From aa816fcdb60d05c89940d8d681bdffaa3629c1fa Mon Sep 17 00:00:00 2001
From: Vojtech Polasek
Date: Tue, 21 Nov 2023 15:58:42 +0100
Subject: [PATCH 1/8] return prodtype to ntpd_specify_multiple_servers

---
 .../guide/services/ntp/ntpd_specify_multiple_servers/rule.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/linux_os/guide/services/ntp/ntpd_specify_multiple_servers/rule.yml b/linux_os/guide/services/ntp/ntpd_specify_multiple_servers/rule.yml
index c005b2bbf22..f80e041c9e4 100644
--- a/linux_os/guide/services/ntp/ntpd_specify_multiple_servers/rule.yml
+++ b/linux_os/guide/services/ntp/ntpd_specify_multiple_servers/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
 
-prodtype: fedora,ol7,ol8,rhcos4,rhel7,rhel8,rhv4,sle12,sle15
+prodtype: fedora,ol7,ol8,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15
 
 title: 'Specify Additional Remote NTP Servers'
 

From 2cae03153fa988930e9a5340b70e543751c6b9a3 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek
Date: Tue, 21 Nov 2023 15:59:40 +0100
Subject: [PATCH 2/8] return prodtype to ntpd_specify_remote_server

---
 linux_os/guide/services/ntp/ntpd_specify_remote_server/rule.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/linux_os/guide/services/ntp/ntpd_specify_remote_server/rule.yml b/linux_os/guide/services/ntp/ntpd_specify_remote_server/rule.yml
index 82995d27b5a..4e3390d2001 100644
--- a/linux_os/guide/services/ntp/ntpd_specify_remote_server/rule.yml
+++ b/linux_os/guide/services/ntp/ntpd_specify_remote_server/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
 
-prodtype: alinux2,fedora,ol7,ol8,rhcos4,rhel7,rhel8,rhv4,sle12,sle15
+prodtype: alinux2,fedora,ol7,ol8,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15
 
 title: 'Specify a Remote NTP Server'
 

From 71e21cf8ce75513d0f7f4bf271f865f9b6abf37e Mon Sep 17 00:00:00 2001
From: Vojtech Polasek
Date: Tue, 21 Nov 2023 16:00:13 +0100
Subject: [PATCH 3/8] add back prodtype and warning to service_ntp_enabled

---
 linux_os/guide/services/ntp/service_ntp_enabled/rule.yml | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/linux_os/guide/services/ntp/service_ntp_enabled/rule.yml b/linux_os/guide/services/ntp/service_ntp_enabled/rule.yml
index 50858ef7233..9ae0181ed2c 100644
--- a/linux_os/guide/services/ntp/service_ntp_enabled/rule.yml
+++ b/linux_os/guide/services/ntp/service_ntp_enabled/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
 
-prodtype: debian10,debian11,debian12,sle12,sle15,ubuntu1604,ubuntu1804,ubuntu2004,ubuntu2204
+prodtype: debian10,debian11,debian12,rhel8,rhel9,sle12,sle15,ubuntu1604,ubuntu1804,ubuntu2004,ubuntu2204
 
 title: 'Enable the NTP Daemon'
 
@@ -49,3 +49,10 @@ template:
     name: service_enabled
     vars:
         servicename: ntp
+
+{{% if prodtype in ["rhel8", "rhel9"] %}}
+warnings:
+    - general:
+        The
ntp
package is not available in {{{ full_name }}}. Please
+        consider the
chrony
package instead.
+{{% endif %}}

From 34f9eef7d7c7284a050664f1972436349739e802 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek
Date: Tue, 21 Nov 2023 16:01:02 +0100
Subject: [PATCH 4/8] add prodtype and warning to package-audit-audispd-plugins_installed

---
 .../package_audit-audispd-plugins_installed/rule.yml | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/linux_os/guide/system/auditing/package_audit-audispd-plugins_installed/rule.yml b/linux_os/guide/system/auditing/package_audit-audispd-plugins_installed/rule.yml
index cc2d17d263c..50990e0119c 100644
--- a/linux_os/guide/system/auditing/package_audit-audispd-plugins_installed/rule.yml
+++ b/linux_os/guide/system/auditing/package_audit-audispd-plugins_installed/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
 
-prodtype: fedora,ol9,rhel9,sle12,sle15,ubuntu2004
+prodtype: fedora,ol9,rhel8,rhel9,sle12,sle15,ubuntu2004
 
 title: 'Ensure the default plugins for the audit dispatcher are Installed'
 
@@ -34,3 +34,10 @@ template:
         pkgname@ubuntu1604: audispd-plugins
         pkgname@ubuntu1804: audispd-plugins
         pkgname@ubuntu2004: audispd-plugins
+
+{{% if prodtype in ["rhel8", "rhel9"] %}}
+warnings:
+    - general:
+        This package is not available in {{{ full_name }}}. The correct package
+        is called audispd-plugins.
+{{% endif %}}

From 172b1a3932b275c006c2674097a92caf62815464 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek
Date: Tue, 21 Nov 2023 16:01:57 +0100
Subject: [PATCH 5/8] add back prodtypes to set_ipv6_loopback_traffic

---
 .../iptables_activation/set_ipv6_loopback_traffic/rule.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/linux_os/guide/system/network/network-iptables/iptables_activation/set_ipv6_loopback_traffic/rule.yml b/linux_os/guide/system/network/network-iptables/iptables_activation/set_ipv6_loopback_traffic/rule.yml
index ea0528167e6..039cd72a594 100644
--- a/linux_os/guide/system/network/network-iptables/iptables_activation/set_ipv6_loopback_traffic/rule.yml
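Review bot: The new `{{% if prodtype in ["rhel8", "rhel9"] %}}` guard depends on a template variable named `prodtype`; I believe the product identifier that rule.yml templates receive in this repository is `product`, and with Jinja's default `Undefined` an undefined name makes the `in` test silently false, so the warning would never be rendered on RHEL — please confirm the name against the build's template environment. The same guard is used in the `package_audit-audispd-plugins_installed` hunk of patch 4/8 and extended with `sle15` in patch 8/8. Separately, once rhel8/rhel9 are in `prodtype` the rule can be selected by any RHEL profile, and the only safeguards are this warning and the pci-dss exclusions in patch 7/8; a comment above the guard such as `{{# Not applicable on RHEL (no ntp package); RHEL profiles must exclude this rule explicitly #}}` would make that contract visible to future maintainers. The warning text in this hunk is split across lines by the extraction, so its exact wording should be checked in the file itself.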
+++ b/linux_os/guide/system/network/network-iptables/iptables_activation/set_ipv6_loopback_traffic/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
 
-prodtype: sle12,sle15,ubuntu2004,ubuntu2204
+prodtype: rhel8,rhel9,sle12,sle15,ubuntu2004,ubuntu2204
 
 title: 'Set configuration for IPv6 loopback traffic'
 

From 2daaaf272d4ae7179a048508ed77c8bd0c9e4b8b Mon Sep 17 00:00:00 2001
From: Vojtech Polasek
Date: Tue, 21 Nov 2023 16:02:33 +0100
Subject: [PATCH 6/8] add back prodtype to set_loopback_traffic

---
 .../iptables_activation/set_loopback_traffic/rule.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/linux_os/guide/system/network/network-iptables/iptables_activation/set_loopback_traffic/rule.yml b/linux_os/guide/system/network/network-iptables/iptables_activation/set_loopback_traffic/rule.yml
index 002b305e2f1..ef476d9bc46 100644
--- a/linux_os/guide/system/network/network-iptables/iptables_activation/set_loopback_traffic/rule.yml
+++ b/linux_os/guide/system/network/network-iptables/iptables_activation/set_loopback_traffic/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
 
-prodtype: alinux2,sle12,sle15,ubuntu2004,ubuntu2204
+prodtype: alinux2,rhel8,rhel9,sle12,sle15,ubuntu2004,ubuntu2204
 
 title: 'Set configuration for loopback traffic'
 

From 1bd1d72cec9909ee9b9f7e95cf5852a9fe69d000 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek
Date: Tue, 21 Nov 2023 16:03:03 +0100
Subject: [PATCH 7/8] modify rhel8 and rhel9 pci-dss profiles to exclude rules which do not apply modify profile stability test data for rhel8
---
 products/rhel8/profiles/pci-dss.profile | 7 +++++++
 products/rhel9/profiles/pci-dss.profile | 7 +++++++
 tests/data/profile_stability/rhel8/pci-dss.profile | 2 --
 3 files changed, 14 insertions(+), 2 deletions(-)

diff --git a/products/rhel8/profiles/pci-dss.profile b/products/rhel8/profiles/pci-dss.profile
index 544cbe020b7..87456a29063 100644
--- a/products/rhel8/profiles/pci-dss.profile
+++ b/products/rhel8/profiles/pci-dss.profile
@@ -25,3 +25,10 @@ selections:
     # More tests are needed to identify which rule is conflicting with rpm_verify_permissions.
     # https://github.com/ComplianceAsCode/content/issues/11285
     - '!rpm_verify_permissions'
+    # these rules does not apply to RHEL but it has to keep the prodtype for historical reasons
+    - '!package_audit-audispd-plugins_installed'
+    - '!service_ntp_enabled'
+    - '!ntpd_specify_remote_server'
+    - '!ntpd_specify_multiple_servers'
+    - '!set_ipv6_loopback_traffic'
+    - '!set_loopback_traffic'
diff --git a/products/rhel9/profiles/pci-dss.profile b/products/rhel9/profiles/pci-dss.profile
index 54c369cab65..1053c40854e 100644
--- a/products/rhel9/profiles/pci-dss.profile
+++ b/products/rhel9/profiles/pci-dss.profile
@@ -28,3 +28,10 @@ selections:
     # More tests are needed to identify which rule is conflicting with rpm_verify_permissions.
     # https://github.com/ComplianceAsCode/content/issues/11285
     - '!rpm_verify_permissions'
+    # these rules does not apply to RHEL but it has to keep the prodtype for historical reasons
+    - '!package_audit-audispd-plugins_installed'
+    - '!service_ntp_enabled'
+    - '!ntpd_specify_remote_server'
+    - '!ntpd_specify_multiple_servers'
+    - '!set_ipv6_loopback_traffic'
+    - '!set_loopback_traffic'
diff --git a/tests/data/profile_stability/rhel8/pci-dss.profile b/tests/data/profile_stability/rhel8/pci-dss.profile
index 466aa3a1fbb..ae0d3969eef 100644
--- a/tests/data/profile_stability/rhel8/pci-dss.profile
+++ b/tests/data/profile_stability/rhel8/pci-dss.profile
@@ -52,7 +52,6 @@ selections:
 - dconf_gnome_session_idle_user_locks
 - sshd_set_maxstartups
 - audit_rules_time_stime
-- ntpd_specify_remote_server
 - accounts_password_pam_pwhistory_remember_system_auth
 - service_rpcbind_disabled
 - chronyd_run_as_chrony_user
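Review bot: The comment introduced above the new exclusions, `# these rules does not apply to RHEL but it has to keep the prodtype for historical reasons`, has grammar errors and does not tell the reader what to do; I'd write `# These rules do not apply to RHEL; they keep rhel8/rhel9 in prodtype for historical reasons, so exclude them explicitly.` The identical comment and list appear in the rhel9 pci-dss.profile hunk below and would benefit from the same wording. The `selections` list begins outside both hunks, so I could not check what pulls these rules in before they are negated. The rhel8 stability data drops only the two ntpd rules, which looks consistent with those being the only ones previously selected there, but no rhel9 stability data is touched in this commit — please confirm that none exists for the rhel9 pci-dss profile.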
@@ -200,7 +199,6 @@ selections:
 - package_telnet_removed
 - audit_sudo_log_events
 - package_ypbind_removed
-- ntpd_specify_multiple_servers
 - dconf_gnome_screensaver_idle_activation_enabled
 - sysctl_net_ipv4_tcp_syncookies
 - sshd_set_max_auth_tries

From 1c077d69e620aecbb20cd18c42afdc02ecd5a555 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek
Date: Wed, 22 Nov 2023 11:19:04 +0100
Subject: [PATCH 8/8] display warning for service_ntp_enabled also for sle15

---
 linux_os/guide/services/ntp/service_ntp_enabled/rule.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/linux_os/guide/services/ntp/service_ntp_enabled/rule.yml b/linux_os/guide/services/ntp/service_ntp_enabled/rule.yml
index 9ae0181ed2c..357f6dd2fbf 100644
--- a/linux_os/guide/services/ntp/service_ntp_enabled/rule.yml
+++ b/linux_os/guide/services/ntp/service_ntp_enabled/rule.yml
@@ -50,7 +50,7 @@ template:
     vars:
         servicename: ntp
 
-{{% if prodtype in ["rhel8", "rhel9"] %}}
+{{% if prodtype in ["rhel8", "rhel9", "sle15"] %}}
 warnings:
     - general:
         The
ntp
package is not available in {{{ full_name }}}. Please