From dac76ab332cb6f7ca5cdbec311d2754a26f6d91e Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: Sep 29 2020 07:03:09 +0000 Subject: import scap-security-guide-0.1.49-13.el7 --- diff --git a/.gitignore b/.gitignore index ef19f89..a0b3fab 100644 --- a/.gitignore +++ b/.gitignore @@ -1 +1 @@ -SOURCES/scap-security-guide-0.1.46.tar.bz2 +SOURCES/scap-security-guide-0.1.49.tar.bz2 diff --git a/.scap-security-guide.metadata b/.scap-security-guide.metadata index 26ee133..c49602b 100644 --- a/.scap-security-guide.metadata +++ b/.scap-security-guide.metadata @@ -1 +1 @@ -05a9c42472d6918e10d25df002ab6b3c3d379016 SOURCES/scap-security-guide-0.1.46.tar.bz2 +abc5640ac0b212fbea8379036830f650dd2543db SOURCES/scap-security-guide-0.1.49.tar.bz2 diff --git a/SOURCES/centos-debranding.patch b/SOURCES/centos-debranding.patch deleted file mode 100644 index b5fd3d3..0000000 --- a/SOURCES/centos-debranding.patch +++ /dev/null @@ -1,241 +0,0 @@ -diff -uNrp scap-security-guide-0.1.46.orig/rhel7/profiles/anssi_nt28_minimal.profile scap-security-guide-0.1.46/rhel7/profiles/anssi_nt28_minimal.profile ---- scap-security-guide-0.1.46.orig/rhel7/profiles/anssi_nt28_minimal.profile 2019-08-28 12:35:00.000000000 +0000 -+++ scap-security-guide-0.1.46/rhel7/profiles/anssi_nt28_minimal.profile 2020-04-02 00:12:34.138435758 +0000 -@@ -2,7 +2,8 @@ documentation_complete: true - - title: 'DRAFT - ANSSI DAT-NT28 (minimal)' - --description: 'Draft profile for ANSSI compliance at the minimal level. ANSSI stands for Agence nationale de la sécurité des -+description: ' **Not applicable to CentOS Linux, included for reference only** -+ Draft profile for ANSSI compliance at the minimal level. ANSSI stands for Agence nationale de la sécurité des - systèmes d''information. Based on https://www.ssi.gouv.fr/.' - - selections: -diff -uNrp scap-security-guide-0.1.46.orig/rhel7/profiles/C2S-docker.profile scap-security-guide-0.1.46/rhel7/profiles/C2S-docker.profile ---- scap-security-guide-0.1.46.orig/rhel7/profiles/C2S-docker.profile 2019-08-28 12:35:00.000000000 +0000 -+++ scap-security-guide-0.1.46/rhel7/profiles/C2S-docker.profile 2020-04-02 00:13:40.055578160 +0000 -@@ -3,6 +3,8 @@ documentation_complete: false - title: 'DRAFT - C2S for Docker' - - description: |- -+ **Not applicable to CentOS Linux, included for reference only** -+ - This profile demonstrates compliance against the - U.S. Government Commercial Cloud Services (C2S) baseline. - -diff -uNrp scap-security-guide-0.1.46.orig/rhel7/profiles/C2S.profile scap-security-guide-0.1.46/rhel7/profiles/C2S.profile ---- scap-security-guide-0.1.46.orig/rhel7/profiles/C2S.profile 2019-08-28 13:46:33.000000000 +0000 -+++ scap-security-guide-0.1.46/rhel7/profiles/C2S.profile 2020-04-02 00:13:14.710523405 +0000 -@@ -3,6 +3,8 @@ documentation_complete: true - title: 'C2S for Red Hat Enterprise Linux 7' - - description: |- -+ **Not applicable to CentOS Linux, included for reference only** -+ - This profile demonstrates compliance against the - U.S. Government Commercial Cloud Services (C2S) baseline. - -diff -uNrp scap-security-guide-0.1.46.orig/rhel7/profiles/cjis.profile scap-security-guide-0.1.46/rhel7/profiles/cjis.profile ---- scap-security-guide-0.1.46.orig/rhel7/profiles/cjis.profile 2019-08-28 13:46:33.000000000 +0000 -+++ scap-security-guide-0.1.46/rhel7/profiles/cjis.profile 2020-04-02 00:14:09.815642451 +0000 -@@ -3,6 +3,8 @@ documentation_complete: true - title: 'Criminal Justice Information Services (CJIS) Security Policy' - - description: |- -+ **Not applicable to CentOS Linux, included for reference only** -+ - This profile is derived from FBI's CJIS v5.4 - Security Policy. A copy of this policy can be found at the CJIS Security - Policy Resource Center: -diff -uNrp scap-security-guide-0.1.46.orig/rhel7/profiles/cui.profile scap-security-guide-0.1.46/rhel7/profiles/cui.profile ---- scap-security-guide-0.1.46.orig/rhel7/profiles/cui.profile 2019-08-28 12:35:00.000000000 +0000 -+++ scap-security-guide-0.1.46/rhel7/profiles/cui.profile 2020-04-02 00:14:39.735707092 +0000 -@@ -3,6 +3,8 @@ documentation_complete: true - title: 'Unclassified Information in Non-federal Information Systems and Organizations (NIST 800-171)' - - description: |- -+ **Not applicable to CentOS Linux, included for reference only** -+ - From NIST 800-171, Section 2.2: - Security requirements for protecting the confidentiality of CUI in non-federal - information systems and organizations have a well-defined structure that -diff -uNrp scap-security-guide-0.1.46.orig/rhel7/profiles/docker-host.profile scap-security-guide-0.1.46/rhel7/profiles/docker-host.profile ---- scap-security-guide-0.1.46.orig/rhel7/profiles/docker-host.profile 2019-08-28 12:35:00.000000000 +0000 -+++ scap-security-guide-0.1.46/rhel7/profiles/docker-host.profile 2020-04-02 00:15:08.697769654 +0000 -@@ -3,6 +3,8 @@ documentation_complete: false - title: 'DRAFT - Standard Docker Host Security Profile' - - description: |- -+ **Not applicable to CentOS Linux, included for reference only** -+ - This profile contains rules to ensure standard security - baseline of Red Hat Enterprise Linux 7 system running docker. - -diff -uNrp scap-security-guide-0.1.46.orig/rhel7/profiles/e8.profile scap-security-guide-0.1.46/rhel7/profiles/e8.profile ---- scap-security-guide-0.1.46.orig/rhel7/profiles/e8.profile 2020-04-02 00:07:38.530797155 +0000 -+++ scap-security-guide-0.1.46/rhel7/profiles/e8.profile 2020-04-02 00:15:34.521825440 +0000 -@@ -3,6 +3,8 @@ documentation_complete: true - title: 'Australian Cyber Security Centre (ACSC) Essential Eight' - - description: |- -+ **Not applicable to CentOS Linux, included for reference only** -+ - This profile contains configuration checks for Red Hat Enterprise Linux 7 - that align to the Australian Cyber Security Centre (ACSC) Essential Eight. - -diff -uNrp scap-security-guide-0.1.46.orig/rhel7/profiles/hipaa.profile scap-security-guide-0.1.46/rhel7/profiles/hipaa.profile ---- scap-security-guide-0.1.46.orig/rhel7/profiles/hipaa.profile 2019-08-28 13:46:33.000000000 +0000 -+++ scap-security-guide-0.1.46/rhel7/profiles/hipaa.profile 2020-04-02 00:16:12.605907713 +0000 -@@ -3,6 +3,8 @@ documentation_complete: True - title: 'Health Insurance Portability and Accountability Act (HIPAA)' - - description: |- -+ **Not applicable to CentOS Linux, included for reference only** -+ - The HIPAA Security Rule establishes U.S. national standards to protect individuals’ - electronic personal health information that is created, received, used, or - maintained by a covered entity. The Security Rule requires appropriate -diff -uNrp scap-security-guide-0.1.46.orig/rhel7/profiles/http-stig.profile scap-security-guide-0.1.46/rhel7/profiles/http-stig.profile ---- scap-security-guide-0.1.46.orig/rhel7/profiles/http-stig.profile 2019-08-28 12:35:00.000000000 +0000 -+++ scap-security-guide-0.1.46/rhel7/profiles/http-stig.profile 2020-04-02 00:16:43.191973788 +0000 -@@ -3,6 +3,8 @@ documentation_complete: false - title: 'DRAFT - DISA STIG for Apache HTTP on Red Hat Enterprise Linux 7' - - description: |- -+ **Not applicable to CentOS Linux, included for reference only** -+ - This profile contains configuration checks that align to the - DISA STIG for Apache HTTP web server. - -diff -uNrp scap-security-guide-0.1.46.orig/rhel7/profiles/ipa-stig.profile scap-security-guide-0.1.46/rhel7/profiles/ipa-stig.profile ---- scap-security-guide-0.1.46.orig/rhel7/profiles/ipa-stig.profile 2019-08-28 12:35:00.000000000 +0000 -+++ scap-security-guide-0.1.46/rhel7/profiles/ipa-stig.profile 2020-04-02 00:17:03.371017390 +0000 -@@ -3,6 +3,8 @@ documentation_complete: false - title: 'DRAFT - DISA STIG for Red Hat IdM' - - description: |- -+ **Not applicable to CentOS Linux, included for reference only** -+ - This is a *draft* profile for STIG. This profile is being - developed under the DoD consensus model to become a STIG in - coordination with DISA FSO. -diff -uNrp scap-security-guide-0.1.46.orig/rhel7/profiles/ncp.profile scap-security-guide-0.1.46/rhel7/profiles/ncp.profile ---- scap-security-guide-0.1.46.orig/rhel7/profiles/ncp.profile 2019-08-28 13:46:33.000000000 +0000 -+++ scap-security-guide-0.1.46/rhel7/profiles/ncp.profile 2020-04-02 00:19:00.198269763 +0000 -@@ -3,6 +3,8 @@ documentation_complete: true - title: 'NIST National Checklist Program Security Guide' - - description: |- -+ **Not applicable to CentOS Linux, included for reference only** -+ - This compliance profile reflects the core set of security - related configuration settings for deployment of Red Hat Enterprise - Linux 7.x into U.S. Defense, Intelligence, and Civilian agencies. -diff -uNrp scap-security-guide-0.1.46.orig/rhel7/profiles/ospp.profile scap-security-guide-0.1.46/rhel7/profiles/ospp.profile ---- scap-security-guide-0.1.46.orig/rhel7/profiles/ospp.profile 2020-04-02 00:07:38.523797140 +0000 -+++ scap-security-guide-0.1.46/rhel7/profiles/ospp.profile 2020-04-02 00:18:53.448255187 +0000 -@@ -3,6 +3,8 @@ documentation_complete: true - title: 'OSPP - Protection Profile for General Purpose Operating Systems v4.2.1' - - description: |- -+ **Not applicable to CentOS Linux, included for reference only** -+ - This profile reflects mandatory configuration controls identified in the - NIAP Configuration Annex to the Protection Profile for General Purpose - Operating Systems (Protection Profile Version 4.2.1). -diff -uNrp scap-security-guide-0.1.46.orig/rhel7/profiles/pci-dss.profile scap-security-guide-0.1.46/rhel7/profiles/pci-dss.profile ---- scap-security-guide-0.1.46.orig/rhel7/profiles/pci-dss.profile 2019-08-28 12:35:00.000000000 +0000 -+++ scap-security-guide-0.1.46/rhel7/profiles/pci-dss.profile 2020-04-02 00:19:22.109317098 +0000 -@@ -3,6 +3,8 @@ documentation_complete: true - title: 'PCI-DSS v3.2.1 Control Baseline for Red Hat Enterprise Linux 7' - - description: |- -+ **Not applicable to CentOS Linux, included for reference only** -+ - Ensures PCI-DSS v3.2.1 security configuration settings are applied. - - selections: -diff -uNrp scap-security-guide-0.1.46.orig/rhel7/profiles/rhelh-stig.profile scap-security-guide-0.1.46/rhel7/profiles/rhelh-stig.profile ---- scap-security-guide-0.1.46.orig/rhel7/profiles/rhelh-stig.profile 2019-08-28 13:46:33.000000000 +0000 -+++ scap-security-guide-0.1.46/rhel7/profiles/rhelh-stig.profile 2020-04-02 00:20:04.168407959 +0000 -@@ -3,6 +3,8 @@ documentation_complete: true - title: '[DRAFT] DISA STIG for Red Hat Enterprise Linux Virtualization Host (RHELH)' - - description: |- -+ **Not applicable to CentOS Linux, included for reference only** -+ - This *draft* profile contains configuration checks that align to the - DISA STIG for Red Hat Enterprise Linux Virtualization Host (RHELH). - -diff -uNrp scap-security-guide-0.1.46.orig/rhel7/profiles/rhelh-vpp.profile scap-security-guide-0.1.46/rhel7/profiles/rhelh-vpp.profile ---- scap-security-guide-0.1.46.orig/rhel7/profiles/rhelh-vpp.profile 2019-08-28 13:46:33.000000000 +0000 -+++ scap-security-guide-0.1.46/rhel7/profiles/rhelh-vpp.profile 2020-04-02 00:18:01.448142852 +0000 -@@ -3,6 +3,8 @@ documentation_complete: true - title: 'VPP - Protection Profile for Virtualization v. 1.0 for Red Hat Enterprise Linux Hypervisor (RHELH)' - - description: |- -+ **Not applicable to CentOS Linux, included for reference only** -+ - This compliance profile reflects the core set of security - related configuration settings for deployment of Red Hat Enterprise - Linux Hypervisor (RHELH) 7.x into U.S. Defense, Intelligence, and Civilian agencies. -diff -uNrp scap-security-guide-0.1.46.orig/rhel7/profiles/rht-ccp.profile scap-security-guide-0.1.46/rhel7/profiles/rht-ccp.profile ---- scap-security-guide-0.1.46.orig/rhel7/profiles/rht-ccp.profile 2019-08-28 13:46:33.000000000 +0000 -+++ scap-security-guide-0.1.46/rhel7/profiles/rht-ccp.profile 2020-04-02 00:20:25.205453406 +0000 -@@ -3,6 +3,8 @@ documentation_complete: true - title: 'Red Hat Corporate Profile for Certified Cloud Providers (RH CCP)' - - description: |- -+ **Not applicable to CentOS Linux, included for reference only** -+ - This profile contains the minimum security relevant - configuration settings recommended by Red Hat, Inc for - Red Hat Enterprise Linux 7 instances deployed by Red Hat Certified -diff -uNrp scap-security-guide-0.1.46.orig/rhel7/profiles/satellite-stig.profile scap-security-guide-0.1.46/rhel7/profiles/satellite-stig.profile ---- scap-security-guide-0.1.46.orig/rhel7/profiles/satellite-stig.profile 2019-08-28 12:35:00.000000000 +0000 -+++ scap-security-guide-0.1.46/rhel7/profiles/satellite-stig.profile 2020-04-02 00:20:44.967496099 +0000 -@@ -3,6 +3,8 @@ documentation_complete: false - title: 'DRAFT - DISA STIG for Red Hat Satellite' - - description: |- -+ **Not applicable to CentOS Linux, included for reference only** -+ - This is a *draft* profile for STIG. This profile is being - developed under the DoD consensus model to become a STIG in - coordination with DISA FSO. -diff -uNrp scap-security-guide-0.1.46.orig/rhel7/profiles/standard.profile scap-security-guide-0.1.46/rhel7/profiles/standard.profile ---- scap-security-guide-0.1.46.orig/rhel7/profiles/standard.profile 2019-08-28 12:35:00.000000000 +0000 -+++ scap-security-guide-0.1.46/rhel7/profiles/standard.profile 2020-04-02 00:21:05.637540751 +0000 -@@ -3,6 +3,8 @@ documentation_complete: true - title: 'Standard System Security Profile for Red Hat Enterprise Linux 7' - - description: |- -+ **Not applicable to CentOS Linux, included for reference only** -+ - This profile contains rules to ensure standard security baseline - of a Red Hat Enterprise Linux 7 system. Regardless of your system's workload - all of these checks should pass. -diff -uNrp scap-security-guide-0.1.46.orig/rhel7/profiles/stig.profile scap-security-guide-0.1.46/rhel7/profiles/stig.profile ---- scap-security-guide-0.1.46.orig/rhel7/profiles/stig.profile 2019-08-28 13:46:33.000000000 +0000 -+++ scap-security-guide-0.1.46/rhel7/profiles/stig.profile 2020-04-02 00:21:23.477579298 +0000 -@@ -3,6 +3,8 @@ documentation_complete: true - title: 'DISA STIG for Red Hat Enterprise Linux 7' - - description: |- -+ **Not applicable to CentOS Linux, included for reference only** -+ - This profile contains configuration checks that align to the - DISA STIG for Red Hat Enterprise Linux V1R4. - -diff -uNrp scap-security-guide-0.1.46.orig/rhel7/profiles/tower-stig.profile scap-security-guide-0.1.46/rhel7/profiles/tower-stig.profile ---- scap-security-guide-0.1.46.orig/rhel7/profiles/tower-stig.profile 2019-08-28 12:35:00.000000000 +0000 -+++ scap-security-guide-0.1.46/rhel7/profiles/tower-stig.profile 2020-04-02 00:21:44.885625545 +0000 -@@ -3,6 +3,8 @@ documentation_complete: false - title: 'DRAFT - DISA STIG for Red Hat Ansible Tower' - - description: |- -+ **Not applicable to CentOS Linux, included for reference only** -+ - This is a *draft* profile for STIG. This profile is being - developed under the DoD consensus model to become a STIG in - coordination with DISA FSO. diff --git a/SOURCES/disable-not-in-good-shape-profiles.patch b/SOURCES/disable-not-in-good-shape-profiles.patch index ae3d0dd..d26c4b2 100644 --- a/SOURCES/disable-not-in-good-shape-profiles.patch +++ b/SOURCES/disable-not-in-good-shape-profiles.patch @@ -1,34 +1,37 @@ -From c6c4eae7d085adb1571e5c45edb4bd982c242f4d Mon Sep 17 00:00:00 2001 -From: Gabriel Becker -Date: Mon, 17 Dec 2018 13:30:06 +0100 -Subject: [PATCH] Disable profiles that are not in good shape for RHEL8. +From 2dfbfa76867db56ee90f168b478437d916e0cd4e Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Fri, 17 Jan 2020 19:01:22 +0100 +Subject: [PATCH] Disable profiles that are not in good shape for RHEL8 They raise too many errors and fails. +Also disable tables for profiles that are not built. --- - rhel8/CMakeLists.txt | 3 ++- - rhel8/profiles/cjis.profile | 2 +- - rhel8/profiles/cui.profile | 2 +- - rhel8/profiles/hipaa.profile | 2 +- - rhel8/profiles/rht-ccp.profile | 2 +- - rhel8/profiles/standard.profile | 2 +- - 6 files changed, 7 insertions(+), 6 deletions(-) + rhel8/CMakeLists.txt | 2 -- + rhel8/profiles/cjis.profile | 2 +- + rhel8/profiles/cui.profile | 2 +- + rhel8/profiles/hipaa.profile | 2 +- + rhel8/profiles/rhelh-stig.profile | 2 +- + rhel8/profiles/rhelh-vpp.profile | 2 +- + rhel8/profiles/rht-ccp.profile | 2 +- + rhel8/profiles/standard.profile | 2 +- + 9 files changed, 8 insertions(+), 10 deletions(-) diff --git a/rhel8/CMakeLists.txt b/rhel8/CMakeLists.txt -index 99bccbed7..77f8ccaec 100644 +index 40f2b2b0f..492a8dae1 100644 --- a/rhel8/CMakeLists.txt +++ b/rhel8/CMakeLists.txt -@@ -14,7 +14,8 @@ ssg_build_html_table_by_ref(${PRODUCT} "cis") +@@ -14,9 +14,8 @@ ssg_build_html_table_by_ref(${PRODUCT} "cis") ssg_build_html_table_by_ref(${PRODUCT} "pcidss") ssg_build_html_table_by_ref(${PRODUCT} "anssi") -ssg_build_html_nistrefs_table(${PRODUCT} "standard") -+# Standard profile is disabled for RHEL8 as it is not in good shape -+#ssg_build_html_nistrefs_table(${PRODUCT} "standard") ssg_build_html_nistrefs_table(${PRODUCT} "ospp") + ssg_build_html_nistrefs_table(${PRODUCT} "stig") # Uncomment when anssi profiles are marked documentation_complete: true + #ssg_build_html_anssirefs_table(${PRODUCT} "nt28_minimal") diff --git a/rhel8/profiles/cjis.profile b/rhel8/profiles/cjis.profile -index a7f8c0b16..c460793be 100644 +index 05ea9cdd6..9c55ac5b1 100644 --- a/rhel8/profiles/cjis.profile +++ b/rhel8/profiles/cjis.profile @@ -1,4 +1,4 @@ @@ -48,7 +51,7 @@ index eb62252a4..e8f369708 100644 title: 'Unclassified Information in Non-federal Information Systems and Organizations (NIST 800-171)' diff --git a/rhel8/profiles/hipaa.profile b/rhel8/profiles/hipaa.profile -index feb98007c..0667f65ed 100644 +index 8d20f9019..d641b56fe 100644 --- a/rhel8/profiles/hipaa.profile +++ b/rhel8/profiles/hipaa.profile @@ -1,4 +1,4 @@ @@ -57,8 +60,28 @@ index feb98007c..0667f65ed 100644 title: 'Health Insurance Portability and Accountability Act (HIPAA)' +diff --git a/rhel8/profiles/rhelh-stig.profile b/rhel8/profiles/rhelh-stig.profile +index 1efca5f44..c3d0b0964 100644 +--- a/rhel8/profiles/rhelh-stig.profile ++++ b/rhel8/profiles/rhelh-stig.profile +@@ -1,4 +1,4 @@ +-documentation_complete: true ++documentation_complete: false + + title: '[DRAFT] DISA STIG for Red Hat Enterprise Linux Virtualization Host (RHELH)' + +diff --git a/rhel8/profiles/rhelh-vpp.profile b/rhel8/profiles/rhelh-vpp.profile +index 2baee6d66..8592d7aaf 100644 +--- a/rhel8/profiles/rhelh-vpp.profile ++++ b/rhel8/profiles/rhelh-vpp.profile +@@ -1,4 +1,4 @@ +-documentation_complete: true ++documentation_complete: false + + title: 'VPP - Protection Profile for Virtualization v. 1.0 for Red Hat Enterprise Linux Hypervisor (RHELH)' + diff --git a/rhel8/profiles/rht-ccp.profile b/rhel8/profiles/rht-ccp.profile -index 023663b21..8b22bc711 100644 +index c84579592..164ec98c4 100644 --- a/rhel8/profiles/rht-ccp.profile +++ b/rhel8/profiles/rht-ccp.profile @@ -1,4 +1,4 @@ @@ -78,5 +101,5 @@ index a63ae2cf3..da669bb84 100644 title: 'Standard System Security Profile for Red Hat Enterprise Linux 8' -- -2.19.2 +2.21.1 diff --git a/SOURCES/scap-security-guide-0.1.47-add_-t_parameter_to_fix_audit_syscall_rule.patch b/SOURCES/scap-security-guide-0.1.47-add_-t_parameter_to_fix_audit_syscall_rule.patch deleted file mode 100644 index ece79f4..0000000 --- a/SOURCES/scap-security-guide-0.1.47-add_-t_parameter_to_fix_audit_syscall_rule.patch +++ /dev/null @@ -1,31 +0,0 @@ -From 9df5bac6e7ee74c75c750ff15bf3d36c5d9a653f Mon Sep 17 00:00:00 2001 -From: Milan Lysonek -Date: Tue, 1 Oct 2019 16:56:37 +0200 -Subject: [PATCH] Add -t parameter for readarray to remove trailing newline. - ---- - shared/bash_remediation_functions/fix_audit_syscall_rule.sh | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/shared/bash_remediation_functions/fix_audit_syscall_rule.sh b/shared/bash_remediation_functions/fix_audit_syscall_rule.sh -index 25f80fe30b..d91e4f7b62 100644 ---- a/shared/bash_remediation_functions/fix_audit_syscall_rule.sh -+++ b/shared/bash_remediation_functions/fix_audit_syscall_rule.sh -@@ -82,7 +82,7 @@ elif [ "$tool" == 'augenrules' ] - then - # Extract audit $key from audit rule so we can use it later - key=$(expr "$full_rule" : '.*-k[[:space:]]\([^[:space:]]\+\)' '|' "$full_rule" : '.*-F[[:space:]]key=\([^[:space:]]\+\)') -- readarray matches < <(sed -s -n -e "\;${pattern};!d" -e "/${arch}/!d" -e "/${group}/!d;F" /etc/audit/rules.d/*.rules) -+ readarray -t matches < <(sed -s -n -e "\;${pattern};!d" -e "/${arch}/!d" -e "/${group}/!d;F" /etc/audit/rules.d/*.rules) - if [ $? -ne 0 ] - then - retval=1 -@@ -114,7 +114,7 @@ do - # * follow the rule pattern, and - # * meet the hardware architecture requirement, and - # * are current syscall group specific -- readarray existing_rules < <(sed -e "\;${pattern};!d" -e "/${arch}/!d" -e "/${group}/!d" "$audit_file") -+ readarray -t existing_rules < <(sed -e "\;${pattern};!d" -e "/${arch}/!d" -e "/${group}/!d" "$audit_file") - if [ $? -ne 0 ] - then - retval=1 diff --git a/SOURCES/scap-security-guide-0.1.47-add_missing_cce_sudo_require_authentication.patch b/SOURCES/scap-security-guide-0.1.47-add_missing_cce_sudo_require_authentication.patch deleted file mode 100644 index e1020b6..0000000 --- a/SOURCES/scap-security-guide-0.1.47-add_missing_cce_sudo_require_authentication.patch +++ /dev/null @@ -1,19 +0,0 @@ -commit 12ee9b8f0b3829ab7dff76992764e38032fc7346 -Author: Matěj Týč -Date: Fri Oct 11 15:55:56 2019 +0200 - - Added missing CCEs. - -diff --git a/linux_os/guide/system/software/sudo/sudo_require_authentication/rule.yml b/linux_os/guide/system/software/sudo/sudo_require_authentication/rule.yml -index e542b8965..1ad038f77 100644 ---- a/linux_os/guide/system/software/sudo/sudo_require_authentication/rule.yml -+++ b/linux_os/guide/system/software/sudo/sudo_require_authentication/rule.yml -@@ -21,6 +21,8 @@ severity: medium - - identifiers: - cce@rhel6: 80506-9 -+ cce@rhel7: 82278-3 -+ cce@rhel8: 82279-1 - - references: - disa@rhel6: "2038" diff --git a/SOURCES/scap-security-guide-0.1.47-compare_suid_files_with_rpm.patch b/SOURCES/scap-security-guide-0.1.47-compare_suid_files_with_rpm.patch deleted file mode 100644 index e15c07c..0000000 --- a/SOURCES/scap-security-guide-0.1.47-compare_suid_files_with_rpm.patch +++ /dev/null @@ -1,1013 +0,0 @@ -From b457ba1cf5ea6043a501ecc45f7a54c4de61b372 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= -Date: Mon, 22 Jul 2019 15:26:48 +0200 -Subject: [PATCH 1/6] Compare suid/sgid files with the RPM database - -It is difficult to maintain the list to list paths of all possible suid -and sgid binaries in a Linux distribution. Instead, we can check if the -suid or sgid file is owned by an RPM package by consulting the RPM -database. Another advantage of this solution is that we can have a -single OVAL for all RPM-related Linux distributions. The patch modifies -OVAL for rules file_permissions_unauthorized_suid and -file_permissions_unauthorized_sgid and also adds test scenarios for -these rules. -Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1693026 ---- - .../oval/shared.xml | 131 ++++++++---------- - .../oval/wrlinux.xml | 42 ------ - .../tests/no_unpackaged_sgid.pass.sh | 10 ++ - .../tests/unpackaged_sgid.fail.sh | 13 ++ - .../oval/ol7.xml | 93 ------------- - .../oval/ol8.xml | 93 ------------- - .../oval/rhel6.xml | 99 ------------- - .../oval/rhel7.xml | 95 ------------- - .../oval/shared.xml | 62 +++++++++ - .../oval/wrlinux.xml | 55 -------- - .../tests/no_unpackaged_suid.pass.sh | 10 ++ - .../tests/unpackaged_suid.fail.sh | 13 ++ - 12 files changed, 162 insertions(+), 554 deletions(-) - delete mode 100644 linux_os/guide/system/permissions/files/file_permissions_unauthorized_sgid/oval/wrlinux.xml - create mode 100644 linux_os/guide/system/permissions/files/file_permissions_unauthorized_sgid/tests/no_unpackaged_sgid.pass.sh - create mode 100644 linux_os/guide/system/permissions/files/file_permissions_unauthorized_sgid/tests/unpackaged_sgid.fail.sh - delete mode 100644 linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/oval/ol7.xml - delete mode 100644 linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/oval/ol8.xml - delete mode 100644 linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/oval/rhel6.xml - delete mode 100644 linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/oval/rhel7.xml - create mode 100644 linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/oval/shared.xml - delete mode 100644 linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/oval/wrlinux.xml - create mode 100644 linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/tests/no_unpackaged_suid.pass.sh - create mode 100644 linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/tests/unpackaged_suid.fail.sh - -diff --git a/linux_os/guide/system/permissions/files/file_permissions_unauthorized_sgid/oval/shared.xml b/linux_os/guide/system/permissions/files/file_permissions_unauthorized_sgid/oval/shared.xml -index de4b86c3e0..83988feec7 100644 ---- a/linux_os/guide/system/permissions/files/file_permissions_unauthorized_sgid/oval/shared.xml -+++ b/linux_os/guide/system/permissions/files/file_permissions_unauthorized_sgid/oval/shared.xml -@@ -1,85 +1,62 @@ - -- -- -- Find setgid files system packages -- -- multi_platform_rhel -- multi_platform_ol -- -- All files with setgid should be owned by a base system package -- -- -- -- -- -+ -+ -+ Find SGID files that are not owned by RPM packages -+ -+ multi_platform_fedora -+ multi_platform_rhel -+ multi_platform_ol -+ multi_platform_wrlinux -+ -+ Evaluates to true if all files with SGID set are owned by RPM packages. -+ -+ -+ -+ -+ - -- -- -- -+ -+ -+ - -- -- -- / -- ^.*$ -- state_file_permissions_unauthorized_sgid -- state_sgid_whitelist -- -+ -+ -+ / -+ ^.*$ -+ state_file_permissions_unauthorized_sgid_sgid_set -+ state_file_permissions_unauthorized_sgid_filepaths -+ - -- -- true -- -+ -+ -+ .* -+ .* -+ .* -+ .* -+ .* -+ -+ - -- -- -- -- -+ -+ -+ / -+ ^.*$ -+ state_file_permissions_unauthorized_sgid_sgid_set -+ - -- -- {{% if product == "rhel6" %}} -- /bin/cgclassify -- /bin/cgexec -- /sbin/netreport -- {{% else %}} -- /usr/bin/cgclassify -- /usr/bin/cgexec -- /usr/sbin/netreport -- /usr/lib/vte-2.90/gnome-pty-helper -- /usr/lib/vte-2.91/gnome-pty-helper -- /usr/lib64/vte/gnome-pty-helper -- /usr/lib64/vte-2.90/gnome-pty-helper -- /usr/lib64/vte-2.91/gnome-pty-helper -- /usr/libexec/abrt-action-install-debuginfo-to-abrt-cache -- /usr/libexec/openssh/ssh-keysign -- {{% endif %}} -- /usr/bin/crontab -- /usr/bin/gnomine -- /usr/bin/iagno -- /usr/bin/locate -- /usr/bin/lockfile -- /usr/bin/same-gnome -- /usr/bin/screen -- /usr/bin/ssh-agent -- /usr/bin/wall -- /usr/bin/write -- /usr/lib/vte/gnome-pty-helper -- /usr/libexec/kde4/kdesud -- /usr/libexec/utempter/utempter -- /usr/lib/mailman/cgi-bin/admindb -- /usr/lib/mailman/cgi-bin/admin -- /usr/lib/mailman/cgi-bin/confirm -- /usr/lib/mailman/cgi-bin/create -- /usr/lib/mailman/cgi-bin/edithtml -- /usr/lib/mailman/cgi-bin/listinfo -- /usr/lib/mailman/cgi-bin/options -- /usr/lib/mailman/cgi-bin/private -- /usr/lib/mailman/cgi-bin/rmlist -- /usr/lib/mailman/cgi-bin/roster -- /usr/lib/mailman/cgi-bin/subscribe -- /usr/lib/mailman/mail/mailman -- /usr/sbin/lockdev -- /usr/sbin/postdrop -- /usr/sbin/postqueue -- /usr/sbin/sendmail.sendmail -- -+ -+ true -+ - -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ - -diff --git a/linux_os/guide/system/permissions/files/file_permissions_unauthorized_sgid/oval/wrlinux.xml b/linux_os/guide/system/permissions/files/file_permissions_unauthorized_sgid/oval/wrlinux.xml -deleted file mode 100644 -index 962a26d5f3..0000000000 ---- a/linux_os/guide/system/permissions/files/file_permissions_unauthorized_sgid/oval/wrlinux.xml -+++ /dev/null -@@ -1,42 +0,0 @@ -- -- -- -- Find setgid files system packages -- -- Wind River Linux 8 -- -- All files with setgid should be owned by a base system package -- -- -- -- -- -- -- -- -- -- -- -- -- / -- ^.*$ -- state_file_permissions_unauthorized_sgid -- state_sgid_whitelist -- -- -- -- true -- -- -- -- -- -- -- -- -- /usr/bin/crontab -- /usr/sbin/postdrop -- /usr/sbin/postqueue -- -- -- -diff --git a/linux_os/guide/system/permissions/files/file_permissions_unauthorized_sgid/tests/no_unpackaged_sgid.pass.sh b/linux_os/guide/system/permissions/files/file_permissions_unauthorized_sgid/tests/no_unpackaged_sgid.pass.sh -new file mode 100644 -index 0000000000..adf6b6b959 ---- /dev/null -+++ b/linux_os/guide/system/permissions/files/file_permissions_unauthorized_sgid/tests/no_unpackaged_sgid.pass.sh -@@ -0,0 +1,10 @@ -+#!/bin/bash -+ -+# profiles = xccdf_org.ssgproject.content_profile_standard -+# remediation = none -+ -+for x in $(find / -perm /g=s) ; do -+ if ! rpm -qf $x ; then -+ rm -rf $x -+ fi -+done -diff --git a/linux_os/guide/system/permissions/files/file_permissions_unauthorized_sgid/tests/unpackaged_sgid.fail.sh b/linux_os/guide/system/permissions/files/file_permissions_unauthorized_sgid/tests/unpackaged_sgid.fail.sh -new file mode 100644 -index 0000000000..4aa273ca89 ---- /dev/null -+++ b/linux_os/guide/system/permissions/files/file_permissions_unauthorized_sgid/tests/unpackaged_sgid.fail.sh -@@ -0,0 +1,13 @@ -+#!/bin/bash -+ -+# profiles = xccdf_org.ssgproject.content_profile_standard -+# remediation = none -+ -+for x in $(find / -perm /g=s) ; do -+ if ! rpm -qf $x ; then -+ rm -rf $x -+ fi -+done -+ -+touch /usr/bin/sgid_binary -+chmod g+xs /usr/bin/sgid_binary -diff --git a/linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/oval/ol7.xml b/linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/oval/ol7.xml -deleted file mode 100644 -index 6f4a87e3fb..0000000000 ---- a/linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/oval/ol7.xml -+++ /dev/null -@@ -1,93 +0,0 @@ -- -- -- -- Find setuid files from system packages -- -- Oracle Linux 7 -- -- All files with setuid should be owned by a base system package -- -- -- -- -- -- -- -- -- -- -- -- -- / -- ^.*$ -- state_file_permissions_unauthorized_suid -- state_suid_whitelist -- -- -- -- true -- -- -- -- -- -- -- -- -- -- /usr/bin/abrt-action-install-debuginfo-to-abrt-cache -- /usr/bin/at -- /usr/bin/chage -- /usr/bin/chfn -- /usr/bin/chsh -- /usr/bin/crontab -- /usr/bin/fusermount -- /usr/bin/gpasswd -- /usr/bin/ksu -- /usr/bin/mount -- /usr/bin/newgrp -- /usr/bin/passwd -- /usr/bin/pkexec -- /usr/bin/staprun -- /usr/bin/sudoedit -- /usr/bin/sudo -- /usr/bin/su -- /usr/bin/umount -- /usr/bin/Xorg -- /usr/lib64/amanda/application/amgtar -- /usr/lib64/amanda/application/amstar -- /usr/lib64/amanda/calcsize -- /usr/lib64/amanda/dumper -- /usr/lib64/amanda/killpgrp -- /usr/lib64/amanda/planner -- /usr/lib64/amanda/rundump -- /usr/lib64/amanda/runtar -- /usr/lib64/dbus-1/dbus-daemon-launch-helper -- /usr/lib/amanda/application/amgtar -- /usr/lib/amanda/application/amstar -- /usr/lib/amanda/calcsize -- /usr/lib/amanda/dumper -- /usr/lib/amanda/killpgrp -- /usr/lib/amanda/planner -- /usr/lib/amanda/rundump -- /usr/lib/amanda/runtar -- /usr/lib/dbus-1/dbus-daemon-launch-helper -- /usr/libexec/abrt-action-install-debuginfo-to-abrt-cache -- /usr/libexec/kde4/kpac_dhcp_helper -- /usr/libexec/qemu-bridge-helper -- /usr/libexec/spice-gtk-x86_64/spice-client-glib-usb-acl-helper -- /usr/libexec/sssd/krb5_child -- /usr/libexec/sssd/ldap_child -- /usr/libexec/sssd/proxy_child -- /usr/libexec/sssd/selinux_child -- /usr/lib/polkit-1/polkit-agent-helper-1 -- /usr/sbin/amcheck -- /usr/sbin/amservice -- /usr/sbin/mount.nfs -- /usr/sbin/pam_timestamp_check -- /usr/sbin/unix_chkpwd -- /usr/sbin/userhelper -- /usr/sbin/usernetctl -- -- -- -diff --git a/linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/oval/ol8.xml b/linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/oval/ol8.xml -deleted file mode 100644 -index f185efc221..0000000000 ---- a/linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/oval/ol8.xml -+++ /dev/null -@@ -1,93 +0,0 @@ -- -- -- -- Find setuid files from system packages -- -- Oracle Linux 8 -- -- All files with setuid should be owned by a base system package -- -- -- -- -- -- -- -- -- -- -- -- -- / -- ^.*$ -- state_file_permissions_unauthorized_suid -- state_suid_whitelist -- -- -- -- true -- -- -- -- -- -- -- -- -- -- /usr/bin/abrt-action-install-debuginfo-to-abrt-cache -- /usr/bin/at -- /usr/bin/chage -- /usr/bin/chfn -- /usr/bin/chsh -- /usr/bin/crontab -- /usr/bin/fusermount -- /usr/bin/gpasswd -- /usr/bin/ksu -- /usr/bin/mount -- /usr/bin/newgrp -- /usr/bin/passwd -- /usr/bin/pkexec -- /usr/bin/staprun -- /usr/bin/sudoedit -- /usr/bin/sudo -- /usr/bin/su -- /usr/bin/umount -- /usr/bin/Xorg -- /usr/lib64/amanda/application/amgtar -- /usr/lib64/amanda/application/amstar -- /usr/lib64/amanda/calcsize -- /usr/lib64/amanda/dumper -- /usr/lib64/amanda/killpgrp -- /usr/lib64/amanda/planner -- /usr/lib64/amanda/rundump -- /usr/lib64/amanda/runtar -- /usr/lib64/dbus-1/dbus-daemon-launch-helper -- /usr/lib/amanda/application/amgtar -- /usr/lib/amanda/application/amstar -- /usr/lib/amanda/calcsize -- /usr/lib/amanda/dumper -- /usr/lib/amanda/killpgrp -- /usr/lib/amanda/planner -- /usr/lib/amanda/rundump -- /usr/lib/amanda/runtar -- /usr/lib/dbus-1/dbus-daemon-launch-helper -- /usr/libexec/abrt-action-install-debuginfo-to-abrt-cache -- /usr/libexec/kde4/kpac_dhcp_helper -- /usr/libexec/qemu-bridge-helper -- /usr/libexec/spice-gtk-x86_64/spice-client-glib-usb-acl-helper -- /usr/libexec/sssd/krb5_child -- /usr/libexec/sssd/ldap_child -- /usr/libexec/sssd/proxy_child -- /usr/libexec/sssd/selinux_child -- /usr/lib/polkit-1/polkit-agent-helper-1 -- /usr/sbin/amcheck -- /usr/sbin/amservice -- /usr/sbin/mount.nfs -- /usr/sbin/pam_timestamp_check -- /usr/sbin/unix_chkpwd -- /usr/sbin/userhelper -- /usr/sbin/usernetctl -- -- -- -diff --git a/linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/oval/rhel6.xml b/linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/oval/rhel6.xml -deleted file mode 100644 -index 3a59897356..0000000000 ---- a/linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/oval/rhel6.xml -+++ /dev/null -@@ -1,99 +0,0 @@ -- -- -- -- Find setuid files from system packages -- -- Red Hat Enterprise Linux 6 -- -- All files with setuid should be owned by a base system package -- -- -- -- -- -- -- -- -- -- -- -- -- / -- ^.*$ -- state_file_permissions_unauthorized_suid -- state_suid_whitelist -- -- -- -- true -- -- -- -- -- -- -- -- -- /bin/fusermount -- /bin/mount -- /bin/ping6 -- /bin/ping -- /bin/su -- /bin/umount -- /lib64/dbus-1/dbus-daemon-launch-helper -- /lib/dbus-1/dbus-daemon-launch-helper -- /sbin/mount.ecryptfs_private -- /sbin/mount.nfs -- /sbin/pam_timestamp_check -- /sbin/unix_chkpwd -- /usr/bin/abrt-action-install-debuginfo-to-abrt-cache -- /usr/bin/at -- /usr/bin/chage -- /usr/bin/chfn -- /usr/bin/chsh -- /usr/bin/crontab -- /usr/bin/gpasswd -- /usr/bin/kgrantpty -- /usr/bin/kpac_dhcp_helper -- /usr/bin/ksu -- /usr/bin/newgrp -- /usr/bin/newrole -- /usr/bin/passwd -- /usr/bin/pkexec -- /usr/bin/rcp -- /usr/bin/rlogin -- /usr/bin/rsh -- /usr/bin/sperl5.10.1 -- /usr/bin/staprun -- /usr/bin/sudoedit -- /usr/bin/sudo -- /usr/bin/Xorg -- /usr/lib64/amanda/calcsize -- /usr/lib64/amanda/dumper -- /usr/lib64/amanda/killpgrp -- /usr/lib64/amanda/planner -- /usr/lib64/amanda/rundump -- /usr/lib64/amanda/runtar -- /usr/lib64/nspluginwrapper/plugin-config -- /usr/lib/amanda/calcsize -- /usr/lib/amanda/dumper -- /usr/lib/amanda/killpgrp -- /usr/lib/amanda/planner -- /usr/lib/amanda/rundump -- /usr/lib/amanda/runtar -- /usr/libexec/abrt-action-install-debuginfo-to-abrt-cache -- /usr/libexec/spice-gtk-x86_64/spice-client-glib-usb-acl-helper -- /usr/libexec/mc/cons.saver -- /usr/libexec/openssh/ssh-keysign -- /usr/libexec/polkit-1/polkit-agent-helper-1 -- /usr/libexec/pt_chown -- /usr/libexec/pulse/proximity-helper -- /usr/lib/nspluginwrapper/plugin-config -- /usr/sbin/amcheck -- /usr/sbin/seunshare -- /usr/sbin/suexec -- /usr/sbin/userhelper -- /usr/sbin/usernetctl -- -- -- -diff --git a/linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/oval/rhel7.xml b/linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/oval/rhel7.xml -deleted file mode 100644 -index c48bda0ef6..0000000000 ---- a/linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/oval/rhel7.xml -+++ /dev/null -@@ -1,95 +0,0 @@ -- -- -- -- Find setuid files from system packages -- -- Red Hat Enterprise Linux 7 -- -- All files with setuid should be owned by a base system package -- -- -- -- -- -- -- -- -- -- -- -- -- / -- ^.*$ -- state_file_permissions_unauthorized_suid -- state_suid_whitelist -- -- -- -- true -- -- -- -- -- -- -- -- -- -- /usr/bin/abrt-action-install-debuginfo-to-abrt-cache -- /usr/bin/at -- /usr/bin/chage -- /usr/bin/chfn -- /usr/bin/chsh -- /usr/bin/crontab -- /usr/bin/fusermount -- /usr/bin/gpasswd -- /usr/bin/ksu -- /usr/bin/mount -- /usr/bin/newgrp -- /usr/bin/passwd -- /usr/bin/pkexec -- /usr/bin/staprun -- /usr/bin/sudoedit -- /usr/bin/sudo -- /usr/bin/su -- /usr/bin/umount -- /usr/bin/Xorg -- /usr/lib64/amanda/application/amgtar -- /usr/lib64/amanda/application/amstar -- /usr/lib64/amanda/calcsize -- /usr/lib64/amanda/dumper -- /usr/lib64/amanda/killpgrp -- /usr/lib64/amanda/planner -- /usr/lib64/amanda/rundump -- /usr/lib64/amanda/runtar -- /usr/lib64/dbus-1/dbus-daemon-launch-helper -- /usr/lib/amanda/application/amgtar -- /usr/lib/amanda/application/amstar -- /usr/lib/amanda/calcsize -- /usr/lib/amanda/dumper -- /usr/lib/amanda/killpgrp -- /usr/lib/amanda/planner -- /usr/lib/amanda/rundump -- /usr/lib/amanda/runtar -- /usr/lib/dbus-1/dbus-daemon-launch-helper -- /usr/libexec/abrt-action-install-debuginfo-to-abrt-cache -- /usr/libexec/cockpit-session -- /usr/libexec/dbus-1/dbus-daemon-launch-helper -- /usr/libexec/kde4/kpac_dhcp_helper -- /usr/libexec/qemu-bridge-helper -- /usr/libexec/spice-gtk-x86_64/spice-client-glib-usb-acl-helper -- /usr/libexec/sssd/krb5_child -- /usr/libexec/sssd/ldap_child -- /usr/libexec/sssd/proxy_child -- /usr/libexec/sssd/selinux_child -- /usr/lib/polkit-1/polkit-agent-helper-1 -- /usr/sbin/amcheck -- /usr/sbin/amservice -- /usr/sbin/mount.nfs -- /usr/sbin/pam_timestamp_check -- /usr/sbin/unix_chkpwd -- /usr/sbin/userhelper -- /usr/sbin/usernetctl -- -- -- -diff --git a/linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/oval/shared.xml b/linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/oval/shared.xml -new file mode 100644 -index 0000000000..e83595c198 ---- /dev/null -+++ b/linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/oval/shared.xml -@@ -0,0 +1,62 @@ -+ -+ -+ -+ Find SUID files that are not owned by RPM packages -+ -+ multi_platform_fedora -+ multi_platform_rhel -+ multi_platform_ol -+ multi_platform_wrlinux -+ -+ Evaluates to true if all files with SUID set are owned by RPM packages. -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ / -+ ^.*$ -+ state_file_permissions_unauthorized_suid_suid_set -+ state_file_permissions_unauthorized_suid_filepaths -+ -+ -+ -+ -+ .* -+ .* -+ .* -+ .* -+ .* -+ -+ -+ -+ -+ -+ / -+ ^.*$ -+ state_file_permissions_unauthorized_suid_suid_set -+ -+ -+ -+ true -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -diff --git a/linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/oval/wrlinux.xml b/linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/oval/wrlinux.xml -deleted file mode 100644 -index 8306d38211..0000000000 ---- a/linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/oval/wrlinux.xml -+++ /dev/null -@@ -1,55 +0,0 @@ -- -- -- -- Find setuid files from system packages -- -- Wind River Linux 8 -- -- All files with setuid should be owned by a base system package -- -- -- -- -- -- -- -- -- -- -- -- -- / -- ^.*$ -- state_file_permissions_unauthorized_suid -- state_suid_whitelist -- -- -- -- true -- -- -- -- -- -- -- -- -- -- /bin/su.shadow -- /bin/su.util-linux -- /usr/bin/chage -- /usr/bin/chfn.shadow -- /usr/bin/chsh.shadow -- /usr/bin/expiry -- /usr/bin/gpasswd -- /usr/bin/newgidmap -- /usr/bin/newgrp.shadow -- /usr/bin/newuidmap -- /usr/bin/passwd.shadow -- /usr/bin/sudo -- /usr/lib64/dbus/dbus-daemon-launch-helper -- /usr/sbin/unix_chkpwd -- /usr/sbin/vlock-main -- -- -- -diff --git a/linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/tests/no_unpackaged_suid.pass.sh b/linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/tests/no_unpackaged_suid.pass.sh -new file mode 100644 -index 0000000000..e6e5a29fb3 ---- /dev/null -+++ b/linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/tests/no_unpackaged_suid.pass.sh -@@ -0,0 +1,10 @@ -+#!/bin/bash -+ -+# profiles = xccdf_org.ssgproject.content_profile_standard -+# remediation = none -+ -+for x in $(find / -perm /u=s) ; do -+ if ! rpm -qf $x ; then -+ rm -rf $x -+ fi -+done -diff --git a/linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/tests/unpackaged_suid.fail.sh b/linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/tests/unpackaged_suid.fail.sh -new file mode 100644 -index 0000000000..f05f1821ec ---- /dev/null -+++ b/linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/tests/unpackaged_suid.fail.sh -@@ -0,0 +1,13 @@ -+#!/bin/bash -+ -+# profiles = xccdf_org.ssgproject.content_profile_standard -+# remediation = none -+ -+for x in $(find / -perm /u=s) ; do -+ if ! rpm -qf $x ; then -+ rm -rf $x -+ fi -+done -+ -+touch /usr/bin/suid_binary -+chmod u+xs /usr/bin/suid_binary - -From 359400441acb2290af7e5ff49942dec01cb39a43 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= -Date: Fri, 9 Aug 2019 08:44:59 +0200 -Subject: [PATCH 2/6] Describe the logic of the check in rule description - ---- - .../files/file_permissions_unauthorized_sgid/rule.yml | 5 +++++ - .../files/file_permissions_unauthorized_suid/rule.yml | 5 +++++ - 2 files changed, 10 insertions(+) - -diff --git a/linux_os/guide/system/permissions/files/file_permissions_unauthorized_sgid/rule.yml b/linux_os/guide/system/permissions/files/file_permissions_unauthorized_sgid/rule.yml -index f039eea88c..9bad52d9b2 100644 ---- a/linux_os/guide/system/permissions/files/file_permissions_unauthorized_sgid/rule.yml -+++ b/linux_os/guide/system/permissions/files/file_permissions_unauthorized_sgid/rule.yml -@@ -8,6 +8,11 @@ description: |- - unauthorized SGID files is determine if any were not installed as part of an - RPM package, which is cryptographically verified. Investigate the origin - of any unpackaged SGID files. -+ This configuration check whitelists SGID files which were installed via RPM. -+ It is assumed that when an individual has sudo access to install an RPM -+ and all packages are signed with an organizationally-recognized GPG key, -+ the software should be considered an approved package on the system. -+ Any SGID file not deployed through an RPM will be flagged for further review. - - rationale: |- - Executable files with the SGID permission run with the privileges of -diff --git a/linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/rule.yml b/linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/rule.yml -index 5f4bc02cd1..1e01924469 100644 ---- a/linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/rule.yml -+++ b/linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/rule.yml -@@ -8,6 +8,11 @@ description: |- - unauthorized SGID files is determine if any were not installed as part of an - RPM package, which is cryptographically verified. Investigate the origin - of any unpackaged SUID files. -+ This configuration check whitelists SUID files which were installed via RPM. -+ It is assumed that when an individual has sudo access to install an RPM -+ and all packages are signed with an organizationally-recognized GPG key, -+ the software should be considered an approved package on the system. -+ Any SUID file not deployed through an RPM will be flagged for further review. - - rationale: |- - Executable files with the SUID permission run with the privileges of - -From f8f7c2ae18f6c1d0cb145d996fb59d875276c991 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= -Date: Wed, 14 Aug 2019 11:28:38 +0200 -Subject: [PATCH 3/6] Change 'whitelists' to 'considers authorized' - ---- - .../files/file_permissions_unauthorized_sgid/rule.yml | 2 +- - .../files/file_permissions_unauthorized_suid/rule.yml | 2 +- - 2 files changed, 2 insertions(+), 2 deletions(-) - -diff --git a/linux_os/guide/system/permissions/files/file_permissions_unauthorized_sgid/rule.yml b/linux_os/guide/system/permissions/files/file_permissions_unauthorized_sgid/rule.yml -index 9bad52d9b2..e92637ca09 100644 ---- a/linux_os/guide/system/permissions/files/file_permissions_unauthorized_sgid/rule.yml -+++ b/linux_os/guide/system/permissions/files/file_permissions_unauthorized_sgid/rule.yml -@@ -8,7 +8,7 @@ description: |- - unauthorized SGID files is determine if any were not installed as part of an - RPM package, which is cryptographically verified. Investigate the origin - of any unpackaged SGID files. -- This configuration check whitelists SGID files which were installed via RPM. -+ This configuration check considers authorized SGID files which were installed via RPM. - It is assumed that when an individual has sudo access to install an RPM - and all packages are signed with an organizationally-recognized GPG key, - the software should be considered an approved package on the system. -diff --git a/linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/rule.yml b/linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/rule.yml -index 1e01924469..9f3f3dc86c 100644 ---- a/linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/rule.yml -+++ b/linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/rule.yml -@@ -8,7 +8,7 @@ description: |- - unauthorized SGID files is determine if any were not installed as part of an - RPM package, which is cryptographically verified. Investigate the origin - of any unpackaged SUID files. -- This configuration check whitelists SUID files which were installed via RPM. -+ This configuration check considers authorized SUID files which were installed via RPM. - It is assumed that when an individual has sudo access to install an RPM - and all packages are signed with an organizationally-recognized GPG key, - the software should be considered an approved package on the system. - -From 69fac9536f88047a77aea67db81004872e27dae6 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= -Date: Wed, 16 Oct 2019 10:23:47 +0200 -Subject: [PATCH 4/6] Fix OCIL - ---- - .../files/file_permissions_unauthorized_sgid/rule.yml | 4 ++-- - .../files/file_permissions_unauthorized_suid/rule.yml | 4 ++-- - 2 files changed, 4 insertions(+), 4 deletions(-) - -diff --git a/linux_os/guide/system/permissions/files/file_permissions_unauthorized_sgid/rule.yml b/linux_os/guide/system/permissions/files/file_permissions_unauthorized_sgid/rule.yml -index e92637ca09..d03e7bf980 100644 ---- a/linux_os/guide/system/permissions/files/file_permissions_unauthorized_sgid/rule.yml -+++ b/linux_os/guide/system/permissions/files/file_permissions_unauthorized_sgid/rule.yml -@@ -41,5 +41,5 @@ references: - ocil_clause: 'there is output' - - ocil: |- -- To find world-writable files, run the following command: -- 
$ sudo find / -xdev -type f -perm -002
-+ To find SGID files, run the following command: -+ 
$ sudo find / -xdev -type f -perm -2000
-diff --git a/linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/rule.yml b/linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/rule.yml -index 9f3f3dc86c..9aa7f40161 100644 ---- a/linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/rule.yml -+++ b/linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/rule.yml -@@ -41,5 +41,5 @@ references: - ocil_clause: 'only authorized files appear in the output of the find command' - - ocil: |- -- To find world-writable files, run the following command: -- 
$ sudo find / -xdev -type f -perm -002
-+ To find SUID files, run the following command: -+ 
$ sudo find / -xdev -type f -perm -4000
- -From 4cd5fec7f7c71a475bbd5e9781dbfc38fdda5b92 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= -Date: Wed, 16 Oct 2019 10:23:58 +0200 -Subject: [PATCH 5/6] Fix a typo - ---- - .../files/file_permissions_unauthorized_suid/rule.yml | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/rule.yml b/linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/rule.yml -index 9aa7f40161..6cfcff2e4b 100644 ---- a/linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/rule.yml -+++ b/linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/rule.yml -@@ -5,7 +5,7 @@ title: 'Ensure All SUID Executables Are Authorized' - description: |- - The SUID (set user id) bit should be set only on files that were - installed via authorized means. A straightforward means of identifying -- unauthorized SGID files is determine if any were not installed as part of an -+ unauthorized SUID files is determine if any were not installed as part of an - RPM package, which is cryptographically verified. Investigate the origin - of any unpackaged SUID files. - This configuration check considers authorized SUID files which were installed via RPM. - -From 5cce2c77ae93750442a9635929786fb265834310 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= -Date: Wed, 16 Oct 2019 11:19:54 +0200 -Subject: [PATCH 6/6] Add prodtype - -This rule has OVAL only for RHEL, Fedora, OL and WRLinux. -We can specify it in prodtype to prevent its inclusion to datastreams -for products where this rule isn't applicable ---- - .../files/file_permissions_unauthorized_sgid/rule.yml | 2 ++ - .../files/file_permissions_unauthorized_suid/rule.yml | 2 ++ - 2 files changed, 4 insertions(+) - -diff --git a/linux_os/guide/system/permissions/files/file_permissions_unauthorized_sgid/rule.yml b/linux_os/guide/system/permissions/files/file_permissions_unauthorized_sgid/rule.yml -index d03e7bf980..de627fbe7e 100644 ---- a/linux_os/guide/system/permissions/files/file_permissions_unauthorized_sgid/rule.yml -+++ b/linux_os/guide/system/permissions/files/file_permissions_unauthorized_sgid/rule.yml -@@ -2,6 +2,8 @@ documentation_complete: true - - title: 'Ensure All SGID Executables Are Authorized' - -+prodtype: rhel6,rhel7,rhel8,ol7,ol8,fedora,wrlinux8,wrlinux1019 -+ - description: |- - The SGID (set group id) bit should be set only on files that were - installed via authorized means. A straightforward means of identifying -diff --git a/linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/rule.yml b/linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/rule.yml -index 6cfcff2e4b..27946fb86a 100644 ---- a/linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/rule.yml -+++ b/linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/rule.yml -@@ -2,6 +2,8 @@ documentation_complete: true - - title: 'Ensure All SUID Executables Are Authorized' - -+prodtype: rhel6,rhel7,rhel8,ol7,ol8,fedora,wrlinux8,wrlinux1019 -+ - description: |- - The SUID (set user id) bit should be set only on files that were - installed via authorized means. A straightforward means of identifying diff --git a/SOURCES/scap-security-guide-0.1.47-e8.patch b/SOURCES/scap-security-guide-0.1.47-e8.patch deleted file mode 100644 index a16df46..0000000 --- a/SOURCES/scap-security-guide-0.1.47-e8.patch +++ /dev/null @@ -1,301 +0,0 @@ -From 294a7b225581b89a8029143e18e14cd961fcff7d Mon Sep 17 00:00:00 2001 -From: shaneboulden -Date: Sun, 22 Sep 2019 06:10:57 +1000 -Subject: [PATCH] Add Essential Eight profiles - -The Australian Cyber Security Centre (ACSC) Essential Eight provides -a baseline for cyber resilience. - -A copy of the Essential Eight in Linux Environments guide can be found -at the ACSC website: - -https://www.cyber.gov.au/publications/essential-eight-in-linux-environments ---- - rhel7/profiles/e8.profile | 132 ++++++++++++++++++++++++++++++++++++ - rhel8/profiles/e8.profile | 138 ++++++++++++++++++++++++++++++++++++++ - 2 files changed, 270 insertions(+) - create mode 100644 rhel7/profiles/e8.profile - create mode 100644 rhel8/profiles/e8.profile - -diff --git a/rhel7/profiles/e8.profile b/rhel7/profiles/e8.profile -new file mode 100644 -index 0000000000..27ff2a58e6 ---- /dev/null -+++ b/rhel7/profiles/e8.profile -@@ -0,0 +1,132 @@ -+documentation_complete: true -+ -+title: 'Australian Cyber Security Centre (ACSC) Essential Eight' -+ -+description: |- -+ This profile contains configuration checks for Red Hat Enterprise Linux 7 -+ that align to the Australian Cyber Security Centre (ACSC) Essential Eight. -+ -+ A copy of the Essential Eight in Linux Environments guide can be found at the -+ ACSC website: -+ -+ https://www.cyber.gov.au/publications/essential-eight-in-linux-environments -+ -+selections: -+ -+ ### Remove obsolete packages -+ - package_talk_removed -+ - package_talk-server_removed -+ - package_xinetd_removed -+ - service_xinetd_disabled -+ - package_ypbind_removed -+ - package_telnet_removed -+ - service_telnet_disabled -+ - package_telnet-server_removed -+ - package_rsh_removed -+ - package_rsh-server_removed -+ - service_zebra_disabled -+ - package_quagga_removed -+ - service_avahi-daemon_disabled -+ - package_squid_removed -+ - service_squid_disabled -+ -+ ### Software update -+ - ensure_redhat_gpgkey_installed -+ - ensure_gpgcheck_never_disabled -+ - ensure_gpgcheck_local_packages -+ - ensure_gpgcheck_globally_activated -+ - security_patches_up_to_date -+ -+ ### System security settings -+ - sysctl_kernel_randomize_va_space -+ - sysctl_kernel_exec_shield -+ - sysctl_kernel_kptr_restrict -+ - sysctl_kernel_dmesg_restrict -+ - sysctl_kernel_kexec_load_disabled -+ - sysctl_kernel_yama_ptrace_scope -+ -+ ### SELinux -+ - var_selinux_state=enforcing -+ - selinux_state -+ - var_selinux_policy_name=targeted -+ - selinux_policytype -+ -+ ### Filesystem integrity -+ - rpm_verify_hashes -+ - rpm_verify_permissions -+ - rpm_verify_ownership -+ - file_permissions_unauthorized_sgid -+ - file_permissions_unauthorized_suid -+ - file_permissions_unauthorized_world_writable -+ - dir_perms_world_writable_sticky_bits -+ - file_permissions_library_dirs -+ - file_ownership_binary_dirs -+ - file_permissions_binary_dirs -+ - file_ownership_library_dirs -+ -+ ### Passwords -+ - no_empty_passwords -+ -+ ### Partitioning -+ - mount_option_dev_shm_nodev -+ - mount_option_dev_shm_nosuid -+ - mount_option_dev_shm_noexec -+ -+ ### Network -+ - package_firewalld_installed -+ - service_firewalld_enabled -+ - network_sniffer_disabled -+ -+ ### Admin privileges -+ - sudo_remove_nopasswd -+ - sudo_remove_no_authenticate -+ - sudo_require_authentication -+ -+ ### Audit -+ - package_rsyslog_installed -+ - service_rsyslog_enabled -+ - service_auditd_enabled -+ - var_auditd_flush=incremental_async -+ - auditd_data_retention_flush -+ - auditd_local_events -+ - auditd_write_logs -+ - auditd_log_format -+ - auditd_freq -+ - auditd_name_format -+ - audit_rules_login_events_tallylog -+ - audit_rules_login_events_faillock -+ - audit_rules_login_events_lastlog -+ - audit_rules_login_events -+ - audit_rules_time_adjtimex -+ - audit_rules_time_clock_settime -+ - audit_rules_time_watch_localtime -+ - audit_rules_time_settimeofday -+ - audit_rules_time_stime -+ - audit_rules_execution_restorecon -+ - audit_rules_execution_chcon -+ - audit_rules_execution_semanage -+ - audit_rules_execution_setsebool -+ - audit_rules_execution_setfiles -+ - audit_rules_execution_seunshare -+ - audit_rules_sysadmin_actions -+ - audit_rules_networkconfig_modification -+ - audit_rules_usergroup_modification -+ - audit_rules_dac_modification_chmod -+ - audit_rules_dac_modification_chown -+ - audit_rules_kernel_module_loading -+ -+ ### Secure access -+ - sshd_disable_root_login -+ - sshd_disable_gssapi_auth -+ - sshd_use_strong_ciphers -+ - sshd_print_last_log -+ - sshd_use_priv_separation -+ - sshd_do_not_permit_user_env -+ - sshd_disable_rhosts_rsa -+ - sshd_disable_rhosts -+ - sshd_allow_only_protocol2 -+ - sshd_set_loglevel_info -+ - sshd_disable_empty_passwords -+ - sshd_disable_user_known_hosts -+ - sshd_enable_strictmodes -+ - sshd_use_strong_macs -diff --git a/rhel8/profiles/e8.profile b/rhel8/profiles/e8.profile -new file mode 100644 -index 0000000000..53b4c156e2 ---- /dev/null -+++ b/rhel8/profiles/e8.profile -@@ -0,0 +1,138 @@ -+documentation_complete: true -+ -+title: 'Australian Cyber Security Centre (ACSC) Essential Eight' -+ -+description: |- -+ This profile contains configuration checks for Red Hat Enterprise Linux 8 -+ that align to the Australian Cyber Security Centre (ACSC) Essential Eight. -+ -+ A copy of the Essential Eight in Linux Environments guide can be found at the -+ ACSC website: -+ -+ https://www.cyber.gov.au/publications/essential-eight-in-linux-environments -+ -+selections: -+ -+ ### Remove obsolete packages -+ - package_talk_removed -+ - package_talk-server_removed -+ - package_xinetd_removed -+ - service_xinetd_disabled -+ - package_ypbind_removed -+ - package_telnet_removed -+ - service_telnet_disabled -+ - package_telnet-server_removed -+ - package_rsh_removed -+ - package_rsh-server_removed -+ - service_zebra_disabled -+ - package_quagga_removed -+ - service_avahi-daemon_disabled -+ - package_squid_removed -+ - service_squid_disabled -+ -+ ### Software update -+ - ensure_redhat_gpgkey_installed -+ - ensure_gpgcheck_never_disabled -+ - ensure_gpgcheck_local_packages -+ - ensure_gpgcheck_globally_activated -+ - security_patches_up_to_date -+ -+ ### System security settings -+ - sysctl_kernel_randomize_va_space -+ - sysctl_kernel_exec_shield -+ - sysctl_kernel_kptr_restrict -+ - sysctl_kernel_dmesg_restrict -+ - sysctl_kernel_kexec_load_disabled -+ - sysctl_kernel_yama_ptrace_scope -+ - sysctl_kernel_unprivileged_bpf_disabled -+ - sysctl_net_core_bpf_jit_harden -+ -+ ### SELinux -+ - var_selinux_state=enforcing -+ - selinux_state -+ - var_selinux_policy_name=targeted -+ - selinux_policytype -+ -+ ### Filesystem integrity -+ - rpm_verify_hashes -+ - rpm_verify_permissions -+ - rpm_verify_ownership -+ - file_permissions_unauthorized_sgid -+ - file_permissions_unauthorized_suid -+ - file_permissions_unauthorized_world_writable -+ - dir_perms_world_writable_sticky_bits -+ - file_permissions_library_dirs -+ - file_ownership_binary_dirs -+ - file_permissions_binary_dirs -+ - file_ownership_library_dirs -+ -+ ### Passwords -+ - no_empty_passwords -+ -+ ### Partitioning -+ - mount_option_dev_shm_nodev -+ - mount_option_dev_shm_nosuid -+ - mount_option_dev_shm_noexec -+ -+ ### Network -+ - package_firewalld_installed -+ - service_firewalld_enabled -+ - network_sniffer_disabled -+ -+ ### Admin privileges -+ - sudo_remove_nopasswd -+ - sudo_remove_no_authenticate -+ - sudo_require_authentication -+ -+ ### Audit -+ - package_rsyslog_installed -+ - service_rsyslog_enabled -+ - service_auditd_enabled -+ - var_auditd_flush=incremental_async -+ - auditd_data_retention_flush -+ - auditd_local_events -+ - auditd_write_logs -+ - auditd_log_format -+ - auditd_freq -+ - auditd_name_format -+ - audit_rules_login_events_tallylog -+ - audit_rules_login_events_faillock -+ - audit_rules_login_events_lastlog -+ - audit_rules_login_events -+ - audit_rules_time_adjtimex -+ - audit_rules_time_clock_settime -+ - audit_rules_time_watch_localtime -+ - audit_rules_time_settimeofday -+ - audit_rules_time_stime -+ - audit_rules_execution_restorecon -+ - audit_rules_execution_chcon -+ - audit_rules_execution_semanage -+ - audit_rules_execution_setsebool -+ - audit_rules_execution_setfiles -+ - audit_rules_execution_seunshare -+ - audit_rules_sysadmin_actions -+ - audit_rules_networkconfig_modification -+ - audit_rules_usergroup_modification -+ - audit_rules_dac_modification_chmod -+ - audit_rules_dac_modification_chown -+ - audit_rules_kernel_module_loading -+ -+ ### Secure access -+ - sshd_disable_root_login -+ - sshd_disable_gssapi_auth -+ - sshd_print_last_log -+ - sshd_use_priv_separation -+ - sshd_do_not_permit_user_env -+ - sshd_disable_rhosts_rsa -+ - sshd_disable_rhosts -+ - sshd_allow_only_protocol2 -+ - sshd_set_loglevel_info -+ - sshd_disable_empty_passwords -+ - sshd_disable_user_known_hosts -+ - sshd_enable_strictmodes -+ -+ ### Application whitelisting -+ - package_fapolicyd_installed -+ - service_fapolicyd_enabled -+ - configure_fapolicyd_mounts -+ diff --git a/SOURCES/scap-security-guide-0.1.47-first_occurence_mtab.patch b/SOURCES/scap-security-guide-0.1.47-first_occurence_mtab.patch deleted file mode 100644 index 938aa71..0000000 --- a/SOURCES/scap-security-guide-0.1.47-first_occurence_mtab.patch +++ /dev/null @@ -1,54 +0,0 @@ -From 4a4c12bf3058079bc2336db9e7330aa869b0753f Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= -Date: Thu, 31 Oct 2019 16:00:52 +0100 -Subject: [PATCH 1/2] Use only first occurence from /etc/mtab - -The mount options of the first entry will be used. If there are -multiple lines in `/etc/mtab` that match the same mount point, the -variable `_previous_mount_opts` contained newline characters. These -newlines were propagated to `/etc/fstab`. As a result, an invalid entry -in /etc/fstab was created, `mount` command hasn't been successful and -the oscap scan after remediation returned false. ---- - .../include_mount_options_functions.sh | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/shared/bash_remediation_functions/include_mount_options_functions.sh b/shared/bash_remediation_functions/include_mount_options_functions.sh -index 392367dc05..7e81e8c711 100644 ---- a/shared/bash_remediation_functions/include_mount_options_functions.sh -+++ b/shared/bash_remediation_functions/include_mount_options_functions.sh -@@ -27,7 +27,7 @@ function ensure_mount_option_in_fstab { - - if [ "$(grep -c "$_mount_point_match_regexp" /etc/fstab)" -eq 0 ]; then - # runtime opts without some automatic kernel/userspace-added defaults -- _previous_mount_opts=$(grep "$_mount_point_match_regexp" /etc/mtab | awk '{print $4}' \ -+ _previous_mount_opts=$(grep "$_mount_point_match_regexp" /etc/mtab | head -1 | awk '{print $4}' \ - | sed -E "s/(rw|defaults|seclabel|${_new_opt})(,|$)//g;s/,$//") - [ "$_previous_mount_opts" ] && _previous_mount_opts+="," - echo "${_device} ${_mount_point} ${_type} defaults,${_previous_mount_opts}${_new_opt} 0 0" >> /etc/fstab - -From 0a7f149efed656fe61ab3e873055fd630054f5f5 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= -Date: Fri, 1 Nov 2019 14:50:42 +0100 -Subject: [PATCH 2/2] Add test scenario for multiple entries in mtab - ---- - .../tests/multiple_entries_in_mtab.fail.sh | 9 +++++++++ - 1 file changed, 9 insertions(+) - create mode 100644 linux_os/guide/system/permissions/partitions/mount_option_dev_shm_noexec/tests/multiple_entries_in_mtab.fail.sh - -diff --git a/linux_os/guide/system/permissions/partitions/mount_option_dev_shm_noexec/tests/multiple_entries_in_mtab.fail.sh b/linux_os/guide/system/permissions/partitions/mount_option_dev_shm_noexec/tests/multiple_entries_in_mtab.fail.sh -new file mode 100644 -index 0000000000..dd56f9bb6c ---- /dev/null -+++ b/linux_os/guide/system/permissions/partitions/mount_option_dev_shm_noexec/tests/multiple_entries_in_mtab.fail.sh -@@ -0,0 +1,9 @@ -+#!