From 6950750cb11305da235cb2251d073fcb752ac748 Mon Sep 17 00:00:00 2001
From: Alexandre Skrzyniarz
Date: Thu, 15 Feb 2024 18:35:37 +0100
Subject: [PATCH] update anssi bp28 minimal profile for debian 12

Activate some rules that were previously disabled due to an incompatible prodtype.
---
 .../profiles/anssi_bp28_minimal.profile | 32 +++----------------
 1 file changed, 5 insertions(+), 27 deletions(-)

diff --git a/products/debian12/profiles/anssi_bp28_minimal.profile b/products/debian12/profiles/anssi_bp28_minimal.profile
index ded77a47463..2508a5d644d 100644
--- a/products/debian12/profiles/anssi_bp28_minimal.profile
+++ b/products/debian12/profiles/anssi_bp28_minimal.profile
@@ -15,55 +15,33 @@ selections:
 - anssi:all:minimal
 # PASS_MIN_LEN is handled by PAM on debian systems.
 - '!accounts_password_minlen_login_defs'
+ # ANSSI BP 28 suggest using libpam_pwquality, which isn't deployed by default
+ - 'package_pam_pwquality_installed'
+ # PAM honour login.defs file for algorithm
+ - 'set_password_hashing_algorithm_logindefs'
 # Following rules once had a prodtype incompatible with the debian12 product
- - '!package_ypserv_removed'
- - '!accounts_password_pam_dcredit'
 - '!accounts_passwords_pam_tally2_deny_root'
- - '!security_patches_up_to_date'
- - '!package_sendmail_removed'
 - '!ensure_redhat_gpgkey_installed'
- - '!accounts_passwords_pam_faillock_deny'
- - '!accounts_password_pam_unix_rounds_password_auth'
- - '!accounts_passwords_pam_faillock_unlock_time'
- - '!accounts_passwords_pam_faillock_interval'
- - '!file_permissions_ungroupowned'
 - '!set_password_hashing_algorithm_systemauth'
- - '!package_tftp-server_removed'
- - '!package_rsh_removed'
 - '!package_dnf-automatic_installed'
- - '!no_files_unowned_by_user'
 - '!accounts_passwords_pam_faillock_deny_root'
- - '!accounts_password_pam_ocredit'
- - '!accounts_password_pam_lcredit'
 - '!dnf-automatic_security_updates_only'
 - '!cracklib_accounts_password_pam_lcredit'
 - '!dnf-automatic_apply_updates'
 - '!cracklib_accounts_password_pam_ocredit'
- - '!package_telnet-server_removed'
- - '!package_talk_removed'
- - '!accounts_password_pam_minlen'
- - '!package_talk-server_removed'
- - '!package_ypbind_removed'
 - '!accounts_password_pam_unix_rounds_system_auth'
 - '!timer_dnf-automatic_enabled'
 - '!accounts_passwords_pam_tally2'
 - '!cracklib_accounts_password_pam_ucredit'
- - '!accounts_password_pam_unix_remember'
 - '!file_permissions_unauthorized_sgid'
 - '!ensure_gpgcheck_local_packages'
 - '!accounts_passwords_pam_tally2_unlock_time'
 - '!enable_authselect'
 - '!cracklib_accounts_password_pam_minlen'
- - '!package_dhcp_removed'
- - '!package_telnet_removed'
- - '!dir_perms_world_writable_root_owned'
 - '!cracklib_accounts_password_pam_dcredit'
- - '!package_xinetd_removed'
 - '!ensure_gpgcheck_globally_activated'
- - '!package_tftp_removed'
- - '!package_rsh-server_removed'
- - '!accounts_password_pam_ucredit'
 - '!file_permissions_unauthorized_suid'
 - '!ensure_gpgcheck_never_disabled'
 - '!ensure_oracle_gpgkey_installed'
+
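Review bot: The exclusions left under `# Following rules once had a prodtype incompatible with the debian12 product` now mix two kinds of entry, and that comment no longer explains why any of them is still negated. Entries such as `'!ensure_redhat_gpgkey_installed'`, `'!enable_authselect'` and the `dnf-automatic` rules are RPM-tooling specific by name. By contrast `'!file_permissions_unauthorized_suid'`, `'!file_permissions_unauthorized_sgid'` and `'!accounts_passwords_pam_faillock_deny_root'` name controls that are not obviously distribution-bound, so keeping them negated appears to drop that coverage from the minimal profile without saying so. I would split the list under two comments, for example `# Not applicable on Debian: RPM/dnf/authselect tooling` and `# No debian12 check yet: requirement not covered by this profile`, so someone reading scan results can tell which requirements go unchecked. It is also worth confirming that `accounts_password_pam_unix_rounds_password_auth` has a Debian check, because this change stops excluding it while `'!accounts_password_pam_unix_rounds_system_auth'` stays excluded, a pairing that looks inconsistent from the hunk alone.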