Blame SOURCES/scap-security-guide-0.1.48-e8_polish.patch

aa23b3
From 5f4e807cb6e54744ad69cd1e7d622c85ae4e8803 Mon Sep 17 00:00:00 2001
aa23b3
From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= <matyc@redhat.com>
aa23b3
Date: Thu, 21 Nov 2019 16:28:23 +0100
aa23b3
Subject: [PATCH 1/2] Updated the e8 profile for RHEL8.
aa23b3
aa23b3
- removed obsolete SSHD settings.
aa23b3
- added rules for crypto policies.
aa23b3
---
aa23b3
 rhel8/profiles/e8.profile | 6 ++++--
aa23b3
 1 file changed, 4 insertions(+), 2 deletions(-)
aa23b3
aa23b3
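diff --git a/rhel8/profiles/e8.profile b/rhel8/profiles/e8.profile
index 53b4c156e2..f0f19a4708 100644
--- a/rhel8/profiles/e8.profile
+++ b/rhel8/profiles/e8.profile
@@ -123,14 +123,16 @@ selections:
   - sshd_print_last_log
   - sshd_use_priv_separation
   - sshd_do_not_permit_user_env
-  - sshd_disable_rhosts_rsa
   - sshd_disable_rhosts
-  - sshd_allow_only_protocol2
   - sshd_set_loglevel_info
   - sshd_disable_empty_passwords
   - sshd_disable_user_known_hosts
   - sshd_enable_strictmodes
 
+  - var_system_crypto_policy=default
+  - configure_crypto_policy
+  - configure_ssh_crypto_policy
+
   ### Application whitelisting
   - package_fapolicyd_installed
   - service_fapolicyd_enabled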
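Review bot: The three crypto-policy selections are added directly below `sshd_enable_strictmodes`, separated only by a blank line, so they read as a continuation of the SSH hardening list, while the next group has its own `### Application whitelisting` heading. A heading such as `### System-wide crypto policy` above `var_system_crypto_policy=default` would keep the grouping consistent and make clear that `configure_crypto_policy` applies to the whole system, not only to sshd. A one-line comment on why this value was selected would also let an auditor map the variable to the E8 requirement without reading the commit history. The `selections:` list starts outside this hunk, so the earlier headings cannot be checked from here.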
aa23b3
aa23b3
From 659326a1d4db99dc30c4807b5b5ce4c97db37709 Mon Sep 17 00:00:00 2001
aa23b3
From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= <matyc@redhat.com>
aa23b3
Date: Mon, 25 Nov 2019 16:42:37 +0100
aa23b3
Subject: [PATCH 2/2] Update the crypto policy and rationale.
aa23b3
aa23b3
---
aa23b3
 rhel8/profiles/e8.profile | 5 ++++-
aa23b3
 1 file changed, 4 insertions(+), 1 deletion(-)
aa23b3
aa23b3
diff --git a/rhel8/profiles/e8.profile b/rhel8/profiles/e8.profile
aa23b3
index f0f19a4708..f78e908482 100644
aa23b3
--- a/rhel8/profiles/e8.profile
aa23b3
+++ b/rhel8/profiles/e8.profile
aa23b3
@@ -129,7 +129,10 @@ selections:
aa23b3
   - sshd_disable_user_known_hosts
aa23b3
   - sshd_enable_strictmodes
aa23b3
 
aa23b3
-  - var_system_crypto_policy=default
aa23b3
+  # The E8 profile bans usage of SHA-1, and as of 11/2019 the FUTURE crypto policy is the only one that ensures this.
aa23b3
+  # TODO: Re-evaluate after another crypto policies become available.
aa23b3
+  # See also: https://www.cyber.gov.au/ism/guidelines-using-cryptography
aa23b3
+  - var_system_crypto_policy=future
aa23b3
   - configure_crypto_policy
aa23b3
   - configure_ssh_crypto_policy
aa23b3
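Review bot: The comment above `var_system_crypto_policy=future` justifies the value only by the SHA-1 ban and says nothing about the other restrictions this policy brings. As far as I know from the RHEL 8 crypto-policies documentation, FUTURE also raises minimum key and parameter sizes, so remediating with this profile can break connections to peers or certificates that DEFAULT accepted. A line such as `# NOTE: FUTURE tightens more than SHA-1 (e.g. minimum key sizes); verify peer and certificate compatibility before remediating.` would warn whoever applies the profile. The TODO carries no tracking reference and its wording is off; `# TODO(<issue ref>): Re-evaluate once other crypto policies that disable SHA-1 become available.` would be easier to act on.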