/bin/bash -+# profiles = xccdf_org.ssgproject.content_profile_ospp -+ -+cat /etc/mtab > /etc/mtab.old -+# destroy symlink -+rm -f /etc/mtab -+cp /etc/mtab.old /etc/mtab -+echo "tmpfs /dev/shm tmpfs rw,seclabel,relatime 0 0" >> /etc/mtab -+echo "tmpfs /dev/shm tmpfs rw,seclabel,relatime 0 0" >> /etc/mtab diff --git a/SOURCES/scap-security-guide-0.1.47-fix_missing_cce.patch b/SOURCES/scap-security-guide-0.1.47-fix_missing_cce.patch deleted file mode 100644 index 85adba9..0000000 --- a/SOURCES/scap-security-guide-0.1.47-fix_missing_cce.patch +++ /dev/null @@ -1,1028 +0,0 @@ -From 06a1519f5121eb7a2fbf39d31fec3e951191ad57 Mon Sep 17 00:00:00 2001 -From: Matus Marhefka -Date: Tue, 24 Sep 2019 14:31:03 +0200 -Subject: [PATCH] Added RHEL7 CCEs for rules audit_rules_for_ospp and - installed_OS_is_vendor_supported - ---- - .../system/auditing/policy_rules/audit_rules_for_ospp/rule.yml | 1 + - .../certified-vendor/installed_OS_is_vendor_supported/rule.yml | 1 + - 3 files changed, 2 insertions(+), 2 deletions(-) - -diff --git a/linux_os/guide/system/auditing/policy_rules/audit_rules_for_ospp/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_rules_for_ospp/rule.yml -index bebb86f93d..18a6f2f49a 100644 ---- a/linux_os/guide/system/auditing/policy_rules/audit_rules_for_ospp/rule.yml -+++ b/linux_os/guide/system/auditing/policy_rules/audit_rules_for_ospp/rule.yml -@@ -37,6 +37,7 @@ rationale: |- - severity: medium - - identifiers: -+ cce@rhel7: 82370-8 - cce@rhel8: 82309-6 - - references: -diff --git a/linux_os/guide/system/software/integrity/certified-vendor/installed_OS_is_vendor_supported/rule.yml b/linux_os/guide/system/software/integrity/certified-vendor/installed_OS_is_vendor_supported/rule.yml -index 82d9c22726..6a4ff9bc0e 100644 ---- a/linux_os/guide/system/software/integrity/certified-vendor/installed_OS_is_vendor_supported/rule.yml -+++ b/linux_os/guide/system/software/integrity/certified-vendor/installed_OS_is_vendor_supported/rule.yml -@@ -28,6 +28,7 @@ warnings: - severity: high - - identifiers: -+ cce@rhel7: 82371-6 - cce@rhel8: 80947-5 - - references: -From a22ef605871ed199454eaed3aae02cb033a04b04 Mon Sep 17 00:00:00 2001 -From: Milan Lysonek -Date: Wed, 30 Oct 2019 15:36:29 +0100 -Subject: [PATCH 1/5] Add missing CCEs to rules from ncp profile. - ---- - .../package_pcsc-lite_installed/rule.yml | 1 + - .../sebool_cron_can_relabel/rule.yml | 3 + - .../rule.yml | 3 + - .../rule.yml | 3 + - .../sebool_daemons_dump_core/rule.yml | 3 + - .../sebool_daemons_use_tcp_wrapper/rule.yml | 3 + - .../sebool_daemons_use_tty/rule.yml | 3 + - .../sebool_deny_execmem/rule.yml | 3 + - .../sebool_deny_ptrace/rule.yml | 3 + - .../sebool_domain_fd_use/rule.yml | 3 + - .../rule.yml | 3 + - .../sebool_gpg_web_anon_write/rule.yml | 3 + - .../sebool_guest_exec_content/rule.yml | 3 + - .../sebool_kerberos_enabled/rule.yml | 3 + - .../sebool_logadm_exec_content/rule.yml | 3 + - .../rule.yml | 3 + - .../sebool_logging_syslogd_use_tty/rule.yml | 3 + - .../sebool_login_console_enabled/rule.yml | 3 + - .../sebool_mmap_low_allowed/rule.yml | 3 + - .../sebool_mock_enable_homedirs/rule.yml | 3 + - .../sebool_mount_anyfile/rule.yml | 3 + - .../sebool_polyinstantiation_enabled/rule.yml | 3 + - .../sebool_secadm_exec_content/rule.yml | 3 + - .../sebool_secure_mode/rule.yml | 3 + - .../sebool_secure_mode_insmod/rule.yml | 3 + - .../sebool_secure_mode_policyload/rule.yml | 3 + - .../rule.yml | 3 + - .../sebool_selinuxuser_execheap/rule.yml | 1 + - .../sebool_selinuxuser_execmod/rule.yml | 1 + - .../sebool_selinuxuser_execstack/rule.yml | 1 + - .../rule.yml | 3 + - .../sebool_selinuxuser_ping/rule.yml | 3 + - .../rule.yml | 3 + - .../rule.yml | 3 + - .../sebool_selinuxuser_share_music/rule.yml | 3 + - .../sebool_selinuxuser_tcp_server/rule.yml | 3 + - .../sebool_selinuxuser_udp_server/rule.yml | 3 + - .../rule.yml | 3 + - .../sebool_ssh_chroot_rw_homedirs/rule.yml | 3 + - .../sebool_ssh_keysign/rule.yml | 3 + - .../sebool_ssh_sysadm_login/rule.yml | 3 + - .../sebool_staff_exec_content/rule.yml | 3 + - .../sebool_sysadm_exec_content/rule.yml | 3 + - .../sebool_unconfined_login/rule.yml | 3 + - .../sebool_use_ecryptfs_home_dirs/rule.yml | 3 + - .../sebool_user_exec_content/rule.yml | 3 + - .../sebool_xdm_bind_vnc_tcp_port/rule.yml | 3 + - .../sebool_xdm_exec_bootloader/rule.yml | 3 + - .../sebool_xdm_sysadm_login/rule.yml | 3 + - .../sebool_xdm_write_home/rule.yml | 3 + - .../sebool_xguest_connect_network/rule.yml | 3 + - .../sebool_xguest_exec_content/rule.yml | 3 + - .../sebool_xguest_mount_media/rule.yml | 3 + - .../sebool_xguest_use_bluetooth/rule.yml | 3 + - .../rule.yml | 3 + - .../sebool_xserver_execmem/rule.yml | 3 + - .../sebool_xserver_object_manager/rule.yml | 3 + - 58 files changed, 163 insertions(+), 57 deletions(-) - -diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/package_pcsc-lite_installed/rule.yml b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/package_pcsc-lite_installed/rule.yml -index ac9e4f8a17..f7d2cb64b2 100644 ---- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/package_pcsc-lite_installed/rule.yml -+++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/package_pcsc-lite_installed/rule.yml -@@ -14,6 +14,7 @@ rationale: |- - severity: medium - - identifiers: -+ cce@rhel7: 82347-6 - cce@rhel8: 80993-9 - - references: -diff --git a/linux_os/guide/system/selinux/selinux-booleans/sebool_cron_can_relabel/rule.yml b/linux_os/guide/system/selinux/selinux-booleans/sebool_cron_can_relabel/rule.yml -index e7a65fcacb..8cb1b590d2 100644 ---- a/linux_os/guide/system/selinux/selinux-booleans/sebool_cron_can_relabel/rule.yml -+++ b/linux_os/guide/system/selinux/selinux-booleans/sebool_cron_can_relabel/rule.yml -@@ -13,4 +13,7 @@ rationale: "" - - severity: medium - -+identifiers: -+ cce@rhel7: 82284-1 -+ - {{{ complete_ocil_entry_sebool_disabled(sebool="cron_can_relabel") }}} -diff --git a/linux_os/guide/system/selinux/selinux-booleans/sebool_cron_system_cronjob_use_shares/rule.yml b/linux_os/guide/system/selinux/selinux-booleans/sebool_cron_system_cronjob_use_shares/rule.yml -index 79db9b1d33..3af5c04e41 100644 ---- a/linux_os/guide/system/selinux/selinux-booleans/sebool_cron_system_cronjob_use_shares/rule.yml -+++ b/linux_os/guide/system/selinux/selinux-booleans/sebool_cron_system_cronjob_use_shares/rule.yml -@@ -13,4 +13,7 @@ rationale: "" - - severity: medium - -+identifiers: -+ cce@rhel7: 82285-8 -+ - {{{ complete_ocil_entry_sebool_disabled(sebool="cron_system_cronjob_use_shares") }}} -diff --git a/linux_os/guide/system/selinux/selinux-booleans/sebool_cron_userdomain_transition/rule.yml b/linux_os/guide/system/selinux/selinux-booleans/sebool_cron_userdomain_transition/rule.yml -index ec48f00f8d..e29b865fae 100644 ---- a/linux_os/guide/system/selinux/selinux-booleans/sebool_cron_userdomain_transition/rule.yml -+++ b/linux_os/guide/system/selinux/selinux-booleans/sebool_cron_userdomain_transition/rule.yml -@@ -14,4 +14,7 @@ rationale: "" - - severity: medium - -+identifiers: -+ cce@rhel7: 82286-6 -+ - {{{ complete_ocil_entry_sebool_enabled(sebool="cron_userdomain_transition") }}} -diff --git a/linux_os/guide/system/selinux/selinux-booleans/sebool_daemons_dump_core/rule.yml b/linux_os/guide/system/selinux/selinux-booleans/sebool_daemons_dump_core/rule.yml -index a92c190617..67ff95568e 100644 ---- a/linux_os/guide/system/selinux/selinux-booleans/sebool_daemons_dump_core/rule.yml -+++ b/linux_os/guide/system/selinux/selinux-booleans/sebool_daemons_dump_core/rule.yml -@@ -13,4 +13,7 @@ rationale: "" - - severity: medium - -+identifiers: -+ cce@rhel7: 82287-4 -+ - {{{ complete_ocil_entry_sebool_disabled(sebool="daemons_dump_core") }}} -diff --git a/linux_os/guide/system/selinux/selinux-booleans/sebool_daemons_use_tcp_wrapper/rule.yml b/linux_os/guide/system/selinux/selinux-booleans/sebool_daemons_use_tcp_wrapper/rule.yml -index eff77b941a..cae4936565 100644 ---- a/linux_os/guide/system/selinux/selinux-booleans/sebool_daemons_use_tcp_wrapper/rule.yml -+++ b/linux_os/guide/system/selinux/selinux-booleans/sebool_daemons_use_tcp_wrapper/rule.yml -@@ -13,4 +13,7 @@ rationale: "" - - severity: medium - -+identifiers: -+ cce@rhel7: 82288-2 -+ - {{{ complete_ocil_entry_sebool_disabled(sebool="daemons_use_tcp_wrapper") }}} -diff --git a/linux_os/guide/system/selinux/selinux-booleans/sebool_daemons_use_tty/rule.yml b/linux_os/guide/system/selinux/selinux-booleans/sebool_daemons_use_tty/rule.yml -index 9517982a88..3e8749669f 100644 ---- a/linux_os/guide/system/selinux/selinux-booleans/sebool_daemons_use_tty/rule.yml -+++ b/linux_os/guide/system/selinux/selinux-booleans/sebool_daemons_use_tty/rule.yml -@@ -13,4 +13,7 @@ rationale: "" - - severity: medium - -+identifiers: -+ cce@rhel7: 82289-0 -+ - {{{ complete_ocil_entry_sebool_disabled(sebool="daemons_use_tty") }}} -diff --git a/linux_os/guide/system/selinux/selinux-booleans/sebool_deny_execmem/rule.yml b/linux_os/guide/system/selinux/selinux-booleans/sebool_deny_execmem/rule.yml -index 489a75feb6..81f490af40 100644 ---- a/linux_os/guide/system/selinux/selinux-booleans/sebool_deny_execmem/rule.yml -+++ b/linux_os/guide/system/selinux/selinux-booleans/sebool_deny_execmem/rule.yml -@@ -13,4 +13,7 @@ rationale: "" - - severity: medium - -+identifiers: -+ cce@rhel7: 82290-8 -+ - {{{ complete_ocil_entry_sebool_disabled(sebool="deny_execmem") }}} -diff --git a/linux_os/guide/system/selinux/selinux-booleans/sebool_deny_ptrace/rule.yml b/linux_os/guide/system/selinux/selinux-booleans/sebool_deny_ptrace/rule.yml -index 5213001969..b60ef6cc0c 100644 ---- a/linux_os/guide/system/selinux/selinux-booleans/sebool_deny_ptrace/rule.yml -+++ b/linux_os/guide/system/selinux/selinux-booleans/sebool_deny_ptrace/rule.yml -@@ -13,4 +13,7 @@ rationale: "" - - severity: medium - -+identifiers: -+ cce@rhel7: 82291-6 -+ - {{{ complete_ocil_entry_sebool_disabled(sebool="deny_ptrace") }}} -diff --git a/linux_os/guide/system/selinux/selinux-booleans/sebool_domain_fd_use/rule.yml b/linux_os/guide/system/selinux/selinux-booleans/sebool_domain_fd_use/rule.yml -index 02b0281f60..7ebcdc08f1 100644 ---- a/linux_os/guide/system/selinux/selinux-booleans/sebool_domain_fd_use/rule.yml -+++ b/linux_os/guide/system/selinux/selinux-booleans/sebool_domain_fd_use/rule.yml -@@ -13,4 +13,7 @@ rationale: "" - - severity: medium - -+identifiers: -+ cce@rhel7: 82292-4 -+ - {{{ complete_ocil_entry_sebool_enabled(sebool="domain_fd_use") }}} -diff --git a/linux_os/guide/system/selinux/selinux-booleans/sebool_domain_kernel_load_modules/rule.yml b/linux_os/guide/system/selinux/selinux-booleans/sebool_domain_kernel_load_modules/rule.yml -index aed06f6e60..b55f7449c3 100644 ---- a/linux_os/guide/system/selinux/selinux-booleans/sebool_domain_kernel_load_modules/rule.yml -+++ b/linux_os/guide/system/selinux/selinux-booleans/sebool_domain_kernel_load_modules/rule.yml -@@ -13,4 +13,7 @@ rationale: "" - - severity: medium - -+identifiers: -+ cce@rhel7: 82293-2 -+ - {{{ complete_ocil_entry_sebool_disabled(sebool="domain_kernel_load_modules") }}} -diff --git a/linux_os/guide/system/selinux/selinux-booleans/sebool_gpg_web_anon_write/rule.yml b/linux_os/guide/system/selinux/selinux-booleans/sebool_gpg_web_anon_write/rule.yml -index 9879943020..bd3aef8967 100644 ---- a/linux_os/guide/system/selinux/selinux-booleans/sebool_gpg_web_anon_write/rule.yml -+++ b/linux_os/guide/system/selinux/selinux-booleans/sebool_gpg_web_anon_write/rule.yml -@@ -13,4 +13,7 @@ rationale: "" - - severity: medium - -+identifiers: -+ cce@rhel7: 82294-0 -+ - {{{ complete_ocil_entry_sebool_disabled(sebool="gpg_web_anon_write") }}} -diff --git a/linux_os/guide/system/selinux/selinux-booleans/sebool_guest_exec_content/rule.yml b/linux_os/guide/system/selinux/selinux-booleans/sebool_guest_exec_content/rule.yml -index 0cd25b2abf..604add7c40 100644 ---- a/linux_os/guide/system/selinux/selinux-booleans/sebool_guest_exec_content/rule.yml -+++ b/linux_os/guide/system/selinux/selinux-booleans/sebool_guest_exec_content/rule.yml -@@ -13,4 +13,7 @@ rationale: "" - - severity: medium - -+identifiers: -+ cce@rhel7: 82295-7 -+ - {{{ complete_ocil_entry_sebool_disabled(sebool="guest_exec_content") }}} -diff --git a/linux_os/guide/system/selinux/selinux-booleans/sebool_kerberos_enabled/rule.yml b/linux_os/guide/system/selinux/selinux-booleans/sebool_kerberos_enabled/rule.yml -index 4e046cef2e..9f4eea0835 100644 ---- a/linux_os/guide/system/selinux/selinux-booleans/sebool_kerberos_enabled/rule.yml -+++ b/linux_os/guide/system/selinux/selinux-booleans/sebool_kerberos_enabled/rule.yml -@@ -14,4 +14,7 @@ rationale: "" - - severity: medium - -+identifiers: -+ cce@rhel7: 82296-5 -+ - {{{ complete_ocil_entry_sebool_enabled(sebool="kerberos_enabled") }}} -diff --git a/linux_os/guide/system/selinux/selinux-booleans/sebool_logadm_exec_content/rule.yml b/linux_os/guide/system/selinux/selinux-booleans/sebool_logadm_exec_content/rule.yml -index 09e5b17eee..5c6812d5fc 100644 ---- a/linux_os/guide/system/selinux/selinux-booleans/sebool_logadm_exec_content/rule.yml -+++ b/linux_os/guide/system/selinux/selinux-booleans/sebool_logadm_exec_content/rule.yml -@@ -13,4 +13,7 @@ rationale: "" - - severity: medium - -+identifiers: -+ cce@rhel7: 82298-1 -+ - {{{ complete_ocil_entry_sebool_enabled(sebool="logadm_exec_content") }}} -diff --git a/linux_os/guide/system/selinux/selinux-booleans/sebool_logging_syslogd_can_sendmail/rule.yml b/linux_os/guide/system/selinux/selinux-booleans/sebool_logging_syslogd_can_sendmail/rule.yml -index 84c05ea067..21a1476843 100644 ---- a/linux_os/guide/system/selinux/selinux-booleans/sebool_logging_syslogd_can_sendmail/rule.yml -+++ b/linux_os/guide/system/selinux/selinux-booleans/sebool_logging_syslogd_can_sendmail/rule.yml -@@ -13,4 +13,7 @@ rationale: "" - - severity: medium - -+identifiers: -+ cce@rhel7: 82299-9 -+ - {{{ complete_ocil_entry_sebool_disabled(sebool="logging_syslogd_can_sendmail") }}} -diff --git a/linux_os/guide/system/selinux/selinux-booleans/sebool_logging_syslogd_use_tty/rule.yml b/linux_os/guide/system/selinux/selinux-booleans/sebool_logging_syslogd_use_tty/rule.yml -index 4600b4d2a4..faa4b66598 100644 ---- a/linux_os/guide/system/selinux/selinux-booleans/sebool_logging_syslogd_use_tty/rule.yml -+++ b/linux_os/guide/system/selinux/selinux-booleans/sebool_logging_syslogd_use_tty/rule.yml -@@ -14,4 +14,7 @@ rationale: "" - - severity: medium - -+identifiers: -+ cce@rhel7: 82300-5 -+ - {{{ complete_ocil_entry_sebool_enabled(sebool="logging_syslogd_use_tty") }}} -diff --git a/linux_os/guide/system/selinux/selinux-booleans/sebool_login_console_enabled/rule.yml b/linux_os/guide/system/selinux/selinux-booleans/sebool_login_console_enabled/rule.yml -index f06a939af2..65d8b21785 100644 ---- a/linux_os/guide/system/selinux/selinux-booleans/sebool_login_console_enabled/rule.yml -+++ b/linux_os/guide/system/selinux/selinux-booleans/sebool_login_console_enabled/rule.yml -@@ -14,4 +14,7 @@ rationale: "" - - severity: medium - -+identifiers: -+ cce@rhel7: 82301-3 -+ - {{{ complete_ocil_entry_sebool_enabled(sebool="login_console_enabled") }}} -diff --git a/linux_os/guide/system/selinux/selinux-booleans/sebool_mmap_low_allowed/rule.yml b/linux_os/guide/system/selinux/selinux-booleans/sebool_mmap_low_allowed/rule.yml -index e9b55edff6..f3fb149cd6 100644 ---- a/linux_os/guide/system/selinux/selinux-booleans/sebool_mmap_low_allowed/rule.yml -+++ b/linux_os/guide/system/selinux/selinux-booleans/sebool_mmap_low_allowed/rule.yml -@@ -13,4 +13,7 @@ rationale: "" - - severity: medium - -+identifiers: -+ cce@rhel7: 82302-1 -+ - {{{ complete_ocil_entry_sebool_disabled(sebool="mmap_low_allowed") }}} -diff --git a/linux_os/guide/system/selinux/selinux-booleans/sebool_mock_enable_homedirs/rule.yml b/linux_os/guide/system/selinux/selinux-booleans/sebool_mock_enable_homedirs/rule.yml -index 4222d2b1dd..7f6303b37d 100644 ---- a/linux_os/guide/system/selinux/selinux-booleans/sebool_mock_enable_homedirs/rule.yml -+++ b/linux_os/guide/system/selinux/selinux-booleans/sebool_mock_enable_homedirs/rule.yml -@@ -13,4 +13,7 @@ rationale: "" - - severity: medium - -+identifiers: -+ cce@rhel7: 82303-9 -+ - {{{ complete_ocil_entry_sebool_disabled(sebool="mock_enable_homedirs") }}} -diff --git a/linux_os/guide/system/selinux/selinux-booleans/sebool_mount_anyfile/rule.yml b/linux_os/guide/system/selinux/selinux-booleans/sebool_mount_anyfile/rule.yml -index e172deda7e..ee010438d9 100644 ---- a/linux_os/guide/system/selinux/selinux-booleans/sebool_mount_anyfile/rule.yml -+++ b/linux_os/guide/system/selinux/selinux-booleans/sebool_mount_anyfile/rule.yml -@@ -14,4 +14,7 @@ rationale: "" - - severity: medium - -+identifiers: -+ cce@rhel7: 82304-7 -+ - {{{ complete_ocil_entry_sebool_enabled(sebool="mount_anyfile") }}} -diff --git a/linux_os/guide/system/selinux/selinux-booleans/sebool_polyinstantiation_enabled/rule.yml b/linux_os/guide/system/selinux/selinux-booleans/sebool_polyinstantiation_enabled/rule.yml -index 32b48441c6..9bd370ac94 100644 ---- a/linux_os/guide/system/selinux/selinux-booleans/sebool_polyinstantiation_enabled/rule.yml -+++ b/linux_os/guide/system/selinux/selinux-booleans/sebool_polyinstantiation_enabled/rule.yml -@@ -13,4 +13,7 @@ rationale: "" - - severity: medium - -+identifiers: -+ cce@rhel7: 82305-4 -+ - {{{ complete_ocil_entry_sebool_disabled(sebool="polyinstantiation_enabled") }}} -diff --git a/linux_os/guide/system/selinux/selinux-booleans/sebool_secadm_exec_content/rule.yml b/linux_os/guide/system/selinux/selinux-booleans/sebool_secadm_exec_content/rule.yml -index 6699164b3a..5e404adfe8 100644 ---- a/linux_os/guide/system/selinux/selinux-booleans/sebool_secadm_exec_content/rule.yml -+++ b/linux_os/guide/system/selinux/selinux-booleans/sebool_secadm_exec_content/rule.yml -@@ -13,4 +13,7 @@ rationale: "" - - severity: medium - -+identifiers: -+ cce@rhel7: 82306-2 -+ - {{{ complete_ocil_entry_sebool_enabled(sebool="secadm_exec_content") }}} -diff --git a/linux_os/guide/system/selinux/selinux-booleans/sebool_secure_mode/rule.yml b/linux_os/guide/system/selinux/selinux-booleans/sebool_secure_mode/rule.yml -index 19ff0ff859..c021a016cd 100644 ---- a/linux_os/guide/system/selinux/selinux-booleans/sebool_secure_mode/rule.yml -+++ b/linux_os/guide/system/selinux/selinux-booleans/sebool_secure_mode/rule.yml -@@ -13,4 +13,7 @@ rationale: "" - - severity: medium - -+identifiers: -+ cce@rhel7: 82307-0 -+ - {{{ complete_ocil_entry_sebool_disabled(sebool="secure_mode") }}} -diff --git a/linux_os/guide/system/selinux/selinux-booleans/sebool_secure_mode_insmod/rule.yml b/linux_os/guide/system/selinux/selinux-booleans/sebool_secure_mode_insmod/rule.yml -index 020ade04d0..45513725d8 100644 ---- a/linux_os/guide/system/selinux/selinux-booleans/sebool_secure_mode_insmod/rule.yml -+++ b/linux_os/guide/system/selinux/selinux-booleans/sebool_secure_mode_insmod/rule.yml -@@ -16,4 +16,7 @@ references: - - severity: medium - -+identifiers: -+ cce@rhel7: 82308-8 -+ - {{{ complete_ocil_entry_sebool_disabled(sebool="secure_mode_insmod") }}} -diff --git a/linux_os/guide/system/selinux/selinux-booleans/sebool_secure_mode_policyload/rule.yml b/linux_os/guide/system/selinux/selinux-booleans/sebool_secure_mode_policyload/rule.yml -index 4dc1dd57f9..5259ec3776 100644 ---- a/linux_os/guide/system/selinux/selinux-booleans/sebool_secure_mode_policyload/rule.yml -+++ b/linux_os/guide/system/selinux/selinux-booleans/sebool_secure_mode_policyload/rule.yml -@@ -13,4 +13,7 @@ rationale: "" - - severity: medium - -+identifiers: -+ cce@rhel7: 82310-4 -+ - {{{ complete_ocil_entry_sebool_disabled(sebool="secure_mode_policyload") }}} -diff --git a/linux_os/guide/system/selinux/selinux-booleans/sebool_selinuxuser_direct_dri_enabled/rule.yml b/linux_os/guide/system/selinux/selinux-booleans/sebool_selinuxuser_direct_dri_enabled/rule.yml -index 7389882aba..4d76582d9d 100644 ---- a/linux_os/guide/system/selinux/selinux-booleans/sebool_selinuxuser_direct_dri_enabled/rule.yml -+++ b/linux_os/guide/system/selinux/selinux-booleans/sebool_selinuxuser_direct_dri_enabled/rule.yml -@@ -14,4 +14,7 @@ rationale: "" - - severity: medium - -+identifiers: -+ cce@rhel7: 82311-2 -+ - {{{ complete_ocil_entry_sebool_disabled(sebool="selinuxuser_direct_dri_enabled") }}} -diff --git a/linux_os/guide/system/selinux/selinux-booleans/sebool_selinuxuser_execheap/rule.yml b/linux_os/guide/system/selinux/selinux-booleans/sebool_selinuxuser_execheap/rule.yml -index 3b5276d8d8..bfef9808ed 100644 ---- a/linux_os/guide/system/selinux/selinux-booleans/sebool_selinuxuser_execheap/rule.yml -+++ b/linux_os/guide/system/selinux/selinux-booleans/sebool_selinuxuser_execheap/rule.yml -@@ -14,6 +14,7 @@ rationale: "" - severity: medium - - identifiers: -+ cce@rhel7: 82312-0 - cce@rhel8: 80949-1 - - references: -diff --git a/linux_os/guide/system/selinux/selinux-booleans/sebool_selinuxuser_execmod/rule.yml b/linux_os/guide/system/selinux/selinux-booleans/sebool_selinuxuser_execmod/rule.yml -index 97d65d0175..f8f65b4d20 100644 ---- a/linux_os/guide/system/selinux/selinux-booleans/sebool_selinuxuser_execmod/rule.yml -+++ b/linux_os/guide/system/selinux/selinux-booleans/sebool_selinuxuser_execmod/rule.yml -@@ -14,6 +14,7 @@ rationale: "" - severity: medium - - identifiers: -+ cce@rhel7: 82313-8 - cce@rhel8: 80950-9 - - references: -diff --git a/linux_os/guide/system/selinux/selinux-booleans/sebool_selinuxuser_execstack/rule.yml b/linux_os/guide/system/selinux/selinux-booleans/sebool_selinuxuser_execstack/rule.yml -index d6ed7c355b..785a3e9d06 100644 ---- a/linux_os/guide/system/selinux/selinux-booleans/sebool_selinuxuser_execstack/rule.yml -+++ b/linux_os/guide/system/selinux/selinux-booleans/sebool_selinuxuser_execstack/rule.yml -@@ -15,6 +15,7 @@ rationale: "" - severity: medium - - identifiers: -+ cce@rhel7: 82314-6 - cce@rhel8: 80951-7 - - references: -diff --git a/linux_os/guide/system/selinux/selinux-booleans/sebool_selinuxuser_mysql_connect_enabled/rule.yml b/linux_os/guide/system/selinux/selinux-booleans/sebool_selinuxuser_mysql_connect_enabled/rule.yml -index c12f9b0b84..18cfd17a78 100644 ---- a/linux_os/guide/system/selinux/selinux-booleans/sebool_selinuxuser_mysql_connect_enabled/rule.yml -+++ b/linux_os/guide/system/selinux/selinux-booleans/sebool_selinuxuser_mysql_connect_enabled/rule.yml -@@ -13,4 +13,7 @@ rationale: "" - - severity: medium - -+identifiers: -+ cce@rhel7: 82317-9 -+ - {{{ complete_ocil_entry_sebool_disabled(sebool="selinuxuser_mysql_connect_enabled") }}} -diff --git a/linux_os/guide/system/selinux/selinux-booleans/sebool_selinuxuser_ping/rule.yml b/linux_os/guide/system/selinux/selinux-booleans/sebool_selinuxuser_ping/rule.yml -index d8d6d69f98..25a4cb4c20 100644 ---- a/linux_os/guide/system/selinux/selinux-booleans/sebool_selinuxuser_ping/rule.yml -+++ b/linux_os/guide/system/selinux/selinux-booleans/sebool_selinuxuser_ping/rule.yml -@@ -14,4 +14,7 @@ rationale: "" - - severity: medium - -+identifiers: -+ cce@rhel7: 82318-7 -+ - {{{ complete_ocil_entry_sebool_enabled(sebool="selinuxuser_ping") }}} -diff --git a/linux_os/guide/system/selinux/selinux-booleans/sebool_selinuxuser_postgresql_connect_enabled/rule.yml b/linux_os/guide/system/selinux/selinux-booleans/sebool_selinuxuser_postgresql_connect_enabled/rule.yml -index f17f6b3cf4..fedba937e5 100644 ---- a/linux_os/guide/system/selinux/selinux-booleans/sebool_selinuxuser_postgresql_connect_enabled/rule.yml -+++ b/linux_os/guide/system/selinux/selinux-booleans/sebool_selinuxuser_postgresql_connect_enabled/rule.yml -@@ -13,4 +13,7 @@ rationale: "" - - severity: medium - -+identifiers: -+ cce@rhel7: 82319-5 -+ - {{{ complete_ocil_entry_sebool_disabled(sebool="selinuxuser_postgresql_connect_enabled") }}} -diff --git a/linux_os/guide/system/selinux/selinux-booleans/sebool_selinuxuser_rw_noexattrfile/rule.yml b/linux_os/guide/system/selinux/selinux-booleans/sebool_selinuxuser_rw_noexattrfile/rule.yml -index 14218b5015..8d30bc437d 100644 ---- a/linux_os/guide/system/selinux/selinux-booleans/sebool_selinuxuser_rw_noexattrfile/rule.yml -+++ b/linux_os/guide/system/selinux/selinux-booleans/sebool_selinuxuser_rw_noexattrfile/rule.yml -@@ -14,4 +14,7 @@ rationale: "" - - severity: medium - -+identifiers: -+ cce@rhel7: 82320-3 -+ - {{{ complete_ocil_entry_sebool_disabled(sebool="selinuxuser_rw_noexattrfile") }}} -diff --git a/linux_os/guide/system/selinux/selinux-booleans/sebool_selinuxuser_share_music/rule.yml b/linux_os/guide/system/selinux/selinux-booleans/sebool_selinuxuser_share_music/rule.yml -index cf7cd9ec7c..221e925b9b 100644 ---- a/linux_os/guide/system/selinux/selinux-booleans/sebool_selinuxuser_share_music/rule.yml -+++ b/linux_os/guide/system/selinux/selinux-booleans/sebool_selinuxuser_share_music/rule.yml -@@ -13,4 +13,7 @@ rationale: "" - - severity: medium - -+identifiers: -+ cce@rhel7: 82321-1 -+ - {{{ complete_ocil_entry_sebool_disabled(sebool="selinuxuser_share_music") }}} -diff --git a/linux_os/guide/system/selinux/selinux-booleans/sebool_selinuxuser_tcp_server/rule.yml b/linux_os/guide/system/selinux/selinux-booleans/sebool_selinuxuser_tcp_server/rule.yml -index e6a8407c13..cfc17033f8 100644 ---- a/linux_os/guide/system/selinux/selinux-booleans/sebool_selinuxuser_tcp_server/rule.yml -+++ b/linux_os/guide/system/selinux/selinux-booleans/sebool_selinuxuser_tcp_server/rule.yml -@@ -13,4 +13,7 @@ rationale: "" - - severity: medium - -+identifiers: -+ cce@rhel7: 82322-9 -+ - {{{ complete_ocil_entry_sebool_disabled(sebool="selinuxuser_tcp_server") }}} -diff --git a/linux_os/guide/system/selinux/selinux-booleans/sebool_selinuxuser_udp_server/rule.yml b/linux_os/guide/system/selinux/selinux-booleans/sebool_selinuxuser_udp_server/rule.yml -index 69a650a1c6..c773cfaa7b 100644 ---- a/linux_os/guide/system/selinux/selinux-booleans/sebool_selinuxuser_udp_server/rule.yml -+++ b/linux_os/guide/system/selinux/selinux-booleans/sebool_selinuxuser_udp_server/rule.yml -@@ -13,4 +13,7 @@ rationale: "" - - severity: medium - -+identifiers: -+ cce@rhel7: 82323-7 -+ - {{{ complete_ocil_entry_sebool_disabled(sebool="selinuxuser_udp_server") }}} -diff --git a/linux_os/guide/system/selinux/selinux-booleans/sebool_selinuxuser_use_ssh_chroot/rule.yml b/linux_os/guide/system/selinux/selinux-booleans/sebool_selinuxuser_use_ssh_chroot/rule.yml -index 062b060180..f2005f056c 100644 ---- a/linux_os/guide/system/selinux/selinux-booleans/sebool_selinuxuser_use_ssh_chroot/rule.yml -+++ b/linux_os/guide/system/selinux/selinux-booleans/sebool_selinuxuser_use_ssh_chroot/rule.yml -@@ -13,4 +13,7 @@ rationale: "" - - severity: medium - -+identifiers: -+ cce@rhel7: 82324-5 -+ - {{{ complete_ocil_entry_sebool_disabled(sebool="selinuxuser_use_ssh_chroot") }}} -diff --git a/linux_os/guide/system/selinux/selinux-booleans/sebool_ssh_chroot_rw_homedirs/rule.yml b/linux_os/guide/system/selinux/selinux-booleans/sebool_ssh_chroot_rw_homedirs/rule.yml -index 1a3dd18dce..64085cfd8b 100644 ---- a/linux_os/guide/system/selinux/selinux-booleans/sebool_ssh_chroot_rw_homedirs/rule.yml -+++ b/linux_os/guide/system/selinux/selinux-booleans/sebool_ssh_chroot_rw_homedirs/rule.yml -@@ -13,4 +13,7 @@ rationale: "" - - severity: medium - -+identifiers: -+ cce@rhel7: 82325-2 -+ - {{{ complete_ocil_entry_sebool_disabled(sebool="ssh_chroot_rw_homedirs") }}} -diff --git a/linux_os/guide/system/selinux/selinux-booleans/sebool_ssh_keysign/rule.yml b/linux_os/guide/system/selinux/selinux-booleans/sebool_ssh_keysign/rule.yml -index 5ed8effd7f..ea48425f03 100644 ---- a/linux_os/guide/system/selinux/selinux-booleans/sebool_ssh_keysign/rule.yml -+++ b/linux_os/guide/system/selinux/selinux-booleans/sebool_ssh_keysign/rule.yml -@@ -13,4 +13,7 @@ rationale: "" - - severity: medium - -+identifiers: -+ cce@rhel7: 82326-0 -+ - {{{ complete_ocil_entry_sebool_disabled(sebool="ssh_keysign") }}} -diff --git a/linux_os/guide/system/selinux/selinux-booleans/sebool_ssh_sysadm_login/rule.yml b/linux_os/guide/system/selinux/selinux-booleans/sebool_ssh_sysadm_login/rule.yml -index 26db5e0b28..6a4f49c410 100644 ---- a/linux_os/guide/system/selinux/selinux-booleans/sebool_ssh_sysadm_login/rule.yml -+++ b/linux_os/guide/system/selinux/selinux-booleans/sebool_ssh_sysadm_login/rule.yml -@@ -16,4 +16,7 @@ references: - - severity: medium - -+identifiers: -+ cce@rhel7: 82327-8 -+ - {{{ complete_ocil_entry_sebool_disabled(sebool="ssh_sysadm_login") }}} -diff --git a/linux_os/guide/system/selinux/selinux-booleans/sebool_staff_exec_content/rule.yml b/linux_os/guide/system/selinux/selinux-booleans/sebool_staff_exec_content/rule.yml -index deddaa989f..473fe953fe 100644 ---- a/linux_os/guide/system/selinux/selinux-booleans/sebool_staff_exec_content/rule.yml -+++ b/linux_os/guide/system/selinux/selinux-booleans/sebool_staff_exec_content/rule.yml -@@ -13,4 +13,7 @@ rationale: "" - - severity: medium - -+identifiers: -+ cce@rhel7: 82328-6 -+ - {{{ complete_ocil_entry_sebool_enabled(sebool="staff_exec_content") }}} -diff --git a/linux_os/guide/system/selinux/selinux-booleans/sebool_sysadm_exec_content/rule.yml b/linux_os/guide/system/selinux/selinux-booleans/sebool_sysadm_exec_content/rule.yml -index 63c36e8822..65c3d85d62 100644 ---- a/linux_os/guide/system/selinux/selinux-booleans/sebool_sysadm_exec_content/rule.yml -+++ b/linux_os/guide/system/selinux/selinux-booleans/sebool_sysadm_exec_content/rule.yml -@@ -13,4 +13,7 @@ rationale: "" - - severity: medium - -+identifiers: -+ cce@rhel7: 82329-4 -+ - {{{ complete_ocil_entry_sebool_enabled(sebool="sysadm_exec_content") }}} -diff --git a/linux_os/guide/system/selinux/selinux-booleans/sebool_unconfined_login/rule.yml b/linux_os/guide/system/selinux/selinux-booleans/sebool_unconfined_login/rule.yml -index de1f78e8dc..88a8b842af 100644 ---- a/linux_os/guide/system/selinux/selinux-booleans/sebool_unconfined_login/rule.yml -+++ b/linux_os/guide/system/selinux/selinux-booleans/sebool_unconfined_login/rule.yml -@@ -13,4 +13,7 @@ rationale: "" - - severity: medium - -+identifiers: -+ cce@rhel7: 82330-2 -+ - {{{ complete_ocil_entry_sebool_enabled(sebool="unconfined_login") }}} -diff --git a/linux_os/guide/system/selinux/selinux-booleans/sebool_use_ecryptfs_home_dirs/rule.yml b/linux_os/guide/system/selinux/selinux-booleans/sebool_use_ecryptfs_home_dirs/rule.yml -index 9d51a610ca..6e5983fd3a 100644 ---- a/linux_os/guide/system/selinux/selinux-booleans/sebool_use_ecryptfs_home_dirs/rule.yml -+++ b/linux_os/guide/system/selinux/selinux-booleans/sebool_use_ecryptfs_home_dirs/rule.yml -@@ -13,4 +13,7 @@ rationale: "" - - severity: medium - -+identifiers: -+ cce@rhel7: 82331-0 -+ - {{{ complete_ocil_entry_sebool_disabled(sebool="use_ecryptfs_home_dirs") }}} -diff --git a/linux_os/guide/system/selinux/selinux-booleans/sebool_user_exec_content/rule.yml b/linux_os/guide/system/selinux/selinux-booleans/sebool_user_exec_content/rule.yml -index 5c32b74fab..394b49cade 100644 ---- a/linux_os/guide/system/selinux/selinux-booleans/sebool_user_exec_content/rule.yml -+++ b/linux_os/guide/system/selinux/selinux-booleans/sebool_user_exec_content/rule.yml -@@ -13,4 +13,7 @@ rationale: "" - - severity: medium - -+identifiers: -+ cce@rhel7: 82332-8 -+ - {{{ complete_ocil_entry_sebool_enabled(sebool="user_exec_content") }}} -diff --git a/linux_os/guide/system/selinux/selinux-booleans/sebool_xdm_bind_vnc_tcp_port/rule.yml b/linux_os/guide/system/selinux/selinux-booleans/sebool_xdm_bind_vnc_tcp_port/rule.yml -index d39d6eb97d..19a1ee23cc 100644 ---- a/linux_os/guide/system/selinux/selinux-booleans/sebool_xdm_bind_vnc_tcp_port/rule.yml -+++ b/linux_os/guide/system/selinux/selinux-booleans/sebool_xdm_bind_vnc_tcp_port/rule.yml -@@ -13,4 +13,7 @@ rationale: "" - - severity: medium - -+identifiers: -+ cce@rhel7: 82333-6 -+ - {{{ complete_ocil_entry_sebool_disabled(sebool="xdm_bind_vnc_tcp_port") }}} -diff --git a/linux_os/guide/system/selinux/selinux-booleans/sebool_xdm_exec_bootloader/rule.yml b/linux_os/guide/system/selinux/selinux-booleans/sebool_xdm_exec_bootloader/rule.yml -index 52f90382e4..dca18f3744 100644 ---- a/linux_os/guide/system/selinux/selinux-booleans/sebool_xdm_exec_bootloader/rule.yml -+++ b/linux_os/guide/system/selinux/selinux-booleans/sebool_xdm_exec_bootloader/rule.yml -@@ -13,4 +13,7 @@ rationale: "" - - severity: medium - -+identifiers: -+ cce@rhel7: 82334-4 -+ - {{{ complete_ocil_entry_sebool_disabled(sebool="xdm_exec_bootloader") }}} -diff --git a/linux_os/guide/system/selinux/selinux-booleans/sebool_xdm_sysadm_login/rule.yml b/linux_os/guide/system/selinux/selinux-booleans/sebool_xdm_sysadm_login/rule.yml -index 42acdebfbc..fed51e91ec 100644 ---- a/linux_os/guide/system/selinux/selinux-booleans/sebool_xdm_sysadm_login/rule.yml -+++ b/linux_os/guide/system/selinux/selinux-booleans/sebool_xdm_sysadm_login/rule.yml -@@ -13,4 +13,7 @@ rationale: "" - - severity: medium - -+identifiers: -+ cce@rhel7: 82335-1 -+ - {{{ complete_ocil_entry_sebool_disabled(sebool="xdm_sysadm_login") }}} -diff --git a/linux_os/guide/system/selinux/selinux-booleans/sebool_xdm_write_home/rule.yml b/linux_os/guide/system/selinux/selinux-booleans/sebool_xdm_write_home/rule.yml -index c601c4ef66..fca878f48d 100644 ---- a/linux_os/guide/system/selinux/selinux-booleans/sebool_xdm_write_home/rule.yml -+++ b/linux_os/guide/system/selinux/selinux-booleans/sebool_xdm_write_home/rule.yml -@@ -13,4 +13,7 @@ rationale: "" - - severity: medium - -+identifiers: -+ cce@rhel7: 82336-9 -+ - {{{ complete_ocil_entry_sebool_disabled(sebool="xdm_write_home") }}} -diff --git a/linux_os/guide/system/selinux/selinux-booleans/sebool_xguest_connect_network/rule.yml b/linux_os/guide/system/selinux/selinux-booleans/sebool_xguest_connect_network/rule.yml -index da71e2e0aa..0d6c2be3d8 100644 ---- a/linux_os/guide/system/selinux/selinux-booleans/sebool_xguest_connect_network/rule.yml -+++ b/linux_os/guide/system/selinux/selinux-booleans/sebool_xguest_connect_network/rule.yml -@@ -14,4 +14,7 @@ rationale: "" - - severity: medium - -+identifiers: -+ cce@rhel7: 82337-7 -+ - {{{ complete_ocil_entry_sebool_disabled(sebool="xguest_connect_network") }}} -diff --git a/linux_os/guide/system/selinux/selinux-booleans/sebool_xguest_exec_content/rule.yml b/linux_os/guide/system/selinux/selinux-booleans/sebool_xguest_exec_content/rule.yml -index 0713368404..4a94acd4bf 100644 ---- a/linux_os/guide/system/selinux/selinux-booleans/sebool_xguest_exec_content/rule.yml -+++ b/linux_os/guide/system/selinux/selinux-booleans/sebool_xguest_exec_content/rule.yml -@@ -14,4 +14,7 @@ rationale: "" - - severity: medium - -+identifiers: -+ cce@rhel7: 82338-5 -+ - {{{ complete_ocil_entry_sebool_disabled(sebool="xguest_exec_content") }}} -diff --git a/linux_os/guide/system/selinux/selinux-booleans/sebool_xguest_mount_media/rule.yml b/linux_os/guide/system/selinux/selinux-booleans/sebool_xguest_mount_media/rule.yml -index 171b21bb76..a106a6e148 100644 ---- a/linux_os/guide/system/selinux/selinux-booleans/sebool_xguest_mount_media/rule.yml -+++ b/linux_os/guide/system/selinux/selinux-booleans/sebool_xguest_mount_media/rule.yml -@@ -14,4 +14,7 @@ rationale: "" - - severity: medium - -+identifiers: -+ cce@rhel7: 82339-3 -+ - {{{ complete_ocil_entry_sebool_disabled(sebool="xguest_mount_media") }}} -diff --git a/linux_os/guide/system/selinux/selinux-booleans/sebool_xguest_use_bluetooth/rule.yml b/linux_os/guide/system/selinux/selinux-booleans/sebool_xguest_use_bluetooth/rule.yml -index 28ef740608..9162facb68 100644 ---- a/linux_os/guide/system/selinux/selinux-booleans/sebool_xguest_use_bluetooth/rule.yml -+++ b/linux_os/guide/system/selinux/selinux-booleans/sebool_xguest_use_bluetooth/rule.yml -@@ -14,4 +14,7 @@ rationale: "" - - severity: medium - -+identifiers: -+ cce@rhel7: 82340-1 -+ - {{{ complete_ocil_entry_sebool_disabled(sebool="xguest_use_bluetooth") }}} -diff --git a/linux_os/guide/system/selinux/selinux-booleans/sebool_xserver_clients_write_xshm/rule.yml b/linux_os/guide/system/selinux/selinux-booleans/sebool_xserver_clients_write_xshm/rule.yml -index 793bca2fab..954456203c 100644 ---- a/linux_os/guide/system/selinux/selinux-booleans/sebool_xserver_clients_write_xshm/rule.yml -+++ b/linux_os/guide/system/selinux/selinux-booleans/sebool_xserver_clients_write_xshm/rule.yml -@@ -13,4 +13,7 @@ rationale: "" - - severity: medium - -+identifiers: -+ cce@rhel7: 82341-9 -+ - {{{ complete_ocil_entry_sebool_disabled(sebool="xserver_clients_write_xshm") }}} -diff --git a/linux_os/guide/system/selinux/selinux-booleans/sebool_xserver_execmem/rule.yml b/linux_os/guide/system/selinux/selinux-booleans/sebool_xserver_execmem/rule.yml -index 2f73f30596..cc4ccc0342 100644 ---- a/linux_os/guide/system/selinux/selinux-booleans/sebool_xserver_execmem/rule.yml -+++ b/linux_os/guide/system/selinux/selinux-booleans/sebool_xserver_execmem/rule.yml -@@ -13,4 +13,7 @@ rationale: "" - - severity: medium - -+identifiers: -+ cce@rhel7: 82342-7 -+ - {{{ complete_ocil_entry_sebool_disabled(sebool="xserver_execmem") }}} -diff --git a/linux_os/guide/system/selinux/selinux-booleans/sebool_xserver_object_manager/rule.yml b/linux_os/guide/system/selinux/selinux-booleans/sebool_xserver_object_manager/rule.yml -index 31c10d6459..2f4bc25fe3 100644 ---- a/linux_os/guide/system/selinux/selinux-booleans/sebool_xserver_object_manager/rule.yml -+++ b/linux_os/guide/system/selinux/selinux-booleans/sebool_xserver_object_manager/rule.yml -@@ -13,4 +13,7 @@ rationale: "" - - severity: medium - -+identifiers: -+ cce@rhel7: 82346-8 -+ - {{{ complete_ocil_entry_sebool_disabled(sebool="xserver_object_manager") }}} -From 7f41b550251afb65fec04a1ada7a59432816fa52 Mon Sep 17 00:00:00 2001 -From: Milan Lysonek -Date: Wed, 30 Oct 2019 15:49:44 +0100 -Subject: [PATCH 2/5] Add missing CCEs to rules from rhelh-stig profile. - ---- - .../guide/system/software/gnome/package_gdm_removed/rule.yml | 3 +++ - .../guide/system/software/sudo/sudo_vdsm_nopasswd/rule.yml | 3 +++ - 3 files changed, 6 insertions(+), 2 deletions(-) - -diff --git a/linux_os/guide/system/software/gnome/package_gdm_removed/rule.yml b/linux_os/guide/system/software/gnome/package_gdm_removed/rule.yml -index 012dbebb38..57b3c00454 100644 ---- a/linux_os/guide/system/software/gnome/package_gdm_removed/rule.yml -+++ b/linux_os/guide/system/software/gnome/package_gdm_removed/rule.yml -@@ -18,6 +18,9 @@ rationale: |- - - severity: medium - -+identifiers: -+ cce@rhel7: 82348-4 -+ - references: - nist: AC-17(8).1(ii) - srg: SRG-OS-000480-GPOS-00227 -diff --git a/linux_os/guide/system/software/sudo/sudo_vdsm_nopasswd/rule.yml b/linux_os/guide/system/software/sudo/sudo_vdsm_nopasswd/rule.yml -index 0f20412886..3dbf1b4499 100644 ---- a/linux_os/guide/system/software/sudo/sudo_vdsm_nopasswd/rule.yml -+++ b/linux_os/guide/system/software/sudo/sudo_vdsm_nopasswd/rule.yml -@@ -16,6 +16,9 @@ rationale: |- - - severity: medium - -+identifiers: -+ cce@rhel7: 82349-2 -+ - ocil_clause: 'nopasswd is set for any users beyond vdsm' - - ocil: |- -diff --git From 9bd0bbf84484fa02c1c53953aa48bb01bed41663 Mon Sep 17 00:00:00 2001 -From: Milan Lysonek -Date: Wed, 30 Oct 2019 15:54:44 +0100 -Subject: [PATCH 3/5] Add missing CCEs to rules from anssi_nt28_high profile. - ---- - .../services/deprecated/package_telnetd_removed/rule.yml | 3 +++ - .../system/bootloader-grub2/grub2_enable_iommu_force/rule.yml | 3 +++ - .../permissions/files/file_permissions_systemmap/rule.yml | 3 +++ - .../software/disk_partitioning/partition_for_var_tmp/rule.yml | 3 +++ - 5 files changed, 12 insertions(+), 4 deletions(-) - -diff --git a/linux_os/guide/services/deprecated/package_telnetd_removed/rule.yml b/linux_os/guide/services/deprecated/package_telnetd_removed/rule.yml -index a08170f2c4..bdbbe8437a 100644 ---- a/linux_os/guide/services/deprecated/package_telnetd_removed/rule.yml -+++ b/linux_os/guide/services/deprecated/package_telnetd_removed/rule.yml -@@ -8,6 +8,9 @@ rationale: 'telnet allows clear text communications, and does not protect any da - - severity: high - -+identifiers: -+ cce@rhel7: 82352-6 -+ - references: - anssi: NT007(R03) - nist: AC-17(8),CM-7 -diff --git a/linux_os/guide/system/bootloader-grub2/grub2_enable_iommu_force/rule.yml b/linux_os/guide/system/bootloader-grub2/grub2_enable_iommu_force/rule.yml -index 785ebe4a69..baade9c13e 100644 ---- a/linux_os/guide/system/bootloader-grub2/grub2_enable_iommu_force/rule.yml -+++ b/linux_os/guide/system/bootloader-grub2/grub2_enable_iommu_force/rule.yml -@@ -12,5 +12,8 @@ rationale: |- - - severity: unknown - -+identifiers: -+ cce@rhel7: 82351-8 -+ - references: - anssi: NT28(R11) -diff --git a/linux_os/guide/system/permissions/files/file_permissions_systemmap/rule.yml b/linux_os/guide/system/permissions/files/file_permissions_systemmap/rule.yml -index 0cf14df579..3c313824d3 100644 ---- a/linux_os/guide/system/permissions/files/file_permissions_systemmap/rule.yml -+++ b/linux_os/guide/system/permissions/files/file_permissions_systemmap/rule.yml -@@ -13,6 +13,9 @@ rationale: |- - - severity: unknown - -+identifiers: -+ cce@rhel7: 82350-0 -+ - references: - anssi: NT28(R13) - -diff --git a/linux_os/guide/system/software/disk_partitioning/partition_for_var_tmp/rule.yml b/linux_os/guide/system/software/disk_partitioning/partition_for_var_tmp/rule.yml -index 32a15afc45..65d7d8060b 100644 ---- a/linux_os/guide/system/software/disk_partitioning/partition_for_var_tmp/rule.yml -+++ b/linux_os/guide/system/software/disk_partitioning/partition_for_var_tmp/rule.yml -@@ -16,6 +16,9 @@ rationale: |- - - severity: low - -+identifiers: -+ cce@rhel7: 82353-4 -+ - references: - cis: 1.1.7 - anssi: NT28(R12) -From fd0aee12ebdced5f1d0507cd7ee1a8a0a470c401 Mon Sep 17 00:00:00 2001 -From: Milan Lysonek -Date: Wed, 30 Oct 2019 15:57:35 +0100 -Subject: [PATCH 4/5] Add missing CCEs to rules from C2S profile. - ---- - .../services/ssh/ssh_server/sshd_set_max_auth_tries/rule.yml | 3 +++ - 2 files changed, 3 insertions(+), 1 deletion(-) - -diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/rule.yml -index 2a20218c3c..9bdc4bb57a 100644 ---- a/linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/rule.yml -+++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/rule.yml -@@ -14,6 +14,9 @@ rationale: |- - - severity: medium - -+identifiers: -+ cce@rhel7: 82354-2 -+ - references: - cis@debian8: 9.3.5 - cis@rhel7: 5.2.5 -From aa2b6ca11b84700b1b0c4a9d034cd33b594ebdbe Mon Sep 17 00:00:00 2001 -From: Milan Lysonek -Date: Wed, 30 Oct 2019 16:00:18 +0100 -Subject: [PATCH 5/5] Add missing CCEs to rules from e8 profile. - ---- - .../ssh/ssh_server/sshd_use_strong_ciphers/rule.yml | 3 +++ - .../services/ssh/ssh_server/sshd_use_strong_macs/rule.yml | 3 +++ - .../audit_rules_execution_seunshare/rule.yml | 1 + - .../auditd_freq/rule.yml | 1 + - .../auditd_local_events/rule.yml | 1 + - .../auditd_log_format/rule.yml | 1 + - .../auditd_name_format/rule.yml | 1 + - .../auditd_write_logs/rule.yml | 1 + - 9 files changed, 12 insertions(+), 8 deletions(-) - -diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_ciphers/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_ciphers/rule.yml -index 39e87e86bf..d4b61cedb9 100644 ---- a/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_ciphers/rule.yml -+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_ciphers/rule.yml -@@ -23,6 +23,9 @@ rationale: |- - - severity: medium - -+identifiers: -+ cce@rhel7: 82363-3 -+ - references: - cis@debian: 9.3.11 - -diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_macs/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_macs/rule.yml -index 16259017d8..7f0d75c53d 100644 ---- a/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_macs/rule.yml -+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_macs/rule.yml -@@ -19,6 +19,9 @@ rationale: |- - - severity: medium - -+identifiers: -+ cce@rhel7: 82364-1 -+ - ocil_clause: 'MACs option is commented out or not using strong hash algorithms' - - ocil: |- -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_seunshare/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_seunshare/rule.yml -index 1d25819675..ae64febdf5 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_seunshare/rule.yml -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_seunshare/rule.yml -@@ -31,6 +31,7 @@ rationale: |- - severity: medium - - identifiers: -+ cce@rhel7: 82362-5 - cce@rhel8: 80933-5 - - references: -diff --git a/linux_os/guide/system/auditing/auditd_freq/rule.yml b/linux_os/guide/system/auditing/auditd_freq/rule.yml -index b0a89910f1..38a356dad9 100644 ---- a/linux_os/guide/system/auditing/auditd_freq/rule.yml -+++ b/linux_os/guide/system/auditing/auditd_freq/rule.yml -@@ -15,6 +15,7 @@ rationale: |- - severity: medium - - identifiers: -+ cce@rhel7: 82358-3 - cce@rhel8: 82258-5 - - references: -diff --git a/linux_os/guide/system/auditing/auditd_local_events/rule.yml b/linux_os/guide/system/auditing/auditd_local_events/rule.yml -index 9d24add817..3db55f6594 100644 ---- a/linux_os/guide/system/auditing/auditd_local_events/rule.yml -+++ b/linux_os/guide/system/auditing/auditd_local_events/rule.yml -@@ -14,6 +14,7 @@ rationale: |- - severity: medium - - identifiers: -+ cce@rhel7: 82355-9 - cce@rhel8: 82233-8 - - references: -diff --git a/linux_os/guide/system/auditing/auditd_log_format/rule.yml b/linux_os/guide/system/auditing/auditd_log_format/rule.yml -index a10e86113d..75c63e1d5b 100644 ---- a/linux_os/guide/system/auditing/auditd_log_format/rule.yml -+++ b/linux_os/guide/system/auditing/auditd_log_format/rule.yml -@@ -15,6 +15,7 @@ rationale: |- - severity: medium - - identifiers: -+ cce@rhel7: 82357-5 - cce@rhel8: 82201-5 - - references: -diff --git a/linux_os/guide/system/auditing/auditd_name_format/rule.yml b/linux_os/guide/system/auditing/auditd_name_format/rule.yml -index fecae8163f..6673dd050c 100644 ---- a/linux_os/guide/system/auditing/auditd_name_format/rule.yml -+++ b/linux_os/guide/system/auditing/auditd_name_format/rule.yml -@@ -16,6 +16,7 @@ rationale: |- - severity: medium - - identifiers: -+ cce@rhel7: 82359-1 - cce@rhel8: 82897-0 - - references: -diff --git a/linux_os/guide/system/auditing/auditd_write_logs/rule.yml b/linux_os/guide/system/auditing/auditd_write_logs/rule.yml -index 2f2d0fa258..261bee9695 100644 ---- a/linux_os/guide/system/auditing/auditd_write_logs/rule.yml -+++ b/linux_os/guide/system/auditing/auditd_write_logs/rule.yml -@@ -14,6 +14,7 @@ rationale: |- - severity: medium - - identifiers: -+ cce@rhel7: 82356-7 - cce@rhel8: 82366-6 - - references: diff --git a/SOURCES/scap-security-guide-0.1.47-improve_bash_based_on_shellcheck.patch b/SOURCES/scap-security-guide-0.1.47-improve_bash_based_on_shellcheck.patch deleted file mode 100644 index e4e6775..0000000 --- a/SOURCES/scap-security-guide-0.1.47-improve_bash_based_on_shellcheck.patch +++ /dev/null @@ -1,172 +0,0 @@ -From 7014c398140eb02e651639e22b85c0b9e91938fd Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= -Date: Tue, 3 Sep 2019 14:02:02 +0200 -Subject: [PATCH] Improved Bash code based on shellcheck feedback. - -* Quote `find` glob, arguments, so they are protected from the shell. -* Quote the whole `awk` command, so shellcheck is not confused by unquoted curly braces. -* Fix a typo of `file_to_inspect` vs `files_to_inspect`. -* Made vars expansion explicit when they are followed by square brackets, - i.e. `$x[[:space:]]` to `${x}[[:space:]]` -* Separated `local` declarations from assignments using subsells. - `local` shadows the subshell return code in those cases. -* Removed `local` from the Jinja macro, as there is no function there. -* Changed `sed` separator in `FSTAB_TARGET_ROW` definition to `|`, got rid of `TARGET_ESCAPED`. -* Double-quoted backslashes in double quotes. -* Commented out unused def of `TARGET_OPTS`. ---- - .../audit_rules_immutable/bash/shared.sh | 2 +- - .../audit_rules_system_shutdown/bash/shared.sh | 2 +- - .../dir_perms_world_writable_sticky_bits/bash/shared.sh | 2 +- - .../bash/rhel6.sh | 9 +++------ - .../bash_remediation_functions/fix_audit_syscall_rule.sh | 2 +- - .../include_mount_options_functions.sh | 2 +- - ...form_audit_adjtimex_settimeofday_stime_remediation.sh | 2 +- - shared/bash_remediation_functions/service_command.sh | 4 +++- - shared/macros-bash.jinja | 4 ++-- - 9 files changed, 14 insertions(+), 15 deletions(-) - -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_immutable/bash/shared.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_immutable/bash/shared.sh -index ce411358a7..20282296d7 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_immutable/bash/shared.sh -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_immutable/bash/shared.sh -@@ -8,7 +8,7 @@ - # files to check if '-e .*' setting is present in that '*.rules' file already. - # If found, delete such occurrence since auditctl(8) manual page instructs the - # '-e 2' rule should be placed as the last rule in the configuration --find /etc/audit /etc/audit/rules.d -maxdepth 1 -type f -name *.rules -exec sed -i '/-e[[:space:]]\+.*/d' {} ';' -+find /etc/audit /etc/audit/rules.d -maxdepth 1 -type f -name '*.rules' -exec sed -i '/-e[[:space:]]\+.*/d' {} ';' - - # Append '-e 2' requirement at the end of both: - # * /etc/audit/audit.rules file (for auditctl case) -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/bash/shared.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/bash/shared.sh -index 58047353cf..1c9748ce9b 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/bash/shared.sh -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/bash/shared.sh -@@ -8,7 +8,7 @@ - # files to check if '-f .*' setting is present in that '*.rules' file already. - # If found, delete such occurrence since auditctl(8) manual page instructs the - # '-f 2' rule should be placed as the last rule in the configuration --find /etc/audit /etc/audit/rules.d -maxdepth 1 -type f -name *.rules -exec sed -i '/-e[[:space:]]\+.*/d' {} ';' -+find /etc/audit /etc/audit/rules.d -maxdepth 1 -type f -name '*.rules' -exec sed -i '/-e[[:space:]]\+.*/d' {} ';' - - # Append '-f 2' requirement at the end of both: - # * /etc/audit/audit.rules file (for auditctl case) -diff --git a/linux_os/guide/system/permissions/files/dir_perms_world_writable_sticky_bits/bash/shared.sh b/linux_os/guide/system/permissions/files/dir_perms_world_writable_sticky_bits/bash/shared.sh -index 57b1ef0198..150244d4cd 100644 ---- a/linux_os/guide/system/permissions/files/dir_perms_world_writable_sticky_bits/bash/shared.sh -+++ b/linux_os/guide/system/permissions/files/dir_perms_world_writable_sticky_bits/bash/shared.sh -@@ -1,5 +1,5 @@ - # platform = multi_platform_rhel --df --local -P | awk {'if (NR!=1) print $6'} \ -+df --local -P | awk '{if (NR!=1) print $6}' \ - | xargs -I '{}' find '{}' -xdev -type d \ - \( -perm -0002 -a ! -perm -1000 \) 2>/dev/null \ - | xargs chmod a+t -diff --git a/linux_os/guide/system/permissions/partitions/mount_option_nodev_nonroot_local_partitions/bash/rhel6.sh b/linux_os/guide/system/permissions/partitions/mount_option_nodev_nonroot_local_partitions/bash/rhel6.sh -index 609658410a..0e56752ae4 100644 ---- a/linux_os/guide/system/permissions/partitions/mount_option_nodev_nonroot_local_partitions/bash/rhel6.sh -+++ b/linux_os/guide/system/permissions/partitions/mount_option_nodev_nonroot_local_partitions/bash/rhel6.sh -@@ -44,23 +44,20 @@ do - MOUNT_OPTIONS="$MOUNT_OPTIONS,nodev" - fi - -- # Escape possible slash ('/') characters in target for use as sed -- # expression below -- TARGET_ESCAPED=${TARGET//$'/'/$'\/'} - # This target doesn't contain 'nodev' in mount options yet (and meets - # the above filtering criteria). Therefore obtain particular /etc/fstab's - # row into FSTAB_TARGET_ROW variable separating the mount options field with - # hash '#' character -- FSTAB_TARGET_ROW=$(sed -n "s/\(.*$TARGET_ESCAPED[$SP]\+$FSTYPE[$SP]\+\)\([^$SP]\+\)/\1#\2#/p" /etc/fstab) -+ FSTAB_TARGET_ROW=$(sed -n "s|\\(.*${TARGET}[$SP]\\+${FSTYPE}[$SP]\\+\\)\\([^$SP]\\+\\)|\\1#\\2#|p" /etc/fstab) - # Split the retrieved value by the hash '#' delimiter to get the - # row's head & tail (i.e. columns other than mount options) which won't - # get modified - TARGET_HEAD=$(cut -f 1 -d '#' <<< "$FSTAB_TARGET_ROW") -- TARGET_OPTS=$(cut -f 2 -d '#' <<< "$FSTAB_TARGET_ROW") -+ # TARGET_OPTS=$(cut -f 2 -d '#' <<< "$FSTAB_TARGET_ROW") - TARGET_TAIL=$(cut -f 3 -d '#' <<< "$FSTAB_TARGET_ROW") - # Replace old mount options for particular /etc/fstab's row (for this target - # and fstype) with new mount options -- sed -i "s#${TARGET_HEAD}\(.*\)${TARGET_TAIL}#${TARGET_HEAD}${MOUNT_OPTIONS}${TARGET_TAIL}#" /etc/fstab -+ sed -i "s|${TARGET_HEAD}\(.*\)${TARGET_TAIL}|${TARGET_HEAD}${MOUNT_OPTIONS}${TARGET_TAIL}|" /etc/fstab - fi - fi - done -diff --git a/shared/bash_remediation_functions/fix_audit_syscall_rule.sh b/shared/bash_remediation_functions/fix_audit_syscall_rule.sh -index 0bb5ad2ef4..25f80fe30b 100644 ---- a/shared/bash_remediation_functions/fix_audit_syscall_rule.sh -+++ b/shared/bash_remediation_functions/fix_audit_syscall_rule.sh -@@ -95,7 +95,7 @@ then - if [ ${#files_to_inspect[@]} -eq "0" ] - then - file_to_inspect="/etc/audit/rules.d/$key.rules" -- files_to_inspect=("$files_to_inspect") -+ files_to_inspect=("$file_to_inspect") - if [ ! -e "$file_to_inspect" ] - then - touch "$file_to_inspect" -diff --git a/shared/bash_remediation_functions/include_mount_options_functions.sh b/shared/bash_remediation_functions/include_mount_options_functions.sh -index 8467b01628..392367dc05 100644 ---- a/shared/bash_remediation_functions/include_mount_options_functions.sh -+++ b/shared/bash_remediation_functions/include_mount_options_functions.sh -@@ -8,7 +8,7 @@ function include_mount_options_functions { - # $4: mount type of new mount point (used when adding new entry in fstab) - function ensure_mount_option_for_vfstype { - local _vfstype="$1" _new_opt="$2" _filesystem=$3 _type=$4 _vfstype_points=() -- readarray -t _vfstype_points < <(grep -E "[[:space:]]$_vfstype[[:space:]]" /etc/fstab | awk '{print $2}') -+ readarray -t _vfstype_points < <(grep -E "[[:space:]]${_vfstype}[[:space:]]" /etc/fstab | awk '{print $2}') - - for _vfstype_point in "${_vfstype_points[@]}" - do -diff --git a/shared/bash_remediation_functions/perform_audit_adjtimex_settimeofday_stime_remediation.sh b/shared/bash_remediation_functions/perform_audit_adjtimex_settimeofday_stime_remediation.sh -index 8d2f357c0c..be1425b454 100644 ---- a/shared/bash_remediation_functions/perform_audit_adjtimex_settimeofday_stime_remediation.sh -+++ b/shared/bash_remediation_functions/perform_audit_adjtimex_settimeofday_stime_remediation.sh -@@ -14,7 +14,7 @@ source fix_audit_syscall_rule.sh - function perform_audit_adjtimex_settimeofday_stime_remediation { - - # Retrieve hardware architecture of the underlying system --[ $(getconf LONG_BIT) = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64") -+[ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64") - - for ARCH in "${RULE_ARCHS[@]}" - do -diff --git a/shared/bash_remediation_functions/service_command.sh b/shared/bash_remediation_functions/service_command.sh -index feb8a9648f..e1eb18cd95 100644 ---- a/shared/bash_remediation_functions/service_command.sh -+++ b/shared/bash_remediation_functions/service_command.sh -@@ -13,7 +13,9 @@ function service_command { - # Load function arguments into local variables - local service_state=$1 - local service=$2 --local xinetd=$(echo $3 | cut -d'=' -f2) -+local xinetd -+ -+xinetd=$(echo $3 | cut -d = -f 2) - - # Check sanity of the input - if [ $# -lt "2" ] -diff --git a/shared/macros-bash.jinja b/shared/macros-bash.jinja -index 135531991a..969989e59f 100644 ---- a/shared/macros-bash.jinja -+++ b/shared/macros-bash.jinja -@@ -173,7 +173,7 @@ printf '%s\n' "{{{ line }}}" > "{{{ path }}}" - cat "{{{ path }}}.bak" >> "{{{ path }}}" - {{%- elif insert_after %}} - # Insert after the line matching the regex '{{{ insert_after }}}' --local line_number="$(LC_ALL=C grep -n "{{{ insert_after }}}" "{{{ path }}}.bak" | LC_ALL=C sed 's/:.*//g')" -+line_number="$(LC_ALL=C grep -n "{{{ insert_after }}}" "{{{ path }}}.bak" | LC_ALL=C sed 's/:.*//g')" - if [ -z "$line_number" ]; then - # There was no match of '{{{ insert_after }}}', insert at - # the end of the file. -@@ -185,7 +185,7 @@ else - fi - {{%- elif insert_before %}} - # Insert before the line matching the regex '{{{ insert_before }}}'. --local line_number="$(LC_ALL=C grep -n "{{{ insert_before }}}" "{{{ path }}}.bak" | LC_ALL=C sed 's/:.*//g')" -+line_number="$(LC_ALL=C grep -n "{{{ insert_before }}}" "{{{ path }}}.bak" | LC_ALL=C sed 's/:.*//g')" - if [ -z "$line_number" ]; then - # There was no match of '{{{ insert_before }}}', insert at - # the end of the file. diff --git a/SOURCES/scap-security-guide-0.1.47-remove_directory_access_var_log_audit_from_ospp.patch b/SOURCES/scap-security-guide-0.1.47-remove_directory_access_var_log_audit_from_ospp.patch deleted file mode 100644 index d6b7bd2..0000000 --- a/SOURCES/scap-security-guide-0.1.47-remove_directory_access_var_log_audit_from_ospp.patch +++ /dev/null @@ -1,69 +0,0 @@ -From d0f70c7a7383dd41277599cb776e03534aa2137c Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= -Date: Wed, 30 Oct 2019 18:11:09 +0100 -Subject: [PATCH 1/2] Remove audit_rules_for_ospp from RHEL 7 OSPP - -The audit rule `-a always,exit -F dir=/var/log/audit/ --F perm=r -F auid>=1000 -F auid!=unset -F key=access-audit-trail -is present in /usr/share/doc/audit-2.8.5/rules/30-ospp-v42.rules -(checked on audit-2.8.5-4.el7.x86_64). That means this audir rule -is already checked and remediated by rule `audit_rules_for_ospp`. ---- - rhel7/profiles/ospp.profile | 4 +--- - 1 file changed, 1 insertion(+), 3 deletions(-) - -diff --git a/rhel7/profiles/ospp.profile b/rhel7/profiles/ospp.profile -index e20c58875d..81762ad782 100644 ---- a/rhel7/profiles/ospp.profile -+++ b/rhel7/profiles/ospp.profile -@@ -285,13 +285,11 @@ selections: - ## AU-2(a) / FAU_GEN.1.1.c - ## Audit Kernel Module Loading and Unloading Events (Success/Failure) - ## AU-2(a) / FAU_GEN.1.1.c -- - audit_rules_for_ospp -- - ## Audit All Audit and Log Data Accesses (Success/Failure) - ## CNSSI 1253 Value or DoD-specific Values: - ## - Audit and log data access (Success/Failure) - ## AU-2(a) / FAU_GEN.1.1.c -- - directory_access_var_log_audit -+ - audit_rules_for_ospp - - - ### SELinux Configuration - -From 0b822d21cdee7c7da136337a45e9c7136b7d576e Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= -Date: Thu, 31 Oct 2019 15:23:01 +0100 -Subject: [PATCH 2/2] Make comments the same - ---- - rhel7/profiles/ospp.profile | 8 ++++---- - 1 file changed, 4 insertions(+), 4 deletions(-) - -diff --git a/rhel7/profiles/ospp.profile b/rhel7/profiles/ospp.profile -index 81762ad782..a3168d51a7 100644 ---- a/rhel7/profiles/ospp.profile -+++ b/rhel7/profiles/ospp.profile -@@ -278,6 +278,10 @@ selections: - ## CNSSI 1253 Value or DoD-specific Values: - ## - Privilege/Role escalation (Success/Failure) - ## AU-2(a) / FAU_GEN.1.1.c -+ ## Audit All Audit and Log Data Accesses (Success/Failure) -+ ## CNSSI 1253 Value or DoD-specific Values: -+ ## - Audit and log data access (Success/Failure) -+ ## AU-2(a) / FAU_GEN.1.1.c - ## Audit Cryptographic Verification of Software (Success/Failure) - ## CNSSI 1253 Value or DoD-specific Values: - ## - Applications (e.g. Firefox, Internet Explorer, MS Office Suite, -@@ -285,10 +289,6 @@ selections: - ## AU-2(a) / FAU_GEN.1.1.c - ## Audit Kernel Module Loading and Unloading Events (Success/Failure) - ## AU-2(a) / FAU_GEN.1.1.c -- ## Audit All Audit and Log Data Accesses (Success/Failure) -- ## CNSSI 1253 Value or DoD-specific Values: -- ## - Audit and log data access (Success/Failure) -- ## AU-2(a) / FAU_GEN.1.1.c - - audit_rules_for_ospp - - diff --git a/SOURCES/scap-security-guide-0.1.47-remove_shell_module_from_playbooks.patch b/SOURCES/scap-security-guide-0.1.47-remove_shell_module_from_playbooks.patch deleted file mode 100644 index e118819..0000000 --- a/SOURCES/scap-security-guide-0.1.47-remove_shell_module_from_playbooks.patch +++ /dev/null @@ -1,476 +0,0 @@ -From 4995c390a22020454be6625f2bd63c1a04302043 Mon Sep 17 00:00:00 2001 -From: Gabe -Date: Fri, 30 Aug 2019 11:15:22 -0600 -Subject: [PATCH 1/5] Remove usage of the SHELL module or get rid of pipe usage - ---- - .../no_direct_root_logins/ansible/shared.yml | 10 ++++----- - .../ansible/shared.yml | 22 +++++++++---------- - .../ansible/shared.yml | 4 +--- - .../template_ANSIBLE_service_disabled | 14 +++++++----- - 4 files changed, 25 insertions(+), 25 deletions(-) - -diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/ansible/shared.yml -index 9049733c64..e9a29a24d5 100644 ---- a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/ansible/shared.yml -+++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/ansible/shared.yml -@@ -3,13 +3,13 @@ - # strategy = restrict - # complexity = low - # disruption = low --- name: Test for existence /etc/cron.allow -+- name: Test for existence of /etc/securetty - stat: - path: /etc/securetty - register: securetty_empty - - - name: "Direct root Logins Not Allowed" -- shell: echo > /etc/securetty -- args: -- warn: False -- changed_when: securetty_empty.stat.size > 1 -+ copy: -+ dest: /etc/securetty -+ content: "" -+ when: securetty_empty.stat.size > 1 -diff --git a/linux_os/guide/system/accounts/accounts-session/root_paths/accounts_root_path_dirs_no_write/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-session/root_paths/accounts_root_path_dirs_no_write/ansible/shared.yml -index 3ec812835f..cee947e8cc 100644 ---- a/linux_os/guide/system/accounts/accounts-session/root_paths/accounts_root_path_dirs_no_write/ansible/shared.yml -+++ b/linux_os/guide/system/accounts/accounts-session/root_paths/accounts_root_path_dirs_no_write/ansible/shared.yml -@@ -3,27 +3,27 @@ - # strategy = restrict - # complexity = low - # disruption = medium --- name: "Fail if user is not root" -+- name: "Print error message if user is not root" - fail: - msg: 'Root account required to read root $PATH' - when: ansible_user != "root" -+ ignore_errors: true - - - name: "Get root paths which are not symbolic links" -- shell: | -- set -o pipefail -- tr ":" "\n" <<< "$PATH" | xargs -I% find % -maxdepth 0 -type d -- args: -- warn: False -- executable: /bin/bash -+ stat: -+ path: "{{ item }}" - changed_when: False - failed_when: False - register: root_paths -+ with_items: "{{ ansible_env.PATH.split(':') }}" - when: ansible_user == "root" -- check_mode: no - - - name: "Disable writability to root directories" - file: -- path: "{{ item }}" -+ path: "{{ item.item }}" - mode: "g-w,o-w" -- with_items: "{{ root_paths.stdout_lines }}" -- when: root_paths.stdout_lines is defined -+ with_items: "{{ root_paths.results }}" -+ when: -+ - root_paths.results is defined -+ - item.stat.exists -+ - not item.stat.islnk -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/ansible/shared.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/ansible/shared.yml -index 7f958e0af5..9a8f91020c 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/ansible/shared.yml -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/ansible/shared.yml -@@ -5,9 +5,7 @@ - # disruption = low - - - name: Search for privileged commands -- shell: | -- set -o pipefail -- find / -xdev -type f -perm -4000 -o -type f -perm -2000 2>/dev/null | cat -+ shell: find / -xdev -type f -perm -4000 -o -type f -perm -2000 2>/dev/null - args: - warn: False - executable: /bin/bash -diff --git a/shared/templates/template_ANSIBLE_service_disabled b/shared/templates/template_ANSIBLE_service_disabled -index 69bf69aaea..07bb8fff0c 100644 ---- a/shared/templates/template_ANSIBLE_service_disabled -+++ b/shared/templates/template_ANSIBLE_service_disabled -@@ -4,9 +4,10 @@ - # complexity = low - # disruption = low - {{%- if init_system == "systemd" %}} --- name: "Unit Service Exists" -- shell: systemctl list-unit-files | grep -q '^{{{ DAEMONNAME }}}.service' -+- name: "Unit Service Exists - {{{ DAEMONNAME }}}.service" -+ command: systemctl list-unit-files {{{ DAEMONNAME }}}.service - register: service_file_exists -+ changed_when: False - ignore_errors: True - - - name: Disable service {{{ SERVICENAME }}} -@@ -17,11 +18,12 @@ - {{%- if MASK_SERVICE %}} - masked: "yes" - {{%- endif %}} -- when: service_file_exists.rc == 0 -+ when: '"{{{ DAEMONNAME }}}.service" in service_file_exists.stdout_lines[1]' - --- name: "Unit Socket Exists" -- shell: systemctl list-unit-files | grep -q '^{{{ DAEMONNAME }}}.socket' -+- name: "Unit Socket Exists - {{{ DAEMONNAME }}}.socket" -+ command: systemctl list-unit-files {{{ DAEMONNAME }}}.socket - register: socket_file_exists -+ changed_when: False - ignore_errors: True - - - name: Disable socket {{{ SERVICENAME }}} -@@ -32,7 +34,7 @@ - {{%- if MASK_SERVICE %}} - masked: "yes" - {{%- endif %}} -- when: socket_file_exists.rc == 0 -+ when: '"{{{ DAEMONNAME }}}.socket" in socket_file_exists.stdout_lines[1]' - - {{% elif init_system == "upstart" %}} - - name: Stop {{{ SERVICENAME }}} - -From e268f1e07192a5cf343b6ac36053553d1074bd3b Mon Sep 17 00:00:00 2001 -From: Gabe -Date: Fri, 30 Aug 2019 12:53:40 -0600 -Subject: [PATCH 2/5] Use command and mount module instead of shell - -- Fixes #4783 ---- - .../ansible/shared.yml | 20 ++++++++----------- - ...te_ANSIBLE_mount_option_remote_filesystems | 19 ++++++++---------- - 2 files changed, 16 insertions(+), 23 deletions(-) - -diff --git a/linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/mounting_remote_filesystems/mount_option_krb_sec_remote_filesystems/ansible/shared.yml b/linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/mounting_remote_filesystems/mount_option_krb_sec_remote_filesystems/ansible/shared.yml -index 506c3dee31..6982ce293e 100644 ---- a/linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/mounting_remote_filesystems/mount_option_krb_sec_remote_filesystems/ansible/shared.yml -+++ b/linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/mounting_remote_filesystems/mount_option_krb_sec_remote_filesystems/ansible/shared.yml -@@ -5,20 +5,16 @@ - # disruption = medium - - - name: "Get nfs and nfs4 mount points, that don't have Kerberos security option" -- shell: | -- set -o pipefail -- grep -E "[[:space:]]nfs[4]?