Remove unnecessary packages from ospp #4632
Conversation
These don't affect any security claims so we shouldn't check for them. Signed-off-by: Jiri Jaburek <jjaburek@redhat.com>
|
Thanks! |
| @@ -191,18 +191,12 @@ selections: | |||
| ## Required Packages | |||
| ################################################################# | |||
|
|
|||
| ## RHEL 8 CCE-82995-2: Install cryptsetup-luks Package | |||
| - package_cryptsetup-luks_installed | |||
There was a problem hiding this comment.
Isn't this one needed to ensure hard drives are encrypted at rest with LUKS?
Or rather, LUKS is the only FIPS 140-2 evaluated encryption at rest in RHEL. How do we ensure the system is configured with LUKS?
There was a problem hiding this comment.
I was told that OSPPv4.2(.1) doesn't have, and we don't claim, any HDD encryption, hence the package doesn't need to be installed.
| @@ -270,12 +258,6 @@ selections: | |||
| ## RHEL 8 CCE-82943-2: Uninstall gssproxy Package | |||
| - package_gssproxy_removed | |||
|
|
|||
| ## RHEL 8 CCE-82939-0: Uninstall geolite2-city Package | |||
| - package_geolite2-city_removed | |||
There was a problem hiding this comment.
IIRC, the geocity packages need to be explicitly removed to ensure the system does not contain geolocation capabilities.
Is there another way to ensure this?
There was a problem hiding this comment.
I'm not aware of such requirement and I've been told their removal has no implication on OSPP claims. If you know of a specific SFR or other identifier, please do share.
These don't affect any security claims so we shouldn't check for them.