|
 |
575137 |
From ad9445f5cb6ff61021fff881b09ff875b8a9972d Mon Sep 17 00:00:00 2001
|
|
|
575137 |
From: Watson Sato <wsato@redhat.com>
|
|
|
575137 |
Date: Tue, 4 Dec 2018 10:05:23 +0100
|
|
|
575137 |
Subject: [PATCH 1/2] Remove dropped packages rules from RHEL8 profiles
|
|
|
575137 |
|
|
|
575137 |
---
|
|
|
575137 |
rhel8/profiles/hipaa.profile | 5 -----
|
|
|
575137 |
rhel8/profiles/ospp.profile | 1 -
|
|
|
575137 |
2 files changed, 6 deletions(-)
|
|
|
575137 |
|
|
|
575137 |
diff --git a/rhel8/profiles/hipaa.profile b/rhel8/profiles/hipaa.profile
|
|
|
575137 |
index 44a8a849bb..9008e96f27 100644
|
|
|
575137 |
--- a/rhel8/profiles/hipaa.profile
|
|
|
575137 |
+++ b/rhel8/profiles/hipaa.profile
|
|
|
575137 |
@@ -34,22 +34,17 @@ selections:
|
|
|
575137 |
- sshd_disable_root_login
|
|
|
575137 |
- libreswan_approved_tunnels
|
|
|
575137 |
- no_rsh_trust_files
|
|
|
575137 |
- - package_rsh_removed
|
|
|
575137 |
- package_rsh-server_removed
|
|
|
575137 |
- package_talk_removed
|
|
|
575137 |
- package_talk-server_removed
|
|
|
575137 |
- package_telnet_removed
|
|
|
575137 |
- package_telnet-server_removed
|
|
|
575137 |
- package_xinetd_removed
|
|
|
575137 |
- - package_ypbind_removed
|
|
|
575137 |
- - package_ypserv_removed
|
|
|
575137 |
- service_crond_enabled
|
|
|
575137 |
- service_rexec_disabled
|
|
|
575137 |
- service_rlogin_disabled
|
|
|
575137 |
- - service_rsh_disabled
|
|
|
575137 |
- service_telnet_disabled
|
|
|
575137 |
- service_xinetd_disabled
|
|
|
575137 |
- - service_ypbind_disabled
|
|
|
575137 |
- service_zebra_disabled
|
|
|
575137 |
- use_kerberos_security_all_exports
|
|
|
575137 |
- disable_host_auth
|
|
|
575137 |
diff --git a/rhel8/profiles/ospp.profile b/rhel8/profiles/ospp.profile
|
|
|
575137 |
index 7811f6908f..0a1ec8a6a5 100644
|
|
|
575137 |
--- a/rhel8/profiles/ospp.profile
|
|
|
575137 |
+++ b/rhel8/profiles/ospp.profile
|
|
|
575137 |
@@ -194,7 +194,6 @@
|
|
|
575137 |
- audit_rules_etc_group_openat
|
|
|
575137 |
- audit_rules_etc_group_open_by_handle_at
|
|
|
575137 |
- package_abrt_removed
|
|
|
575137 |
- - package_sendmail_removed
|
|
|
575137 |
- mount_option_dev_shm_nodev
|
|
|
575137 |
- mount_option_dev_shm_noexec
|
|
|
575137 |
- mount_option_dev_shm_nosuid
|
|
|
575137 |
|
|
|
575137 |
From 00ff79b9cedf03abf2aec7e1ab13fed5712c8301 Mon Sep 17 00:00:00 2001
|
|
|
575137 |
From: Watson Sato <wsato@redhat.com>
|
|
|
575137 |
Date: Tue, 4 Dec 2018 11:05:16 +0100
|
|
|
575137 |
Subject: [PATCH 2/2] Smartcards auth in RHEL8 should be done via sssd
|
|
|
575137 |
|
|
|
575137 |
- pam_pkcs11 was removed from RHEL8
|
|
|
575137 |
- piggy-backing fix: also enable pcsc-lite for Fedora
|
|
|
575137 |
---
|
|
|
575137 |
fedora/templates/csv/packages_installed.csv | 1 +
|
|
|
575137 |
rhel8/profiles/pci-dss.profile | 8 +++++++-
|
|
|
575137 |
rhel8/templates/csv/packages_installed.csv | 1 +
|
|
|
575137 |
3 files changed, 9 insertions(+), 1 deletion(-)
|
|
|
575137 |
|
|
|
575137 |
diff --git a/fedora/templates/csv/packages_installed.csv b/fedora/templates/csv/packages_installed.csv
|
|
|
575137 |
index 4abfd53340..7bbf4d93e5 100644
|
|
|
575137 |
--- a/fedora/templates/csv/packages_installed.csv
|
|
|
575137 |
+++ b/fedora/templates/csv/packages_installed.csv
|
|
|
575137 |
@@ -9,6 +9,7 @@ libreswan
|
|
|
575137 |
ntp
|
|
|
575137 |
opensc
|
|
|
575137 |
openssh-server
|
|
|
575137 |
+pcsc-lite
|
|
|
575137 |
vsftpd
|
|
|
575137 |
postfix
|
|
|
575137 |
screen
|
|
|
575137 |
diff --git a/rhel8/profiles/pci-dss.profile b/rhel8/profiles/pci-dss.profile
|
|
|
575137 |
index a81849ac41..3fef39b0eb 100644
|
|
|
575137 |
--- a/rhel8/profiles/pci-dss.profile
|
|
|
575137 |
+++ b/rhel8/profiles/pci-dss.profile
|
|
|
575137 |
@@ -113,7 +113,13 @@
|
|
|
575137 |
- ensure_gpgcheck_globally_activated
|
|
|
575137 |
- ensure_gpgcheck_never_disabled
|
|
|
575137 |
- security_patches_up_to_date
|
|
|
575137 |
- - smartcard_auth
|
|
|
575137 |
+ - package_opensc_installed
|
|
|
575137 |
+ - var_smartcard_drivers=cac
|
|
|
575137 |
+ - configure_opensc_nss_db
|
|
|
575137 |
+ - configure_opensc_card_drivers
|
|
|
575137 |
+ - force_opensc_card_drivers
|
|
|
575137 |
+ - service_pcscd_enabled
|
|
|
575137 |
+ - sssd_enable_smartcards
|
|
|
575137 |
- set_password_hashing_algorithm_systemauth
|
|
|
575137 |
- set_password_hashing_algorithm_logindefs
|
|
|
575137 |
- set_password_hashing_algorithm_libuserconf
|
|
|
575137 |
diff --git a/rhel8/templates/csv/packages_installed.csv b/rhel8/templates/csv/packages_installed.csv
|
|
|
575137 |
index e5c22d4bf3..248bac87b7 100644
|
|
|
575137 |
--- a/rhel8/templates/csv/packages_installed.csv
|
|
|
575137 |
+++ b/rhel8/templates/csv/packages_installed.csv
|
|
|
575137 |
@@ -9,6 +9,7 @@ libreswan
|
|
|
575137 |
ntp
|
|
|
575137 |
opensc
|
|
|
575137 |
openssh-server
|
|
|
575137 |
+pcsc-lite
|
|
|
575137 |
vsftpd
|
|
|
575137 |
postfix
|
|
|
575137 |
tmux
|