Merge pull request #12347 from marcusburghardt/pcidss_rhel10

Review PCI-DSS requirements and rules for RHEL 10
ComplianceAsCode · Aug 28, 2024 · 6e02c99 · 6e02c99
2 parents 77e614a + 136edc4
commit 6e02c99
Show file tree

Hide file tree

Showing 4 changed files with 33 additions and 27 deletions.
diff --git a/controls/pcidss_4.yml b/controls/pcidss_4.yml
@@ -2047,6 +2047,7 @@ controls:
       status: automated
       rules:
         - enable_authselect
+        - var_authselect_profile=sssd
         - accounts_passwords_pam_faillock_deny
         - var_accounts_passwords_pam_faillock_deny=10
         - accounts_passwords_pam_faillock_unlock_time

diff --git a/products/rhel10/profiles/pci-dss.profile b/products/rhel10/profiles/pci-dss.profile
@@ -24,49 +24,52 @@ description: |-
 
 selections:
     - pcidss_4:all
-    # audit-audispd-plugins package does not exist in RHEL 10 (based on RHEL 9)
-    # use only package_audispd-plugins_installed
-    - '!package_audit-audispd-plugins_installed'
+    - var_password_hashing_algorithm=yescrypt
+    - var_password_hashing_algorithm_pam=yescrypt
+
     # More tests are needed to identify which rule is conflicting with rpm_verify_permissions.
     # https://github.com/ComplianceAsCode/content/issues/11285
     - '!rpm_verify_permissions'
+
     # these rules do not apply to RHEL 10
     - '!package_audit-audispd-plugins_installed'
-    - '!service_ntp_enabled'
-    - '!ntpd_specify_remote_server'
-    - '!ntpd_specify_multiple_servers'
-    - '!set_ipv6_loopback_traffic'
-    - '!set_loopback_traffic'
-    - '!service_ntpd_enabled'
     - '!package_ypserv_removed'
     - '!package_ypbind_removed'
     - '!package_talk_removed'
     - '!package_talk-server_removed'
     - '!package_xinetd_removed'
     - '!package_rsh_removed'
     - '!package_rsh-server_removed'
-    # Following are incompatible with the rhel10 product (based on RHEL9)
-    - '!service_chronyd_or_ntpd_enabled'
+
+    - '!service_ntp_enabled'
+    - '!service_ntpd_enabled'
+    - '!service_timesyncd_enabled'
+    - '!ntpd_specify_remote_server'
+    - '!ntpd_specify_multiple_servers'
+
+    - '!accounts_passwords_pam_tally2'
+    - '!accounts_passwords_pam_tally2_unlock_time'
+    - '!cracklib_accounts_password_pam_dcredit'
+    - '!cracklib_accounts_password_pam_lcredit'
+    - '!cracklib_accounts_password_pam_minlen'
+    - '!cracklib_accounts_password_pam_retry'
+    - '!ensure_firewall_rules_for_open_ports'
+    - '!ensure_shadow_group_empty'
+    - '!ensure_suse_gpgkey_installed'
     - '!install_PAE_kernel_on_x86-32'
     - '!mask_nonessential_services'
-    - '!aide_periodic_checking_systemd_timer'
     - '!nftables_ensure_default_deny_policy'
-    - '!cracklib_accounts_password_pam_lcredit'
-    - '!file_owner_at_allow'
-    - '!ensure_firewall_rules_for_open_ports'
-    - '!cracklib_accounts_password_pam_retry'
-    - '!gnome_gdm_disable_guest_login'
+    - '!set_ipv6_loopback_traffic'
+    - '!set_ip6tables_default_rule'
+    - '!set_loopback_traffic'
+    - '!set_password_hashing_algorithm_commonauth'
+
+    # Following are incompatible with the rhel10 product (based on RHEL9)
+    - '!service_chronyd_or_ntpd_enabled'
+    - '!aide_periodic_checking_systemd_timer'
+    - '!gnome_gdm_disable_unattended_automatic_login'
+    - '!permissions_local_var_log'
     - '!sshd_use_strong_kex'
     - '!sshd_use_approved_macs'
-    - '!permissions_local_var_log'
     - '!sshd_use_approved_ciphers'
-    - '!accounts_passwords_pam_tally2'
-    - '!ensure_suse_gpgkey_installed'
-    - '!gnome_gdm_disable_unattended_automatic_login'
-    - '!accounts_passwords_pam_tally2_unlock_time'
-    - '!cracklib_accounts_password_pam_minlen'
-    - '!set_password_hashing_algorithm_commonauth'
-    - '!cracklib_accounts_password_pam_dcredit'
-    - '!ensure_shadow_group_empty'
-    - '!service_timesyncd_enabled'
     - '!security_patches_up_to_date'
diff --git a/tests/data/profile_stability/rhel8/pci-dss.profile b/tests/data/profile_stability/rhel8/pci-dss.profile
@@ -289,6 +289,7 @@ selections:
 - var_password_pam_dcredit=1
 - var_password_pam_lcredit=1
 - var_password_pam_minlen=12
+- var_authselect_profile=sssd
 - var_accounts_passwords_pam_faillock_deny=10
 - var_accounts_passwords_pam_faillock_unlock_time=1800
 - var_password_pam_tally2=10

diff --git a/tests/data/profile_stability/rhel9/pci-dss.profile b/tests/data/profile_stability/rhel9/pci-dss.profile
@@ -281,6 +281,7 @@ selections:
 - var_password_pam_dcredit=1
 - var_password_pam_lcredit=1
 - var_password_pam_minlen=12
+- var_authselect_profile=sssd
 - var_accounts_passwords_pam_faillock_deny=10
 - var_accounts_passwords_pam_faillock_unlock_time=1800
 - var_password_pam_tally2=10