Add docs for create srg export #7976
Also created a macro for fix text on audit rules that watch files.
This datastream diff is auto generated by the check
OVAL definition file for rule 'xccdf_org.ssgproject.content_rule_security_patches_up_to_date' has changed from 'security-data-oval-com.redhat.rhsa-RHEL8.xml.bz2' to 'security-data-oval-com.redhat.rhsa-RHEL8.xml'.
OCIL for rule 'xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny' differs:
--- old datastream
+++ new datastream
@@ -1,5 +1,5 @@
To ensure the failed password attempt policy is configured correctly, run the following command:
$ grep pam_faillock /etc/pam.d/system-auth
The output should show deny=.
- Is it the case that that is not the case?
+ Is it the case that limiting the number of failed logon attempts for users is not configured?
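Review bot: The context line "The output should show deny=." names no value after deny=, so the reworded question on the + line asks whether the limit is "not configured" without telling the auditor what output counts as configured. State the expected threshold in the check text, or say explicitly which deny= values pass, so the question can be answered from the grep output alone.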
OCIL for rule 'xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny_root' differs:
--- old datastream
+++ new datastream
@@ -2,5 +2,5 @@
attempts, run the following command:
$ grep even_deny_root /etc/pam.d/system-auth
The output should show even_deny_root.
- Is it the case that that is not the case?
+ Is it the case that limiting the number of failed logon attempts for the root user is not configured?
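Review bot: The command on the context line, "$ grep even_deny_root /etc/pam.d/system-auth", is a plain substring match, so it also prints a line where the option is commented out, and the new question ending "for the root user is not configured?" would then be answered from output that looks compliant. Suggest the check text require that even_deny_root appear on an active, uncommented pam_faillock line.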
ocil: |-
    To ensure that even the <tt>root</tt> account is locked after a defined number of failed password
    attempts, run the following command:
    <pre>$ grep even_deny_root /etc/pam.d/system-auth</pre>
    The output should show <tt>even_deny_root</tt>.

fix: |-
Is the intention, then, to have fix be manual steps to remediate something? Can't we somehow derive this from the "Ansible" or "bash" remediations?
> Is the intention, then, to have fix be manual steps to remediate something?
Currently, yes
> Can't we somehow derive this from the "Ansible" or "bash" remediations?
Possibly. I believe that we will still need this key in some cases. But for cases where there are bash remediations we might be able to use those.
fair enough.
@Mab879: The following tests failed, say
Description:
Add docs for SRG export and in the process work for the RHEL8 STIG.
Rationale:
Improve documentation for the SRG export.