From 54c0d5dc78b388a1495f9a584882fbb0ebba34bc Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: Apr 23 2020 23:06:09 +0000 Subject: import scap-security-guide-0.1.48-7.el8 --- diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..570e1bc --- /dev/null +++ b/.gitignore @@ -0,0 +1 @@ +SOURCES/scap-security-guide-0.1.48.tar.bz2 diff --git a/.scap-security-guide.metadata b/.scap-security-guide.metadata new file mode 100644 index 0000000..21a0c5b --- /dev/null +++ b/.scap-security-guide.metadata @@ -0,0 +1 @@ +a8f9874a8f1df4c66e45daa6fa6c41d1ac8df934 SOURCES/scap-security-guide-0.1.48.tar.bz2 diff --git a/SOURCES/disable-not-in-good-shape-profiles.patch b/SOURCES/disable-not-in-good-shape-profiles.patch new file mode 100644 index 0000000..d26c4b2 --- /dev/null +++ b/SOURCES/disable-not-in-good-shape-profiles.patch @@ -0,0 +1,105 @@ +From 2dfbfa76867db56ee90f168b478437d916e0cd4e Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Fri, 17 Jan 2020 19:01:22 +0100 +Subject: [PATCH] Disable profiles that are not in good shape for RHEL8 + +They raise too many errors and fails. +Also disable tables for profiles that are not built. +--- + rhel8/CMakeLists.txt | 2 -- + rhel8/profiles/cjis.profile | 2 +- + rhel8/profiles/cui.profile | 2 +- + rhel8/profiles/hipaa.profile | 2 +- + rhel8/profiles/rhelh-stig.profile | 2 +- + rhel8/profiles/rhelh-vpp.profile | 2 +- + rhel8/profiles/rht-ccp.profile | 2 +- + rhel8/profiles/standard.profile | 2 +- + 9 files changed, 8 insertions(+), 10 deletions(-) + +diff --git a/rhel8/CMakeLists.txt b/rhel8/CMakeLists.txt +index 40f2b2b0f..492a8dae1 100644 +--- a/rhel8/CMakeLists.txt ++++ b/rhel8/CMakeLists.txt +@@ -14,9 +14,8 @@ ssg_build_html_table_by_ref(${PRODUCT} "cis") + ssg_build_html_table_by_ref(${PRODUCT} "pcidss") + ssg_build_html_table_by_ref(${PRODUCT} "anssi") + +-ssg_build_html_nistrefs_table(${PRODUCT} "standard") + ssg_build_html_nistrefs_table(${PRODUCT} "ospp") + ssg_build_html_nistrefs_table(${PRODUCT} "stig") + + # Uncomment when anssi profiles are marked documentation_complete: true + #ssg_build_html_anssirefs_table(${PRODUCT} "nt28_minimal") +diff --git a/rhel8/profiles/cjis.profile b/rhel8/profiles/cjis.profile +index 05ea9cdd6..9c55ac5b1 100644 +--- a/rhel8/profiles/cjis.profile ++++ b/rhel8/profiles/cjis.profile +@@ -1,4 +1,4 @@ +-documentation_complete: true ++documentation_complete: false + + title: 'Criminal Justice Information Services (CJIS) Security Policy' + +diff --git a/rhel8/profiles/cui.profile b/rhel8/profiles/cui.profile +index eb62252a4..e8f369708 100644 +--- a/rhel8/profiles/cui.profile ++++ b/rhel8/profiles/cui.profile +@@ -1,4 +1,4 @@ +-documentation_complete: true ++documentation_complete: false + + title: 'Unclassified Information in Non-federal Information Systems and Organizations (NIST 800-171)' + +diff --git a/rhel8/profiles/hipaa.profile b/rhel8/profiles/hipaa.profile +index 8d20f9019..d641b56fe 100644 +--- a/rhel8/profiles/hipaa.profile ++++ b/rhel8/profiles/hipaa.profile +@@ -1,4 +1,4 @@ +-documentation_complete: True ++documentation_complete: false + + title: 'Health Insurance Portability and Accountability Act (HIPAA)' + +diff --git a/rhel8/profiles/rhelh-stig.profile b/rhel8/profiles/rhelh-stig.profile +index 1efca5f44..c3d0b0964 100644 +--- a/rhel8/profiles/rhelh-stig.profile ++++ b/rhel8/profiles/rhelh-stig.profile +@@ -1,4 +1,4 @@ +-documentation_complete: true ++documentation_complete: false + + title: '[DRAFT] DISA STIG for Red Hat Enterprise Linux Virtualization Host (RHELH)' + +diff --git a/rhel8/profiles/rhelh-vpp.profile b/rhel8/profiles/rhelh-vpp.profile +index 2baee6d66..8592d7aaf 100644 +--- a/rhel8/profiles/rhelh-vpp.profile ++++ b/rhel8/profiles/rhelh-vpp.profile +@@ -1,4 +1,4 @@ +-documentation_complete: true ++documentation_complete: false + + title: 'VPP - Protection Profile for Virtualization v. 1.0 for Red Hat Enterprise Linux Hypervisor (RHELH)' + +diff --git a/rhel8/profiles/rht-ccp.profile b/rhel8/profiles/rht-ccp.profile +index c84579592..164ec98c4 100644 +--- a/rhel8/profiles/rht-ccp.profile ++++ b/rhel8/profiles/rht-ccp.profile +@@ -1,4 +1,4 @@ +-documentation_complete: true ++documentation_complete: false + + title: 'Red Hat Corporate Profile for Certified Cloud Providers (RH CCP)' + +diff --git a/rhel8/profiles/standard.profile b/rhel8/profiles/standard.profile +index a63ae2cf3..da669bb84 100644 +--- a/rhel8/profiles/standard.profile ++++ b/rhel8/profiles/standard.profile +@@ -1,4 +1,4 @@ +-documentation_complete: true ++documentation_complete: false + + title: 'Standard System Security Profile for Red Hat Enterprise Linux 8' + +-- +2.21.1 + diff --git a/SOURCES/scap-security-guide-0.1.49-add-cce-openssh-server.patch b/SOURCES/scap-security-guide-0.1.49-add-cce-openssh-server.patch new file mode 100644 index 0000000..6ebcb93 --- /dev/null +++ b/SOURCES/scap-security-guide-0.1.49-add-cce-openssh-server.patch @@ -0,0 +1,21 @@ +From 3c7332c8245fe3f356557619f59a9218a50e7dfa Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Tue, 11 Feb 2020 13:53:46 +0100 +Subject: [PATCH] Add CCE identifier for openssh-server installed + +--- + .../guide/services/ssh/package_openssh-server_installed/rule.yml | 1 + + 2 files changed, 1 insertion(+), 1 deletion(-) + +diff --git a/linux_os/guide/services/ssh/package_openssh-server_installed/rule.yml b/linux_os/guide/services/ssh/package_openssh-server_installed/rule.yml +index ba013ec509..cecd6514fb 100644 +--- a/linux_os/guide/services/ssh/package_openssh-server_installed/rule.yml ++++ b/linux_os/guide/services/ssh/package_openssh-server_installed/rule.yml +@@ -17,6 +17,7 @@ severity: medium + + identifiers: + cce@rhel7: 80215-7 ++ cce@rhel8: 83303-8 + + references: + disa: 2418,2420,2421,2422 diff --git a/SOURCES/scap-security-guide-0.1.49-add-few-srg-mappings.patch b/SOURCES/scap-security-guide-0.1.49-add-few-srg-mappings.patch new file mode 100644 index 0000000..cc90f9e --- /dev/null +++ b/SOURCES/scap-security-guide-0.1.49-add-few-srg-mappings.patch @@ -0,0 +1,150 @@ +From af199c3ea2772fd30b47410c2b7aeff08d54103e Mon Sep 17 00:00:00 2001 +From: Gabriel Becker +Date: Wed, 5 Feb 2020 10:23:44 +0100 +Subject: [PATCH 1/4] Add and fix few entries of SRG mapping. + +--- + .../network-uncommon/kernel_module_dccp_disabled/rule.yml | 1 + + .../permissions/partitions/mount_option_var_log_nodev/rule.yml | 1 + + .../dconf_gnome_screensaver_lock_delay/rule.yml | 2 +- + .../dconf_gnome_screensaver_lock_enabled/rule.yml | 2 +- + 4 files changed, 4 insertions(+), 2 deletions(-) + +diff --git a/linux_os/guide/system/network/network-uncommon/kernel_module_dccp_disabled/rule.yml b/linux_os/guide/system/network/network-uncommon/kernel_module_dccp_disabled/rule.yml +index 1b42b7233b..4dcbc458d1 100644 +--- a/linux_os/guide/system/network/network-uncommon/kernel_module_dccp_disabled/rule.yml ++++ b/linux_os/guide/system/network/network-uncommon/kernel_module_dccp_disabled/rule.yml +@@ -37,6 +37,7 @@ references: + cobit5: BAI10.01,BAI10.02,BAI10.03,BAI10.05,DSS05.02,DSS05.05,DSS06.06 + iso27001-2013: A.12.1.2,A.12.5.1,A.12.6.2,A.14.2.2,A.14.2.3,A.14.2.4,A.9.1.2 + cis-csc: 11,14,3,9 ++ srg: SRG-OS-000096-GPOS-00050 + + {{{ complete_ocil_entry_module_disable(module="dccp") }}} + +diff --git a/linux_os/guide/system/permissions/partitions/mount_option_var_log_nodev/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_var_log_nodev/rule.yml +index 298f17d2d8..d1ec9f644e 100644 +--- a/linux_os/guide/system/permissions/partitions/mount_option_var_log_nodev/rule.yml ++++ b/linux_os/guide/system/permissions/partitions/mount_option_var_log_nodev/rule.yml +@@ -28,6 +28,7 @@ identifiers: + references: + nist: CM-7(a),CM-7(b),CM-6(a),AC-6,AC-6(1),MP-7 + nist-csf: PR.IP-1,PR.PT-2,PR.PT-3 ++ srg: SRG-OS-000368-GPOS-00154 + + platform: machine + +diff --git a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_lock_delay/rule.yml b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_lock_delay/rule.yml +index b20323c1af..39aa044941 100644 +--- a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_lock_delay/rule.yml ++++ b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_lock_delay/rule.yml +@@ -34,7 +34,7 @@ references: + nist-csf: PR.AC-7 + ospp: FMT_MOF_EXT.1 + pcidss: Req-8.1.8 +- srg: OS-SRG-000029-GPOS-00010 ++ srg: SRG-OS-000029-GPOS-00010 + stigid@rhel7: "010110" + isa-62443-2013: 'SR 1.1,SR 1.10,SR 1.2,SR 1.5,SR 1.7,SR 1.8,SR 1.9' + isa-62443-2009: 4.3.3.6.1,4.3.3.6.2,4.3.3.6.3,4.3.3.6.4,4.3.3.6.5,4.3.3.6.6,4.3.3.6.7,4.3.3.6.8,4.3.3.6.9 +diff --git a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_lock_enabled/rule.yml b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_lock_enabled/rule.yml +index 0380f0149f..7742b8d862 100644 +--- a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_lock_enabled/rule.yml ++++ b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_lock_enabled/rule.yml +@@ -35,7 +35,7 @@ references: + nist-csf: PR.AC-7 + ospp: FMT_MOF_EXT.1 + pcidss: Req-8.1.8 +- srg: SRG-OS-000028-GPOS-00009,OS-SRG-000030-GPOS-00011 ++ srg: SRG-OS-000028-GPOS-00009,SRG-OS-000030-GPOS-00011 + stigid@rhel7: "010060" + isa-62443-2013: 'SR 1.1,SR 1.10,SR 1.2,SR 1.5,SR 1.7,SR 1.8,SR 1.9' + isa-62443-2009: 4.3.3.6.1,4.3.3.6.2,4.3.3.6.3,4.3.3.6.4,4.3.3.6.5,4.3.3.6.6,4.3.3.6.7,4.3.3.6.8,4.3.3.6.9 + +From 2dd70b7464873b0996e788d546d7c557e5c702d1 Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Wed, 5 Feb 2020 10:33:54 +0100 +Subject: [PATCH 2/4] Map strong entopy rules to SRG-OS-000480-GPOS-00227 + +The SRG is about configuring the system in accordance with security +baselines defined by DoD, including STIG,NSA guides, CTOs and DTMs. +--- + .../guide/services/ssh/ssh_server/sshd_use_strong_rng/rule.yml | 1 + + .../integrity/crypto/openssl_use_strong_entropy/rule.yml | 1 + + 2 files changed, 2 insertions(+) + +diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_rng/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_rng/rule.yml +index 4bfb72702b..62b2d01924 100644 +--- a/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_rng/rule.yml ++++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_rng/rule.yml +@@ -25,6 +25,7 @@ identifiers: + + references: + ospp: FIA_AFL.1 ++ srg: SRG-OS-000480-GPOS-00227 + + ocil: |- + To determine whether the SSH service is configured to use strong entropy seed, +diff --git a/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/rule.yml b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/rule.yml +index 8a958e93b0..47dc8953e4 100644 +--- a/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/rule.yml ++++ b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/rule.yml +@@ -25,6 +25,7 @@ identifiers: + + references: + ospp: FIA_AFL.1 ++ srg: SRG-OS-000480-GPOS-00227 + + ocil: |- + To determine whether OpenSSL is wrapped by a shell function that ensures that every invocation + +From 31101d115f8eb436a6a7e9462235e921a2727517 Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Wed, 5 Feb 2020 11:12:02 +0100 +Subject: [PATCH 3/4] Same SRG mapping as + package_subscription-manager_installed + +The package provides an interface for automation of package updates +--- + .../package_dnf-plugin-subscription-manager_installed/rule.yml | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/linux_os/guide/system/software/system-tools/package_dnf-plugin-subscription-manager_installed/rule.yml b/linux_os/guide/system/software/system-tools/package_dnf-plugin-subscription-manager_installed/rule.yml +index 6b0144fd54..8f081d9a3c 100644 +--- a/linux_os/guide/system/software/system-tools/package_dnf-plugin-subscription-manager_installed/rule.yml ++++ b/linux_os/guide/system/software/system-tools/package_dnf-plugin-subscription-manager_installed/rule.yml +@@ -20,6 +20,7 @@ identifiers: + + references: + ospp: FPT_TUD_EXT.1,FPT_TUD_EXT.2 ++ srg: SRG-OS-000366-GPOS-00153 + + ocil_clause: 'the package is not installed' + + +From 477eb05fa4b105c9c49973c23d8875d1714a487d Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Wed, 5 Feb 2020 11:14:35 +0100 +Subject: [PATCH 4/4] Map package_pigz_removed to ADSLR SRG item + +From rule's rationale: +Binaries in pigz package are compiled without sufficient stack +protection and its ADSLR is weak. +--- + .../system/software/system-tools/package_pigz_removed/rule.yml | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/linux_os/guide/system/software/system-tools/package_pigz_removed/rule.yml b/linux_os/guide/system/software/system-tools/package_pigz_removed/rule.yml +index 595b78e768..bb724d916d 100644 +--- a/linux_os/guide/system/software/system-tools/package_pigz_removed/rule.yml ++++ b/linux_os/guide/system/software/system-tools/package_pigz_removed/rule.yml +@@ -18,6 +18,9 @@ severity: low + identifiers: + cce@rhel8: 82397-1 + ++references: ++ srg: SRG-OS-000433-GPOS-00192 ++ + {{{ complete_ocil_entry_package(package="pigz") }}} + + template: diff --git a/SOURCES/scap-security-guide-0.1.49-add-rsyslog-to-stig.patch b/SOURCES/scap-security-guide-0.1.49-add-rsyslog-to-stig.patch new file mode 100644 index 0000000..f31b1eb --- /dev/null +++ b/SOURCES/scap-security-guide-0.1.49-add-rsyslog-to-stig.patch @@ -0,0 +1,23 @@ +From 716cccfe5a253be61e2b2f46b972ae2153a09ad2 Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Tue, 4 Feb 2020 17:38:45 +0100 +Subject: [PATCH] Add rules to configure rsyslog TLS + +--- + rhel8/profiles/stig.profile | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/rhel8/profiles/stig.profile b/rhel8/profiles/stig.profile +index d85e18e9d0..821cc26914 100644 +--- a/rhel8/profiles/stig.profile ++++ b/rhel8/profiles/stig.profile +@@ -33,3 +33,9 @@ selections: + - encrypt_partitions + - sysctl_net_ipv4_tcp_syncookies + - clean_components_post_updating ++ ++ # Configure TLS for remote logging ++ - package_rsyslog_installed ++ - package_rsyslog-gnutls_installed ++ - rsyslog_remote_tls ++ - rsyslog_remote_tls_cacert diff --git a/SOURCES/scap-security-guide-0.1.49-add-stig-kickstart.patch b/SOURCES/scap-security-guide-0.1.49-add-stig-kickstart.patch new file mode 100644 index 0000000..3540734 --- /dev/null +++ b/SOURCES/scap-security-guide-0.1.49-add-stig-kickstart.patch @@ -0,0 +1,184 @@ +From 3d061cb6cb61ef8dc7bccc873bf338041687842e Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Mon, 3 Feb 2020 21:23:59 +0100 +Subject: [PATCH] Add Kickstart file for STIG profile + +Based on OSPP KS +--- + rhel8/kickstart/ssg-rhel8-stig-ks.cfg | 167 ++++++++++++++++++++++++++ + 1 file changed, 167 insertions(+) + create mode 100644 rhel8/kickstart/ssg-rhel8-stig-ks.cfg + +diff --git a/rhel8/kickstart/ssg-rhel8-stig-ks.cfg b/rhel8/kickstart/ssg-rhel8-stig-ks.cfg +new file mode 100644 +index 0000000000..8c970dd6ff +--- /dev/null ++++ b/rhel8/kickstart/ssg-rhel8-stig-ks.cfg +@@ -0,0 +1,167 @@ ++# SCAP Security Guide STIG profile kickstart for Red Hat Enterprise Linux 8 ++# ++# Based on: ++# http://fedoraproject.org/wiki/Anaconda/Kickstart ++# http://usgcb.nist.gov/usgcb/content/configuration/workstation-ks.cfg ++ ++# Install a fresh new system (optional) ++install ++ ++# Specify installation method to use for installation ++# To use a different one comment out the 'url' one below, update ++# the selected choice with proper options & un-comment it ++# ++# Install from an installation tree on a remote server via FTP or HTTP: ++# --url the URL to install from ++# ++# Example: ++# ++# url --url=http://192.168.122.1/image ++# ++# Modify concrete URL in the above example appropriately to reflect the actual ++# environment machine is to be installed in ++# ++# Other possible / supported installation methods: ++# * install from the first CD-ROM/DVD drive on the system: ++# ++# cdrom ++# ++# * install from a directory of ISO images on a local drive: ++# ++# harddrive --partition=hdb2 --dir=/tmp/install-tree ++# ++# * install from provided NFS server: ++# ++# nfs --server= --dir= [--opts=] ++# ++# Set language to use during installation and the default language to use on the installed system (required) ++lang en_US.UTF-8 ++ ++# Set system keyboard type / layout (required) ++keyboard us ++ ++# Configure network information for target system and activate network devices in the installer environment (optional) ++# --onboot enable device at a boot time ++# --device device to be activated and / or configured with the network command ++# --bootproto method to obtain networking configuration for device (default dhcp) ++# --noipv6 disable IPv6 on this device ++# ++# NOTE: Usage of DHCP will fail CCE-27021-5 (DISA FSO RHEL-06-000292). To use static IP configuration, ++# "--bootproto=static" must be used. For example: ++# network --bootproto=static --ip=10.0.2.15 --netmask=255.255.255.0 --gateway=10.0.2.254 --nameserver 192.168.2.1,192.168.3.1 ++# ++network --onboot yes --bootproto dhcp ++ ++# Set the system's root password (required) ++# Plaintext password is: server ++# Refer to e.g. ++# https://pykickstart.readthedocs.io/en/latest/commands.html#rootpw ++# to see how to create encrypted password form for different plaintext password ++rootpw --iscrypted $6$0WWGZ1e6icT$1KiHZK.Nzp3HQerfiy8Ic3pOeCWeIzA.zkQ7mkvYT3bNC5UeGK2ceE5b6TkSg4D/kiSudkT04QlSKknsrNE220 ++ ++# The selected profile will restrict root login ++# Add a user that can login and escalate privileges ++# Plaintext password is: admin123 ++user --name=admin --groups=wheel --password=$6$Ga6ZnIlytrWpuCzO$q0LqT1USHpahzUafQM9jyHCY9BiE5/ahXLNWUMiVQnFGblu0WWGZ1e6icTaCGO4GNgZNtspp1Let/qpM7FMVB0 --iscrypted ++ ++# Configure firewall settings for the system (optional) ++# --enabled reject incoming connections that are not in response to outbound requests ++# --ssh allow sshd service through the firewall ++firewall --enabled --ssh ++ ++# Set up the authentication options for the system (required) ++# --enableshadow enable shadowed passwords by default ++# --passalgo hash / crypt algorithm for new passwords ++# See the manual page for authconfig for a complete list of possible options. ++authconfig --enableshadow --passalgo=sha512 ++ ++# State of SELinux on the installed system (optional) ++# Defaults to enforcing ++selinux --enforcing ++ ++# Set the system time zone (required) ++timezone --utc America/New_York ++ ++# Specify how the bootloader should be installed (required) ++# Refer to e.g. ++# https://pykickstart.readthedocs.io/en/latest/commands.html#rootpw ++# to see how to create encrypted password form for different plaintext password ++bootloader --location=mbr --append="audit=1 audit_backlog_limit=8192 slub_debug=P page_poison=1 vsyscall=none" ++ ++# Initialize (format) all disks (optional) ++zerombr ++ ++# The following partition layout scheme assumes disk of size 20GB or larger ++# Modify size of partitions appropriately to reflect actual machine's hardware ++# ++# Remove Linux partitions from the system prior to creating new ones (optional) ++# --linux erase all Linux partitions ++# --initlabel initialize the disk label to the default based on the underlying architecture ++clearpart --linux --initlabel ++ ++# Create primary system partitions (required for installs) ++part /boot --fstype=xfs --size=512 ++part pv.01 --grow --size=1 ++ ++# Create a Logical Volume Management (LVM) group (optional) ++volgroup VolGroup --pesize=4096 pv.01 ++ ++# Create particular logical volumes (optional) ++logvol / --fstype=xfs --name=root --vgname=VolGroup --size=11264 --grow ++# Ensure /home Located On Separate Partition ++logvol /home --fstype=xfs --name=home --vgname=VolGroup --size=1024 --fsoptions="nodev" ++# Ensure /tmp Located On Separate Partition ++logvol /tmp --fstype=xfs --name=tmp --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec" ++# Ensure /var/tmp Located On Separate Partition ++logvol /var/tmp --fstype=xfs --name=vartmp --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec" ++# Ensure /var Located On Separate Partition ++logvol /var --fstype=xfs --name=var --vgname=VolGroup --size=2048 --fsoptions="nodev" ++# Ensure /var/log Located On Separate Partition ++logvol /var/log --fstype=xfs --name=log --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec" ++# Ensure /var/log/audit Located On Separate Partition ++logvol /var/log/audit --fstype=xfs --name=audit --vgname=VolGroup --size=512 --fsoptions="nodev,nosuid,noexec" ++logvol swap --name=swap --vgname=VolGroup --size=2016 ++ ++# The OpenSCAP installer add-on is used to apply SCAP (Security Content Automation Protocol) ++# content - security policies - on the installed system.This add-on has been enabled by default ++# since Red Hat Enterprise Linux 7.2. When enabled, the packages necessary to provide this ++# functionality will automatically be installed. However, by default, no policies are enforced, ++# meaning that no checks are performed during or after installation unless specifically configured. ++# ++# Important ++# Applying a security policy is not necessary on all systems. This screen should only be used ++# when a specific policy is mandated by your organization rules or government regulations. ++# Unlike most other commands, this add-on does not accept regular options, but uses key-value ++# pairs in the body of the %addon definition instead. These pairs are whitespace-agnostic. ++# Values can be optionally enclosed in single quotes (') or double quotes ("). ++# ++# The following keys are recognized by the add-on: ++# content-type - Type of the security content. Possible values are datastream, archive, rpm, and scap-security-guide. ++# - If the content-type is scap-security-guide, the add-on will use content provided by the ++# scap-security-guide package, which is present on the boot media. This means that all other keys except profile will have no effect. ++# content-url - Location of the security content. The content must be accessible using HTTP, HTTPS, or FTP; local storage is currently not supported. A network connection must be available to reach content definitions in a remote location. ++# datastream-id - ID of the data stream referenced in the content-url value. Used only if content-type is datastream. ++# xccdf-id - ID of the benchmark you want to use. ++# xccdf-path - Path to the XCCDF file which should be used; given as a relative path in the archive. ++# profile - ID of the profile to be applied. Use default to apply the default profile. ++# fingerprint - A MD5, SHA1 or SHA2 checksum of the content referenced by content-url. ++# tailoring-path - Path to a tailoring file which should be used, given as a relative path in the archive. ++# ++# The following is an example %addon org_fedora_oscap section which uses content from the ++# scap-security-guide on the installation media: ++%addon org_fedora_oscap ++ content-type = scap-security-guide ++ profile = xccdf_org.ssgproject.content_profile_stig ++%end ++ ++# Packages selection (%packages section is required) ++%packages ++ ++# Require @Base ++@Base ++ ++%end # End of %packages section ++ ++# Reboot after the installation is complete (optional) ++# --eject attempt to eject CD or DVD media before rebooting ++reboot --eject diff --git a/SOURCES/scap-security-guide-0.1.49-drop-rsyslog-rules.patch b/SOURCES/scap-security-guide-0.1.49-drop-rsyslog-rules.patch new file mode 100644 index 0000000..c3437cd --- /dev/null +++ b/SOURCES/scap-security-guide-0.1.49-drop-rsyslog-rules.patch @@ -0,0 +1,36 @@ +From 3d8e47f0bd6fc1ddf8f33b788f52a23f348f24b7 Mon Sep 17 00:00:00 2001 +From: Vojtech Polasek + +Date: Mon, 3 Feb 2020 11:37:50 +0100 +Subject: remove rsyslog rules from ospp + +--- + rhel8/profiles/ospp.profile | 5 +---- + 1 file changed, 1 insertion(+), 4 deletions(-) + +diff --git a/rhel8/profiles/ospp.profile b/rhel8/profiles/ospp.profile +index ef3ced501..fb653de9d 100644 +--- a/rhel8/profiles/ospp.profile ++++ b/rhel8/profiles/ospp.profile +@@ -178,8 +178,6 @@ selections: + - package_audispd-plugins_installed + - package_scap-security-guide_installed + - package_audit_installed +- - package_rsyslog_installed +- - package_rsyslog-gnutls_installed + - package_gnutls-utils_installed + - package_nss-tools_installed + +@@ -391,8 +389,7 @@ selections: + - timer_dnf-automatic_enabled + + # Configure TLS for remote logging +- - rsyslog_remote_tls +- - rsyslog_remote_tls_cacert ++ # temporarily dropped + + # Prevent Kerberos use by system daemons + - kerberos_disable_no_keytab +-- +2.25.0 + diff --git a/SOURCES/scap-security-guide-0.1.49-fix-remaining-srgs.patch b/SOURCES/scap-security-guide-0.1.49-fix-remaining-srgs.patch new file mode 100644 index 0000000..6d06f2c --- /dev/null +++ b/SOURCES/scap-security-guide-0.1.49-fix-remaining-srgs.patch @@ -0,0 +1,49 @@ +From ccd6b36cbb7ad3046fa09bdbf3aab84b1212d213 Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Thu, 6 Feb 2020 11:29:31 +0100 +Subject: [PATCH] Map missing SRG rules + +--- + .../guide/system/software/gnome/dconf_db_up_to_date/rule.yml | 3 +++ + .../system-tools/package_gnutls-utils_installed/rule.yml | 1 + + .../software/system-tools/package_nss-tools_installed/rule.yml | 1 + + 3 files changed, 5 insertions(+) + +diff --git a/linux_os/guide/system/software/gnome/dconf_db_up_to_date/rule.yml b/linux_os/guide/system/software/gnome/dconf_db_up_to_date/rule.yml +index 3017b789f8..3e0b4fa2d1 100644 +--- a/linux_os/guide/system/software/gnome/dconf_db_up_to_date/rule.yml ++++ b/linux_os/guide/system/software/gnome/dconf_db_up_to_date/rule.yml +@@ -20,6 +20,9 @@ identifiers: + cce@rhel8: 81003-6 + cce@rhel7: 81004-4 + ++references: ++ srg: SRG-OS-000480-GPOS-00227 ++ + ocil_clause: 'The system-wide dconf databases are up-to-date with regards to respective keyfiles' + + ocil: |- +diff --git a/linux_os/guide/system/software/system-tools/package_gnutls-utils_installed/rule.yml b/linux_os/guide/system/software/system-tools/package_gnutls-utils_installed/rule.yml +index ebb8ad95f0..1374900664 100644 +--- a/linux_os/guide/system/software/system-tools/package_gnutls-utils_installed/rule.yml ++++ b/linux_os/guide/system/software/system-tools/package_gnutls-utils_installed/rule.yml +@@ -21,6 +21,7 @@ identifiers: + + references: + ospp: FMT_SMF_EXT.1 ++ srg: SRG-OS-000480-GPOS-00227 + + ocil_clause: 'the package is not installed' + +diff --git a/linux_os/guide/system/software/system-tools/package_nss-tools_installed/rule.yml b/linux_os/guide/system/software/system-tools/package_nss-tools_installed/rule.yml +index 32c9c32893..5d0d679a1a 100644 +--- a/linux_os/guide/system/software/system-tools/package_nss-tools_installed/rule.yml ++++ b/linux_os/guide/system/software/system-tools/package_nss-tools_installed/rule.yml +@@ -19,6 +19,7 @@ identifiers: + + references: + ospp: FMT_SMF_EXT.1 ++ srg: SRG-OS-000480-GPOS-00227 + + ocil_clause: 'the package is not installed' + diff --git a/SOURCES/scap-security-guide-0.1.49-max-path-len-skip-logs.patch b/SOURCES/scap-security-guide-0.1.49-max-path-len-skip-logs.patch new file mode 100644 index 0000000..6c1df7e --- /dev/null +++ b/SOURCES/scap-security-guide-0.1.49-max-path-len-skip-logs.patch @@ -0,0 +1,49 @@ +From 840fb94f9b371f6555536de2c32953c967c1122a Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Tue, 21 Jan 2020 14:17:00 +0100 +Subject: [PATCH 1/2] Don't check for path len of logs directory + +The logs are not part of the tarball, nor used to build the content. +--- + tests/ensure_paths_are_short.py | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/tests/ensure_paths_are_short.py b/tests/ensure_paths_are_short.py +index 5d4e27cb91..18d4c662ff 100755 +--- a/tests/ensure_paths_are_short.py ++++ b/tests/ensure_paths_are_short.py +@@ -13,6 +13,10 @@ def main(): + ssg_root = os.path.abspath(os.path.join(os.path.dirname(__file__), "..")) + max_path = "" + for dir_, _, files in os.walk(ssg_root): ++ # Don't check for path len of log files ++ # They are not shipped nor used during build ++ if "tests/logs/" in dir_: ++ continue + for file_ in files: + path = os.path.relpath(os.path.join(dir_, file_), ssg_root) + if len(path) > len(max_path): + +From 8d29c78efc51cc2c2da0e436b3cd9a2edb5342bc Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Tue, 21 Jan 2020 15:05:17 +0100 +Subject: [PATCH 2/2] Skip only only tests/logs/ from project root + +--- + tests/ensure_paths_are_short.py | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/tests/ensure_paths_are_short.py b/tests/ensure_paths_are_short.py +index 18d4c662ff..b9e985fea0 100755 +--- a/tests/ensure_paths_are_short.py ++++ b/tests/ensure_paths_are_short.py +@@ -15,7 +15,8 @@ def main(): + for dir_, _, files in os.walk(ssg_root): + # Don't check for path len of log files + # They are not shipped nor used during build +- if "tests/logs/" in dir_: ++ current_relative_path = os.path.relpath(dir_, ssg_root) ++ if current_relative_path.startswith("tests/logs/"): + continue + for file_ in files: + path = os.path.relpath(os.path.join(dir_, file_), ssg_root) diff --git a/SOURCES/scap-security-guide-0.1.49-openssl-strong-entropy-wrap.patch b/SOURCES/scap-security-guide-0.1.49-openssl-strong-entropy-wrap.patch new file mode 100644 index 0000000..8243778 --- /dev/null +++ b/SOURCES/scap-security-guide-0.1.49-openssl-strong-entropy-wrap.patch @@ -0,0 +1,593 @@ +From e0f1e2096d0f33fa94e3f78a5038e929b0039c32 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= +Date: Mon, 27 Jan 2020 11:51:53 +0100 +Subject: [PATCH 1/6] Add a rule for the openssl strong entropy wrapper. + +--- + .../openssl_use_strong_entropy/rule.yml | 65 +++++++++++++++++++ + rhel8/profiles/ospp.profile | 1 + + shared/references/cce-redhat-avail.txt | 1 - + 3 files changed, 66 insertions(+), 1 deletion(-) + create mode 100644 linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/rule.yml + +diff --git a/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/rule.yml b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/rule.yml +new file mode 100644 +index 0000000000..e9ea8ed338 +--- /dev/null ++++ b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/rule.yml +@@ -0,0 +1,65 @@ ++documentation_complete: true ++ ++# TODO: The plan is not to need this for RHEL>=8.4 ++prodtype: rhel8 ++ ++title: 'OpenSSL uses strong entropy source' ++ ++description: |- ++ To set up an openssl wrapper that adds a -rand /dev/random option to the openssl invocation, ++ save the following shell snippet to the /etc/profile.d/cc-config.sh: ++
