ind:pattern>
|
|
|
ff1465 |
+ <ind:instance datatype="int">1</ind:instance>
|
|
|
ff1465 |
+ </ind:textfilecontent54_object>
|
|
|
ff1465 |
+
|
|
|
ff1465 |
+ <ind:textfilecontent54_state comment="value of certificate_verification" id="state_{{{rule_id}}}" version="1">
|
|
|
ff1465 |
+
|
|
|
ff1465 |
+ var_ref="var_sssd_certificate_verification_digest_function" />
|
|
|
ff1465 |
+ </ind:textfilecontent54_state>
|
|
|
ff1465 |
+
|
|
|
ff1465 |
+
|
|
|
ff1465 |
+ id="var_sssd_certificate_verification_digest_function" version="1" />
|
|
|
ff1465 |
+</def-group>
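Review bot: The object collects `/etc/sssd/sssd.conf` and every `conf.d/*.conf` separately with `instance` 1, so only the first matching line per file is compared against the variable, and a file that exists but contains no match contributes no matching item; whether the test then passes or fails when the key lives only in a conf.d snippet (the layout the bash remediation produces when sssd.conf lacks the key) depends on the `check`/`check_existence` attributes, whose lines are not visible on this page (the opening tags before `test_ref=`, `certificate_verification in sssd configuration"`, `var_ref=` and `id="var_…"` render blank here). That combination is not covered by any of the added test scenarios, so a conf.d-only pass scenario would confirm the check and the remediation agree. A comment on the pattern such as `<!-- first certificate_verification key after an uncommented [sssd] header; digest captured in the subexpression -->` would help the next reader, since the lazy group is not self-explanatory.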
|
|
|
ff1465 |
diff --git a/linux_os/guide/services/sssd/sssd_certificate_verification/rule.yml b/linux_os/guide/services/sssd/sssd_certificate_verification/rule.yml
|
|
|
ff1465 |
new file mode 100644
|
|
|
ff1465 |
index 00000000000..182e75a2aab
|
|
|
ff1465 |
--- /dev/null
|
|
|
ff1465 |
+++ b/linux_os/guide/services/sssd/sssd_certificate_verification/rule.yml
|
|
|
ff1465 |
@@ -0,0 +1,40 @@
|
|
|
ff1465 |
+documentation_complete: true
|
|
|
ff1465 |
+
|
|
|
ff1465 |
+prodtype: fedora,rhel8
|
|
|
ff1465 |
+
|
|
|
ff1465 |
+title: 'Certificate certificate status checking in SSSD'
|
|
|
ff1465 |
+
|
|
|
ff1465 |
+description: |-
|
|
|
ff1465 |
+ Multifactor solutions that require devices separate from information systems gaining access include,
|
|
|
ff1465 |
+ for example, hardware tokens providing time-based or challenge-response authenticators and smart cards.
|
|
|
ff1465 |
+ By configuring <tt>certificate_verification</tt> to <tt>ocsp_dgst=sha1</tt> sures that certificates for
|
|
|
ff1465 |
+ multifactor solutions are checked via Online Certificate Status Protocol (OCSP).
|
|
|
ff1465 |
+
|
|
|
ff1465 |
+rationale: |-
|
|
|
ff1465 |
+ Enusring that multifactor solutions certificates are checked via Online Certificate Status Protocol (OCSP)
|
|
|
ff1465 |
+ ensures the security of the system.
|
|
|
ff1465 |
+
|
|
|
ff1465 |
+severity: medium
|
|
|
ff1465 |
+
|
|
|
ff1465 |
+identifiers:
|
|
|
ff1465 |
+ cce@rhel8: CCE-86120-3
|
|
|
ff1465 |
+
|
|
|
ff1465 |
+references:
|
|
|
ff1465 |
+ disa: CCI-001948
|
|
|
ff1465 |
+ nist: IA-2(11)
|
|
|
ff1465 |
+ srg: SRG-OS-000375-GPOS-00160,SRG-OS-000377-GPOS-00162
|
|
|
ff1465 |
+ stigid@rhel8: RHEL-08-010400
|
|
|
ff1465 |
+
|
|
|
ff1465 |
+
|
|
|
ff1465 |
+ocil_clause: 'certificate_verification in sssd is not configured'
|
|
|
ff1465 |
+
|
|
|
ff1465 |
+ocil: |-
|
|
|
ff1465 |
+ Check to see if Online Certificate Status Protocol (OCSP)
|
|
|
ff1465 |
+ is enabled and using the proper digest value on the system with the following command:
|
|
|
ff1465 |
+ $ sudo grep certificate_verification /etc/sssd/sssd.conf /etc/sssd/conf.d/*.conf | grep -v "^#"
|
|
|
ff1465 |
+ If configured properly, output should look like
|
|
|
ff1465 |
+
|
|
|
ff1465 |
+ certificate_verification = ocsp_dgst=sha1
|
|
|
ff1465 |
+
|
|
|
ff1465 |
+ The "sssd" service must be restarted for the changes to take effect. To restart the "sssd" service, run the following command:
|
|
|
ff1465 |
+ $ sudo systemctl restart sssd.service
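Review bot: The OCIL command `grep certificate_verification /etc/sssd/sssd.conf /etc/sssd/conf.d/*.conf | grep -v "^#"` passes several files to grep, so each output line is prefixed with the file name and the `^#` filter no longer removes commented entries such as `/etc/sssd/sssd.conf:#certificate_verification = …`; use `grep -h` (or drop the filename some other way) so the comment filter works: `$ sudo grep -h certificate_verification /etc/sssd/sssd.conf /etc/sssd/conf.d/*.conf | grep -v "^#"`. The description and OCIL state `ocsp_dgst=sha1` as the required value while the rule is parametrised by `var_sssd_certificate_verification_digest_function`, so a profile choosing another digest would show wording that contradicts its own check. The prose also has typos: `title: 'Certificate certificate status checking in SSSD'`, "sures that" (ensures that) and "Enusring" (Ensuring).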
|
|
|
ff1465 |
diff --git a/linux_os/guide/services/sssd/sssd_certificate_verification/tests/correct_value.pass.sh b/linux_os/guide/services/sssd/sssd_certificate_verification/tests/correct_value.pass.sh
|
|
|
ff1465 |
new file mode 100644
|
|
|
ff1465 |
index 00000000000..24c19f44fdc
|
|
|
ff1465 |
--- /dev/null
|
|
|
ff1465 |
+++ b/linux_os/guide/services/sssd/sssd_certificate_verification/tests/correct_value.pass.sh
|
|
|
ff1465 |
@@ -0,0 +1,6 @@
|
|
|
ff1465 |
+#!/bin/bash
|
|
|
ff1465 |
+# packages = sssd-common
|
|
|
ff1465 |
+
|
|
|
ff1465 |
+mkdir -p /etc/sssd/conf.d
|
|
|
ff1465 |
+touch /etc/sssd/sssd.conf
|
|
|
ff1465 |
+echo -e "[sssd]\ncertificate_verification = ocsp_dgst=sha1" >> /etc/sssd/sssd.conf
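Review bot: All six scenarios (this one, `correct_with_others_before`, `not_configured`, `partial_config`, `wrong_section`, `wrong_value`) write the key into `/etc/sssd/sssd.conf` only, yet the bash remediation creates `/etc/sssd/conf.d/certificate_verification.conf` when sssd.conf lacks the key and the OVAL filepath pattern covers conf.d; a `correct_value_conf_d.pass.sh` that puts the `[sssd]` block only in a conf.d snippet, and a fail scenario with `ocsp_dgst=sha1` in sssd.conf but a conflicting value in conf.d, would exercise the paths the remediation actually takes. The scripts also append a `[sssd]` header to whatever the `sssd-common` package already ships in sssd.conf, so a header comment such as `# sssd.conf may already exist from the package; a second [sssd] section is acceptable for this check` would document that this is intended.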
|
|
|
ff1465 |
diff --git a/linux_os/guide/services/sssd/sssd_certificate_verification/tests/correct_with_others_before.pass.sh b/linux_os/guide/services/sssd/sssd_certificate_verification/tests/correct_with_others_before.pass.sh
|
|
|
ff1465 |
new file mode 100644
|
|
|
ff1465 |
index 00000000000..982450fc81b
|
|
|
ff1465 |
--- /dev/null
|
|
|
ff1465 |
+++ b/linux_os/guide/services/sssd/sssd_certificate_verification/tests/correct_with_others_before.pass.sh
|
|
|
ff1465 |
@@ -0,0 +1,6 @@
|
|
|
ff1465 |
+#!/bin/bash
|
|
|
ff1465 |
+# packages = sssd-common
|
|
|
ff1465 |
+
|
|
|
ff1465 |
+mkdir -p /etc/sssd/conf.d
|
|
|
ff1465 |
+touch /etc/sssd/sssd.conf
|
|
|
ff1465 |
+echo -e "[sssd]\ndifferent_option = test\ncertificate_verification = ocsp_dgst=sha1" >> /etc/sssd/sssd.conf
|
|
|
ff1465 |
diff --git a/linux_os/guide/services/sssd/sssd_certificate_verification/tests/not_configured.fail.sh b/linux_os/guide/services/sssd/sssd_certificate_verification/tests/not_configured.fail.sh
|
|
|
ff1465 |
new file mode 100644
|
|
|
ff1465 |
index 00000000000..ed011f9d4bc
|
|
|
ff1465 |
--- /dev/null
|
|
|
ff1465 |
+++ b/linux_os/guide/services/sssd/sssd_certificate_verification/tests/not_configured.fail.sh
|
|
|
ff1465 |
@@ -0,0 +1,5 @@
|
|
|
ff1465 |
+#!/bin/bash
|
|
|
ff1465 |
+# packages = sssd-common
|
|
|
ff1465 |
+
|
|
|
ff1465 |
+mkdir -p /etc/sssd/conf.d
|
|
|
ff1465 |
+touch /etc/sssd/sssd.conf
|
|
|
ff1465 |
diff --git a/linux_os/guide/services/sssd/sssd_certificate_verification/tests/partial_config.fail.sh b/linux_os/guide/services/sssd/sssd_certificate_verification/tests/partial_config.fail.sh
|
|
|
ff1465 |
new file mode 100644
|
|
|
ff1465 |
index 00000000000..3c7c468b9d5
|
|
|
ff1465 |
--- /dev/null
|
|
|
ff1465 |
+++ b/linux_os/guide/services/sssd/sssd_certificate_verification/tests/partial_config.fail.sh
|
|
|
ff1465 |
@@ -0,0 +1,6 @@
|
|
|
ff1465 |
+#!/bin/bash
|
|
|
ff1465 |
+# packages = sssd-common
|
|
|
ff1465 |
+
|
|
|
ff1465 |
+mkdir -p /etc/sssd/conf.d
|
|
|
ff1465 |
+touch /etc/sssd/sssd.conf
|
|
|
ff1465 |
+echo -e "[sssd]\ncertificate_verification = ocsp_dgst=" >> /etc/sssd/sssd.conf
|
|
|
ff1465 |
diff --git a/linux_os/guide/services/sssd/sssd_certificate_verification/tests/wrong_section.fail.sh b/linux_os/guide/services/sssd/sssd_certificate_verification/tests/wrong_section.fail.sh
|
|
|
ff1465 |
new file mode 100644
|
|
|
ff1465 |
index 00000000000..635ca4bebcc
|
|
|
ff1465 |
--- /dev/null
|
|
|
ff1465 |
+++ b/linux_os/guide/services/sssd/sssd_certificate_verification/tests/wrong_section.fail.sh
|
|
|
ff1465 |
@@ -0,0 +1,6 @@
|
|
|
ff1465 |
+#!/bin/bash
|
|
|
ff1465 |
+# packages = sssd-common
|
|
|
ff1465 |
+
|
|
|
ff1465 |
+mkdir -p /etc/sssd/conf.d
|
|
|
ff1465 |
+touch /etc/sssd/sssd.conf
|
|
|
ff1465 |
+echo -e "[ssd]\ncertificate_verification = ocsp_dgst=sha1" >> /etc/sssd/sssd.conf
|
|
|
ff1465 |
diff --git a/linux_os/guide/services/sssd/sssd_certificate_verification/tests/wrong_value.fail.sh b/linux_os/guide/services/sssd/sssd_certificate_verification/tests/wrong_value.fail.sh
|
|
|
ff1465 |
new file mode 100644
|
|
|
ff1465 |
index 00000000000..93f363edc04
|
|
|
ff1465 |
--- /dev/null
|
|
|
ff1465 |
+++ b/linux_os/guide/services/sssd/sssd_certificate_verification/tests/wrong_value.fail.sh
|
|
|
ff1465 |
@@ -0,0 +1,6 @@
|
|
|
ff1465 |
+#!/bin/bash
|
|
|
ff1465 |
+# packages = sssd-common
|
|
|
ff1465 |
+
|
|
|
ff1465 |
+mkdir -p /etc/sssd/conf.d
|
|
|
ff1465 |
+touch /etc/sssd/sssd.conf
|
|
|
ff1465 |
+echo -e "[sssd]\ncertificate_verification = ocsp_dgst=sha256" >> /etc/sssd/sssd.conf
|
|
|
ff1465 |
diff --git a/linux_os/guide/services/sssd/var_sssd_certificate_verification_digest_function.var b/linux_os/guide/services/sssd/var_sssd_certificate_verification_digest_function.var
|
|
|
ff1465 |
new file mode 100644
|
|
|
ff1465 |
index 00000000000..cdbd0a13576
|
|
|
ff1465 |
--- /dev/null
|
|
|
ff1465 |
+++ b/linux_os/guide/services/sssd/var_sssd_certificate_verification_digest_function.var
|
|
|
ff1465 |
@@ -0,0 +1,20 @@
|
|
|
ff1465 |
+documentation_complete: true
|
|
|
ff1465 |
+
|
|
|
ff1465 |
+title: 'SSSD certificate_verification option'
|
|
|
ff1465 |
+
|
|
|
ff1465 |
+description: |-
|
|
|
ff1465 |
+ Value of the certificate_verification option in
|
|
|
ff1465 |
+ the SSSD config.
|
|
|
ff1465 |
+
|
|
|
ff1465 |
+type: string
|
|
|
ff1465 |
+
|
|
|
ff1465 |
+operator: equals
|
|
|
ff1465 |
+
|
|
|
ff1465 |
+interactive: true
|
|
|
ff1465 |
+
|
|
|
ff1465 |
+options:
|
|
|
ff1465 |
+ sha1: sha1
|
|
|
ff1465 |
+ sha256: sha256
|
|
|
ff1465 |
+ sha384: sha384
|
|
|
ff1465 |
+ sha512: sha512
|
|
|
ff1465 |
+ default: sha1
|
|
|
ff1465 |
diff --git a/products/rhel8/profiles/stig.profile b/products/rhel8/profiles/stig.profile
|
|
|
ff1465 |
index 9dc9360e899..5b1f709faaf 100644
|
|
|
ff1465 |
--- a/products/rhel8/profiles/stig.profile
|
|
|
ff1465 |
+++ b/products/rhel8/profiles/stig.profile
|
|
|
ff1465 |
@@ -70,6 +70,7 @@ selections:
|
|
|
ff1465 |
- var_auditd_disk_error_action=halt
|
|
|
ff1465 |
- var_auditd_max_log_file_action=syslog
|
|
|
ff1465 |
- var_auditd_disk_full_action=halt
|
|
|
ff1465 |
+ - var_sssd_certificate_verification_digest_function=sha1
|
|
|
ff1465 |
|
|
|
ff1465 |
### Enable / Configure FIPS
|
|
|
ff1465 |
- enable_fips_mode
|
|
|
ff1465 |
@@ -275,6 +276,7 @@ selections:
|
|
|
ff1465 |
- install_smartcard_packages
|
|
|
ff1465 |
|
|
|
ff1465 |
# RHEL-08-010400
|
|
|
ff1465 |
+ - sssd_certificate_verification
|
|
|
ff1465 |
|
|
|
ff1465 |
# RHEL-08-010410
|
|
|
ff1465 |
- package_opensc_installed
|
|
|
ff1465 |
diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
|
|
|
ff1465 |
index 3b24e19da06..81f94f7dbca 100644
|
|
|
ff1465 |
--- a/shared/references/cce-redhat-avail.txt
|
|
|
ff1465 |
+++ b/shared/references/cce-redhat-avail.txt
|
|
|
ff1465 |
@@ -236,7 +236,6 @@ CCE-86116-1
|
|
|
ff1465 |
CCE-86117-9
|
|
|
ff1465 |
CCE-86118-7
|
|
|
ff1465 |
CCE-86119-5
|
|
|
ff1465 |
-CCE-86120-3
|
|
|
ff1465 |
CCE-86121-1
|
|
|
ff1465 |
CCE-86122-9
|
|
|
ff1465 |
CCE-86123-7
|
|
|
ff1465 |
diff --git a/tests/data/profile_stability/rhel8/stig.profile b/tests/data/profile_stability/rhel8/stig.profile
|
|
|
ff1465 |
index e9ba0f0adbf..baef93bba64 100644
|
|
|
ff1465 |
--- a/tests/data/profile_stability/rhel8/stig.profile
|
|
|
ff1465 |
+++ b/tests/data/profile_stability/rhel8/stig.profile
|
|
|
ff1465 |
@@ -342,6 +342,7 @@ selections:
|
|
|
ff1465 |
- sshd_set_keepalive_0
|
|
|
ff1465 |
- sshd_use_strong_rng
|
|
|
ff1465 |
- sshd_x11_use_localhost
|
|
|
ff1465 |
+- sssd_certificate_verification
|
|
|
ff1465 |
- sssd_enable_certmap
|
|
|
ff1465 |
- sssd_enable_smartcards
|
|
|
ff1465 |
- sssd_offline_cred_expiration
|
|
|
ff1465 |
@@ -410,6 +411,7 @@ selections:
|
|
|
ff1465 |
- sshd_approved_macs=stig
|
|
|
ff1465 |
- sshd_approved_ciphers=stig
|
|
|
ff1465 |
- sshd_idle_timeout_value=10_minutes
|
|
|
ff1465 |
+- var_accounts_authorized_local_users_regex=rhel8
|
|
|
ff1465 |
- var_accounts_passwords_pam_faillock_deny=3
|
|
|
ff1465 |
- var_accounts_passwords_pam_faillock_fail_interval=900
|
|
|
ff1465 |
- var_accounts_passwords_pam_faillock_unlock_time=never
|
|
|
ff1465 |
@@ -425,7 +427,7 @@ selections:
|
|
|
ff1465 |
- var_auditd_disk_error_action=halt
|
|
|
ff1465 |
- var_auditd_max_log_file_action=syslog
|
|
|
ff1465 |
- var_auditd_disk_full_action=halt
|
|
|
ff1465 |
-- var_accounts_authorized_local_users_regex=rhel8
|
|
|
ff1465 |
+- var_sssd_certificate_verification_digest_function=sha1
|
|
|
ff1465 |
- var_system_crypto_policy=fips
|
|
|
ff1465 |
- var_sudo_timestamp_timeout=always_prompt
|
|
|
ff1465 |
title: DISA STIG for Red Hat Enterprise Linux 8
|
|
|
ff1465 |
diff --git a/tests/data/profile_stability/rhel8/stig_gui.profile b/tests/data/profile_stability/rhel8/stig_gui.profile
|
|
|
ff1465 |
index c8540f9392e..237f66c721f 100644
|
|
|
ff1465 |
--- a/tests/data/profile_stability/rhel8/stig_gui.profile
|
|
|
ff1465 |
+++ b/tests/data/profile_stability/rhel8/stig_gui.profile
|
|
|
ff1465 |
@@ -353,6 +353,7 @@ selections:
|
|
|
ff1465 |
- sshd_set_keepalive_0
|
|
|
ff1465 |
- sshd_use_strong_rng
|
|
|
ff1465 |
- sshd_x11_use_localhost
|
|
|
ff1465 |
+- sssd_certificate_verification
|
|
|
ff1465 |
- sssd_enable_certmap
|
|
|
ff1465 |
- sssd_enable_smartcards
|
|
|
ff1465 |
- sssd_offline_cred_expiration
|
|
|
ff1465 |
@@ -420,6 +421,7 @@ selections:
|
|
|
ff1465 |
- sshd_approved_macs=stig
|
|
|
ff1465 |
- sshd_approved_ciphers=stig
|
|
|
ff1465 |
- sshd_idle_timeout_value=10_minutes
|
|
|
ff1465 |
+- var_accounts_authorized_local_users_regex=rhel8
|
|
|
ff1465 |
- var_accounts_passwords_pam_faillock_deny=3
|
|
|
ff1465 |
- var_accounts_passwords_pam_faillock_fail_interval=900
|
|
|
ff1465 |
- var_accounts_passwords_pam_faillock_unlock_time=never
|
|
|
ff1465 |
@@ -435,7 +437,7 @@ selections:
|
|
|
ff1465 |
- var_auditd_disk_error_action=halt
|
|
|
ff1465 |
- var_auditd_max_log_file_action=syslog
|
|
|
ff1465 |
- var_auditd_disk_full_action=halt
|
|
|
ff1465 |
-- var_accounts_authorized_local_users_regex=rhel8
|
|
|
ff1465 |
+- var_sssd_certificate_verification_digest_function=sha1
|
|
|
ff1465 |
- var_system_crypto_policy=fips
|
|
|
ff1465 |
- var_sudo_timestamp_timeout=always_prompt
|
|
|
ff1465 |
title: DISA STIG with GUI for Red Hat Enterprise Linux 8
|