|
 |
f8899d |
diff --git a/linux_os/guide/system/software/integrity/kernel_trust_cpu_rng/oval/shared.xml b/linux_os/guide/system/bootloader-grub2/grub2_kernel_trust_cpu_rng/oval/shared.xml
|
|
|
f8899d |
similarity index 100%
|
|
|
f8899d |
rename from linux_os/guide/system/software/integrity/kernel_trust_cpu_rng/oval/shared.xml
|
|
|
f8899d |
rename to linux_os/guide/system/bootloader-grub2/grub2_kernel_trust_cpu_rng/oval/shared.xml
|
|
|
f8899d |
diff --git a/linux_os/guide/system/software/integrity/kernel_trust_cpu_rng/rule.yml b/linux_os/guide/system/bootloader-grub2/grub2_kernel_trust_cpu_rng/rule.yml
|
|
|
f8899d |
similarity index 99%
|
|
|
f8899d |
rename from linux_os/guide/system/software/integrity/kernel_trust_cpu_rng/rule.yml
|
|
|
f8899d |
rename to linux_os/guide/system/bootloader-grub2/grub2_kernel_trust_cpu_rng/rule.yml
|
|
|
f8899d |
index 89ffe074e0..3df57621a3 100644
|
|
|
f8899d |
--- a/linux_os/guide/system/software/integrity/kernel_trust_cpu_rng/rule.yml
|
|
|
f8899d |
+++ b/linux_os/guide/system/bootloader-grub2/grub2_kernel_trust_cpu_rng/rule.yml
|
|
|
f8899d |
@@ -49,7 +49,7 @@ ocil: |-
|
|
|
f8899d |
If the command does not return any output, then the boot parameter is
|
|
|
f8899d |
missing.
|
|
|
f8899d |
|
|
|
f8899d |
-platform: machine
|
|
|
f8899d |
+platform: grub2
|
|
|
f8899d |
|
|
|
f8899d |
template:
|
|
|
f8899d |
name: grub2_bootloader_argument
|
|
|
f8899d |
diff --git a/linux_os/guide/system/software/integrity/kernel_trust_cpu_rng/tests/boot_parameter.pass.sh b/linux_os/guide/system/bootloader-grub2/grub2_kernel_trust_cpu_rng/tests/boot_parameter.pass.sh
|
|
|
f8899d |
similarity index 100%
|
|
|
f8899d |
rename from linux_os/guide/system/software/integrity/kernel_trust_cpu_rng/tests/boot_parameter.pass.sh
|
|
|
f8899d |
rename to linux_os/guide/system/bootloader-grub2/grub2_kernel_trust_cpu_rng/tests/boot_parameter.pass.sh
|
|
|
f8899d |
diff --git a/linux_os/guide/system/software/integrity/kernel_trust_cpu_rng/tests/compiled.pass.sh b/linux_os/guide/system/bootloader-grub2/grub2_kernel_trust_cpu_rng/tests/compiled.pass.sh
|
|
|
f8899d |
similarity index 100%
|
|
|
f8899d |
rename from linux_os/guide/system/software/integrity/kernel_trust_cpu_rng/tests/compiled.pass.sh
|
|
|
f8899d |
rename to linux_os/guide/system/bootloader-grub2/grub2_kernel_trust_cpu_rng/tests/compiled.pass.sh
|
|
|
f8899d |
diff --git a/linux_os/guide/system/software/integrity/kernel_trust_cpu_rng/tests/compiled_but_overridden.fail.sh b/linux_os/guide/system/bootloader-grub2/grub2_kernel_trust_cpu_rng/tests/compiled_but_overridden.fail.sh
|
|
|
f8899d |
similarity index 100%
|
|
|
f8899d |
rename from linux_os/guide/system/software/integrity/kernel_trust_cpu_rng/tests/compiled_but_overridden.fail.sh
|
|
|
f8899d |
rename to linux_os/guide/system/bootloader-grub2/grub2_kernel_trust_cpu_rng/tests/compiled_but_overridden.fail.sh
|
|
|
f8899d |
diff --git a/linux_os/guide/system/software/integrity/kernel_trust_cpu_rng/tests/missing.fail.sh b/linux_os/guide/system/bootloader-grub2/grub2_kernel_trust_cpu_rng/tests/missing.fail.sh
|
|
|
f8899d |
similarity index 100%
|
|
|
f8899d |
rename from linux_os/guide/system/software/integrity/kernel_trust_cpu_rng/tests/missing.fail.sh
|
|
|
f8899d |
rename to linux_os/guide/system/bootloader-grub2/grub2_kernel_trust_cpu_rng/tests/missing.fail.sh
|
|
|
f8899d |
diff --git a/rhel8/profiles/ospp.profile b/rhel8/profiles/ospp.profile
|
|
|
f8899d |
index 5944383e39..687b948b34 100644
|
|
|
f8899d |
--- a/rhel8/profiles/ospp.profile
|
|
|
f8899d |
+++ b/rhel8/profiles/ospp.profile
|
|
|
f8899d |
@@ -134,7 +134,7 @@ selections:
|
|
|
f8899d |
- grub2_vsyscall_argument.role=unscored
|
|
|
f8899d |
- grub2_vsyscall_argument.severity=info
|
|
|
f8899d |
- grub2_pti_argument
|
|
|
f8899d |
- - kernel_trust_cpu_rng
|
|
|
f8899d |
+ - grub2_kernel_trust_cpu_rng
|
|
|
f8899d |
|