++    # provide a default -rand /dev/random option to openssl commands that
++    # support it
++
++    # written inefficiently for maximum shell compatibility
++    openssl()
++    (
++      openssl_bin=/usr/bin/openssl
++
++      case "$*" in
++        # if user specified -rand, honor it
++        *\ -rand\ *|*\ -help*) exec $openssl_bin "$@" ;;
++      esac
++
++      cmds=`$openssl_bin list -digest-commands -cipher-commands | tr '\n' ' '`
++      for i in `$openssl_bin list -commands`; do
++        if $openssl_bin list -options "$i" | grep -q '^rand '; then
++          cmds=" $i $cmds"
++        fi
++      done
++
++      case "$cmds" in
++        *\ "$1"\ *)
++          cmd="$1"; shift
++          exec $openssl_bin "$cmd" -rand /dev/random "$@" ;;
++      esac
++
++      exec $openssl_bin "$@"
++    )
++    
++ ++rationale: |- ++ The openssl default configuration uses less robust entropy sources for seeding. ++ The referenced script is sourced to every login shell, and it transparently adds an option ++ that enforces strong entropy to every openssl invocation, ++ which makes openssl more secure by default. ++ ++severity: medium ++ ++identifiers: ++ cce@rhel8: 82721-2 ++ ++references: ++ ospp: FIA_AFL.1 ++ ++ocil: |- ++ To determine whether the openssl wrapper is configured correcrlty, ++ make sure that the /etc/profile.d/cc-config.sh file contains contents ++ that are included in the rule's description. ++ ++ocil_clause: |- ++ there is no /etc/profile.d/cc-config.sh file, or its contents don't match those in the description ++ ++warnings: ++ - general: "This setting can cause problems on computers without the hardware random generator, because insufficient entropy blocks the program until enough entropy is available." +diff --git a/rhel8/profiles/ospp.profile b/rhel8/profiles/ospp.profile +index 63aea526b7..ef3ced5010 100644 +--- a/rhel8/profiles/ospp.profile ++++ b/rhel8/profiles/ospp.profile +@@ -59,6 +59,7 @@ selections: + - sshd_enable_warning_banner + - sshd_rekey_limit + - sshd_use_strong_rng ++ - openssl_use_strong_entropy + + # Time Server + - chronyd_client_only +diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt +index 4cb08794f4..1733872dfa 100644 +--- a/shared/references/cce-redhat-avail.txt ++++ b/shared/references/cce-redhat-avail.txt +@@ -248,6 +248,5 @@ + CCE-82719-6 + CCE-82720-4 +-CCE-82721-2 + CCE-82722-0 + CCE-82723-8 + CCE-82724-6 + +From bbd0f8b1234858a4abeece07d7d188bb07d3d077 Mon Sep 17 00:00:00 2001 +From: Vojtech Polasek +Date: Mon, 27 Jan 2020 19:35:06 +0100 +Subject: [PATCH 2/6] create checks, remediations, + +--- + .../ansible/shared.yml | 12 +++++++ + .../openssl_use_strong_entropy/bash/shared.sh | 5 +++ + .../oval/shared.xml | 34 +++++++++++++++++++ + .../openssl_use_strong_entropy/rule.yml | 29 +--------------- + shared/macros.jinja | 34 ++++++++++++++++++- + 5 files changed, 85 insertions(+), 29 deletions(-) + create mode 100644 linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/ansible/shared.yml + create mode 100644 linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/bash/shared.sh + create mode 100644 linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/oval/shared.xml + +diff --git a/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/ansible/shared.yml b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/ansible/shared.yml +new file mode 100644 +index 0000000000..3ce26d6525 +--- /dev/null ++++ b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/ansible/shared.yml +@@ -0,0 +1,12 @@ ++# platform = multi_platform_all ++# reboot = false ++# strategy = restrict ++# complexity = low ++# disruption = low ++ ++- name: "copy a file with shell snippet to configure openssl strong entropy" ++ copy: ++ dest: /etc/profile.d/cc-config.sh ++ content: |+ ++ {{{ openssl_strong_entropy_config_file()|indent(8,blank=True) }}} ++ +diff --git a/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/bash/shared.sh b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/bash/shared.sh +new file mode 100644 +index 0000000000..db5c331ce7 +--- /dev/null ++++ b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/bash/shared.sh +@@ -0,0 +1,5 @@ ++# platform = Red Hat Enterprise Linux 8 ++ ++cat > /etc/profile.d/cc-config.sh <<- 'EOM' ++{{{ openssl_strong_entropy_config_file() }}} ++EOM +diff --git a/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/oval/shared.xml b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/oval/shared.xml +new file mode 100644 +index 0000000000..b441b7ae6e +--- /dev/null ++++ b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/oval/shared.xml +@@ -0,0 +1,34 @@ ++ ++ ++ ++ Configure Openssl to use strong entropy ++ ++ Red Hat Enterprise Linux 8 ++ multi_platform_fedora ++ ++ OpenSSL should be configured to generate random data with strong entropy. ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ /etc/profile.d/cc-config.sh ++ SHA-256 ++ ++ ++ ++ /etc/profile.d/cc-config.sh ++ SHA-256 ++ 6488c757642cd493da09dd78ee27f039711a1ad79039900970553772fd2106af ++ ++ +diff --git a/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/rule.yml b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/rule.yml +index e9ea8ed338..3b01da01af 100644 +--- a/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/rule.yml ++++ b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/rule.yml +@@ -9,34 +9,7 @@ description: |- + To set up an openssl wrapper that adds a -rand /dev/random option to the openssl invocation, + save the following shell snippet to the /etc/profile.d/cc-config.sh: +
+-    # provide a default -rand /dev/random option to openssl commands that
+-    # support it
+-
+-    # written inefficiently for maximum shell compatibility
+-    openssl()
+-    (
+-      openssl_bin=/usr/bin/openssl
+-
+-      case "$*" in
+-        # if user specified -rand, honor it
+-        *\ -rand\ *|*\ -help*) exec $openssl_bin "$@" ;;
+-      esac
+-
+-      cmds=`$openssl_bin list -digest-commands -cipher-commands | tr '\n' ' '`
+-      for i in `$openssl_bin list -commands`; do
+-        if $openssl_bin list -options "$i" | grep -q '^rand '; then
+-          cmds=" $i $cmds"
+-        fi
+-      done
+-
+-      case "$cmds" in
+-        *\ "$1"\ *)
+-          cmd="$1"; shift
+-          exec $openssl_bin "$cmd" -rand /dev/random "$@" ;;
+-      esac
+-
+-      exec $openssl_bin "$@"
+-    )
++    {{{ openssl_strong_entropy_config_file() | indent(4) }}}
+     
+ + rationale: |- +diff --git a/shared/macros.jinja b/shared/macros.jinja +index 77f8eb31c7..8a25acc937 100644 +--- a/shared/macros.jinja ++++ b/shared/macros.jinja +@@ -618,10 +618,42 @@ ocil_clause: "the correct value is not returned" + + + {{% macro body_of_warning_about_dependent_rule(rule_id, why) -%}} +- When selecting this rule in a profile, ++ When selecting this rule in a profile, + {{%- if why %}} + make sure that rule with ID {{{ rule_id }}} is selected as well: {{{ why }}} + {{%- else %}} + rule {{{ rule_id }}} has to be selected as well. + {{%- endif %}} + {{% endmacro %}} ++ ++{{% macro openssl_strong_entropy_config_file() -%}} ++# provide a default -rand /dev/random option to openssl commands that ++# support it ++ ++# written inefficiently for maximum shell compatibility ++openssl() ++( ++ openssl_bin=/usr/bin/openssl ++ ++ case "$*" in ++ # if user specified -rand, honor it ++ *\ -rand\ *|*\ -help*) exec $openssl_bin "$@" ;; ++ esac ++ ++ cmds=`$openssl_bin list -digest-commands -cipher-commands | tr '\n' ' '` ++ for i in `$openssl_bin list -commands`; do ++ if $openssl_bin list -options "$i" | grep -q '^rand '; then ++ cmds=" $i $cmds" ++ fi ++ done ++ ++ case "$cmds" in ++ *\ "$1"\ *) ++ cmd="$1"; shift ++ exec $openssl_bin "$cmd" -rand /dev/random "$@" ;; ++ esac ++ ++ exec $openssl_bin "$@" ++) ++ ++{{%- endmacro %}} + +From efaa2c9cbbe09af6b319f487ec05f646290a05a1 Mon Sep 17 00:00:00 2001 +From: Vojtech Polasek +Date: Tue, 28 Jan 2020 13:42:40 +0100 +Subject: [PATCH 3/6] add tests + +--- + .../tests/correct.pass.sh | 34 +++++++++++++++++++ + .../tests/file_missing.fail.sh | 5 +++ + .../tests/file_modified.fail.sh | 5 +++ + 3 files changed, 44 insertions(+) + create mode 100644 linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/tests/correct.pass.sh + create mode 100644 linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/tests/file_missing.fail.sh + create mode 100644 linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/tests/file_modified.fail.sh + +diff --git a/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/tests/correct.pass.sh b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/tests/correct.pass.sh +new file mode 100644 +index 0000000000..0bffab3c81 +--- /dev/null ++++ b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/tests/correct.pass.sh +@@ -0,0 +1,34 @@ ++#!/bin/bash ++# platform = Red Hat Enterprise Linux 8 ++# profiles = xccdf_org.ssgproject.content_profile_ospp ++ ++cat > /etc/profile.d/cc-config.sh <<- 'EOM' ++# provide a default -rand /dev/random option to openssl commands that ++# support it ++ ++# written inefficiently for maximum shell compatibility ++openssl() ++( ++ openssl_bin=/usr/bin/openssl ++ ++ case "$*" in ++ # if user specified -rand, honor it ++ *\ -rand\ *|*\ -help*) exec $openssl_bin "$@" ;; ++ esac ++ ++ cmds=`$openssl_bin list -digest-commands -cipher-commands | tr '\n' ' '` ++ for i in `$openssl_bin list -commands`; do ++ if $openssl_bin list -options "$i" | grep -q '^rand '; then ++ cmds=" $i $cmds" ++ fi ++ done ++ ++ case "$cmds" in ++ *\ "$1"\ *) ++ cmd="$1"; shift ++ exec $openssl_bin "$cmd" -rand /dev/random "$@" ;; ++ esac ++ ++ exec $openssl_bin "$@" ++) ++EOM +diff --git a/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/tests/file_missing.fail.sh b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/tests/file_missing.fail.sh +new file mode 100644 +index 0000000000..c1d526902c +--- /dev/null ++++ b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/tests/file_missing.fail.sh +@@ -0,0 +1,5 @@ ++#!/bin/bash ++# platform = Red Hat Enterprise Linux 8 ++# profiles = xccdf_org.ssgproject.content_profile_ospp ++ ++rm -f /etc/profile.d/cc-config.sh +diff --git a/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/tests/file_modified.fail.sh b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/tests/file_modified.fail.sh +new file mode 100644 +index 0000000000..313d14a37f +--- /dev/null ++++ b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/tests/file_modified.fail.sh +@@ -0,0 +1,5 @@ ++#!/bin/bash ++# platform = Red Hat Enterprise Linux 8 ++# profiles = xccdf_org.ssgproject.content_profile_ospp ++ ++echo "wrong data" > /etc/profile.d/cc-config.sh + +From 223194744d54d0400ab1d2981761166580a4f017 Mon Sep 17 00:00:00 2001 +From: Vojtech Polasek +Date: Wed, 29 Jan 2020 11:12:46 +0100 +Subject: [PATCH 4/6] remove blank=true from jinja macro as rhel6 and rhel7 do + not support it + +--- + .../crypto/openssl_use_strong_entropy/ansible/shared.yml | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/ansible/shared.yml b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/ansible/shared.yml +index 3ce26d6525..bdc530f9f5 100644 +--- a/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/ansible/shared.yml ++++ b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/ansible/shared.yml +@@ -8,5 +8,5 @@ + copy: + dest: /etc/profile.d/cc-config.sh + content: |+ +- {{{ openssl_strong_entropy_config_file()|indent(8,blank=True) }}} ++ {{{ openssl_strong_entropy_config_file()|indent(8) }}} + + +From bd41dcc77b326ed4bc352fe15d083ca6b144855f Mon Sep 17 00:00:00 2001 +From: Vojtech Polasek +Date: Thu, 30 Jan 2020 14:25:31 +0100 +Subject: [PATCH 5/6] reword rationale, change file name + +from cc-config.sh to openssl-rand.sh +change title of oval +--- + .../openssl_use_strong_entropy/ansible/shared.yml | 2 +- + .../openssl_use_strong_entropy/bash/shared.sh | 2 +- + .../openssl_use_strong_entropy/oval/shared.xml | 11 ++++------- + .../crypto/openssl_use_strong_entropy/rule.yml | 14 +++++--------- + .../tests/correct.pass.sh | 2 +- + .../tests/file_missing.fail.sh | 2 +- + .../tests/file_modified.fail.sh | 2 +- + 7 files changed, 14 insertions(+), 21 deletions(-) + +diff --git a/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/ansible/shared.yml b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/ansible/shared.yml +index bdc530f9f5..6ee232892d 100644 +--- a/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/ansible/shared.yml ++++ b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/ansible/shared.yml +@@ -6,7 +6,7 @@ + + - name: "copy a file with shell snippet to configure openssl strong entropy" + copy: +- dest: /etc/profile.d/cc-config.sh ++ dest: /etc/profile.d/openssl-rand.sh + content: |+ + {{{ openssl_strong_entropy_config_file()|indent(8) }}} + +diff --git a/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/bash/shared.sh b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/bash/shared.sh +index db5c331ce7..d8c9935005 100644 +--- a/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/bash/shared.sh ++++ b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/bash/shared.sh +@@ -1,5 +1,5 @@ + # platform = Red Hat Enterprise Linux 8 + +-cat > /etc/profile.d/cc-config.sh <<- 'EOM' ++cat > /etc/profile.d/openssl-rand.sh <<- 'EOM' + {{{ openssl_strong_entropy_config_file() }}} + EOM +diff --git a/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/oval/shared.xml b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/oval/shared.xml +index b441b7ae6e..847754f36d 100644 +--- a/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/oval/shared.xml ++++ b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/oval/shared.xml +@@ -1,11 +1,8 @@ + + + +- Configure Openssl to use strong entropy +- +- Red Hat Enterprise Linux 8 +- multi_platform_fedora +- ++ Configure OpenSSL to use strong entropy ++ {{{- oval_affected(products) }}} + OpenSSL should be configured to generate random data with strong entropy. + + +@@ -22,12 +19,12 @@ + + + +- /etc/profile.d/cc-config.sh ++ /etc/profile.d/openssl-rand.sh + SHA-256 + + + +- /etc/profile.d/cc-config.sh ++ /etc/profile.d/openssl-rand.sh + SHA-256 + 6488c757642cd493da09dd78ee27f039711a1ad79039900970553772fd2106af + +diff --git a/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/rule.yml b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/rule.yml +index 3b01da01af..dd82336532 100644 +--- a/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/rule.yml ++++ b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/rule.yml +@@ -7,19 +7,15 @@ title: 'OpenSSL uses strong entropy source' + + description: |- + To set up an openssl wrapper that adds a -rand /dev/random option to the openssl invocation, +- save the following shell snippet to the /etc/profile.d/cc-config.sh: ++ save the following shell snippet to the /etc/profile.d/openssl-rand.sh: +
+     {{{ openssl_strong_entropy_config_file() | indent(4) }}}
+     
+ + rationale: |- +- The openssl default configuration uses less robust entropy sources for seeding. +- The referenced script is sourced to every login shell, and it transparently adds an option +- that enforces strong entropy to every openssl invocation, +- which makes openssl more secure by default. ++ This rule ensures that openssl always uses SP800-90A compliant random number generator. + + severity: medium +- + identifiers: + cce@rhel8: 82721-2 + +@@ -27,12 +23,12 @@ references: + ospp: FIA_AFL.1 + + ocil: |- +- To determine whether the openssl wrapper is configured correcrlty, +- make sure that the /etc/profile.d/cc-config.sh file contains contents ++ To determine whether the openssl wrapper is configured correctly, ++ make sure that the /etc/profile.d/openssl-rand.sh file contains contents + that are included in the rule's description. + + ocil_clause: |- +- there is no /etc/profile.d/cc-config.sh file, or its contents don't match those in the description ++ there is no /etc/profile.d/openssl-rand.sh file, or its contents don't match those in the description + + warnings: + - general: "This setting can cause problems on computers without the hardware random generator, because insufficient entropy blocks the program until enough entropy is available." +diff --git a/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/tests/correct.pass.sh b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/tests/correct.pass.sh +index 0bffab3c81..d7f3ce8c87 100644 +--- a/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/tests/correct.pass.sh ++++ b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/tests/correct.pass.sh +@@ -2,7 +2,7 @@ + # platform = Red Hat Enterprise Linux 8 + # profiles = xccdf_org.ssgproject.content_profile_ospp + +-cat > /etc/profile.d/cc-config.sh <<- 'EOM' ++cat > /etc/profile.d/openssl-rand.sh <<- 'EOM' + # provide a default -rand /dev/random option to openssl commands that + # support it + +diff --git a/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/tests/file_missing.fail.sh b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/tests/file_missing.fail.sh +index c1d526902c..64a580da91 100644 +--- a/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/tests/file_missing.fail.sh ++++ b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/tests/file_missing.fail.sh +@@ -2,4 +2,4 @@ + # platform = Red Hat Enterprise Linux 8 + # profiles = xccdf_org.ssgproject.content_profile_ospp + +-rm -f /etc/profile.d/cc-config.sh ++rm -f /etc/profile.d/openssl-rand.sh +diff --git a/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/tests/file_modified.fail.sh b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/tests/file_modified.fail.sh +index 313d14a37f..2c812e874b 100644 +--- a/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/tests/file_modified.fail.sh ++++ b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/tests/file_modified.fail.sh +@@ -2,4 +2,4 @@ + # platform = Red Hat Enterprise Linux 8 + # profiles = xccdf_org.ssgproject.content_profile_ospp + +-echo "wrong data" > /etc/profile.d/cc-config.sh ++echo "wrong data" > /etc/profile.d/openssl-rand.sh + +From 679bd9cd08f962b3a88197817c199bd90a47f8d7 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= +Date: Fri, 31 Jan 2020 16:34:48 +0100 +Subject: [PATCH 6/6] Rule and remediation wording improvements. + +--- + .../openssl_use_strong_entropy/ansible/shared.yml | 3 +-- + .../crypto/openssl_use_strong_entropy/rule.yml | 15 ++++++++++----- + 2 files changed, 11 insertions(+), 7 deletions(-) + +diff --git a/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/ansible/shared.yml b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/ansible/shared.yml +index 6ee232892d..25afb8e27f 100644 +--- a/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/ansible/shared.yml ++++ b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/ansible/shared.yml +@@ -4,9 +4,8 @@ + # complexity = low + # disruption = low + +-- name: "copy a file with shell snippet to configure openssl strong entropy" ++- name: "Put a file with shell wrapper to configure OpenSSL to always use strong entropy" + copy: + dest: /etc/profile.d/openssl-rand.sh + content: |+ + {{{ openssl_strong_entropy_config_file()|indent(8) }}} +- +diff --git a/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/rule.yml b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/rule.yml +index dd82336532..8a958e93b0 100644 +--- a/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/rule.yml ++++ b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/rule.yml +@@ -6,14 +6,18 @@ prodtype: rhel8 + title: 'OpenSSL uses strong entropy source' + + description: |- +- To set up an openssl wrapper that adds a -rand /dev/random option to the openssl invocation, +- save the following shell snippet to the /etc/profile.d/openssl-rand.sh: ++ By default, OpenSSL doesn't always use a SP800-90A compliant random number generator. ++ A way to configure OpenSSL to always use a strong source is to setup a wrapper that ++ defines a shell function that shadows the actual openssl binary, ++ and that ensures that the -rand /dev/random option is added to every openssl invocation. ++ ++ To do so, place the following shell snippet exactly as-is to /etc/profile.d/openssl-rand.sh: +
+     {{{ openssl_strong_entropy_config_file() | indent(4) }}}
+     
+ + rationale: |- +- This rule ensures that openssl always uses SP800-90A compliant random number generator. ++ This rule ensures that openssl invocations always uses SP800-90A compliant random number generator as a default behavior. + + severity: medium + identifiers: +@@ -23,8 +27,9 @@ references: + ospp: FIA_AFL.1 + + ocil: |- +- To determine whether the openssl wrapper is configured correctly, +- make sure that the /etc/profile.d/openssl-rand.sh file contains contents ++ To determine whether OpenSSL is wrapped by a shell function that ensures that every invocation ++ uses a SP800-90A compliant entropy source, ++ make sure that the /etc/profile.d/openssl-rand.sh file contents exactly match those + that are included in the rule's description. + + ocil_clause: |- diff --git a/SOURCES/scap-security-guide-0.1.49-split-audit-rules.patch b/SOURCES/scap-security-guide-0.1.49-split-audit-rules.patch new file mode 100644 index 0000000..70760f0 --- /dev/null +++ b/SOURCES/scap-security-guide-0.1.49-split-audit-rules.patch @@ -0,0 +1,1951 @@ +From dd25ef669719bffe40f3024dbc949e421779f106 Mon Sep 17 00:00:00 2001 +From: Vojtech Polasek +Date: Mon, 9 Dec 2019 16:25:50 +0100 +Subject: [PATCH] Split audit rules for OSPP + +--- + docs/manual/developer_guide.adoc | 7 + + .../policy_rules/audit_access_failed/rule.yml | 53 +++++++ + .../tests/correct_rules.pass.sh | 1 + + .../audit_access_success/rule.yml | 58 ++++++++ + .../tests/correct_rules.pass.sh | 1 + + .../audit_basic_configuration/rule.yml | 66 +++++++++ + .../tests/correct_rules.pass.sh | 3 + + .../tests/file_missing.fail.sh | 3 + + .../tests/file_not_identical.fail.sh | 4 + + .../policy_rules/audit_create_failed/rule.yml | 66 +++++++++ + .../tests/correct_rules.pass.sh | 1 + + .../audit_create_success/rule.yml | 59 ++++++++ + .../tests/correct_rules.pass.sh | 1 + + .../policy_rules/audit_delete_failed/rule.yml | 58 ++++++++ + .../tests/correct_rules.pass.sh | 1 + + .../audit_delete_success/rule.yml | 57 ++++++++ + .../tests/correct_rules.pass.sh | 1 + + .../tests/failed_delete_rules.fail.sh | 1 + + .../tests/no_rule.fail.sh | 1 + + .../audit_immutable_login_uids/rule.yml | 54 +++++++ + .../tests/correct_rules.pass.sh | 1 + + .../policy_rules/audit_modify_failed/rule.yml | 66 +++++++++ + .../tests/correct_rules.pass.sh | 1 + + .../audit_modify_success/rule.yml | 61 ++++++++ + .../tests/correct_rules.pass.sh | 1 + + .../policy_rules/audit_module_load/rule.yml | 58 ++++++++ + .../tests/correct_rules.pass.sh | 1 + + .../policy_rules/audit_ospp_general/rule.yml | 138 ++++++++++++++++++ + .../tests/correct_rules.pass.sh | 1 + + .../audit_owner_change_failed/rule.yml | 59 ++++++++ + .../tests/correct_rules.pass.sh | 1 + + .../audit_owner_change_success/rule.yml | 60 ++++++++ + .../tests/correct_rules.pass.sh | 1 + + .../audit_perm_change_failed/rule.yml | 58 ++++++++ + .../tests/correct_rules.pass.sh | 1 + + .../audit_perm_change_success/rule.yml | 57 ++++++++ + .../tests/correct_rules.pass.sh | 1 + + .../audit_rules_for_ospp/oval/shared.xml | 8 +- + rhel8/profiles/ospp.profile | 17 ++- + shared/macros-ansible.jinja | 15 ++ + shared/macros-bash.jinja | 11 ++ + shared/macros-oval.jinja | 41 ++++++ + shared/references/cce-redhat-avail.txt | 11 -- + .../template_ANSIBLE_audit_file_contents | 11 ++ + .../template_BASH_audit_file_contents | 14 ++ + .../template_OVAL_audit_file_contents | 7 + + ssg/templates.py | 20 +++ + tests/shared/audit/10-base-config.rules | 13 ++ + tests/shared/audit/11-loginuid.rules | 3 + + .../audit/30-ospp-v42-1-create-failed.rules | 13 ++ + .../audit/30-ospp-v42-1-create-success.rules | 7 + + .../audit/30-ospp-v42-2-modify-failed.rules | 13 ++ + .../audit/30-ospp-v42-2-modify-success.rules | 7 + + .../audit/30-ospp-v42-3-access-failed.rules | 5 + + .../audit/30-ospp-v42-3-access-success.rules | 4 + + .../audit/30-ospp-v42-4-delete-failed.rules | 5 + + .../audit/30-ospp-v42-4-delete-success.rules | 3 + + .../30-ospp-v42-5-perm-change-failed.rules | 5 + + .../30-ospp-v42-5-perm-change-success.rules | 3 + + .../30-ospp-v42-6-owner-change-failed.rules | 5 + + .../30-ospp-v42-6-owner-change-success.rules | 3 + + tests/shared/audit/30-ospp-v42.rules | 80 ++++++++++ + tests/shared/audit/43-module-load.rules | 6 + + 63 files changed, 1376 insertions(+), 16 deletions(-) + create mode 100644 linux_os/guide/system/auditing/policy_rules/audit_access_failed/rule.yml + create mode 100644 linux_os/guide/system/auditing/policy_rules/audit_access_failed/tests/correct_rules.pass.sh + create mode 100644 linux_os/guide/system/auditing/policy_rules/audit_access_success/rule.yml + create mode 100644 linux_os/guide/system/auditing/policy_rules/audit_access_success/tests/correct_rules.pass.sh + create mode 100644 linux_os/guide/system/auditing/policy_rules/audit_basic_configuration/rule.yml + create mode 100644 linux_os/guide/system/auditing/policy_rules/audit_basic_configuration/tests/correct_rules.pass.sh + create mode 100644 linux_os/guide/system/auditing/policy_rules/audit_basic_configuration/tests/file_missing.fail.sh + create mode 100644 linux_os/guide/system/auditing/policy_rules/audit_basic_configuration/tests/file_not_identical.fail.sh + create mode 100644 linux_os/guide/system/auditing/policy_rules/audit_create_failed/rule.yml + create mode 100644 linux_os/guide/system/auditing/policy_rules/audit_create_failed/tests/correct_rules.pass.sh + create mode 100644 linux_os/guide/system/auditing/policy_rules/audit_create_success/rule.yml + create mode 100644 linux_os/guide/system/auditing/policy_rules/audit_create_success/tests/correct_rules.pass.sh + create mode 100644 linux_os/guide/system/auditing/policy_rules/audit_delete_failed/rule.yml + create mode 100644 linux_os/guide/system/auditing/policy_rules/audit_delete_failed/tests/correct_rules.pass.sh + create mode 100644 linux_os/guide/system/auditing/policy_rules/audit_delete_success/rule.yml + create mode 100644 linux_os/guide/system/auditing/policy_rules/audit_delete_success/tests/correct_rules.pass.sh + create mode 100644 linux_os/guide/system/auditing/policy_rules/audit_delete_success/tests/failed_delete_rules.fail.sh + create mode 100644 linux_os/guide/system/auditing/policy_rules/audit_delete_success/tests/no_rule.fail.sh + create mode 100644 linux_os/guide/system/auditing/policy_rules/audit_immutable_login_uids/rule.yml + create mode 100644 linux_os/guide/system/auditing/policy_rules/audit_immutable_login_uids/tests/correct_rules.pass.sh + create mode 100644 linux_os/guide/system/auditing/policy_rules/audit_modify_failed/rule.yml + create mode 100644 linux_os/guide/system/auditing/policy_rules/audit_modify_failed/tests/correct_rules.pass.sh + create mode 100644 linux_os/guide/system/auditing/policy_rules/audit_modify_success/rule.yml + create mode 100644 linux_os/guide/system/auditing/policy_rules/audit_modify_success/tests/correct_rules.pass.sh + create mode 100644 linux_os/guide/system/auditing/policy_rules/audit_module_load/rule.yml + create mode 100644 linux_os/guide/system/auditing/policy_rules/audit_module_load/tests/correct_rules.pass.sh + create mode 100644 linux_os/guide/system/auditing/policy_rules/audit_ospp_general/rule.yml + create mode 100644 linux_os/guide/system/auditing/policy_rules/audit_ospp_general/tests/correct_rules.pass.sh + create mode 100644 linux_os/guide/system/auditing/policy_rules/audit_owner_change_failed/rule.yml + create mode 100644 linux_os/guide/system/auditing/policy_rules/audit_owner_change_failed/tests/correct_rules.pass.sh + create mode 100644 linux_os/guide/system/auditing/policy_rules/audit_owner_change_success/rule.yml + create mode 100644 linux_os/guide/system/auditing/policy_rules/audit_owner_change_success/tests/correct_rules.pass.sh + create mode 100644 linux_os/guide/system/auditing/policy_rules/audit_perm_change_failed/rule.yml + create mode 100644 linux_os/guide/system/auditing/policy_rules/audit_perm_change_failed/tests/correct_rules.pass.sh + create mode 100644 linux_os/guide/system/auditing/policy_rules/audit_perm_change_success/rule.yml + create mode 100644 linux_os/guide/system/auditing/policy_rules/audit_perm_change_success/tests/correct_rules.pass.sh + create mode 100644 shared/templates/template_ANSIBLE_audit_file_contents + create mode 100644 shared/templates/template_BASH_audit_file_contents + create mode 100644 shared/templates/template_OVAL_audit_file_contents + create mode 100644 tests/shared/audit/10-base-config.rules + create mode 100644 tests/shared/audit/11-loginuid.rules + create mode 100644 tests/shared/audit/30-ospp-v42-1-create-failed.rules + create mode 100644 tests/shared/audit/30-ospp-v42-1-create-success.rules + create mode 100644 tests/shared/audit/30-ospp-v42-2-modify-failed.rules + create mode 100644 tests/shared/audit/30-ospp-v42-2-modify-success.rules + create mode 100644 tests/shared/audit/30-ospp-v42-3-access-failed.rules + create mode 100644 tests/shared/audit/30-ospp-v42-3-access-success.rules + create mode 100644 tests/shared/audit/30-ospp-v42-4-delete-failed.rules + create mode 100644 tests/shared/audit/30-ospp-v42-4-delete-success.rules + create mode 100644 tests/shared/audit/30-ospp-v42-5-perm-change-failed.rules + create mode 100644 tests/shared/audit/30-ospp-v42-5-perm-change-success.rules + create mode 100644 tests/shared/audit/30-ospp-v42-6-owner-change-failed.rules + create mode 100644 tests/shared/audit/30-ospp-v42-6-owner-change-success.rules + create mode 100644 tests/shared/audit/30-ospp-v42.rules + create mode 100644 tests/shared/audit/43-module-load.rules + +diff --git a/docs/manual/developer_guide.adoc b/docs/manual/developer_guide.adoc +index 4cccea23d..76c1c1021 100644 +--- a/docs/manual/developer_guide.adoc ++++ b/docs/manual/developer_guide.adoc +@@ -1449,6 +1449,13 @@ audit_rules_privileged_commands:: + ** *path* - the path of the privileged command - eg. `/usr/bin/mount` + * Languages: Ansible, Bash, OVAL + ++audit_file_contents:: ++* Ensure that audit `.rules` file specified by parameter `filepath` contains the contents specified in parameter `contents`. ++* Parameters: ++** *filepath* - path to audit rules file, e.g.: `/etc/audit/rules.d/10-base-config.rules` ++** *contents* - expected contents of the file ++* Languages: Ansible, Bash, OVAL ++ + audit_rules_unsuccessful_file_modification:: + * Ensure there is an Audit rule to record unsuccessful attempts to access files + * Parameters: +diff --git a/linux_os/guide/system/auditing/policy_rules/audit_access_failed/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_access_failed/rule.yml +new file mode 100644 +index 000000000..6172751f1 +--- /dev/null ++++ b/linux_os/guide/system/auditing/policy_rules/audit_access_failed/rule.yml +@@ -0,0 +1,53 @@ ++documentation_complete: true ++ ++prodtype: rhel8 ++ ++title: 'Configure auditing of unsuccessful file accesses' ++ ++{{% set file_contents_audit_access_failed = ++"## Unsuccessful file access (any other opens) This has to go last. ++-a always,exit -F arch=b32 -S open,openat,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-access ++-a always,exit -F arch=b64 -S open,openat,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-access ++-a always,exit -F arch=b32 -S open,openat,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-access ++-a always,exit -F arch=b64 -S open,openat,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-access ++" %}} ++ ++description: |- ++ Ensure that unsuccessful attempts to access a file are audited. ++ ++ The following rules configure audit as described above: ++
{{{ file_contents_audit_access_failed|indent }}}    
++ ++ Load new Audit rules into kernel by running: ++
augenrules --load
++ ++ Note: This rule utilizes a file provided by Audit package to comply with OSPP 4.2.1. You may reuse this rule in different profiles. If you decide to do so, it is recommended that you inspect contents of the file closely and make sure that they are alligned with your needs. ++ ++ ++rationale: |- ++ Unsuccessful attempts to access a file might be signs of malicious activity happening within the system. Auditing of such activities helps in their monitoring and investigation. ++ ++severity: medium ++ ++identifiers: ++ cce@rhel8: 82833-5 ++ ++references: ++ ospp: FAU_GEN.1.1.c ++ nist: AU-2(a) ++ srg: SRG-OS-000458-GPOS-00203,SRG-OS-000474-GPOS-00219,SRG-OS-000475-GPOS-00220,SRG-OS-000463-GPOS-00207,SRG-OS-000465-GPOS-00209,SRG-OS-000461-GPOS-00205 ++ ++ocil_clause: 'the file does not exist or the content differs' ++ ++ocil: |- ++ To verify that the Audit is correctly configured according to recommended rules, check the content of the file with the following command: ++
cat /etc/audit/rules.d/30-ospp-v42-3-access-failed.rules
++ The output has to be exactly as follows: ++
{{{ file_contents_audit_access_failed|indent }}}    
++ ++template: ++ name: audit_file_contents ++ vars: ++ filepath: /etc/audit/rules.d/30-ospp-v42-3-access-failed.rules ++ contents: |+ ++ {{{ file_contents_audit_access_failed|indent(12) }}} +diff --git a/linux_os/guide/system/auditing/policy_rules/audit_access_failed/tests/correct_rules.pass.sh b/linux_os/guide/system/auditing/policy_rules/audit_access_failed/tests/correct_rules.pass.sh +new file mode 100644 +index 000000000..ce7c7a0dd +--- /dev/null ++++ b/linux_os/guide/system/auditing/policy_rules/audit_access_failed/tests/correct_rules.pass.sh +@@ -0,0 +1 @@ ++cp $SHARED/audit/30-ospp-v42-3-access-failed.rules /etc/audit/rules.d/ +diff --git a/linux_os/guide/system/auditing/policy_rules/audit_access_success/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_access_success/rule.yml +new file mode 100644 +index 000000000..8d0625a1d +--- /dev/null ++++ b/linux_os/guide/system/auditing/policy_rules/audit_access_success/rule.yml +@@ -0,0 +1,58 @@ ++documentation_complete: true ++ ++prodtype: rhel8 ++ ++title: 'Configure auditing of successful file accesses' ++ ++{{% set file_contents_audit_access_success = ++"## Successful file access (any other opens) This has to go last. ++## These next two are likely to result in a whole lot of events ++-a always,exit -F arch=b32 -S open,openat,open_by_handle_at -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-access ++-a always,exit -F arch=b64 -S open,openat,open_by_handle_at -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-access ++" %}} ++ ++description: |- ++ Ensure that successful attempts to access a file are audited. ++ ++ The following rules configure audit as described above: ++
{{{ file_contents_audit_access_success|indent }}}    
++ ++ The Audit package provides pre-configured rules in /usr/share/audit/sample-rules. The above content can be found in /usr/share/audit/sample-rules/30-ospp-v42-3-access-success.rules. ++ To deploy this configuration, it is recommended to copy it over to the /etc/audit/rules.d/ directory: ++
++    cp /usr/share/audit/sample-rules/30-ospp-v42-3-access-success.rules /etc/audit/rules.d/
++    
++ ++ Load new Audit rules into kernel by running: ++
augenrules --load
++ ++ Note: This rule utilizes a file provided by Audit package to comply with OSPP 4.2.1. You may reuse this rule in different profiles. If you decide to do so, it is recommended that you inspect contents of the file closely and make sure that they are alligned with your needs. ++ ++ ++rationale: |- ++ Auditing of successful attempts to access a file helps in investigation of activities performed on the system. ++ ++severity: medium ++ ++identifiers: ++ cce@rhel8: 82834-3 ++ ++references: ++ ospp: FAU_GEN.1.1.c ++ nist: AU-2(a) ++ srg: SRG-OS-000458-GPOS-00203,SRG-OS-000474-GPOS-00219,SRG-OS-000475-GPOS-00220,SRG-OS-000463-GPOS-00207,SRG-OS-000465-GPOS-00209,SRG-OS-000461-GPOS-00205 ++ ++ocil_clause: 'the file does not exist or the content differs' ++ ++ocil: |- ++ To verify that the Audit is correctly configured according to recommended rules, check the content of the file with the following command: ++
cat /etc/audit/rules.d/30-ospp-v42-3-access-success.rules
++ The output has to be exactly as follows: ++
{{{ file_contents_audit_access_success|indent }}}    
++ ++template: ++ name: audit_file_contents ++ vars: ++ filepath: /etc/audit/rules.d/30-ospp-v42-3-access-success.rules ++ contents: |+ ++ {{{ file_contents_audit_access_success|indent(12) }}} +diff --git a/linux_os/guide/system/auditing/policy_rules/audit_access_success/tests/correct_rules.pass.sh b/linux_os/guide/system/auditing/policy_rules/audit_access_success/tests/correct_rules.pass.sh +new file mode 100644 +index 000000000..7092f2c47 +--- /dev/null ++++ b/linux_os/guide/system/auditing/policy_rules/audit_access_success/tests/correct_rules.pass.sh +@@ -0,0 +1 @@ ++cp $SHARED/audit/30-ospp-v42-3-access-success.rules /etc/audit/rules.d/ +diff --git a/linux_os/guide/system/auditing/policy_rules/audit_basic_configuration/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_basic_configuration/rule.yml +new file mode 100644 +index 000000000..24cac20a2 +--- /dev/null ++++ b/linux_os/guide/system/auditing/policy_rules/audit_basic_configuration/rule.yml +@@ -0,0 +1,66 @@ ++documentation_complete: true ++ ++prodtype: rhel8 ++ ++title: 'Configure basic parameters of Audit system' ++ ++{{% set file_contents_audit_base_config = ++"## First rule - delete all ++-D ++ ++## Increase the buffers to survive stress events. ++## Make this bigger for busy systems ++-b 8192 ++ ++## This determine how long to wait in burst of events ++--backlog_wait_time 60000 ++ ++## Set failure mode to syslog ++-f 1 ++ ++" %}} ++ ++description: |- ++ Perform basic configuration of Audit system. ++ Make sure that any previously defined rules are cleared, the auditing system is configured to handle sudden bursts of events, and in cases of failure, messages are configured to be directed to system log. ++ ++ The following rules configure audit as described above: ++
{{{ file_contents_audit_base_config|indent }}}    
++ ++ The Audit package provides pre-configured rules in /usr/share/audit/sample-rules. The above content can be found in /usr/share/audit/sample-rules/10-base-config.rules. ++ To deploy this configuration, it is recommended to copy it over to the /etc/audit/rules.d/ directory: ++
++    cp /usr/share/audit/sample-rules/10-base-config.rules /etc/audit/rules.d/
++    
++ ++ Load new Audit rules into kernel by running: ++
augenrules --load
++ ++ ++rationale: |- ++ Without basic configurations, audit may not perform as expected. It may not be able to correctly handle events under stressful conditions, or log events in case of failure. ++ ++severity: medium ++ ++identifiers: ++ cce@rhel8: 82827-7 ++ ++references: ++ ospp: FAU_GEN.1.1.c ++ nist: AU-2(a) ++ srg: SRG-OS-000365-GPOS-00152,SRG-OS-000475-GPOS-00220 ++ ++ocil_clause: 'the file does not exist or the content differs' ++ ++ocil: |- ++ To verify that the Audit is correctly configured according to recommended rules, check the content of the file with the following command: ++
cat /etc/audit/rules.d/10-base-config.rules
++ The output has to be exactly as follows: ++
{{{ file_contents_audit_base_config|indent }}}    
++ ++template: ++ name: audit_file_contents ++ vars: ++ filepath: /etc/audit/rules.d/10-base-config.rules ++ contents: |+ ++ {{{ file_contents_audit_base_config|indent(12) }}} +diff --git a/linux_os/guide/system/auditing/policy_rules/audit_basic_configuration/tests/correct_rules.pass.sh b/linux_os/guide/system/auditing/policy_rules/audit_basic_configuration/tests/correct_rules.pass.sh +new file mode 100644 +index 000000000..2335ce458 +--- /dev/null ++++ b/linux_os/guide/system/auditing/policy_rules/audit_basic_configuration/tests/correct_rules.pass.sh +@@ -0,0 +1,3 @@ ++# profiles = xccdf_org.ssgproject.content_profile_ospp ++ ++cp $SHARED/audit/10-base-config.rules /etc/audit/rules.d/ +diff --git a/linux_os/guide/system/auditing/policy_rules/audit_basic_configuration/tests/file_missing.fail.sh b/linux_os/guide/system/auditing/policy_rules/audit_basic_configuration/tests/file_missing.fail.sh +new file mode 100644 +index 000000000..aa506a736 +--- /dev/null ++++ b/linux_os/guide/system/auditing/policy_rules/audit_basic_configuration/tests/file_missing.fail.sh +@@ -0,0 +1,3 @@ ++# profiles = xccdf_org.ssgproject.content_profile_ospp ++ ++rm -f /etc/audit/rules.d/10-base-config.rules +diff --git a/linux_os/guide/system/auditing/policy_rules/audit_basic_configuration/tests/file_not_identical.fail.sh b/linux_os/guide/system/auditing/policy_rules/audit_basic_configuration/tests/file_not_identical.fail.sh +new file mode 100644 +index 000000000..4e7ce04c5 +--- /dev/null ++++ b/linux_os/guide/system/auditing/policy_rules/audit_basic_configuration/tests/file_not_identical.fail.sh +@@ -0,0 +1,4 @@ ++# profiles = xccdf_org.ssgproject.content_profile_ospp ++ ++cp /usr/share/audit/sample-rules/10-base-config.rules /etc/audit/rules.d/ ++echo "some additional text" >> /etc/audit/rules.d/10-base-config.rules +diff --git a/linux_os/guide/system/auditing/policy_rules/audit_create_failed/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_create_failed/rule.yml +new file mode 100644 +index 000000000..7cd677661 +--- /dev/null ++++ b/linux_os/guide/system/auditing/policy_rules/audit_create_failed/rule.yml +@@ -0,0 +1,66 @@ ++documentation_complete: true ++ ++prodtype: rhel8 ++ ++title: 'Configure auditing of unsuccessful file creations' ++ ++{{% set file_contents_audit_create_failed = ++"## Unsuccessful file creation (open with O_CREAT) ++-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-create ++-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-create ++-a always,exit -F arch=b32 -S open -F a1&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-create ++-a always,exit -F arch=b64 -S open -F a1&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-create ++-a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-create ++-a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-create ++-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-create ++-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-create ++-a always,exit -F arch=b32 -S open -F a1&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-create ++-a always,exit -F arch=b64 -S open -F a1&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-create ++-a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-create ++-a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-create ++" %}} ++ ++description: |- ++ Ensure that unsuccessful attempts to create a file are audited. ++ ++ The following rules configure audit as described above: ++
{{{ file_contents_audit_create_failed|indent }}}    
++ ++ The Audit package provides pre-configured rules in /usr/share/audit/sample-rules. The above content can be found in /usr/share/audit/sample-rules/30-ospp-v42-1-create-failed.rules. ++ To deploy this configuration, it is recommended to copy it over to the /etc/audit/rules.d/ directory: ++
++    cp /usr/share/audit/sample-rules/30-ospp-v42-1-create-failed.rules /etc/audit/rules.d/
++    
++ ++ Load new Audit rules into kernel by running: ++
augenrules --load
++ ++ Note: This rule utilizes a file provided by Audit package to comply with OSPP 4.2.1. You may reuse this rule in different profiles. If you decide to do so, it is recommended that you inspect contents of the file closely and make sure that they are alligned with your needs. ++ ++rationale: |- ++ Unsuccessful file creations might be a sign of a malicious action being performed on the system. Keeping log of such events helps in monitoring and investigation of such actions. ++ ++severity: medium ++ ++identifiers: ++ cce@rhel8: 82374-0 ++ ++references: ++ ospp: FAU_GEN.1.1.c ++ nist: AU-2(a) ++ srg: SRG-OS-000458-GPOS-00203,SRG-OS-000474-GPOS-00219,SRG-OS-000475-GPOS-00220,SRG-OS-000463-GPOS-00207,SRG-OS-000465-GPOS-00209,SRG-OS-000461-GPOS-00205 ++ ++ocil_clause: 'the file does not exist or the content differs' ++ ++ocil: |- ++ To verify that the Audit is correctly configured according to recommended rules, check the content of the file with the following command: ++
cat /etc/audit/rules.d/30-ospp-v42-1-create-failed.rules
++ The output has to be exactly as follows: ++
{{{ file_contents_audit_create_failed|indent }}}    
++ ++template: ++ name: audit_file_contents ++ vars: ++ filepath: /etc/audit/rules.d/30-ospp-v42-1-create-failed.rules ++ contents: |+ ++ {{{ file_contents_audit_create_failed|indent(12) }}} +diff --git a/linux_os/guide/system/auditing/policy_rules/audit_create_failed/tests/correct_rules.pass.sh b/linux_os/guide/system/auditing/policy_rules/audit_create_failed/tests/correct_rules.pass.sh +new file mode 100644 +index 000000000..9a7fe431a +--- /dev/null ++++ b/linux_os/guide/system/auditing/policy_rules/audit_create_failed/tests/correct_rules.pass.sh +@@ -0,0 +1 @@ ++cp $SHARED/audit/30-ospp-v42-1-create-failed.rules /etc/audit/rules.d/ +diff --git a/linux_os/guide/system/auditing/policy_rules/audit_create_success/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_create_success/rule.yml +new file mode 100644 +index 000000000..4c933ec50 +--- /dev/null ++++ b/linux_os/guide/system/auditing/policy_rules/audit_create_success/rule.yml +@@ -0,0 +1,59 @@ ++documentation_complete: true ++ ++prodtype: rhel8 ++ ++title: 'Configure auditing of successful file creations' ++ ++{{% set file_contents_audit_create_success = ++"## Successful file creation (open with O_CREAT) ++-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&0100 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-create ++-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&0100 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-create ++-a always,exit -F arch=b32 -S open -F a1&0100 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-create ++-a always,exit -F arch=b64 -S open -F a1&0100 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-create ++-a always,exit -F arch=b32 -S creat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-create ++-a always,exit -F arch=b64 -S creat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-create ++" %}} ++ ++description: |- ++ Ensure that successful attempts to create a file are audited. ++ ++ The following rules configure audit as described above: ++
{{{ file_contents_audit_create_success |indent }}}    
++ ++ The Audit package provides pre-configured rules in /usr/share/audit/sample-rules. The above content can be found in /usr/share/audit/sample-rules/30-ospp-v42-1-create-success.rules. ++ To deploy this configuration, it is recommended to copy it over to the /etc/audit/rules.d/ directory: ++
++    cp /usr/share/audit/sample-rules/30-ospp-v42-1-create-success.rules /etc/audit/rules.d/
++    
++ ++ Load new Audit rules into kernel by running: ++
augenrules --load
++ ++ ++rationale: |- ++ Auditing of successful attempts to create a file helps in investigation of actions which happened on the system. ++ ++severity: medium ++ ++identifiers: ++ cce@rhel8: 82829-3 ++ ++references: ++ ospp: FAU_GEN.1.1.c ++ nist: AU-2(a) ++ srg: SRG-OS-000458-GPOS-00203,SRG-OS-000474-GPOS-00219,SRG-OS-000475-GPOS-00220,SRG-OS-000463-GPOS-00207,SRG-OS-000465-GPOS-00209,SRG-OS-000461-GPOS-00205 ++ ++ocil_clause: 'the file does not exist or the content differs' ++ ++ocil: |- ++ To verify that the Audit is correctly configured according to recommended rules, check the content of the file with the following command: ++
cat /etc/audit/rules.d/30-ospp-v42-1-create-success.rules
++ The output has to be exactly as follows: ++
{{{ file_contents_audit_create_success|indent }}}    
++ ++template: ++ name: audit_file_contents ++ vars: ++ filepath: /etc/audit/rules.d/30-ospp-v42-1-create-success.rules ++ contents: |+ ++ {{{ file_contents_audit_create_success|indent(12) }}} +diff --git a/linux_os/guide/system/auditing/policy_rules/audit_create_success/tests/correct_rules.pass.sh b/linux_os/guide/system/auditing/policy_rules/audit_create_success/tests/correct_rules.pass.sh +new file mode 100644 +index 000000000..dcc4afe73 +--- /dev/null ++++ b/linux_os/guide/system/auditing/policy_rules/audit_create_success/tests/correct_rules.pass.sh +@@ -0,0 +1 @@ ++cp $SHARED/audit/30-ospp-v42-1-create-success.rules /etc/audit/rules.d/ +diff --git a/linux_os/guide/system/auditing/policy_rules/audit_delete_failed/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_delete_failed/rule.yml +new file mode 100644 +index 000000000..b9084f217 +--- /dev/null ++++ b/linux_os/guide/system/auditing/policy_rules/audit_delete_failed/rule.yml +@@ -0,0 +1,58 @@ ++documentation_complete: true ++ ++prodtype: rhel8 ++ ++title: 'Configure auditing of unsuccessful file deletions' ++ ++{{% set file_contents_audit_delete_failed = ++"## Unsuccessful file delete ++-a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete ++-a always,exit -F arch=b64 -S unlink,unlinkat,rename,renameat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete ++-a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete ++-a always,exit -F arch=b64 -S unlink,unlinkat,rename,renameat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete ++" %}} ++ ++description: |- ++ Ensure that unsuccessful attempts to delete a file are audited. ++ ++ The following rules configure audit as described above: ++
{{{ file_contents_audit_delete_failed|indent }}}    
++ ++ The Audit package provides pre-configured rules in /usr/share/audit/sample-rules. The above content can be found in /usr/share/audit/sample-rules/30-ospp-v42-4-delete-failed.rules. ++ To deploy this configuration, it is recommended to copy it over to the /etc/audit/rules.d/ directory: ++
++    cp /usr/share/audit/sample-rules/30-ospp-v42-4-delete-failed.rules /etc/audit/rules.d/
++    
++ ++ Load new Audit rules into kernel by running: ++
augenrules --load
++ ++ Note: This rule utilizes a file provided by Audit package to comply with OSPP 4.2.1. You may reuse this rule in different profiles. If you decide to do so, it is recommended that you inspect contents of the file closely and make sure that they are alligned with your needs. ++ ++rationale: |- ++ Unsuccessful attempts to delete a file might be signs of malicious activities. Auditing of such events help in monitoring and investigating of such activities. ++ ++severity: medium ++ ++identifiers: ++ cce@rhel8: 82835-0 ++ ++references: ++ ospp: FAU_GEN.1.1.c ++ nist: AU-2(a) ++ srg: SRG-OS-000458-GPOS-00203,SRG-OS-000474-GPOS-00219,SRG-OS-000475-GPOS-00220,SRG-OS-000463-GPOS-00207,SRG-OS-000465-GPOS-00209,SRG-OS-000461-GPOS-00205,SRG-OS-000468-GPOS-00212,SRG-OS-000467-GPOS-00211 ++ ++ocil_clause: 'the file does not exist or the content differs' ++ ++ocil: |- ++ To verify that the Audit is correctly configured according to recommended rules, check the content of the file with the following command: ++
cat /etc/audit/rules.d/30-ospp-v42-4-delete-failed.rules
++ The output has to be exactly as follows: ++
{{{ file_contents_audit_delete_failed|indent }}}    
++ ++template: ++ name: audit_file_contents ++ vars: ++ filepath: /etc/audit/rules.d/30-ospp-v42-4-delete-failed.rules ++ contents: |+ ++ {{{ file_contents_audit_delete_failed|indent(12) }}} +diff --git a/linux_os/guide/system/auditing/policy_rules/audit_delete_failed/tests/correct_rules.pass.sh b/linux_os/guide/system/auditing/policy_rules/audit_delete_failed/tests/correct_rules.pass.sh +new file mode 100644 +index 000000000..9ae890203 +--- /dev/null ++++ b/linux_os/guide/system/auditing/policy_rules/audit_delete_failed/tests/correct_rules.pass.sh +@@ -0,0 +1 @@ ++cp $SHARED/audit/30-ospp-v42-4-delete-failed.rules /etc/audit/rules.d/ +diff --git a/linux_os/guide/system/auditing/policy_rules/audit_delete_success/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_delete_success/rule.yml +new file mode 100644 +index 000000000..7d445d751 +--- /dev/null ++++ b/linux_os/guide/system/auditing/policy_rules/audit_delete_success/rule.yml +@@ -0,0 +1,57 @@ ++documentation_complete: true ++ ++prodtype: rhel8 ++ ++title: 'Configure auditing of successful file deletions' ++ ++{{% set file_contents_audit_delete_success = ++"## Successful file delete ++-a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-delete ++-a always,exit -F arch=b64 -S unlink,unlinkat,rename,renameat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-delete ++" %}} ++ ++description: |- ++ Ensure that successful attempts to delete a file are audited. ++ ++ The following rules configure audit as described above: ++
{{{ file_contents_audit_delete_success|indent }}}    
++ ++ The Audit package provides pre-configured rules in /usr/share/audit/sample-rules. The above content can be found in /usr/share/audit/sample-rules/30-ospp-v42-4-delete-success.rules. ++ To deploy this configuration, it is recommended to copy it over to the /etc/audit/rules.d/ directory: ++
++    cp /usr/share/audit/sample-rules/30-ospp-v42-4-delete-success.rules /etc/audit/rules.d/
++    
++ ++ Load new Audit rules into kernel by running: ++
augenrules --load
++ ++ Note: This rule utilizes a file provided by Audit package to comply with OSPP 4.2.1. You may reuse this rule in different profiles. If you decide to do so, it is recommended that you inspect contents of the file closely and make sure that they are alligned with your needs. ++ ++ ++rationale: |- ++ Auditing of successful attempts to delete a file may help in monitoring and investigation of activities performed on the system. ++ ++severity: medium ++ ++identifiers: ++ cce@rhel8: 82836-8 ++ ++references: ++ ospp: FAU_GEN.1.1.c ++ nist: AU-2(a) ++ srg: SRG-OS-000458-GPOS-00203,SRG-OS-000474-GPOS-00219,SRG-OS-000475-GPOS-00220,SRG-OS-000463-GPOS-00207,SRG-OS-000465-GPOS-00209,SRG-OS-000461-GPOS-00205,SRG-OS-000468-GPOS-00212,SRG-OS-000467-GPOS-00211 ++ ++ocil_clause: 'the file does not exist or the content differs' ++ ++ocil: |- ++ To verify that the Audit is correctly configured according to recommended rules, check the content of the file with the following command: ++
cat /etc/audit/rules.d/30-ospp-v42-4-delete-success.rules
++ The output has to be exactly as follows: ++
{{{ file_contents_audit_delete_success|indent }}}    
++ ++template: ++ name: audit_file_contents ++ vars: ++ filepath: /etc/audit/rules.d/30-ospp-v42-4-delete-success.rules ++ contents: |+ ++ {{{ file_contents_audit_delete_success|indent(12) }}} +diff --git a/linux_os/guide/system/auditing/policy_rules/audit_delete_success/tests/correct_rules.pass.sh b/linux_os/guide/system/auditing/policy_rules/audit_delete_success/tests/correct_rules.pass.sh +new file mode 100644 +index 000000000..0a348baf6 +--- /dev/null ++++ b/linux_os/guide/system/auditing/policy_rules/audit_delete_success/tests/correct_rules.pass.sh +@@ -0,0 +1 @@ ++cp $SHARED/audit/30-ospp-v42-4-delete-success.rules /etc/audit/rules.d/ +diff --git a/linux_os/guide/system/auditing/policy_rules/audit_delete_success/tests/failed_delete_rules.fail.sh b/linux_os/guide/system/auditing/policy_rules/audit_delete_success/tests/failed_delete_rules.fail.sh +new file mode 100644 +index 000000000..9ae890203 +--- /dev/null ++++ b/linux_os/guide/system/auditing/policy_rules/audit_delete_success/tests/failed_delete_rules.fail.sh +@@ -0,0 +1 @@ ++cp $SHARED/audit/30-ospp-v42-4-delete-failed.rules /etc/audit/rules.d/ +diff --git a/linux_os/guide/system/auditing/policy_rules/audit_delete_success/tests/no_rule.fail.sh b/linux_os/guide/system/auditing/policy_rules/audit_delete_success/tests/no_rule.fail.sh +new file mode 100644 +index 000000000..3acb94ab6 +--- /dev/null ++++ b/linux_os/guide/system/auditing/policy_rules/audit_delete_success/tests/no_rule.fail.sh +@@ -0,0 +1 @@ ++rm -f /etc/audit/rules.d/30-ospp-v42-4-delete-success.rules. +diff --git a/linux_os/guide/system/auditing/policy_rules/audit_immutable_login_uids/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_immutable_login_uids/rule.yml +new file mode 100644 +index 000000000..eb87848e8 +--- /dev/null ++++ b/linux_os/guide/system/auditing/policy_rules/audit_immutable_login_uids/rule.yml +@@ -0,0 +1,54 @@ ++documentation_complete: true ++ ++prodtype: rhel8 ++ ++title: 'Configure immutable Audit login UIDs' ++ ++{{% set file_contents_audit_immutable_login = ++"## Make the loginuid immutable. This prevents tampering with the auid. ++--loginuid-immutable ++ ++" %}} ++ ++description: |- ++ Configure kernel to prevent modification of login UIDs once they are set. Changing login UUIDs while this configuration is enforced requires special capabilities which are not available to unprivileged users. ++ ++ The following rules configure audit as described above: ++
{{{ file_contents_audit_immutable_login|indent }}}    
++ ++ The Audit provides pre-configured rules in /usr/share/audit/sample-rules. The above content can be found in /usr/share/audit/sample-rules/11-loginuid.rules. ++ To deploy this configuration, it is recommended to copy it over to the /etc/audit/rules.d/ directory: ++
++    cp /usr/share/audit/sample-rules/11-loginuid.rules /etc/audit/rules.d/
++    
++ ++ Load new Audit rules into kernel by running: ++
augenrules --load
++ ++rationale: |- ++ If modification of login UIDs is not prevented, they can be changed by unprivileged users and make auditing complicated or impossible. ++ ++severity: medium ++ ++identifiers: ++ cce@rhel8: 82828-5 ++ ++references: ++ ospp: FAU_GEN.1.1.c ++ nist: AU-2(a) ++ srg: SRG-OS-000462-GPOS-00206,SRG-OS-000475-GPOS-00220 ++ ++ocil_clause: 'the file does not exist or the content differs' ++ ++ocil: |- ++ To verify that the Audit is correctly configured according to recommended rules, check the content of the file with the following command: ++
cat /etc/audit/rules.d/11-loginuid.rules
++ The output has to be exactly as follows: ++
{{{ file_contents_audit_immutable_login|indent }}}    
++ ++template: ++ name: audit_file_contents ++ vars: ++ filepath: /etc/audit/rules.d/11-loginuid.rules ++ contents: |+ ++ {{{ file_contents_audit_immutable_login|indent(12) }}} +diff --git a/linux_os/guide/system/auditing/policy_rules/audit_immutable_login_uids/tests/correct_rules.pass.sh b/linux_os/guide/system/auditing/policy_rules/audit_immutable_login_uids/tests/correct_rules.pass.sh +new file mode 100644 +index 000000000..42178a67d +--- /dev/null ++++ b/linux_os/guide/system/auditing/policy_rules/audit_immutable_login_uids/tests/correct_rules.pass.sh +@@ -0,0 +1 @@ ++cp $SHARED/audit/11-loginuid.rules /etc/audit/rules.d/ +diff --git a/linux_os/guide/system/auditing/policy_rules/audit_modify_failed/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_modify_failed/rule.yml +new file mode 100644 +index 000000000..e9a24d9f5 +--- /dev/null ++++ b/linux_os/guide/system/auditing/policy_rules/audit_modify_failed/rule.yml +@@ -0,0 +1,66 @@ ++documentation_complete: true ++ ++prodtype: rhel8 ++ ++title: 'Configure auditing of unsuccessful file modifications' ++ ++{{% set file_contents_audit_modify_failed = ++"## Unsuccessful file modifications (open for write or truncate) ++-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification ++-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification ++-a always,exit -F arch=b32 -S open -F a1&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification ++-a always,exit -F arch=b64 -S open -F a1&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification ++-a always,exit -F arch=b32 -S truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification ++-a always,exit -F arch=b64 -S truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification ++-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification ++-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification ++-a always,exit -F arch=b32 -S open -F a1&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification ++-a always,exit -F arch=b64 -S open -F a1&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification ++-a always,exit -F arch=b32 -S truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification ++-a always,exit -F arch=b64 -S truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification ++" %}} ++ ++description: |- ++ Ensure that unsuccessful attempts to modify a file are audited. ++ ++ The following rules configure audit as described above: ++
{{{ file_contents_audit_modify_failed|indent }}}    
++ ++ The Audit package provides pre-configured rules in /usr/share/audit/sample-rules. The above content can be found in /usr/share/audit/sample-rules/30-ospp-v42-2-modify-failed.rules. ++ To deploy this configuration, it is recommended to copy it over to the /etc/audit/rules.d/ directory: ++
++    cp /usr/share/audit/sample-rules/30-ospp-v42-2-modify-failed.rules /etc/audit/rules.d/
++    
++ ++ Load new Audit rules into kernel by running: ++
augenrules --load
++ ++ Note: This rule utilizes a file provided by Audit package to comply with OSPP 4.2.1. You may reuse this rule in different profiles. If you decide to do so, it is recommended that you inspect contents of the file closely and make sure that they are alligned with your needs. ++ ++rationale: |- ++ Unsuccessful file modifications might be a sign of a malicious action being performed on the system. Auditing of such events helps in detection and investigation of such actions. ++ ++severity: medium ++ ++identifiers: ++ cce@rhel8: 82830-1 ++ ++references: ++ ospp: FAU_GEN.1.1.c ++ nist: AU-2(a) ++ srg: SRG-OS-000458-GPOS-00203,SRG-OS-000474-GPOS-00219,SRG-OS-000475-GPOS-00220,SRG-OS-000463-GPOS-00207,SRG-OS-000465-GPOS-00209,SRG-OS-000461-GPOS-00205 ++ ++ocil_clause: 'the file does not exist or the content differs' ++ ++ocil: |- ++ To verify that the Audit is correctly configured according to recommended rules, check the content of the file with the following command: ++
cat /etc/audit/rules.d/30-ospp-v42-2-modify-failed.rules
++ The output has to be exactly as follows: ++
{{{ file_contents_audit_modify_failed|indent }}}    
++ ++template: ++ name: audit_file_contents ++ vars: ++ filepath: /etc/audit/rules.d/30-ospp-v42-2-modify-failed.rules ++ contents: |+ ++ {{{ file_contents_audit_modify_failed|indent(12) }}} +diff --git a/linux_os/guide/system/auditing/policy_rules/audit_modify_failed/tests/correct_rules.pass.sh b/linux_os/guide/system/auditing/policy_rules/audit_modify_failed/tests/correct_rules.pass.sh +new file mode 100644 +index 000000000..58a11a63c +--- /dev/null ++++ b/linux_os/guide/system/auditing/policy_rules/audit_modify_failed/tests/correct_rules.pass.sh +@@ -0,0 +1 @@ ++cp $SHARED/audit/30-ospp-v42-2-modify-failed.rules /etc/audit/rules.d/ +diff --git a/linux_os/guide/system/auditing/policy_rules/audit_modify_success/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_modify_success/rule.yml +new file mode 100644 +index 000000000..71c313ece +--- /dev/null ++++ b/linux_os/guide/system/auditing/policy_rules/audit_modify_success/rule.yml +@@ -0,0 +1,61 @@ ++documentation_complete: true ++ ++prodtype: rhel8 ++ ++title: 'Configure auditing of successful file modifications' ++ ++{{% set file_contents_audit_modify_success = ++"## Successful file modifications (open for write or truncate) ++-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&01003 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-modification ++-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&01003 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-modification ++-a always,exit -F arch=b32 -S open -F a1&01003 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-modification ++-a always,exit -F arch=b64 -S open -F a1&01003 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-modification ++-a always,exit -F arch=b32 -S truncate,ftruncate -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-modification ++-a always,exit -F arch=b64 -S truncate,ftruncate -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-modification ++" %}} ++ ++description: |- ++ Ensure that successful attempts to modify a file are audited. ++ ++ The following rules configure audit as described above: ++
{{{ file_contents_audit_modify_success|indent }}}    
++ ++ The Audit package provides pre-configured rules in /usr/share/audit/sample-rules. The above content can be found in /usr/share/audit/sample-rules/30-ospp-v42-2-modify-success.rules. ++ To deploy this configuration, it is recommended to copy it over to the /etc/audit/rules.d/ directory: ++
++    cp /usr/share/audit/sample-rules/30-ospp-v42-2-modify-success.rules /etc/audit/rules.d/
++    
++ ++ Load new Audit rules into kernel by running: ++
augenrules --load
++ ++ Note: This rule utilizes a file provided by Audit package to comply with OSPP 4.2.1. You may reuse this rule in different profiles. If you decide to do so, it is recommended that you inspect contents of the file closely and make sure that they are alligned with your needs. ++ ++ ++rationale: |- ++ Auditing of successful attempts to modify a file helps in investigation of actions which happened on the system. ++ ++severity: medium ++ ++identifiers: ++ cce@rhel8: 82832-7 ++ ++references: ++ ospp: FAU_GEN.1.1.c ++ nist: AU-2(a) ++ srg: SRG-OS-000458-GPOS-00203,SRG-OS-000474-GPOS-00219,SRG-OS-000475-GPOS-00220,SRG-OS-000463-GPOS-00207,SRG-OS-000465-GPOS-00209,SRG-OS-000461-GPOS-00205 ++ ++ocil_clause: 'the file does not exist or the content differs' ++ ++ocil: |- ++ To verify that the Audit is correctly configured according to recommended rules, check the content of the file with the following command: ++
cat /etc/audit/rules.d/30-ospp-v42-2-modify-success.rules
++ The output has to be exactly as follows: ++
{{{ file_contents_audit_modify_success|indent }}}    
++ ++template: ++ name: audit_file_contents ++ vars: ++ filepath: /etc/audit/rules.d/30-ospp-v42-2-modify-success.rules ++ contents: |+ ++ {{{ file_contents_audit_modify_success|indent(12) }}} +diff --git a/linux_os/guide/system/auditing/policy_rules/audit_modify_success/tests/correct_rules.pass.sh b/linux_os/guide/system/auditing/policy_rules/audit_modify_success/tests/correct_rules.pass.sh +new file mode 100644 +index 000000000..163ffa5db +--- /dev/null ++++ b/linux_os/guide/system/auditing/policy_rules/audit_modify_success/tests/correct_rules.pass.sh +@@ -0,0 +1 @@ ++cp $SHARED/audit/30-ospp-v42-2-modify-success.rules /etc/audit/rules.d/ +diff --git a/linux_os/guide/system/auditing/policy_rules/audit_module_load/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_module_load/rule.yml +new file mode 100644 +index 000000000..30be01ce0 +--- /dev/null ++++ b/linux_os/guide/system/auditing/policy_rules/audit_module_load/rule.yml +@@ -0,0 +1,58 @@ ++documentation_complete: true ++ ++prodtype: rhel8 ++ ++title: 'Configure auditing of loading and unloading of kernel modules' ++ ++{{% set file_contents_audit_module_load = ++"## These rules watch for kernel module insertion. By monitoring ++## the syscall, we do not need any watches on programs. ++-a always,exit -F arch=b32 -S init_module,finit_module -F key=module-load ++-a always,exit -F arch=b64 -S init_module,finit_module -F key=module-load ++-a always,exit -F arch=b32 -S delete_module -F key=module-unload ++-a always,exit -F arch=b64 -S delete_module -F key=module-unload ++" %}} ++ ++description: |- ++ Ensure that loading and unloading of kernel modules is audited. ++ ++ The following rules configure audit as described above: ++
{{{ file_contents_audit_module_load|indent }}}    
++ ++ The Audit package provides pre-configured rules in /usr/share/audit/sample-rules. The above content can be found in /usr/share/audit/sample-rules/43-module-load.rules. ++ To deploy this configuration, it is recommended to copy it over to the /etc/audit/rules.d/ directory: ++
++    cp /usr/share/audit/sample-rules/43-module-load.rules /etc/audit/rules.d/
++    
++ ++ Load new Audit rules into kernel by running: ++
augenrules --load
++ ++ ++rationale: |- ++ Loading of a malicious kernel module introduces a risk to the system, as the module has access to sensitive data and perform actions at the operating system kernel level. Having such events audited helps in monitoring and investigating of malicious activities. ++ ++severity: medium ++ ++identifiers: ++ cce@rhel8: 82838-4 ++ ++references: ++ ospp: FAU_GEN.1.1.c ++ nist: AU-2(a) ++ srg: SRG-OS-000471-GPOS-00216,SRG-OS-000477-GPOS-00222,SRG-OS-000475-GPOS-00220 ++ ++ocil_clause: 'the file does not exist or the content differs' ++ ++ocil: |- ++ To verify that the Audit is correctly configured according to recommended rules, check the content of the file with the following command: ++
cat /etc/audit/rules.d/43-module-load.rules
++ The output has to be exactly as follows: ++
{{{ file_contents_audit_module_load|indent }}}    
++ ++template: ++ name: audit_file_contents ++ vars: ++ filepath: /etc/audit/rules.d/43-module-load.rules ++ contents: |+ ++ {{{ file_contents_audit_module_load|indent(12) }}} +diff --git a/linux_os/guide/system/auditing/policy_rules/audit_module_load/tests/correct_rules.pass.sh b/linux_os/guide/system/auditing/policy_rules/audit_module_load/tests/correct_rules.pass.sh +new file mode 100644 +index 000000000..c2d651e4c +--- /dev/null ++++ b/linux_os/guide/system/auditing/policy_rules/audit_module_load/tests/correct_rules.pass.sh +@@ -0,0 +1 @@ ++cp $SHARED/audit/43-module-load.rules /etc/audit/rules.d/ +diff --git a/linux_os/guide/system/auditing/policy_rules/audit_ospp_general/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_ospp_general/rule.yml +new file mode 100644 +index 000000000..0649e0682 +--- /dev/null ++++ b/linux_os/guide/system/auditing/policy_rules/audit_ospp_general/rule.yml +@@ -0,0 +1,138 @@ ++documentation_complete: true ++ ++prodtype: rhel8 ++ ++title: 'Perform general configuration of Audit for OSPP' ++ ++{{% set file_contents_audit_ospp_general = ++"## The purpose of these rules is to meet the requirements for Operating ++## System Protection Profile (OSPP)v4.2. These rules depends on having ++## the following rule files copied to /etc/audit/rules.d: ++## ++## 10-base-config.rules, 11-loginuid.rules, ++## 30-ospp-v42-1-create-failed.rules, 30-ospp-v42-1-create-success.rules, ++## 30-ospp-v42-2-modify-failed.rules, 30-ospp-v42-2-modify-success.rules, ++## 30-ospp-v42-3-access-failed.rules, 30-ospp-v42-3-access-success.rules, ++## 30-ospp-v42-4-delete-failed.rules, 30-ospp-v42-4-delete-success.rules, ++## 30-ospp-v42-5-perm-change-failed.rules, ++## 30-ospp-v42-5-perm-change-success.rules, ++## 30-ospp-v42-6-owner-change-failed.rules, ++## 30-ospp-v42-6-owner-change-success.rules ++## ++## original copies may be found in /usr/share/audit/sample-rules/ ++ ++ ++## User add delete modify. This is covered by pam. However, someone could ++## open a file and directly create or modify a user, so we'll watch passwd and ++## shadow for writes ++-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=user-modify ++-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=user-modify ++-a always,exit -F arch=b32 -S open -F a1&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=user-modify ++-a always,exit -F arch=b64 -S open -F a1&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=user-modify ++-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=user-modify ++-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=user-modify ++-a always,exit -F arch=b32 -S open -F a1&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=user-modify ++-a always,exit -F arch=b64 -S open -F a1&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=user-modify ++ ++## User enable and disable. This is entirely handled by pam. ++ ++## Group add delete modify. This is covered by pam. However, someone could ++## open a file and directly create or modify a user, so we'll watch group and ++## gshadow for writes ++-a always,exit -F path=/etc/passwd -F perm=wa -F auid>=1000 -F auid!=unset -F key=user-modify ++-a always,exit -F path=/etc/shadow -F perm=wa -F auid>=1000 -F auid!=unset -F key=user-modify ++-a always,exit -F path=/etc/group -F perm=wa -F auid>=1000 -F auid!=unset -F key=group-modify ++-a always,exit -F path=/etc/gshadow -F perm=wa -F auid>=1000 -F auid!=unset -F key=group-modify ++ ++ ++## Use of special rights for config changes. This would be use of setuid ++## programs that relate to user accts. This is not all setuid apps because ++## requirements are only for ones that affect system configuration. ++-a always,exit -F path=/usr/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes ++-a always,exit -F path=/usr/sbin/usernetctl -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes ++-a always,exit -F path=/usr/sbin/userhelper -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes ++-a always,exit -F path=/usr/sbin/seunshare -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes ++-a always,exit -F path=/usr/bin/mount -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes ++-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes ++-a always,exit -F path=/usr/bin/newuidmap -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes ++-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes ++-a always,exit -F path=/usr/bin/newgidmap -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes ++-a always,exit -F path=/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes ++-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes ++-a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes ++-a always,exit -F path=/usr/bin/at -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes ++ ++## Privilege escalation via su or sudo. This is entirely handled by pam. ++ ++## Audit log access ++-a always,exit -F dir=/var/log/audit/ -F perm=r -F auid>=1000 -F auid!=unset -F key=access-audit-trail ++## Attempts to Alter Process and Session Initiation Information ++-a always,exit -F path=/var/run/utmp -F perm=wa -F auid>=1000 -F auid!=unset -F key=session ++-a always,exit -F path=/var/log/btmp -F perm=wa -F auid>=1000 -F auid!=unset -F key=session ++-a always,exit -F path=/var/log/wtmp -F perm=wa -F auid>=1000 -F auid!=unset -F key=session ++ ++## Attempts to modify MAC controls ++-a always,exit -F dir=/etc/selinux/ -F perm=wa -F auid>=1000 -F auid!=unset -F key=MAC-policy ++ ++## Software updates. This is entirely handled by rpm. ++ ++## System start and shutdown. This is entirely handled by systemd ++ ++## Kernel Module loading. This is handled in 43-module-load.rules ++ ++## Application invocation. The requirements list an optional requirement ++## FPT_SRP_EXT.1 Software Restriction Policies. This event is intended to ++## state results from that policy. This would be handled entirely by ++## that daemon. ++ ++" %}} ++ ++description: |- ++ Configure some basic Audit parameters specific for OSPP profile. ++ In particular, configure Audit to watch for direct modification of files storing system user and group information, and usage of applications with special rights which can change system configuration. ++ Further audited events include access to audit log it self, attempts to Alter Process and Session Initiation Information, and attempts to modify MAC controls. ++ ++ ++ The following rules configure audit as described above: ++
{{{ file_contents_audit_ospp_general|indent }}}    
++ ++ The Audit package provides pre-configured rules in /usr/share/audit/sample-rules. The above content can be found in /usr/share/audit/sample-rules/30-ospp-v42.rules. ++ To deploy this configuration, it is recommended to copy it over to the /etc/audit/rules.d/ directory: ++
++    cp /usr/share/audit/sample-rules/30-ospp-v42.rules /etc/audit/rules.d/
++    
++ ++ Load new Audit rules into kernel by running: ++
augenrules --load
++ ++ Note: This rule utilizes a file provided by Audit package to comply with OSPP 4.2.1. You may reuse this rule in different profiles. If you decide to do so, it is recommended that you inspect contents of the file closely and make sure that they are alligned with your needs. ++ ++ ++ ++rationale: |- ++ Auditing of events listed in the description provides data for monitoring and investigation of potentially malicious events e.g. tampering with Audit logs, malicious access to files storing information about system users and groups etc. ++ ++severity: medium ++ ++identifiers: ++ cce@rhel8: 82373-2 ++ ++references: ++ ospp: FAU_GEN.1.1.c ++ nist: AU-2(a) ++ srg: SRG-OS-000004-GPOS-00004,SRG-OS-000241-GPOS-00091,SRG-OS-000476-GPOS-00221,SRG-OS-000327-GPOS-00127,SRG-OS-000475-GPOS-00220,SRG-OS-000239-GPOS-00089,SRG-OS-000274-GPOS-00104,SRG-OS-000275-GPOS-00105,SRG-OS-000303-GPOS-00120,SRG-OS-000304-GPOS-00121 ++ ++ocil_clause: 'the file does not exist or the content differs' ++ ++ocil: |- ++ To verify that the Audit is correctly configured according to recommended rules, check the content of the file with the following command: ++
cat /etc/audit/rules.d/30-ospp-v42.rules
++ The output has to be exactly as follows: ++
{{{ file_contents_audit_ospp_general|indent }}}    
++ ++template: ++ name: audit_file_contents ++ vars: ++ filepath: /etc/audit/rules.d/30-ospp-v42.rules ++ contents: |+ ++ {{{ file_contents_audit_ospp_general|indent(12) }}} +diff --git a/linux_os/guide/system/auditing/policy_rules/audit_ospp_general/tests/correct_rules.pass.sh b/linux_os/guide/system/auditing/policy_rules/audit_ospp_general/tests/correct_rules.pass.sh +new file mode 100644 +index 000000000..dcf3a88a6 +--- /dev/null ++++ b/linux_os/guide/system/auditing/policy_rules/audit_ospp_general/tests/correct_rules.pass.sh +@@ -0,0 +1 @@ ++cp $SHARED/audit/30-ospp-v42.rules /etc/audit/rules.d/ +diff --git a/linux_os/guide/system/auditing/policy_rules/audit_owner_change_failed/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_owner_change_failed/rule.yml +new file mode 100644 +index 000000000..1068fb8a9 +--- /dev/null ++++ b/linux_os/guide/system/auditing/policy_rules/audit_owner_change_failed/rule.yml +@@ -0,0 +1,59 @@ ++documentation_complete: true ++ ++prodtype: rhel8 ++ ++title: 'Configure auditing of unsuccessful ownership changes' ++ ++{{% set file_contents_audit_owner_change_failed = ++"## Unsuccessful ownership change ++-a always,exit -F arch=b32 -S lchown,fchown,chown,fchownat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-owner-change ++-a always,exit -F arch=b64 -S lchown,fchown,chown,fchownat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-owner-change ++-a always,exit -F arch=b32 -S lchown,fchown,chown,fchownat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-owner-change ++-a always,exit -F arch=b64 -S lchown,fchown,chown,fchownat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-owner-change ++" %}} ++ ++description: |- ++ Ensure that unsuccessful attempts to change an ownership of files or directories are audited. ++ ++ The following rules configure audit as described above: ++
{{{ file_contents_audit_owner_change_failed|indent }}}    
++ ++ The Audit package provides pre-configured rules in /usr/share/audit/sample-rules. The above content can be found in /usr/share/audit/sample-rules/30-ospp-v42-6-owner-change-failed.rules. ++ To deploy this configuration, it is recommended to copy it over to the /etc/audit/rules.d/ directory: ++
++    cp /usr/share/audit/sample-rules/30-ospp-v42-6-owner-change-failed.rules /etc/audit/rules.d/
++    
