
Commit 64fcfd4

committed
update default profile to keep rules in the data stream
1 parent 3160aac commit 64fcfd4

3 files changed

Lines changed: 7 additions & 18 deletions


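--- a/products/rhel8/profiles/default.profile
+++ b/products/rhel8/profiles/default.profile
@@ -734,3 +734,6 @@ selections:
 - harden_sshd_ciphers_opensshserver_conf_crypto_policy
 - harden_sshd_macs_opensshserver_conf_crypto_policy
 - sysctl_crypto_fips_enabled
+- configure_gnutls_tls_crypto_policy
+- configure_openssl_tls_crypto_policy
+- sshd_use_approved_kex_ordered_stig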
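Review bot: Four of the rules that the STIG stability data in this commit stops expecting (`configure_kerberos_crypto_policy`, `enable_dracut_fips_module`, `harden_sshd_ciphers_openssh_conf_crypto_policy` and `harden_sshd_macs_openssh_conf_crypto_policy`) are neither added here nor visible in this hunk's context, although the title says the aim is to keep rules in the data stream. The `selections:` list starts well above this hunk, so they may already be listed there or be selected by another profile. If they are not, they need entries such as `- configure_kerberos_crypto_policy` next to the three added lines. A FIPS or crypto-policy rule that silently drops out of the built content can presumably no longer be evaluated or selected through tailoring.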

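--- a/tests/data/profile_stability/rhel8/stig.profile
+++ b/tests/data/profile_stability/rhel8/stig.profile
@@ -140,8 +140,6 @@ clean_components_post_updating
 configure_bind_crypto_policy
 configure_crypto_policy
 configure_firewalld_ports
-configure_gnutls_tls_crypto_policy
-configure_kerberos_crypto_policy
 configure_libreswan_crypto_policy
 configure_usbguard_auditbackend
 configured_firewalld_default_deny
@@ -173,7 +171,6 @@ disable_users_coredumps
 disallow_bypass_password_sudo
 display_login_attempts
 enable_authselect
-enable_dracut_fips_module
 enable_fips_mode
 enable_gpgcheck_for_all_repositories
 encrypt_partitions
@@ -207,6 +204,7 @@ file_permissions_var_log
 file_permissions_var_log_audit
 file_permissions_var_log_messages
 fips_crypto_subpolicy
+fips_custom_stig_sub_policy
 firewalld-backend
 gnome_gdm_disable_automatic_login
 grub2_admin_username
@@ -219,10 +217,6 @@ grub2_pti_argument
 grub2_uefi_admin_username
 grub2_uefi_password
 grub2_vsyscall_argument
-harden_sshd_ciphers_openssh_conf_crypto_policy
-harden_sshd_ciphers_opensshserver_conf_crypto_policy
-harden_sshd_macs_openssh_conf_crypto_policy
-harden_sshd_macs_opensshserver_conf_crypto_policy
 install_smartcard_packages
 installed_OS_is_vendor_supported
 kerberos_disable_no_keytab
@@ -370,7 +364,6 @@ sudo_require_reauthentication
 sudo_restrict_privilege_elevation_to_authorized
 sudoers_default_includedir
 sudoers_validate_passwd
-sysctl_crypto_fips_enabled
 sysctl_fs_protected_hardlinks
 sysctl_fs_protected_symlinks
 sysctl_kernel_core_pattern
@@ -448,7 +441,7 @@ var_ssh_client_rekey_limit_time=1hour
 var_sshd_set_keepalive=1
 var_sssd_certificate_verification_digest_function=sha1
 var_sudo_timestamp_timeout=always_prompt
-var_system_crypto_policy=fips
+var_system_crypto_policy=fips_stig
 var_time_service_set_maxpoll=18_hours
 var_user_initialization_files_regex=all_dotfiles
 wireless_disable_interfaces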
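Review bot: The expected STIG selection loses `enable_dracut_fips_module` and `sysctl_crypto_fips_enabled` and moves `var_system_crypto_policy` from `fips` to `fips_stig`, yet no STIG profile or control file is among the three changed files and the title mentions only the default profile. Reference data should only follow a profile change, so the description ought to name the change it tracks, for example `stability data follows the STIG switch to the fips_stig crypto policy` (wording to be adapted to the actual change). It is also worth confirming that `enable_fips_mode`, which remains in the context lines, still covers the two FIPS checks that are no longer listed. The same edits are repeated in tests/data/profile_stability/rhel8/stig_gui.profile.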

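--- a/tests/data/profile_stability/rhel8/stig_gui.profile
+++ b/tests/data/profile_stability/rhel8/stig_gui.profile
@@ -140,8 +140,6 @@ clean_components_post_updating
 configure_bind_crypto_policy
 configure_crypto_policy
 configure_firewalld_ports
-configure_gnutls_tls_crypto_policy
-configure_kerberos_crypto_policy
 configure_libreswan_crypto_policy
 configure_usbguard_auditbackend
 configured_firewalld_default_deny
@@ -173,7 +171,6 @@ disable_users_coredumps
 disallow_bypass_password_sudo
 display_login_attempts
 enable_authselect
-enable_dracut_fips_module
 enable_fips_mode
 enable_gpgcheck_for_all_repositories
 encrypt_partitions
@@ -207,6 +204,7 @@ file_permissions_var_log
 file_permissions_var_log_audit
 file_permissions_var_log_messages
 fips_crypto_subpolicy
+fips_custom_stig_sub_policy
 firewalld-backend
 gnome_gdm_disable_automatic_login
 grub2_admin_username
@@ -219,10 +217,6 @@ grub2_pti_argument
 grub2_uefi_admin_username
 grub2_uefi_password
 grub2_vsyscall_argument
-harden_sshd_ciphers_openssh_conf_crypto_policy
-harden_sshd_ciphers_opensshserver_conf_crypto_policy
-harden_sshd_macs_openssh_conf_crypto_policy
-harden_sshd_macs_opensshserver_conf_crypto_policy
 install_smartcard_packages
 installed_OS_is_vendor_supported
 kerberos_disable_no_keytab
@@ -368,7 +362,6 @@ sudo_require_reauthentication
 sudo_restrict_privilege_elevation_to_authorized
 sudoers_default_includedir
 sudoers_validate_passwd
-sysctl_crypto_fips_enabled
 sysctl_fs_protected_hardlinks
 sysctl_fs_protected_symlinks
 sysctl_kernel_core_pattern
@@ -446,7 +439,7 @@ var_ssh_client_rekey_limit_time=1hour
 var_sshd_set_keepalive=1
 var_sssd_certificate_verification_digest_function=sha1
 var_sudo_timestamp_timeout=always_prompt
-var_system_crypto_policy=fips
+var_system_crypto_policy=fips_stig
 var_time_service_set_maxpoll=18_hours
 var_user_initialization_files_regex=all_dotfiles
 wireless_disable_interfaces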
