Enable generic rules for RHEL9 #7147
Conversation
Skipping CI for Draft Pull Request.
@Jakuje Could you please check out whether the smart card rules modification makes sense?
|
||
title: 'Force opensc To Use Defined Smart Card Driver' | ||
|
||
description: |- | ||
The OpenSC smart card tool can auto-detect smart card drivers; however by | ||
The OpenSC smart card middleware can auto-detect smart card drivers; however by | ||
forcing the smart card driver in use by your organization, opensc will no longer | ||
autodetect or use other drivers unless specified. This helps to prevent | ||
users from using unauthorized smart cards. The default smart card driver for this |
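Review bot: the sentence "This helps to prevent users from using unauthorized smart cards" overstates what card_drivers does; restricting the driver list only stops OpenSC from handling card types that need another driver, and any card the configured driver supports is still accepted regardless of who issued it. Suggest wording it as "prevents OpenSC from handling card types other than those supported by the configured driver". The new title also spells the project "opensc" while the description line below uses "OpenSC"; pick one spelling.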
On the following line you also have the /etc/opensc-<i>ARCH</i>.conf, which is already fixed in the previous rule. Please change it here as well. I just checked, and on normal x86_64 it should work since RHEL7.
<i>ARCH</i> is the architecture of your operating system) file. Look for a | ||
line similar to: | ||
To configure the OpenSC driver, edit the <tt>/etc/opensc.conf</tt>. | ||
Look for a line similar to: | ||
<pre># card_drivers = old, internal;</pre> |
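Review bot: "edit the <tt>/etc/opensc.conf</tt>." is missing its noun (the <tt>/etc/opensc.conf</tt> file), and "Look for a line similar to: # card_drivers = old, internal;" presupposes that the commented example line is present in the file. The instruction should tell the reader what to add, that is an uncommented card_drivers = ...; line inside the app default { } block, so it works whether or not the example comment exists; the grep and <pre> lines can then stay as they are.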
Actually, since RHEL 7.7 we ship a minimal opensc.conf which does not have these example lines. Even though your remediation scripts still work, the instructions here no longer work. It should probably say "add the following line into the file in the "app default" block", so it will look like:

app default {
    [...]
    card_drivers = {{{ xccdf_value("var_smartcard_drivers") }}};
}

This is the case also for the other occurrences modifying this file.
The other option might be to use the same steps as in the scripts, using opensc-tool --set-conf-entry.
Thanks!
the architecture of your operating system: | ||
<pre>$ grep card_drivers /etc/opensc-<i>ARCH</i></pre> | ||
as the smart card driver, run the following command: | ||
<pre>$ grep card_drivers /etc/opensc.conf</pre> | ||
The output should return something similar to: | ||
<pre>card_drivers = {{{ xccdf_value("var_smartcard_drivers") }}};</pre> |
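Review bot: "grep card_drivers /etc/opensc.conf" also matches the commented example line "# card_drivers = old, internal;" that older opensc.conf files carry, so a reader can see output and conclude the setting is active when it is not. Anchor the pattern to an uncommented assignment, for example grep -E '^\s*card_drivers' /etc/opensc.conf, or state that lines beginning with # do not count. "The output should return something similar to:" should also say that the value must be exactly the configured driver, not merely similar.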
The verification steps might also use opensc-tool --get-conf-entry to make it less complicated. But that is not mandatory.
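The layout Jakuje describes (card_drivers inside the app default { } block) and the grep-based verification in the rule description are both easy to get wrong when a file carries only the commented "# card_drivers = old, internal;" example, or no such line at all. The bash script below is an added example, not ComplianceAsCode's remediation or its check: it edits a given opensc.conf in place and reads back the active value while ignoring commented lines. The file paths, the sample configurations and the driver name cac are assumptions for the demo; the opensc-tool --set-conf-entry / --get-conf-entry route mentioned in the thread is deliberately not used so the script runs without OpenSC installed.

```bash
#!/bin/bash
# Added example, not ComplianceAsCode's remediation: enforce the OpenSC
# card_drivers setting directly in a configuration file and read back the
# effective value. Handles both the older opensc.conf that only carries the
# commented example "# card_drivers = old, internal;" and the minimal file
# shipped since RHEL 7.7 that has no card_drivers line at all.
# Paths, sample configs and the driver name "cac" are assumptions for the demo.
set -eu

# Print the effective card_drivers value (first uncommented assignment),
# or nothing when only a commented example line exists.
get_card_drivers() {
    local conf="$1"
    sed -n 's/^[[:space:]]*card_drivers[[:space:]]*=[[:space:]]*\([^;]*\);.*/\1/p' "$conf" | head -n 1
}

# Ensure "card_drivers = <driver>;" is active inside the "app default" block.
ensure_card_drivers() {
    local conf="$1" driver="$2"
    if grep -qE '^[[:space:]]*card_drivers[[:space:]]*=' "$conf"; then
        # An active assignment exists: rewrite its value, keep the indentation.
        awk -v driver="$driver" '
            /^[[:space:]]*card_drivers[[:space:]]*=/ { sub(/=.*/, "= " driver ";") }
            { print }
        ' "$conf" > "$conf.tmp"
    elif grep -qE '^[[:space:]]*app[[:space:]]+default[[:space:]]*[{]' "$conf"; then
        # Block exists but has no active setting (minimal file, or only the
        # commented example): insert right after the block's opening line.
        awk -v line="    card_drivers = ${driver};" '
            { print }
            /^[[:space:]]*app[[:space:]]+default[[:space:]]*[{]/ && !done { print line; done = 1 }
        ' "$conf" > "$conf.tmp"
    else
        # No "app default" block at all: append a complete one.
        { cat "$conf"; printf '\napp default {\n    card_drivers = %s;\n}\n' "$driver"; } > "$conf.tmp"
    fi
    mv "$conf.tmp" "$conf"
}

# Demo on constructed files (not real system configs).
demo() {
    local dir
    dir="$(mktemp -d)"
    # Legacy layout: only the commented example line from older opensc.conf.
    printf 'app default {\n    # debug = 3;\n    # card_drivers = old, internal;\n}\n' > "$dir/legacy.conf"
    # Minimal layout (RHEL 7.7+ style): no card_drivers line at all.
    printf 'app default {\n    # debug = 3;\n}\n' > "$dir/minimal.conf"
    local f
    for f in legacy minimal; do
        printf '%s before: [%s]\n' "$f" "$(get_card_drivers "$dir/$f.conf")"
        ensure_card_drivers "$dir/$f.conf" cac
        printf '%s after:  [%s]\n' "$f" "$(get_card_drivers "$dir/$f.conf")"
    done
    rm -rf "$dir"
}

demo
```

On a real host the two functions would be run as root against /etc/opensc.conf (or the per-architecture file on releases that still use one), and get_card_drivers is the check a scanner wants: it reports nothing for the legacy file until the line is actually added, which a plain grep for card_drivers would not.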
LGTM, just one question, see comment.
linux_os/guide/system/software/integrity/fips/etc_system_fips_exists/rule.yml
/retest
Those rules interact with components on a low-level basis, so they are likely to work on RHEL9.
SMEs have confirmed that there are no major changes compared to RHEL8, and have suggested minor description adjustments not specific to RHEL9.
Those rules are not needed on RHEL9
The locking commands are still supported: https://www.mankier.com/1/tmux#Options
All configurations are valid even in the latest upstream: https://chrony.tuxfamily.org/doc/4.1/chrony.conf.html
snmp, grub2, gdm and high-level FIPS mode interface are mature and can be considered stable by default.
I ran the ssg test suite on rules which have Fedora in their prodtype. I used Fedora 34. There are 2 rules which are problematic, see comments.
I suggest rather leaving them out for now.
...ccounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_logindefs/rule.yml
linux_os/guide/system/accounts/accounts-physical/disable_ctrlaltdel_reboot/rule.yml
Merging; the errors found have to be solved outside this PR.
Enable generic rules for RHEL9 (cherry picked from commit 47a6d0a)
Those rules interact with components on a low-level basis, so they are likely to work on RHEL9.
See individual commits for more details.
Fixes: #7147