Merge pull request #12558 from Xeicker/na_rules_ol

Remove not applicable rules for OL8 & OL9
ComplianceAsCode · Nov 8, 2024 · 64926d6 · 64926d6
2 parents caa42c4 + 57f2fdc
commit 64926d6
Show file tree

Hide file tree

Showing 9 changed files with 24 additions and 22 deletions.
diff --git a/products/ol8/profiles/anssi_bp28_enhanced.profile b/products/ol8/profiles/anssi_bp28_enhanced.profile
@@ -34,3 +34,9 @@ selections:
     - '!cracklib_accounts_password_pam_dcredit'
     - '!grub2_page_alloc_shuffle_argument'
     - '!package_kea_removed'
+    # disable R45: Enable AppArmor security profiles
+    - '!apparmor_configured'
+    - '!all_apparmor_profiles_enforced'
+    - '!grub2_enable_apparmor'
+    - '!package_apparmor_installed'
+    - '!package_pam_apparmor_installed'
diff --git a/products/ol8/profiles/anssi_bp28_high.profile b/products/ol8/profiles/anssi_bp28_high.profile
@@ -35,3 +35,9 @@ selections:
     - '!cracklib_accounts_password_pam_dcredit'
     - '!grub2_page_alloc_shuffle_argument'
     - '!package_kea_removed'
+    # disable R45: Enable AppArmor security profiles
+    - '!apparmor_configured'
+    - '!all_apparmor_profiles_enforced'
+    - '!grub2_enable_apparmor'
+    - '!package_apparmor_installed'
+    - '!package_pam_apparmor_installed'
diff --git a/products/ol8/profiles/default.profile b/products/ol8/profiles/default.profile
@@ -38,20 +38,15 @@ selections:
     - sebool_selinuxuser_ping
     - package_pigz_removed
     - dconf_gnome_screensaver_lock_locked
-    - package_ntpdate_removed
     - file_groupowner_efi_user_cfg
-    - ntpd_specify_multiple_servers
     - file_groupownership_sshd_pub_key
     - audit_rules_unsuccessful_file_modification_renameat
     - package_abrt-plugin-rhtsupport_removed
     - sebool_selinuxuser_share_music
     - file_groupowner_var_log_syslog
-    - service_netfs_disabled
     - file_groupownership_audit_configuration
     - auditd_audispd_configure_remote_server
     - file_ownership_sshd_pub_key
-    - package_ntp_installed
-    - package_cron_installed
     - file_groupowner_etc_issue
     - sebool_abrt_anon_write
     - dconf_gnome_screensaver_idle_activation_locked
@@ -130,7 +125,6 @@ selections:
     - package_inetutils-telnetd_removed
     - audit_rules_successful_file_modification_openat
     - audit_rules_unsuccessful_file_modification_fchmod
-    - service_ntpd_enabled
     - avahi_disable_publishing
     - audit_rules_successful_file_modification_fchmod
     - sudo_custom_logfile
@@ -181,7 +175,6 @@ selections:
     - file_owner_user_cfg
     - audit_rules_successful_file_modification_lchown
     - sshd_set_maxstartups
-    - service_cron_enabled
     - file_permissions_efi_user_cfg
     - audit_rules_successful_file_modification_unlink
     - file_permissions_user_cfg
@@ -202,7 +195,6 @@ selections:
     - file_permissions_var_log_syslog
     - audit_rules_etc_passwd_open_by_handle_at
     - file_owner_var_log_syslog
-    - service_ip6tables_enabled
     - auditd_data_retention_space_left
     - audit_rules_unsuccessful_file_modification_open_o_trunc_write
     - package_tar_installed
@@ -362,7 +354,6 @@ selections:
     - no_root_webbrowsing
     - audit_rules_etc_gshadow_open
     - sebool_mock_enable_homedirs
-    - ntpd_specify_remote_server
     - audit_rules_successful_file_modification_openat_o_creat
     - sshd_enable_x11_forwarding
     - dconf_gnome_screensaver_user_info

diff --git a/products/ol8/profiles/hipaa.profile b/products/ol8/profiles/hipaa.profile
@@ -52,7 +52,6 @@ selections:
     - service_rlogin_disabled
     - service_telnet_disabled
     - service_xinetd_disabled
-    - service_zebra_disabled
     - use_kerberos_security_all_exports
     - var_authselect_profile=sssd
     - enable_authselect

