From 30ad9f95ef5256fea1844d2240b19eb2d717ee4e Mon Sep 17 00:00:00 2001
From: Gabriel Becker <ggasparb@redhat.com>
Date: Mon, 19 Oct 2020 16:34:06 +0200
Subject: [PATCH 1/3] Remove extra single quote from OVAL macros.

---
 shared/macros-oval.jinja | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/shared/macros-oval.jinja b/shared/macros-oval.jinja
index 47033bedbe..5ea97c7537 100644
--- a/shared/macros-oval.jinja
+++ b/shared/macros-oval.jinja
@@ -25,7 +25,7 @@
 {{%- endif -%}}
 <def-group>
   <definition class="compliance" id="{{{ rule_id }}}" version="1">
-    {{{ oval_metadata("Ensure '" + parameter + "' is configured with value '" + value | replace("(?i)", "") | replace("(?-i)", "") + (" in section '" + section if section else "") + "' in '" + path) }}}
+    {{{ oval_metadata("Ensure '" + parameter + "' is configured with value '" + value | replace("(?i)", "") | replace("(?-i)", "") + (" in section '" + section if section else "") + "' in " + path) }}}
     {{%- if missing_config_file_fail %}}
     <criteria comment="{{{ application }}} is configured correctly and configuration file exists"
     operator="AND">
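Review bot: The new line still leaves the value's opening quote unclosed whenever `section` is set: the `'` at the start of `"' in "` now closes the section quote, so the rendered description reads `configured with value 'X in section 'Y' in path`, while without a section it is balanced. Closing the value quote right after the value and giving the section its own closing quote keeps both forms balanced: `{{{ oval_metadata("Ensure '" + parameter + "' is configured with value '" + value | replace("(?i)", "") | replace("(?-i)", "") + "'" + (" in section '" + section + "'" if section else "") + " in " + path) }}}`. The macro this line belongs to starts outside the hunk, so I cannot see whether `section` can be undefined rather than falsy.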

From 973a52024c21c3c2a97e8f159e53849eadc11285 Mon Sep 17 00:00:00 2001
From: Gabriel Becker <ggasparb@redhat.com>
Date: Mon, 19 Oct 2020 16:50:39 +0200
Subject: [PATCH 2/3] Create custom OVAL check for uefi_no_removeable_media.

Include the extended definition to check if the system is a UEFI system
or not.
---
 .../uefi_no_removeable_media/oval/shared.xml  | 36 ++++++++++++++++++-
 .../tests/hard_disk_set.pass.sh               | 12 +++++++
 .../tests/removable_media_set.fail.sh         | 12 +++++++
 tests/shared/grub2.sh                         |  6 ++++
 4 files changed, 65 insertions(+), 1 deletion(-)
 create mode 100644 linux_os/guide/system/bootloader-grub2/uefi_no_removeable_media/tests/hard_disk_set.pass.sh
 create mode 100644 linux_os/guide/system/bootloader-grub2/uefi_no_removeable_media/tests/removable_media_set.fail.sh

diff --git a/linux_os/guide/system/bootloader-grub2/uefi_no_removeable_media/oval/shared.xml b/linux_os/guide/system/bootloader-grub2/uefi_no_removeable_media/oval/shared.xml
index fd482a3d9d..44e54538c8 100644
--- a/linux_os/guide/system/bootloader-grub2/uefi_no_removeable_media/oval/shared.xml
+++ b/linux_os/guide/system/bootloader-grub2/uefi_no_removeable_media/oval/shared.xml
@@ -1 +1,35 @@
-{{{ oval_check_config_file(path='/boot/efi/EFI/redhat/grub.cfg', prefix_regex='^[ \\t]*', parameter='set root', separator_regex='=', value="'(?!fd)(?!cd)(?!usb).*'", missing_parameter_pass=false, missing_config_file_fail=true) }}}
+{{% if product == "fedora" %}}
+{{% set grub_cfg_prefix = "/boot/efi/EFI/fedora" %}}
+{{% else %}}
+{{% set grub_cfg_prefix = "/boot/efi/EFI/redhat" %}}
+{{% endif %}}
+
+<def-group>
+  <definition class="compliance" id="uefi_no_removeable_media" version="1">
+    {{{ oval_metadata("Ensure 'set root' is configured with value '(?!fd)(?!cd)(?!usb).*' in /boot/efi/EFI/redhat/grub.cfg") }}}
+    <criteria comment="The respective application or service is configured correctly or system boot mode is not UEFI" operator="OR">
+      <extend_definition definition_ref="system_boot_mode_is_uefi" negate="true" comment="Pass if system boot mode is not UEFI" />
+      <criterion comment="Check the set root in {{{ grub_cfg_prefix + "/grub.cfg" }}}" test_ref="test_uefi_no_removeable_media" />
+      {{{ oval_file_absent_criterion(grub_cfg_prefix + "/grub.cfg") }}}
+    </criteria>
+  </definition>
+
+  <ind:textfilecontent54_test check="all" check_existence="all_exist"
+  comment="tests the value of set root setting in the {{{ grub_cfg_prefix + "/grub.cfg" }}} file"
+  id="test_uefi_no_removeable_media" version="1">
+  <ind:object object_ref="obj_uefi_no_removeable_media" />
+  <ind:state state_ref="state_uefi_no_removeable_media" />
+  </ind:textfilecontent54_test>
+
+  <ind:textfilecontent54_object id="obj_uefi_no_removeable_media" version="1">
+    <ind:filepath>{{{ grub_cfg_prefix + "/grub.cfg" }}}</ind:filepath>
+    <ind:pattern operation="pattern match">^[ \t]*set root=(.+?)[ \t]*(?:$|#)</ind:pattern>
+    <ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
+  </ind:textfilecontent54_object>
+
+  <ind:textfilecontent54_state id="state_uefi_no_removeable_media" version="1">
+    <ind:subexpression datatype="string" operation="pattern match">^'(?!fd)(?!cd)(?!usb).*'$</ind:subexpression>
+  </ind:textfilecontent54_state>
+
+  {{{ oval_file_absent(grub_cfg_prefix + "/grub.cfg") }}}
+</def-group>
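Review bot: The state at the `ind:subexpression` line only accepts a single-quoted value (`^'(?!fd)(?!cd)(?!usb).*'$`), so a grub.cfg that sets the root unquoted, e.g. `set root=hd0,msdos1`, or with double quotes is reported as a failure even though it does not point at removable media; GRUB accepts both spellings, so this is a false fail rather than a security gap. Making the quotes optional while keeping the lookaheads anchored to the device name avoids that: `<ind:subexpression datatype="string" operation="pattern match">^['"]?(?!fd)(?!cd)(?!usb)[^'"]*['"]?$</ind:subexpression>` (the `[^'"]*` instead of `.*` is what stops the engine from backtracking past the lookaheads when the quote is present). Separately, `grub_cfg_prefix + "/grub.cfg"` is spelled out four times; one `{{% set grub_cfg_path = grub_cfg_prefix + "/grub.cfg" %}}` after the product branch would keep the object's filepath and the criterion, test comment and file-absent macro in step. The `system_boot_mode_is_uefi` definition this relies on is not in the patch, so I am assuming it exists in the shared OVAL.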
diff --git a/linux_os/guide/system/bootloader-grub2/uefi_no_removeable_media/tests/hard_disk_set.pass.sh b/linux_os/guide/system/bootloader-grub2/uefi_no_removeable_media/tests/hard_disk_set.pass.sh
new file mode 100644
index 0000000000..afe131c417
--- /dev/null
+++ b/linux_os/guide/system/bootloader-grub2/uefi_no_removeable_media/tests/hard_disk_set.pass.sh
@@ -0,0 +1,12 @@
+#!/bin/bash
+
+# remediation = none
+
+. $SHARED/grub2.sh
+
+set_grub_uefi_root
+
+# make the check applicable since it tries to detect this directory first
+# mkdir -p /sys/firmware/efi
+
+set_root_unquoted "'hd0,msdos1'"
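Review bot: With the `mkdir -p /sys/firmware/efi` line commented out, the scenario's outcome depends on the boot mode of the test host rather than on the grub.cfg content it writes: the definition passes whenever `system_boot_mode_is_uefi` is false, so on a BIOS-booted VM this pass scenario passes trivially and the companion `removable_media_set.fail.sh` (the hunk ending at the second `set_root_unquoted` line) passes as well instead of failing. Either re-enable that line for both scenarios or state the constraint in the header comment, e.g. `# This scenario only exercises the grub.cfg check when the test host boots in UEFI mode; on BIOS hosts the rule passes through the negated system_boot_mode_is_uefi definition.` `set_grub_uefi_root` is defined in tests/shared/grub2.sh outside this patch, so I am assuming it sets `GRUB_CFG_ROOT` to the EFI path; quoting the source line as `. "$SHARED/grub2.sh"` is a minor nit.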
diff --git a/linux_os/guide/system/bootloader-grub2/uefi_no_removeable_media/tests/removable_media_set.fail.sh b/linux_os/guide/system/bootloader-grub2/uefi_no_removeable_media/tests/removable_media_set.fail.sh
new file mode 100644
index 0000000000..92499094c1
--- /dev/null
+++ b/linux_os/guide/system/bootloader-grub2/uefi_no_removeable_media/tests/removable_media_set.fail.sh
@@ -0,0 +1,12 @@
+#!/bin/bash
+
+# remediation = none
+
+. $SHARED/grub2.sh
+
+set_grub_uefi_root
+
+# make the check applicable since it tries to detect this directory first
+# mkdir -p /sys/firmware/efi
+
+set_root_unquoted "'usb0,msdos1'"
diff --git a/tests/shared/grub2.sh b/tests/shared/grub2.sh
index ce1943349e..bce7683a7c 100644
--- a/tests/shared/grub2.sh
+++ b/tests/shared/grub2.sh
@@ -25,3 +25,9 @@ function set_superusers_unquoted {
 	mkdir -p "$GRUB_CFG_ROOT"
 	echo "set superusers=$1" > "$GRUB_CFG_ROOT/grub.cfg"
 }
+
+
+function set_root_unquoted {
+	mkdir -p "$GRUB_CFG_ROOT"
+	echo "set root=$1" > "$GRUB_CFG_ROOT/grub.cfg"
+}
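Review bot: `set_root_unquoted` truncates grub.cfg with `>` just like the existing `set_superusers_unquoted`, so a scenario that calls both helpers ends up with only the last line written; that matches the existing helper's behaviour, but it is worth recording on the function, e.g. `# Replaces grub.cfg with a single "set root=$1" line (no quoting is added; pass the quotes in $1).` `GRUB_CFG_ROOT` is set outside the hunk, so the helper silently writes to `/grub.cfg` if it is unset — a `: "${GRUB_CFG_ROOT:?}"` guard would turn that into an error.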

From fc2b030015317ad465b9dd8c9d9e9714de9c8ac8 Mon Sep 17 00:00:00 2001
From: Gabriel Becker <ggasparb@redhat.com>
Date: Tue, 20 Oct 2020 16:30:10 +0200
Subject: [PATCH 3/3] Update
 linux_os/guide/system/bootloader-grub2/uefi_no_removeable_media/oval/shared.xml

Co-authored-by: Gabe Alford <redhatrises@gmail.com>
---
 .../bootloader-grub2/uefi_no_removeable_media/oval/shared.xml   | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/linux_os/guide/system/bootloader-grub2/uefi_no_removeable_media/oval/shared.xml b/linux_os/guide/system/bootloader-grub2/uefi_no_removeable_media/oval/shared.xml
index 44e54538c8..5ae57cbfa6 100644
--- a/linux_os/guide/system/bootloader-grub2/uefi_no_removeable_media/oval/shared.xml
+++ b/linux_os/guide/system/bootloader-grub2/uefi_no_removeable_media/oval/shared.xml
@@ -6,7 +6,7 @@
 
 <def-group>
   <definition class="compliance" id="uefi_no_removeable_media" version="1">
-    {{{ oval_metadata("Ensure 'set root' is configured with value '(?!fd)(?!cd)(?!usb).*' in /boot/efi/EFI/redhat/grub.cfg") }}}
+    {{{ oval_metadata("Ensure the system is not configured to use a boot loader on removable media.") }}}
     <criteria comment="The respective application or service is configured correctly or system boot mode is not UEFI" operator="OR">
       <extend_definition definition_ref="system_boot_mode_is_uefi" negate="true" comment="Pass if system boot mode is not UEFI" />
       <criterion comment="Check the set root in {{{ grub_cfg_prefix + "/grub.cfg" }}}" test_ref="test_uefi_no_removeable_media" />
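Review bot: The new description no longer says what is actually inspected, which makes the result harder to interpret in a report; since the path is already computed in this file, the description can stay product-agnostic while naming the setting, e.g. `{{{ oval_metadata("Ensure the system is not configured to use a boot loader on removable media: the 'set root' value in " + grub_cfg_prefix + "/grub.cfg must not reference fd, cd or usb devices.") }}}`. The `<criteria>` element continues past the end of the hunk.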