
Align ism_o profile with latest ISM SSP #6878

Merged: 1 commit merged into ComplianceAsCode:master on Apr 30, 2021

Conversation

shaneboulden
Contributor

Description:

This PR aligns the ISM 'Official' profile closer with the latest Australian Cyber Security Centre (ACSC) SSP template. Significant changes include:

  • Updated the profile description to include the risk-based ISM approach to security
  • Aligned the profile closer with crypto requirements
  • Added variables required for PAM password quality and sshd max auth attempts
  • Updated profile refs

@openshift-ci-robot
Collaborator

Hi @shaneboulden. Thanks for your PR.

I'm waiting for a ComplianceAsCode member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@openshift-ci-robot openshift-ci-robot added the needs-ok-to-test Used by openshift-ci bot. label Apr 22, 2021
@openscap-ci
Collaborator

openscap-ci commented Apr 22, 2021

Changes identified:
Profiles:
 ism_o on rhel8

Profile ism_o on rhel8:
 Variable var_smartcard_drivers=cac removed from ism_o profile.
 Rule set_password_hashing_algorithm_systemauth, service_pcscd_enabled, package_pcsc-lite_installed, network_ipv6_static_address, sebool_authlogin_nsswitch_use_ldap, accounts_password_pam_ucredit, package_opensc_installed, package_subscription-manager_installed, dnf-automatic_apply_updates, set_password_hashing_algorithm_libuserconf, sebool_authlogin_radius, accounts_password_minlen_login_defs, accounts_password_pam_dcredit, configure_kerberos_crypto_policy, sssd_enable_smartcards, enable_dracut_fips_module, accounts_password_pam_minclass, enable_ldap_client, kerberos_disable_no_keytab, accounts_password_pam_maxrepeat, accounts_password_pam_ocredit, package_dnf-plugin-subscription-manager_installed, force_opensc_card_drivers, sebool_kerberos_enabled, set_password_hashing_algorithm_logindefs, configure_opensc_card_drivers, accounts_password_pam_lcredit, sshd_disable_gssapi_auth removed from ism_o profile.
 Variable var_accounts_maximum_age_login_defs=60, var_accounts_password_warn_age_login_defs=7, var_accounts_minimum_age_login_defs=1, sshd_max_auth_tries_value=5 added to ism_o profile.
 Rule file_permissions_sshd_private_key, sshd_disable_x11_forwarding, sshd_enable_warning_banner added to ism_o profile.

Recommended tests to execute:
 build_product rhel8
 tests/test_suite.py profile --libvirt qemu:///system test-suite-vm --datastream build/ssg-rhel8-ds.xml ism_o
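The variables and rules openscap-ci lists above translate into concrete settings on a RHEL 8 host. The following is an added example (not ComplianceAsCode project code) that audits sshd_config, login.defs and the system-wide crypto policy against the values ism_o selects in this PR; the function names and the deliberately non-compliant sample files are this example's own constructions, so it runs offline.

```python
"""Added example (not ComplianceAsCode project code): audit a RHEL 8 host's
sshd_config, login.defs and system-wide crypto policy against the values the
ism_o profile selects in this PR, using constructed sample files so it runs
offline.  Function names and sample contents are this example's own."""
import re

# Constructed sample files; deliberately non-compliant so every check fires.
SAMPLE_SSHD_CONFIG = """\
# /etc/ssh/sshd_config (constructed sample)
Port 22
maxauthtries 6
X11Forwarding yes
#Banner none
"""

SAMPLE_LOGIN_DEFS = """\
# /etc/login.defs (constructed sample)
PASS_MAX_DAYS   99999
PASS_MIN_DAYS   0
PASS_WARN_AGE   7
"""

# /etc/crypto-policies/config holds the active policy name on one line.
SAMPLE_CRYPTO_POLICY = "DEFAULT\n"


def parse_kv(text, fold_case=False):
    """Map 'key value' / 'key=value' lines to a dict, skipping comments.
    sshd keywords are case-insensitive and sshd honours the first occurrence
    of a keyword, so the first value seen wins."""
    out = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) != 2:
            continue
        key, value = parts
        out.setdefault(key.lower() if fold_case else key, value)
    return out


def check_sshd(cfg):
    """Findings for sshd_max_auth_tries_value=5, sshd_disable_x11_forwarding
    and sshd_enable_warning_banner.  When a keyword is absent the OpenSSH
    defaults apply (MaxAuthTries 6, X11Forwarding no, Banner none)."""
    findings = []
    tries = int(cfg.get("maxauthtries", "6"))
    if tries > 5:
        findings.append(f"MaxAuthTries {tries} exceeds sshd_max_auth_tries_value=5")
    if cfg.get("x11forwarding", "no").lower() != "no":
        findings.append("X11Forwarding enabled (sshd_disable_x11_forwarding)")
    if cfg.get("banner", "none") == "none":
        findings.append("Banner not set (sshd_enable_warning_banner)")
    # With the FIPS crypto policy the cipher list comes from crypto-policies;
    # an explicit Ciphers/MACs line is a divergence worth reviewing, not a pass.
    if "ciphers" in cfg or "macs" in cfg:
        findings.append("explicit Ciphers/MACs in sshd_config; compare with crypto policy")
    return findings


def check_login_defs(defs):
    """Findings for the three login.defs variables added to ism_o; fallbacks
    are the shadow-utils defaults used when a key is absent."""
    findings = []
    max_days = int(defs.get("PASS_MAX_DAYS", "99999"))
    min_days = int(defs.get("PASS_MIN_DAYS", "0"))
    warn_age = int(defs.get("PASS_WARN_AGE", "7"))
    if max_days > 60:
        findings.append(f"PASS_MAX_DAYS {max_days} exceeds var_accounts_maximum_age_login_defs=60")
    if min_days < 1:
        findings.append(f"PASS_MIN_DAYS {min_days} below var_accounts_minimum_age_login_defs=1")
    if warn_age < 7:
        findings.append(f"PASS_WARN_AGE {warn_age} below var_accounts_password_warn_age_login_defs=7")
    return findings


def check_crypto_policy(text):
    """Finding unless the first non-comment line names the FIPS policy."""
    active = ""
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            active = line
            break
    if active.upper() != "FIPS":
        return [f"system-wide crypto policy is {active!r}; ism_o sets var_system_crypto_policy=fips"]
    return []


def audit(sshd_text, login_defs_text, crypto_text):
    """Run all checks; an empty list means the sampled settings comply."""
    return (check_sshd(parse_kv(sshd_text, fold_case=True))
            + check_login_defs(parse_kv(login_defs_text))
            + check_crypto_policy(crypto_text))


if __name__ == "__main__":
    for finding in audit(SAMPLE_SSHD_CONFIG, SAMPLE_LOGIN_DEFS, SAMPLE_CRYPTO_POLICY):
        print("FAIL:", finding)
```

On a real host you would pass the contents of /etc/ssh/sshd_config, /etc/login.defs and /etc/crypto-policies/config instead of the samples; the checks are a quick pre-flight, not a substitute for running the datastream with the test suite command above.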

@vojtapolasek vojtapolasek self-assigned this Apr 22, 2021
@vojtapolasek
Collaborator

/ok-to-test

@openshift-ci-robot openshift-ci-robot added ok-to-test Used by openshift-ci bot. and removed needs-ok-to-test Used by openshift-ci bot. labels Apr 22, 2021
@vojtapolasek vojtapolasek left a comment

Hello, thank you for the changes. Please see the review comments.

@@ -117,13 +91,13 @@ selections:
- rsyslog_remote_tls
- rsyslog_remote_tls_cacert
- package_chrony_installed
- service_chronyd_enabled
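Review bot: the add/remove markers did not survive in this rendered view of the hunk at `@@ -117,13 +91,13 @@ selections:`, so it is not possible to tell from the four visible lines whether `package_chrony_installed` and `service_chronyd_enabled` are being kept or replaced; please confirm both remain selected, since RHEL 8 ships chrony rather than ntpd and the profile needs a time-synchronisation selection that can actually be remediated on that platform.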
Collaborator

I think that this change is not needed, as there is no ntpd package on rhel8, only chrony.

Contributor Author

Ok, I'll update this

- enable_fips_mode
- var_system_crypto_policy=fips
- configure_crypto_policy
- sshd_use_approved_ciphers
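Review bot: `sshd_use_approved_ciphers` duplicates what `var_system_crypto_policy=fips` together with `configure_crypto_policy` already enforce on RHEL 8, where sshd takes its cipher list from the system-wide crypto policy, and the rule has no RHEL 8 remediation, so it should be dropped from this selection block; it is also worth noting in the profile description that `enable_fips_mode` needs a reboot before the FIPS policy is fully in effect, so a scan taken immediately after remediation can still report a failure.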
Collaborator

I think this is not needed because ciphers are configured by crypto-policies. You already use the rule configure_crypto_policy, so this should be covered. We do not even have a rhel8 remediation for this rule.

Contributor Author

Thanks @vojtapolasek

The intent here was to align more closely with the ASD Approved Cryptographic Algorithms: https://www.cyber.gov.au/acsc/view-all-content/guidance/asd-approved-cryptographic-algorithms

You're right though - FIPS only permits these, so I think we're good here using the FIPS system-wide crypto policy.

I'll make these changes and rebase.

@shaneboulden
Contributor Author

/retest

@shaneboulden
Contributor Author

@vojtapolasek I've updated this PR and all tests are now passing. Are you able to take another look?

@vojtapolasek
Collaborator

Looks good, thank you for the contribution.

@vojtapolasek vojtapolasek added this to the 0.1.56 milestone Apr 30, 2021
@vojtapolasek vojtapolasek merged commit b0ba645 into ComplianceAsCode:master Apr 30, 2021