From da2433c25c3f4665a57a8de8e08aa2f999dd696c Mon Sep 17 00:00:00 2001
From: Watson Sato
Date: Fri, 30 Nov 2018 15:17:27 +0100
Subject: [PATCH 1/6] Drop deprecated or removed packages in RHEL8
---
 rhel8/templates/csv/packages_removed.csv | 5 -----
 1 file changed, 5 deletions(-)
diff --git a/rhel8/templates/csv/packages_removed.csv b/rhel8/templates/csv/packages_removed.csv
index 7b180610a48f..eba50cea20e7 100644
--- a/rhel8/templates/csv/packages_removed.csv
+++ b/rhel8/templates/csv/packages_removed.csv
@@ -21,10 +21,8 @@ mcstrans
 mdadm
 net-snmp
 nfs-utils
-ntp
 ntpdate
 oddjob
-openldap-servers
 openssh-server
 portreserve
 prelink
@@ -32,7 +30,6 @@ qpid-cpp-server
 quagga
 quota-nld
 rhnsd
-rsh
 rsh-server
 samba
 samba-common
@@ -52,6 +49,4 @@ tftp-server
 vsftpd
 xinetd
 xorg-x11-server-common
-ypbind
-ypserv
 systemd
From f652cc9e8d3737dc5053695df7ead8ae58438e9c Mon Sep 17 00:00:00 2001
From: Watson Sato
Date: Fri, 30 Nov 2018 16:35:13 +0100
Subject: [PATCH 2/6] Remove rules not applicable to RHEL8 These packages are not available for RHEL8
---
 .../openldap_server/package_openldap-servers_removed/rule.yml | 2 +-
 .../guide/services/obsolete/nis/package_ypbind_removed/rule.yml | 2 +-
 .../services/obsolete/nis/service_ypbind_disabled/rule.yml | 2 +-
 .../services/obsolete/r_services/package_rsh_removed/rule.yml | 2 +-
 .../services/obsolete/r_services/service_rsh_disabled/rule.yml | 2 +-
 5 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/linux_os/guide/services/ldap/openldap_server/package_openldap-servers_removed/rule.yml b/linux_os/guide/services/ldap/openldap_server/package_openldap-servers_removed/rule.yml
index e6627f24ae37..92ede6fa0754 100644
--- a/linux_os/guide/services/ldap/openldap_server/package_openldap-servers_removed/rule.yml
+++ b/linux_os/guide/services/ldap/openldap_server/package_openldap-servers_removed/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
-prodtype: rhel6,rhel7,rhel8
+prodtype: rhel6,rhel7
 title: 'Uninstall openldap-servers Package'
diff --git a/linux_os/guide/services/obsolete/nis/package_ypbind_removed/rule.yml b/linux_os/guide/services/obsolete/nis/package_ypbind_removed/rule.yml
index a3d9bfcd57c1..6842a32be625 100644
--- a/linux_os/guide/services/obsolete/nis/package_ypbind_removed/rule.yml
+++ b/linux_os/guide/services/obsolete/nis/package_ypbind_removed/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
-prodtype: rhel6,rhel7,rhel8,ol7
+prodtype: rhel6,rhel7,ol7
 title: 'Remove NIS Client'
diff --git a/linux_os/guide/services/obsolete/nis/service_ypbind_disabled/rule.yml b/linux_os/guide/services/obsolete/nis/service_ypbind_disabled/rule.yml
index d6fc0456f91b..077439c2096b 100644
--- a/linux_os/guide/services/obsolete/nis/service_ypbind_disabled/rule.yml
+++ b/linux_os/guide/services/obsolete/nis/service_ypbind_disabled/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
-prodtype: rhel6,rhel7,rhel8
+prodtype: rhel6,rhel7
 title: 'Disable ypbind Service'
diff --git a/linux_os/guide/services/obsolete/r_services/package_rsh_removed/rule.yml b/linux_os/guide/services/obsolete/r_services/package_rsh_removed/rule.yml
index 02ddddbfd652..71192acc0860 100644
--- a/linux_os/guide/services/obsolete/r_services/package_rsh_removed/rule.yml
+++ b/linux_os/guide/services/obsolete/r_services/package_rsh_removed/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
-prodtype: rhel6,rhel7,rhel8
+prodtype: rhel6,rhel7
 title: 'Uninstall rsh Package'
diff --git a/linux_os/guide/services/obsolete/r_services/service_rsh_disabled/rule.yml b/linux_os/guide/services/obsolete/r_services/service_rsh_disabled/rule.yml
index 78b994e83745..86a09442e8ee 100644
--- a/linux_os/guide/services/obsolete/r_services/service_rsh_disabled/rule.yml
+++ b/linux_os/guide/services/obsolete/r_services/service_rsh_disabled/rule.yml
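Review bot: Dropping `rhel8` from `prodtype` removes the RHEL8 check entirely, so a host where the package is present anyway (third-party repository, leftover from an in-place upgrade, locally built RPM) is no longer flagged; "not shipped by the distribution" is a weaker guarantee than "cannot be installed". This applies to all five rule.yml hunks of this patch (openldap-servers, the ypbind package and service, the rsh package and service) and to the matching selections removed from rhel8/profiles/hipaa.profile in patch 3. Availability should be confirmed against the final RHEL8 repositories before the rules are retired; I believe ypbind and ypserv remain installable on RHEL 8, where NIS is deprecated rather than removed, but that needs checking. If the rules stay out, a comment above the line such as `# rhel8 dropped: package not shipped in RHEL8 repos; re-add if it becomes installable` would record the reasoning for the next maintainer.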
@@ -1,6 +1,6 @@
 documentation_complete: true
-prodtype: rhel6,rhel7,rhel8,ol7
+prodtype: rhel6,rhel7,ol7
 title: 'Disable rsh Service'
From de69cc154ecd2af43d327153f4da517378a6041e Mon Sep 17 00:00:00 2001
From: Watson Sato
Date: Tue, 4 Dec 2018 10:05:23 +0100
Subject: [PATCH 3/6] Remove dropped packages rules from RHEL8 profiles
---
 rhel8/profiles/hipaa.profile | 5 -----
 1 file changed, 5 deletions(-)
diff --git a/rhel8/profiles/hipaa.profile b/rhel8/profiles/hipaa.profile
index feb98007cfe1..c68e76165915 100644
--- a/rhel8/profiles/hipaa.profile
+++ b/rhel8/profiles/hipaa.profile
@@ -34,22 +34,17 @@ selections:
 - sshd_disable_root_login
 - libreswan_approved_tunnels
 - no_rsh_trust_files
- - package_rsh_removed
 - package_rsh-server_removed
 - package_talk_removed
 - package_talk-server_removed
 - package_telnet_removed
 - package_telnet-server_removed
 - package_xinetd_removed
- - package_ypbind_removed
- - package_ypserv_removed
 - service_crond_enabled
 - service_rexec_disabled
 - service_rlogin_disabled
- - service_rsh_disabled
 - service_telnet_disabled
 - service_xinetd_disabled
- - service_ypbind_disabled
 - service_zebra_disabled
 - use_kerberos_security_all_exports
 - disable_host_auth
From af92ef41fbf8f14b2b64ae9cfb4cb6021c87fcf9 Mon Sep 17 00:00:00 2001
From: Watson Sato
Date: Tue, 4 Dec 2018 11:05:16 +0100
Subject: [PATCH 4/6] Smartcards auth in RHEL8 should be done via sssd - pam_pkcs11 was removed from RHEL8 - piggy-backing fix: also enable pcsc-lite for Fedora
---
 fedora/templates/csv/packages_installed.csv | 1 +
 rhel8/profiles/pci-dss.profile | 8 +++++++-
 rhel8/templates/csv/packages_installed.csv | 1 +
 3 files changed, 9 insertions(+), 1 deletion(-)
diff --git a/fedora/templates/csv/packages_installed.csv b/fedora/templates/csv/packages_installed.csv
index 4abfd533404e..7bbf4d93e5b2 100644
--- a/fedora/templates/csv/packages_installed.csv
+++ b/fedora/templates/csv/packages_installed.csv
@@ -9,6 +9,7 @@ libreswan
 ntp
 opensc
 openssh-server
+pcsc-lite
 vsftpd
 postfix
 screen
diff --git a/rhel8/profiles/pci-dss.profile b/rhel8/profiles/pci-dss.profile
index 86a40c6086b4..a6209bedcf63 100644
--- a/rhel8/profiles/pci-dss.profile
+++ b/rhel8/profiles/pci-dss.profile
@@ -112,7 +112,13 @@ selections:
 - ensure_redhat_gpgkey_installed
 - ensure_gpgcheck_globally_activated
 - ensure_gpgcheck_never_disabled
- - smartcard_auth
+ - package_opensc_installed
+ - var_smartcard_drivers=cac
+ - configure_opensc_nss_db
+ - configure_opensc_card_drivers
+ - force_opensc_card_drivers
+ - service_pcscd_enabled
+ - sssd_enable_smartcards
 - set_password_hashing_algorithm_systemauth
 - set_password_hashing_algorithm_logindefs
 - set_password_hashing_algorithm_libuserconf
diff --git a/rhel8/templates/csv/packages_installed.csv b/rhel8/templates/csv/packages_installed.csv
index e5c22d4bf33e..248bac87b744 100644
--- a/rhel8/templates/csv/packages_installed.csv
+++ b/rhel8/templates/csv/packages_installed.csv
@@ -9,6 +9,7 @@ libreswan
 ntp
 opensc
 openssh-server
+pcsc-lite
 vsftpd
 postfix
 tmux
From 37e698aa14c0de467f90e2b0e2a22be3b7cba2cb Mon Sep 17 00:00:00 2001
From: Watson Sato
Date: Tue, 4 Dec 2018 11:16:12 +0100
Subject: [PATCH 5/6] Remove smartcard_auth from RHEL8 RHEL8 doesn't have pam_pkcs11 package
---
 .../smart_card_login/smartcard_auth/anaconda/shared.anaconda | 2 +-
 .../smart_card_login/smartcard_auth/bash/shared.sh | 2 +-
 .../smart_card_login/smartcard_auth/oval/shared.xml | 1 -
 .../screen_locking/smart_card_login/smartcard_auth/rule.yml | 2 +-
 4 files changed, 3 insertions(+), 4 deletions(-)
diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/smartcard_auth/anaconda/shared.anaconda b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/smartcard_auth/anaconda/shared.anaconda
index f0e8811290a6..9b7cd3a21d47 100644
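Review bot: `service_pcscd_enabled` is selected in the pci-dss.profile hunk without a rule that installs the package providing pcscd, although this same patch adds `pcsc-lite` to rhel8/templates/csv/packages_installed.csv. Going by the naming of `package_opensc_installed`, the rule generated from that CSV entry would presumably be `package_pcsc-lite_installed`; adding `- package_pcsc-lite_installed` before `- service_pcscd_enabled` keeps the replacement for `smartcard_auth` self-contained on a minimal install. Separately, `var_smartcard_drivers=cac` pins the card driver to CAC for every system scanned with this profile; if that is a deliberate default, a short comment on that line saying it is expected to be tailored would help.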
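Review bot: The context line `ntp` directly above the added `pcsc-lite` stays in rhel8/templates/csv/packages_installed.csv, while patch 1 of this series removes `ntp` from rhel8/templates/csv/packages_removed.csv as a package deprecated or removed in RHEL8. If ntp is indeed unavailable there, the install rule generated from this entry can neither pass nor be remediated on RHEL8, and the `ntp` line should be dropped from this file as well. The file continues outside the hunk, so the remaining entries were not checked.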
--- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/smartcard_auth/anaconda/shared.anaconda +++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/smartcard_auth/anaconda/shared.anaconda @@ -1,3 +1,3 @@ -# platform = multi_platform_rhel, multi_platform_ol +# platform = Red Hat Enterprise Linux 6,Red Hat Enterprise Linux 7,multi_platform_ol package --add=pam_pkcs11 --add=esc diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/smartcard_auth/bash/shared.sh b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/smartcard_auth/bash/shared.sh index 87fc9299c8bc..1a0f0a2b3bac 100644 --- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/smartcard_auth/bash/shared.sh +++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/smartcard_auth/bash/shared.sh @@ -1,4 +1,4 @@ -# platform = Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 8,multi_platform_ol +# platform = Red Hat Enterprise Linux 7,multi_platform_ol . /usr/share/scap-security-guide/remediation_functions # Install required packages diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/smartcard_auth/oval/shared.xml b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/smartcard_auth/oval/shared.xml index c311edc1313c..fd2c8dd39334 100644 --- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/smartcard_auth/oval/shared.xml +++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/smartcard_auth/oval/shared.xml @@ -5,7 +5,6 @@ Red Hat Enterprise Linux 6 Red Hat Enterprise Linux 7 - Red Hat Enterprise Linux 8 multi_platform_ol Enable Smart Card logins 
diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/smartcard_auth/rule.yml b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/smartcard_auth/rule.yml
index de29f7fc19ec..08538e2fb173 100644
--- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/smartcard_auth/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/smartcard_auth/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
-prodtype: rhel6,rhel7,rhel8,fedora,ol7
+prodtype: rhel6,rhel7,fedora,ol7
 title: 'Enable Smart Card Login'
From 737a42b2d001ff91e0a4425cafa299ebc508aa9e Mon Sep 17 00:00:00 2001
From: Watson Sato
Date: Tue, 4 Dec 2018 11:25:02 +0100
Subject: [PATCH 6/6] Remove install_smartcard_packages from RHEL8 RHEL8 doesn't have pam_pkcs11 package
---
 .../smart_card_login/install_smartcard_packages/bash/shared.sh | 2 +-
 .../smart_card_login/install_smartcard_packages/oval/shared.xml | 1 -
 .../smart_card_login/install_smartcard_packages/rule.yml | 2 +-
 3 files changed, 2 insertions(+), 3 deletions(-)
diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/install_smartcard_packages/bash/shared.sh b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/install_smartcard_packages/bash/shared.sh
index 7765d23615d8..c80eb64d91e3 100644
--- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/install_smartcard_packages/bash/shared.sh
+++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/install_smartcard_packages/bash/shared.sh
@@ -1,4 +1,4 @@
-# platform = multi_platform_rhel
+# platform = Red Hat Enterprise Linux 6,Red Hat Enterprise Linux 7
 . /usr/share/scap-security-guide/remediation_functions
 package_install esc
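Review bot: The new header of install_smartcard_packages/bash/shared.sh, `# platform = Red Hat Enterprise Linux 6,Red Hat Enterprise Linux 7`, lists RHEL 6, but the rule's own rule.yml ends up with `prodtype: rhel7` in this patch and the OVAL hunk shows only `Red Hat Enterprise Linux 7` as a remaining platform. When `multi_platform_rhel` is expanded by hand it should follow the rule's product list, i.e. `# platform = Red Hat Enterprise Linux 7`. The OVAL platform list may continue above the visible context, so confirm it there before changing the line; the script itself continues past the hunk.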
diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/install_smartcard_packages/oval/shared.xml b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/install_smartcard_packages/oval/shared.xml index 23c2341fa96e..45e99801290a 100644 --- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/install_smartcard_packages/oval/shared.xml +++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/install_smartcard_packages/oval/shared.xml @@ -4,7 +4,6 @@ Install needed packages for smartcard use. Red Hat Enterprise Linux 7 - Red Hat Enterprise Linux 8 The RPM packages esc pam_pkcs11 and authconfig-gtk must be installed. diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/install_smartcard_packages/rule.yml b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/install_smartcard_packages/rule.yml index 63c570e07674..262ec5ce577d 100644 --- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/install_smartcard_packages/rule.yml +++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/install_smartcard_packages/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true -prodtype: rhel7,rhel8 +prodtype: rhel7 title: 'Install Smart Card Packages For Multifactor Authentication'
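Review bot: With `prodtype: rhel7` here and `rhel8` removed from smartcard_auth in patch 5, any RHEL8 profile that still selects `install_smartcard_packages` or `smartcard_auth` loses its smart card coverage; only rhel8/profiles/pci-dss.profile is switched to the opensc/sssd rules in this series. The other files under rhel8/profiles are not visible here, so they should be searched for both rule names and given the same replacement selections. Otherwise the multifactor-login requirement either drops out of the RHEL8 benchmark unnoticed or breaks the build, depending on how the build treats selections that no longer apply to the product.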