diff --git a/products/ol8/profiles/standard.profile b/products/ol8/profiles/standard.profile
@@ -73,11 +73,9 @@ selections:
     - service_abrtd_disabled
     - service_atd_disabled
     - service_autofs_disabled
-    - service_ntpdate_disabled
     - service_oddjobd_disabled
     - service_rdisc_disabled
     - service_rsyslog_enabled
-    - service_qpidd_disabled
     - partition_for_var_log
     - partition_for_var_log_audit
     - configure_crypto_policy

diff --git a/products/ol9/profiles/anssi_bp28_enhanced.profile b/products/ol9/profiles/anssi_bp28_enhanced.profile
@@ -42,3 +42,9 @@ selections:
     - '!cracklib_accounts_password_pam_dcredit'
     - '!package_xinetd_removed'
     - '!package_kea_removed'
+    # disable R45: Enable AppArmor security profiles
+    - '!apparmor_configured'
+    - '!all_apparmor_profiles_enforced'
+    - '!grub2_enable_apparmor'
+    - '!package_apparmor_installed'
+    - '!package_pam_apparmor_installed'
diff --git a/products/ol9/profiles/anssi_bp28_high.profile b/products/ol9/profiles/anssi_bp28_high.profile
@@ -43,3 +43,9 @@ selections:
     - '!cracklib_accounts_password_pam_dcredit'
     - '!package_xinetd_removed'
     - '!package_kea_removed'
+    # disable R45: Enable AppArmor security profiles
+    - '!apparmor_configured'
+    - '!all_apparmor_profiles_enforced'
+    - '!grub2_enable_apparmor'
+    - '!package_apparmor_installed'
+    - '!package_pam_apparmor_installed'
diff --git a/products/ol9/profiles/default.profile b/products/ol9/profiles/default.profile
@@ -37,10 +37,8 @@ selections:
     - sshd_set_max_sessions
     - sudoers_no_root_target
     - package_inetutils-telnetd_removed
-    - service_ntpd_enabled
     - kernel_disable_entropy_contribution_for_solid_state_drives
     - avahi_disable_publishing
-    - package_ntpdate_removed
     - sudo_custom_logfile
     - file_groupowner_efi_user_cfg
     - sshd_use_priv_separation
@@ -52,7 +50,6 @@ selections:
     - sshd_enable_warning_banner_net
     - file_groupowner_var_log_syslog
     - grub2_systemd_debug-shell_argument_absent
-    - service_netfs_disabled
     - ftp_limit_users
     - file_groupownership_sshd_private_key
     - kernel_module_ipv6_option_disabled
@@ -61,11 +58,9 @@ selections:
     - firewalld-backend
     - rsyslog_accept_remote_messages_tcp
     - file_ownership_sshd_pub_key
-    - package_ntp_installed
     - service_rngd_enabled
     - enable_dconf_user_profile
     - harden_sshd_ciphers_opensshserver_conf_crypto_policy
-    - package_cron_installed
     - sshd_enable_gssapi_auth
     - partition_for_dev_shm
     - ftp_configure_firewall
@@ -97,7 +92,6 @@ selections:
     - account_passwords_pam_faillock_audit
     - sshd_set_maxstartups
     - accounts_root_gid_zero
-    - service_cron_enabled
     - sshd_enable_x11_forwarding
     - service_sshd_disabled
     - sshd_disable_rhosts_rsa
@@ -127,4 +121,3 @@ selections:
     - package_telnetd-ssl_removed
     - file_owner_var_log_syslog
     - sshd_limit_user_access
-    - service_ip6tables_enabled
diff --git a/products/ol9/profiles/standard.profile b/products/ol9/profiles/standard.profile
@@ -70,14 +70,11 @@ selections:
     - audit_rules_unsuccessful_file_modification
     - audit_rules_usergroup_modification
     - package_rsyslog_installed
-    - service_abrtd_disabled
     - service_atd_disabled
     - service_autofs_disabled
-    - service_ntpdate_disabled
     - service_oddjobd_disabled
     - service_rdisc_disabled
     - service_rsyslog_enabled
-    - service_qpidd_disabled
     - partition_for_var_log
     - partition_for_var_log_audit
     - configure_crypto_policy