ComplianceAsCode · Mab879 · Mar 31, 2025 · Mar 13, 2025 · Mar 13, 2025 · Mar 14, 2025
diff --git a/controls/anssi.yml b/controls/anssi.yml
@@ -1364,33 +1364,20 @@ controls:
       When authentication takes place through a remote application (network),
       the authentication protocol used by PAM must be secure (flow encryption,
       remote server authentication, anti-replay mechanisms, ...).
-    {{% if "rhel" in product or "ol" in families or "almalinux" in product %}}
     notes: |-
-      In {{{ full_name }}} systems, remote authentication is handled through sssd service.
-      PAM delegates requests for remote authentication to this service through a
-      local Unix socket. The sssd service can use IPA, AD or LDAP as a remote
-      database containing information required for authentication. In case IPA or  AD is configured through a documented way, the connection is secured by default. In case LDAP is configured manually, there are several configuration options which should be chedked.
-      {{% if product in ["rhel8"] %}}
-      An allternative solution is to use nss-pam-ldapd package.
-      In case this package is used, we make sure that SSL is turned on and certificate is configured.
-      {{% endif %}}
+      In systems where remote authentication is handled through sssd service, PAM delegates
+      requests for remote authentication to sssd service through a local Unix socket. The sssd
+      service can use IPA, AD or LDAP as a remote database containing information required for authentication.
+      In case LDAP is configured manually, there are several configuration options which should be chedked.
     status: automated
     rules:
       - package_sssd_installed
       - service_sssd_enabled
       - sssd_enable_pam_services
       - sssd_ldap_configure_tls_reqcert
       - sssd_ldap_start_tls
-      {{% if product in ["rhel8","ol8"] %}}
-      - ldap_client_start_tls
-      - ldap_client_tls_cacertpath
-      {{% endif %}}
     related_rules:
       - package_sssd-ipa_installed
-    {{% else %}}
-    notes: We cannot automate securing of remote PAM authentication in a general way.
-    status: manual
-    {{% endif %}}
 
   - id: R68
     title: Protecting stored passwords
@@ -1420,21 +1407,13 @@ controls:
       When the user databases are stored on a remote network service, NSS must
       be configured to establish a secure link that allows, at minimum, to
       authenticate the server and protect the communication channel.
-    {{% if "rhel" in product or "ol" in families or "almalinux" in product %}}
     notes: |-
       A nsswitch service connecting to remote database is provided by sssd. This is checked in requirement R67.
-      Another such service is winbind which is by default configured to connect
-      securely to Samba domains.
+      Another such service is winbind which is by default configured to connect securely to Samba domains.
       Other relevant services are NIS and Hesiod. These should not be used.
-    status: automated
-    {{% if product in ["rhel8","ol8"] %}}
-    rules:
-      - no_nis_in_nsswitch
-    {{% endif %}}
-    {{% else %}}
     status: pending
-    {{% endif %}}
-
+    related_rules:
+      - no_nis_in_nsswitch
 
   - id: R70
     title: Separation of System Accounts and Directory Administrator
@@ -1518,11 +1497,7 @@ controls:
     - audit_rules_time_stime
     - audit_rules_time_watch_localtime
 
-    {{% if product == "rhel10" %}}
-    - audit_rules_mac_modification_etc_selinux
-    {{% else %}}
     - audit_rules_mac_modification
-    {{% endif %}}
 
     - audit_rules_networkconfig_modification
 

diff --git a/controls/e8.yml b/controls/e8.yml
@@ -80,7 +80,7 @@ controls:
     -   id: 'hardening'
         levels:
             - base
-        title: 'General hardening of {{{ full_name }}}'
+        title: 'General hardening'
         rules:
             - var_system_crypto_policy=default_nosha1
             - configure_crypto_policy

