Merge pull request #12347 from marcusburghardt/pcidss_rhel10

Review PCI-DSS requirements and rules for RHEL 10

Author: Mab879

controls/pcidss_4.yml

@@ -2047,6 +2047,7 @@ controls:
       status: automated
       rules:
         - enable_authselect
+        - var_authselect_profile=sssd
         - accounts_passwords_pam_faillock_deny
         - var_accounts_passwords_pam_faillock_deny=10
         - accounts_passwords_pam_faillock_unlock_time

products/rhel10/profiles/pci-dss.profile

@@ -24,49 +24,52 @@ description: |-
 
 selections:
     - pcidss_4:all
-    # audit-audispd-plugins package does not exist in RHEL 10 (based on RHEL 9)
-    # use only package_audispd-plugins_installed
-    - '!package_audit-audispd-plugins_installed'
+    - var_password_hashing_algorithm=yescrypt
+    - var_password_hashing_algorithm_pam=yescrypt
+
     # More tests are needed to identify which rule is conflicting with rpm_verify_permissions.
     # https://github.com/ComplianceAsCode/content/issues/11285
     - '!rpm_verify_permissions'
+
     # these rules do not apply to RHEL 10
     - '!package_audit-audispd-plugins_installed'
-    - '!service_ntp_enabled'
-    - '!ntpd_specify_remote_server'
-    - '!ntpd_specify_multiple_servers'
-    - '!set_ipv6_loopback_traffic'
-    - '!set_loopback_traffic'
-    - '!service_ntpd_enabled'
     - '!package_ypserv_removed'
     - '!package_ypbind_removed'
     - '!package_talk_removed'
     - '!package_talk-server_removed'
     - '!package_xinetd_removed'
     - '!package_rsh_removed'
     - '!package_rsh-server_removed'
-    # Following are incompatible with the rhel10 product (based on RHEL9)
-    - '!service_chronyd_or_ntpd_enabled'
+
+    - '!service_ntp_enabled'
+    - '!service_ntpd_enabled'
+    - '!service_timesyncd_enabled'
+    - '!ntpd_specify_remote_server'
+    - '!ntpd_specify_multiple_servers'
+
+    - '!accounts_passwords_pam_tally2'
+    - '!accounts_passwords_pam_tally2_unlock_time'
+    - '!cracklib_accounts_password_pam_dcredit'
+    - '!cracklib_accounts_password_pam_lcredit'
+    - '!cracklib_accounts_password_pam_minlen'
+    - '!cracklib_accounts_password_pam_retry'
+    - '!ensure_firewall_rules_for_open_ports'
+    - '!ensure_shadow_group_empty'
+    - '!ensure_suse_gpgkey_installed'
     - '!install_PAE_kernel_on_x86-32'
     - '!mask_nonessential_services'
-    - '!aide_periodic_checking_systemd_timer'
     - '!nftables_ensure_default_deny_policy'
-    - '!cracklib_accounts_password_pam_lcredit'
-    - '!file_owner_at_allow'
-    - '!ensure_firewall_rules_for_open_ports'
-    - '!cracklib_accounts_password_pam_retry'
-    - '!gnome_gdm_disable_guest_login'
+    - '!set_ipv6_loopback_traffic'
+    - '!set_ip6tables_default_rule'
+    - '!set_loopback_traffic'
+    - '!set_password_hashing_algorithm_commonauth'
+
+    # Following are incompatible with the rhel10 product (based on RHEL9)
+    - '!service_chronyd_or_ntpd_enabled'
+    - '!aide_periodic_checking_systemd_timer'
+    - '!gnome_gdm_disable_unattended_automatic_login'
+    - '!permissions_local_var_log'
     - '!sshd_use_strong_kex'
     - '!sshd_use_approved_macs'
-    - '!permissions_local_var_log'
     - '!sshd_use_approved_ciphers'
-    - '!accounts_passwords_pam_tally2'
-    - '!ensure_suse_gpgkey_installed'
-    - '!gnome_gdm_disable_unattended_automatic_login'
-    - '!accounts_passwords_pam_tally2_unlock_time'
-    - '!cracklib_accounts_password_pam_minlen'
-    - '!set_password_hashing_algorithm_commonauth'
-    - '!cracklib_accounts_password_pam_dcredit'
-    - '!ensure_shadow_group_empty'
-    - '!service_timesyncd_enabled'
     - '!security_patches_up_to_date'

tests/data/profile_stability/rhel8/pci-dss.profile

@@ -289,6 +289,7 @@ selections:
 - var_password_pam_dcredit=1
 - var_password_pam_lcredit=1
 - var_password_pam_minlen=12
+- var_authselect_profile=sssd
 - var_accounts_passwords_pam_faillock_deny=10
 - var_accounts_passwords_pam_faillock_unlock_time=1800
 - var_password_pam_tally2=10

tests/data/profile_stability/rhel9/pci-dss.profile

@@ -281,6 +281,7 @@ selections:
 - var_password_pam_dcredit=1
 - var_password_pam_lcredit=1
 - var_password_pam_minlen=12
+- var_authselect_profile=sssd
 - var_accounts_passwords_pam_faillock_deny=10
 - var_accounts_passwords_pam_faillock_unlock_time=1800
 - var_password_pam_tally2=10