DISA Alignment waivers update

RHEL8 waivers are relevant also for RHEL9, thus upstream issues were updated and with that also the condition in waivers. All the misalignemnt newcomer issues were added to unknown issues where will wait for their investigation.
RHSecurityCompliance · Apr 8, 2024 · 4e3edd3 · 4e3edd3
1 parent b5cc82c
commit 4e3edd3
Show file tree

Hide file tree

Showing 2 changed files with 23 additions and 3 deletions.
diff --git a/conf/waivers/10-unknown b/conf/waivers/10-unknown
@@ -124,6 +124,28 @@
 /hardening/host-os/oscap/.+/sysctl_net_ipv4_conf_default_log_martians
     Match(True, sometimes=True)
 
+# DISA Alignment waivers
+#
+# https://github.com/ComplianceAsCode/content/issues/11804
+/scanning/disa-alignment/.*/harden_sshd_ciphers_openssh_conf_crypto_policy
+# https://github.com/ComplianceAsCode/content/issues/11692
+/scanning/disa-alignment/.*/accounts_password_pam_pwhistory_remember_system_auth
+# https://github.com/ComplianceAsCode/content/issues/11695
+/scanning/disa-alignment/.*/service_pcscd_enabled
+# https://github.com/ComplianceAsCode/content/issues/11698
+/scanning/disa-alignment/.*/no_shelllogin_for_systemaccounts
+# https://github.com/ComplianceAsCode/content/issues/11778
+/scanning/disa-alignment/.*/file_permission_user_init_files_root
+# https://github.com/ComplianceAsCode/content/issues/11700
+/scanning/disa-alignment/.*/accounts_umask_etc_bashrc
+# https://github.com/ComplianceAsCode/content/issues/11802
+/scanning/disa-alignment/.*/CCE-88173-0
+# https://github.com/ComplianceAsCode/content/issues/11703
+/scanning/disa-alignment/.*/file_permissions_library_dirs
+# https://github.com/ComplianceAsCode/content/issues/11803
+/scanning/disa-alignment/.*/CCE-90811-1
+    rhel == 9
+
 # HTML links
 #
 # https://github.com/ComplianceAsCode/content/issues/11801

diff --git a/conf/waivers/20-long-term b/conf/waivers/20-long-term
@@ -124,11 +124,9 @@
 /scanning/disa-alignment/.*/accounts_password_pam_pwhistory_remember_password_auth
 # https://github.com/ComplianceAsCode/content/issues/11197 (DISA issue)
 /scanning/disa-alignment/.*/display_login_attempts
-    rhel == 8
+    rhel == 8 or rhel == 9
 # https://github.com/ComplianceAsCode/content/issues/11649 (DISA issue)
 /scanning/disa-alignment/.*/installed_OS_is_vendor_supported
-# https://github.com/ComplianceAsCode/content/issues/11650
-/scanning/disa-alignment/.*/kernel_module_tipc_disabled
     rhel == 9
 
 # sssd_enable_pam_services is missing Ansible remediation