diff --git a/controls/hipaa.yml b/controls/hipaa.yml
@@ -117,11 +117,7 @@ controls:
             - audit_rules_privileged_commands_unix_chkpwd
             - audit_rules_privileged_commands_userhelper
             - audit_rules_immutable
-            {{% if product == "rhel10" %}}
-            - audit_rules_mac_modification_etc_selinux
-            {{% else %}}
             - audit_rules_mac_modification
-            {{% endif %}}
             - audit_rules_mac_modification_usr_share
             - audit_rules_media_export
             - audit_rules_networkconfig_modification
@@ -282,11 +278,7 @@ controls:
             - audit_rules_privileged_commands_unix_chkpwd
             - audit_rules_privileged_commands_userhelper
             - audit_rules_immutable
-            {{% if product == "rhel10" %}}
-            - audit_rules_mac_modification_etc_selinux
-            {{% else %}}
             - audit_rules_mac_modification
-            {{% endif %}}
             - audit_rules_mac_modification_usr_share
             - audit_rules_media_export
             - audit_rules_networkconfig_modification
@@ -478,11 +470,7 @@ controls:
             - audit_rules_privileged_commands_unix_chkpwd
             - audit_rules_privileged_commands_userhelper
             - audit_rules_immutable
-            {{% if product == "rhel10" %}}
-            - audit_rules_mac_modification_etc_selinux
-            {{% else %}}
             - audit_rules_mac_modification
-            {{% endif %}}
             - audit_rules_mac_modification_usr_share
             - audit_rules_media_export
             - audit_rules_networkconfig_modification
@@ -1212,11 +1200,7 @@ controls:
             - audit_rules_privileged_commands_unix_chkpwd
             - audit_rules_privileged_commands_userhelper
             - audit_rules_immutable
-            {{% if product == "rhel10" %}}
-            - audit_rules_mac_modification_etc_selinux
-            {{% else %}}
             - audit_rules_mac_modification
-            {{% endif %}}
             - audit_rules_mac_modification_usr_share
             - audit_rules_media_export
             - audit_rules_networkconfig_modification
@@ -1352,11 +1336,7 @@ controls:
             - audit_rules_privileged_commands_unix_chkpwd
             - audit_rules_privileged_commands_userhelper
             - audit_rules_immutable
-            {{% if product == "rhel10" %}}
-            - audit_rules_mac_modification_etc_selinux
-            {{% else %}}
             - audit_rules_mac_modification
-            {{% endif %}}
             - audit_rules_mac_modification_usr_share
             - audit_rules_media_export
             - audit_rules_networkconfig_modification
@@ -1522,11 +1502,7 @@ controls:
             - audit_rules_privileged_commands_unix_chkpwd
             - audit_rules_privileged_commands_userhelper
             - audit_rules_immutable
-            {{% if product == "rhel10" %}}
-            - audit_rules_mac_modification_etc_selinux
-            {{% else %}}
             - audit_rules_mac_modification
-            {{% endif %}}
             - audit_rules_mac_modification_usr_share
             - audit_rules_media_export
             - audit_rules_networkconfig_modification
@@ -1620,11 +1596,7 @@ controls:
             - audit_rules_privileged_commands_unix_chkpwd
             - audit_rules_privileged_commands_userhelper
             - audit_rules_immutable
-            {{% if product == "rhel10" %}}
-            - audit_rules_mac_modification_etc_selinux
-            {{% else %}}
             - audit_rules_mac_modification
-            {{% endif %}}
             - audit_rules_mac_modification_usr_share
             - audit_rules_media_export
             - audit_rules_networkconfig_modification

diff --git a/controls/pcidss_4.yml b/controls/pcidss_4.yml
@@ -2861,11 +2861,7 @@ controls:
         - base
       status: automated
       rules:
-        {{% if product == "rhel10" %}}
-        - audit_rules_mac_modification_etc_selinux
-        {{% else %}}
         - audit_rules_mac_modification
-        {{% endif %}}
         - audit_rules_dac_modification_chmod
         - audit_rules_dac_modification_chown
         - audit_rules_dac_modification_fchmod

@@ -15,6 +15,9 @@ selections:
     - anssi:all:enhanced
     - var_password_hashing_algorithm=SHA512
     - var_password_pam_unix_rounds=65536
+    # An alternative solution for R67 is using nss-pam-ldapd package, in this case ensures SSL and certificate configuration
+    - ldap_client_start_tls
+    - ldap_client_tls_cacertpath
     # Following rules once had a prodtype incompatible with the ol8 product
     - '!accounts_passwords_pam_tally2_deny_root'
     - '!timer_logrotate_enabled'

@@ -15,6 +15,9 @@ selections:
     - anssi:all:high
     - var_password_hashing_algorithm=SHA512
     - var_password_pam_unix_rounds=65536
+    # An alternative solution for R67 is using nss-pam-ldapd package, in this case ensures SSL and certificate configuration
+    - ldap_client_start_tls
+    - ldap_client_tls_cacertpath
     # Following rules once had a prodtype incompatible with the ol8 product
     - '!accounts_passwords_pam_tally2_deny_root'
     - '!timer_logrotate_enabled'

@@ -15,6 +15,9 @@ selections:
     - anssi:all:intermediary
     - var_password_hashing_algorithm=SHA512
     - var_password_pam_unix_rounds=65536
+    # An alternative solution for R67 is using nss-pam-ldapd package, in this case ensures SSL and certificate configuration
+    - ldap_client_start_tls
+    - ldap_client_tls_cacertpath
     # Following rules once had a prodtype incompatible with the ol8 product
     - '!cracklib_accounts_password_pam_minlen'
     - '!accounts_passwords_pam_tally2_deny_root'