++ ++ Load new Audit rules into kernel by running: ++
augenrules --load
++ ++ Note: This rule utilizes a file provided by Audit package to comply with OSPP 4.2.1. You may reuse this rule in different profiles. If you decide to do so, it is recommended that you inspect contents of the file closely and make sure that they are alligned with your needs. ++ ++ ++rationale: |- ++ Unsuccessful attempts to change an ownership of files or directories might be signs of a malicious activity. Having such events audited helps in monitoring and investigation of such activities. ++ ++severity: medium ++ ++identifiers: ++ cce@rhel8: 82384-9 ++ ++references: ++ ospp: FAU_GEN.1.1.c ++ nist: AU-2(a) ++ srg: SRG-OS-000462-GPOS-00206,SRG-OS-000463-GPOS-00207,SRG-OS-000465-GPOS-00209,SRG-OS-000474-GPOS-00219,SRG-OS-000475-GPOS-00220,SRG-OS-000466-GPOS-00210,SRG-OS-000064-GPOS-00033 ++ ++ocil_clause: 'the file does not exist or the content differs' ++ ++ocil: |- ++ To verify that the Audit is correctly configured according to recommended rules, check the content of the file with the following command: ++
cat /etc/audit/rules.d/30-ospp-v42-6-owner-change-failed.rules
++ The output has to be exactly as follows: ++
{{{ file_contents_audit_owner_change_failed|indent }}}    
++ ++template: ++ name: audit_file_contents ++ vars: ++ filepath: /etc/audit/rules.d/30-ospp-v42-6-owner-change-failed.rules ++ contents: |+ ++ {{{ file_contents_audit_owner_change_failed|indent(12) }}} +diff --git a/linux_os/guide/system/auditing/policy_rules/audit_owner_change_failed/tests/correct_rules.pass.sh b/linux_os/guide/system/auditing/policy_rules/audit_owner_change_failed/tests/correct_rules.pass.sh +new file mode 100644 +index 000000000..b5227b4c5 +--- /dev/null ++++ b/linux_os/guide/system/auditing/policy_rules/audit_owner_change_failed/tests/correct_rules.pass.sh +@@ -0,0 +1 @@ ++cp $SHARED/audit/30-ospp-v42-6-owner-change-failed.rules /etc/audit/rules.d/ +diff --git a/linux_os/guide/system/auditing/policy_rules/audit_owner_change_success/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_owner_change_success/rule.yml +new file mode 100644 +index 000000000..6ffa0e4fc +--- /dev/null ++++ b/linux_os/guide/system/auditing/policy_rules/audit_owner_change_success/rule.yml +@@ -0,0 +1,60 @@ ++documentation_complete: true ++ ++prodtype: rhel8 ++ ++title: 'Configure auditing of successful ownership changes' ++ ++{{% set file_contents_audit_owner_change_success = ++"## Successful ownership change ++-a always,exit -F arch=b32 -S lchown,fchown,chown,fchownat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-owner-change ++-a always,exit -F arch=b64 -S lchown,fchown,chown,fchownat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-owner-change ++" %}} ++ ++description: |- ++ Ensure that successful attempts to change an ownership of files or directories are audited. ++ ++ The following rules configure audit as described above: ++
{{{ file_contents_audit_owner_change_success|indent }}}    
++ ++ The Audit package provides pre-configured rules in /usr/share/audit/sample-rules. The above content can be found in /usr/share/audit/sample-rules/30-ospp-v42-6-owner-change-success.rules. ++ To deploy this configuration, it is recommended to copy it over to the /etc/audit/rules.d/ directory: ++
++    cp /usr/share/audit/sample-rules/30-ospp-v42-6-owner-change-success.rules /etc/audit/rules.d/
++    
++ ++ The file has the following SHA-256 checksum: ++
7eb41a6aaf6737c2571b6424fae7fa53af4b41a9115b6c5732a5778ccd9900ad
++ ++ Load new Audit rules into kernel by running: ++
augenrules --load
++ ++ Note: This rule utilizes a file provided by Audit package to comply with OSPP 4.2.1. You may reuse this rule in different profiles. If you decide to do so, it is recommended that you inspect contents of the file closely and make sure that they are alligned with your needs. ++ ++ ++rationale: |- ++ Auditing of successful ownership changes of files or directories helps in monitoring or investingating of activities performed on the system. ++ ++severity: medium ++ ++identifiers: ++ cce@rhel8: 82385-6 ++ ++references: ++ ospp: FAU_GEN.1.1.c ++ nist: AU-2(a) ++ srg: SRG-OS-000462-GPOS-00206,SRG-OS-000463-GPOS-00207,SRG-OS-000465-GPOS-00209,SRG-OS-000474-GPOS-00219,SRG-OS-000475-GPOS-00220,SRG-OS-000466-GPOS-00210,SRG-OS-000064-GPOS-00033 ++ ++ocil_clause: 'the file does not exist or the content differs' ++ ++ocil: |- ++ To verify that the Audit is correctly configured according to recommended rules, check the content of the file with the following command: ++
cat /etc/audit/rules.d/30-ospp-v42-6-owner-change-success.rules
++ The output has to be exactly as follows: ++
{{{ file_contents_audit_owner_change_success|indent }}}    
++ ++template: ++ name: audit_file_contents ++ vars: ++ filepath: /etc/audit/rules.d/30-ospp-v42-6-owner-change-success.rules ++ contents: |+ ++ {{{ file_contents_audit_owner_change_success|indent(12) }}} +diff --git a/linux_os/guide/system/auditing/policy_rules/audit_owner_change_success/tests/correct_rules.pass.sh b/linux_os/guide/system/auditing/policy_rules/audit_owner_change_success/tests/correct_rules.pass.sh +new file mode 100644 +index 000000000..27eaf4a1f +--- /dev/null ++++ b/linux_os/guide/system/auditing/policy_rules/audit_owner_change_success/tests/correct_rules.pass.sh +@@ -0,0 +1 @@ ++cp $SHARED/audit/30-ospp-v42-6-owner-change-success.rules /etc/audit/rules.d/ +diff --git a/linux_os/guide/system/auditing/policy_rules/audit_perm_change_failed/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_perm_change_failed/rule.yml +new file mode 100644 +index 000000000..7be6299cb +--- /dev/null ++++ b/linux_os/guide/system/auditing/policy_rules/audit_perm_change_failed/rule.yml +@@ -0,0 +1,58 @@ ++documentation_complete: true ++ ++prodtype: rhel8 ++ ++title: 'Configure auditing of unsuccessful permission changes' ++ ++{{% set file_contents_audit_perm_change_failed = ++"## Unsuccessful permission change ++-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-perm-change ++-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-perm-change ++-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-perm-change ++-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-perm-change ++" %}} ++ ++description: |- ++ Ensure that unsuccessful attempts to change file or directory permissions are audited. ++ ++ The following rules configure audit as described above: ++
{{{ file_contents_audit_perm_change_failed|indent }}}    
++ ++ The Audit package provides pre-configured rules in /usr/share/audit/sample-rules. The above content can be found in /usr/share/audit/sample-rules/30-ospp-v42-5-perm-change-failed.rules. ++ To deploy this configuration, it is recommended to copy it over to the /etc/audit/rules.d/ directory: ++
++    cp /usr/share/audit/sample-rules/30-ospp-v42-5-perm-change-failed.rules /etc/audit/rules.d/
++    
++ ++ Load new Audit rules into kernel by running: ++
augenrules --load
++ ++ Note: This rule utilizes a file provided by Audit package to comply with OSPP 4.2.1. You may reuse this rule in different profiles. If you decide to do so, it is recommended that you inspect contents of the file closely and make sure that they are alligned with your needs. ++ ++rationale: |- ++ Unsuccessful attempts to change permissions of files or directories might be signs of malicious activity. Having such events audited helps in monitoring and investigation of such activities. ++ ++severity: medium ++ ++identifiers: ++ cce@rhel8: 82837-6 ++ ++references: ++ ospp: FAU_GEN.1.1.c ++ nist: AU-2(a) ++ srg: SRG-OS-000462-GPOS-00206,SRG-OS-000463-GPOS-00207,SRG-OS-000465-GPOS-00209,SRG-OS-000474-GPOS-00219,SRG-OS-000475-GPOS-00220,SRG-OS-000466-GPOS-00210,SRG-OS-000064-GPOS-00033 ++ ++ocil_clause: 'the file does not exist or the content differs' ++ ++ocil: |- ++ To verify that the Audit is correctly configured according to recommended rules, check the content of the file with the following command: ++
cat /etc/audit/rules.d/30-ospp-v42-5-perm-change-failed.rules
++ The output has to be exactly as follows: ++
{{{ file_contents_audit_perm_change_failed|indent }}}    
++ ++template: ++ name: audit_file_contents ++ vars: ++ filepath: /etc/audit/rules.d/30-ospp-v42-5-perm-change-failed.rules ++ contents: |+ ++ {{{ file_contents_audit_perm_change_failed|indent(12) }}} +diff --git a/linux_os/guide/system/auditing/policy_rules/audit_perm_change_failed/tests/correct_rules.pass.sh b/linux_os/guide/system/auditing/policy_rules/audit_perm_change_failed/tests/correct_rules.pass.sh +new file mode 100644 +index 000000000..149fda66d +--- /dev/null ++++ b/linux_os/guide/system/auditing/policy_rules/audit_perm_change_failed/tests/correct_rules.pass.sh +@@ -0,0 +1 @@ ++cp $SHARED/audit/30-ospp-v42-5-perm-change-failed.rules /etc/audit/rules.d/ +diff --git a/linux_os/guide/system/auditing/policy_rules/audit_perm_change_success/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_perm_change_success/rule.yml +new file mode 100644 +index 000000000..e2a247370 +--- /dev/null ++++ b/linux_os/guide/system/auditing/policy_rules/audit_perm_change_success/rule.yml +@@ -0,0 +1,57 @@ ++documentation_complete: true ++ ++prodtype: rhel8 ++ ++title: 'Configure auditing of successful permission changes' ++ ++{{% set file_contents_audit_perm_change_success = ++"## Successful permission change ++-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-perm-change ++-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-perm-change ++" %}} ++ ++description: |- ++ Ensure that successful attempts to modify permissions of iles or directories are audited. ++ ++ The following rules configure audit as described above: ++
{{{ file_contents_audit_perm_change_success|indent }}}    
++ ++ The Audit package provides pre-configured rules in /usr/share/audit/sample-rules. The above content can be found in /usr/share/audit/sample-rules/30-ospp-v42-5-perm-change-success.rules. ++ To deploy this configuration, it is recommended to copy it over to the /etc/audit/rules.d/ directory: ++
++    cp /usr/share/audit/sample-rules/30-ospp-v42-5-perm-change-success.rules /etc/audit/rules.d/
++    
++ ++ Load new Audit rules into kernel by running: ++
augenrules --load
++ ++ Note: This rule utilizes a file provided by Audit package to comply with OSPP 4.2.1. You may reuse this rule in different profiles. If you decide to do so, it is recommended that you inspect contents of the file closely and make sure that they are alligned with your needs. ++ ++ ++rationale: |- ++ Auditing successful file or directory permission changes helps in monitoring and investigating of activities performed on the system. ++ ++severity: medium ++ ++identifiers: ++ cce@rhel8: 82383-1 ++ ++references: ++ ospp: FAU_GEN.1.1.c ++ nist: AU-2(a) ++ srg: SRG-OS-000462-GPOS-00206,SRG-OS-000463-GPOS-00207,SRG-OS-000465-GPOS-00209,SRG-OS-000474-GPOS-00219,SRG-OS-000475-GPOS-00220,SRG-OS-000466-GPOS-00210,SRG-OS-000064-GPOS-00033 ++ ++ocil_clause: 'the file does not exist or the content differs' ++ ++ocil: |- ++ To verify that the Audit is correctly configured according to recommended rules, check the content of the file with the following command: ++
cat /etc/audit/rules.d/30-ospp-v42-5-perm-change-success.rules
++ The output has to be exactly as follows: ++
{{{ file_contents_audit_perm_change_success|indent }}}    
++ ++template: ++ name: audit_file_contents ++ vars: ++ filepath: /etc/audit/rules.d/30-ospp-v42-5-perm-change-success.rules ++ contents: |+ ++ {{{ file_contents_audit_perm_change_success|indent(12) }}} +diff --git a/linux_os/guide/system/auditing/policy_rules/audit_perm_change_success/tests/correct_rules.pass.sh b/linux_os/guide/system/auditing/policy_rules/audit_perm_change_success/tests/correct_rules.pass.sh +new file mode 100644 +index 000000000..cfa6c3f90 +--- /dev/null ++++ b/linux_os/guide/system/auditing/policy_rules/audit_perm_change_success/tests/correct_rules.pass.sh +@@ -0,0 +1 @@ ++cp $SHARED/audit/30-ospp-v42-5-perm-change-success.rules /etc/audit/rules.d/ +diff --git a/linux_os/guide/system/auditing/policy_rules/audit_rules_for_ospp/oval/shared.xml b/linux_os/guide/system/auditing/policy_rules/audit_rules_for_ospp/oval/shared.xml +index 9e5b6032f..d25ea0840 100644 +--- a/linux_os/guide/system/auditing/policy_rules/audit_rules_for_ospp/oval/shared.xml ++++ b/linux_os/guide/system/auditing/policy_rules/audit_rules_for_ospp/oval/shared.xml +@@ -1,15 +1,15 @@ + {{% macro audit_file_compare_criterion(file_id) %}} +- ++ + {{% endmacro %}} + + {{% macro audit_file_compare_test(file_id) %}} + +- ++ id="test_compare_{{{ file_id }}}_old" version="1"> ++ + + +- ++ + /etc/audit/rules.d/{{{ file_id }}}.rules + (?:.*\n)* + 1 +diff --git a/rhel8/profiles/ospp.profile b/rhel8/profiles/ospp.profile +index ef3ced501..5d3713ec7 100644 +--- a/rhel8/profiles/ospp.profile ++++ b/rhel8/profiles/ospp.profile +@@ -377,7 +377,22 @@ selections: + ## AU-2(a) / FAU_GEN.1.1.c + ## Audit Kernel Module Loading and Unloading Events (Success/Failure) + ## AU-2(a) / FAU_GEN.1.1.c +- - audit_rules_for_ospp ++ - audit_basic_configuration ++ - audit_immutable_login_uids ++ - audit_create_failed ++ - audit_create_success ++ - audit_modify_failed ++ - audit_modify_success ++ - audit_access_failed ++ - audit_access_success ++ - audit_delete_failed ++ - audit_delete_success ++ - audit_perm_change_failed ++ - audit_perm_change_success ++ - audit_owner_change_failed ++ - audit_owner_change_success ++ - audit_ospp_general ++ - audit_module_load + + ## Enable Automatic Software Updates + ## SI-2 / FMT_MOF_EXT.1 +diff --git a/shared/macros-ansible.jinja b/shared/macros-ansible.jinja +index f752e7a2b..c7fa22113 100644 +--- a/shared/macros-ansible.jinja ++++ b/shared/macros-ansible.jinja +@@ -202,3 +202,18 @@ + {{%- macro ansible_coredump_config_set(msg='', parameter='', value='') %}} + {{{ ansible_set_config_file(msg, "/etc/systemd/coredump.conf", parameter=parameter, value=value, create="no", separator="=", separator_regex="\s*=\s*") }}} + {{%- endmacro %}} ++ ++{{# ++ Generates an Ansible task that puts 'contents' into a file at 'filepath' ++ Parameters: ++ - filepath - filepath of the file to check ++ - contents - contents that should be in the file ++#}} ++{{%- macro ansible_file_contents(filepath='', contents='') %}} ++- name: "Put contents into {{{ filepath }}} according to policy" ++ copy: ++ dest: "{{{ filepath }}}" ++ content: |+ ++ {{{ contents|indent(8) }}} ++ force: yes ++{{%- endmacro %}} +diff --git a/shared/macros-bash.jinja b/shared/macros-bash.jinja +index dc7fd2558..bc522fc1e 100644 +--- a/shared/macros-bash.jinja ++++ b/shared/macros-bash.jinja +@@ -509,3 +509,14 @@ if ! grep -qE '^\s*account\s+required\s+pam_faillock\.so.*$' "{{{ pam_file }}}" + sed -E -i --follow-symlinks '/^\s*account\s*required\s*pam_unix.so/i account required pam_faillock.so' "{{{ pam_file }}}" + fi + {{%- endmacro -%}} ++ ++{{# ++ Generates bash script code that puts 'contents' into a file at 'filepath' ++ Parameters: ++ - filepath - filepath of the file to check ++ - contents - contents that should be in the file ++#}} ++{{%- macro bash_file_contents(filepath='', contents='') %}} ++cat << 'EOF' > {{{ filepath }}} ++{{{ contents }}}EOF ++{{%- endmacro %}} +diff --git a/shared/macros-oval.jinja b/shared/macros-oval.jinja +index 5f391efdc..11752785f 100644 +--- a/shared/macros-oval.jinja ++++ b/shared/macros-oval.jinja +@@ -448,3 +448,44 @@ + ^.*[\s]+{{{ option }}}=.*({{{ value }}}).*([\s]+.*$|$) + + {{%- endmacro -%}} ++ ++{{# ++ Macro which generates OVAL definition, test and object that check for contents ++ of the file. ++ Parameters: ++ - filepath - filepath of the file to check ++ - contents - contents that should be in the file ++#}} ++{{%- macro oval_file_contents(filepath='', filepath_id='', contents='') -%}} ++ ++ ++ ++ Check that contents of {{{ filepath }}} are as expected ++ {{{- oval_affected(products) }}} ++ Inspects the contents of {{{ filepath }}} ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ {{{ filepath }}} ++ ^.*$ ++ 1 ++ ++ ++ ++ {{{ contents }}} ++ ++ ++ ++{{%- endmacro %}} +diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt +index 1733872df..a961f0ec0 100644 +--- a/shared/references/cce-redhat-avail.txt ++++ b/shared/references/cce-redhat-avail.txt +@@ -103,17 +103,6 @@ CCE-82823-6 + CCE-82824-4 + CCE-82825-1 + CCE-82826-9 +-CCE-82827-7 +-CCE-82828-5 +-CCE-82829-3 +-CCE-82830-1 +-CCE-82832-7 +-CCE-82833-5 +-CCE-82834-3 +-CCE-82835-0 +-CCE-82836-8 +-CCE-82837-6 +-CCE-82838-4 + CCE-82839-2 + CCE-82841-8 + CCE-82842-6 +diff --git a/shared/templates/template_ANSIBLE_audit_file_contents b/shared/templates/template_ANSIBLE_audit_file_contents +new file mode 100644 +index 000000000..c28527454 +--- /dev/null ++++ b/shared/templates/template_ANSIBLE_audit_file_contents +@@ -0,0 +1,11 @@ ++# platform = multi_platform_all ++# reboot = false ++# strategy = restrict ++# complexity = low ++# disruption = low ++{{{ ++ ansible_file_contents( ++ filepath=FILEPATH, ++ contents=CONTENTS, ++ ) ++}}} +diff --git a/shared/templates/template_BASH_audit_file_contents b/shared/templates/template_BASH_audit_file_contents +new file mode 100644 +index 000000000..f264be6f1 +--- /dev/null ++++ b/shared/templates/template_BASH_audit_file_contents +@@ -0,0 +1,14 @@ ++# platform = multi_platform_all ++# reboot = false ++# strategy = restrict ++# complexity = low ++# disruption = low ++ ++{{{ ++ bash_file_contents( ++ filepath=FILEPATH, ++ contents=CONTENTS, ++ ) ++}}} ++ ++augenrules --load +diff --git a/shared/templates/template_OVAL_audit_file_contents b/shared/templates/template_OVAL_audit_file_contents +new file mode 100644 +index 000000000..02e1b661d +--- /dev/null ++++ b/shared/templates/template_OVAL_audit_file_contents +@@ -0,0 +1,7 @@ ++{{{ ++ oval_file_contents( ++ filepath=FILEPATH, ++ filepath_id=FILEPATH_ID, ++ contents=CONTENTS ++ ) ++}}} +diff --git a/ssg/templates.py b/ssg/templates.py +index 8a96c8ed4..e5ed4890b 100644 +--- a/ssg/templates.py ++++ b/ssg/templates.py +@@ -1,8 +1,10 @@ ++from __future__ import absolute_import + from __future__ import print_function + + import os + import sys + import re ++from xml.sax.saxutils import unescape + + import ssg.build_yaml + +@@ -93,6 +95,10 @@ def audit_rules_privileged_commands(data, lang): + data["path"] = path.replace("/", "\\/") + return data + ++@template(["ansible", "bash", "oval"]) ++def audit_rules_rule_file(data, lang): ++ return data ++ + + @template(["ansible", "bash", "oval"]) + def audit_rules_unsuccessful_file_modification(data, lang): +@@ -124,6 +130,20 @@ def audit_rules_usergroup_modification(data, lang): + return data + + ++@template(["ansible", "bash", "oval"]) ++def audit_file_contents(data, lang): ++ if lang == "oval": ++ pathid = re.sub(r'[-\./]', '_', data["filepath"]) ++ # remove root slash made into '_' ++ pathid = pathid[1:] ++ data["filepath_id"] = pathid ++ ++ # The build system converts "<",">" and "&" for us ++ if lang == "bash" or lang == "ansible": ++ data["contents"] = unescape(data["contents"]) ++ return data ++ ++ + def _file_owner_groupowner_permissions_regex(data): + data["is_directory"] = data["filepath"].endswith("/") + if "missing_file_pass" not in data: +diff --git a/tests/shared/audit/10-base-config.rules b/tests/shared/audit/10-base-config.rules +new file mode 100644 +index 000000000..b86d66f9d +--- /dev/null ++++ b/tests/shared/audit/10-base-config.rules +@@ -0,0 +1,13 @@ ++## First rule - delete all ++-D ++ ++## Increase the buffers to survive stress events. ++## Make this bigger for busy systems ++-b 8192 ++ ++## This determine how long to wait in burst of events ++--backlog_wait_time 60000 ++ ++## Set failure mode to syslog ++-f 1 ++ +diff --git a/tests/shared/audit/11-loginuid.rules b/tests/shared/audit/11-loginuid.rules +new file mode 100644 +index 000000000..9b0a3e98a +--- /dev/null ++++ b/tests/shared/audit/11-loginuid.rules +@@ -0,0 +1,3 @@ ++## Make the loginuid immutable. This prevents tampering with the auid. ++--loginuid-immutable ++ +diff --git a/tests/shared/audit/30-ospp-v42-1-create-failed.rules b/tests/shared/audit/30-ospp-v42-1-create-failed.rules +new file mode 100644 +index 000000000..6aca1b943 +--- /dev/null ++++ b/tests/shared/audit/30-ospp-v42-1-create-failed.rules +@@ -0,0 +1,13 @@ ++## Unsuccessful file creation (open with O_CREAT) ++-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-create ++-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-create ++-a always,exit -F arch=b32 -S open -F a1&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-create ++-a always,exit -F arch=b64 -S open -F a1&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-create ++-a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-create ++-a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-create ++-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-create ++-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-create ++-a always,exit -F arch=b32 -S open -F a1&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-create ++-a always,exit -F arch=b64 -S open -F a1&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-create ++-a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-create ++-a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-create +diff --git a/tests/shared/audit/30-ospp-v42-1-create-success.rules b/tests/shared/audit/30-ospp-v42-1-create-success.rules +new file mode 100644 +index 000000000..4141e3c60 +--- /dev/null ++++ b/tests/shared/audit/30-ospp-v42-1-create-success.rules +@@ -0,0 +1,7 @@ ++## Successful file creation (open with O_CREAT) ++-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&0100 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-create ++-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&0100 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-create ++-a always,exit -F arch=b32 -S open -F a1&0100 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-create ++-a always,exit -F arch=b64 -S open -F a1&0100 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-create ++-a always,exit -F arch=b32 -S creat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-create ++-a always,exit -F arch=b64 -S creat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-create +diff --git a/tests/shared/audit/30-ospp-v42-2-modify-failed.rules b/tests/shared/audit/30-ospp-v42-2-modify-failed.rules +new file mode 100644 +index 000000000..ffe5bfd61 +--- /dev/null ++++ b/tests/shared/audit/30-ospp-v42-2-modify-failed.rules +@@ -0,0 +1,13 @@ ++## Unsuccessful file modifications (open for write or truncate) ++-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification ++-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification ++-a always,exit -F arch=b32 -S open -F a1&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification ++-a always,exit -F arch=b64 -S open -F a1&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification ++-a always,exit -F arch=b32 -S truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification ++-a always,exit -F arch=b64 -S truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification ++-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification ++-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification ++-a always,exit -F arch=b32 -S open -F a1&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification ++-a always,exit -F arch=b64 -S open -F a1&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification ++-a always,exit -F arch=b32 -S truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification ++-a always,exit -F arch=b64 -S truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification +diff --git a/tests/shared/audit/30-ospp-v42-2-modify-success.rules b/tests/shared/audit/30-ospp-v42-2-modify-success.rules +new file mode 100644 +index 000000000..5617e018a +--- /dev/null ++++ b/tests/shared/audit/30-ospp-v42-2-modify-success.rules +@@ -0,0 +1,7 @@ ++## Successful file modifications (open for write or truncate) ++-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&01003 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-modification ++-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&01003 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-modification ++-a always,exit -F arch=b32 -S open -F a1&01003 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-modification ++-a always,exit -F arch=b64 -S open -F a1&01003 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-modification ++-a always,exit -F arch=b32 -S truncate,ftruncate -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-modification ++-a always,exit -F arch=b64 -S truncate,ftruncate -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-modification +diff --git a/tests/shared/audit/30-ospp-v42-3-access-failed.rules b/tests/shared/audit/30-ospp-v42-3-access-failed.rules +new file mode 100644 +index 000000000..a5aad3a95 +--- /dev/null ++++ b/tests/shared/audit/30-ospp-v42-3-access-failed.rules +@@ -0,0 +1,5 @@ ++## Unsuccessful file access (any other opens) This has to go last. ++-a always,exit -F arch=b32 -S open,openat,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-access ++-a always,exit -F arch=b64 -S open,openat,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-access ++-a always,exit -F arch=b32 -S open,openat,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-access ++-a always,exit -F arch=b64 -S open,openat,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-access +diff --git a/tests/shared/audit/30-ospp-v42-3-access-success.rules b/tests/shared/audit/30-ospp-v42-3-access-success.rules +new file mode 100644 +index 000000000..0c8a6b657 +--- /dev/null ++++ b/tests/shared/audit/30-ospp-v42-3-access-success.rules +@@ -0,0 +1,4 @@ ++## Successful file access (any other opens) This has to go last. ++## These next two are likely to result in a whole lot of events ++-a always,exit -F arch=b32 -S open,openat,open_by_handle_at -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-access ++-a always,exit -F arch=b64 -S open,openat,open_by_handle_at -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-access +diff --git a/tests/shared/audit/30-ospp-v42-4-delete-failed.rules b/tests/shared/audit/30-ospp-v42-4-delete-failed.rules +new file mode 100644 +index 000000000..946c9cc17 +--- /dev/null ++++ b/tests/shared/audit/30-ospp-v42-4-delete-failed.rules +@@ -0,0 +1,5 @@ ++## Unsuccessful file delete ++-a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete ++-a always,exit -F arch=b64 -S unlink,unlinkat,rename,renameat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete ++-a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete ++-a always,exit -F arch=b64 -S unlink,unlinkat,rename,renameat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete +diff --git a/tests/shared/audit/30-ospp-v42-4-delete-success.rules b/tests/shared/audit/30-ospp-v42-4-delete-success.rules +new file mode 100644 +index 000000000..7955cdf85 +--- /dev/null ++++ b/tests/shared/audit/30-ospp-v42-4-delete-success.rules +@@ -0,0 +1,3 @@ ++## Successful file delete ++-a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-delete ++-a always,exit -F arch=b64 -S unlink,unlinkat,rename,renameat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-delete +diff --git a/tests/shared/audit/30-ospp-v42-5-perm-change-failed.rules b/tests/shared/audit/30-ospp-v42-5-perm-change-failed.rules +new file mode 100644 +index 000000000..49b9299d5 +--- /dev/null ++++ b/tests/shared/audit/30-ospp-v42-5-perm-change-failed.rules +@@ -0,0 +1,5 @@ ++## Unsuccessful permission change ++-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-perm-change ++-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-perm-change ++-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-perm-change ++-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-perm-change +diff --git a/tests/shared/audit/30-ospp-v42-5-perm-change-success.rules b/tests/shared/audit/30-ospp-v42-5-perm-change-success.rules +new file mode 100644 +index 000000000..52cbac873 +--- /dev/null ++++ b/tests/shared/audit/30-ospp-v42-5-perm-change-success.rules +@@ -0,0 +1,3 @@ ++## Successful permission change ++-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-perm-change ++-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-perm-change +diff --git a/tests/shared/audit/30-ospp-v42-6-owner-change-failed.rules b/tests/shared/audit/30-ospp-v42-6-owner-change-failed.rules +new file mode 100644 +index 000000000..44e7148c2 +--- /dev/null ++++ b/tests/shared/audit/30-ospp-v42-6-owner-change-failed.rules +@@ -0,0 +1,5 @@ ++## Unsuccessful ownership change ++-a always,exit -F arch=b32 -S lchown,fchown,chown,fchownat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-owner-change ++-a always,exit -F arch=b64 -S lchown,fchown,chown,fchownat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-owner-change ++-a always,exit -F arch=b32 -S lchown,fchown,chown,fchownat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-owner-change ++-a always,exit -F arch=b64 -S lchown,fchown,chown,fchownat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-owner-change +diff --git a/tests/shared/audit/30-ospp-v42-6-owner-change-success.rules b/tests/shared/audit/30-ospp-v42-6-owner-change-success.rules +new file mode 100644 +index 000000000..056b706fc +--- /dev/null ++++ b/tests/shared/audit/30-ospp-v42-6-owner-change-success.rules +@@ -0,0 +1,3 @@ ++## Successful ownership change ++-a always,exit -F arch=b32 -S lchown,fchown,chown,fchownat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-owner-change ++-a always,exit -F arch=b64 -S lchown,fchown,chown,fchownat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-owner-change +diff --git a/tests/shared/audit/30-ospp-v42.rules b/tests/shared/audit/30-ospp-v42.rules +new file mode 100644 +index 000000000..3dced1725 +--- /dev/null ++++ b/tests/shared/audit/30-ospp-v42.rules +@@ -0,0 +1,80 @@ ++## The purpose of these rules is to meet the requirements for Operating ++## System Protection Profile (OSPP)v4.2. These rules depends on having ++## the following rule files copied to /etc/audit/rules.d: ++## ++## 10-base-config.rules, 11-loginuid.rules, ++## 30-ospp-v42-1-create-failed.rules, 30-ospp-v42-1-create-success.rules, ++## 30-ospp-v42-2-modify-failed.rules, 30-ospp-v42-2-modify-success.rules, ++## 30-ospp-v42-3-access-failed.rules, 30-ospp-v42-3-access-success.rules, ++## 30-ospp-v42-4-delete-failed.rules, 30-ospp-v42-4-delete-success.rules, ++## 30-ospp-v42-5-perm-change-failed.rules, ++## 30-ospp-v42-5-perm-change-success.rules, ++## 30-ospp-v42-6-owner-change-failed.rules, ++## 30-ospp-v42-6-owner-change-success.rules ++## ++## original copies may be found in /usr/share/audit/sample-rules/ ++ ++ ++## User add delete modify. This is covered by pam. However, someone could ++## open a file and directly create or modify a user, so we'll watch passwd and ++## shadow for writes ++-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=user-modify ++-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=user-modify ++-a always,exit -F arch=b32 -S open -F a1&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=user-modify ++-a always,exit -F arch=b64 -S open -F a1&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=user-modify ++-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=user-modify ++-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=user-modify ++-a always,exit -F arch=b32 -S open -F a1&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=user-modify ++-a always,exit -F arch=b64 -S open -F a1&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=user-modify ++ ++## User enable and disable. This is entirely handled by pam. ++ ++## Group add delete modify. This is covered by pam. However, someone could ++## open a file and directly create or modify a user, so we'll watch group and ++## gshadow for writes ++-a always,exit -F path=/etc/passwd -F perm=wa -F auid>=1000 -F auid!=unset -F key=user-modify ++-a always,exit -F path=/etc/shadow -F perm=wa -F auid>=1000 -F auid!=unset -F key=user-modify ++-a always,exit -F path=/etc/group -F perm=wa -F auid>=1000 -F auid!=unset -F key=group-modify ++-a always,exit -F path=/etc/gshadow -F perm=wa -F auid>=1000 -F auid!=unset -F key=group-modify ++ ++ ++## Use of special rights for config changes. This would be use of setuid ++## programs that relate to user accts. This is not all setuid apps because ++## requirements are only for ones that affect system configuration. ++-a always,exit -F path=/usr/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes ++-a always,exit -F path=/usr/sbin/usernetctl -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes ++-a always,exit -F path=/usr/sbin/userhelper -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes ++-a always,exit -F path=/usr/sbin/seunshare -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes ++-a always,exit -F path=/usr/bin/mount -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes ++-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes ++-a always,exit -F path=/usr/bin/newuidmap -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes ++-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes ++-a always,exit -F path=/usr/bin/newgidmap -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes ++-a always,exit -F path=/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes ++-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes ++-a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes ++-a always,exit -F path=/usr/bin/at -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes ++ ++## Privilege escalation via su or sudo. This is entirely handled by pam. ++ ++## Audit log access ++-a always,exit -F dir=/var/log/audit/ -F perm=r -F auid>=1000 -F auid!=unset -F key=access-audit-trail ++## Attempts to Alter Process and Session Initiation Information ++-a always,exit -F path=/var/run/utmp -F perm=wa -F auid>=1000 -F auid!=unset -F key=session ++-a always,exit -F path=/var/log/btmp -F perm=wa -F auid>=1000 -F auid!=unset -F key=session ++-a always,exit -F path=/var/log/wtmp -F perm=wa -F auid>=1000 -F auid!=unset -F key=session ++ ++## Attempts to modify MAC controls ++-a always,exit -F dir=/etc/selinux/ -F perm=wa -F auid>=1000 -F auid!=unset -F key=MAC-policy ++ ++## Software updates. This is entirely handled by rpm. ++ ++## System start and shutdown. This is entirely handled by systemd ++ ++## Kernel Module loading. This is handled in 43-module-load.rules ++ ++## Application invocation. The requirements list an optional requirement ++## FPT_SRP_EXT.1 Software Restriction Policies. This event is intended to ++## state results from that policy. This would be handled entirely by ++## that daemon. ++ +diff --git a/tests/shared/audit/43-module-load.rules b/tests/shared/audit/43-module-load.rules +new file mode 100644 +index 000000000..890750744 +--- /dev/null ++++ b/tests/shared/audit/43-module-load.rules +@@ -0,0 +1,6 @@ ++## These rules watch for kernel module insertion. By monitoring ++## the syscall, we do not need any watches on programs. ++-a always,exit -F arch=b32 -S init_module,finit_module -F key=module-load ++-a always,exit -F arch=b64 -S init_module,finit_module -F key=module-load ++-a always,exit -F arch=b32 -S delete_module -F key=module-unload ++-a always,exit -F arch=b64 -S delete_module -F key=module-unload +-- +2.21.1 + diff --git a/SOURCES/scap-security-guide-0.1.49-ssh-use-strong-rng.patch b/SOURCES/scap-security-guide-0.1.49-ssh-use-strong-rng.patch new file mode 100644 index 0000000..97b0168 --- /dev/null +++ b/SOURCES/scap-security-guide-0.1.49-ssh-use-strong-rng.patch @@ -0,0 +1,855 @@ +From e826795667e319a336ccbfe0919c044766801cb8 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= +Date: Fri, 17 Jan 2020 10:49:36 +0100 +Subject: [PATCH 1/7] Added lineinfile shell assignment support to our macros. + +--- + shared/macros-ansible.jinja | 20 +++++++++++++++++++ + shared/macros-bash.jinja | 26 +++++++++++++++++++++++++ + shared/macros-oval.jinja | 39 ++++++++++++++++++++++++++++++++----- + 3 files changed, 80 insertions(+), 5 deletions(-) + +diff --git a/shared/macros-ansible.jinja b/shared/macros-ansible.jinja +index 3e4a441225..c42a5156ce 100644 +--- a/shared/macros-ansible.jinja ++++ b/shared/macros-ansible.jinja +@@ -141,6 +141,26 @@ + {{{ ansible_set_config_file(msg, "/etc/ssh/sshd_config", parameter, value=value, create="yes", prefix_regex='(?i)^\s*', validate="/usr/sbin/sshd -t -f %s", insert_before="^[#\s]*Match") }}} + {{%- endmacro %}} + ++{{# ++ High level macro to set a value in a shell-related file that contains var assignments. This ++ takes these values: msg (the name for the Ansible task), path to the file, a parameter to set ++ in the configuration file, and the value to set it to. We specify a case ++ sensitive comparison in the prefix since this is used to deduplicate since ++ We also specify the validation program here; see 'bash -c "help set" | grep -e -n' ++#}} ++{{%- macro ansible_shell_set(msg, path, parameter, value='', no_quotes=false) %}} ++{{% if no_quotes -%}} ++{{%- else -%}} ++{{%- set quotes = "\"'" -%}} ++ {{% if "$" in value %}} ++ {{% set value = '"%s"' % value %}} ++ {{% else %}} ++ {{% set value = "'%s'" % value %}} ++ {{% endif %}} ++{{%- endif -%}} ++{{{ ansible_set_config_file(msg, path, parameter, value=value, create="yes", prefix_regex='^\s*', validate="/usr/bin/bash -n %s", insert_before="^[#\s]*Match") }}} ++{{%- endmacro %}} ++ + {{# + High level macro to set a command in tmux configuration file /etc/tmux.conf. + Parameters: +diff --git a/shared/macros-bash.jinja b/shared/macros-bash.jinja +index 43200bdd8a..6c0bb2facc 100644 +--- a/shared/macros-bash.jinja ++++ b/shared/macros-bash.jinja +@@ -1,5 +1,31 @@ + {{# ##### High level macros ##### #}} + ++{{%- macro bash_shell_file_set(path, parameter, value, no_quotes=false) -%}} ++{{% if no_quotes -%}} ++ {{% if "$" in value %}} ++ {{% set value = '%s' % value.replace("$", "\\$") %}} ++ {{% endif %}} ++{{%- else -%}} ++ {{% if "$" in value %}} ++ {{% set value = '\\"%s\\"' % value.replace("$", "\\$") %}} ++ {{% else %}} ++ {{% set value = "'%s'" % value %}} ++ {{% endif %}} ++{{%- endif -%}} ++{{{ set_config_file( ++ path=path, ++ parameter=parameter, ++ value=value, ++ create=true, ++ insert_after="", ++ insert_before="^Match", ++ insensitive=false, ++ separator="=", ++ separator_regex="=", ++ prefix_regex="^\s*") ++ }}} ++{{%- endmacro -%}} ++ + {{%- macro bash_sshd_config_set(parameter, value) -%}} + {{{ set_config_file( + path="/etc/ssh/sshd_config", +diff --git a/shared/macros-oval.jinja b/shared/macros-oval.jinja +index 2049a24d6e..696cf36db0 100644 +--- a/shared/macros-oval.jinja ++++ b/shared/macros-oval.jinja +@@ -17,8 +17,9 @@ + - multi_value (boolean): If set, it means that the parameter can accept multiple values and the expected value must be present in the current list of values. + - missing_config_file_fail (boolean): If set, the check will fail if the configuration is not existent in the system. + - section (String): If set, the parameter will be checked only within the given section defined by [section]. ++ - quotes (String): If non-empty, one level of matching quotes is considered when checking the value. See comment of oval_line_in_file_state for more info. + #}} +-{{%- macro oval_check_config_file(path='', prefix_regex='^[ \\t]*', parameter='', separator_regex='[ \\t]+', value='', missing_parameter_pass=false, application='', multi_value=false, missing_config_file_fail=false, section='') -%}} ++{{%- macro oval_check_config_file(path='', prefix_regex='^[ \\t]*', parameter='', separator_regex='[ \\t]+', value='', missing_parameter_pass=false, application='', multi_value=false, missing_config_file_fail=false, section='', quotes='') -%}} + + + +@@ -60,7 +61,7 @@ + + {{{ oval_line_in_file_test(path, parameter) }}} + {{{ oval_line_in_file_object(path, section, prefix_regex, parameter, separator_regex, false, multi_value) }}} +- {{{ oval_line_in_file_state(value, multi_value) }}} ++ {{{ oval_line_in_file_state(value, multi_value, quotes) }}} + {{%- if missing_parameter_pass %}} + {{{ oval_line_in_file_test(path, parameter, missing_parameter_pass) }}} + {{{ oval_line_in_file_object(path, section, prefix_regex, parameter, separator_regex, missing_parameter_pass, multi_value) }}} +@@ -173,12 +174,21 @@ + This macro can take two parameters: + - value (String): The value to be checked. This can also be a regular expression (e.g: value1|value2 can match both values). + - multi_value (boolean): If set, it means that the parameter can accept multiple values and the expected value must be present in the current list of values. ++ - quotes (String): If non-empty, one level of matching quotes is considered when checking the value. Specify one or more quote types as a string. ++ For example, for shell quoting, specify quotes="'\""), which will make sure that value, 'value' and "value" are matched, but 'value" or '"value"' won't be. + #}} +-{{%- macro oval_line_in_file_state(value='', multi_value='') -%}} ++{{%- macro oval_line_in_file_state(value='', multi_value='', quotes='') -%}} ++{{%- set regex = value -%}} ++{{%- if quotes != "" %}} ++{{%- if "\\1" in value > 0 %}} ++{{{ raise("The regex for matching '%s' already references capturing groups, which doesn't go well with quoting that adds a capturing group to the beginning." % value) }}} ++{{%- endif %}} ++{{%- set regex = "((?:%s)?)%s\\1" % ("|".join(quotes), regex) -%}} ++{{%- endif %}} + {{%- if multi_value %}} +-{{%- set regex = "^.*\\b"+value+"\\b.*$" -%}} ++{{%- set regex = "^.*\\b"+regex+"\\b.*$" -%}} + {{%- else %}} +-{{%- set regex = "^"+value+"$" -%}} ++{{%- set regex = "^"+regex+"$" -%}} + {{%- endif %}} + + {{{ regex }}} +@@ -232,6 +242,25 @@ + {{{ oval_check_config_file("/etc/ssh/sshd_config", prefix_regex="^[ \\t]*(?i)", parameter=parameter, separator_regex='(?-i)[ \\t]+', value=value, missing_parameter_pass=missing_parameter_pass, application="sshd", multi_value=multi_value, missing_config_file_fail=missing_config_file_fail) }}} + {{%- endmacro %}} + ++{{# ++ High level macro to check if a particular shell variable is set. ++ This macro can take five parameters: ++ - path (String): Path to the file. ++ - parameter (String): The shell variable name. ++ - value (String): The variable value WITHOUT QUOTES. ++ - missing_parameter_pass (boolean): If set, the check will also pass if the parameter is not present in the configuration file (default is applied). ++ - multi_value (boolean): If set, it means that the parameter can accept multiple values and the expected value must be present in the current list of values. ++ - missing_config_file_fail (boolean): If set, the check will fail if the configuration is not existent in the system. ++#}} ++{{%- macro oval_check_shell_file(path, parameter='', value='', application='', no_quotes=false, missing_parameter_pass=false, multi_value=false, missing_config_file_fail=false) %}} ++{{% if no_quotes -%}} ++{{%- set quotes = "" -%}} ++{{%- else -%}} ++{{%- set quotes = "\"'" -%}} ++{{%- endif -%}} ++{{{ oval_check_config_file(path, prefix_regex="^[ \\t]*", parameter=parameter, separator_regex='=', value=value, missing_parameter_pass=missing_parameter_pass, application=application, multi_value=multi_value, missing_config_file_fail=missing_config_file_fail, quotes=quotes) }}} ++{{%- endmacro %}} ++ + {{# + High level macro to check if a particular combination of parameter and value in the Audit daemon configuration file is set. + This function can take five parameters: + +From a7281779e424a0b481e1b08ca01d2ebd1af2e834 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= +Date: Fri, 17 Jan 2020 10:50:16 +0100 +Subject: [PATCH 2/7] Added tests for shell lineinfile. + +--- + tests/test_macros_oval.py | 142 ++++++++++++++++++ + .../unit/bash/test_set_config_file.bats.jinja | 56 +++++++ + 2 files changed, 198 insertions(+) + +diff --git a/tests/test_macros_oval.py b/tests/test_macros_oval.py +index 65a88ba7b4..8acae8548b 100755 +--- a/tests/test_macros_oval.py ++++ b/tests/test_macros_oval.py +@@ -896,6 +896,148 @@ def main(): + "[vehicle]\nspeed =\n100", + "false" + ) ++ tester.test( ++ "SHELL commented out", ++ r"""{{{ oval_check_shell_file( ++ path='CONFIG_FILE', ++ parameter='SHELL', ++ value='/bin/bash', ++ missing_parameter_pass=false, ++ application='', ++ multi_value=false, ++ missing_config_file_fail=false, ++ ) }}}""", ++ "# SHELL=/bin/bash\n", ++ "false" ++ ) ++ tester.test( ++ "SHELL correct", ++ r"""{{{ oval_check_shell_file( ++ path='CONFIG_FILE', ++ parameter='SHELL', ++ value='/bin/bash', ++ missing_parameter_pass=false, ++ application='', ++ multi_value=false, ++ missing_config_file_fail=false, ++ ) }}}""", ++ " SHELL=/bin/bash\n", ++ "true" ++ ) ++ tester.test( ++ "SHELL single-quoted", ++ r"""{{{ oval_check_shell_file( ++ path='CONFIG_FILE', ++ parameter='SHELL', ++ value='/bin"/bash', ++ missing_parameter_pass=false, ++ application='', ++ multi_value=false, ++ missing_config_file_fail=false, ++ ) }}}""", ++ " SHELL='/bin\"/bash'\n", ++ "true" ++ ) ++ tester.test( ++ "SHELL double-quoted", ++ r"""{{{ oval_check_shell_file( ++ path='CONFIG_FILE', ++ parameter='SHELL', ++ value=' /bin/bash', ++ missing_parameter_pass=false, ++ application='', ++ multi_value=false, ++ missing_config_file_fail=false, ++ ) }}}""", ++ """ SHELL=" /bin/bash"\n""", ++ "true" ++ ) ++ tester.test( ++ "SHELL unwanted double-quoted", ++ r"""{{{ oval_check_shell_file( ++ path='CONFIG_FILE', ++ parameter='SHELL', ++ value=' /bin/bash', ++ no_quotes=true, ++ missing_parameter_pass=false, ++ application='', ++ multi_value=false, ++ missing_config_file_fail=false, ++ ) }}}""", ++ """ SHELL=" /bin/bash"\n""", ++ "false" ++ ) ++ tester.test( ++ "SHELL unwanted single-quoted", ++ r"""{{{ oval_check_shell_file( ++ path='CONFIG_FILE', ++ parameter='SHELL', ++ value='/bin"/bash', ++ no_quotes=true, ++ missing_parameter_pass=false, ++ application='', ++ multi_value=false, ++ missing_config_file_fail=false, ++ ) }}}""", ++ " SHELL='/bin\"/bash'\n", ++ "false" ++ ) ++ tester.test( ++ "SHELL double-quoted spaced", ++ r"""{{{ oval_check_shell_file( ++ path='CONFIG_FILE', ++ parameter='SHELL', ++ value='/bin/bash', ++ missing_parameter_pass=false, ++ application='', ++ multi_value=false, ++ missing_config_file_fail=false, ++ ) }}}""", ++ """ SHELL= "/bin/bash"\n""", ++ "false" ++ ) ++ tester.test( ++ "SHELL bad_var_case", ++ r"""{{{ oval_check_shell_file( ++ path='CONFIG_FILE', ++ parameter='SHELL', ++ value='/bin/bash', ++ missing_parameter_pass=false, ++ application='', ++ multi_value=false, ++ missing_config_file_fail=false, ++ ) }}}""", ++ """ Shell="/bin/bash"\n""", ++ "false" ++ ) ++ tester.test( ++ "SHELL bad_value_case", ++ r"""{{{ oval_check_shell_file( ++ path='CONFIG_FILE', ++ parameter='SHELL', ++ value='/bin/bash', ++ missing_parameter_pass=false, ++ application='', ++ multi_value=false, ++ missing_config_file_fail=false, ++ ) }}}""", ++ """ SHELL="/bin/Bash"\n""", ++ "false" ++ ) ++ tester.test( ++ "SHELL badly quoted", ++ r"""{{{ oval_check_shell_file( ++ path='CONFIG_FILE', ++ parameter='SHELL', ++ value='/bin/bash', ++ missing_parameter_pass=false, ++ application='', ++ multi_value=false, ++ missing_config_file_fail=false, ++ ) }}}""", ++ """ SHELL="/bin/bash'\n""", ++ "false" ++ ) + + tester.finish() + +diff --git a/tests/unit/bash/test_set_config_file.bats.jinja b/tests/unit/bash/test_set_config_file.bats.jinja +index 3dc2c721d4..4126d0440e 100644 +--- a/tests/unit/bash/test_set_config_file.bats.jinja ++++ b/tests/unit/bash/test_set_config_file.bats.jinja +@@ -126,3 +126,59 @@ function call_set_config_file { + + rm "$tmp_file" + } ++ ++@test "Basic Bash remediation" { ++ tmp_file="$(mktemp)" ++ printf "%s\n" "something=foo" > "$tmp_file" ++ expected_output="something='va lue'\n" ++ ++ {{{ bash_shell_file_set("$tmp_file", "something", "va lue") | indent(4) }}} ++ ++ run diff -U2 "$tmp_file" <(printf "$expected_output") ++ echo "$output" ++ [ "$status" -eq 0 ] ++ ++ rm "$tmp_file" ++} ++ ++@test "Variable remediation - preserve dollar and use double quotes" { ++ tmp_file="$(mktemp)" ++ printf "%s\n" "something=bar" > "$tmp_file" ++ expected_output='something="$value"'"\n" ++ ++ {{{ bash_shell_file_set("$tmp_file", "something", '$value') | indent(4) }}} ++ ++ run diff -U2 "$tmp_file" <(printf "$expected_output") ++ echo "$output" ++ [ "$status" -eq 0 ] ++ ++ rm "$tmp_file" ++} ++ ++@test "Basic Bash remediation - don't quote" { ++ tmp_file="$(mktemp)" ++ printf "%s\n" "something=foo" > "$tmp_file" ++ expected_output="something=va lue\n" ++ ++ {{{ bash_shell_file_set("$tmp_file", "something", "va lue", no_quotes=true) | indent(4) }}} ++ ++ run diff -U2 "$tmp_file" <(printf "$expected_output") ++ echo "$output" ++ [ "$status" -eq 0 ] ++ ++ rm "$tmp_file" ++} ++ ++@test "Variable remediation - don't quote" { ++ tmp_file="$(mktemp)" ++ printf "%s\n" "something=bar" > "$tmp_file" ++ expected_output='something=$value'"\n" ++ ++ {{{ bash_shell_file_set("$tmp_file", "something", '$value', no_quotes=true) | indent(4) }}} ++ ++ run diff -U2 "$tmp_file" <(printf "$expected_output") ++ echo "$output" ++ [ "$status" -eq 0 ] ++ ++ rm "$tmp_file" ++} + +From 347e7ab345a35fc3045a886d883d8efe7d9820b2 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= +Date: Fri, 17 Jan 2020 10:51:02 +0100 +Subject: [PATCH 3/7] Added the shell lineinfile template. + +--- + docs/manual/developer_guide.adoc | 21 +++++++++++++++++ + .../template_ANSIBLE_shell_lineinfile | 21 +++++++++++++++++ + .../templates/template_BASH_shell_lineinfile | 6 +++++ + .../templates/template_OVAL_shell_lineinfile | 10 ++++++++ + ssg/templates.py | 23 +++++++++++++++++++ + 5 files changed, 81 insertions(+) + create mode 100644 shared/templates/template_ANSIBLE_shell_lineinfile + create mode 100644 shared/templates/template_BASH_shell_lineinfile + create mode 100644 shared/templates/template_OVAL_shell_lineinfile + +diff --git a/docs/manual/developer_guide.adoc b/docs/manual/developer_guide.adoc +index aa0a7491c3..b5d22213b7 100644 +--- a/docs/manual/developer_guide.adoc ++++ b/docs/manual/developer_guide.adoc +@@ -1591,6 +1591,27 @@ service_enabled:: + ** *daemonname* - name of the daemon. This argument is optional. If *daemonname* is not specified it means the name of the daemon is the same as the name of service. + * Languages: Ansible, Bash, OVAL, Puppet + ++shell_lineinfile:: ++* Checks shell variable assignments in files. ++Remediations will paste assignments with single shell quotes unless there is the dollar sign in the value string, in which case double quotes are administered. ++The OVAL checks for a match with either of no quotes, single quoted string, or double quoted string. ++* Parameters: ++** *path* - What file to check. ++** *parameter* - name of the shell variable, eg. `SHELL`. ++** *value* - value of the SSH configuration option specified by *parameter*, eg. `"/bin/bash"`. Don't pass extra shell quoting - that will be handled on the lower level. ++** *no_quotes* - If set to `"true"`, the assigned value has to be without quotes during the check and remediation doesn't quote assignments either. ++** *missing_parameter_pass* - If set to `"true"` the OVAL check will pass if the parameter is not present in the target file. ++* Languages: Ansible, Bash, OVAL ++* Example: ++A template invocation specifying that parameter `HISTSIZE` should be set to value `500` in `/etc/profile` will produce a check that passes if any of the following lines are present in `/etc/profile`: ++** `HISTSIZE=500` ++** `HISTSIZE="500"` ++** `HISTSIZE='500'` +++ ++The remediation would insert one of the quoted forms if the line was not present. +++ ++If the `no_quotes` would be set in the template, only the first form would be checked for, and the unquoted assignment would be inserted to the file by the remediation if not present. ++ + sshd_lineinfile:: + * Checks SSH server configuration items in `/etc/ssh/sshd_config`. + * Parameters: +diff --git a/shared/templates/template_ANSIBLE_shell_lineinfile b/shared/templates/template_ANSIBLE_shell_lineinfile +new file mode 100644 +index 0000000000..7d0a3ebcbd +--- /dev/null ++++ b/shared/templates/template_ANSIBLE_shell_lineinfile +@@ -0,0 +1,21 @@ ++# platform = multi_platform_all ++# reboot = false ++# strategy = restrict ++# complexity = low ++# disruption = low ++{{% set msg = "shell-style assignment of '" ~ PARAMETER ~ "' to '" ~ VALUE ~ "' in '" ~ PATH ~ "'." -%}} ++{{%- if NO_QUOTES -%}} ++ {{% set msg = "Setting unquoted " ~ msg %}} ++{{%- else -%}} ++ {{% set msg = "Setting shell-quoted " ~ msg %}} ++{{%- endif -%}} ++{{{ ++ ansible_shell_set( ++ msg=msg, ++ path=PATH, ++ parameter=PARAMETER, ++ value=VALUE, ++ no_quotes=NO_QUOTES ++ ) ++}}} ++ +diff --git a/shared/templates/template_BASH_shell_lineinfile b/shared/templates/template_BASH_shell_lineinfile +new file mode 100644 +index 0000000000..6bf869d62b +--- /dev/null ++++ b/shared/templates/template_BASH_shell_lineinfile +@@ -0,0 +1,6 @@ ++# platform = multi_platform_all ++# reboot = false ++# strategy = restrict ++# complexity = low ++# disruption = low ++{{{ bash_shell_file_set(path=PATH, parameter=PARAMETER, value=VALUE, no_quotes=NO_QUOTES) }}} +diff --git a/shared/templates/template_OVAL_shell_lineinfile b/shared/templates/template_OVAL_shell_lineinfile +new file mode 100644 +index 0000000000..fd05b6b568 +--- /dev/null ++++ b/shared/templates/template_OVAL_shell_lineinfile +@@ -0,0 +1,10 @@ ++{{{ ++oval_check_shell_file( ++ path=PATH, ++ parameter=PARAMETER, ++ value=VALUE, ++ no_quotes=NO_QUOTES, ++ missing_parameter_pass=MISSING_PARAMETER_PASS ++) ++}}} ++ +diff --git a/ssg/templates.py b/ssg/templates.py +index f4f56c94e6..c2c82e6c29 100644 +--- a/ssg/templates.py ++++ b/ssg/templates.py +@@ -290,6 +290,29 @@ def sshd_lineinfile(data, lang): + return data + + ++@template(["ansible", "bash", "oval"]) ++def shell_lineinfile(data, lang): ++ value = data["value"] ++ if value[0] in ("'", '"') and value[0] == value[1]: ++ msg = ( ++ "Value >>{value}<< of shell variable '{varname}' " ++ "has been supplied with quotes, please fix the content - " ++ "shell quoting is handled by the check/remediation code." ++ .format(value=value, varname=data["parameter"])) ++ raise Exception(msg) ++ missing_parameter_pass = data.get("missing_parameter_pass", "false") ++ if missing_parameter_pass == "true": ++ missing_parameter_pass = True ++ elif missing_parameter_pass == "false": ++ missing_parameter_pass = False ++ data["missing_parameter_pass"] = missing_parameter_pass ++ no_quotes = False ++ if data["no_quotes"] == "true": ++ no_quotes = True ++ data["no_quotes"] = no_quotes ++ return data ++ ++ + @template(["ansible", "bash", "oval"]) + def