From 973b04979f25b8681652f31e096ad6a32f1cb9e8 Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: Nov 04 2020 00:59:14 +0000 Subject: import scap-security-guide-0.1.50-16.el8_3 --- diff --git a/SOURCES/scap-security-guide-0.1.51-add-zipl-and-grub2-cpes_PR_5905.patch b/SOURCES/scap-security-guide-0.1.51-add-zipl-and-grub2-cpes_PR_5905.patch new file mode 100644 index 0000000..d7fab70 --- /dev/null +++ b/SOURCES/scap-security-guide-0.1.51-add-zipl-and-grub2-cpes_PR_5905.patch 
@@ -0,0 +1,737 @@ +From 3aae2f86f3d75b8bd931922152b9a6175ed18a6b Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Tue, 23 Jun 2020 22:27:47 +0200 +Subject: [PATCH 1/5] Add check for zipl installed + +Based and valid in RHEL, where zipl is part of s390utils-base. +--- + rhel8/cpe/rhel8-cpe-dictionary.xml | 4 ++ + .../oval/installed_env_has_zipl_package.xml | 37 +++++++++++++++++++ + ssg/constants.py | 1 + + 3 files changed, 42 insertions(+) + create mode 100644 shared/checks/oval/installed_env_has_zipl_package.xml + +diff --git a/rhel8/cpe/rhel8-cpe-dictionary.xml b/rhel8/cpe/rhel8-cpe-dictionary.xml +index 694cbb5a4e..cccb3c5791 100644 +--- a/rhel8/cpe/rhel8-cpe-dictionary.xml ++++ b/rhel8/cpe/rhel8-cpe-dictionary.xml +@@ -67,4 +67,8 @@ + + installed_env_has_yum_package + ++ ++ System uses zipl ++ installed_env_has_zipl_package ++ + +diff --git a/shared/checks/oval/installed_env_has_zipl_package.xml b/shared/checks/oval/installed_env_has_zipl_package.xml +new file mode 100644 +index 0000000000..ab6545669d +--- /dev/null ++++ b/shared/checks/oval/installed_env_has_zipl_package.xml +@@ -0,0 +1,37 @@ ++ ++ ++ ++ System uses zIPL ++ ++ multi_platform_all ++ ++ Checks if system uses zIPL bootloader. ++ ++ ++ ++ ++ ++ ++ ++{{% if pkg_system == "rpm" %}} ++ ++ ++ ++ ++ s390utils-base ++ ++{{% elif pkg_system == "dpkg" %}} ++ ++ ++ ++ ++ s390utils-base ++ ++{{% endif %}} ++ ++ +diff --git a/ssg/constants.py b/ssg/constants.py +index fb20fe8107..f03aa87f09 100644 +--- a/ssg/constants.py ++++ b/ssg/constants.py +@@ -506,6 +506,7 @@ + "sssd": "cpe:/a:sssd", + "systemd": "cpe:/a:systemd", + "yum": "cpe:/a:yum", ++ "zipl": "cpe:/a:zipl", + } + + # _version_name_map = { + +From c70bdc89bf193f2fdf59cb8c3f06672fc43a0505 Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Tue, 23 Jun 2020 22:33:07 +0200 +Subject: [PATCH 2/5] Set zipl and machine platforms for zipl content + +Add zipl platform to bootloader-zipl and machine platform to all zipl +rules. 
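Review bot: The dpkg branch of installed_env_has_zipl_package.xml tests for the same package name as the rpm branch, `s390utils-base`, even though the commit message says that name is "based and valid in RHEL"; if Debian-family products ship zipl under a different package (I believe it lives in s390-tools there, to be confirmed) the CPE never matches on them and every rule gated on `platform: zipl` quietly resolves to not-applicable instead of failing. An applicability CPE that is too narrow is a silent way to lose coverage, so either drop the dpkg branch until the Debian name is verified or state the assumption in the check's description, e.g. `Checks if system uses zIPL bootloader (presence of the s390utils-base package; verified for RPM-based products only).` The rhel8 dictionary is the only one that receives the `cpe:/a:zipl` entry in this hunk, which matches the rules' prodtype but should be kept in mind if the bootloader-zipl group is ever opened to other products.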
+Final applicability of zipl rules is equivalent to "machine and zipl" +CPE platform. +--- + linux_os/guide/system/bootloader-zipl/group.yml | 2 +- + .../guide/system/bootloader-zipl/zipl_audit_argument/rule.yml | 2 ++ + .../bootloader-zipl/zipl_audit_backlog_limit_argument/rule.yml | 2 ++ + .../guide/system/bootloader-zipl/zipl_enable_selinux/rule.yml | 2 ++ + .../system/bootloader-zipl/zipl_page_poison_argument/rule.yml | 2 ++ + .../guide/system/bootloader-zipl/zipl_pti_argument/rule.yml | 2 ++ + .../system/bootloader-zipl/zipl_slub_debug_argument/rule.yml | 2 ++ + .../system/bootloader-zipl/zipl_vsyscall_argument/rule.yml | 2 ++ + 8 files changed, 15 insertions(+), 1 deletion(-) + +diff --git a/linux_os/guide/system/bootloader-zipl/group.yml b/linux_os/guide/system/bootloader-zipl/group.yml +index 36da84530c..64c6c8dffb 100644 +--- a/linux_os/guide/system/bootloader-zipl/group.yml ++++ b/linux_os/guide/system/bootloader-zipl/group.yml +@@ -8,4 +8,4 @@ description: |- + options to it. + The default {{{ full_name }}} boot loader for s390x systems is called zIPL. + +-platform: machine ++platform: zipl +diff --git a/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/rule.yml +index 16c0b3f89a..2d31ef8ee7 100644 +--- a/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/rule.yml ++++ b/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/rule.yml +@@ -38,3 +38,5 @@ ocil: |- + and /etc/zipl.conf: +
find /boot/loader/entries/*.conf /etc/zipl.conf -newer /boot/bootmap
+ No line should be returned, if a line is returned /boot/bootmap needs to be regenerated. ++ ++platform: machine +diff --git a/linux_os/guide/system/bootloader-zipl/zipl_audit_backlog_limit_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_audit_backlog_limit_argument/rule.yml +index 47a532d50f..40db232257 100644 +--- a/linux_os/guide/system/bootloader-zipl/zipl_audit_backlog_limit_argument/rule.yml ++++ b/linux_os/guide/system/bootloader-zipl/zipl_audit_backlog_limit_argument/rule.yml +@@ -39,3 +39,5 @@ ocil: |- + and /etc/zipl.conf: +
find /boot/loader/entries/*.conf /etc/zipl.conf -newer /boot/bootmap
+ No line should be returned, if a line is returned /boot/bootmap needs to be regenerated. ++ ++platform: machine +diff --git a/linux_os/guide/system/bootloader-zipl/zipl_enable_selinux/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_enable_selinux/rule.yml +index 5aa91c16aa..8d28d5495f 100644 +--- a/linux_os/guide/system/bootloader-zipl/zipl_enable_selinux/rule.yml ++++ b/linux_os/guide/system/bootloader-zipl/zipl_enable_selinux/rule.yml +@@ -35,3 +35,5 @@ ocil: |- + and /etc/zipl.conf: +
find /boot/loader/entries/*.conf /etc/zipl.conf -newer /boot/bootmap
+ No line should be returned, if a line is returned /boot/bootmap needs to be regenerated. ++ ++platform: machine +diff --git a/linux_os/guide/system/bootloader-zipl/zipl_page_poison_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_page_poison_argument/rule.yml +index 8546325752..0a8e9a41e2 100644 +--- a/linux_os/guide/system/bootloader-zipl/zipl_page_poison_argument/rule.yml ++++ b/linux_os/guide/system/bootloader-zipl/zipl_page_poison_argument/rule.yml +@@ -39,3 +39,5 @@ ocil: |- + and /etc/zipl.conf: +
find /boot/loader/entries/*.conf /etc/zipl.conf -newer /boot/bootmap
+ No line should be returned, if a line is returned /boot/bootmap needs to be regenerated. ++ ++platform: machine +diff --git a/linux_os/guide/system/bootloader-zipl/zipl_pti_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_pti_argument/rule.yml +index eaef25ce40..20c1448cc8 100644 +--- a/linux_os/guide/system/bootloader-zipl/zipl_pti_argument/rule.yml ++++ b/linux_os/guide/system/bootloader-zipl/zipl_pti_argument/rule.yml +@@ -38,3 +38,5 @@ ocil: |- + and /etc/zipl.conf: +
find /boot/loader/entries/*.conf /etc/zipl.conf -newer /boot/bootmap
+ No line should be returned, if a line is returned /boot/bootmap needs to be regenerated. ++ ++platform: machine +diff --git a/linux_os/guide/system/bootloader-zipl/zipl_slub_debug_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_slub_debug_argument/rule.yml +index 68e91a92d6..54ac688ea0 100644 +--- a/linux_os/guide/system/bootloader-zipl/zipl_slub_debug_argument/rule.yml ++++ b/linux_os/guide/system/bootloader-zipl/zipl_slub_debug_argument/rule.yml +@@ -39,3 +39,5 @@ ocil: |- + and /etc/zipl.conf: +
find /boot/loader/entries/*.conf /etc/zipl.conf -newer /boot/bootmap
+ No line should be returned, if a line is returned /boot/bootmap needs to be regenerated. ++ ++platform: machine +diff --git a/linux_os/guide/system/bootloader-zipl/zipl_vsyscall_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_vsyscall_argument/rule.yml +index 9624b43349..c5979a2016 100644 +--- a/linux_os/guide/system/bootloader-zipl/zipl_vsyscall_argument/rule.yml ++++ b/linux_os/guide/system/bootloader-zipl/zipl_vsyscall_argument/rule.yml +@@ -36,3 +36,5 @@ ocil: |- + and /etc/zipl.conf: +
find /boot/loader/entries/*.conf /etc/zipl.conf -newer /boot/bootmap
+ No line should be returned, if a line is returned /boot/bootmap needs to be regenerated. ++ ++platform: machine + +From 02f961ecbe8bcafab72f544c2bc0f9141b9fa8fa Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Tue, 23 Jun 2020 23:02:44 +0200 +Subject: [PATCH 3/5] Add check for grub2 installed + +Apply new CPE grub2 to bootloader-grub2 group. +--- + .../file_groupowner_efi_grub2_cfg/rule.yml | 2 + + .../file_groupowner_grub2_cfg/rule.yml | 2 + + .../file_owner_efi_grub2_cfg/rule.yml | 2 + + .../file_owner_grub2_cfg/rule.yml | 2 + + .../guide/system/bootloader-grub2/group.yml | 2 +- + .../grub2_admin_username/rule.yml | 2 + + .../grub2_enable_iommu_force/rule.yml | 2 + + .../grub2_no_removeable_media/rule.yml | 2 + + .../bootloader-grub2/grub2_password/rule.yml | 2 + + .../grub2_uefi_admin_username/rule.yml | 2 + + .../grub2_uefi_password/rule.yml | 2 + + .../uefi_no_removeable_media/rule.yml | 2 + + .../oval/installed_env_has_grub2_package.xml | 37 +++++++++++++++++++ + ssg/constants.py | 1 + + 14 files changed, 61 insertions(+), 1 deletion(-) + create mode 100644 shared/checks/oval/installed_env_has_grub2_package.xml + +diff --git a/linux_os/guide/system/bootloader-grub2/file_groupowner_efi_grub2_cfg/rule.yml b/linux_os/guide/system/bootloader-grub2/file_groupowner_efi_grub2_cfg/rule.yml +index b5b583bd28..a6ac6f7b6b 100644 +--- a/linux_os/guide/system/bootloader-grub2/file_groupowner_efi_grub2_cfg/rule.yml ++++ b/linux_os/guide/system/bootloader-grub2/file_groupowner_efi_grub2_cfg/rule.yml +@@ -51,6 +51,8 @@ ocil: |- + {{{ ocil_file_group_owner(file="/boot/efi/EFI/redhat/grub.cfg", group="root") }}} + {{%- endif %}} + ++platform: machine ++ + template: + name: file_groupowner + vars: +diff --git a/linux_os/guide/system/bootloader-grub2/file_groupowner_grub2_cfg/rule.yml b/linux_os/guide/system/bootloader-grub2/file_groupowner_grub2_cfg/rule.yml +index 9d89ff5755..93dbf5222d 100644 +--- a/linux_os/guide/system/bootloader-grub2/file_groupowner_grub2_cfg/rule.yml 
++++ b/linux_os/guide/system/bootloader-grub2/file_groupowner_grub2_cfg/rule.yml +@@ -39,6 +39,8 @@ ocil_clause: '{{{ ocil_clause_file_group_owner(file="/boot/grub2/grub.cfg", grou + + ocil: '{{{ ocil_file_group_owner(file="/boot/grub2/grub.cfg", group="root") }}}' + ++platform: machine ++ + template: + name: file_groupowner + vars: +diff --git a/linux_os/guide/system/bootloader-grub2/file_owner_efi_grub2_cfg/rule.yml b/linux_os/guide/system/bootloader-grub2/file_owner_efi_grub2_cfg/rule.yml +index ed17987478..e2c118cf0a 100644 +--- a/linux_os/guide/system/bootloader-grub2/file_owner_efi_grub2_cfg/rule.yml ++++ b/linux_os/guide/system/bootloader-grub2/file_owner_efi_grub2_cfg/rule.yml +@@ -49,6 +49,8 @@ ocil: |- + {{{ ocil_file_owner(file="/boot/efi/EFI/redhat/grub.cfg", owner="root") }}} + {{%- endif %}} + ++platform: machine ++ + template: + name: file_owner + vars: +diff --git a/linux_os/guide/system/bootloader-grub2/file_owner_grub2_cfg/rule.yml b/linux_os/guide/system/bootloader-grub2/file_owner_grub2_cfg/rule.yml +index 9ce4c3d60b..5086553921 100644 +--- a/linux_os/guide/system/bootloader-grub2/file_owner_grub2_cfg/rule.yml ++++ b/linux_os/guide/system/bootloader-grub2/file_owner_grub2_cfg/rule.yml +@@ -37,6 +37,8 @@ ocil_clause: '{{{ ocil_clause_file_owner(file="/boot/grub2/grub.cfg", owner="roo + + ocil: '{{{ ocil_file_owner(file="/boot/grub2/grub.cfg", owner="root") }}}' + ++platform: machine ++ + template: + name: file_owner + vars: +diff --git a/linux_os/guide/system/bootloader-grub2/group.yml b/linux_os/guide/system/bootloader-grub2/group.yml +index 69489bc0c2..4ffb40c0e8 100644 +--- a/linux_os/guide/system/bootloader-grub2/group.yml ++++ b/linux_os/guide/system/bootloader-grub2/group.yml +@@ -15,4 +15,4 @@ description: |- + with a password and ensure its configuration file's permissions + are set properly. 
+ +-platform: machine ++platform: grub2 +diff --git a/linux_os/guide/system/bootloader-grub2/grub2_admin_username/rule.yml b/linux_os/guide/system/bootloader-grub2/grub2_admin_username/rule.yml +index 63a6a7a83c..15db01a75f 100644 +--- a/linux_os/guide/system/bootloader-grub2/grub2_admin_username/rule.yml ++++ b/linux_os/guide/system/bootloader-grub2/grub2_admin_username/rule.yml +@@ -68,3 +68,5 @@ warnings: + + Also, do NOT manually add the superuser account and password to the + grub.cfg file as the grub2-mkconfig command overwrites this file. ++ ++platform: machine +diff --git a/linux_os/guide/system/bootloader-grub2/grub2_enable_iommu_force/rule.yml b/linux_os/guide/system/bootloader-grub2/grub2_enable_iommu_force/rule.yml +index baade9c13e..d4f455e66a 100644 +--- a/linux_os/guide/system/bootloader-grub2/grub2_enable_iommu_force/rule.yml ++++ b/linux_os/guide/system/bootloader-grub2/grub2_enable_iommu_force/rule.yml +@@ -17,3 +17,5 @@ identifiers: + + references: + anssi: NT28(R11) ++ ++platform: machine +diff --git a/linux_os/guide/system/bootloader-grub2/grub2_no_removeable_media/rule.yml b/linux_os/guide/system/bootloader-grub2/grub2_no_removeable_media/rule.yml +index 113726d34f..c8956c2f34 100644 +--- a/linux_os/guide/system/bootloader-grub2/grub2_no_removeable_media/rule.yml ++++ b/linux_os/guide/system/bootloader-grub2/grub2_no_removeable_media/rule.yml +@@ -37,3 +37,5 @@ ocil: |- + usb0, cd, fd0, etc. are some examples of removeable + media which should not exist in the line: +
set root='hd0,msdos1'
++ ++platform: machine +diff --git a/linux_os/guide/system/bootloader-grub2/grub2_password/rule.yml b/linux_os/guide/system/bootloader-grub2/grub2_password/rule.yml +index 985b8727d7..b6e9774608 100644 +--- a/linux_os/guide/system/bootloader-grub2/grub2_password/rule.yml ++++ b/linux_os/guide/system/bootloader-grub2/grub2_password/rule.yml +@@ -72,3 +72,5 @@ warnings: + + Also, do NOT manually add the superuser account and password to the + grub.cfg file as the grub2-mkconfig command overwrites this file. ++ ++platform: machine +diff --git a/linux_os/guide/system/bootloader-grub2/grub2_uefi_admin_username/rule.yml b/linux_os/guide/system/bootloader-grub2/grub2_uefi_admin_username/rule.yml +index 1926837db7..5abd86b9d9 100644 +--- a/linux_os/guide/system/bootloader-grub2/grub2_uefi_admin_username/rule.yml ++++ b/linux_os/guide/system/bootloader-grub2/grub2_uefi_admin_username/rule.yml +@@ -75,3 +75,5 @@ warnings: + + Also, do NOT manually add the superuser account and password to the + grub.cfg file as the grub2-mkconfig command overwrites this file. ++ ++platform: machine +diff --git a/linux_os/guide/system/bootloader-grub2/grub2_uefi_password/rule.yml b/linux_os/guide/system/bootloader-grub2/grub2_uefi_password/rule.yml +index 3ce5a2df13..3114d2d27c 100644 +--- a/linux_os/guide/system/bootloader-grub2/grub2_uefi_password/rule.yml ++++ b/linux_os/guide/system/bootloader-grub2/grub2_uefi_password/rule.yml +@@ -73,3 +73,5 @@ warnings: + + Also, do NOT manually add the superuser account and password to the + grub.cfg file as the grub2-mkconfig command overwrites this file. 
++ ++platform: machine +diff --git a/linux_os/guide/system/bootloader-grub2/uefi_no_removeable_media/rule.yml b/linux_os/guide/system/bootloader-grub2/uefi_no_removeable_media/rule.yml +index c94185f3f4..5de05c057a 100644 +--- a/linux_os/guide/system/bootloader-grub2/uefi_no_removeable_media/rule.yml ++++ b/linux_os/guide/system/bootloader-grub2/uefi_no_removeable_media/rule.yml +@@ -35,3 +35,5 @@ ocil: |- + usb0, cd, fd0, etc. are some examples of removeable + media which should not exist in the line: +
set root='hd0,msdos1'
++ ++platform: machine +diff --git a/shared/checks/oval/installed_env_has_grub2_package.xml b/shared/checks/oval/installed_env_has_grub2_package.xml +new file mode 100644 +index 0000000000..e83f45bc3b +--- /dev/null ++++ b/shared/checks/oval/installed_env_has_grub2_package.xml +@@ -0,0 +1,37 @@ ++ ++ ++ ++ Package grub2 is installed ++ ++ multi_platform_all ++ ++ Checks if package grub2-pc is installed. ++ ++ ++ ++ ++ ++ ++ ++{{% if pkg_system == "rpm" %}} ++ ++ ++ ++ ++ grub2-pc ++ ++{{% elif pkg_system == "dpkg" %}} ++ ++ ++ ++ ++ grub2-pc ++ ++{{% endif %}} ++ ++ +diff --git a/ssg/constants.py b/ssg/constants.py +index f03aa87f09..318763b219 100644 +--- a/ssg/constants.py ++++ b/ssg/constants.py +@@ -498,6 +498,7 @@ + "container": "cpe:/a:container", + "chrony": "cpe:/a:chrony", + "gdm": "cpe:/a:gdm", ++ "grub2": "cpe:/a:grub2", + "libuser": "cpe:/a:libuser", + "nss-pam-ldapd": "cpe:/a:nss-pam-ldapd", + "ntp": "cpe:/a:ntp", + +From 8bb44ebe9c32b7916a7291b1fa5735b381494cfb Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Thu, 2 Jul 2020 16:58:14 +0200 +Subject: [PATCH 4/5] Move grub2_disable_interactive_boot to grub2 platform + +It should have both platforms machine and grub2. +But as the parent group is very broad, I cannot put parent group as +machine. + +As a side effect this change makes this rules applicable in containers. 
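Review bot: installed_env_has_grub2_package.xml keys the new `grub2` CPE on the `grub2-pc` package alone, yet the rules that now inherit that platform through the bootloader-grub2 group include the UEFI-specific ones in this hunk (grub2_uefi_password, grub2_uefi_admin_username, file_owner_efi_grub2_cfg, uefi_no_removeable_media). If a UEFI installation carries only the grub2-efi-* packages and not grub2-pc, which is what I would expect on RHEL-family products and should be confirmed against the package set, each of those rules becomes not-applicable and an unprotected UEFI boot menu stops being reported. The dpkg branch has the mirror-image problem, since Debian/Ubuntu package GRUB as grub-pc / grub-efi-* rather than grub2-pc (again to be verified), so that branch likely never matches. A safer key is a package every GRUB 2 install pulls in, such as `grub2-common` on rpm, with a comment along the lines of `grub2-common is required by both grub2-pc and the grub2-efi packages, so UEFI-only hosts still match`, and the description `Checks if package grub2-pc is installed.` should then name the package actually tested.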
+--- + .../accounts-physical/grub2_disable_interactive_boot/rule.yml | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/linux_os/guide/system/accounts/accounts-physical/grub2_disable_interactive_boot/rule.yml b/linux_os/guide/system/accounts/accounts-physical/grub2_disable_interactive_boot/rule.yml +index 3080470aa8..44ea1aa49a 100644 +--- a/linux_os/guide/system/accounts/accounts-physical/grub2_disable_interactive_boot/rule.yml ++++ b/linux_os/guide/system/accounts/accounts-physical/grub2_disable_interactive_boot/rule.yml +@@ -48,4 +48,4 @@ ocil: |- + Presence of a systemd.confirm_spawn=(1|yes|true|on) indicates + that interactive boot is enabled at boot time. + +-platform: machine ++platform: grub2 + +From 17ba5bc9ecc955911b7a3ab30bcd221283472b3f Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Tue, 23 Jun 2020 23:20:18 +0200 +Subject: [PATCH 5/5] Update CPE Dictionaries + +Again, whenever a package CPE is added, all CPE dictionaries need to be +updated. +Because the project doesn't share CPEs among the products. 
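Review bot: grub2_disable_interactive_boot now carries `platform: grub2` only, and the commit message itself concedes the side effect that the rule becomes applicable inside containers, but nothing in the rule records that. A container image built from a full install can still have grub2-pc present, so scans of such images will now evaluate GRUB settings for a bootloader that never runs there and report findings that cannot be acted on. Since the parent group cannot be narrowed to `machine`, at least capture the caveat in the rule with a `warnings:` entry along the lines of `- general: |- This rule is gated on the grub2 package rather than on a bare-metal/VM platform, so it also evaluates in containers that ship grub2; findings there are informational.` The rule's description and ocil sections begin outside this hunk.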
+--- + debian10/cpe/debian10-cpe-dictionary.xml | 5 +++++ + debian8/cpe/debian8-cpe-dictionary.xml | 5 +++++ + debian9/cpe/debian9-cpe-dictionary.xml | 5 +++++ + fedora/cpe/fedora-cpe-dictionary.xml | 5 +++++ + ol7/cpe/ol7-cpe-dictionary.xml | 5 +++++ + ol8/cpe/ol8-cpe-dictionary.xml | 5 +++++ + opensuse/cpe/opensuse-cpe-dictionary.xml | 5 +++++ + rhel7/cpe/rhel7-cpe-dictionary.xml | 5 +++++ + rhel8/cpe/rhel8-cpe-dictionary.xml | 5 +++++ + rhv4/cpe/rhv4-cpe-dictionary.xml | 5 +++++ + sle11/cpe/sle11-cpe-dictionary.xml | 5 +++++ + sle12/cpe/sle12-cpe-dictionary.xml | 5 +++++ + sle15/cpe/sle15-cpe-dictionary.xml | 5 +++++ + ubuntu1404/cpe/ubuntu1404-cpe-dictionary.xml | 5 +++++ + ubuntu1604/cpe/ubuntu1604-cpe-dictionary.xml | 5 +++++ + ubuntu1804/cpe/ubuntu1804-cpe-dictionary.xml | 5 +++++ + wrlinux1019/cpe/wrlinux1019-cpe-dictionary.xml | 5 +++++ + wrlinux8/cpe/wrlinux8-cpe-dictionary.xml | 5 +++++ + 18 files changed, 90 insertions(+) + +diff --git a/debian10/cpe/debian10-cpe-dictionary.xml b/debian10/cpe/debian10-cpe-dictionary.xml +index 5cc27ceb79..f2dbd09cfc 100644 +--- a/debian10/cpe/debian10-cpe-dictionary.xml ++++ b/debian10/cpe/debian10-cpe-dictionary.xml +@@ -27,6 +27,11 @@ + + installed_env_has_gdm_package + ++ ++ Package grub2 is installed ++ ++ installed_env_has_grub2_package ++ + + Package libuser is installed + +diff --git a/debian8/cpe/debian8-cpe-dictionary.xml b/debian8/cpe/debian8-cpe-dictionary.xml +index 38d490138a..f385709052 100644 +--- a/debian8/cpe/debian8-cpe-dictionary.xml ++++ b/debian8/cpe/debian8-cpe-dictionary.xml +@@ -27,6 +27,11 @@ + + installed_env_has_gdm_package + ++ ++ Package grub2 is installed ++ ++ installed_env_has_grub2_package ++ + + Package libuser is installed + +diff --git a/debian9/cpe/debian9-cpe-dictionary.xml b/debian9/cpe/debian9-cpe-dictionary.xml +index f01770b044..bc90a12bae 100644 +--- a/debian9/cpe/debian9-cpe-dictionary.xml ++++ b/debian9/cpe/debian9-cpe-dictionary.xml +@@ -27,6 +27,11 @@ + + 
installed_env_has_gdm_package + ++ ++ Package grub2 is installed ++ ++ installed_env_has_grub2_package ++ + + Package libuser is installed + +diff --git a/fedora/cpe/fedora-cpe-dictionary.xml b/fedora/cpe/fedora-cpe-dictionary.xml +index 2964e320c2..ff7cebc322 100644 +--- a/fedora/cpe/fedora-cpe-dictionary.xml ++++ b/fedora/cpe/fedora-cpe-dictionary.xml +@@ -62,6 +62,11 @@ + + installed_env_has_gdm_package + ++ ++ Package grub2 is installed ++ ++ installed_env_has_grub2_package ++ + + Package libuser is installed + +diff --git a/ol7/cpe/ol7-cpe-dictionary.xml b/ol7/cpe/ol7-cpe-dictionary.xml +index c153272121..613f853a6d 100644 +--- a/ol7/cpe/ol7-cpe-dictionary.xml ++++ b/ol7/cpe/ol7-cpe-dictionary.xml +@@ -27,6 +27,11 @@ + + installed_env_has_gdm_package + ++ ++ Package grub2 is installed ++ ++ installed_env_has_grub2_package ++ + + Package libuser is installed + +diff --git a/ol8/cpe/ol8-cpe-dictionary.xml b/ol8/cpe/ol8-cpe-dictionary.xml +index 3fd74e53ca..912fe01346 100644 +--- a/ol8/cpe/ol8-cpe-dictionary.xml ++++ b/ol8/cpe/ol8-cpe-dictionary.xml +@@ -27,6 +27,11 @@ + + installed_env_has_gdm_package + ++ ++ Package grub2 is installed ++ ++ installed_env_has_grub2_package ++ + + Package libuser is installed + +diff --git a/opensuse/cpe/opensuse-cpe-dictionary.xml b/opensuse/cpe/opensuse-cpe-dictionary.xml +index 1ab4e85ea8..7f485b800e 100644 +--- a/opensuse/cpe/opensuse-cpe-dictionary.xml ++++ b/opensuse/cpe/opensuse-cpe-dictionary.xml +@@ -42,6 +42,11 @@ + + installed_env_has_gdm_package + ++ ++ Package grub2 is installed ++ ++ installed_env_has_grub2_package ++ + + Package libuser is installed + +diff --git a/rhel7/cpe/rhel7-cpe-dictionary.xml b/rhel7/cpe/rhel7-cpe-dictionary.xml +index a5214e36f0..f232b7ed29 100644 +--- a/rhel7/cpe/rhel7-cpe-dictionary.xml ++++ b/rhel7/cpe/rhel7-cpe-dictionary.xml +@@ -57,6 +57,11 @@ + + installed_env_has_gdm_package + ++ ++ Package grub2 is installed ++ ++ installed_env_has_grub2_package ++ + + Package libuser is installed 
+ +diff --git a/rhel8/cpe/rhel8-cpe-dictionary.xml b/rhel8/cpe/rhel8-cpe-dictionary.xml +index cccb3c5791..eab827291f 100644 +--- a/rhel8/cpe/rhel8-cpe-dictionary.xml ++++ b/rhel8/cpe/rhel8-cpe-dictionary.xml +@@ -32,6 +32,11 @@ + + installed_env_has_gdm_package + ++ ++ Package grub2 is installed ++ ++ installed_env_has_grub2_package ++ + + Package libuser is installed + +diff --git a/rhv4/cpe/rhv4-cpe-dictionary.xml b/rhv4/cpe/rhv4-cpe-dictionary.xml +index ce9b06dcae..db1b4b239b 100644 +--- a/rhv4/cpe/rhv4-cpe-dictionary.xml ++++ b/rhv4/cpe/rhv4-cpe-dictionary.xml +@@ -32,6 +32,11 @@ + + installed_env_has_gdm_package + ++ ++ Package grub2 is installed ++ ++ installed_env_has_grub2_package ++ + + Package libuser is installed + +diff --git a/sle11/cpe/sle11-cpe-dictionary.xml b/sle11/cpe/sle11-cpe-dictionary.xml +index c732ecb48a..1b6b3e2518 100644 +--- a/sle11/cpe/sle11-cpe-dictionary.xml ++++ b/sle11/cpe/sle11-cpe-dictionary.xml +@@ -32,6 +32,11 @@ + + installed_env_has_gdm_package + ++ ++ Package grub2 is installed ++ ++ installed_env_has_grub2_package ++ + + Package libuser is installed + +diff --git a/sle12/cpe/sle12-cpe-dictionary.xml b/sle12/cpe/sle12-cpe-dictionary.xml +index 79daa31412..b1b66e1294 100644 +--- a/sle12/cpe/sle12-cpe-dictionary.xml ++++ b/sle12/cpe/sle12-cpe-dictionary.xml +@@ -32,6 +32,11 @@ + + installed_env_has_gdm_package + ++ ++ Package grub2 is installed ++ ++ installed_env_has_grub2_package ++ + + Package libuser is installed + +diff --git a/sle15/cpe/sle15-cpe-dictionary.xml b/sle15/cpe/sle15-cpe-dictionary.xml +index 91d3d78b19..0ee5a1b817 100644 +--- a/sle15/cpe/sle15-cpe-dictionary.xml ++++ b/sle15/cpe/sle15-cpe-dictionary.xml +@@ -32,6 +32,11 @@ + + installed_env_has_gdm_package + ++ ++ Package grub2 is installed ++ ++ installed_env_has_grub2_package ++ + + Package libuser is installed + +diff --git a/ubuntu1404/cpe/ubuntu1404-cpe-dictionary.xml b/ubuntu1404/cpe/ubuntu1404-cpe-dictionary.xml +index df5abff723..7f3ce4271b 100644 
+--- a/ubuntu1404/cpe/ubuntu1404-cpe-dictionary.xml ++++ b/ubuntu1404/cpe/ubuntu1404-cpe-dictionary.xml +@@ -27,6 +27,11 @@ + + installed_env_has_gdm_package + ++ ++ Package grub2 is installed ++ ++ installed_env_has_grub2_package ++ + + Package libuser is installed + +diff --git a/ubuntu1604/cpe/ubuntu1604-cpe-dictionary.xml b/ubuntu1604/cpe/ubuntu1604-cpe-dictionary.xml +index 6269344376..83f0c8c516 100644 +--- a/ubuntu1604/cpe/ubuntu1604-cpe-dictionary.xml ++++ b/ubuntu1604/cpe/ubuntu1604-cpe-dictionary.xml +@@ -27,6 +27,11 @@ + + installed_env_has_gdm_package + ++ ++ Package grub2 is installed ++ ++ installed_env_has_grub2_package ++ + + Package libuser is installed + +diff --git a/ubuntu1804/cpe/ubuntu1804-cpe-dictionary.xml b/ubuntu1804/cpe/ubuntu1804-cpe-dictionary.xml +index ccb285768e..77b78d74ec 100644 +--- a/ubuntu1804/cpe/ubuntu1804-cpe-dictionary.xml ++++ b/ubuntu1804/cpe/ubuntu1804-cpe-dictionary.xml +@@ -27,6 +27,11 @@ + + installed_env_has_gdm_package + ++ ++ Package grub2 is installed ++ ++ installed_env_has_grub2_package ++ + + Package libuser is installed + +diff --git a/wrlinux1019/cpe/wrlinux1019-cpe-dictionary.xml b/wrlinux1019/cpe/wrlinux1019-cpe-dictionary.xml +index 73e419c9ab..cc4e806a4d 100644 +--- a/wrlinux1019/cpe/wrlinux1019-cpe-dictionary.xml ++++ b/wrlinux1019/cpe/wrlinux1019-cpe-dictionary.xml +@@ -26,6 +26,11 @@ + + installed_env_has_gdm_package + ++ ++ Package grub2 is installed ++ ++ installed_env_has_grub2_package ++ + + Package libuser is installed + +diff --git a/wrlinux8/cpe/wrlinux8-cpe-dictionary.xml b/wrlinux8/cpe/wrlinux8-cpe-dictionary.xml +index 8449ea1416..824c575a6a 100644 +--- a/wrlinux8/cpe/wrlinux8-cpe-dictionary.xml ++++ b/wrlinux8/cpe/wrlinux8-cpe-dictionary.xml +@@ -26,6 +26,11 @@ + + installed_env_has_gdm_package + ++ ++ Package grub2 is installed ++ ++ installed_env_has_grub2_package ++ + + Package libuser is installed + 
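Review bot: This commit states that every product dictionary must be updated whenever a package CPE is added, but only `cpe:/a:grub2` is propagated here; the `cpe:/a:zipl` entry introduced earlier in the series exists solely in rhel8-cpe-dictionary.xml, while the bootloader-zipl group that references `platform: zipl` lives in the shared linux_os guide with no prodtype. Whether the build tolerates a group platform that a product's dictionary does not define is not visible from the diff, so either add the zipl entry to the other dictionaries as this commit's own rule requires, or note in the commit message that the omission is deliberate because the zipl rules are rhel8-only.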
diff --git a/SOURCES/scap-security-guide-0.1.51-add-zipl-rules_PR_5784.patch b/SOURCES/scap-security-guide-0.1.51-add-zipl-rules_PR_5784.patch new file mode 100644 index 0000000..084c528 --- /dev/null +++ b/SOURCES/scap-security-guide-0.1.51-add-zipl-rules_PR_5784.patch 
@@ -0,0 +1,595 @@ +From 2c354a6bfbcedee3f92fd8cbdd42ce0f0861fcaf Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Mon, 25 May 2020 14:33:06 +0200 +Subject: [PATCH 1/5] Add zIPL bootloader group + +--- + linux_os/guide/system/bootloader-zipl/group.yml | 11 +++++++++++ + 1 file changed, 11 insertions(+) + create mode 100644 linux_os/guide/system/bootloader-zipl/group.yml + +diff --git a/linux_os/guide/system/bootloader-zipl/group.yml b/linux_os/guide/system/bootloader-zipl/group.yml +new file mode 100644 +index 0000000000..36da84530c +--- /dev/null ++++ b/linux_os/guide/system/bootloader-zipl/group.yml +@@ -0,0 +1,11 @@ ++documentation_complete: true ++ ++title: 'zIPL bootloader configuration' ++ ++description: |- ++ During the boot process, the bootloader is ++ responsible for starting the execution of the kernel and passing ++ options to it. ++ The default {{{ full_name }}} boot loader for s390x systems is called zIPL. ++ ++platform: machine + +From 13c11b539e5c8cc929a5ccbc4b117a98bb35d915 Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Mon, 25 May 2020 15:26:19 +0200 +Subject: [PATCH 2/5] Add zIPL rule for early audit capability + +--- + .../zipl_audit_argument/rule.yml | 40 +++++++++++++++++++ + 1 file changed, 40 insertions(+) + create mode 100644 linux_os/guide/system/bootloader-zipl/zipl_audit_argument/rule.yml + +diff --git a/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/rule.yml +new file mode 100644 +index 0000000000..ce2bd60c59 +--- /dev/null ++++ b/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/rule.yml +@@ -0,0 +1,40 @@ ++documentation_complete: true ++ ++prodtype: rhel8 ++ ++title: 'Enable Auditing to Start Prior to the Audit Daemon in zIPL' ++ ++description: |- ++ To ensure all processes can be audited, even those which start prior to the audit daemon, ++ check that all boot entries in /boot/loader/entries/*.conf have audit=1 ++ included in its options. 
++ Make sure /etc/zipl.conf doesn't contain
image = 
setting, ++ as {{{ full_name }}} adheres to Boot Loader Specification (BLS). ++ And run
zipl
command so that /boot/bootmap is updated. ++ ++ To ensure that new kernels and boot entries continue to enable audit, ++ add
audit=1
to /etc/kernel/cmdline. ++ ++rationale: |- ++ Each process on the system carries an "auditable" flag which indicates whether ++ its activities can be audited. Although auditd takes care of enabling ++ this for all processes which launch after it does, adding the kernel argument ++ ensures it is set for every process during boot. ++ ++severity: medium ++ ++ocil_clause: 'auditing is not enabled at boot time' ++ ++ocil: |- ++ To check that audit is enabled at boot time, check all boot entries with following command: ++
sudo grep -L "^options\s+.*\baudit=1\b" /boot/loader/entries/*.conf
++ No line should be returned, each line returned is a boot entry that doesn't enable audit. ++ ++ Check that no image file is specified in /etc/zipl.conf: ++
grep -R "^image\s*=" /etc/zipl.conf
++ No line should be returned, if a line is returned zipl may load a different kernel than intended. ++ ++ And make sure that /boot/bootmap is newer than /boot/loader/entries/*.conf ++ and /etc/zipl.conf: ++
find /boot/loader/entries/*.conf /etc/zipl.conf -newer /boot/bootmap
++ No line should be returned, if a line is returned /boot/bootmap needs to be regenerated. + +From 221979b3aebfe6dda39e1a446140454138e231bf Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Tue, 26 May 2020 15:06:12 +0200 +Subject: [PATCH 3/5] Add few more zIPL kernel option rules + +Add rules for following options: +- audit_backlog_limit +- selinux +- audit_backlog_limit +- enable_selinux +- page_poison +- pti +- slub_debug +- vsyscall +--- + .../rule.yml | 41 +++++++++++++++++++ + .../zipl_enable_selinux/rule.yml | 37 +++++++++++++++++ + .../zipl_page_poison_argument/rule.yml | 41 +++++++++++++++++++ + .../zipl_pti_argument/rule.yml | 40 ++++++++++++++++++ + .../zipl_slub_debug_argument/rule.yml | 41 +++++++++++++++++++ + .../zipl_vsyscall_argument/rule.yml | 41 +++++++++++++++++++ + 6 files changed, 241 insertions(+) + create mode 100644 linux_os/guide/system/bootloader-zipl/zipl_audit_backlog_limit_argument/rule.yml + create mode 100644 linux_os/guide/system/bootloader-zipl/zipl_enable_selinux/rule.yml + create mode 100644 linux_os/guide/system/bootloader-zipl/zipl_page_poison_argument/rule.yml + create mode 100644 linux_os/guide/system/bootloader-zipl/zipl_pti_argument/rule.yml + create mode 100644 linux_os/guide/system/bootloader-zipl/zipl_slub_debug_argument/rule.yml + create mode 100644 linux_os/guide/system/bootloader-zipl/zipl_vsyscall_argument/rule.yml + +diff --git a/linux_os/guide/system/bootloader-zipl/zipl_audit_backlog_limit_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_audit_backlog_limit_argument/rule.yml +new file mode 100644 +index 0000000000..08c5b53207 +--- /dev/null ++++ b/linux_os/guide/system/bootloader-zipl/zipl_audit_backlog_limit_argument/rule.yml +@@ -0,0 +1,41 @@ ++documentation_complete: true ++ ++prodtype: rhel8 ++ ++title: 'Extend Audit Backlog Limit for the Audit Daemon in zIPL' ++ ++description: |- ++ To improve the kernel capacity to queue all log events, even those which start prior to the audit daemon, ++ 
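Review bot: The manual check in zipl_audit_argument's ocil block, `sudo grep -L "^options\s+.*\baudit=1\b" /boot/loader/entries/*.conf`, runs grep without -E, and in GNU grep's default basic syntax a bare `+` is a literal character rather than a quantifier, so the pattern demands "options", one whitespace character and a literal plus sign; no BLS entry looks like that, nothing matches, and -L then lists every entry as if audit were missing. Use extended syntax, `sudo grep -EL "^options\s+.*\baudit=1\b" /boot/loader/entries/*.conf`, or replace `\s+` with a bracket expression. The `grep -R "^image\s*=" /etc/zipl.conf` line is unaffected because `*` is a quantifier in basic syntax, though -R is pointless on a single file. This patch's diffstat adds only rule.yml, so unless a later patch in the series supplies OVAL, this manual text is the rule's only verification path.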
check that all boot entries in /boot/loader/entries/*.conf have audit_backlog_limit=8192 ++ included in its options. ++ Make sure /etc/zipl.conf doesn't contain
image = 
setting, ++ as {{{ full_name }}} adheres to Boot Loader Specification (BLS). ++ And run
zipl
command so that /boot/bootmap is updated. ++ ++ To ensure that new kernels and boot entries continue to extend the audit log events queue, ++ add
audit_backlog_limit=8192
to /etc/kernel/cmdline. ++ ++rationale: |- ++ audit_backlog_limit sets the queue length for audit events awaiting transfer ++ to the audit daemon. Until the audit daemon is up and running, all log messages ++ are stored in this queue. If the queue is overrun during boot process, the action ++ defined by audit failure flag is taken. ++ ++severity: medium ++ ++ocil_clause: 'audit backlog limit is not configured' ++ ++ocil: |- ++ To check that all boot entries extend the backlog limit; ++ Check that all boot entries extend the log events queue: ++
sudo grep -L "^options\s+.*\baudit_backlog_limit=0\b" /boot/loader/entries/*.conf
++ No line should be returned, each line returned is a boot entry that does not extend the log events queue.
++
++ Check that no image file is specified in /etc/zipl.conf:
++
grep -R "^image\s*=" /etc/zipl.conf
++ No line should be returned, if a line is returned zipl may load a different kernel than intended.
++
++ And make sure that /boot/bootmap is newer than /boot/loader/entries/*.conf
++ and /etc/zipl.conf:
++
find /boot/loader/entries/*.conf /etc/zipl.conf -newer /boot/bootmap
++ No line should be returned, if a line is returned /boot/bootmap needs to be regenerated.
+diff --git a/linux_os/guide/system/bootloader-zipl/zipl_enable_selinux/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_enable_selinux/rule.yml
+new file mode 100644
+index 0000000000..e7a455b90c
+--- /dev/null
++++ b/linux_os/guide/system/bootloader-zipl/zipl_enable_selinux/rule.yml
+@@ -0,0 +1,37 @@
++documentation_complete: true
++
++prodtype: rhel8
++
++title: 'Ensure SELinux Not Disabled in zIPL'
++
++description: |-
++ To ensure SELinux is not disabled at boot time,
++ check that no boot entry in /boot/loader/entries/*.conf has selinux=0
++ included in its options.
++ Make sure /etc/zipl.conf doesn't contain
image = 
setting,
++ as {{{ full_name }}} adheres to Boot Loader Specification (BLS).
++ And run
zipl
command so that /boot/bootmap is updated.
++
++rationale: |-
++ Disabling a major host protection feature, such as SELinux, at boot time prevents
++ it from confining system services at boot time. Further, it increases
++ the chances that it will remain off during system operation.
++
++severity: medium
++
++ocil_clause: 'SELinux is disabled at boot time'
++
++ocil: |-
++ To check that selinux is not disabled at boot time;
++ Check that no boot entry disables selinux:
++
sudo grep -L "^options\s+.*\bselinux=0\b" /boot/loader/entries/*.conf
++ No line should be returned, each line returned is a boot entry that disables SELinux.
++
++ Check that no image file is specified in /etc/zipl.conf:
++
grep -R "^image\s*=" /etc/zipl.conf
++ No line should be returned, if a line is returned zipl may load a different kernel than intended.
++
++ And make sure that /boot/bootmap is newer than /boot/loader/entries/*.conf
++ and /etc/zipl.conf:
++
find /boot/loader/entries/*.conf /etc/zipl.conf -newer /boot/bootmap
++ No line should be returned, if a line is returned /boot/bootmap needs to be regenerated.
+diff --git a/linux_os/guide/system/bootloader-zipl/zipl_page_poison_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_page_poison_argument/rule.yml
+new file mode 100644
+index 0000000000..b8a2eecee6
+--- /dev/null
++++ b/linux_os/guide/system/bootloader-zipl/zipl_page_poison_argument/rule.yml
+@@ -0,0 +1,41 @@
++documentation_complete: true
++
++prodtype: rhel8
++
++title: 'Enable page allocator poisoning in zIPL'
++
++description: |-
++ To enable poisoning of free pages,
++ check that all boot entries in /boot/loader/entries/*.conf have page_poison=1
++ included in its options.
++ Make sure /etc/zipl.conf doesn't contain
image = 
setting,
++ as {{{ full_name }}} adheres to Boot Loader Specification (BLS).
++ And run
zipl
command so that /boot/bootmap is updated.
++
++ To ensure that new kernels and boot entries continue to enable page poisoning,
++ add
page_poison=1
to /etc/kernel/cmdline.
++
++rationale: |-
++ Poisoning writes an arbitrary value to freed pages, so any modification or
++ reference to that page after being freed or before being initialized will be
++ detected and prevented.
++ This prevents many types of use-after-free vulnerabilities at little performance cost.
++ Also prevents leak of data and detection of corrupted memory.
++
++severity: medium
++
++ocil_clause: 'page allocator poisoning is not enabled'
++
++ocil: |-
++ To check that page poisoning is enabled at boot time, check all boot entries with following command:
++
sudo grep -L "^options\s+.*\bpage_poison=1\b" /boot/loader/entries/*.conf
++ No line should be returned, each line returned is a boot entry that doesn't enable page poisoning.
++
++ Check that no image file is specified in /etc/zipl.conf:
++
grep -R "^image\s*=" /etc/zipl.conf
++ No line should be returned, if a line is returned zipl may load a different kernel than intended.
++
++ And make sure that /boot/bootmap is newer than /boot/loader/entries/*.conf
++ and /etc/zipl.conf:
++
find /boot/loader/entries/*.conf /etc/zipl.conf -newer /boot/bootmap
++ No line should be returned, if a line is returned /boot/bootmap needs to be regenerated.
+diff --git a/linux_os/guide/system/bootloader-zipl/zipl_pti_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_pti_argument/rule.yml
+new file mode 100644
+index 0000000000..4757871a5f
+--- /dev/null
++++ b/linux_os/guide/system/bootloader-zipl/zipl_pti_argument/rule.yml
+@@ -0,0 +1,40 @@
++documentation_complete: true
++
++prodtype: rhel8
++
++title: 'Enable Kernel Page-Table Isolation (KPTI) in zIPL'
++
++description: |-
++ To enable Kernel page-table isolation,
++ check that all boot entries in /boot/loader/entries/*.conf have pti=on
++ included in its options.
++ Make sure /etc/zipl.conf doesn't contain
image = 
setting,
++ as {{{ full_name }}} adheres to Boot Loader Specification (BLS).
++ And run
zipl
command so that /boot/bootmap is updated.
++
++ To ensure that new kernels and boot entries continue to enable page-table isolation,
++ add
pti=on
to /etc/kernel/cmdline.
++
++rationale: |-
++ Kernel page-table isolation is a kernel feature that mitigates
++ the Meltdown security vulnerability and hardens the kernel
++ against attempts to bypass kernel address space layout
++ randomization (KASLR).
++
++severity: medium
++
++ocil_clause: 'Kernel page-table isolation is not enabled'
++
++ocil: |-
++ To check that page-table isolation is enabled at boot time, check all boot entries with following command:
++
sudo grep -L "^options\s+.*\bpti=on\b" /boot/loader/entries/*.conf
++ No line should be returned, each line returned is a boot entry that doesn't enable page-table isolation .
++
++ Check that no image file is specified in /etc/zipl.conf:
++
grep -R "^image\s*=" /etc/zipl.conf
++ No line should be returned, if a line is returned zipl may load a different kernel than intended.
++
++ And make sure that /boot/bootmap is newer than /boot/loader/entries/*.conf
++ and /etc/zipl.conf:
++
find /boot/loader/entries/*.conf /etc/zipl.conf -newer /boot/bootmap
++ No line should be returned, if a line is returned /boot/bootmap needs to be regenerated.
+diff --git a/linux_os/guide/system/bootloader-zipl/zipl_slub_debug_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_slub_debug_argument/rule.yml
+new file mode 100644
+index 0000000000..166dd41afd
+--- /dev/null
++++ b/linux_os/guide/system/bootloader-zipl/zipl_slub_debug_argument/rule.yml
+@@ -0,0 +1,41 @@
++documentation_complete: true
++
++prodtype: rhel8
++
++title: 'Enable SLUB/SLAB allocator poisoning in zIPL'
++
++description: |-
++ To enable poisoning of SLUB/SLAB objects,
++ check that all boot entries in /boot/loader/entries/*.conf have slub_debug=P
++ included in its options.
++ Make sure /etc/zipl.conf doesn't contain
image = 
setting,
++ as {{{ full_name }}} adheres to Boot Loader Specification (BLS).
++ And run
zipl
command so that /boot/bootmap is updated.
++
++ To ensure that new kernels and boot entries continue to extend the audit log events queue,
++ add
slub_debug=P
to /etc/kernel/cmdline.
++
++rationale: |-
++ Poisoning writes an arbitrary value to freed objects, so any modification or
++ reference to that object after being freed or before being initialized will be
++ detected and prevented.
++ This prevents many types of use-after-free vulnerabilities at little performance cost.
++ Also prevents leak of data and detection of corrupted memory.
++
++severity: medium
++
++ocil_clause: 'SLUB/SLAB poisoning is not enabled'
++
++ocil: |-
++ To check that SLUB/SLAB poisoning is enabled, check all boot entries with following command;
++
sudo grep -L "^options\s+.*\bslub_debug=P\b" /boot/loader/entries/*.conf
++ No line should be returned, each line returned is a boot entry that does not enable poisoning.
++
++ Check that no image file is specified in /etc/zipl.conf:
++
grep -R "^image\s*=" /etc/zipl.conf
++ No line should be returned, if a line is returned zipl may load a different kernel than intended.
++
++ And make sure that /boot/bootmap is newer than /boot/loader/entries/*.conf
++ and /etc/zipl.conf:
++
find /boot/loader/entries/*.conf /etc/zipl.conf -newer /boot/bootmap
++ No line should be returned, if a line is returned /boot/bootmap needs to be regenerated.
+diff --git a/linux_os/guide/system/bootloader-zipl/zipl_vsyscall_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_vsyscall_argument/rule.yml
+new file mode 100644
+index 0000000000..6b95d16fb8
+--- /dev/null
++++ b/linux_os/guide/system/bootloader-zipl/zipl_vsyscall_argument/rule.yml
+@@ -0,0 +1,41 @@
++documentation_complete: true
++
++prodtype: rhel8
++
++title: 'Disable vsyscalls in zIPL'
++
++description: |-
++ To disable use of virtual syscalls,
++ check that all boot entries in /boot/loader/entries/*.conf have vsyscall=none
++ included in its options.
++ Make sure /etc/zipl.conf doesn't contain
image = 
setting,
++ as {{{ full_name }}} adheres to Boot Loader Specification (BLS).
++ And run
zipl
command so that /boot/bootmap is updated.
++
++ To ensure that new kernels and boot entries continue to disable virtual syscalls,
++ add
vsyscall=none
to /etc/kernel/cmdline.
++
++rationale: |-
++ Poisoning writes an arbitrary value to freed pages, so any modification or
++ reference to that page after being freed or before being initialized will be
++ detected and prevented.
++ This prevents many types of use-after-free vulnerabilities at little performance cost.
++ Also prevents leak of data and detection of corrupted memory.
++
++severity: medium
++
++ocil_clause: 'vsyscalls are enabled'
++
++ocil: |-
++ To check that virtual syscalls are disabled at boot time, check all boot entries with following command:
++
sudo grep -L "^options\s+.*\bvsyscall=none\b" /boot/loader/entries/*.conf
++ No line should be returned, each line returned is a boot entry that doesn't disable virtual syscalls.
++
++ Check that no image file is specified in /etc/zipl.conf:
++
grep -R "^image\s*=" /etc/zipl.conf
++ No line should be returned, if a line is returned zipl may load a different kernel than intended.
++
++ And make sure that /boot/bootmap is newer than /boot/loader/entries/*.conf
++ and /etc/zipl.conf:
++
find /boot/loader/entries/*.conf /etc/zipl.conf -newer /boot/bootmap
++ No line should be returned, if a line is returned /boot/bootmap needs to be regenerated.
+
+From a45ba0eaa12de63abb43449c6caee4776100005c Mon Sep 17 00:00:00 2001
+From: Watson Sato
+Date: Tue, 2 Jun 2020 13:29:39 +0200
+Subject: [PATCH 4/5] Fix formatting of zIPL rules
+
+
 is renderend in a separate line, while  is rendered inline.
+Add line breaks for better readability.
+---
+ .../bootloader-zipl/zipl_audit_argument/rule.yml       | 10 +++++-----
+ .../zipl_audit_backlog_limit_argument/rule.yml         | 10 +++++-----
+ .../bootloader-zipl/zipl_enable_selinux/rule.yml       |  8 ++++----
+ .../bootloader-zipl/zipl_page_poison_argument/rule.yml | 10 +++++-----
+ .../system/bootloader-zipl/zipl_pti_argument/rule.yml  | 10 +++++-----
+ .../bootloader-zipl/zipl_slub_debug_argument/rule.yml  | 10 +++++-----
+ .../bootloader-zipl/zipl_vsyscall_argument/rule.yml    | 10 +++++-----
+ 7 files changed, 34 insertions(+), 34 deletions(-)
+
+diff --git a/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/rule.yml
+index ce2bd60c59..16c0b3f89a 100644
+--- a/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/rule.yml
++++ b/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/rule.yml
+@@ -7,13 +7,13 @@ title: 'Enable Auditing to Start Prior to the Audit Daemon in zIPL'
+ description: |-
+     To ensure all processes can be audited, even those which start prior to the audit daemon,
+     check that all boot entries in /boot/loader/entries/*.conf have audit=1
+-    included in its options.
+-    Make sure /etc/zipl.conf doesn't contain 
image = 
setting,
+- as {{{ full_name }}} adheres to Boot Loader Specification (BLS).
+- And run
zipl
command so that /boot/bootmap is updated.
++ included in its options.
++ Make sure /etc/zipl.conf doesn't contain image = setting,
++ as {{{ full_name }}} adheres to Boot Loader Specification (BLS).
++ And run zipl command so that /boot/bootmap is updated.

+
+ To ensure that new kernels and boot entries continue to enable audit,
+- add
audit=1
to /etc/kernel/cmdline.
++ add audit=1 to /etc/kernel/cmdline.
+
+ rationale: |-
+ Each process on the system carries an "auditable" flag which indicates whether
+diff --git a/linux_os/guide/system/bootloader-zipl/zipl_audit_backlog_limit_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_audit_backlog_limit_argument/rule.yml
+index 08c5b53207..47a532d50f 100644
+--- a/linux_os/guide/system/bootloader-zipl/zipl_audit_backlog_limit_argument/rule.yml
++++ b/linux_os/guide/system/bootloader-zipl/zipl_audit_backlog_limit_argument/rule.yml
+@@ -7,13 +7,13 @@ title: 'Extend Audit Backlog Limit for the Audit Daemon in zIPL'
+ description: |-
+ To improve the kernel capacity to queue all log events, even those which start prior to the audit daemon,
+ check that all boot entries in /boot/loader/entries/*.conf have audit_backlog_limit=8192
+- included in its options.
+- Make sure /etc/zipl.conf doesn't contain
image = 
setting,
+- as {{{ full_name }}} adheres to Boot Loader Specification (BLS).
+- And run
zipl
command so that /boot/bootmap is updated.
++ included in its options.
++ Make sure /etc/zipl.conf doesn't contain image = setting,
++ as {{{ full_name }}} adheres to Boot Loader Specification (BLS).
++ And run zipl command so that /boot/bootmap is updated.

+
+ To ensure that new kernels and boot entries continue to extend the audit log events queue,
+- add
audit_backlog_limit=8192
to /etc/kernel/cmdline.
++ add audit_backlog_limit=8192 to /etc/kernel/cmdline.
+
+ rationale: |-
+ audit_backlog_limit sets the queue length for audit events awaiting transfer
+diff --git a/linux_os/guide/system/bootloader-zipl/zipl_enable_selinux/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_enable_selinux/rule.yml
+index e7a455b90c..5aa91c16aa 100644
+--- a/linux_os/guide/system/bootloader-zipl/zipl_enable_selinux/rule.yml
++++ b/linux_os/guide/system/bootloader-zipl/zipl_enable_selinux/rule.yml
+@@ -7,10 +7,10 @@ title: 'Ensure SELinux Not Disabled in zIPL'
+ description: |-
+ To ensure SELinux is not disabled at boot time,
+ check that no boot entry in /boot/loader/entries/*.conf has selinux=0
+- included in its options.
+- Make sure /etc/zipl.conf doesn't contain
image = 
setting,
+- as {{{ full_name }}} adheres to Boot Loader Specification (BLS).
+- And run
zipl
command so that /boot/bootmap is updated.
++ included in its options.
++ Make sure /etc/zipl.conf doesn't contain image = setting,
++ as {{{ full_name }}} adheres to Boot Loader Specification (BLS).
++ And run zipl command so that /boot/bootmap is updated.

+
+ rationale: |-
+ Disabling a major host protection feature, such as SELinux, at boot time prevents
+diff --git a/linux_os/guide/system/bootloader-zipl/zipl_page_poison_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_page_poison_argument/rule.yml
+index b8a2eecee6..8546325752 100644
+--- a/linux_os/guide/system/bootloader-zipl/zipl_page_poison_argument/rule.yml
++++ b/linux_os/guide/system/bootloader-zipl/zipl_page_poison_argument/rule.yml
+@@ -7,13 +7,13 @@ title: 'Enable page allocator poisoning in zIPL'
+ description: |-
+ To enable poisoning of free pages,
+ check that all boot entries in /boot/loader/entries/*.conf have page_poison=1
+- included in its options.
+- Make sure /etc/zipl.conf doesn't contain
image = 
setting,
+- as {{{ full_name }}} adheres to Boot Loader Specification (BLS).
+- And run
zipl
command so that /boot/bootmap is updated.
++ included in its options.
++ Make sure /etc/zipl.conf doesn't contain image = setting,
++ as {{{ full_name }}} adheres to Boot Loader Specification (BLS).
++ And run zipl command so that /boot/bootmap is updated.
+
+ To ensure that new kernels and boot entries continue to enable page poisoning,
+- add
page_poison=1
to /etc/kernel/cmdline.
++ add page_poison=1 to /etc/kernel/cmdline.
+
+ rationale: |-
+ Poisoning writes an arbitrary value to freed pages, so any modification or
+diff --git a/linux_os/guide/system/bootloader-zipl/zipl_pti_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_pti_argument/rule.yml
+index 4757871a5f..eaef25ce40 100644
+--- a/linux_os/guide/system/bootloader-zipl/zipl_pti_argument/rule.yml
++++ b/linux_os/guide/system/bootloader-zipl/zipl_pti_argument/rule.yml
+@@ -7,13 +7,13 @@ title: 'Enable Kernel Page-Table Isolation (KPTI) in zIPL'
+ description: |-
+ To enable Kernel page-table isolation,
+ check that all boot entries in /boot/loader/entries/*.conf have pti=on
+- included in its options.
+- Make sure /etc/zipl.conf doesn't contain
image = 
setting,
+- as {{{ full_name }}} adheres to Boot Loader Specification (BLS).
+- And run
zipl
command so that /boot/bootmap is updated.
++ included in its options.
++ Make sure /etc/zipl.conf doesn't contain image = setting,
++ as {{{ full_name }}} adheres to Boot Loader Specification (BLS).
++ And run zipl command so that /boot/bootmap is updated.

+
+ To ensure that new kernels and boot entries continue to enable page-table isolation,
+- add
pti=on
to /etc/kernel/cmdline.
++ add pti=on to /etc/kernel/cmdline.
+
+ rationale: |-
+ Kernel page-table isolation is a kernel feature that mitigates
+diff --git a/linux_os/guide/system/bootloader-zipl/zipl_slub_debug_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_slub_debug_argument/rule.yml
+index 166dd41afd..68e91a92d6 100644
+--- a/linux_os/guide/system/bootloader-zipl/zipl_slub_debug_argument/rule.yml
++++ b/linux_os/guide/system/bootloader-zipl/zipl_slub_debug_argument/rule.yml
+@@ -7,13 +7,13 @@ title: 'Enable SLUB/SLAB allocator poisoning in zIPL'
+ description: |-
+ To enable poisoning of SLUB/SLAB objects,
+ check that all boot entries in /boot/loader/entries/*.conf have slub_debug=P
+- included in its options.
+- Make sure /etc/zipl.conf doesn't contain
image = 
setting,
+- as {{{ full_name }}} adheres to Boot Loader Specification (BLS).
+- And run
zipl
command so that /boot/bootmap is updated.
++ included in its options.
++ Make sure /etc/zipl.conf doesn't contain image = setting,
++ as {{{ full_name }}} adheres to Boot Loader Specification (BLS).
++ And run zipl command so that /boot/bootmap is updated.

+
+ To ensure that new kernels and boot entries continue to extend the audit log events queue,
+- add
slub_debug=P
to /etc/kernel/cmdline.
++ add slub_debug=P to /etc/kernel/cmdline.
+
+ rationale: |-
+ Poisoning writes an arbitrary value to freed objects, so any modification or
+diff --git a/linux_os/guide/system/bootloader-zipl/zipl_vsyscall_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_vsyscall_argument/rule.yml
+index 6b95d16fb8..8d39337f9e 100644
+--- a/linux_os/guide/system/bootloader-zipl/zipl_vsyscall_argument/rule.yml
++++ b/linux_os/guide/system/bootloader-zipl/zipl_vsyscall_argument/rule.yml
+@@ -7,13 +7,13 @@ title: 'Disable vsyscalls in zIPL'
+ description: |-
+ To disable use of virtual syscalls,
+ check that all boot entries in /boot/loader/entries/*.conf have vsyscall=none
+- included in its options.
+- Make sure /etc/zipl.conf doesn't contain
image = 
setting,
+- as {{{ full_name }}} adheres to Boot Loader Specification (BLS).
+- And run
zipl
command so that /boot/bootmap is updated.
++ included in its options.
++ Make sure /etc/zipl.conf doesn't contain image = setting,
++ as {{{ full_name }}} adheres to Boot Loader Specification (BLS).
++ And run zipl command so that /boot/bootmap is updated.

+
+ To ensure that new kernels and boot entries continue to disable virtual syscalls,
+- add
vsyscall=none
to /etc/kernel/cmdline.
++ add vsyscall=none to /etc/kernel/cmdline.
+
+ rationale: |-
+ Poisoning writes an arbitrary value to freed pages, so any modification or
+
+From ae8f9252c3c5c1d1ac1bed201e0981c0d50168aa Mon Sep 17 00:00:00 2001
+From: Watson Sato
+Date: Wed, 3 Jun 2020 13:08:07 +0200
+Subject: [PATCH 5/5] zipl_vsyscall_argument: Fix rationale
+
+copy-pasta error
+---
+ .../system/bootloader-zipl/zipl_vsyscall_argument/rule.yml | 7 ++-----
+ 1 file changed, 2 insertions(+), 5 deletions(-)
+
+diff --git a/linux_os/guide/system/bootloader-zipl/zipl_vsyscall_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_vsyscall_argument/rule.yml
+index 8d39337f9e..9624b43349 100644
+--- a/linux_os/guide/system/bootloader-zipl/zipl_vsyscall_argument/rule.yml
++++ b/linux_os/guide/system/bootloader-zipl/zipl_vsyscall_argument/rule.yml
+@@ -16,11 +16,8 @@ description: |-
+ add vsyscall=none to /etc/kernel/cmdline.
+
+ rationale: |-
+- Poisoning writes an arbitrary value to freed pages, so any modification or
+- reference to that page after being freed or before being initialized will be
+- detected and prevented.
+- This prevents many types of use-after-free vulnerabilities at little performance cost.
+- Also prevents leak of data and detection of corrupted memory.
++ Virtual Syscalls provide an opportunity of attack for a user who has control
++ of the return instruction pointer.
+
+ severity: medium
+
diff --git a/SOURCES/scap-security-guide-0.1.51-fix-rhel6-cpe-dictionary_PR_5928.patch b/SOURCES/scap-security-guide-0.1.51-fix-rhel6-cpe-dictionary_PR_5928.patch
new file mode 100644
index 0000000..58339fa
--- /dev/null
+++ b/SOURCES/scap-security-guide-0.1.51-fix-rhel6-cpe-dictionary_PR_5928.patch
@@ -0,0 +1,29 @@
+From c7d49a79cffdbfb2e1231077f665cbb940b50a98 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?=
+Date: Mon, 13 Jul 2020 17:52:35 +0200
+Subject: [PATCH] Fix SCAPVAL error SRC-15
+
+The CPE `cpe:/a:grub2` is used in `xccdf-1.2:platform` element
+in group `bootloader-grub2`, but this CPE isn't defined in the
+RHEL 6 CPE dictionary. All used CPEs should be defined in the
+dictionary.
+---
+ rhel6/cpe/rhel6-cpe-dictionary.xml | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/rhel6/cpe/rhel6-cpe-dictionary.xml b/rhel6/cpe/rhel6-cpe-dictionary.xml
+index bca8986f7a..1b696b88d3 100644
+--- a/rhel6/cpe/rhel6-cpe-dictionary.xml
++++ b/rhel6/cpe/rhel6-cpe-dictionary.xml
+@@ -47,6 +47,11 @@
+
+ installed_env_has_gdm_package
+
++
++ Package grub2 is installed
++
++ installed_env_has_grub2_package
++
+
+ Package libuser is installed
+
diff --git a/SOURCES/scap-security-guide-0.1.51-fix-zipl-cpe-dictionary_PR_5912.patch b/SOURCES/scap-security-guide-0.1.51-fix-zipl-cpe-dictionary_PR_5912.patch
new file mode 100644
index 0000000..1f77753
--- /dev/null
+++ b/SOURCES/scap-security-guide-0.1.51-fix-zipl-cpe-dictionary_PR_5912.patch
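Review bot: The `index bca8986f7a..1b696b88d3` line records that this patch was cut against the rhel6 dictionary as left by the PR 5912 patch that follows it (whose rhel6 hunk is `index 2c8a82ebc5..bca8986f7a`), so the spec's patch order needs to apply 5912 before 5928; the spec file is not part of this diff, so I cannot confirm it does. The hunk only touches the gdm/libuser region around line 47 and does not overlap the zipl item appended at the end of the file, so `patch` would still succeed in either order with an offset, but keeping the recorded order avoids fuzz and keeps `git apply --3way` well-defined. The new item gates the `bootloader-grub2` group on the `installed_env_has_grub2_package` OVAL check, which presumably evaluates to not-applicable on RHEL 6 hosts, so this is a datastream-validity fix rather than a change in scan results; worth confirming by re-running scapval (SRC-15) on the rebuilt rhel6 datastream.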
@@ -0,0 +1,250 @@
+From d1b9040748605416220e09feb56fc5a6b6402f1e Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?=
+Date: Tue, 7 Jul 2020 16:37:30 +0200
+Subject: [PATCH] Add zipl to CPE dictionaries in all Linux products
+
+The CPE platform `cpe:/a:zipl` has been set as a platform for XCCDF
+group `bootloader-zipl` but the definition of the CPE was missing from
+the CPE dictionary in some datastreams, for example fedora datastream.
+This triggered error SRC-15 in NIST scapval tool.
+---
+ debian10/cpe/debian10-cpe-dictionary.xml | 4 ++++
+ debian8/cpe/debian8-cpe-dictionary.xml | 4 ++++
+ debian9/cpe/debian9-cpe-dictionary.xml | 4 ++++
+ fedora/cpe/fedora-cpe-dictionary.xml | 4 ++++
+ ol7/cpe/ol7-cpe-dictionary.xml | 4 ++++
+ ol8/cpe/ol8-cpe-dictionary.xml | 4 ++++
+ opensuse/cpe/opensuse-cpe-dictionary.xml | 4 ++++
+ rhel6/cpe/rhel6-cpe-dictionary.xml | 4 ++++
+ rhel7/cpe/rhel7-cpe-dictionary.xml | 4 ++++
+ rhv4/cpe/rhv4-cpe-dictionary.xml | 4 ++++
+ sle11/cpe/sle11-cpe-dictionary.xml | 4 ++++
+ sle12/cpe/sle12-cpe-dictionary.xml | 4 ++++
+ ubuntu1404/cpe/ubuntu1404-cpe-dictionary.xml | 4 ++++
+ ubuntu1604/cpe/ubuntu1604-cpe-dictionary.xml | 4 ++++
+ ubuntu1804/cpe/ubuntu1804-cpe-dictionary.xml | 4 ++++
+ wrlinux1019/cpe/wrlinux1019-cpe-dictionary.xml | 4 ++++
+ wrlinux8/cpe/wrlinux8-cpe-dictionary.xml | 4 ++++
+ 19 files changed, 76 insertions(+)
+
+diff --git a/debian10/cpe/debian10-cpe-dictionary.xml b/debian10/cpe/debian10-cpe-dictionary.xml
+index f2dbd09cfc..ddb68c34bd 100644
+--- a/debian10/cpe/debian10-cpe-dictionary.xml
++++ b/debian10/cpe/debian10-cpe-dictionary.xml
+@@ -72,4 +72,8 @@
+
+ installed_env_has_yum_package
+
++
++ System uses zipl
++ installed_env_has_zipl_package
++
+
+diff --git a/debian8/cpe/debian8-cpe-dictionary.xml b/debian8/cpe/debian8-cpe-dictionary.xml
+index f385709052..24bbca69cd 100644
+--- a/debian8/cpe/debian8-cpe-dictionary.xml
++++ b/debian8/cpe/debian8-cpe-dictionary.xml
+@@ -72,4 +72,8 @@
+
+ 
installed_env_has_yum_package
+
++
++ System uses zipl
++ installed_env_has_zipl_package
++
+
+diff --git a/debian9/cpe/debian9-cpe-dictionary.xml b/debian9/cpe/debian9-cpe-dictionary.xml
+index bc90a12bae..d5595fd594 100644
+--- a/debian9/cpe/debian9-cpe-dictionary.xml
++++ b/debian9/cpe/debian9-cpe-dictionary.xml
+@@ -72,4 +72,8 @@
+
+ installed_env_has_yum_package
+
++
++ System uses zipl
++ installed_env_has_zipl_package
++
+
+diff --git a/fedora/cpe/fedora-cpe-dictionary.xml b/fedora/cpe/fedora-cpe-dictionary.xml
+index ff7cebc322..bef1337fc9 100644
+--- a/fedora/cpe/fedora-cpe-dictionary.xml
++++ b/fedora/cpe/fedora-cpe-dictionary.xml
+@@ -107,4 +107,8 @@
+
+ installed_env_has_yum_package
+
++
++ System uses zipl
++ installed_env_has_zipl_package
++
+
+diff --git a/ol7/cpe/ol7-cpe-dictionary.xml b/ol7/cpe/ol7-cpe-dictionary.xml
+index 613f853a6d..5d4691aaf6 100644
+--- a/ol7/cpe/ol7-cpe-dictionary.xml
++++ b/ol7/cpe/ol7-cpe-dictionary.xml
+@@ -72,4 +72,8 @@
+
+ installed_env_has_yum_package
+
++
++ System uses zipl
++ installed_env_has_zipl_package
++
+
+diff --git a/ol8/cpe/ol8-cpe-dictionary.xml b/ol8/cpe/ol8-cpe-dictionary.xml
+index 912fe01346..35167b1f70 100644
+--- a/ol8/cpe/ol8-cpe-dictionary.xml
++++ b/ol8/cpe/ol8-cpe-dictionary.xml
+@@ -67,4 +67,8 @@
+
+ installed_env_has_yum_package
+
++
++ System uses zipl
++ installed_env_has_zipl_package
++
+
+diff --git a/opensuse/cpe/opensuse-cpe-dictionary.xml b/opensuse/cpe/opensuse-cpe-dictionary.xml
+index 7f485b800e..6b95e46d3f 100644
+--- a/opensuse/cpe/opensuse-cpe-dictionary.xml
++++ b/opensuse/cpe/opensuse-cpe-dictionary.xml
+@@ -87,4 +87,8 @@
+
+ installed_env_has_yum_package
+
++
++ System uses zipl
++ installed_env_has_zipl_package
++
+
+diff --git a/rhel6/cpe/rhel6-cpe-dictionary.xml b/rhel6/cpe/rhel6-cpe-dictionary.xml
+index 2c8a82ebc5..bca8986f7a 100644
+--- a/rhel6/cpe/rhel6-cpe-dictionary.xml
++++ b/rhel6/cpe/rhel6-cpe-dictionary.xml
+@@ -87,4 +87,8 @@
+
+ installed_env_has_yum_package
+
++
++ 
System uses zipl
++ installed_env_has_zipl_package
++
+
+diff --git a/rhel7/cpe/rhel7-cpe-dictionary.xml b/rhel7/cpe/rhel7-cpe-dictionary.xml
+index f232b7ed29..bc2aa869e8 100644
+--- a/rhel7/cpe/rhel7-cpe-dictionary.xml
++++ b/rhel7/cpe/rhel7-cpe-dictionary.xml
+@@ -102,4 +102,8 @@
+
+ installed_env_has_yum_package
+
++
++ System uses zipl
++ installed_env_has_zipl_package
++
+
+diff --git a/rhv4/cpe/rhv4-cpe-dictionary.xml b/rhv4/cpe/rhv4-cpe-dictionary.xml
+index db1b4b239b..02450d6efc 100644
+--- a/rhv4/cpe/rhv4-cpe-dictionary.xml
++++ b/rhv4/cpe/rhv4-cpe-dictionary.xml
+@@ -72,4 +72,8 @@
+
+ installed_env_has_yum_package
+
++
++ System uses zipl
++ installed_env_has_zipl_package
++
+
+diff --git a/sle11/cpe/sle11-cpe-dictionary.xml b/sle11/cpe/sle11-cpe-dictionary.xml
+index 1b6b3e2518..b7cb4e1fd5 100644
+--- a/sle11/cpe/sle11-cpe-dictionary.xml
++++ b/sle11/cpe/sle11-cpe-dictionary.xml
+@@ -77,4 +77,8 @@
+
+ installed_env_has_yum_package
+
++
++ System uses zipl
++ installed_env_has_zipl_package
++
+
+diff --git a/sle12/cpe/sle12-cpe-dictionary.xml b/sle12/cpe/sle12-cpe-dictionary.xml
+index b1b66e1294..73cddd7740 100644
+--- a/sle12/cpe/sle12-cpe-dictionary.xml
++++ b/sle12/cpe/sle12-cpe-dictionary.xml
+@@ -77,4 +77,8 @@
+
+ installed_env_has_yum_package
+
++
++ System uses zipl
++ installed_env_has_zipl_package
++
+
+diff --git a/ubuntu1404/cpe/ubuntu1404-cpe-dictionary.xml b/ubuntu1404/cpe/ubuntu1404-cpe-dictionary.xml
+index 7f3ce4271b..3f5447741b 100644
+--- a/ubuntu1404/cpe/ubuntu1404-cpe-dictionary.xml
++++ b/ubuntu1404/cpe/ubuntu1404-cpe-dictionary.xml
+@@ -72,4 +72,8 @@
+
+ installed_env_has_yum_package
+
++
++ System uses zipl
++ installed_env_has_zipl_package
++
+
+diff --git a/ubuntu1604/cpe/ubuntu1604-cpe-dictionary.xml b/ubuntu1604/cpe/ubuntu1604-cpe-dictionary.xml
+index 83f0c8c516..e3e842842b 100644
+--- a/ubuntu1604/cpe/ubuntu1604-cpe-dictionary.xml
++++ b/ubuntu1604/cpe/ubuntu1604-cpe-dictionary.xml
+@@ -72,4 +72,8 @@
+
+ 
installed_env_has_yum_package
+
++
++ System uses zipl
++ installed_env_has_zipl_package
++
+
+diff --git a/ubuntu1804/cpe/ubuntu1804-cpe-dictionary.xml b/ubuntu1804/cpe/ubuntu1804-cpe-dictionary.xml
+index 77b78d74ec..897673c6f5 100644
+--- a/ubuntu1804/cpe/ubuntu1804-cpe-dictionary.xml
++++ b/ubuntu1804/cpe/ubuntu1804-cpe-dictionary.xml
+@@ -72,4 +72,8 @@
+
+ installed_env_has_yum_package
+
++
++ System uses zipl
++ installed_env_has_zipl_package
++
+
+diff --git a/wrlinux1019/cpe/wrlinux1019-cpe-dictionary.xml b/wrlinux1019/cpe/wrlinux1019-cpe-dictionary.xml
+index cc4e806a4d..ef7e803505 100644
+--- a/wrlinux1019/cpe/wrlinux1019-cpe-dictionary.xml
++++ b/wrlinux1019/cpe/wrlinux1019-cpe-dictionary.xml
+@@ -71,4 +71,8 @@
+
+ installed_env_has_yum_package
+
++
++ System uses zipl
++ installed_env_has_zipl_package
++
+
+diff --git a/wrlinux8/cpe/wrlinux8-cpe-dictionary.xml b/wrlinux8/cpe/wrlinux8-cpe-dictionary.xml
+index 824c575a6a..7184ebfd0b 100644
+--- a/wrlinux8/cpe/wrlinux8-cpe-dictionary.xml
++++ b/wrlinux8/cpe/wrlinux8-cpe-dictionary.xml
+@@ -71,4 +71,8 @@
+
+ installed_env_has_yum_package
+
++
++ System uses zipl
++ installed_env_has_zipl_package
++
+
diff --git a/SOURCES/scap-security-guide-0.1.52-add-grub2-platform-to-more-rules_PR_5952.patch b/SOURCES/scap-security-guide-0.1.52-add-grub2-platform-to-more-rules_PR_5952.patch
new file mode 100644
index 0000000..398abcc
--- /dev/null
+++ b/SOURCES/scap-security-guide-0.1.52-add-grub2-platform-to-more-rules_PR_5952.patch
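Review bot: The diffstat `19 files changed, 76 insertions(+)` does not match the body, which carries 17 file hunks of 4 added lines each (68 insertions); two hunks of the upstream commit were apparently dropped when the patch was trimmed for the 0.1.50 base. `patch` and `git apply` ignore the diffstat, so the patch still applies, but the header should be regenerated or edited to `17 files changed, 68 insertions(+)` so the record of what was actually backported is accurate. Each added item maps the `cpe:/a:zipl` platform to the `installed_env_has_zipl_package` OVAL check; the dictionary entry itself carries no evaluation logic, so whether the `bootloader-zipl` group becomes applicable on a given product depends entirely on how that shared OVAL check behaves there, which is not visible in this patch.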
@@ -0,0 +1,88 @@ +From d455dc468ef51dd595ce6184f1d31ebf4c20ab9c Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Wed, 22 Jul 2020 09:52:50 +0200 +Subject: [PATCH] Add grub2 platform to grub2 kernel option rules + +This will make sure these rules are applicable only when grub2 +(grub2-pc) is installed. +--- + linux_os/guide/system/auditing/grub2_audit_argument/rule.yml | 2 ++ + .../system/auditing/grub2_audit_backlog_limit_argument/rule.yml | 2 +- + .../system/permissions/mounting/grub2_nousb_argument/rule.yml | 2 ++ + .../guide/system/permissions/restrictions/poisoning/group.yml | 2 ++ + .../restrictions/poisoning/grub2_page_poison_argument/rule.yml | 2 +- + .../restrictions/poisoning/grub2_slub_debug_argument/rule.yml | 2 +- + 7 files changed, 11 insertions(+), 3 deletions(-) + +diff --git a/linux_os/guide/system/auditing/grub2_audit_argument/rule.yml b/linux_os/guide/system/auditing/grub2_audit_argument/rule.yml +index 00cb7f9b6c..5f3a47a776 100644 +--- a/linux_os/guide/system/auditing/grub2_audit_argument/rule.yml ++++ b/linux_os/guide/system/auditing/grub2_audit_argument/rule.yml +@@ -102,6 +102,8 @@ warnings: + {{% endif %}} + + ++platform: grub2 ++ + template: + name: grub2_bootloader_argument + vars: +diff --git a/linux_os/guide/system/auditing/grub2_audit_backlog_limit_argument/rule.yml b/linux_os/guide/system/auditing/grub2_audit_backlog_limit_argument/rule.yml +index 6cab6f7bfe..aa95957b58 100644 +--- a/linux_os/guide/system/auditing/grub2_audit_backlog_limit_argument/rule.yml ++++ b/linux_os/guide/system/auditing/grub2_audit_backlog_limit_argument/rule.yml +@@ -60,7 +60,7 @@ warnings: + {{% endif %}} + + +-platform: machine ++platform: grub2 + + template: + name: grub2_bootloader_argument +diff --git a/linux_os/guide/system/permissions/mounting/grub2_nousb_argument/rule.yml b/linux_os/guide/system/permissions/mounting/grub2_nousb_argument/rule.yml +index a3c1f48231..407ba2c069 100644 +--- 
a/linux_os/guide/system/permissions/mounting/grub2_nousb_argument/rule.yml ++++ b/linux_os/guide/system/permissions/mounting/grub2_nousb_argument/rule.yml +@@ -37,3 +37,5 @@ warnings: + Disabling all kernel support for USB will cause problems for systems + with USB-based keyboards, mice, or printers. This configuration is + infeasible for systems which require USB devices, which is common. ++ ++platform: grub2 +diff --git a/linux_os/guide/system/permissions/restrictions/poisoning/group.yml b/linux_os/guide/system/permissions/restrictions/poisoning/group.yml +index 6a7a370f2b..030a3e9918 100644 +--- a/linux_os/guide/system/permissions/restrictions/poisoning/group.yml ++++ b/linux_os/guide/system/permissions/restrictions/poisoning/group.yml +@@ -6,3 +6,5 @@ description: |- + Memory Poisoning consists of writing a special value to uninitialized or freed memory. + Poisoning can be used as a mechanism to prevent leak of information and detection of + corrupted memory. ++ ++platform: machine +diff --git a/linux_os/guide/system/permissions/restrictions/poisoning/grub2_page_poison_argument/rule.yml b/linux_os/guide/system/permissions/restrictions/poisoning/grub2_page_poison_argument/rule.yml +index e3047ef223..2d97ec75ea 100644 +--- a/linux_os/guide/system/permissions/restrictions/poisoning/grub2_page_poison_argument/rule.yml ++++ b/linux_os/guide/system/permissions/restrictions/poisoning/grub2_page_poison_argument/rule.yml +@@ -60,7 +60,7 @@ warnings: + {{% endif %}} + + +-platform: machine ++platform: grub2 + + template: + name: grub2_bootloader_argument +diff --git a/linux_os/guide/system/permissions/restrictions/poisoning/grub2_slub_debug_argument/rule.yml b/linux_os/guide/system/permissions/restrictions/poisoning/grub2_slub_debug_argument/rule.yml +index 024c93f18b..39ca33b77a 100644 +--- a/linux_os/guide/system/permissions/restrictions/poisoning/grub2_slub_debug_argument/rule.yml ++++ 
b/linux_os/guide/system/permissions/restrictions/poisoning/grub2_slub_debug_argument/rule.yml +@@ -60,7 +60,7 @@ warnings: + {{% endif %}} + + +-platform: machine ++platform: grub2 + + template: + name: grub2_bootloader_argument diff --git a/SOURCES/scap-security-guide-0.1.52-add-zipl-boot-options-template_PR_5908.patch b/SOURCES/scap-security-guide-0.1.52-add-zipl-boot-options-template_PR_5908.patch new file mode 100644 index 0000000..3e89401 --- /dev/null +++ b/SOURCES/scap-security-guide-0.1.52-add-zipl-boot-options-template_PR_5908.patch 
@@ -0,0 +1,954 @@ +From f37e40e3de5ff493c60c61a054026dabf7b79032 Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Wed, 1 Jul 2020 16:12:35 +0200 +Subject: [PATCH 01/18] Kickstart zipl_bls_entries_option template + +Create initial version of zIPL specific BLS entries +template by copying bls_entries_option template. +--- + .../template_OVAL_zipl_bls_entries_option | 32 +++++++++++++++++++ + ssg/templates.py | 5 +++ + 2 files changed, 37 insertions(+) + create mode 100644 shared/templates/template_OVAL_zipl_bls_entries_option + +diff --git a/shared/templates/template_OVAL_zipl_bls_entries_option b/shared/templates/template_OVAL_zipl_bls_entries_option +new file mode 100644 +index 0000000000..a19bd5a89c +--- /dev/null ++++ b/shared/templates/template_OVAL_zipl_bls_entries_option +@@ -0,0 +1,32 @@ ++ ++ ++ ++ Ensure that BLS-compatible boot loader is configured to run Linux operating system with argument {{{ ARG_NAME_VALUE }}} ++ {{{- oval_affected(products) }}} ++ Ensure {{{ ARG_NAME_VALUE }}} option is configured in the 'options' line in /boot/loader/entries/*.conf. ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ^/boot/loader/entries/.*\.conf$ ++ ^options (.*)$ ++ 1 ++ ++ ++ ++ ^(?:.*\s)?{{{ ESCAPED_ARG_NAME_VALUE }}}(?:\s.*)?$ ++ ++ +diff --git a/ssg/templates.py b/ssg/templates.py +index 2795267abd..fc09416abe 100644 +--- a/ssg/templates.py ++++ b/ssg/templates.py +@@ -340,6 +340,22 @@ def bls_entries_option(data, lang): + return data + + ++@template(["oval"]) ++def bls_entries_option(data, lang): ++ data["arg_name_value"] = data["arg_name"] + "=" + data["arg_value"] ++ if lang == "oval": ++ # escape dot, this is used in oval regex ++ data["escaped_arg_name_value"] = data["arg_name_value"].replace(".", "\\.") ++ # replace . 
with _, this is used in test / object / state ids ++ data["sanitized_arg_name"] = data["arg_name"].replace(".", "_") ++ return data ++ ++ ++@template(["oval"]) ++def zipl_bls_entries_option(data, lang): ++ return bls_entries_option(data, lang) ++ ++ + class Builder(object): + """ + Class for building all templated content for a given product. + +From f54c3c974b6a3ce6d40533a51f867d2e8985b688 Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Thu, 9 Jul 2020 14:11:04 +0200 +Subject: [PATCH 02/18] zipl_bls_entries_option: check opts after install + +Extend zipl_bls_entries_option template to check that the kernel option +is also configure in /etc/kernel/cmdline. +The presence of the argument in /etc/kernel/cmdline ensures that newly +installed kernels will be configure if the option. +--- + .../template_OVAL_zipl_bls_entries_option | 19 +++++++++++++++++-- + 1 file changed, 17 insertions(+), 2 deletions(-) + +diff --git a/shared/templates/template_OVAL_zipl_bls_entries_option b/shared/templates/template_OVAL_zipl_bls_entries_option +index a19bd5a89c..9af1bcfbee 100644 +--- a/shared/templates/template_OVAL_zipl_bls_entries_option ++++ b/shared/templates/template_OVAL_zipl_bls_entries_option +@@ -6,8 +6,10 @@ + Ensure {{{ ARG_NAME_VALUE }}} option is configured in the 'options' line in /boot/loader/entries/*.conf. 
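Review bot: A second module-level `bls_entries_option` is defined directly below the existing one (whose `return data` is the hunk's leading context), so at import time the later definition silently replaces the earlier name and, if `@template` keys its registry by function name, re-registers it for `oval` only; the diffstat's `ssg/templates.py | 5 +++` suggests the intended change was only the `zipl_bls_entries_option` wrapper. If the dot-escaping logic is new, fold it into the existing function instead of redefining it; if it duplicates what the existing function already does, drop the duplicate and keep just `@template(["oval"])` / `def zipl_bls_entries_option(data, lang):` / `return bls_entries_option(data, lang)`. Note also that `replace(".", "\\.")` escapes only dots, so any other regex metacharacter in `arg_value` reaches the OVAL pattern unescaped; a comment such as `# arg_name/arg_value are expected to be plain tokens; only '.' is escaped for the OVAL regex` would make that assumption explicit. The body of the existing `bls_entries_option` starts outside the hunk.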
+ + +- ++ ++ + + + +@@ -25,6 +27,19 @@ + 1 + + ++ ++ ++ ++ ++ ++ /etc/kernel/cmdline ++ ^(.*)$ ++ 1 ++ ++ + + ^(?:.*\s)?{{{ ESCAPED_ARG_NAME_VALUE }}}(?:\s.*)?$ + +From 5b66eff84794b99a4ba7a626c46f1970715b1bcd Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Thu, 9 Jul 2020 14:12:32 +0200 +Subject: [PATCH 03/18] zipl_bls_entries_option: Add Ansible and Bash + +--- + .../template_ANSIBLE_zipl_bls_entries_option | 48 +++++++++++++++++++ + .../template_BASH_zipl_bls_entries_option | 12 +++++ + ssg/templates.py | 2 +- + 3 files changed, 61 insertions(+), 1 deletion(-) + create mode 100644 shared/templates/template_ANSIBLE_zipl_bls_entries_option + create mode 100644 shared/templates/template_BASH_zipl_bls_entries_option + +diff --git a/shared/templates/template_ANSIBLE_zipl_bls_entries_option b/shared/templates/template_ANSIBLE_zipl_bls_entries_option +new file mode 100644 +index 0000000000..c0cb131b82 +--- /dev/null ++++ b/shared/templates/template_ANSIBLE_zipl_bls_entries_option +@@ -0,0 +1,48 @@ ++# platform = Red Hat Enterprise Linux 8 ++# reboot = true ++# strategy = configure ++# complexity = medium ++# disruption = low ++ ++- name: "Ensure BLS boot entries options contain {{{ ARG_NAME_VALUE }}}" ++ block: ++ - name: "Check if any boot entry misses {{{ ARG_NAME_VALUE }}}" ++ find: ++ paths: "/boot/loader/entries/" ++ contains: "^options .*{{{ ARG_NAME_VALUE }}}.*$" ++ patterns: "*.conf" ++ register: entries_options ++ ++ - name: "Update boot entries options" ++ command: grubby --update-kernel=ALL --args="{{{ ARG_NAME_VALUE }}}" ++ when: entries_options is defined and entries_options.examined != entries_options.matched ++ # The conditional above assumes that only *.conf files are present in /boot/loader/entries ++ # Then, the number of conf files is the same as examined files ++ ++ - name: "Check if /etc/kernel/cmdline exists" ++ stat: ++ path: /etc/kernel/cmdline ++ register: cmdline_stat ++ ++ - name: "Check if /etc/kernel/cmdline contains {{{ ARG_NAME_VALUE 
}}}" ++ find: ++ paths: "/etc/kernel/" ++ patterns: "cmdline" ++ contains: "^.*{{{ ARG_NAME_VALUE }}}.*$" ++ register: cmdline_find ++ ++ - name: "Add /etc/kernel/cmdline contains {{{ ARG_NAME_VALUE }}}" ++ lineinfile: ++ create: yes ++ path: "/etc/kernel/cmdline" ++ line: '{{{ ARG_NAME_VALUE }}}' ++ when: cmdline_stat is defined and not cmdline_stat.stat.exists ++ ++ - name: "Append /etc/kernel/cmdline contains {{{ ARG_NAME_VALUE }}}" ++ lineinfile: ++ path: "/etc/kernel/cmdline" ++ backrefs: yes ++ regexp: "^(.*)$" ++ line: '\1 {{{ ARG_NAME_VALUE }}}' ++ when: cmdline_stat is defined and cmdline_stat.stat.exists and cmdline_find is defined and cmdline_find.matched == 0 ++ +diff --git a/shared/templates/template_BASH_zipl_bls_entries_option b/shared/templates/template_BASH_zipl_bls_entries_option +new file mode 100644 +index 0000000000..9fc8865486 +--- /dev/null ++++ b/shared/templates/template_BASH_zipl_bls_entries_option +@@ -0,0 +1,12 @@ ++# platform = Red Hat Enterprise Linux 8 ++ ++# Correct BLS option using grubby, which is a thin wrapper around BLS operations ++grubby --update-kernel=ALL --args="{{{ ARG_NAME_VALUE }}}" ++ ++# Ensure new kernels and boot entries retain the boot option ++if [ ! -f /etc/kernel/cmdline ]; then ++ echo "{{{ ARG_NAME_VALUE }}}" >> /etc/kernel/cmdline ++elif ! 
grep -q '^(.*\s)?{{{ ARG_NAME_VALUE }}}(\s.*)?$' /etc/kernel/cmdline; then ++ echo " audit=1" >> /etc/kernel/cmdline ++ sed -Ei 's/^(.*)$/\1 audit=1/' /etc/kernel/cmdline ++fi +diff --git a/ssg/templates.py b/ssg/templates.py +index fc09416abe..a27fbb6cb6 100644 +--- a/ssg/templates.py ++++ b/ssg/templates.py +@@ -340,7 +340,7 @@ def bls_entries_option(data, lang): + return data + + +-@template(["oval"]) ++@template(["ansible", "bash", "oval"]) + def zipl_bls_entries_option(data, lang): + return bls_entries_option(data, lang) + + +From fd2d807f60a4a36ad96f5ac37df9b4651fe3480e Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Fri, 3 Jul 2020 15:50:56 +0200 +Subject: [PATCH 04/18] Enable zIPL in argument rules + +--- + .../system/bootloader-zipl/zipl_audit_argument/rule.yml | 6 ++++++ + .../zipl_audit_backlog_limit_argument/rule.yml | 6 ++++++ + .../bootloader-zipl/zipl_page_poison_argument/rule.yml | 6 ++++++ + .../guide/system/bootloader-zipl/zipl_pti_argument/rule.yml | 6 ++++++ + .../bootloader-zipl/zipl_slub_debug_argument/rule.yml | 6 ++++++ + .../system/bootloader-zipl/zipl_vsyscall_argument/rule.yml | 6 ++++++ + 6 files changed, 36 insertions(+) + +diff --git a/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/rule.yml +index 624b4e7041..894bf7995f 100644 +--- a/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/rule.yml ++++ b/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/rule.yml +@@ -28,3 +28,9 @@ ocil: |- + No line should be returned, each line returned is a boot entry that doesn't enable audit. 
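Review bot: The `grep -q '^(.*\s)?{{{ ARG_NAME_VALUE }}}(\s.*)?$'` on the `elif` line runs in basic-regex mode, where `(`, `)` and `?` are literal characters, so the pattern never matches an ordinary `/etc/kernel/cmdline` and the `sed` append runs on every invocation, adding the argument again each time the remediation is applied. Switch to extended mode (and prefer the POSIX class over the GNU-only `\s`): `elif ! grep -qE '^(.*[[:space:]])?{{{ ARG_NAME_VALUE }}}([[:space:]].*)?$' /etc/kernel/cmdline; then`. The same BRE pattern is copied into `correct_option.pass.sh` and `missing_in_entry.fail.sh` in patch 12 and survives the patch 13 hunk that touches this file, so those three places need the same change. The hardcoded `audit=1` lines are already removed by patch 13 and need no further comment.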
+ + platform: machine ++ ++template: ++ name: zipl_bls_entries_option ++ vars: ++ arg_name: audit ++ arg_value: '1' +diff --git a/linux_os/guide/system/bootloader-zipl/zipl_audit_backlog_limit_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_audit_backlog_limit_argument/rule.yml +index faf114591a..12334c9905 100644 +--- a/linux_os/guide/system/bootloader-zipl/zipl_audit_backlog_limit_argument/rule.yml ++++ b/linux_os/guide/system/bootloader-zipl/zipl_audit_backlog_limit_argument/rule.yml +@@ -28,3 +28,9 @@ ocil: |- + No line should be returned, each line returned is a boot entry that does not extend the log events queue. + + platform: machine ++ ++template: ++ name: zipl_bls_entries_option ++ vars: ++ arg_name: audit_backlog_limit ++ arg_value: '8192' +diff --git a/linux_os/guide/system/bootloader-zipl/zipl_page_poison_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_page_poison_argument/rule.yml +index 866664c01b..f5a36ee1b3 100644 +--- a/linux_os/guide/system/bootloader-zipl/zipl_page_poison_argument/rule.yml ++++ b/linux_os/guide/system/bootloader-zipl/zipl_page_poison_argument/rule.yml +@@ -28,3 +28,9 @@ ocil: |- + No line should be returned, each line returned is a boot entry that doesn't enable page poisoning. + + platform: machine ++ ++template: ++ name: zipl_bls_entries_option ++ vars: ++ arg_name: page_poison ++ arg_value: '1' +diff --git a/linux_os/guide/system/bootloader-zipl/zipl_pti_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_pti_argument/rule.yml +index 2f02d9668c..168dae46a1 100644 +--- a/linux_os/guide/system/bootloader-zipl/zipl_pti_argument/rule.yml ++++ b/linux_os/guide/system/bootloader-zipl/zipl_pti_argument/rule.yml +@@ -27,3 +27,9 @@ ocil: |- + No line should be returned, each line returned is a boot entry that doesn't enable page-table isolation . 
+ + platform: machine ++ ++template: ++ name: zipl_bls_entries_option ++ vars: ++ arg_name: pti ++ arg_value: 'on' +diff --git a/linux_os/guide/system/bootloader-zipl/zipl_slub_debug_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_slub_debug_argument/rule.yml +index 0cb10d3cd8..84a374e36f 100644 +--- a/linux_os/guide/system/bootloader-zipl/zipl_slub_debug_argument/rule.yml ++++ b/linux_os/guide/system/bootloader-zipl/zipl_slub_debug_argument/rule.yml +@@ -28,3 +28,9 @@ ocil: |- + No line should be returned, each line returned is a boot entry that does not enable poisoning. + + platform: machine ++ ++template: ++ name: zipl_bls_entries_option ++ vars: ++ arg_name: slub_debug ++ arg_value: 'P' +diff --git a/linux_os/guide/system/bootloader-zipl/zipl_vsyscall_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_vsyscall_argument/rule.yml +index f79adeb083..c37e8bbefd 100644 +--- a/linux_os/guide/system/bootloader-zipl/zipl_vsyscall_argument/rule.yml ++++ b/linux_os/guide/system/bootloader-zipl/zipl_vsyscall_argument/rule.yml +@@ -25,3 +25,9 @@ ocil: |- + No line should be returned, each line returned is a boot entry that doesn't disable virtual syscalls. 
+ + platform: machine ++ ++template: ++ name: zipl_bls_entries_option ++ vars: ++ arg_name: vsyscall ++ arg_value: 'none' + +From 08db1a1d4bb3362195c34e266feb9bac31ba4be8 Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Sat, 4 Jul 2020 01:15:49 +0200 +Subject: [PATCH 05/18] zipl_audit_backlog_limit_argument: Fix OCIL typo + +Fix typo +--- + .../bootloader-zipl/zipl_audit_backlog_limit_argument/rule.yml | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/linux_os/guide/system/bootloader-zipl/zipl_audit_backlog_limit_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_audit_backlog_limit_argument/rule.yml +index 12334c9905..15729dc6b6 100644 +--- a/linux_os/guide/system/bootloader-zipl/zipl_audit_backlog_limit_argument/rule.yml ++++ b/linux_os/guide/system/bootloader-zipl/zipl_audit_backlog_limit_argument/rule.yml +@@ -24,7 +24,7 @@ ocil_clause: 'audit backlog limit is not configured' + ocil: |- + To check that all boot entries extend the backlog limit; + Check that all boot entries extend the log events queue: +-
sudo grep -L "^options\s+.*\baudit_backlog_limit=0\b" /boot/loader/entries/*.conf
++
sudo grep -L "^options\s+.*\baudit_backlog_limit=8192\b" /boot/loader/entries/*.conf
+ No line should be returned, each line returned is a boot entry that does not extend the log events queue. + + platform: machine + +From 779506348675557e204e1d88f214833b313c0f20 Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Thu, 9 Jul 2020 12:00:10 +0200 +Subject: [PATCH 06/18] zipl_slub_debug_argument: Fix description + +Description about how to ensure that new boot entries continue compliant +was incorrect due to copy-pasta mistake. +--- + .../system/bootloader-zipl/zipl_slub_debug_argument/rule.yml | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/linux_os/guide/system/bootloader-zipl/zipl_slub_debug_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_slub_debug_argument/rule.yml +index 84a374e36f..83e043179d 100644 +--- a/linux_os/guide/system/bootloader-zipl/zipl_slub_debug_argument/rule.yml ++++ b/linux_os/guide/system/bootloader-zipl/zipl_slub_debug_argument/rule.yml +@@ -8,7 +8,7 @@ description: |- + To enable poisoning of SLUB/SLAB objects, + check that all boot entries in /boot/loader/entries/*.conf have slub_debug=P + included in its options.
+- To ensure that new kernels and boot entries continue to extend the audit log events queue, ++ To ensure that new kernels and boot entries continue to enable poisoning of SLUB/SLAB objects, + add slub_debug=P to /etc/kernel/cmdline. + + rationale: |- + +From 6a3f2f6bdc13188e780f0f3e4f829f6fa79351b2 Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Thu, 9 Jul 2020 12:06:56 +0200 +Subject: [PATCH 07/18] Add CCEs to zIPL argument rules + +--- + .../system/bootloader-zipl/zipl_audit_argument/rule.yml | 3 +++ + .../zipl_audit_backlog_limit_argument/rule.yml | 3 +++ + .../bootloader-zipl/zipl_page_poison_argument/rule.yml | 3 +++ + .../guide/system/bootloader-zipl/zipl_pti_argument/rule.yml | 3 +++ + .../bootloader-zipl/zipl_slub_debug_argument/rule.yml | 3 +++ + .../system/bootloader-zipl/zipl_vsyscall_argument/rule.yml | 3 +++ + 7 files changed, 18 insertions(+), 6 deletions(-) + +diff --git a/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/rule.yml +index 894bf7995f..b1307ef3f2 100644 +--- a/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/rule.yml ++++ b/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/rule.yml +@@ -20,6 +20,9 @@ rationale: |- + + severity: medium + ++identifiers: ++ cce@rhel8: 83321-0 ++ + ocil_clause: 'auditing is not enabled at boot time' + + ocil: |- +diff --git a/linux_os/guide/system/bootloader-zipl/zipl_audit_backlog_limit_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_audit_backlog_limit_argument/rule.yml +index 15729dc6b6..18391bee6c 100644 +--- a/linux_os/guide/system/bootloader-zipl/zipl_audit_backlog_limit_argument/rule.yml ++++ b/linux_os/guide/system/bootloader-zipl/zipl_audit_backlog_limit_argument/rule.yml +@@ -19,6 +19,9 @@ rationale: |- + + severity: medium + ++identifiers: ++ cce@rhel8: 83341-8 ++ + ocil_clause: 'audit backlog limit is not configured' + + ocil: |- +diff --git 
a/linux_os/guide/system/bootloader-zipl/zipl_page_poison_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_page_poison_argument/rule.yml +index f5a36ee1b3..7ffea8ce6a 100644 +--- a/linux_os/guide/system/bootloader-zipl/zipl_page_poison_argument/rule.yml ++++ b/linux_os/guide/system/bootloader-zipl/zipl_page_poison_argument/rule.yml +@@ -20,6 +20,9 @@ rationale: |- + + severity: medium + ++identifiers: ++ cce@rhel8: 83351-7 ++ + ocil_clause: 'page allocator poisoning is not enabled' + + ocil: |- +diff --git a/linux_os/guide/system/bootloader-zipl/zipl_pti_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_pti_argument/rule.yml +index 168dae46a1..6fd1082292 100644 +--- a/linux_os/guide/system/bootloader-zipl/zipl_pti_argument/rule.yml ++++ b/linux_os/guide/system/bootloader-zipl/zipl_pti_argument/rule.yml +@@ -19,6 +19,9 @@ rationale: |- + + severity: medium + ++identifiers: ++ cce@rhel8: 83361-6 ++ + ocil_clause: 'Kernel page-table isolation is not enabled' + + ocil: |- +diff --git a/linux_os/guide/system/bootloader-zipl/zipl_slub_debug_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_slub_debug_argument/rule.yml +index 83e043179d..c499140c35 100644 +--- a/linux_os/guide/system/bootloader-zipl/zipl_slub_debug_argument/rule.yml ++++ b/linux_os/guide/system/bootloader-zipl/zipl_slub_debug_argument/rule.yml +@@ -20,6 +20,9 @@ rationale: |- + + severity: medium + ++identifiers: ++ cce@rhel8: 83371-5 ++ + ocil_clause: 'SLUB/SLAB poisoning is not enabled' + + ocil: |- +diff --git a/linux_os/guide/system/bootloader-zipl/zipl_vsyscall_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_vsyscall_argument/rule.yml +index c37e8bbefd..7edd43074f 100644 +--- a/linux_os/guide/system/bootloader-zipl/zipl_vsyscall_argument/rule.yml ++++ b/linux_os/guide/system/bootloader-zipl/zipl_vsyscall_argument/rule.yml +@@ -17,6 +17,9 @@ rationale: |- + + severity: medium + ++identifiers: ++ cce@rhel8: 83381-4 ++ + ocil_clause: 'vsyscalls are 
enabled' + + ocil: |- + +From a7c33132a8d5f8cdf9c0d5f38b4910376ff1330b Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Thu, 9 Jul 2020 14:36:28 +0200 +Subject: [PATCH 08/18] Select zipl BLS option rules in OSPP Profile + +These rules check and ensure configuration of BLS boot options used by +zIPL. +--- + rhel8/profiles/ospp.profile | 8 ++++++++ + rhel8/profiles/stig.profile | 6 ++++++ + 2 files changed, 14 insertions(+) + +diff --git a/rhel8/profiles/ospp.profile b/rhel8/profiles/ospp.profile +index 80e4b71fff..d3732fa805 100644 +--- a/rhel8/profiles/ospp.profile ++++ b/rhel8/profiles/ospp.profile +@@ -419,3 +419,11 @@ selections: + # zIPl specific rules + - zipl_bls_entries_only + - zipl_bootmap_is_up_to_date ++ - zipl_audit_argument ++ - zipl_audit_backlog_limit_argument ++ - zipl_slub_debug_argument ++ - zipl_page_poison_argument ++ - zipl_vsyscall_argument ++ - zipl_vsyscall_argument.role=unscored ++ - zipl_vsyscall_argument.severity=info ++ - zipl_pti_argument +diff --git a/rhel8/profiles/stig.profile b/rhel8/profiles/stig.profile +index cfc2160be1..69d5222a32 100644 +--- a/rhel8/profiles/stig.profile ++++ b/rhel8/profiles/stig.profile +@@ -49,3 +49,9 @@ selections: + # Unselect zIPL rules from OSPP + - "!zipl_bls_entries_only" + - "!zipl_bootmap_is_up_to_date" ++ - "!zipl_audit_argument" ++ - "!zipl_audit_backlog_limit_argument" ++ - "!zipl_page_poison_argument" ++ - "!zipl_pti_argument" ++ - "!zipl_slub_debug_argument" ++ - "!zipl_vsyscall_argument" + +From be070d56abed9efc9244b6c989d0a0df1f78b5ff Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Thu, 9 Jul 2020 22:30:25 +0200 +Subject: [PATCH 09/18] Extend Profile resolution to undo rule refinements + +Just like rule selection, allows rule refinements to be unselected, or "undone". 
+--- + build-scripts/compile_profiles.py | 16 +++++++++++++++- + 1 file changed, 15 insertions(+), 1 deletion(-) + +diff --git a/build-scripts/compile_profiles.py b/build-scripts/compile_profiles.py +index 0967252348..d1ce8984b2 100644 +--- a/build-scripts/compile_profiles.py ++++ b/build-scripts/compile_profiles.py +@@ -3,6 +3,7 @@ + import argparse + import sys + import os.path ++from copy import deepcopy + from glob import glob + + import ssg.build_yaml +@@ -36,7 +37,8 @@ def resolve(self, all_profiles): + updated_variables.update(self.variables) + self.variables = updated_variables + +- updated_refinements = dict(extended_profile.refine_rules) ++ extended_refinements = deepcopy(extended_profile.refine_rules) ++ updated_refinements = self._subtract_refinements(extended_refinements) + updated_refinements.update(self.refine_rules) + self.refine_rules = updated_refinements + +@@ -50,6 +52,18 @@ def resolve(self, all_profiles): + + self.resolved = True + ++ def _subtract_refinements(self, extended_refinements): ++ """ ++ Given a dict of rule refinements from the extended profile, ++ "undo" every refinement prefixed with '!' in this profile. 
++ """ ++ for rule, refinements in list(self.refine_rules.items()): ++ if rule.startswith("!"): ++ for prop, val in refinements: ++ extended_refinements[rule[1:]].remove((prop, val)) ++ del self.refine_rules[rule] ++ return extended_refinements ++ + + def create_parser(): + parser = argparse.ArgumentParser() + +From 2ea270b1796139f42a1d56cbb31351b3f6ad3a6e Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Thu, 9 Jul 2020 22:32:32 +0200 +Subject: [PATCH 10/18] Undo rule refinements done to zIPL rules + +Remove the zIPl rule refinementes from STIG profile +--- + rhel8/profiles/stig.profile | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/rhel8/profiles/stig.profile b/rhel8/profiles/stig.profile +index 69d5222a32..53647475aa 100644 +--- a/rhel8/profiles/stig.profile ++++ b/rhel8/profiles/stig.profile +@@ -55,3 +55,5 @@ selections: + - "!zipl_pti_argument" + - "!zipl_slub_debug_argument" + - "!zipl_vsyscall_argument" ++ - "!zipl_vsyscall_argument.role=unscored" ++ - "!zipl_vsyscall_argument.severity=info" + +From 90d62ba0cd088eb95aa151fe08a9c3c9fd959a00 Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Fri, 10 Jul 2020 09:38:57 +0200 +Subject: [PATCH 11/18] Update stable test for OSPP Profile + +I just copied the resolved profile to profile_stability directory. 
+--- + tests/data/profile_stability/rhel8/ospp.profile | 14 +++++++++++--- + 1 file changed, 11 insertions(+), 3 deletions(-) + +diff --git a/tests/data/profile_stability/rhel8/ospp.profile b/tests/data/profile_stability/rhel8/ospp.profile +index 08dcccf24c..5aa3592496 100644 +--- a/tests/data/profile_stability/rhel8/ospp.profile ++++ b/tests/data/profile_stability/rhel8/ospp.profile +@@ -168,6 +168,7 @@ selections: + - service_rngd_enabled + - service_systemd-coredump_disabled + - service_usbguard_enabled ++- ssh_client_rekey_limit + - sshd_disable_empty_passwords + - sshd_disable_gssapi_auth + - sshd_disable_kerb_auth +@@ -213,8 +214,14 @@ selections: + - sysctl_user_max_user_namespaces + - timer_dnf-automatic_enabled + - usbguard_allow_hid_and_hub ++- zipl_audit_argument ++- zipl_audit_backlog_limit_argument + - zipl_bls_entries_only + - zipl_bootmap_is_up_to_date ++- zipl_page_poison_argument ++- zipl_pti_argument ++- zipl_slub_debug_argument ++- zipl_vsyscall_argument + - var_sshd_set_keepalive=0 + - var_rekey_limit_size=1G + - var_rekey_limit_time=1hour +@@ -238,11 +245,12 @@ selections: + - var_accounts_passwords_pam_faillock_deny=3 + - var_accounts_passwords_pam_faillock_fail_interval=900 + - var_accounts_passwords_pam_faillock_unlock_time=never ++- var_ssh_client_rekey_limit_size=1G ++- var_ssh_client_rekey_limit_time=1hour + - grub2_vsyscall_argument.role=unscored + - grub2_vsyscall_argument.severity=info + - sysctl_user_max_user_namespaces.role=unscored + - sysctl_user_max_user_namespaces.severity=info +-- ssh_client_rekey_limit +-- var_ssh_client_rekey_limit_size=1G +-- var_ssh_client_rekey_limit_time=1hour ++- zipl_vsyscall_argument.role=unscored ++- zipl_vsyscall_argument.severity=info + title: Protection Profile for General Purpose Operating Systems + +From b5d5b0f1d4319663aba9f051fc01f5209234da6f Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Fri, 10 Jul 2020 15:15:25 +0200 +Subject: [PATCH 12/18] zipl_bls_entries_option: Add test scenarios + 
+--- + .../tests/correct_option.pass.sh | 16 ++++++++++++++++ + .../tests/missing_in_cmdline.fail.sh | 14 ++++++++++++++ + .../tests/missing_in_entry.fail.sh | 14 ++++++++++++++ + 3 files changed, 44 insertions(+) + create mode 100644 linux_os/guide/system/bootloader-zipl/zipl_audit_argument/tests/correct_option.pass.sh + create mode 100644 linux_os/guide/system/bootloader-zipl/zipl_audit_argument/tests/missing_in_cmdline.fail.sh + create mode 100644 linux_os/guide/system/bootloader-zipl/zipl_audit_argument/tests/missing_in_entry.fail.sh + +diff --git a/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/tests/correct_option.pass.sh b/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/tests/correct_option.pass.sh +new file mode 100644 +index 0000000000..a9bd49dd0b +--- /dev/null ++++ b/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/tests/correct_option.pass.sh +@@ -0,0 +1,16 @@ ++#!/bin/bash ++# platform = Red Hat Enterprise Linux 8 ++# remediation = none ++ ++# Make sure boot loader entries contain audit=1 ++for file in /boot/loader/entries/*.conf ++do ++ if ! grep -q '^options.*audit=1.*$' "$file" ; then ++ sed -i '/^options / s/$/audit=1/' "$file" ++ fi ++done ++ ++# Make sure /etc/kernel/cmdline contains audit=1 ++if ! grep -q '^(.*\s)?audit=1(\s.*)?$' /etc/kernel/cmdline ; then ++ echo "audit=1" >> /etc/kernel/cmdline ++fi +diff --git a/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/tests/missing_in_cmdline.fail.sh b/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/tests/missing_in_cmdline.fail.sh +new file mode 100644 +index 0000000000..d4d1d978c8 +--- /dev/null ++++ b/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/tests/missing_in_cmdline.fail.sh +@@ -0,0 +1,14 @@ ++#!/bin/bash ++# platform = Red Hat Enterprise Linux 8 ++# remediation = none ++ ++# Make sure boot loader entries contain audit=1 ++for file in /boot/loader/entries/*.conf ++do ++ if ! 
grep -q '^options.*audit=1.*$' "$file" ; then ++ sed -i '/^options / s/$/audit=1/' "$file" ++ fi ++done ++ ++# Make sure /etc/kernel/cmdline doesn't contain audit=1 ++sed -Ei 's/(^.*)audit=1(.*?)$/\1\2/' /etc/kernel/cmdline || true +diff --git a/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/tests/missing_in_entry.fail.sh b/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/tests/missing_in_entry.fail.sh +new file mode 100644 +index 0000000000..3e412c0542 +--- /dev/null ++++ b/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/tests/missing_in_entry.fail.sh +@@ -0,0 +1,14 @@ ++#!/bin/bash ++# platform = Red Hat Enterprise Linux 8 ++# remediation = none ++ ++# Remove audit=1 from all boot entries ++sed -Ei 's/(^options.*\s)audit=1(.*?)$/\1\2/' /boot/loader/entries/* ++# But make sure one boot loader entry contains audit=1 ++sed -i '/^options / s/$/audit=1/' /boot/loader/entries/*rescue.conf ++sed -Ei 's/(^options.*\s)\$kernelopts(.*?)$/\1\2/' /boot/loader/entries/*rescue.conf ++ ++# Make sure /etc/kernel/cmdline contains audit=1 ++if ! grep -q '^(.*\s)?audit=1(\s.*)?$' /etc/kernel/cmdline ; then ++ echo "audit=1" >> /etc/kernel/cmdline ++fi + +From 3b52ab44e043adb289ef0a96798cffaf3e1f35a1 Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Fri, 10 Jul 2020 15:34:52 +0200 +Subject: [PATCH 13/18] zipl_bls_entries_option: Remove hardcoded values + +The template shouldn't have any hardcoded values. +--- + shared/templates/template_BASH_zipl_bls_entries_option | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/shared/templates/template_BASH_zipl_bls_entries_option b/shared/templates/template_BASH_zipl_bls_entries_option +index 9fc8865486..dde8c948f7 100644 +--- a/shared/templates/template_BASH_zipl_bls_entries_option ++++ b/shared/templates/template_BASH_zipl_bls_entries_option +@@ -7,6 +7,5 @@ grubby --update-kernel=ALL --args="{{{ ARG_NAME_VALUE }}}" + if [ ! 
-f /etc/kernel/cmdline ]; then + echo "{{{ ARG_NAME_VALUE }}}" >> /etc/kernel/cmdline + elif ! grep -q '^(.*\s)?{{{ ARG_NAME_VALUE }}}(\s.*)?$' /etc/kernel/cmdline; then +- echo " audit=1" >> /etc/kernel/cmdline +- sed -Ei 's/^(.*)$/\1 audit=1/' /etc/kernel/cmdline ++ sed -Ei 's/^(.*)$/\1 {{{ ARG_NAME_VALUE }}}/' /etc/kernel/cmdline + fi + +From 68bff71c7f60a7c68cf0bd9aa153f8a78ec02b7d Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Fri, 10 Jul 2020 16:08:26 +0200 +Subject: [PATCH 14/18] Improve conditional check for the grubby command + +Let's not trust that /boot/loader/entries/ only contains *.conf files. +Count the number of conf files and how many set the propper options. +--- + .../template_ANSIBLE_zipl_bls_entries_option | 14 +++++++++----- + 1 file changed, 9 insertions(+), 5 deletions(-) + +diff --git a/shared/templates/template_ANSIBLE_zipl_bls_entries_option b/shared/templates/template_ANSIBLE_zipl_bls_entries_option +index c0cb131b82..bccad2267c 100644 +--- a/shared/templates/template_ANSIBLE_zipl_bls_entries_option ++++ b/shared/templates/template_ANSIBLE_zipl_bls_entries_option +@@ -6,18 +6,22 @@ + + - name: "Ensure BLS boot entries options contain {{{ ARG_NAME_VALUE }}}" + block: +- - name: "Check if any boot entry misses {{{ ARG_NAME_VALUE }}}" ++ - name: "Check how many boot entries exist " ++ find: ++ paths: "/boot/loader/entries/" ++ patterns: "*.conf" ++ register: n_entries ++ ++ - name: "Check how many boot entries set {{{ ARG_NAME_VALUE }}}" + find: + paths: "/boot/loader/entries/" + contains: "^options .*{{{ ARG_NAME_VALUE }}}.*$" + patterns: "*.conf" +- register: entries_options ++ register: n_entries_options + + - name: "Update boot entries options" + command: grubby --update-kernel=ALL --args="{{{ ARG_NAME_VALUE }}}" +- when: entries_options is defined and entries_options.examined != entries_options.matched +- # The conditional above assumes that only *.conf files are present in /boot/loader/entries +- # Then, the number of conf files 
is the same as examined files ++ when: n_entries is defined and n_entries_options is defined and n_entries.matched != n_entries_options.matched + + - name: "Check if /etc/kernel/cmdline exists" + stat: + +From 79c60bb40288c17381bf1e4a84e6cfd300bd8446 Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Fri, 10 Jul 2020 16:17:27 +0200 +Subject: [PATCH 15/18] zipl_bls_entries_option: Fix sed in test scenario + +Append "audit=1" space from last option. +--- + .../zipl_audit_argument/tests/correct_option.pass.sh | 2 +- + .../zipl_audit_argument/tests/missing_in_cmdline.fail.sh | 2 +- + .../zipl_audit_argument/tests/missing_in_entry.fail.sh | 2 +- + 3 files changed, 3 insertions(+), 3 deletions(-) + +diff --git a/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/tests/correct_option.pass.sh b/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/tests/correct_option.pass.sh +index a9bd49dd0b..5fcbcc5667 100644 +--- a/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/tests/correct_option.pass.sh ++++ b/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/tests/correct_option.pass.sh +@@ -6,7 +6,7 @@ + for file in /boot/loader/entries/*.conf + do + if ! grep -q '^options.*audit=1.*$' "$file" ; then +- sed -i '/^options / s/$/audit=1/' "$file" ++ sed -i '/^options / s/$/ audit=1/' "$file" + fi + done + +diff --git a/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/tests/missing_in_cmdline.fail.sh b/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/tests/missing_in_cmdline.fail.sh +index d4d1d978c8..b75165f904 100644 +--- a/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/tests/missing_in_cmdline.fail.sh ++++ b/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/tests/missing_in_cmdline.fail.sh +@@ -6,7 +6,7 @@ + for file in /boot/loader/entries/*.conf + do + if ! 
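Review bot: The `contains: "^options .*{{{ ARG_NAME_VALUE }}}.*$"` pattern in the "Check how many boot entries set" task is an unanchored substring match, so an entry whose value merely starts with the required one (for example `audit=10` when `audit=1` is required) is counted as compliant and the `grubby` task is skipped. The OCIL text elsewhere on this page checks the same options with `\b…\b`; matching that here, `contains: "^options .*\\b{{{ ARG_NAME_VALUE }}}\\b.*$"`, keeps the Ansible remediation and the manual check in agreement. The block continues past the hunk with the /etc/kernel/cmdline tasks.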
grep -q '^options.*audit=1.*$' "$file" ; then +- sed -i '/^options / s/$/audit=1/' "$file" ++ sed -i '/^options / s/$/ audit=1/' "$file" + fi + done + +diff --git a/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/tests/missing_in_entry.fail.sh b/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/tests/missing_in_entry.fail.sh +index 3e412c0542..e3d342d533 100644 +--- a/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/tests/missing_in_entry.fail.sh ++++ b/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/tests/missing_in_entry.fail.sh +@@ -5,7 +5,7 @@ + # Remove audit=1 from all boot entries + sed -Ei 's/(^options.*\s)audit=1(.*?)$/\1\2/' /boot/loader/entries/* + # But make sure one boot loader entry contains audit=1 +-sed -i '/^options / s/$/audit=1/' /boot/loader/entries/*rescue.conf ++sed -i '/^options / s/$/ audit=1/' /boot/loader/entries/*rescue.conf + sed -Ei 's/(^options.*\s)\$kernelopts(.*?)$/\1\2/' /boot/loader/entries/*rescue.conf + + # Make sure /etc/kernel/cmdline contains audit=1 + +From d513177d2cea39db364a0ff39a599ded36a25395 Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Fri, 10 Jul 2020 16:29:06 +0200 +Subject: [PATCH 16/18] Extend scenarios platform and allow remediation + +These test scenarios can be run on any OS that supports BLS and provides +grubby. +But it will evaluate to not applicable if the OS doesn't use zIPL (i.e.: +has s390utils-base installed). 
+--- + .../zipl_audit_argument/tests/correct_option.pass.sh | 3 +-- + .../zipl_audit_argument/tests/missing_in_cmdline.fail.sh | 3 +-- + .../zipl_audit_argument/tests/missing_in_entry.fail.sh | 3 +-- + 3 files changed, 3 insertions(+), 6 deletions(-) + +diff --git a/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/tests/correct_option.pass.sh b/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/tests/correct_option.pass.sh +index 5fcbcc5667..73ed0eae0f 100644 +--- a/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/tests/correct_option.pass.sh ++++ b/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/tests/correct_option.pass.sh +@@ -1,6 +1,5 @@ + #!/bin/bash +-# platform = Red Hat Enterprise Linux 8 +-# remediation = none ++# platform = multi_platform_fedora,Red Hat Enterprise Linux 8 + + # Make sure boot loader entries contain audit=1 + for file in /boot/loader/entries/*.conf +diff --git a/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/tests/missing_in_cmdline.fail.sh b/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/tests/missing_in_cmdline.fail.sh +index b75165f904..3af83d30d8 100644 +--- a/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/tests/missing_in_cmdline.fail.sh ++++ b/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/tests/missing_in_cmdline.fail.sh +@@ -1,6 +1,5 @@ + #!/bin/bash +-# platform = Red Hat Enterprise Linux 8 +-# remediation = none ++# platform = multi_platform_fedora,Red Hat Enterprise Linux 8 + + # Make sure boot loader entries contain audit=1 + for file in /boot/loader/entries/*.conf +diff --git a/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/tests/missing_in_entry.fail.sh b/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/tests/missing_in_entry.fail.sh +index e3d342d533..142f75ba60 100644 +--- a/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/tests/missing_in_entry.fail.sh ++++ 
b/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/tests/missing_in_entry.fail.sh +@@ -1,6 +1,5 @@ + #!/bin/bash +-# platform = Red Hat Enterprise Linux 8 +-# remediation = none ++# platform = multi_platform_fedora,Red Hat Enterprise Linux 8 + + # Remove audit=1 from all boot entries + sed -Ei 's/(^options.*\s)audit=1(.*?)$/\1\2/' /boot/loader/entries/* + +From 2e841722d30551c86f14558ff39bdaa5dda55711 Mon Sep 17 00:00:00 2001 +From: Watson Yuuma Sato +Date: Fri, 10 Jul 2020 16:35:55 +0200 +Subject: [PATCH 17/18] Update comment in OVAL zipl_bls_entries_option + +Co-authored-by: vojtapolasek +--- + shared/templates/template_OVAL_zipl_bls_entries_option | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/shared/templates/template_OVAL_zipl_bls_entries_option b/shared/templates/template_OVAL_zipl_bls_entries_option +index 9af1bcfbee..502d5e7d9a 100644 +--- a/shared/templates/template_OVAL_zipl_bls_entries_option ++++ b/shared/templates/template_OVAL_zipl_bls_entries_option +@@ -7,7 +7,7 @@ + + + ++ comment="Check if {{{ ARG_NAME_VALUE }}} is present in the 'options' line in /boot/loader/entries/*.conf" /> + + + +From 9bd0afbde47ef368444ba1785da593980e6e00aa Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Fri, 10 Jul 2020 17:15:46 +0200 +Subject: [PATCH 18/18] zipl_bls_entries_option: Supress grep error messages + +/etc/kernel/cmdline is not always present. Lest suppress any error +message about absent file in the test scenarios. 
+--- + .../zipl_audit_argument/tests/correct_option.pass.sh | 2 +- + .../zipl_audit_argument/tests/missing_in_entry.fail.sh | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +diff --git a/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/tests/correct_option.pass.sh b/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/tests/correct_option.pass.sh +index 73ed0eae0f..7a828837fe 100644 +--- a/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/tests/correct_option.pass.sh ++++ b/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/tests/correct_option.pass.sh +@@ -10,6 +10,6 @@ do + done + + # Make sure /etc/kernel/cmdline contains audit=1 +-if ! grep -q '^(.*\s)?audit=1(\s.*)?$' /etc/kernel/cmdline ; then ++if ! grep -qs '^(.*\s)?audit=1(\s.*)?$' /etc/kernel/cmdline ; then + echo "audit=1" >> /etc/kernel/cmdline + fi +diff --git a/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/tests/missing_in_entry.fail.sh b/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/tests/missing_in_entry.fail.sh +index 142f75ba60..5650cc0a74 100644 +--- a/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/tests/missing_in_entry.fail.sh ++++ b/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/tests/missing_in_entry.fail.sh +@@ -8,6 +8,6 @@ sed -i '/^options / s/$/ audit=1/' /boot/loader/entries/*rescue.conf + sed -Ei 's/(^options.*\s)\$kernelopts(.*?)$/\1\2/' /boot/loader/entries/*rescue.conf + + # Make sure /etc/kernel/cmdline contains audit=1 +-if ! grep -q '^(.*\s)?audit=1(\s.*)?$' /etc/kernel/cmdline ; then ++if ! grep -qs '^(.*\s)?audit=1(\s.*)?$' /etc/kernel/cmdline ; then + echo "audit=1" >> /etc/kernel/cmdline + fi diff --git a/SOURCES/scap-security-guide-0.1.52-reorganize-zipl-rules_PR_5888.patch b/SOURCES/scap-security-guide-0.1.52-reorganize-zipl-rules_PR_5888.patch new file mode 100644 index 0000000..81d85cc --- /dev/null +++ b/SOURCES/scap-security-guide-0.1.52-reorganize-zipl-rules_PR_5888.patch 
@@ -0,0 +1,884 @@ +From 8cbec60a51b54df386bad72cdd82b83fbf9482fa Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Thu, 25 Jun 2020 18:29:31 +0200 +Subject: [PATCH 01/14] Add rule to check for zIPL conformance to BLS + +Instead of having each zIPL argument rule check for BLS compliance, +let's split into its own rule. +--- + .../zipl_audit_argument/rule.yml | 6 ----- + .../rule.yml | 6 ----- + .../zipl_bls_entries_only/rule.yml | 24 +++++++++++++++++++ + .../zipl_enable_selinux/rule.yml | 6 ----- + .../zipl_page_poison_argument/rule.yml | 6 ----- + .../zipl_pti_argument/rule.yml | 6 ----- + .../zipl_slub_debug_argument/rule.yml | 6 ----- + .../zipl_vsyscall_argument/rule.yml | 6 ----- + 8 files changed, 24 insertions(+), 42 deletions(-) + create mode 100644 linux_os/guide/system/bootloader-zipl/zipl_bls_entries_only/rule.yml + +diff --git a/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/rule.yml +index 2d31ef8ee7..1211a53295 100644 +--- a/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/rule.yml ++++ b/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/rule.yml +@@ -8,8 +8,6 @@ description: |- + To ensure all processes can be audited, even those which start prior to the audit daemon, + check that all boot entries in /boot/loader/entries/*.conf have audit=1 + included in its options.
+- Make sure /etc/zipl.conf doesn't contain image = setting, +- as {{{ full_name }}} adheres to Boot Loader Specification (BLS).
+ And run zipl command so that /boot/bootmap is updated.

+ + To ensure that new kernels and boot entries continue to enable audit, +@@ -30,10 +28,6 @@ ocil: |- +
sudo grep -L "^options\s+.*\baudit=1\b" /boot/loader/entries/*.conf
+ No line should be returned, each line returned is a boot entry that doesn't enable audit. + +- Check that no image file is specified in /etc/zipl.conf: +-
grep -R "^image\s*=" /etc/zipl.conf
+- No line should be returned, if a line is returned zipl may load a different kernel than intended. +- + And make sure that /boot/bootmap is newer than /boot/loader/entries/*.conf + and /etc/zipl.conf: +
find /boot/loader/entries/*.conf /etc/zipl.conf -newer /boot/bootmap
+diff --git a/linux_os/guide/system/bootloader-zipl/zipl_audit_backlog_limit_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_audit_backlog_limit_argument/rule.yml +index 40db232257..7d88e38686 100644 +--- a/linux_os/guide/system/bootloader-zipl/zipl_audit_backlog_limit_argument/rule.yml ++++ b/linux_os/guide/system/bootloader-zipl/zipl_audit_backlog_limit_argument/rule.yml +@@ -8,8 +8,6 @@ description: |- + To improve the kernel capacity to queue all log events, even those which start prior to the audit daemon, + check that all boot entries in /boot/loader/entries/*.conf have audit_backlog_limit=8192 + included in its options.
+- Make sure /etc/zipl.conf doesn't contain image = setting, +- as {{{ full_name }}} adheres to Boot Loader Specification (BLS).
+ And run zipl command so that /boot/bootmap is updated.

+ + To ensure that new kernels and boot entries continue to extend the audit log events queue, +@@ -31,10 +29,6 @@ ocil: |- +
sudo grep -L "^options\s+.*\baudit_backlog_limit=0\b" /boot/loader/entries/*.conf
+ No line should be returned, each line returned is a boot entry that does not extend the log events queue. + +- Check that no image file is specified in /etc/zipl.conf: +-
grep -R "^image\s*=" /etc/zipl.conf
+- No line should be returned, if a line is returned zipl may load a different kernel than intended. +- + And make sure that /boot/bootmap is newer than /boot/loader/entries/*.conf + and /etc/zipl.conf: +
find /boot/loader/entries/*.conf /etc/zipl.conf -newer /boot/bootmap
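Review bot: The OCIL step kept as context in this hunk, `sudo grep -L "^options\s+.*\baudit_backlog_limit=0\b" /boot/loader/entries/*.conf`, tells the auditor to look for `audit_backlog_limit=0`, while the rule's description in the preceding hunk requires `audit_backlog_limit=8192`; an auditor following this text would accept entries that set the wrong value. This appears to be a pre-existing slip rather than something the commit introduces, but since the ocil block is being rewritten here the value should be corrected to `\baudit_backlog_limit=8192\b`. The same line is carried unchanged as context in the PATCH 04/14 hunk for this rule.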
+diff --git a/linux_os/guide/system/bootloader-zipl/zipl_bls_entries_only/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_bls_entries_only/rule.yml +new file mode 100644 +index 0000000000..b6ccbb5343 +--- /dev/null ++++ b/linux_os/guide/system/bootloader-zipl/zipl_bls_entries_only/rule.yml +@@ -0,0 +1,24 @@ ++documentation_complete: true ++ ++prodtype: rhel8 ++ ++title: 'Ensure all zIPL boot entries are BLS compliant' ++ ++description: |- ++ Ensure that zIPL boot entries fully adheres to Boot Loader Specification (BLS) ++ by checking that /etc/zipl.conf doesn't contain image = . ++ ++rationale: |- ++ {{{ full_name }}} adheres to Boot Loader Specification (BLS) and is the prefered method of ++ configuration. ++ ++severity: medium ++ ++ocil_clause: 'a non BLS boot entry is configured' ++ ++ocil: |- ++ Check that no boot image file is specified in /etc/zipl.conf: ++
grep -R "^image\s*=" /etc/zipl.conf
++ No line should be returned, if a line is returned non BLS compliant boot entries are configured for zIPL. ++ ++platform: machine +diff --git a/linux_os/guide/system/bootloader-zipl/zipl_enable_selinux/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_enable_selinux/rule.yml +index 8d28d5495f..1c3bfeb246 100644 +--- a/linux_os/guide/system/bootloader-zipl/zipl_enable_selinux/rule.yml ++++ b/linux_os/guide/system/bootloader-zipl/zipl_enable_selinux/rule.yml +@@ -8,8 +8,6 @@ description: |- + To ensure SELinux is not disabled at boot time, + check that no boot entry in /boot/loader/entries/*.conf has selinux=0 + included in its options.
+- Make sure /etc/zipl.conf doesn't contain image = setting, +- as {{{ full_name }}} adheres to Boot Loader Specification (BLS).
+ And run zipl command so that /boot/bootmap is updated.

+ + rationale: |- +@@ -27,10 +25,6 @@ ocil: |- +
sudo grep -L "^options\s+.*\bselinux=0\b" /boot/loader/entries/*.conf
+ No line should be returned, each line returned is a boot entry that disables SELinux. + +- Check that no image file is specified in /etc/zipl.conf: +-
grep -R "^image\s*=" /etc/zipl.conf
+- No line should be returned, if a line is returned zipl may load a different kernel than intended. +- + And make sure that /boot/bootmap is newer than /boot/loader/entries/*.conf + and /etc/zipl.conf: +
find /boot/loader/entries/*.conf /etc/zipl.conf -newer /boot/bootmap
+diff --git a/linux_os/guide/system/bootloader-zipl/zipl_page_poison_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_page_poison_argument/rule.yml +index 0a8e9a41e2..6dbfd501b7 100644 +--- a/linux_os/guide/system/bootloader-zipl/zipl_page_poison_argument/rule.yml ++++ b/linux_os/guide/system/bootloader-zipl/zipl_page_poison_argument/rule.yml +@@ -8,8 +8,6 @@ description: |- + To enable poisoning of free pages, + check that all boot entries in /boot/loader/entries/*.conf have page_poison=1 + included in its options.
+- Make sure /etc/zipl.conf doesn't contain image = setting, +- as {{{ full_name }}} adheres to Boot Loader Specification (BLS).
+ And run zipl command so that /boot/bootmap is updated.
+ + To ensure that new kernels and boot entries continue to enable page poisoning, +@@ -31,10 +29,6 @@ ocil: |- +
sudo grep -L "^options\s+.*\bpage_poison=1\b" /boot/loader/entries/*.conf
+ No line should be returned, each line returned is a boot entry that doesn't enable page poisoning. + +- Check that no image file is specified in /etc/zipl.conf: +-
grep -R "^image\s*=" /etc/zipl.conf
+- No line should be returned, if a line is returned zipl may load a different kernel than intended. +- + And make sure that /boot/bootmap is newer than /boot/loader/entries/*.conf + and /etc/zipl.conf: +
find /boot/loader/entries/*.conf /etc/zipl.conf -newer /boot/bootmap
+diff --git a/linux_os/guide/system/bootloader-zipl/zipl_pti_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_pti_argument/rule.yml +index 20c1448cc8..555fdf2b66 100644 +--- a/linux_os/guide/system/bootloader-zipl/zipl_pti_argument/rule.yml ++++ b/linux_os/guide/system/bootloader-zipl/zipl_pti_argument/rule.yml +@@ -8,8 +8,6 @@ description: |- + To enable Kernel page-table isolation, + check that all boot entries in /boot/loader/entries/*.conf have pti=on + included in its options.
+- Make sure /etc/zipl.conf doesn't contain image = setting, +- as {{{ full_name }}} adheres to Boot Loader Specification (BLS).
+ And run zipl command so that /boot/bootmap is updated.

+ + To ensure that new kernels and boot entries continue to enable page-table isolation, +@@ -30,10 +28,6 @@ ocil: |- +
sudo grep -L "^options\s+.*\bpti=on\b" /boot/loader/entries/*.conf
+ No line should be returned, each line returned is a boot entry that doesn't enable page-table isolation . + +- Check that no image file is specified in /etc/zipl.conf: +-
grep -R "^image\s*=" /etc/zipl.conf
+- No line should be returned, if a line is returned zipl may load a different kernel than intended. +- + And make sure that /boot/bootmap is newer than /boot/loader/entries/*.conf + and /etc/zipl.conf: +
find /boot/loader/entries/*.conf /etc/zipl.conf -newer /boot/bootmap
+diff --git a/linux_os/guide/system/bootloader-zipl/zipl_slub_debug_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_slub_debug_argument/rule.yml +index 54ac688ea0..dd7865bf81 100644 +--- a/linux_os/guide/system/bootloader-zipl/zipl_slub_debug_argument/rule.yml ++++ b/linux_os/guide/system/bootloader-zipl/zipl_slub_debug_argument/rule.yml +@@ -8,8 +8,6 @@ description: |- + To enable poisoning of SLUB/SLAB objects, + check that all boot entries in /boot/loader/entries/*.conf have slub_debug=P + included in its options.
+- Make sure /etc/zipl.conf doesn't contain image = setting, +- as {{{ full_name }}} adheres to Boot Loader Specification (BLS).
+ And run zipl command so that /boot/bootmap is updated.

+ + To ensure that new kernels and boot entries continue to extend the audit log events queue, +@@ -31,10 +29,6 @@ ocil: |- +
sudo grep -L "^options\s+.*\bslub_debug=P\b" /boot/loader/entries/*.conf
+ No line should be returned, each line returned is a boot entry that does not enable poisoning. + +- Check that no image file is specified in /etc/zipl.conf: +-
grep -R "^image\s*=" /etc/zipl.conf
+- No line should be returned, if a line is returned zipl may load a different kernel than intended. +- + And make sure that /boot/bootmap is newer than /boot/loader/entries/*.conf + and /etc/zipl.conf: +
find /boot/loader/entries/*.conf /etc/zipl.conf -newer /boot/bootmap
+diff --git a/linux_os/guide/system/bootloader-zipl/zipl_vsyscall_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_vsyscall_argument/rule.yml +index c5979a2016..18b7ade460 100644 +--- a/linux_os/guide/system/bootloader-zipl/zipl_vsyscall_argument/rule.yml ++++ b/linux_os/guide/system/bootloader-zipl/zipl_vsyscall_argument/rule.yml +@@ -8,8 +8,6 @@ description: |- + To disable use of virtual syscalls, + check that all boot entries in /boot/loader/entries/*.conf have vsyscall=none + included in its options.
+- Make sure /etc/zipl.conf doesn't contain image = setting, +- as {{{ full_name }}} adheres to Boot Loader Specification (BLS).
+ And run zipl command so that /boot/bootmap is updated.

+ + To ensure that new kernels and boot entries continue to disable virtual syscalls, +@@ -28,10 +26,6 @@ ocil: |- +
sudo grep -L "^options\s+.*\bvsyscall=none\b" /boot/loader/entries/*.conf
+ No line should be returned, each line returned is a boot entry that doesn't disable virtual syscalls. + +- Check that no image file is specified in /etc/zipl.conf: +-
grep -R "^image\s*=" /etc/zipl.conf
+- No line should be returned, if a line is returned zipl may load a different kernel than intended. +- + And make sure that /boot/bootmap is newer than /boot/loader/entries/*.conf + and /etc/zipl.conf: +
find /boot/loader/entries/*.conf /etc/zipl.conf -newer /boot/bootmap
+ +From 5e3b19077d781d0441595019429c653efafede8e Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Thu, 2 Jul 2020 09:52:39 +0200 +Subject: [PATCH 02/14] zipl_bls_entries_only: Add OVAL and tests + +--- + .../zipl_bls_entries_only/oval/shared.xml | 27 +++++++++++++++++++ + .../tests/image_configured.fail.sh | 6 +++++ + .../tests/no_image.pass.sh | 7 +++++ + 3 files changed, 40 insertions(+) + create mode 100644 linux_os/guide/system/bootloader-zipl/zipl_bls_entries_only/oval/shared.xml + create mode 100644 linux_os/guide/system/bootloader-zipl/zipl_bls_entries_only/tests/image_configured.fail.sh + create mode 100644 linux_os/guide/system/bootloader-zipl/zipl_bls_entries_only/tests/no_image.pass.sh + +diff --git a/linux_os/guide/system/bootloader-zipl/zipl_bls_entries_only/oval/shared.xml b/linux_os/guide/system/bootloader-zipl/zipl_bls_entries_only/oval/shared.xml +new file mode 100644 +index 0000000000..41e9773814 +--- /dev/null ++++ b/linux_os/guide/system/bootloader-zipl/zipl_bls_entries_only/oval/shared.xml +@@ -0,0 +1,27 @@ ++ ++ ++ ++ Ensure zIPL entries are BLS compliant ++ {{{- oval_affected(products) }}} ++ Check if /etc/zipl.conf configures any boot entry ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ^/etc/zipl.conf$ ++ ^image\s*=.*$ ++ 1 ++ ++ ++ +diff --git a/linux_os/guide/system/bootloader-zipl/zipl_bls_entries_only/tests/image_configured.fail.sh b/linux_os/guide/system/bootloader-zipl/zipl_bls_entries_only/tests/image_configured.fail.sh +new file mode 100644 +index 0000000000..e3adb99638 +--- /dev/null ++++ b/linux_os/guide/system/bootloader-zipl/zipl_bls_entries_only/tests/image_configured.fail.sh +@@ -0,0 +1,6 @@ ++#!/bin/bash ++# platform = Red Hat Enterprise Linux 8 ++# remediation = none ++ ++# Make sure no image configured in zipl config file ++echo 'image = /boot/image' >> /etc/zipl.conf +diff --git a/linux_os/guide/system/bootloader-zipl/zipl_bls_entries_only/tests/no_image.pass.sh 
b/linux_os/guide/system/bootloader-zipl/zipl_bls_entries_only/tests/no_image.pass.sh +new file mode 100644 +index 0000000000..47626442f6 +--- /dev/null ++++ b/linux_os/guide/system/bootloader-zipl/zipl_bls_entries_only/tests/no_image.pass.sh +@@ -0,0 +1,7 @@ ++#!/bin/bash ++# platform = Red Hat Enterprise Linux 8 ++# remediation = none ++ ++# Make sure no image configured in zipl config file ++sed -Ei '/^image\s*=/d' /etc/zipl.conf ++true + +From 05e5b05b41080b7fbfaf42469cbb366eeffe35ec Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Thu, 2 Jul 2020 11:09:08 +0200 +Subject: [PATCH 03/14] zipl_bls_entries_only: Add no-remediation warning + +Automated remediation to remove non-BLS boot entries from /etc/zipl.conf +is tricky and can lead to broken entries or removal of all of them. +--- + .../system/bootloader-zipl/zipl_bls_entries_only/rule.yml | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/linux_os/guide/system/bootloader-zipl/zipl_bls_entries_only/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_bls_entries_only/rule.yml +index b6ccbb5343..f792c5257f 100644 +--- a/linux_os/guide/system/bootloader-zipl/zipl_bls_entries_only/rule.yml ++++ b/linux_os/guide/system/bootloader-zipl/zipl_bls_entries_only/rule.yml +@@ -22,3 +22,8 @@ ocil: |- + No line should be returned, if a line is returned non BLS compliant boot entries are configured for zIPL. + + platform: machine ++ ++warnings: ++ - general: |- ++ To prevent breakage or removal of all boot entries oconfigured in /etc/zipl.conf ++ automated remediation for this rule is not available. + +From 53d811ed09cd63d4472a2133f3d9dc465dbd2962 Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Thu, 25 Jun 2020 18:51:04 +0200 +Subject: [PATCH 04/14] Add rule to check hotness of zIPL bootmap + +Instead of having each zIPL argument rule check if zIPL bootmap is up to +date, let's split it into its own rule. 
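Review bot: The new warning text reads `To prevent breakage or removal of all boot entries oconfigured in /etc/zipl.conf` — `oconfigured` is a typo for `configured`, and the sentence needs a comma before its main clause: `To prevent breakage or removal of all boot entries configured in /etc/zipl.conf, automated remediation for this rule is not available.`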
+--- + .../zipl_audit_argument/rule.yml | 6 ----- + .../rule.yml | 7 ----- + .../zipl_bootmap_is_up_to_date/rule.yml | 27 +++++++++++++++++++ + .../zipl_enable_selinux/rule.yml | 6 ----- + .../zipl_page_poison_argument/rule.yml | 7 ----- + .../zipl_pti_argument/rule.yml | 7 ----- + .../zipl_slub_debug_argument/rule.yml | 7 ----- + .../zipl_vsyscall_argument/rule.yml | 7 ----- + 8 files changed, 27 insertions(+), 47 deletions(-) + create mode 100644 linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/rule.yml + +diff --git a/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/rule.yml +index 1211a53295..624b4e7041 100644 +--- a/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/rule.yml ++++ b/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/rule.yml +@@ -8,7 +8,6 @@ description: |- + To ensure all processes can be audited, even those which start prior to the audit daemon, + check that all boot entries in /boot/loader/entries/*.conf have audit=1 + included in its options.
+- And run zipl command so that /boot/bootmap is updated.

+ + To ensure that new kernels and boot entries continue to enable audit, + add audit=1 to /etc/kernel/cmdline. +@@ -28,9 +27,4 @@ ocil: |- +
sudo grep -L "^options\s+.*\baudit=1\b" /boot/loader/entries/*.conf
+ No line should be returned, each line returned is a boot entry that doesn't enable audit. + +- And make sure that /boot/bootmap is newer than /boot/loader/entries/*.conf +- and /etc/zipl.conf: +-
find /boot/loader/entries/*.conf /etc/zipl.conf -newer /boot/bootmap
+- No line should be returned, if a line is returned /boot/bootmap needs to be regenerated. +- + platform: machine +diff --git a/linux_os/guide/system/bootloader-zipl/zipl_audit_backlog_limit_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_audit_backlog_limit_argument/rule.yml +index 7d88e38686..faf114591a 100644 +--- a/linux_os/guide/system/bootloader-zipl/zipl_audit_backlog_limit_argument/rule.yml ++++ b/linux_os/guide/system/bootloader-zipl/zipl_audit_backlog_limit_argument/rule.yml +@@ -8,8 +8,6 @@ description: |- + To improve the kernel capacity to queue all log events, even those which start prior to the audit daemon, + check that all boot entries in /boot/loader/entries/*.conf have audit_backlog_limit=8192 + included in its options.
+- And run zipl command so that /boot/bootmap is updated.

+- + To ensure that new kernels and boot entries continue to extend the audit log events queue, + add audit_backlog_limit=8192 to /etc/kernel/cmdline. + +@@ -29,9 +27,4 @@ ocil: |- +
sudo grep -L "^options\s+.*\baudit_backlog_limit=0\b" /boot/loader/entries/*.conf
+ No line should be returned, each line returned is a boot entry that does not extend the log events queue. + +- And make sure that /boot/bootmap is newer than /boot/loader/entries/*.conf +- and /etc/zipl.conf: +-
find /boot/loader/entries/*.conf /etc/zipl.conf -newer /boot/bootmap
+- No line should be returned, if a line is returned /boot/bootmap needs to be regenerated. +- + platform: machine +diff --git a/linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/rule.yml +new file mode 100644 +index 0000000000..082562d11e +--- /dev/null ++++ b/linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/rule.yml +@@ -0,0 +1,27 @@ ++documentation_complete: true ++ ++prodtype: rhel8 ++ ++title: 'Ensure zIPL bootmap is up to date' ++ ++description: |- ++ Make sure that /boot/bootmap is up to date.
++ Every time a boot entry or zIPL configuration is changed /boot/bootmap needs to ++ be updated to reflect the changes.
++ Run zipl command to generate an updated /boot/bootmap. ++ ++rationale: |- ++ The file /boot/bootmap contains all boot data, keeping it up to date is crucial to ++ boot correct kernel and options. ++ ++severity: medium ++ ++ocil_clause: 'the bootmap is outdated' ++ ++ocil: |- ++ Make sure that /boot/bootmap is newer than /boot/loader/entries/*.conf ++ and /etc/zipl.conf: ++
find /boot/loader/entries/*.conf /etc/zipl.conf -newer /boot/bootmap
++ No line should be returned, if a line is returned /boot/bootmap is outdated and needs to be regenerated. ++ ++platform: machine +diff --git a/linux_os/guide/system/bootloader-zipl/zipl_enable_selinux/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_enable_selinux/rule.yml +index 1c3bfeb246..b0bc0fc374 100644 +--- a/linux_os/guide/system/bootloader-zipl/zipl_enable_selinux/rule.yml ++++ b/linux_os/guide/system/bootloader-zipl/zipl_enable_selinux/rule.yml +@@ -8,7 +8,6 @@ description: |- + To ensure SELinux is not disabled at boot time, + check that no boot entry in /boot/loader/entries/*.conf has selinux=0 + included in its options.
+- And run zipl command so that /boot/bootmap is updated.

+ + rationale: |- + Disabling a major host protection feature, such as SELinux, at boot time prevents +@@ -25,9 +24,4 @@ ocil: |- +
sudo grep -L "^options\s+.*\bselinux=0\b" /boot/loader/entries/*.conf
+ No line should be returned, each line returned is a boot entry that disables SELinux. + +- And make sure that /boot/bootmap is newer than /boot/loader/entries/*.conf +- and /etc/zipl.conf: +-
find /boot/loader/entries/*.conf /etc/zipl.conf -newer /boot/bootmap
+- No line should be returned, if a line is returned /boot/bootmap needs to be regenerated. +- + platform: machine +diff --git a/linux_os/guide/system/bootloader-zipl/zipl_page_poison_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_page_poison_argument/rule.yml +index 6dbfd501b7..866664c01b 100644 +--- a/linux_os/guide/system/bootloader-zipl/zipl_page_poison_argument/rule.yml ++++ b/linux_os/guide/system/bootloader-zipl/zipl_page_poison_argument/rule.yml +@@ -8,8 +8,6 @@ description: |- + To enable poisoning of free pages, + check that all boot entries in /boot/loader/entries/*.conf have page_poison=1 + included in its options.
+- And run zipl command so that /boot/bootmap is updated.
+- + To ensure that new kernels and boot entries continue to enable page poisoning, + add page_poison=1 to /etc/kernel/cmdline. + +@@ -29,9 +27,4 @@ ocil: |- +
sudo grep -L "^options\s+.*\bpage_poison=1\b" /boot/loader/entries/*.conf
+ No line should be returned, each line returned is a boot entry that doesn't enable page poisoning. + +- And make sure that /boot/bootmap is newer than /boot/loader/entries/*.conf +- and /etc/zipl.conf: +-
find /boot/loader/entries/*.conf /etc/zipl.conf -newer /boot/bootmap
+- No line should be returned, if a line is returned /boot/bootmap needs to be regenerated. +- + platform: machine +diff --git a/linux_os/guide/system/bootloader-zipl/zipl_pti_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_pti_argument/rule.yml +index 555fdf2b66..2f02d9668c 100644 +--- a/linux_os/guide/system/bootloader-zipl/zipl_pti_argument/rule.yml ++++ b/linux_os/guide/system/bootloader-zipl/zipl_pti_argument/rule.yml +@@ -8,8 +8,6 @@ description: |- + To enable Kernel page-table isolation, + check that all boot entries in /boot/loader/entries/*.conf have pti=on + included in its options.
+- And run zipl command so that /boot/bootmap is updated.

+- + To ensure that new kernels and boot entries continue to enable page-table isolation, + add pti=on to /etc/kernel/cmdline. + +@@ -28,9 +26,4 @@ ocil: |- +
sudo grep -L "^options\s+.*\bpti=on\b" /boot/loader/entries/*.conf
+ No line should be returned, each line returned is a boot entry that doesn't enable page-table isolation . + +- And make sure that /boot/bootmap is newer than /boot/loader/entries/*.conf +- and /etc/zipl.conf: +-
find /boot/loader/entries/*.conf /etc/zipl.conf -newer /boot/bootmap
+- No line should be returned, if a line is returned /boot/bootmap needs to be regenerated. +- + platform: machine +diff --git a/linux_os/guide/system/bootloader-zipl/zipl_slub_debug_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_slub_debug_argument/rule.yml +index dd7865bf81..0cb10d3cd8 100644 +--- a/linux_os/guide/system/bootloader-zipl/zipl_slub_debug_argument/rule.yml ++++ b/linux_os/guide/system/bootloader-zipl/zipl_slub_debug_argument/rule.yml +@@ -8,8 +8,6 @@ description: |- + To enable poisoning of SLUB/SLAB objects, + check that all boot entries in /boot/loader/entries/*.conf have slub_debug=P + included in its options.
+- And run zipl command so that /boot/bootmap is updated.

+- + To ensure that new kernels and boot entries continue to extend the audit log events queue, + add slub_debug=P to /etc/kernel/cmdline. + +@@ -29,9 +27,4 @@ ocil: |- +
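Review bot: The context line `To ensure that new kernels and boot entries continue to extend the audit log events queue,` in the zipl_slub_debug_argument description was copied from an unrelated rule and does not describe slub_debug=P; it should read `To ensure that new kernels and boot entries continue to enable poisoning of SLUB/SLAB objects,`. The hunk only removes the zipl sentence, so the wrong rationale survives the change and is what readers of the built guide will see.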
sudo grep -L "^options\s+.*\bslub_debug=P\b" /boot/loader/entries/*.conf
+ No line should be returned, each line returned is a boot entry that does not enable poisoning. + +- And make sure that /boot/bootmap is newer than /boot/loader/entries/*.conf +- and /etc/zipl.conf: +-
find /boot/loader/entries/*.conf /etc/zipl.conf -newer /boot/bootmap
+- No line should be returned, if a line is returned /boot/bootmap needs to be regenerated. +- + platform: machine +diff --git a/linux_os/guide/system/bootloader-zipl/zipl_vsyscall_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_vsyscall_argument/rule.yml +index 18b7ade460..f79adeb083 100644 +--- a/linux_os/guide/system/bootloader-zipl/zipl_vsyscall_argument/rule.yml ++++ b/linux_os/guide/system/bootloader-zipl/zipl_vsyscall_argument/rule.yml +@@ -8,8 +8,6 @@ description: |- + To disable use of virtual syscalls, + check that all boot entries in /boot/loader/entries/*.conf have vsyscall=none + included in its options.
+- And run zipl command so that /boot/bootmap is updated.

+- + To ensure that new kernels and boot entries continue to disable virtual syscalls, + add vsyscall=none to /etc/kernel/cmdline. + +@@ -26,9 +24,4 @@ ocil: |- +
sudo grep -L "^options\s+.*\bvsyscall=none\b" /boot/loader/entries/*.conf
+ No line should be returned, each line returned is a boot entry that doesn't disable virtual syscalls. + +- And make sure that /boot/bootmap is newer than /boot/loader/entries/*.conf +- and /etc/zipl.conf: +-
find /boot/loader/entries/*.conf /etc/zipl.conf -newer /boot/bootmap
+- No line should be returned, if a line is returned /boot/bootmap needs to be regenerated. +- + platform: machine + +From b9f27383a09afbc6cef61bbbaad0f18f9ebec075 Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Thu, 2 Jul 2020 15:59:31 +0200 +Subject: [PATCH 05/14] zipl_bootmap_is_up_to_date: Add OVAL check + +--- + .../oval/shared.xml | 46 +++++++++++++++++++ + 1 file changed, 46 insertions(+) + create mode 100644 linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/oval/shared.xml + +diff --git a/linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/oval/shared.xml b/linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/oval/shared.xml +new file mode 100644 +index 0000000000..6c446cbe59 +--- /dev/null ++++ b/linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/oval/shared.xml +@@ -0,0 +1,46 @@ ++ ++ ++ ++ Ensure zIPL bootmap is up to date ++ {{{- oval_affected(products) }}} ++ Check if /boot/bootmap is up to date ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ /boot/bootmap ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ /etc/zipl.conf ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ^/boot/loader/entries/.*\.conf$ ++ ++ + +From 97aff87a403f9b319e87967561c43dc99e8a672e Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Thu, 2 Jul 2020 16:15:35 +0200 +Subject: [PATCH 06/14] zipl_bootmap_is_up_to_date: Add mock tests + +These tests mock existence of zIPL files. 
+--- + .../tests/newer_boot_entry.fail.sh | 10 ++++++++++ + .../tests/newer_zipl_conf.fail.sh | 10 ++++++++++ + .../tests/up_to_date.pass.sh | 9 +++++++++ + 3 files changed, 29 insertions(+) + create mode 100644 linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/tests/newer_boot_entry.fail.sh + create mode 100644 linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/tests/newer_zipl_conf.fail.sh + create mode 100644 linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/tests/up_to_date.pass.sh + +diff --git a/linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/tests/newer_boot_entry.fail.sh b/linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/tests/newer_boot_entry.fail.sh +new file mode 100644 +index 0000000000..728c6b7bdb +--- /dev/null ++++ b/linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/tests/newer_boot_entry.fail.sh +@@ -0,0 +1,10 @@ ++#!/bin/bash ++# platform = Red Hat Enterprise Linux 8 ++# remediation = none ++ ++touch /etc/zipl.conf ++touch /boot/loader/entries/*.conf # Update current existing entries ++touch /boot/loader/entries/zipl-entry-1.conf ++touch /boot/bootmap ++sleep 2 ++touch /boot/loader/entries/zipl-entry-2.conf +diff --git a/linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/tests/newer_zipl_conf.fail.sh b/linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/tests/newer_zipl_conf.fail.sh +new file mode 100644 +index 0000000000..1ae4d631ee +--- /dev/null ++++ b/linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/tests/newer_zipl_conf.fail.sh +@@ -0,0 +1,10 @@ ++#!/bin/bash ++# platform = Red Hat Enterprise Linux 8 ++# remediation = none ++ ++touch /boot/loader/entries/*.conf # Update current existing entries ++touch /boot/loader/entries/zipl-entry-1.conf ++touch /boot/loader/entries/zipl-entry-2.conf ++touch /boot/bootmap ++sleep 2 ++touch /etc/zipl.conf +diff --git 
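Review bot: `touch /boot/loader/entries/*.conf` in newer_boot_entry.fail.sh depends on the glob matching something; when /boot/loader/entries is empty or absent, bash passes the pattern through unexpanded and touch creates a file literally named `*.conf` (or fails on the missing directory), and that literal file then satisfies the check's `^/boot/loader/entries/.*\.conf$` pattern, so the outcome depends on the state of the test host. Create the directory and refresh only real entries instead, e.g. `mkdir -p /boot/loader/entries` followed by `find /boot/loader/entries -name '*.conf' -exec touch {} +`. The same line appears in newer_zipl_conf.fail.sh and up_to_date.pass.sh.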
a/linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/tests/up_to_date.pass.sh b/linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/tests/up_to_date.pass.sh +new file mode 100644 +index 0000000000..7981ba8c5c +--- /dev/null ++++ b/linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/tests/up_to_date.pass.sh +@@ -0,0 +1,9 @@ ++#!/bin/bash ++# platform = Red Hat Enterprise Linux 8 ++# remediation = none ++ ++touch /etc/zipl.conf ++touch /boot/loader/entries/*.conf # Update current existing entries ++touch /boot/loader/entries/zipl-entry-1.conf ++touch /boot/loader/entries/zipl-entry-2.conf ++touch /boot/bootmap + +From 180e57bd23154c1ed8dc2575fbf9660c2f83a803 Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Fri, 3 Jul 2020 18:35:06 +0200 +Subject: [PATCH 07/14] zipl_bootmap_is_up_to_date: Add remediations + +--- + .../ansible/shared.yml | 24 +++++++++++++++++++ + .../zipl_bootmap_is_up_to_date/bash/shared.sh | 3 +++ + 2 files changed, 27 insertions(+) + create mode 100644 linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/ansible/shared.yml + create mode 100644 linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/bash/shared.sh + +diff --git a/linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/ansible/shared.yml b/linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/ansible/shared.yml +new file mode 100644 +index 0000000000..e545eacc13 +--- /dev/null ++++ b/linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/ansible/shared.yml +@@ -0,0 +1,24 @@ ++# platform = Red Hat Enterprise Linux 8 ++# reboot = false ++# strategy = configure ++# complexity = low ++# disruption = low ++ ++- name: "Ensure zIPL bootmap is up to date" ++ block: ++ - name: "Obtain stats of /boot/bootmap" ++ stat: ++ path: /boot/bootmap ++ register: boot_bootmap ++ ++ - name: "Obtain stats of /etc/zipl.conf" ++ stat: ++ path: /etc/zipl.conf ++ register: zipl_conf ++ ++ # TODO: handle 
/boot/loader/entries/*.conf
++
++ - name: "Update zIPL bootmap"
++ command: /usr/sbin/zipl
++ changed_when: True
++ when: boot_bootmap.stat.mtime < zipl_conf.stat.mtime
+diff --git a/linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/bash/shared.sh b/linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/bash/shared.sh
+new file mode 100644
+index 0000000000..2cf7e388f0
+--- /dev/null
++++ b/linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/bash/shared.sh
+@@ -0,0 +1,3 @@
++# platform = Red Hat Enterprise Linux 8
++
++/usr/bin/zipl
+
+From 93703727b12a34edb26de25410bf23ff72fead2a Mon Sep 17 00:00:00 2001
+From: Watson Sato
+Date: Wed, 1 Jul 2020 17:16:41 +0200
+Subject: [PATCH 08/14] Select zIPL specific rules in OSPP profile
+
+---
+ rhel8/profiles/ospp.profile | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/rhel8/profiles/ospp.profile b/rhel8/profiles/ospp.profile
+index 07d32b814d..80e4b71fff 100644
+--- a/rhel8/profiles/ospp.profile
++++ b/rhel8/profiles/ospp.profile
+@@ -415,3 +415,7 @@ selections:
+ - ssh_client_rekey_limit
+ - var_ssh_client_rekey_limit_size=1G
+ - var_ssh_client_rekey_limit_time=1hour
++
++ # zIPl specific rules
++ - zipl_bls_entries_only
++ - zipl_bootmap_is_up_to_date
+
+From 260891e9b2f38d50fadf9eaacd9ee9ca98c977ee Mon Sep 17 00:00:00 2001
+From: Watson Sato
+Date: Wed, 8 Jul 2020 14:03:21 +0200
+Subject: [PATCH 09/14] Fix path to zipl binary in Bash remediation
+
+---
+ .../bootloader-zipl/zipl_bootmap_is_up_to_date/bash/shared.sh | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/bash/shared.sh b/linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/bash/shared.sh
+index 2cf7e388f0..2310ca060d 100644
+--- a/linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/bash/shared.sh
++++ b/linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/bash/shared.sh
+@@ -1,3 +1,3 @@
+ #
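Review bot: `when: boot_bootmap.stat.mtime < zipl_conf.stat.mtime` errors out with an undefined attribute when either file is missing, because `stat` only reports `mtime` for paths that exist, and the `# TODO: handle /boot/loader/entries/*.conf` leaves exactly the case the OVAL check and the newer_boot_entry test exercise unremediated: a boot entry newer than /boot/bootmap still fails after this playbook runs. Gather the entries with the `find` module and fold their mtimes into the condition, treating a missing bootmap as stale. The expression below is a sketch; it assumes `find` reports `mtime` per file, which I believe it does.
```yaml
    # … unchanged: stat tasks for /boot/bootmap and /etc/zipl.conf …

    - name: "Find BLS boot entries"
      find:
        paths: /boot/loader/entries
        patterns: '*.conf'
      register: boot_entries

    - name: "Update zIPL bootmap"
      command: /usr/sbin/zipl
      changed_when: True
      when: >-
        not boot_bootmap.stat.exists
        or (zipl_conf.stat.exists and boot_bootmap.stat.mtime < zipl_conf.stat.mtime)
        or ((boot_entries.files | map(attribute='mtime') | list) + [0]) | max > boot_bootmap.stat.mtime
```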
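Review bot: The comment `# zIPl specific rules` in ospp.profile misspells the bootloader name; `# zIPL specific rules` matches the spelling used in the rule titles and commit subjects of this series. The comment is the only explanation of why these two selections sit outside the alphabetical order of the list, so it is worth keeping accurate.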
platform = Red Hat Enterprise Linux 8 + +-/usr/bin/zipl ++/usr/sbin/zipl + +From 46d2b1584cf769ae8dbaaa2657541bd0db056a9c Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Wed, 8 Jul 2020 14:06:22 +0200 +Subject: [PATCH 10/14] zipl_bls_entries_only: there can be leading spaces + +There can be leading spaces before 'image'. +--- + .../bootloader-zipl/zipl_bls_entries_only/oval/shared.xml | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/linux_os/guide/system/bootloader-zipl/zipl_bls_entries_only/oval/shared.xml b/linux_os/guide/system/bootloader-zipl/zipl_bls_entries_only/oval/shared.xml +index 41e9773814..f68d91c128 100644 +--- a/linux_os/guide/system/bootloader-zipl/zipl_bls_entries_only/oval/shared.xml ++++ b/linux_os/guide/system/bootloader-zipl/zipl_bls_entries_only/oval/shared.xml +@@ -20,7 +20,7 @@ + + ^/etc/zipl.conf$ +- ^image\s*=.*$ ++ ^\s*image\s*=.*$ + 1 + + + +From 0a89ed181803c15e3b73cfb2e13f0ec1cb7689ad Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Wed, 8 Jul 2020 14:10:22 +0200 +Subject: [PATCH 11/14] zipl_bls_entries_only: check file /etc/zipl.conf + +There is no need to perform pattern match, the check just needs to +examine /etc/zipl.conf file. 
+--- + .../bootloader-zipl/zipl_bls_entries_only/oval/shared.xml | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/linux_os/guide/system/bootloader-zipl/zipl_bls_entries_only/oval/shared.xml b/linux_os/guide/system/bootloader-zipl/zipl_bls_entries_only/oval/shared.xml +index f68d91c128..1ebf03ee37 100644 +--- a/linux_os/guide/system/bootloader-zipl/zipl_bls_entries_only/oval/shared.xml ++++ b/linux_os/guide/system/bootloader-zipl/zipl_bls_entries_only/oval/shared.xml +@@ -19,7 +19,7 @@ + + +- ^/etc/zipl.conf$ ++ /etc/zipl.conf + ^\s*image\s*=.*$ + 1 + + +From 699d5f5bd3075e019387e6fb6b3af81182987c43 Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Wed, 8 Jul 2020 14:13:26 +0200 +Subject: [PATCH 12/14] Add CCE identifiers to bootmap and bls only rules + +Add RHEL-8 CCE identifiers for: +- zipl_bls_entries_only +- zipl_bootmap_is_up_to_date +--- + .../system/bootloader-zipl/zipl_bls_entries_only/rule.yml | 3 +++ + .../system/bootloader-zipl/zipl_bootmap_is_up_to_date/rule.yml | 3 +++ + 3 files changed, 6 insertions(+), 2 deletions(-) + +diff --git a/linux_os/guide/system/bootloader-zipl/zipl_bls_entries_only/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_bls_entries_only/rule.yml +index f792c5257f..67cc061ce3 100644 +--- a/linux_os/guide/system/bootloader-zipl/zipl_bls_entries_only/rule.yml ++++ b/linux_os/guide/system/bootloader-zipl/zipl_bls_entries_only/rule.yml +@@ -14,6 +14,9 @@ rationale: |- + + severity: medium + ++identifiers: ++ cce@rhel8: 83485-3 ++ + ocil_clause: 'a non BLS boot entry is configured' + + ocil: |- +diff --git a/linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/rule.yml +index 082562d11e..da9411d00b 100644 +--- a/linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/rule.yml ++++ b/linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/rule.yml +@@ -16,6 +16,9 @@ rationale: |- + + severity: medium + 
++identifiers: ++ cce@rhel8: 83486-1 ++ + ocil_clause: 'the bootmap is outdated' + + ocil: |- + +From 2ebc3d188e4c243d8e60a9e669d5b661b77f2301 Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Wed, 8 Jul 2020 14:16:58 +0200 +Subject: [PATCH 13/14] Incorporate OSPP selection changes to profile test + +Update the profile reference file. +--- + tests/data/profile_stability/rhel8/ospp.profile | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/tests/data/profile_stability/rhel8/ospp.profile b/tests/data/profile_stability/rhel8/ospp.profile +index b0d7672c36..08dcccf24c 100644 +--- a/tests/data/profile_stability/rhel8/ospp.profile ++++ b/tests/data/profile_stability/rhel8/ospp.profile +@@ -213,6 +213,8 @@ selections: + - sysctl_user_max_user_namespaces + - timer_dnf-automatic_enabled + - usbguard_allow_hid_and_hub ++- zipl_bls_entries_only ++- zipl_bootmap_is_up_to_date + - var_sshd_set_keepalive=0 + - var_rekey_limit_size=1G + - var_rekey_limit_time=1hour + +From 33bae25bd543880315433925214868917ec8e399 Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Wed, 8 Jul 2020 15:28:09 +0200 +Subject: [PATCH 14/14] Unselect zIPL rules from STIG Profile + +The zIPL rules are inherited from OSPP profile +--- + rhel8/profiles/stig.profile | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/rhel8/profiles/stig.profile b/rhel8/profiles/stig.profile +index 8f12852e26..cfc2160be1 100644 +--- a/rhel8/profiles/stig.profile ++++ b/rhel8/profiles/stig.profile +@@ -45,3 +45,7 @@ selections: + - rsyslog_remote_tls + - rsyslog_remote_tls_cacert + - "!ssh_client_rekey_limit" ++ ++ # Unselect zIPL rules from OSPP ++ - "!zipl_bls_entries_only" ++ - "!zipl_bootmap_is_up_to_date" diff --git a/SOURCES/scap-security-guide-0.1.53-add-ansible-platform_PR_6025.patch b/SOURCES/scap-security-guide-0.1.53-add-ansible-platform_PR_6025.patch new file mode 100644 index 0000000..9154e40 --- /dev/null +++ b/SOURCES/scap-security-guide-0.1.53-add-ansible-platform_PR_6025.patch 
@@ -0,0 +1,280 @@ +From 844be904d8de624abe9bbe620d7a06417dfff842 Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Thu, 27 Aug 2020 13:19:01 +0200 +Subject: [PATCH 1/5] Align Ansible task applicability with CPE platform + +Adds a when clause to Ansible snippets of rules with Package CPE platform. + +If the when clause is added, a fact_packages Task needs to added as +well. +--- + ssg/build_remediations.py | 52 ++++++++++++++++++++++++++++++++++++--- + 1 file changed, 49 insertions(+), 3 deletions(-) + +diff --git a/ssg/build_remediations.py b/ssg/build_remediations.py +index a9ef3014ac..597aed5889 100644 +--- a/ssg/build_remediations.py ++++ b/ssg/build_remediations.py +@@ -6,8 +6,7 @@ + import os.path + import re + import codecs +-from collections import defaultdict, namedtuple +- ++from collections import defaultdict, namedtuple, OrderedDict + + import ssg.yaml + from . import build_yaml +@@ -343,11 +342,46 @@ def _get_rule_reference(self, ref_class): + else: + return [] + ++ def inject_package_facts_task(self, parsed_snippet): ++ """ Injects a package_facts task only if ++ the snippet has a task with a when clause with ansible_facts.packages, ++ and the snippet doesn't already have an package_facts task ++ """ ++ has_package_facts_task = False ++ has_ansible_facts_packages_clause = False ++ ++ for p_task in parsed_snippet: ++ # We are only interested in the OrderedDicts, which represent Ansible tasks ++ if not isinstance(p_task, dict): ++ continue ++ ++ if "package_facts" in p_task: ++ has_package_facts_task = True ++ ++ if "ansible_facts.packages" in p_task.get("when", ""): ++ has_ansible_facts_packages_clause = True ++ ++ if has_ansible_facts_packages_clause and not has_package_facts_task: ++ facts_task = OrderedDict({'name': 'Gather the package facts', ++ 'package_facts': {'manager': 'auto'}}) ++ parsed_snippet.insert(0, facts_task) ++ + def update_when_from_rule(self, to_update): + additional_when = "" +- if self.associated_rule.platform == "machine": +- 
additional_when = ('ansible_virtualization_role != "guest" ' +- 'or ansible_virtualization_type != "docker"') ++ rule_platform = self.associated_rule.platform ++ if rule_platform == "machine": ++ additional_when = 'ansible_virtualization_type not in ["docker", "lxc", "openvz"]' ++ elif rule_platform is not None: ++ # Assume any other platform is a Package CPE ++ ++ # It doesn't make sense to add a conditional on the task that ++ # gathers data for the conditional ++ if "package_facts" in to_update: ++ return ++ ++ additional_when = '"' + rule_platform + '" in ansible_facts.packages' ++ # After adding the conditional, we need to make sure package_facts are collected. ++ # This is done via inject_package_facts_task() + to_update.setdefault("when", "") + new_when = ssg.yaml.update_yaml_list_or_string(to_update["when"], additional_when) + if not new_when: +@@ -355,10 +390,21 @@ def update_when_from_rule(self, to_update): + to_update["when"] = new_when + + def update(self, parsed, config): ++ # We split the remediation update in three steps ++ ++ # 1. Update the when clause + for p in parsed: + if not isinstance(p, dict): + continue + self.update_when_from_rule(p) ++ ++ # 2. Inject any extra task necessary ++ self.inject_package_facts_task(parsed) ++ ++ # 3. Add tags to all tasks, including the ones we have injected ++ for p in parsed: ++ if not isinstance(p, dict): ++ continue + self.update_tags_from_config(p, config) + self.update_tags_from_rule(p) + + +From 60e5723e0e35ec8d79bafdd113f04691e61738e7 Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Thu, 27 Aug 2020 17:09:06 +0200 +Subject: [PATCH 2/5] Add inherited_platform to Rule + +This field is exported to the rule when it is resolved. 
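Review bot: The `elif rule_platform is not None` branch in `update_when_from_rule` uses the platform name itself as the package to look for, but the first patch file of this series registers a `zipl` platform whose OVAL check is the s390utils-base package, so a rule on that platform would get `"zipl" in ansible_facts.packages`, which is false even where zIPL is installed, and its tasks would be skipped without any error. A platform-to-package map consulted before the clause is built (the Bash counterpart in a later patch file reads `platform_package_overrides` from the env yaml) would close that gap; the following patch file's name suggests this is addressed there, but the assumption deserves a comment here either way. The machine clause `ansible_virtualization_type not in ["docker", "lxc", "openvz"]` also omits other container runtimes — recent Ansible reports podman containers with their own type value, as far as I know — so those would still run machine-only tasks; worth confirming. `update_when_from_rule` has no docstring; suggest `"""Append the platform-derived conditional (machine or Package CPE) to a task's when clause."""`.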
+--- + ssg/build_yaml.py | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/ssg/build_yaml.py b/ssg/build_yaml.py +index 4ba114eee4..fe290ffc05 100644 +--- a/ssg/build_yaml.py ++++ b/ssg/build_yaml.py +@@ -832,6 +832,7 @@ class Rule(object): + "conflicts": lambda: list(), + "requires": lambda: list(), + "platform": lambda: None, ++ "inherited_platforms": lambda: list(), + "template": lambda: None, + } + +@@ -851,6 +852,7 @@ def __init__(self, id_): + self.requires = [] + self.conflicts = [] + self.platform = None ++ self.inherited_platforms = [] # platforms inherited from the group + self.template = None + + @classmethod +@@ -1293,6 +1295,9 @@ def _process_rules(self): + continue + self.all_rules.add(rule) + self.loaded_group.add_rule(rule) ++ ++ rule.inherited_platforms.append(self.loaded_group.platform) ++ + if self.resolved_rules_dir: + output_for_rule = os.path.join( + self.resolved_rules_dir, "{id_}.yml".format(id_=rule.id_)) + +From 3a0bb0d2981670e90a8eaca53b28e1a6f7cc29d6 Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Thu, 27 Aug 2020 17:21:35 +0200 +Subject: [PATCH 3/5] Add when clauses for inherited platforms too + +Consider the Rule's Group platform while including 'when' clauses to +Ansible snippets. + +Some rules have two platforms, a machine platform and a package +platform. One of them is represented of the Rule, and the other is +represented in the Rule's Group. + +The platforms are organized like this to due limiation in XCCDF, +multiple platforms in a Rule are ORed, not ANDed. 
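Review bot: `rule.inherited_platforms.append(self.loaded_group.platform)` appends `None` whenever the group defines no platform, so every consumer has to filter it out (as the `elif platform is not None` in the remediation code does); guarding it with `if self.loaded_group.platform is not None:` keeps the exported rule YAML clean. Only the directly enclosing group is consulted — whether platforms of ancestor groups should be inherited as well cannot be judged from this hunk, and a one-line comment stating the intended scope would help. `_process_rules` begins outside the hunk.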
+--- + ssg/build_remediations.py | 44 ++++++++++++++++++++++++--------------- + 1 file changed, 27 insertions(+), 17 deletions(-) + +diff --git a/ssg/build_remediations.py b/ssg/build_remediations.py +index 597aed5889..a2a996d0af 100644 +--- a/ssg/build_remediations.py ++++ b/ssg/build_remediations.py +@@ -358,8 +358,13 @@ def inject_package_facts_task(self, parsed_snippet): + if "package_facts" in p_task: + has_package_facts_task = True + +- if "ansible_facts.packages" in p_task.get("when", ""): +- has_ansible_facts_packages_clause = True ++ # When clause of the task can be string or a list, lets normalize to list ++ task_when = p_task.get("when", "") ++ if type(task_when) is str: ++ task_when = [ task_when ] ++ for when in task_when: ++ if "ansible_facts.packages" in when: ++ has_ansible_facts_packages_clause = True + + if has_ansible_facts_packages_clause and not has_package_facts_task: + facts_task = OrderedDict({'name': 'Gather the package facts', +@@ -367,21 +372,26 @@ def inject_package_facts_task(self, parsed_snippet): + parsed_snippet.insert(0, facts_task) + + def update_when_from_rule(self, to_update): +- additional_when = "" +- rule_platform = self.associated_rule.platform +- if rule_platform == "machine": +- additional_when = 'ansible_virtualization_type not in ["docker", "lxc", "openvz"]' +- elif rule_platform is not None: +- # Assume any other platform is a Package CPE +- +- # It doesn't make sense to add a conditional on the task that +- # gathers data for the conditional +- if "package_facts" in to_update: +- return +- +- additional_when = '"' + rule_platform + '" in ansible_facts.packages' +- # After adding the conditional, we need to make sure package_facts are collected. 
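Review bot: `if type(task_when) is str:` misses `unicode` values under Python 2, which this build code still supports (a later patch in this series is titled "Fix python2 compat"), and PyYAML returns `unicode` for a when clause containing any non-ASCII character; such a value falls through to `for when in task_when`, which then iterates its characters, so the package_facts task is never injected for that snippet. Normalise on the container type instead: `if not isinstance(task_when, list): task_when = [task_when]`. `inject_package_facts_task` starts outside the hunk.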
+- # This is done via inject_package_facts_task() ++ additional_when = [] ++ ++ rule_platforms = set([self.associated_rule.platform] + ++ self.associated_rule.inherited_platforms) ++ ++ for platform in rule_platforms: ++ if platform == "machine": ++ additional_when.append('ansible_virtualization_type not in ["docker", "lxc", "openvz"]') ++ elif platform is not None: ++ # Assume any other platform is a Package CPE ++ ++ # It doesn't make sense to add a conditional on the task that ++ # gathers data for the conditional ++ if "package_facts" in to_update: ++ continue ++ ++ additional_when.append('"' + platform + '" in ansible_facts.packages') ++ # After adding the conditional, we need to make sure package_facts are collected. ++ # This is done via inject_package_facts_task() ++ + to_update.setdefault("when", "") + new_when = ssg.yaml.update_yaml_list_or_string(to_update["when"], additional_when) + if not new_when: + +From 99c92e39bccc3fcfadca41096e66ca146137b207 Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Mon, 31 Aug 2020 16:06:14 +0200 +Subject: [PATCH 4/5] Improve inherihted and rule's platforms handling + +Add a quick comment too. 
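Review bot: `for platform in rule_platforms:` iterates a `set` of strings, whose order depends on the per-process hash seed on Python 3, so the order of the generated `when` entries — and therefore the built content — can differ from one build to the next and defeats reproducible-build comparisons of the output. Iterate a sorted view instead, e.g. `for platform in sorted(rule_platforms, key=str):`, which also tolerates the `None` entry the guard below already handles. The same pattern recurs in the next patch of this series (the `rule_platforms = set(...)` rewrite) and in the Bash `parse_from_file_with_jinja` wrapper in the following patch file, where it decides the order of the `&&`-joined shell conditions.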
+--- + ssg/build_remediations.py | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/ssg/build_remediations.py b/ssg/build_remediations.py +index a2a996d0af..9e622ef740 100644 +--- a/ssg/build_remediations.py ++++ b/ssg/build_remediations.py +@@ -374,8 +374,9 @@ def inject_package_facts_task(self, parsed_snippet): + def update_when_from_rule(self, to_update): + additional_when = [] + +- rule_platforms = set([self.associated_rule.platform] + +- self.associated_rule.inherited_platforms) ++ # There can be repeated inherited platforms and rule platforms ++ rule_platforms = set(self.associated_rule.inherited_platforms) ++ rule_platforms.add(self.associated_rule.platform) + + for platform in rule_platforms: + if platform == "machine": + +From 596da9993edfbd244cbaa6d797abbd68b2e82185 Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Mon, 31 Aug 2020 16:10:53 +0200 +Subject: [PATCH 5/5] Code style and grammar changes + +--- + ssg/build_remediations.py | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/ssg/build_remediations.py b/ssg/build_remediations.py +index 9e622ef740..866450dd8c 100644 +--- a/ssg/build_remediations.py ++++ b/ssg/build_remediations.py +@@ -345,7 +345,7 @@ def _get_rule_reference(self, ref_class): + def inject_package_facts_task(self, parsed_snippet): + """ Injects a package_facts task only if + the snippet has a task with a when clause with ansible_facts.packages, +- and the snippet doesn't already have an package_facts task ++ and the snippet doesn't already have a package_facts task + """ + has_package_facts_task = False + has_ansible_facts_packages_clause = False +@@ -361,7 +361,7 @@ def inject_package_facts_task(self, parsed_snippet): + # When clause of the task can be string or a list, lets normalize to list + task_when = p_task.get("when", "") + if type(task_when) is str: +- task_when = [ task_when ] ++ task_when = [task_when] + for when in task_when: + if "ansible_facts.packages" in when: + 
has_ansible_facts_packages_clause = True diff --git a/SOURCES/scap-security-guide-0.1.53-add-bash-platform_PR_6061.patch b/SOURCES/scap-security-guide-0.1.53-add-bash-platform_PR_6061.patch new file mode 100644 index 0000000..f1510d8 --- /dev/null +++ b/SOURCES/scap-security-guide-0.1.53-add-bash-platform_PR_6061.patch 
@@ -0,0 +1,241 @@ +From c05cce1a4a5eb95be857b07948fda0c95cdaa106 Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Tue, 8 Sep 2020 14:36:07 +0200 +Subject: [PATCH 1/5] Align Bash applicability with CPE platform + +Wraps the remediation of rules with Packager CPE Platform +with an if condition that checks for the respective +platforms's package. +--- + ssg/build_remediations.py | 45 +++++++++++++++++++++++++++++++++++++++ + 1 file changed, 45 insertions(+) + +diff --git a/ssg/build_remediations.py b/ssg/build_remediations.py +index ccbdf9fc1f..2d4a805e78 100644 +--- a/ssg/build_remediations.py ++++ b/ssg/build_remediations.py +@@ -27,6 +27,13 @@ + 'kubernetes': '.yml' + } + ++PKG_MANAGER_TO_PACKAGE_CHECK_COMMAND = { ++ 'apt_get': 'dpkg-query -s {} &>/dev/null', ++ 'dnf': 'rpm --quiet -q {}', ++ 'yum': 'rpm --quiet -q {}', ++ 'zypper': 'rpm --quiet -q {}', ++} ++ + FILE_GENERATED_HASH_COMMENT = '# THIS FILE IS GENERATED' + + REMEDIATION_CONFIG_KEYS = ['complexity', 'disruption', 'platform', 'reboot', +@@ -262,6 +269,44 @@ class BashRemediation(Remediation): + def __init__(self, file_path): + super(BashRemediation, self).__init__(file_path, "bash") + ++ def parse_from_file_with_jinja(self, env_yaml): ++ self.local_env_yaml.update(env_yaml) ++ result = super(BashRemediation, self).parse_from_file_with_jinja(self.local_env_yaml) ++ ++ # There can be repeated inherited platforms and rule platforms ++ rule_platforms = set(self.associated_rule.inherited_platforms) ++ rule_platforms.add(self.associated_rule.platform) ++ ++ platform_conditionals = [] ++ for platform in rule_platforms: ++ if platform == "machine": ++ # Based on check installed_env_is_a_container ++ platform_conditionals.append('[ ! -f /.dockerenv -a ! 
-f /run/.containerenv ]') ++ elif platform is not None: ++ # Assume any other platform is a Package CPE ++ ++ # Some package names are different from the platform names ++ if platform in self.local_env_yaml["platform_package_overrides"]: ++ platform = self.local_env_yaml["platform_package_overrides"].get(platform) ++ ++ # Adjust package check command according to the pkg_manager ++ pkg_manager = self.local_env_yaml["pkg_manager"] ++ pkg_check_command = PKG_MANAGER_TO_PACKAGE_CHECK_COMMAND[pkg_manager] ++ platform_conditionals.append(pkg_check_command.format(platform)) ++ ++ if platform_conditionals: ++ platform_fix_text = "# Remediation is applicable only in certain platforms\n" ++ ++ cond = platform_conditionals.pop(0) ++ platform_fix_text += "if {}".format(cond) ++ for cond in platform_conditionals: ++ platform_fix_text += " && {}".format(cond) ++ platform_fix_text += '; then\n{}\nelse\necho "Remediation is not applicable, nothing was done"\nfi'.format(result.contents) ++ ++ remediation = namedtuple('remediation', ['contents', 'config']) ++ result = remediation(contents=platform_fix_text, config=result.config) ++ ++ return result + + class AnsibleRemediation(Remediation): + def __init__(self, file_path): + +From 19e0c3b709e091159655d37b8ce5d693750f0a81 Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Tue, 8 Sep 2020 14:41:01 +0200 +Subject: [PATCH 2/5] Handle Bash platform wrapping in xccdf expansion + +Adjust expansion of subs and variables not to remove the whole beginning +of the fix test. This was removing the package conditional wrapping. 
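Review bot: `pkg_check_command.format(platform)` splices the platform name straight into the generated shell `if` line without validation, so a platform value containing shell metacharacters — a typo in content or a bad override entry — ends up as executable text in every remediation built from it instead of failing the build. Reject anything outside a conservative package-name alphabet before formatting, e.g. `if not re.match(r'^[A-Za-z0-9._+-]+$', platform): raise ValueError("Unexpected platform name: %s" % platform)` (`re` is already imported in this module). The machine condition `[ ! -f /.dockerenv -a ! -f /run/.containerenv ]` uses the obsolescent `-a` operator; `[ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]` is equivalent and portable. `PKG_MANAGER_TO_PACKAGE_CHECK_COMMAND[pkg_manager]` raises a bare KeyError for an unsupported pkg_manager; a message naming the manager and the remediation file would make that build failure actionable.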
+--- + ssg/build_remediations.py | 21 ++++++++++++--------- + 1 file changed, 12 insertions(+), 9 deletions(-) + +diff --git a/ssg/build_remediations.py b/ssg/build_remediations.py +index 2d4a805e78..49ec557000 100644 +--- a/ssg/build_remediations.py ++++ b/ssg/build_remediations.py +@@ -736,14 +736,16 @@ def expand_xccdf_subs(fix, remediation_type, remediation_functions): + patcomp = re.compile(pattern, re.DOTALL) + fixparts = re.split(patcomp, fix.text) + if fixparts[0] is not None: +- # Split the portion of fix.text from fix start to first call of +- # remediation function, keeping only the third part: +- # * tail to hold part of the fix.text after inclusion, +- # but before first call of remediation function ++ # Split the portion of fix.text at the string remediation_functions, ++ # and remove preceeding comment whenever it is there. ++ # * head holds part of the fix.text before ++ # remediation_functions string ++ # * tail holds part of the fix.text after the ++ # remediation_functions string + try: +- rfpattern = '(.*remediation_functions)(.*)' +- rfpatcomp = re.compile(rfpattern, re.DOTALL) +- _, _, tail, _ = re.split(rfpatcomp, fixparts[0], maxsplit=2) ++ rfpattern = r'((?:# Include source function library\.\n)?.*remediation_functions)' ++ rfpatcomp = re.compile(rfpattern) ++ head, _, tail = re.split(rfpatcomp, fixparts[0], maxsplit=1) + except ValueError: + sys.stderr.write("Processing fix.text for: %s rule\n" + % fix.get('rule')) +@@ -751,9 +753,10 @@ def expand_xccdf_subs(fix, remediation_type, remediation_functions): + "after inclusion of remediation functions." + " Aborting..\n") + sys.exit(1) +- # If the 'tail' is not empty, make it new fix.text. ++ # If the 'head' is not empty, make it new fix.text. 
+ # Otherwise use '' +- fix.text = tail if tail is not None else '' ++ fix.text = head if head is not None else '' ++ fix.text += tail if tail is not None else '' + # Drop the first element of 'fixparts' since it has been processed + fixparts.pop(0) + # Perform sanity check on new 'fixparts' list content (to continue + +From 1292b93dc35a9a308464f1effb7f10f8de6db457 Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Tue, 8 Sep 2020 20:56:17 +0200 +Subject: [PATCH 3/5] Check if remediation has associated rule before use + +--- + ssg/build_remediations.py | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +diff --git a/ssg/build_remediations.py b/ssg/build_remediations.py +index 49ec557000..85f7139d8f 100644 +--- a/ssg/build_remediations.py ++++ b/ssg/build_remediations.py +@@ -273,9 +273,11 @@ def parse_from_file_with_jinja(self, env_yaml): + self.local_env_yaml.update(env_yaml) + result = super(BashRemediation, self).parse_from_file_with_jinja(self.local_env_yaml) + +- # There can be repeated inherited platforms and rule platforms +- rule_platforms = set(self.associated_rule.inherited_platforms) +- rule_platforms.add(self.associated_rule.platform) ++ rule_platforms = set() ++ if self.associated_rule: ++ # There can be repeated inherited platforms and rule platforms ++ rule_platforms.update(self.associated_rule.inherited_platforms) ++ rule_platforms.add(self.associated_rule.platform) + + platform_conditionals = [] + for platform in rule_platforms: + +From 7953a02e61bb56b501c56f46972247751292dcbb Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Thu, 10 Sep 2020 10:59:43 +0200 +Subject: [PATCH 4/5] Fix python2 compat and improve code readability + +--- + ssg/build_remediations.py | 29 ++++++++++++++++++----------- + 1 file changed, 18 insertions(+), 11 deletions(-) + +diff --git a/ssg/build_remediations.py b/ssg/build_remediations.py +index 85f7139d8f..673d6d0cc6 100644 +--- a/ssg/build_remediations.py ++++ b/ssg/build_remediations.py +@@ -28,10 +28,10 
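Review bot: The comment `# and remove preceeding comment whenever it is there.` misspells "preceding", and the new `rfpatcomp` is compiled without `re.DOTALL` while the surrounding comments still speak of splitting "the portion of fix.text" as if it spanned lines; I read the dropped flag as deliberate, and a one-line note such as `# no DOTALL: the match must stay on the line that mentions remediation_functions` would make that intent explicit for the next maintainer. `expand_xccdf_subs` starts outside the hunk.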
@@ + } + + PKG_MANAGER_TO_PACKAGE_CHECK_COMMAND = { +- 'apt_get': 'dpkg-query -s {} &>/dev/null', +- 'dnf': 'rpm --quiet -q {}', +- 'yum': 'rpm --quiet -q {}', +- 'zypper': 'rpm --quiet -q {}', ++ 'apt_get': 'dpkg-query -s {0} &>/dev/null', ++ 'dnf': 'rpm --quiet -q {0}', ++ 'yum': 'rpm --quiet -q {0}', ++ 'zypper': 'rpm --quiet -q {0}', + } + + FILE_GENERATED_HASH_COMMENT = '# THIS FILE IS GENERATED' +@@ -297,16 +297,23 @@ def parse_from_file_with_jinja(self, env_yaml): + platform_conditionals.append(pkg_check_command.format(platform)) + + if platform_conditionals: +- platform_fix_text = "# Remediation is applicable only in certain platforms\n" ++ wrapped_fix_text = ["# Remediation is applicable only in certain platforms"] + +- cond = platform_conditionals.pop(0) +- platform_fix_text += "if {}".format(cond) +- for cond in platform_conditionals: +- platform_fix_text += " && {}".format(cond) +- platform_fix_text += '; then\n{}\nelse\necho "Remediation is not applicable, nothing was done"\nfi'.format(result.contents) ++ all_conditions = " && ".join(platform_conditionals) ++ wrapped_fix_text.append("if {0}; then".format(all_conditions)) ++ ++ # Avoid adding extra blank line ++ if not result.contents.startswith("\n"): ++ wrapped_fix_text.append("") ++ ++ wrapped_fix_text.append("{0}".format(result.contents)) ++ wrapped_fix_text.append("") ++ wrapped_fix_text.append("else") ++ wrapped_fix_text.append(" >&2 echo 'Remediation is not applicable, nothing was done'") ++ wrapped_fix_text.append("fi") + + remediation = namedtuple('remediation', ['contents', 'config']) +- result = remediation(contents=platform_fix_text, config=result.config) ++ result = remediation(contents="\n".join(wrapped_fix_text), config=result.config) + + return result + + +From 0bd3912651367c64789bb3d67b44c3b8848708c0 Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Thu, 10 Sep 2020 17:25:27 +0200 +Subject: [PATCH 5/5] Document the perils of indenting wrapped Bash fixes + +--- + 
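Review bot: The `apt_get` entry of `PKG_MANAGER_TO_PACKAGE_CHECK_COMMAND`, `dpkg-query -s {0} &>/dev/null`, is carried over unchanged by the `{}` to `{0}` edit, but `dpkg-query -s` exits 0 for any package known to the dpkg database, including one that was removed but not purged (status `deinstall ok config-files`), so the generated `if` gate can run a remediation on a Debian-family host where the platform package is no longer installed. A status-based test closes that gap: `'apt_get': "dpkg-query -W -f='${{Status}}' {0} 2>/dev/null | grep -q 'install ok installed'"` (braces doubled because the string goes through `str.format`). The rpm-based entries are fine, since `rpm -q` only reports installed packages. This is a claim about dpkg behaviour rather than about the visible lines, so it is worth confirming on a Debian host before changing.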
ssg/build_remediations.py | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/ssg/build_remediations.py b/ssg/build_remediations.py +index 673d6d0cc6..f269d4d2d6 100644 +--- a/ssg/build_remediations.py ++++ b/ssg/build_remediations.py +@@ -306,6 +306,9 @@ def parse_from_file_with_jinja(self, env_yaml): + if not result.contents.startswith("\n"): + wrapped_fix_text.append("") + ++ # It is possible to indent the original body of the remediation with textwrap.indent(), ++ # however, it is not supported by python2, and there is a risk of breaking remediations ++ # For example, remediations with a here-doc block could be affected. + wrapped_fix_text.append("{0}".format(result.contents)) + wrapped_fix_text.append("") + wrapped_fix_text.append("else") diff --git a/SOURCES/scap-security-guide-0.1.53-add-platform-to-package-mapping_PR_6047.patch b/SOURCES/scap-security-guide-0.1.53-add-platform-to-package-mapping_PR_6047.patch new file mode 100644 index 0000000..d8fc95c --- /dev/null +++ b/SOURCES/scap-security-guide-0.1.53-add-platform-to-package-mapping_PR_6047.patch 
@@ -0,0 +1,203 @@ +From 7c0b04c157374e9251360d1d5e12a9e00dd4375e Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Fri, 4 Sep 2020 09:50:54 +0200 +Subject: [PATCH 1/3] Introduce platform_package_overrides + +Introduce a mapping of CPE package platform name to a package name. + +Each linux distro or version may have its specific name for a package, +this mapping allows a product to override the package name of a +platorm. + +By default, it assumes that the package name will be the same as the +platform name. +--- + rhel8/product.yml | 7 +++++++ + ssg/build_remediations.py | 3 +++ + 2 files changed, 10 insertions(+) + +diff --git a/rhel8/product.yml b/rhel8/product.yml +index 6cdc51919e..6b5b4e2748 100644 +--- a/rhel8/product.yml ++++ b/rhel8/product.yml +@@ -18,3 +18,10 @@ aux_pkg_version: "d4082792" + + release_key_fingerprint: "567E347AD0044ADE55BA8A5F199E2F91FD431D51" + auxiliary_key_fingerprint: "6A6AA7C97C8890AEC6AEBFE2F76F66C3D4082792" ++ ++# Mapping of CPE platform to package ++platform_package_overrides: ++ grub2: "grub2-pc" ++ login_defs: "shadow-utils" ++ sssd: "sssd-common" ++ zipl: "s390x-utils" +diff --git a/ssg/build_remediations.py b/ssg/build_remediations.py +index 866450dd8c..ccbdf9fc1f 100644 +--- a/ssg/build_remediations.py ++++ b/ssg/build_remediations.py +@@ -389,6 +389,9 @@ def update_when_from_rule(self, to_update): + if "package_facts" in to_update: + continue + ++ if platform in self.local_env_yaml["platform_package_overrides"]: ++ platform = self.local_env_yaml["platform_package_overrides"].get(platform) ++ + additional_when.append('"' + platform + '" in ansible_facts.packages') + # After adding the conditional, we need to make sure package_facts are collected. 
+ # This is done via inject_package_facts_task() + +From 10dc62084cf8e38be9189b527c3b99b545826091 Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Fri, 4 Sep 2020 14:42:57 +0200 +Subject: [PATCH 2/3] Move platform to cpe mappings to ssg/constants + +--- + rhel8/product.yml | 6 ------ + ssg/constants.py | 8 ++++++++ + 2 files changed, 8 insertions(+), 6 deletions(-) + +diff --git a/rhel8/product.yml b/rhel8/product.yml +index 6b5b4e2748..d839b23231 100644 +--- a/rhel8/product.yml ++++ b/rhel8/product.yml +@@ -19,9 +19,3 @@ aux_pkg_version: "d4082792" + release_key_fingerprint: "567E347AD0044ADE55BA8A5F199E2F91FD431D51" + auxiliary_key_fingerprint: "6A6AA7C97C8890AEC6AEBFE2F76F66C3D4082792" + +-# Mapping of CPE platform to package +-platform_package_overrides: +- grub2: "grub2-pc" +- login_defs: "shadow-utils" +- sssd: "sssd-common" +- zipl: "s390x-utils" +diff --git a/ssg/constants.py b/ssg/constants.py +index 3f9d7d37ce..7e9678241c 100644 +--- a/ssg/constants.py ++++ b/ssg/constants.py +@@ -501,6 +501,14 @@ + "zipl": "cpe:/a:zipl", + } + ++# Default platform to package mapping ++XCCDF_PLATFORM_TO_PACKAGE = { ++ "grub2": "grub2-pc", ++ "login_defs": "login", ++ "sssd": "sssd-common", ++ "zipl": "s390x-utils", ++} ++ + # _version_name_map = { + MAKEFILE_ID_TO_PRODUCT_MAP = { + 'chromium': 'Google Chromium Browser', + +From feb012f06adae989138be15431020f2c174becc4 Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Fri, 4 Sep 2020 14:47:29 +0200 +Subject: [PATCH 3/3] Allow override of default platform package mapping + +With default platform to package mappings defined, we need to allow a +product to override it if needed. 
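Review bot: The override lookup added to `update_when_from_rule`, `if platform in self.local_env_yaml["platform_package_overrides"]:` followed by `.get(platform)`, does two lookups where one will do and raises `KeyError` for any product whose environment has no `platform_package_overrides` key, which at this point in the series is every product except rhel8. One line covers both cases: `platform = self.local_env_yaml.get("platform_package_overrides", {}).get(platform, platform)`. The value is then spliced into a Jinja expression, `'"' + platform + '" in ansible_facts.packages'`, so a mapping entry containing a double quote would break the `when` clause; the names come from product.yml rather than from the scanned host, so a comment stating that the mapping is trusted build input is enough. The enclosing loop starts outside this hunk.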
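Review bot: `XCCDF_PLATFORM_TO_PACKAGE` maps `zipl` to `"s390x-utils"`, which does not appear to be a real package name: the grub2 applicability patch later in this source package shows `"zipl": "s390utils-base"` as context, and the fix-zipl-package-mapping patch (PR 6130) exists only to change this entry to `s390utils-base`. Until that patch is applied, the Bash and Ansible gates generated from this table test for a package that is never installed, so every zIPL remediation exits through the "not applicable" branch and the s390x boot-hardening rules are silently never fixed. Since this table and the OVAL `installed_env_has_*` checks must name the same package for the CPE and the remediation gate to agree, a comment tying them together would help the next maintainer: `# Must name the same package as shared/checks/oval/installed_env_has_<platform>_package.xml`.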
+--- + rhel6/product.yml | 4 ++++ + rhel7/product.yml | 4 ++++ + rhel8/product.yml | 3 +++ + rhosp10/product.yml | 3 +++ + rhosp13/product.yml | 4 ++++ + rhv4/product.yml | 4 ++++ + ssg/yaml.py | 6 +++++- + 8 files changed, 31 insertions(+), 1 deletion(-) + +diff --git a/rhel6/product.yml b/rhel6/product.yml +index cc8fa4f8ed..eab9b80c47 100644 +--- a/rhel6/product.yml ++++ b/rhel6/product.yml +@@ -20,3 +20,7 @@ aux_pkg_version: "2fa658e0" + + release_key_fingerprint: "567E347AD0044ADE55BA8A5F199E2F91FD431D51" + auxiliary_key_fingerprint: "43A6E49C4A38F4BE9ABF2A5345689C882FA658E0" ++ ++# Mapping of CPE platform to package ++platform_package_overrides: ++ login_defs: "shadow-utils" +diff --git a/rhel7/product.yml b/rhel7/product.yml +index f03c928b8f..3ff996b8cc 100644 +--- a/rhel7/product.yml ++++ b/rhel7/product.yml +@@ -18,3 +18,7 @@ aux_pkg_version: "2fa658e0" + + release_key_fingerprint: "567E347AD0044ADE55BA8A5F199E2F91FD431D51" + auxiliary_key_fingerprint: "43A6E49C4A38F4BE9ABF2A5345689C882FA658E0" ++ ++# Mapping of CPE platform to package ++platform_package_overrides: ++ login_defs: "shadow-utils" +diff --git a/rhel8/product.yml b/rhel8/product.yml +index d839b23231..f3aa59faec 100644 +--- a/rhel8/product.yml ++++ b/rhel8/product.yml +@@ -19,3 +19,6 @@ aux_pkg_version: "d4082792" + release_key_fingerprint: "567E347AD0044ADE55BA8A5F199E2F91FD431D51" + auxiliary_key_fingerprint: "6A6AA7C97C8890AEC6AEBFE2F76F66C3D4082792" + ++# Mapping of CPE platform to package ++platform_package_overrides: ++ login_defs: "shadow-utils" +diff --git a/rhosp10/product.yml b/rhosp10/product.yml +index 51d0a932a5..af42ca998d 100644 +--- a/rhosp10/product.yml ++++ b/rhosp10/product.yml +@@ -10,3 +10,6 @@ pkg_manager: "yum" + + init_system: "systemd" + ++# Mapping of CPE platform to package ++platform_package_overrides: ++ login_defs: "shadow-utils" +diff --git a/rhosp13/product.yml b/rhosp13/product.yml +index 5e849ff609..ba42a31cd7 100644 +--- a/rhosp13/product.yml ++++ 
b/rhosp13/product.yml +@@ -9,3 +9,7 @@ profiles_root: "./profiles" + pkg_manager: "yum" + + init_system: "systemd" ++ ++# Mapping of CPE platform to package ++platform_package_overrides: ++ login_defs: "shadow-utils" +diff --git a/rhv4/product.yml b/rhv4/product.yml +index 10a2eda079..a61bf1588d 100644 +--- a/rhv4/product.yml ++++ b/rhv4/product.yml +@@ -18,3 +18,7 @@ aux_pkg_version: "d4082792" + + release_key_fingerprint: "567E347AD0044ADE55BA8A5F199E2F91FD431D51" + auxiliary_key_fingerprint: "6A6AA7C97C8890AEC6AEBFE2F76F66C3D4082792" ++ ++# Mapping of CPE platform to package ++platform_package_overrides: ++ login_defs: "shadow-utils" +diff --git a/ssg/yaml.py b/ssg/yaml.py +index cefbba374c..22cf5bad66 100644 +--- a/ssg/yaml.py ++++ b/ssg/yaml.py +@@ -10,7 +10,8 @@ + + from .jinja import load_macros, process_file + from .constants import (PKG_MANAGER_TO_SYSTEM, +- PKG_MANAGER_TO_CONFIG_FILE) ++ PKG_MANAGER_TO_CONFIG_FILE, ++ XCCDF_PLATFORM_TO_PACKAGE) + from .constants import DEFAULT_UID_MIN + + try: +@@ -138,6 +139,9 @@ def open_raw(yaml_file): + + def open_environment(build_config_yaml, product_yaml): + contents = open_raw(build_config_yaml) ++ # Load common platform package mappings, ++ # any specific mapping in product_yaml will override the default ++ contents["platform_package_overrides"] = XCCDF_PLATFORM_TO_PACKAGE + contents.update(open_raw(product_yaml)) + contents.update(_get_implied_properties(contents)) + return contents diff --git a/SOURCES/scap-security-guide-0.1.53-drop-zipl-pti-rule_PR_6065.patch b/SOURCES/scap-security-guide-0.1.53-drop-zipl-pti-rule_PR_6065.patch new file mode 100644 index 0000000..2023459 --- /dev/null +++ b/SOURCES/scap-security-guide-0.1.53-drop-zipl-pti-rule_PR_6065.patch 
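Review bot: In `open_environment`, `contents["platform_package_overrides"] = XCCDF_PLATFORM_TO_PACKAGE` followed by `contents.update(open_raw(product_yaml))` means a product that defines `platform_package_overrides` replaces the whole default table instead of overriding single entries, so rhel8's `login_defs: "shadow-utils"` discards the `grub2`, `sssd` and `zipl` defaults; the comment above the assignment promises the opposite. The assignment also stores the module-level dict object itself, so any later in-place change to `contents["platform_package_overrides"]` would leak into the constant for the rest of the build. A per-product copy merged after the product update fixes both: `overrides = dict(XCCDF_PLATFORM_TO_PACKAGE)` / `overrides.update(contents.get("platform_package_overrides", {}))` / `contents["platform_package_overrides"] = overrides`. The fix-platform-to-package-mapping patch (PR 6059) later in this source package addresses the merge; whether it also avoids the aliasing depends on what `merge_dicts` does with its first argument, which is not visible here.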
@@ -0,0 +1,92 @@ +From fbcd3e42106b95efd8a63914a558c04c76487783 Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Mon, 21 Sep 2020 10:26:53 +0200 +Subject: [PATCH] Remove zIPL rule for PTI bootloader option + +This setting is to mitigate a problem specific for intel archs. +Also returns the CCE to the pool. +--- + .../zipl_pti_argument/rule.yml | 38 ------------------- + rhel8/profiles/ospp.profile | 1 - + rhel8/profiles/stig.profile | 1 - + .../data/profile_stability/rhel8/ospp.profile | 1 - + 4 files changed, 41 deletions(-) + delete mode 100644 linux_os/guide/system/bootloader-zipl/zipl_pti_argument/rule.yml + +diff --git a/linux_os/guide/system/bootloader-zipl/zipl_pti_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_pti_argument/rule.yml +deleted file mode 100644 +index 96170e6d85..0000000000 +--- a/linux_os/guide/system/bootloader-zipl/zipl_pti_argument/rule.yml ++++ /dev/null +@@ -1,38 +0,0 @@ +-documentation_complete: true +- +-prodtype: rhel8 +- +-title: 'Enable Kernel Page-Table Isolation (KPTI) in zIPL' +- +-description: |- +- To enable Kernel page-table isolation, +- check that all boot entries in /boot/loader/entries/*.conf have pti=on +- included in its options.
+- To ensure that new kernels and boot entries continue to enable page-table isolation, +- add pti=on to /etc/kernel/cmdline. +- +-rationale: |- +- Kernel page-table isolation is a kernel feature that mitigates +- the Meltdown security vulnerability and hardens the kernel +- against attempts to bypass kernel address space layout +- randomization (KASLR). +- +-severity: medium +- +-identifiers: +- cce@rhel8: 83361-6 +- +-ocil_clause: 'Kernel page-table isolation is not enabled' +- +-ocil: |- +- To check that page-table isolation is enabled at boot time, check all boot entries with following command: +-
sudo grep -L "^options\s+.*\bpti=on\b" /boot/loader/entries/*.conf
+- No line should be returned, each line returned is a boot entry that doesn't enable page-table isolation . +- +-platform: machine +- +-template: +- name: zipl_bls_entries_option +- vars: +- arg_name: pti +- arg_value: 'on' +diff --git a/rhel8/profiles/ospp.profile b/rhel8/profiles/ospp.profile +index 5e81e4a92a..46f00c89f1 100644 +--- a/rhel8/profiles/ospp.profile ++++ b/rhel8/profiles/ospp.profile +@@ -426,4 +426,3 @@ selections: + - zipl_vsyscall_argument + - zipl_vsyscall_argument.role=unscored + - zipl_vsyscall_argument.severity=info +- - zipl_pti_argument +diff --git a/rhel8/profiles/stig.profile b/rhel8/profiles/stig.profile +index 53647475aa..817d5dbadd 100644 +--- a/rhel8/profiles/stig.profile ++++ b/rhel8/profiles/stig.profile +@@ -52,7 +52,6 @@ selections: + - "!zipl_audit_argument" + - "!zipl_audit_backlog_limit_argument" + - "!zipl_page_poison_argument" +- - "!zipl_pti_argument" + - "!zipl_slub_debug_argument" + - "!zipl_vsyscall_argument" + - "!zipl_vsyscall_argument.role=unscored" +diff --git a/tests/data/profile_stability/rhel8/ospp.profile b/tests/data/profile_stability/rhel8/ospp.profile +index 7b7307cba8..223b1423cd 100644 +--- a/tests/data/profile_stability/rhel8/ospp.profile ++++ b/tests/data/profile_stability/rhel8/ospp.profile +@@ -219,7 +219,6 @@ selections: + - zipl_bls_entries_only + - zipl_bootmap_is_up_to_date + - zipl_page_poison_argument +-- zipl_pti_argument + - zipl_slub_debug_argument + - zipl_vsyscall_argument + - var_sshd_set_keepalive=0 diff --git a/SOURCES/scap-security-guide-0.1.53-fix-empty-bash-wrapping-PR_6173.patch b/SOURCES/scap-security-guide-0.1.53-fix-empty-bash-wrapping-PR_6173.patch new file mode 100644 index 0000000..0199bf4 --- /dev/null +++ b/SOURCES/scap-security-guide-0.1.53-fix-empty-bash-wrapping-PR_6173.patch 
@@ -0,0 +1,49 @@ +From 08d5fb8355020856282eecfcdd09e96d9850cd62 Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Fri, 9 Oct 2020 09:30:35 +0200 +Subject: [PATCH] Do not platform wrap empty Bash remediation + +The fix text for a rule can end up empty if a Jinja macro or conditional +doesn't render any text. +In these cases, avoid wrapping empty lines in an if-else, as this causes +syntax error. +--- + ssg/build_remediations.py | 15 +++++++++------ + 1 file changed, 9 insertions(+), 6 deletions(-) + +diff --git a/ssg/build_remediations.py b/ssg/build_remediations.py +index f269d4d2d6..572db61701 100644 +--- a/ssg/build_remediations.py ++++ b/ssg/build_remediations.py +@@ -273,6 +273,13 @@ def parse_from_file_with_jinja(self, env_yaml): + self.local_env_yaml.update(env_yaml) + result = super(BashRemediation, self).parse_from_file_with_jinja(self.local_env_yaml) + ++ # Avoid platform wrapping empty fix text ++ # Remediations can be empty when a Jinja macro or conditional ++ # renders no fix text for a product ++ stripped_fix_text = result.contents.strip() ++ if stripped_fix_text == "": ++ return result ++ + rule_platforms = set() + if self.associated_rule: + # There can be repeated inherited platforms and rule platforms +@@ -301,15 +308,11 @@ def parse_from_file_with_jinja(self, env_yaml): + + all_conditions = " && ".join(platform_conditionals) + wrapped_fix_text.append("if {0}; then".format(all_conditions)) +- +- # Avoid adding extra blank line +- if not result.contents.startswith("\n"): +- wrapped_fix_text.append("") +- ++ wrapped_fix_text.append("") + # It is possible to indent the original body of the remediation with textwrap.indent(), + # however, it is not supported by python2, and there is a risk of breaking remediations + # For example, remediations with a here-doc block could be affected. 
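Review bot: The early `return result` for empty fix text in `parse_from_file_with_jinja` still hands the whitespace-only remediation back to the caller, so the rule continues to advertise a Bash fix that does nothing; whether the caller discards empty remediations is not visible here. If it does not, a build-time warning at this point would surface products whose Jinja conditionals render no fix at all, and the intent should be stated either way: `# NOTE: an empty fix is returned unchanged and, unless the caller drops it, stays attached to the rule; consider warning here`. The remainder of the method continues in the next hunk.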
+- wrapped_fix_text.append("{0}".format(result.contents)) ++ wrapped_fix_text.append("{0}".format(stripped_fix_text)) + wrapped_fix_text.append("") + wrapped_fix_text.append("else") + wrapped_fix_text.append(" >&2 echo 'Remediation is not applicable, nothing was done'") diff --git a/SOURCES/scap-security-guide-0.1.53-fix-grub2-applicability-in-aarch64-ppc64le-PR_6153.patch b/SOURCES/scap-security-guide-0.1.53-fix-grub2-applicability-in-aarch64-ppc64le-PR_6153.patch new file mode 100644 index 0000000..83df4d6 --- /dev/null +++ b/SOURCES/scap-security-guide-0.1.53-fix-grub2-applicability-in-aarch64-ppc64le-PR_6153.patch 
@@ -0,0 +1,116 @@ +From cf1d85924b5945506e57f8701be066c83a894378 Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Mon, 5 Oct 2020 16:40:39 +0200 +Subject: [PATCH 1/2] Check for grub2-common instead of grub2-pc + +Check for grub2 intallation based on grub2-common. +grub2-pc is a x86_64 package, but other arches use grub2 as well. +--- + .../checks/oval/installed_env_has_grub2_package.xml | 12 ++++++------ + ssg/constants.py | 2 +- + 2 files changed, 7 insertions(+), 7 deletions(-) + +diff --git a/shared/checks/oval/installed_env_has_grub2_package.xml b/shared/checks/oval/installed_env_has_grub2_package.xml +index e83f45bc3b..2a170d668e 100644 +--- a/shared/checks/oval/installed_env_has_grub2_package.xml ++++ b/shared/checks/oval/installed_env_has_grub2_package.xml +@@ -6,31 +6,31 @@ + + multi_platform_all + +- Checks if package grub2-pc is installed. ++ Checks if package grub2-common is installed. + + + +- ++ + + + + {{% if pkg_system == "rpm" %}} + ++ comment="system has package grub2-common installed"> + + + +- grub2-pc ++ grub2-common + + {{% elif pkg_system == "dpkg" %}} + ++ comment="system has package grub2-common installed"> + + + +- grub2-pc ++ grub2-common + + {{% endif %}} + +diff --git a/ssg/constants.py b/ssg/constants.py +index b07fe5f0fe..88316374b5 100644 +--- a/ssg/constants.py ++++ b/ssg/constants.py +@@ -468,7 +468,7 @@ + + # Default platform to package mapping + XCCDF_PLATFORM_TO_PACKAGE = { +- "grub2": "grub2-pc", ++ "grub2": "grub2-common", + "login_defs": "login", + "sssd": "sssd-common", + "zipl": "s390utils-base", + +From fba876cfc7f85f5b9a696d0f5fa1177299b7c6bb Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Mon, 5 Oct 2020 16:49:15 +0200 +Subject: [PATCH 2/2] Handle exception of grub2-coomon in ppc64le + +ppc64le systems can use Grub2 or OPAL and the package set will be the +same in both cases. +Add a few more checks to make sure ppc64le arch is handled correctly. 
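Review bot: Changing `XCCDF_PLATFORM_TO_PACKAGE["grub2"]` to `grub2-common` widens the Bash and Ansible remediation gate to every architecture that ships the grub2 tools, but unlike the OVAL check that the second patch of this series amends with a `/sys/firmware/opal` exclusion, the package-based gate cannot tell a ppc64le OPAL/Petitboot system from a grub2 one; the commit message itself notes the package set is the same in both cases. On such a machine the CPE evaluates the rule as not applicable while the generated `if rpm --quiet -q grub2-common; then` wrapper still runs the grub2 remediation. Either the gate needs the same firmware test as the OVAL (which the current per-package command format cannot express without a code change) or the mismatch should be recorded next to the mapping: `# grub2-common is also present on ppc64le OPAL systems; the OVAL CPE check excludes them, this gate does not`.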
+--- + .../oval/installed_env_has_grub2_package.xml | 19 ++++++++++++++++++- + 1 file changed, 18 insertions(+), 1 deletion(-) + +diff --git a/shared/checks/oval/installed_env_has_grub2_package.xml b/shared/checks/oval/installed_env_has_grub2_package.xml +index 2a170d668e..fb2c9cc784 100644 +--- a/shared/checks/oval/installed_env_has_grub2_package.xml ++++ b/shared/checks/oval/installed_env_has_grub2_package.xml +@@ -9,8 +9,18 @@ + Checks if package grub2-common is installed. + + +- ++ + ++ ++ ++ ++ ++ ++ ++ + + + +@@ -34,4 +44,11 @@ + + {{% endif %}} + ++ ++ ++ ++ ++ /sys/firmware/opal ++ ++ + diff --git a/SOURCES/scap-security-guide-0.1.53-fix-platform-to-package-mapping_PR_6059.patch b/SOURCES/scap-security-guide-0.1.53-fix-platform-to-package-mapping_PR_6059.patch new file mode 100644 index 0000000..8c84ee4 --- /dev/null +++ b/SOURCES/scap-security-guide-0.1.53-fix-platform-to-package-mapping_PR_6059.patch 
@@ -0,0 +1,38 @@ +From 7dfeb5ec0513a58502eb83aa2900e7c5fb0d478e Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Tue, 8 Sep 2020 11:29:57 +0200 +Subject: [PATCH] Fix load of product platform mapping + +The product specific mappings were overriding the common mappings, +instead of being merged with them. +--- + ssg/yaml.py | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +diff --git a/ssg/yaml.py b/ssg/yaml.py +index 22cf5bad66..d8856e52c9 100644 +--- a/ssg/yaml.py ++++ b/ssg/yaml.py +@@ -13,6 +13,7 @@ + PKG_MANAGER_TO_CONFIG_FILE, + XCCDF_PLATFORM_TO_PACKAGE) + from .constants import DEFAULT_UID_MIN ++from .utils import merge_dicts + + try: + from yaml import CSafeLoader as yaml_SafeLoader +@@ -139,10 +140,11 @@ def open_raw(yaml_file): + + def open_environment(build_config_yaml, product_yaml): + contents = open_raw(build_config_yaml) +- # Load common platform package mappings, +- # any specific mapping in product_yaml will override the default +- contents["platform_package_overrides"] = XCCDF_PLATFORM_TO_PACKAGE + contents.update(open_raw(product_yaml)) ++ platform_package_overrides = contents.get("platform_package_overrides", {}) ++ # Merge common platform package mappings, while keeping product specific mappings ++ contents["platform_package_overrides"] = merge_dicts(XCCDF_PLATFORM_TO_PACKAGE, ++ platform_package_overrides) + contents.update(_get_implied_properties(contents)) + return contents + diff --git a/SOURCES/scap-security-guide-0.1.53-fix-zipl-package-mapping_PR_6130.patch b/SOURCES/scap-security-guide-0.1.53-fix-zipl-package-mapping_PR_6130.patch new file mode 100644 index 0000000..fc1fecd --- /dev/null +++ b/SOURCES/scap-security-guide-0.1.53-fix-zipl-package-mapping_PR_6130.patch 
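Review bot: `merge_dicts(XCCDF_PLATFORM_TO_PACKAGE, platform_package_overrides)` passes the module-level default table as its first argument; if `merge_dicts` updates that argument in place (its definition in `ssg/utils.py` is not visible here), the first product built writes its overrides into the shared constant and every later product in the same process inherits them, e.g. one product's `login_defs` override becoming another's default. Passing a copy makes the call safe regardless of how the helper behaves: `contents["platform_package_overrides"] = merge_dicts(dict(XCCDF_PLATFORM_TO_PACKAGE), platform_package_overrides)`. A one-line comment stating that the product mapping wins on conflicting keys would also make the intended precedence explicit.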
@@ -0,0 +1,22 @@ +From 570dc073739e9044b54e872c8368125bccadb704 Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Tue, 29 Sep 2020 15:28:02 +0200 +Subject: [PATCH] Fix zIPL package mapping + +--- + ssg/constants.py | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/ssg/constants.py b/ssg/constants.py +index 0eca2f4f95..fa6c756ff6 100644 +--- a/ssg/constants.py ++++ b/ssg/constants.py +@@ -470,7 +470,7 @@ + "grub2": "grub2-pc", + "login_defs": "login", + "sssd": "sssd-common", +- "zipl": "s390x-utils", ++ "zipl": "s390utils-base", + } + + # _version_name_map = { diff --git a/SOURCES/scap-security-guide-0.1.53-move-grub2-vsyscall-rule_PR_6129.patch b/SOURCES/scap-security-guide-0.1.53-move-grub2-vsyscall-rule_PR_6129.patch new file mode 100644 index 0000000..20310cb --- /dev/null +++ b/SOURCES/scap-security-guide-0.1.53-move-grub2-vsyscall-rule_PR_6129.patch @@ -0,0 +1,16 @@ +From 7a069a2deb4d1ce69b02b7615523424f2ecf281f Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Tue, 29 Sep 2020 15:04:39 +0200 +Subject: [PATCH] Move grub2_vsyscall_argument to grub2 group + +This will put the rule under grub2 platform, so the rule is only +applicable on a machine system with grub2. +--- + .../grub2_vsyscall_argument/rule.yml | 0 + 1 file changed, 0 insertions(+), 0 deletions(-) + rename linux_os/guide/system/{permissions/restrictions => bootloader-grub2}/grub2_vsyscall_argument/rule.yml (100%) + +diff --git a/linux_os/guide/system/permissions/restrictions/grub2_vsyscall_argument/rule.yml b/linux_os/guide/system/bootloader-grub2/grub2_vsyscall_argument/rule.yml +similarity index 100% +rename from linux_os/guide/system/permissions/restrictions/grub2_vsyscall_argument/rule.yml +rename to linux_os/guide/system/bootloader-grub2/grub2_vsyscall_argument/rule.yml diff --git a/SPECS/scap-security-guide.spec b/SPECS/scap-security-guide.spec index e098e0d..8430bd2 100644 --- a/SPECS/scap-security-guide.spec +++ b/SPECS/scap-security-guide.spec 
@@ -1,6 +1,6 @@ Name: scap-security-guide Version: 0.1.50 -Release: 14%{?dist} +Release: 16%{?dist} Summary: Security guidance and baselines in SCAP formats Group: Applications/System License: BSD @@ -35,6 +35,23 @@ Patch23: scap-security-guide-0.1.51-no_shelllogin_for_systemaccounts_ubi8-PR_58 Patch24: scap-security-guide-0.1.51-grub2_doc_fix-PR_5890.patch Patch25: scap-security-guide-0.1.51-remove_grub_doc_links-PR_5851.patch Patch26: scap-security-guide-0.1.53-cui_kickstart-PR_6035.patch +Patch27: scap-security-guide-0.1.51-add-zipl-rules_PR_5784.patch +Patch28: scap-security-guide-0.1.51-add-zipl-and-grub2-cpes_PR_5905.patch +Patch29: scap-security-guide-0.1.51-fix-zipl-cpe-dictionary_PR_5912.patch +Patch30: scap-security-guide-0.1.51-fix-rhel6-cpe-dictionary_PR_5928.patch +Patch31: scap-security-guide-0.1.52-reorganize-zipl-rules_PR_5888.patch +Patch32: scap-security-guide-0.1.52-add-zipl-boot-options-template_PR_5908.patch +Patch33: scap-security-guide-0.1.52-add-grub2-platform-to-more-rules_PR_5952.patch +# To ease backport, patch 33 also includes changes from #5995 +Patch34: scap-security-guide-0.1.53-add-ansible-platform_PR_6025.patch +Patch35: scap-security-guide-0.1.53-add-platform-to-package-mapping_PR_6047.patch +Patch36: scap-security-guide-0.1.53-fix-platform-to-package-mapping_PR_6059.patch +Patch37: scap-security-guide-0.1.53-add-bash-platform_PR_6061.patch +Patch38: scap-security-guide-0.1.53-drop-zipl-pti-rule_PR_6065.patch +Patch39: scap-security-guide-0.1.53-move-grub2-vsyscall-rule_PR_6129.patch +Patch40: scap-security-guide-0.1.53-fix-zipl-package-mapping_PR_6130.patch +Patch41: scap-security-guide-0.1.53-fix-grub2-applicability-in-aarch64-ppc64le-PR_6153.patch +Patch42: scap-security-guide-0.1.53-fix-empty-bash-wrapping-PR_6173.patch BuildArch: noarch 
@@ -96,6 +113,22 @@ present in %{name} package. %patch24 -p1 %patch25 -p1 %patch26 -p1 +%patch27 -p1 +%patch28 -p1 +%patch29 -p1 +%patch30 -p1 +%patch31 -p1 +%patch32 -p1 +%patch33 -p1 +%patch34 -p1 +%patch35 -p1 +%patch36 -p1 +%patch37 -p1 +%patch38 -p1 +%patch39 -p1 +%patch40 -p1 +%patch41 -p1 +%patch42 -p1 mkdir build %build @@ -130,6 +163,13 @@ cd build %doc %{_docdir}/%{name}/tables/*.html %changelog +* Fri Oct 09 2020 Watson Sato - 0.1.50-16 +- Fix Bash platform in empty remediations (rhbz#1886318) + +* Tue Oct 06 2020 Watson Sato - 0.1.50-15 +- Add and select zIPL bootloader rules in OSPP (rhbz#1886318) +- Add support for remediation platforms + * Wed Sep 02 2020 Matěj Týč - 0.1.50-14 - Added a kickstart for the RHEL-8 CUI Profile (RHBZ#1762962)