[[:space:]]" /etc/fstab | grep -v "sec=krb5:krb5i:krb5p" | awk '{print $2}' -- args: -- warn: False -- executable: /bin/bash -+ command: findmnt --fstab --types nfs,nfs4 -O nosec=krb5:krb5i:krb5p -n -o TARGET - register: points_register - check_mode: no - changed_when: False - --- name: "Add Kerberos security to mount points" -- shell: awk '$2=="{{ item }}"{$4=$4",sec=krb5:krb5i:krb5p"}1' /etc/fstab > fstab.tmp && mv fstab.tmp /etc/fstab -- args: -- warn: False -- with_items: -- - "{{ points_register.stdout_lines }}" -+- name: "Add Kerberos security to nfs and nfs4 mount points" -+ mount: -+ path: "{{ item.split()[0] }}" -+ src: "{{ item.split()[1] }}" -+ fstype: "{{ item.split()[2] }}" -+ state: mounted -+ opts: "{{ item.split()[3] }},sec=krb5:krb5i:krb5p" - when: (points_register.stdout | length > 0) -diff --git a/shared/templates/template_ANSIBLE_mount_option_remote_filesystems b/shared/templates/template_ANSIBLE_mount_option_remote_filesystems -index f89c1d7285..f3d6f02d82 100644 ---- a/shared/templates/template_ANSIBLE_mount_option_remote_filesystems -+++ b/shared/templates/template_ANSIBLE_mount_option_remote_filesystems -@@ -5,19 +5,16 @@ - # disruption = medium - - - name: "Get nfs and nfs4 mount points, that don't have {{{ MOUNTOPTION }}}" -- shell: | -- set -o pipefail -- grep -E "[[:space:]]nfs[4]?[[:space:]]" /etc/fstab | grep -v "{{{ MOUNTOPTION }}}" | awk '{print $2}' -- args: -- executable: /bin/bash -+ command: findmnt --fstab --types nfs,nfs4 -O no{{{ MOUNTOPTION }} -n - register: points_register - check_mode: no - changed_when: False - --- name: "Add {{{ MOUNTOPTION }}} to mount points" -- shell: awk '$2=="{{ item }}"{$4=$4",{{{ MOUNTOPTION }}}"}1' /etc/fstab > fstab.tmp && mv fstab.tmp /etc/fstab -- args: -- executable: /bin/bash -- with_items: -- - "{{ points_register.stdout_lines }}" -+- name: "Add {{{ MOUNTOPTION }}} to nfs and nfs4 mount points" -+ mount: -+ path: "{{ item.split()[0] }}" -+ src: "{{ item.split()[1] }}" -+ fstype: "{{ item.split()[2] }}" -+ state: mounted -+ opts: "{{ item.split()[3] }},{{{ MOUNTOPTION }}}" - when: (points_register.stdout | length > 0) - -From 189a8962ddfc35a516eb468f7df1b66a55d874a6 Mon Sep 17 00:00:00 2001 -From: Gabe -Date: Fri, 30 Aug 2019 15:18:02 -0600 -Subject: [PATCH 3/5] Remove usage of shell module in gpgkey install Ansible - snippet - ---- - .../ansible/shared.yml | 18 +++++++++--------- - ...ate_ANSIBLE_mount_option_remote_filesystems | 2 +- - 2 files changed, 10 insertions(+), 10 deletions(-) - -diff --git a/linux_os/guide/system/software/updating/ensure_redhat_gpgkey_installed/ansible/shared.yml b/linux_os/guide/system/software/updating/ensure_redhat_gpgkey_installed/ansible/shared.yml -index 079020f8cd..91a98640ad 100644 ---- a/linux_os/guide/system/software/updating/ensure_redhat_gpgkey_installed/ansible/shared.yml -+++ b/linux_os/guide/system/software/updating/ensure_redhat_gpgkey_installed/ansible/shared.yml -@@ -14,13 +14,9 @@ - - name: Read signatures in GPG key - # According to /usr/share/doc/gnupg2/DETAILS fingerprints are in "fpr" record in field 10 - {{% if product == "rhel8" -%}} -- shell: | -- set -o pipefail -- gpg --show-keys --with-fingerprint --with-colons "/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release" | grep -A1 "^pub" | grep "^fpr" | cut -d ":" -f 10 -+ command: gpg --show-keys --with-fingerprint --with-colons "/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release" - {{%- else -%}} -- shell: | -- set -o pipefail -- gpg --with-fingerprint --with-colons "/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release" | grep "^fpr" | cut -d ":" -f 10 -+ command: gpg --with-fingerprint --with-colons "/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release" - {{%- endif %}} - args: - warn: False -@@ -29,9 +25,13 @@ - register: gpg_fingerprints - check_mode: no - -+- name: Set Fact - Installed GPG Fingerprints -+ set_fact: -+ gpg_installed_fingerprints: "{{ gpg_fingerprints.stdout | regex_findall('^pub.*\n(?:^fpr[:]*)([0-9A-Fa-f]*)', '\\1') | list }}" -+ - - name: Set Fact - Valid fingerprints - set_fact: -- gpg_valid_fingerprints: ("{{{ release_key_fingerprint }}}" "{{{ auxiliary_key_fingerprint }}}") -+ gpg_valid_fingerprints: ("{{{ release_key_fingerprint }}}" "{{{ auxiliary_key_fingerprint }}}") - - - name: Import RedHat GPG key - rpm_key: -@@ -39,6 +39,6 @@ - key: /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release - when: - - gpg_key_directory_permission.stat.mode <= '0755' -- - ( gpg_fingerprints.stdout_lines | difference(gpg_valid_fingerprints)) | length == 0 -- - gpg_fingerprints.stdout_lines | length > 0 -+ - (gpg_installed_fingerprints | difference(gpg_valid_fingerprints)) | length == 0 -+ - gpg_installed_fingerprints | length > 0 - - ansible_distribution == "RedHat" -diff --git a/shared/templates/template_ANSIBLE_mount_option_remote_filesystems b/shared/templates/template_ANSIBLE_mount_option_remote_filesystems -index f3d6f02d82..a58d7729ec 100644 ---- a/shared/templates/template_ANSIBLE_mount_option_remote_filesystems -+++ b/shared/templates/template_ANSIBLE_mount_option_remote_filesystems -@@ -5,7 +5,7 @@ - # disruption = medium - - - name: "Get nfs and nfs4 mount points, that don't have {{{ MOUNTOPTION }}}" -- command: findmnt --fstab --types nfs,nfs4 -O no{{{ MOUNTOPTION }} -n -+ command: findmnt --fstab --types nfs,nfs4 -O no{{{ MOUNTOPTION }}} -n - register: points_register - check_mode: no - changed_when: False - -From 047c5d342860745dcc2f80a9f00d30cf25e76348 Mon Sep 17 00:00:00 2001 -From: Gabe -Date: Tue, 3 Sep 2019 14:18:54 -0600 -Subject: [PATCH 4/5] Remove shell module usage for rpm verification tasks - -- Fixes #4617 ---- - .../rpm_verify_hashes/ansible/shared.yml | 27 ++++++++++++------- - .../rpm_verify_ownership/ansible/shared.yml | 11 +++----- - .../rpm_verify_permissions/ansible/shared.yml | 19 ++++++++----- - 3 files changed, 34 insertions(+), 23 deletions(-) - -diff --git a/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_hashes/ansible/shared.yml b/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_hashes/ansible/shared.yml -index 2a38e43c3b..1ba29992ab 100644 ---- a/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_hashes/ansible/shared.yml -+++ b/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_hashes/ansible/shared.yml -@@ -1,6 +1,6 @@ - # platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv - # reboot = false --# strategy = unknown -+# strategy = restrict - # complexity = high - # disruption = medium - - name: "Set fact: Package manager reinstall command (dnf)" -@@ -14,21 +14,30 @@ - when: (ansible_distribution == "RedHat" or ansible_distribution == "OracleLinux") - - - name: "Read files with incorrect hash" -- shell: | -- set -o pipefail -- rpm -Va | grep -E '^..5.* /(bin|sbin|lib|lib64|usr)/' | awk '{print $NF}' -+ command: rpm -Va --nodeps --nosize --nomtime --nordev --nocaps --nolinkto --nouser --nogroup --nomode --noconfig --noghost - args: - warn: False # Ignore ANSIBLE0006, we can't fetch files with incorrect hash using rpm module -- executable: /bin/bash - register: files_with_incorrect_hash - changed_when: False - failed_when: files_with_incorrect_hash.rc > 1 - when: (package_manager_reinstall_cmd is defined) -- check_mode: no -+ -+- name: Create list of packages -+ command: rpm -qf "{{ item }}" -+ args: -+ warn: False # Ignore ANSIBLE0006, we can't fetch packages with files with incorrect hash using rpm module -+ with_items: "{{ files_with_incorrect_hash.stdout_lines | map('regex_findall', '^[.]+[5]+.* (\/.*)', '\\1') | map('join') | select('match', '(\/.*)') | list | unique }}" -+ register: list_of_packages -+ changed_when: False -+ when: -+ - files_with_incorrect_hash.stdout_lines is defined -+ - (files_with_incorrect_hash.stdout_lines | length > 0) - - - name: "Reinstall packages of files with incorrect hash" -- shell: "{{ package_manager_reinstall_cmd }} $(rpm -qf '{{ item }}')" -+ command: "{{ package_manager_reinstall_cmd }} '{{ item }}'" - args: - warn: False # Ignore ANSIBLE0006, this task is flexible with regards to package manager -- with_items: "{{ files_with_incorrect_hash.stdout_lines }}" -- when: (package_manager_reinstall_cmd is defined and (files_with_incorrect_hash.stdout_lines | length > 0)) -+ with_items: "{{ list_of_packages.results | map(attribute='stdout_lines') | list | unique }}" -+ when: -+ - files_with_incorrect_hash.stdout_lines is defined -+ - (package_manager_reinstall_cmd is defined and (files_with_incorrect_hash.stdout_lines | length > 0)) -diff --git a/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_ownership/ansible/shared.yml b/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_ownership/ansible/shared.yml -index 9fd07f8da2..1d9720cb82 100644 ---- a/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_ownership/ansible/shared.yml -+++ b/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_ownership/ansible/shared.yml -@@ -4,27 +4,24 @@ - # complexity = high - # disruption = medium - - name: "Read list of files with incorrect ownership" -- shell: | -- set -o pipefail -- rpm -Va --nofiledigest | awk '{ if (substr($0,6,1)=="U" || substr($0,7,1)=="G") print $NF }' -+ command: rpm -Va --nodeps --nosignature --nofiledigest --nosize --nomtime --nordev --nocaps --nolinkto --nomode - args: - warn: False # Ignore ANSIBLE0006, we can't fetch files with incorrect ownership using rpm module -- executable: /bin/bash - register: files_with_incorrect_ownership - failed_when: files_with_incorrect_ownership.rc > 1 - changed_when: False -- check_mode: no - - - name: Create list of packages - command: rpm -qf "{{ item }}" - args: - warn: False # Ignore ANSIBLE0006, we can't fetch packages with files with incorrect ownership using rpm module -- with_items: "{{ files_with_incorrect_ownership.stdout_lines | unique }}" -+ with_items: "{{ files_with_incorrect_ownership.stdout_lines | map('regex_findall', '^[.]+[U|G]+.* (\/.*)', '\\1') | map('join') | select('match', '(\/.*)') | list | unique }}" - register: list_of_packages -+ changed_when: False - when: (files_with_incorrect_ownership.stdout_lines | length > 0) - - - name: "Correct file ownership with RPM" -- command: "rpm --quiet --setugids '{{ item }}'" -+ command: "rpm --setperms '{{ item }}'" - args: - warn: False # Ignore ANSIBLE0006, we can't correct ownership using rpm module - with_items: "{{ list_of_packages.results | map(attribute='stdout_lines') | list | unique }}" -diff --git a/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_permissions/ansible/shared.yml b/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_permissions/ansible/shared.yml -index a22f03a987..149dbf9fb7 100644 ---- a/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_permissions/ansible/shared.yml -+++ b/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_permissions/ansible/shared.yml -@@ -4,20 +4,25 @@ - # complexity = high - # disruption = medium - - name: "Read list of files with incorrect permissions" -- shell: | -- set -o pipefail -- rpm -Va --nofiledigest | awk '{ if (substr($0,2,1)=="M") print $NF }' -+ command: rpm -Va --nodeps --nosignature --nofiledigest --nosize --nomtime --nordev --nocaps --nolinkto --nouser --nogroup - args: - warn: False # Ignore ANSIBLE0006, we can't fetch files with incorrect permissions using rpm module -- executable: /bin/bash - register: files_with_incorrect_permissions - failed_when: files_with_incorrect_permissions.rc > 1 - changed_when: False -- check_mode: no -+ -+- name: Create list of packages -+ command: rpm -qf "{{ item }}" -+ args: -+ warn: False # Ignore ANSIBLE0006, we can't fetch packages with files with incorrect permissions using rpm module -+ with_items: "{{ files_with_incorrect_permissions.stdout_lines | map('regex_findall', '^[.]+[M]+.* (\/.*)', '\\1') | map('join') | select('match', '(\/.*)') | list | unique }}" -+ register: list_of_packages -+ changed_when: False -+ when: (files_with_incorrect_permissions.stdout_lines | length > 0) - - - name: "Correct file permissions with RPM" -- shell: "rpm --setperms $(rpm -qf '{{ item }}')" -+ command: "rpm --setperms '{{ item }}'" - args: - warn: False # Ignore ANSIBLE0006, we can't correct permissions using rpm module -- with_items: "{{ files_with_incorrect_permissions.stdout_lines }}" -+ with_items: "{{ list_of_packages.results | map(attribute='stdout_lines') | list | unique }}" - when: (files_with_incorrect_permissions.stdout_lines | length > 0) - -From 83d241dceafb1b8d8829655b0cdeb44af1b01d2a Mon Sep 17 00:00:00 2001 -From: Gabe -Date: Fri, 6 Sep 2019 11:55:18 -0600 -Subject: [PATCH 5/5] Fix regex and escape correctly - ---- - .../rpm_verification/rpm_verify_hashes/ansible/shared.yml | 2 +- - .../rpm_verification/rpm_verify_ownership/ansible/shared.yml | 4 ++-- - .../rpm_verify_permissions/ansible/shared.yml | 2 +- - 3 files changed, 4 insertions(+), 4 deletions(-) - -diff --git a/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_hashes/ansible/shared.yml b/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_hashes/ansible/shared.yml -index 1ba29992ab..0dc09339f4 100644 ---- a/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_hashes/ansible/shared.yml -+++ b/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_hashes/ansible/shared.yml -@@ -26,7 +26,7 @@ - command: rpm -qf "{{ item }}" - args: - warn: False # Ignore ANSIBLE0006, we can't fetch packages with files with incorrect hash using rpm module -- with_items: "{{ files_with_incorrect_hash.stdout_lines | map('regex_findall', '^[.]+[5]+.* (\/.*)', '\\1') | map('join') | select('match', '(\/.*)') | list | unique }}" -+ with_items: "{{ files_with_incorrect_hash.stdout_lines | map('regex_findall', '^[.]+[5]+.* (\\/.*)', '\\1') | map('join') | select('match', '(\\/.*)') | list | unique }}" - register: list_of_packages - changed_when: False - when: -diff --git a/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_ownership/ansible/shared.yml b/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_ownership/ansible/shared.yml -index 1d9720cb82..d02508808c 100644 ---- a/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_ownership/ansible/shared.yml -+++ b/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_ownership/ansible/shared.yml -@@ -15,13 +15,13 @@ - command: rpm -qf "{{ item }}" - args: - warn: False # Ignore ANSIBLE0006, we can't fetch packages with files with incorrect ownership using rpm module -- with_items: "{{ files_with_incorrect_ownership.stdout_lines | map('regex_findall', '^[.]+[U|G]+.* (\/.*)', '\\1') | map('join') | select('match', '(\/.*)') | list | unique }}" -+ with_items: "{{ files_with_incorrect_ownership.stdout_lines | map('regex_findall', '^[.]+[U|G]+.* (\\/.*)', '\\1') | map('join') | select('match', '(\\/.*)') | list | unique }}" - register: list_of_packages - changed_when: False - when: (files_with_incorrect_ownership.stdout_lines | length > 0) - - - name: "Correct file ownership with RPM" -- command: "rpm --setperms '{{ item }}'" -+ command: "rpm --quiet --setugids '{{ item }}'" - args: - warn: False # Ignore ANSIBLE0006, we can't correct ownership using rpm module - with_items: "{{ list_of_packages.results | map(attribute='stdout_lines') | list | unique }}" -diff --git a/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_permissions/ansible/shared.yml b/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_permissions/ansible/shared.yml -index 149dbf9fb7..55a37a4235 100644 ---- a/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_permissions/ansible/shared.yml -+++ b/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_permissions/ansible/shared.yml -@@ -15,7 +15,7 @@ - command: rpm -qf "{{ item }}" - args: - warn: False # Ignore ANSIBLE0006, we can't fetch packages with files with incorrect permissions using rpm module -- with_items: "{{ files_with_incorrect_permissions.stdout_lines | map('regex_findall', '^[.]+[M]+.* (\/.*)', '\\1') | map('join') | select('match', '(\/.*)') | list | unique }}" -+ with_items: "{{ files_with_incorrect_permissions.stdout_lines | map('regex_findall', '^[.]+[M]+.* (\\/.*)', '\\1') | map('join') | select('match', '(\\/.*)') | list | unique }}" - register: list_of_packages - changed_when: False - when: (files_with_incorrect_permissions.stdout_lines | length > 0) diff --git a/SOURCES/scap-security-guide-0.1.47-remove_slash_from_audit_rules_login_faillock.patch b/SOURCES/scap-security-guide-0.1.47-remove_slash_from_audit_rules_login_faillock.patch deleted file mode 100644 index a1ef98b..0000000 --- a/SOURCES/scap-security-guide-0.1.47-remove_slash_from_audit_rules_login_faillock.patch +++ /dev/null @@ -1,26 +0,0 @@ -From 10c50d294f61c3638abd4a8dfa0e6870c4d4f10f Mon Sep 17 00:00:00 2001 -From: Watson Sato -Date: Wed, 2 Oct 2019 15:10:42 +0200 -Subject: [PATCH] Remove slash from audit rules login failock - -Follows 0e83474ea75d762c77f78630448ad5a72b58d211 -There shoudn't be slash. ---- - .../audit_rules_login_events/bash/shared.sh | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events/bash/shared.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events/bash/shared.sh -index 17112b7c4e..a0d18c21b2 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events/bash/shared.sh -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events/bash/shared.sh -@@ -8,8 +8,8 @@ - fix_audit_watch_rule "auditctl" "/var/log/tallylog" "wa" "logins" - fix_audit_watch_rule "augenrules" "/var/log/tallylog" "wa" "logins" - --fix_audit_watch_rule "auditctl" "/var/run/faillock/" "wa" "logins" --fix_audit_watch_rule "augenrules" "/var/run/faillock/" "wa" "logins" -+fix_audit_watch_rule "auditctl" "/var/run/faillock" "wa" "logins" -+fix_audit_watch_rule "augenrules" "/var/run/faillock" "wa" "logins" - - fix_audit_watch_rule "auditctl" "/var/log/lastlog" "wa" "logins" - fix_audit_watch_rule "augenrules" "/var/log/lastlog" "wa" "logins" diff --git a/SOURCES/scap-security-guide-0.1.47-update_arufm_to_match_multiple_-S_args.patch b/SOURCES/scap-security-guide-0.1.47-update_arufm_to_match_multiple_-S_args.patch deleted file mode 100644 index 614e391..0000000 --- a/SOURCES/scap-security-guide-0.1.47-update_arufm_to_match_multiple_-S_args.patch +++ /dev/null @@ -1,162 +0,0 @@ -From 754649d2ac077e64aae4fcadfdfca30f09149687 Mon Sep 17 00:00:00 2001 -From: Watson Sato -Date: Wed, 2 Oct 2019 18:51:48 +0200 -Subject: [PATCH 1/2] Add tests for acceptable rule syntax for arufm - -These test scenarios cover multiple valid formats for the audit rules. -arufm stands for audit_rules_unsuccessful_file_modification ---- - .../tests/default.fail.sh | 6 +++ - .../tests/syscalls_multiple_per_arg.pass.sh | 12 ++++++ - .../tests/syscalls_one_per_arg.pass.sh | 11 ++++++ - .../tests/syscalls_one_per_line.pass.sh | 12 ++++++ - .../tests/test_audit.rules | 39 +++++++++++++++++++ - 5 files changed, 80 insertions(+) - create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification/tests/default.fail.sh - create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification/tests/syscalls_multiple_per_arg.pass.sh - create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification/tests/syscalls_one_per_arg.pass.sh - create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification/tests/syscalls_one_per_line.pass.sh - create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification/tests/test_audit.rules - -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification/tests/default.fail.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification/tests/default.fail.sh -new file mode 100644 -index 0000000000..5769121389 ---- /dev/null -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification/tests/default.fail.sh -@@ -0,0 +1,6 @@ -+#!/bin/bash -+# profiles = xccdf_org.ssgproject.content_profile_pci-dss -+# remediation = bash -+ -+rm -f /etc/audit/rules.d/* -+> /etc/audit/audit.rules -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification/tests/syscalls_multiple_per_arg.pass.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification/tests/syscalls_multiple_per_arg.pass.sh -new file mode 100644 -index 0000000000..ba950a6dfe ---- /dev/null -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification/tests/syscalls_multiple_per_arg.pass.sh -@@ -0,0 +1,12 @@ -+#!/bin/bash -+# profiles = xccdf_org.ssgproject.content_profile_pci-dss -+# remediation = bash -+ -+# Use auditctl, on RHEL7, default is to use augenrules -+sed -i "s%^ExecStartPost=.*%ExecStartPost=-/sbin/auditctl%" /usr/lib/systemd/system/auditd.service -+ -+rm -f /etc/audit/rules.d/* -+ -+# Deletes everything up do "one per line" -+# Then deletes everything from "one per arg" until end of file -+sed '/# one per line/,/# multiple per arg/d;/# one per arg/,$d' test_audit.rules > /etc/audit/audit.rules -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification/tests/syscalls_one_per_arg.pass.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification/tests/syscalls_one_per_arg.pass.sh -new file mode 100644 -index 0000000000..1741dad27d ---- /dev/null -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification/tests/syscalls_one_per_arg.pass.sh -@@ -0,0 +1,11 @@ -+#!/bin/bash -+# profiles = xccdf_org.ssgproject.content_profile_pci-dss -+# remediation = bash -+ -+# Use auditctl, on RHEL7, default is to use augenrules -+sed -i "s%^ExecStartPost=.*%ExecStartPost=-/sbin/auditctl%" /usr/lib/systemd/system/auditd.service -+ -+rm -f /etc/audit/rules.d/* -+ -+# Delete everything that is between "one per line" and "one per arg" -+sed '/# one per line/,/# one per arg/d' test_audit.rules > /etc/audit/audit.rules -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification/tests/syscalls_one_per_line.pass.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification/tests/syscalls_one_per_line.pass.sh -new file mode 100644 -index 0000000000..5cdc0294be ---- /dev/null -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification/tests/syscalls_one_per_line.pass.sh -@@ -0,0 +1,12 @@ -+#!/bin/bash -+# profiles = xccdf_org.ssgproject.content_profile_pci-dss -+# remediation = bash -+ -+# Use auditctl, on RHEL7, default is to use augenrules -+sed -i "s%^ExecStartPost=.*%ExecStartPost=-/sbin/auditctl%" /usr/lib/systemd/system/auditd.service -+ -+rm -f /etc/audit/rules.d/* -+ -+# Delete everything that is not between "one per line" and "multiple per arg" -+sed '/# one per line/,/# multiple per arg/!d' test_audit.rules > /etc/audit/audit.rules -+ -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification/tests/test_audit.rules b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification/tests/test_audit.rules -new file mode 100644 -index 0000000000..0c9f7e6b61 ---- /dev/null -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification/tests/test_audit.rules -@@ -0,0 +1,39 @@ -+# WARNING: Do not remove the comments in this file -+# one per line -+-a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access -+-a always,exit -F arch=b32 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access -+-a always,exit -F arch=b32 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access -+-a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access -+-a always,exit -F arch=b32 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access -+-a always,exit -F arch=b32 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access -+-a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access -+-a always,exit -F arch=b64 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access -+-a always,exit -F arch=b64 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access -+-a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access -+-a always,exit -F arch=b64 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access -+-a always,exit -F arch=b64 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access -+ -+-a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access -+-a always,exit -F arch=b32 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access -+-a always,exit -F arch=b32 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access -+-a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access -+-a always,exit -F arch=b32 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access -+-a always,exit -F arch=b32 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access -+-a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access -+-a always,exit -F arch=b64 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access -+-a always,exit -F arch=b64 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access -+-a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access -+-a always,exit -F arch=b64 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access -+-a always,exit -F arch=b64 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access -+ -+# multiple per arg -+-a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access -+-a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access -+-a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access -+-a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access -+ -+# one per arg -+-a always,exit -F arch=b32 -S creat -S open -S openat -S open_by_handle_at -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access -+-a always,exit -F arch=b64 -S creat -S open -S openat -S open_by_handle_at -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access -+-a always,exit -F arch=b32 -S creat -S open -S openat -S open_by_handle_at -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access -+-a always,exit -F arch=b64 -S creat -S open -S openat -S open_by_handle_at -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access - -From df1f092a9f0786c6137d10bb8ac440f572d4e460 Mon Sep 17 00:00:00 2001 -From: Watson Sato -Date: Wed, 2 Oct 2019 20:14:47 +0200 -Subject: [PATCH 2/2] Update regex to match multiple syscall args - -The regex was not matching case where there were multiple '-S' -arguments ---- - .../template_OVAL_audit_rules_unsuccessful_file_modification | 5 +++-- - 1 file changed, 3 insertions(+), 2 deletions(-) - -diff --git a/shared/templates/template_OVAL_audit_rules_unsuccessful_file_modification b/shared/templates/template_OVAL_audit_rules_unsuccessful_file_modification -index 688c482ba4..314d7a7610 100644 ---- a/shared/templates/template_OVAL_audit_rules_unsuccessful_file_modification -+++ b/shared/templates/template_OVAL_audit_rules_unsuccessful_file_modification -@@ -48,12 +48,13 @@ - - - -+ - - -- ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*({{{ NAME }}})(?:,[\S]+)*)[\s]+ -+ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+{{{ NAME }}}[\s]+|([\s]+|[,]){{{ NAME }}}([\s]+|[,]))).* - - -- ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*({{{ NAME }}})(?:,[\S]+)*)[\s]+ -+ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+{{{ NAME }}}[\s]+|([\s]+|[,]){{{ NAME }}}([\s]+|[,]))).* - - - [\s]+(?:-F\s+auid>={{{ auid }}}[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ diff --git a/SOURCES/scap-security-guide-0.1.48-add_e8_profile_kickstart.patch b/SOURCES/scap-security-guide-0.1.48-add_e8_profile_kickstart.patch deleted file mode 100644 index 9d425f5..0000000 --- a/SOURCES/scap-security-guide-0.1.48-add_e8_profile_kickstart.patch +++ /dev/null @@ -1,362 +0,0 @@ -From 3cf5caec6f0705d24bc3f285e19d1831714bca16 Mon Sep 17 00:00:00 2001 -From: Watson Sato -Date: Wed, 13 Nov 2019 18:05:32 +0100 -Subject: [PATCH 1/4] Add simple kickstart file for e8 profiles - -As the profile doesn't require a particular disk partition layout, I -went for the 'autopart' feature. ---- - rhel7/kickstart/ssg-rhel7-e8-ks.cfg | 122 ++++++++++++++++++++++++++++ - rhel8/kickstart/ssg-rhel8-e8-ks.cfg | 122 ++++++++++++++++++++++++++++ - 2 files changed, 244 insertions(+) - create mode 100644 rhel7/kickstart/ssg-rhel7-e8-ks.cfg - create mode 100644 rhel8/kickstart/ssg-rhel8-e8-ks.cfg - -diff --git a/rhel7/kickstart/ssg-rhel7-e8-ks.cfg b/rhel7/kickstart/ssg-rhel7-e8-ks.cfg -new file mode 100644 -index 0000000000..9e44a87a86 ---- /dev/null -+++ b/rhel7/kickstart/ssg-rhel7-e8-ks.cfg -@@ -0,0 +1,122 @@ -+# SCAP Security Guide Essential Eight profile kickstart for Red Hat Enterprise Linux 7 Server -+# Version: 0.0.1 -+# Date: 2019-11-13 -+# -+# Based on: -+# http://fedoraproject.org/wiki/Anaconda/Kickstart -+# https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Installation_Guide/sect-kickstart-syntax.html -+ -+# Install a fresh new system (optional) -+install -+ -+# Specify installation method to use for installation -+# To use a different one comment out the 'url' one below, update -+# the selected choice with proper options & un-comment it -+# -+# Install from an installation tree on a remote server via FTP or HTTP: -+# --url the URL to install from -+# -+# Example: -+# -+# url --url=http://192.168.122.1/image -+# -+# Modify concrete URL in the above example appropriately to reflect the actual -+# environment machine is to be installed in -+# -+# Other possible / supported installation methods: -+# * install from the first CD-ROM/DVD drive on the system: -+# -+# cdrom -+# -+# * install from a directory of ISO images on a local drive: -+# -+# harddrive --partition=hdb2 --dir=/tmp/install-tree -+# -+# * install from provided NFS server: -+# -+# nfs --server= --dir= [--opts=] -+# -+ -+# Set language to use during installation and the default language to use on the installed system (required) -+lang en_US.UTF-8 -+ -+# Set system keyboard type / layout (required) -+keyboard us -+ -+# Configure network information for target system and activate network devices in the installer environment (optional) -+# --onboot enable device at a boot time -+# --device device to be activated and / or configured with the network command -+# --bootproto method to obtain networking configuration for device (default dhcp) -+# --noipv6 disable IPv6 on this device -+# -+# NOTE: Usage of DHCP will fail CCE-27021-5 (DISA FSO RHEL-06-000292). To use static IP configuration, -+# "--bootproto=static" must be used. For example: -+# network --bootproto=static --ip=10.0.2.15 --netmask=255.255.255.0 --gateway=10.0.2.254 --nameserver 192.168.2.1,192.168.3.1 -+# -+network --onboot yes --device eth0 --bootproto dhcp --noipv6 -+ -+# Set the system's root password (required) -+# Plaintext password is: server -+# Refer to e.g. http://fedoraproject.org/wiki/Anaconda/Kickstart#rootpw to see how to create -+# encrypted password form for different plaintext password -+rootpw --iscrypted $6$rhel6usgcb$aS6oPGXcPKp3OtFArSrhRwu6sN8q2.yEGY7AIwDOQd23YCtiz9c5mXbid1BzX9bmXTEZi.hCzTEXFosVBI5ng0 -+ -+# The selected profile will restrict root login -+# Add a user that can login and escalate privileges -+# Plaintext password is: admin123 -+user --name=admin --groups=wheel --password=$6$Ga6ZnIlytrWpuCzO$q0LqT1USHpahzUafQM9jyHCY9BiE5/ahXLNWUMiVQnFGblu0WWGZ1e6icTaCGO4GNgZNtspp1Let/qpM7FMVB0 --iscrypted -+ -+# Configure firewall settings for the system (optional) -+# --enabled reject incoming connections that are not in response to outbound requests -+# --ssh allow sshd service through the firewall -+firewall --enabled --ssh -+ -+# Set up the authentication options for the system (required) -+# --enableshadow enable shadowed passwords by default -+# --passalgo hash / crypt algorithm for new passwords -+# See the manual page for authconfig for a complete list of possible options. -+authconfig --enableshadow --passalgo=sha512 -+ -+# State of SELinux on the installed system (optional) -+# Defaults to enforcing -+selinux --enforcing -+ -+# Set the system time zone (required) -+timezone --utc America/New_York -+ -+# Specify how the bootloader should be installed (required) -+# Plaintext password is: password -+# Refer to e.g. http://fedoraproject.org/wiki/Anaconda/Kickstart#rootpw to see how to create -+# encrypted password form for different plaintext password -+bootloader --location=mbr --append="crashkernel=auto rhgb quiet" --password=$6$rhel6usgcb$kOzIfC4zLbuo3ECp1er99NRYikN419wxYMmons8Vm/37Qtg0T8aB9dKxHwqapz8wWAFuVkuI/UJqQBU92bA5C0 -+ -+# Initialize (format) all disks (optional) -+zerombr -+ -+# The following partition layout scheme assumes disk of size 20GB or larger -+# Modify size of partitions appropriately to reflect actual machine's hardware -+# -+# Remove Linux partitions from the system prior to creating new ones (optional) -+# --linux erase all Linux partitions -+# --initlabel initialize the disk label to the default based on the underlying architecture -+clearpart --linux --initlabel -+ -+# Create primary system partitions (required for installs) -+autopart -+ -+%addon org_fedora_oscap -+ content-type = scap-security-guide -+ profile = xccdf_org.ssgproject.content_profile_e8 -+%end -+ -+# Packages selection (%packages section is required) -+%packages -+ -+# Require @Base -+@Base -+ -+%end # End of %packages section -+ -+# Reboot after the installation is complete (optional) -+# --eject attempt to eject CD or DVD media before rebooting -+reboot --eject -diff --git a/rhel8/kickstart/ssg-rhel8-e8-ks.cfg b/rhel8/kickstart/ssg-rhel8-e8-ks.cfg -new file mode 100644 -index 0000000000..3555f528cb ---- /dev/null -+++ b/rhel8/kickstart/ssg-rhel8-e8-ks.cfg -@@ -0,0 +1,122 @@ -+# SCAP Security Guide Essential Eight profile kickstart for Red Hat Enterprise Linux 8 Server -+# Version: 0.0.1 -+# Date: 2019-11-13 -+# -+# Based on: -+# http://fedoraproject.org/wiki/Anaconda/Kickstart -+# https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Installation_Guide/sect-kickstart-syntax.html -+ -+# Install a fresh new system (optional) -+install -+ -+# Specify installation method to use for installation -+# To use a different one comment out the 'url' one below, update -+# the selected choice with proper options & un-comment it -+# -+# Install from an installation tree on a remote server via FTP or HTTP: -+# --url the URL to install from -+# -+# Example: -+# -+# url --url=http://192.168.122.1/image -+# -+# Modify concrete URL in the above example appropriately to reflect the actual -+# environment machine is to be installed in -+# -+# Other possible / supported installation methods: -+# * install from the first CD-ROM/DVD drive on the system: -+# -+# cdrom -+# -+# * install from a directory of ISO images on a local drive: -+# -+# harddrive --partition=hdb2 --dir=/tmp/install-tree -+# -+# * install from provided NFS server: -+# -+# nfs --server= --dir= [--opts=] -+# -+ -+# Set language to use during installation and the default language to use on the installed system (required) -+lang en_US.UTF-8 -+ -+# Set system keyboard type / layout (required) -+keyboard us -+ -+# Configure network information for target system and activate network devices in the installer environment (optional) -+# --onboot enable device at a boot time -+# --device device to be activated and / or configured with the network command -+# --bootproto method to obtain networking configuration for device (default dhcp) -+# --noipv6 disable IPv6 on this device -+# -+# NOTE: Usage of DHCP will fail CCE-27021-5 (DISA FSO RHEL-06-000292). To use static IP configuration, -+# "--bootproto=static" must be used. For example: -+# network --bootproto=static --ip=10.0.2.15 --netmask=255.255.255.0 --gateway=10.0.2.254 --nameserver 192.168.2.1,192.168.3.1 -+# -+network --onboot yes --device eth0 --bootproto dhcp --noipv6 -+ -+# Set the system's root password (required) -+# Plaintext password is: server -+# Refer to e.g. http://fedoraproject.org/wiki/Anaconda/Kickstart#rootpw to see how to create -+# encrypted password form for different plaintext password -+rootpw --iscrypted $6$rhel6usgcb$aS6oPGXcPKp3OtFArSrhRwu6sN8q2.yEGY7AIwDOQd23YCtiz9c5mXbid1BzX9bmXTEZi.hCzTEXFosVBI5ng0 -+ -+# The selected profile will restrict root login -+# Add a user that can login and escalate privileges -+# Plaintext password is: admin123 -+user --name=admin --groups=wheel --password=$6$Ga6ZnIlytrWpuCzO$q0LqT1USHpahzUafQM9jyHCY9BiE5/ahXLNWUMiVQnFGblu0WWGZ1e6icTaCGO4GNgZNtspp1Let/qpM7FMVB0 --iscrypted -+ -+# Configure firewall settings for the system (optional) -+# --enabled reject incoming connections that are not in response to outbound requests -+# --ssh allow sshd service through the firewall -+firewall --enabled --ssh -+ -+# Set up the authentication options for the system (required) -+# --enableshadow enable shadowed passwords by default -+# --passalgo hash / crypt algorithm for new passwords -+# See the manual page for authconfig for a complete list of possible options. -+authconfig --enableshadow --passalgo=sha512 -+ -+# State of SELinux on the installed system (optional) -+# Defaults to enforcing -+selinux --enforcing -+ -+# Set the system time zone (required) -+timezone --utc America/New_York -+ -+# Specify how the bootloader should be installed (required) -+# Plaintext password is: password -+# Refer to e.g. http://fedoraproject.org/wiki/Anaconda/Kickstart#rootpw to see how to create -+# encrypted password form for different plaintext password -+bootloader --location=mbr --append="crashkernel=auto rhgb quiet" --password=$6$rhel6usgcb$kOzIfC4zLbuo3ECp1er99NRYikN419wxYMmons8Vm/37Qtg0T8aB9dKxHwqapz8wWAFuVkuI/UJqQBU92bA5C0 -+ -+# Initialize (format) all disks (optional) -+zerombr -+ -+# The following partition layout scheme assumes disk of size 20GB or larger -+# Modify size of partitions appropriately to reflect actual machine's hardware -+# -+# Remove Linux partitions from the system prior to creating new ones (optional) -+# --linux erase all Linux partitions -+# --initlabel initialize the disk label to the default based on the underlying architecture -+clearpart --linux --initlabel -+ -+# Create primary system partitions (required for installs) -+autopart -+ -+%addon org_fedora_oscap -+ content-type = scap-security-guide -+ profile = xccdf_org.ssgproject.content_profile_e8 -+%end -+ -+# Packages selection (%packages section is required) -+%packages -+ -+# Require @Base -+@Base -+ -+%end # End of %packages section -+ -+# Reboot after the installation is complete (optional) -+# --eject attempt to eject CD or DVD media before rebooting -+reboot --eject - -From 94249bce4b61c33e52f59efdb112e2082b4acf46 Mon Sep 17 00:00:00 2001 -From: Watson Sato -Date: Fri, 15 Nov 2019 11:19:51 +0100 -Subject: [PATCH 2/4] Use authselect for el8 kickstart - -auth and authconfig are deprecated ---- - rhel8/kickstart/ssg-rhel8-e8-ks.cfg | 8 ++++---- - 1 file changed, 4 insertions(+), 4 deletions(-) - -diff --git a/rhel8/kickstart/ssg-rhel8-e8-ks.cfg b/rhel8/kickstart/ssg-rhel8-e8-ks.cfg -index 3555f528cb..e814024e2e 100644 ---- a/rhel8/kickstart/ssg-rhel8-e8-ks.cfg -+++ b/rhel8/kickstart/ssg-rhel8-e8-ks.cfg -@@ -72,10 +72,10 @@ user --name=admin --groups=wheel --password=$6$Ga6ZnIlytrWpuCzO$q0LqT1USHpahzUaf - firewall --enabled --ssh - - # Set up the authentication options for the system (required) --# --enableshadow enable shadowed passwords by default --# --passalgo hash / crypt algorithm for new passwords --# See the manual page for authconfig for a complete list of possible options. --authconfig --enableshadow --passalgo=sha512 -+# sssd profile sets sha512 to hash passwords -+# passwords are shadowed by default -+# See the manual page for authselect-profile for a complete list of possible options. -+authselect select sssd - - # State of SELinux on the installed system (optional) - # Defaults to enforcing - -From 1ff6ab4ec0449074c4608eed0194903123eda34b Mon Sep 17 00:00:00 2001 -From: Watson Sato -Date: Fri, 15 Nov 2019 11:22:31 +0100 -Subject: [PATCH 3/4] Updated kickstart documenation link for el8 - ---- - rhel8/kickstart/ssg-rhel8-e8-ks.cfg | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/rhel8/kickstart/ssg-rhel8-e8-ks.cfg b/rhel8/kickstart/ssg-rhel8-e8-ks.cfg -index e814024e2e..41d4b3d654 100644 ---- a/rhel8/kickstart/ssg-rhel8-e8-ks.cfg -+++ b/rhel8/kickstart/ssg-rhel8-e8-ks.cfg -@@ -4,7 +4,7 @@ - # - # Based on: - # http://fedoraproject.org/wiki/Anaconda/Kickstart --# https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Installation_Guide/sect-kickstart-syntax.html -+# https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html-single/performing_an_advanced_rhel_installation/index#performing_an_automated_installation_using_kickstart - - # Install a fresh new system (optional) - install - -From ef5edccc3ec58131644f31481ec3df20ab345229 Mon Sep 17 00:00:00 2001 -From: Watson Sato -Date: Mon, 18 Nov 2019 13:31:18 +0100 -Subject: [PATCH 4/4] Add link to oscap-anaconda-addon documentation - ---- - rhel7/kickstart/ssg-rhel7-e8-ks.cfg | 3 +++ - rhel8/kickstart/ssg-rhel8-e8-ks.cfg | 3 +++ - 2 files changed, 6 insertions(+) - -diff --git a/rhel7/kickstart/ssg-rhel7-e8-ks.cfg b/rhel7/kickstart/ssg-rhel7-e8-ks.cfg -index 9e44a87a86..23f1bad7e1 100644 ---- a/rhel7/kickstart/ssg-rhel7-e8-ks.cfg -+++ b/rhel7/kickstart/ssg-rhel7-e8-ks.cfg -@@ -104,6 +104,9 @@ clearpart --linux --initlabel - # Create primary system partitions (required for installs) - autopart - -+# Harden installation with Essential Eight profile -+# For more details and configuration options see command %addon org_fedora_oscap in -+# https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/installation_guide/sect-kickstart-syntax#sect-kickstart-commands - %addon org_fedora_oscap - content-type = scap-security-guide - profile = xccdf_org.ssgproject.content_profile_e8 -diff --git a/rhel8/kickstart/ssg-rhel8-e8-ks.cfg b/rhel8/kickstart/ssg-rhel8-e8-ks.cfg -index 41d4b3d654..8380ea13a3 100644 ---- a/rhel8/kickstart/ssg-rhel8-e8-ks.cfg -+++ b/rhel8/kickstart/ssg-rhel8-e8-ks.cfg -@@ -104,6 +104,9 @@ clearpart --linux --initlabel - # Create primary system partitions (required for installs) - autopart - -+# Harden installation with Essential Eight profile -+# For more details and configuration options see -+# https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html-single/performing_an_advanced_rhel_installation/index#addon-org_fedora_oscap_kickstart-commands-for-addons-supplied-with-the-rhel-installation-program - %addon org_fedora_oscap - content-type = scap-security-guide - profile = xccdf_org.ssgproject.content_profile_e8 diff --git a/SOURCES/scap-security-guide-0.1.48-fix_aide_periodic_crontab_check.patch b/SOURCES/scap-security-guide-0.1.48-fix_aide_periodic_crontab_check.patch deleted file mode 100644 index c86849e..0000000 --- a/SOURCES/scap-security-guide-0.1.48-fix_aide_periodic_crontab_check.patch +++ /dev/null @@ -1,181 +0,0 @@ -From 29ef00ac92720e22108c78d10ea6f2e8a65cfe98 Mon Sep 17 00:00:00 2001 -From: Vojtech Polasek -Date: Tue, 5 Nov 2019 20:01:40 +0100 -Subject: [PATCH 1/5] tried to update regex - -tests added ---- - .../aide/aide_periodic_cron_checking/oval/shared.xml | 2 +- - .../aide_periodic_cron_checking/tests/crontab_daily.pass.sh | 4 ++++ - .../tests/crontab_weekly_on_exact_day.pass.sh | 4 ++++ - .../tests/crontab_weekly_shortcut.pass.sh | 4 ++++ - 4 files changed, 13 insertions(+), 1 deletion(-) - create mode 100644 linux_os/guide/system/software/integrity/software-integrity/aide/aide_periodic_cron_checking/tests/crontab_daily.pass.sh - create mode 100644 linux_os/guide/system/software/integrity/software-integrity/aide/aide_periodic_cron_checking/tests/crontab_weekly_on_exact_day.pass.sh - create mode 100644 linux_os/guide/system/software/integrity/software-integrity/aide/aide_periodic_cron_checking/tests/crontab_weekly_shortcut.pass.sh - -diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_periodic_cron_checking/oval/shared.xml b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_periodic_cron_checking/oval/shared.xml -index e5b20e545b..49f53e997f 100644 ---- a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_periodic_cron_checking/oval/shared.xml -+++ b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_periodic_cron_checking/oval/shared.xml -@@ -29,7 +29,7 @@ - - - /etc/crontab -- ^(([0-9]*[\s]*[0-9]*[\s]*\*[\s]*\*[\s]*\*)|@(hourly|daily|weekly|monthly))[\s]*root[\s]*/usr/sbin/aide[\s]*\-\-check.*$ -+ ^(([0-9]*[\s]*[0-9]*[\s]*\*[\s]*\*[\s]*[\*,0-9])|@(hourly|daily|weekly|monthly))[\s]*root[\s]*/usr/sbin/aide[\s]*\-\-check.*$ - 1 - - - -From 6ac0dfcc4fd968a3ab8dd7b32f0654b2800446d7 Mon Sep 17 00:00:00 2001 -From: Vojtech Polasek -Date: Wed, 6 Nov 2019 16:06:14 +0100 -Subject: [PATCH 2/5] rewrote oval check, extended remediation, wrote tests - -everything applies only to /etc/crontab -allowed more flexible configuration of runs -remediation deletes all potentially wrong lines from /etc/crontab ---- - .../aide/aide_periodic_cron_checking/bash/shared.sh | 3 +++ - .../aide/aide_periodic_cron_checking/oval/shared.xml | 2 +- - .../aide_periodic_cron_checking/tests/crontab_monthly.fail.sh | 4 ++++ - .../tests/crontab_two_days_week.pass.sh | 4 ++++ - .../tests/crontab_weekly_shortcut.pass.sh | 2 +- - .../tests/crontab_weekly_word.pass.sh | 4 ++++ - .../aide_periodic_cron_checking/tests/crontab_yearly.fail.sh | 4 ++++ - 7 files changed, 21 insertions(+), 2 deletions(-) - create mode 100644 linux_os/guide/system/software/integrity/software-integrity/aide/aide_periodic_cron_checking/tests/crontab_monthly.fail.sh - create mode 100644 linux_os/guide/system/software/integrity/software-integrity/aide/aide_periodic_cron_checking/tests/crontab_two_days_week.pass.sh - create mode 100644 linux_os/guide/system/software/integrity/software-integrity/aide/aide_periodic_cron_checking/tests/crontab_weekly_word.pass.sh - create mode 100644 linux_os/guide/system/software/integrity/software-integrity/aide/aide_periodic_cron_checking/tests/crontab_yearly.fail.sh - -diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_periodic_cron_checking/bash/shared.sh b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_periodic_cron_checking/bash/shared.sh -index 367d7b2df3..674fa7c9d8 100644 ---- a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_periodic_cron_checking/bash/shared.sh -+++ b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_periodic_cron_checking/bash/shared.sh -@@ -4,4 +4,7 @@ - - if ! grep -q "/usr/sbin/aide --check" /etc/crontab ; then - echo "05 4 * * * root /usr/sbin/aide --check" >> /etc/crontab -+else -+ sed -i '/^.*\/usr\/sbin\/aide --check.*$/d' /etc/crontab -+ echo "05 4 * * * root /usr/sbin/aide --check" >> /etc/crontab - fi -diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_periodic_cron_checking/oval/shared.xml b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_periodic_cron_checking/oval/shared.xml -index 49f53e997f..06a6eb5618 100644 ---- a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_periodic_cron_checking/oval/shared.xml -+++ b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_periodic_cron_checking/oval/shared.xml -@@ -29,7 +29,7 @@ - - - /etc/crontab -- ^(([0-9]*[\s]*[0-9]*[\s]*\*[\s]*\*[\s]*[\*,0-9])|@(hourly|daily|weekly|monthly))[\s]*root[\s]*/usr/sbin/aide[\s]*\-\-check.*$ -+ ^(([0-9]*[\s]*[0-9]*[\s]*\*[\s]*\*[\s]*(\*|([0-7]|mon|tue|wed|thu|fri|sat|sun)|[0-7]-[0-7]))|@(hourly|daily|weekly))[\s]*root[\s]*/usr/sbin/aide[\s]*\-\-check.*$ - 1 - - - -From 3c697624a85dcca87daae189103901ce95a7c27a Mon Sep 17 00:00:00 2001 -From: Vojtech Polasek -Date: Wed, 6 Nov 2019 16:25:30 +0100 -Subject: [PATCH 3/5] modified oval checks for other locations - ---- - .../aide/aide_periodic_cron_checking/oval/shared.xml | 6 +++--- - 1 file changed, 3 insertions(+), 3 deletions(-) - -diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_periodic_cron_checking/oval/shared.xml b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_periodic_cron_checking/oval/shared.xml -index 06a6eb5618..70271a0553 100644 ---- a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_periodic_cron_checking/oval/shared.xml -+++ b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_periodic_cron_checking/oval/shared.xml -@@ -39,7 +39,7 @@ - - /etc/cron.d - ^.*$ -- ^(([0-9]*[\s]*[0-9]*[\s]*\*[\s]*\*[\s]*\*)|@(hourly|daily|weekly|monthly))[\s]*root[\s]*/usr/sbin/aide[\s]*\-\-check.*$ -+ ^(([0-9]*[\s]*[0-9]*[\s]*\*[\s]*\*[\s]*(\*|([0-7]|mon|tue|wed|thu|fri|sat|sun)|[0-7]-[0-7]))|@(hourly|daily|weekly))[\s]*root[\s]*/usr/sbin/aide[\s]*\-\-check.*$ - 1 - - -@@ -48,7 +48,7 @@ - - - /var/spool/cron/root -- ^(([0-9]*[\s]*[0-9]*[\s]*\*[\s]*\*[\s]*\*)|@(hourly|daily|weekly|monthly))[\s]*root[\s]*/usr/sbin/aide[\s]*\-\-check.*$ -+ ^(([0-9]*[\s]*[0-9]*[\s]*\*[\s]*\*[\s]*(\*|([0-7]|mon|tue|wed|thu|fri|sat|sun)|[0-7]-[0-7]))|@(hourly|daily|weekly))[\s]*(root)?[\s]*/usr/sbin/aide[\s]*\-\-check.*$ - 1 - - -@@ -56,7 +56,7 @@ - - - -- ^/etc/cron.(daily|weekly|monthly)$ -+ ^/etc/cron.(daily|weekly)$ - ^.*$ - ^\s*/usr/sbin/aide[\s]*\-\-check.*$ - 1 - -From 0d0268edacf7544ca7febe33c5f9e82899fca935 Mon Sep 17 00:00:00 2001 -From: Vojtech Polasek -Date: Thu, 7 Nov 2019 09:19:11 +0100 -Subject: [PATCH 4/5] fixed oval comments - ---- - .../aide/aide_periodic_cron_checking/oval/shared.xml | 6 +++--- - 1 file changed, 3 insertions(+), 3 deletions(-) - -diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_periodic_cron_checking/oval/shared.xml b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_periodic_cron_checking/oval/shared.xml -index 70271a0553..b330e496e1 100644 ---- a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_periodic_cron_checking/oval/shared.xml -+++ b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_periodic_cron_checking/oval/shared.xml -@@ -19,7 +19,7 @@ - - - -- -+ - - - -@@ -52,10 +52,10 @@ - 1 - - -- -+ - - -- -+ - ^/etc/cron.(daily|weekly)$ - ^.*$ - ^\s*/usr/sbin/aide[\s]*\-\-check.*$ - -From f1455731d6633375fd144a69e4bc1d0c2d5e7f3a Mon Sep 17 00:00:00 2001 -From: Vojtech Polasek -Date: Thu, 7 Nov 2019 09:32:51 +0100 -Subject: [PATCH 5/5] added one test and modified description - -lower limit of daily Aide scan removed ---- - .../aide/aide_periodic_cron_checking/rule.yml | 2 +- - .../tests/crontab_daily_shortcut.pass.sh | 4 ++++ - .../tests/crontab_weekly_on_exact_day.pass.sh | 2 +- - 3 files changed, 6 insertions(+), 2 deletions(-) - create mode 100644 linux_os/guide/system/software/integrity/software-integrity/aide/aide_periodic_cron_checking/tests/crontab_daily_shortcut.pass.sh - -diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_periodic_cron_checking/rule.yml b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_periodic_cron_checking/rule.yml -index a91aaa23c5..1e13a534fa 100644 ---- a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_periodic_cron_checking/rule.yml -+++ b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_periodic_cron_checking/rule.yml -@@ -5,7 +5,7 @@ prodtype: wrlinux1019,rhel6,rhel7,rhel8,fedora,ol7,ol8,rhv4 - title: 'Configure Periodic Execution of AIDE' - - description: |- -- At a minimum, AIDE should be configured to run a weekly scan. At most, AIDE should be run daily. -+ At a minimum, AIDE should be configured to run a weekly scan. - To implement a daily execution of AIDE at 4:05am using cron, add the following line to /etc/crontab: - 
05 4 * * * root /usr/sbin/aide --check
- To implement a weekly execution of AIDE at 4:05am using cron, add the following line to /etc/crontab: diff --git a/SOURCES/scap-security-guide-0.1.48-fix_ansible_tasks_in_check_mode.patch b/SOURCES/scap-security-guide-0.1.48-fix_ansible_tasks_in_check_mode.patch deleted file mode 100644 index 5fe9bf9..0000000 --- a/SOURCES/scap-security-guide-0.1.48-fix_ansible_tasks_in_check_mode.patch +++ /dev/null @@ -1,349 +0,0 @@ -From f891d5d4245963ca1bb1a2c785656077ae9fcced Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= -Date: Wed, 13 Nov 2019 15:36:12 +0100 -Subject: [PATCH 1/6] Run the command also in check mode - -Setting check_mode to False will force to run the command in -this task even if the playbook is run in check_mode. This task -produces variable `socket_file_exists` which is then used -in task "Disable socket ...". In check mode, the command wasn't -executed, which caused this error: - -fatal: [localhost]: FAILED! => {"msg": "The conditional check -'\"sshd.socket\" in socket_file_exists.stdout_lines[1]' failed. The -error was: error while evaluating conditional (\"sshd.socket\" in -socket_file_exi -sts.stdout_lines[1]): Unable to look up a name or access an attribute in -template string ({% if \"sshd.socket\" in -socket_file_exists.stdout_lines[1] %} True {% else %} False {% endif -%}).\nMake sure your variab -le name does not contain invalid characters like '-': argument of type -'AnsibleUndefined' is not iterable\n\nThe error appears to be in -'/home/jcerny/scap-security-guide/build/fedora/playbooks/all/service_sshd_d -isabled.yml': line 44, column 7, but may\nbe elsewhere in the file -depending on the exact syntax problem.\n\nThe offending line appears to -be:\n\n\n - name: Disable socket sshd\n ^ here\n"} ---- - shared/templates/template_ANSIBLE_service_disabled | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/shared/templates/template_ANSIBLE_service_disabled b/shared/templates/template_ANSIBLE_service_disabled -index 1faeeeb9b8..cb3d0634af 100644 ---- a/shared/templates/template_ANSIBLE_service_disabled -+++ b/shared/templates/template_ANSIBLE_service_disabled -@@ -26,6 +26,7 @@ - register: socket_file_exists - changed_when: False - ignore_errors: True -+ check_mode: False - - - name: Disable socket {{{ SERVICENAME }}} - systemd: - -From 0a5f4fdac9a409e543ff05f2dbb46c78a7fc76b3 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= -Date: Wed, 13 Nov 2019 15:58:42 +0100 -Subject: [PATCH 2/6] Add "check_mode: no" everywhere possible - -This option forces to run the command also in the check mode. -If the command only reads, eg. grep, it should be harmless. -It prevents issues that in "check" mode the playbook will terminate -because the variable that was expected to be populated by this -command is empty. ---- - .../sssd_ldap_configure_tls_ca_dir/ansible/shared.yml | 1 + - .../sssd/sssd-ldap/sssd_ldap_start_tls/ansible/shared.yml | 1 + - .../services/sssd/sssd_enable_smartcards/ansible/shared.yml | 1 + - .../services/sssd/sssd_memcache_timeout/ansible/shared.yml | 1 + - .../sssd/sssd_offline_cred_expiration/ansible/shared.yml | 1 + - .../sssd/sssd_ssh_known_hosts_timeout/ansible/shared.yml | 1 + - .../integrity/fips/grub2_enable_fips_mode/ansible/shared.yml | 3 +++ - .../package_dracut-fips-aesni_installed/ansible/shared.yml | 1 + - 8 files changed, 10 insertions(+) - -diff --git a/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_ca_dir/ansible/shared.yml b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_ca_dir/ansible/shared.yml -index 7ab0904da0..ca7bbf9f4f 100644 ---- a/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_ca_dir/ansible/shared.yml -+++ b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_ca_dir/ansible/shared.yml -@@ -10,6 +10,7 @@ - register: test_grep_domain - ignore_errors: yes - changed_when: False -+ check_mode: no - - - name: "Add default domain group and set CA directory (if no domain there)" - ini_file: -diff --git a/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_start_tls/ansible/shared.yml b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_start_tls/ansible/shared.yml -index 1aeb2728db..1fd1e7d2c5 100644 ---- a/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_start_tls/ansible/shared.yml -+++ b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_start_tls/ansible/shared.yml -@@ -16,6 +16,7 @@ - register: test_grep_domain - ignore_errors: yes - changed_when: False -+ check_mode: no - - - name: "Add default domain group and use STARTTLS (if no domain there)" - ini_file: -diff --git a/linux_os/guide/services/sssd/sssd_enable_smartcards/ansible/shared.yml b/linux_os/guide/services/sssd/sssd_enable_smartcards/ansible/shared.yml -index 636bc3f65f..1087367dde 100644 ---- a/linux_os/guide/services/sssd/sssd_enable_smartcards/ansible/shared.yml -+++ b/linux_os/guide/services/sssd/sssd_enable_smartcards/ansible/shared.yml -@@ -8,6 +8,7 @@ - register: test_grep_domain - ignore_errors: yes - changed_when: False -+ check_mode: no - - - name: "Add default domain group (if no domain there)" - ini_file: -diff --git a/linux_os/guide/services/sssd/sssd_memcache_timeout/ansible/shared.yml b/linux_os/guide/services/sssd/sssd_memcache_timeout/ansible/shared.yml -index 79dbd9140a..4a146b1008 100644 ---- a/linux_os/guide/services/sssd/sssd_memcache_timeout/ansible/shared.yml -+++ b/linux_os/guide/services/sssd/sssd_memcache_timeout/ansible/shared.yml -@@ -10,6 +10,7 @@ - register: test_grep_domain - ignore_errors: yes - changed_when: False -+ check_mode: no - - - name: "Add default domain group (if no domain there)" - ini_file: -diff --git a/linux_os/guide/services/sssd/sssd_offline_cred_expiration/ansible/shared.yml b/linux_os/guide/services/sssd/sssd_offline_cred_expiration/ansible/shared.yml -index 614cf5c05e..d79b0e6ca6 100644 ---- a/linux_os/guide/services/sssd/sssd_offline_cred_expiration/ansible/shared.yml -+++ b/linux_os/guide/services/sssd/sssd_offline_cred_expiration/ansible/shared.yml -@@ -8,6 +8,7 @@ - register: test_grep_domain - ignore_errors: yes - changed_when: False -+ check_mode: no - - - name: "Add default domain group (if no domain there)" - ini_file: -diff --git a/linux_os/guide/services/sssd/sssd_ssh_known_hosts_timeout/ansible/shared.yml b/linux_os/guide/services/sssd/sssd_ssh_known_hosts_timeout/ansible/shared.yml -index 6284435ec4..6763e27c7e 100644 ---- a/linux_os/guide/services/sssd/sssd_ssh_known_hosts_timeout/ansible/shared.yml -+++ b/linux_os/guide/services/sssd/sssd_ssh_known_hosts_timeout/ansible/shared.yml -@@ -10,6 +10,7 @@ - register: test_grep_domain - ignore_errors: yes - changed_when: False -+ check_mode: no - - - name: "Add default domain group (if no domain there)" - ini_file: -diff --git a/linux_os/guide/system/software/integrity/fips/grub2_enable_fips_mode/ansible/shared.yml b/linux_os/guide/system/software/integrity/fips/grub2_enable_fips_mode/ansible/shared.yml -index 5cc5fe0e96..b642b6c3c3 100644 ---- a/linux_os/guide/system/software/integrity/fips/grub2_enable_fips_mode/ansible/shared.yml -+++ b/linux_os/guide/system/software/integrity/fips/grub2_enable_fips_mode/ansible/shared.yml -@@ -24,6 +24,7 @@ - command: grep -q -m1 -o aes /proc/cpuinfo - failed_when: aesni_supported.rc > 1 - register: aesni_supported -+ check_mode: no - - - name: Ensure dracut-fips-aesni is installed - package: -@@ -45,6 +46,7 @@ - command: grep 'GRUB_CMDLINE_LINUX.*fips=' /etc/default/grub - failed_when: False - register: fipsargcheck -+ check_mode: no - - - name: replace existing fips argument - replace: -@@ -68,6 +70,7 @@ - command: grep 'GRUB_CMDLINE_LINUX.*boot=' /etc/default/grub - failed_when: False - register: bootargcheck -+ check_mode: no - - - name: replace existing boot argument - replace: -diff --git a/linux_os/guide/system/software/integrity/fips/package_dracut-fips-aesni_installed/ansible/shared.yml b/linux_os/guide/system/software/integrity/fips/package_dracut-fips-aesni_installed/ansible/shared.yml -index 28a9dd71c4..8ed524fc75 100644 ---- a/linux_os/guide/system/software/integrity/fips/package_dracut-fips-aesni_installed/ansible/shared.yml -+++ b/linux_os/guide/system/software/integrity/fips/package_dracut-fips-aesni_installed/ansible/shared.yml -@@ -7,6 +7,7 @@ - command: grep -q -m1 -o aes /proc/cpuinfo - failed_when: aesni_supported.rc > 1 - register: aesni_supported -+ check_mode: no - - - name: Ensure dracut-fips-aesni is installed - package: - -From 7b669bf3d9e30e842095693456109c38d82f94a6 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= -Date: Wed, 13 Nov 2019 16:51:04 +0100 -Subject: [PATCH 3/6] Prevent fails in check mode - -Addressing: - -fatal: [localhost]: FAILED! => {"msg": "The task includes an option with -an undefined variable. The error was: 'dict object' has no attribute -'stdout'\n\nThe error appears to be in '/home/jcerny/scap-security-gu -ide/build/rhel7/playbooks/all/grub2_enable_fips_mode.yml': line 134, -column 7, but may\nbe elsewhere in the file depending on the exact -syntax problem.\n\nThe offending line appears to be:\n\n\n - name: -add b -oot argument\n ^ here\n"} ---- - .../integrity/fips/grub2_enable_fips_mode/ansible/shared.yml | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/linux_os/guide/system/software/integrity/fips/grub2_enable_fips_mode/ansible/shared.yml b/linux_os/guide/system/software/integrity/fips/grub2_enable_fips_mode/ansible/shared.yml -index b642b6c3c3..0dd7dea18d 100644 ---- a/linux_os/guide/system/software/integrity/fips/grub2_enable_fips_mode/ansible/shared.yml -+++ b/linux_os/guide/system/software/integrity/fips/grub2_enable_fips_mode/ansible/shared.yml -@@ -65,6 +65,7 @@ - - name: get boot device uuid - command: findmnt --noheadings --output uuid --target /boot - register: bootuuid -+ check_mode: no - - - name: check boot argument exists - command: grep 'GRUB_CMDLINE_LINUX.*boot=' /etc/default/grub - -From 309946d9ae49847bdb922ac5e0ba3657afa787a3 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= -Date: Wed, 13 Nov 2019 17:14:06 +0100 -Subject: [PATCH 4/6] Prevent fails in check mode - ---- - .../rpm_verification/rpm_verify_hashes/ansible/shared.yml | 2 ++ - .../rpm_verification/rpm_verify_ownership/ansible/shared.yml | 2 ++ - .../rpm_verification/rpm_verify_permissions/ansible/shared.yml | 2 ++ - 3 files changed, 6 insertions(+) - -diff --git a/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_hashes/ansible/shared.yml b/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_hashes/ansible/shared.yml -index 0dc09339f4..991d637853 100644 ---- a/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_hashes/ansible/shared.yml -+++ b/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_hashes/ansible/shared.yml -@@ -20,6 +20,7 @@ - register: files_with_incorrect_hash - changed_when: False - failed_when: files_with_incorrect_hash.rc > 1 -+ check_mode: False - when: (package_manager_reinstall_cmd is defined) - - - name: Create list of packages -@@ -29,6 +30,7 @@ - with_items: "{{ files_with_incorrect_hash.stdout_lines | map('regex_findall', '^[.]+[5]+.* (\\/.*)', '\\1') | map('join') | select('match', '(\\/.*)') | list | unique }}" - register: list_of_packages - changed_when: False -+ check_mode: False - when: - - files_with_incorrect_hash.stdout_lines is defined - - (files_with_incorrect_hash.stdout_lines | length > 0) -diff --git a/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_ownership/ansible/shared.yml b/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_ownership/ansible/shared.yml -index d02508808c..d0d52e7c76 100644 ---- a/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_ownership/ansible/shared.yml -+++ b/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_ownership/ansible/shared.yml -@@ -10,6 +10,7 @@ - register: files_with_incorrect_ownership - failed_when: files_with_incorrect_ownership.rc > 1 - changed_when: False -+ check_mode: False - - - name: Create list of packages - command: rpm -qf "{{ item }}" -@@ -18,6 +19,7 @@ - with_items: "{{ files_with_incorrect_ownership.stdout_lines | map('regex_findall', '^[.]+[U|G]+.* (\\/.*)', '\\1') | map('join') | select('match', '(\\/.*)') | list | unique }}" - register: list_of_packages - changed_when: False -+ check_mode: False - when: (files_with_incorrect_ownership.stdout_lines | length > 0) - - - name: "Correct file ownership with RPM" -diff --git a/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_permissions/ansible/shared.yml b/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_permissions/ansible/shared.yml -index 55a37a4235..517cc38af2 100644 ---- a/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_permissions/ansible/shared.yml -+++ b/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_permissions/ansible/shared.yml -@@ -10,6 +10,7 @@ - register: files_with_incorrect_permissions - failed_when: files_with_incorrect_permissions.rc > 1 - changed_when: False -+ check_mode: False - - - name: Create list of packages - command: rpm -qf "{{ item }}" -@@ -18,6 +19,7 @@ - with_items: "{{ files_with_incorrect_permissions.stdout_lines | map('regex_findall', '^[.]+[M]+.* (\\/.*)', '\\1') | map('join') | select('match', '(\\/.