From d09b82de682756213c96b396abb0c912bea32a2b Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Wed, 26 Aug 2020 17:50:57 +0200
Subject: [PATCH 1/4] unify bash remediations

---
 .../accounts_maximum_age_login_defs/bash/fedora.sh    | 11 -----------
 .../accounts_maximum_age_login_defs/bash/shared.sh    |  2 +-
 2 files changed, 1 insertion(+), 12 deletions(-)
 delete mode 100644 linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/bash/fedora.sh

diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/bash/fedora.sh b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/bash/fedora.sh
deleted file mode 100644
index ef664f1a64..0000000000
--- a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/bash/fedora.sh
+++ /dev/null
@@ -1,11 +0,0 @@
-# platform = multi_platform_fedora
-. /usr/share/scap-security-guide/remediation_functions
-declare var_accounts_maximum_age_login_defs
-populate var_accounts_maximum_age_login_defs
-
-grep -q ^PASS_MAX_DAYS /etc/login.defs && \
-sed -i "s/PASS_MAX_DAYS.*/PASS_MAX_DAYS\t$var_accounts_maximum_age_login_defs/g" /etc/login.defs
-if ! [ $? -eq 0 ]
-then
-  echo -e "PASS_MAX_DAYS\t$var_accounts_maximum_age_login_defs" >> /etc/login.defs
-fi
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/bash/shared.sh b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/bash/shared.sh
index 494e04abb9..9c61548d3a 100644
--- a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/bash/shared.sh
+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/bash/shared.sh
@@ -1,4 +1,4 @@
-# platform = multi_platform_wrlinux,multi_platform_rhel,multi_platform_ol,multi_platform_rhv
+# platform = multi_platform_wrlinux,multi_platform_rhel,multi_platform_ol,multi_platform_rhv,multi_platform_fedora
 . /usr/share/scap-security-guide/remediation_functions
 populate var_accounts_maximum_age_login_defs
 

From 041017588bf29a3f84024ab2dd4928624dfbf82e Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Wed, 26 Aug 2020 17:51:19 +0200
Subject: [PATCH 2/4] fix regex in oval check

---
 .../accounts_maximum_age_login_defs/oval/shared.xml             | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/oval/shared.xml b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/oval/shared.xml
index cd79ca81b5..27649723ac 100644
--- a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/oval/shared.xml
+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/oval/shared.xml
@@ -22,6 +22,6 @@
     <ind:filepath>/etc/login.defs</ind:filepath>
     <!-- Retrieve last (uncommented) occurrence of PASS_MAX_DAYS directive -->
-    <ind:pattern operation="pattern match">.*\n[^#]*(PASS_MAX_DAYS\s+\d+)\s*\n</ind:pattern>
+    <ind:pattern operation="pattern match">^(?:.*\n)*\s*[^#]*(PASS_MAX_DAYS\s+\d+)\s*\n</ind:pattern>
     <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
   </ind:textfilecontent54_object>
 
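Review bot: In the new `<ind:pattern>`, `[^#]*` is a negated class, so it accepts any text other than `#` in front of the keyword, newlines included. A line such as `FOO_PASS_MAX_DAYS 90` would apparently be captured as the setting, which could let the check pass on a file that never sets the real directive. Limiting the prefix to horizontal whitespace keeps the commented-line exclusion and closes that gap, e.g. `^(?:.*\n)*[ \t]*(PASS_MAX_DAYS\s+\d+)\s*\n`. The pattern also still requires a trailing `\n`, so a final line without a newline would presumably not be seen; it is worth confirming that this is intended. The enclosing `textfilecontent54_object` opens above the hunk, so any behaviors set on it are not visible here.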

From 6120e191d15b5869e6f95bea8c0a6e9de4e3e6fc Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Wed, 26 Aug 2020 17:51:37 +0200
Subject: [PATCH 3/4] add tests

---
 .../tests/commented_standard.fail.sh                         | 5 +++++
 .../tests/commented_stig.fail.sh                             | 5 +++++
 .../tests/correct_standard.pass.sh                           | 5 +++++
 .../tests/correct_stig.pass.sh                               | 5 +++++
 .../tests/incorrect_standard.fail.sh                         | 5 +++++
 .../tests/incorrect_stig.fail.sh                             | 5 +++++
 6 files changed, 30 insertions(+)
 create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/tests/commented_standard.fail.sh
 create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/tests/commented_stig.fail.sh
 create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/tests/correct_standard.pass.sh
 create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/tests/correct_stig.pass.sh
 create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/tests/incorrect_standard.fail.sh
 create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/tests/incorrect_stig.fail.sh

diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/tests/commented_standard.fail.sh b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/tests/commented_standard.fail.sh
new file mode 100644
index 0000000000..84301cc031
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/tests/commented_standard.fail.sh
@@ -0,0 +1,5 @@
+#!/bin/bash
+# profiles = xccdf_org.ssgproject.content_profile_standard
+
+rm -f /etc/login.defs
+echo '#PASS_MAX_DAYS 90' > /etc/login.defs
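Review bot: Every scenario added in this patch writes a one-line /etc/login.defs, so the tests never exercise the multi-line prefix `(?:.*\n)*` or the "last uncommented occurrence" behaviour that patch 2/4 changes. The same holds for commented_stig.fail.sh, the two correct_*.pass.sh files and the two incorrect_*.fail.sh files. A `.fail.sh` scenario with a compliant value followed by a later non-compliant one would pin that behaviour down, e.g. `printf 'PASS_MAX_DAYS 90\nPASS_MAX_DAYS 120\n' > /etc/login.defs`. A second scenario with an indented `#PASS_MAX_DAYS` line after unrelated settings would cover the comment exclusion in a realistic file.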
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/tests/commented_stig.fail.sh b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/tests/commented_stig.fail.sh
new file mode 100644
index 0000000000..8ab4879dda
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/tests/commented_stig.fail.sh
@@ -0,0 +1,5 @@
+#!/bin/bash
+# profiles = xccdf_org.ssgproject.content_profile_stig
+
+rm -f /etc/login.defs
+echo '#PASS_MAX_DAYS 60' > /etc/login.defs
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/tests/correct_standard.pass.sh b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/tests/correct_standard.pass.sh
new file mode 100644
index 0000000000..989cf596d6
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/tests/correct_standard.pass.sh
@@ -0,0 +1,5 @@
+#!/bin/bash
+# profiles = xccdf_org.ssgproject.content_profile_standard
+
+rm -f /etc/login.defs
+echo "PASS_MAX_DAYS    90" > /etc/login.defs
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/tests/correct_stig.pass.sh b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/tests/correct_stig.pass.sh
new file mode 100644
index 0000000000..172cc4841d
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/tests/correct_stig.pass.sh
@@ -0,0 +1,5 @@
+#!/bin/bash
+# profiles = xccdf_org.ssgproject.content_profile_stig
+
+rm -f /etc/login.defs
+echo "PASS_MAX_DAYS        60" > /etc/login.defs
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/tests/incorrect_standard.fail.sh b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/tests/incorrect_standard.fail.sh
new file mode 100644
index 0000000000..4556ef09d5
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/tests/incorrect_standard.fail.sh
@@ -0,0 +1,5 @@
+#!/bin/bash
+# profiles = xccdf_org.ssgproject.content_profile_standard
+
+rm -f /etc/login.defs
+echo "PASS_MAX_DAYS 120" > /etc/login.defs
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/tests/incorrect_stig.fail.sh b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/tests/incorrect_stig.fail.sh
new file mode 100644
index 0000000000..d079467f2d
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/tests/incorrect_stig.fail.sh
@@ -0,0 +1,5 @@
+#!/bin/bash
+# profiles = xccdf_org.ssgproject.content_profile_stig
+
+rm -f /etc/login.defs
+echo "PASS_MAX_DAYS 120" > /etc/login.defs

From c3dfc4148e2136ce74e1c59cd66ade7e540b51b3 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Tue, 1 Sep 2020 14:46:23 +0200
Subject: [PATCH 4/4] change platform of some tests to fedora

---
 ...mented_standard.fail.sh => commented_standard_fedora.fail.sh} | 1 +
 ...{correct_standard.pass.sh => correct_standard_fedora.pass.sh} | 1 +
 ...orrect_standard.fail.sh => incorrect_standard_fedora.fail.sh} | 1 +
 3 files changed, 3 insertions(+)
 rename linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/tests/{commented_standard.fail.sh => commented_standard_fedora.fail.sh} (79%)
 rename linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/tests/{correct_standard.pass.sh => correct_standard_fedora.pass.sh} (79%)
 rename linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/tests/{incorrect_standard.fail.sh => incorrect_standard_fedora.fail.sh} (79%)

diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/tests/commented_standard.fail.sh b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/tests/commented_standard_fedora.fail.sh
similarity index 79%
rename from linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/tests/commented_standard.fail.sh
rename to linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/tests/commented_standard_fedora.fail.sh
index 84301cc031..0add08ec19 100644
--- a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/tests/commented_standard.fail.sh
+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/tests/commented_standard_fedora.fail.sh
@@ -1,5 +1,6 @@
 #!/bin/bash
 # profiles = xccdf_org.ssgproject.content_profile_standard
+# platform = multi_platform_fedora
 
 rm -f /etc/login.defs
 echo '#PASS_MAX_DAYS 90' > /etc/login.defs
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/tests/correct_standard.pass.sh b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/tests/correct_standard_fedora.pass.sh
similarity index 79%
rename from linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/tests/correct_standard.pass.sh
rename to linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/tests/correct_standard_fedora.pass.sh
index 989cf596d6..7fd75139c8 100644
--- a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/tests/correct_standard.pass.sh
+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/tests/correct_standard_fedora.pass.sh
@@ -1,5 +1,6 @@
 #!/bin/bash
 # profiles = xccdf_org.ssgproject.content_profile_standard
+# platform = multi_platform_fedora
 
 rm -f /etc/login.defs
 echo "PASS_MAX_DAYS    90" > /etc/login.defs
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/tests/incorrect_standard.fail.sh b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/tests/incorrect_standard_fedora.fail.sh
similarity index 79%
rename from linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/tests/incorrect_standard.fail.sh
rename to linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/tests/incorrect_standard_fedora.fail.sh
index 4556ef09d5..b4f647c324 100644
--- a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/tests/incorrect_standard.fail.sh
+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/tests/incorrect_standard_fedora.fail.sh
@@ -1,5 +1,6 @@
 #!/bin/bash
 # profiles = xccdf_org.ssgproject.content_profile_standard
+# platform = multi_platform_fedora
 
 rm -f /etc/login.defs
 echo "PASS_MAX_DAYS 120" > /etc/login.defs