Remove unnecessary packages from ospp #4632
These don't affect any security claims so we shouldn't check for them.

Signed-off-by: Jiri Jaburek <jjaburek@redhat.com>

Thanks!
@@ -191,18 +191,12 @@ selections: | |||
## Required Packages | |||
################################################################# | |||
|
|||
## RHEL 8 CCE-82995-2: Install cryptsetup-luks Package | |||
- package_cryptsetup-luks_installed |
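Review bot: The rationale for dropping `package_cryptsetup-luks_installed` (CCE-82995-2) from "Required Packages" is not recorded anywhere a later reader of the profile would find it; the commit message says only that the packages "don't affect any security claims". Please state in the commit message that the profile makes no disk-encryption claim, as given in the discussion, so the removal can be traced to a scope decision rather than read as an oversight. The hunk header also shows six lines removed (18 down to 12) while only this entry is visible, so the same per-package justification should cover whatever else is removed here.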
Isn't this one needed to ensure hard drives are encrypted at rest with LUKS?
Or rather, LUKS is the only FIPS 140-2 evaluated encryption at rest in RHEL. How do we ensure the system is configured with LUKS?
I was told that OSPPv4.2(.1) doesn't have, and we don't claim, any HDD encryption, hence the package doesn't need to be installed.
@@ -270,12 +258,6 @@ selections: | |||
## RHEL 8 CCE-82943-2: Uninstall gssproxy Package | |||
- package_gssproxy_removed | |||
|
|||
## RHEL 8 CCE-82939-0: Uninstall geolite2-city Package | |||
- package_geolite2-city_removed |
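Review bot: Removing `package_geolite2-city_removed` (CCE-82939-0) means the profile no longer asserts that the package is absent, and the commit message does not name this rule or say which requirement was checked before concluding it is out of scope. Please list each removed rule with its CCE identifier in the commit message and note that no SFR was found that depends on it. The hunk header shows six lines removed (12 down to 6) but only the geolite2-city entry is visible, so any other rule dropped in this hunk should be named as well.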
IIRC, the geocity packages need to be explicitly removed to ensure the system does not contain geolocation capabilities.
Is there another way to ensure this?
I'm not aware of such a requirement and I've been told their removal has no implication on OSPP claims. If you know of a specific SFR or other identifier, please do share.