Ensured ensure_almalinux_gpgkey_installed is not found in non-AlmaLin…

…ux profiles by negating it
ComplianceAsCode · Jan 23, 2025 · 5d7d0fe · 5d7d0fe
1 parent df5577b
commit 5d7d0fe
Show file tree

Hide file tree

Showing 47 changed files with 52 additions and 5 deletions.
diff --git a/products/debian12/profiles/anssi_bp28_enhanced.profile b/products/debian12/profiles/anssi_bp28_enhanced.profile
@@ -65,4 +65,5 @@ selections:
   - '!file_permissions_unauthorized_suid'
   - '!ensure_gpgcheck_never_disabled'
   - '!ensure_oracle_gpgkey_installed'
+  - '!ensure_almalinux_gpgkey_installed'
   - '!package_dracut-fips-aesni_installed'
diff --git a/products/debian12/profiles/anssi_bp28_high.profile b/products/debian12/profiles/anssi_bp28_high.profile
@@ -65,4 +65,5 @@ selections:
   - '!file_permissions_unauthorized_suid'
   - '!ensure_gpgcheck_never_disabled'
   - '!ensure_oracle_gpgkey_installed'
+  - '!ensure_almalinux_gpgkey_installed'
   - '!package_dracut-fips-aesni_installed'
diff --git a/products/debian12/profiles/anssi_bp28_intermediary.profile b/products/debian12/profiles/anssi_bp28_intermediary.profile
@@ -57,3 +57,4 @@ selections:
   - '!file_permissions_unauthorized_suid'
   - '!ensure_gpgcheck_never_disabled'
   - '!ensure_oracle_gpgkey_installed'
+  - '!ensure_almalinux_gpgkey_installed'
diff --git a/products/debian12/profiles/anssi_bp28_minimal.profile b/products/debian12/profiles/anssi_bp28_minimal.profile
@@ -44,4 +44,5 @@ selections:
   - '!file_permissions_unauthorized_suid'
   - '!ensure_gpgcheck_never_disabled'
   - '!ensure_oracle_gpgkey_installed'
-
+  - '!ensure_almalinux_gpgkey_installed'
+
diff --git a/products/ol10/profiles/anssi_bp28_enhanced.profile b/products/ol10/profiles/anssi_bp28_enhanced.profile
@@ -21,6 +21,7 @@ selections:
     - '!accounts_passwords_pam_tally2_deny_root'
     - '!install_PAE_kernel_on_x86-32'
     - '!ensure_redhat_gpgkey_installed'
+    - '!ensure_almalinux_gpgkey_installed'
     - '!package_dracut-fips-aesni_installed'
     - '!cracklib_accounts_password_pam_lcredit'
     - '!cracklib_accounts_password_pam_ocredit'

diff --git a/products/ol10/profiles/anssi_bp28_high.profile b/products/ol10/profiles/anssi_bp28_high.profile
@@ -22,6 +22,7 @@ selections:
     - '!accounts_passwords_pam_tally2_deny_root'
     - '!install_PAE_kernel_on_x86-32'
     - '!ensure_redhat_gpgkey_installed'
+    - '!ensure_almalinux_gpgkey_installed'
     - '!aide_periodic_checking_systemd_timer'
     - '!package_dracut-fips-aesni_installed'
     - '!cracklib_accounts_password_pam_lcredit'

diff --git a/products/ol10/profiles/anssi_bp28_intermediary.profile b/products/ol10/profiles/anssi_bp28_intermediary.profile
@@ -28,6 +28,7 @@ selections:
     - '!cracklib_accounts_password_pam_ocredit'
     - '!accounts_passwords_pam_tally2_unlock_time'
     - '!ensure_redhat_gpgkey_installed'
+    - '!ensure_almalinux_gpgkey_installed'
     - '!sudo_add_umask'
     # this rule is not automated anymore
     - '!security_patches_up_to_date'

diff --git a/products/ol10/profiles/anssi_bp28_minimal.profile b/products/ol10/profiles/anssi_bp28_minimal.profile
@@ -28,6 +28,7 @@ selections:
     - '!cracklib_accounts_password_pam_ocredit'
     - '!accounts_passwords_pam_tally2_unlock_time'
     - '!ensure_redhat_gpgkey_installed'
+    - '!ensure_almalinux_gpgkey_installed'
     - '!security_patches_up_to_date'
     # these packages do not exist in ol10 (R62)
     - '!package_dhcp_removed'

diff --git a/products/ol10/profiles/e8.profile b/products/ol10/profiles/e8.profile
@@ -19,6 +19,7 @@ selections:
     - e8:all
 
