From e15f5299de3bce12f36dd59fd0b66c1f8a3717ea Mon Sep 17 00:00:00 2001
From: Federico Ramirez
Date: Fri, 5 Feb 2021 17:11:35 -0600
Subject: [PATCH] Update OL pci-dss profiles
Signed-off-by: Federico Ramirez
---
 .../install_hids/rule.yml | 2 +-
 .../install_mcafee_hbss_accm/rule.yml | 2 +-
 .../install_mcafee_hbss_pa/rule.yml | 2 +-
 ol7/profiles/pci-dss.profile | 27 ++++++-------------
 ol8/profiles/pci-dss.profile | 5 ++--
 5 files changed, 13 insertions(+), 25 deletions(-)
diff --git a/linux_os/guide/system/software/integrity/endpoint_security_software/install_hids/rule.yml b/linux_os/guide/system/software/integrity/endpoint_security_software/install_hids/rule.yml
index c12bbb35d06..50fc3d0f3cc 100644
--- a/linux_os/guide/system/software/integrity/endpoint_security_software/install_hids/rule.yml
+++ b/linux_os/guide/system/software/integrity/endpoint_security_software/install_hids/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
-prodtype: fedora,rhel7,rhel8,rhv4
+prodtype: fedora,ol7,ol8,rhel7,rhel8,rhv4
 title: 'Install Intrusion Detection Software'
diff --git a/linux_os/guide/system/software/integrity/endpoint_security_software/mcafee_security_software/mcafee_hbss_software/install_mcafee_hbss_accm/rule.yml b/linux_os/guide/system/software/integrity/endpoint_security_software/mcafee_security_software/mcafee_hbss_software/install_mcafee_hbss_accm/rule.yml
index 0707fe44f0b..c1a9ff533f3 100644
--- a/linux_os/guide/system/software/integrity/endpoint_security_software/mcafee_security_software/mcafee_hbss_software/install_mcafee_hbss_accm/rule.yml
+++ b/linux_os/guide/system/software/integrity/endpoint_security_software/mcafee_security_software/mcafee_hbss_software/install_mcafee_hbss_accm/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
-prodtype: rhel7,rhel8
+prodtype: ol7,ol8,rhel7,rhel8
 title: 'Install the Asset Configuration Compliance Module (ACCM)'
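Review bot: The `prodtype` change in install_mcafee_hbss_accm/rule.yml (and the identical one in install_mcafee_hbss_pa/rule.yml, the next file) is not explained, and neither Oracle Linux profile in this patch selects these McAfee HBSS rules; only `install_hids` is added to the selections. If they are being enabled because the `install_hids` check depends on them, record that, for example as `# ol7/ol8: needed by install_hids, selected in the OL pci-dss profiles` above the `prodtype` line or as a sentence in the commit message. If there is no such dependency, leaving both rules at `rhel7,rhel8` keeps vendor-specific checks out of the Oracle Linux content. The rest of each rule.yml lies outside the hunk, so the dependency cannot be confirmed from here.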
diff --git a/linux_os/guide/system/software/integrity/endpoint_security_software/mcafee_security_software/mcafee_hbss_software/install_mcafee_hbss_pa/rule.yml b/linux_os/guide/system/software/integrity/endpoint_security_software/mcafee_security_software/mcafee_hbss_software/install_mcafee_hbss_pa/rule.yml
index a237befa15b..0921a922907 100644
--- a/linux_os/guide/system/software/integrity/endpoint_security_software/mcafee_security_software/mcafee_hbss_software/install_mcafee_hbss_pa/rule.yml
+++ b/linux_os/guide/system/software/integrity/endpoint_security_software/mcafee_security_software/mcafee_hbss_software/install_mcafee_hbss_pa/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
-prodtype: rhel7,rhel8
+prodtype: ol7,ol8,rhel7,rhel8
 title: 'Install the Policy Auditor (PA) Module'
diff --git a/ol7/profiles/pci-dss.profile b/ol7/profiles/pci-dss.profile
index 275a60289c8..8103cf4ac05 100644
--- a/ol7/profiles/pci-dss.profile
+++ b/ol7/profiles/pci-dss.profile
@@ -1,8 +1,8 @@
 documentation_complete: true
-title: 'PCI-DSS v3 Control Baseline Draft for Oracle Linux 7'
+title: 'PCI-DSS v3.2.1 Control Baseline Draft for Oracle Linux 7'
-description: 'Ensures PCI-DSS v3 related security configuration settings are applied.'
+description: 'Ensures PCI-DSS v3.2.1 related security configuration settings are applied.'
 selections:
 - var_account_disable_post_pw_expiration=90
@@ -34,7 +34,9 @@ selections:
 - file_groupowner_etc_passwd
 - file_permissions_etc_passwd
 - file_owner_grub2_cfg
+ - file_owner_efi_grub2_cfg
 - file_groupowner_grub2_cfg
+ - file_groupowner_efi_grub2_cfg
 - package_libreswan_installed
 - set_password_hashing_algorithm_systemauth
 - set_password_hashing_algorithm_logindefs
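Review bot: The newly selected `file_owner_efi_grub2_cfg` and `file_groupowner_efi_grub2_cfg` have no rule.yml change in this patch, whereas `install_hids` needed `ol7,ol8` added to its `prodtype` before the profiles could select it. The same question applies to `audit_rules_login_events`, `audit_rules_unsuccessful_file_modification` and `audit_rules_kernel_module_loading` in the later ol7 hunk at -77, and to `audit_rules_login_events` in the ol8 profile. Please confirm each of these already lists the Oracle Linux products in `prodtype`; a rule that is selected but not built for the product would presumably leave the profile checking less than the file states. The `selections` list begins before and continues after this hunk.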
@@ -57,11 +59,6 @@ selections:
 - audit_rules_time_stime
 - audit_rules_time_clock_settime
 - audit_rules_time_watch_localtime
- - audit_rules_usergroup_modification_group
- - audit_rules_usergroup_modification_gshadow
- - audit_rules_usergroup_modification_opasswd
- - audit_rules_usergroup_modification_passwd
- - audit_rules_usergroup_modification_shadow
 - audit_rules_networkconfig_modification
 - audit_rules_mac_modification
 - audit_rules_dac_modification_chmod
@@ -77,24 +74,15 @@ selections:
 - audit_rules_dac_modification_lsetxattr
 - audit_rules_dac_modification_removexattr
 - audit_rules_dac_modification_setxattr
- - audit_rules_login_events_faillock
- - audit_rules_login_events_lastlog
- - audit_rules_login_events_tallylog
+ - audit_rules_login_events
 - audit_rules_session_events
- - audit_rules_unsuccessful_file_modification_creat
- - audit_rules_unsuccessful_file_modification_open
- - audit_rules_unsuccessful_file_modification_openat
- - audit_rules_unsuccessful_file_modification_open_by_handle_at
- - audit_rules_unsuccessful_file_modification_truncate
- - audit_rules_unsuccessful_file_modification_ftruncate
+ - audit_rules_unsuccessful_file_modification
 - audit_rules_privileged_commands
 - audit_rules_media_export
 - audit_rules_file_deletion_events
 - audit_rules_sysadmin_actions
 - audit_rules_immutable
- - audit_rules_kernel_module_loading_delete
- - audit_rules_kernel_module_loading_finit
- - audit_rules_kernel_module_loading_init
+ - audit_rules_kernel_module_loading
 - audit_rules_usergroup_modification
 - ensure_logrotate_activated
 - sshd_idle_timeout_value=15_minutes
@@ -124,3 +112,4 @@ selections:
 - dconf_gnome_screensaver_lock_enabled
 - dconf_gnome_screensaver_mode_blank
 - service_chronyd_or_ntpd_enabled
+ - install_hids
diff --git a/ol8/profiles/pci-dss.profile b/ol8/profiles/pci-dss.profile
index e442b376338..11938730b83 100644
--- a/ol8/profiles/pci-dss.profile
+++ b/ol8/profiles/pci-dss.profile
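Review bot: In the hunk at -77, swapping the per-file and per-syscall entries for `audit_rules_login_events`, `audit_rules_unsuccessful_file_modification` and `audit_rules_kernel_module_loading` keeps the audit coverage only if each aggregate rule checks everything its removed parts did (faillock, lastlog, tallylog; creat, open, openat, open_by_handle_at, truncate, ftruncate; delete, finit, init). The aggregate rules are not part of this patch, so that equivalence needs confirming against their checks. It would also help to state in the commit message that a scan now reports one result per group rather than one per watched file or syscall. A short comment in the profile such as `# aggregate rule: covers creat, open, openat, open_by_handle_at, truncate, ftruncate` would keep the intent visible to later editors. The five `audit_rules_usergroup_modification_*` entries removed in the hunk at -57 rely in the same way on the existing `audit_rules_usergroup_modification` selection.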
@@ -80,9 +80,7 @@ selections:
 - audit_rules_dac_modification_lsetxattr
 - audit_rules_dac_modification_removexattr
 - audit_rules_dac_modification_setxattr
- - audit_rules_login_events_faillock
- - audit_rules_login_events_lastlog
- - audit_rules_login_events_tallylog
+ - audit_rules_login_events
 - audit_rules_session_events
 - audit_rules_unsuccessful_file_modification_creat
 - audit_rules_unsuccessful_file_modification_ftruncate
@@ -141,3 +139,4 @@ selections:
 - configure_libreswan_crypto_policy
 - configure_ssh_crypto_policy
 - configure_kerberos_crypto_policy
+ - install_hids
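Review bot: Only the login-event rules are collapsed in the ol8 profile, so it now disagrees with ol7: the context lines just below still select `audit_rules_unsuccessful_file_modification_creat` and `audit_rules_unsuccessful_file_modification_ftruncate` individually, while the ol7 profile in this patch moves to the aggregate `audit_rules_unsuccessful_file_modification`. If both profiles are meant to express the same PCI-DSS baseline, use the same form in both, or add a comment in the ol8 file saying why it keeps the granular rules. The ol8 section has only these two hunks, so its title and description are untouched; whether they already say v3.2.1, as the ol7 ones now do, cannot be seen from here.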