|
|
f8899d |
## Security Settings
|
|
|
f8899d |
- sysctl_kernel_kptr_restrict
|
|
|
f8899d |
diff --git a/tests/data/profile_stability/rhel8/ospp.profile b/tests/data/profile_stability/rhel8/ospp.profile
|
|
|
f8899d |
index a11664fe28..8bbc01f0d5 100644
|
|
|
f8899d |
--- a/tests/data/profile_stability/rhel8/ospp.profile
|
|
|
f8899d |
+++ b/tests/data/profile_stability/rhel8/ospp.profile
|
|
|
f8899d |
@@ -84,6 +84,7 @@ selections:
|
|
|
f8899d |
- grub2_audit_argument
|
|
|
f8899d |
- grub2_audit_backlog_limit_argument
|
|
|
f8899d |
- grub2_disable_interactive_boot
|
|
|
f8899d |
+- grub2_kernel_trust_cpu_rng
|
|
|
f8899d |
- grub2_page_poison_argument
|
|
|
f8899d |
- grub2_pti_argument
|
|
|
f8899d |
- grub2_slub_debug_argument
|
|
|
f8899d |
@@ -97,7 +98,6 @@ selections:
|
|
|
f8899d |
- kernel_module_firewire-core_disabled
|
|
|
f8899d |
- kernel_module_sctp_disabled
|
|
|
f8899d |
- kernel_module_tipc_disabled
|
|
|
f8899d |
-- kernel_trust_cpu_rng
|
|
|
f8899d |
- mount_option_boot_nodev
|
|
|
f8899d |
- mount_option_boot_nosuid
|
|
|
f8899d |
- mount_option_dev_shm_nodev
|
|
|
f8899d |
diff --git a/tests/data/profile_stability/rhel8/stig.profile b/tests/data/profile_stability/rhel8/stig.profile
|
|
|
f8899d |
index 5add9d462f..e1915d648b 100644
|
|
|
f8899d |
--- a/tests/data/profile_stability/rhel8/stig.profile
|
|
|
f8899d |
+++ b/tests/data/profile_stability/rhel8/stig.profile
|
|
|
f8899d |
@@ -29,6 +29,8 @@ selections:
|
|
|
f8899d |
- accounts_password_minlen_login_defs
|
|
|
f8899d |
- accounts_password_pam_dcredit
|
|
|
f8899d |
- accounts_password_pam_difok
|
|
|
f8899d |
+- accounts_password_pam_enforce_local
|
|
|
f8899d |
+- accounts_password_pam_enforce_root
|
|
|
f8899d |
- accounts_password_pam_lcredit
|
|
|
f8899d |
- accounts_password_pam_maxclassrepeat
|
|
|
f8899d |
- accounts_password_pam_maxrepeat
|
|
|
f8899d |
@@ -39,6 +41,7 @@ selections:
|
|
|
f8899d |
- accounts_password_set_max_life_existing
|
|
|
f8899d |
- accounts_password_set_min_life_existing
|
|
|
f8899d |
- accounts_passwords_pam_faillock_deny
|
|
|
f8899d |
+- accounts_passwords_pam_faillock_enforce_local
|
|
|
f8899d |
- accounts_passwords_pam_faillock_interval
|
|
|
f8899d |
- accounts_passwords_pam_faillock_unlock_time
|
|
|
f8899d |
- accounts_umask_etc_bashrc
|
|
|
f8899d |
@@ -103,6 +106,7 @@ selections:
|
|
|
f8899d |
- grub2_audit_argument
|
|
|
f8899d |
- grub2_audit_backlog_limit_argument
|
|
|
f8899d |
- grub2_disable_interactive_boot
|
|
|
f8899d |
+- grub2_kernel_trust_cpu_rng
|
|
|
f8899d |
- grub2_page_poison_argument
|
|
|
f8899d |
- grub2_pti_argument
|
|
|
f8899d |
- grub2_slub_debug_argument
|
|
|
f8899d |
@@ -116,7 +120,6 @@ selections:
|
|
|
f8899d |
- kernel_module_firewire-core_disabled
|
|
|
f8899d |
- kernel_module_sctp_disabled
|
|
|
f8899d |
- kernel_module_tipc_disabled
|
|
|
f8899d |
-- kernel_trust_cpu_rng
|
|
|
f8899d |
- mount_option_boot_nodev
|
|
|
f8899d |
- mount_option_boot_nosuid
|
|
|
f8899d |
- mount_option_dev_shm_nodev
|
|
|
f8899d |
@@ -195,6 +198,7 @@ selections:
|
|
|
f8899d |
- service_systemd-coredump_disabled
|
|
|
f8899d |
- service_usbguard_enabled
|
|
|
f8899d |
- smartcard_configure_cert_checking
|
|
|
f8899d |
+- ssh_client_rekey_limit
|
|
|
f8899d |
- sshd_disable_empty_passwords
|
|
|
f8899d |
- sshd_disable_gssapi_auth
|
|
|
f8899d |
- sshd_disable_kerb_auth
|
|
|
f8899d |
@@ -272,8 +276,4 @@ selections:
|
|
|
f8899d |
- grub2_vsyscall_argument.severity=info
|
|
|
f8899d |
- sysctl_user_max_user_namespaces.role=unscored
|
|
|
f8899d |
- sysctl_user_max_user_namespaces.severity=info
|
|
|
f8899d |
-- ssh_client_rekey_limit
|
|
|
f8899d |
-- accounts_passwords_pam_faillock_enforce_local
|
|
|
f8899d |
-- accounts_password_pam_enforce_local
|
|
|
f8899d |
-- accounts_password_pam_enforce_root
|
|
|
f8899d |
title: '[DRAFT] DISA STIG for Red Hat Enterprise Linux 8'
|