     - '!ensure_redhat_gpgkey_installed'
+    - '!ensure_almalinux_gpgkey_installed'
     - ensure_oracle_gpgkey_installed
 
     - var_system_crypto_policy=default_policy

diff --git a/products/ol10/profiles/hipaa.profile b/products/ol10/profiles/hipaa.profile
@@ -35,6 +35,7 @@ selections:
     - '!dconf_gnome_remote_access_encryption'
     - '!ensure_suse_gpgkey_installed'
     - '!ensure_fedora_gpgkey_installed'
+    - '!ensure_almalinux_gpgkey_installed'
     - '!grub2_uefi_admin_username'
     - '!grub2_uefi_pass'
     - '!service_ypbind_disabled'

diff --git a/products/ol10/profiles/pci-dss.profile b/products/ol10/profiles/pci-dss.profile
@@ -46,6 +46,7 @@ selections:
     - '!ensure_firewall_rules_for_open_ports'
     - '!ensure_shadow_group_empty'
     - '!ensure_suse_gpgkey_installed'
+    - '!ensure_almalinux_gpgkey_installed'
     - '!install_PAE_kernel_on_x86-32'
     - '!mask_nonessential_services'
     - '!nftables_ensure_default_deny_policy'

diff --git a/products/ol7/profiles/anssi_nt28_enhanced.profile b/products/ol7/profiles/anssi_nt28_enhanced.profile
@@ -21,6 +21,7 @@ selections:
     - '!rsyslog_remote_tls'
     - '!timer_logrotate_enabled'
     - '!ensure_redhat_gpgkey_installed'
+    - '!ensure_almalinux_gpgkey_installed'
     - '!package_dnf-automatic_installed'
     - '!audit_rules_privileged_commands_rmmod'
     - '!grub2_mds_argument'

diff --git a/products/ol7/profiles/anssi_nt28_high.profile b/products/ol7/profiles/anssi_nt28_high.profile
@@ -23,6 +23,7 @@ selections:
     - '!kernel_config_legacy_vsyscall_none'
     - '!kernel_config_hardened_usercopy_fallback'
     - '!ensure_redhat_gpgkey_installed'
+    - '!ensure_almalinux_gpgkey_installed'
     - '!aide_periodic_checking_systemd_timer'
     - '!kernel_config_gcc_plugin_latent_entropy'
     - '!package_dnf-automatic_installed'

diff --git a/products/ol7/profiles/anssi_nt28_intermediary.profile b/products/ol7/profiles/anssi_nt28_intermediary.profile
@@ -17,6 +17,7 @@ selections:
     - '!accounts_passwords_pam_tally2_deny_root'
     - '!sysctl_kernel_unprivileged_bpf_disabled'
     - '!ensure_redhat_gpgkey_installed'
+    - '!ensure_almalinux_gpgkey_installed'
     - '!package_dnf-automatic_installed'
     - '!grub2_mds_argument'
     - '!dnf-automatic_security_updates_only'

diff --git a/products/ol7/profiles/anssi_nt28_minimal.profile b/products/ol7/profiles/anssi_nt28_minimal.profile
@@ -27,5 +27,6 @@ selections:
     - '!cracklib_accounts_password_pam_ocredit'
     - '!accounts_passwords_pam_tally2_unlock_time'
     - '!ensure_redhat_gpgkey_installed'
+    - '!ensure_almalinux_gpgkey_installed'
     - '!enable_authselect'
     - '!package_kea_removed'
diff --git a/products/ol8/profiles/anssi_bp28_enhanced.profile b/products/ol8/profiles/anssi_bp28_enhanced.profile
@@ -17,6 +17,7 @@ selections:
     - '!accounts_passwords_pam_tally2_deny_root'
     - '!timer_logrotate_enabled'
     - '!ensure_redhat_gpgkey_installed'
+    - '!ensure_almalinux_gpgkey_installed'
     - '!audit_rules_privileged_commands_rmmod'
     - '!grub2_mds_argument'
     - '!audit_rules_privileged_commands_modprobe'

