From 4e3edd39d00ee337619b8508847355601ec0bba0 Mon Sep 17 00:00:00 2001
From: Milan Lysonek
Date: Mon, 8 Apr 2024 15:41:12 +0200
Subject: [PATCH] DISA Alignment waivers update RHEL8 waivers are relevant also for RHEL9, thus upstream issues were updated and with that also the condition in waivers. All the misalignemnt newcomer issues were added to unknown issues where will wait for their investigation.
---
 conf/waivers/10-unknown | 22 ++++++++++++++++++++++
 conf/waivers/20-long-term | 4 +---
 2 files changed, 23 insertions(+), 3 deletions(-)
diff --git a/conf/waivers/10-unknown b/conf/waivers/10-unknown
index 25d781f1..4a49a829 100644
--- a/conf/waivers/10-unknown
+++ b/conf/waivers/10-unknown
@@ -124,6 +124,28 @@
 /hardening/host-os/oscap/.+/sysctl_net_ipv4_conf_default_log_martians
 Match(True, sometimes=True)
+# DISA Alignment waivers
+#
+# https://github.com/ComplianceAsCode/content/issues/11804
+/scanning/disa-alignment/.*/harden_sshd_ciphers_openssh_conf_crypto_policy
+# https://github.com/ComplianceAsCode/content/issues/11692
+/scanning/disa-alignment/.*/accounts_password_pam_pwhistory_remember_system_auth
+# https://github.com/ComplianceAsCode/content/issues/11695
+/scanning/disa-alignment/.*/service_pcscd_enabled
+# https://github.com/ComplianceAsCode/content/issues/11698
+/scanning/disa-alignment/.*/no_shelllogin_for_systemaccounts
+# https://github.com/ComplianceAsCode/content/issues/11778
+/scanning/disa-alignment/.*/file_permission_user_init_files_root
+# https://github.com/ComplianceAsCode/content/issues/11700
+/scanning/disa-alignment/.*/accounts_umask_etc_bashrc
+# https://github.com/ComplianceAsCode/content/issues/11802
+/scanning/disa-alignment/.*/CCE-88173-0
+# https://github.com/ComplianceAsCode/content/issues/11703
+/scanning/disa-alignment/.*/file_permissions_library_dirs
+# https://github.com/ComplianceAsCode/content/issues/11803
+/scanning/disa-alignment/.*/CCE-90811-1
+ rhel == 9
+
 # HTML links
 #
 # https://github.com/ComplianceAsCode/content/issues/11801
diff --git a/conf/waivers/20-long-term b/conf/waivers/20-long-term
index 3eaad839..09d68c40 100644
--- a/conf/waivers/20-long-term
+++ b/conf/waivers/20-long-term
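Review bot: In the conf/waivers/10-unknown hunk, two of the nine new patterns (`.../CCE-88173-0` and `.../CCE-90811-1`) waive by CCE identifier while the other seven use the rule name, so a reader cannot tell which control's result is being suppressed without opening issues 11802 and 11803. Name the rule in the comment above each, e.g. `# <rule name> - https://github.com/ComplianceAsCode/content/issues/11802`. The block also waives results for rules such as `harden_sshd_ciphers_openssh_conf_crypto_policy` and `no_shelllogin_for_systemaccounts`, and it appears to rely on the single trailing `rhel == 9` line to scope all nine patterns (the 20-long-term hunk uses the same layout, but the format's rules are not visible here). Since the commit message files these as awaiting investigation, a header line such as `# added 2024-04, pending triage; move to 20-long-term or delete once investigated` would make it harder for these waivers to become permanent unnoticed.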
@@ -124,11 +124,9 @@
 /scanning/disa-alignment/.*/accounts_password_pam_pwhistory_remember_password_auth
 # https://github.com/ComplianceAsCode/content/issues/11197 (DISA issue)
 /scanning/disa-alignment/.*/display_login_attempts
- rhel == 8
+ rhel == 8 or rhel == 9
 # https://github.com/ComplianceAsCode/content/issues/11649 (DISA issue)
 /scanning/disa-alignment/.*/installed_OS_is_vendor_supported
-# https://github.com/ComplianceAsCode/content/issues/11650
-/scanning/disa-alignment/.*/kernel_module_tipc_disabled
 rhel == 9
 # sssd_enable_pam_services is missing Ansible remediation
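Review bot: Changing the condition to `rhel == 8 or rhel == 9` in conf/waivers/20-long-term presumably widens every pattern in the block above it, and that block starts outside the hunk, so the full set of results now waived on RHEL 9 cannot be checked from these lines. The commit message says the upstream issues were updated to cover RHEL 9; a comment above the condition such as `# each issue above confirmed to affect both RHEL 8 and RHEL 9` would record that the entries were verified one by one rather than broadened in bulk. If any pattern in the block is still RHEL 8 only, it should move to its own block with `rhel == 8`, so that a real RHEL 9 misalignment for that rule is not silently waived.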