*)') | list | unique }}" - register: list_of_packages - changed_when: False -+ check_mode: False - when: (files_with_incorrect_permissions.stdout_lines | length > 0) - - - name: "Correct file permissions with RPM" - -From d410766260716cf974fba04dfd3710b9bfd72323 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= -Date: Wed, 13 Nov 2019 17:26:42 +0100 -Subject: [PATCH 5/6] Fix template_ANSIBLE_mount_option_remote_filesystems - -"item" was not defined. Also, `findmnt` command can return 1 if there -is no nfs entry in /etc/fstab. The MOUNTOPTION variable is a complete -mount option, eg. `nosuid`. ---- - .../ansible/shared.yml | 1 + - .../template_ANSIBLE_mount_option_remote_filesystems | 4 ++++ - 2 files changed, 5 insertions(+) - -diff --git a/linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/mounting_remote_filesystems/mount_option_krb_sec_remote_filesystems/ansible/shared.yml b/linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/mounting_remote_filesystems/mount_option_krb_sec_remote_filesystems/ansible/shared.yml -index 6982ce293e..1c318715cf 100644 ---- a/linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/mounting_remote_filesystems/mount_option_krb_sec_remote_filesystems/ansible/shared.yml -+++ b/linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/mounting_remote_filesystems/mount_option_krb_sec_remote_filesystems/ansible/shared.yml -@@ -18,3 +18,4 @@ - state: mounted - opts: "{{ item.split()[3] }},sec=krb5:krb5i:krb5p" - when: (points_register.stdout | length > 0) -+ with_items: "{{ points_register.stdout_lines }}" -diff --git a/shared/templates/template_ANSIBLE_mount_option_remote_filesystems b/shared/templates/template_ANSIBLE_mount_option_remote_filesystems -index a58d7729ec..c82201d507 100644 ---- a/shared/templates/template_ANSIBLE_mount_option_remote_filesystems -+++ b/shared/templates/template_ANSIBLE_mount_option_remote_filesystems -@@ -5,10 +5,13 @@ - # disruption = medium - - - name: "Get nfs and nfs4 mount points, that don't have {{{ MOUNTOPTION }}}" -+ # 'no' before MOUNTOPTION isn't omission, it means a negation - command: findmnt --fstab --types nfs,nfs4 -O no{{{ MOUNTOPTION }}} -n - register: points_register - check_mode: no - changed_when: False -+ # if no nfs/nfs4 entries are in /etc/fstab, findmnt command returns 1 -+ failed_when: False - - - name: "Add {{{ MOUNTOPTION }}} to nfs and nfs4 mount points" - mount: -@@ -18,3 +21,4 @@ - state: mounted - opts: "{{ item.split()[3] }},{{{ MOUNTOPTION }}}" - when: (points_register.stdout | length > 0) -+ with_items: "{{ points_register.stdout_lines }}" - -commit 924ac061a1e044213f838ac5a15f26b451f35352 -Author: Gabriel Becker -Date: Fri Nov 15 17:27:15 2019 +0100 - - Fix mount_option_krb_sec_remote_filesystems ansible content. - -diff --git a/linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/mounting_remote_filesystems/mount_option_krb_sec_remote_filesystems/ansible/shared.yml b/linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/mounting_remote_filesystems/mount_option_krb_sec_remote_filesystems/ansible/shared.yml -index 1c31871..befa06e 100644 ---- a/linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/mounting_remote_filesystems/mount_option_krb_sec_remote_filesystems/ansible/shared.yml -+++ b/linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/mounting_remote_filesystems/mount_option_krb_sec_remote_filesystems/ansible/shared.yml -@@ -5,10 +5,11 @@ - # disruption = medium - - - name: "Get nfs and nfs4 mount points, that don't have Kerberos security option" -- command: findmnt --fstab --types nfs,nfs4 -O nosec=krb5:krb5i:krb5p -n -o TARGET -+ command: findmnt --fstab --types nfs,nfs4 -O nosec=krb5:krb5i:krb5p -n - register: points_register - check_mode: no - changed_when: False -+ failed_when: False - - - name: "Add Kerberos security to nfs and nfs4 mount points" - mount: diff --git a/SOURCES/scap-security-guide-0.1.48-fix_grub2_enable_fips_mode.patch b/SOURCES/scap-security-guide-0.1.48-fix_grub2_enable_fips_mode.patch deleted file mode 100644 index 0be3f99..0000000 --- a/SOURCES/scap-security-guide-0.1.48-fix_grub2_enable_fips_mode.patch +++ /dev/null @@ -1,121 +0,0 @@ -From 77a21063367337b874e9396547b3d1439eef2754 Mon Sep 17 00:00:00 2001 -From: Alexander Scheel -Date: Fri, 6 Sep 2019 11:44:49 -0400 -Subject: [PATCH] Rename disable_prelink -> bash_disable_prelink - -Per conversation in #4746, we should probably prefix bash remediation -helpers with the bash_ prefix. This lets us quickly identify which -language a particular macro is for, especially when macros with similar -functionality behave differently across languages. - -Signed-off-by: Alexander Scheel ---- - .../system/software/integrity/disable_prelink/bash/shared.sh | 2 +- - .../integrity/fips/grub2_enable_fips_mode/bash/shared.sh | 2 +- - shared/macros-bash.jinja | 2 +- - 4 files changed, 4 insertions(+), 4 deletions(-) - -diff --git a/linux_os/guide/system/software/integrity/disable_prelink/bash/shared.sh b/linux_os/guide/system/software/integrity/disable_prelink/bash/shared.sh -index a79bd71ab0..ed6a388d0a 100644 ---- a/linux_os/guide/system/software/integrity/disable_prelink/bash/shared.sh -+++ b/linux_os/guide/system/software/integrity/disable_prelink/bash/shared.sh -@@ -1,2 +1,2 @@ - # platform = multi_platform_all --{{{ disable_prelink() }}} -+{{{ bash_disable_prelink() }}} -diff --git a/linux_os/guide/system/software/integrity/fips/grub2_enable_fips_mode/bash/shared.sh b/linux_os/guide/system/software/integrity/fips/grub2_enable_fips_mode/bash/shared.sh -index 2b99be11a7..18b57e6f87 100644 ---- a/linux_os/guide/system/software/integrity/fips/grub2_enable_fips_mode/bash/shared.sh -+++ b/linux_os/guide/system/software/integrity/fips/grub2_enable_fips_mode/bash/shared.sh -@@ -3,7 +3,7 @@ - # include remediation functions library - . /usr/share/scap-security-guide/remediation_functions - --{{{ disable_prelink() }}} -+{{{ bash_disable_prelink() }}} - - if grep -q -m1 -o aes /proc/cpuinfo; then - {{{ bash_package_install("dracut-fips-aesni") }}} -diff --git a/shared/macros-bash.jinja b/shared/macros-bash.jinja -index 1af0143805..8a6b9b5099 100644 ---- a/shared/macros-bash.jinja -+++ b/shared/macros-bash.jinja -@@ -87,7 +87,7 @@ apt-get remove -y "{{{ package }}}" - {{%- endif -%}} - {{%- endmacro -%}} - --{{%- macro disable_prelink() -%}} -+{{%- macro bash_disable_prelink() -%}} - # prelink not installed - if test ! -e /etc/sysconfig/prelink -a ! -e /usr/sbin/prelink; then - return 0 -From 747a407d54a4c3549795fbf2a484092d175a39a4 Mon Sep 17 00:00:00 2001 -From: Gabriel Becker -Date: Wed, 6 Nov 2019 15:45:47 +0100 -Subject: [PATCH 1/2] Invert logic when testing for prelink package presence. - -Since this piece of code is not a bash function anymore, it is not -possible to use the return statement, so inverting the logic of the test -did the trick. ---- - shared/macros-bash.jinja | 26 ++++++++++++-------------- - 1 file changed, 12 insertions(+), 14 deletions(-) - -diff --git a/shared/macros-bash.jinja b/shared/macros-bash.jinja -index 49ef874f0b..62b1b165a8 100644 ---- a/shared/macros-bash.jinja -+++ b/shared/macros-bash.jinja -@@ -89,21 +89,19 @@ apt-get remove -y "{{{ package }}}" - - {{%- macro bash_disable_prelink() -%}} - # prelink not installed --if test ! -e /etc/sysconfig/prelink -a ! -e /usr/sbin/prelink; then -- return 0 --fi -- --if grep -q ^PRELINKING /etc/sysconfig/prelink --then -- sed -i 's/^PRELINKING[:blank:]*=[:blank:]*[:alpha:]*/PRELINKING=no/' /etc/sysconfig/prelink --else -- printf '\n' >> /etc/sysconfig/prelink -- printf '%s\n' '# Set PRELINKING=no per security requirements' 'PRELINKING=no' >> /etc/sysconfig/prelink --fi -+if test -e /etc/sysconfig/prelink -o -e /usr/sbin/prelink; then -+ if grep -q ^PRELINKING /etc/sysconfig/prelink -+ then -+ sed -i 's/^PRELINKING[:blank:]*=[:blank:]*[:alpha:]*/PRELINKING=no/' /etc/sysconfig/prelink -+ else -+ printf '\n' >> /etc/sysconfig/prelink -+ printf '%s\n' '# Set PRELINKING=no per security requirements' 'PRELINKING=no' >> /etc/sysconfig/prelink -+ fi - --# Undo previous prelink changes to binaries if prelink is available. --if test -x /usr/sbin/prelink; then -- /usr/sbin/prelink -ua -+ # Undo previous prelink changes to binaries if prelink is available. -+ if test -x /usr/sbin/prelink; then -+ /usr/sbin/prelink -ua -+ fi - fi - {{%- endmacro -%}} - - -From 6c7182016b956d53ac5cf306da6d1b4efda953ab Mon Sep 17 00:00:00 2001 -From: Gabriel Becker -Date: Wed, 6 Nov 2019 17:15:47 +0100 -Subject: [PATCH 2/2] Add dracut-fips-aesni package to grub2_enable_fips_mode - anaconda remediation. - ---- - .../fips/grub2_enable_fips_mode/anaconda/shared.anaconda | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/linux_os/guide/system/software/integrity/fips/grub2_enable_fips_mode/anaconda/shared.anaconda b/linux_os/guide/system/software/integrity/fips/grub2_enable_fips_mode/anaconda/shared.anaconda -index 4a329df8f4..2dd06202b3 100644 ---- a/linux_os/guide/system/software/integrity/fips/grub2_enable_fips_mode/anaconda/shared.anaconda -+++ b/linux_os/guide/system/software/integrity/fips/grub2_enable_fips_mode/anaconda/shared.anaconda -@@ -1,3 +1,3 @@ - # platform = Red Hat Enterprise Linux 7,Oracle Linux 7 - --package --add=dracut-fips -+package --add=dracut-fips --add=dracut-fips-aesni diff --git a/SOURCES/scap-security-guide-0.1.48-fix_sshd_use_strong.patch b/SOURCES/scap-security-guide-0.1.48-fix_sshd_use_strong.patch deleted file mode 100644 index 60a0b62..0000000 --- a/SOURCES/scap-security-guide-0.1.48-fix_sshd_use_strong.patch +++ /dev/null @@ -1,86 +0,0 @@ -From 8bf82a98ae80879d2b1800ae0d5bc19b6c5cab3c Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= -Date: Thu, 14 Nov 2019 18:04:39 +0100 -Subject: [PATCH 1/2] Fix RHEL7 rules sshd_use_strong_macs and - sshd_use_strong_ciphers. - -- Implemented Bash remediations according to rule description. -- Synced sshd_use_strong_ciphers OVAL according with the rule description. ---- - .../ssh/ssh_server/sshd_use_strong_ciphers/bash/shared.sh | 3 +++ - .../ssh/ssh_server/sshd_use_strong_ciphers/oval/shared.xml | 2 +- - .../ssh/ssh_server/sshd_use_strong_macs/bash/shared.sh | 4 ++++ - 3 files changed, 8 insertions(+), 1 deletion(-) - create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_use_strong_ciphers/bash/shared.sh - create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_use_strong_macs/bash/shared.sh - -diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_ciphers/bash/shared.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_ciphers/bash/shared.sh -new file mode 100644 -index 0000000000..69c1f3eead ---- /dev/null -+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_ciphers/bash/shared.sh -@@ -0,0 +1,3 @@ -+# platform = multi_platform_all -+ -+{{{ bash_sshd_config_set(parameter="Ciphers", value="aes128-ctr,aes192-ctr,aes256-ctr,chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes128-ctr") }}} -diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_ciphers/oval/shared.xml b/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_ciphers/oval/shared.xml -index 3adae19c5a..0b20f775ce 100644 ---- a/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_ciphers/oval/shared.xml -+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_ciphers/oval/shared.xml -@@ -1 +1 @@ --{{{ oval_sshd_config(parameter="Ciphers", value="((chacha20-poly1305@openssh\.com|aes256-gcm@openssh\.com|aes128-gcm@openssh\.com|aes256-ctr|aes128-ctr),?)") }}} -+{{{ oval_sshd_config(parameter="Ciphers", value="((aes128-ctr|aes192-ctr|aes256-ctr|chacha20-poly1305@openssh\.com|aes256-gcm@openssh\.com|aes128-gcm@openssh\.com|aes256-ctr|aes128-ctr),?)") }}} -diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_macs/bash/shared.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_macs/bash/shared.sh -new file mode 100644 -index 0000000000..f77be04a1b ---- /dev/null -+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_macs/bash/shared.sh -@@ -0,0 +1,4 @@ -+# platform = multi_platform_all -+ -+{{{ bash_sshd_config_set(parameter="MACs", value="hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160") }}} -+ - -From 32c5bdbfc532d36bae5aaf0e0510b8516373598e Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= -Date: Fri, 15 Nov 2019 14:44:25 +0100 -Subject: [PATCH 2/2] Fixed sshd_use_strong_ciphers. - -- Fixed ciphers rule description metadata and bash remediation - removed duplicate ciphers. -- Fixed ciphers rule OVAL. ---- - .../ssh/ssh_server/sshd_use_strong_ciphers/bash/shared.sh | 2 +- - .../ssh/ssh_server/sshd_use_strong_ciphers/oval/shared.xml | 2 +- - .../ssh/ssh_server/sshd_use_strong_ciphers/rule.yml | 3 +-- - 7 files changed, 23 insertions(+), 4 deletions(-) - -diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_ciphers/bash/shared.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_ciphers/bash/shared.sh -index 69c1f3eead..d30e534064 100644 ---- a/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_ciphers/bash/shared.sh -+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_ciphers/bash/shared.sh -@@ -1,3 +1,3 @@ - # platform = multi_platform_all - --{{{ bash_sshd_config_set(parameter="Ciphers", value="aes128-ctr,aes192-ctr,aes256-ctr,chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes128-ctr") }}} -+{{{ bash_sshd_config_set(parameter="Ciphers", value="aes128-ctr,aes192-ctr,aes256-ctr,chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com") }}} -diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_ciphers/oval/shared.xml b/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_ciphers/oval/shared.xml -index 0b20f775ce..474cb49979 100644 ---- a/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_ciphers/oval/shared.xml -+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_ciphers/oval/shared.xml -@@ -1 +1 @@ --{{{ oval_sshd_config(parameter="Ciphers", value="((aes128-ctr|aes192-ctr|aes256-ctr|chacha20-poly1305@openssh\.com|aes256-gcm@openssh\.com|aes128-gcm@openssh\.com|aes256-ctr|aes128-ctr),?)") }}} -+{{{ oval_sshd_config(parameter="Ciphers", value="((aes128-ctr|aes192-ctr|aes256-ctr|chacha20-poly1305@openssh\.com|aes256-gcm@openssh\.com|aes128-gcm@openssh\.com),?)+") }}} -diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_ciphers/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_ciphers/rule.yml -index d4b61cedb9..90e11c0d99 100644 ---- a/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_ciphers/rule.yml -+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_ciphers/rule.yml -@@ -9,8 +9,7 @@ description: |- - Counter (CTR) mode is also preferred over cipher-block chaining (CBC) mode. - The following line in /etc/ssh/sshd_config - demonstrates use of those ciphers: -- 
Ciphers aes128-ctr,aes192-ctr,aes256-ctr
-- 
chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes128-ctr
-+ 
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
- The man page sshd_config(5) contains a list of supported ciphers. - - rationale: |- diff --git a/SOURCES/scap-security-guide-0.1.50-add_ansible_audit_networkconfig_mod_PR_5719.patch b/SOURCES/scap-security-guide-0.1.50-add_ansible_audit_networkconfig_mod_PR_5719.patch new file mode 100644 index 0000000..cd4dde8 --- /dev/null +++ b/SOURCES/scap-security-guide-0.1.50-add_ansible_audit_networkconfig_mod_PR_5719.patch @@ -0,0 +1,136 @@ +From ac5a43653e418d52ecba4f1469388615620cd731 Mon Sep 17 00:00:00 2001 +From: Vojtech Polasek +Date: Wed, 29 Apr 2020 11:54:04 +0200 +Subject: [PATCH 1/3] add ansible remediation + +--- + .../ansible/shared.yml | 18 ++++++++++++++++++ + 1 file changed, 18 insertions(+) + create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_networkconfig_modification/ansible/shared.yml + +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_networkconfig_modification/ansible/shared.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_networkconfig_modification/ansible/shared.yml +new file mode 100644 +index 0000000000..3708226e66 +--- /dev/null ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_networkconfig_modification/ansible/shared.yml +@@ -0,0 +1,18 @@ ++# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv ++# reboot = true ++# strategy = restrict ++# complexity = low ++# disruption = low ++# remediate syscalls ++{{{ ansible_audit_augenrules_add_syscall_rule(syscalls=["sethostname", "setdomainname"], key="audit_rules_networkconfig_modification") }}} ++{{{ ansible_audit_auditctl_add_syscall_rule(syscalls=["sethostname", "setdomainname"], key="audit_rules_networkconfig_modification") }}} ++ ++# remediate watches ++{{{ ansible_audit_augenrules_add_watch_rule(path='/etc/issue', permissions='wa', key='audit_rules_networkconfig_modification') }}} ++{{{ ansible_audit_auditctl_add_watch_rule(path='/etc/issue', permissions='wa', key='audit_rules_networkconfig_modification') }}} ++{{{ ansible_audit_augenrules_add_watch_rule(path='/etc/issue.net', permissions='wa', key='audit_rules_networkconfig_modification') }}} ++{{{ ansible_audit_auditctl_add_watch_rule(path='/etc/issue.net', permissions='wa', key='audit_rules_networkconfig_modification') }}} ++{{{ ansible_audit_augenrules_add_watch_rule(path='/etc/hosts', permissions='wa', key='audit_rules_networkconfig_modification') }}} ++{{{ ansible_audit_auditctl_add_watch_rule(path='/etc/hosts', permissions='wa', key='audit_rules_networkconfig_modification') }}} ++{{{ ansible_audit_augenrules_add_watch_rule(path='/etc/sysconfig/network', permissions='wa', key='audit_rules_networkconfig_modification') }}} ++{{{ ansible_audit_auditctl_add_watch_rule(path='/etc/sysconfig/network', permissions='wa', key='audit_rules_networkconfig_modification') }}} + +From 8de44a2ec24813affd51377bcaa8472b53b67e86 Mon Sep 17 00:00:00 2001 +From: Vojtech Polasek +Date: Wed, 29 Apr 2020 11:54:23 +0200 +Subject: [PATCH 2/3] improve tests + +--- + .../tests/auditctl_correct_rules.pass.sh | 17 +++++++++++++++++ + ...ules.pass.sh => augen_correct_rules.pass.sh} | 0 + .../tests/partial_rules.fail.sh | 10 ++++++++++ + 3 files changed, 27 insertions(+) + create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_networkconfig_modification/tests/auditctl_correct_rules.pass.sh + rename linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_networkconfig_modification/tests/{correct_rules.pass.sh => augen_correct_rules.pass.sh} (100%) + create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_networkconfig_modification/tests/partial_rules.fail.sh + +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_networkconfig_modification/tests/auditctl_correct_rules.pass.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_networkconfig_modification/tests/auditctl_correct_rules.pass.sh +new file mode 100644 +index 0000000000..ac5059f31c +--- /dev/null ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_networkconfig_modification/tests/auditctl_correct_rules.pass.sh +@@ -0,0 +1,17 @@ ++#!/bin/bash ++ ++# profiles = xccdf_org.ssgproject.content_profile_pci-dss ++ ++# use auditctl ++sed -i "s%^ExecStartPost=.*%ExecStartPost=-/sbin/auditctl%" /usr/lib/systemd/system/auditd.service ++ ++ ++rm -rf /etc/audit/rules.d/* ++rm /etc/audit/audit.rules ++ ++echo "-a always,exit -F arch=b32 -S sethostname,setdomainname -F key=audit_rules_networkconfig_modification" >> /etc/audit/audit.rules ++echo "-a always,exit -F arch=b64 -S sethostname,setdomainname -F key=audit_rules_networkconfig_modification" >> /etc/audit/audit.rules ++echo "-w /etc/issue -p wa -k audit_rules_networkconfig_modification" >> /etc/audit/audit.rules ++echo "-w /etc/issue.net -p wa -k audit_rules_networkconfig_modification" >> /etc/audit/audit.rules ++echo "-w /etc/hosts -p wa -k audit_rules_networkconfig_modification" >> /etc/audit/audit.rules ++echo "-w /etc/sysconfig/network -p wa -k audit_rules_networkconfig_modification" >> /etc/audit/audit.rules +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_networkconfig_modification/tests/correct_rules.pass.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_networkconfig_modification/tests/augen_correct_rules.pass.sh +similarity index 100% +rename from linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_networkconfig_modification/tests/correct_rules.pass.sh +rename to linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_networkconfig_modification/tests/augen_correct_rules.pass.sh +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_networkconfig_modification/tests/partial_rules.fail.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_networkconfig_modification/tests/partial_rules.fail.sh +new file mode 100644 +index 0000000000..4991b02369 +--- /dev/null ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_networkconfig_modification/tests/partial_rules.fail.sh +@@ -0,0 +1,10 @@ ++#!/bin/bash ++ ++# profiles = xccdf_org.ssgproject.content_profile_pci-dss ++ ++echo "-a always,exit -F arch=b32 -S sethostname,setdomainname -F key=audit_rules_networkconfig_modification" >> /etc/audit/rules.d/some.rules ++echo "-a always,exit -F arch=b64 -S sethostname,setdomainname -F key=audit_rules_networkconfig_modification" >> /etc/audit/rules.d/some.rules ++echo "-w /etc/issue -p wa -k audit_rules_networkconfig_modification" >> /etc/audit/audit.rules ++echo "-w /etc/issue.net -p wa -k audit_rules_networkconfig_modification" >> /etc/audit/audit.rules ++echo "-w /etc/hosts -p wa -k audit_rules_networkconfig_modification" >> /etc/audit/audit.rules ++echo "-w /etc/sysconfig/network -p wa -k audit_rules_networkconfig_modification" >> /etc/audit/audit.rules + +From f488ee2cef17f8c5764b53d551beabdb8cbf0e60 Mon Sep 17 00:00:00 2001 +From: Vojtech Polasek +Date: Wed, 29 Apr 2020 17:13:12 +0200 +Subject: [PATCH 3/3] fix metadata and rewrite remediation to use newer macro + +--- + .../ansible/shared.yml | 21 ++++++++++++++++--- + 1 file changed, 18 insertions(+), 3 deletions(-) + +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_networkconfig_modification/ansible/shared.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_networkconfig_modification/ansible/shared.yml +index 3708226e66..fa07d5bf94 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_networkconfig_modification/ansible/shared.yml ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_networkconfig_modification/ansible/shared.yml +@@ -1,11 +1,26 @@ + # platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv +-# reboot = true ++# reboot =false + # strategy = restrict + # complexity = low + # disruption = low + # remediate syscalls +-{{{ ansible_audit_augenrules_add_syscall_rule(syscalls=["sethostname", "setdomainname"], key="audit_rules_networkconfig_modification") }}} +-{{{ ansible_audit_auditctl_add_syscall_rule(syscalls=["sethostname", "setdomainname"], key="audit_rules_networkconfig_modification") }}} ++# ++# What architecture are we on? ++# ++- name: Set architecture for audit tasks ++ set_fact: ++ audit_arch: "b{{ ansible_architecture | regex_replace('.*(\\d\\d$)','\\1') }}" ++ ++- name: Remediate audit rules for network configuration for x86 ++ block: ++ {{{ ansible_audit_augenrules_add_syscall_rule(arch="b32", syscalls=["sethostname", "setdomainname"], key="audit_rules_networkconfig_modification")|indent(4) }}} ++ {{{ ansible_audit_auditctl_add_syscall_rule(arch="b32", syscalls=["sethostname", "setdomainname"], key="audit_rules_networkconfig_modification")|indent(4) }}} ++ ++- name: Remediate audit rules for network configuration for x86_64 ++ block: ++ {{{ ansible_audit_augenrules_add_syscall_rule(arch="b64", syscalls=["sethostname", "setdomainname"], key="audit_rules_networkconfig_modification")|indent(4) }}} ++ {{{ ansible_audit_auditctl_add_syscall_rule(arch="b64", syscalls=["sethostname", "setdomainname"], key="audit_rules_networkconfig_modification")|indent(4) }}} ++ when: audit_arch == "b64" + + # remediate watches + {{{ ansible_audit_augenrules_add_watch_rule(path='/etc/issue', permissions='wa', key='audit_rules_networkconfig_modification') }}} diff --git a/SOURCES/scap-security-guide-0.1.50-add_ansible_audit_rules_kernel_module_loading_PR_5594.patch b/SOURCES/scap-security-guide-0.1.50-add_ansible_audit_rules_kernel_module_loading_PR_5594.patch new file mode 100644 index 0000000..4d63e76 --- /dev/null +++ b/SOURCES/scap-security-guide-0.1.50-add_ansible_audit_rules_kernel_module_loading_PR_5594.patch @@ -0,0 +1,117 @@ +From 12f8a8fbbf4e2bf4bec46e256f272a43fdc26a58 Mon Sep 17 00:00:00 2001 +From: Vojtech Polasek +Date: Wed, 15 Apr 2020 13:18:23 +0200 +Subject: [PATCH 1/2] add ansible remediation + +--- + .../ansible/shared.yml | 81 +++++++++++++++++++ + 1 file changed, 81 insertions(+) + create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/ansible/shared.yml + +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/ansible/shared.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/ansible/shared.yml +new file mode 100644 +index 0000000000..8cc519c61b +--- /dev/null ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/ansible/shared.yml +@@ -0,0 +1,81 @@ ++# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv ++# reboot = true ++# strategy = restrict ++# complexity = low ++# disruption = low ++ ++# ++# What architecture are we on? ++# ++- name: Set architecture for audit modules tasks ++ set_fact: ++ audit_arch: "b{{ ansible_architecture | regex_replace('.*(\\d\\d$)','\\1') }}" ++ ++# ++# Inserts/replaces the rule in /etc/audit/rules.d ++# ++- name: Search /etc/audit/rules.d for other kernel module loading audit rules ++ find: ++ paths: "/etc/audit/rules.d" ++ recurse: no ++ contains: "-F key=modules$" ++ patterns: "*.rules" ++ register: find_modules ++ ++- name: If existing kernel module loading ruleset not found, use /etc/audit/rules.d/modules.rules as the recipient for the rule ++ set_fact: ++ all_files: ++ - /etc/audit/rules.d/modules.rules ++ when: find_modules.matched is defined and find_modules.matched == 0 ++ ++- name: Use matched file as the recipient for the rule ++ set_fact: ++ all_files: ++ - "{{ find_modules.files | map(attribute='path') | list | first }}" ++ when: find_modules.matched is defined and find_modules.matched > 0 ++ ++- name: Inserts/replaces the modules rule in rules.d when on x86 ++ lineinfile: ++ path: "{{ all_files[0] }}" ++ {{% if product == "rhel6" %}} ++ line: "-a always,exit -F arch=b32 -S init_module -S delete_module -k modules" ++ {{% else %}} ++ line: "-a always,exit -F arch=b32 -S init_module -S delete_module -S finit_module -k modules" ++ {{% endif %}} ++ create: yes ++ ++- name: Inserts/replaces the modules rule in rules.d when on x86_64 ++ lineinfile: ++ path: "{{ all_files[0] }}" ++ {{% if product == "rhel6" %}} ++ line: "-a always,exit -F arch=b64 -S init_module -S delete_module -k modules" ++ {{% else %}} ++ line: "-a always,exit -F arch=b64 -S init_module -S delete_module -S finit_module -k modules" ++ {{% endif %}} ++ create: yes ++ when: audit_arch is defined and audit_arch == 'b64' ++# ++# Inserts/replaces the rule in /etc/audit/audit.rules ++# ++- name: Inserts/replaces the modules rule in /etc/audit/audit.rules when on x86 ++ lineinfile: ++ {{% if product == "rhel6" %}} ++ line: "-a always,exit -F arch=b32 -S init_module -S delete_module -k modules" ++ {{% else %}} ++ line: "-a always,exit -F arch=b32 -S init_module -S delete_module -S finit_module -k modules" ++ {{% endif %}} ++ state: present ++ dest: /etc/audit/audit.rules ++ create: yes ++ ++- name: Inserts/replaces the modules rule in audit.rules when on x86_64 ++ lineinfile: ++ {{% if product == "rhel6" %}} ++ line: "-a always,exit -F arch=b64 -S init_module -S delete_module -k modules" ++ {{% else %}} ++ line: "-a always,exit -F arch=b64 -S init_module -S delete_module -S finit_module -k modules" ++ {{% endif %}} ++ state: present ++ dest: /etc/audit/audit.rules ++ create: yes ++ when: audit_arch is defined and audit_arch == 'b64' + +From 6295ba4c3bdc9fe24c0d39fb2db2284b803c5bb8 Mon Sep 17 00:00:00 2001 +From: Vojtech Polasek +Date: Wed, 15 Apr 2020 15:08:49 +0200 +Subject: [PATCH 2/2] fix test + +--- + .../tests/syscalls_one_per_arg.pass.sh | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/tests/syscalls_one_per_arg.pass.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/tests/syscalls_one_per_arg.pass.sh +index 30eb4757ec..ccc2d4beee 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/tests/syscalls_one_per_arg.pass.sh ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/tests/syscalls_one_per_arg.pass.sh +@@ -8,4 +8,4 @@ sed -i "s%^ExecStartPost=.*%ExecStartPost=-/sbin/auditctl%" /usr/lib/systemd/sys + rm -f /etc/audit/rules.d/* + + # cut out irrelevant rules for this test +-sed '1,14d' test_audit.rules > /etc/audit/audit.rules ++sed '1,13d' test_audit.rules > /etc/audit/audit.rules diff --git a/SOURCES/scap-security-guide-0.1.50-add_ansible_audit_rules_mac_modification_PR_5638.patch b/SOURCES/scap-security-guide-0.1.50-add_ansible_audit_rules_mac_modification_PR_5638.patch new file mode 100644 index 0000000..32ad47b --- /dev/null +++ b/SOURCES/scap-security-guide-0.1.50-add_ansible_audit_rules_mac_modification_PR_5638.patch @@ -0,0 +1,341 @@ +From 0be72ebcc3b8782ed617a8e99b1f188e4072f8a2 Mon Sep 17 00:00:00 2001 +From: Vojtech Polasek +Date: Fri, 17 Apr 2020 14:51:57 +0200 +Subject: [PATCH 1/5] create tests + +--- + .../tests/auditctl_correct.pass.sh | 6 ++++++ + .../tests/auditctl_missing.fail.sh | 6 ++++++ + .../tests/auditctl_wrong_value.fail.sh | 7 +++++++ + .../tests/augen_correct.pass.sh | 3 +++ + .../tests/augen_missing.fail.sh | 3 +++ + .../tests/augen_wrong_value.fail.sh | 4 ++++ + 6 files changed, 29 insertions(+) + create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_mac_modification/tests/auditctl_correct.pass.sh + create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_mac_modification/tests/auditctl_missing.fail.sh + create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_mac_modification/tests/auditctl_wrong_value.fail.sh + create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_mac_modification/tests/augen_correct.pass.sh + create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_mac_modification/tests/augen_missing.fail.sh + create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_mac_modification/tests/augen_wrong_value.fail.sh + +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_mac_modification/tests/auditctl_correct.pass.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_mac_modification/tests/auditctl_correct.pass.sh +new file mode 100644 +index 0000000000..398980456a +--- /dev/null ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_mac_modification/tests/auditctl_correct.pass.sh +@@ -0,0 +1,6 @@ ++#!/bin/bash ++ ++# use auditctl ++sed -i "s%^ExecStartPost=.*%ExecStartPost=-/sbin/auditctl%" /usr/lib/systemd/system/auditd.service ++ ++echo "-w /etc/selinux/ -p wa -k MAC-policy" > /etc/audit/audit.rules +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_mac_modification/tests/auditctl_missing.fail.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_mac_modification/tests/auditctl_missing.fail.sh +new file mode 100644 +index 0000000000..733436ecaf +--- /dev/null ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_mac_modification/tests/auditctl_missing.fail.sh +@@ -0,0 +1,6 @@ ++#!/bin/bash ++ ++# use auditctl ++sed -i "s%^ExecStartPost=.*%ExecStartPost=-/sbin/auditctl%" /usr/lib/systemd/system/auditd.service ++ ++echo "some value" > /etc/audit/audit.rules +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_mac_modification/tests/auditctl_wrong_value.fail.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_mac_modification/tests/auditctl_wrong_value.fail.sh +new file mode 100644 +index 0000000000..9ef870a12b +--- /dev/null ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_mac_modification/tests/auditctl_wrong_value.fail.sh +@@ -0,0 +1,7 @@ ++#!/bin/bash ++ ++# use auditctl ++sed -i "s%^ExecStartPost=.*%ExecStartPost=-/sbin/auditctl%" /usr/lib/systemd/system/auditd.service ++ ++echo "-w /etc/passwd -p w -k MAC-policy" > /etc/audit/audit.rules ++ +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_mac_modification/tests/augen_correct.pass.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_mac_modification/tests/augen_correct.pass.sh +new file mode 100644 +index 0000000000..a814e1b7ea +--- /dev/null ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_mac_modification/tests/augen_correct.pass.sh +@@ -0,0 +1,3 @@ ++#!/bin/bash ++ ++echo "-w /etc/selinux/ -p wa -k MAC-policy" > /etc/audit/rules.d/MAC-policy.rules +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_mac_modification/tests/augen_missing.fail.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_mac_modification/tests/augen_missing.fail.sh +new file mode 100644 +index 0000000000..0997495e4b +--- /dev/null ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_mac_modification/tests/augen_missing.fail.sh +@@ -0,0 +1,3 @@ ++#!/bin/bash ++ ++rm -rf /etc/audit/rules.d/* +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_mac_modification/tests/augen_wrong_value.fail.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_mac_modification/tests/augen_wrong_value.fail.sh +new file mode 100644 +index 0000000000..2208fcd089 +--- /dev/null ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_mac_modification/tests/augen_wrong_value.fail.sh +@@ -0,0 +1,4 @@ ++#!/bin/bash ++ ++rm -rf /etc/audit/rules.d/* ++echo "-w /etc/group -p w -k MAC-policy" > /etc/audit/rules.d/MAC-policy.rules + +From 62aa3afacab14b888da8b8af28ac60d10c400c7f Mon Sep 17 00:00:00 2001 +From: Vojtech Polasek +Date: Fri, 17 Apr 2020 15:15:10 +0200 +Subject: [PATCH 2/5] add ansible remediation + +--- + .../ansible/shared.yml | 46 +++++++++++++++++++ + 1 file changed, 46 insertions(+) + create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_mac_modification/ansible/shared.yml + +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_mac_modification/ansible/shared.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_mac_modification/ansible/shared.yml +new file mode 100644 +index 0000000000..c2e0aa856d +--- /dev/null ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_mac_modification/ansible/shared.yml +@@ -0,0 +1,46 @@ ++# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv ++# reboot = true ++# strategy = restrict ++# complexity = low ++# disruption = low ++ ++ ++# ++# Inserts/replaces the rule in /etc/audit/rules.d ++# ++- name: Search /etc/audit/rules.d for other MAC modification audit rules ++ find: ++ paths: "/etc/audit/rules.d" ++ recurse: no ++ contains: "-k MAC-policy$" ++ patterns: "*.rules" ++ register: find_mac ++ ++- name: If existing MAC modification ruleset not found, use /etc/audit/rules.d/MAC-policy.rules as the recipient for the rule ++ set_fact: ++ all_files: ++ - /etc/audit/rules.d/MAC-policy.rules ++ when: find_mac.matched is defined and find_mac.matched == 0 ++ ++- name: Use matched file as the recipient for the rule ++ set_fact: ++ all_files: ++ - "{{ find_mac.files | map(attribute='path') | list | first }}" ++ when: find_mac.matched is defined and find_mac.matched > 0 ++ ++- name: Inserts/replaces the MAC modification rule in rules.d ++ lineinfile: ++ path: "{{ all_files[0] }}" ++ line: "-w /etc/selinux/ -p wa -k MAC-policy" ++ create: yes ++ ++ ++# ++# Inserts/replaces the rule in /etc/audit/audit.rules ++# ++- name: Inserts/replaces the MAC modifications rule in /etc/audit/audit.rules ++ lineinfile: ++ line: "-w /etc/selinux/ -p wa -k MAC-policy" ++ state: present ++ dest: /etc/audit/audit.rules ++ create: yes + +From 2d84f563fc8f083e0356b82dced0cc5f4960bcf6 Mon Sep 17 00:00:00 2001 +From: Vojtech Polasek +Date: Mon, 20 Apr 2020 15:55:11 +0200 +Subject: [PATCH 3/5] check for already existing rule before remediation + +--- + .../ansible/shared.yml | 24 ++++++++++++++++--- + 1 file changed, 21 insertions(+), 3 deletions(-) + +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_mac_modification/ansible/shared.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_mac_modification/ansible/shared.yml +index c2e0aa856d..656707eafc 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_mac_modification/ansible/shared.yml ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_mac_modification/ansible/shared.yml +@@ -4,35 +4,52 @@ + # complexity = low + # disruption = low + ++- name: detect if rule does not already exist in /etc/audit/rules.d/* ++ find: ++ paths: "/etc/audit/rules.d" ++ recurse: no ++ contains: '-w\s+/etc/selinux/\s+-p\s+wa(\s|$)+' ++ patterns: "*.rules" ++ register: find_existing_rules_d ++ ++- name: detect if rule does not already exist in /etc/audit/audit.rules ++ find: ++ paths: "/etc/audit/" ++ contains: '-w\s+/etc/selinux/\s+-p\s+wa(\s|$)+' ++ patterns: "audit.rules" ++ register: find_existing_audit_rules ++ + + # + # Inserts/replaces the rule in /etc/audit/rules.d + # +-- name: Search /etc/audit/rules.d for other MAC modification audit rules ++- name: Search /etc/audit/rules.d for other rules with MAC-policy key + find: + paths: "/etc/audit/rules.d" + recurse: no + contains: "-k MAC-policy$" + patterns: "*.rules" + register: find_mac ++ when: find_existing_rules_d.matched is defined and find_existing_rules_d.matched == 0 + + - name: If existing MAC modification ruleset not found, use /etc/audit/rules.d/MAC-policy.rules as the recipient for the rule + set_fact: + all_files: + - /etc/audit/rules.d/MAC-policy.rules +- when: find_mac.matched is defined and find_mac.matched == 0 ++ when: find_mac.matched is defined and find_mac.matched == 0 and find_existing_rules_d.matched is defined and find_existing_rules_d.matched == 0 + + - name: Use matched file as the recipient for the rule + set_fact: + all_files: + - "{{ find_mac.files | map(attribute='path') | list | first }}" +- when: find_mac.matched is defined and find_mac.matched > 0 ++ when: find_mac.matched is defined and find_mac.matched > 0 and find_existing_rules_d.matched is defined and find_existing_rules_d.matched == 0 + + - name: Inserts/replaces the MAC modification rule in rules.d + lineinfile: + path: "{{ all_files[0] }}" + line: "-w /etc/selinux/ -p wa -k MAC-policy" + create: yes ++ when: find_existing_rules_d.matched is defined and find_existing_rules_d.matched == 0 + + + # +@@ -44,3 +61,4 @@ + state: present + dest: /etc/audit/audit.rules + create: yes ++ when: find_existing_audit_rules.matched is defined and find_existing_audit_rules.matched == 0 + +From db78a47435f5136ce3ab9f8593547630c5205e9a Mon Sep 17 00:00:00 2001 +From: Vojtech Polasek +Date: Mon, 20 Apr 2020 17:07:59 +0200 +Subject: [PATCH 4/5] feedback to review + +anchoring regexes, name fixes +--- + .../ansible/shared.yml | 26 +++++++++---------- + 1 file changed, 13 insertions(+), 13 deletions(-) + +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_mac_modification/ansible/shared.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_mac_modification/ansible/shared.yml +index 656707eafc..8622138f82 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_mac_modification/ansible/shared.yml ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_mac_modification/ansible/shared.yml +@@ -4,20 +4,20 @@ + # complexity = low + # disruption = low + +-- name: detect if rule does not already exist in /etc/audit/rules.d/* ++- name: Check if rule does not already exist in /etc/audit/rules.d/* + find: + paths: "/etc/audit/rules.d" + recurse: no +- contains: '-w\s+/etc/selinux/\s+-p\s+wa(\s|$)+' ++ contains: '^\s*-w\s+/etc/selinux/\s+-p\s+wa(\s|$)+' + patterns: "*.rules" +- register: find_existing_rules_d ++ register: find_existing_mac_rules_d + +-- name: detect if rule does not already exist in /etc/audit/audit.rules ++- name: Check if rule does not already exist in /etc/audit/audit.rules + find: + paths: "/etc/audit/" +- contains: '-w\s+/etc/selinux/\s+-p\s+wa(\s|$)+' ++ contains: '^\s*-w\s+/etc/selinux/\s+-p\s+wa(\s|$)+' + patterns: "audit.rules" +- register: find_existing_audit_rules ++ register: find_existing_mac_audit_rules + + + # +@@ -29,27 +29,27 @@ + recurse: no + contains: "-k MAC-policy$" + patterns: "*.rules" +- register: find_mac +- when: find_existing_rules_d.matched is defined and find_existing_rules_d.matched == 0 ++ register: find_mac_key ++ when: find_existing_mac_rules_d.matched is defined and find_existing_mac_rules_d.matched == 0 + + - name: If existing MAC modification ruleset not found, use /etc/audit/rules.d/MAC-policy.rules as the recipient for the rule + set_fact: + all_files: + - /etc/audit/rules.d/MAC-policy.rules +- when: find_mac.matched is defined and find_mac.matched == 0 and find_existing_rules_d.matched is defined and find_existing_rules_d.matched == 0 ++ when: find_mac_key.matched is defined and find_mac_key.matched == 0 and find_existing_mac_rules_d.matched is defined and find_existing_mac_rules_d.matched == 0 + + - name: Use matched file as the recipient for the rule + set_fact: + all_files: +- - "{{ find_mac.files | map(attribute='path') | list | first }}" +- when: find_mac.matched is defined and find_mac.matched > 0 and find_existing_rules_d.matched is defined and find_existing_rules_d.matched == 0 ++ - "{{ find_mac_key.files | map(attribute='path') | list | first }}" ++ when: find_mac_key.matched is defined and find_mac_key.matched > 0 and find_existing_mac_rules_d.matched is defined and find_existing_mac_rules_d.matched == 0 + + - name: Inserts/replaces the MAC modification rule in rules.d + lineinfile: + path: "{{ all_files[0] }}" + line: "-w /etc/selinux/ -p wa -k MAC-policy" + create: yes +- when: find_existing_rules_d.matched is defined and find_existing_rules_d.matched == 0 ++ when: find_existing_mac_rules_d.matched is defined and find_existing_mac_rules_d.matched == 0 + + + # +@@ -61,4 +61,4 @@ + state: present + dest: /etc/audit/audit.rules + create: yes +- when: find_existing_audit_rules.matched is defined and find_existing_audit_rules.matched == 0 ++ when: find_existing_mac_audit_rules.matched is defined and find_existing_mac_audit_rules.matched == 0 + +From ba04156742e3f577f4b4144136ccacb7edf034ae Mon Sep 17 00:00:00 2001 +From: Vojtech Polasek +Date: Tue, 21 Apr 2020 11:11:20 +0200 +Subject: [PATCH 5/5] cosmetic fixes + +--- + .../audit_rules_mac_modification/ansible/shared.yml | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_mac_modification/ansible/shared.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_mac_modification/ansible/shared.yml +index 8622138f82..65d935c8f4 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_mac_modification/ansible/shared.yml ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_mac_modification/ansible/shared.yml +@@ -4,7 +4,11 @@ + # complexity = low + # disruption = low + +-- name: Check if rule does not already exist in /etc/audit/rules.d/* ++# ++# check if rules already exist ++# ++ ++- name: Check if rule already exists in /etc/audit/rules.d/* + find: + paths: "/etc/audit/rules.d" + recurse: no +@@ -12,7 +16,7 @@ + patterns: "*.rules" + register: find_existing_mac_rules_d + +-- name: Check if rule does not already exist in /etc/audit/audit.rules ++- name: Check if rule already exists in /etc/audit/audit.rules + find: + paths: "/etc/audit/" + contains: '^\s*-w\s+/etc/selinux/\s+-p\s+wa(\s|$)+' diff --git a/SOURCES/scap-security-guide-0.1.50-add_ansible_audit_rules_media_export_PR_5590.patch b/SOURCES/scap-security-guide-0.1.50-add_ansible_audit_rules_media_export_PR_5590.patch new file mode 100644 index 0000000..3f3a5d3 --- /dev/null +++ b/SOURCES/scap-security-guide-0.1.50-add_ansible_audit_rules_media_export_PR_5590.patch @@ -0,0 +1,81 @@ +From 9525e4ccb79ad245a8b3df48927c55a0c2589911 Mon Sep 17 00:00:00 2001 +From: Vojtech Polasek +Date: Wed, 15 Apr 2020 11:25:09 +0200 +Subject: [PATCH] add ansible remediation + +--- + .../ansible/shared.yml | 65 +++++++++++++++++++ + 1 file changed, 65 insertions(+) + create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_media_export/ansible/shared.yml + +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_media_export/ansible/shared.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_media_export/ansible/shared.yml +new file mode 100644 +index 0000000000..12a61b6d1c +--- /dev/null ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_media_export/ansible/shared.yml +@@ -0,0 +1,65 @@ ++# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv ++# reboot = true ++# strategy = restrict ++# complexity = low ++# disruption = low ++ ++# ++# What architecture are we on? ++# ++- name: Set architecture for audit media export tasks ++ set_fact: ++ audit_arch: "b{{ ansible_architecture | regex_replace('.*(\\d\\d$)','\\1') }}" ++ ++# ++# Inserts/replaces the rule in /etc/audit/rules.d ++# ++- name: Search /etc/audit/rules.d for other media export audit rules ++ find: ++ paths: "/etc/audit/rules.d" ++ recurse: no ++ contains: "-F key=export$" ++ patterns: "*.rules" ++ register: find_mount ++ ++- name: If existing media export ruleset not found, use /etc/audit/rules.d/export.rules as the recipient for the rule ++ set_fact: ++ all_files: ++ - /etc/audit/rules.d/export.rules ++ when: find_mount.matched is defined and find_mount.matched == 0 ++ ++- name: Use matched file as the recipient for the rule ++ set_fact: ++ all_files: ++ - "{{ find_mount.files | map(attribute='path') | list | first }}" ++ when: find_mount.matched is defined and find_mount.matched > 0 ++ ++- name: Inserts/replaces the media export rule in rules.d when on x86 ++ lineinfile: ++ path: "{{ all_files[0] }}" ++ line: "-a always,exit -F arch=b32 -S mount -F auid>={{{ auid }}} -F auid!=unset -F key=export" ++ create: yes ++ ++- name: Inserts/replaces the media export rule in rules.d when on x86_64 ++ lineinfile: ++ path: "{{ all_files[0] }}" ++ line: "-a always,exit -F arch=b64 -S mount -F auid>={{{ auid }}} -F auid!=unset -F key=export" ++ create: yes ++ when: audit_arch is defined and audit_arch == 'b64' ++# ++# Inserts/replaces the rule in /etc/audit/audit.rules ++# ++- name: Inserts/replaces the media export rule in /etc/audit/audit.rules when on x86 ++ lineinfile: ++ line: "-a always,exit -F arch=b32 -S mount -F auid>={{{ auid }}} -F auid!=unset -F key=export" ++ state: present ++ dest: /etc/audit/audit.rules ++ create: yes ++ ++- name: Inserts/replaces the media export rule in audit.rules when on x86_64 ++ lineinfile: ++ line: "-a always,exit -F arch=b64 -S mount -F auid>={{{ auid }}} -F auid!=unset -F key=export" ++ state: present ++ dest: /etc/audit/audit.rules ++ create: yes ++ when: audit_arch is defined and audit_arch == 'b64' diff --git a/SOURCES/scap-security-guide-0.1.50-add_ansible_audit_rules_session_events_PR_5721.patch b/SOURCES/scap-security-guide-0.1.50-add_ansible_audit_rules_session_events_PR_5721.patch new file mode 100644 index 0000000..77ae510 --- /dev/null +++ b/SOURCES/scap-security-guide-0.1.50-add_ansible_audit_rules_session_events_PR_5721.patch @@ -0,0 +1,113 @@ +From c0edf5074b0b8dd7ed7cfab74a8b4f278b0e51c5 Mon Sep 17 00:00:00 2001 +From: Vojtech Polasek +Date: Wed, 29 Apr 2020 12:57:58 +0200 +Subject: [PATCH 1/2] add ansible remediation + +--- + .../audit_rules_session_events/ansible/shared.yml | 12 ++++++++++++ + 1 file changed, 12 insertions(+) + create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_session_events/ansible/shared.yml + +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_session_events/ansible/shared.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_session_events/ansible/shared.yml +new file mode 100644 +index 0000000000..08694d3032 +--- /dev/null ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_session_events/ansible/shared.yml +@@ -0,0 +1,12 @@ ++# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv ++# reboot = true ++# strategy = restrict ++# complexity = low ++# disruption = low ++ ++{{{ ansible_audit_augenrules_add_watch_rule(path='/var/run/utmp', permissions='wa', key='session') }}} ++{{{ ansible_audit_auditctl_add_watch_rule(path='/var/run/utmp', permissions='wa', key='session') }}} ++{{{ ansible_audit_augenrules_add_watch_rule(path='/var/log/btmp', permissions='wa', key='session') }}} ++{{{ ansible_audit_auditctl_add_watch_rule(path='/var/log/btmp', permissions='wa', key='session') }}} ++{{{ ansible_audit_augenrules_add_watch_rule(path='/var/log/wtmp', permissions='wa', key='session') }}} ++{{{ ansible_audit_auditctl_add_watch_rule(path='/var/log/wtmp', permissions='wa', key='session') }}} + +From b8d3dc253ee62a5c4e725b2a89ab6f22f4870e66 Mon Sep 17 00:00:00 2001 +From: Vojtech Polasek +Date: Wed, 29 Apr 2020 12:58:17 +0200 +Subject: [PATCH 2/2] att tests + +--- + .../tests/auditctl_correct.pass.sh | 11 +++++++++++ + .../tests/auditctl_rules_missing.fail.sh | 7 +++++++ + .../tests/augen_correct.pass.ah | 9 +++++++++ + .../tests/augen_partial_rules.fail.sh | 6 ++++++ + .../tests/augen_rules_missing.fail.sh | 3 +++ + 5 files changed, 36 insertions(+) + create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_session_events/tests/auditctl_correct.pass.sh + create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_session_events/tests/auditctl_rules_missing.fail.sh + create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_session_events/tests/augen_correct.pass.ah + create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_session_events/tests/augen_partial_rules.fail.sh + create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_session_events/tests/augen_rules_missing.fail.sh + +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_session_events/tests/auditctl_correct.pass.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_session_events/tests/auditctl_correct.pass.sh +new file mode 100644 +index 0000000000..82d53db8e5 +--- /dev/null ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_session_events/tests/auditctl_correct.pass.sh +@@ -0,0 +1,11 @@ ++#!/bin/bash ++ ++# use auditctl ++sed -i "s%^ExecStartPost=.*%ExecStartPost=-/sbin/auditctl%" /usr/lib/systemd/system/auditd.service ++ ++rm -rf /etc/audit/rules.d/* ++rm /etc/audit/audit.rules ++ ++echo "-w /var/run/utmp -p wa -k session" >> /etc/audit/audit.rules ++echo "-w /var/log/btmp -p wa -k session" >> /etc/audit/audit.rules ++echo "-w /var/log/wtmp -p wa -k session" >> /etc/audit/audit.rules +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_session_events/tests/auditctl_rules_missing.fail.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_session_events/tests/auditctl_rules_missing.fail.sh +new file mode 100644 +index 0000000000..a9bac580e8 +--- /dev/null ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_session_events/tests/auditctl_rules_missing.fail.sh +@@ -0,0 +1,7 @@ ++#!/bin/bash ++ ++# use auditctl ++sed -i "s%^ExecStartPost=.*%ExecStartPost=-/sbin/auditctl%" /usr/lib/systemd/system/auditd.service ++ ++rm -rf /etc/audit/rules.d/* ++rm /etc/audit/audit.rules +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_session_events/tests/augen_correct.pass.ah b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_session_events/tests/augen_correct.pass.ah +new file mode 100644 +index 0000000000..32e5686026 +--- /dev/null ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_session_events/tests/augen_correct.pass.ah +@@ -0,0 +1,9 @@ ++#!/bin/bash ++ ++rm -rf /etc/audit/rules.d/* ++rm /etc/audit/audit.rules ++ ++echo "-w /var/run/utmp -p wa -k session" >> /etc/audit/rules.d/session.rules ++echo "-w /var/log/btmp -p wa -k session" >> /etc/audit/rules.d/session.rules ++echo "-w /var/log/wtmp -p wa -k session" >> /etc/audit/rules.d/session.rules ++ +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_session_events/tests/augen_partial_rules.fail.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_session_events/tests/augen_partial_rules.fail.sh +new file mode 100644 +index 0000000000..26862281f7 +--- /dev/null ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_session_events/tests/augen_partial_rules.fail.sh +@@ -0,0 +1,6 @@ ++#!/bin/bash ++ ++rm -rf /etc/audit/rules.d/* ++rm -f /etc/audit/audit.rules ++ ++echo "-w /var/run/utmp -p wa -k session" >> /etc/audit/audit.rules +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_session_events/tests/augen_rules_missing.fail.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_session_events/tests/augen_rules_missing.fail.sh +new file mode 100644 +index 0000000000..0997495e4b +--- /dev/null ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_session_events/tests/augen_rules_missing.fail.sh +@@ -0,0 +1,3 @@ ++#!/bin/bash ++ ++rm -rf /etc/audit/rules.d/* diff --git a/SOURCES/scap-security-guide-0.1.50-add_ansible_audit_time_rules_PR_5720.patch b/SOURCES/scap-security-guide-0.1.50-add_ansible_audit_time_rules_PR_5720.patch new file mode 100644 index 0000000..d9dad8c --- /dev/null +++ b/SOURCES/scap-security-guide-0.1.50-add_ansible_audit_time_rules_PR_5720.patch @@ -0,0 +1,246 @@ +From 03c44366cd4bc16808e000eac7b3eb548851cb1a Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Wed, 29 Apr 2020 10:59:43 +0200 +Subject: [PATCH 1/4] Add Ansible remediations for syscall time changes + +Uses Ansible audit macros to add remediations for: +- adjtimex +- settimeofday +- stime +--- + .../ansible/shared.yml | 20 +++++++++++++++++++ + .../ansible/shared.yml | 20 +++++++++++++++++++ + .../audit_rules_time_stime/ansible/shared.yml | 14 +++++++++++++ + 3 files changed, 54 insertions(+) + create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_adjtimex/ansible/shared.yml + create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_settimeofday/ansible/shared.yml + create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_stime/ansible/shared.yml + +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_adjtimex/ansible/shared.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_adjtimex/ansible/shared.yml +new file mode 100644 +index 0000000000..2ecbf5f998 +--- /dev/null ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_adjtimex/ansible/shared.yml +@@ -0,0 +1,20 @@ ++# platform = multi_platform_all ++# reboot = false ++# strategy = restrict ++# complexity = low ++# disruption = low ++ ++- name: Set architecture for audit tasks ++ set_fact: ++ audit_arch: "b{{ ansible_architecture | regex_replace('.*(\\d\\d$)','\\1') }}" ++ ++- name: Perform remediation of Audit rules for adjtimex for x86 platform ++ block: ++ {{{ ansible_audit_augenrules_add_syscall_rule(arch=b32, syscalls=["adjtimex"], key="audit_time_rules")|indent(4) }}} ++ {{{ ansible_audit_auditctl_add_syscall_rule(arch="b32", syscalls=["adjtimex"], key="audit_time_rules")|indent(4) }}} ++ ++- name: Perform remediation of Audit rules for adjtimex for x86_64 platform ++ block: ++ {{{ ansible_audit_augenrules_add_syscall_rule(arch=b64, syscalls=["adjtimex"], key="audit_time_rules")|indent(4) }}} ++ {{{ ansible_audit_auditctl_add_syscall_rule(arch="b64", syscalls=["adjtimex"], key="audit_time_rules")|indent(4) }}} ++ when: audit_arch == "b64" +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_settimeofday/ansible/shared.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_settimeofday/ansible/shared.yml +new file mode 100644 +index 0000000000..e97a752298 +--- /dev/null ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_settimeofday/ansible/shared.yml +@@ -0,0 +1,20 @@ ++# platform = multi_platform_all ++# reboot = false ++# strategy = restrict ++# complexity = low ++# disruption = low ++ ++- name: Set architecture for audit tasks ++ set_fact: ++ audit_arch: "b{{ ansible_architecture | regex_replace('.*(\\d\\d$)','\\1') }}" ++ ++- name: Perform remediation of Audit rules for settimeofday for x86 platform ++ block: ++ {{{ ansible_audit_augenrules_add_syscall_rule(arch=b32, syscalls=["settimeofday"], key="audit_time_rules")|indent(4) }}} ++ {{{ ansible_audit_auditctl_add_syscall_rule(arch="b32", syscalls=["settimeofday"], key="audit_time_rules")|indent(4) }}} ++ ++- name: Perform remediation of Audit rules for settimeofday for x86_64 platform ++ block: ++ {{{ ansible_audit_augenrules_add_syscall_rule(arch=b64, syscalls=["settimeofday"], key="audit_time_rules")|indent(4) }}} ++ {{{ ansible_audit_auditctl_add_syscall_rule(arch="b64", syscalls=["settimeofday"], key="audit_time_rules")|indent(4) }}} ++ when: audit_arch == "b64" +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_stime/ansible/shared.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_stime/ansible/shared.yml +new file mode 100644 +index 0000000000..b1e9380781 +--- /dev/null ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_stime/ansible/shared.yml +@@ -0,0 +1,14 @@ ++# platform = multi_platform_all ++# reboot = false ++# strategy = restrict ++# complexity = low ++# disruption = low ++ ++- name: Set architecture for audit tasks ++ set_fact: ++ audit_arch: "b{{ ansible_architecture | regex_replace('.*(\\d\\d$)','\\1') }}" ++ ++- name: Perform remediation of Audit rules for stime syscall for x86 platform ++ block: ++ {{{ ansible_audit_augenrules_add_syscall_rule(arch=b32, syscalls=["stime"], key="audit_time_rules")|indent(4) }}} ++ {{{ ansible_audit_auditctl_add_syscall_rule(arch="b32", syscalls=["stime"], key="audit_time_rules")|indent(4) }}} + +From c004e5bdceb4a942585adff1cb085165e6dcbc1b Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Wed, 29 Apr 2020 12:02:23 +0200 +Subject: [PATCH 2/4] time_adjtimex: Rename, simplify and add tests + +--- + .../tests/correct_syscall.pass.sh | 7 +++++++ + .../audit_rules_time_adjtimex/tests/correct_value.pass.sh | 8 -------- + .../tests/line_not_there.fail.sh | 5 ----- + .../tests/syscall_not_there.fail.sh | 5 +++++ + 4 files changed, 12 insertions(+), 13 deletions(-) + create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_adjtimex/tests/correct_syscall.pass.sh + delete mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_adjtimex/tests/correct_value.pass.sh + delete mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_adjtimex/tests/line_not_there.fail.sh + create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_adjtimex/tests/syscall_not_there.fail.sh + +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_adjtimex/tests/correct_syscall.pass.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_adjtimex/tests/correct_syscall.pass.sh +new file mode 100644 +index 0000000000..51c8e8705e +--- /dev/null ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_adjtimex/tests/correct_syscall.pass.sh +@@ -0,0 +1,7 @@ ++#!/bin/bash ++ ++# profiles = xccdf_org.ssgproject.content_profile_cis ++ ++rm -rf /etc/audit/rules.d/*.rules ++echo "-a always,exit -F arch=b32 -S adjtimex -k audit_time_rules" >> /etc/audit/rules.d/time.rules ++echo "-a always,exit -F arch=b64 -S adjtimex -k audit_time_rules" >> /etc/audit/rules.d/time.rules +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_adjtimex/tests/correct_value.pass.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_adjtimex/tests/correct_value.pass.sh +deleted file mode 100644 +index d37d624763..0000000000 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_adjtimex/tests/correct_value.pass.sh ++++ /dev/null +@@ -1,8 +0,0 @@ +-#!/bin/bash +- +-# profiles = xccdf_org.ssgproject.content_profile_ospp +- +-if grep -qv "^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32.*(-S[\s]+adjtimex[\s]+|([\s]+|[,])adjtimex([\s]+|[,])).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$" /etc/audit/rules.d/*.rules; then +- echo "-a always,exit -F arch=b32 -S adjtimex -k audit_time_rules" >> /etc/audit/rules.d/time.rules +- echo "-a always,exit -F arch=b64 -S adjtimex -k audit_time_rules" >> /etc/audit/rules.d/time.rules +-fi +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_adjtimex/tests/line_not_there.fail.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_adjtimex/tests/line_not_there.fail.sh +deleted file mode 100644 +index bdf8c837f2..0000000000 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_adjtimex/tests/line_not_there.fail.sh ++++ /dev/null +@@ -1,5 +0,0 @@ +-#!/bin/bash +- +-# profiles = xccdf_org.ssgproject.content_profile_ospp +- +-sed -i "/^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32.*(-S[\s]+adjtimex[\s]+|([\s]+|[,])adjtimex([\s]+|[,])).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$/d" /etc/audit/rules.d/*.rules +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_adjtimex/tests/syscall_not_there.fail.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_adjtimex/tests/syscall_not_there.fail.sh +new file mode 100644 +index 0000000000..73eec5e777 +--- /dev/null ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_adjtimex/tests/syscall_not_there.fail.sh +@@ -0,0 +1,5 @@ ++#!/bin/bash ++ ++# profiles = xccdf_org.ssgproject.content_profile_cis ++ ++rm -rf /etc/audit/rules.d/*.rules + +From f09c6fd53814d00d85a1ca311887dea11c48d3ad Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Thu, 30 Apr 2020 10:47:00 +0200 +Subject: [PATCH 3/4] Add Ansible remedation to watch for time changes + +--- + .../audit_rules_time_watch_localtime/ansible/shared.yml | 8 ++++++++ + 1 file changed, 8 insertions(+) + create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_watch_localtime/ansible/shared.yml + +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_watch_localtime/ansible/shared.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_watch_localtime/ansible/shared.yml +new file mode 100644 +index 0000000000..629dea88bb +--- /dev/null ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_watch_localtime/ansible/shared.yml +@@ -0,0 +1,8 @@ ++# platform = multi_platform_all ++# reboot = false ++# strategy = restrict ++# complexity = low ++# disruption = low ++ ++{{{ ansible_audit_augenrules_add_watch_rule(path="/etc/localtime", permissions="wa", key="audit_time_rules") }}} ++{{{ ansible_audit_auditctl_add_watch_rule(path="/etc/localtime", permissions="wa", key="audit_time_rules") }}} + +From fe5e3be44528cd331ab7697daa2d0373e01d8d62 Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Thu, 30 Apr 2020 16:32:08 +0200 +Subject: [PATCH 4/4] Fix arch parameter and useless arch task + +--- + .../audit_rules_time_adjtimex/ansible/shared.yml | 4 ++-- + .../audit_rules_time_settimeofday/ansible/shared.yml | 4 ++-- + .../audit_rules_time_stime/ansible/shared.yml | 6 +----- + 3 files changed, 5 insertions(+), 9 deletions(-) + +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_adjtimex/ansible/shared.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_adjtimex/ansible/shared.yml +index 2ecbf5f998..921b8e34cb 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_adjtimex/ansible/shared.yml ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_adjtimex/ansible/shared.yml +@@ -10,11 +10,11 @@ + + - name: Perform remediation of Audit rules for adjtimex for x86 platform + block: +- {{{ ansible_audit_augenrules_add_syscall_rule(arch=b32, syscalls=["adjtimex"], key="audit_time_rules")|indent(4) }}} ++ {{{ ansible_audit_augenrules_add_syscall_rule(arch="b32", syscalls=["adjtimex"], key="audit_time_rules")|indent(4) }}} + {{{ ansible_audit_auditctl_add_syscall_rule(arch="b32", syscalls=["adjtimex"], key="audit_time_rules")|indent(4) }}} + + - name: Perform remediation of Audit rules for adjtimex for x86_64 platform + block: +- {{{ ansible_audit_augenrules_add_syscall_rule(arch=b64, syscalls=["adjtimex"], key="audit_time_rules")|indent(4) }}} ++ {{{ ansible_audit_augenrules_add_syscall_rule(arch="b64", syscalls=["adjtimex"], key="audit_time_rules")|indent(4) }}} + {{{ ansible_audit_auditctl_add_syscall_rule(arch="b64", syscalls=["adjtimex"], key="audit_time_rules")|indent(4) }}} + when: audit_arch == "b64" +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_settimeofday/ansible/shared.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_settimeofday/ansible/shared.yml +index e97a752298..b1a25c2776 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_settimeofday/ansible/shared.yml ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_settimeofday/ansible/shared.yml +@@ -10,11 +10,11 @@ + + - name: Perform remediation of Audit rules for settimeofday for x86 platform + block: +- {{{ ansible_audit_augenrules_add_syscall_rule(arch=b32, syscalls=["settimeofday"], key="audit_time_rules")|indent(4) }}} ++ {{{ ansible_audit_augenrules_add_syscall_rule(arch="b32", syscalls=["settimeofday"], key="audit_time_rules")|indent(4) }}} + {{{ ansible_audit_auditctl_add_syscall_rule(arch="b32", syscalls=["settimeofday"], key="audit_time_rules")|indent(4) }}} + + - name: Perform remediation of Audit rules for settimeofday for x86_64 platform + block: +- {{{ ansible_audit_augenrules_add_syscall_rule(arch=b64, syscalls=["settimeofday"], key="audit_time_rules")|indent(4) }}} ++ {{{ ansible_audit_augenrules_add_syscall_rule(arch="b64", syscalls=["settimeofday"], key="audit_time_rules")|indent(4) }}} + {{{ ansible_audit_auditctl_add_syscall_rule(arch="b64", syscalls=["settimeofday"], key="audit_time_rules")|indent(4) }}} + when: audit_arch == "b64" +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_stime/ansible/shared.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_stime/ansible/shared.yml +index b1e9380781..b57c71ce21 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_stime/ansible/shared.yml ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_stime/ansible/shared.yml +@@ -4,11 +4,7 @@ + # complexity = low + # disruption = low + +-- name: Set architecture for audit tasks +- set_fact: +- audit_arch: "b{{ ansible_architecture | regex_replace('.*(\\d\\d$)','\\1') }}" +- + - name: Perform remediation of Audit rules for stime syscall for x86 platform + block: +- {{{ ansible_audit_augenrules_add_syscall_rule(arch=b32, syscalls=["stime"], key="audit_time_rules")|indent(4) }}} ++ {{{ ansible_audit_augenrules_add_syscall_rule(arch="b32", syscalls=["stime"], key="audit_time_rules")|indent(4) }}} + {{{ ansible_audit_auditctl_add_syscall_rule(arch="b32", syscalls=["stime"], key="audit_time_rules")|indent(4) }}} diff --git a/SOURCES/scap-security-guide-0.1.50-add_ansible_ensure_logrotate_activated_PR_5753.patch b/SOURCES/scap-security-guide-0.1.50-add_ansible_ensure_logrotate_activated_PR_5753.patch new file mode 100644 index 0000000..e859c54 --- /dev/null +++ b/SOURCES/scap-security-guide-0.1.50-add_ansible_ensure_logrotate_activated_PR_5753.patch @@ -0,0 +1,71 @@ +From 8605fc4fd40f5d2067d9b81f41d5f523d9a5ba98 Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Tue, 12 May 2020 08:17:20 +0200 +Subject: [PATCH 1/2] Add Ansible for ensure_logrotate_activated + +--- + .../ansible/shared.yml | 33 +++++++++++++++++++ + 1 file changed, 33 insertions(+) + create mode 100644 linux_os/guide/system/logging/log_rotation/ensure_logrotate_activated/ansible/shared.yml + +diff --git a/linux_os/guide/system/logging/log_rotation/ensure_logrotate_activated/ansible/shared.yml b/linux_os/guide/system/logging/log_rotation/ensure_logrotate_activated/ansible/shared.yml +new file mode 100644 +index 0000000000..5d76b3c073 +--- /dev/null ++++ b/linux_os/guide/system/logging/log_rotation/ensure_logrotate_activated/ansible/shared.yml +@@ -0,0 +1,33 @@ ++# platform = multi_platform_all ++# reboot = false ++# strategy = configure ++# complexity = low ++# disruption = low ++ ++- name: Configure daily log rotation in /etc/logrotate.conf ++ lineinfile: ++ create: yes ++ dest: "/etc/logrotate.conf" ++ regexp: "^daily$" ++ line: "daily" ++ ++- name: Make sure daily log rotation setting is not overriden in /etc/logrotate.conf ++ lineinfile: ++ create: no ++ dest: "/etc/logrotate.conf" ++ regexp: "^(weekly|monthly|yearly)$" ++ state: absent ++ ++- name: Configure cron.daily if not already ++ block: ++ - name: Add shebang ++ lineinfile: ++ path: "/etc/cron.daily/logrotate" ++ line: "#!/bin/sh" ++ insertbefore: BOF ++ create: yes ++ - name: Add logrotate call ++ lineinfile: ++ path: "/etc/cron.daily/logrotate" ++ line: '/usr/sbin/logrotate /etc/logrotate.conf' ++ regexp: '^[\s]*/usr/sbin/logrotate[\s\S]*/etc/logrotate.conf$' + +From 085e5b2d18c9f50a6486a50f964ff71b74d5dade Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Tue, 12 May 2020 14:48:15 +0200 +Subject: [PATCH 2/2] Add test for ensure_logrotate_activated + +Test scenario when monthly is there, but weekly is not. +--- + .../tests/logrotate_conf_extra_monthly.fail.sh | 4 ++++ + 1 file changed, 4 insertions(+) + create mode 100644 linux_os/guide/system/logging/log_rotation/ensure_logrotate_activated/tests/logrotate_conf_extra_monthly.fail.sh + +diff --git a/linux_os/guide/system/logging/log_rotation/ensure_logrotate_activated/tests/logrotate_conf_extra_monthly.fail.sh b/linux_os/guide/system/logging/log_rotation/ensure_logrotate_activated/tests/logrotate_conf_extra_monthly.fail.sh +new file mode 100644 +index 0000000000..b10362989b +--- /dev/null ++++ b/linux_os/guide/system/logging/log_rotation/ensure_logrotate_activated/tests/logrotate_conf_extra_monthly.fail.sh +@@ -0,0 +1,4 @@ ++#!/bin/bash ++ ++sed -i "s/weekly/daily/g" /etc/logrotate.conf ++echo "monthly" >> /etc/logrotate.conf diff --git a/SOURCES/scap-security-guide-0.1.50-add_ansible_ipv6_option_disabled_PR_5737.patch b/SOURCES/scap-security-guide-0.1.50-add_ansible_ipv6_option_disabled_PR_5737.patch new file mode 100644 index 0000000..def994b --- /dev/null +++ b/SOURCES/scap-security-guide-0.1.50-add_ansible_ipv6_option_disabled_PR_5737.patch @@ -0,0 +1,64 @@ +From e14418e1bfbecde7f7091173c8ad9c84b28bd8ee Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Mon, 4 May 2020 18:51:13 +0200 +Subject: [PATCH] Add Ansible for kernel_module_ipv6_option_disabled + +The remediation does more than disabling only one kernel module, so it +is not suitable for "templation" (use of templating system). +--- + .../ansible/shared.yml | 22 +++++++++++++++++++ + .../tests/module_disabled.pass.sh | 4 ++++ + .../tests/module_enabled.fail.sh | 4 ++++ + 3 files changed, 30 insertions(+) + create mode 100644 linux_os/guide/system/network/network-ipv6/disabling_ipv6/kernel_module_ipv6_option_disabled/ansible/shared.yml + create mode 100644 linux_os/guide/system/network/network-ipv6/disabling_ipv6/kernel_module_ipv6_option_disabled/tests/module_disabled.pass.sh + create mode 100644 linux_os/guide/system/network/network-ipv6/disabling_ipv6/kernel_module_ipv6_option_disabled/tests/module_enabled.fail.sh + +diff --git a/linux_os/guide/system/network/network-ipv6/disabling_ipv6/kernel_module_ipv6_option_disabled/ansible/shared.yml b/linux_os/guide/system/network/network-ipv6/disabling_ipv6/kernel_module_ipv6_option_disabled/ansible/shared.yml +new file mode 100644 +index 0000000000..a6d6229bdc +--- /dev/null ++++ b/linux_os/guide/system/network/network-ipv6/disabling_ipv6/kernel_module_ipv6_option_disabled/ansible/shared.yml +@@ -0,0 +1,22 @@ ++# platform = multi_platform_all ++# reboot = true ++# strategy = disable ++# complexity = low ++# disruption = medium ++ ++- name: Disable IPv6 Networking kernel module ++ lineinfile: ++ create: yes ++ dest: "/etc/modprobe.d/ipv6.conf" ++ regexp: "^options\\s+ipv6\\s+disable=\\d" ++ line: "options ipv6 disable=1" ++ ++- name: Ensure disable_ipv6 (all and default) is set to 1 ++ sysctl: ++ name: "{{ item }}" ++ value: "1" ++ state: present ++ reload: yes ++ with_items: ++ - "net.ipv6.conf.all.disable_ipv6" ++ - "net.ipv6.conf.default.disable_ipv6" +diff --git a/linux_os/guide/system/network/network-ipv6/disabling_ipv6/kernel_module_ipv6_option_disabled/tests/module_disabled.pass.sh b/linux_os/guide/system/network/network-ipv6/disabling_ipv6/kernel_module_ipv6_option_disabled/tests/module_disabled.pass.sh +new file mode 100644 +index 0000000000..f22b37b8e8 +--- /dev/null ++++ b/linux_os/guide/system/network/network-ipv6/disabling_ipv6/kernel_module_ipv6_option_disabled/tests/module_disabled.pass.sh +@@ -0,0 +1,4 @@ ++#!/bin/bash ++# platform = Red Hat Enterprise Linux 7 ++ ++echo "options ipv6 disable=1" > /etc/modprobe.d/ipv6.conf +diff --git a/linux_os/guide/system/network/network-ipv6/disabling_ipv6/kernel_module_ipv6_option_disabled/tests/module_enabled.fail.sh b/linux_os/guide/system/network/network-ipv6/disabling_ipv6/kernel_module_ipv6_option_disabled/tests/module_enabled.fail.sh +new file mode 100644 +index 0000000000..82122fea40 +--- /dev/null ++++ b/linux_os/guide/system/network/network-ipv6/disabling_ipv6/kernel_module_ipv6_option_disabled/tests/module_enabled.fail.sh +@@ -0,0 +1,4 @@ ++#!/bin/bash ++# platform = Red Hat Enterprise Linux 7 ++ ++echo "options ipv6 disable=0" > /etc/modprobe.d/ipv6.conf diff --git a/SOURCES/scap-security-guide-0.1.50-add_ansible_macro_syscall_rule_PR_5709.patch b/SOURCES/scap-security-guide-0.1.50-add_ansible_macro_syscall_rule_PR_5709.patch new file mode 100644 index 0000000..ade0667 --- /dev/null +++ b/SOURCES/scap-security-guide-0.1.50-add_ansible_macro_syscall_rule_PR_5709.patch @@ -0,0 +1,738 @@ +From 8dd8ca19bc7608db27ba79ac0df90cbc502dcfa8 Mon Sep 17 00:00:00 2001 +From: Vojtech Polasek +Date: Mon, 27 Apr 2020 14:51:22 +0200 +Subject: [PATCH 1/7] create macro + +--- + shared/macros-ansible.jinja | 176 ++++++++++++++++++++++++++++++++++++ + 1 file changed, 176 insertions(+) + +diff --git a/shared/macros-ansible.jinja b/shared/macros-ansible.jinja +index 884b562ae4..7ccab981d2 100644 +--- a/shared/macros-ansible.jinja ++++ b/shared/macros-ansible.jinja +@@ -346,3 +346,179 @@ The macro requires following parameters: + create: yes + when: find_existing_watch_audit_rules.matched is defined and find_existing_watch_audit_rules.matched == 0 + {{%- endmacro %}} ++ ++{{% macro ansible_audit_augenrules_add_syscall_rule(arch="", syscalls=[], key="") -%}} ++# ++# What architecture are we on? ++# ++- name: Set architecture for audit modules tasks ++ set_fact: ++ audit_arch: "b{{ ansible_architecture | regex_replace('.*(\\d\\d$)','\\1') }}" ++ ++- name: Declare list of syscals ++ set_fact: ++ syscalls: {{{ syscalls }}} ++ ++- name: Declare number of syscalls ++ set_fact: audit_syscalls_number_of_syscalls="{{ syscalls|length|int }}" ++ ++- name: Check existence of syscalls for 32 bit architecture in /etc/audit/rules.d/ ++ find: ++ paths: "/etc/audit/rules.d" ++ contains: '^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+{{ item }}[\s]+|([\s]+|[,]){{ item }}([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$' ++ patterns: "*.rules" ++ register: audit_syscalls_found_32_rules_d ++ loop: "{{ syscalls }}" ++ ++- name: Get number of matched 32 bit syscalls in /etc/audit/rules.d/ ++ set_fact: audit_syscalls_matched_32_rules_d="{{audit_syscalls_found_32_rules_d.results|sum(attribute='matched')|int }}" ++ ++{{% if arch == "64" %}} ++- name: Check existence of syscalls for 64 bit architecture in /etc/audit/rules.d/ ++ find: ++ paths: "/etc/audit/rules.d" ++ contains: '^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+{{ item }}[\s]+|([\s]+|[,]){{ item }}([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$' ++ patterns: "*.rules" ++ register: audit_syscalls_found_64_rules_d ++ loop: "{{ syscalls }}" ++ ++- name: Get number of matched 64 bit syscalls in /etc/audit/rules.d/ ++ set_fact: audit_syscalls_matched_64_rules_d="{{audit_syscalls_found_64_rules_d.results|sum(attribute='matched')|int }}" ++{{% endif %}} ++ ++- name: Search /etc/audit/rules.d for other rules with the key {{{ key }}} ++ find: ++ paths: "/etc/audit/rules.d" ++ recurse: no ++ contains: '(-F key=)|(-k\s+){{{ key }}}$' ++ patterns: "*.rules" ++ register: find_syscalls_files ++ ++- name: Use /etc/audit/rules.d/{{{ key }}}.rules as the recipient for the rule ++ set_fact: ++ all_files: ++ - /etc/audit/rules.d/{{{ key }}}.rules ++ when: find_syscalls_files.matched is defined and find_syscalls_files.matched == 0 ++ ++- name: Use matched file as the recipient for the rule ++ set_fact: ++ all_files: ++ - "{{ find_syscalls_files.files | map(attribute='path') | list | first }}" ++ when: find_syscalls_files.matched is defined and find_syscalls_files.matched > 0 ++ ++- name: "Insert the modules rule in {{ all_files[0] }} when on x86" ++ block: ++ - name: "Construct rule: add rule list, action and arch" ++ set_fact: tmpline="-a always,exit -F arch=b32 " ++ - name: "Construct rule: add syscalls" ++ set_fact: tmpline="{{tmpline + '-S ' + item.item + ' ' }}" ++ loop: "{{ audit_syscalls_found_32_rules_d.results }}" ++ when: item.matched is defined and item.matched == 0 ++ - name: "Construct rule: add key" ++ set_fact: tmpline="{{ tmpline + '-k {{{ key }}}' }}" ++ - name: "Insert the line in {{ all_files[0] }}" ++ lineinfile: ++ path: "{{ all_files[0] }}" ++ line: "{{ tmpline }}" ++ create: true ++ state: present ++ when: audit_syscalls_matched_32_rules_d < audit_syscalls_number_of_syscalls ++ ++{{% if arch == "64" %}} ++- name: "Insert the modules rule in {{ all_files[0] }} when on x86_64" ++ block: ++ - name: "Construct rule: add rule list, action and arch" ++ set_fact: tmpline="-a always,exit -F arch=b64 " ++ - name: "Construct rule: add syscalls" ++ set_fact: tmpline="{{tmpline + '-S ' + item.item + ' ' }}" ++ loop: "{{ audit_syscalls_found_64_rules_d.results }}" ++ when: item.matched is defined and item.matched == 0 ++ - name: "Construct rule: add key" ++ set_fact: tmpline="{{ tmpline + '-k {{{ key }}}' }}" ++ - name: "Insert the line in {{ all_files[0] }}" ++ lineinfile: ++ path: "{{ all_files[0] }}" ++ line: "{{ tmpline }}" ++ create: true ++ state: present ++ when: audit_syscalls_matched_64_rules_d < audit_syscalls_number_of_syscalls and audit_arch is defined and audit_arch == 'b64' ++{{% endif %}} ++{{%- endmacro %}} ++ ++{{% macro ansible_audit_auditctl_add_syscall_rule(arch="", syscalls=[], key="") -%}} ++# ++# What architecture are we on? ++# ++- name: Set architecture for audit modules tasks ++ set_fact: ++ audit_arch: "b{{ ansible_architecture | regex_replace('.*(\\d\\d$)','\\1') }}" ++ ++- name: Declare list of syscals ++ set_fact: ++ syscalls: {{{ syscalls }}} ++ ++- name: Declare number of syscalls ++ set_fact: audit_syscalls_number_of_syscalls="{{ syscalls|length|int }}" ++ ++- name: Check existence of syscalls for 32 bit architecture in /etc/audit/audit.rules ++ find: ++ paths: "/etc/audit" ++ contains: '^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+{{ item }}[\s]+|([\s]+|[,]){{ item }}([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$' ++ patterns: "audit.rules" ++ register: audit_syscalls_found_32_audit_rules ++ loop: "{{ syscalls }}" ++ ++- name: Get number of matched 32 bit syscalls in /etc/audit/audit.rules ++ set_fact: audit_syscalls_matched_32_audit_rules="{{audit_syscalls_found_32_audit_rules.results|sum(attribute='matched')|int }}" ++ ++{{% if arch == "64" %}} ++- name: Check existence of syscalls for 64 bit architecture in /etc/audit/audit.rules ++ find: ++ paths: "/etc/audit" ++ contains: '^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+{{ item }}[\s]+|([\s]+|[,]){{ item }}([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$' ++ patterns: "audit.rules" ++ register: audit_syscalls_found_64_audit_rules ++ loop: "{{ syscalls }}" ++ ++- name: Get number of matched 64 bit syscalls in /etc/audit/rules.d/* ++ set_fact: audit_syscalls_matched_64_audit_rules="{{audit_syscalls_found_64_audit_rules.results|sum(attribute='matched')|int }}" ++{{% endif %}} ++ ++- name: Insert the modules rule in /etc/audit/audit.rules when on x86 ++ block: ++ - name: "Construct rule: add rule list, action and arch" ++ set_fact: tmpline="-a always,exit -F arch=b32 " ++ - name: "Construct rule: add syscalls" ++ set_fact: tmpline="{{tmpline + '-S ' + item.item + ' ' }}" ++ loop: "{{ audit_syscalls_found_32_audit_rules.results }}" ++ when: item.matched is defined and item.matched == 0 ++ - name: "Construct rule: add key" ++ set_fact: tmpline="{{ tmpline + '-k {{{ key }}}' }}" ++ - name: Insert the line in /etc/audit/audit.rules ++ lineinfile: ++ path: "/etc/audit/audit.rules" ++ line: "{{ tmpline }}" ++ create: true ++ state: present ++ when: audit_syscalls_matched_32_audit_rules < audit_syscalls_number_of_syscalls ++ ++{{% if arch == "64" %}} ++- name: Insert the modules rule in /etc/audit/rules.d when on x86_64 ++ block: ++ - name: "Construct rule: add rule list, action and arch" ++ set_fact: tmpline="-a always,exit -F arch=b64 " ++ - name: "Construct rule: add syscalls" ++ set_fact: tmpline="{{tmpline + '-S ' + item.item + ' ' }}" ++ loop: "{{ audit_syscalls_found_64_audit_rules.results }}" ++ when: item.matched is defined and item.matched == 0 ++ - name: "Construct rule: add key" ++ set_fact: tmpline="{{ tmpline + '-k {{{ key }}}' }}" ++ - name: Insert the line in /etc/audit/audit.rules ++ lineinfile: ++ path: "/etc/audit/audit.rules" ++ line: "{{ tmpline }}" ++ create: true ++ state: present ++ when: audit_syscalls_matched_64_audit_rules < audit_syscalls_number_of_syscalls and audit_arch is defined and audit_arch == 'b64' ++{{% endif %}} ++{{%- endmacro %}} + +From afefec951b00a9b068a3a9c7fe9e22c6b73c79b1 Mon Sep 17 00:00:00 2001 +From: Vojtech Polasek +Date: Mon, 27 Apr 2020 14:51:40 +0200 +Subject: [PATCH 2/7] use macro in example rule + +--- + .../ansible/shared.yml | 167 +----------------- + 1 file changed, 4 insertions(+), 163 deletions(-) + +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/ansible/shared.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/ansible/shared.yml +index 9d028a598d..ac448523c6 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/ansible/shared.yml ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/ansible/shared.yml +@@ -4,166 +4,7 @@ + # complexity = low + # disruption = low + +-# +-# What architecture are we on? +-# +-- name: Set architecture for audit modules tasks +- set_fact: +- audit_arch: "b{{ ansible_architecture | regex_replace('.*(\\d\\d$)','\\1') }}" +- +-- name: Declare list of syscals +- set_fact: +- syscalls: +- - "init_module" +- - "delete_module" +- {{% if product != "rhel6" %}} +- - "finit_module" +- {{% endif %}} +- +-- name: Declare number of syscalls +- set_fact: audit_kernel_number_of_syscalls="{{ syscalls|length|int }}" +- +-# +-#rules in /etc/audit/rules.d/* +-# +- +-- name: Check existence of syscalls for 32 bit architecture in /etc/audit/rules.d/ +- find: +- paths: "/etc/audit/rules.d" +- contains: '^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+{{ item }}[\s]+|([\s]+|[,]){{ item }}([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$' +- patterns: "*.rules" +- register: audit_kernel_found_32_rules_d +- loop: "{{ syscalls }}" +- +-- name: Get number of matched 32 bit syscalls in /etc/audit/rules.d/ +- set_fact: audit_kernel_matched_32_rules_d="{{audit_kernel_found_32_rules_d.results|sum(attribute='matched')|int }}" +- +-- name: Check existence of syscalls for 64 bit architecture in /etc/audit/rules.d/ +- find: +- paths: "/etc/audit/rules.d" +- contains: '^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+{{ item }}[\s]+|([\s]+|[,]){{ item }}([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$' +- patterns: "*.rules" +- register: audit_kernel_found_64_rules_d +- loop: "{{ syscalls }}" +- +-- name: Get number of matched 64 bit syscalls in /etc/audit/rules.d/ +- set_fact: audit_kernel_matched_64_rules_d="{{audit_kernel_found_64_rules_d.results|sum(attribute='matched')|int }}" +- +-- name: Search /etc/audit/rules.d for other kernel module loading audit rules +- find: +- paths: "/etc/audit/rules.d" +- recurse: no +- contains: "(-F key=modules)|(-k modules)$" +- patterns: "*.rules" +- register: find_modules +- +-- name: Use /etc/audit/rules.d/modules.rules as the recipient for the rule +- set_fact: +- all_files: +- - /etc/audit/rules.d/modules.rules +- when: find_modules.matched is defined and find_modules.matched == 0 +- +-- name: Use matched file as the recipient for the rule +- set_fact: +- all_files: +- - "{{ find_modules.files | map(attribute='path') | list | first }}" +- when: find_modules.matched is defined and find_modules.matched > 0 +- +-- name: "Insert the modules rule in {{ all_files[0] }} when on x86" +- block: +- - name: "Construct rule: add rule list, action and arch" +- set_fact: tmpline="-a always,exit -F arch=b32 " +- - name: "Construct rule: add syscalls" +- set_fact: tmpline="{{tmpline + '-S ' + item.item + ' ' }}" +- loop: "{{ audit_kernel_found_32_rules_d.results }}" +- when: item.matched is defined and item.matched == 0 +- - name: "Construct rule: add key" +- set_fact: tmpline="{{ tmpline + '-k modules' }}" +- - name: "Insert the line in {{ all_files[0] }}" +- lineinfile: +- path: "{{ all_files[0] }}" +- line: "{{ tmpline }}" +- create: true +- state: present +- when: audit_kernel_matched_32_rules_d < audit_kernel_number_of_syscalls +- +-- name: "Insert the modules rule in {{ all_files[0] }} when on x86_64" +- block: +- - name: "Construct rule: add rule list, action and arch" +- set_fact: tmpline="-a always,exit -F arch=b64 " +- - name: "Construct rule: add syscalls" +- set_fact: tmpline="{{tmpline + '-S ' + item.item + ' ' }}" +- loop: "{{ audit_kernel_found_64_rules_d.results }}" +- when: item.matched is defined and item.matched == 0 +- - name: "Construct rule: add key" +- set_fact: tmpline="{{ tmpline + '-k modules' }}" +- - name: "Insert the line in {{ all_files[0] }}" +- lineinfile: +- path: "{{ all_files[0] }}" +- line: "{{ tmpline }}" +- create: true +- state: present +- when: audit_kernel_matched_64_rules_d < audit_kernel_number_of_syscalls and audit_arch is defined and audit_arch == 'b64' +- +- +-# +-# rules in /etc/audit/audit.rules +-# +- +-- name: Check existence of syscalls for 32 bit architecture in /etc/audit/audit.rules +- find: +- paths: "/etc/audit" +- contains: '^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+{{ item }}[\s]+|([\s]+|[,]){{ item }}([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$' +- patterns: "audit.rules" +- register: audit_kernel_found_32_audit_rules +- loop: "{{ syscalls }}" +- +-- name: Get number of matched 32 bit syscalls in /etc/audit/audit.rules +- set_fact: audit_kernel_matched_32_audit_rules="{{audit_kernel_found_32_audit_rules.results|sum(attribute='matched')|int }}" +- +-- name: Check existence of syscalls for 64 bit architecture in /etc/audit/audit.rules +- find: +- paths: "/etc/audit" +- contains: '^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+{{ item }}[\s]+|([\s]+|[,]){{ item }}([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$' +- patterns: "audit.rules" +- register: audit_kernel_found_64_audit_rules +- loop: "{{ syscalls }}" +- +-- name: Get number of matched 64 bit syscalls in /etc/audit/rules.d/* +- set_fact: audit_kernel_matched_64_audit_rules="{{audit_kernel_found_64_audit_rules.results|sum(attribute='matched')|int }}" +- +-- name: Insert the modules rule in /etc/audit/audit.rules when on x86 +- block: +- - name: "Construct rule: add rule list, action and arch" +- set_fact: tmpline="-a always,exit -F arch=b32 " +- - name: "Construct rule: add syscalls" +- set_fact: tmpline="{{tmpline + '-S ' + item.item + ' ' }}" +- loop: "{{ audit_kernel_found_32_audit_rules.results }}" +- when: item.matched is defined and item.matched == 0 +- - name: "Construct rule: add key" +- set_fact: tmpline="{{ tmpline + '-k modules' }}" +- - name: Insert the line in /etc/audit/audit.rules +- lineinfile: +- path: "/etc/audit/audit.rules" +- line: "{{ tmpline }}" +- create: true +- state: present +- when: audit_kernel_matched_32_audit_rules < audit_kernel_number_of_syscalls +- +-- name: Insert the modules rule in /etc/audit/rules.d when on x86_64 +- block: +- - name: "Construct rule: add rule list, action and arch" +- set_fact: tmpline="-a always,exit -F arch=b64 " +- - name: "Construct rule: add syscalls" +- set_fact: tmpline="{{tmpline + '-S ' + item.item + ' ' }}" +- loop: "{{ audit_kernel_found_64_audit_rules.results }}" +- when: item.matched is defined and item.matched == 0 +- - name: "Construct rule: add key" +- set_fact: tmpline="{{ tmpline + '-k modules' }}" +- - name: Insert the line in /etc/audit/audit.rules +- lineinfile: +- path: "/etc/audit/audit.rules" +- line: "{{ tmpline }}" +- create: true +- state: present +- when: audit_kernel_matched_64_audit_rules < audit_kernel_number_of_syscalls and audit_arch is defined and audit_arch == 'b64' ++{{{ ansible_audit_augenrules_add_syscall_rule(arch="32", syscalls=["init_module", "finit_module", "delete_module"], key="modules") }}} ++{{{ ansible_audit_augenrules_add_syscall_rule(arch="64", syscalls=["init_module", "finit_module", "delete_module"], key="modules") }}} ++{{{ ansible_audit_auditctl_add_syscall_rule(arch="32", syscalls=["init_module", "finit_module", "delete_module"], key="modules") }}} ++{{{ ansible_audit_auditctl_add_syscall_rule(arch="64", syscalls=["init_module", "finit_module", "delete_module"], key="modules") }}} + +From 08504829c3ef3cda866425986b60df0d457d59cd Mon Sep 17 00:00:00 2001 +From: Vojtech Polasek +Date: Mon, 27 Apr 2020 16:14:56 +0200 +Subject: [PATCH 3/7] add documentation, fix task naming + +--- + shared/macros-ansible.jinja | 24 ++++++++++++++++++++---- + 1 file changed, 20 insertions(+), 4 deletions(-) + +diff --git a/shared/macros-ansible.jinja b/shared/macros-ansible.jinja +index 7ccab981d2..a61ca4528d 100644 +--- a/shared/macros-ansible.jinja ++++ b/shared/macros-ansible.jinja +@@ -347,6 +347,15 @@ The macro requires following parameters: + when: find_existing_watch_audit_rules.matched is defined and find_existing_watch_audit_rules.matched == 0 + {{%- endmacro %}} + ++{{# ++The following macro remediates Audit syscall rule in /etc/audit/rules.d directory. ++The macro requires following parameters: ++- arch: must be 32 or 64, this distinguishes the architecture (32 bit or 64 bit). Rules for appropriate architecture will be used. ++- syscalls: list of syscalls supplied as a list ["syscall1", "syscall2"] etc. ++- key: a key to use as rule identifier. ++Note that if there already exists a rule wit the same key in the /etc/audit/rules.d directory, the rule will be placed in the same file. ++#}} ++ + {{% macro ansible_audit_augenrules_add_syscall_rule(arch="", syscalls=[], key="") -%}} + # + # What architecture are we on? +@@ -406,7 +415,7 @@ The macro requires following parameters: + - "{{ find_syscalls_files.files | map(attribute='path') | list | first }}" + when: find_syscalls_files.matched is defined and find_syscalls_files.matched > 0 + +-- name: "Insert the modules rule in {{ all_files[0] }} when on x86" ++- name: "Insert the syscall rule in {{ all_files[0] }} when on x86" + block: + - name: "Construct rule: add rule list, action and arch" + set_fact: tmpline="-a always,exit -F arch=b32 " +@@ -425,7 +434,7 @@ The macro requires following parameters: + when: audit_syscalls_matched_32_rules_d < audit_syscalls_number_of_syscalls + + {{% if arch == "64" %}} +-- name: "Insert the modules rule in {{ all_files[0] }} when on x86_64" ++- name: "Insert the syscall rule in {{ all_files[0] }} when on x86_64" + block: + - name: "Construct rule: add rule list, action and arch" + set_fact: tmpline="-a always,exit -F arch=b64 " +@@ -445,6 +454,13 @@ The macro requires following parameters: + {{% endif %}} + {{%- endmacro %}} + ++{{# ++The following macro remediates Audit syscall rule in /etc/audit/audit.rules file. ++The macro requires following parameters: ++- arch: must be 32 or 64, this distinguishes the architecture (32 bit or 64 bit). Rules for appropriate architecture will be used. ++- syscalls: list of syscalls supplied as a list ["syscall1", "syscall2"] etc. ++- key: a key to use as rule identifier. ++#}} + {{% macro ansible_audit_auditctl_add_syscall_rule(arch="", syscalls=[], key="") -%}} + # + # What architecture are we on? +@@ -484,7 +500,7 @@ The macro requires following parameters: + set_fact: audit_syscalls_matched_64_audit_rules="{{audit_syscalls_found_64_audit_rules.results|sum(attribute='matched')|int }}" + {{% endif %}} + +-- name: Insert the modules rule in /etc/audit/audit.rules when on x86 ++- name: Insert the syscall rule in /etc/audit/audit.rules when on x86 + block: + - name: "Construct rule: add rule list, action and arch" + set_fact: tmpline="-a always,exit -F arch=b32 " +@@ -503,7 +519,7 @@ The macro requires following parameters: + when: audit_syscalls_matched_32_audit_rules < audit_syscalls_number_of_syscalls + + {{% if arch == "64" %}} +-- name: Insert the modules rule in /etc/audit/rules.d when on x86_64 ++- name: Insert the syscall rule in /etc/audit/rules.d when on x86_64 + block: + - name: "Construct rule: add rule list, action and arch" + set_fact: tmpline="-a always,exit -F arch=b64 " + +From 7b5a2f5efd8c39aee066eb8c59e034612129f00a Mon Sep 17 00:00:00 2001 +From: Vojtech Polasek +Date: Tue, 28 Apr 2020 11:31:40 +0200 +Subject: [PATCH 4/7] remove arch argument from macros + +modify the example rule +add rhel6 condition to the rule +--- + .../ansible/shared.yml | 11 +++++++---- + shared/macros-ansible.jinja | 18 ++++++------------ + 2 files changed, 13 insertions(+), 16 deletions(-) + +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/ansible/shared.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/ansible/shared.yml +index ac448523c6..3b16dd1989 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/ansible/shared.yml ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/ansible/shared.yml +@@ -4,7 +4,10 @@ + # complexity = low + # disruption = low + +-{{{ ansible_audit_augenrules_add_syscall_rule(arch="32", syscalls=["init_module", "finit_module", "delete_module"], key="modules") }}} +-{{{ ansible_audit_augenrules_add_syscall_rule(arch="64", syscalls=["init_module", "finit_module", "delete_module"], key="modules") }}} +-{{{ ansible_audit_auditctl_add_syscall_rule(arch="32", syscalls=["init_module", "finit_module", "delete_module"], key="modules") }}} +-{{{ ansible_audit_auditctl_add_syscall_rule(arch="64", syscalls=["init_module", "finit_module", "delete_module"], key="modules") }}} ++{{% if product == "rhel6" %}} ++{{{ ansible_audit_augenrules_add_syscall_rule(syscalls=["init_module", "delete_module"], key="modules") }}} ++{{{ ansible_audit_auditctl_add_syscall_rule(syscalls=["init_module", "delete_module"], key="modules") }}} ++{{% else %}} ++{{{ ansible_audit_augenrules_add_syscall_rule(syscalls=["init_module", "finit_module", "delete_module"], key="modules") }}} ++{{{ ansible_audit_auditctl_add_syscall_rule(syscalls=["init_module", "finit_module", "delete_module"], key="modules") }}} ++{{% endif %}} +diff --git a/shared/macros-ansible.jinja b/shared/macros-ansible.jinja +index a61ca4528d..09b80bf114 100644 +--- a/shared/macros-ansible.jinja ++++ b/shared/macros-ansible.jinja +@@ -350,13 +350,14 @@ The macro requires following parameters: + {{# + The following macro remediates Audit syscall rule in /etc/audit/rules.d directory. + The macro requires following parameters: +-- arch: must be 32 or 64, this distinguishes the architecture (32 bit or 64 bit). Rules for appropriate architecture will be used. + - syscalls: list of syscalls supplied as a list ["syscall1", "syscall2"] etc. + - key: a key to use as rule identifier. + Note that if there already exists a rule wit the same key in the /etc/audit/rules.d directory, the rule will be placed in the same file. ++The rule determines the architecture of the system and apply appropriate remediations. ++It utilizes b32 for X86 architecture and both b32 and b64 for x86_64 architecture. + #}} + +-{{% macro ansible_audit_augenrules_add_syscall_rule(arch="", syscalls=[], key="") -%}} ++{{% macro ansible_audit_augenrules_add_syscall_rule(syscalls=[], key="") -%}} + # + # What architecture are we on? + # +@@ -382,7 +383,6 @@ Note that if there already exists a rule wit the same key in the /etc/audit/rul + - name: Get number of matched 32 bit syscalls in /etc/audit/rules.d/ + set_fact: audit_syscalls_matched_32_rules_d="{{audit_syscalls_found_32_rules_d.results|sum(attribute='matched')|int }}" + +-{{% if arch == "64" %}} + - name: Check existence of syscalls for 64 bit architecture in /etc/audit/rules.d/ + find: + paths: "/etc/audit/rules.d" +@@ -393,7 +393,6 @@ Note that if there already exists a rule wit the same key in the /etc/audit/rul + + - name: Get number of matched 64 bit syscalls in /etc/audit/rules.d/ + set_fact: audit_syscalls_matched_64_rules_d="{{audit_syscalls_found_64_rules_d.results|sum(attribute='matched')|int }}" +-{{% endif %}} + + - name: Search /etc/audit/rules.d for other rules with the key {{{ key }}} + find: +@@ -433,7 +432,6 @@ Note that if there already exists a rule wit the same key in the /etc/audit/rul + state: present + when: audit_syscalls_matched_32_rules_d < audit_syscalls_number_of_syscalls + +-{{% if arch == "64" %}} + - name: "Insert the syscall rule in {{ all_files[0] }} when on x86_64" + block: + - name: "Construct rule: add rule list, action and arch" +@@ -451,17 +449,17 @@ Note that if there already exists a rule wit the same key in the /etc/audit/rul + create: true + state: present + when: audit_syscalls_matched_64_rules_d < audit_syscalls_number_of_syscalls and audit_arch is defined and audit_arch == 'b64' +-{{% endif %}} + {{%- endmacro %}} + + {{# + The following macro remediates Audit syscall rule in /etc/audit/audit.rules file. + The macro requires following parameters: +-- arch: must be 32 or 64, this distinguishes the architecture (32 bit or 64 bit). Rules for appropriate architecture will be used. + - syscalls: list of syscalls supplied as a list ["syscall1", "syscall2"] etc. + - key: a key to use as rule identifier. ++The rule determines the architecture of the system and apply appropriate remediations. ++It utilizes b32 for X86 architecture and both b32 and b64 for x86_64 architecture. + #}} +-{{% macro ansible_audit_auditctl_add_syscall_rule(arch="", syscalls=[], key="") -%}} ++{{% macro ansible_audit_auditctl_add_syscall_rule(syscalls=[], key="") -%}} + # + # What architecture are we on? + # +@@ -487,7 +485,6 @@ The macro requires following parameters: + - name: Get number of matched 32 bit syscalls in /etc/audit/audit.rules + set_fact: audit_syscalls_matched_32_audit_rules="{{audit_syscalls_found_32_audit_rules.results|sum(attribute='matched')|int }}" + +-{{% if arch == "64" %}} + - name: Check existence of syscalls for 64 bit architecture in /etc/audit/audit.rules + find: + paths: "/etc/audit" +@@ -498,7 +495,6 @@ The macro requires following parameters: + + - name: Get number of matched 64 bit syscalls in /etc/audit/rules.d/* + set_fact: audit_syscalls_matched_64_audit_rules="{{audit_syscalls_found_64_audit_rules.results|sum(attribute='matched')|int }}" +-{{% endif %}} + + - name: Insert the syscall rule in /etc/audit/audit.rules when on x86 + block: +@@ -518,7 +514,6 @@ The macro requires following parameters: + state: present + when: audit_syscalls_matched_32_audit_rules < audit_syscalls_number_of_syscalls + +-{{% if arch == "64" %}} + - name: Insert the syscall rule in /etc/audit/rules.d when on x86_64 + block: + - name: "Construct rule: add rule list, action and arch" +@@ -536,5 +531,4 @@ The macro requires following parameters: + create: true + state: present + when: audit_syscalls_matched_64_audit_rules < audit_syscalls_number_of_syscalls and audit_arch is defined and audit_arch == 'b64' +-{{% endif %}} + {{%- endmacro %}} + +From 2d2e18a8f21a076ea31dc91463611359cd220ad5 Mon Sep 17 00:00:00 2001 +From: Vojtech Polasek +Date: Tue, 28 Apr 2020 17:07:19 +0200 +Subject: [PATCH 5/7] add tests for augen-rules + +--- + ...ass.sh => auditctl_syscalls_multiple_per_arg.pass.sh} | 0 + ...arg.pass.sh => auditctl_syscalls_one_per_arg.pass.sh} | 0 + ...ne.pass.sh => auditctl_syscalls_one_per_line.pass.sh} | 0 + ...> auditctl_syscalls_one_per_line_one_missing.fail.sh} | 0 + .../tests/augen_syscalls_multiple_per_arg.pass.sh | 9 +++++++++ + .../tests/augen_syscalls_one_per_arg.pass.sh | 8 ++++++++ + .../tests/augen_syscalls_one_per_line.pass.sh | 7 +++++++ + .../augen_syscalls_one_per_line_one_missing.fail.sh | 7 +++++++ + 8 files changed, 31 insertions(+) + rename linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/tests/{syscalls_multiple_per_arg.pass.sh => auditctl_syscalls_multiple_per_arg.pass.sh} (100%) + rename linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/tests/{syscalls_one_per_arg.pass.sh => auditctl_syscalls_one_per_arg.pass.sh} (100%) + rename linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/tests/{syscalls_one_per_line.pass.sh => auditctl_syscalls_one_per_line.pass.sh} (100%) + rename linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/tests/{syscalls_one_per_line_one_missing.fail.sh => auditctl_syscalls_one_per_line_one_missing.fail.sh} (100%) + create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/tests/augen_syscalls_multiple_per_arg.pass.sh + create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/tests/augen_syscalls_one_per_arg.pass.sh + create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/tests/augen_syscalls_one_per_line.pass.sh + create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/tests/augen_syscalls_one_per_line_one_missing.fail.sh + +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/tests/syscalls_multiple_per_arg.pass.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/tests/auditctl_syscalls_multiple_per_arg.pass.sh +similarity index 100% +rename from linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/tests/syscalls_multiple_per_arg.pass.sh +rename to linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/tests/auditctl_syscalls_multiple_per_arg.pass.sh +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/tests/syscalls_one_per_arg.pass.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/tests/auditctl_syscalls_one_per_arg.pass.sh +similarity index 100% +rename from linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/tests/syscalls_one_per_arg.pass.sh +rename to linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/tests/auditctl_syscalls_one_per_arg.pass.sh +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/tests/syscalls_one_per_line.pass.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/tests/auditctl_syscalls_one_per_line.pass.sh +similarity index 100% +rename from linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/tests/syscalls_one_per_line.pass.sh +rename to linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/tests/auditctl_syscalls_one_per_line.pass.sh +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/tests/syscalls_one_per_line_one_missing.fail.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/tests/auditctl_syscalls_one_per_line_one_missing.fail.sh +similarity index 100% +rename from linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/tests/syscalls_one_per_line_one_missing.fail.sh +rename to linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/tests/auditctl_syscalls_one_per_line_one_missing.fail.sh +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/tests/augen_syscalls_multiple_per_arg.pass.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/tests/augen_syscalls_multiple_per_arg.pass.sh +new file mode 100644 +index 0000000000..c50695a586 +--- /dev/null ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/tests/augen_syscalls_multiple_per_arg.pass.sh +@@ -0,0 +1,9 @@ ++#!/bin/bash ++# profiles = xccdf_org.ssgproject.content_profile_C2S ++ ++ ++rm -f /etc/audit/rules.d/* ++ ++# cut out irrelevant rules for this test ++sed '1,10d' test_audit.rules > /etc/audit/rules.d/test.rules ++sed -i '5,8d' /etc/audit/rules.d/test.rules +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/tests/augen_syscalls_one_per_arg.pass.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/tests/augen_syscalls_one_per_arg.pass.sh +new file mode 100644 +index 0000000000..c086da0b0f +--- /dev/null ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/tests/augen_syscalls_one_per_arg.pass.sh +@@ -0,0 +1,8 @@ ++#!/bin/bash ++# profiles = xccdf_org.ssgproject.content_profile_C2S ++ ++ ++rm -f /etc/audit/rules.d/* ++ ++# cut out irrelevant rules for this test ++sed '1,13d' test_audit.rules > /etc/audit/rules.d/test.rules +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/tests/augen_syscalls_one_per_line.pass.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/tests/augen_syscalls_one_per_line.pass.sh +new file mode 100644 +index 0000000000..76a868ab17 +--- /dev/null ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/tests/augen_syscalls_one_per_line.pass.sh +@@ -0,0 +1,7 @@ ++#!/bin/bash ++# profiles = xccdf_org.ssgproject.content_profile_C2S ++ ++rm -f /etc/audit/rules.d/* ++ ++# cut out irrelevant rules for this test ++sed '11,18d' test_audit.rules > /etc/audit/rules.d/test.rules +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/tests/augen_syscalls_one_per_line_one_missing.fail.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/tests/augen_syscalls_one_per_line_one_missing.fail.sh +new file mode 100644 +index 0000000000..43f3d07e8f +--- /dev/null ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/tests/augen_syscalls_one_per_line_one_missing.fail.sh +@@ -0,0 +1,7 @@ ++#!/bin/bash ++# profiles = xccdf_org.ssgproject.content_profile_C2S ++ ++rm -f /etc/audit/rules.d/* ++ ++# cut out irrelevant rules for this test ++sed -e '11,18d' -e '/.*init.*/d' test_audit.rules > /etc/audit/rules.d/test.rules + +From 6d4065c9dfbf216343b032fd41c4bca605513521 Mon Sep 17 00:00:00 2001 +From: Vojtech Polasek +Date: Tue, 28 Apr 2020 17:07:40 +0200 +Subject: [PATCH 6/7] remove recurse from tasks, fix regex + +--- + shared/macros-ansible.jinja | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/shared/macros-ansible.jinja b/shared/macros-ansible.jinja +index 09b80bf114..e24fa5caa7 100644 +--- a/shared/macros-ansible.jinja ++++ b/shared/macros-ansible.jinja +@@ -397,8 +397,7 @@ It utilizes b32 for X86 architecture and both b32 and b64 for x86_64 architectur + - name: Search /etc/audit/rules.d for other rules with the key {{{ key }}} + find: + paths: "/etc/audit/rules.d" +- recurse: no +- contains: '(-F key=)|(-k\s+){{{ key }}}$' ++ contains: '^.*(?:-F key=|-k\s+){{{ key }}}$' + patterns: "*.rules" + register: find_syscalls_files + + +From 31db4018d4aab3148f48b7afe1743fe6cf5c011d Mon Sep 17 00:00:00 2001 +From: Vojtech Polasek +Date: Tue, 28 Apr 2020 17:19:52 +0200 +Subject: [PATCH 7/7] remove mention of modules from task description + +--- + shared/macros-ansible.jinja | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/shared/macros-ansible.jinja b/shared/macros-ansible.jinja +index e24fa5caa7..f54f73e866 100644 +--- a/shared/macros-ansible.jinja ++++ b/shared/macros-ansible.jinja +@@ -361,7 +361,7 @@ It utilizes b32 for X86 architecture and both b32 and b64 for x86_64 architectur + # + # What architecture are we on? + # +-- name: Set architecture for audit modules tasks ++- name: Set architecture for audit tasks + set_fact: + audit_arch: "b{{ ansible_architecture | regex_replace('.*(\\d\\d$)','\\1') }}" + +@@ -462,7 +462,7 @@ It utilizes b32 for X86 architecture and both b32 and b64 for x86_64 architectur + # + # What architecture are we on? + # +-- name: Set architecture for audit modules tasks ++- name: Set architecture for audit tasks + set_fact: + audit_arch: "b{{ ansible_architecture | regex_replace('.*(\\d\\d$)','\\1') }}" + diff --git a/SOURCES/scap-security-guide-0.1.50-add_ansible_macro_watch_rule_PR_5658.patch b/SOURCES/scap-security-guide-0.1.50-add_ansible_macro_watch_rule_PR_5658.patch new file mode 100644 index 0000000..1b2146d --- /dev/null +++ b/SOURCES/scap-security-guide-0.1.50-add_ansible_macro_watch_rule_PR_5658.patch @@ -0,0 +1,336 @@ +From dbb2a306a3f3b1ec10fd331f48ea1e094a0359f8 Mon Sep 17 00:00:00 2001 +From: Vojtech Polasek +Date: Fri, 24 Apr 2020 13:19:17 +0200 +Subject: [PATCH 1/4] add macro for ansible remediation of audit watches + +--- + shared/macros-ansible.jinja | 54 +++++++++++++++++++++++++++++++++++++ + 1 file changed, 54 insertions(+) + +diff --git a/shared/macros-ansible.jinja b/shared/macros-ansible.jinja +index b020246ef2..4fc381f5e0 100644 +--- a/shared/macros-ansible.jinja ++++ b/shared/macros-ansible.jinja +@@ -277,3 +277,57 @@ regex_replace("\(n\)\*", "\\n") + {{% macro ansible_deregexify_banner_backslash() -%}} + regex_replace("\\", "") + {{%- endmacro %}} ++ ++{{% macro remediate_audit_watch_rules_d(path='', permissions='', key='') -%}} ++- name: Check if rule already exists in /etc/audit/rules.d/* ++ find: ++ paths: "/etc/audit/rules.d" ++ recurse: no ++ contains: '^\s*-w\s+{{{ path }}}\s+-p\s+{{{ permissions }}}(\s|$)+' ++ patterns: "*.rules" ++ register: find_existing_mac_rules_d ++- name: Search /etc/audit/rules.d for other rules with specified key ++ find: ++ paths: "/etc/audit/rules.d" ++ recurse: no ++ contains: "^.*(-F key=)(|-k ){{{ key }}}$" ++ patterns: "*.rules" ++ register: find_mac_key ++ when: find_existing_mac_rules_d.matched is defined and find_existing_mac_rules_d.matched == 0 ++ ++- name: If existing ruleset with key {{{ key }}} not found, use /etc/audit/rules.d/{{{ key }}}.rules as the recipient for the rule ++ set_fact: ++ all_files: ++ - /etc/audit/rules.d/{{{ key }}}.rules ++ when: find_mac_key.matched is defined and find_mac_key.matched == 0 and find_existing_mac_rules_d.matched is defined and find_existing_mac_rules_d.matched == 0 ++ ++- name: Use matched file as the recipient for the rule ++ set_fact: ++ all_files: ++ - "{{ find_mac_key.files | map(attribute='path') | list | first }}" ++ when: find_mac_key.matched is defined and find_mac_key.matched > 0 and find_existing_mac_rules_d.matched is defined and find_existing_mac_rules_d.matched == 0 ++ ++- name: Inserts/replaces the rule in rules.d ++ lineinfile: ++ path: "{{ all_files[0] }}" ++ line: "-w {{{ path }}} -p {{{ permissions }}} -k {{{ key }}}" ++ create: yes ++ when: find_existing_mac_rules_d.matched is defined and find_existing_mac_rules_d.matched == 0 ++{{%- endmacro %}} ++ ++{{% macro remediate_audit_watch_audit_rules(path='', permissions='', key='') -%}} ++- name: Check if rule already exists in /etc/audit/audit.rules ++ find: ++ paths: "/etc/audit/" ++ contains: '^\s*-w\s+{{{ path }}}\s+-p\s+{{{ permissions }}}(\s|$)+' ++ patterns: "audit.rules" ++ register: find_existing_mac_audit_rules ++ ++- name: Inserts/replaces the MAC modifications rule in /etc/audit/audit.rules ++ lineinfile: ++ line: "-w {{{ path }}} -p {{{ permissions }}} -k {{{ key }}}" ++ state: present ++ dest: /etc/audit/audit.rules ++ create: yes ++ when: find_existing_mac_audit_rules.matched is defined and find_existing_mac_audit_rules.matched == 0 ++{{%- endmacro %}} + +From e0b54991b9e299b47f2a40c873b5661cff69fe93 Mon Sep 17 00:00:00 2001 +From: Vojtech Polasek +Date: Fri, 24 Apr 2020 13:19:42 +0200 +Subject: [PATCH 2/4] switch example rule to macro + +--- + .../ansible/shared.yml | 63 +------------------ + 1 file changed, 2 insertions(+), 61 deletions(-) + +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_mac_modification/ansible/shared.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_mac_modification/ansible/shared.yml +index 65d935c8f4..779db85509 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_mac_modification/ansible/shared.yml ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_mac_modification/ansible/shared.yml +@@ -4,65 +4,6 @@ + # complexity = low + # disruption = low + +-# +-# check if rules already exist +-# ++{{{ remediate_audit_watch_rules_d(path="/etc/selinux/", permissions="wa", key="MAC-policy") }}} + +-- name: Check if rule already exists in /etc/audit/rules.d/* +- find: +- paths: "/etc/audit/rules.d" +- recurse: no +- contains: '^\s*-w\s+/etc/selinux/\s+-p\s+wa(\s|$)+' +- patterns: "*.rules" +- register: find_existing_mac_rules_d +- +-- name: Check if rule already exists in /etc/audit/audit.rules +- find: +- paths: "/etc/audit/" +- contains: '^\s*-w\s+/etc/selinux/\s+-p\s+wa(\s|$)+' +- patterns: "audit.rules" +- register: find_existing_mac_audit_rules +- +- +-# +-# Inserts/replaces the rule in /etc/audit/rules.d +-# +-- name: Search /etc/audit/rules.d for other rules with MAC-policy key +- find: +- paths: "/etc/audit/rules.d" +- recurse: no +- contains: "-k MAC-policy$" +- patterns: "*.rules" +- register: find_mac_key +- when: find_existing_mac_rules_d.matched is defined and find_existing_mac_rules_d.matched == 0 +- +-- name: If existing MAC modification ruleset not found, use /etc/audit/rules.d/MAC-policy.rules as the recipient for the rule +- set_fact: +- all_files: +- - /etc/audit/rules.d/MAC-policy.rules +- when: find_mac_key.matched is defined and find_mac_key.matched == 0 and find_existing_mac_rules_d.matched is defined and find_existing_mac_rules_d.matched == 0 +- +-- name: Use matched file as the recipient for the rule +- set_fact: +- all_files: +- - "{{ find_mac_key.files | map(attribute='path') | list | first }}" +- when: find_mac_key.matched is defined and find_mac_key.matched > 0 and find_existing_mac_rules_d.matched is defined and find_existing_mac_rules_d.matched == 0 +- +-- name: Inserts/replaces the MAC modification rule in rules.d +- lineinfile: +- path: "{{ all_files[0] }}" +- line: "-w /etc/selinux/ -p wa -k MAC-policy" +- create: yes +- when: find_existing_mac_rules_d.matched is defined and find_existing_mac_rules_d.matched == 0 +- +- +-# +-# Inserts/replaces the rule in /etc/audit/audit.rules +-# +-- name: Inserts/replaces the MAC modifications rule in /etc/audit/audit.rules +- lineinfile: +- line: "-w /etc/selinux/ -p wa -k MAC-policy" +- state: present +- dest: /etc/audit/audit.rules +- create: yes +- when: find_existing_mac_audit_rules.matched is defined and find_existing_mac_audit_rules.matched == 0 ++{{{ remediate_audit_watch_audit_rules(path="/etc/selinux/", permissions="wa", key="MAC-policy") }}} + +From 127e93d8a2159911e95778394373e491ee0896b3 Mon Sep 17 00:00:00 2001 +From: Vojtech Polasek +Date: Fri, 24 Apr 2020 14:57:54 +0200 +Subject: [PATCH 3/4] add documentation, rename variables + +--- + shared/macros-ansible.jinja | 37 ++++++++++++++++++++++++++----------- + 1 file changed, 26 insertions(+), 11 deletions(-) + +diff --git a/shared/macros-ansible.jinja b/shared/macros-ansible.jinja +index 4fc381f5e0..2b88d3c8b6 100644 +--- a/shared/macros-ansible.jinja ++++ b/shared/macros-ansible.jinja +@@ -277,7 +277,14 @@ regex_replace("\(n\)\*", "\\n") + {{% macro ansible_deregexify_banner_backslash() -%}} + regex_replace("\\", "") + {{%- endmacro %}} +- ++{{# ++The following macro remediates one audit watch rule in /etc/audit/rules.d directory. ++The macro requires following parameters: ++- path: path to watch ++- permissions: permissions changes to watch for ++- key: key to use as identifier. Note that if there exists any other rule with the same find_mac_key ++in some file within /etc/audit/rules.d/, the new rule will be appended to this file. ++#}} + {{% macro remediate_audit_watch_rules_d(path='', permissions='', key='') -%}} + - name: Check if rule already exists in /etc/audit/rules.d/* + find: +@@ -285,49 +292,57 @@ regex_replace("\\", "") + recurse: no + contains: '^\s*-w\s+{{{ path }}}\s+-p\s+{{{ permissions }}}(\s|$)+' + patterns: "*.rules" +- register: find_existing_mac_rules_d ++ register: find_existing_watch_rules_d ++ + - name: Search /etc/audit/rules.d for other rules with specified key + find: + paths: "/etc/audit/rules.d" + recurse: no + contains: "^.*(-F key=)(|-k ){{{ key }}}$" + patterns: "*.rules" +- register: find_mac_key +- when: find_existing_mac_rules_d.matched is defined and find_existing_mac_rules_d.matched == 0 ++ register: find_watch_key ++ when: find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0 + + - name: If existing ruleset with key {{{ key }}} not found, use /etc/audit/rules.d/{{{ key }}}.rules as the recipient for the rule + set_fact: + all_files: + - /etc/audit/rules.d/{{{ key }}}.rules +- when: find_mac_key.matched is defined and find_mac_key.matched == 0 and find_existing_mac_rules_d.matched is defined and find_existing_mac_rules_d.matched == 0 ++ when: find_watch_key.matched is defined and find_watch_key.matched == 0 and find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0 + + - name: Use matched file as the recipient for the rule + set_fact: + all_files: +- - "{{ find_mac_key.files | map(attribute='path') | list | first }}" +- when: find_mac_key.matched is defined and find_mac_key.matched > 0 and find_existing_mac_rules_d.matched is defined and find_existing_mac_rules_d.matched == 0 ++ - "{{ find_watch_key.files | map(attribute='path') | list | first }}" ++ when: find_watch_key.matched is defined and find_watch_key.matched > 0 and find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0 + + - name: Inserts/replaces the rule in rules.d + lineinfile: + path: "{{ all_files[0] }}" + line: "-w {{{ path }}} -p {{{ permissions }}} -k {{{ key }}}" + create: yes +- when: find_existing_mac_rules_d.matched is defined and find_existing_mac_rules_d.matched == 0 ++ when: find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0 + {{%- endmacro %}} + ++{{# ++The following macro remediates one audit watch rule in /etc/audit/audit.rules. ++The macro requires following parameters: ++- path: path to watch ++- permissions: permissions changes to watch for ++- key: key to use as identifier. ++#}} + {{% macro remediate_audit_watch_audit_rules(path='', permissions='', key='') -%}} + - name: Check if rule already exists in /etc/audit/audit.rules + find: + paths: "/etc/audit/" + contains: '^\s*-w\s+{{{ path }}}\s+-p\s+{{{ permissions }}}(\s|$)+' + patterns: "audit.rules" +- register: find_existing_mac_audit_rules ++ register: find_existing_watch_audit_rules + +-- name: Inserts/replaces the MAC modifications rule in /etc/audit/audit.rules ++- name: Inserts/replaces the rule in /etc/audit/audit.rules + lineinfile: + line: "-w {{{ path }}} -p {{{ permissions }}} -k {{{ key }}}" + state: present + dest: /etc/audit/audit.rules + create: yes +- when: find_existing_mac_audit_rules.matched is defined and find_existing_mac_audit_rules.matched == 0 ++ when: find_existing_watch_audit_rules.matched is defined and find_existing_watch_audit_rules.matched == 0 + {{%- endmacro %}} + +From 46f058b7a9048a4c97651df1e8708c8d928a7618 Mon Sep 17 00:00:00 2001 +From: Vojtech Polasek +Date: Mon, 27 Apr 2020 09:17:11 +0200 +Subject: [PATCH 4/4] rename macros, fix task names + +--- + .../ansible/shared.yml | 4 ++-- + shared/macros-ansible.jinja | 16 ++++++++-------- + 2 files changed, 10 insertions(+), 10 deletions(-) + +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_mac_modification/ansible/shared.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_mac_modification/ansible/shared.yml +index 779db85509..4633be5a18 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_mac_modification/ansible/shared.yml ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_mac_modification/ansible/shared.yml +@@ -4,6 +4,6 @@ + # complexity = low + # disruption = low + +-{{{ remediate_audit_watch_rules_d(path="/etc/selinux/", permissions="wa", key="MAC-policy") }}} ++{{{ ansible_audit_augenrules_add_watch_rule(path="/etc/selinux/", permissions="wa", key="MAC-policy") }}} + +-{{{ remediate_audit_watch_audit_rules(path="/etc/selinux/", permissions="wa", key="MAC-policy") }}} ++{{{ ansible_audit_auditctl_add_watch_rule(path="/etc/selinux/", permissions="wa", key="MAC-policy") }}} +diff --git a/shared/macros-ansible.jinja b/shared/macros-ansible.jinja +index 2b88d3c8b6..884b562ae4 100644 +--- a/shared/macros-ansible.jinja ++++ b/shared/macros-ansible.jinja +@@ -285,8 +285,8 @@ The macro requires following parameters: + - key: key to use as identifier. Note that if there exists any other rule with the same find_mac_key + in some file within /etc/audit/rules.d/, the new rule will be appended to this file. + #}} +-{{% macro remediate_audit_watch_rules_d(path='', permissions='', key='') -%}} +-- name: Check if rule already exists in /etc/audit/rules.d/* ++{{% macro ansible_audit_augenrules_add_watch_rule(path='', permissions='', key='') -%}} ++- name: Check if watch rule for {{{ path }}} already exists in /etc/audit/rules.d/ + find: + paths: "/etc/audit/rules.d" + recurse: no +@@ -294,7 +294,7 @@ in some file within /etc/audit/rules.d/, the new rule will be appended to this f + patterns: "*.rules" + register: find_existing_watch_rules_d + +-- name: Search /etc/audit/rules.d for other rules with specified key ++- name: Search /etc/audit/rules.d for other rules with specified key {{{ key }}} + find: + paths: "/etc/audit/rules.d" + recurse: no +@@ -303,7 +303,7 @@ in some file within /etc/audit/rules.d/, the new rule will be appended to this f + register: find_watch_key + when: find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0 + +-- name: If existing ruleset with key {{{ key }}} not found, use /etc/audit/rules.d/{{{ key }}}.rules as the recipient for the rule ++- name: Use /etc/audit/rules.d/{{{ key }}}.rules as the recipient for the rule + set_fact: + all_files: + - /etc/audit/rules.d/{{{ key }}}.rules +@@ -315,7 +315,7 @@ in some file within /etc/audit/rules.d/, the new rule will be appended to this f + - "{{ find_watch_key.files | map(attribute='path') | list | first }}" + when: find_watch_key.matched is defined and find_watch_key.matched > 0 and find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0 + +-- name: Inserts/replaces the rule in rules.d ++- name: Add watch rule for {{{ path }}} in /etc/audit/rules.d/ + lineinfile: + path: "{{ all_files[0] }}" + line: "-w {{{ path }}} -p {{{ permissions }}} -k {{{ key }}}" +@@ -330,15 +330,15 @@ The macro requires following parameters: + - permissions: permissions changes to watch for + - key: key to use as identifier. + #}} +-{{% macro remediate_audit_watch_audit_rules(path='', permissions='', key='') -%}} +-- name: Check if rule already exists in /etc/audit/audit.rules ++{{% macro ansible_audit_auditctl_add_watch_rule(path='', permissions='', key='') -%}} ++- name: Check if watch rule for {{{ path }}} already exists in /etc/audit/audit.rules + find: + paths: "/etc/audit/" + contains: '^\s*-w\s+{{{ path }}}\s+-p\s+{{{ permissions }}}(\s|$)+' + patterns: "audit.rules" + register: find_existing_watch_audit_rules + +-- name: Inserts/replaces the rule in /etc/audit/audit.rules ++- name: Add watch rule for {{{ path }}} in /etc/audit/audit.rules + lineinfile: + line: "-w {{{ path }}} -p {{{ permissions }}} -k {{{ key }}}" + state: present diff --git a/SOURCES/scap-security-guide-0.1.50-add_ansible_sshd_set_max_auth_tries_PR_5597.patch b/SOURCES/scap-security-guide-0.1.50-add_ansible_sshd_set_max_auth_tries_PR_5597.patch new file mode 100644 index 0000000..90df5b9 --- /dev/null +++ b/SOURCES/scap-security-guide-0.1.50-add_ansible_sshd_set_max_auth_tries_PR_5597.patch @@ -0,0 +1,149 @@ +From dcefd47e94095cbb39059f5d0ec9ef42593ae595 Mon Sep 17 00:00:00 2001 +From: Gabriel Becker +Date: Wed, 15 Apr 2020 17:15:39 +0200 +Subject: [PATCH] Add ansible and bash remediation for rule + sshd_set_max_auth_tries. + +--- + .../ssh_server/sshd_set_max_auth_tries/ansible/shared.yml | 8 ++++++++ + .../ssh/ssh_server/sshd_set_max_auth_tries/bash/shared.sh | 8 ++++++++ + .../ssh/ssh_server/sshd_set_max_auth_tries/rule.yml | 4 ++-- + .../sshd_set_max_auth_tries/tests/comment.fail.sh | 8 ++++++++ + .../sshd_set_max_auth_tries/tests/correct_value.pass.sh | 8 ++++++++ + .../tests/correct_value_less_than.pass.sh | 8 ++++++++ + .../sshd_set_max_auth_tries/tests/line_not_there.fail.sh | 3 +++ + .../sshd_set_max_auth_tries/tests/wrong_value.fail.sh | 8 ++++++++ + rhel7/profiles/cis.profile | 1 + + 9 files changed, 54 insertions(+), 2 deletions(-) + create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/ansible/shared.yml + create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/bash/shared.sh + create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/tests/comment.fail.sh + create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/tests/correct_value.pass.sh + create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/tests/correct_value_less_than.pass.sh + create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/tests/line_not_there.fail.sh + create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/tests/wrong_value.fail.sh + +diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/ansible/shared.yml b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/ansible/shared.yml +new file mode 100644 +index 0000000000..28f3ef0cd2 +--- /dev/null ++++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/ansible/shared.yml +@@ -0,0 +1,8 @@ ++# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv ++# reboot = false ++# strategy = restrict ++# complexity = low ++# disruption = low ++- (xccdf-var sshd_max_auth_tries_value) ++ ++{{{ ansible_sshd_set(parameter="MaxAuthTries", value="{{ sshd_max_auth_tries_value }}") }}} +diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/bash/shared.sh b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/bash/shared.sh +new file mode 100644 +index 0000000000..eebe07158c +--- /dev/null ++++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/bash/shared.sh +@@ -0,0 +1,8 @@ ++# platform = multi_platform_wrlinux,multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle ++ ++# Include source function library. ++. /usr/share/scap-security-guide/remediation_functions ++ ++populate sshd_max_auth_tries_value ++ ++{{{ bash_sshd_config_set(parameter="MaxAuthTries", value="$sshd_max_auth_tries_value") }}} +diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/rule.yml +index 7b5750ee0d..437c4dd8c7 100644 +--- a/linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/rule.yml ++++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/rule.yml +@@ -6,7 +6,7 @@ description: |- + The MaxAuthTries parameter specifies the maximum number of authentication attempts + permitted per connection. Once the number of failures reaches half this value, additional failures are logged. + to set MaxAUthTries edit /etc/ssh/sshd_config as follows: +- 
MaxAuthTries tries
++ 
MaxAuthTries
+ + rationale: |- + Setting the MaxAuthTries parameter to a low number will minimize the risk of successful +@@ -30,4 +30,4 @@ ocil: |- + To ensure the MaxAuthTries parameter is set, run the following command: + 
$ sudo grep MaxAuthTries /etc/ssh/sshd_config
+ If properly configured, output should be: +- 
MaxAuthTries tries
++ 
MaxAuthTries
+diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/tests/comment.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/tests/comment.fail.sh +new file mode 100644 +index 0000000000..caf18a73c6 +--- /dev/null ++++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/tests/comment.fail.sh +@@ -0,0 +1,8 @@ ++#!/bin/bash ++SSHD_CONFIG="/etc/ssh/sshd_config" ++ ++if grep -q "^MaxAuthTries" $SSHD_CONFIG; then ++ sed -i "s/^MaxAuthTries.*/# MaxAuthTries 4/" $SSHD_CONFIG ++else ++ echo "# MaxAuthTries 4" >> $SSHD_CONFIG ++fi +diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/tests/correct_value.pass.sh b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/tests/correct_value.pass.sh +new file mode 100644 +index 0000000000..32233d3a82 +--- /dev/null ++++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/tests/correct_value.pass.sh +@@ -0,0 +1,8 @@ ++#!/bin/bash ++SSHD_CONFIG="/etc/ssh/sshd_config" ++ ++if grep -q "^MaxAuthTries" $SSHD_CONFIG; then ++ sed -i "s/^MaxAuthTries.*/MaxAuthTries 4/" $SSHD_CONFIG ++else ++ echo "MaxAuthTries 4" >> $SSHD_CONFIG ++fi +diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/tests/correct_value_less_than.pass.sh b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/tests/correct_value_less_than.pass.sh +new file mode 100644 +index 0000000000..e98176320d +--- /dev/null ++++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/tests/correct_value_less_than.pass.sh +@@ -0,0 +1,8 @@ ++#!/bin/bash ++SSHD_CONFIG="/etc/ssh/sshd_config" ++ ++if grep -q "^MaxAuthTries" $SSHD_CONFIG; then ++ sed -i "s/^MaxAuthTries.*/MaxAuthTries 2/" $SSHD_CONFIG ++else ++ echo "MaxAuthTries 2" >> $SSHD_CONFIG ++fi +diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/tests/line_not_there.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/tests/line_not_there.fail.sh +new file mode 100644 +index 0000000000..f038aa9be0 +--- /dev/null ++++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/tests/line_not_there.fail.sh +@@ -0,0 +1,3 @@ ++#!/bin/bash ++ ++sed -i "/^MaxAuthTries.*/d" /etc/ssh/sshd_config +diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/tests/wrong_value.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/tests/wrong_value.fail.sh +new file mode 100644 +index 0000000000..79940bded3 +--- /dev/null ++++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/tests/wrong_value.fail.sh +@@ -0,0 +1,8 @@ ++#!/bin/bash ++SSHD_CONFIG="/etc/ssh/sshd_config" ++ ++if grep -q "^MaxAuthTries" $SSHD_CONFIG; then ++ sed -i "s/^MaxAuthTries.*/MaxAuthTries 50/" $SSHD_CONFIG ++else ++ echo "MaxAuthTries 50" >> $SSHD_CONFIG ++fi +diff --git a/rhel7/profiles/cis.profile b/rhel7/profiles/cis.profile +index 2e68e73f34..886e9a963a 100644 +--- a/rhel7/profiles/cis.profile ++++ b/rhel7/profiles/cis.profile +@@ -581,6 +581,7 @@ selections: + - sshd_disable_x11_forwarding + + ### 5.2.5 Ensure SSH MaxAuthTries is set to 4 or less (Scored) ++ - sshd_max_auth_tries_value=4 + - sshd_set_max_auth_tries + + ### 5.2.6 Ensure SSH IgnoreRhosts is enabled (Scored) diff --git a/SOURCES/scap-security-guide-0.1.50-add_arch_support_macro_syscall_PR_5723.patch b/SOURCES/scap-security-guide-0.1.50-add_arch_support_macro_syscall_PR_5723.patch new file mode 100644 index 0000000..2fa39dd --- /dev/null +++ b/SOURCES/scap-security-guide-0.1.50-add_arch_support_macro_syscall_PR_5723.patch @@ -0,0 +1,351 @@ +From 361033952354561b569d0429d0671b30154cbfbd Mon Sep 17 00:00:00 2001 +From: Vojtech Polasek +Date: Wed, 29 Apr 2020 17:01:28 +0200 +Subject: [PATCH 1/4] rewrite macro + +--- + shared/macros-ansible.jinja | 119 +++++++----------------------------- + 1 file changed, 22 insertions(+), 97 deletions(-) + +diff --git a/shared/macros-ansible.jinja b/shared/macros-ansible.jinja +index 8f94f1803a..f9a5b53302 100644 +--- a/shared/macros-ansible.jinja ++++ b/shared/macros-ansible.jinja +@@ -349,21 +349,12 @@ The macro requires following parameters: + {{# + The following macro remediates Audit syscall rule in /etc/audit/rules.d directory. + The macro requires following parameters: ++- arch: an architecture to be used in the Audit rule (b32, b64) + - syscalls: list of syscalls supplied as a list ["syscall1", "syscall2"] etc. + - key: a key to use as rule identifier. + Note that if there already exists a rule wit the same key in the /etc/audit/rules.d directory, the rule will be placed in the same file. +-The rule determines the architecture of the system and apply appropriate remediations. +-It utilizes b32 for X86 architecture and both b32 and b64 for x86_64 architecture. + #}} +- +-{{% macro ansible_audit_augenrules_add_syscall_rule(syscalls=[], key="") -%}} +-# +-# What architecture are we on? +-# +-- name: Set architecture for audit tasks +- set_fact: +- audit_arch: "b{{ ansible_architecture | regex_replace('.*(\\d\\d$)','\\1') }}" +- ++{{% macro ansible_audit_augenrules_add_syscall_rule(arch="", syscalls=[], key="") -%}} + - name: Declare list of syscals + set_fact: + syscalls: {{{ syscalls }}} +@@ -371,27 +362,16 @@ It utilizes b32 for X86 architecture and both b32 and b64 for x86_64 architectur + - name: Declare number of syscalls + set_fact: audit_syscalls_number_of_syscalls="{{ syscalls|length|int }}" + +-- name: Check existence of syscalls for 32 bit architecture in /etc/audit/rules.d/ +- find: +- paths: "/etc/audit/rules.d" +- contains: '^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+{{ item }}[\s]+|([\s]+|[,]){{ item }}([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$' +- patterns: "*.rules" +- register: audit_syscalls_found_32_rules_d +- loop: "{{ syscalls }}" +- +-- name: Get number of matched 32 bit syscalls in /etc/audit/rules.d/ +- set_fact: audit_syscalls_matched_32_rules_d="{{audit_syscalls_found_32_rules_d.results|sum(attribute='matched')|int }}" +- +-- name: Check existence of syscalls for 64 bit architecture in /etc/audit/rules.d/ ++- name: Check existence of syscalls for architecture {{{ arch }}} in /etc/audit/rules.d/ + find: + paths: "/etc/audit/rules.d" +- contains: '^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+{{ item }}[\s]+|([\s]+|[,]){{ item }}([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$' ++ contains: '^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch={{{ arch }}}[\s]+)(?:.*(-S[\s]+{{ item }}[\s]+|([\s]+|[,]){{ item }}([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$' + patterns: "*.rules" +- register: audit_syscalls_found_64_rules_d ++ register: audit_syscalls_found_{{{ arch }}}_rules_d + loop: "{{ syscalls }}" + +-- name: Get number of matched 64 bit syscalls in /etc/audit/rules.d/ +- set_fact: audit_syscalls_matched_64_rules_d="{{audit_syscalls_found_64_rules_d.results|sum(attribute='matched')|int }}" ++- name: Get number of matched syscalls for architecture {{{ arch }}}in /etc/audit/rules.d/ ++ set_fact: audit_syscalls_matched_{{{ arch }}}_rules_d="{{audit_syscalls_found_{{{ arch }}}_rules_d.results|sum(attribute='matched')|int }}" + + - name: Search /etc/audit/rules.d for other rules with the key {{{ key }}} + find: +@@ -412,31 +392,13 @@ It utilizes b32 for X86 architecture and both b32 and b64 for x86_64 architectur + - "{{ find_syscalls_files.files | map(attribute='path') | list | first }}" + when: find_syscalls_files.matched is defined and find_syscalls_files.matched > 0 + +-- name: "Insert the syscall rule in {{ all_files[0] }} when on x86" +- block: +- - name: "Construct rule: add rule list, action and arch" +- set_fact: tmpline="-a always,exit -F arch=b32 " +- - name: "Construct rule: add syscalls" +- set_fact: tmpline="{{tmpline + '-S ' + item.item + ' ' }}" +- loop: "{{ audit_syscalls_found_32_rules_d.results }}" +- when: item.matched is defined and item.matched == 0 +- - name: "Construct rule: add key" +- set_fact: tmpline="{{ tmpline + '-k {{{ key }}}' }}" +- - name: "Insert the line in {{ all_files[0] }}" +- lineinfile: +- path: "{{ all_files[0] }}" +- line: "{{ tmpline }}" +- create: true +- state: present +- when: audit_syscalls_matched_32_rules_d < audit_syscalls_number_of_syscalls +- +-- name: "Insert the syscall rule in {{ all_files[0] }} when on x86_64" ++- name: "Insert the syscall rule in {{ all_files[0] }}" + block: + - name: "Construct rule: add rule list, action and arch" +- set_fact: tmpline="-a always,exit -F arch=b64 " ++ set_fact: tmpline="-a always,exit -F arch={{{ arch }}} " + - name: "Construct rule: add syscalls" + set_fact: tmpline="{{tmpline + '-S ' + item.item + ' ' }}" +- loop: "{{ audit_syscalls_found_64_rules_d.results }}" ++ loop: "{{ audit_syscalls_found_{{{ arch }}}_rules_d.results }}" + when: item.matched is defined and item.matched == 0 + - name: "Construct rule: add key" + set_fact: tmpline="{{ tmpline + '-k {{{ key }}}' }}" +@@ -446,25 +408,17 @@ It utilizes b32 for X86 architecture and both b32 and b64 for x86_64 architectur + line: "{{ tmpline }}" + create: true + state: present +- when: audit_syscalls_matched_64_rules_d < audit_syscalls_number_of_syscalls and audit_arch is defined and audit_arch == 'b64' ++ when: audit_syscalls_matched_{{{ arch }}}_rules_d < audit_syscalls_number_of_syscalls + {{%- endmacro %}} + + {{# + The following macro remediates Audit syscall rule in /etc/audit/audit.rules file. + The macro requires following parameters: ++- arch: an architecture to be used in the Audit rule (b32, b64) + - syscalls: list of syscalls supplied as a list ["syscall1", "syscall2"] etc. + - key: a key to use as rule identifier. +-The rule determines the architecture of the system and apply appropriate remediations. +-It utilizes b32 for X86 architecture and both b32 and b64 for x86_64 architecture. + #}} +-{{% macro ansible_audit_auditctl_add_syscall_rule(syscalls=[], key="") -%}} +-# +-# What architecture are we on? +-# +-- name: Set architecture for audit tasks +- set_fact: +- audit_arch: "b{{ ansible_architecture | regex_replace('.*(\\d\\d$)','\\1') }}" +- ++{{% macro ansible_audit_auditctl_add_syscall_rule(arch="", syscalls=[], key="") -%}} + - name: Declare list of syscals + set_fact: + syscalls: {{{ syscalls }}} +@@ -472,53 +426,24 @@ It utilizes b32 for X86 architecture and both b32 and b64 for x86_64 architectur + - name: Declare number of syscalls + set_fact: audit_syscalls_number_of_syscalls="{{ syscalls|length|int }}" + +-- name: Check existence of syscalls for 32 bit architecture in /etc/audit/audit.rules ++- name: Check existence of syscalls for architecture {{{ arch }}} in /etc/audit/audit.rules + find: + paths: "/etc/audit" +- contains: '^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+{{ item }}[\s]+|([\s]+|[,]){{ item }}([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$' ++ contains: '^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch={{{ arch }}}[\s]+)(?:.*(-S[\s]+{{ item }}[\s]+|([\s]+|[,]){{ item }}([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$' + patterns: "audit.rules" +- register: audit_syscalls_found_32_audit_rules ++ register: audit_syscalls_found_{{{ arch }}}_audit_rules + loop: "{{ syscalls }}" + +-- name: Get number of matched 32 bit syscalls in /etc/audit/audit.rules +- set_fact: audit_syscalls_matched_32_audit_rules="{{audit_syscalls_found_32_audit_rules.results|sum(attribute='matched')|int }}" +- +-- name: Check existence of syscalls for 64 bit architecture in /etc/audit/audit.rules +- find: +- paths: "/etc/audit" +- contains: '^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+{{ item }}[\s]+|([\s]+|[,]){{ item }}([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$' +- patterns: "audit.rules" +- register: audit_syscalls_found_64_audit_rules +- loop: "{{ syscalls }}" +- +-- name: Get number of matched 64 bit syscalls in /etc/audit/rules.d/* +- set_fact: audit_syscalls_matched_64_audit_rules="{{audit_syscalls_found_64_audit_rules.results|sum(attribute='matched')|int }}" +- +-- name: Insert the syscall rule in /etc/audit/audit.rules when on x86 +- block: +- - name: "Construct rule: add rule list, action and arch" +- set_fact: tmpline="-a always,exit -F arch=b32 " +- - name: "Construct rule: add syscalls" +- set_fact: tmpline="{{tmpline + '-S ' + item.item + ' ' }}" +- loop: "{{ audit_syscalls_found_32_audit_rules.results }}" +- when: item.matched is defined and item.matched == 0 +- - name: "Construct rule: add key" +- set_fact: tmpline="{{ tmpline + '-k {{{ key }}}' }}" +- - name: Insert the line in /etc/audit/audit.rules +- lineinfile: +- path: "/etc/audit/audit.rules" +- line: "{{ tmpline }}" +- create: true +- state: present +- when: audit_syscalls_matched_32_audit_rules < audit_syscalls_number_of_syscalls ++- name: Get number of matched syscalls for architecture {{{ arch }}} in /etc/audit/audit.rules ++ set_fact: audit_syscalls_matched_{{{ arch }}}_audit_rules="{{audit_syscalls_found_{{{ arch }}}_audit_rules.results|sum(attribute='matched')|int }}" + +-- name: Insert the syscall rule in /etc/audit/rules.d when on x86_64 ++- name: Insert the syscall rule in /etc/audit/audit.rules + block: + - name: "Construct rule: add rule list, action and arch" +- set_fact: tmpline="-a always,exit -F arch=b64 " ++ set_fact: tmpline="-a always,exit -F arch={{{ arch }}} " + - name: "Construct rule: add syscalls" + set_fact: tmpline="{{tmpline + '-S ' + item.item + ' ' }}" +- loop: "{{ audit_syscalls_found_64_audit_rules.results }}" ++ loop: "{{ audit_syscalls_found_{{{ arch }}}_audit_rules.results }}" + when: item.matched is defined and item.matched == 0 + - name: "Construct rule: add key" + set_fact: tmpline="{{ tmpline + '-k {{{ key }}}' }}" +@@ -528,5 +453,5 @@ It utilizes b32 for X86 architecture and both b32 and b64 for x86_64 architectur + line: "{{ tmpline }}" + create: true + state: present +- when: audit_syscalls_matched_64_audit_rules < audit_syscalls_number_of_syscalls and audit_arch is defined and audit_arch == 'b64' ++ when: audit_syscalls_matched_{{{ arch }}}_audit_rules < audit_syscalls_number_of_syscalls + {{%- endmacro %}} + +From c1b10847d740f289f6be58a1409df6433f1b84d5 Mon Sep 17 00:00:00 2001 +From: Vojtech Polasek +Date: Wed, 29 Apr 2020 17:01:43 +0200 +Subject: [PATCH 2/4] rewrite rule + +--- + .../ansible/shared.yml | 34 +++++++++++++++---- + 1 file changed, 27 insertions(+), 7 deletions(-) + +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/ansible/shared.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/ansible/shared.yml +index 3b16dd1989..d2dcc8c1fe 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/ansible/shared.yml ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/ansible/shared.yml +@@ -3,11 +3,31 @@ + # strategy = restrict + # complexity = low + # disruption = low ++# ++# What architecture are we on? ++# ++- name: Set architecture for audit tasks ++ set_fact: ++ audit_arch: "b{{ ansible_architecture | regex_replace('.*(\\d\\d$)','\\1') }}" + +-{{% if product == "rhel6" %}} +-{{{ ansible_audit_augenrules_add_syscall_rule(syscalls=["init_module", "delete_module"], key="modules") }}} +-{{{ ansible_audit_auditctl_add_syscall_rule(syscalls=["init_module", "delete_module"], key="modules") }}} +-{{% else %}} +-{{{ ansible_audit_augenrules_add_syscall_rule(syscalls=["init_module", "finit_module", "delete_module"], key="modules") }}} +-{{{ ansible_audit_auditctl_add_syscall_rule(syscalls=["init_module", "finit_module", "delete_module"], key="modules") }}} +-{{% endif %}} ++ ++- name: perform remediation of Audit rules for kernel module loading for x86 platform ++ block: ++ {{% if product == "rhel6" %}} ++ {{{ ansible_audit_augenrules_add_syscall_rule(arch="b32", syscalls=["init_module", "delete_module"], key="modules")|indent(4) }}} ++ {{{ ansible_audit_auditctl_add_syscall_rule(arch="b32", syscalls=["init_module", "delete_module"], key="modules")|indent(4) }}} ++ {{% else %}} ++ {{{ ansible_audit_augenrules_add_syscall_rule(arch="b32", syscalls=["init_module", "finit_module", "delete_module"], key="modules")|indent(4) }}} ++ {{{ ansible_audit_auditctl_add_syscall_rule(arch="b32", syscalls=["init_module", "finit_module", "delete_module"], key="modules")|indent(4) }}} ++ {{% endif %}} ++ ++- name: perform remediation of Audit rules for kernel module loading for x86_64 platform ++ block: ++ {{% if product == "rhel6" %}} ++ {{{ ansible_audit_augenrules_add_syscall_rule(arch="b64", syscalls=["init_module", "delete_module"], key="modules")|indent(4) }}} ++ {{{ ansible_audit_auditctl_add_syscall_rule(arch="b64", syscalls=["init_module", "delete_module"], key="modules")|indent(4) }}} ++ {{% else %}} ++ {{{ ansible_audit_augenrules_add_syscall_rule(arch="b64", syscalls=["init_module", "finit_module", "delete_module"], key="modules")|indent(4) }}} ++ {{{ ansible_audit_auditctl_add_syscall_rule(arch="b64", syscalls=["init_module", "finit_module", "delete_module"], key="modules")|indent(4) }}} ++ {{% endif %}} ++ when: audit_arch == "b64" + +From 1505ef7f1632eeb76743410a88b9e50a8f9c44c4 Mon Sep 17 00:00:00 2001 +From: Vojtech Polasek +Date: Wed, 29 Apr 2020 17:15:37 +0200 +Subject: [PATCH 3/4] fix task names + +--- + .../audit_rules_kernel_module_loading/ansible/shared.yml | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/ansible/shared.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/ansible/shared.yml +index d2dcc8c1fe..c80f836b6c 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/ansible/shared.yml ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/ansible/shared.yml +@@ -11,7 +11,7 @@ + audit_arch: "b{{ ansible_architecture | regex_replace('.*(\\d\\d$)','\\1') }}" + + +-- name: perform remediation of Audit rules for kernel module loading for x86 platform ++- name: Perform remediation of Audit rules for kernel module loading for x86 platform + block: + {{% if product == "rhel6" %}} + {{{ ansible_audit_augenrules_add_syscall_rule(arch="b32", syscalls=["init_module", "delete_module"], key="modules")|indent(4) }}} +@@ -21,7 +21,7 @@ + {{{ ansible_audit_auditctl_add_syscall_rule(arch="b32", syscalls=["init_module", "finit_module", "delete_module"], key="modules")|indent(4) }}} + {{% endif %}} + +-- name: perform remediation of Audit rules for kernel module loading for x86_64 platform ++- name: Perform remediation of Audit rules for kernel module loading for x86_64 platform + block: + {{% if product == "rhel6" %}} + {{{ ansible_audit_augenrules_add_syscall_rule(arch="b64", syscalls=["init_module", "delete_module"], key="modules")|indent(4) }}} + +From 7474ee0d7eb901f417336d7b75a4cfa61dfab7ca Mon Sep 17 00:00:00 2001 +From: Vojtech Polasek +Date: Thu, 30 Apr 2020 09:27:28 +0200 +Subject: [PATCH 4/4] use variable, remove duplicate code + +--- + .../ansible/shared.yml | 24 ++++++++----------- + shared/macros-ansible.jinja | 2 +- + 2 files changed, 11 insertions(+), 15 deletions(-) + +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/ansible/shared.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/ansible/shared.yml +index c80f836b6c..c1ba35bf25 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/ansible/shared.yml ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/ansible/shared.yml +@@ -10,24 +10,20 @@ + set_fact: + audit_arch: "b{{ ansible_architecture | regex_replace('.*(\\d\\d$)','\\1') }}" + ++# set list of syscalls based on rhel version ++{{% if product == "rhel6" %}} ++{{% set audit_syscalls = ["init_module", "delete_module"] %}} ++{{% else %}} ++{{% set audit_syscalls = ["init_module", "delete_module", "finit_module"] %}} ++{{% endif %}} + + - name: Perform remediation of Audit rules for kernel module loading for x86 platform + block: +- {{% if product == "rhel6" %}} +- {{{ ansible_audit_augenrules_add_syscall_rule(arch="b32", syscalls=["init_module", "delete_module"], key="modules")|indent(4) }}} +- {{{ ansible_audit_auditctl_add_syscall_rule(arch="b32", syscalls=["init_module", "delete_module"], key="modules")|indent(4) }}} +- {{% else %}} +- {{{ ansible_audit_augenrules_add_syscall_rule(arch="b32", syscalls=["init_module", "finit_module", "delete_module"], key="modules")|indent(4) }}} +- {{{ ansible_audit_auditctl_add_syscall_rule(arch="b32", syscalls=["init_module", "finit_module", "delete_module"], key="modules")|indent(4) }}} +- {{% endif %}} ++ {{{ ansible_audit_augenrules_add_syscall_rule(arch="b32", syscalls=audit_syscalls, key="modules")|indent(4) }}} ++ {{{ ansible_audit_auditctl_add_syscall_rule(arch="b32", syscalls=audit_syscalls, key="modules")|indent(4) }}} + + - name: Perform remediation of Audit rules for kernel module loading for x86_64 platform + block: +- {{% if product == "rhel6" %}} +- {{{ ansible_audit_augenrules_add_syscall_rule(arch="b64", syscalls=["init_module", "delete_module"], key="modules")|indent(4) }}} +- {{{ ansible_audit_auditctl_add_syscall_rule(arch="b64", syscalls=["init_module", "delete_module"], key="modules")|indent(4) }}} +- {{% else %}} +- {{{ ansible_audit_augenrules_add_syscall_rule(arch="b64", syscalls=["init_module", "finit_module", "delete_module"], key="modules")|indent(4) }}} +- {{{ ansible_audit_auditctl_add_syscall_rule(arch="b64", syscalls=["init_module", "finit_module", "delete_module"], key="modules")|indent(4) }}} +- {{% endif %}} ++ {{{ ansible_audit_augenrules_add_syscall_rule(arch="b64", syscalls=audit_syscalls, key="modules")|indent(4) }}} ++ {{{ ansible_audit_auditctl_add_syscall_rule(arch="b64", syscalls=audit_syscalls, key="modules")|indent(4) }}} + when: audit_arch == "b64" +diff --git a/shared/macros-ansible.jinja b/shared/macros-ansible.jinja +index f9a5b53302..03e4306051 100644 +--- a/shared/macros-ansible.jinja ++++ b/shared/macros-ansible.jinja +@@ -370,7 +370,7 @@ Note that if there already exists a rule wit the same key in the /etc/audit/rul + register: audit_syscalls_found_{{{ arch }}}_rules_d + loop: "{{ syscalls }}" + +-- name: Get number of matched syscalls for architecture {{{ arch }}}in /etc/audit/rules.d/ ++- name: Get number of matched syscalls for architecture {{{ arch }}} in /etc/audit/rules.d/ + set_fact: audit_syscalls_matched_{{{ arch }}}_rules_d="{{audit_syscalls_found_{{{ arch }}}_rules_d.results|sum(attribute='matched')|int }}" + + - name: Search /etc/audit/rules.d for other rules with the key {{{ key }}} diff --git a/SOURCES/scap-security-guide-0.1.50-add_audit_rules_immutable_PR_5609.patch b/SOURCES/scap-security-guide-0.1.50-add_audit_rules_immutable_PR_5609.patch new file mode 100644 index 0000000..2846d3f --- /dev/null +++ b/SOURCES/scap-security-guide-0.1.50-add_audit_rules_immutable_PR_5609.patch @@ -0,0 +1,301 @@ +From d5533786f8d34442754cf60234877f4f9768fdae Mon Sep 17 00:00:00 2001 +From: Vojtech Polasek +Date: Thu, 16 Apr 2020 11:35:14 +0200 +Subject: [PATCH 1/4] add ansible remediation + +--- + .../audit_rules_immutable/ansible/shared.yml | 45 +++++++++++++++++++ + 1 file changed, 45 insertions(+) + create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_immutable/ansible/shared.yml + +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_immutable/ansible/shared.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_immutable/ansible/shared.yml +new file mode 100644 +index 0000000000..20266d394f +--- /dev/null ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_immutable/ansible/shared.yml +@@ -0,0 +1,45 @@ ++# platform = multi_platform_all ++# reboot = false ++# strategy = restrict ++# complexity = low ++# disruption = low ++ ++- name: add /etc/audit/audit.rules to the list of files to be searched ++ set_fact: ++ files_to_search: ++ - /etc/audit/audit.rules ++ ++- name: Search /etc/audit/rules.d for files containing the -e option ++ find: ++ paths: "/etc/audit/rules.d" ++ recurse: true ++ contains: "-e[\\s]+.*" ++ patterns: "*.rules" ++ register: find_immutable ++ ++- name: add found files to the list of files to be searched ++ set_fact: ++ files_to_search: "{{ files_to_search + [item.path] }}" ++ with_items: "{{ find_immutable.files }}" ++ when: find_immutable.matched is defined and find_immutable.matched >= 1 ++ ++- name: remove the config line from /etc/audit/audit.rules and any file in /etc/audit/rules.d directory ++ lineinfile: ++ path: "{{ item }}" ++ regexp: "-e[\\s]+.*" ++ state: absent ++ with_items: "{{ files_to_search }}" ++ ++- name: insert lines at the end of /etc/audit/audit.rules and /etc/audit/rules.d/immutable.rules ++ blockinfile: ++ path: "{{ item }}" ++ create: True ++ marker: "" ++ block: |+ ++ # Set the audit.rules configuration immutable per security requirements ++ # Reboot is required to change audit rules once this setting is applied ++ ++ -e 2 ++ with_items: ++ - /etc/audit/audit.rules ++ - /etc/audit/rules.d/immutable.rules + +From 8f1c60ba4efd625c2df20a109710e0dbf423e44a Mon Sep 17 00:00:00 2001 +From: Vojtech Polasek +Date: Thu, 16 Apr 2020 11:35:37 +0200 +Subject: [PATCH 2/4] add tests + +--- + .../audit_rules_immutable/tests/auditctl_correct.pass.sh | 6 ++++++ + .../audit_rules_immutable/tests/auditctl_missing.fail.sh | 6 ++++++ + .../tests/auditctl_wrong_value.fail.sh | 7 +++++++ + .../audit_rules_immutable/tests/augen_correct.pass.sh | 3 +++ + .../audit_rules_immutable/tests/augen_missing.fail.sh | 3 +++ + .../audit_rules_immutable/tests/augen_wrong_value.fail.sh | 4 ++++ + 6 files changed, 29 insertions(+) + create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_immutable/tests/auditctl_correct.pass.sh + create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_immutable/tests/auditctl_missing.fail.sh + create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_immutable/tests/auditctl_wrong_value.fail.sh + create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_immutable/tests/augen_correct.pass.sh + create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_immutable/tests/augen_missing.fail.sh + create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_immutable/tests/augen_wrong_value.fail.sh + +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_immutable/tests/auditctl_correct.pass.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_immutable/tests/auditctl_correct.pass.sh +new file mode 100644 +index 0000000000..36478840c1 +--- /dev/null ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_immutable/tests/auditctl_correct.pass.sh +@@ -0,0 +1,6 @@ ++#!/bin/bash ++ ++# use auditctl ++sed -i "s%^ExecStartPost=.*%ExecStartPost=-/sbin/auditctl%" /usr/lib/systemd/system/auditd.service ++ ++echo "-e 2" > /etc/audit/audit.rules +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_immutable/tests/auditctl_missing.fail.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_immutable/tests/auditctl_missing.fail.sh +new file mode 100644 +index 0000000000..733436ecaf +--- /dev/null ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_immutable/tests/auditctl_missing.fail.sh +@@ -0,0 +1,6 @@ ++#!/bin/bash ++ ++# use auditctl ++sed -i "s%^ExecStartPost=.*%ExecStartPost=-/sbin/auditctl%" /usr/lib/systemd/system/auditd.service ++ ++echo "some value" > /etc/audit/audit.rules +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_immutable/tests/auditctl_wrong_value.fail.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_immutable/tests/auditctl_wrong_value.fail.sh +new file mode 100644 +index 0000000000..e3369107dd +--- /dev/null ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_immutable/tests/auditctl_wrong_value.fail.sh +@@ -0,0 +1,7 @@ ++#!/bin/bash ++ ++# use auditctl ++sed -i "s%^ExecStartPost=.*%ExecStartPost=-/sbin/auditctl%" /usr/lib/systemd/system/auditd.service ++ ++echo "-e 1" > /etc/audit/audit.rules ++ +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_immutable/tests/augen_correct.pass.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_immutable/tests/augen_correct.pass.sh +new file mode 100644 +index 0000000000..fa5b7231df +--- /dev/null ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_immutable/tests/augen_correct.pass.sh +@@ -0,0 +1,3 @@ ++#!/bin/bash ++ ++echo "-e 2" > /etc/audit/rules.d/immutable.rules +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_immutable/tests/augen_missing.fail.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_immutable/tests/augen_missing.fail.sh +new file mode 100644 +index 0000000000..0997495e4b +--- /dev/null ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_immutable/tests/augen_missing.fail.sh +@@ -0,0 +1,3 @@ ++#!/bin/bash ++ ++rm -rf /etc/audit/rules.d/* +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_immutable/tests/augen_wrong_value.fail.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_immutable/tests/augen_wrong_value.fail.sh +new file mode 100644 +index 0000000000..a8c2d53830 +--- /dev/null ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_immutable/tests/augen_wrong_value.fail.sh +@@ -0,0 +1,4 @@ ++#!/bin/bash ++ ++rm -rf /etc/audit/rules.d/* ++echo "-e 1" > /etc/audit/rules.d/immutable.rules + +From 2bba06ada88cb359a19288725232e79387931aee Mon Sep 17 00:00:00 2001 +From: Vojtech Polasek +Date: Mon, 4 May 2020 15:29:10 +0200 +Subject: [PATCH 3/4] do not use explaining comment in ansible remediation + +--- + .../audit_rules_immutable/ansible/shared.yml | 58 ++++++++++--------- + 1 file changed, 32 insertions(+), 26 deletions(-) + +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_immutable/ansible/shared.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_immutable/ansible/shared.yml +index 20266d394f..4e1b2f9569 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_immutable/ansible/shared.yml ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_immutable/ansible/shared.yml +@@ -1,45 +1,51 @@ + # platform = multi_platform_all +-# reboot = false ++# reboot = true + # strategy = restrict + # complexity = low + # disruption = low + +-- name: add /etc/audit/audit.rules to the list of files to be searched +- set_fact: +- files_to_search: +- - /etc/audit/audit.rules ++- name: Check if the file /etc/audit/audit.rules contains the -e option ++ find: ++ paths: "/etc/audit" ++ contains: '^\s*-e\s+.*$' ++ patterns: "audit.rules" ++ register: find_immutable_audit_rules + + - name: Search /etc/audit/rules.d for files containing the -e option + find: + paths: "/etc/audit/rules.d" +- recurse: true +- contains: "-e[\\s]+.*" ++ contains: '^\s*-e\s+.*$' + patterns: "*.rules" +- register: find_immutable ++ register: find_immutable_rules_d + +-- name: add found files to the list of files to be searched +- set_fact: +- files_to_search: "{{ files_to_search + [item.path] }}" +- with_items: "{{ find_immutable.files }}" +- when: find_immutable.matched is defined and find_immutable.matched >= 1 ++- name: Construct list of Audit config files containing the -e option ++ block: ++ - name: Initialize empty list for files to be edited ++ set_fact: ++ files_to_edit: [] ++ - name: Add matched files from /etc/audit/rules.d ++ set_fact: ++ files_to_edit: "{{ files_to_edit + [item.path] }}" ++ loop: "{{ find_immutable_rules_d.files }}" ++ - name: Add /etc/audit/audit.rules to the list of files ++ set_fact: ++ files_to_edit: "{{ files_to_edit + ['/etc/audit/audit.rules'] }}" ++ when: find_immutable_audit_rules is defined and find_immutable_audit_rules.matched >= 1 ++ when: (find_immutable_rules_d.matched is defined and find_immutable_rules_d.matched >= 1) or (find_immutable_audit_rules.matched is defined and find_immutable_audit_rules.matched >= 1) + +-- name: remove the config line from /etc/audit/audit.rules and any file in /etc/audit/rules.d directory ++- name: Remove the -e option from all Audit config files + lineinfile: + path: "{{ item }}" + regexp: "-e[\\s]+.*" + state: absent +- with_items: "{{ files_to_search }}" ++ loop: "{{ files_to_edit }}" ++ when: (find_immutable_rules_d.matched is defined and find_immutable_rules_d.matched >= 1) or (find_immutable_audit_rules.matched is defined and find_immutable_audit_rules.matched >= 1) + +-- name: insert lines at the end of /etc/audit/audit.rules and /etc/audit/rules.d/immutable.rules +- blockinfile: ++- name: Insert configuration into /etc/audit/rules.d/immutable.rules and /etc/audit/audit.rules ++ lineinfile: + path: "{{ item }}" + create: True +- marker: "" +- block: |+ +- # Set the audit.rules configuration immutable per security requirements +- # Reboot is required to change audit rules once this setting is applied +- +- -e 2 +- with_items: +- - /etc/audit/audit.rules +- - /etc/audit/rules.d/immutable.rules ++ line: "-e 2" ++ loop: ++ - "/etc/audit/audit.rules" ++ - "/etc/audit/rules.d/immutable.rules" + +From dbf87484436e142a771ebd22a1bada61a429cceb Mon Sep 17 00:00:00 2001 +From: Vojtech Polasek +Date: Tue, 5 May 2020 14:44:24 +0200 +Subject: [PATCH 4/4] simplify remediation + +--- + .../audit_rules_immutable/ansible/shared.yml | 34 +++---------------- + 1 file changed, 5 insertions(+), 29 deletions(-) + +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_immutable/ansible/shared.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_immutable/ansible/shared.yml +index 4e1b2f9569..5ac7b3dabb 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_immutable/ansible/shared.yml ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_immutable/ansible/shared.yml +@@ -4,42 +4,18 @@ + # complexity = low + # disruption = low + +-- name: Check if the file /etc/audit/audit.rules contains the -e option ++- name: Collect all files from /etc/audit/rules.d with .rules extension + find: +- paths: "/etc/audit" +- contains: '^\s*-e\s+.*$' +- patterns: "audit.rules" +- register: find_immutable_audit_rules +- +-- name: Search /etc/audit/rules.d for files containing the -e option +- find: +- paths: "/etc/audit/rules.d" +- contains: '^\s*-e\s+.*$' ++ paths: "/etc/audit/rules.d/" + patterns: "*.rules" +- register: find_immutable_rules_d +- +-- name: Construct list of Audit config files containing the -e option +- block: +- - name: Initialize empty list for files to be edited +- set_fact: +- files_to_edit: [] +- - name: Add matched files from /etc/audit/rules.d +- set_fact: +- files_to_edit: "{{ files_to_edit + [item.path] }}" +- loop: "{{ find_immutable_rules_d.files }}" +- - name: Add /etc/audit/audit.rules to the list of files +- set_fact: +- files_to_edit: "{{ files_to_edit + ['/etc/audit/audit.rules'] }}" +- when: find_immutable_audit_rules is defined and find_immutable_audit_rules.matched >= 1 +- when: (find_immutable_rules_d.matched is defined and find_immutable_rules_d.matched >= 1) or (find_immutable_audit_rules.matched is defined and find_immutable_audit_rules.matched >= 1) ++ register: find_rules_d + + - name: Remove the -e option from all Audit config files + lineinfile: + path: "{{ item }}" +- regexp: "-e[\\s]+.*" ++ regexp: '^\s*(?:-e)\s+.*$' + state: absent +- loop: "{{ files_to_edit }}" +- when: (find_immutable_rules_d.matched is defined and find_immutable_rules_d.matched >= 1) or (find_immutable_audit_rules.matched is defined and find_immutable_audit_rules.matched >= 1) ++ loop: "{{ find_rules_d.files | map(attribute='path') | list + ['/etc/audit/audit.rules'] }}" + + - name: Insert configuration into /etc/audit/rules.d/immutable.rules and /etc/audit/audit.rules + lineinfile: diff --git a/SOURCES/scap-security-guide-0.1.50-add_chrony_rules_PR_5273.patch b/SOURCES/scap-security-guide-0.1.50-add_chrony_rules_PR_5273.patch new file mode 100644 index 0000000..5ea1200 --- /dev/null +++ b/SOURCES/scap-security-guide-0.1.50-add_chrony_rules_PR_5273.patch @@ -0,0 +1,820 @@ +From b5379d0850f2ee366c7259512c74355d86babf2f Mon Sep 17 00:00:00 2001 +From: Vojtech Polasek +Date: Tue, 10 Mar 2020 19:05:57 +0100 +Subject: [PATCH 01/10] create new chrony rules for CIS + +add package_chrony_installed +add service_chronyd_enabled +add chrony_specify_remote_server +add default value to chrony_multiple_servers variable +--- + .../bash/shared.sh | 9 +++++ + .../oval/shared.xml | 15 ++++++++ + .../chronyd_specify_remote_server/rule.yml | 35 +++++++++++++++++ + .../ntp/package_chrony_installed/rule.yml | 34 +++++++++++++++++ + .../ntp/service_chronyd_enabled/rule.yml | 38 +++++++++++++++++++ + .../ntp/var_multiple_time_servers.var | 3 +- + shared/templates/extra_ovals.yml | 6 --- + 7 files changed, 133 insertions(+), 7 deletions(-) + create mode 100644 linux_os/guide/services/ntp/chronyd_specify_remote_server/bash/shared.sh + create mode 100644 linux_os/guide/services/ntp/chronyd_specify_remote_server/oval/shared.xml + create mode 100644 linux_os/guide/services/ntp/chronyd_specify_remote_server/rule.yml + create mode 100644 linux_os/guide/services/ntp/package_chrony_installed/rule.yml + create mode 100644 linux_os/guide/services/ntp/service_chronyd_enabled/rule.yml + +diff --git a/linux_os/guide/services/ntp/chronyd_specify_remote_server/bash/shared.sh b/linux_os/guide/services/ntp/chronyd_specify_remote_server/bash/shared.sh +new file mode 100644 +index 0000000000..ab9aab8732 +--- /dev/null ++++ b/linux_os/guide/services/ntp/chronyd_specify_remote_server/bash/shared.sh +@@ -0,0 +1,9 @@ ++# platform = Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8,Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ol ++. /usr/share/scap-security-guide/remediation_functions ++populate var_multiple_time_servers ++ ++config_file="/etc/chrony.conf" ++ ++if ! grep -q ^server "$config_file" ; then ++ {{{ bash_ensure_there_are_servers_in_ntp_compatible_config_file("$config_file", "$var_multiple_time_servers") | indent(2) }}} ++fi +diff --git a/linux_os/guide/services/ntp/chronyd_specify_remote_server/oval/shared.xml b/linux_os/guide/services/ntp/chronyd_specify_remote_server/oval/shared.xml +new file mode 100644 +index 0000000000..0045c93a2d +--- /dev/null ++++ b/linux_os/guide/services/ntp/chronyd_specify_remote_server/oval/shared.xml +@@ -0,0 +1,15 @@ ++ ++ ++ ++ Specify Remote NTP chronyd Server for Time Data ++ {{{- oval_affected(products) }}} ++ A remote chronyd NTP Server for time synchronization should be specified (and dependencies are met) ++ ++ ++ ++ ++ ++ ++ ++ ++ +diff --git a/linux_os/guide/services/ntp/chronyd_specify_remote_server/rule.yml b/linux_os/guide/services/ntp/chronyd_specify_remote_server/rule.yml +new file mode 100644 +index 0000000000..062d382709 +--- /dev/null ++++ b/linux_os/guide/services/ntp/chronyd_specify_remote_server/rule.yml +@@ -0,0 +1,35 @@ ++documentation_complete: true ++ ++prodtype: fedora,ocp4,ol8,rhel8 ++ ++title: 'A remote NTP server for Chrony is configured' ++ ++description: |- ++ chrony is a daemon which implements the Network Time Protocol (NTP) is designed to ++ synchronize system clocks across a variety of systems and use a source that is highly ++ accurate. More information on chrony can be found at ++ {{{ weblink(link="http://chrony.tuxfamily.org/") }}}. ++ Chrony can be configured to be a client and/or a server. ++ Add or edit server or pool lines to /etc/chrony.conf as appropriate: ++ 
server <remote-server>
++ Multiple servers may be configured. ++ ++rationale: |- ++ If chrony is in use on the system proper configuration is vital to ensuring time ++ synchronization is working properly. ++ ++severity: medium ++ ++platform: machine ++ ++identifiers: ++ cce@rhel8: 82734-5 ++ ++references: ++ cis@rhel8: 2.2.1.2 ++ ++ocil_clause: 'The remote NTP server for Chrony is not configured' ++ ++ocil: |- ++ Run the following command and verify remote server is configured properly: ++ 
# grep -E "^(server|pool)" /etc/chrony.conf
+diff --git a/linux_os/guide/services/ntp/package_chrony_installed/rule.yml b/linux_os/guide/services/ntp/package_chrony_installed/rule.yml +new file mode 100644 +index 0000000000..36cae252e0 +--- /dev/null ++++ b/linux_os/guide/services/ntp/package_chrony_installed/rule.yml +@@ -0,0 +1,34 @@ ++documentation_complete: true ++ ++prodtype: fedora,ocp4,ol8,rhel8 ++ ++title: 'The Chrony package is enabled' ++ ++description: |- ++ System time should be synchronized between all systems in an environment. This is ++ typically done by establishing an authoritative time server or set of servers and having all ++ systems synchronize their clocks to them. ++ You can install the package with the following command: ++ 
# dnf install chrony
++ ++rationale: |- ++ Time synchronization is important to support time sensitive security mechanisms like ++ Kerberos and also ensures log files have consistent time records across the enterprise, ++ which aids in forensic investigations. ++ ++severity: medium ++ ++platform: machine ++ ++identifiers: ++ cce@rhel8: 82730-3 ++ ++references: ++ cis@rhel8: 2.2.1.1 ++ ++{{{ complete_ocil_entry_package(package="chrony") }}} ++ ++template: ++ name: package_installed ++ vars: ++ pkgname: chrony +diff --git a/linux_os/guide/services/ntp/service_chronyd_enabled/rule.yml b/linux_os/guide/services/ntp/service_chronyd_enabled/rule.yml +new file mode 100644 +index 0000000000..37adcae640 +--- /dev/null ++++ b/linux_os/guide/services/ntp/service_chronyd_enabled/rule.yml +@@ -0,0 +1,38 @@ ++documentation_complete: true ++ ++prodtype: fedora,ocp4,ol8,rhel8 ++ ++title: 'The Chronyd service is enabled' ++ ++description: |- ++ chrony is a daemon which implements the Network Time Protocol (NTP) is designed to ++ synchronize system clocks across a variety of systems and use a source that is highly ++ accurate. More information on chrony can be found at ++ {{{ weblink(link="http://chrony.tuxfamily.org/") }}}. ++ Chrony can be configured to be a client and/or a server. ++ To enable Chronyd service, you can run: ++ # systemctl enable chronyd.service ++ This recommendation only applies if chrony is in use on the system. ++ ++rationale: |- ++ If chrony is in use on the system proper configuration is vital to ensuring time ++ synchronization is working properly. ++ ++severity: medium ++ ++platform: machine ++ ++identifiers: ++ cce@rhel8: 82729-5 ++ ++references: ++ cis@rhel8: 2.2.1.2 ++ ++ocil_clause: 'The chronyd process is not running' ++ ++ocil: '{{{ ocil_service_enabled(service="chronyd") }}}' ++ ++template: ++ name: service_enabled ++ vars: ++ servicename: chronyd +diff --git a/linux_os/guide/services/ntp/var_multiple_time_servers.var b/linux_os/guide/services/ntp/var_multiple_time_servers.var +index 32deb2b851..47c6594ad2 100644 +--- a/linux_os/guide/services/ntp/var_multiple_time_servers.var ++++ b/linux_os/guide/services/ntp/var_multiple_time_servers.var +@@ -6,9 +6,10 @@ description: 'The list of vendor-approved time servers' + + type: string + +-interactive: false ++interactive: true + + options: ++ default: "0.pool.ntp.org,1.pool.ntp.org,2.pool.ntp.org,3.pool.ntp.org" + fedora: "0.fedora.pool.ntp.org,1.fedora.pool.ntp.org,2.fedora.pool.ntp.org,3.fedora.pool.ntp.org" + rhel: "0.rhel.pool.ntp.org,1.rhel.pool.ntp.org,2.rhel.pool.ntp.org,3.rhel.pool.ntp.org" + ol: "0.pool.ntp.org,1.pool.ntp.org,2.pool.ntp.org,3.pool.ntp.org" +diff --git a/shared/templates/extra_ovals.yml b/shared/templates/extra_ovals.yml +index 9768f5c5c4..948912c228 100644 +--- a/shared/templates/extra_ovals.yml ++++ b/shared/templates/extra_ovals.yml +@@ -43,12 +43,6 @@ package_prelink_removed: + vars: + pkgname: prelink + +-service_chronyd_enabled: +- name: service_enabled +- vars: +- servicename: chronyd +- packagename: chrony +- + service_sssd_disabled: + name: service_disabled + vars: + +From e6145398300fae26e9765dc2798d7eec602be70c Mon Sep 17 00:00:00 2001 +From: Vojtech Polasek +Date: Wed, 11 Mar 2020 11:05:17 +0100 +Subject: [PATCH 02/10] add tests and ansible remediation + +remove shared oval for checking chronyd_specify_remote_server +--- + .../ansible/shared.yml | 13 ++++++++ + .../bash/shared.sh | 2 +- + .../oval/shared.xml | 32 +++++++++++++------ + .../tests/correct.pass.sh | 7 ++++ + .../tests/file_empty.fail.sh | 6 ++++ + .../tests/file_missing.fail.sh | 6 ++++ + .../tests/line_missing.fail.sh | 7 ++++ + .../tests/multiple_servers.pass.sh | 7 ++++ + .../tests/server_not_specified.fail.sh | 6 ++++ + .../oval/chronyd_specify_remote_server.xml | 29 ----------------- + 10 files changed, 76 insertions(+), 39 deletions(-) + create mode 100644 linux_os/guide/services/ntp/chronyd_specify_remote_server/ansible/shared.yml + create mode 100644 linux_os/guide/services/ntp/chronyd_specify_remote_server/tests/correct.pass.sh + create mode 100644 linux_os/guide/services/ntp/chronyd_specify_remote_server/tests/file_empty.fail.sh + create mode 100644 linux_os/guide/services/ntp/chronyd_specify_remote_server/tests/file_missing.fail.sh + create mode 100644 linux_os/guide/services/ntp/chronyd_specify_remote_server/tests/line_missing.fail.sh + create mode 100644 linux_os/guide/services/ntp/chronyd_specify_remote_server/tests/multiple_servers.pass.sh + create mode 100644 linux_os/guide/services/ntp/chronyd_specify_remote_server/tests/server_not_specified.fail.sh + delete mode 100644 shared/checks/oval/chronyd_specify_remote_server.xml + +diff --git a/linux_os/guide/services/ntp/chronyd_specify_remote_server/ansible/shared.yml b/linux_os/guide/services/ntp/chronyd_specify_remote_server/ansible/shared.yml +new file mode 100644 +index 0000000000..ad93be3580 +--- /dev/null ++++ b/linux_os/guide/services/ntp/chronyd_specify_remote_server/ansible/shared.yml +@@ -0,0 +1,13 @@ ++# platform = multi_platform_all ++# reboot = false ++# strategy = configure ++# complexity = low ++# disruption = low ++- (xccdf-var var_multiple_time_servers) ++ ++- name: "Ensure Chrony is installed" ++ package: ++ name: "chrony" ++ state: present ++ ++{{{ ansible_lineinfile(msg='Ensure remote servers are specified in chrony.conf', path='/etc/chrony.conf', regex='^[\s]*server[\s]+[\w]+', new_line='server {{ item }}', create='yes', state='present', with_items='{{ var_multiple_time_servers.split(",") }}') }}} +diff --git a/linux_os/guide/services/ntp/chronyd_specify_remote_server/bash/shared.sh b/linux_os/guide/services/ntp/chronyd_specify_remote_server/bash/shared.sh +index ab9aab8732..9fdb46d419 100644 +--- a/linux_os/guide/services/ntp/chronyd_specify_remote_server/bash/shared.sh ++++ b/linux_os/guide/services/ntp/chronyd_specify_remote_server/bash/shared.sh +@@ -4,6 +4,6 @@ populate var_multiple_time_servers + + config_file="/etc/chrony.conf" + +-if ! grep -q ^server "$config_file" ; then ++if ! grep -q '^[\s]*server[\s]+[\w]+' "$config_file" ; then + {{{ bash_ensure_there_are_servers_in_ntp_compatible_config_file("$config_file", "$var_multiple_time_servers") | indent(2) }}} + fi +diff --git a/linux_os/guide/services/ntp/chronyd_specify_remote_server/oval/shared.xml b/linux_os/guide/services/ntp/chronyd_specify_remote_server/oval/shared.xml +index 0045c93a2d..744ea925c9 100644 +--- a/linux_os/guide/services/ntp/chronyd_specify_remote_server/oval/shared.xml ++++ b/linux_os/guide/services/ntp/chronyd_specify_remote_server/oval/shared.xml +@@ -1,15 +1,29 @@ +- ++ + + +- Specify Remote NTP chronyd Server for Time Data +- {{{- oval_affected(products) }}} +- A remote chronyd NTP Server for time synchronization should be specified (and dependencies are met) ++ Specify a Remote NTP Server for Time Data ++ ++ multi_platform_all ++ ++ A remote NTP Server for time synchronization should be ++ specified (and dependencies are met) + +- +- +- +- ++ ++ + +- + ++ ++ ++ ++ ++ ++ ++ /etc/chrony.conf ++ ^[\s]*server[\s]+.+$ ++ 1 ++ ++ + +diff --git a/linux_os/guide/services/ntp/chronyd_specify_remote_server/tests/correct.pass.sh b/linux_os/guide/services/ntp/chronyd_specify_remote_server/tests/correct.pass.sh +new file mode 100644 +index 0000000000..d5db6a6fb3 +--- /dev/null ++++ b/linux_os/guide/services/ntp/chronyd_specify_remote_server/tests/correct.pass.sh +@@ -0,0 +1,7 @@ ++#!/bin/bash ++# platform = multi_platform_fedora,Red Hat Enterprise Linux 8 ++ ++ ++yum -y install chrony ++ ++echo "server 0.pool.ntp.org" > /etc/chrony.conf +diff --git a/linux_os/guide/services/ntp/chronyd_specify_remote_server/tests/file_empty.fail.sh b/linux_os/guide/services/ntp/chronyd_specify_remote_server/tests/file_empty.fail.sh +new file mode 100644 +index 0000000000..15c414d9fc +--- /dev/null ++++ b/linux_os/guide/services/ntp/chronyd_specify_remote_server/tests/file_empty.fail.sh +@@ -0,0 +1,6 @@ ++#!/bin/bash ++# platform = multi_platform_fedora,Red Hat Enterprise Linux 8 ++ ++yum -y install chrony ++ ++echo "" > /etc/chrony.conf +diff --git a/linux_os/guide/services/ntp/chronyd_specify_remote_server/tests/file_missing.fail.sh b/linux_os/guide/services/ntp/chronyd_specify_remote_server/tests/file_missing.fail.sh +new file mode 100644 +index 0000000000..4e02f34c0f +--- /dev/null ++++ b/linux_os/guide/services/ntp/chronyd_specify_remote_server/tests/file_missing.fail.sh +@@ -0,0 +1,6 @@ ++#!/bin/bash ++# platform = multi_platform_fedora,Red Hat Enterprise Linux 8 ++ ++yum -y install chrony ++ ++rm -f /etc/chrony.conf +diff --git a/linux_os/guide/services/ntp/chronyd_specify_remote_server/tests/line_missing.fail.sh b/linux_os/guide/services/ntp/chronyd_specify_remote_server/tests/line_missing.fail.sh +new file mode 100644 +index 0000000000..acae68b7ee +--- /dev/null ++++ b/linux_os/guide/services/ntp/chronyd_specify_remote_server/tests/line_missing.fail.sh +@@ -0,0 +1,7 @@ ++#!/bin/bash ++# platform = multi_platform_fedora,Red Hat Enterprise Linux 8 ++ ++yum -y install chrony ++ ++echo "some line" > /etc/chrony.conf ++echo "another line" >> /etc/chrony.conf +diff --git a/linux_os/guide/services/ntp/chronyd_specify_remote_server/tests/multiple_servers.pass.sh b/linux_os/guide/services/ntp/chronyd_specify_remote_server/tests/multiple_servers.pass.sh +new file mode 100644 +index 0000000000..d239a76dda +--- /dev/null ++++ b/linux_os/guide/services/ntp/chronyd_specify_remote_server/tests/multiple_servers.pass.sh +@@ -0,0 +1,7 @@ ++#!/bin/bash ++# platform = multi_platform_fedora,Red Hat Enterprise Linux 8 ++ ++yum -y install chrony ++ ++echo "server 0.pool.ntp.org" > /etc/chrony.conf ++echo "server 1.pool.ntp.org" >> /etc/chrony.conf +diff --git a/linux_os/guide/services/ntp/chronyd_specify_remote_server/tests/server_not_specified.fail.sh b/linux_os/guide/services/ntp/chronyd_specify_remote_server/tests/server_not_specified.fail.sh +new file mode 100644 +index 0000000000..63c2a7f0a4 +--- /dev/null ++++ b/linux_os/guide/services/ntp/chronyd_specify_remote_server/tests/server_not_specified.fail.sh +@@ -0,0 +1,6 @@ ++#!/bin/bash ++# platform = multi_platform_fedora,Red Hat Enterprise Linux 8 ++ ++yum -y install chrony ++ ++echo "server " > /etc/chrony.conf +diff --git a/shared/checks/oval/chronyd_specify_remote_server.xml b/shared/checks/oval/chronyd_specify_remote_server.xml +deleted file mode 100644 +index 744ea925c9..0000000000 +--- a/shared/checks/oval/chronyd_specify_remote_server.xml ++++ /dev/null +@@ -1,29 +0,0 @@ +- +- +- +- Specify a Remote NTP Server for Time Data +- +- multi_platform_all +- +- A remote NTP Server for time synchronization should be +- specified (and dependencies are met) +- +- +- +- +- +- +- +- +- +- +- +- /etc/chrony.conf +- ^[\s]*server[\s]+.+$ +- 1 +- +- +- + +From bc61c4eb7552012761223d75870c8bee36d5acc0 Mon Sep 17 00:00:00 2001 +From: Vojtech Polasek +Date: Thu, 12 Mar 2020 17:05:12 +0100 +Subject: [PATCH 03/10] fix typos and fix oval affected products + +--- + .../ntp/chronyd_specify_remote_server/oval/shared.xml | 4 +--- + .../services/ntp/chronyd_specify_remote_server/rule.yml | 2 +- + .../guide/services/ntp/package_chrony_installed/rule.yml | 5 ++--- + 3 files changed, 4 insertions(+), 7 deletions(-) + +diff --git a/linux_os/guide/services/ntp/chronyd_specify_remote_server/oval/shared.xml b/linux_os/guide/services/ntp/chronyd_specify_remote_server/oval/shared.xml +index 744ea925c9..3a3c2895ce 100644 +--- a/linux_os/guide/services/ntp/chronyd_specify_remote_server/oval/shared.xml ++++ b/linux_os/guide/services/ntp/chronyd_specify_remote_server/oval/shared.xml +@@ -2,9 +2,7 @@ + + + Specify a Remote NTP Server for Time Data +- +- multi_platform_all +- ++ {{{- oval_affected(products) }}} + A remote NTP Server for time synchronization should be + specified (and dependencies are met) + +diff --git a/linux_os/guide/services/ntp/chronyd_specify_remote_server/rule.yml b/linux_os/guide/services/ntp/chronyd_specify_remote_server/rule.yml +index 062d382709..3befba9de8 100644 +--- a/linux_os/guide/services/ntp/chronyd_specify_remote_server/rule.yml ++++ b/linux_os/guide/services/ntp/chronyd_specify_remote_server/rule.yml +@@ -5,7 +5,7 @@ prodtype: fedora,ocp4,ol8,rhel8 + title: 'A remote NTP server for Chrony is configured' + + description: |- +- chrony is a daemon which implements the Network Time Protocol (NTP) is designed to ++ chrony is a daemon which implements the Network Time Protocol (NTP). It is designed to + synchronize system clocks across a variety of systems and use a source that is highly + accurate. More information on chrony can be found at + {{{ weblink(link="http://chrony.tuxfamily.org/") }}}. +diff --git a/linux_os/guide/services/ntp/package_chrony_installed/rule.yml b/linux_os/guide/services/ntp/package_chrony_installed/rule.yml +index 36cae252e0..1e99e241dd 100644 +--- a/linux_os/guide/services/ntp/package_chrony_installed/rule.yml ++++ b/linux_os/guide/services/ntp/package_chrony_installed/rule.yml +@@ -2,14 +2,13 @@ documentation_complete: true + + prodtype: fedora,ocp4,ol8,rhel8 + +-title: 'The Chrony package is enabled' ++title: 'The Chrony package is installed' + + description: |- + System time should be synchronized between all systems in an environment. This is + typically done by establishing an authoritative time server or set of servers and having all + systems synchronize their clocks to them. +- You can install the package with the following command: +- 
# dnf install chrony
++ {{{ describe_package_install(package="chrony") }}} + + rationale: |- + Time synchronization is important to support time sensitive security mechanisms like + +From 88ed5b1b1a44dcc9eb98cb1c514542059b7882e8 Mon Sep 17 00:00:00 2001 +From: Vojtech Polasek +Date: Tue, 17 Mar 2020 11:55:44 +0100 +Subject: [PATCH 04/10] make rules available for all platforms + +--- + .../services/ntp/chronyd_specify_remote_server/bash/shared.sh | 2 +- + .../guide/services/ntp/chronyd_specify_remote_server/rule.yml | 1 - + linux_os/guide/services/ntp/package_chrony_installed/rule.yml | 2 -- + linux_os/guide/services/ntp/service_chronyd_enabled/rule.yml | 2 -- + 4 files changed, 1 insertion(+), 6 deletions(-) + +diff --git a/linux_os/guide/services/ntp/chronyd_specify_remote_server/bash/shared.sh b/linux_os/guide/services/ntp/chronyd_specify_remote_server/bash/shared.sh +index 9fdb46d419..6be57c219b 100644 +--- a/linux_os/guide/services/ntp/chronyd_specify_remote_server/bash/shared.sh ++++ b/linux_os/guide/services/ntp/chronyd_specify_remote_server/bash/shared.sh +@@ -1,4 +1,4 @@ +-# platform = Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8,Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ol ++# platform = multi_platform_all + . /usr/share/scap-security-guide/remediation_functions + populate var_multiple_time_servers + +diff --git a/linux_os/guide/services/ntp/chronyd_specify_remote_server/rule.yml b/linux_os/guide/services/ntp/chronyd_specify_remote_server/rule.yml +index 3befba9de8..912a359080 100644 +--- a/linux_os/guide/services/ntp/chronyd_specify_remote_server/rule.yml ++++ b/linux_os/guide/services/ntp/chronyd_specify_remote_server/rule.yml +@@ -1,6 +1,5 @@ + documentation_complete: true + +-prodtype: fedora,ocp4,ol8,rhel8 + + title: 'A remote NTP server for Chrony is configured' + +diff --git a/linux_os/guide/services/ntp/package_chrony_installed/rule.yml b/linux_os/guide/services/ntp/package_chrony_installed/rule.yml +index 1e99e241dd..6e2c455201 100644 +--- a/linux_os/guide/services/ntp/package_chrony_installed/rule.yml ++++ b/linux_os/guide/services/ntp/package_chrony_installed/rule.yml +@@ -1,7 +1,5 @@ + documentation_complete: true + +-prodtype: fedora,ocp4,ol8,rhel8 +- + title: 'The Chrony package is installed' + + description: |- +diff --git a/linux_os/guide/services/ntp/service_chronyd_enabled/rule.yml b/linux_os/guide/services/ntp/service_chronyd_enabled/rule.yml +index 37adcae640..e0b21d81af 100644 +--- a/linux_os/guide/services/ntp/service_chronyd_enabled/rule.yml ++++ b/linux_os/guide/services/ntp/service_chronyd_enabled/rule.yml +@@ -1,7 +1,5 @@ + documentation_complete: true + +-prodtype: fedora,ocp4,ol8,rhel8 +- + title: 'The Chronyd service is enabled' + + description: |- + +From bd704e243821225440f1dd7c426922624cd6c08a Mon Sep 17 00:00:00 2001 +From: Vojtech Polasek +Date: Tue, 17 Mar 2020 14:47:53 +0100 +Subject: [PATCH 05/10] make oval accept also pool + +add test for it +--- + .../ntp/chronyd_specify_remote_server/oval/shared.xml | 2 +- + .../tests/correct_pool.pass.sh | 7 +++++++ + 2 files changed, 8 insertions(+), 1 deletion(-) + create mode 100644 linux_os/guide/services/ntp/chronyd_specify_remote_server/tests/correct_pool.pass.sh + +diff --git a/linux_os/guide/services/ntp/chronyd_specify_remote_server/oval/shared.xml b/linux_os/guide/services/ntp/chronyd_specify_remote_server/oval/shared.xml +index 3a3c2895ce..31cde36bc9 100644 +--- a/linux_os/guide/services/ntp/chronyd_specify_remote_server/oval/shared.xml ++++ b/linux_os/guide/services/ntp/chronyd_specify_remote_server/oval/shared.xml +@@ -20,7 +20,7 @@ + + /etc/chrony.conf +- ^[\s]*server[\s]+.+$ ++ ^[\s]*(?:server|pool)[\s]+.+$ + 1 + + +diff --git a/linux_os/guide/services/ntp/chronyd_specify_remote_server/tests/correct_pool.pass.sh b/linux_os/guide/services/ntp/chronyd_specify_remote_server/tests/correct_pool.pass.sh +new file mode 100644 +index 0000000000..aa6e8aea2a +--- /dev/null ++++ b/linux_os/guide/services/ntp/chronyd_specify_remote_server/tests/correct_pool.pass.sh +@@ -0,0 +1,7 @@ ++#!/bin/bash ++# platform = multi_platform_fedora,Red Hat Enterprise Linux 8 ++ ++ ++yum -y install chrony ++ ++echo "pool 0.pool.ntp.org" > /etc/chrony.conf + +From 387e404f2aa33ffd36305d899e5ba2846b0e99a8 Mon Sep 17 00:00:00 2001 +From: Vojtech Polasek +Date: Tue, 17 Mar 2020 14:58:52 +0100 +Subject: [PATCH 06/10] modify bash macro not to add iburst + +--- + shared/macros-bash.jinja | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/shared/macros-bash.jinja b/shared/macros-bash.jinja +index bc6c6f6486..01b9e62e7b 100644 +--- a/shared/macros-bash.jinja ++++ b/shared/macros-bash.jinja +@@ -348,7 +348,7 @@ done + {{%- macro bash_ensure_there_are_servers_in_ntp_compatible_config_file(config_file, servers_list) -%}} + if ! grep -q '#[[:space:]]*server' "{{{ config_file }}}" ; then + for server in $(echo "{{{ servers_list }}}" | tr ',' '\n') ; do +- printf '\nserver %s iburst' "$server" >> "{{{ config_file }}}" ++ printf '\nserver %s' "$server" >> "{{{ config_file }}}" + done + else + sed -i 's/#[ \t]*server/server/g' "{{{ config_file }}}" + +From eb953fba0979a795743bf669270709539dca5dc4 Mon Sep 17 00:00:00 2001 +From: Vojtech Polasek +Date: Tue, 17 Mar 2020 17:41:58 +0100 +Subject: [PATCH 07/10] fix remediations + +--- + .../ansible/shared.yml | 19 ++++++++++++++----- + .../bash/shared.sh | 2 +- + .../chronyd_specify_remote_server/rule.yml | 2 +- + 3 files changed, 16 insertions(+), 7 deletions(-) + +diff --git a/linux_os/guide/services/ntp/chronyd_specify_remote_server/ansible/shared.yml b/linux_os/guide/services/ntp/chronyd_specify_remote_server/ansible/shared.yml +index ad93be3580..747226601b 100644 +--- a/linux_os/guide/services/ntp/chronyd_specify_remote_server/ansible/shared.yml ++++ b/linux_os/guide/services/ntp/chronyd_specify_remote_server/ansible/shared.yml +@@ -5,9 +5,18 @@ + # disruption = low + - (xccdf-var var_multiple_time_servers) + +-- name: "Ensure Chrony is installed" +- package: +- name: "chrony" +- state: present ++- name: "Detect if chrony is already configured with pools or servers" ++ find: ++ path: /etc ++ patterns: chrony.conf ++ contains: '^[\s]*(?:server|pool)[\s]+[\w]+' ++ register: chrony_servers + +-{{{ ansible_lineinfile(msg='Ensure remote servers are specified in chrony.conf', path='/etc/chrony.conf', regex='^[\s]*server[\s]+[\w]+', new_line='server {{ item }}', create='yes', state='present', with_items='{{ var_multiple_time_servers.split(",") }}') }}} ++- name: "Add server configuration if none found in previous task" ++ lineinfile: ++ path: /etc/chrony.conf ++ line: 'server {{ item }}' ++ state: present ++ create: True ++ loop: '{{ var_multiple_time_servers.split(",") }}' ++ when: chrony_servers.matched == 0 +diff --git a/linux_os/guide/services/ntp/chronyd_specify_remote_server/bash/shared.sh b/linux_os/guide/services/ntp/chronyd_specify_remote_server/bash/shared.sh +index 6be57c219b..e566219788 100644 +--- a/linux_os/guide/services/ntp/chronyd_specify_remote_server/bash/shared.sh ++++ b/linux_os/guide/services/ntp/chronyd_specify_remote_server/bash/shared.sh +@@ -4,6 +4,6 @@ populate var_multiple_time_servers + + config_file="/etc/chrony.conf" + +-if ! grep -q '^[\s]*server[\s]+[\w]+' "$config_file" ; then ++if ! grep -q '^[\s]*(?:server|pool)[\s]+[\w]+' "$config_file" ; then + {{{ bash_ensure_there_are_servers_in_ntp_compatible_config_file("$config_file", "$var_multiple_time_servers") | indent(2) }}} + fi +diff --git a/linux_os/guide/services/ntp/chronyd_specify_remote_server/rule.yml b/linux_os/guide/services/ntp/chronyd_specify_remote_server/rule.yml +index 912a359080..28224c2383 100644 +--- a/linux_os/guide/services/ntp/chronyd_specify_remote_server/rule.yml ++++ b/linux_os/guide/services/ntp/chronyd_specify_remote_server/rule.yml +@@ -4,7 +4,7 @@ documentation_complete: true + title: 'A remote NTP server for Chrony is configured' + + description: |- +- chrony is a daemon which implements the Network Time Protocol (NTP). It is designed to ++ Chrony is a daemon which implements the Network Time Protocol (NTP). It is designed to + synchronize system clocks across a variety of systems and use a source that is highly + accurate. More information on chrony can be found at + {{{ weblink(link="http://chrony.tuxfamily.org/") }}}. + +From 2106f716f5662f265a2e05b351e0fd7cb91dd698 Mon Sep 17 00:00:00 2001 +From: Vojtech Polasek +Date: Tue, 17 Mar 2020 17:50:10 +0100 +Subject: [PATCH 08/10] fix description + +--- + .../ntp/chronyd_specify_remote_server/rule.yml | 12 ++++++------ + 1 file changed, 6 insertions(+), 6 deletions(-) + +diff --git a/linux_os/guide/services/ntp/chronyd_specify_remote_server/rule.yml b/linux_os/guide/services/ntp/chronyd_specify_remote_server/rule.yml +index 28224c2383..af250d0288 100644 +--- a/linux_os/guide/services/ntp/chronyd_specify_remote_server/rule.yml ++++ b/linux_os/guide/services/ntp/chronyd_specify_remote_server/rule.yml +@@ -4,22 +4,22 @@ documentation_complete: true + title: 'A remote NTP server for Chrony is configured' + + description: |- +- Chrony is a daemon which implements the Network Time Protocol (NTP). It is designed to ++ Chrony is a daemon which implements the Network Time Protocol (NTP). It is designed to + synchronize system clocks across a variety of systems and use a source that is highly +- accurate. More information on chrony can be found at ++ accurate. More information on chrony can be found at + {{{ weblink(link="http://chrony.tuxfamily.org/") }}}. +- Chrony can be configured to be a client and/or a server. ++ Chrony can be configured to be a client and/or a server. + Add or edit server or pool lines to /etc/chrony.conf as appropriate: + 
server <remote-server>
+ Multiple servers may be configured. + + rationale: |- +- If chrony is in use on the system proper configuration is vital to ensuring time ++ If chrony is in use on the system proper configuration is vital to ensuring time + synchronization is working properly. + + severity: medium + +-platform: machine ++platform: chrony + + identifiers: + cce@rhel8: 82734-5 +@@ -27,7 +27,7 @@ identifiers: + references: + cis@rhel8: 2.2.1.2 + +-ocil_clause: 'The remote NTP server for Chrony is not configured' ++ocil_clause: 'the remote NTP server for Chrony is not configured' + + ocil: |- + Run the following command and verify remote server is configured properly: + +From 6058590f752af869716a4bc166091d22cdda71e6 Mon Sep 17 00:00:00 2001 +From: Vojtech Polasek +Date: Tue, 17 Mar 2020 18:07:00 +0100 +Subject: [PATCH 09/10] fix cces + +--- + .../guide/services/ntp/chronyd_specify_remote_server/rule.yml | 2 +- + linux_os/guide/services/ntp/package_chrony_installed/rule.yml | 2 +- + linux_os/guide/services/ntp/service_chronyd_enabled/rule.yml | 4 ++-- + 4 files changed, 4 insertions(+), 7 deletions(-) + +diff --git a/linux_os/guide/services/ntp/chronyd_specify_remote_server/rule.yml b/linux_os/guide/services/ntp/chronyd_specify_remote_server/rule.yml +index af250d0288..fbd457d2de 100644 +--- a/linux_os/guide/services/ntp/chronyd_specify_remote_server/rule.yml ++++ b/linux_os/guide/services/ntp/chronyd_specify_remote_server/rule.yml +@@ -22,7 +22,7 @@ severity: medium + platform: chrony + + identifiers: +- cce@rhel8: 82734-5 ++ cce@rhel8: 82873-1 + + references: + cis@rhel8: 2.2.1.2 +diff --git a/linux_os/guide/services/ntp/package_chrony_installed/rule.yml b/linux_os/guide/services/ntp/package_chrony_installed/rule.yml +index 6e2c455201..2549f48b71 100644 +--- a/linux_os/guide/services/ntp/package_chrony_installed/rule.yml ++++ b/linux_os/guide/services/ntp/package_chrony_installed/rule.yml +@@ -18,7 +18,7 @@ severity: medium + platform: machine + + identifiers: +- cce@rhel8: 82730-3 ++ cce@rhel8: 82874-9 + + references: + cis@rhel8: 2.2.1.1 +diff --git a/linux_os/guide/services/ntp/service_chronyd_enabled/rule.yml b/linux_os/guide/services/ntp/service_chronyd_enabled/rule.yml +index e0b21d81af..829d662afe 100644 +--- a/linux_os/guide/services/ntp/service_chronyd_enabled/rule.yml ++++ b/linux_os/guide/services/ntp/service_chronyd_enabled/rule.yml +@@ -21,12 +21,12 @@ severity: medium + platform: machine + + identifiers: +- cce@rhel8: 82729-5 ++ cce@rhel8: 82875-6 + + references: + cis@rhel8: 2.2.1.2 + +-ocil_clause: 'The chronyd process is not running' ++ocil_clause: 'the chronyd process is not running' + + ocil: '{{{ ocil_service_enabled(service="chronyd") }}}' + +From e70adc47f0c1cdcc7c652b5a6f19701aa61fe8f8 Mon Sep 17 00:00:00 2001 +From: Vojtech Polasek +Date: Wed, 18 Mar 2020 10:53:45 +0100 +Subject: [PATCH 10/10] small wording changes + +--- + .../ntp/chronyd_specify_remote_server/ansible/shared.yml | 2 +- + .../guide/services/ntp/chronyd_specify_remote_server/rule.yml | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +diff --git a/linux_os/guide/services/ntp/chronyd_specify_remote_server/ansible/shared.yml b/linux_os/guide/services/ntp/chronyd_specify_remote_server/ansible/shared.yml +index 747226601b..0c812bdc2a 100644 +--- a/linux_os/guide/services/ntp/chronyd_specify_remote_server/ansible/shared.yml ++++ b/linux_os/guide/services/ntp/chronyd_specify_remote_server/ansible/shared.yml +@@ -12,7 +12,7 @@ + contains: '^[\s]*(?:server|pool)[\s]+[\w]+' + register: chrony_servers + +-- name: "Add server configuration if none found in previous task" ++- name: "Configure remote time servers" + lineinfile: + path: /etc/chrony.conf + line: 'server {{ item }}' +diff --git a/linux_os/guide/services/ntp/chronyd_specify_remote_server/rule.yml b/linux_os/guide/services/ntp/chronyd_specify_remote_server/rule.yml +index fbd457d2de..b2177fc76e 100644 +--- a/linux_os/guide/services/ntp/chronyd_specify_remote_server/rule.yml ++++ b/linux_os/guide/services/ntp/chronyd_specify_remote_server/rule.yml +@@ -27,7 +27,7 @@ identifiers: + references: + cis@rhel8: 2.2.1.2 + +-ocil_clause: 'the remote NTP server for Chrony is not configured' ++ocil_clause: 'a remote time server is not configured' + + ocil: |- + Run the following command and verify remote server is configured properly: diff --git a/SOURCES/scap-security-guide-0.1.50-add_configure_etc_hosts_deny_PR_5332.patch b/SOURCES/scap-security-guide-0.1.50-add_configure_etc_hosts_deny_PR_5332.patch new file mode 100644 index 0000000..8561364 --- /dev/null +++ b/SOURCES/scap-security-guide-0.1.50-add_configure_etc_hosts_deny_PR_5332.patch @@ -0,0 +1,201 @@ +From de575924082e17ff0e2fe537a3c72adf87942a55 Mon Sep 17 00:00:00 2001 +From: Vojtech Polasek +Date: Mon, 23 Mar 2020 16:02:21 +0100 +Subject: [PATCH 1/3] create rule + +--- + .../ansible/shared.yml | 7 +++++ + .../configure_etc_hosts_deny/bash/shared.sh | 3 ++ + .../configure_etc_hosts_deny/oval/shared.xml | 1 + + .../configure_etc_hosts_deny/rule.yml | 31 +++++++++++++++++++ + .../tests/correct.pass.sh | 6 ++++ + .../tests/file_empty.fail.sh | 6 ++++ + .../tests/file_missing.fail.sh | 6 ++++ + .../tests/wrong.fail.sh | 6 ++++ + shared/references/cce-redhat-avail.txt | 1 - + 9 files changed, 66 insertions(+), 1 deletion(-) + create mode 100644 linux_os/guide/services/obsolete/inetd_and_xinetd/configure_etc_hosts_deny/ansible/shared.yml + create mode 100644 linux_os/guide/services/obsolete/inetd_and_xinetd/configure_etc_hosts_deny/bash/shared.sh + create mode 100644 linux_os/guide/services/obsolete/inetd_and_xinetd/configure_etc_hosts_deny/oval/shared.xml + create mode 100644 linux_os/guide/services/obsolete/inetd_and_xinetd/configure_etc_hosts_deny/rule.yml + create mode 100644 linux_os/guide/services/obsolete/inetd_and_xinetd/configure_etc_hosts_deny/tests/correct.pass.sh + create mode 100644 linux_os/guide/services/obsolete/inetd_and_xinetd/configure_etc_hosts_deny/tests/file_empty.fail.sh + create mode 100644 linux_os/guide/services/obsolete/inetd_and_xinetd/configure_etc_hosts_deny/tests/file_missing.fail.sh + create mode 100644 linux_os/guide/services/obsolete/inetd_and_xinetd/configure_etc_hosts_deny/tests/wrong.fail.sh + +diff --git a/linux_os/guide/services/obsolete/inetd_and_xinetd/configure_etc_hosts_deny/ansible/shared.yml b/linux_os/guide/services/obsolete/inetd_and_xinetd/configure_etc_hosts_deny/ansible/shared.yml +new file mode 100644 +index 0000000000..480bde9f80 +--- /dev/null ++++ b/linux_os/guide/services/obsolete/inetd_and_xinetd/configure_etc_hosts_deny/ansible/shared.yml +@@ -0,0 +1,7 @@ ++# platform = Red Hat Enterprise Linux 7,Oracle Linux 7 ++# reboot = false ++# strategy = restrict ++# complexity = low ++# disruption = medium ++ ++{{{ ansible_lineinfile(msg='', path='/etc/hosts.deny', regex='', new_line='ALL: ALL', create='true', state='present') }}} +diff --git a/linux_os/guide/services/obsolete/inetd_and_xinetd/configure_etc_hosts_deny/bash/shared.sh b/linux_os/guide/services/obsolete/inetd_and_xinetd/configure_etc_hosts_deny/bash/shared.sh +new file mode 100644 +index 0000000000..e1def7a9ab +--- /dev/null ++++ b/linux_os/guide/services/obsolete/inetd_and_xinetd/configure_etc_hosts_deny/bash/shared.sh +@@ -0,0 +1,3 @@ ++# platform = Red Hat Enterprise Linux 7,Oracle Linux 7 ++ ++{{{ set_config_file(path="/etc/hosts.deny", parameter="ALL:", value="ALL", create=true, insert_after="EOF", insert_before="", insensitive=true, separator=" ", separator_regex="\s\+", prefix_regex="^\s*") }}} +diff --git a/linux_os/guide/services/obsolete/inetd_and_xinetd/configure_etc_hosts_deny/oval/shared.xml b/linux_os/guide/services/obsolete/inetd_and_xinetd/configure_etc_hosts_deny/oval/shared.xml +new file mode 100644 +index 0000000000..de1e7261a6 +--- /dev/null ++++ b/linux_os/guide/services/obsolete/inetd_and_xinetd/configure_etc_hosts_deny/oval/shared.xml +@@ -0,0 +1 @@ ++{{{ oval_check_config_file(path='/etc/hosts.deny', prefix_regex='^[ \\t]*', parameter='ALL:', separator_regex='[ \\t]+', value='ALL', missing_parameter_pass=false, missing_config_file_fail=true) }}} +diff --git a/linux_os/guide/services/obsolete/inetd_and_xinetd/configure_etc_hosts_deny/rule.yml b/linux_os/guide/services/obsolete/inetd_and_xinetd/configure_etc_hosts_deny/rule.yml +new file mode 100644 +index 0000000000..f81259ab25 +--- /dev/null ++++ b/linux_os/guide/services/obsolete/inetd_and_xinetd/configure_etc_hosts_deny/rule.yml +@@ -0,0 +1,31 @@ ++documentation_complete: true ++ ++prodtype: ol7,rhel7 ++ ++title: 'Ensure /etc/hosts.deny is configured' ++ ++description: |- ++ The file /etc/hosts.deny together with /etc/hosts.allow provides a ++ simple access control mechanism for network services supporting TCP wrappers. ++ The following line in the file ensures that access to services supporting this mechanism is denied to any clients ++ not mentioned in /etc/hosts.allow: ++ 
ALL: ALL
++ ++rationale: |- ++ Correct configuration in /etc/hosts.deny ensures that no explicitly mentioned clients will be able to connect to services supporting this access controll mechanism. ++ ++severity: medium ++ ++identifiers: ++ cce@rhel7: 83391-3 ++ ++references: ++ cis@rhel7: 3.4.3 ++ ++ocil_clause: 'access to services supporting TCP wrappers is not properly configured' ++ ++ocil: |- ++ Display contents of the file: ++ 
cat /etc/hosts.deny
++ Verify that the output contains the following line: ++ 
ALL: ALL
+diff --git a/linux_os/guide/services/obsolete/inetd_and_xinetd/configure_etc_hosts_deny/tests/correct.pass.sh b/linux_os/guide/services/obsolete/inetd_and_xinetd/configure_etc_hosts_deny/tests/correct.pass.sh +new file mode 100644 +index 0000000000..cbd4e9467a +--- /dev/null ++++ b/linux_os/guide/services/obsolete/inetd_and_xinetd/configure_etc_hosts_deny/tests/correct.pass.sh +@@ -0,0 +1,6 @@ ++#!/bin/bash ++ ++# this is done to ensure that we don't lose ssh connection to the machine ++echo "ALL: ALL" > /etc/hosts.allow ++# this is the actual test case ++echo "ALL: ALL" > /etc/hosts.deny +diff --git a/linux_os/guide/services/obsolete/inetd_and_xinetd/configure_etc_hosts_deny/tests/file_empty.fail.sh b/linux_os/guide/services/obsolete/inetd_and_xinetd/configure_etc_hosts_deny/tests/file_empty.fail.sh +new file mode 100644 +index 0000000000..d61a08a119 +--- /dev/null ++++ b/linux_os/guide/services/obsolete/inetd_and_xinetd/configure_etc_hosts_deny/tests/file_empty.fail.sh +@@ -0,0 +1,6 @@ ++#!/bin/bash ++ ++# this is done to ensure that we don't lose ssh connection to the machine ++echo "ALL: ALL" > /etc/hosts.allow ++# this is the actual test case ++echo "" > /etc/hosts.deny +diff --git a/linux_os/guide/services/obsolete/inetd_and_xinetd/configure_etc_hosts_deny/tests/file_missing.fail.sh b/linux_os/guide/services/obsolete/inetd_and_xinetd/configure_etc_hosts_deny/tests/file_missing.fail.sh +new file mode 100644 +index 0000000000..78c99cc73a +--- /dev/null ++++ b/linux_os/guide/services/obsolete/inetd_and_xinetd/configure_etc_hosts_deny/tests/file_missing.fail.sh +@@ -0,0 +1,6 @@ ++#!(bin/bash ++ ++# this is done to ensure that we don't lose ssh connection to the machine ++echo "ALL: ALL" > /etc/hosts.allow ++# this is the actual test case ++rm -f /etc/hosts.deny +diff --git a/linux_os/guide/services/obsolete/inetd_and_xinetd/configure_etc_hosts_deny/tests/wrong.fail.sh b/linux_os/guide/services/obsolete/inetd_and_xinetd/configure_etc_hosts_deny/tests/wrong.fail.sh +new file mode 100644 +index 0000000000..efc958523d +--- /dev/null ++++ b/linux_os/guide/services/obsolete/inetd_and_xinetd/configure_etc_hosts_deny/tests/wrong.fail.sh +@@ -0,0 +1,6 @@ ++#!/bin/bash ++ ++# this is done to ensure that we don't lose ssh connection to the machine ++echo "ALL: ALL" > /etc/hosts.allow ++# this is the actual test case ++echo "something different" > /etc/hosts.deny +diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt +index 6a2445d0bf..6c2b6aee41 100644 +--- a/shared/references/cce-redhat-avail.txt ++++ b/shared/references/cce-redhat-avail.txt +@@ -96,7 +96,6 @@ CCE-83387-1 + CCE-83388-9 + CCE-83389-7 + CCE-83390-5 +-CCE-83391-3 + CCE-83392-1 + CCE-83393-9 + CCE-83394-7 + +From bd3d76598f4790efc7d589d6f4916aa207f4aa4b Mon Sep 17 00:00:00 2001 +From: Vojtech Polasek +Date: Mon, 23 Mar 2020 16:02:43 +0100 +Subject: [PATCH 2/3] add rule to rhel7 cis profile + +--- + rhel7/profiles/cis.profile | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/rhel7/profiles/cis.profile b/rhel7/profiles/cis.profile +index 486fcf9a33..4727adaaf5 100644 +--- a/rhel7/profiles/cis.profile ++++ b/rhel7/profiles/cis.profile +@@ -352,6 +352,8 @@ selections: + + ### 3.4.2 Ensure /etc/hosts.allow is configured (Scored) + ### 3.4.3 Ensure /etc/hosts.deny is configured (Scored) ++ - configure_etc_hosts_deny ++ + ### 3.4.4 Ensure permissions on /etc/hosts.allow are configured (Scored) + ### 3.4.5 Ensure permissions on /etc/hosts.deny are configured (Scored) + + +From d25cbb63a67af1ea749afda7c2fb7590de388538 Mon Sep 17 00:00:00 2001 +From: vojtapolasek +Date: Tue, 24 Mar 2020 08:57:21 +0100 +Subject: [PATCH 3/3] fix typo +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Co-Authored-By: Jan Černý +--- + .../obsolete/inetd_and_xinetd/configure_etc_hosts_deny/rule.yml | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/linux_os/guide/services/obsolete/inetd_and_xinetd/configure_etc_hosts_deny/rule.yml b/linux_os/guide/services/obsolete/inetd_and_xinetd/configure_etc_hosts_deny/rule.yml +index f81259ab25..ea657a8f79 100644 +--- a/linux_os/guide/services/obsolete/inetd_and_xinetd/configure_etc_hosts_deny/rule.yml ++++ b/linux_os/guide/services/obsolete/inetd_and_xinetd/configure_etc_hosts_deny/rule.yml +@@ -12,7 +12,7 @@ description: |- + 
ALL: ALL
+ + rationale: |- +- Correct configuration in /etc/hosts.deny ensures that no explicitly mentioned clients will be able to connect to services supporting this access controll mechanism. ++ Correct configuration in /etc/hosts.deny ensures that no explicitly mentioned clients will be able to connect to services supporting this access control mechanism. + + severity: medium + diff --git a/SOURCES/scap-security-guide-0.1.50-add_etc_hosts_deny_to_unselect_list_PR_5348.patch b/SOURCES/scap-security-guide-0.1.50-add_etc_hosts_deny_to_unselect_list_PR_5348.patch new file mode 100644 index 0000000..b0879c4 --- /dev/null +++ b/SOURCES/scap-security-guide-0.1.50-add_etc_hosts_deny_to_unselect_list_PR_5348.patch @@ -0,0 +1,19 @@ +From 9fda2e206f9a9a97453b564c74cae24a1d64b04d Mon Sep 17 00:00:00 2001 +From: Vojtech Polasek +Date: Thu, 26 Mar 2020 10:34:15 +0100 +Subject: [PATCH] add configure_etc_hosts_deny to ignored rules because it + breaks ssh connections + +--- + tests/unselect_rules_list | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/tests/unselect_rules_list b/tests/unselect_rules_list +index b65c177a1e..8ccbb14e95 100644 +--- a/tests/unselect_rules_list ++++ b/tests/unselect_rules_list +@@ -12,3 +12,4 @@ xccdf_org.ssgproject.content_rule_sshd_disable_root_login + xccdf_org.ssgproject.content_rule_sshd_disable_empty_passwords + xccdf_org.ssgproject.content_rule_disable_host_auth + xccdf_org.ssgproject.content_rule_harden_sshd_crypto_policy ++xccdf_org.ssgproject.content_rule_configure_etc_hosts_deny diff --git a/SOURCES/scap-security-guide-0.1.50-add_field_support_macro_syscall_PR_5724.patch b/SOURCES/scap-security-guide-0.1.50-add_field_support_macro_syscall_PR_5724.patch new file mode 100644 index 0000000..52e57d8 --- /dev/null +++ b/SOURCES/scap-security-guide-0.1.50-add_field_support_macro_syscall_PR_5724.patch @@ -0,0 +1,341 @@ +From 66b01d9b55ee6b1d791383467827a6444673a51c Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Wed, 29 Apr 2020 18:36:39 +0200 +Subject: [PATCH 1/6] Add fields arg to ansbile audit syscall macros + +The field arg allows one to specify syscall fields for the audit rule. +These fields can be auid, exit, argument, or any field used by audit. +Reference: +https://github.com/linux-audit/audit-documentation/wiki/SPEC-Writing-Good-Events#field-names +--- + shared/macros-ansible.jinja | 32 +++++++++++++++++++++++++------- + 1 file changed, 25 insertions(+), 7 deletions(-) + +diff --git a/shared/macros-ansible.jinja b/shared/macros-ansible.jinja +index 03e4306051..7674c290fa 100644 +--- a/shared/macros-ansible.jinja ++++ b/shared/macros-ansible.jinja +@@ -352,9 +352,11 @@ The macro requires following parameters: + - arch: an architecture to be used in the Audit rule (b32, b64) + - syscalls: list of syscalls supplied as a list ["syscall1", "syscall2"] etc. + - key: a key to use as rule identifier. ++- fields (optional): list of syscall fields to add (e.g.: auid=unset, exit=-EPERM, a0&0100); ++ Add them in the order you expect them to be in the audit rule. + Note that if there already exists a rule wit the same key in the /etc/audit/rules.d directory, the rule will be placed in the same file. + #}} +-{{% macro ansible_audit_augenrules_add_syscall_rule(arch="", syscalls=[], key="") -%}} ++{{% macro ansible_audit_augenrules_add_syscall_rule(arch="", syscalls=[], key="", fields=[]) -%}} + - name: Declare list of syscals + set_fact: + syscalls: {{{ syscalls }}} +@@ -362,10 +364,17 @@ Note that if there already exists a rule wit the same key in the /etc/audit/rul + - name: Declare number of syscalls + set_fact: audit_syscalls_number_of_syscalls="{{ syscalls|length|int }}" + ++{{# This dictionary is a Jinja2 trick to allow loops to change variables defined out of its scope #}} ++{{% set fields_data = { 'regex' : "", 'list': "" } %}} ++{{% for field in fields %}} ++ {{% set not_used = fields_data.update({'regex': fields_data.regex + '(?:-F\s+' + field + ')'}) %}} ++ {{% set not_used = fields_data.update({'list': fields_data.list+ ' -F ' + field }) %}} ++{{% endfor %}} ++ + - name: Check existence of syscalls for architecture {{{ arch }}} in /etc/audit/rules.d/ + find: + paths: "/etc/audit/rules.d" +- contains: '^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch={{{ arch }}}[\s]+)(?:.*(-S[\s]+{{ item }}[\s]+|([\s]+|[,]){{ item }}([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$' ++ contains: '^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch={{{ arch }}}[\s]+)(?:.*(-S[\s]+{{ item }}[\s]+|([\s]+|[,]){{ item }}([\s]+|[,]))).*{{{ fields_data.regex }}}(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$' + patterns: "*.rules" + register: audit_syscalls_found_{{{ arch }}}_rules_d + loop: "{{ syscalls }}" +@@ -401,7 +410,7 @@ Note that if there already exists a rule wit the same key in the /etc/audit/rul + loop: "{{ audit_syscalls_found_{{{ arch }}}_rules_d.results }}" + when: item.matched is defined and item.matched == 0 + - name: "Construct rule: add key" +- set_fact: tmpline="{{ tmpline + '-k {{{ key }}}' }}" ++ set_fact: tmpline="{{ tmpline + '{{{ fields_data.list }}} -k {{{ key }}}' }}" + - name: "Insert the line in {{ all_files[0] }}" + lineinfile: + path: "{{ all_files[0] }}" +@@ -417,8 +426,10 @@ The macro requires following parameters: + - arch: an architecture to be used in the Audit rule (b32, b64) + - syscalls: list of syscalls supplied as a list ["syscall1", "syscall2"] etc. + - key: a key to use as rule identifier. ++- fields (optional): list of syscall fields to add (e.g.: auid=unset, exit=-EPERM, a0&0100); ++ Add them in the order you expect them to be in the audit rule. + #}} +-{{% macro ansible_audit_auditctl_add_syscall_rule(arch="", syscalls=[], key="") -%}} ++{{% macro ansible_audit_auditctl_add_syscall_rule(arch="", syscalls=[], key="", fields=[]) -%}} + - name: Declare list of syscals + set_fact: + syscalls: {{{ syscalls }}} +@@ -426,10 +437,17 @@ The macro requires following parameters: + - name: Declare number of syscalls + set_fact: audit_syscalls_number_of_syscalls="{{ syscalls|length|int }}" + ++{{# This dictionary is a Jinja2 trick to allow loops to change variables defined out of its scope #}} ++{{% set fields_data = { 'regex' : "", 'list': "" } %}} ++{{% for field in fields %}} ++ {{% set not_used = fields_data.update({'regex': fields_data.regex + '(?:-F\s+' + field + ')'}) %}} ++ {{% set not_used = fields_data.update({'list': fields_data.list + ' -F ' + field }) %}} ++{{% endfor %}} ++ + - name: Check existence of syscalls for architecture {{{ arch }}} in /etc/audit/audit.rules + find: + paths: "/etc/audit" +- contains: '^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch={{{ arch }}}[\s]+)(?:.*(-S[\s]+{{ item }}[\s]+|([\s]+|[,]){{ item }}([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$' ++ contains: '^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch={{{ arch }}}[\s]+)(?:.*(-S[\s]+{{ item }}[\s]+|([\s]+|[,]){{ item }}([\s]+|[,]))).*{{{ fields_data.regex }}}(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$' + patterns: "audit.rules" + register: audit_syscalls_found_{{{ arch }}}_audit_rules + loop: "{{ syscalls }}" +@@ -445,8 +463,8 @@ The macro requires following parameters: + set_fact: tmpline="{{tmpline + '-S ' + item.item + ' ' }}" + loop: "{{ audit_syscalls_found_{{{ arch }}}_audit_rules.results }}" + when: item.matched is defined and item.matched == 0 +- - name: "Construct rule: add key" +- set_fact: tmpline="{{ tmpline + '-k {{{ key }}}' }}" ++ - name: "Construct rule: add fields and key" ++ set_fact: tmpline="{{ tmpline + '{{{ fields_data.list }}} -k {{{ key }}}' }}" + - name: Insert the line in /etc/audit/audit.rules + lineinfile: + path: "/etc/audit/audit.rules" + +From 5de069a558c4456d0610764d8fc9da23f0ba294e Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Wed, 29 Apr 2020 18:43:08 +0200 +Subject: [PATCH 2/6] Fix spacing between syscalls and fields + +By having the white space at the beginning of the token, it is easy to +concatenate them without worries. +--- + shared/macros-ansible.jinja | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +diff --git a/shared/macros-ansible.jinja b/shared/macros-ansible.jinja +index 7674c290fa..2aaf0c366b 100644 +--- a/shared/macros-ansible.jinja ++++ b/shared/macros-ansible.jinja +@@ -404,12 +404,12 @@ Note that if there already exists a rule wit the same key in the /etc/audit/rul + - name: "Insert the syscall rule in {{ all_files[0] }}" + block: + - name: "Construct rule: add rule list, action and arch" +- set_fact: tmpline="-a always,exit -F arch={{{ arch }}} " ++ set_fact: tmpline="-a always,exit -F arch={{{ arch }}}" + - name: "Construct rule: add syscalls" +- set_fact: tmpline="{{tmpline + '-S ' + item.item + ' ' }}" ++ set_fact: tmpline="{{tmpline + ' -S ' + item.item }}" + loop: "{{ audit_syscalls_found_{{{ arch }}}_rules_d.results }}" + when: item.matched is defined and item.matched == 0 +- - name: "Construct rule: add key" ++ - name: "Construct rule: add fields and key" + set_fact: tmpline="{{ tmpline + '{{{ fields_data.list }}} -k {{{ key }}}' }}" + - name: "Insert the line in {{ all_files[0] }}" + lineinfile: +@@ -458,9 +458,9 @@ The macro requires following parameters: + - name: Insert the syscall rule in /etc/audit/audit.rules + block: + - name: "Construct rule: add rule list, action and arch" +- set_fact: tmpline="-a always,exit -F arch={{{ arch }}} " ++ set_fact: tmpline="-a always,exit -F arch={{{ arch }}}" + - name: "Construct rule: add syscalls" +- set_fact: tmpline="{{tmpline + '-S ' + item.item + ' ' }}" ++ set_fact: tmpline="{{tmpline + ' -S ' + item.item }}" + loop: "{{ audit_syscalls_found_{{{ arch }}}_audit_rules.results }}" + when: item.matched is defined and item.matched == 0 + - name: "Construct rule: add fields and key" + +From 80a3b0cca2b3af62e1a7cff578a45e844bd12fb4 Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Thu, 30 Apr 2020 09:10:41 +0200 +Subject: [PATCH 3/6] Add tests for audit_rules_time_clock_settime + +--- + .../tests/correct_syscall.pass.sh | 7 +++++++ + .../tests/incorrect_arg_field.fail.sh | 7 +++++++ + .../tests/incorrect_syscall.fail.sh | 7 +++++++ + 3 files changed, 21 insertions(+) + create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_clock_settime/tests/correct_syscall.pass.sh + create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_clock_settime/tests/incorrect_arg_field.fail.sh + create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_clock_settime/tests/incorrect_syscall.fail.sh + +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_clock_settime/tests/correct_syscall.pass.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_clock_settime/tests/correct_syscall.pass.sh +new file mode 100644 +index 0000000000..b71cc454bc +--- /dev/null ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_clock_settime/tests/correct_syscall.pass.sh +@@ -0,0 +1,7 @@ ++#!/bin/bash ++ ++# profiles = xccdf_org.ssgproject.content_profile_cis ++ ++rm -rf /etc/audit/rules.d/*.rules ++echo "-a always,exit -F arch=b32 -S clock_settime -F a0=0x0 -k time-change" >> /etc/audit/rules.d/time.rules ++echo "-a always,exit -F arch=b64 -S clock_settime -F a0=0x0 -k time-change" >> /etc/audit/rules.d/time.rules +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_clock_settime/tests/incorrect_arg_field.fail.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_clock_settime/tests/incorrect_arg_field.fail.sh +new file mode 100644 +index 0000000000..add0722747 +--- /dev/null ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_clock_settime/tests/incorrect_arg_field.fail.sh +@@ -0,0 +1,7 @@ ++#!/bin/bash ++ ++# profiles = xccdf_org.ssgproject.content_profile_cis ++ ++rm -rf /etc/audit/rules.d/*.rules ++echo "-a always,exit -F arch=b32 -S clock_settime -F a0=0x1 -k time-change" >> /etc/audit/rules.d/time.rules ++echo "-a always,exit -F arch=b64 -S clock_settime -F a0=0x1 -k time-change" >> /etc/audit/rules.d/time.rules +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_clock_settime/tests/incorrect_syscall.fail.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_clock_settime/tests/incorrect_syscall.fail.sh +new file mode 100644 +index 0000000000..9ab5cc3bc4 +--- /dev/null ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_clock_settime/tests/incorrect_syscall.fail.sh +@@ -0,0 +1,7 @@ ++#!/bin/bash ++ ++# profiles = xccdf_org.ssgproject.content_profile_cis ++ ++rm -rf /etc/audit/rules.d/*.rules ++echo "-a always,exit -F arch=b32 -S stime -F a0=0x0 -k time-change" >> /etc/audit/rules.d/time.rules ++echo "-a always,exit -F arch=b64 -S stime -F a0=0x0 -k time-change" >> /etc/audit/rules.d/time.rules + +From a5b36f8400f821e35fc5a7e77b36a9fee0124702 Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Thu, 30 Apr 2020 09:34:35 +0200 +Subject: [PATCH 4/6] Add Ansible for audit syscall clock_settime + +Also demonstrates how to use the fields parameter in ansible audit +syscall macro. +--- + .../ansible/shared.yml | 22 +++++++++++++++++++ + 1 file changed, 22 insertions(+) + create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_clock_settime/ansible/shared.yml + +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_clock_settime/ansible/shared.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_clock_settime/ansible/shared.yml +new file mode 100644 +index 0000000000..e77850fa25 +--- /dev/null ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_clock_settime/ansible/shared.yml +@@ -0,0 +1,22 @@ ++# platform = multi_platform_all ++# reboot = false ++# strategy = restrict ++# complexity = low ++# disruption = low ++ ++# What architecture are we on? ++# ++- name: Set architecture for audit tasks ++ set_fact: ++ audit_arch: "b{{ ansible_architecture | regex_replace('.*(\\d\\d$)','\\1') }}" ++ ++- name: Perform remediation of Audit rules for clock_settime for x86 platform ++ block: ++ {{{ ansible_audit_augenrules_add_syscall_rule(arch="b32", syscalls=["clock_settime"], key="time-change", fields=["a0=0x0"])|indent(4) }}} ++ {{{ ansible_audit_auditctl_add_syscall_rule(arch="b32", syscalls=["clock_settime"], key="time-change", fields=["a0=0x0"])|indent(4) }}} ++ ++- name: Perform remediation of Audit rules for clock_settime for x86_64 platform ++ block: ++ {{{ ansible_audit_augenrules_add_syscall_rule(arch="b64", syscalls=["clock_settime"], key="time-change", fields=["a0=0x0"])|indent(4) }}} ++ {{{ ansible_audit_auditctl_add_syscall_rule(arch="b64", syscalls=["clock_settime"], key="time-change", fields=["a0=0x0"])|indent(4) }}} ++ when: audit_arch == "b64" + +From fe179d4d870878d29b603e7ab5a8bc79cb8eb05c Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Thu, 30 Apr 2020 11:54:03 +0200 +Subject: [PATCH 5/6] Fix regex spacing between fields and the key + +There needs to be a space between them. +Change syntax to be consistent with rest of regex. +--- + shared/macros-ansible.jinja | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/shared/macros-ansible.jinja b/shared/macros-ansible.jinja +index 2aaf0c366b..eeafe5f6d5 100644 +--- a/shared/macros-ansible.jinja ++++ b/shared/macros-ansible.jinja +@@ -367,7 +367,7 @@ Note that if there already exists a rule wit the same key in the /etc/audit/rul + {{# This dictionary is a Jinja2 trick to allow loops to change variables defined out of its scope #}} + {{% set fields_data = { 'regex' : "", 'list': "" } %}} + {{% for field in fields %}} +- {{% set not_used = fields_data.update({'regex': fields_data.regex + '(?:-F\s+' + field + ')'}) %}} ++ {{% set not_used = fields_data.update({'regex': fields_data.regex + '(?:-F[\s]+' + field + '[\s]+)'}) %}} + {{% set not_used = fields_data.update({'list': fields_data.list+ ' -F ' + field }) %}} + {{% endfor %}} + +@@ -440,7 +440,7 @@ The macro requires following parameters: + {{# This dictionary is a Jinja2 trick to allow loops to change variables defined out of its scope #}} + {{% set fields_data = { 'regex' : "", 'list': "" } %}} + {{% for field in fields %}} +- {{% set not_used = fields_data.update({'regex': fields_data.regex + '(?:-F\s+' + field + ')'}) %}} ++ {{% set not_used = fields_data.update({'regex': fields_data.regex + '(?:-F[\s]+' + field + '[\s]+)'}) %}} + {{% set not_used = fields_data.update({'list': fields_data.list + ' -F ' + field }) %}} + {{% endfor %}} + + +From 5e13b1a6698d4403cf4108664fd2c33be5ee9109 Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Thu, 30 Apr 2020 14:41:59 +0200 +Subject: [PATCH 6/6] Improve macro documenation and clarify var name + +--- + shared/macros-ansible.jinja | 22 ++++++++++++++-------- + 1 file changed, 14 insertions(+), 8 deletions(-) + +diff --git a/shared/macros-ansible.jinja b/shared/macros-ansible.jinja +index eeafe5f6d5..7b64341fb7 100644 +--- a/shared/macros-ansible.jinja ++++ b/shared/macros-ansible.jinja +@@ -364,11 +364,14 @@ Note that if there already exists a rule wit the same key in the /etc/audit/rul + - name: Declare number of syscalls + set_fact: audit_syscalls_number_of_syscalls="{{ syscalls|length|int }}" + +-{{# This dictionary is a Jinja2 trick to allow loops to change variables defined out of its scope #}} +-{{% set fields_data = { 'regex' : "", 'list': "" } %}} ++{{# ++This dictionary is a Jinja2 trick to allow loops to change variables defined out of its scope. ++See official documentation: https://jinja.palletsprojects.com/en/2.11.x/templates/#assignments ++#}} ++{{% set fields_data = { 'regex' : "", 'plain_text': "" } %}} + {{% for field in fields %}} + {{% set not_used = fields_data.update({'regex': fields_data.regex + '(?:-F[\s]+' + field + '[\s]+)'}) %}} +- {{% set not_used = fields_data.update({'list': fields_data.list+ ' -F ' + field }) %}} ++ {{% set not_used = fields_data.update({'plain_text': fields_data.plain_text + ' -F ' + field }) %}} + {{% endfor %}} + + - name: Check existence of syscalls for architecture {{{ arch }}} in /etc/audit/rules.d/ +@@ -410,7 +413,7 @@ Note that if there already exists a rule wit the same key in the /etc/audit/rul + loop: "{{ audit_syscalls_found_{{{ arch }}}_rules_d.results }}" + when: item.matched is defined and item.matched == 0 + - name: "Construct rule: add fields and key" +- set_fact: tmpline="{{ tmpline + '{{{ fields_data.list }}} -k {{{ key }}}' }}" ++ set_fact: tmpline="{{ tmpline + '{{{ fields_data.plain_text }}} -k {{{ key }}}' }}" + - name: "Insert the line in {{ all_files[0] }}" + lineinfile: + path: "{{ all_files[0] }}" +@@ -437,11 +440,14 @@ The macro requires following parameters: + - name: Declare number of syscalls + set_fact: audit_syscalls_number_of_syscalls="{{ syscalls|length|int }}" + +-{{# This dictionary is a Jinja2 trick to allow loops to change variables defined out of its scope #}} +-{{% set fields_data = { 'regex' : "", 'list': "" } %}} ++{{# ++This dictionary is a Jinja2 trick to allow loops to change variables defined out of its scope. ++See official documentation: https://jinja.palletsprojects.com/en/2.11.x/templates/#assignments ++#}} ++{{% set fields_data = { 'regex' : "", 'plain_text': "" } %}} + {{% for field in fields %}} + {{% set not_used = fields_data.update({'regex': fields_data.regex + '(?:-F[\s]+' + field + '[\s]+)'}) %}} +- {{% set not_used = fields_data.update({'list': fields_data.list + ' -F ' + field }) %}} ++ {{% set not_used = fields_data.update({'plain_text': fields_data.plain_text + ' -F ' + field }) %}} + {{% endfor %}} + + - name: Check existence of syscalls for architecture {{{ arch }}} in /etc/audit/audit.rules +@@ -464,7 +470,7 @@ The macro requires following parameters: + loop: "{{ audit_syscalls_found_{{{ arch }}}_audit_rules.results }}" + when: item.matched is defined and item.matched == 0 + - name: "Construct rule: add fields and key" +- set_fact: tmpline="{{ tmpline + '{{{ fields_data.list }}} -k {{{ key }}}' }}" ++ set_fact: tmpline="{{ tmpline + '{{{ fields_data.plain_text }}} -k {{{ key }}}' }}" + - name: Insert the line in /etc/audit/audit.rules + lineinfile: + path: "/etc/audit/audit.rules" diff --git a/SOURCES/scap-security-guide-0.1.50-add_grub2_disable_ipv6_PR_5324.patch b/SOURCES/scap-security-guide-0.1.50-add_grub2_disable_ipv6_PR_5324.patch new file mode 100644 index 0000000..7882c3e --- /dev/null +++ b/SOURCES/scap-security-guide-0.1.50-add_grub2_disable_ipv6_PR_5324.patch @@ -0,0 +1,351 @@ +From 0f919eef79444dfbbf105d58258f4935596d617d Mon Sep 17 00:00:00 2001 +From: Vojtech Polasek +Date: Fri, 20 Mar 2020 11:15:10 +0100 +Subject: [PATCH 1/5] add rule + +--- + .../grub2_disable_ipv6/rule.yml | 94 +++++++++++++++++++ + 2 files changed, 94 insertions(+), 2 deletions(-) + create mode 100644 linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_disable_ipv6/rule.yml + +diff --git a/linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_disable_ipv6/rule.yml b/linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_disable_ipv6/rule.yml +new file mode 100644 +index 0000000000..ab3137e57e +--- /dev/null ++++ b/linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_disable_ipv6/rule.yml +@@ -0,0 +1,94 @@ ++documentation_complete: true ++ ++prodtype: rhel7,ol7,rhel8,ol8,fedora,rhv4,ocp4 ++ ++title: 'Ensure IPv6 is disabled through kernel boot parameter' ++ ++description: |- ++ To disable IPv6 protocol support in the Linux kernel, ++ add the argument ipv6.disable=1 to the default ++ GRUB 2 command line for the Linux operating system in ++{{% if product in ["rhel7", "ol7", "rhv4"] %}} ++ /etc/default/grub, so that the line looks similar to ++ 
GRUB_CMDLINE_LINUX="... ipv6.disable=1 ..."
++ In case the GRUB_DISABLE_RECOVERY is set to true, then the parameter should be added to the GRUB_CMDLINE_LINUX_DEFAULT instead. ++{{% else %}} ++ /boot/grub2/grubenv, in the manner below: ++ 
# grub2-editenv - set "$(grub2-editenv - list | grep kernelopts) ipv6.disable=1"
++{{% endif %}} ++ ++ ++rationale: |- ++ Any unnecessary network stacks - including IPv6 - should be disabled, to reduce ++ the vulnerability to exploitation. ++ ++severity: medium ++ ++identifiers: ++ cce@rhel7: 82886-3 ++ cce@rhel8: 82887-1 ++ ++references: ++ cis@rhel7: 3.3.3 ++ cis@rhel8: "3.6" ++ ++ocil_clause: 'IPv6 is not disabled' ++ ++ocil: |- ++ {{% if product in ["rhel7", "ol7", "rhv4"] %}} ++ Inspect the form of default GRUB 2 command line for the Linux operating system ++ in /etc/default/grub. If it includes ipv6.disable=1, then IPv6 ++ is disabled at boot time. ++ First check if the GRUB recovery is enabled: ++ 
$ grep 'GRUB_DISABLE_RECOVERY' /etc/default/grub
++ If this option is set to true, then check that a line is output by the following command: ++ 
$ grep 'GRUB_CMDLINE_LINUX_DEFAULT.*ipv6.disable=1.*' /etc/default/grub
++ If the recovery is disabled, check the line with ++ 
$ grep 'GRUB_CMDLINE_LINUX.*ipv6.disable=1.*' /etc/default/grub
. ++ Moreover, current Grub2 config file in /etc/grub2/grub.cfg must be checked. ++ 
# grep vmlinuz /boot/grub2/grub.cfg | grep -v 'ipv6.disable=1'
++ This command should not return any output. If it does, update the configuration with ++ 
# grub2-mkconfig -o /boot/grub2/grub.cfg
++

++ Alternatively, to ensure ipv6.disable=1 is configured on all installed kernels, the ++ following command may be used: ++
++ 
$ sudo /sbin/grubby --update-kernel=ALL --args="ipv6.disable=1"
++
++{{% else %}} ++ Inspect the form of default GRUB 2 command line for the Linux operating system ++ in /boot/grub2/grubenv. If they include ipv6.disable=1, then IPv6 ++ is disabled at boot time. ++ 
# grep 'kernelopts.*ipv6.disable=1.*' /boot/grub2/grubenv
++

++ To ensure ipv6.disable=1 is configured on all installed kernels, the ++ following command may be used: ++
++ 
# grub2-editenv - set "$(grub2-editenv - list | grep kernelopts) ipv6.disable=1"
++
++{{% endif %}} ++ ++ ++warnings: ++ - management: |- ++ The GRUB 2 configuration file, grub.cfg, ++ is automatically updated each time a new kernel is installed. Note that any ++ changes to /etc/default/grub require rebuilding the grub.cfg ++ file. To update the GRUB 2 configuration file manually, use the ++ 
grub2-mkconfig -o
command as follows: ++
    ++
  • On BIOS-based machines, issue the following command as root: ++ 
    ~]# grub2-mkconfig -o /boot/grub2/grub.cfg
    • ++
  • On UEFI-based machines, issue the following command as root: ++{{% if product in ["rhel7", "ol7", "rhel8", "ol8"] %}} ++ 
    ~]# grub2-mkconfig -o /boot/efi/EFI/redhat/grub.cfg
    • ++{{% else %}} ++ 
    ~]# grub2-mkconfig -o /boot/efi/EFI/fedora/grub.cfg
    ++{{% endif %}} ++
++ ++template: ++ name: grub2_bootloader_argument ++ vars: ++ arg_name: ipv6.disable ++ arg_value: '1' + +From 847faabaa90a70a4c1c4c896c287f8f05b40579c Mon Sep 17 00:00:00 2001 +From: Vojtech Polasek +Date: Fri, 20 Mar 2020 15:06:45 +0100 +Subject: [PATCH 2/5] add rule to rhel7 and rhel8 cis + +--- + rhel7/profiles/cis.profile | 1 + + 2 files changed, 2 insertions(+), 1 deletion(-) + +diff --git a/rhel7/profiles/cis.profile b/rhel7/profiles/cis.profile +index b66594f594..88b27c7a71 100644 +--- a/rhel7/profiles/cis.profile ++++ b/rhel7/profiles/cis.profile +@@ -350,6 +350,7 @@ selections: + - sysctl_net_ipv6_conf_default_accept_redirects + + ### 3.3.3 Ensure IPv6 is disabled (Not Scored) ++ - grub2_disable_ipv6 + + ## 3.4 TCP Wrappers + ### 3.4.1 Ensure TCP Wrappers is installed (Scored) + +From 95e501a09061ade19d5c6363967bc48a5e28ef41 Mon Sep 17 00:00:00 2001 +From: vojtapolasek +Date: Mon, 23 Mar 2020 08:49:06 +0100 +Subject: [PATCH 3/5] fix wording in rule.yml + +Co-Authored-By: Shawn Wells +--- + .../disabling_ipv6/grub2_disable_ipv6/rule.yml | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +diff --git a/linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_disable_ipv6/rule.yml b/linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_disable_ipv6/rule.yml +index ab3137e57e..06fd3b2a36 100644 +--- a/linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_disable_ipv6/rule.yml ++++ b/linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_disable_ipv6/rule.yml +@@ -7,7 +7,7 @@ title: 'Ensure IPv6 is disabled through kernel boot parameter' + description: |- + To disable IPv6 protocol support in the Linux kernel, + add the argument ipv6.disable=1 to the default +- GRUB 2 command line for the Linux operating system in ++ GRUB2 command line for the Linux operating system in + {{% if product in ["rhel7", "ol7", "rhv4"] %}} + /etc/default/grub, so that the line looks similar to + 
GRUB_CMDLINE_LINUX="... ipv6.disable=1 ..."
+@@ -19,7 +19,7 @@ description: |- + + + rationale: |- +- Any unnecessary network stacks - including IPv6 - should be disabled, to reduce ++ Any unnecessary network stacks, including IPv6, should be disabled to reduce + the vulnerability to exploitation. + + severity: medium +@@ -36,7 +36,7 @@ ocil_clause: 'IPv6 is not disabled' + + ocil: |- + {{% if product in ["rhel7", "ol7", "rhv4"] %}} +- Inspect the form of default GRUB 2 command line for the Linux operating system ++ Inspect the form of default GRUB2 command line for the Linux operating system + in /etc/default/grub. If it includes ipv6.disable=1, then IPv6 + is disabled at boot time. + First check if the GRUB recovery is enabled: +@@ -45,7 +45,7 @@ ocil: |- + 
$ grep 'GRUB_CMDLINE_LINUX_DEFAULT.*ipv6.disable=1.*' /etc/default/grub
+ If the recovery is disabled, check the line with + 
$ grep 'GRUB_CMDLINE_LINUX.*ipv6.disable=1.*' /etc/default/grub
. +- Moreover, current Grub2 config file in /etc/grub2/grub.cfg must be checked. ++ Moreover, current GRUB2 config file in /etc/grub2/grub.cfg must be checked. + 
# grep vmlinuz /boot/grub2/grub.cfg | grep -v 'ipv6.disable=1'
+ This command should not return any output. If it does, update the configuration with + 
# grub2-mkconfig -o /boot/grub2/grub.cfg
+@@ -56,7 +56,7 @@ ocil: |- + 
$ sudo /sbin/grubby --update-kernel=ALL --args="ipv6.disable=1"
+
+ {{% else %}} +- Inspect the form of default GRUB 2 command line for the Linux operating system ++ Inspect the form of default GRUB2 command line for the Linux operating system + in /boot/grub2/grubenv. If they include ipv6.disable=1, then IPv6 + is disabled at boot time. + 
# grep 'kernelopts.*ipv6.disable=1.*' /boot/grub2/grubenv
+ +From 3006d2025e472c2c457f5665ab0096f22e84766c Mon Sep 17 00:00:00 2001 +From: Vojtech Polasek +Date: Mon, 23 Mar 2020 14:13:15 +0100 +Subject: [PATCH 4/5] change severity, reorder prodtypes, and add sudo instead + of root + +--- + .../grub2_disable_ipv6/rule.yml | 32 +++++++++---------- + 1 file changed, 16 insertions(+), 16 deletions(-) + +diff --git a/linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_disable_ipv6/rule.yml b/linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_disable_ipv6/rule.yml +index 06fd3b2a36..1c6d2388d1 100644 +--- a/linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_disable_ipv6/rule.yml ++++ b/linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_disable_ipv6/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: rhel7,ol7,rhel8,ol8,fedora,rhv4,ocp4 ++prodtype: fedora,ocp4,ol7,ol8,rhel7,rhel8,rhv4 + + title: 'Ensure IPv6 is disabled through kernel boot parameter' + +@@ -14,7 +14,7 @@ description: |- + In case the GRUB_DISABLE_RECOVERY is set to true, then the parameter should be added to the GRUB_CMDLINE_LINUX_DEFAULT instead. + {{% else %}} + /boot/grub2/grubenv, in the manner below: +- 
# grub2-editenv - set "$(grub2-editenv - list | grep kernelopts) ipv6.disable=1"
++ 
sudo  grub2-editenv - set "$(grub2-editenv - list | grep kernelopts) ipv6.disable=1"
+ {{% endif %}} + + +@@ -22,7 +22,7 @@ rationale: |- + Any unnecessary network stacks, including IPv6, should be disabled to reduce + the vulnerability to exploitation. + +-severity: medium ++severity: low + + identifiers: + cce@rhel7: 82886-3 +@@ -40,31 +40,31 @@ ocil: |- + in /etc/default/grub. If it includes ipv6.disable=1, then IPv6 + is disabled at boot time. + First check if the GRUB recovery is enabled: +- 
$ grep 'GRUB_DISABLE_RECOVERY' /etc/default/grub
++ 
grep 'GRUB_DISABLE_RECOVERY' /etc/default/grub
+ If this option is set to true, then check that a line is output by the following command: +- 
$ grep 'GRUB_CMDLINE_LINUX_DEFAULT.*ipv6.disable=1.*' /etc/default/grub
++ 
grep 'GRUB_CMDLINE_LINUX_DEFAULT.*ipv6.disable=1.*' /etc/default/grub
+ If the recovery is disabled, check the line with +- 
$ grep 'GRUB_CMDLINE_LINUX.*ipv6.disable=1.*' /etc/default/grub
. ++ 
grep 'GRUB_CMDLINE_LINUX.*ipv6.disable=1.*' /etc/default/grub
. + Moreover, current GRUB2 config file in /etc/grub2/grub.cfg must be checked. +- 
# grep vmlinuz /boot/grub2/grub.cfg | grep -v 'ipv6.disable=1'
++ 
sudo grep vmlinuz /boot/grub2/grub.cfg | grep -v 'ipv6.disable=1'
+ This command should not return any output. If it does, update the configuration with +- 
# grub2-mkconfig -o /boot/grub2/grub.cfg
++ 
sudo grub2-mkconfig -o /boot/grub2/grub.cfg
+

+ Alternatively, to ensure ipv6.disable=1 is configured on all installed kernels, the + following command may be used: +
+- 
$ sudo /sbin/grubby --update-kernel=ALL --args="ipv6.disable=1"
++ 
sudo /sbin/grubby --update-kernel=ALL --args="ipv6.disable=1"
+
+ {{% else %}} + Inspect the form of default GRUB2 command line for the Linux operating system + in /boot/grub2/grubenv. If they include ipv6.disable=1, then IPv6 + is disabled at boot time. +- 
# grep 'kernelopts.*ipv6.disable=1.*' /boot/grub2/grubenv
++ 
sudo grep 'kernelopts.*ipv6.disable=1.*' /boot/grub2/grubenv
+

+ To ensure ipv6.disable=1 is configured on all installed kernels, the + following command may be used: +
+- 
# grub2-editenv - set "$(grub2-editenv - list | grep kernelopts) ipv6.disable=1"
++ 
sudo grub2-editenv - set "$(grub2-editenv - list | grep kernelopts) ipv6.disable=1"
+
+ {{% endif %}} + +@@ -77,13 +77,13 @@ warnings: + file. To update the GRUB 2 configuration file manually, use the + 
grub2-mkconfig -o
command as follows: +
    +-
  • On BIOS-based machines, issue the following command as root: +- 
    ~]# grub2-mkconfig -o /boot/grub2/grub.cfg
    • +-
  • On UEFI-based machines, issue the following command as root: ++
  • On BIOS-based machines, issue the following command: ++ 
    sudo grub2-mkconfig -o /boot/grub2/grub.cfg
    • ++
  • On UEFI-based machines, issue the following command: + {{% if product in ["rhel7", "ol7", "rhel8", "ol8"] %}} +- 
    ~]# grub2-mkconfig -o /boot/efi/EFI/redhat/grub.cfg
    • ++ 
    sudo grub2-mkconfig -o /boot/efi/EFI/redhat/grub.cfg
    + {{% else %}} +- 
    ~]# grub2-mkconfig -o /boot/efi/EFI/fedora/grub.cfg
    ++ 
    sudo grub2-mkconfig -o /boot/efi/EFI/fedora/grub.cfg
    + {{% endif %}} +
+ + +From 18529b39aa08084c6a73adec2771b48eac89ce7f Mon Sep 17 00:00:00 2001 +From: Vojtech Polasek +Date: Wed, 25 Mar 2020 09:54:05 +0100 +Subject: [PATCH 5/5] make description and ocil clearer + +--- + .../grub2_disable_ipv6/rule.yml | 19 +++++++++---------- + 1 file changed, 9 insertions(+), 10 deletions(-) + +diff --git a/linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_disable_ipv6/rule.yml b/linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_disable_ipv6/rule.yml +index 1c6d2388d1..e128654204 100644 +--- a/linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_disable_ipv6/rule.yml ++++ b/linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_disable_ipv6/rule.yml +@@ -12,6 +12,10 @@ description: |- + /etc/default/grub, so that the line looks similar to + 
GRUB_CMDLINE_LINUX="... ipv6.disable=1 ..."
+ In case the GRUB_DISABLE_RECOVERY is set to true, then the parameter should be added to the GRUB_CMDLINE_LINUX_DEFAULT instead. ++ Run one of following command to ensure that the configuration is applied when booting currently installed kernels: ++ 
sudo grub2-mkconfig -o /boot/grub2/grub.cfg
++ or ++ 
sudo /sbin/grubby --update-kernel=ALL --args="ipv6.disable=1"
+ {{% else %}} + /boot/grub2/grubenv, in the manner below: + 
sudo  grub2-editenv - set "$(grub2-editenv - list | grep kernelopts) ipv6.disable=1"
+@@ -37,28 +41,23 @@ ocil_clause: 'IPv6 is not disabled' + ocil: |- + {{% if product in ["rhel7", "ol7", "rhv4"] %}} + Inspect the form of default GRUB2 command line for the Linux operating system +- in /etc/default/grub. If it includes ipv6.disable=1, then IPv6 +- is disabled at boot time. ++ in /etc/default/grub. Check if it includes ipv6.disable=1. + First check if the GRUB recovery is enabled: + 
grep 'GRUB_DISABLE_RECOVERY' /etc/default/grub
+- If this option is set to true, then check that a line is output by the following command: ++ If this option is set to true, then check that the following line is output by the following command: + 
grep 'GRUB_CMDLINE_LINUX_DEFAULT.*ipv6.disable=1.*' /etc/default/grub
+ If the recovery is disabled, check the line with + 
grep 'GRUB_CMDLINE_LINUX.*ipv6.disable=1.*' /etc/default/grub
. + Moreover, current GRUB2 config file in /etc/grub2/grub.cfg must be checked. + 
sudo grep vmlinuz /boot/grub2/grub.cfg | grep -v 'ipv6.disable=1'
+- This command should not return any output. If it does, update the configuration with ++ This command should not return any output. If it does, update the configuration with one of following commands: + 
sudo grub2-mkconfig -o /boot/grub2/grub.cfg
+-

+- Alternatively, to ensure ipv6.disable=1 is configured on all installed kernels, the +- following command may be used: +-
++ or + 
sudo /sbin/grubby --update-kernel=ALL --args="ipv6.disable=1"
+
+ {{% else %}} + Inspect the form of default GRUB2 command line for the Linux operating system +- in /boot/grub2/grubenv. If they include ipv6.disable=1, then IPv6 +- is disabled at boot time. ++ in /boot/grub2/grubenv. Check if it includes ipv6.disable=1. + 
sudo grep 'kernelopts.*ipv6.disable=1.*' /boot/grub2/grubenv
+

+ To ensure ipv6.disable=1 is configured on all installed kernels, the diff --git a/SOURCES/scap-security-guide-0.1.50-add_missing_cces_PR_5546.patch b/SOURCES/scap-security-guide-0.1.50-add_missing_cces_PR_5546.patch new file mode 100644 index 0000000..388a393 --- /dev/null +++ b/SOURCES/scap-security-guide-0.1.50-add_missing_cces_PR_5546.patch @@ -0,0 +1,48 @@ +From b0f940d192e7a649970cb160647d90a5e5e3649c Mon Sep 17 00:00:00 2001 +From: Milan Lysonek +Date: Mon, 30 Mar 2020 13:19:46 +0200 +Subject: [PATCH] Add RHEL7 CCEs to chronyd_specify_remote_server, + package_chrony_installed, and service_chronyd_enabled. + +--- + .../guide/services/ntp/chronyd_specify_remote_server/rule.yml | 1 + + linux_os/guide/services/ntp/package_chrony_installed/rule.yml | 1 + + linux_os/guide/services/ntp/service_chronyd_enabled/rule.yml | 1 + + 4 files changed, 3 insertions(+), 3 deletions(-) + +diff --git a/linux_os/guide/services/ntp/chronyd_specify_remote_server/rule.yml b/linux_os/guide/services/ntp/chronyd_specify_remote_server/rule.yml +index ea4c955c8e..8179f5dbfb 100644 +--- a/linux_os/guide/services/ntp/chronyd_specify_remote_server/rule.yml ++++ b/linux_os/guide/services/ntp/chronyd_specify_remote_server/rule.yml +@@ -22,6 +22,7 @@ severity: medium + platform: chrony + + identifiers: ++ cce@rhel7: 83418-4 + cce@rhel8: 82873-1 + + references: +diff --git a/linux_os/guide/services/ntp/package_chrony_installed/rule.yml b/linux_os/guide/services/ntp/package_chrony_installed/rule.yml +index f6dc1f427f..19be2af6b9 100644 +--- a/linux_os/guide/services/ntp/package_chrony_installed/rule.yml ++++ b/linux_os/guide/services/ntp/package_chrony_installed/rule.yml +@@ -18,6 +18,7 @@ severity: medium + platform: machine + + identifiers: ++ cce@rhel7: 83419-2 + cce@rhel8: 82874-9 + + references: +diff --git a/linux_os/guide/services/ntp/service_chronyd_enabled/rule.yml b/linux_os/guide/services/ntp/service_chronyd_enabled/rule.yml +index 94269dfd54..b0e28d3a6d 100644 +--- a/linux_os/guide/services/ntp/service_chronyd_enabled/rule.yml ++++ b/linux_os/guide/services/ntp/service_chronyd_enabled/rule.yml +@@ -21,6 +21,7 @@ severity: medium + platform: machine + + identifiers: ++ cce@rhel7: 83420-0 + cce@rhel8: 82875-6 + + references: diff --git a/SOURCES/scap-security-guide-0.1.50-add_missing_cces_for_cis_PR_5329.patch b/SOURCES/scap-security-guide-0.1.50-add_missing_cces_for_cis_PR_5329.patch new file mode 100644 index 0000000..d70eb17 --- /dev/null +++ b/SOURCES/scap-security-guide-0.1.50-add_missing_cces_for_cis_PR_5329.patch @@ -0,0 +1,123 @@ +From 7dc066ba15b4afa2eb5b55dfa468e6c506904b9c Mon Sep 17 00:00:00 2001 +From: Milan Lysonek +Date: Mon, 23 Mar 2020 13:17:41 +0100 +Subject: [PATCH 1/2] Add missing CCEs for rules from CIS profile in RHEL7. + +--- + .../system/accounts/accounts-banners/banner_etc_motd/rule.yml | 3 +++ + .../network-uncommon/kernel_module_tipc_disabled/rule.yml | 1 + + 3 files changed, 4 insertions(+), 2 deletions(-) + +diff --git a/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/rule.yml b/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/rule.yml +index bcd5593d6b..4345173e72 100644 +--- a/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/rule.yml ++++ b/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/rule.yml +@@ -48,6 +48,9 @@ rationale: |- + + severity: medium + ++identifiers: ++ cce@rhel7: 83394-7 ++ + ocil_clause: 'it does not display the required banner' + + ocil: |- +diff --git a/linux_os/guide/system/network/network-uncommon/kernel_module_tipc_disabled/rule.yml b/linux_os/guide/system/network/network-uncommon/kernel_module_tipc_disabled/rule.yml +index ec4ee3d5a1..71aa0dcd2d 100644 +--- a/linux_os/guide/system/network/network-uncommon/kernel_module_tipc_disabled/rule.yml ++++ b/linux_os/guide/system/network/network-uncommon/kernel_module_tipc_disabled/rule.yml +@@ -23,6 +23,7 @@ severity: medium + + identifiers: + cce@rhel6: 26696-5 ++ cce@rhel7: 83395-4 + cce@rhel8: 82297-3 + cce@ocp4: 82520-8 + + +From d757e03b3af18b416a3f11e43b0a721f0c5bc134 Mon Sep 17 00:00:00 2001 +From: Milan Lysonek +Date: Mon, 23 Mar 2020 13:24:57 +0100 +Subject: [PATCH 2/2] Add missing CCEs for rules from CIS profile in RHEL8. + +--- + .../ssh/ssh_server/sshd_set_max_auth_tries/rule.yml | 1 + + .../accounts/accounts-banners/banner_etc_motd/rule.yml | 1 + + .../wireless_software/wireless_disable_interfaces/rule.yml | 1 + + .../files/file_permissions_ungroupowned/rule.yml | 1 + + .../permissions/files/no_files_unowned_by_user/rule.yml | 1 + + .../mounting/kernel_module_squashfs_disabled/rule.yml | 1 + + 7 files changed, 6 insertions(+), 6 deletions(-) + +diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/rule.yml +index 1661b78773..7b5750ee0d 100644 +--- a/linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/rule.yml ++++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/rule.yml +@@ -16,6 +16,7 @@ severity: medium + + identifiers: + cce@rhel7: 82354-2 ++ cce@rhel8: 83500-9 + + references: + cis@debian8: 9.3.5 +diff --git a/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/rule.yml b/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/rule.yml +index 4345173e72..8e872c0944 100644 +--- a/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/rule.yml ++++ b/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/rule.yml +@@ -50,6 +50,7 @@ severity: medium + + identifiers: + cce@rhel7: 83394-7 ++ cce@rhel8: 83496-0 + + ocil_clause: 'it does not display the required banner' + +diff --git a/linux_os/guide/system/network/network-wireless/wireless_software/wireless_disable_interfaces/rule.yml b/linux_os/guide/system/network/network-wireless/wireless_software/wireless_disable_interfaces/rule.yml +index 3b16dbf456..76d94fe8f1 100644 +--- a/linux_os/guide/system/network/network-wireless/wireless_software/wireless_disable_interfaces/rule.yml ++++ b/linux_os/guide/system/network/network-wireless/wireless_software/wireless_disable_interfaces/rule.yml +@@ -26,6 +26,7 @@ severity: medium + identifiers: + cce@rhel6: 27057-9 + cce@rhel7: 27358-1 ++ cce@rhel8: 83501-7 + cce@ocp4: 82660-2 + + references: +diff --git a/linux_os/guide/system/permissions/files/file_permissions_ungroupowned/rule.yml b/linux_os/guide/system/permissions/files/file_permissions_ungroupowned/rule.yml +index 2fe8c27da3..6ee1e123cb 100644 +--- a/linux_os/guide/system/permissions/files/file_permissions_ungroupowned/rule.yml ++++ b/linux_os/guide/system/permissions/files/file_permissions_ungroupowned/rule.yml +@@ -24,6 +24,7 @@ severity: medium + identifiers: + cce@rhel6: 26872-2 + cce@rhel7: 80135-7 ++ cce@rhel8: 83497-8 + + references: + disa@rhel6: '224' +diff --git a/linux_os/guide/system/permissions/files/no_files_unowned_by_user/rule.yml b/linux_os/guide/system/permissions/files/no_files_unowned_by_user/rule.yml +index a8bf12ff81..70515fd9a6 100644 +--- a/linux_os/guide/system/permissions/files/no_files_unowned_by_user/rule.yml ++++ b/linux_os/guide/system/permissions/files/no_files_unowned_by_user/rule.yml +@@ -24,6 +24,7 @@ severity: medium + identifiers: + cce@rhel6: 27032-2 + cce@rhel7: 80134-0 ++ cce@rhel8: 83499-4 + + references: + disa@rhel6: '224' +diff --git a/linux_os/guide/system/permissions/mounting/kernel_module_squashfs_disabled/rule.yml b/linux_os/guide/system/permissions/mounting/kernel_module_squashfs_disabled/rule.yml +index 5eae44757d..94898a2a4f 100644 +--- a/linux_os/guide/system/permissions/mounting/kernel_module_squashfs_disabled/rule.yml ++++ b/linux_os/guide/system/permissions/mounting/kernel_module_squashfs_disabled/rule.yml +@@ -22,6 +22,7 @@ severity: low + identifiers: + cce@rhel6: 26404-4 + cce@rhel7: 80142-3 ++ cce@rhel8: 83498-6 + cce@ocp4: 82717-0 + + references: diff --git a/SOURCES/scap-security-guide-0.1.50-add_missing_cces_kernel_modules_PR_5236.patch b/SOURCES/scap-security-guide-0.1.50-add_missing_cces_kernel_modules_PR_5236.patch new file mode 100644 index 0000000..e51c8ad --- /dev/null +++ b/SOURCES/scap-security-guide-0.1.50-add_missing_cces_kernel_modules_PR_5236.patch @@ -0,0 +1,48 @@ +diff --git a/linux_os/guide/system/network/network-ipv6/disabling_ipv6/kernel_module_ipv6_option_disabled/rule.yml b/linux_os/guide/system/network/network-ipv6/disabling_ipv6/kernel_module_ipv6_option_disabled/rule.yml +index 6e01799d88..cf3b2ca4b7 100644 +--- a/linux_os/guide/system/network/network-ipv6/disabling_ipv6/kernel_module_ipv6_option_disabled/rule.yml ++++ b/linux_os/guide/system/network/network-ipv6/disabling_ipv6/kernel_module_ipv6_option_disabled/rule.yml +@@ -19,9 +19,12 @@ severity: medium + + identifiers: + cce@rhel6: 27153-6 ++ cce@rhel7: 82871-5 ++ cce@rhel8: 82872-3 + + references: + disa@rhel6: "1551" ++ cis@rhel8: "3.6" + nist: CM-7(a),CM-7(b),CM-6(a) + nist-csf: PR.IP-1,PR.PT-3 + srg@rhel6: SRG-OS-999999 +diff --git a/linux_os/guide/system/network/network-uncommon/kernel_module_rds_disabled/rule.yml b/linux_os/guide/system/network/network-uncommon/kernel_module_rds_disabled/rule.yml +index f19e548863..54cfc9fa41 100644 +--- a/linux_os/guide/system/network/network-uncommon/kernel_module_rds_disabled/rule.yml ++++ b/linux_os/guide/system/network/network-uncommon/kernel_module_rds_disabled/rule.yml +@@ -4,7 +4,7 @@ title: 'Disable RDS Support' + + description: |- + The Reliable Datagram Sockets (RDS) protocol is a transport +- layer protocol designed to provide reliable high- bandwidth, ++ layer protocol designed to provide reliable high-bandwidth, + low-latency communications between nodes in a cluster. + {{{ describe_module_disable(module="rds") }}} + +@@ -12,13 +12,16 @@ rationale: |- + Disabling RDS protects + the system against exploitation of any flaws in its implementation. + +-severity: unknown ++severity: low + + identifiers: + cce@rhel6: 26239-4 ++ cce@rhel7: 82869-9 ++ cce@rhel8: 82870-7 + + references: + disa@rhel6: "382" ++ cis@rhel8: 3.3.3 + nist: CM-7(a),CM-7(b),CM-6(a) + nist-csf: PR.IP-1,PR.PT-3 + srg@rhel6: SRG-OS-000096 diff --git a/SOURCES/scap-security-guide-0.1.50-add_ntp_and_chrony_cpes_PR_5299.patch b/SOURCES/scap-security-guide-0.1.50-add_ntp_and_chrony_cpes_PR_5299.patch new file mode 100644 index 0000000..dad2a32 --- /dev/null +++ b/SOURCES/scap-security-guide-0.1.50-add_ntp_and_chrony_cpes_PR_5299.patch @@ -0,0 +1,612 @@ +From cf35976d0c455158fd6a49b8a82c13e383d85565 Mon Sep 17 00:00:00 2001 +From: Vojtech Polasek +Date: Tue, 17 Mar 2020 13:19:47 +0100 +Subject: [PATCH] add ntp and chrony cpes + +--- + debian10/cpe/debian10-cpe-dictionary.xml | 10 ++++++++++ + debian8/cpe/debian8-cpe-dictionary.xml | 10 ++++++++++ + debian9/cpe/debian9-cpe-dictionary.xml | 10 ++++++++++ + fedora/cpe/fedora-cpe-dictionary.xml | 10 ++++++++++ + ocp4/cpe/ocp4-cpe-dictionary.xml | 5 +++++ + ol7/cpe/ol7-cpe-dictionary.xml | 10 ++++++++++ + ol8/cpe/ol8-cpe-dictionary.xml | 5 +++++ + opensuse/cpe/opensuse-cpe-dictionary.xml | 10 ++++++++++ + rhel6/cpe/rhel6-cpe-dictionary.xml | 10 ++++++++++ + rhel7/cpe/rhel7-cpe-dictionary.xml | 10 ++++++++++ + rhel8/cpe/rhel8-cpe-dictionary.xml | 5 +++++ + rhv4/cpe/rhv4-cpe-dictionary.xml | 5 +++++ + .../oval/installed_env_has_chrony_package.xml | 20 +++++++++++++++++++ + .../oval/installed_env_has_ntp_package.xml | 20 +++++++++++++++++++ + sle11/cpe/sle11-cpe-dictionary.xml | 10 ++++++++++ + sle12/cpe/sle12-cpe-dictionary.xml | 10 ++++++++++ + ssg/constants.py | 2 ++ + ubuntu1404/cpe/ubuntu1404-cpe-dictionary.xml | 10 ++++++++++ + ubuntu1604/cpe/ubuntu1604-cpe-dictionary.xml | 10 ++++++++++ + ubuntu1804/cpe/ubuntu1804-cpe-dictionary.xml | 10 ++++++++++ + .../cpe/wrlinux1019-cpe-dictionary.xml | 16 ++++++++++++--- + wrlinux8/cpe/wrlinux8-cpe-dictionary.xml | 16 ++++++++++++--- + 22 files changed, 218 insertions(+), 6 deletions(-) + create mode 100644 shared/checks/oval/installed_env_has_chrony_package.xml + create mode 100644 shared/checks/oval/installed_env_has_ntp_package.xml + +diff --git a/debian10/cpe/debian10-cpe-dictionary.xml b/debian10/cpe/debian10-cpe-dictionary.xml +index 50b1cf598f..5cc27ceb79 100644 +--- a/debian10/cpe/debian10-cpe-dictionary.xml ++++ b/debian10/cpe/debian10-cpe-dictionary.xml +@@ -17,6 +17,11 @@ + + installed_env_is_a_machine + ++ ++ Package chrony is installed ++ ++ installed_env_has_chrony_package ++ + + Package gdm is installed + +@@ -32,6 +37,11 @@ + + installed_env_has_nss-pam-ldapd_package + ++ ++ Package ntp is installed ++ ++ installed_env_has_ntp_package ++ + + Package pam is installed + +diff --git a/debian8/cpe/debian8-cpe-dictionary.xml b/debian8/cpe/debian8-cpe-dictionary.xml +index c5832137be..38d490138a 100644 +--- a/debian8/cpe/debian8-cpe-dictionary.xml ++++ b/debian8/cpe/debian8-cpe-dictionary.xml +@@ -17,6 +17,11 @@ + + installed_env_is_a_machine + ++ ++ Package chrony is installed ++ ++ installed_env_has_chrony_package ++ + + Package gdm is installed + +@@ -32,6 +37,11 @@ + + installed_env_has_nss-pam-ldapd_package + ++ ++ Package ntp is installed ++ ++ installed_env_has_ntp_package ++ + + Package pam is installed + +diff --git a/debian9/cpe/debian9-cpe-dictionary.xml b/debian9/cpe/debian9-cpe-dictionary.xml +index 471823055b..f01770b044 100644 +--- a/debian9/cpe/debian9-cpe-dictionary.xml ++++ b/debian9/cpe/debian9-cpe-dictionary.xml +@@ -17,6 +17,11 @@ + + installed_env_is_a_machine + ++ ++ Package chrony is installed ++ ++ installed_env_has_chrony_package ++ + + Package gdm is installed + +@@ -32,6 +37,11 @@ + + installed_env_has_nss-pam-ldapd_package + ++ ++ Package ntp is installed ++ ++ installed_env_has_ntp_package ++ + + Package pam is installed + +diff --git a/fedora/cpe/fedora-cpe-dictionary.xml b/fedora/cpe/fedora-cpe-dictionary.xml +index fdf1aa72be..2964e320c2 100644 +--- a/fedora/cpe/fedora-cpe-dictionary.xml ++++ b/fedora/cpe/fedora-cpe-dictionary.xml +@@ -52,6 +52,11 @@ + + installed_env_is_a_machine + ++ ++ Package chrony is installed ++ ++ installed_env_has_chrony_package ++ + + Package gdm is installed + +@@ -67,6 +72,11 @@ + + installed_env_has_nss-pam-ldapd_package + ++ ++ Package ntp is installed ++ ++ installed_env_has_ntp_package ++ + + Package pam is installed + +diff --git a/ocp4/cpe/ocp4-cpe-dictionary.xml b/ocp4/cpe/ocp4-cpe-dictionary.xml +index 97e2801453..81047b6f45 100644 +--- a/ocp4/cpe/ocp4-cpe-dictionary.xml ++++ b/ocp4/cpe/ocp4-cpe-dictionary.xml +@@ -12,6 +12,11 @@ + + installed_env_is_a_machine + ++ ++ Package chrony is installed ++ ++ installed_env_has_chrony_package ++ + + Package gdm is installed + +diff --git a/ol7/cpe/ol7-cpe-dictionary.xml b/ol7/cpe/ol7-cpe-dictionary.xml +index 2b8363ea67..c153272121 100644 +--- a/ol7/cpe/ol7-cpe-dictionary.xml ++++ b/ol7/cpe/ol7-cpe-dictionary.xml +@@ -17,6 +17,11 @@ + + installed_env_is_a_machine + ++ ++ Package chrony is installed ++ ++ installed_env_has_chrony_package ++ + + Package gdm is installed + +@@ -32,6 +37,11 @@ + + installed_env_has_nss-pam-ldapd_package + ++ ++ Package ntp is installed ++ ++ installed_env_has_ntp_package ++ + + Package pam is installed + +diff --git a/ol8/cpe/ol8-cpe-dictionary.xml b/ol8/cpe/ol8-cpe-dictionary.xml +index d3d642c9fd..3fd74e53ca 100644 +--- a/ol8/cpe/ol8-cpe-dictionary.xml ++++ b/ol8/cpe/ol8-cpe-dictionary.xml +@@ -17,6 +17,11 @@ + + installed_env_is_a_machine + ++ ++ Package chrony is installed ++ ++ installed_env_has_chrony_package ++ + + Package gdm is installed + +diff --git a/opensuse/cpe/opensuse-cpe-dictionary.xml b/opensuse/cpe/opensuse-cpe-dictionary.xml +index 659045ac65..1ab4e85ea8 100644 +--- a/opensuse/cpe/opensuse-cpe-dictionary.xml ++++ b/opensuse/cpe/opensuse-cpe-dictionary.xml +@@ -32,6 +32,11 @@ + + installed_env_is_a_machine + ++ ++ Package chrony is installed ++ ++ installed_env_has_chrony_package ++ + + Package gdm is installed + +@@ -47,6 +52,11 @@ + + installed_env_has_nss-pam-ldapd_package + ++ ++ Package ntp is installed ++ ++ installed_env_has_ntp_package ++ + + Package pam is installed + +diff --git a/rhel6/cpe/rhel6-cpe-dictionary.xml b/rhel6/cpe/rhel6-cpe-dictionary.xml +index 39f844e2ab..2c8a82ebc5 100644 +--- a/rhel6/cpe/rhel6-cpe-dictionary.xml ++++ b/rhel6/cpe/rhel6-cpe-dictionary.xml +@@ -37,6 +37,11 @@ + + installed_env_is_a_machine + ++ ++ Package chrony is installed ++ ++ installed_env_has_chrony_package ++ + + Package gdm is installed + +@@ -52,6 +57,11 @@ + + installed_env_has_nss-pam-ldapd_package + ++ ++ Package ntp is installed ++ ++ installed_env_has_ntp_package ++ + + Package pam is installed + +diff --git a/rhel7/cpe/rhel7-cpe-dictionary.xml b/rhel7/cpe/rhel7-cpe-dictionary.xml +index a34b30c62f..a5214e36f0 100644 +--- a/rhel7/cpe/rhel7-cpe-dictionary.xml ++++ b/rhel7/cpe/rhel7-cpe-dictionary.xml +@@ -47,6 +47,11 @@ + + installed_env_is_a_machine + ++ ++ Package chrony is installed ++ ++ installed_env_has_chrony_package ++ + + Package gdm is installed + +@@ -62,6 +67,11 @@ + + installed_env_has_nss-pam-ldapd_package + ++ ++ Package ntp is installed ++ ++ installed_env_has_ntp_package ++ + + Package pam is installed + +diff --git a/rhel8/cpe/rhel8-cpe-dictionary.xml b/rhel8/cpe/rhel8-cpe-dictionary.xml +index c6594e169c..694cbb5a4e 100644 +--- a/rhel8/cpe/rhel8-cpe-dictionary.xml ++++ b/rhel8/cpe/rhel8-cpe-dictionary.xml +@@ -22,6 +22,11 @@ + + installed_env_is_a_machine + ++ ++ Package chrony is installed ++ ++ installed_env_has_chrony_package ++ + + Package gdm is installed + +diff --git a/rhv4/cpe/rhv4-cpe-dictionary.xml b/rhv4/cpe/rhv4-cpe-dictionary.xml +index c53ae56254..56ea1abf8c 100644 +--- a/rhv4/cpe/rhv4-cpe-dictionary.xml ++++ b/rhv4/cpe/rhv4-cpe-dictionary.xml +@@ -22,6 +22,11 @@ + + installed_env_is_a_machine + ++ ++ Package chrony is installed ++ ++ installed_env_has_chrony_package ++ + + Package gdm is installed + +diff --git a/shared/checks/oval/installed_env_has_chrony_package.xml b/shared/checks/oval/installed_env_has_chrony_package.xml +new file mode 100644 +index 0000000000..b3a835c02e +--- /dev/null ++++ b/shared/checks/oval/installed_env_has_chrony_package.xml +@@ -0,0 +1,20 @@ ++ ++ ++ ++ ++ Package chrony is installed ++ ++ multi_platform_all ++ ++ Checks if package chrony is installed. ++ ++ ++ ++ ++ ++ ++ ++ {{{ oval_test_package_installed(package='chrony', evr='', test_id='test_env_has_chrony_installed') }}} ++ ++ +diff --git a/shared/checks/oval/installed_env_has_ntp_package.xml b/shared/checks/oval/installed_env_has_ntp_package.xml +new file mode 100644 +index 0000000000..6babd17a0f +--- /dev/null ++++ b/shared/checks/oval/installed_env_has_ntp_package.xml +@@ -0,0 +1,20 @@ ++ ++ ++ ++ ++ Package ntp is installed ++ ++ multi_platform_all ++ ++ Checks if package ntp is installed. ++ ++ ++ ++ ++ ++ ++ ++ {{{ oval_test_package_installed(package='ntp', evr='', test_id='test_env_has_ntp_installed') }}} ++ ++ +diff --git a/sle11/cpe/sle11-cpe-dictionary.xml b/sle11/cpe/sle11-cpe-dictionary.xml +index f4af2c6330..c732ecb48a 100644 +--- a/sle11/cpe/sle11-cpe-dictionary.xml ++++ b/sle11/cpe/sle11-cpe-dictionary.xml +@@ -22,6 +22,11 @@ + + installed_env_is_a_machine + ++ ++ Package chrony is installed ++ ++ installed_env_has_chrony_package ++ + + Package gdm is installed + +@@ -37,6 +42,11 @@ + + installed_env_has_nss-pam-ldapd_package + ++ ++ Package ntp is installed ++ ++ installed_env_has_ntp_package ++ + + Package pam is installed + +diff --git a/sle12/cpe/sle12-cpe-dictionary.xml b/sle12/cpe/sle12-cpe-dictionary.xml +index ae70f01bce..79daa31412 100644 +--- a/sle12/cpe/sle12-cpe-dictionary.xml ++++ b/sle12/cpe/sle12-cpe-dictionary.xml +@@ -22,6 +22,11 @@ + + installed_env_is_a_machine + ++ ++ Package chrony is installed ++ ++ installed_env_has_chrony_package ++ + + Package gdm is installed + +@@ -37,6 +42,11 @@ + + installed_env_has_nss-pam-ldapd_package + ++ ++ Package ntp is installed ++ ++ installed_env_has_ntp_package ++ + + Package pam is installed + +diff --git a/ssg/constants.py b/ssg/constants.py +index 813e529b50..08af04138e 100644 +--- a/ssg/constants.py ++++ b/ssg/constants.py +@@ -439,9 +439,11 @@ + XCCDF_PLATFORM_TO_CPE = { + "machine": "cpe:/a:machine", + "container": "cpe:/a:container", ++ "chrony": "cpe:/a:chrony", + "gdm": "cpe:/a:gdm", + "libuser": "cpe:/a:libuser", + "nss-pam-ldapd": "cpe:/a:nss-pam-ldapd", ++ "ntp": "cpe:/a:ntp", + "pam": "cpe:/a:pam", + "login_defs": "cpe:/a:login_defs", + "sssd": "cpe:/a:sssd", +diff --git a/ubuntu1404/cpe/ubuntu1404-cpe-dictionary.xml b/ubuntu1404/cpe/ubuntu1404-cpe-dictionary.xml +index 60a2a68823..df5abff723 100644 +--- a/ubuntu1404/cpe/ubuntu1404-cpe-dictionary.xml ++++ b/ubuntu1404/cpe/ubuntu1404-cpe-dictionary.xml +@@ -17,6 +17,11 @@ + + installed_env_is_a_machine + ++ ++ Package chrony is installed ++ ++ installed_env_has_chrony_package ++ + + Package gdm is installed + +@@ -32,6 +37,11 @@ + + installed_env_has_nss-pam-ldapd_package + ++ ++ Package ntp is installed ++ ++ installed_env_has_ntp_package ++ + + Package pam is installed + +diff --git a/ubuntu1604/cpe/ubuntu1604-cpe-dictionary.xml b/ubuntu1604/cpe/ubuntu1604-cpe-dictionary.xml +index b53643d1c5..6269344376 100644 +--- a/ubuntu1604/cpe/ubuntu1604-cpe-dictionary.xml ++++ b/ubuntu1604/cpe/ubuntu1604-cpe-dictionary.xml +@@ -17,6 +17,11 @@ + + installed_env_is_a_machine + ++ ++ Package chrony is installed ++ ++ installed_env_has_chrony_package ++ + + Package gdm is installed + +@@ -32,6 +37,11 @@ + + installed_env_has_nss-pam-ldapd_package + ++ ++ Package ntp is installed ++ ++ installed_env_has_ntp_package ++ + + Package pam is installed + +diff --git a/ubuntu1804/cpe/ubuntu1804-cpe-dictionary.xml b/ubuntu1804/cpe/ubuntu1804-cpe-dictionary.xml +index 46579d36ab..ccb285768e 100644 +--- a/ubuntu1804/cpe/ubuntu1804-cpe-dictionary.xml ++++ b/ubuntu1804/cpe/ubuntu1804-cpe-dictionary.xml +@@ -17,6 +17,11 @@ + + installed_env_is_a_machine + ++ ++ Package chrony is installed ++ ++ installed_env_has_chrony_package ++ + + Package gdm is installed + +@@ -32,6 +37,11 @@ + + installed_env_has_nss-pam-ldapd_package + ++ ++ Package ntp is installed ++ ++ installed_env_has_ntp_package ++ + + Package pam is installed + +diff --git a/wrlinux1019/cpe/wrlinux1019-cpe-dictionary.xml b/wrlinux1019/cpe/wrlinux1019-cpe-dictionary.xml +index 0c708dc1d0..73e419c9ab 100644 +--- a/wrlinux1019/cpe/wrlinux1019-cpe-dictionary.xml ++++ b/wrlinux1019/cpe/wrlinux1019-cpe-dictionary.xml +@@ -2,10 +2,10 @@ + +- +- Wind River Linux 1019 ++ ++ Wind River Linux 1019 + installed_OS_is_wrlinux1019 +- ++ + + Container + +@@ -16,6 +16,11 @@ + + installed_env_is_a_machine + ++ ++ Package chrony is installed ++ ++ installed_env_has_chrony_package ++ + + Package gdm is installed + +@@ -31,6 +36,11 @@ + + installed_env_has_nss-pam-ldapd_package + ++ ++ Package ntp