diff --git a/products/ol8/profiles/anssi_bp28_high.profile b/products/ol8/profiles/anssi_bp28_high.profile
@@ -17,6 +17,7 @@ selections:
     - '!accounts_passwords_pam_tally2_deny_root'
     - '!timer_logrotate_enabled'
     - '!ensure_redhat_gpgkey_installed'
+    - '!ensure_almalinux_gpgkey_installed'
     - '!aide_periodic_checking_systemd_timer'
     - '!audit_rules_privileged_commands_rmmod'
     - '!grub2_mds_argument'

diff --git a/products/ol8/profiles/anssi_bp28_intermediary.profile b/products/ol8/profiles/anssi_bp28_intermediary.profile
@@ -27,4 +27,5 @@ selections:
     - '!grub2_page_alloc_shuffle_argument'
     - '!accounts_passwords_pam_tally2_unlock_time'
     - '!ensure_redhat_gpgkey_installed'
+    - '!ensure_almalinux_gpgkey_installed'
     - '!package_kea_removed'
diff --git a/products/ol8/profiles/anssi_bp28_minimal.profile b/products/ol8/profiles/anssi_bp28_minimal.profile
@@ -23,4 +23,5 @@ selections:
     - '!cracklib_accounts_password_pam_ocredit'
     - '!accounts_passwords_pam_tally2_unlock_time'
     - '!ensure_redhat_gpgkey_installed'
+    - '!ensure_almalinux_gpgkey_installed'
     - '!package_kea_removed'
diff --git a/products/ol9/profiles/anssi_bp28_enhanced.profile b/products/ol9/profiles/anssi_bp28_enhanced.profile
@@ -20,6 +20,7 @@ selections:
     - '!install_PAE_kernel_on_x86-32'
     - '!partition_for_boot'
     - '!ensure_redhat_gpgkey_installed'
+    - '!ensure_almalinux_gpgkey_installed'
     - '!sudo_add_ignore_dot'
     - '!audit_rules_privileged_commands_rmmod'
     - '!audit_rules_privileged_commands_modprobe'

diff --git a/products/ol9/profiles/anssi_bp28_high.profile b/products/ol9/profiles/anssi_bp28_high.profile
@@ -20,6 +20,7 @@ selections:
     - '!install_PAE_kernel_on_x86-32'
     - '!partition_for_boot'
     - '!ensure_redhat_gpgkey_installed'
+    - '!ensure_almalinux_gpgkey_installed'
     - '!aide_periodic_checking_systemd_timer'
     - '!sudo_add_ignore_dot'
     - '!audit_rules_privileged_commands_rmmod'

diff --git a/products/ol9/profiles/anssi_bp28_intermediary.profile b/products/ol9/profiles/anssi_bp28_intermediary.profile
@@ -29,6 +29,7 @@ selections:
     - '!enable_pam_namespace'
     - '!accounts_passwords_pam_tally2_unlock_time'
     - '!ensure_redhat_gpgkey_installed'
+    - '!ensure_almalinux_gpgkey_installed'
     - '!sudo_add_umask'
     - '!sudo_add_ignore_dot'
     - '!sudo_add_env_reset'

