Align ism_o profile with latest ISM SSP #6878
Conversation
Hi @shaneboulden. Thanks for your PR. I'm waiting for a ComplianceAsCode member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
Changes identified: Profile ism_o on rhel8: Recommended tests to execute:
/ok-to-test
Hello, thank you for the changes. Please see the review comments.
rhel8/profiles/ism_o.profile
Outdated
@@ -117,13 +91,13 @@ selections: | |||
- rsyslog_remote_tls | |||
- rsyslog_remote_tls_cacert | |||
- package_chrony_installed | |||
- service_chronyd_enabled |
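Review bot: the four lines visible in this hunk carry no +/- markers, so the rendered diff does not show whether package_chrony_installed and service_chronyd_enabled are being added or are unchanged context; the header `@@ -117,13 +91,13 @@` has 13 lines on both sides, so any selection added here is matched by a removal inside the same hunk, and the full hunk should be checked against the point that RHEL 8 ships only chrony, with no ntpd package to replace.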
I think that this change is not needed, as there is no ntpd package on rhel8, only chrony.
Ok, I'll update this
rhel8/profiles/ism_o.profile
Outdated
- enable_fips_mode | ||
- var_system_crypto_policy=fips | ||
- configure_crypto_policy | ||
- sshd_use_approved_ciphers |
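Review bot: sshd_use_approved_ciphers duplicates what the two selections just above it already enforce: `- var_system_crypto_policy=fips` followed by `- configure_crypto_policy` makes the system-wide crypto policy the single source of cipher configuration for sshd, and a separately managed sshd cipher list can drift from or conflict with it; suggest dropping the `- sshd_use_approved_ciphers` line and keeping only the crypto-policy pair.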
I think this is not needed because ciphers are configured by crypto-policies. You already use the rule configure_crypto_policy, so this should be covered. We do not even have a rhel8 remediation for this rule.
Thanks @vojtapolasek
The intent here was to align more closely with the ASD Approved Cryptographic Algorithms: https://www.cyber.gov.au/acsc/view-all-content/guidance/asd-approved-cryptographic-algorithms
You're right though - FIPS only permits these, so I think we're good here using the FIPS system-wide crypto policy.
I'll make these changes and rebase.
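As an added example (not ComplianceAsCode's own tooling), a small linter for the `selections:` block of a profile like the one under review, encoding the two review points in this thread as checks: ntp rules selected for rhel8, where only chrony exists, and sshd_use_approved_ciphers selected beside the FIPS crypto-policy pair. The sample profile, the rule-id prefix table and the redundancy table are assumptions constructed for the example.

```python
import re
# Constructed profile fragment shaped like the ism_o.profile hunks above (not the real file).
SAMPLE_PROFILE = """\
selections:
    - rsyslog_remote_tls
    - package_ntp_installed
    - package_chrony_installed
    - enable_fips_mode
    - var_system_crypto_policy=fips
    - configure_crypto_policy
    - sshd_use_approved_ciphers
    - sshd_use_approved_ciphers
"""
# One "- rule_id" or "- var_name=value" list item under "selections:".
SELECTION_RE = re.compile(r"^\s*-\s*([A-Za-z0-9_]+)(?:=(\S+))?\s*$")
# Assumed encoding of the two review comments: rule-id prefixes a product cannot
# satisfy, and a rule made redundant by another rule plus a variable value.
UNAVAILABLE_ON = {"rhel8": ("package_ntp_", "service_ntpd_")}
REDUNDANT_WITH = {"sshd_use_approved_ciphers": ("configure_crypto_policy", "var_system_crypto_policy", "fips")}

def parse_selections(text):
    """Return (rule ids in order, {variable: value}) from the selections: block."""
    rules, variables, in_block = [], {}, False
    for line in text.splitlines():
        if line.strip() == "selections:":
            in_block = True
            continue
        m = SELECTION_RE.match(line) if in_block else None
        if m is None:
            if in_block and line.strip():  # first non-list line ends the block
                break
            continue
        name, value = m.groups()
        if value is None:
            rules.append(name)
        else:
            variables[name] = value
    return rules, variables

def lint_profile(text, product):
    """Return findings as strings; an empty list means the selections passed."""
    rules, variables = parse_selections(text)
    findings = [f"duplicate selection: {r}" for r in sorted(set(rules)) if rules.count(r) > 1]
    findings += [f"{r} cannot apply on {product}" for r in rules
                 if r.startswith(UNAVAILABLE_ON.get(product, ()))]
    for rule, (other, var, val) in REDUNDANT_WITH.items():
        if rule in rules and other in rules and variables.get(var) == val:
            findings.append(f"{rule} is redundant with {other} and {var}={val}")
    return findings
```

Running `lint_profile(SAMPLE_PROFILE, "rhel8")` reports the duplicate sshd rule, the ntp rule on rhel8, and the sshd cipher rule as redundant with the FIPS crypto policy.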
/retest
@vojtapolasek I've updated this PR and all tests are now passing. Are you able to take another look?
Looks good, thank you for the contribution.
Description:
This PR aligns the ISM 'Official' profile closer with the latest Australian Cyber Security Centre (ACSC) SSP template. Significant changes include: