From 540324ac8e8cbe0e749c41a1eac59a234a3b7ea3 Mon Sep 17 00:00:00 2001
From: CentOS Sources
Date: Aug 20 2020 18:29:30 +0000
Subject: import scap-security-guide-0.1.50-10.el8
---
diff --git a/SOURCES/scap-security-guide-0.1.51-parametrize-ssh-PR5772.patch b/SOURCES/scap-security-guide-0.1.51-parametrize-ssh-PR5772.patch
new file mode 100644
index 0000000..77a9e01
--- /dev/null
+++ b/SOURCES/scap-security-guide-0.1.51-parametrize-ssh-PR5772.patch
@@ -0,0 +1,383 @@ +From 91c7ff65572b51b52eaf14f3b147b118dc85cc9f Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= +Date: Tue, 19 May 2020 15:49:34 +0200 +Subject: [PATCH 1/5] Made the rule sshd_rekey_limit parametrized. + +Introduce the rekey_limit_size and rekey_limit_time XCCDF values +to make the rule more flexible. +--- + .../sshd_rekey_limit/bash/shared.sh | 9 ++++ + .../sshd_rekey_limit/oval/shared.xml | 43 +++++++++++++++++++ + .../ssh/ssh_server/sshd_rekey_limit/rule.yml | 12 +----- + .../sshd_rekey_limit/tests/bad_size.fail.sh | 4 ++ + .../sshd_rekey_limit/tests/bad_time.fail.sh | 4 ++ + .../sshd_rekey_limit/tests/no_line.fail.sh | 3 ++ + .../sshd_rekey_limit/tests/ok.pass.sh | 4 ++ + .../ssh/ssh_server/var_rekey_limit_size.var | 14 ++++++ + .../ssh/ssh_server/var_rekey_limit_time.var | 14 ++++++ + rhel8/profiles/ospp.profile | 2 + + 10 files changed, 99 insertions(+), 10 deletions(-) + create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/bash/shared.sh + create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/oval/shared.xml + create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/bad_size.fail.sh + create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/bad_time.fail.sh + create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/no_line.fail.sh + create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/ok.pass.sh + create mode 100644 linux_os/guide/services/ssh/ssh_server/var_rekey_limit_size.var + create mode 100644 linux_os/guide/services/ssh/ssh_server/var_rekey_limit_time.var + +diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/bash/shared.sh b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/bash/shared.sh +new file mode 100644 +index 0000000000..2620c2d49e +--- /dev/null ++++ b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/bash/shared.sh +@@ -0,0 +1,9 @@ 
++# platform = multi_platform_all ++ ++# Include source function library. ++. /usr/share/scap-security-guide/remediation_functions ++ ++populate var_rekey_limit_size ++populate var_rekey_limit_time ++ ++{{{ bash_sshd_config_set(parameter='RekeyLimit', value="$var_rekey_limit_size $var_rekey_limit_time") }}} +diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/oval/shared.xml b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/oval/shared.xml +new file mode 100644 +index 0000000000..57aa090948 +--- /dev/null ++++ b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/oval/shared.xml +@@ -0,0 +1,43 @@ ++{{% set filepath = "/etc/ssh/sshd_config" %}} ++{{% set parameter = "RekeyLimit" %}} ++ ++ ++ ++ ++ ++ {{{ rule_title }}} ++ {{{- oval_affected(products) }}} ++ Ensure '{{{ RekeyLimit }}}' is configured with the correct value in '{{{ filepath }}}' ++ ++ ++ {{{- application_not_required_or_requirement_unset() }}} ++ {{{- application_required_or_requirement_unset() }}} ++ {{{- oval_line_in_file_criterion(filepath, "RekeyLimit") }}} ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ {{{ filepath }}} ++ ++ 1 ++ ++ ++ ++ ++ ^[\s]*RekeyLimit[\s]+ ++ ++ [\s]+ ++ ++ [\s]*$ ++ ++ ++ ++ ++ ++ ++ +diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/rule.yml +index e11678faa0..4936a381f5 100644 +--- a/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/rule.yml ++++ b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/rule.yml +@@ -7,7 +7,7 @@ description: |- + the session key of the is renegotiated, both in terms of + amount of data that may be transmitted and the time + elapsed. To decrease the default limits, put line +- RekeyLimit 512M 1h to file /etc/ssh/sshd_config. ++ RekeyLimit {{{ sub_var_value("var_rekey_limit_size") }}} {{{ sub_var_value("var_rekey_limit_time") }}} to file /etc/ssh/sshd_config. 
+ + rationale: |- + By decreasing the limit based on the amount of data and enabling +@@ -30,12 +30,4 @@ ocil: |- + following command: +
$ sudo grep RekeyLimit /etc/ssh/sshd_config
+ If configured properly, output should be +-
RekeyLimit 512M 1h
+- +-template: +- name: sshd_lineinfile +- vars: +- missing_parameter_pass: 'false' +- parameter: RekeyLimit +- rule_id: sshd_rekey_limit +- value: 512M 1h ++
RekeyLimit {{{ sub_var_value("var_rekey_limit_size") }}} {{{ sub_var_value("var_rekey_limit_time") }}}
+diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/bad_size.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/bad_size.fail.sh
+new file mode 100644
+index 0000000000..2ac0bbf350
+--- /dev/null
++++ b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/bad_size.fail.sh
+@@ -0,0 +1,4 @@
++# platform = multi_platform_all
++
++sed -e '/RekeyLimit/d' /etc/ssh/sshd_config
++echo "RekeyLimit 812M 1h" >> /etc/ssh/sshd_config
+diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/bad_time.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/bad_time.fail.sh
+new file mode 100644
+index 0000000000..fec859fe05
+--- /dev/null
++++ b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/bad_time.fail.sh
+@@ -0,0 +1,4 @@
++# platform = multi_platform_all
++
++sed -e '/RekeyLimit/d' /etc/ssh/sshd_config
++echo "RekeyLimit 512M 2h" >> /etc/ssh/sshd_config
+diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/no_line.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/no_line.fail.sh
+new file mode 100644
+index 0000000000..a6cd10163f
+--- /dev/null
++++ b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/no_line.fail.sh
+@@ -0,0 +1,3 @@
++# platform = multi_platform_all
++
++sed -e '/RekeyLimit/d' /etc/ssh/sshd_config
+diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/ok.pass.sh b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/ok.pass.sh
+new file mode 100644
+index 0000000000..a6a2ba7adf
+--- /dev/null
++++ b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/ok.pass.sh
+@@ -0,0 +1,4 @@
++# platform = multi_platform_all
++
++sed -e '/RekeyLimit/d' /etc/ssh/sshd_config
++echo "RekeyLimit 512M 1h" >> /etc/ssh/sshd_config
+diff --git a/linux_os/guide/services/ssh/ssh_server/var_rekey_limit_size.var b/linux_os/guide/services/ssh/ssh_server/var_rekey_limit_size.var
+new file 
mode 100644
+index 0000000000..16dc376508
+--- /dev/null
++++ b/linux_os/guide/services/ssh/ssh_server/var_rekey_limit_size.var
+@@ -0,0 +1,14 @@
++documentation_complete: true
++
++title: 'SSH RekeyLimit - size'
++
++description: 'Specify the size component of the rekey limit.'
++
++type: string
++
++operator: equals
++
++options:
++ sshd_default: "default"
++ default: "512M"
++ "512M": "512M"
+diff --git a/linux_os/guide/services/ssh/ssh_server/var_rekey_limit_time.var b/linux_os/guide/services/ssh/ssh_server/var_rekey_limit_time.var
+new file mode 100644
+index 0000000000..8801fbbf6f
+--- /dev/null
++++ b/linux_os/guide/services/ssh/ssh_server/var_rekey_limit_time.var
+@@ -0,0 +1,14 @@
++documentation_complete: true
++
++title: 'SSH RekeyLimit - size'
++
++description: 'Specify the size component of the rekey limit.'
++
++type: string
++
++operator: equals
++
++options:
++ sshd_default: "none"
++ default: "1h"
++ "1hour": "1h"
+diff --git a/rhel8/profiles/ospp.profile b/rhel8/profiles/ospp.profile
+index c672066050..a5223a187f 100644
+--- a/rhel8/profiles/ospp.profile
++++ b/rhel8/profiles/ospp.profile
+@@ -58,6 +58,8 @@ selections:
+ - sshd_set_keepalive
+ - sshd_enable_warning_banner
+ - sshd_rekey_limit
++ - var_rekey_limit_size=512M
++ - var_rekey_limit_time=1hour
+ - sshd_use_strong_rng
+ - openssl_use_strong_entropy
+
+From 85efae481db88792de138916c242fbbf0a7adeb1 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?=
+Date: Tue, 19 May 2020 17:57:12 +0200
+Subject: [PATCH 2/5] Updated stable profile definitions.
+ +--- + tests/data/profile_stability/rhel8/ospp.profile | 2 ++ + tests/data/profile_stability/rhel8/stig.profile | 3 ++- + 2 files changed, 4 insertions(+), 1 deletion(-) + +diff --git a/tests/data/profile_stability/rhel8/ospp.profile b/tests/data/profile_stability/rhel8/ospp.profile +index 23039c82b4..bdda39a903 100644 +--- a/tests/data/profile_stability/rhel8/ospp.profile ++++ b/tests/data/profile_stability/rhel8/ospp.profile +@@ -214,6 +214,8 @@ selections: + - timer_dnf-automatic_enabled + - usbguard_allow_hid_and_hub + - var_sshd_set_keepalive=0 ++- var_rekey_limit_size=512M ++- var_rekey_limit_time=1hour + - var_accounts_user_umask=027 + - var_password_pam_difok=4 + - var_password_pam_maxrepeat=3 +diff --git a/tests/data/profile_stability/rhel8/stig.profile b/tests/data/profile_stability/rhel8/stig.profile +index cd31b73700..ebef541921 100644 +--- a/tests/data/profile_stability/rhel8/stig.profile ++++ b/tests/data/profile_stability/rhel8/stig.profile +@@ -21,7 +21,6 @@ description: 'This profile contains configuration checks that align to the + + - Red Hat Containers with a Red Hat Enterprise Linux 8 image' + documentation_complete: true +-extends: ospp + selections: + - account_disable_post_pw_expiration + - account_temp_expire_date +@@ -243,6 +242,8 @@ selections: + - timer_dnf-automatic_enabled + - usbguard_allow_hid_and_hub + - var_sshd_set_keepalive=0 ++- var_rekey_limit_size=512M ++- var_rekey_limit_time=1hour + - var_accounts_user_umask=027 + - var_password_pam_difok=4 + - var_password_pam_maxrepeat=3 + +From d75161c4f7232380a1b46aa8d99fa5d562503c80 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= +Date: Fri, 22 May 2020 11:43:36 +0200 +Subject: [PATCH 3/5] Improved how variables are handled in remediations. 
+ +--- + shared/macros-ansible.jinja | 14 ++++++++++++++ + shared/macros-bash.jinja | 15 +++++++++++++++ + 2 files changed, 29 insertions(+) + +diff --git a/shared/macros-ansible.jinja b/shared/macros-ansible.jinja +index 56a3f5f3ec..6798a25d1f 100644 +--- a/shared/macros-ansible.jinja ++++ b/shared/macros-ansible.jinja +@@ -1,3 +1,17 @@ ++{{# ++Pass strings that correspond to XCCDF value names as arguments to this macro: ++ansible_instantiate_variables("varname1", "varname2") ++ ++Then, assume that the task that follows can work with the variable by referencing it, e.g. ++value: "Setting={{ varname1 }}" ++ ++#}} ++{{%- macro ansible_instantiate_variables() -%}} ++{{%- for name in varargs -%}} ++- (xccdf-var {{{ name }}}) ++{{% endfor -%}} ++{{%- endmacro -%}} ++ + {{# + A wrapper over the Ansible lineinfile module. This handles the most common + options for us. regex is optional and when blank, it won't be included in +diff --git a/shared/macros-bash.jinja b/shared/macros-bash.jinja +index 01b9e62e7b..3a94fe5dd8 100644 +--- a/shared/macros-bash.jinja ++++ b/shared/macros-bash.jinja +@@ -1,5 +1,20 @@ + {{# ##### High level macros ##### #}} + ++{{# ++Pass strings that correspond to XCCDF value names as arguments to this macro: ++bash_instantiate_variables("varname1", "varname2") ++ ++Then, assume that variables of that names are defined and contain the correct value, e.g. ++echo "Setting=$varname1" >> config_file ++ ++#}} ++{{%- macro bash_instantiate_variables() -%}} ++{{%- for name in varargs -%}} ++populate {{{ name }}} ++{{# this line is intentionally left blank #}} ++{{% endfor -%}} ++{{%- endmacro -%}} ++ + {{%- macro bash_shell_file_set(path, parameter, value, no_quotes=false) -%}} + {{% if no_quotes -%}} + {{% if "$" in value %}} + +From 912ce0a4ade9aa335c044314a6cc018f1ead1abe Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= +Date: Fri, 22 May 2020 11:44:08 +0200 +Subject: [PATCH 4/5] Fixed Bash and Ansible remediations. 
+ +--- + .../ssh/ssh_server/sshd_rekey_limit/ansible/shared.yml | 8 ++++++++ + .../ssh/ssh_server/sshd_rekey_limit/bash/shared.sh | 3 +-- + 2 files changed, 9 insertions(+), 2 deletions(-) + create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/ansible/shared.yml + +diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/ansible/shared.yml b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/ansible/shared.yml +new file mode 100644 +index 0000000000..43a2d4521f +--- /dev/null ++++ b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/ansible/shared.yml +@@ -0,0 +1,8 @@ ++# platform = multi_platform_all [0/453] ++# reboot = false ++# strategy = configure ++# complexity = low ++# disruption = low ++{{{ ansible_instantiate_variables("var_rekey_limit_size", "var_rekey_limit_time") }}} ++ ++{{{ ansible_sshd_set(parameter="RekeyLimit", value="{{ var_rekey_limit_size}} {{var_rekey_limit_time}}") }}} +diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/bash/shared.sh b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/bash/shared.sh +index 2620c2d49e..0277f31392 100644 +--- a/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/bash/shared.sh ++++ b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/bash/shared.sh +@@ -3,7 +3,6 @@ + # Include source function library. + . /usr/share/scap-security-guide/remediation_functions + +-populate var_rekey_limit_size +-populate var_rekey_limit_time ++{{{ bash_instantiate_variables("var_rekey_limit_size", "var_rekey_limit_time") }}} + + {{{ bash_sshd_config_set(parameter='RekeyLimit', value="$var_rekey_limit_size $var_rekey_limit_time") }}} + +From d0ac47945e14017e522d523267d3a4bfb5ecdf71 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= +Date: Fri, 22 May 2020 11:49:04 +0200 +Subject: [PATCH 5/5] Improved the OVAL according to the review feedback. 
+ +--- + .../services/ssh/ssh_server/sshd_rekey_limit/oval/shared.xml | 5 ++--- + 1 file changed, 2 insertions(+), 3 deletions(-) + +diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/oval/shared.xml b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/oval/shared.xml +index 57aa090948..47796e5332 100644 +--- a/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/oval/shared.xml ++++ b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/oval/shared.xml +@@ -1,5 +1,4 @@ +-{{% set filepath = "/etc/ssh/sshd_config" %}} +-{{% set parameter = "RekeyLimit" %}} ++{{% set filepath = "/etc/ssh/sshd_config" -%}} + + + +@@ -7,7 +6,7 @@ + + {{{ rule_title }}} + {{{- oval_affected(products) }}} +- Ensure '{{{ RekeyLimit }}}' is configured with the correct value in '{{{ filepath }}}' ++ Ensure 'RekeyLimit' is configured with the correct value in '{{{ filepath }}}' + + + {{{- application_not_required_or_requirement_unset() }}} diff --git a/SOURCES/scap-security-guide-0.1.51-parametrize-ssh-PR5782.patch b/SOURCES/scap-security-guide-0.1.51-parametrize-ssh-PR5782.patch new file mode 100644 index 0000000..2b758fb --- /dev/null +++ b/SOURCES/scap-security-guide-0.1.51-parametrize-ssh-PR5782.patch 
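Review bot: The four test scenarios added under sshd_rekey_limit/tests (bad_size.fail.sh, bad_time.fail.sh, no_line.fail.sh, ok.pass.sh) run `sed -e '/RekeyLimit/d' /etc/ssh/sshd_config` without `-i`, so the filtered text goes to stdout and the file is never changed; no_line.fail.sh therefore removes nothing, and the other three append to a file that may still carry an earlier directive, which sshd resolves by first match. Each should read `sed -i '/RekeyLimit/d' /etc/ssh/sshd_config`; the same pattern recurs in the client tests of the PR5788 patch further down this page. var_rekey_limit_time.var copies the size variable's metadata, so its title `'SSH RekeyLimit - size'` and description `'Specify the size component of the rekey limit.'` should say "time", and the `[0/453]` fragment in `# platform = multi_platform_all [0/453]` in sshd_rekey_limit/ansible/shared.yml looks like a pasted terminal artefact in a header the build parses to decide where the remediation applies, so it is worth removing. A practitioner should also know that the `sshd_default` options render as `RekeyLimit default none`, OpenSSH's own default, which leaves time-based rekeying off; the variable descriptions should say so, because the rule's rationale is that the time-based limit is enabled.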
@@ -0,0 +1,102 @@
+From 279b1d8b585d3521d4910ec8aa69583f9b7031ac Mon Sep 17 00:00:00 2001
+From: Vojtech Polasek
+Date: Mon, 25 May 2020 10:51:24 +0200
+Subject: [PATCH 1/3] change rekey limit to 1G 1h in rhel8 ospp
+
+---
+ .../guide/services/ssh/ssh_server/var_rekey_limit_size.var | 1 +
+ rhel8/profiles/ospp.profile | 2 +-
+ rhel8/profiles/stig.profile | 3 +++
+ 3 files changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/linux_os/guide/services/ssh/ssh_server/var_rekey_limit_size.var b/linux_os/guide/services/ssh/ssh_server/var_rekey_limit_size.var
+index 16dc376508..395a087a68 100644
+--- a/linux_os/guide/services/ssh/ssh_server/var_rekey_limit_size.var
++++ b/linux_os/guide/services/ssh/ssh_server/var_rekey_limit_size.var
+@@ -12,3 +12,4 @@ options:
+ sshd_default: "default"
+ default: "512M"
+ "512M": "512M"
++ "1G": "1G"
+diff --git a/rhel8/profiles/ospp.profile b/rhel8/profiles/ospp.profile
+index a5223a187f..0dca8350f9 100644
+--- a/rhel8/profiles/ospp.profile
++++ b/rhel8/profiles/ospp.profile
+@@ -58,7 +58,7 @@ selections:
+ - sshd_set_keepalive
+ - sshd_enable_warning_banner
+ - sshd_rekey_limit
+- - var_rekey_limit_size=512M
++ - var_rekey_limit_size=1G
+ - var_rekey_limit_time=1hour
+ - sshd_use_strong_rng
+ - openssl_use_strong_entropy
+diff --git a/rhel8/profiles/stig.profile b/rhel8/profiles/stig.profile
+index 2bb81cf9dc..a156857647 100644
+--- a/rhel8/profiles/stig.profile
++++ b/rhel8/profiles/stig.profile
+@@ -44,3 +44,6 @@ selections:
+ - package_rsyslog-gnutls_installed
+ - rsyslog_remote_tls
+ - rsyslog_remote_tls_cacert
++ - sshd_rekey_limit
++ - var_rekey_limit_size=512M
++ - var_rekey_limit_time=1hour
+
+From d8ce7bb5f47665e40b6ec2c47e565bb7c46164a9 Mon Sep 17 00:00:00 2001
+From: Vojtech Polasek
+Date: Mon, 25 May 2020 10:51:54 +0200
+Subject: [PATCH 2/3] update stable ospp profile
+
+---
+ tests/data/profile_stability/rhel8/ospp.profile | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git 
a/tests/data/profile_stability/rhel8/ospp.profile b/tests/data/profile_stability/rhel8/ospp.profile
+index bdda39a903..25f7922bf3 100644
+--- a/tests/data/profile_stability/rhel8/ospp.profile
++++ b/tests/data/profile_stability/rhel8/ospp.profile
+@@ -214,7 +214,7 @@ selections:
+ - timer_dnf-automatic_enabled
+ - usbguard_allow_hid_and_hub
+ - var_sshd_set_keepalive=0
+-- var_rekey_limit_size=512M
++- var_rekey_limit_size=1G
+ - var_rekey_limit_time=1hour
+ - var_accounts_user_umask=027
+ - var_password_pam_difok=4
+
+From 6623ece14b6534164a3b953fd43111cae4a3eeea Mon Sep 17 00:00:00 2001
+From: Vojtech Polasek
+Date: Thu, 28 May 2020 09:30:58 +0200
+Subject: [PATCH 3/3] propagate change also into stig profile
+
+---
+ rhel8/profiles/stig.profile | 3 ---
+ tests/data/profile_stability/rhel8/stig.profile | 2 +-
+ 2 files changed, 1 insertion(+), 4 deletions(-)
+
+diff --git a/rhel8/profiles/stig.profile b/rhel8/profiles/stig.profile
+index a156857647..2bb81cf9dc 100644
+--- a/rhel8/profiles/stig.profile
++++ b/rhel8/profiles/stig.profile
+@@ -44,6 +44,3 @@ selections:
+ - package_rsyslog-gnutls_installed
+ - rsyslog_remote_tls
+ - rsyslog_remote_tls_cacert
+- - sshd_rekey_limit
+- - var_rekey_limit_size=512M
+- - var_rekey_limit_time=1hour
+diff --git a/tests/data/profile_stability/rhel8/stig.profile b/tests/data/profile_stability/rhel8/stig.profile
+index ebef541921..6c4270925f 100644
+--- a/tests/data/profile_stability/rhel8/stig.profile
++++ b/tests/data/profile_stability/rhel8/stig.profile
+@@ -242,7 +242,7 @@ selections:
+ - timer_dnf-automatic_enabled
+ - usbguard_allow_hid_and_hub
+ - var_sshd_set_keepalive=0
+-- var_rekey_limit_size=512M
++- var_rekey_limit_size=1G
+ - var_rekey_limit_time=1hour
+ - var_accounts_user_umask=027
+ - var_password_pam_difok=4
diff --git a/SOURCES/scap-security-guide-0.1.51-parametrize-ssh-PR5788.patch b/SOURCES/scap-security-guide-0.1.51-parametrize-ssh-PR5788.patch
new file mode 100644
index 0000000..8ebfb97
--- /dev/null
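Review bot: The move from `var_rekey_limit_size=512M` to `var_rekey_limit_size=1G` in rhel8/profiles/ospp.profile relaxes the data-volume rekey threshold without recording why, neither in the commit message nor next to the selection. Doubling the traffic protected by one session key is a deliberate loosening relative to the earlier choice, so the requirement that motivates 1G (presumably the one-gigabyte-or-one-hour bound of the OSPP SSH requirement — confirm against the FCS_SSHS_EXT.1 text the rule references) should be stated in a comment above the selection, e.g. `# FCS_SSHS_EXT.1: rekey after at most 1 GB or 1 hour`. PATCH 1/3 adds `sshd_rekey_limit` and both variables to rhel8/profiles/stig.profile and PATCH 3/3 deletes the same three lines again, so the series is a no-op for that file and squashing the two would keep the history honest. The stability data under tests/data/profile_stability updates the size for both ospp and stig, which is consistent only if rhel8/profiles/stig.profile extends ospp; that file's header is not shown here, so the inheritance cannot be confirmed from this page.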
+++ b/SOURCES/scap-security-guide-0.1.51-parametrize-ssh-PR5788.patch 
@@ -0,0 +1,798 @@ +From 604f70aa2d0cce64aed5d699178394523969ba37 Mon Sep 17 00:00:00 2001 +From: Vojtech Polasek +Date: Wed, 27 May 2020 14:34:50 +0200 +Subject: [PATCH 01/11] add rule, variables, check, remediations + +--- + .../ssh_client_rekey_limit/ansible/shared.yml | 8 ++++ + .../ssh_client_rekey_limit/bash/shared.sh | 8 ++++ + .../ssh_client_rekey_limit/oval/shared.xml | 39 +++++++++++++++++++ + .../crypto/ssh_client_rekey_limit/rule.yml | 34 ++++++++++++++++ + .../var_ssh_client_rekey_limit_size.var | 15 +++++++ + .../var_ssh_client_rekey_limit_time.var | 14 +++++++ + shared/references/cce-redhat-avail.txt | 1 - + 7 files changed, 118 insertions(+), 1 deletion(-) + create mode 100644 linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/ansible/shared.yml + create mode 100644 linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/bash/shared.sh + create mode 100644 linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/oval/shared.xml + create mode 100644 linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/rule.yml + create mode 100644 linux_os/guide/system/software/integrity/crypto/var_ssh_client_rekey_limit_size.var + create mode 100644 linux_os/guide/system/software/integrity/crypto/var_ssh_client_rekey_limit_time.var + +diff --git a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/ansible/shared.yml b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/ansible/shared.yml +new file mode 100644 +index 0000000000..6d2bcbbd44 +--- /dev/null ++++ b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/ansible/shared.yml +@@ -0,0 +1,8 @@ ++# platform = multi_platform_all [0/453] ++# reboot = false ++# strategy = configure ++# complexity = low ++# disruption = low ++{{{ ansible_instantiate_variables("var_ssh_client_rekey_limit_size", "var_ssh_client_rekey_limit_time") }}} ++ ++{{{ ansible_lineinfile(msg='Ensure that rekey limit is set 
to {{ var_ssh_client_rekey_limit_size }} {{ var_ssh_client_rekey_limit_time }} in /etc/ssh/ssh_config.d/02-rekey-limit.conf', path='/etc/ssh/ssh_config.d/02-rekey-limit.conf', regex='^\s*RekeyLimit.*$', new_line='RekeyLimit {{ var_ssh_client_rekey_limit_size }} {{ var_ssh_client_rekey_limit_time }}', create='yes', state='present') }}} +diff --git a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/bash/shared.sh b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/bash/shared.sh +new file mode 100644 +index 0000000000..43d0971ffc +--- /dev/null ++++ b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/bash/shared.sh +@@ -0,0 +1,8 @@ ++# platform = multi_platform_all ++ ++# Include source function library. ++. /usr/share/scap-security-guide/remediation_functions ++ ++{{{ bash_instantiate_variables("var_ssh_client_rekey_limit_size", "var_ssh_client_rekey_limit_time") }}} ++ ++{{{ set_config_file(path="/etc/ssh/ssh_config.d/02-rekey-limit.conf", parameter="RekeyLimit", value='$var_ssh_client_rekey_limit_size $var_ssh_client_rekey_limit_time', create=true, insert_before="", insert_after="", insensitive=false, separator=" ", separator_regex="\s\+", prefix_regex="^\s*") }}} +diff --git a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/oval/shared.xml b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/oval/shared.xml +new file mode 100644 +index 0000000000..2412763e3f +--- /dev/null ++++ b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/oval/shared.xml +@@ -0,0 +1,39 @@ ++{{% set filepath = "/etc/ssh/ssh_config.d/02-rekey-limit.conf" -%}} ++ ++ ++ ++ ++ ++ {{{ rule_title }}} ++ {{{- oval_affected(products) }}} ++ Ensure 'RekeyLimit' is configured with the correct value in '{{{ filepath }}}' ++ ++ ++ {{{- oval_line_in_file_criterion(filepath, "RekeyLimit") }}} ++ ++ ++ ++ ++ ++ ++ ++ ++ {{{ filepath }}} ++ ++ 1 ++ ++ ++ ++ ++ 
^[\s]*RekeyLimit[\s]+ ++ ++ [\s]+ ++ ++ [\s]*$ ++ ++ ++ ++ ++ ++ ++ +diff --git a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/rule.yml b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/rule.yml +new file mode 100644 +index 0000000000..a1b85b0ee5 +--- /dev/null ++++ b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/rule.yml +@@ -0,0 +1,34 @@ ++documentation_complete: true ++ ++prodtype: rhel8 ++ ++title: 'Configure session renegotiation for SSH client' ++ ++description: |- ++ The RekeyLimit parameter specifies how often ++ the session key is renegotiated, both in terms of ++ amount of data that may be transmitted and the time ++ elapsed. To decrease the default limits, put line ++ RekeyLimit {{{ sub_var_value("var_ssh_client_rekey_limit_size") }}} {{{ sub_var_value("var_ssh_client_rekey_limit_time") }}} to file /etc/ssh/ssh_config.d/02-rekey-limit.conf. ++ ++rationale: |- ++ By decreasing the limit based on the amount of data and enabling ++ time-based limit, effects of potential attacks against ++ encryption keys are limited. ++ ++severity: medium ++ ++identifiers: ++ cce@rhel8: 82880-6 ++ ++references: ++ ospp: FCS_SSHS_EXT.1 ++ ++ocil_clause: 'it is commented out or is not set' ++ ++ocil: |- ++ To check if RekeyLimit is set correctly, run the ++ following command: ++
$ sudo grep RekeyLimit /etc/ssh/ssh_config.d/02-rekey-limit.conf
++ If configured properly, output should be ++
RekeyLimit {{{ sub_var_value("var_ssh_client_rekey_limit_size") }}} {{{ sub_var_value("var_ssh_client_rekey_limit_time") }}}
+diff --git a/linux_os/guide/system/software/integrity/crypto/var_ssh_client_rekey_limit_size.var b/linux_os/guide/system/software/integrity/crypto/var_ssh_client_rekey_limit_size.var +new file mode 100644 +index 0000000000..bcf051fd97 +--- /dev/null ++++ b/linux_os/guide/system/software/integrity/crypto/var_ssh_client_rekey_limit_size.var +@@ -0,0 +1,15 @@ ++documentation_complete: true ++ ++title: 'SSH client RekeyLimit - size' ++ ++description: 'Specify the size component of the rekey limit.' ++ ++type: string ++ ++operator: equals ++ ++options: ++ ssh_client_default: "default" ++ default: "512M" ++ "512M": "512M" ++ "1G": "1G" +diff --git a/linux_os/guide/system/software/integrity/crypto/var_ssh_client_rekey_limit_time.var b/linux_os/guide/system/software/integrity/crypto/var_ssh_client_rekey_limit_time.var +new file mode 100644 +index 0000000000..31c76f9ab5 +--- /dev/null ++++ b/linux_os/guide/system/software/integrity/crypto/var_ssh_client_rekey_limit_time.var +@@ -0,0 +1,14 @@ ++documentation_complete: true ++ ++title: 'SSH client RekeyLimit - size' ++ ++description: 'Specify the size component of the rekey limit.' 
++ ++type: string ++ ++operator: equals ++ ++options: ++ ssh_client_default: "none" ++ default: "1h" ++ "1hour": "1h" +diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt +index 45d03a2c1d..e060d2fb1c 100644 +--- a/shared/references/cce-redhat-avail.txt ++++ b/shared/references/cce-redhat-avail.txt +@@ -1,4 +1,3 @@ +-CCE-82880-6 + CCE-82882-2 + CCE-82883-0 + CCE-82888-9 + +From a0d54462b9a1e65de3598d7fc262f61a8e3a06ea Mon Sep 17 00:00:00 2001 +From: Vojtech Polasek +Date: Wed, 27 May 2020 14:35:24 +0200 +Subject: [PATCH 02/11] add tests + +--- + .../crypto/ssh_client_rekey_limit/tests/bad_size.fail.sh | 4 ++++ + .../crypto/ssh_client_rekey_limit/tests/bad_time.fail.sh | 4 ++++ + .../crypto/ssh_client_rekey_limit/tests/no_line.fail.sh | 3 +++ + .../integrity/crypto/ssh_client_rekey_limit/tests/ok.pass.sh | 4 ++++ + 4 files changed, 15 insertions(+) + create mode 100644 linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_size.fail.sh + create mode 100644 linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_time.fail.sh + create mode 100644 linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/no_line.fail.sh + create mode 100644 linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/ok.pass.sh + +diff --git a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_size.fail.sh b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_size.fail.sh +new file mode 100644 +index 0000000000..2ac0bbf350 +--- /dev/null ++++ b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_size.fail.sh +@@ -0,0 +1,4 @@ ++# platform = multi_platform_all ++ ++sed -e '/RekeyLimit/d' /etc/ssh/sshd_config ++echo "RekeyLimit 812M 1h" >> /etc/ssh/sshd_config +diff --git a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_time.fail.sh 
b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_time.fail.sh +new file mode 100644 +index 0000000000..fec859fe05 +--- /dev/null ++++ b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_time.fail.sh +@@ -0,0 +1,4 @@ ++# platform = multi_platform_all ++ ++sed -e '/RekeyLimit/d' /etc/ssh/sshd_config ++echo "RekeyLimit 512M 2h" >> /etc/ssh/sshd_config +diff --git a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/no_line.fail.sh b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/no_line.fail.sh +new file mode 100644 +index 0000000000..a6cd10163f +--- /dev/null ++++ b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/no_line.fail.sh +@@ -0,0 +1,3 @@ ++# platform = multi_platform_all ++ ++sed -e '/RekeyLimit/d' /etc/ssh/sshd_config +diff --git a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/ok.pass.sh b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/ok.pass.sh +new file mode 100644 +index 0000000000..a6a2ba7adf +--- /dev/null ++++ b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/ok.pass.sh +@@ -0,0 +1,4 @@ ++# platform = multi_platform_all ++ ++sed -e '/RekeyLimit/d' /etc/ssh/sshd_config ++echo "RekeyLimit 512M 1h" >> /etc/ssh/sshd_config + +From 6ce9e9d55eab07f1c2a3a8d0b28f104d0b5992da Mon Sep 17 00:00:00 2001 +From: Vojtech Polasek +Date: Wed, 27 May 2020 14:35:43 +0200 +Subject: [PATCH 03/11] add rule to rhel8 ospp, update stable profiles + +--- + rhel8/profiles/ospp.profile | 5 +++++ + tests/data/profile_stability/rhel8/ospp.profile | 3 +++ + tests/data/profile_stability/rhel8/stig.profile | 3 +++ + 3 files changed, 11 insertions(+) + +diff --git a/rhel8/profiles/ospp.profile b/rhel8/profiles/ospp.profile +index 0dca8350f9..07d32b814d 100644 +--- a/rhel8/profiles/ospp.profile ++++ b/rhel8/profiles/ospp.profile +@@ -410,3 +410,8 @@ 
selections: + + # Prevent Kerberos use by system daemons + - kerberos_disable_no_keytab ++ ++ # set ssh client rekey limit ++ - ssh_client_rekey_limit ++ - var_ssh_client_rekey_limit_size=1G ++ - var_ssh_client_rekey_limit_time=1hour +diff --git a/tests/data/profile_stability/rhel8/ospp.profile b/tests/data/profile_stability/rhel8/ospp.profile +index 25f7922bf3..b0d7672c36 100644 +--- a/tests/data/profile_stability/rhel8/ospp.profile ++++ b/tests/data/profile_stability/rhel8/ospp.profile +@@ -240,4 +240,7 @@ selections: + - grub2_vsyscall_argument.severity=info + - sysctl_user_max_user_namespaces.role=unscored + - sysctl_user_max_user_namespaces.severity=info ++- ssh_client_rekey_limit ++- var_ssh_client_rekey_limit_size=1G ++- var_ssh_client_rekey_limit_time=1hour + title: Protection Profile for General Purpose Operating Systems +diff --git a/tests/data/profile_stability/rhel8/stig.profile b/tests/data/profile_stability/rhel8/stig.profile +index 6c4270925f..330ecc7e1e 100644 +--- a/tests/data/profile_stability/rhel8/stig.profile ++++ b/tests/data/profile_stability/rhel8/stig.profile +@@ -269,4 +269,7 @@ selections: + - grub2_vsyscall_argument.severity=info + - sysctl_user_max_user_namespaces.role=unscored + - sysctl_user_max_user_namespaces.severity=info ++- ssh_client_rekey_limit ++- var_ssh_client_rekey_limit_size=1G ++- var_ssh_client_rekey_limit_time=1hour + title: '[DRAFT] DISA STIG for Red Hat Enterprise Linux 8' + +From 763a79e337eecb24c640d1ac189edf02d20e53ad Mon Sep 17 00:00:00 2001 +From: Vojtech Polasek +Date: Thu, 28 May 2020 14:25:41 +0200 +Subject: [PATCH 04/11] improve description of variables + +--- + .../crypto/var_ssh_client_rekey_limit_size.var | 10 ++++++++-- + .../crypto/var_ssh_client_rekey_limit_time.var | 12 +++++++++--- + 2 files changed, 17 insertions(+), 5 deletions(-) + +diff --git a/linux_os/guide/system/software/integrity/crypto/var_ssh_client_rekey_limit_size.var 
b/linux_os/guide/system/software/integrity/crypto/var_ssh_client_rekey_limit_size.var +index bcf051fd97..4e20104cba 100644 +--- a/linux_os/guide/system/software/integrity/crypto/var_ssh_client_rekey_limit_size.var ++++ b/linux_os/guide/system/software/integrity/crypto/var_ssh_client_rekey_limit_size.var +@@ -2,14 +2,20 @@ documentation_complete: true + + title: 'SSH client RekeyLimit - size' + +-description: 'Specify the size component of the rekey limit.' ++description: |- ++ Specify the size component of the rekey limit. This limit signifies amount ++ of data. After this amount of data is transferred through the connection, ++ the session key is renegotiated. The number is followed by K, M or G for ++ kilobytes, megabytes or gigabytes. Note that the RekeyLimit can be also ++ configured according to ellabsed time. ++ ++interactive: true + + type: string + + operator: equals + + options: +- ssh_client_default: "default" + default: "512M" + "512M": "512M" + "1G": "1G" +diff --git a/linux_os/guide/system/software/integrity/crypto/var_ssh_client_rekey_limit_time.var b/linux_os/guide/system/software/integrity/crypto/var_ssh_client_rekey_limit_time.var +index 31c76f9ab5..6143a5448c 100644 +--- a/linux_os/guide/system/software/integrity/crypto/var_ssh_client_rekey_limit_time.var ++++ b/linux_os/guide/system/software/integrity/crypto/var_ssh_client_rekey_limit_time.var +@@ -1,14 +1,20 @@ + documentation_complete: true + +-title: 'SSH client RekeyLimit - size' ++title: 'SSH client RekeyLimit - time' + +-description: 'Specify the size component of the rekey limit.' ++description: |- ++ Specify the time component of the rekey limit. This limit signifies amount ++ of data. The session key is renegotiated after the defined amount of time ++ passes. The number is followed by units such as H or M for hours or minutes. ++ Note that the RekeyLimit can be also configured according to amount of ++ transfered data. 
++ ++interactive: true + + type: string + + operator: equals + + options: +- ssh_client_default: "none" + default: "1h" + "1hour": "1h" + +From 0800fcaff037a1b012b75e59d6771f5e7763e1de Mon Sep 17 00:00:00 2001 +From: Vojtech Polasek +Date: Thu, 28 May 2020 14:26:12 +0200 +Subject: [PATCH 05/11] fix tests and ansible + +--- + .../crypto/ssh_client_rekey_limit/ansible/shared.yml | 2 +- + .../crypto/ssh_client_rekey_limit/tests/bad_size.fail.sh | 4 ++-- + .../crypto/ssh_client_rekey_limit/tests/bad_time.fail.sh | 4 ++-- + .../crypto/ssh_client_rekey_limit/tests/no_line.fail.sh | 2 +- + .../integrity/crypto/ssh_client_rekey_limit/tests/ok.pass.sh | 5 +++-- + 5 files changed, 9 insertions(+), 8 deletions(-) + +diff --git a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/ansible/shared.yml b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/ansible/shared.yml +index 6d2bcbbd44..bb6544a0a0 100644 +--- a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/ansible/shared.yml ++++ b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/ansible/shared.yml +@@ -1,4 +1,4 @@ +-# platform = multi_platform_all [0/453] ++# platform = multi_platform_all + # reboot = false + # strategy = configure + # complexity = low +diff --git a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_size.fail.sh b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_size.fail.sh +index 2ac0bbf350..22c465b08f 100644 +--- a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_size.fail.sh ++++ b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_size.fail.sh +@@ -1,4 +1,4 @@ + # platform = multi_platform_all + +-sed -e '/RekeyLimit/d' /etc/ssh/sshd_config +-echo "RekeyLimit 812M 1h" >> /etc/ssh/sshd_config ++ ++echo "RekeyLimit 812M 1h" >> /etc/ssh/ssh_config.d/02-rekey-limit.conf +diff --git 
a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_time.fail.sh b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_time.fail.sh +index fec859fe05..0dc621b1da 100644 +--- a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_time.fail.sh ++++ b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_time.fail.sh +@@ -1,4 +1,4 @@ + # platform = multi_platform_all + +-sed -e '/RekeyLimit/d' /etc/ssh/sshd_config +-echo "RekeyLimit 512M 2h" >> /etc/ssh/sshd_config ++ ++echo "RekeyLimit 512M 2h" >> /etc/ssh/ssh_config.d/02-rekey-limit.conf +diff --git a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/no_line.fail.sh b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/no_line.fail.sh +index a6cd10163f..f6abf711da 100644 +--- a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/no_line.fail.sh ++++ b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/no_line.fail.sh +@@ -1,3 +1,3 @@ + # platform = multi_platform_all + +-sed -e '/RekeyLimit/d' /etc/ssh/sshd_config ++echo "some line" > /etc/ssh/ssh_config.d/02-rekey-limit.conf +diff --git a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/ok.pass.sh b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/ok.pass.sh +index a6a2ba7adf..e64e4191bc 100644 +--- a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/ok.pass.sh ++++ b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/ok.pass.sh +@@ -1,4 +1,5 @@ + # platform = multi_platform_all + +-sed -e '/RekeyLimit/d' /etc/ssh/sshd_config +-echo "RekeyLimit 512M 1h" >> /etc/ssh/sshd_config ++ ++rm -f /etc/ssh/ssh_config.d/02-rekey-limit.conf ++echo "RekeyLimit 1G 1h" >> /etc/ssh/ssh_config.d/02-rekey-limit.conf + +From 
9451e6d91c9975a3e9ecd4c627cbb0f9afce4c92 Mon Sep 17 00:00:00 2001 +From: Vojtech Polasek +Date: Mon, 1 Jun 2020 14:29:47 +0200 +Subject: [PATCH 06/11] fix test to use default value, remove rule from stig + +--- + .../integrity/crypto/ssh_client_rekey_limit/tests/ok.pass.sh | 2 +- + rhel8/profiles/stig.profile | 1 + + tests/data/profile_stability/rhel8/stig.profile | 1 - + 3 files changed, 2 insertions(+), 2 deletions(-) + +diff --git a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/ok.pass.sh b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/ok.pass.sh +index e64e4191bc..89d7069687 100644 +--- a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/ok.pass.sh ++++ b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/ok.pass.sh +@@ -2,4 +2,4 @@ + + + rm -f /etc/ssh/ssh_config.d/02-rekey-limit.conf +-echo "RekeyLimit 1G 1h" >> /etc/ssh/ssh_config.d/02-rekey-limit.conf ++echo "RekeyLimit 512M 1h" >> /etc/ssh/ssh_config.d/02-rekey-limit.conf +diff --git a/rhel8/profiles/stig.profile b/rhel8/profiles/stig.profile +index 2bb81cf9dc..8f12852e26 100644 +--- a/rhel8/profiles/stig.profile ++++ b/rhel8/profiles/stig.profile +@@ -44,3 +44,4 @@ selections: + - package_rsyslog-gnutls_installed + - rsyslog_remote_tls + - rsyslog_remote_tls_cacert ++ - "!ssh_client_rekey_limit" +diff --git a/tests/data/profile_stability/rhel8/stig.profile b/tests/data/profile_stability/rhel8/stig.profile +index 330ecc7e1e..9b164eb5c2 100644 +--- a/tests/data/profile_stability/rhel8/stig.profile ++++ b/tests/data/profile_stability/rhel8/stig.profile +@@ -269,7 +269,6 @@ selections: + - grub2_vsyscall_argument.severity=info + - sysctl_user_max_user_namespaces.role=unscored + - sysctl_user_max_user_namespaces.severity=info +-- ssh_client_rekey_limit + - var_ssh_client_rekey_limit_size=1G + - var_ssh_client_rekey_limit_time=1hour + title: '[DRAFT] DISA STIG for Red Hat Enterprise Linux 8' + 
+From bd47b1145f17c97de719c887db6146d5e7b59616 Mon Sep 17 00:00:00 2001 +From: Vojtech Polasek +Date: Wed, 3 Jun 2020 12:38:19 +0200 +Subject: [PATCH 07/11] rewrite oval to check for multiple locations + +--- + .../ssh_client_rekey_limit/oval/shared.xml | 42 ++++++++++++------- + 1 file changed, 26 insertions(+), 16 deletions(-) + +diff --git a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/oval/shared.xml b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/oval/shared.xml +index 2412763e3f..41fa0497ae 100644 +--- a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/oval/shared.xml ++++ b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/oval/shared.xml +@@ -1,28 +1,17 @@ +-{{% set filepath = "/etc/ssh/ssh_config.d/02-rekey-limit.conf" -%}} +- + + + + + {{{ rule_title }}} + {{{- oval_affected(products) }}} +- Ensure 'RekeyLimit' is configured with the correct value in '{{{ filepath }}}' ++ Ensure 'RekeyLimit' is configured with the correct value in /etc/ssh/ssh_config and /etc/ssh/ssh_config.d/*.conf + +- +- {{{- oval_line_in_file_criterion(filepath, "RekeyLimit") }}} ++ ++ ++ + + + +- +- +- +- +- +- {{{ filepath }}} +- +- 1 +- +- + + + ^[\s]*RekeyLimit[\s]+ +@@ -35,5 +24,26 @@ + + + +- + ++ ++ ++ ++ ++ ++ ++ /etc/ssh/ssh_config ++ ^[\s]*RekeyLimit.*$ ++ 1 ++ ++ ++ ++ ++ ++ ++ ++ ^/etc/ssh/ssh_config\.d/.*\.conf$ ++ ++ 1 ++ ++ ++
+ +From c090301ab1cf43a83994b654ccb2ab0b967d05b4 Mon Sep 17 00:00:00 2001 +From: Vojtech Polasek +Date: Thu, 4 Jun 2020 08:24:54 +0200 +Subject: [PATCH 08/11] reqrite remediations + +--- + .../ssh_client_rekey_limit/ansible/shared.yml | 16 ++++++++++++++++ + .../crypto/ssh_client_rekey_limit/bash/shared.sh | 13 +++++++++++++ + 2 files changed, 29 insertions(+) + +diff --git a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/ansible/shared.yml b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/ansible/shared.yml +index bb6544a0a0..36de503806 100644 +--- a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/ansible/shared.yml ++++ b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/ansible/shared.yml +@@ -5,4 +5,20 @@ + # disruption = low + {{{ ansible_instantiate_variables("var_ssh_client_rekey_limit_size", "var_ssh_client_rekey_limit_time") }}} + ++{{{ ansible_lineinfile(msg='Ensure RekeyLimit is not configured in /etc/ssh/ssh_config', path='/etc/ssh/ssh_config', regex='^\s*RekeyLimit.*$', create='no', state='absent') }}} ++ ++- name: Collect all include config files for ssh client which configure RekeyLimit ++ find: ++ paths: "/etc/ssh/ssh_config.d/" ++ contains: '^[\s]*RekeyLimit.*$' ++ patterns: "*.config" ++ register: ssh_config_include_files ++ ++- name: Remove all occurences of RekeyLimit configuration from include config files of ssh client ++ lineinfile: ++ path: "{{ item }}" ++ regexp: '^[\s]*RekeyLimit.*$' ++ state: "absent" ++ loop: "{{ ssh_config_include_files.files }}" ++ + {{{ ansible_lineinfile(msg='Ensure that rekey limit is set to {{ var_ssh_client_rekey_limit_size }} {{ var_ssh_client_rekey_limit_time }} in /etc/ssh/ssh_config.d/02-rekey-limit.conf', path='/etc/ssh/ssh_config.d/02-rekey-limit.conf', regex='^\s*RekeyLimit.*$', new_line='RekeyLimit {{ var_ssh_client_rekey_limit_size }} {{ var_ssh_client_rekey_limit_time }}', create='yes', state='present') }}} +diff 
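Review bot: The include-file cleanup in the `@@ -5,4 +5,20 @@` hunk of ansible/shared.yml cannot take effect as written: the `find` task searches with `patterns: "*.config"`, while the OVAL check and the bash remediation in the same series operate on `*.conf` drop-ins, so RekeyLimit lines in real include files are never collected. The follow-up `lineinfile` then uses `path: "{{ item }}"`, but `find` registers a list of dicts, so the file path is `{{ item.path }}`; as written the task would receive a dict, not a path. The net effect is that a conflicting RekeyLimit in an earlier-sorted drop-in survives remediation and the rule keeps failing after the playbook runs. The two one-line changes are `patterns: "*.conf"` and `path: "{{ item.path }}"`.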
--git a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/bash/shared.sh b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/bash/shared.sh +index 43d0971ffc..99f6f63c92 100644 +--- a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/bash/shared.sh ++++ b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/bash/shared.sh +@@ -5,4 +5,17 @@ + + {{{ bash_instantiate_variables("var_ssh_client_rekey_limit_size", "var_ssh_client_rekey_limit_time") }}} + ++main_config="/etc/ssh/ssh_config" ++include_directory="/etc/ssh/ssh_config.d" ++ ++if grep -q '^[\s]*RekeyLimit.*$' "$main_config"; then ++ sed -i '/^[\s]*RekeyLimit.*/d' "$main_config" ++fi ++ ++for file in "$include_directory"/*.conf; do ++ if grep -q '^[\s]*RekeyLimit.*$' "$file"; then ++ sed -i '/^[\s]*RekeyLimit.*/d' "$file" ++ fi ++done ++ + {{{ set_config_file(path="/etc/ssh/ssh_config.d/02-rekey-limit.conf", parameter="RekeyLimit", value='$var_ssh_client_rekey_limit_size $var_ssh_client_rekey_limit_time', create=true, insert_before="", insert_after="", insensitive=false, separator=" ", separator_regex="\s\+", prefix_regex="^\s*") }}} + +From 22b8cb067cfc9d6d48065233973d1dba223ef5a4 Mon Sep 17 00:00:00 2001 +From: Vojtech Polasek +Date: Thu, 4 Jun 2020 08:25:14 +0200 +Subject: [PATCH 09/11] add more tests + +--- + .../tests/bad_main_config_good_include_config.fail.sh | 4 ++++ + .../ssh_client_rekey_limit/tests/line_in_main_config.fail.sh | 4 ++++ + .../tests/ok_different_config_file.pass.sh | 3 +++ + 3 files changed, 11 insertions(+) + create mode 100644 linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_main_config_good_include_config.fail.sh + create mode 100644 linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/line_in_main_config.fail.sh + create mode 100644 linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/ok_different_config_file.pass.sh + +diff 
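Review bot: `[\s]` inside a bracket expression does not mean whitespace for grep or sed — in POSIX/GNU bracket expressions the backslash is literal, so `^[\s]*RekeyLimit` matches only a line that starts at column 0 (or after `\`/`s` characters), and an indented `RekeyLimit` such as one placed under a `Host *` block in /etc/ssh/ssh_config or a drop-in is left in place by this remediation. The OVAL check in the previous patch uses the same `^[\s]*RekeyLimit.*$` text under a regex dialect where `\s` is whitespace, so the scanner flags the line that the fix does not remove. Use `grep -q '^[[:space:]]*RekeyLimit' "$file"` and `sed -i '/^[[:space:]]*RekeyLimit/d' "$file"` for both the main file and the loop (four lines); the `grep -q` guard is then optional, since `sed -i` with no match is a no-op. The `for file in "$include_directory"/*.conf` loop also iterates once over the literal pattern when the directory holds no .conf files, which `shopt -s nullglob` or a `[ -f "$file" ] || continue` guard avoids.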
--git a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_main_config_good_include_config.fail.sh b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_main_config_good_include_config.fail.sh +new file mode 100644 +index 0000000000..90314712af +--- /dev/null ++++ b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_main_config_good_include_config.fail.sh +@@ -0,0 +1,4 @@ ++#!/bin/basdh ++ ++echo "RekeyLimit 2G 1h" >> /etc/ssh/ssh_config ++echo "RekeyLimit 512M 1h" >> /etc/ssh/ssh_config.d/02-rekey-limit.conf +diff --git a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/line_in_main_config.fail.sh b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/line_in_main_config.fail.sh +new file mode 100644 +index 0000000000..9ba20b0290 +--- /dev/null ++++ b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/line_in_main_config.fail.sh +@@ -0,0 +1,4 @@ ++#!/bin/bash ++ ++rm -rf /etc/ssh/ssh_config.d/* ++echo "RekeyLimit 512M 1h" >> /etc/ssh/ssh_config +diff --git a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/ok_different_config_file.pass.sh b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/ok_different_config_file.pass.sh +new file mode 100644 +index 0000000000..f725f6936f +--- /dev/null ++++ b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/ok_different_config_file.pass.sh +@@ -0,0 +1,3 @@ ++#!/bin/bash ++ ++echo "RekeyLimit 512M 1h" >> /etc/ssh/ssh_config.d/05-some-file.conf + +From 78904a0cc4461cc26786289095fd76e8ce15843e Mon Sep 17 00:00:00 2001 +From: Vojtech Polasek +Date: Thu, 4 Jun 2020 08:25:29 +0200 +Subject: [PATCH 10/11] extend description and ocil + +--- + .../crypto/ssh_client_rekey_limit/rule.yml | 19 ++++++++++++++----- + 1 file changed, 14 insertions(+), 5 deletions(-) + +diff --git 
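Review bot: `rm -rf /etc/ssh/ssh_config.d/*` in line_in_main_config.fail.sh deletes every client drop-in on the test machine, not only the rule's own file, which can remove distribution-shipped configuration that other rules or later test scenarios rely on; `rm -f /etc/ssh/ssh_config.d/02-rekey-limit.conf`, as ok.pass.sh in an earlier patch of this series does, is enough to set up the scenario. The three new scripts also omit the `# platform = multi_platform_all` header that the sibling test scripts carry; if the harness defaults to that platform, a short comment saying so would make the omission deliberate rather than an inconsistency.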
a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/rule.yml b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/rule.yml +index a1b85b0ee5..76f5f84090 100644 +--- a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/rule.yml ++++ b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/rule.yml +@@ -10,6 +10,12 @@ description: |- + amount of data that may be transmitted and the time + elapsed. To decrease the default limits, put line + RekeyLimit {{{ sub_var_value("var_ssh_client_rekey_limit_size") }}} {{{ sub_var_value("var_ssh_client_rekey_limit_time") }}} to file /etc/ssh/ssh_config.d/02-rekey-limit.conf. ++ Make sure that there is no other RekeyLimit configuration preceding ++ the include directive in the main config file ++ /etc/ssh/ssh_config. Check also other files in ++ /etc/ssh/ssh_config.d directory. Files are processed according to ++ their names. Make sure that there is no file processed before ++ 02-rekey-limit.conf containing definition of RekeyLimit. + + rationale: |- + By decreasing the limit based on the amount of data and enabling +@@ -27,8 +33,11 @@ references: + ocil_clause: 'it is commented out or is not set' + + ocil: |- +- To check if RekeyLimit is set correctly, run the +- following command: +-
$ sudo grep RekeyLimit /etc/ssh/ssh_config.d/02-rekey-limit.conf
+- If configured properly, output should be +-
RekeyLimit {{{ sub_var_value("var_ssh_client_rekey_limit_size") }}} {{{ sub_var_value("var_ssh_client_rekey_limit_time") }}}
++ To check if RekeyLimit is set correctly, run the following command:
$
++    sudo grep RekeyLimit /etc/ssh/ssh_config.d/*.conf
If configured ++ properly, output should be
/etc/ssh/ssh_config.d/02-rekey-limit.conf:
++    RekeyLimit {{{ sub_var_value("var_ssh_client_rekey_limit_size") }}} {{{
++    sub_var_value("var_ssh_client_rekey_limit_time") }}}
Check also the ++ main configuration file with the following command:
sudo grep
++    RekeyLimit /etc/ssh/ssh_config
The command should not return any ++ output. + +From 854d5c9d1e1a44e97fe59aeaace687adcff620d5 Mon Sep 17 00:00:00 2001 +From: Vojtech Polasek +Date: Mon, 8 Jun 2020 11:44:44 +0200 +Subject: [PATCH 11/11] fix typos and wording + +--- + .../integrity/crypto/ssh_client_rekey_limit/rule.yml | 5 +++-- + .../tests/bad_main_config_good_include_config.fail.sh | 2 +- + .../crypto/ssh_client_rekey_limit/tests/bad_size.fail.sh | 1 + + .../crypto/ssh_client_rekey_limit/tests/bad_time.fail.sh | 1 + + .../crypto/ssh_client_rekey_limit/tests/no_line.fail.sh | 1 + + .../crypto/ssh_client_rekey_limit/tests/ok.pass.sh | 1 + + .../integrity/crypto/var_ssh_client_rekey_limit_size.var | 2 +- + .../integrity/crypto/var_ssh_client_rekey_limit_time.var | 9 ++++----- + 8 files changed, 13 insertions(+), 9 deletions(-) + +diff --git a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/rule.yml b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/rule.yml +index 76f5f84090..b054d9d221 100644 +--- a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/rule.yml ++++ b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/rule.yml +@@ -14,8 +14,9 @@ description: |- + the include directive in the main config file + /etc/ssh/ssh_config. Check also other files in + /etc/ssh/ssh_config.d directory. Files are processed according to +- their names. Make sure that there is no file processed before +- 02-rekey-limit.conf containing definition of RekeyLimit. ++ lexicographical order of file names. Make sure that there is no file ++ processed before 02-rekey-limit.conf containing definition of ++ RekeyLimit. 
+ + rationale: |- + By decreasing the limit based on the amount of data and enabling +diff --git a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_main_config_good_include_config.fail.sh b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_main_config_good_include_config.fail.sh +index 90314712af..58befb0107 100644 +--- a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_main_config_good_include_config.fail.sh ++++ b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_main_config_good_include_config.fail.sh +@@ -1,4 +1,4 @@ +-#!/bin/basdh ++#!/bin/bash + + echo "RekeyLimit 2G 1h" >> /etc/ssh/ssh_config + echo "RekeyLimit 512M 1h" >> /etc/ssh/ssh_config.d/02-rekey-limit.conf +diff --git a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_size.fail.sh b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_size.fail.sh +index 22c465b08f..1803c26629 100644 +--- a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_size.fail.sh ++++ b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_size.fail.sh +@@ -1,3 +1,4 @@ ++#!/bin/bash + # platform = multi_platform_all + + +diff --git a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_time.fail.sh b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_time.fail.sh +index 0dc621b1da..2c9e839255 100644 +--- a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_time.fail.sh ++++ b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_time.fail.sh +@@ -1,3 +1,4 @@ ++#!/bin/bash + # platform = multi_platform_all + + +diff --git a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/no_line.fail.sh 
b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/no_line.fail.sh +index f6abf711da..7de108eafd 100644 +--- a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/no_line.fail.sh ++++ b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/no_line.fail.sh +@@ -1,3 +1,4 @@ ++#!/bin/bash + # platform = multi_platform_all + + echo "some line" > /etc/ssh/ssh_config.d/02-rekey-limit.conf +diff --git a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/ok.pass.sh b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/ok.pass.sh +index 89d7069687..4c047ed179 100644 +--- a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/ok.pass.sh ++++ b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/ok.pass.sh +@@ -1,3 +1,4 @@ ++#!/bin/bash + # platform = multi_platform_all + + +diff --git a/linux_os/guide/system/software/integrity/crypto/var_ssh_client_rekey_limit_size.var b/linux_os/guide/system/software/integrity/crypto/var_ssh_client_rekey_limit_size.var +index 4e20104cba..c8dd8ef10e 100644 +--- a/linux_os/guide/system/software/integrity/crypto/var_ssh_client_rekey_limit_size.var ++++ b/linux_os/guide/system/software/integrity/crypto/var_ssh_client_rekey_limit_size.var +@@ -7,7 +7,7 @@ description: |- + of data. After this amount of data is transferred through the connection, + the session key is renegotiated. The number is followed by K, M or G for + kilobytes, megabytes or gigabytes. Note that the RekeyLimit can be also +- configured according to ellabsed time. ++ configured according to elapsed time. 
+ + interactive: true + +diff --git a/linux_os/guide/system/software/integrity/crypto/var_ssh_client_rekey_limit_time.var b/linux_os/guide/system/software/integrity/crypto/var_ssh_client_rekey_limit_time.var +index 6143a5448c..6223e8e38f 100644 +--- a/linux_os/guide/system/software/integrity/crypto/var_ssh_client_rekey_limit_time.var ++++ b/linux_os/guide/system/software/integrity/crypto/var_ssh_client_rekey_limit_time.var +@@ -3,11 +3,10 @@ documentation_complete: true + title: 'SSH client RekeyLimit - time' + + description: |- +- Specify the time component of the rekey limit. This limit signifies amount +- of data. The session key is renegotiated after the defined amount of time +- passes. The number is followed by units such as H or M for hours or minutes. +- Note that the RekeyLimit can be also configured according to amount of +- transfered data. ++ Specify the time component of the rekey limit. The session key is ++ renegotiated after the defined amount of time passes. The number is followed ++ by units such as H or M for hours or minutes. Note that the RekeyLimit can ++ be also configured according to amount of transfered data. + + interactive: true + diff --git a/SOURCES/scap-security-guide-0.1.52-fix_hipaa_description.patch b/SOURCES/scap-security-guide-0.1.52-fix_hipaa_description.patch new file mode 100644 index 0000000..801edff --- /dev/null +++ b/SOURCES/scap-security-guide-0.1.52-fix_hipaa_description.patch 
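Review bot: The rewritten description in the `@@ -3,11 +3,10 @@` hunk of var_ssh_client_rekey_limit_time.var still carries the typo `transfered` in its last line, which a commit titled "fix typos and wording" should catch. The closing sentence reads more naturally as `Note that the RekeyLimit can also be configured according to the amount of transferred data.`; the `interactive: true` and option lines below are unchanged context.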
@@ -0,0 +1,43 @@ +From 5a5b3bdead44bd24fb138bd7b9785d4e0809ff4b Mon Sep 17 00:00:00 2001 +From: Vojtech Polasek +Date: Tue, 28 Jul 2020 13:22:58 +0200 +Subject: [PATCH 1/2] update wording for rhel7 profile + +--- + rhel7/profiles/hipaa.profile | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/rhel7/profiles/hipaa.profile b/rhel7/profiles/hipaa.profile +index 4310561323..000441de52 100644 +--- a/rhel7/profiles/hipaa.profile ++++ b/rhel7/profiles/hipaa.profile +@@ -12,6 +12,7 @@ description: |- + + This profile configures Red Hat Enterprise Linux 7 to the HIPAA Security + Rule identified for securing of electronic protected health information. ++ Use of this profile in no way guarantees or makes claims against legal compliance against the HIPAA Security Rule(s). + + selections: + - grub2_password + +From 0c5cc87c4f8aaed8eb199b77440ae0dc64658e4a Mon Sep 17 00:00:00 2001 +From: Vojtech Polasek +Date: Tue, 28 Jul 2020 13:23:18 +0200 +Subject: [PATCH 2/2] update wording for rhel8 profile + +--- + rhel8/profiles/hipaa.profile | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/rhel8/profiles/hipaa.profile b/rhel8/profiles/hipaa.profile +index 8d20f9019c..0cb7fbed1f 100644 +--- a/rhel8/profiles/hipaa.profile ++++ b/rhel8/profiles/hipaa.profile +@@ -12,6 +12,7 @@ description: |- + + This profile configures Red Hat Enterprise Linux 8 to the HIPAA Security + Rule identified for securing of electronic protected health information. ++ Use of this profile in no way guarantees or makes claims against legal compliance against the HIPAA Security Rule(s). + + selections: + - grub2_password diff --git a/SOURCES/scap-security-guide-0.1.52-fix_scapval_call_PR_6005.patch b/SOURCES/scap-security-guide-0.1.52-fix_scapval_call_PR_6005.patch new file mode 100644 index 0000000..36b46ee --- /dev/null +++ b/SOURCES/scap-security-guide-0.1.52-fix_scapval_call_PR_6005.patch 
@@ -0,0 +1,52 @@ +From 4c54b1cfb05961bde8248e03d27cabeca967e211 Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Mon, 17 Aug 2020 10:59:15 +0200 +Subject: [PATCH] Remove SCAP-1.3 SCAPVAL workarounds + +These changes to the DS cause SRC-330 to fail in SCAPVAL-1.3.5. +In SCAPVAL-1.3.5 was fixed and these false positive workarounds are not +necessary anymore. +--- + tests/run_scapval.py | 26 -------------------------- + 1 file changed, 26 deletions(-) + +diff --git a/tests/run_scapval.py b/tests/run_scapval.py +index e1dd806ca1..bc2655b9fd 100755 +--- a/tests/run_scapval.py ++++ b/tests/run_scapval.py +@@ -46,35 +46,9 @@ def process_results(result_path): + return ret_val + + +-def workaround_datastream(datastream_path): +- tree = ET.parse(datastream_path) +- root = tree.getroot() +- # group_id and user_id cannot be zero +- # tracked at https://github.com/OVAL-Community/OVAL/issues/23 +- for group_id_element in root.findall(".//{%s}group_id" % oval_unix_ns): +- if group_id_element.text is not None: +- group_id_element.text = "-1" +- for user_id_element in root.findall(".//{%s}user_id" % oval_unix_ns): +- if user_id_element.text is not None: +- user_id_element.text = "-1" +- # OCIL checks for security_patches_up_to_date is causing fail +- # of SRC-377, when requirement is about OVAL checks. 
+- rule_id = "xccdf_org.ssgproject.content_rule_security_patches_up_to_date" +- for rule in root.findall(".//{%s}Rule[@id=\"%s\"]" % (xccdf_ns, rule_id)): +- for check in rule.findall("{%s}check" % xccdf_ns): +- system = check.get("system") +- if system == "http://scap.nist.gov/schema/ocil/2": +- rule.remove(check) +- output_path = datastream_path + ".workaround.xml" +- tree.write(output_path) +- return output_path +- +- + def test_datastream(datastream_path, scapval_path, scap_version): + result_path = datastream_path + ".result.xml" + report_path = datastream_path + ".report.html" +- if scap_version == "1.3": +- datastream_path = workaround_datastream(datastream_path) + scapval_command = [ + "java", + "-Xmx1024m", diff --git a/SOURCES/scap-security-guide-0.1.52-ospp_missing_ssh_PR_6007.patch b/SOURCES/scap-security-guide-0.1.52-ospp_missing_ssh_PR_6007.patch new file mode 100644 index 0000000..88f8237 --- /dev/null +++ b/SOURCES/scap-security-guide-0.1.52-ospp_missing_ssh_PR_6007.patch 
@@ -0,0 +1,48 @@ +From eb3a18cea5776038d0aeef0299083fcd282a0177 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= +Date: Mon, 17 Aug 2020 15:56:40 +0200 +Subject: [PATCH] Add a missing Crypto Policy rule to OSPP. + +The rule fell out by mistake, this addition complements #4682 +--- + rhel8/profiles/ospp.profile | 1 + + tests/data/profile_stability/rhel8/ospp.profile | 1 + + tests/data/profile_stability/rhel8/stig.profile | 5 +++-- + 3 files changed, 5 insertions(+), 2 deletions(-) + +diff --git a/rhel8/profiles/ospp.profile b/rhel8/profiles/ospp.profile +index 5b5b5b711a..a651885eef 100644 +--- a/rhel8/profiles/ospp.profile ++++ b/rhel8/profiles/ospp.profile +@@ -235,6 +235,7 @@ selections: + - enable_fips_mode + - var_system_crypto_policy=fips_ospp + - configure_crypto_policy ++ - configure_ssh_crypto_policy + - configure_bind_crypto_policy + - configure_openssl_crypto_policy + - configure_libreswan_crypto_policy +diff --git a/tests/data/profile_stability/rhel8/ospp.profile b/tests/data/profile_stability/rhel8/ospp.profile +index 5aa3592496..13c4e6b08d 100644 +--- a/tests/data/profile_stability/rhel8/ospp.profile ++++ b/tests/data/profile_stability/rhel8/ospp.profile +@@ -62,6 +62,7 @@ selections: + - configure_kerberos_crypto_policy + - configure_libreswan_crypto_policy + - configure_openssl_crypto_policy ++- configure_ssh_crypto_policy + - configure_tmux_lock_after_time + - configure_tmux_lock_command + - configure_usbguard_auditbackend +diff --git a/tests/data/profile_stability/rhel8/stig.profile b/tests/data/profile_stability/rhel8/stig.profile +index 9b164eb5c2..c7fe02169a 100644 +--- a/tests/data/profile_stability/rhel8/stig.profile ++++ b/tests/data/profile_stability/rhel8/stig.profile +@@ -77,6 +77,7 @@ selections: + - configure_kerberos_crypto_policy + - configure_libreswan_crypto_policy + - configure_openssl_crypto_policy ++- configure_ssh_crypto_policy + - configure_tmux_lock_after_time + - configure_tmux_lock_command + - 
configure_usbguard_auditbackend diff --git a/SOURCES/scap-security-guide-0.1.52-ospp_missing_ssh_srg-PR_6008.patch b/SOURCES/scap-security-guide-0.1.52-ospp_missing_ssh_srg-PR_6008.patch new file mode 100644 index 0000000..c469fe6 --- /dev/null +++ b/SOURCES/scap-security-guide-0.1.52-ospp_missing_ssh_srg-PR_6008.patch @@ -0,0 +1,22 @@ +From 87e62e90df9995de6aca436e9242c0ac4d72e136 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= +Date: Tue, 18 Aug 2020 13:55:12 +0200 +Subject: [PATCH] Added SRG to configure_ssh_crypto_policy + +https://www.stigviewer.com/stig/general_purpose_operating_system_srg/2016-04-25/finding/V-56935 +--- + .../integrity/crypto/configure_ssh_crypto_policy/rule.yml | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/linux_os/guide/system/software/integrity/crypto/configure_ssh_crypto_policy/rule.yml b/linux_os/guide/system/software/integrity/crypto/configure_ssh_crypto_policy/rule.yml +index e2dd99dbb5..51788a3226 100644 +--- a/linux_os/guide/system/software/integrity/crypto/configure_ssh_crypto_policy/rule.yml ++++ b/linux_os/guide/system/software/integrity/crypto/configure_ssh_crypto_policy/rule.yml +@@ -24,6 +24,7 @@ identifiers: + references: + nist: AC-17(a),AC-17(2),CM-6(a),MA-4(6),SC-13 + cis@rhel8: 5.2.20 ++ srg: SRG-OS-000250-GPOS-00093 + + ocil_clause: 'the CRYPTO_POLICY variable is not set or is commented in the /etc/sysconfig/sshd' + diff --git a/SPECS/scap-security-guide.spec b/SPECS/scap-security-guide.spec index d073a0c..7cd18e6 100644 --- a/SPECS/scap-security-guide.spec +++ b/SPECS/scap-security-guide.spec @@ -1,6 +1,6 @@ Name: scap-security-guide Version: 0.1.50 -Release: 8%{?dist} +Release: 10%{?dist} Summary: Security guidance and baselines in SCAP formats Group: Applications/System License: BSD 
@@ -23,6 +23,14 @@ Patch11: scap-security-guide-0.1.51-create_macro_selinux_remediation_PR_5785.pa Patch12: scap-security-guide-0.1.51-fix_rsyslog_rules_PR_5763.patch Patch13: scap-security-guide-0.1.51-openssl_crypto_PR_5885.patch Patch14: scap-security-guide-0.1.52-harden-openssl-crypto-policy_PR_5925.patch +Patch15: scap-security-guide-0.1.52-fix_hipaa_description.patch +Patch16: scap-security-guide-0.1.52-fix_scapval_call_PR_6005.patch +Patch17: scap-security-guide-0.1.52-ospp_missing_ssh_PR_6007.patch +Patch18: scap-security-guide-0.1.52-ospp_missing_ssh_srg-PR_6008.patch +Patch19: scap-security-guide-0.1.51-parametrize-ssh-PR5772.patch +Patch20: scap-security-guide-0.1.51-parametrize-ssh-PR5782.patch +Patch21: scap-security-guide-0.1.51-parametrize-ssh-PR5788.patch + BuildArch: noarch # To get python3 inside the buildroot require its path explicitly in BuildRequires @@ -71,6 +79,13 @@ present in %{name} package. %patch12 -p1 %patch13 -p1 %patch14 -p1 +%patch15 -p1 +%patch16 -p1 +%patch17 -p1 +%patch18 -p1 +%patch19 -p1 +%patch20 -p1 +%patch21 -p1 mkdir build %build @@ -105,6 +120,15 @@ cd build %doc %{_docdir}/%{name}/tables/*.html %changelog +* Mon Aug 17 2020 Matěj Týč - 0.1.50-10 +- Update the scapval invocation (RHBZ#1815007) +- Re-added the SSH Crypto Policy rule to OSPP, and added an SRG to the rule (RHBZ#1815007) +- Change the spec file macro invocation from patch to Patch +- Fix the rekey limit in ssh/sshd rules (RHBZ#1813066) + +* Wed Aug 05 2020 Vojtech Polasek - 0.1.50-9 +- fix description of HIPAA profile (RHBZ#1867559) + * Fri Jul 17 2020 Watson Sato - 0.1.50-8 - Add rule to harden OpenSSL crypto-policy (RHBZ#1852928) - Remove CCM from TLS Ciphersuites