diff --git a/products/ol9/profiles/anssi_bp28_minimal.profile b/products/ol9/profiles/anssi_bp28_minimal.profile
@@ -25,5 +25,6 @@ selections:
   - '!cracklib_accounts_password_pam_ocredit'
   - '!accounts_passwords_pam_tally2_unlock_time'
   - '!ensure_redhat_gpgkey_installed'
+  - '!ensure_almalinux_gpgkey_installed'
   - '!package_xinetd_removed'
   - '!package_kea_removed'
diff --git a/products/rhcos4/profiles/anssi_bp28_enhanced.profile b/products/rhcos4/profiles/anssi_bp28_enhanced.profile
@@ -117,3 +117,4 @@ selections:
     - '!ensure_gpgcheck_globally_activated'
     - '!sysctl_net_ipv6_conf_all_autoconf'
     - '!ensure_oracle_gpgkey_installed'
+    - '!ensure_almalinux_gpgkey_installed'
diff --git a/products/rhcos4/profiles/anssi_bp28_high.profile b/products/rhcos4/profiles/anssi_bp28_high.profile
@@ -153,3 +153,4 @@ selections:
     - '!ensure_gpgcheck_globally_activated'
     - '!sysctl_net_ipv6_conf_all_autoconf'
     - '!ensure_oracle_gpgkey_installed'
+    - '!ensure_almalinux_gpgkey_installed'
diff --git a/products/rhcos4/profiles/anssi_bp28_intermediary.profile b/products/rhcos4/profiles/anssi_bp28_intermediary.profile
@@ -104,3 +104,4 @@ selections:
   - '!ensure_gpgcheck_globally_activated'
   - '!sysctl_net_ipv6_conf_all_autoconf'
   - '!ensure_oracle_gpgkey_installed'
+  - '!ensure_almalinux_gpgkey_installed'
diff --git a/products/rhcos4/profiles/anssi_bp28_minimal.profile b/products/rhcos4/profiles/anssi_bp28_minimal.profile
@@ -63,3 +63,4 @@ selections:
   - '!file_permissions_unauthorized_suid'
   - '!ensure_gpgcheck_never_disabled'
   - '!ensure_oracle_gpgkey_installed'
+  - '!ensure_almalinux_gpgkey_installed'
diff --git a/products/rhel10/profiles/anssi_bp28_enhanced.profile b/products/rhel10/profiles/anssi_bp28_enhanced.profile
@@ -39,8 +39,9 @@ selections:
     - '!cracklib_accounts_password_pam_dcredit'
     # umask is configured at a different place in RHEL 10
     - '!sudo_add_umask'
-    # Oracle key is not relevant on RHEL 10
+    # Non-Red Hat keys are irrelevant on RHEL 10
     - '!ensure_oracle_gpgkey_installed'
+    - '!ensure_almalinux_gpgkey_installed'
     # this rule is not automated anymore
     - '!security_patches_up_to_date'
     # There is only chrony package on RHEL 10, no ntpd

diff --git a/products/rhel10/profiles/anssi_bp28_high.profile b/products/rhel10/profiles/anssi_bp28_high.profile
@@ -43,8 +43,9 @@ selections:
     - '!cracklib_accounts_password_pam_dcredit'
     # umask is configured at a different place in RHEL 10
     - '!sudo_add_umask'
-    # Oracle key is not relevant on RHEL 10
+    # Non-Red Hat keys are irrelevant on RHEL 10
     - '!ensure_oracle_gpgkey_installed'
+    - '!ensure_almalinux_gpgkey_installed'
     # this rule is not automated anymore
     - '!security_patches_up_to_date'
     # There is only chrony package on RHEL 10, no ntpd

diff --git a/products/rhel10/profiles/anssi_bp28_intermediary.profile b/products/rhel10/profiles/anssi_bp28_intermediary.profile
@@ -35,8 +35,9 @@ selections:
     - '!cracklib_accounts_password_pam_ocredit'
     # umask is configured at a different place in RHEL 10
     - '!sudo_add_umask'
-    # Oracle key is not relevant on RHEL 10
+    # Non-Red Hat keys are irrelevant on RHEL 10
     - '!ensure_oracle_gpgkey_installed'
+    - '!ensure_almalinux_gpgkey_installed'
     # this rule is not automated anymore
     - '!security_patches_up_to_date'
     # these packages do not exist in rhel10 (R62)

diff --git a/products/rhel10/profiles/anssi_bp28_minimal.profile b/products/rhel10/profiles/anssi_bp28_minimal.profile
@@ -33,8 +33,9 @@ selections:
     - '!cracklib_accounts_password_pam_dcredit'
     - '!cracklib_accounts_password_pam_lcredit'
     - '!cracklib_accounts_password_pam_ocredit'
-    # Oracle key is not relevant on RHEL 10
+    # Non-Red Hat keys are irrelevant on RHEL 10
     - '!ensure_oracle_gpgkey_installed'
+    - '!ensure_almalinux_gpgkey_installed'
     # this rule is not automated anymore
     - '!security_patches_up_to_date'
     # these packages do not exist in rhel10 (R62)

