Merge pull request ComplianceAsCode#11873 from Xeicker/update_ol9_pcidss

Update ol9 pcidss

linux_os/guide/services/ntp/chronyd_run_as_chrony_user/ansible/shared.yml

@@ -1,4 +1,4 @@
-# platform = multi_platform_fedora,Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8
+# platform = multi_platform_fedora,multi_platform_ol,Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8
 # reboot = false
 # strategy = configure
 # complexity = low

linux_os/guide/services/ntp/chronyd_run_as_chrony_user/tests/empty.pass.sh

@@ -1,5 +1,5 @@
 #!/bin/bash
-# platform = multi_platform_rhel,multi_platform_fedora
+# platform = multi_platform_ol,multi_platform_rhel,multi_platform_fedora
 # packages = chrony
 
 

linux_os/guide/services/ntp/chronyd_run_as_chrony_user/tests/empty_options.pass.sh

@@ -1,5 +1,5 @@
 #!/bin/bash
-# platform = multi_platform_rhel,multi_platform_fedora
+# platform = multi_platform_ol,multi_platform_rhel,multi_platform_fedora
 # packages = chrony
 
 

linux_os/guide/system/logging/log_rotation/timer_logrotate_enabled/rule.yml

@@ -15,6 +15,8 @@ severity: medium
 
 {{% if 'rhel' in product %}}
 platform: package[logrotate] and os_linux[rhel]>=9
+{{% elif 'ol' in product %}}
+platform: package[logrotate] and os_linux[ol]>=9
 {{% else %}}
 platform: package[logrotate]
 {{% endif %}}

linux_os/guide/system/network/network_nmcli_permissions/ansible/shared.yml

@@ -1,4 +1,4 @@
-# platform = Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8,multi_platform_rhv,multi_platform_fedora
+# platform = Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8,multi_platform_ol,multi_platform_rhv,multi_platform_fedora
 # reboot = false
 # strategy = restrict
 # complexity = low

linux_os/guide/system/network/network_nmcli_permissions/tests/correct_value.pass.sh

@@ -0,0 +1,11 @@
+#!/bin/bash
+# packages = polkit
+
+cat <<EOF > /etc/polkit-1/localauthority/20-org.d/test.pkla
+[Disable General User Access to NetworkManager]
+Identity=default
+Action=org.freedesktop.NetworkManager.*
+ResultAny=no
+ResultInactive=no
+ResultActive=auth_admin
+EOF

linux_os/guide/system/network/network_nmcli_permissions/tests/wrong_resultactive.fail.sh

@@ -0,0 +1,11 @@
+#!/bin/bash
+# packages = polkit
+
+cat <<EOF > /etc/polkit-1/localauthority/20-org.d/test.pkla
+[Disable General User Access to NetworkManager]
+Identity=default
+Action=org.freedesktop.NetworkManager.*
+ResultAny=no
+ResultInactive=no
+ResultActive=no
+EOF

products/ol9/profiles/pci-dss.profile

@@ -1,144 +1,66 @@
 documentation_complete: true
 
-reference: https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf
+metadata:
+ version: '4.0'
 
-title: 'PCI-DSS v3.2.1 Control Baseline for Oracle Linux 9'
+reference: https://docs-prv.pcisecuritystandards.org/PCI%20DSS/Standard/PCI-DSS-v4_0.pdf
+
+title: 'PCI-DSS v4.0 Control Baseline for Oracle Linux 9'
 
 description: |-
- Ensures PCI-DSS v3.2.1 security configuration settings are applied.
+ Payment Card Industry - Data Security Standard (PCI-DSS) is a set of
+ security standards designed to ensure the secure handling of payment card
+ data, with the goal of preventing data breaches and protecting sensitive
+ financial information.
+
+ This profile ensures Oracle Linux 9 is configured in alignment
+ with PCI-DSS v4.0 requirements.
 
 selections:
- - var_password_pam_unix_remember=4
- - var_account_disable_post_pw_expiration=90
- - var_accounts_passwords_pam_faillock_deny=6
- - var_accounts_passwords_pam_faillock_unlock_time=1800
- - var_password_pam_minlen=7
- - var_password_pam_minclass=2
- - var_accounts_maximum_age_login_defs=90
- - var_auditd_num_logs=5
- - service_auditd_enabled
- - grub2_audit_argument
- - auditd_data_retention_num_logs
- - auditd_data_retention_max_log_file
- - auditd_data_retention_max_log_file_action
- - auditd_data_retention_space_left_action
- - auditd_data_retention_admin_space_left_action
- - auditd_data_retention_action_mail_acct
- - package_audispd-plugins_installed
- - auditd_audispd_syslog_plugin_activated
- - audit_rules_time_adjtimex
- - audit_rules_time_settimeofday
- - audit_rules_time_stime
- - audit_rules_time_clock_settime
- - audit_rules_time_watch_localtime
- - audit_rules_usergroup_modification_group
- - audit_rules_usergroup_modification_gshadow
- - audit_rules_usergroup_modification_opasswd
- - audit_rules_usergroup_modification_passwd
- - audit_rules_usergroup_modification_shadow
- - audit_rules_networkconfig_modification
- - file_permissions_var_log_audit
- - file_ownership_var_log_audit
- - audit_rules_mac_modification
- - audit_rules_dac_modification_chmod
- - audit_rules_dac_modification_chown
- - audit_rules_dac_modification_fchmod
- - audit_rules_dac_modification_fchmodat
- - audit_rules_dac_modification_fchown
- - audit_rules_dac_modification_fchownat
- - audit_rules_dac_modification_fremovexattr
- - audit_rules_dac_modification_fsetxattr
- - audit_rules_dac_modification_lchown
- - audit_rules_dac_modification_lremovexattr
- - audit_rules_dac_modification_lsetxattr
- - audit_rules_dac_modification_removexattr
- - audit_rules_dac_modification_setxattr
- - audit_rules_login_events
- - audit_rules_session_events
- - audit_rules_unsuccessful_file_modification_creat
- - audit_rules_unsuccessful_file_modification_ftruncate
- - audit_rules_unsuccessful_file_modification_open
- - audit_rules_unsuccessful_file_modification_open_by_handle_at
- - audit_rules_unsuccessful_file_modification_openat
- - audit_rules_unsuccessful_file_modification_truncate
- - audit_rules_privileged_commands
- - audit_rules_media_export
- - audit_rules_file_deletion_events_rename
- - audit_rules_file_deletion_events_renameat
- - audit_rules_file_deletion_events_rmdir
- - audit_rules_file_deletion_events_unlink
- - audit_rules_file_deletion_events_unlinkat
- - audit_rules_sysadmin_actions
- - audit_rules_kernel_module_loading_delete
- - audit_rules_kernel_module_loading_finit
- - audit_rules_kernel_module_loading_init
- - audit_rules_immutable
- - var_multiple_time_servers=rhel
- - service_chronyd_enabled
- - chronyd_specify_remote_server
- - rpm_verify_permissions
- - rpm_verify_hashes
- - install_hids
- - rsyslog_files_permissions
- - rsyslog_files_ownership
- - rsyslog_files_groupownership
- - ensure_logrotate_activated
- - package_aide_installed
- - aide_build_database
- - aide_periodic_cron_checking
- - account_unique_name
- - gid_passwd_group_same
- - accounts_password_all_shadowed
- - no_empty_passwords
- - display_login_attempts
- - account_disable_post_pw_expiration
- - var_authselect_profile=sssd
- - enable_authselect
- - accounts_passwords_pam_faillock_deny