@@ -70,6 +70,9 @@ selections:
     - '!package_xinetd_removed'
     - '!package_ypbind_removed'
     - '!package_ypserv_removed'
+    # RHEL 10 uses a different rule for auditing changes to selinux configuration (R73)
+    - '!audit_rules_mac_modification'
+    - audit_rules_mac_modification_etc_selinux
     # these rules are failing when they are remediated with Ansible, removing them temporarily until they are fixed
     - '!accounts_password_pam_retry'
     # These rules are being modified and they are causing trouble in their current state (R67)

@@ -74,6 +74,9 @@ selections:
     - '!package_xinetd_removed'
     - '!package_ypbind_removed'
     - '!package_ypserv_removed'
+    # RHEL 10 uses a different rule for auditing changes to selinux configuration (R73)
+    - '!audit_rules_mac_modification'
+    - audit_rules_mac_modification_etc_selinux
     # these rules are failing when they are remediated with Ansible, removing them temporarily until they are fixed
     - '!accounts_password_pam_retry'
     # These rules are being modified and they are causing trouble in their current state (R67)

@@ -24,6 +24,12 @@ description: |-
 
 selections:
     - hipaa:all
+
+    # RHEL 10 uses a different rule for auditing changes to selinux configuration
+    # HIPAA 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d) and 164.312(e)
+    - '!audit_rules_mac_modification'
+    - audit_rules_mac_modification_etc_selinux
+
     - '!coreos_disable_interactive_boot'
     - '!coreos_audit_option'
     - '!coreos_nousb_kernel_argument'

@@ -27,6 +27,10 @@ selections:
     - var_password_hashing_algorithm=yescrypt
     - var_password_hashing_algorithm_pam=yescrypt
 
+    # RHEL 10 uses a different rule for auditing changes to selinux configuration (PCI-DSSv4 - 10.3.4)
+    - '!audit_rules_mac_modification'
+    - audit_rules_mac_modification_etc_selinux
+
     # More tests are needed to identify which rule is conflicting with rpm_verify_permissions.
     # https://github.com/ComplianceAsCode/content/issues/11285
     - '!rpm_verify_permissions'

@@ -24,12 +24,21 @@ selections:
     - var_password_hashing_algorithm=SHA512
     - var_password_pam_unix_rounds=65536
     - '!timer_logrotate_enabled'
+
     # disable R45: Enable AppArmor security profiles
     - '!apparmor_configured'
     - '!all_apparmor_profiles_enforced'
     - '!grub2_enable_apparmor'
     - '!package_apparmor_installed'
     - '!package_pam_apparmor_installed'
+
+    # An alternative solution for R67 is using nss-pam-ldapd package, in this case ensures SSL and certificate configuration
+    - ldap_client_start_tls
+    - ldap_client_tls_cacertpath
+
+    # Ensure nis is not used for RHEL 8 in R69
+    - no_nis_in_nsswitch
+
     # Following rules once had a prodtype incompatible with the rhel8 product
     - '!cracklib_accounts_password_pam_minlen'
     - '!sysctl_fs_protected_fifos'

@@ -23,15 +23,25 @@ selections:
     - anssi:all:high
     - var_password_hashing_algorithm=SHA512
     - var_password_pam_unix_rounds=65536
+
     # the following rule renders UEFI systems unbootable
     - '!sebool_secure_mode_insmod'
     - '!timer_logrotate_enabled'
+
     # disable R45: Enable AppArmor security profiles
     - '!apparmor_configured'
     - '!all_apparmor_profiles_enforced'
     - '!grub2_enable_apparmor'
     - '!package_apparmor_installed'
     - '!package_pam_apparmor_installed'
+
+    # An alternative solution for R67 is using nss-pam-ldapd package, in this case ensures SSL and certificate configuration
+    - ldap_client_start_tls
+    - ldap_client_tls_cacertpath
+
+    # Ensure nis is not used for RHEL 8 in R69
+    - no_nis_in_nsswitch
+
     # Following rules once had a prodtype incompatible with the rhel8 product
     - '!kernel_config_gcc_plugin_structleak_byref_all'
     - '!accounts_passwords_pam_tally2_deny_root'

@@ -23,6 +23,14 @@ selections:
   - anssi:all:intermediary
   - var_password_hashing_algorithm=SHA512
   - var_password_pam_unix_rounds=65536
+
+  # An alternative solution for R67 is using nss-pam-ldapd package, in this case ensures SSL and certificate configuration
+  - ldap_client_start_tls
+  - ldap_client_tls_cacertpath
+
+  # Ensure nis is not used for RHEL 8 in R69
+  - no_nis_in_nsswitch
+
   # Following rules once had a prodtype incompatible with the rhel8 product
   - '!cracklib_accounts_password_pam_minlen'
   - '!accounts_passwords_pam_tally2_deny_root'