diff --git a/products/rhel8/profiles/anssi_bp28_enhanced.profile b/products/rhel8/profiles/anssi_bp28_enhanced.profile
@@ -49,4 +49,5 @@ selections:
     - '!accounts_passwords_pam_tally2_unlock_time'
     - '!audit_rules_privileged_commands_insmod'
     - '!ensure_oracle_gpgkey_installed'
+    - '!ensure_almalinux_gpgkey_installed'
     - '!package_kea_removed'
diff --git a/products/rhel8/profiles/anssi_bp28_high.profile b/products/rhel8/profiles/anssi_bp28_high.profile
@@ -56,4 +56,5 @@ selections:
     - '!cracklib_accounts_password_pam_dcredit'
     - '!grub2_page_alloc_shuffle_argument'
     - '!ensure_oracle_gpgkey_installed'
+    - '!ensure_almalinux_gpgkey_installed'
     - '!package_kea_removed'
diff --git a/products/rhel8/profiles/anssi_bp28_intermediary.profile b/products/rhel8/profiles/anssi_bp28_intermediary.profile
@@ -37,4 +37,5 @@ selections:
   - '!grub2_page_alloc_shuffle_argument'
   - '!accounts_passwords_pam_tally2_unlock_time'
   - '!ensure_oracle_gpgkey_installed'
+  - '!ensure_almalinux_gpgkey_installed'
   - '!package_kea_removed'
diff --git a/products/rhel8/profiles/anssi_bp28_minimal.profile b/products/rhel8/profiles/anssi_bp28_minimal.profile
@@ -33,4 +33,5 @@ selections:
   - '!cracklib_accounts_password_pam_ocredit'
   - '!accounts_passwords_pam_tally2_unlock_time'
   - '!ensure_oracle_gpgkey_installed'
+  - '!ensure_almalinux_gpgkey_installed'
   - '!package_kea_removed'
diff --git a/products/rhel9/profiles/anssi_bp28_enhanced.profile b/products/rhel9/profiles/anssi_bp28_enhanced.profile
@@ -47,6 +47,7 @@ selections:
     - '!cracklib_accounts_password_pam_minlen'
     - '!cracklib_accounts_password_pam_dcredit'
     - '!ensure_oracle_gpgkey_installed'
+    - '!ensure_almalinux_gpgkey_installed'
     - '!package_kea_removed'
     # RHEL9 unified the paths for grub2 files. These rules are selected in control file by R29.
     - '!file_groupowner_efi_grub2_cfg'

diff --git a/products/rhel9/profiles/anssi_bp28_high.profile b/products/rhel9/profiles/anssi_bp28_high.profile
@@ -50,6 +50,7 @@ selections:
     - '!cracklib_accounts_password_pam_minlen'
     - '!cracklib_accounts_password_pam_dcredit'
     - '!ensure_oracle_gpgkey_installed'
+    - '!ensure_almalinux_gpgkey_installed'
     - '!package_kea_removed'
     # disable R45: Enable AppArmor security profiles
     - '!apparmor_configured'

diff --git a/products/rhel9/profiles/anssi_bp28_intermediary.profile b/products/rhel9/profiles/anssi_bp28_intermediary.profile
@@ -40,4 +40,5 @@ selections:
   - '!sudo_add_ignore_dot'
   - '!sudo_add_env_reset'
   - '!ensure_oracle_gpgkey_installed'
+  - '!ensure_almalinux_gpgkey_installed'
   - '!package_kea_removed'
diff --git a/products/rhel9/profiles/anssi_bp28_minimal.profile b/products/rhel9/profiles/anssi_bp28_minimal.profile
@@ -33,4 +33,5 @@ selections:
   - '!cracklib_accounts_password_pam_ocredit'
   - '!accounts_passwords_pam_tally2_unlock_time'
   - '!ensure_oracle_gpgkey_installed'
+  - '!ensure_almalinux_gpgkey_installed'
   - '!package_kea_removed'
diff --git a/products/sle12/profiles/anssi_bp28_enhanced.profile b/products/sle12/profiles/anssi_bp28_enhanced.profile
@@ -34,6 +34,7 @@ selections:
     - '!sysctl_kernel_unprivileged_bpf_disabled'
     - '!accounts_passwords_pam_faillock_deny'
     - '!ensure_redhat_gpgkey_installed'
+    - '!ensure_almalinux_gpgkey_installed'
     - '!accounts_passwords_pam_faillock_unlock_time'
     - '!accounts_passwords_pam_faillock_interval'
     - '!grub2_mds_argument'