- - accounts_passwords_pam_faillock_unlock_time
- - dconf_db_up_to_date
- - dconf_gnome_screensaver_idle_delay
- - dconf_gnome_session_idle_user_locks
- - dconf_gnome_screensaver_idle_activation_enabled
- - dconf_gnome_screensaver_lock_enabled
- - dconf_gnome_screensaver_mode_blank
- - sshd_use_directory_configuration
- - accounts_password_pam_minlen
- - accounts_password_pam_dcredit
- - accounts_password_pam_ucredit
- - accounts_password_pam_lcredit
- - accounts_password_pam_unix_remember
- - accounts_maximum_age_login_defs
- - ensure_oracle_gpgkey_installed
- - ensure_gpgcheck_globally_activated
- - ensure_gpgcheck_never_disabled
- - security_patches_up_to_date
- - package_opensc_installed
- - var_smartcard_drivers=cac
- - configure_opensc_card_drivers
- - force_opensc_card_drivers
- - package_pcsc-lite_installed
- - service_pcscd_enabled
- - sssd_enable_smartcards
- - set_password_hashing_algorithm_systemauth
- - set_password_hashing_algorithm_passwordauth
- - set_password_hashing_algorithm_logindefs
- - set_password_hashing_algorithm_libuserconf
- - file_owner_etc_shadow
- - file_groupowner_etc_shadow
- - file_permissions_etc_shadow
- - file_owner_etc_group
- - file_groupowner_etc_group
- - file_permissions_etc_group
- - file_owner_etc_passwd
- - file_groupowner_etc_passwd
- - file_permissions_etc_passwd
- - file_owner_grub2_cfg
- - file_groupowner_grub2_cfg
- - package_libreswan_installed
- - configure_crypto_policy
- - configure_bind_crypto_policy
- - configure_openssl_crypto_policy
- - configure_libreswan_crypto_policy
- - configure_ssh_crypto_policy
- - configure_kerberos_crypto_policy
+ - pcidss_4:all
+ - '!rpm_verify_permissions'
+ - '!package_audit-audispd-plugins_installed'
+ - '!service_ntp_enabled'
+ - '!ntpd_specify_remote_server'
+ - '!ntpd_specify_multiple_servers'
+ - '!set_ipv6_loopback_traffic'
+ - '!set_loopback_traffic'
+ - '!service_ntpd_enabled'
+ - '!package_ypserv_removed'
+ - '!package_ypbind_removed'
+ - '!package_talk_removed'
+ - '!package_talk-server_removed'
+ - '!package_xinetd_removed'
+ - '!package_rsh_removed'
+ - '!package_rsh-server_removed'
+ - '!service_chronyd_or_ntpd_enabled'
+ - '!install_PAE_kernel_on_x86-32'
+ - '!mask_nonessential_services'
+ - '!aide_periodic_checking_systemd_timer'
+ - '!nftables_ensure_default_deny_policy'
+ - '!cracklib_accounts_password_pam_lcredit'
+ - '!file_owner_at_allow'
+ - '!ensure_firewall_rules_for_open_ports'
+ - '!cracklib_accounts_password_pam_retry'
+ - '!gnome_gdm_disable_guest_login'
+ - '!sshd_use_strong_kex'
+ - '!sshd_use_approved_macs'
+ - '!group_unique_name'
+ - '!permissions_local_var_log'
+ - '!sshd_use_approved_ciphers'
+ - '!accounts_passwords_pam_tally2'
+ - '!ensure_suse_gpgkey_installed'
+ - '!ensure_redhat_gpgkey_installed'
+ - '!gnome_gdm_disable_unattended_automatic_login'
+ - '!accounts_passwords_pam_tally2_unlock_time'
+ - '!cracklib_accounts_password_pam_minlen'
+ - '!set_password_hashing_algorithm_commonauth'
+ - '!cracklib_accounts_password_pam_dcredit'
+ - '!ensure_shadow_group_empty'
+ - '!service_timesyncd_enabled'
+ # Not applicable to OL9, packages not available in OL9
+ - '!package_cryptsetup-luks_installed'
+ - '!package_dhcp_removed'
+ - '!service_rpcbind_disabled'
+ # Add oracle gpg key rule
+ - 'ensure_oracle_gpgkey_installed'