From 11105b3c436a130ba67e645febfe0bd9ae646e1e Mon Sep 17 00:00:00 2001
From: Edgar Aguilar
Date: Mon, 15 Apr 2024 18:04:40 -0600
Subject: [PATCH 1/4] ol8 anssi add kernel_config rules

better to document expected failures than don't give any result

Signed-off-by: Edgar Aguilar
---
 products/ol8/profiles/anssi_bp28_high.profile | 26 -------------------
 1 file changed, 26 deletions(-)

diff --git a/products/ol8/profiles/anssi_bp28_high.profile b/products/ol8/profiles/anssi_bp28_high.profile
index ed5981d021e..2c1dd6e76e0 100644
--- a/products/ol8/profiles/anssi_bp28_high.profile
+++ b/products/ol8/profiles/anssi_bp28_high.profile
@@ -14,49 +14,23 @@ description: |-
 selections:
 - anssi:all:high
 # Following rules once had a prodtype incompatible with the ol8 product
- - '!kernel_config_gcc_plugin_structleak_byref_all'
 - '!accounts_passwords_pam_tally2_deny_root'
- - '!kernel_config_refcount_full'
 - '!timer_logrotate_enabled'
- - '!kernel_config_legacy_vsyscall_none'
- - '!kernel_config_hardened_usercopy_fallback'
 - '!ensure_redhat_gpgkey_installed'
 - '!aide_periodic_checking_systemd_timer'
- - '!kernel_config_gcc_plugin_latent_entropy'
 - '!audit_rules_privileged_commands_rmmod'
 - '!grub2_mds_argument'
 - '!audit_rules_privileged_commands_modprobe'
 - '!package_dracut-fips-aesni_installed'
- - '!kernel_config_bug_on_data_corruption'
 - '!cracklib_accounts_password_pam_lcredit'
 - '!sysctl_fs_protected_regular'
- - '!kernel_config_stackprotector_strong'
 - '!cracklib_accounts_password_pam_ocredit'
- - '!kernel_config_sched_stack_end_check'
- - '!kernel_config_gcc_plugin_stackleak'
 - '!audit_rules_privileged_commands_insmod'
- - '!kernel_config_legacy_vsyscall_emulate'
- - '!kernel_config_arm64_sw_ttbr0_pan'
- - '!kernel_config_page_poisoning'
 - '!chronyd_configure_pool_and_server'
 - '!accounts_passwords_pam_tally2'
 - '!cracklib_accounts_password_pam_ucredit'
- - '!kernel_config_vmap_stack'
- - '!kernel_config_legacy_vsyscall_xonly'
- - '!kernel_config_gcc_plugin_randstruct'
 - '!accounts_passwords_pam_tally2_unlock_time'
- - '!kernel_config_stackprotector'
- - '!kernel_config_slab_freelist_hardened'
- - '!kernel_config_gcc_plugin_structleak'
 - '!cracklib_accounts_password_pam_minlen'
- - '!kernel_config_debug_wx'
 - '!sysctl_fs_protected_fifos'
- - '!kernel_config_strict_kernel_rwx'
- - '!kernel_config_fortify_source'
 - '!cracklib_accounts_password_pam_dcredit'
- - '!kernel_config_slab_merge_default'
- - '!kernel_config_slab_freelist_random'
- - '!kernel_config_hardened_usercopy'
 - '!grub2_page_alloc_shuffle_argument'
- - '!kernel_config_strict_module_rwx'
- - '!kernel_config_modify_ldt_syscall'
From f3c1d8e62202f3b51aad0c2031d279f7bb65d310 Mon Sep 17 00:00:00 2001
From: Edgar Aguilar
Date: Mon, 15 Apr 2024 18:08:29 -0600
Subject: [PATCH 2/4] ol8 cjis delete password_minlen_login_defs var

This profile doesn't include the rule that uses this variable

Signed-off-by: Edgar Aguilar
---
 products/ol8/profiles/cjis.profile | 1 -
 1 file changed, 1 deletion(-)

diff --git a/products/ol8/profiles/cjis.profile b/products/ol8/profiles/cjis.profile
index 6c51f52d70c..552500cf012 100644
--- a/products/ol8/profiles/cjis.profile
+++ b/products/ol8/profiles/cjis.profile
@@ -58,7 +58,6 @@ selections:
 - accounts_password_all_shadowed
 - no_empty_passwords
 - display_login_attempts
- - var_accounts_password_minlen_login_defs=12
 - var_accounts_maximum_age_login_defs=90
 - var_password_pam_unix_remember=10
 - var_account_disable_post_pw_expiration=0

From 52d674c07c20a631e340f34921ef91afda26d778 Mon Sep 17 00:00:00 2001
From: Edgar Aguilar
Date: Mon, 15 Apr 2024 18:09:27 -0600
Subject: [PATCH 3/4] ol8 e8 add authselect rule

Signed-off-by: Edgar Aguilar
---
 products/ol8/profiles/e8.profile | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/products/ol8/profiles/e8.profile b/products/ol8/profiles/e8.profile
index 76fc9ea4a93..17d661ed63f 100644
--- a/products/ol8/profiles/e8.profile
+++ b/products/ol8/profiles/e8.profile
@@ -69,6 +69,8 @@ selections:
 - file_ownership_library_dirs
 ### Passwords
+ - var_authselect_profile=sssd
+ - enable_authselect
 - no_empty_passwords
 ### Partitioning

From 9b29a3eac3b69ef9abca0c9fdfe53dc1ca0d9246 Mon Sep 17 00:00:00 2001
From: Edgar Aguilar
Date: Mon, 15 Apr 2024 18:13:15 -0600
Subject: [PATCH 4/4] ol8 hipaa remove sshd_use_priv_separation

This option was deprecated in openssh

Signed-off-by: Edgar Aguilar
---
 products/ol8/profiles/hipaa.profile | 1 -
 1 file changed, 1 deletion(-)

diff --git a/products/ol8/profiles/hipaa.profile b/products/ol8/profiles/hipaa.profile
index 508369fc24b..2a9456b3aea 100644
--- a/products/ol8/profiles/hipaa.profile
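Review bot: The two selections added under `### Passwords` in the e8.profile hunk carry no rationale, and the commit message for PATCH 3/4 has none either, although `var_authselect_profile=sssd` pins a single authselect profile for every host the e8 profile is applied to. On a host that already uses a different authselect profile, the `enable_authselect` remediation presumably switches it, which touches the whole PAM/NSS configuration rather than a password setting, so the placement under a password heading is easy to misread. A short comment next to the pair would make the intent reviewable, e.g. `# enable_authselect remediation selects the sssd authselect profile; review before applying to hosts that rely on another profile`. The hunk shows only a slice of the selections list, so whether other PAM-related rules in this profile depend on this choice cannot be confirmed from here.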
+++ b/products/ol8/profiles/hipaa.profile
@@ -66,7 +66,6 @@ selections:
 - sshd_enable_warning_banner
 - var_sshd_set_keepalive=0
 - sshd_set_keepalive_0
- - sshd_use_priv_separation
 - encrypt_partitions
 - var_system_crypto_policy=fips
 - configure_crypto_policy