Bug #27375
Updated by Lucas FRANCOIS 13 days ago
This is a meta ticket that lists the improvements that have been made as part of RHEL8 development:

* all login.defs management should go through file_augeas_audit (like 4.5.1.3)

<pre>
_audit_items = [
  rudder.Method {
    method = "file_augeas"
    params = {
      path = "/etc/login.defs"
      script = r"""check /files/etc/login.defs/PASS_WARN_AGE >= ${login_defs_pass_warn_age}"""
    }
  }
]
_enforce_items = [
  rudder.Method {
    method = "file_augeas"
    params = {
      path = "/etc/login.defs"
      script = r"""set /files/etc/login.defs/PASS_WARN_AGE ${login_defs_pass_warn_age}"""
      if_script = r"""check /files/etc/login.defs/PASS_WARN_AGE < ${login_defs_pass_warn_age}"""
    }
  }
]
</pre>

* gdm configuration should use file_lines_absent (like for 1.8.10)

<pre>
_1_8_10 = hardening.Leaf {
  _item_nb = "1.8.10"
  id = "70b29b74-4688-4b4c-b052-dddb8e5b6312"
  _audit_items = [rudder.Method {
    method = "file_lines_absent"
    params = {
      path = "/etc/gdm/custom.conf"
      lines = "^\s*Enable\s*=\s*true"
    }
  }]
}
</pre>

* confusion in key-value for _inet_interfaces = loopback-only_
* control on firewall had a wrong command - check https://issues.rudder.io/issues/27345 (todo: fix in RHEL9)
* ssh check on denygroups denyuser was not made https://issues.rudder.io/issues/27340

ssh could benefit from file_augeas, but we check the output of sshd -T; so maybe we ought to write it in a file?
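Added example (not part of the ticket and not Rudder code): one way the last point could work, auditing a saved copy of the @sshd -T@ output for @denyusers@ / @denygroups@. The function names, the dump file, the sample lines and the rule that "compliant" means at least one of the two keywords carries a value are assumptions.

```shell
#!/bin/sh
# Added example: audit a saved `sshd -T` dump instead of re-running sshd.
# Assumption: the dump was written beforehand, e.g. `sshd -T > "$dump"` as root.

# Print every value recorded for one keyword, one per line.
# sshd -T emits lowercase keywords; the match is case-insensitive anyway.
sshd_dump_values() {
    # $1 = dump file, $2 = keyword
    awk -v key="$2" 'tolower($1) == tolower(key) && NF > 1 {
        $1 = ""; sub(/^[ \t]+/, ""); print
    }' "$1"
}

# Exit status: 0 = denyusers or denygroups is set,
#              1 = neither is set,
#              2 = dump missing or empty (audit cannot conclude).
audit_sshd_deny() {
    dump=$1
    [ -s "$dump" ] || return 2
    for key in denyusers denygroups; do
        if [ -n "$(sshd_dump_values "$dump" "$key")" ]; then
            return 0
        fi
    done
    return 1
}

# Constructed sample dumps (not real sshd output), used to exercise the audit.
make_sample_dumps() {
    # $1 = directory that receives the two sample files
    printf '%s\n' 'port 22' 'permitrootlogin no' \
        'denyusers guest' 'denyusers test*' > "$1/with_deny.txt"
    printf '%s\n' 'port 22' 'permitrootlogin no' > "$1/without_deny.txt"
}

# When called with a dump path, run the audit and exit with its status.
if [ "$#" -gt 0 ]; then
    audit_sshd_deny "$1"
    exit $?
fi
```

A dump that is missing or empty gets its own status so that a failed @sshd -T@ run is not reported as a non-compliant configuration.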