timer_enabled(data, lang): + if "packagename" not in data: + +From ac5d1a8ad511e828e652ce1ca58b06c18f8c083b Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= +Date: Tue, 21 Jan 2020 14:13:01 +0100 +Subject: [PATCH 4/7] Fixed the templated string evaluation. + +--- + ssg/templates.py | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/ssg/templates.py b/ssg/templates.py +index c2c82e6c29..873f543f41 100644 +--- a/ssg/templates.py ++++ b/ssg/templates.py +@@ -293,7 +293,7 @@ def sshd_lineinfile(data, lang): + @template(["ansible", "bash", "oval"]) + def shell_lineinfile(data, lang): + value = data["value"] +- if value[0] in ("'", '"') and value[0] == value[1]: ++ if value[0] in ("'", '"') and value[0] == value[-1]: + msg = ( + "Value >>{value}<< of shell variable '{varname}' " + "has been supplied with quotes, please fix the content - " + +From 8589574707c63eb3ac4c56674326b70dacfd2ee4 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= +Date: Tue, 21 Jan 2020 14:46:39 +0100 +Subject: [PATCH 5/7] Fixed jinja macros + +- Fixed macro descriptions. +- Fixed Ansible insert_after. +--- + shared/macros-ansible.jinja | 18 ++++++++---------- + shared/macros-bash.jinja | 2 +- + shared/macros-oval.jinja | 7 +++---- + 3 files changed, 12 insertions(+), 15 deletions(-) + +diff --git a/shared/macros-ansible.jinja b/shared/macros-ansible.jinja +index c42a5156ce..81e18e2d5c 100644 +--- a/shared/macros-ansible.jinja ++++ b/shared/macros-ansible.jinja +@@ -143,22 +143,20 @@ + + {{# + High level macro to set a value in a shell-related file that contains var assignments. This +- takes these values: msg (the name for the Ansible task), path to the file, a parameter to set +- in the configuration file, and the value to set it to. We specify a case +- sensitive comparison in the prefix since this is used to deduplicate since ++ takes these values: ++ - msg (the name for the Ansible task), ++ - path to the file, ++ - parameter to set in the configuration file, and ++ - value to set it to. + We also specify the validation program here; see 'bash -c "help set" | grep -e -n' + #}} + {{%- macro ansible_shell_set(msg, path, parameter, value='', no_quotes=false) %}} + {{% if no_quotes -%}} + {{%- else -%}} +-{{%- set quotes = "\"'" -%}} +- {{% if "$" in value %}} +- {{% set value = '"%s"' % value %}} +- {{% else %}} +- {{% set value = "'%s'" % value %}} +- {{% endif %}} ++{{# Use the double quotes in all cases, as the underlying macro single-quotes the assignment line. #}} ++{{% set value = '"%s"' % value %}} + {{%- endif -%}} +-{{{ ansible_set_config_file(msg, path, parameter, value=value, create="yes", prefix_regex='^\s*', validate="/usr/bin/bash -n %s", insert_before="^[#\s]*Match") }}} ++{{{ ansible_set_config_file(msg, path, parameter, separator="=", separator_regex="=", value=value, create="yes", prefix_regex='^\s*', validate="/usr/bin/bash -n %s", insert_before="^# " ~ parameter) }}} + {{%- endmacro %}} + + {{# +diff --git a/shared/macros-bash.jinja b/shared/macros-bash.jinja +index 6c0bb2facc..dc7fd25588 100644 +--- a/shared/macros-bash.jinja ++++ b/shared/macros-bash.jinja +@@ -18,7 +18,7 @@ + value=value, + create=true, + insert_after="", +- insert_before="^Match", ++ insert_before="^#\s*" ~ parameter, + insensitive=false, + separator="=", + separator_regex="=", +diff --git a/shared/macros-oval.jinja b/shared/macros-oval.jinja +index 696cf36db0..cfa9de9d2d 100644 +--- a/shared/macros-oval.jinja ++++ b/shared/macros-oval.jinja +@@ -233,7 +233,7 @@ + - value (String): The value to be checked. This can also be a regular expression (e.g: value1|value2 can match both values). + - missing_parameter_pass (boolean): If set, the check will also pass if the parameter is not present in the configuration file (default is applied). + - multi_value (boolean): If set, it means that the parameter can accept multiple values and the expected value must be present in the current list of values. +- - missing_config_file_fail (boolean): If set, the check will fail if the configuration is not existent in the system. ++ - missing_config_file_fail (boolean): If set, the check will fail if the configuration file doesn't exist in the system. + + We specify a case insensitive comparison in the prefix because + sshd_config has case-insensitive parameters (but case-sensitive values). +@@ -250,7 +250,7 @@ + - value (String): The variable value WITHOUT QUOTES. + - missing_parameter_pass (boolean): If set, the check will also pass if the parameter is not present in the configuration file (default is applied). + - multi_value (boolean): If set, it means that the parameter can accept multiple values and the expected value must be present in the current list of values. +- - missing_config_file_fail (boolean): If set, the check will fail if the configuration is not existent in the system. ++ - missing_config_file_fail (boolean): If set, the check will fail if the configuration file doesn't exist in the system. + #}} + {{%- macro oval_check_shell_file(path, parameter='', value='', application='', no_quotes=false, missing_parameter_pass=false, multi_value=false, missing_config_file_fail=false) %}} + {{% if no_quotes -%}} +@@ -268,8 +268,7 @@ + - value (String): The value to be checked. This can also be a regular expression (e.g: value1|value2 can match both values). + - missing_parameter_pass (boolean): If set, the check will also pass if the parameter is not present in the configuration file (default is applied). + - multi_value (boolean): If set, it means that the parameter can accept multiple values and the expected value must be present in the current list of values. +- - missing_config_file_fail (boolean): If set, the check will fail if the configuration is not existent in the system. +- ++ - missing_config_file_fail (boolean): If set, the check will fail if the configuration file doesn't exist in the system. + #}} + {{%- macro oval_auditd_config(parameter='', value='', missing_parameter_pass=false, multi_value=false, missing_config_file_fail=false) %}} + {{{ oval_check_config_file("/etc/audit/auditd.conf", prefix_regex="^[ \\t]*(?i)", parameter=parameter, separator_regex='(?-i)[ \\t]*=[ \\t]*', value="(?i)"+value+"(?-i)", missing_parameter_pass=missing_parameter_pass, application="auditd", multi_value=multi_value, missing_config_file_fail=missing_config_file_fail) }}} + +From af0e3ba8ef2d5b53dcffed4432ec0415a81ab2bc Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= +Date: Wed, 22 Jan 2020 11:37:39 +0100 +Subject: [PATCH 6/7] Shell lineinfile macros and templates style fixes. + +--- + shared/macros-ansible.jinja | 2 +- + shared/macros-oval.jinja | 10 ++++++++-- + shared/templates/template_ANSIBLE_shell_lineinfile | 4 ++-- + 3 files changed, 11 insertions(+), 5 deletions(-) + +diff --git a/shared/macros-ansible.jinja b/shared/macros-ansible.jinja +index 81e18e2d5c..f752e7a2be 100644 +--- a/shared/macros-ansible.jinja ++++ b/shared/macros-ansible.jinja +@@ -25,7 +25,7 @@ + {{%- elif insert_before %}} + insertbefore: '{{{ insert_before }}}' + {{%- endif %}} +- {{% else %}} ++ {{%- else %}} + state: '{{{ state }}}' + {{%- endif %}} + {{%- if validate %}} +diff --git a/shared/macros-oval.jinja b/shared/macros-oval.jinja +index cfa9de9d2d..5f391efdcb 100644 +--- a/shared/macros-oval.jinja ++++ b/shared/macros-oval.jinja +@@ -13,13 +13,16 @@ + - value (String): The value to be checked. This can also be a regular expression (e.g: value1|value2 can match both values). + - separator_regex (String): Regular expression to be used as the separator of parameter and value in a configuration file. If spaces are allowed, this should be included in the regular expression. + - missing_parameter_pass (boolean): If set, the check will also pass if the parameter is not present in the configuration file (default is applied). +- - application (String): The application which the configuration file is being checked. Can be any value and does not affect the OVAL check. ++ - application (String): The application which the configuration file is being checked. Can be any value and does not affect the actual OVAL check. + - multi_value (boolean): If set, it means that the parameter can accept multiple values and the expected value must be present in the current list of values. + - missing_config_file_fail (boolean): If set, the check will fail if the configuration is not existent in the system. + - section (String): If set, the parameter will be checked only within the given section defined by [section]. + - quotes (String): If non-empty, one level of matching quotes is considered when checking the value. See comment of oval_line_in_file_state for more info. + #}} + {{%- macro oval_check_config_file(path='', prefix_regex='^[ \\t]*', parameter='', separator_regex='[ \\t]+', value='', missing_parameter_pass=false, application='', multi_value=false, missing_config_file_fail=false, section='', quotes='') -%}} ++{{%- if application == '' -%}} ++ {{%- set application = "The respective application or service" -%}} ++{{%- endif -%}} + + + +@@ -248,6 +251,9 @@ + - path (String): Path to the file. + - parameter (String): The shell variable name. + - value (String): The variable value WITHOUT QUOTES. ++ - application (String): The application which the configuration file is being checked. Can be any value and does not affect the actual OVAL check. ++ - no_quotes (boolean): If set, the check will require that the RHS of the assignment is the literal value, without quotes. ++ If no_quotes is false, then one level of single or double quotes won't be regarded as part of the value by the check. + - missing_parameter_pass (boolean): If set, the check will also pass if the parameter is not present in the configuration file (default is applied). + - multi_value (boolean): If set, it means that the parameter can accept multiple values and the expected value must be present in the current list of values. + - missing_config_file_fail (boolean): If set, the check will fail if the configuration file doesn't exist in the system. +@@ -342,7 +348,7 @@ + - parameter (String): The parameter to be checked in the configuration file. + - value (String): The value to be checked. This can also be a regular expression (e.g: value1|value2 can match both values). + - missing_parameter_pass (boolean): If set, the check will also pass if the parameter is not present in the configuration file (default is applied). +- - application (String): The application which the configuration file is being checked. Can be any value and does not affect the OVAL check. ++ - application (String): The application which the configuration file is being checked. Can be any value and does not affect the actual OVAL check. + - multi_value (boolean): If set, it means that the parameter can accept multiple values and the expected value must be present in the current list of values. + - missing_config_file_fail (boolean): If set, the check will fail if the configuration is not existent in the system. + #}} +diff --git a/shared/templates/template_ANSIBLE_shell_lineinfile b/shared/templates/template_ANSIBLE_shell_lineinfile +index 7d0a3ebcbd..3e6c5619ea 100644 +--- a/shared/templates/template_ANSIBLE_shell_lineinfile ++++ b/shared/templates/template_ANSIBLE_shell_lineinfile +@@ -3,7 +3,7 @@ + # strategy = restrict + # complexity = low + # disruption = low +-{{% set msg = "shell-style assignment of '" ~ PARAMETER ~ "' to '" ~ VALUE ~ "' in '" ~ PATH ~ "'." -%}} ++{{% set msg = "shell-style assignment of '" ~ PARAMETER ~ "' to '" ~ VALUE ~ "' in '" ~ PATH ~ "'" -%}} + {{%- if NO_QUOTES -%}} + {{% set msg = "Setting unquoted " ~ msg %}} + {{%- else -%}} +@@ -15,7 +15,7 @@ + path=PATH, + parameter=PARAMETER, + value=VALUE, +- no_quotes=NO_QUOTES ++ no_quotes=NO_QUOTES + ) + }}} + + +From a7779d2fae1086838daa1ded483decd499e8749f Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= +Date: Tue, 21 Jan 2020 16:43:23 +0100 +Subject: [PATCH 7/7] Add a shell_lineinfile template exemplary rule. + +--- + .../ssh_server/sshd_use_strong_rng/rule.yml | 47 +++++++++++++++++++ + .../tests/bad_config.fail.sh | 3 ++ + .../tests/good_config.pass.sh | 3 ++ + .../tests/no_config.fail.sh | 3 ++ + .../sshd_use_strong_rng/tests/quoted.fail.sh | 3 ++ + rhel8/profiles/ospp.profile | 1 + + shared/references/cce-redhat-avail.txt | 1 - + 7 files changed, 60 insertions(+), 1 deletion(-) + create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_use_strong_rng/rule.yml + create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_use_strong_rng/tests/bad_config.fail.sh + create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_use_strong_rng/tests/good_config.pass.sh + create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_use_strong_rng/tests/no_config.fail.sh + create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_use_strong_rng/tests/quoted.fail.sh + +diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_rng/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_rng/rule.yml +new file mode 100644 +index 0000000000..4bfb72702b +--- /dev/null ++++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_rng/rule.yml +@@ -0,0 +1,47 @@ ++documentation_complete: true ++ ++# TODO: The plan is not to need this for RHEL>=8.4 ++# TODO: Compliant setting is SSH_USE_STRONG_RNG set to 32 or more ++prodtype: rhel8 ++ ++title: 'SSH server uses strong entropy to seed' ++ ++description: |- ++ To set up SSH server to use entropy from a high-quality source, edit the /etc/sysconfig/sshd file. ++ The SSH_USE_STRONG_RNG configuration value determines how many bytes of entropy to use, so ++ make sure that the file contains line ++
SSH_USE_STRONG_RNG=32
++ ++rationale: |- ++ SSH implementation in RHEL8 uses the openssl library, which doesn't use high-entropy sources by default. ++ Randomness is needed to generate data-encryption keys, and as plaintext padding and initialization vectors ++ in encryption algorithms, and high-quality entropy elliminates the possibility that the output of ++ the random number generator used by SSH would be known to potential attackers. ++ ++severity: medium ++ ++identifiers: ++ cce@rhel8: 82462-3 ++ ++references: ++ ospp: FIA_AFL.1 ++ ++ocil: |- ++ To determine whether the SSH service is configured to use strong entropy seed, ++ run
$ sudo grep SSH_USE_STRONG_RNG /etc/sysconfig/sshd
++ If a line indicating that SSH_USE_STRONG_RNG is set to 32 is returned, ++ then the option is set correctly. ++ ++ocil_clause: |- ++ The SSH_USE_STRONG_RNG is not set to 32 in /etc/sysconfig/sshd ++ ++warnings: ++ - general: "This setting can cause problems on computers without the hardware random generator, because insufficient entropy causes the connection to be blocked until enough entropy is available." ++ ++template: ++ name: shell_lineinfile ++ vars: ++ path: '/etc/sysconfig/sshd' ++ parameter: 'SSH_USE_STRONG_RNG' ++ value: '32' ++ no_quotes: 'true' +diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_rng/tests/bad_config.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_rng/tests/bad_config.fail.sh +new file mode 100644 +index 0000000000..f4f8c22f64 +--- /dev/null ++++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_rng/tests/bad_config.fail.sh +@@ -0,0 +1,3 @@ ++# platform = multi_platform_rhel ++ ++echo 'SSH_USE_STRONG_RNG=1' > /etc/sysconfig/sshd +diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_rng/tests/good_config.pass.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_rng/tests/good_config.pass.sh +new file mode 100644 +index 0000000000..70f53ac22b +--- /dev/null ++++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_rng/tests/good_config.pass.sh +@@ -0,0 +1,3 @@ ++# platform = multi_platform_rhel ++ ++echo 'SSH_USE_STRONG_RNG=32' > /etc/sysconfig/sshd +diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_rng/tests/no_config.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_rng/tests/no_config.fail.sh +new file mode 100644 +index 0000000000..1e5f0b2998 +--- /dev/null ++++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_rng/tests/no_config.fail.sh +@@ -0,0 +1,3 @@ ++# platform = multi_platform_rhel ++ ++rm -f /etc/sysconfig/sshd +diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_rng/tests/quoted.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_rng/tests/quoted.fail.sh +new file mode 100644 +index 0000000000..a10d24a73b +--- /dev/null ++++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_rng/tests/quoted.fail.sh +@@ -0,0 +1,3 @@ ++# platform = multi_platform_rhel ++ ++echo 'SSH_USE_STRONG_RNG="32"' > /etc/sysconfig/sshd +diff --git a/rhel8/profiles/ospp.profile b/rhel8/profiles/ospp.profile +index f97527a914..63aea526b7 100644 +--- a/rhel8/profiles/ospp.profile ++++ b/rhel8/profiles/ospp.profile +@@ -58,6 +58,7 @@ selections: + - sshd_set_keepalive + - sshd_enable_warning_banner + - sshd_rekey_limit ++ - sshd_use_strong_rng + + # Time Server + - chronyd_client_only +diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt +index b665fa1cea..1ff291c7df 100644 +--- a/shared/references/cce-redhat-avail.txt ++++ b/shared/references/cce-redhat-avail.txt +@@ -1,4 +1,3 @@ +-CCE-82462-3 + CCE-82463-1 + CCE-82464-9 + CCE-82465-6 diff --git a/SOURCES/scap-security-guide-0.1.49-update-cobit-uri.patch b/SOURCES/scap-security-guide-0.1.49-update-cobit-uri.patch new file mode 100644 index 0000000..58ad831 --- /dev/null +++ b/SOURCES/scap-security-guide-0.1.49-update-cobit-uri.patch @@ -0,0 +1,22 @@ +From fc99f5b30e1f6e98eac2382949418532fe0a2230 Mon Sep 17 00:00:00 2001 +From: Gabriel Becker +Date: Mon, 3 Feb 2020 10:55:42 +0100 +Subject: [PATCH] Update ISACA COBIT URI. + +--- + shared/transforms/shared_constants.xslt | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/shared/transforms/shared_constants.xslt b/shared/transforms/shared_constants.xslt +index e88922d965..0aed1f6337 100644 +--- a/shared/transforms/shared_constants.xslt ++++ b/shared/transforms/shared_constants.xslt +@@ -28,7 +28,7 @@ + https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf + https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785 + https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731 +-http://www.isaca.org/COBIT/Pages/default.aspx ++https://www.isaca.org/resources/cobit + https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf + https://www.niap-ccevs.org/Profile/PP.cfm + https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf diff --git a/SOURCES/scap-security-guide-0.1.49-update-crypto-policy-test-scenarios.patch b/SOURCES/scap-security-guide-0.1.49-update-crypto-policy-test-scenarios.patch new file mode 100644 index 0000000..b604aaa --- /dev/null +++ b/SOURCES/scap-security-guide-0.1.49-update-crypto-policy-test-scenarios.patch @@ -0,0 +1,124 @@ +From 95ae3d5ca08f511ef40503f758dfb02feca29252 Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Tue, 21 Jan 2020 13:42:35 +0100 +Subject: [PATCH 1/2] Update configure_crypto_policy test scenarios + +Update test scenarios for OSPP profile, it selects 'FIPS:OSPP' crypto policy, +not 'FIPS'. +--- + .../tests/dropin_file_and_symlink_exist.fail.sh | 4 ++-- + .../tests/file_exists_but_no_file_in_local_d.fail.sh | 2 +- + .../configure_crypto_policy/tests/missing_nss_config.fail.sh | 2 +- + 3 files changed, 4 insertions(+), 4 deletions(-) + +diff --git a/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/tests/dropin_file_and_symlink_exist.fail.sh b/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/tests/dropin_file_and_symlink_exist.fail.sh +index 693cdb03a9..2de1cf4a3b 100644 +--- a/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/tests/dropin_file_and_symlink_exist.fail.sh ++++ b/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/tests/dropin_file_and_symlink_exist.fail.sh +@@ -1,11 +1,11 @@ + #!/bin/bash + # platform = multi_platform_fedora,Red Hat Enterprise Linux 8 +-# profiles = xccdf_org.ssgproject.content_profile_ospp, xccdf_org.ssgproject.content_profile_standard ++# profiles = xccdf_org.ssgproject.content_profile_ospp + + # using example of opensshserver + DROPIN_FILE="/etc/crypto-policies/local.d/opensshserver-test.config" + +-update-crypto-policies --set FIPS ++update-crypto-policies --set "FIPS:OSPP" + + echo "" > "$DROPIN_FILE" + echo "CRYPTO_POLICY=" >> "$DROPIN_FILE" +diff --git a/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/tests/file_exists_but_no_file_in_local_d.fail.sh b/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/tests/file_exists_but_no_file_in_local_d.fail.sh +index 5935a38eac..428b76879a 100644 +--- a/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/tests/file_exists_but_no_file_in_local_d.fail.sh ++++ b/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/tests/file_exists_but_no_file_in_local_d.fail.sh +@@ -5,7 +5,7 @@ + #using example of openssh server + CRYPTO_POLICY_FILE="/etc/crypto-policies/back-ends/opensshserver.config" + +-update-crypto-policies --set "FIPS" ++update-crypto-policies --set "FIPS:OSPP" + + rm -f /etc/crypto-policies/local.d/opensshserver-*.config + rm -f "$CRYPTO_POLICY_FILE" +diff --git a/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/tests/missing_nss_config.fail.sh b/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/tests/missing_nss_config.fail.sh +index b165006a8d..97bc4b499c 100644 +--- a/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/tests/missing_nss_config.fail.sh ++++ b/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/tests/missing_nss_config.fail.sh +@@ -2,6 +2,6 @@ + # platform = multi_platform_fedora,Red Hat Enterprise Linux 8 + # profiles = xccdf_org.ssgproject.content_profile_ospp + +-update-crypto-policies --set "FIPS" ++update-crypto-policies --set "FIPS:OSPP" + + rm -f "/etc/crypto-policies/back-ends/nss.config" + +From dbbd7ecc294ba86544fb96d5a1b06feba9458a28 Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Tue, 21 Jan 2020 14:07:50 +0100 +Subject: [PATCH 2/2] Remove configure_crypto_policy test scenarios + +--- + .../tests/dropin_file_and_symlink_exist.fail.sh | 11 ----------- + .../file_exists_but_no_file_in_local_d.fail.sh | 13 ------------- + .../tests/override_policy.pass.sh | 11 ----------- + 3 files changed, 35 deletions(-) + delete mode 100644 linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/tests/dropin_file_and_symlink_exist.fail.sh + delete mode 100644 linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/tests/file_exists_but_no_file_in_local_d.fail.sh + delete mode 100644 linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/tests/override_policy.pass.sh + +diff --git a/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/tests/dropin_file_and_symlink_exist.fail.sh b/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/tests/dropin_file_and_symlink_exist.fail.sh +deleted file mode 100644 +index 2de1cf4a3b..0000000000 +--- a/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/tests/dropin_file_and_symlink_exist.fail.sh ++++ /dev/null +@@ -1,11 +0,0 @@ +-#!/bin/bash +-# platform = multi_platform_fedora,Red Hat Enterprise Linux 8 +-# profiles = xccdf_org.ssgproject.content_profile_ospp +- +-# using example of opensshserver +-DROPIN_FILE="/etc/crypto-policies/local.d/opensshserver-test.config" +- +-update-crypto-policies --set "FIPS:OSPP" +- +-echo "" > "$DROPIN_FILE" +-echo "CRYPTO_POLICY=" >> "$DROPIN_FILE" +diff --git a/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/tests/file_exists_but_no_file_in_local_d.fail.sh b/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/tests/file_exists_but_no_file_in_local_d.fail.sh +deleted file mode 100644 +index 428b76879a..0000000000 +--- a/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/tests/file_exists_but_no_file_in_local_d.fail.sh ++++ /dev/null +@@ -1,13 +0,0 @@ +-#!/bin/bash +-# platform = multi_platform_fedora,Red Hat Enterprise Linux 8 +-# profiles = xccdf_org.ssgproject.content_profile_ospp +- +-#using example of openssh server +-CRYPTO_POLICY_FILE="/etc/crypto-policies/back-ends/opensshserver.config" +- +-update-crypto-policies --set "FIPS:OSPP" +- +-rm -f /etc/crypto-policies/local.d/opensshserver-*.config +-rm -f "$CRYPTO_POLICY_FILE" +- +-echo "pretend that we overide the crrypto policy but no related file is in /etc/crypto-policies/local.d, smart, right?" > "$CRYPTO_POLICY_FILE" +diff --git a/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/tests/override_policy.pass.sh b/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/tests/override_policy.pass.sh +deleted file mode 100644 +index ce37abd7ff..0000000000 +--- a/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/tests/override_policy.pass.sh ++++ /dev/null +@@ -1,11 +0,0 @@ +-#!