ash-linux-formula

Automated System Hardening (ash-linux) is a Salt formula to apply SCAP benchmarks to Linux systems

Results 10 ash-linux-formula issues

**Is your feature request related to a problem? Please describe.** Efforts to be proactive in supporting migrations to RHEL 9, need to add hardening-support for RHEL 9 and related distros...

enhancement

**Describe the bug** If not running the entirety of the ash-linux-formula – specifically triggerable if invoking watchmaker with `--exclude-states ash-linux.el8.VendorSTIG.remediate` – this state will fail due to `file not found`...

**Is your feature request related to a problem? Please describe.** The oscap content shipped as part of the overall watchmaker content contains more content than is executed in the default...

enhancement

**Describe the bug** If the hardened AMI does not have separate `/` and `/boot` filesystems, the `fips_enable` action's default of adding a `/boot` partition may result in FIPS-related reboot-failures **Severity**...

bug (No Workaround Available)

**Is your feature request related to a problem? Please describe.** Research to see whether `ash-linux.el7.VendorSTIG.report` can be updated to produce output that is compatible with [STIG-viewer](https://public.cyber.mil/stigs/srg-stig-tools/) **Describe the solution you'd...

enhancement

**Is your feature request related to a problem? Please describe.** Last time EL7 hardening-content was updated, the `stig_rule_SV-93705r3_rule` was not yet published. Systems scanned with more-recent profiles flag this missing...

enhancement

**Describe the bug** After running relevant formula-content, `DefaultZone` value in `/etc/firewalld/firewalld.conf` still set to `public` Note: may be consequence of #247 **To Reproduce** Steps to reproduce the behavior: 1. Launch...

bug (No Workaround Available)

By default, NetworkManager is assuming partial ownership of eth0:

~~~
# nmcli dev
DEVICE  TYPE      STATE      CONNECTION
eth0    ethernet  connected  System eth0
lo      loopback  unmanaged  --
~~~

NetworkManager will tell...

Vendor-STIG contents prescribe:

> To disable support for (ipv6) add the following line to /etc/sysctl.d/ipv6.conf (or another file in /etc/sysctl.d):
>
> net.ipv6.conf.all.disable_ipv6 = 1
>
> This disables IPv6...