Enable generic rules for RHEL9 #7147
Conversation
openshift-ci
bot
added
the
do-not-merge/work-in-progress
|
Skipping CI for Draft Pull Request. |
matejak
changed the title
matejak
changed the title
|
@Jakuje Could you please check out whether the smart card rules modification makes sense? |
|
|
||
| title: 'Force opensc To Use Defined Smart Card Driver' | ||
|
|
||
| description: |- | ||
| The OpenSC smart card tool can auto-detect smart card drivers; however by | ||
| The OpenSC smart card middleware can auto-detect smart card drivers; however by | ||
| forcing the smart card driver in use by your organization, opensc will no longer | ||
| autodetect or use other drivers unless specified. This helps to prevent | ||
| users from using unauthorized smart cards. The default smart card driver for this |
There was a problem hiding this comment.
on the following line, you have also the /etc/opensc-<i>ARCH</i>.conf, which is already fixed in the previous rule. Please, change it also here. I just checked and on normal x86_64 it should work on since RHEL7.
openshift-ci
bot
removed
the
do-not-merge/work-in-progress
| <i>ARCH</i> is the architecture of your operating system) file. Look for a | ||
| line similar to: | ||
| To configure the OpenSC driver, edit the <tt>/etc/opensc.conf</tt>. | ||
| Look for a line similar to: | ||
| <pre># card_drivers = old, internal;</pre> |
There was a problem hiding this comment.
Actually, since RHEL 7.7 we ship minimal opensc.conf which does not have these example lines. Even though your remediation scripts still work, the instructions here no longer work. It should probably say "add the following line into the file in the "app default" block so it will look like
app default {
[...]
card_drivers = {{{ xccdf_value("var_smartcard_drivers") }}};
}
This is the case also for the other occurrences modifying this file.
The other option might be to use the same steps as in the scripts using opensc-tool --set-conf-entry.
| the architecture of your operating system: | ||
| <pre>$ grep card_drivers /etc/opensc-<i>ARCH</i></pre> | ||
| as the smart card driver, run the following command: | ||
| <pre>$ grep card_drivers /etc/opensc.conf</pre> | ||
| The output should return something similar to: | ||
| <pre>card_drivers = {{{ xccdf_value("var_smartcard_drivers") }}};</pre> |
There was a problem hiding this comment.
The verification steps might also use the opensc-tool --get-conf-entry to make it less complicated. But that is not mandatory
linux_os/guide/system/software/integrity/fips/etc_system_fips_exists/rule.yml
Show resolved
Hide resolved
|
/retest |
Those rules interact with components on a low-level basis, so they are likely to work on RHEL9.
SMEs have confirmed that there are no major changes compared to RHEL8, and have suggested minor description adjustments not specific to RHEL9.
Those rules are not needed on RHEL9
The locking commands are still supported: https://www.mankier.com/1/tmux#Options
All configurations are valid even in the latest upstream: https://chrony.tuxfamily.org/doc/4.1/chrony.conf.html
snmp, grub2, gdm and high-level FIPS mode interface are mature and can be considered stable by default.
...ccounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_logindefs/rule.yml
Show resolved
Hide resolved
linux_os/guide/system/accounts/accounts-physical/disable_ctrlaltdel_reboot/rule.yml
Show resolved
Hide resolved
vojtapolasek
added
backported-into-stabilization
Enable generic rules for RHEL9 (cherry picked from commit 47a6d0a)
Those rules interact with components on a low-level basis, so they are likely to work on RHEL9.
See individual commits for more details.
Fixes: #7147