From 2e618f9239de966ec167f7b43ae854650a3421ad Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Wed, 3 Apr 2019 18:05:15 +0200
Subject: [PATCH 1/3] Introduce CPE shadow-utils
- Add inventory OVAL check for shadow-utils package installed
- Add shadow-utils CPE to RHEL7 dictionary
---
rhel7/cpe/rhel7-cpe-dictionary.xml | 5 ++++
...installed_env_has_shadow-utils_package.xml | 24 +++++++++++++++++++
2 files changed, 29 insertions(+)
create mode 100644 shared/checks/oval/installed_env_has_shadow-utils_package.xml
diff --git a/rhel7/cpe/rhel7-cpe-dictionary.xml b/rhel7/cpe/rhel7-cpe-dictionary.xml
index 23541378f8..44fe06f103 100644
--- a/rhel7/cpe/rhel7-cpe-dictionary.xml
+++ b/rhel7/cpe/rhel7-cpe-dictionary.xml
@@ -47,4 +47,9 @@
<!-- the check references an OVAL file that contains an inventory definition -->
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_is_a_machine</check>
</cpe-item>
+ <cpe-item name="cpe:/a:shadow-utils">
+ <title xml:lang="en-us">Package shadow-utils is installed</title>
+ <!-- the check references an OVAL file that contains an inventory definition -->
+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_shadow-utils_package</check>
+ </cpe-item>
</cpe-list>
diff --git a/shared/checks/oval/installed_env_has_shadow-utils_package.xml b/shared/checks/oval/installed_env_has_shadow-utils_package.xml
new file mode 100644
index 0000000000..12dd5bd565
--- /dev/null
+++ b/shared/checks/oval/installed_env_has_shadow-utils_package.xml
@@ -0,0 +1,24 @@
+<def-group>
+ <definition class="inventory"
+ id="installed_env_has_shadow-utils_package" version="1">
+ <metadata>
+ <title>Package shadow-utils is installed</title>
+ <affected family="unix">
+ <platform>multi_platform_all</platform>
+ </affected>
+ <description>Checks if package shadow-utils is installed.</description>
+ <reference ref_id="cpe:/a:shadow-utils" source="CPE" />
+ </metadata>
+ <criteria>
+ <criterion comment="Package shadow-utils is installed" test_ref="test_env_has_shadow-utils_installed" />
+ </criteria>
+ </definition>
+
+ <linux:rpminfo_test check="all" check_existence="at_least_one_exists" comment="system has package shadow-utils installed" id="test_env_has_shadow-utils_installed" version="1">
+ <linux:object object_ref="obj_env_has_shadow-utils_installed" />
+ </linux:rpminfo_test>
+ <linux:rpminfo_object id="obj_env_has_shadow-utils_installed" version="1">
+ <linux:name>shadow-utils</linux:name>
+ </linux:rpminfo_object>
+
+</def-group>
From 06650f96e4e880c90a23eaf565e70d37a175aa47 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Wed, 3 Apr 2019 18:10:33 +0200
Subject: [PATCH 2/3] Rules are applicable when shadow-utils installed
If package shadow-utils is not installed, the rule will result in
notapplicable.
---
.../account_disable_post_pw_expiration/rule.yml | 2 ++
.../accounts_maximum_age_login_defs/rule.yml | 2 ++
.../accounts_minimum_age_login_defs/rule.yml | 2 ++
.../accounts_password_minlen_login_defs/rule.yml | 2 ++
.../accounts_password_warn_age_login_defs/rule.yml | 2 ++
.../accounts-session/accounts_logon_fail_delay/rule.yml | 2 ++
6 files changed, 12 insertions(+)
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_disable_post_pw_expiration/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_disable_post_pw_expiration/rule.yml
index 9d19274f1c..d8b29b6436 100644
--- a/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_disable_post_pw_expiration/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_disable_post_pw_expiration/rule.yml
@@ -62,3 +62,5 @@ ocil: |-
to an appropriate integer as shown in the example below:
<pre>$ grep "INACTIVE" /etc/default/useradd
INACTIVE=<sub idref="var_account_disable_post_pw_expiration" /></pre>
+
+platform: shadow-utils
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/rule.yml
index 90dc1b4f2b..de322bc787 100644
--- a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/rule.yml
@@ -55,3 +55,5 @@ ocil: |-
<pre>$ grep PASS_MAX_DAYS /etc/login.defs</pre>
The DoD and FISMA requirement is 60.
A value of 180 days is sufficient for many environments.
+
+platform: shadow-utils
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_minimum_age_login_defs/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_minimum_age_login_defs/rule.yml
index 88706c8b3e..dd7030cd0a 100644
--- a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_minimum_age_login_defs/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_minimum_age_login_defs/rule.yml
@@ -49,3 +49,5 @@ ocil_clause: 'it is not equal to or greater than the required value'
ocil: |-
To check the minimum password age, run the command:
<pre>$ grep PASS_MIN_DAYS /etc/login.defs</pre>
+
+platform: shadow-utils
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_minlen_login_defs/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_minlen_login_defs/rule.yml
index 814fda94b9..d38ee253fb 100644
--- a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_minlen_login_defs/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_minlen_login_defs/rule.yml
@@ -51,3 +51,5 @@ ocil: |-
To check the minimum password length, run the command:
<pre>$ grep PASS_MIN_LEN /etc/login.defs</pre>
The DoD requirement is <tt>15</tt>.
+
+platform: shadow-utils
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_warn_age_login_defs/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_warn_age_login_defs/rule.yml
index d8947ad9fd..85b5cd762f 100644
--- a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_warn_age_login_defs/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_warn_age_login_defs/rule.yml
@@ -40,3 +40,5 @@ ocil: |-
To check the password warning age, run the command:
<pre>$ grep PASS_WARN_AGE /etc/login.defs</pre>
The DoD requirement is 7.
+
+platform: shadow-utils
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_logon_fail_delay/rule.yml b/linux_os/guide/system/accounts/accounts-session/accounts_logon_fail_delay/rule.yml
index 171051e138..33fc873e97 100644
--- a/linux_os/guide/system/accounts/accounts-session/accounts_logon_fail_delay/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_logon_fail_delay/rule.yml
@@ -37,3 +37,5 @@ ocil: |-
All output must show the value of <tt>FAIL_DELAY</tt> set as shown in the below:
<pre>$ sudo grep -i "FAIL_DELAY" /etc/login.defs
fail_delay <sub idref="var_accounts_fail_delay" /></pre>
+
+platform: shadow-utils
From 63ab7328a57c185734037a124eab2ab8ac740e82 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Wed, 3 Apr 2019 18:14:58 +0200
Subject: [PATCH 3/3] Map shadow-utils platform to CPE name
---
ssg/constants.py | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/ssg/constants.py b/ssg/constants.py
index b80382be3d..f96fd51790 100644
--- a/ssg/constants.py
+++ b/ssg/constants.py
@@ -375,7 +375,8 @@
XCCDF_PLATFORM_TO_CPE = {
"machine": "cpe:/a:machine",
- "container": "cpe:/a:container"
+ "container": "cpe:/a:container",
+ "shadow-utils": "cpe:/a:shadow-utils",
}
# Application constants