/bin/bash +-# platform = multi_platform_fedora,Red Hat Enterprise Linux 8 +-# profiles = xccdf_org.ssgproject.content_profile_ospp +- +-#using openssh server as example +-CRYPTO_POLICY_OVERRIDE_FILE="/etc/crypto-policies/local.d/opensshserver-test.config" +- +-echo "" > "$CRYPTO_POLICY_OVERRIDE_FILE" +-echo "CRYPTO_POLICY=" >> "$CRYPTO_POLICY_OVERRIDE_FILE" +- +-update-crypto-policies --set FIPS:OSPP diff --git a/SOURCES/scap-security-guide-0.1.49-update-ospp-baseline-package-list.patch b/SOURCES/scap-security-guide-0.1.49-update-ospp-baseline-package-list.patch new file mode 100644 index 0000000..df16070 --- /dev/null +++ b/SOURCES/scap-security-guide-0.1.49-update-ospp-baseline-package-list.patch @@ -0,0 +1,273 @@ +From 38cc9c9eb785f17fbc23a2e7ccbb9902d069f4b3 Mon Sep 17 00:00:00 2001 +From: Vojtech Polasek +Date: Mon, 10 Feb 2020 16:16:17 +0100 +Subject: [PATCH 1/4] create new rules, add missing reference to older rule + +--- + .../rule.yml | 26 +++++++++++++++ + .../package_openssh-server_installed/rule.yml | 1 + + .../rule.yml | 32 +++++++++++++++++++ + .../rule.yml | 29 +++++++++++++++++ + 5 files changed, 88 insertions(+), 3 deletions(-) + create mode 100644 linux_os/guide/services/ssh/package_openssh-clients_installed/rule.yml + create mode 100644 linux_os/guide/system/selinux/package_policycoreutils-python-utils_installed/rule.yml + create mode 100644 linux_os/guide/system/software/integrity/crypto/package_crypto-policies_installed/rule.yml + +diff --git a/linux_os/guide/services/ssh/package_openssh-clients_installed/rule.yml b/linux_os/guide/services/ssh/package_openssh-clients_installed/rule.yml +new file mode 100644 +index 0000000000..9b3c55f23b +--- /dev/null ++++ b/linux_os/guide/services/ssh/package_openssh-clients_installed/rule.yml +@@ -0,0 +1,26 @@ ++documentation_complete: true ++ ++prodtype: rhel8 ++ ++title: 'Install OpenSSH client software' ++ ++description: |- ++ {{{ describe_package_install(package="openssh-clients") }}} ++ ++rationale: 'The openssh-clients package needs to be installed to meet OSPP criteria.' ++ ++severity: medium ++ ++identifiers: ++ cce@rhel8: 82722-0 ++ ++references: ++ srg: SRG-OS-000480-GPOS-00227 ++ ospp: FIA_UAU.5,FTP_ITC_EXT.1 ++ ++{{{ complete_ocil_entry_package(package='openssh-clients') }}} ++ ++template: ++ name: package_installed ++ vars: ++ pkgname: openssh-clients +diff --git a/linux_os/guide/services/ssh/package_openssh-server_installed/rule.yml b/linux_os/guide/services/ssh/package_openssh-server_installed/rule.yml +index c18e604a5c..ba013ec509 100644 +--- a/linux_os/guide/services/ssh/package_openssh-server_installed/rule.yml ++++ b/linux_os/guide/services/ssh/package_openssh-server_installed/rule.yml +@@ -28,6 +28,7 @@ references: + cobit5: APO01.06,DSS05.02,DSS05.04,DSS05.07,DSS06.02,DSS06.06 + iso27001-2013: A.10.1.1,A.11.1.4,A.11.1.5,A.11.2.1,A.13.1.1,A.13.1.3,A.13.2.1,A.13.2.3,A.13.2.4,A.14.1.2,A.14.1.3,A.6.1.2,A.7.1.1,A.7.1.2,A.7.3.1,A.8.2.2,A.8.2.3,A.9.1.1,A.9.1.2,A.9.2.3,A.9.4.1,A.9.4.4,A.9.4.5 + cis-csc: 13,14 ++ ospp: FIA_UAU.5,FTP_ITC_EXT.1 + + ocil_clause: 'the package is not installed' + +diff --git a/linux_os/guide/system/selinux/package_policycoreutils-python-utils_installed/rule.yml b/linux_os/guide/system/selinux/package_policycoreutils-python-utils_installed/rule.yml +new file mode 100644 +index 0000000000..6025f0cd33 +--- /dev/null ++++ b/linux_os/guide/system/selinux/package_policycoreutils-python-utils_installed/rule.yml +@@ -0,0 +1,32 @@ ++documentation_complete: true ++ ++prodtype: rhel8 ++ ++title: 'Install policycoreutils-python-utils package' ++ ++description: |- ++ {{{ describe_package_install(package="policycoreutils-python-utils") }}} ++ ++rationale: |- ++ Security-enhanced Linux is a feature of the Linux kernel and a number of utilities ++ with enhanced security functionality designed to add mandatory access controls to Linux. ++ The Security-enhanced Linux kernel contains new architectural components originally ++ developed to improve security of the Flask operating system. These architectural components ++ provide general support for the enforcement of many kinds of mandatory access control ++ policies, including those based on the concepts of Type Enforcement, Role-based Access ++ Control, and Multi-level Security. ++ ++severity: medium ++ ++identifiers: ++ cce@rhel8: 82724-6 ++ ++references: ++ srg: SRG-OS-000480-GPOS-00227 ++ ++{{{ complete_ocil_entry_package(package='policycoreutils-python-utils') }}} ++ ++template: ++ name: package_installed ++ vars: ++ pkgname: policycoreutils-python-utils +diff --git a/linux_os/guide/system/software/integrity/crypto/package_crypto-policies_installed/rule.yml b/linux_os/guide/system/software/integrity/crypto/package_crypto-policies_installed/rule.yml +new file mode 100644 +index 0000000000..c418518e7a +--- /dev/null ++++ b/linux_os/guide/system/software/integrity/crypto/package_crypto-policies_installed/rule.yml +@@ -0,0 +1,29 @@ ++documentation_complete: true ++ ++prodtype: rhel8 ++ ++title: 'Install crypto-policies package' ++ ++description: |- ++ {{{ describe_package_install(package="crypto-policies") }}} ++ ++rationale: |- ++ The crypto-policies package provides configuration and tools to ++ apply centralizet cryptographic policies for backends such as SSL/TLS libraries. ++ ++ ++severity: medium ++ ++identifiers: ++ cce@rhel8: 82723-8 ++ ++references: ++ ospp: FCS_COP* ++ srg: SRG-OS-000396-GPOS-00176,SRG-OS-000393-GPOS-00173,SRG-OS-000394-GPOS-00174 ++ ++{{{ complete_ocil_entry_package(package='crypto-policies') }}} ++ ++template: ++ name: package_installed ++ vars: ++ pkgname: crypto-policies +From 0c54cbf24a83e38c89841d4dc65a5fbe51fd2f99 Mon Sep 17 00:00:00 2001 +From: Vojtech Polasek +Date: Mon, 10 Feb 2020 16:18:03 +0100 +Subject: [PATCH 2/4] modify ospp profile + +--- + rhel8/profiles/ospp.profile | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +diff --git a/rhel8/profiles/ospp.profile b/rhel8/profiles/ospp.profile +index 4d5a9edd8e..c672066050 100644 +--- a/rhel8/profiles/ospp.profile ++++ b/rhel8/profiles/ospp.profile +@@ -169,17 +169,17 @@ selections: + - package_dnf-plugin-subscription-manager_installed + - package_firewalld_installed + - package_iptables_installed +- - package_libcap-ng-utils_installed + - package_openscap-scanner_installed + - package_policycoreutils_installed + - package_rng-tools_installed + - package_sudo_installed + - package_usbguard_installed +- - package_audispd-plugins_installed + - package_scap-security-guide_installed + - package_audit_installed +- - package_gnutls-utils_installed +- - package_nss-tools_installed ++ - package_crypto-policies_installed ++ - package_openssh-server_installed ++ - package_openssh-clients_installed ++ - package_policycoreutils-python-utils_installed + + ### Remove Prohibited Packages + - package_sendmail_removed +@@ -316,7 +316,7 @@ selections: + ## Configure the System to Offload Audit Records to a Log + ## Server + ## AU-4(1) / FAU_GEN.1.1.c +- - auditd_audispd_syslog_plugin_activated ++ # temporarily dropped + + ## Set Logon Warning Banner + ## AC-8(a) / FMT_MOF_EXT.1 + +From 105efe3a51118eca22c36771ce22d45778a4c34f Mon Sep 17 00:00:00 2001 +From: Vojtech Polasek +Date: Mon, 10 Feb 2020 16:18:52 +0100 +Subject: [PATCH 3/4] add rules to rhel8 stig profile + +--- + rhel8/profiles/stig.profile | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/rhel8/profiles/stig.profile b/rhel8/profiles/stig.profile +index 821cc26914..7eb1869a3c 100644 +--- a/rhel8/profiles/stig.profile ++++ b/rhel8/profiles/stig.profile +@@ -33,6 +33,9 @@ selections: + - encrypt_partitions + - sysctl_net_ipv4_tcp_syncookies + - clean_components_post_updating ++ - package_audispd-plugins_installed ++ - package_libcap-ng-utils_installed ++ - auditd_audispd_syslog_plugin_activated + + # Configure TLS for remote logging + - package_rsyslog_installed + +From 1a5e17c9a6e3cb3ad6cc2cc4601ea49f2f6278ce Mon Sep 17 00:00:00 2001 +From: Vojtech Polasek +Date: Mon, 10 Feb 2020 17:42:43 +0100 +Subject: [PATCH 4/4] rephrase some rationales, fix SFR + +--- + .../ssh/package_openssh-clients_installed/rule.yml | 4 +++- + .../rule.yml | 9 ++------- + .../crypto/package_crypto-policies_installed/rule.yml | 8 ++++---- + 3 files changed, 9 insertions(+), 12 deletions(-) + +diff --git a/linux_os/guide/services/ssh/package_openssh-clients_installed/rule.yml b/linux_os/guide/services/ssh/package_openssh-clients_installed/rule.yml +index 9b3c55f23b..f5b29d32e8 100644 +--- a/linux_os/guide/services/ssh/package_openssh-clients_installed/rule.yml ++++ b/linux_os/guide/services/ssh/package_openssh-clients_installed/rule.yml +@@ -7,7 +7,9 @@ title: 'Install OpenSSH client software' + description: |- + {{{ describe_package_install(package="openssh-clients") }}} + +-rationale: 'The openssh-clients package needs to be installed to meet OSPP criteria.' ++rationale: |- ++ This package includes utilities to make encrypted connections and transfer ++ files securely to SSH servers. + + severity: medium + +diff --git a/linux_os/guide/system/selinux/package_policycoreutils-python-utils_installed/rule.yml b/linux_os/guide/system/selinux/package_policycoreutils-python-utils_installed/rule.yml +index 6025f0cd33..7ae7461077 100644 +--- a/linux_os/guide/system/selinux/package_policycoreutils-python-utils_installed/rule.yml ++++ b/linux_os/guide/system/selinux/package_policycoreutils-python-utils_installed/rule.yml +@@ -8,13 +8,8 @@ description: |- + {{{ describe_package_install(package="policycoreutils-python-utils") }}} + + rationale: |- +- Security-enhanced Linux is a feature of the Linux kernel and a number of utilities +- with enhanced security functionality designed to add mandatory access controls to Linux. +- The Security-enhanced Linux kernel contains new architectural components originally +- developed to improve security of the Flask operating system. These architectural components +- provide general support for the enforcement of many kinds of mandatory access control +- policies, including those based on the concepts of Type Enforcement, Role-based Access +- Control, and Multi-level Security. ++ This package is required to operate and manage an SELinux environment and its policies. ++ It provides utilities such as semanage, audit2allow, audit2why, chcat and sandbox. + + severity: medium + +diff --git a/linux_os/guide/system/software/integrity/crypto/package_crypto-policies_installed/rule.yml b/linux_os/guide/system/software/integrity/crypto/package_crypto-policies_installed/rule.yml +index c418518e7a..bb07f9d617 100644 +--- a/linux_os/guide/system/software/integrity/crypto/package_crypto-policies_installed/rule.yml ++++ b/linux_os/guide/system/software/integrity/crypto/package_crypto-policies_installed/rule.yml +@@ -8,9 +8,9 @@ description: |- + {{{ describe_package_install(package="crypto-policies") }}} + + rationale: |- +- The crypto-policies package provides configuration and tools to +- apply centralizet cryptographic policies for backends such as SSL/TLS libraries. +- ++ Centralized cryptographic policies simplify applying secure ciphers across an operating system and ++ the applications that run on that operating system. Use of weak or untested encryption algorithms ++ undermines the purposes of utilizing encryption to protect data. + + severity: medium + +@@ -18,7 +18,7 @@ identifiers: + cce@rhel8: 82723-8 + + references: +- ospp: FCS_COP* ++ ospp: FCS_COP.1(1),FCS_COP.1(2),FCS_COP.1(3),FCS_COP.1(4) + srg: SRG-OS-000396-GPOS-00176,SRG-OS-000393-GPOS-00173,SRG-OS-000394-GPOS-00174 + + {{{ complete_ocil_entry_package(package='crypto-policies') }}} diff --git a/SPECS/scap-security-guide.spec b/SPECS/scap-security-guide.spec new file mode 100644 index 0000000..2787a5e --- /dev/null +++ b/SPECS/scap-security-guide.spec @@ -0,0 +1,440 @@ +Name: scap-security-guide +Version: 0.1.48 +Release: 7%{?dist} +Summary: Security guidance and baselines in SCAP formats +Group: Applications/System +License: BSD +URL: https://github.com/ComplianceAsCode/content/ +Source0: https://github.com/ComplianceAsCode/content/releases/download/v%{version}/scap-security-guide-%{version}.tar.bz2 +# Patch allows only OSPP, PCI-DSS, E8 and STIG profiles in RHEL8 datastream +Patch0: disable-not-in-good-shape-profiles.patch +Patch1: scap-security-guide-0.1.49-update-crypto-policy-test-scenarios.patch +Patch2: scap-security-guide-0.1.49-max-path-len-skip-logs.patch +Patch3: scap-security-guide-0.1.49-drop-rsyslog-rules.patch +Patch4: scap-security-guide-0.1.49-update-cobit-uri.patch +Patch5: scap-security-guide-0.1.49-ssh-use-strong-rng.patch +Patch6: scap-security-guide-0.1.49-openssl-strong-entropy-wrap.patch +Patch7: scap-security-guide-0.1.49-add-stig-kickstart.patch +Patch8: scap-security-guide-0.1.49-add-rsyslog-to-stig.patch +Patch9: scap-security-guide-0.1.49-add-few-srg-mappings.patch +# Patch10 was generated from squashed commit to prevent 'cannot find file to patch' situations +# from https://github.com/ComplianceAsCode/content/pull/5110 +# HEAD 210ee56aab3f831c96810ca42189642274bd735f +Patch10: scap-security-guide-0.1.49-split-audit-rules.patch +Patch11: scap-security-guide-0.1.49-fix-remaining-srgs.patch +# Patch 12 and 13 had changes to file cce-redhat-avail.txt stripped out, to ease application of patch +Patch12: scap-security-guide-0.1.49-update-ospp-baseline-package-list.patch +Patch13: scap-security-guide-0.1.49-add-cce-openssh-server.patch +BuildArch: noarch + +# To get python3 inside the buildroot require its path explicitly in BuildRequires +BuildRequires: /usr/bin/python3 +BuildRequires: libxslt, expat, openscap-scanner >= 1.2.5, python3-lxml, cmake >= 2.8, python3-jinja2, python3-PyYAML +Requires: xml-common, openscap-scanner >= 1.2.5 +Obsoletes: openscap-content < 0:0.9.13 +Provides: openscap-content + +%description +The scap-security-guide project provides a guide for configuration of the +system from the final system's security point of view. The guidance is specified +in the Security Content Automation Protocol (SCAP) format and constitutes +a catalog of practical hardening advice, linked to government requirements +where applicable. The project bridges the gap between generalized policy +requirements and specific implementation guidelines. The Red Hat Enterprise +Linux 8 system administrator can use the oscap CLI tool from openscap-scanner +package, or the scap-workbench GUI tool from scap-workbench package to verify +that the system conforms to provided guideline. Refer to scap-security-guide(8) +manual page for further information. + +%package doc +Summary: HTML formatted security guides generated from XCCDF benchmarks +Group: System Environment/Base +Requires: %{name} = %{version}-%{release} + +%description doc +The %{name}-doc package contains HTML formatted documents containing +hardening guidances that have been generated from XCCDF benchmarks +present in %{name} package. + +%prep +%setup -q +%patch0 -p1 +%patch1 -p1 +%patch2 -p1 +%patch3 -p1 +%patch4 -p1 +%patch5 -p1 +%patch6 -p1 +%patch7 -p1 +%patch8 -p1 +%patch9 -p1 +%patch10 -p1 +%patch11 -p1 +%patch12 -p1 +%patch13 -p1 +mkdir build + +%build +cd build +%cmake \ +-DSSG_PRODUCT_DEFAULT:BOOLEAN=FALSE \ +-DSSG_PRODUCT_RHEL6:BOOLEAN=TRUE \ +-DSSG_PRODUCT_RHEL7:BOOLEAN=TRUE \ +-DSSG_PRODUCT_RHEL8:BOOLEAN=TRUE \ +-DSSG_PRODUCT_FIREFOX:BOOLEAN=TRUE \ +-DSSG_PRODUCT_JRE:BOOLEAN=TRUE \ +-DSSG_CENTOS_DERIVATIVES_ENABLED:BOOL=OFF \ +-DSSG_SCIENTIFIC_LINUX_DERIVATIVES_ENABLED:BOOL=OFF ../ +%make_build + +%install +cd build +%make_install + +%files +%{_datadir}/xml/scap/ssg/content +%{_datadir}/%{name}/kickstart +%{_datadir}/%{name}/ansible +%{_datadir}/%{name}/bash +%lang(en) %{_mandir}/man8/scap-security-guide.8.* +%doc %{_docdir}/%{name}/LICENSE +%doc %{_docdir}/%{name}/README.md +%doc %{_docdir}/%{name}/Contributors.md + +%files doc +%doc %{_docdir}/%{name}/guides/*.html +%doc %{_docdir}/%{name}/tables/*.html + +%changelog +* Tue Feb 11 2020 Watson Sato - 0.1.48-7 +- Update baseline package list of OSPP profile + +* Thu Feb 06 2020 Watson Sato - 0.1.48-6 +- Rebuilt with correct spec file + +* Thu Feb 06 2020 Watson Sato - 0.1.48-5 +- Add SRG references to STIG rules (RHBZ#1755447) + +* Mon Feb 03 2020 Vojtech Polasek - 0.1.48-4 +- Drop rsyslog rules from OSPP profile +- Update COBIT URI +- Add rules for strong source of RNG entropy +- Enable build of RHEL8 STIG Profile (RHBZ#1755447) +- STIG profile: added rsyslog rules and updated SRG mappings +- Split audit rules according to audit component (RHBZ#1791312) + +* Tue Jan 21 2020 Watson Sato - 0.1.48-3 +- Update crypto-policy test scenarios +- Update max-path-len test to skip tests/logs directory + +* Fri Jan 17 2020 Watson Sato - 0.1.48-2 +- Fix list of tables that are generated for RHEL8 + +* Fri Jan 17 2020 Watson Sato - 0.1.48-1 +- Update to latest upstream SCAP-Security-Guide-0.1.48 release + +* Tue Nov 26 2019 Matěj Týč - 0.1.47-2 +- Improved the e8 profile (RHBZ#1755194) + +* Mon Nov 11 2019 Vojtech Polasek - 0.1.47-1 +- Update to latest upstream SCAP-Security-Guide-0.1.47 release (RHBZ#1757762) + +* Wed Oct 16 2019 Gabriel Becker - 0.1.46-3 +- Align SSHD crypto policy algorithms to Common Criteria Requirements. (RHBZ#1762821) + +* Wed Oct 09 2019 Watson Sato - 0.1.46-2 +- Fix evaluaton and remediation of audit rules in PCI-DSS profile (RHBZ#1754919) + +* Mon Sep 02 2019 Watson Sato - 0.1.46-1 +- Update to latest upstream SCAP-Security-Guide-0.1.46 release +- Align OSPP Profile with Common Criteria Requirements (RHBZ#1714798) + +* Wed Aug 07 2019 Milan Lysonek - 0.1.45-2 +- Use crypto-policy rules in OSPP profile. +- Re-enable FIREFOX and JRE product in build. +- Change test suite logging message about missing profile from ERROR to WARNING. +- Build only one version of SCAP content at a time. + +* Tue Aug 06 2019 Milan Lysonek - 0.1.45-1 +- Update to latest upstream SCAP-Security-Guide-0.1.45 release + +* Mon Jun 17 2019 Matěj Týč - 0.1.44-2 +- Ported changelog from late 8.0 builds. +- Disabled build of the OL8 product, updated other components of the cmake invocation. + +* Fri Jun 14 2019 Matěj Týč - 0.1.44-1 +- Update to latest upstream SCAP-Security-Guide-0.1.44 release + +* Mon Mar 11 2019 Gabriel Becker - 0.1.42-11 +- Assign CCE to rules from OSPP profile which were missing the identifier. +- Fix regular expression for Audit rules ordering +- Account for Audit rules flags parameter position within syscall +- Add remediations for Audit rules file path +- Add Audit rules for modification of /etc/shadow and /etc/gshadow +- Add Ansible and Bash remediations for directory_access_var_log_audit rule +- Add a Bash remediation for Audit rules that require ordering + +* Thu Mar 07 2019 Gabriel Becker - 0.1.42-10 +- Assign CCE identifier to rules used by RHEL8 profiles. + +* Thu Feb 14 2019 Matěj Týč - 0.1.42-9 +- Fixed Crypto Policy OVAL for NSS +- Got rid of rules requiring packages dropped in RHEL8. +- Profile descriptions fixes. + +* Tue Jan 22 2019 Jan Černý - 0.1.42-8 +- Update applicable platforms in crypto policy tests + +* Mon Jan 21 2019 Jan Černý - 0.1.42-7 +- Introduce Podman backend for SSG Test suite +- Update bind and libreswan crypto policy test scenarios + +* Fri Jan 11 2019 Matěj Týč - 0.1.42-6 +- Further fix of profiles descriptions, so they don't contain literal '\'. +- Removed obsolete sshd rule from the OSPP profile. + +* Tue Jan 08 2019 Matěj Týč - 0.1.42-5 +- Fixed profiles descriptions, so they don't contain literal '\n'. +- Made the configure_kerberos_crypto_policy OVAL more robust. +- Made OVAL for libreswan and bind work as expected when those packages are not installed. + +* Wed Jan 02 2019 Matěj Týč - 0.1.42-4 +- Fixed the regression of enable_fips_mode missing OVAL due to renamed OVAL defs. + +* Tue Dec 18 2018 Matěj Týč - 0.1.42-3 +- Added FIPS mode rule for the OSPP profile. +- Split the installed_OS_is certified rule. +- Explicitly disabled OSP13, RHV4 and Example products. + +* Mon Dec 17 2018 Gabriel Becker - 0.1.42-2 +- Add missing kickstart files for RHEL8 +- Disable profiles that are not in good shape for RHEL8 + +* Wed Dec 12 2018 Matěj Týč - 0.1.42-1 +- Update to latest upstream SCAP-Security-Guide-0.1.42 release: + https://github.com/ComplianceAsCode/content/releases/tag/v0.1.42 +- System-wide crypto policies are introduced for RHEL8 +- Patches introduced the RHEL8 product were dropped, as it has been upstreamed. + +* Wed Oct 10 2018 Watson Yuuma Sato - 0.1.41-2 +- Fix man page and package description + +* Mon Oct 08 2018 Watson Yuuma Sato - 0.1.41-1 +- Update to latest upstream SCAP-Security-Guide-0.1.41 release: + https://github.com/ComplianceAsCode/content/releases/tag/v0.1.41 +- Add RHEL8 Product with OSPP4.2 and PCI-DSS Profiles + +* Mon Aug 13 2018 Watson Sato - 0.1.40-3 +- Use explicit path BuildRequires to get /usr/bin/python3 inside the buildroot +- Only build content for rhel8 products + +* Fri Aug 10 2018 Watson Sato - 0.1.40-2 +- Update build of rhel8 content + +* Fri Aug 10 2018 Watson Sato - 0.1.40-1 +- Enable build of rhel8 content + +* Fri May 18 2018 Jan Černý - 0.1.39-1 +- Update to latest upstream SCAP-Security-Guide-0.1.39 release: + https://github.com/OpenSCAP/scap-security-guide/releases/tag/v0.1.39 +- Fix spec file to build using Python 3 +- Fix License because upstream changed to BSD-3 + +* Mon Mar 05 2018 Watson Yuuma Sato - 0.1.38-1 +- Update to latest upstream SCAP-Security-Guide-0.1.38 release: + https://github.com/OpenSCAP/scap-security-guide/releases/tag/v0.1.38 + +* Fri Feb 09 2018 Fedora Release Engineering - 0.1.37-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild + +* Thu Jan 04 2018 Watson Yuuma Sato - 0.1.37-1 +- Update to latest upstream SCAP-Security-Guide-0.1.37 release: + https://github.com/OpenSCAP/scap-security-guide/releases/tag/v0.1.37 + +* Wed Nov 01 2017 Watson Yuuma Sato - 0.1.36-1 +- Update to latest upstream SCAP-Security-Guide-0.1.36 release: + https://github.com/OpenSCAP/scap-security-guide/releases/tag/v0.1.36 + +* Tue Aug 29 2017 Watson Sato - 0.1.35-1 +- Update to latest upstream SCAP-Security-Guide-0.1.35 release: + https://github.com/OpenSCAP/scap-security-guide/releases/tag/v0.1.35 + +* Thu Jul 27 2017 Fedora Release Engineering - 0.1.34-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild + +* Mon Jul 03 2017 Watson Sato - 0.1.34-1 +- updated to latest upstream release + +* Mon May 01 2017 Martin Preisler - 0.1.33-1 +- updated to latest upstream release + +* Thu Mar 30 2017 Martin Preisler - 0.1.32-1 +- updated to latest upstream release + +* Sat Feb 11 2017 Fedora Release Engineering - 0.1.31-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild + +* Mon Nov 28 2016 Martin Preisler - 0.1.31-2 +- use make_build and make_install RPM macros + +* Mon Nov 28 2016 Martin Preisler - 0.1.31-1 +- update to the latest upstream release +- new default location for content /usr/share/scap/ssg +- install HTML tables in the doc subpackage + +* Mon Jun 27 2016 Jan iankko Lieskovsky - 0.1.30-2 +- Correct currently failing parallel SCAP Security Guide build + +* Mon Jun 27 2016 Jan iankko Lieskovsky - 0.1.30-1 +- Update to latest upstream SCAP-Security-Guide-0.1.30 release: + https://github.com/OpenSCAP/scap-security-guide/releases/tag/v0.1.30 +- Drop shell library for remediation functions since it is not required + starting from 0.1.30 release any more + +* Thu May 05 2016 Jan iankko Lieskovsky - 0.1.29-1 +- Update to latest upstream SCAP-Security-Guide-0.1.29 release: + https://github.com/OpenSCAP/scap-security-guide/releases/tag/v0.1.29 +- Do not ship Firefox/DISCLAIMER documentation file since it has been removed + in 0.1.29 upstream release + +* Thu Feb 04 2016 Fedora Release Engineering - 0.1.28-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild + +* Wed Jan 20 2016 Šimon Lukašík - 0.1.28-1 +- upgrade to the latest upstream release + +* Fri Dec 11 2015 Šimon Lukašík - 0.1.27-1 +- update to the latest upstream release + +* Tue Oct 20 2015 Šimon Lukašík - 0.1.26-1 +- update to the latest upstream release + +* Sat Sep 05 2015 Šimon Lukašík - 0.1.25-1 +- update to the latest upstream release + +* Thu Jul 09 2015 Šimon Lukašík - 0.1.24-1 +- update to the latest upstream release +- created doc sub-package to ship all the guides +- start distributing centos and scientific linux content +- rename java content to jre + +* Fri Jun 19 2015 Fedora Release Engineering - 0.1.22-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild + +* Tue May 05 2015 Šimon Lukašík - 0.1.22-1 +- update to the latest upstream release +- only DataStream file is now available for Fedora +- start distributing security baseline for Firefox +- start distributing security baseline for Java RunTime deployments + +* Wed Mar 04 2015 Šimon Lukašík - 0.1.21-1 +- update to the latest upstream release +- move content to /usr/share/scap/ssg/content + +* Thu Oct 02 2014 Šimon Lukašík - 0.1.19-1 +- update to the latest upstream release + +* Mon Jul 14 2014 Šimon Lukašík - 0.1.5-4 +- require only openscap-scanner, not whole openscap-utils package + +* Tue Jul 01 2014 Šimon Lukašík - 0.1.5-3 +- Rebase the RHEL part of SSG to the latest upstream version (0.1.18) +- Add STIG DISCLAIMER to the shipped documentation + +* Sun Jun 08 2014 Fedora Release Engineering - 0.1.5-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild + +* Thu Feb 27 2014 Jan iankko Lieskovsky 0.1.5-1 +- Fix fedora-srpm and fedora-rpm Make targets to work again +- Include RHEL-6 and RHEL-7 datastream files to support remote RHEL system scans +- EOL for Fedora 18 support +- Include Fedora datastream file for remote Fedora system scans + +* Mon Jan 06 2014 Jan iankko Lieskovsky 0.1.4-2 +- Drop -compat package, provide openscap-content directly (RH BZ#1040335#c14) + +* Fri Dec 20 2013 Jan iankko Lieskovsky 0.1.4-1 +- Fix remediation for sshd set keepalive (ClientAliveCountMax) and move + it to /shared +- Add shared remediations for sshd disable empty passwords and + sshd set idle timeout +- Shared remediation for sshd disable root login +- Add empty -compat subpackage to ensure backward-compatibility with + openscap-content and firstaidkit-plugin-openscap packages (RH BZ#1040335) +- OVAL check for sshd disable root login +- Fix typo in OVAL check for sshd disable empty passwords +- OVAL check for sshd disable empty passwords +- Unselect no shelllogin for systemaccounts rule from being run by default +- Rename XCCDF rules +- Revert Set up Fedora release name and CPE based on build system properties +- Shared OVAL check for Verify that Shared Library Files Have Root Ownership +- Shared OVAL check for Verify that System Executables Have Restrictive Permissions +- Shared OVAL check for Verify that System Executables Have Root Ownership +- Shared OVAL check for Verify that Shared Library Files Have Restrictive + Permissions +- Fix remediation for Disable Prelinking rule +- OVAL check and remediation for sshd's ClientAliveCountMax rule +- OVAL check for sshd's ClientAliveInterval rule +- Include descriptions for permissions section, and rules for checking + permissions and ownership of shared library files and system executables +- Disable selected rules by default +- Add remediation for Disable Prelinking rule +- Adjust service-enable-macro, service-disable-macro XSLT transforms + definition to evaluate to proper systemd syntax +- Fix service_ntpd_enabled OVAL check make validate to pass again +- Include patch from Šimon Lukašík to obsolete openscap-content + package (RH BZ#1028706) +- Add OVAL check to test if there's is remote NTP server configured for + time data +- Add system settings section for the guide (to track system wide + hardening configurations) +- Include disable prelink rule and OVAL check for it +- Initial OVAL check if ntpd service is enabled. Add package_installed + OVAL templating directory structure and functionality. +- Include services section, and XCCDF description for selected ntpd's + sshd's service rules +- Include remediations for login.defs' based password minimum, maximum and + warning age rules +- Include directory structure to support remediations +- Add SCAP "replace or append pattern value in text file based on variable" + remediation script generator +- Add remediation for "Set Password Minimum Length in login.defs" rule + +* Mon Nov 18 2013 Jan iankko Lieskovsky 0.1.3-1 +- Update versioning scheme - move fedorassgrelease to be part of + upstream version. Rename it to fedorassgversion to avoid name collision + with Fedora package release. + +* Tue Oct 22 2013 Jan iankko Lieskovsky 0.1-3 +- Add .gitignore for Fedora output directory +- Set up Fedora release name and CPE based on build system properties +- Use correct file paths in scap-security-guide(8) manual page + (RH BZ#1018905, c#10) +- Apply further changes motivated by scap-security-guide Fedora RPM review + request (RH BZ#1018905, c#8): + * update package description, + * make content files to be owned by the scap-security-guide package, + * remove Fedora release number from generated content files, + * move HTML form of the guide under the doc directory (together + with that drop fedora/content subdir and place the content + directly under fedora/ subdir). +- Fixes for scap-security-guide Fedora RPM review request (RH BZ#1018905): + * drop Fedora release from package provided files' final path (c#5), + * drop BuildRoot, selected Requires:, clean section, drop chcon for + manual page, don't gzip man page (c#4), + * change package's description (c#4), + * include PD license text (#c4). + +* Mon Oct 14 2013 Jan iankko Lieskovsky 0.1-2 +- Provide manual page for scap-security-guide +- Remove percent sign from spec's changelog to silence rpmlint warning +- Convert RHEL6 'Restrict Root Logins' section's rules to Fedora +- Convert RHEL6 'Set Password Expiration Parameter' rules to Fedora +- Introduce 'Account and Access Control' section +- Convert RHEL6 'Verify Proper Storage and Existence of Password Hashes' section's + rules to Fedora +- Set proper name of the build directory in the spec's setup macro. +- Replace hard-coded paths with macros. Preserve attributes when copying files. + +* Tue Sep 17 2013 Jan iankko Lieskovsky 0.1-1 +- Initial Fedora SSG RPM.