diff --git a/products/sle12/profiles/anssi_bp28_high.profile b/products/sle12/profiles/anssi_bp28_high.profile
@@ -38,6 +38,7 @@ selections:
     - '!kernel_config_hardened_usercopy_fallback'
     - '!accounts_passwords_pam_faillock_deny'
     - '!ensure_redhat_gpgkey_installed'
+    - '!ensure_almalinux_gpgkey_installed'
     - '!accounts_passwords_pam_faillock_unlock_time'
     - '!accounts_passwords_pam_faillock_interval'
     - '!kernel_config_gcc_plugin_latent_entropy'

diff --git a/products/sle12/profiles/anssi_bp28_intermediary.profile b/products/sle12/profiles/anssi_bp28_intermediary.profile
@@ -34,6 +34,7 @@ selections:
   - '!sysctl_kernel_unprivileged_bpf_disabled'
   - '!accounts_passwords_pam_faillock_deny'
   - '!ensure_redhat_gpgkey_installed'
+  - '!ensure_almalinux_gpgkey_installed'
   - '!accounts_passwords_pam_faillock_unlock_time'
   - '!accounts_passwords_pam_faillock_interval'
   - '!grub2_mds_argument'

diff --git a/products/sle12/profiles/anssi_bp28_minimal.profile b/products/sle12/profiles/anssi_bp28_minimal.profile
@@ -35,6 +35,7 @@ selections:
   - '!accounts_password_pam_ocredit'
   - '!accounts_password_pam_lcredit'
   - '!ensure_redhat_gpgkey_installed'
+  - '!ensure_almalinux_gpgkey_installed'
   - '!accounts_passwords_pam_faillock_deny'
   - '!accounts_passwords_pam_faillock_unlock_time'
   - '!accounts_passwords_pam_faillock_interval'

diff --git a/products/sle15/profiles/anssi_bp28_enhanced.profile b/products/sle15/profiles/anssi_bp28_enhanced.profile
@@ -34,6 +34,7 @@ selections:
     - '!sysctl_kernel_unprivileged_bpf_disabled'
     - '!accounts_passwords_pam_faillock_deny'
     - '!ensure_redhat_gpgkey_installed'
+    - '!ensure_almalinux_gpgkey_installed'
     - '!accounts_passwords_pam_faillock_unlock_time'
     - '!accounts_passwords_pam_faillock_interval'
     - '!sysctl_kernel_yama_ptrace_scope'

diff --git a/products/sle15/profiles/anssi_bp28_high.profile b/products/sle15/profiles/anssi_bp28_high.profile
@@ -82,4 +82,5 @@ selections:
     - '!sysctl_net_ipv6_conf_all_autoconf'
     - '!grub2_pti_argument'
     - '!ensure_oracle_gpgkey_installed'
+    - '!ensure_almalinux_gpgkey_installed'
     - '!package_kea_removed'
diff --git a/products/sle15/profiles/anssi_bp28_intermediary.profile b/products/sle15/profiles/anssi_bp28_intermediary.profile
@@ -54,4 +54,5 @@ selections:
   - '!sysctl_net_ipv6_conf_all_autoconf'
   - '!grub2_pti_argument'
   - '!ensure_oracle_gpgkey_installed'
+  - '!ensure_almalinux_gpgkey_installed'
   - '!package_kea_removed'
diff --git a/products/sle15/profiles/anssi_bp28_minimal.profile b/products/sle15/profiles/anssi_bp28_minimal.profile
@@ -41,5 +41,6 @@ selections:
   - '!accounts_password_pam_ucredit'
   - '!accounts_password_pam_minlen'
   - '!ensure_oracle_gpgkey_installed'
+  - '!ensure_almalinux_gpgkey_installed'
   - '!enable_authselect'
   - '!package_kea_removed'