exclude some problematic rules from ism_o rhel10 profiles

vojtapolasek · vojtapolasek · commit 1fefa5afef48 · 2024-09-25T10:00:24.000+02:00
see comments
diff --git a/products/rhel10/profiles/ism_o.profile b/products/rhel10/profiles/ism_o.profile
@@ -28,3 +28,18 @@ extends: e8
 
 selections:
     - ism_o:all:base
+    # these rules do not work properly on RHEL 10 for now
+    - '!enable_dracut_fips_module'
+    - '!firewalld_sshd_port_enabled'
+    - '!require_singleuser_auth'
+    - '!enable_fips_mode'
+    # tally2 is deprecated, replaced by faillock
+    - '!accounts_passwords_pam_tally2_deny_root'
+    - '!accounts_passwords_pam_tally2_unlock_time'
+    - '!audit_rules_login_events_tallylog'
+    # lastlog is not used in RHEL 10
+    - '!audit_rules_login_events_lastlog'
+    # this rule is currently failing on some systemd services, probably because of require_emergency_target_auth and require_singleuser_auth rules
+    - '!rpm_verify_hashes'
+    # this rule should not be needed anymore on RHEL 10, but investigation is recommended
+    - '!openssl_use_strong_entropy'
diff --git a/products/rhel10/profiles/ism_o_secret.profile b/products/rhel10/profiles/ism_o_secret.profile
@@ -30,3 +30,18 @@ extends: e8
 
 selections:
     - ism_o:all:secret
+    # these rules do not work properly on RHEL 10 for now
+    - '!enable_dracut_fips_module'
+    - '!firewalld_sshd_port_enabled'
+    - '!require_singleuser_auth'
+    - '!enable_fips_mode'
+    # tally2 is deprecated, replaced by faillock
+    - '!accounts_passwords_pam_tally2_deny_root'
+    - '!accounts_passwords_pam_tally2_unlock_time'
+    - '!audit_rules_login_events_tallylog'
+    # lastlog is not used in RHEL 10
+    - '!audit_rules_login_events_lastlog'
+    # this rule is currently failing on some systemd services, probably because of require_emergency_target_auth and require_singleuser_auth rules
+    - '!rpm_verify_hashes'
+    # this rule should not be needed anymore on RHEL 10, but investigation is recommended
+    - '!openssl_use_strong_entropy'
diff --git a/products/rhel10/profiles/ism_o_top_secret.profile b/products/rhel10/profiles/ism_o_top_secret.profile
@@ -28,3 +28,18 @@ extends: e8
 
 selections:
     - ism_o:all:top_secret
+    # these rules do not work properly on RHEL 10 for now
+    - '!enable_dracut_fips_module'
+    - '!firewalld_sshd_port_enabled'
+    - '!require_singleuser_auth'
+    - '!enable_fips_mode'
+    # tally2 is deprecated, replaced by faillock
+    - '!accounts_passwords_pam_tally2_deny_root'
+    - '!accounts_passwords_pam_tally2_unlock_time'
+    - '!audit_rules_login_events_tallylog'
+    # lastlog is not used in RHEL 10
+    - '!audit_rules_login_events_lastlog'
+    # this rule is currently failing on some systemd services, probably because of require_emergency_target_auth and require_singleuser_auth rules
+    - '!rpm_verify_hashes'
+    # this rule should not be needed anymore on RHEL 10, but investigation is recommended
+    - '!openssl_use_strong_entropy'
