Update ANSSI R67 requirement #11642
734f67f to c0da518
🤖 A k8s content image for this PR is available at: If you already have Compliance Operator deployed: Otherwise deploy the content and operator together by checking out ComplianceAsCode/compliance-operator and:
Two rules are failing in testing-farm tests:
The issue seems legit, but needs more investigation.
Please take a look at the CI failures.
During investigation of a different requirement, I found out that this requirement needs a few more rules for the case of nss-pam-ldapd in RHEL 7. Marking as draft for now.
c0da518 to 0181947
Please update the components files.
b10d52a to b236970
@vojtapolasek this comment is still valid.
So audit_rules_privileged_commands is fixed by the second remediation. The failure is caused by the installation of sssd, which brings a bunch of privileged commands.
The rule service_sssd_enabled fails, I think, because the sssd service fails to start. This is because there are no sssd domains configured. I think this deserves a warning in the rule. I will add it. Do you agree?
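The failure mode described in this comment, an sssd service that cannot start because no domain is configured, and the TLS settings that the sssd_ldap_start_tls and sssd_ldap_configure_tls_reqcert rules look for, can be checked offline against an sssd.conf. The following is an added example written for this page; it is not ComplianceAsCode content or the project's OVAL check. The two sample configurations are constructed, and the keys it inspects (domains, id_provider, ldap_id_use_start_tls, ldap_tls_reqcert, ldap_uri) are the standard sssd.conf options.

```python
"""Added example (not ComplianceAsCode content): a small sssd.conf checker.

- service_sssd_enabled fails when sssd has no usable domain, because in the
  case discussed above the service refuses to start; we report that before
  anyone runs 'systemctl enable sssd'.
- sssd_ldap_start_tls / sssd_ldap_configure_tls_reqcert expect an LDAP-backed
  domain to use STARTTLS (or ldaps://) and to require a valid server cert.

The sample configurations at the bottom are constructed for this example.
"""
import configparser
from typing import Dict, List


def parse_sssd_conf(text: str) -> configparser.ConfigParser:
    # sssd.conf is INI-like; keep option names case-sensitive as sssd does.
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # type: ignore[assignment]
    cp.read_string(text)
    return cp


def configured_domains(cp: configparser.ConfigParser) -> List[str]:
    """Domains listed in [sssd] 'domains' that also have a [domain/NAME]
    section with an id_provider. With none of these, sssd has nothing to serve."""
    if not cp.has_section("sssd"):
        return []
    listed = [d.strip() for d in cp.get("sssd", "domains", fallback="").split(",") if d.strip()]
    usable = []
    for name in listed:
        section = f"domain/{name}"
        if cp.has_section(section) and cp.has_option(section, "id_provider"):
            usable.append(name)
    return usable


def check_ldap_tls(cp: configparser.ConfigParser) -> List[str]:
    """Findings for every LDAP-backed domain whose transport settings are weak."""
    findings = []
    for section in cp.sections():
        if not section.startswith("domain/"):
            continue
        if cp.get(section, "id_provider", fallback="") != "ldap":
            continue  # ipa/ad backends are configured differently; out of scope here
        start_tls = cp.get(section, "ldap_id_use_start_tls", fallback="false").lower()
        uri = cp.get(section, "ldap_uri", fallback="")
        if start_tls != "true" and not uri.startswith("ldaps://"):
            findings.append(f"{section}: ldap_id_use_start_tls is not true and ldap_uri is not ldaps://")
        # The rule wants the value set explicitly rather than relying on the built-in default.
        reqcert = cp.get(section, "ldap_tls_reqcert", fallback="").lower()
        if reqcert not in ("demand", "hard"):
            findings.append(f"{section}: ldap_tls_reqcert is '{reqcert or '<unset>'}', expected 'demand'")
    return findings


def evaluate(text: str) -> Dict[str, object]:
    cp = parse_sssd_conf(text)
    domains = configured_domains(cp)
    return {
        "service_would_start": bool(domains),
        "domains": domains,
        "tls_findings": check_ldap_tls(cp),
    }


# Constructed: a minimal file with services but no domain at all, the situation
# in which 'systemctl enable sssd' leaves a failed unit and the rule reports fail.
DEFAULT_CONF = """
[sssd]
services = nss, pam
"""

# Constructed: one LDAP domain using STARTTLS but with a weak certificate policy.
LDAP_CONF = """
[sssd]
services = nss, pam
domains = example.com

[domain/example.com]
id_provider = ldap
ldap_uri = ldap://ldap.example.com
ldap_id_use_start_tls = true
ldap_tls_reqcert = allow
"""

if __name__ == "__main__":
    for name, conf in (("no-domain", DEFAULT_CONF), ("ldap", LDAP_CONF)):
        print(name, evaluate(conf))
```

Run it as a script to see both verdicts; the no-domain file yields `service_would_start: False` with no TLS findings, and the LDAP file starts but is flagged for `ldap_tls_reqcert = allow`, which accepts an invalid or missing server certificate.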
This datastream diff is auto generated by the check. New content has different text for rule 'xccdf_org.ssgproject.content_rule_ldap_client_start_tls'.
--- xccdf_org.ssgproject.content_rule_ldap_client_start_tls
+++ xccdf_org.ssgproject.content_rule_ldap_client_start_tls
@@ -298,6 +298,9 @@
[reference]:
SRG-OS-000250-GPOS-00093
+[reference]:
+R67
+
[rationale]:
Without cryptographic integrity protections, information can be altered by
unauthorized users without detection. The ssl directive specifies whether
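Review bot: The R67 reference is added to this rule without a platform restriction, while the sibling ldap_client_tls_cacertpath rule further down this diff gains oval:ssg-package_nss-pam-ldapd:def:1 as its platform; if this rule also reads the nss-pam-ldapd client configuration, it should get the same gate, otherwise on hosts that use sssd and have no nslcd.conf it reports fail rather than notapplicable.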
New content has different text for rule 'xccdf_org.ssgproject.content_rule_ldap_client_tls_cacertpath'.
--- xccdf_org.ssgproject.content_rule_ldap_client_tls_cacertpath
+++ xccdf_org.ssgproject.content_rule_ldap_client_tls_cacertpath
@@ -215,6 +215,9 @@
[reference]:
PR.PT-3
+[reference]:
+R67
+
[rationale]:
The tls_cacertdir or tls_cacertfile directives are required when
tls_checkpeer is configured (which is the default for openldap versions 2.1 and
Platform has been changed for rule 'xccdf_org.ssgproject.content_rule_ldap_client_tls_cacertpath'
--- xccdf_org.ssgproject.content_rule_ldap_client_tls_cacertpath
+++ xccdf_org.ssgproject.content_rule_ldap_client_tls_cacertpath
@@ -1 +1 @@
-
+oval:ssg-package_nss-pam-ldapd:def:1
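Review bot: Restricting the platform to oval:ssg-package_nss-pam-ldapd:def:1 makes this rule notapplicable wherever nss-pam-ldapd is absent, including hosts whose LDAP client is sssd; that only covers R67 because sssd_ldap_start_tls and sssd_ldap_configure_tls_reqcert in this same diff carry the same tag, so it is worth stating in the rule or profile that the two pairs are alternatives for one requirement rather than independent checks.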
New content has different text for rule 'xccdf_org.ssgproject.content_rule_package_sssd_installed'.
--- xccdf_org.ssgproject.content_rule_package_sssd_installed
+++ xccdf_org.ssgproject.content_rule_package_sssd_installed
@@ -155,5 +155,8 @@
[reference]:
PR.AC-7
+[reference]:
+R67
+
[ident]:
CCE-82444-1
New content has different text for rule 'xccdf_org.ssgproject.content_rule_service_sssd_enabled'.
--- xccdf_org.ssgproject.content_rule_service_sssd_enabled
+++ xccdf_org.ssgproject.content_rule_service_sssd_enabled
@@ -7,6 +7,9 @@
The sssd service can be enabled with the following command:
$ sudo systemctl enable sssd.service
+
+[warning]:
+The service requires a valid sssd configuration. If the configuration is not present, the service will fail to start and consequently this rule will will be reported as failing. The configuration shipped in your distribution package might not be sufficient. Manual modification of configuration files might be required.
[reference]:
1
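Review bot: The added warning has a doubled word, "this rule will will be reported as failing"; drop one "will". It would also be more actionable if it named the missing piece instead of "a valid sssd configuration", since the discussion above attributes the failed start to no sssd domain being configured.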
@@ -158,5 +161,8 @@
[reference]:
PR.AC-7
+[reference]:
+R67
+
[ident]:
CCE-82440-9
New content has different text for rule 'xccdf_org.ssgproject.content_rule_sssd_enable_pam_services'.
--- xccdf_org.ssgproject.content_rule_sssd_enable_pam_services
+++ xccdf_org.ssgproject.content_rule_sssd_enable_pam_services
@@ -178,6 +178,9 @@
[reference]:
SRG-OS-000377-GPOS-00162
+[reference]:
+R67
+
[rationale]:
Using an authentication device, such as a CAC or token that is separate from
the information system, ensures that even if the information system is
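Review bot: The rationale in this hunk argues from a separate authentication device (CAC or token), which is the SRG-OS-000377-GPOS-00162 justification; with R67 attached, a reader of the ANSSI profile sees only that smart-card argument, so a sentence on why this rule belongs with the LDAP-client rules that share the R67 tag in this diff would make the mapping self-explanatory.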
New content has different text for rule 'xccdf_org.ssgproject.content_rule_sssd_ldap_configure_tls_reqcert'.
--- xccdf_org.ssgproject.content_rule_sssd_ldap_configure_tls_reqcert
+++ xccdf_org.ssgproject.content_rule_sssd_ldap_configure_tls_reqcert
@@ -20,6 +20,9 @@
[reference]:
SRG-OS-000250-GPOS-00093
+[reference]:
+R67
+
[rationale]:
Without a valid certificate presented to the LDAP client backend, the identity of a
server can be forged compromising LDAP remote access sessions.
New content has different text for rule 'xccdf_org.ssgproject.content_rule_sssd_ldap_start_tls'.
--- xccdf_org.ssgproject.content_rule_sssd_ldap_start_tls
+++ xccdf_org.ssgproject.content_rule_sssd_ldap_start_tls
@@ -290,6 +290,9 @@
[reference]:
SRG-OS-000250-GPOS-00093
+[reference]:
+R67
+
[rationale]:
Without cryptographic integrity protections, information can be
altered by unauthorized users without detection. The ssl directive specifies |
The failures still look valid:
@Mab879 I think this comment explains it. Any additional questions?
457a966 to 4f1ae38
Those make sense. I would feel a bit more comfortable if there was a PR with these waivers before we merge. I don't want to fail everyone's CI for days.
Originally the platform was applicable only in case sssd was configured to use Active Directory. There are two cases in which sssd can use LDAP: when ldap is specified explicitly, or when using IPA. However, it is not recommended to add manual settings to the sssd configuration when IPA is used.
The rule does not make sense if the nss-pam-ldapd package is not installed.
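The point made in this comment, that a rule reading nss-pam-ldapd's configuration should be notapplicable rather than fail when the package is absent, is easy to illustrate. The following is an added example written for this page, not part of the ComplianceAsCode project or its OVAL checks: two tiny evaluators modelled on ldap_client_start_tls and ldap_client_tls_cacertpath that return the three XCCDF-style outcomes. Passing `None` stands in for "nss-pam-ldapd not installed, so there is no nslcd.conf"; the sample files are constructed and use the standard nslcd.conf keywords (ssl, tls_reqcert, tls_cacertdir, tls_cacertfile).

```python
"""Added example (not ComplianceAsCode content): how a platform gate changes a
rule's outcome. The ldap_client_* rules read nslcd.conf, which exists only when
nss-pam-ldapd is installed; without the gate, a host running sssd instead
would simply 'fail' them. Sample configurations are constructed.
"""
from typing import Dict, Optional


def parse_nslcd_conf(text: str) -> Dict[str, str]:
    """nslcd.conf is 'keyword value' per line; '#' starts a comment and the
    last occurrence of a keyword wins."""
    opts: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        opts[parts[0].lower()] = parts[1].strip() if len(parts) == 2 else ""
    return opts


def ldap_client_start_tls(conf: Optional[str]) -> str:
    """Mirror of the start_tls rule: 'ssl start_tls' must be set.
    None models 'nss-pam-ldapd not installed' (no config file at all)."""
    if conf is None:
        return "notapplicable"
    return "pass" if parse_nslcd_conf(conf).get("ssl") == "start_tls" else "fail"


def ldap_client_tls_cacertpath(conf: Optional[str]) -> str:
    """Mirror of the cacertpath rule: tls_cacertdir or tls_cacertfile must be
    set, because checking the peer certificate needs a trust anchor."""
    if conf is None:
        return "notapplicable"
    opts = parse_nslcd_conf(conf)
    return "pass" if opts.get("tls_cacertdir") or opts.get("tls_cacertfile") else "fail"


# Constructed: a client that upgrades to TLS and pins a CA directory.
HARDENED = """
uri ldap://ldap.example.com/
base dc=example,dc=com
ssl start_tls
tls_reqcert demand
tls_cacertdir /etc/openldap/cacerts
"""

# Constructed: cleartext binds, no trust anchor.
WEAK = """
uri ldap://ldap.example.com/
base dc=example,dc=com
ssl off   # credentials and directory data cross the wire in the clear
"""

if __name__ == "__main__":
    for label, conf in (("hardened", HARDENED), ("weak", WEAK), ("no nss-pam-ldapd", None)):
        print(f"{label:17} start_tls={ldap_client_start_tls(conf):14} "
              f"cacertpath={ldap_client_tls_cacertpath(conf)}")
```

The `None` branch is the whole point of the platform change: a host without nss-pam-ldapd is not misconfigured, it simply has nothing for these two rules to evaluate, so it must not count against the ANSSI profile.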
4f1ae38 to 812469a
Code Climate has analyzed commit 812469a and detected 0 issues on this pull request. The test coverage on the diff in this pull request is 100.0% (50% is the threshold). This pull request will bring the total coverage in the repository to 59.3% (0.0% change).
@Mab879 I rebased and now the test is passing because a double remediation is used and this fixes the failing rule.
Waiving the SLES 15 Automatus as these rules are not in SLES 15.