From 93a82b0dd8dcccdd0ffb7de77c86207336ba8d1b Mon Sep 17 00:00:00 2001
From: Vojtech Polasek
Date: Wed, 25 Sep 2024 09:59:59 +0200
Subject: [PATCH 1/2] enable Ansible remediation for rhel10 product
---
.../system/network/network_nmcli_permissions/ansible/shared.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/linux_os/guide/system/network/network_nmcli_permissions/ansible/shared.yml b/linux_os/guide/system/network/network_nmcli_permissions/ansible/shared.yml
index c2816c906b4..045befe2ba3 100644
--- a/linux_os/guide/system/network/network_nmcli_permissions/ansible/shared.yml
+++ b/linux_os/guide/system/network/network_nmcli_permissions/ansible/shared.yml
@@ -1,4 +1,4 @@
-# platform = Red Hat Enterprise Linux 8,multi_platform_ol,multi_platform_rhv,multi_platform_fedora
+# platform = Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 10,multi_platform_ol,multi_platform_rhv,multi_platform_fedora
 # reboot = false
 # strategy = restrict
 # complexity = low
From 1fefa5afef48b98351fd13aabc0a7296c8eb5844 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek
Date: Wed, 25 Sep 2024 10:00:24 +0200
Subject: [PATCH 2/2] exclude some problematic rules from ism_o rhel10 profiles see comments
---
products/rhel10/profiles/ism_o.profile | 15 +++++++++++++++
products/rhel10/profiles/ism_o_secret.profile | 15 +++++++++++++++
products/rhel10/profiles/ism_o_top_secret.profile | 15 +++++++++++++++
3 files changed, 45 insertions(+)
diff --git a/products/rhel10/profiles/ism_o.profile b/products/rhel10/profiles/ism_o.profile
index 163d0a26e55..75ff703df10 100644
--- a/products/rhel10/profiles/ism_o.profile
+++ b/products/rhel10/profiles/ism_o.profile
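Review bot: The new platform line lists Red Hat Enterprise Linux 8 and Red Hat Enterprise Linux 10 but not 9, and neither the hunk nor the commit message says whether that gap is deliberate (a 9 remediation handled elsewhere, or simply not yet enabled). A short note would save the next maintainer a search, e.g. `# RHEL 9 intentionally omitted: <reason placeholder>` placed above the platform line, or a sentence in the commit message. It is also worth confirming that the rule's other remediation and check content for this rule was widened to RHEL 10 in the same way, so the Ansible fix does not apply on a platform where the corresponding check does not; that cannot be seen from this hunk.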
@@ -28,3 +28,18 @@ extends: e8
 selections:
 - ism_o:all:base
+ # these rules do not work properly on RHEL 10 for now
+ - '!enable_dracut_fips_module'
+ - '!firewalld_sshd_port_enabled'
+ - '!require_singleuser_auth'
+ - '!enable_fips_mode'
+ # tally2 is deprecated, replaced by faillock
+ - '!accounts_passwords_pam_tally2_deny_root'
+ - '!accounts_passwords_pam_tally2_unlock_time'
+ - '!audit_rules_login_events_tallylog'
+ # lastlog is not used in RHEL 10
+ - '!audit_rules_login_events_lastlog'
+ # this rule is currently failing on some systemd services, probably because of require_emergency_target_auth and require_singleuser_auth rules
+ - '!rpm_verify_hashes'
+ # this rule should not be needed anymore on RHEL 10, but investigation is recommended
+ - '!openssl_use_strong_entropy'
diff --git a/products/rhel10/profiles/ism_o_secret.profile b/products/rhel10/profiles/ism_o_secret.profile
index 15d8b7d9db1..03730dadcc9 100644
--- a/products/rhel10/profiles/ism_o_secret.profile
+++ b/products/rhel10/profiles/ism_o_secret.profile
@@ -30,3 +30,18 @@ extends: e8
 selections:
 - ism_o:all:secret
+ # these rules do not work properly on RHEL 10 for now
+ - '!enable_dracut_fips_module'
+ - '!firewalld_sshd_port_enabled'
+ - '!require_singleuser_auth'
+ - '!enable_fips_mode'
+ # tally2 is deprecated, replaced by faillock
+ - '!accounts_passwords_pam_tally2_deny_root'
+ - '!accounts_passwords_pam_tally2_unlock_time'
+ - '!audit_rules_login_events_tallylog'
+ # lastlog is not used in RHEL 10
+ - '!audit_rules_login_events_lastlog'
+ # this rule is currently failing on some systemd services, probably because of require_emergency_target_auth and require_singleuser_auth rules
+ - '!rpm_verify_hashes'
+ # this rule should not be needed anymore on RHEL 10, but investigation is recommended
+ - '!openssl_use_strong_entropy'
diff --git a/products/rhel10/profiles/ism_o_top_secret.profile b/products/rhel10/profiles/ism_o_top_secret.profile
index 38673d3e183..cfaa853b5ab 100644
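Review bot: Excluding `enable_fips_mode`, `enable_dracut_fips_module` and `rpm_verify_hashes` removes the FIPS-mode and package-integrity checks from all three ISM profiles, including ism_o_secret.profile and ism_o_top_secret.profile (the identical block in the next two hunks), and the only record of that is a "for now" comment with nothing that would cause the exclusions to be revisited. Each group should carry a tracking reference, e.g. `# these rules do not work properly on RHEL 10 for now, tracked in <TRACKING-ISSUE placeholder>`, and the `rpm_verify_hashes` comment only says the cause is "probably" the systemd edits made by `require_emergency_target_auth`/`require_singleuser_auth`; that is worth confirming before a profile-wide exclusion of the integrity check ships in the top_secret profile. The same 15 lines are pasted into three profiles, so if the profile format allows it, keeping the RHEL 10 exclusions in one shared place would stop them drifting apart when a single one is later lifted.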
--- a/products/rhel10/profiles/ism_o_top_secret.profile
+++ b/products/rhel10/profiles/ism_o_top_secret.profile
@@ -28,3 +28,18 @@ extends: e8
 selections:
 - ism_o:all:top_secret
+ # these rules do not work properly on RHEL 10 for now
+ - '!enable_dracut_fips_module'
+ - '!firewalld_sshd_port_enabled'
+ - '!require_singleuser_auth'
+ - '!enable_fips_mode'
+ # tally2 is deprecated, replaced by faillock
+ - '!accounts_passwords_pam_tally2_deny_root'
+ - '!accounts_passwords_pam_tally2_unlock_time'
+ - '!audit_rules_login_events_tallylog'
+ # lastlog is not used in RHEL 10
+ - '!audit_rules_login_events_lastlog'
+ # this rule is currently failing on some systemd services, probably because of require_emergency_target_auth and require_singleuser_auth rules
+ - '!rpm_verify_hashes'
+ # this rule should not be needed anymore on RHEL 10, but investigation is recommended
+ - '!openssl_use_strong_entropy'