is installed ++ ++ installed_env_has_ntp_package ++ + + Package pam is installed + +diff --git a/wrlinux8/cpe/wrlinux8-cpe-dictionary.xml b/wrlinux8/cpe/wrlinux8-cpe-dictionary.xml +index 1421e79ac0..8449ea1416 100644 +--- a/wrlinux8/cpe/wrlinux8-cpe-dictionary.xml ++++ b/wrlinux8/cpe/wrlinux8-cpe-dictionary.xml +@@ -2,10 +2,10 @@ + +- +- Wind River Linux 8 ++ ++ Wind River Linux 8 + installed_OS_is_wrlinux8 +- ++ + + Container + +@@ -16,6 +16,11 @@ + + installed_env_is_a_machine + ++ ++ Package chrony is installed ++ ++ installed_env_has_chrony_package ++ + + Package gdm is installed + +@@ -31,6 +36,11 @@ + + installed_env_has_nss-pam-ldapd_package + ++ ++ Package ntp is installed ++ ++ installed_env_has_ntp_package ++ + + Package pam is installed + diff --git a/SOURCES/scap-security-guide-0.1.50-add_package_libselinux_installed_PR_5312.patch b/SOURCES/scap-security-guide-0.1.50-add_package_libselinux_installed_PR_5312.patch new file mode 100644 index 0000000..0166346 --- /dev/null +++ b/SOURCES/scap-security-guide-0.1.50-add_package_libselinux_installed_PR_5312.patch @@ -0,0 +1,79 @@ +From c10f34d8c3932784d69eb0d7b5cff640139ded52 Mon Sep 17 00:00:00 2001 +From: Vojtech Polasek +Date: Thu, 19 Mar 2020 09:55:24 +0100 +Subject: [PATCH 1/3] add new rule + +--- + .../package_libselinux_installed/rule.yml | 38 +++++++++++++++++++ + 2 files changed, 38 insertions(+), 2 deletions(-) + create mode 100644 linux_os/guide/system/selinux/package_libselinux_installed/rule.yml + +diff --git a/linux_os/guide/system/selinux/package_libselinux_installed/rule.yml b/linux_os/guide/system/selinux/package_libselinux_installed/rule.yml +new file mode 100644 +index 0000000000..a9970fb2c2 +--- /dev/null ++++ b/linux_os/guide/system/selinux/package_libselinux_installed/rule.yml +@@ -0,0 +1,38 @@ ++documentation_complete: true ++ ++prodtype: fedora,ol7,ol8,rhel7,rhel8,rhv4,ocp4 ++ ++title: 'Install libselinux Package' ++ ++description: |- ++ {{{ describe_package_install(package="libselinux") }}} ++ ++rationale: |- ++ Security-enhanced Linux is a feature of the Linux kernel and a number of utilities ++ with enhanced security functionality designed to add mandatory access controls to Linux. ++ The Security-enhanced Linux kernel contains new architectural components originally ++ developed to improve security of the Flask operating system. These architectural components ++ provide general support for the enforcement of many kinds of mandatory access control ++ policies, including those based on the concepts of Type Enforcement, Role-based Access ++ Control, and Multi-level Security. ++ ++ The libselinux package contains the core library of the Security-enhanced Linux system. ++ ++severity: high ++ ++identifiers: ++ cce@rhel7: 82876-4 ++ cce@rhel8: 82877-2 ++ ++references: ++ cis@rhel7: 1.6.2 ++ cis@rhel8: 1.7.1.1 ++ ++ocil_clause: 'the package is not installed' ++ ++ocil: '{{{ ocil_package(package="libselinux") }}}' ++ ++template: ++ name: package_installed ++ vars: ++ pkgname: libselinux +From 80e8674b374cd82510abcf923a18235bae3e5948 Mon Sep 17 00:00:00 2001 +From: Vojtech Polasek +Date: Thu, 19 Mar 2020 15:48:10 +0100 +Subject: [PATCH 3/3] change wording of rationale + +--- + .../system/selinux/package_libselinux_installed/rule.yml | 5 ----- + 1 file changed, 5 deletions(-) + +diff --git a/linux_os/guide/system/selinux/package_libselinux_installed/rule.yml b/linux_os/guide/system/selinux/package_libselinux_installed/rule.yml +index a9970fb2c2..2855c21c90 100644 +--- a/linux_os/guide/system/selinux/package_libselinux_installed/rule.yml ++++ b/linux_os/guide/system/selinux/package_libselinux_installed/rule.yml +@@ -10,11 +10,6 @@ description: |- + rationale: |- + Security-enhanced Linux is a feature of the Linux kernel and a number of utilities + with enhanced security functionality designed to add mandatory access controls to Linux. +- The Security-enhanced Linux kernel contains new architectural components originally +- developed to improve security of the Flask operating system. These architectural components +- provide general support for the enforcement of many kinds of mandatory access control +- policies, including those based on the concepts of Type Enforcement, Role-based Access +- Control, and Multi-level Security. + + The libselinux package contains the core library of the Security-enhanced Linux system. + diff --git a/SOURCES/scap-security-guide-0.1.50-add_package_openldap-clients_installed_PR_5316.patch b/SOURCES/scap-security-guide-0.1.50-add_package_openldap-clients_installed_PR_5316.patch new file mode 100644 index 0000000..16190e3 --- /dev/null +++ b/SOURCES/scap-security-guide-0.1.50-add_package_openldap-clients_installed_PR_5316.patch @@ -0,0 +1,98 @@ +From 9f7a12207d136211a5906df39490104ef02e3e0c Mon Sep 17 00:00:00 2001 +From: Vojtech Polasek +Date: Thu, 19 Mar 2020 15:35:47 +0100 +Subject: [PATCH 1/4] add rule + +--- + .../package_openldap-clients_removed/rule.yml | 32 +++++++++++++++++++ + 2 files changed, 32 insertions(+), 2 deletions(-) + create mode 100644 linux_os/guide/services/ldap/openldap_client/package_openldap-clients_removed/rule.yml + +diff --git a/linux_os/guide/services/ldap/openldap_client/package_openldap-clients_removed/rule.yml b/linux_os/guide/services/ldap/openldap_client/package_openldap-clients_removed/rule.yml +new file mode 100644 +index 0000000000..e8dfc04020 +--- /dev/null ++++ b/linux_os/guide/services/ldap/openldap_client/package_openldap-clients_removed/rule.yml +@@ -0,0 +1,32 @@ ++documentation_complete: true ++ ++title: 'Ensure LDAP client is not installed' ++ ++description: |- ++ The Lightweight Directory Access Protocol (LDAP) is a service that provideso ++ a method for looking up information from a central database. ++ {{{ describe_package_remove("openldap-clients") }}} ++ ++rationale: ++ If the system does not need to act as an LDAP client, it is recommended that the software is ++ removed to reduce the potential attack surface. ++ ++severity: low ++ ++identifiers: ++ cce@rhel7: 82884-8 ++ cce@rhel8: 82885-5 ++ ++references: ++ cis@rhel7: 2.3.5 ++ cis@rhel8: 2.3.3 ++ ++ocil_clause: 'the package is installed' ++ ++ocil: |- ++ {{{ ocil_package("openldap-clients") }}} ++ ++template: ++ name: package_removed ++ vars: ++ pkgname: openldap-clients +From b21593567c0c758710461bc7a3d59651503f84c9 Mon Sep 17 00:00:00 2001 +From: vojtapolasek +Date: Thu, 19 Mar 2020 16:40:55 +0100 +Subject: [PATCH 2/4] Update + linux_os/guide/services/ldap/openldap_client/package_openldap-clients_removed/rule.yml +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Co-Authored-By: Jan Černý +--- + .../openldap_client/package_openldap-clients_removed/rule.yml | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/linux_os/guide/services/ldap/openldap_client/package_openldap-clients_removed/rule.yml b/linux_os/guide/services/ldap/openldap_client/package_openldap-clients_removed/rule.yml +index e8dfc04020..1339137fb4 100644 +--- a/linux_os/guide/services/ldap/openldap_client/package_openldap-clients_removed/rule.yml ++++ b/linux_os/guide/services/ldap/openldap_client/package_openldap-clients_removed/rule.yml +@@ -3,7 +3,7 @@ documentation_complete: true + title: 'Ensure LDAP client is not installed' + + description: |- +- The Lightweight Directory Access Protocol (LDAP) is a service that provideso ++ The Lightweight Directory Access Protocol (LDAP) is a service that provides + a method for looking up information from a central database. + {{{ describe_package_remove("openldap-clients") }}} + + +From 82c734902f7f215286168f6aa3e3bfaff99fc336 Mon Sep 17 00:00:00 2001 +From: Vojtech Polasek +Date: Thu, 19 Mar 2020 16:58:02 +0100 +Subject: [PATCH 3/4] add missing prodtype + +--- + .../openldap_client/package_openldap-clients_removed/rule.yml | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/linux_os/guide/services/ldap/openldap_client/package_openldap-clients_removed/rule.yml b/linux_os/guide/services/ldap/openldap_client/package_openldap-clients_removed/rule.yml +index 1339137fb4..aee1aa315a 100644 +--- a/linux_os/guide/services/ldap/openldap_client/package_openldap-clients_removed/rule.yml ++++ b/linux_os/guide/services/ldap/openldap_client/package_openldap-clients_removed/rule.yml +@@ -1,5 +1,7 @@ + documentation_complete: true + ++prodtype: rhel7,ol7,rhel8,ol8,fedora,rhv4,ocp4 ++ + title: 'Ensure LDAP client is not installed' + + description: |- + diff --git a/SOURCES/scap-security-guide-0.1.50-add_rhel7_cis_kickstart_PR_5545.patch b/SOURCES/scap-security-guide-0.1.50-add_rhel7_cis_kickstart_PR_5545.patch new file mode 100644 index 0000000..fc86492 --- /dev/null +++ b/SOURCES/scap-security-guide-0.1.50-add_rhel7_cis_kickstart_PR_5545.patch @@ -0,0 +1,163 @@ +From 89f8c585e3eb05dddd95f601df13664335bc4b14 Mon Sep 17 00:00:00 2001 +From: Vojtech Polasek +Date: Mon, 30 Mar 2020 11:34:38 +0200 +Subject: [PATCH] add kickstarts for cis into rhel7 and rhel8 + +--- + rhel7/kickstart/ssg-rhel7-cis-ks.cfg | 147 +++++++++++++++++++++++++++ + 2 files changed, 293 insertions(+) + create mode 100644 rhel7/kickstart/ssg-rhel7-cis-ks.cfg + +diff --git a/rhel7/kickstart/ssg-rhel7-cis-ks.cfg b/rhel7/kickstart/ssg-rhel7-cis-ks.cfg +new file mode 100644 +index 0000000000..85c592de8a +--- /dev/null ++++ b/rhel7/kickstart/ssg-rhel7-cis-ks.cfg +@@ -0,0 +1,147 @@ ++# SCAP Security Guide CIS profile kickstart for Red Hat Enterprise Linux 7 Server ++# Version: 0.0.1 ++# Date: 2020-03-30 ++# ++# Based on: ++# http://fedoraproject.org/wiki/Anaconda/Kickstart ++# https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Installation_Guide/sect-kickstart-syntax.html ++ ++# Install a fresh new system (optional) ++install ++ ++# Specify installation method to use for installation ++# To use a different one comment out the 'url' one below, update ++# the selected choice with proper options & un-comment it ++# ++# Install from an installation tree on a remote server via FTP or HTTP: ++# --url the URL to install from ++# ++# Example: ++# ++# url --url=http://192.168.122.1/image ++# ++# Modify concrete URL in the above example appropriately to reflect the actual ++# environment machine is to be installed in ++# ++# Other possible / supported installation methods: ++# * install from the first CD-ROM/DVD drive on the system: ++# ++# cdrom ++# ++# * install from a directory of ISO images on a local drive: ++# ++# harddrive --partition=hdb2 --dir=/tmp/install-tree ++# ++# * install from provided NFS server: ++# ++# nfs --server= --dir= [--opts=] ++# ++ ++# Set language to use during installation and the default language to use on the installed system (required) ++lang en_US.UTF-8 ++ ++# Set system keyboard type / layout (required) ++keyboard us ++ ++# Configure network information for target system and activate network devices in the installer environment (optional) ++# --onboot enable device at a boot time ++# --device device to be activated and / or configured with the network command ++# --bootproto method to obtain networking configuration for device (default dhcp) ++# --noipv6 disable IPv6 on this device ++# ++# NOTE: Usage of DHCP will fail CCE-27021-5 (DISA FSO RHEL-06-000292). To use static IP configuration, ++# "--bootproto=static" must be used. For example: ++# network --bootproto=static --ip=10.0.2.15 --netmask=255.255.255.0 --gateway=10.0.2.254 --nameserver 192.168.2.1,192.168.3.1 ++# ++network --onboot yes --device eth0 --bootproto dhcp --noipv6 ++ ++# Set the system's root password (required) ++# Plaintext password is: server ++# Refer to e.g. http://fedoraproject.org/wiki/Anaconda/Kickstart#rootpw to see how to create ++# encrypted password form for different plaintext password ++rootpw --iscrypted $6$rhel6usgcb$aS6oPGXcPKp3OtFArSrhRwu6sN8q2.yEGY7AIwDOQd23YCtiz9c5mXbid1BzX9bmXTEZi.hCzTEXFosVBI5ng0 ++ ++# The selected profile will restrict root login ++# Add a user that can login and escalate privileges ++# Plaintext password is: admin123 ++user --name=admin --groups=wheel --password=$6$Ga6ZnIlytrWpuCzO$q0LqT1USHpahzUafQM9jyHCY9BiE5/ahXLNWUMiVQnFGblu0WWGZ1e6icTaCGO4GNgZNtspp1Let/qpM7FMVB0 --iscrypted ++ ++# Configure firewall settings for the system (optional) ++# --enabled reject incoming connections that are not in response to outbound requests ++# --ssh allow sshd service through the firewall ++firewall --enabled --ssh ++ ++# Set up the authentication options for the system (required) ++# --enableshadow enable shadowed passwords by default ++# --passalgo hash / crypt algorithm for new passwords ++# See the manual page for authconfig for a complete list of possible options. ++authconfig --enableshadow --passalgo=sha512 ++ ++# State of SELinux on the installed system (optional) ++# Defaults to enforcing ++selinux --enforcing ++ ++# Set the system time zone (required) ++timezone --utc America/New_York ++ ++# Specify how the bootloader should be installed (required) ++# Plaintext password is: password ++# Refer to e.g. http://fedoraproject.org/wiki/Anaconda/Kickstart#rootpw to see how to create ++# encrypted password form for different plaintext password ++bootloader --location=mbr --append="crashkernel=auto rhgb quiet" --password=$6$rhel6usgcb$kOzIfC4zLbuo3ECp1er99NRYikN419wxYMmons8Vm/37Qtg0T8aB9dKxHwqapz8wWAFuVkuI/UJqQBU92bA5C0 ++ ++# Initialize (format) all disks (optional) ++zerombr ++ ++# The following partition layout scheme assumes disk of size 20GB or larger ++# Modify size of partitions appropriately to reflect actual machine's hardware ++# ++# Remove Linux partitions from the system prior to creating new ones (optional) ++# --linux erase all Linux partitions ++# --initlabel initialize the disk label to the default based on the underlying architecture ++clearpart --linux --initlabel ++ ++# Create primary system partitions (required for installs) ++part /boot --fstype=xfs --size=512 ++part pv.01 --grow --size=1 ++ ++# Create a Logical Volume Management (LVM) group (optional) ++volgroup VolGroup --pesize=4096 pv.01 ++ ++# Create particular logical volumes (optional) ++logvol / --fstype=xfs --name=LogVol06 --vgname=VolGroup --size=11264 --grow ++# Ensure /home Located On Separate Partition ++logvol /home --fstype=xfs --name=LogVol02 --vgname=VolGroup --size=1024 --fsoptions="nodev" ++# Ensure /tmp Located On Separate Partition ++logvol /tmp --fstype=xfs --name=LogVol01 --vgname=VolGroup --size=1024 --fsoptions="nodev,noexec,nosuid" ++# Ensure /var/tmp Located On Separate Partition ++logvol /var/tmp --fstype=xfs --name=LogVol7 --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec" ++# Ensure /var Located On Separate Partition ++logvol /var --fstype=xfs --name=LogVol03 --vgname=VolGroup --size=2048 ++# Ensure /var/log Located On Separate Partition ++logvol /var/log --fstype=xfs --name=LogVol04 --vgname=VolGroup --size=1024 ++# Ensure /var/log/audit Located On Separate Partition ++logvol /var/log/audit --fstype=xfs --name=LogVol05 --vgname=VolGroup --size=512 ++logvol swap --name=lv_swap --vgname=VolGroup --size=2016 ++ ++ ++ ++# Harden installation with CIS profile ++# For more details and configuration options see command %addon org_fedora_oscap in ++# https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/installation_guide/sect-kickstart-syntax#sect-kickstart-commands ++%addon org_fedora_oscap ++ content-type = scap-security-guide ++ profile = xccdf_org.ssgproject.content_profile_cis ++%end ++ ++# Packages selection (%packages section is required) ++%packages ++ ++# Require @Base ++@Base ++ ++%end # End of %packages section ++ ++# Reboot after the installation is complete (optional) ++# --eject attempt to eject CD or DVD media before rebooting ++reboot --eject diff --git a/SOURCES/scap-security-guide-0.1.50-add_rhel7_cis_profile_PR_5306.patch b/SOURCES/scap-security-guide-0.1.50-add_rhel7_cis_profile_PR_5306.patch new file mode 100644 index 0000000..0851355 --- /dev/null +++ b/SOURCES/scap-security-guide-0.1.50-add_rhel7_cis_profile_PR_5306.patch @@ -0,0 +1,745 @@ +From 50474e08bd7326ad0331b2d97ddad9ab56fd7d6c Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Wed, 18 Mar 2020 12:30:16 +0100 +Subject: [PATCH] Add Initial CIS profile + +--- + rhel7/profiles/cis.profile | 729 +++++++++++++++++++++++++++++++++++++ + 1 file changed, 729 insertions(+) + create mode 100644 rhel7/profiles/cis.profile + +diff --git a/rhel7/profiles/cis.profile b/rhel7/profiles/cis.profile +new file mode 100644 +index 0000000000..486fcf9a33 +--- /dev/null ++++ b/rhel7/profiles/cis.profile +@@ -0,0 +1,729 @@ ++documentation_complete: true ++ ++title: 'CIS Red Hat Enterprise Linux 7 Benchmark' ++ ++description: |- ++ This baseline aligns to the Center for Internet Security ++ Red Hat Enterprise Linux 7 Benchmark, v2.2.0, released ++ 12-27-2017. ++ ++selections: ++ # Necessary for dconf rules ++ - dconf_db_up_to_date ++ ++ # 1 Initial Setup ++ ## 1.1 Filesystem Configuration ++ ### 1.1.1 Disable unused filesystems ++ #### 1.1.1.1 Ensure mounting of cramfs filesystems is disabled (Scored) ++ - kernel_module_cramfs_disabled ++ ++ #### 1.1.1.2 Ensure mounting of freevxfs filesystems is disabled (Scored) ++ - kernel_module_freevxfs_disabled ++ ++ #### 1.1.1.3 Ensure mounting of jffs2 filesystems is disabled (Scored) ++ - kernel_module_jffs2_disabled ++ ++ #### 1.1.1.4 Ensure mounting of hfs filesystems is disabled (Scored) ++ - kernel_module_hfs_disabled ++ ++ #### 1.1.1.5 Ensure mounting of hfsplus filesystems is disabled (Scored) ++ - kernel_module_hfsplus_disabled ++ ++ #### 1.1.1.6 Ensure mounting of squashfs filesystems is disabled (Scored) ++ - kernel_module_squashfs_disabled ++ ++ #### 1.1.1.7 Ensure mounting of udf filesystems is disabled (Scored) ++ - kernel_module_udf_disabled ++ ++ #### 1.1.1.8 Ensure mounting of FAT filesystems is disabled (Scored) ++ - kernel_module_vfat_disabled ++ ++ ### 1.1.2 Ensure separate partition exists for /tmp (Scored) ++ - partition_for_tmp ++ ++ ### 1.1.3 Ensure nodev option set on /tmp partition (Scored) ++ - mount_option_tmp_nodev ++ ++ ### 1.1.4 Ensure nosuid option set on /tmp partition (Scored) ++ - mount_option_tmp_nosuid ++ ++ ### 1.1.5 Ensure noexec option set on /tmp partition (Scored) ++ - mount_option_tmp_noexec ++ ++ ### 1.1.6 Ensure separate partition exists for /var (Scored) ++ - partition_for_var ++ ++ ### 1.1.7 Ensure separate partition exists for /var/tmp (Scored) ++ - partition_for_var_tmp ++ ++ ### 1.1.8 Ensure nodev option set on /var/tmp partition (Scored) ++ - mount_option_var_tmp_nodev ++ ++ ### 1.1.9 Ensure nosuid option set on /var/tmp partition (Scored) ++ - mount_option_var_tmp_nosuid ++ ++ ### 1.1.10 Ensure noexec option set on /var/tmp partition (Scored) ++ - mount_option_var_tmp_noexec ++ ++ ### 1.1.11 Ensure separate partition exists for /var/log (Scored) ++ - partition_for_var_log ++ ++ ### 1.1.12 Ensure separate partition exists for /var/log/audit (Scored) ++ - partition_for_var_log_audit ++ ++ ### 1.1.13 Ensure separate partition exists for /home (Scored) ++ - partition_for_home ++ ++ ### 1.1.14 Ensure nodev option set on /home partition (Scored) ++ - mount_option_home_nodev ++ ++ ### 1.1.15 Ensure nodev option set on /dev/shm partition (Scored) ++ - mount_option_dev_shm_nodev ++ ++ ### 1.1.16 Ensure nosuid option set on /dev/shm partition (Scored) ++ - mount_option_dev_shm_nosuid ++ ++ ### 1.1.17 Ensure noexec option set on /dev/shm partition (Scored) ++ - mount_option_dev_shm_noexec ++ ++ ### 1.1.18 Ensure nodev option set on removable media partitions (Not Scored) ++ - mount_option_nodev_removable_partitions ++ ++ ### 1.1.19 Ensure nosuid option set on removable media partitions (Not Scored) ++ - mount_option_nosuid_removable_partitions ++ ++ ### 1.1.20 Ensure noexec option set on removable media partitions (Not Scored) ++ - mount_option_noexec_removable_partitions ++ ++ ### 1.1.21 Ensure sticky bit is set on all world-writable directories (Scored) ++ - dir_perms_world_writable_sticky_bits ++ ++ ### 1.1.22 Disable Automounting (Scored) ++ - service_autofs_disabled ++ ++ ## 1.2 Configure Software Updates ++ ### 1.2.1 Ensure package manager repositories are configured (Not Scored) ++ ### 1.2.2 Ensure gpgcheck is globally activated (Scored) ++ - ensure_gpgcheck_globally_activated ++ ++ ### 1.2.3 Ensure GPG keys are configured (Not Scored) ++ - ensure_redhat_gpgkey_installed ++ ++ ### 1.2.4 Ensure Red Hat Subscription Manager connection is configured (Not Scored) ++ ++ ### 1.2.5 Disable the rhnsd Daemon (Not Scored) ++ - service_rhnsd_disabled ++ ++ ## 1.3 Filesystem Integrity Checking ++ ### 1.3.1 Ensure AIDE is installed (Scored) ++ - package_aide_installed ++ ++ ### 1.3.2 Ensure filesystem integrity is regularly checked (Scored) ++ - aide_periodic_cron_checking ++ ++ ## 1.4 Secure Boot Settings ++ ### 1.4.1 Ensure permissions on bootloader config are configured (Scored) ++ - file_owner_grub2_cfg ++ - file_groupowner_grub2_cfg ++ - file_permissions_grub2_cfg ++ ++ ### 1.4.2 Ensure bootloader password is set (Scored) ++ - grub2_password ++ ++ ### 1.4.3 Ensure authentication required for single user mode (Scored) ++ - require_singleuser_auth ++ ++ ## 1.5 Additional Process Hardening ++ ### 1.5.1 Ensure core dumps are restricted (Scored) ++ - disable_users_coredumps ++ - sysctl_fs_suid_dumpable ++ ++ ### 1.5.2 Ensure XD/NX support is enabled (Not Scored) ++ - sysctl_kernel_exec_shield ++ - bios_enable_execution_restrictions ++ - install_PAE_kernel_on_x86-32 ++ ++ ### 1.5.3 Ensure address space layout randomization (ASLR) is enabled (Scored) ++ - sysctl_kernel_randomize_va_space ++ ++ ### 1.5.4 Ensure prelink is disabled (Scored) ++ - disable_prelink ++ ++ ## 1.6 Mandatory Access Control ++ ### 1.6.1 Configure SELinux ++ #### 1.6.1.1 Ensure SELinux is not disabled in bootloader configuration (Scored) ++ - grub2_enable_selinux ++ ++ #### 1.6.1.2 Ensure the SELinux state is enforcing (Scored) ++ - var_selinux_state=enforcing ++ - selinux_state ++ ++ #### 1.6.1.3 Ensure SELinux policy is configured (Scored) ++ - var_selinux_policy_name=targeted ++ - selinux_policytype ++ ++ #### 1.6.1.4 Ensure SETroubleshoot is not installed (Scored) ++ - package_setroubleshoot_removed ++ ++ #### 1.6.1.5 Ensure the MCS Translation Service (mcstrans) is not installed (Scored) ++ - package_mcstrans_removed ++ ++ #### 1.6.1.6 Ensure no unconfined daemons exist (Scored) ++ - selinux_confinement_of_daemons ++ ++ ### 1.6.2 Ensure SELinux is installed (Scored) ++ ++ ## 1.7 Warning Banners ++ #### 1.7.1.1 Ensure message of the day is configured properly (Scored) ++ - banner_etc_motd ++ ++ #### 1.7.1.2 Ensure local login warning banner is configured properly (Not Scored) ++ - banner_etc_issue ++ # TODO define banner text ++ #- login_banner_text= ++ ++ #### 1.7.1.3 Ensure remote login warning banner is configured properly (Not Scored) ++ ++ #### 1.7.1.4 Ensure permissions on /etc/motd are configured (Not Scored) ++ #### 1.7.1.5 Ensure permissions on /etc/issue are configured (Scored) ++ #### 1.7.1.6 Ensure permissions on /etc/issue.net are configured (Not Scored) ++ ++ ### 1.7.2 Ensure GDM login banner is configured (Scored) ++ - dconf_gnome_login_banner_text ++ - dconf_gnome_banner_enabled ++ ++ ## 1.8 Ensure updates, patches, and additional security software are installed (Scored) ++ - security_patches_up_to_date ++ ++ # 2 Services ++ ++ ## 2.1 inetd Services ++ ++ ### 2.1.1 Ensure chargen services are not enabled (Scored) ++ ### 2.1.2 Ensure daytime services are not enabled (Scored) ++ ### 2.1.3 Ensure discard services are not enabled (Scored) ++ ### 2.1.4 Ensure echo services are not enabled (Scored) ++ ### 2.1.5 Ensure time services are not enabled (Scored) ++ ### 2.1.6 Ensure tftp server is not enabled (Scored) ++ ++ ### 2.1.7 Ensure xinetd is not enabled (Scored) ++ - service_xinetd_disabled ++ ++ ## 2.2 Special Purpose Services ++ #### 2.2.1.1 Ensure time synchronization is in use (Not Scored) ++ - service_chronyd_or_ntpd_enabled ++ ++ #### 2.2.1.2 Ensure ntp is configured (Scored) ++ # restrict is not checkec by rules below ++ - chronyd_or_ntpd_specify_remote_server ++ ++ #### 2.2.1.3 Ensure chrony is configured (Scored) ++ ++ ### 2.2.2 Ensure X Window System is not installed (Scored) ++ - package_xorg-x11-server-common_removed ++ ++ ### 2.2.3 Ensure Avahi Server is not enabled (Scored) ++ - service_avahi-daemon_disabled ++ ++ ### 2.2.4 Ensure CUPS is not enabled (Scored) ++ - service_cups_disabled ++ ++ ### 2.2.5 Ensure DHCP Server is not enabled (Scored) ++ - service_dhcpd_disabled ++ ++ ### 2.2.6 Ensure LDAP server is not enabled (Scored) ++ - package_openldap-servers_removed ++ ++ ### 2.2.7 Ensure NFS and RPC are not enabled (Scored) ++ - service_nfs_disabled ++ - service_rpcbind_disabled ++ ++ ### 2.2.8 Ensure DNS Server is not enabled (Scored) ++ - service_named_disabled ++ ++ ### 2.2.9 Ensure FTP Server is not enabled (Scored) ++ - service_vsftpd_disabled ++ ++ ### 2.2.10 Ensure HTTP server is not enabled (Scored) ++ - service_httpd_disabled ++ ++ ### 2.2.11 Ensure IMAP and POP3 server is not enabled (Scored) ++ - service_dovecot_disabled ++ ++ ### 2.2.12 Ensure Samba is not enabled (Scored) ++ - service_smb_disabled ++ ++ ### 2.2.13 Ensure HTTP Proxy Server is not enabled (Scored) ++ - service_squid_disabled ++ ++ ### 2.2.14 Ensure SNMP Server is not enabled (Scored) ++ - service_snmpd_disabled ++ ++ ### 2.2.15 Ensure mail transfer agent is configured for local-only mode (Scored) ++ - postfix_network_listening_disabled ++ ++ ### 2.2.16 Ensure NIS Server is not enabled (Scored) ++ - package_ypserv_removed ++ ++ ### 2.2.17 Ensure rsh server is not enabled (Scored) ++ - service_rsh_disabled ++ - service_rlogin_disabled ++ - service_rexec_disabled ++ ++ ### 2.2.18 Ensure talk server is not enabled (Scored) ++ - package_talk-server_removed ++ ++ ### 2.2.19 Ensure telnet server is not enabled (Scored) ++ - service_telnet_disabled ++ ++ ### 2.2.20 Ensure tftp server is not enabled (Scored) ++ - service_tftp_disabled ++ ++ ### 2.2.21 Ensure rsync service is not enabled (Scored) ++ ++ ## 2.3 Service Clients ++ ### 2.3.1 Ensure NIS Client is not installed (Scored) ++ - package_ypbind_removed ++ ++ ### 2.3.2 Ensure rsh client is not installed (Scored) ++ - package_rsh_removed ++ ++ ### 2.3.3 Ensure talk client is not installed (Scored) ++ - package_talk_removed ++ ++ ### 2.3.4 Ensure telnet client is not installed (Scored) ++ - package_telnet_removed ++ ++ ### 2.3.5 Ensure LDAP client is not installed (Scored) ++ ++ # 3 Network Configuration ++ ## 3.1 Network Parameters (Host Only) ++ ### 3.1.1 Ensure IP forwarding is disabled (Scored) ++ - sysctl_net_ipv4_ip_forward ++ ++ ### 3.1.2 Ensure packet redirect sending is disabled (Scored) ++ - sysctl_net_ipv4_conf_all_send_redirects ++ - sysctl_net_ipv4_conf_default_send_redirects ++ ++ ## 3.2 Network Parameters (Host and Router) ++ ### 3.2.1 Ensure source routed packets are not accepted (Scored) ++ - sysctl_net_ipv4_conf_all_accept_source_route ++ - sysctl_net_ipv4_conf_default_accept_source_route ++ ++ ### 3.2.2 Ensure ICMP redirects are not accepted (Scored) ++ - sysctl_net_ipv4_conf_all_accept_redirects ++ - sysctl_net_ipv4_conf_default_accept_redirects ++ ++ ### 3.2.3 Ensure secure ICMP redirects are not accepted (Scored) ++ - sysctl_net_ipv4_conf_all_secure_redirects ++ - sysctl_net_ipv4_conf_default_secure_redirects ++ ++ ### 3.2.4 Ensure suspicious packets are logged (Scored) ++ - sysctl_net_ipv4_conf_all_log_martians ++ - sysctl_net_ipv4_conf_default_log_martians ++ ++ ### 3.2.5 Ensure broadcast ICMP requests are ignored (Scored) ++ - sysctl_net_ipv4_icmp_echo_ignore_broadcasts ++ ++ ### 3.2.6 Ensure bogus ICMP responses are ignored (Scored) ++ - sysctl_net_ipv4_icmp_ignore_bogus_error_responses ++ ++ ### 3.2.7 Ensure Reverse Path Filtering is enabled (Scored) ++ - sysctl_net_ipv4_conf_all_rp_filter ++ - sysctl_net_ipv4_conf_default_rp_filter ++ ++ ### 3.2.8 Ensure TCP SYN Cookies is enabled (Scored) ++ - sysctl_net_ipv4_tcp_syncookies ++ ++ ## 3.3 IPv6 ++ ### 3.3.1 Ensure IPv6 router advertisements are not accepted (Not Scored) ++ - sysctl_net_ipv6_conf_all_accept_ra ++ - sysctl_net_ipv6_conf_default_accept_ra ++ ++ ### 3.3.2 Ensure IPv6 redirects are not accepted (Not Scored) ++ - sysctl_net_ipv6_conf_all_accept_redirects ++ - sysctl_net_ipv6_conf_default_accept_redirects ++ ++ ### 3.3.3 Ensure IPv6 is disabled (Not Scored) ++ ++ ## 3.4 TCP Wrappers ++ ### 3.4.1 Ensure TCP Wrappers is installed (Scored) ++ - package_tcp_wrappers_installed ++ ++ ### 3.4.2 Ensure /etc/hosts.allow is configured (Scored) ++ ### 3.4.3 Ensure /etc/hosts.deny is configured (Scored) ++ ### 3.4.4 Ensure permissions on /etc/hosts.allow are configured (Scored) ++ ### 3.4.5 Ensure permissions on /etc/hosts.deny are configured (Scored) ++ ++ ## 3.5 Uncommon Network Protocols ++ ### 3.5.1 Ensure DCCP is disabled (Not Scored) ++ - kernel_module_dccp_disabled ++ ++ ### 3.5.2 Ensure SCTP is disabled (Not Scored) ++ - kernel_module_sctp_disabled ++ ++ ### 3.5.3 Ensure RDS is disabled (Not Scored) ++ ++ ### 3.5.4 Ensure TIPC is disabled (Not Scored) ++ - kernel_module_tipc_disabled ++ ++ ## 3.6 Firewall Configuration ++ ### 3.6.1 Ensure iptables is installed (Scored) ++ - package_iptables_installed ++ ++ ### 3.6.2 Ensure default deny firewall policy (Scored) ++ ### 3.6.3 Ensure loopback traffic is configured (Scored) ++ ### 3.6.4 Ensure outbound and established connections are configured (Not Scored) ++ ### 3.6.5 Ensure firewall rules exist for all open ports (Scored) ++ ## 3.7 Ensure wireless interfaces are disabled (Not Scored) ++ ++ # 4 Logging and Auditing ++ ## 4.1 Configure System Accounting (auditd) ++ #### 4.1.1.1 Ensure audit log storage size is configured (Not Scored) ++ - auditd_data_retention_max_log_file ++ ++ #### 4.1.1.2 Ensure system is disabled when audit logs are full (Scored) ++ - var_auditd_space_left_action=email ++ - auditd_data_retention_space_left_action ++ - var_auditd_action_mail_acct=root ++ - auditd_data_retention_action_mail_acct ++ - var_auditd_admin_space_left_action=halt ++ - auditd_data_retention_admin_space_left_action ++ ++ #### 4.1.1.3 Ensure audit logs are not automatically deleted (Scored) ++ - var_auditd_max_log_file_action=keep_logs ++ - auditd_data_retention_max_log_file_action ++ ++ ### 4.1.2 Ensure auditd service is enabled (Scored) ++ - service_auditd_enabled ++ ++ ### 4.1.3 Ensure auditing for processes that start prior to auditd is enabled (Scored) ++ - grub2_audit_argument ++ ++ ### 4.1.4 Ensure events that modify date and time information are collected (Scored) ++ - audit_rules_time_adjtimex ++ - audit_rules_time_settimeofday ++ - audit_rules_time_stime ++ - audit_rules_time_clock_settime ++ - audit_rules_time_watch_localtime ++ ++ ### 4.1.5 Ensure events that modify user/group information are collected (Scored) ++ - audit_rules_usergroup_modification_passwd ++ - audit_rules_usergroup_modification_group ++ - audit_rules_usergroup_modification_gshadow ++ - audit_rules_usergroup_modification_shadow ++ - audit_rules_usergroup_modification_opasswd ++ ++ ### 4.1.6 Ensure events that modify the system's network environment are collected (Scored) ++ - audit_rules_networkconfig_modification # needs update to cover network-sripts and system-locale ++ ++ ### 4.1.7 Ensure events that modify the system's Mandatory Access Controls are collected (Scored) ++ - audit_rules_mac_modification ++ # NEED RULE - https://github.com/ComplianceAsCode/content/issues/5264 ++ ++ ### 4.1.8 Ensure login and logout events are collected (Scored) ++ - audit_rules_login_events_lastlog ++ - audit_rules_login_events_faillock ++ ++ ### 4.1.9 Ensure session initiation information is collected (Scored) ++ - audit_rules_session_events ++ ++ ### 4.1.10 Ensure discretionary access control permission modification events are collected (Scored) ++ - audit_rules_dac_modification_chmod ++ - audit_rules_dac_modification_fchmod ++ - audit_rules_dac_modification_fchmodat ++ - audit_rules_dac_modification_chown ++ - audit_rules_dac_modification_fchown ++ - audit_rules_dac_modification_fchownat ++ - audit_rules_dac_modification_lchown ++ - audit_rules_dac_modification_setxattr ++ - audit_rules_dac_modification_lsetxattr ++ - audit_rules_dac_modification_fsetxattr ++ - audit_rules_dac_modification_removexattr ++ - audit_rules_dac_modification_lremovexattr ++ - audit_rules_dac_modification_fremovexattr ++ ++ ### 4.1.11 Ensure unsuccessful unauthorized file access attempts are collected (Scored) ++ - audit_rules_unsuccessful_file_modification_creat ++ - audit_rules_unsuccessful_file_modification_open ++ - audit_rules_unsuccessful_file_modification_openat ++ - audit_rules_unsuccessful_file_modification_truncate ++ - audit_rules_unsuccessful_file_modification_ftruncate ++ # Opinionated selection ++ - audit_rules_unsuccessful_file_modification_open_by_handle_at ++ ++ ### 4.1.12 Ensure use of privileged commands is collected (Scored) ++ - audit_rules_privileged_commands ++ ++ ### 4.1.13 Ensure successful file system mounts are collected (Scored) ++ - audit_rules_media_export ++ ++ ### 4.1.14 Ensure file deletion events by users are collected (Scored) ++ - audit_rules_file_deletion_events_unlink ++ - audit_rules_file_deletion_events_unlinkat ++ - audit_rules_file_deletion_events_rename ++ - audit_rules_file_deletion_events_renameat ++ # Opinionated selection ++ - audit_rules_file_deletion_events_rmdir ++ ++ ### 4.1.15 Ensure changes to system administration scope (sudoers) is collected (Scored) ++ - audit_rules_sysadmin_actions ++ ++ ### 4.1.16 Ensure system administrator actions (sudolog) are collected (Scored) ++ ++ ### 4.1.17 Ensure kernel module loading and unloading is collected (Scored) ++ - audit_rules_kernel_module_loading ++ ++ ### 4.1.18 Ensure the audit configuration is immutable (Scored) ++ - audit_rules_immutable ++ ++ ## 4.2 Configure Logging ++ #### 4.2.1.1 Ensure rsyslog Service is enabled (Scored) ++ - service_rsyslog_enabled ++ ++ #### 4.2.1.2 Ensure logging is configured (Not Scored) ++ ++ #### 4.2.1.3 Ensure rsyslog default file permissions configured (Scored) ++ - rsyslog_files_permissions ++ ++ #### 4.2.1.4 Ensure rsyslog is configured to send logs to a remote log host (Scored) ++ - rsyslog_remote_loghost ++ ++ #### 4.2.1.5 Ensure remote rsyslog messages are only accepted on designated log hosts. (Not Scored) ++ - rsyslog_nolisten ++ - rsyslog_accept_remote_messages_tcp ++ - rsyslog_accept_remote_messages_udp ++ ++ #### 4.2.2.1 Ensure syslog-ng service is enabled (Scored) ++ #### 4.2.2.2 Ensure logging is configured (Not Scored) ++ #### 4.2.2.3 Ensure syslog-ng default file permissions configured (Scored) ++ #### 4.2.2.4 Ensure syslog-ng is configured to send logs to a remote log host (Not Scored) ++ #### 4.2.2.5 Ensure remote syslog-ng messages are only accepted on designated log hosts (Not Scored) ++ ++ ### 4.2.3 Ensure rsyslog or syslog-ng is installed (Scored) ++ - package_rsyslog_installed ++ ++ ### 4.2.4 Ensure permissions on all logfiles are configured (Scored) ++ ++ ## 4.3 Ensure logrotate is configured (Not Scored) ++ - ensure_logrotate_activated ++ ++ # 5 Access, Authentication and Authorization ++ ## 5.1 Configure cron ++ ### 5.1.1 Ensure cron daemon is enabled (Scored) ++ - service_crond_enabled ++ ++ ### 5.1.2 Ensure permissions on /etc/crontab are configured (Scored) ++ - file_groupowner_crontab ++ - file_owner_crontab ++ - file_permissions_crontab ++ ++ ### 5.1.3 Ensure permissions on /etc/cron.hourly are configured (Scored) ++ - file_groupowner_cron_hourly ++ - file_owner_cron_hourly ++ - file_permissions_cron_hourly ++ ++ ### 5.1.4 Ensure permissions on /etc/cron.daily are configured (Scored) ++ - file_groupowner_cron_daily ++ - file_owner_cron_daily ++ - file_permissions_cron_daily ++ ++ ### 5.1.5 Ensure permissions on /etc/cron.weekly are configured (Scored) ++ - file_groupowner_cron_weekly ++ - file_owner_cron_weekly ++ - file_permissions_cron_weekly ++ ++ ### 5.1.6 Ensure permissions on /etc/cron.monthly are configured (Scored) ++ - file_groupowner_cron_monthly ++ - file_owner_cron_monthly ++ - file_permissions_cron_monthly ++ ++ ### 5.1.7 Ensure permissions on /etc/cron.d are configured (Scored) ++ - file_groupowner_cron_d ++ - file_owner_cron_d ++ - file_permissions_cron_d ++ ++ ### 5.1.8 Ensure at/cron is restricted to authorized users (Scored) ++ ++ ## 5.2 SSH Server Configuration ++ ### 5.2.1 Ensure permissions on /etc/ssh/sshd_config are configured (Scored) ++ - file_groupowner_sshd_config ++ - file_owner_sshd_config ++ - file_permissions_sshd_config ++ ++ ### 5.2.2 Ensure SSH Protocol is set to 2 (Scored) ++ - sshd_allow_only_protocol2 ++ ++ ### 5.2.3 Ensure SSH LogLevel is set to INFO (Scored) ++ - sshd_set_loglevel_info ++ ++ ### 5.2.4 Ensure SSH X11 forwarding is disabled (Scored) ++ - sshd_enable_x11_forwarding ++ ++ ### 5.2.5 Ensure SSH MaxAuthTries is set to 4 or less (Scored) ++ - sshd_set_max_auth_tries ++ ++ ### 5.2.6 Ensure SSH IgnoreRhosts is enabled (Scored) ++ - sshd_disable_rhosts ++ ++ ### 5.2.7 Ensure SSH HostbasedAuthentication is disabled (Scored) ++ - disable_host_auth ++ ++ ### 5.2.8 Ensure SSH root login is disabled (Scored) ++ - sshd_disable_root_login ++ ++ ### 5.2.9 Ensure SSH PermitEmptyPasswords is disabled (Scored) ++ - sshd_disable_empty_passwords ++ ++ ### 5.2.10 Ensure SSH PermitUserEnvironment is disabled (Scored) ++ - sshd_do_not_permit_user_env ++ ++ ### 5.2.11 Ensure only approved MAC algorithms are used (Scored) ++ - sshd_use_approved_macs # TODO: approved macs don't match ++ ++ ### 5.2.12 Ensure SSH Idle Timeout Interval is configured (Scored) ++ - sshd_set_idle_timeout ++ - sshd_set_keepalive ++ ++ ### 5.2.13 Ensure SSH LoginGraceTime is set to one minute or less (Scored) ++ ### 5.2.14 Ensure SSH access is limited (Scored) ++ - sshd_limit_user_access ++ # TODO: cover AllowUsers, AllowGroups, DenyGroups ++ ++ ### 5.2.15 Ensure SSH warning banner is configured (Scored) ++ - sshd_enable_warning_banner ++ ++ ## 5.3 Configure PAM ++ ### 5.3.1 Ensure password creation requirements are configured (Scored) ++ - accounts_password_pam_retry ++ # TODO: looks like try_first_pass is not covered ++ - var_password_pam_minlen=14 ++ - accounts_password_pam_minlen ++ - var_password_pam_dcredit=1 ++ - accounts_password_pam_dcredit ++ - var_password_pam_ucredit=1 ++ - accounts_password_pam_ucredit ++ - var_password_pam_ocredit=1 ++ - accounts_password_pam_ocredit ++ - var_password_pam_lcredit=1 ++ - accounts_password_pam_lcredit ++ ++ ### 5.3.2 Ensure lockout for failed password attempts is configured (Scored) ++ - var_accounts_passwords_pam_faillock_unlock_time=900 ++ - var_accounts_passwords_pam_faillock_deny=5 ++ - accounts_passwords_pam_faillock_unlock_time ++ - accounts_passwords_pam_faillock_deny ++ ++ ### 5.3.3 Ensure password reuse is limited (Scored) ++ - var_password_pam_unix_remember=5 ++ - accounts_password_pam_unix_remember ++ ++ ### 5.3.4 Ensure password hashing algorithm is SHA-512 (Scored) ++ - set_password_hashing_algorithm_systemauth ++ # TODO: password-auth is not covered ++ ++ ## 5.4 User Accounts and Environment ++ ### 5.4.1 Set Shadow Password Suite Parameters ++ #### 5.4.1.1 Ensure password expiration is 365 days or less (Scored) ++ - var_accounts_maximum_age_login_defs=90 ++ - accounts_maximum_age_login_defs ++ ++ #### 5.4.1.2 Ensure minimum days between password changes is 7 or more (Scored) ++ - var_accounts_minimum_age_login_defs=7 ++ - accounts_minimum_age_login_defs ++ ++ #### 5.4.1.3 Ensure password expiration warning days is 7 or more (Scored) ++ - var_accounts_password_warn_age_login_defs=7 ++ - accounts_password_warn_age_login_defs ++ ++ #### 5.4.1.4 Ensure inactive password lock is 30 days or less (Scored) ++ - var_account_disable_post_pw_expiration=30 ++ - account_disable_post_pw_expiration ++ ++ #### 5.4.1.5 Ensure all users last password change date is in the past (Scored) ++ ### 5.4.2 Ensure system accounts are non-login (Scored) ++ - no_shelllogin_for_systemaccounts ++ ++ ### 5.4.3 Ensure default group for the root account is GID 0 (Scored) ++ ### 5.4.4 Ensure default user umask is 027 or more restrictive (Scored) ++ - accounts_umask_etc_bashrc ++ - accounts_umask_etc_profile ++ ++ ### 5.4.5 Ensure default user shell timeout is 900 seconds or less (Scored) ++ - accounts_tmout ++ ++ ## 5.5 Ensure root login is restricted to system console (Not Scored) ++ - no_direct_root_logins ++ ++ ## 5.6 Ensure access to the su command is restricted (Scored) ++ ++ # 6 System Maintenance ++ ## 6.1 System File Permissions ++ ### 6.1.1 Audit system file permissions (Not Scored) ++ - rpm_verify_permissions ++ - rpm_verify_ownership ++ ++ ### 6.1.2 Ensure permissions on /etc/passwd are configured (Scored) ++ - file_owner_etc_passwd ++ - file_groupowner_etc_passwd ++ - file_permissions_etc_passwd ++ ++ ### 6.1.3 Ensure permissions on /etc/shadow are configured (Scored) ++ - file_owner_etc_shadow ++ - file_groupowner_etc_shadow ++ - file_permissions_etc_shadow ++ ++ ### 6.1.4 Ensure permissions on /etc/group are configured (Scored) ++ - file_owner_etc_group ++ - file_groupowner_etc_group ++ - file_permissions_etc_group ++ ++ ### 6.1.5 Ensure permissions on /etc/gshadow are configured (Scored) ++ - file_owner_etc_gshadow ++ - file_groupowner_etc_gshadow ++ - file_permissions_etc_gshadow ++ ++ ### 6.1.6 Ensure permissions on /etc/passwd- are configured (Scored) ++ ### 6.1.7 Ensure permissions on /etc/shadow- are configured (Scored) ++ ### 6.1.8 Ensure permissions on /etc/group- are configured (Scored) ++ ### 6.1.9 Ensure permissions on /etc/gshadow- are configured (Scored) ++ ++ ### 6.1.10 Ensure no world writable files exist (Scored) ++ - file_permissions_unauthorized_world_writable ++ ++ ### 6.1.11 Ensure no unowned files or directories exist (Scored) ++ - no_files_unowned_by_user ++ ++ ### 6.1.12 Ensure no ungrouped files or directories exist (Scored) ++ - file_permissions_ungroupowned ++ ++ ### 6.1.13 Audit SUID executables (Not Scored) ++ - file_permissions_unauthorized_suid ++ ++ ### 6.1.14 Audit SGID executables (Not Scored) ++ - file_permissions_unauthorized_sgid ++ ++ ## 6.2 User and Group Settings ++ ### 6.2.1 Ensure password fields are not empty (Scored) ++ ### 6.2.2 Ensure no legacy "+" entries exist in /etc/passwd (Scored) ++ ### 6.2.3 Ensure no legacy "+" entries exist in /etc/shadow (Scored) ++ ### 6.2.4 Ensure no legacy "+" entries exist in /etc/group (Scored) ++ ### 6.2.5 Ensure root is the only UID 0 account (Scored) ++ - accounts_no_uid_except_zero ++ ++ ### 6.2.6 Ensure root PATH Integrity (Scored) ++ ### 6.2.7 Ensure all users' home directories exist (Scored) ++ ### 6.2.8 Ensure users' home directories permissions are 750 or more restrictive (Scored) ++ ### 6.2.9 Ensure users own their home directories (Scored) ++ ### 6.2.10 Ensure users' dot files are not group or world writable (Scored) ++ ### 6.2.11 Ensure no users have .forward files (Scored) ++ ### 6.2.12 Ensure no users have .netrc files (Scored) ++ ### 6.2.13 Ensure users' .netrc Files are not group or world accessible (Scored) ++ ### 6.2.14 Ensure no users have .rhosts files (Scored) ++ - no_rsh_trust_files ++ ++ ### 6.2.15 Ensure all groups in /etc/passwd exist in /etc/group (Scored) ++ ### 6.2.16 Ensure no duplicate UIDs exist (Scored) ++ ### 6.2.17 Ensure no duplicate GIDs exist (Scored) ++ ### 6.2.18 Ensure no duplicate user names exist (Scored) ++ ### 6.2.19 Ensure no duplicate group names exist (Scored) diff --git a/SOURCES/scap-security-guide-0.1.50-add_rpm_verify_warnings_PR_5755.patch b/SOURCES/scap-security-guide-0.1.50-add_rpm_verify_warnings_PR_5755.patch new file mode 100644 index 0000000..e308713 --- /dev/null +++ b/SOURCES/scap-security-guide-0.1.50-add_rpm_verify_warnings_PR_5755.patch @@ -0,0 +1,108 @@ +From 1e2617161624f5df945d2223f9a80f1186116f6b Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Tue, 12 May 2020 14:59:41 +0200 +Subject: [PATCH 1/3] Warn about findings from rpm_verify_permissions + +There can be cases in which a Profile requires that a file permission be +more strict than package default permissions. In this cases this rule +will report the file changed by the Profile itself as a finding. + +Not all permission changes make sense to be incorporated by the +package, and currently there is no mechanism to waive these findings. +--- + .../rpm_verification/rpm_verify_permissions/rule.yml | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_permissions/rule.yml b/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_permissions/rule.yml +index 863e2d05a3..0a91ce0108 100644 +--- a/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_permissions/rule.yml ++++ b/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_permissions/rule.yml +@@ -67,8 +67,10 @@ ocil: |- + is expected by the RPM database: + 
$ rpm -Va | awk '{ if (substr($0,2,1)=="M") print $NF }'
+ +-{{% if product == "rhel6" %}} + warnings: ++ - general: |- ++ Profiles may require that specific files have stricter file permissions than defined by the vendor. Such files will be reported as a finding and need to be evaluated according to your policy and deployment environment. ++{{% if product == "rhel6" %}} + - general: |- + Note: Due to a bug in the gdm package, + the RPM verify command may continue to fail even after file permissions have + +From b372888797152c859b332efae9722813b7f62ec0 Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Tue, 12 May 2020 17:21:25 +0200 +Subject: [PATCH 2/3] Warn about findings from rpm_verify_ownership + +There can be cases in which a Profile requires that a file be owned +by root, while the package default owner is a different user. +In these cases this rule will report the change in file ownership +done by the Profile itself as a finding. + +Not all ownership changes make sense to be incorporated by the +package, and currently there is no mechanism to waive these +findings. +--- + .../rpm_verification/rpm_verify_ownership/rule.yml | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_ownership/rule.yml b/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_ownership/rule.yml +index 7ae3f61919..f888db3b2c 100644 +--- a/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_ownership/rule.yml ++++ b/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_ownership/rule.yml +@@ -58,8 +58,10 @@ ocil: |- + is expected by the RPM database: + 
$ rpm -Va | rpm -Va --nofiledigest | awk '{ if (substr($0,6,1)=="U" || substr($0,7,1)=="G") print $NF }'
+ +-{{% if product == "rhel6" %}} + warnings: ++ - general: |- ++ Profiles may require that specific files be owned by root while the default owner defined by the vendor is different. Such files will be reported as a finding and need to be evaluated according to your policy and deployment environment. ++{{% if product == "rhel6" %}} + - general: |- + Note: Due to a bug in the gdm package, + the RPM verify command may continue to fail even after file permissions have + +From c3210e05aba0b479a3122f84dc149241e5866f5a Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Tue, 12 May 2020 17:29:44 +0200 +Subject: [PATCH 3/3] Warning readability changes + +--- + .../rpm_verification/rpm_verify_ownership/rule.yml | 5 ++++- + .../rpm_verification/rpm_verify_permissions/rule.yml | 5 ++++- + 2 files changed, 8 insertions(+), 2 deletions(-) + +diff --git a/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_ownership/rule.yml b/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_ownership/rule.yml +index f888db3b2c..e353ecef4c 100644 +--- a/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_ownership/rule.yml ++++ b/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_ownership/rule.yml +@@ -60,7 +60,10 @@ ocil: |- + + warnings: + - general: |- +- Profiles may require that specific files be owned by root while the default owner defined by the vendor is different. Such files will be reported as a finding and need to be evaluated according to your policy and deployment environment. ++ Profiles may require that specific files be owned by root while the default owner defined ++ by the vendor is different. ++ Such files will be reported as a finding and need to be evaluated according to your policy ++ and deployment environment. + {{% if product == "rhel6" %}} + - general: |- + Note: Due to a bug in the gdm package, +diff --git a/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_permissions/rule.yml b/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_permissions/rule.yml +index 0a91ce0108..677a239f3a 100644 +--- a/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_permissions/rule.yml ++++ b/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_permissions/rule.yml +@@ -69,7 +69,10 @@ ocil: |- + + warnings: + - general: |- +- Profiles may require that specific files have stricter file permissions than defined by the vendor. Such files will be reported as a finding and need to be evaluated according to your policy and deployment environment. ++ Profiles may require that specific files have stricter file permissions than defined by the ++ vendor. ++ Such files will be reported as a finding and need to be evaluated according to your policy ++ and deployment environment. + {{% if product == "rhel6" %}} + - general: |- + Note: Due to a bug in the gdm package, diff --git a/SOURCES/scap-security-guide-0.1.50-add_rule_sshd_disable_x11_forwarding_PR_5554.patch b/SOURCES/scap-security-guide-0.1.50-add_rule_sshd_disable_x11_forwarding_PR_5554.patch new file mode 100644 index 0000000..91a4368 --- /dev/null +++ b/SOURCES/scap-security-guide-0.1.50-add_rule_sshd_disable_x11_forwarding_PR_5554.patch @@ -0,0 +1,375 @@ +From ff69d42fd57e64112af50b15ed03526a205b0f98 Mon Sep 17 00:00:00 2001 +From: eradot4027 +Date: Thu, 2 Apr 2020 13:29:17 -0400 +Subject: [PATCH 01/12] Initial commit of rule for issue 5524 + +--- + .../sshd_disable_x11_forwarding/rule.yml | 46 +++++++++++++++++++ + 1 file changed, 46 insertions(+) + create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/rule.yml + +diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/rule.yml +new file mode 100644 +index 0000000000..c0c01728e9 +--- /dev/null ++++ b/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/rule.yml +@@ -0,0 +1,46 @@ ++documentation_complete: true ++ ++title: 'Disable X11 Forwarding' ++ ++description: |- ++ The X11Forwarding parameter provides the ability to tunnel X11 traffic ++ through the connection to enable remote graphic connections. ++ SSH has the capability to encrypt remote X11 connections when SSH's ++ X11Forwarding option is enabled. ++

++ To disable X11 Forwarding, add or correct the ++ following line in /etc/ssh/sshd_config: ++ 
X11Forwarding no
++ ++rationale: |- ++ Disable X11 forwarding unless there is an operational requirement to use X11 ++ applications directly. There is a small risk that the remote X11 servers of ++ users who are logged in via SSH with X11 forwarding could be compromised by ++ other users on the X11 server. Note that even if X11 forwarding is disabled, ++ users can always install their own forwarders. ++ ++severity: low ++ ++references: ++ cui: 3.1.13 ++ disa: "366" ++ nist: CM-6(a),AC-17(a),AC-17(2) ++ nist-csf: DE.AE-1,PR.DS-7,PR.IP-1 ++ srg: SRG-OS-000480-GPOS-00227 ++ stigid@rhel7: "040710" ++ stigid@sle12: "030260" ++ isa-62443-2013: 'SR 7.6' ++ isa-62443-2009: 4.3.4.3.2,4.3.4.3.3,4.4.3.3 ++ cobit5: BAI03.08,BAI07.04,BAI10.01,BAI10.02,BAI10.03,BAI10.05,DSS03.01 ++ iso27001-2013: A.12.1.1,A.12.1.2,A.12.1.4,A.12.5.1,A.12.6.2,A.13.1.1,A.13.1.2,A.14.2.2,A.14.2.3,A.14.2.4 ++ cis-csc: 1,11,12,13,15,16,18,20,3,4,6,9 ++ ++{{{ complete_ocil_entry_sshd_option(default="no", option="X11Forwarding", value="no") }}} ++ ++template: ++ name: sshd_lineinfile ++ vars: ++ missing_parameter_pass: 'false' ++ parameter: X11Forwarding ++ rule_id: sshd_disable_x11_forwarding ++ value: 'no' + +From f1bc29396cf2953fb4cb9cb17d6b8537f7be22f1 Mon Sep 17 00:00:00 2001 +From: eradot4027 +Date: Thu, 2 Apr 2020 13:34:02 -0400 +Subject: [PATCH 02/12] Haven't found references except for Solaris 11. Remove + reference section + +--- + .../sshd_disable_x11_forwarding/rule.yml | 14 -------------- + 1 file changed, 14 deletions(-) + +diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/rule.yml +index c0c01728e9..66872d01ab 100644 +--- a/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/rule.yml ++++ b/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/rule.yml +@@ -21,20 +21,6 @@ rationale: |- + + severity: low + +-references: +- cui: 3.1.13 +- disa: "366" +- nist: CM-6(a),AC-17(a),AC-17(2) +- nist-csf: DE.AE-1,PR.DS-7,PR.IP-1 +- srg: SRG-OS-000480-GPOS-00227 +- stigid@rhel7: "040710" +- stigid@sle12: "030260" +- isa-62443-2013: 'SR 7.6' +- isa-62443-2009: 4.3.4.3.2,4.3.4.3.3,4.4.3.3 +- cobit5: BAI03.08,BAI07.04,BAI10.01,BAI10.02,BAI10.03,BAI10.05,DSS03.01 +- iso27001-2013: A.12.1.1,A.12.1.2,A.12.1.4,A.12.5.1,A.12.6.2,A.13.1.1,A.13.1.2,A.14.2.2,A.14.2.3,A.14.2.4 +- cis-csc: 1,11,12,13,15,16,18,20,3,4,6,9 +- + {{{ complete_ocil_entry_sshd_option(default="no", option="X11Forwarding", value="no") }}} + + template: + +From fb105b63c1ae36f309ede1831b8bae7a8d3ca4c7 Mon Sep 17 00:00:00 2001 +From: eradot4027 +Date: Thu, 2 Apr 2020 13:56:05 -0400 +Subject: [PATCH 03/12] Added CIS Reference + +--- + .../ssh/ssh_server/sshd_disable_x11_forwarding/rule.yml | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/rule.yml +index 66872d01ab..88ed64c681 100644 +--- a/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/rule.yml ++++ b/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/rule.yml +@@ -23,6 +23,9 @@ severity: low + + {{{ complete_ocil_entry_sshd_option(default="no", option="X11Forwarding", value="no") }}} + ++references: ++ cis@rhel8: 5.2.6 ++ + template: + name: sshd_lineinfile + vars: + +From 93f1dd883c3bef0e0df0a0eab87a8eaa75134637 Mon Sep 17 00:00:00 2001 +From: eradot4027 +Date: Thu, 2 Apr 2020 13:58:34 -0400 +Subject: [PATCH 04/12] CIS RHEL 7 Benchmark Reference + +--- + .../ssh/ssh_server/sshd_disable_x11_forwarding/rule.yml | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/rule.yml +index 88ed64c681..c56d498972 100644 +--- a/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/rule.yml ++++ b/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/rule.yml +@@ -24,8 +24,9 @@ severity: low + {{{ complete_ocil_entry_sshd_option(default="no", option="X11Forwarding", value="no") }}} + + references: ++ cis@rhel7: 5.2.5 + cis@rhel8: 5.2.6 +- ++ + template: + name: sshd_lineinfile + vars: + +From 96a51e5a2496c40aa28d9aace336ee75c26afdeb Mon Sep 17 00:00:00 2001 +From: eradot4027 +Date: Thu, 2 Apr 2020 14:09:25 -0400 +Subject: [PATCH 05/12] MOre CIS References + +--- + .../ssh/ssh_server/sshd_disable_x11_forwarding/rule.yml | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/rule.yml +index c56d498972..92cdbc2151 100644 +--- a/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/rule.yml ++++ b/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/rule.yml +@@ -26,6 +26,8 @@ severity: low + references: + cis@rhel7: 5.2.5 + cis@rhel8: 5.2.6 ++ cis@sle12: 5.2.4 ++ cis@sle15: 5.2.6 + + template: + name: sshd_lineinfile + +From da6fb541c8085d3f6a29f2569615201f3c88bda4 Mon Sep 17 00:00:00 2001 +From: eradot4027 +Date: Thu, 2 Apr 2020 15:39:53 -0400 +Subject: [PATCH 06/12] Modified per pull request comments. + +--- + .../ssh/ssh_server/sshd_disable_x11_forwarding/rule.yml | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/rule.yml +index 92cdbc2151..bea57e74aa 100644 +--- a/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/rule.yml ++++ b/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/rule.yml +@@ -21,7 +21,9 @@ rationale: |- + + severity: low + +-{{{ complete_ocil_entry_sshd_option(default="no", option="X11Forwarding", value="no") }}} ++ocil_clause: "that the X11Forwarding option exists and is enabled" ++ ++ocil: '{{{ ocil_sshd_option(default="no", option="X11Forwarding", value="no") }}}' + + references: + cis@rhel7: 5.2.5 +@@ -32,7 +34,7 @@ references: + template: + name: sshd_lineinfile + vars: +- missing_parameter_pass: 'false' ++ missing_parameter_pass: 'true' + parameter: X11Forwarding + rule_id: sshd_disable_x11_forwarding + value: 'no' + +From b0b3524c550d3007b33a2d3bdda7d8925dd2fe00 Mon Sep 17 00:00:00 2001 +From: eradot4027 +Date: Thu, 2 Apr 2020 16:17:05 -0400 +Subject: [PATCH 07/12] Modified per comment + +--- + .../ssh/ssh_server/sshd_disable_x11_forwarding/rule.yml | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/rule.yml +index bea57e74aa..14771fcc9a 100644 +--- a/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/rule.yml ++++ b/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/rule.yml +@@ -23,7 +23,8 @@ severity: low + + ocil_clause: "that the X11Forwarding option exists and is enabled" + +-ocil: '{{{ ocil_sshd_option(default="no", option="X11Forwarding", value="no") }}}' ++ocil: |- ++ {{{ ocil_sshd_option(default="no", option="X11Forwarding", value="no") }}} + + references: + cis@rhel7: 5.2.5 + +From 84f97ae10eaf3c4118f8efa00d7d887ec44db150 Mon Sep 17 00:00:00 2001 +From: eradot4027 +Date: Thu, 2 Apr 2020 16:24:28 -0400 +Subject: [PATCH 08/12] Added check to RHEL7,8 CIS Profile per request + +--- + rhel7/profiles/cis.profile | 3 ++- + 2 files changed, 11 insertions(+), 10 deletions(-) + +diff --git a/rhel7/profiles/cis.profile b/rhel7/profiles/cis.profile +index 739ed27200..ba413cb1d8 100644 +--- a/rhel7/profiles/cis.profile ++++ b/rhel7/profiles/cis.profile +@@ -578,7 +578,8 @@ selections: + - sshd_set_loglevel_info + + ### 5.2.4 Ensure SSH X11 forwarding is disabled (Scored) +- ++ - sshd_disable_x11_forwarding ++ + ### 5.2.5 Ensure SSH MaxAuthTries is set to 4 or less (Scored) + - sshd_set_max_auth_tries + + +From 1618a15fb61c447770fd54e131c15445f765eabc Mon Sep 17 00:00:00 2001 +From: eradot4027 +Date: Thu, 2 Apr 2020 20:16:53 -0400 +Subject: [PATCH 09/12] Fixed OCIL Clause + +--- + .../services/ssh/ssh_server/sshd_disable_x11_forwarding/rule.yml | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/rule.yml +index 14771fcc9a..09dd808e99 100644 +--- a/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/rule.yml ++++ b/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/rule.yml +@@ -26,6 +26,7 @@ ocil_clause: "that the X11Forwarding option exists and is enabled" + ocil: |- + {{{ ocil_sshd_option(default="no", option="X11Forwarding", value="no") }}} + ++ + references: + cis@rhel7: 5.2.5 + cis@rhel8: 5.2.6 + +From e593461ca7cc38b5125f4413c445c4f9e9261c4e Mon Sep 17 00:00:00 2001 +From: eradot4027 +Date: Fri, 3 Apr 2020 10:49:57 -0400 +Subject: [PATCH 10/12] Added OVAL and tests + +--- + .../sshd_disable_x11_forwarding/oval/shared.xml | 1 + + .../sshd_disable_x11_forwarding/tests/comment.pass.sh | 9 +++++++++ + .../tests/correct_value.pass.sh | 9 +++++++++ + .../tests/line_not_there.pass.sh | 5 +++++ + .../tests/wrong_value.fail.sh | 9 +++++++++ + 5 files changed, 33 insertions(+) + create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/oval/shared.xml + create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/tests/comment.pass.sh + create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/tests/correct_value.pass.sh + create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/tests/line_not_there.pass.sh + create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/tests/wrong_value.fail.sh + +diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/oval/shared.xml b/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/oval/shared.xml +new file mode 100644 +index 0000000000..88b4e756f5 +--- /dev/null ++++ b/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/oval/shared.xml +@@ -0,0 +1 @@ ++{{{ oval_sshd_config(parameter="X11Forwarding", value="no", missing_parameter_pass=true) }}} +diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/tests/comment.pass.sh b/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/tests/comment.pass.sh +new file mode 100644 +index 0000000000..2b2e7869af +--- /dev/null ++++ b/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/tests/comment.pass.sh +@@ -0,0 +1,9 @@ ++#!/bin/bash ++# ++# profiles = xccdf_org.ssgproject.content_profile_ospp ++ ++if grep -q "^X11Forwarding" /etc/ssh/sshd_config; then ++ sed -i "s/^X11Forwarding.*/# X11Forwarding no/" /etc/ssh/sshd_config ++else ++ echo "# X11Forwarding no" >> /etc/ssh/sshd_config ++fi +diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/tests/correct_value.pass.sh b/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/tests/correct_value.pass.sh +new file mode 100644 +index 0000000000..f8b1ed4685 +--- /dev/null ++++ b/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/tests/correct_value.pass.sh +@@ -0,0 +1,9 @@ ++#!/bin/bash ++# ++# profiles = xccdf_org.ssgproject.content_profile_ospp ++ ++if grep -q "^X11Forwarding" /etc/ssh/sshd_config; then ++ sed -i "s/^X11Forwarding.*/X11Forwarding no/" /etc/ssh/sshd_config ++else ++ echo "X11Forwarding no" >> /etc/ssh/sshd_config ++fi +diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/tests/line_not_there.pass.sh b/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/tests/line_not_there.pass.sh +new file mode 100644 +index 0000000000..53a3d754b8 +--- /dev/null ++++ b/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/tests/line_not_there.pass.sh +@@ -0,0 +1,5 @@ ++#!/bin/bash ++# ++# profiles = xccdf_org.ssgproject.content_profile_ospp ++ ++sed -i "/^X11Forwarding.*/d" /etc/ssh/sshd_config +diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/tests/wrong_value.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/tests/wrong_value.fail.sh +new file mode 100644 +index 0000000000..bbb09f62d0 +--- /dev/null ++++ b/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/tests/wrong_value.fail.sh +@@ -0,0 +1,9 @@ ++#!/bin/bash ++# ++# profiles = xccdf_org.ssgproject.content_profile_ospp ++ ++if grep -q "^X11Forwarding" /etc/ssh/sshd_config; then ++ sed -i "s/^X11Forwarding.*/X11Forwarding yes/" /etc/ssh/sshd_config ++else ++ echo "X11Forwarding yes" >> /etc/ssh/sshd_config ++fi + +From 192c1ee531a838c91db37108f49124295cc5cec3 Mon Sep 17 00:00:00 2001 +From: eradot4027 +Date: Fri, 3 Apr 2020 13:10:49 -0400 +Subject: [PATCH 11/12] Removed OVAL in favor of template + +--- + .../ssh/ssh_server/sshd_disable_x11_forwarding/oval/shared.xml | 1 - + 1 file changed, 1 deletion(-) + delete mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/oval/shared.xml + +diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/oval/shared.xml b/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/oval/shared.xml +deleted file mode 100644 +index 88b4e756f5..0000000000 +--- a/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/oval/shared.xml ++++ /dev/null +@@ -1 +0,0 @@ +-{{{ oval_sshd_config(parameter="X11Forwarding", value="no", missing_parameter_pass=true) }}} + diff --git a/SOURCES/scap-security-guide-0.1.50-add_rules_accounts_backup_files_PR_5317.patch b/SOURCES/scap-security-guide-0.1.50-add_rules_accounts_backup_files_PR_5317.patch new file mode 100644 index 0000000..25a58ef --- /dev/null +++ b/SOURCES/scap-security-guide-0.1.50-add_rules_accounts_backup_files_PR_5317.patch @@ -0,0 +1,1025 @@ +From f657a1b61509c591a9b1c031865b520bd2c8bbbe Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Thu, 19 Mar 2020 15:23:05 +0100 +Subject: [PATCH 1/8] Add rules for /etc/passwd- permissions and owner + +--- + .../rule.yml | 31 +++++++++++++++++ + .../file_owner_backup_etc_passwd/rule.yml | 31 +++++++++++++++++ + .../rule.yml | 33 +++++++++++++++++++ + 4 files changed, 95 insertions(+), 6 deletions(-) + create mode 100644 linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_backup_etc_passwd/rule.yml + create mode 100644 linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_backup_etc_passwd/rule.yml + create mode 100644 linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_passwd/rule.yml + +diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_backup_etc_passwd/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_backup_etc_passwd/rule.yml +new file mode 100644 +index 0000000000..b4ece4eda7 +--- /dev/null ++++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_backup_etc_passwd/rule.yml +@@ -0,0 +1,31 @@ ++documentation_complete: true ++ ++title: 'Verify Group Who Owns Backup passwd File' ++ ++description: '{{{ describe_file_group_owner(file="/etc/passwd-", group="root") }}}' ++ ++rationale: |- ++ The /etc/passwd- file is a backup file of the /etc/passwd file and as such ++ it also contains information about the users that are configured on the system. ++ Protection of this file is critical for system security. ++ ++severity: medium ++ ++identifiers: ++ cce@rhel7: 83323-6 ++ cce@rhel8: 83324-4 ++ ++references: ++ cis@rhel7: 6.1.6 ++ cis@rhel8: 6.1.6 ++ ++ocil_clause: '{{{ ocil_clause_file_group_owner(file="/etc/passwd-", group="root") }}}' ++ ++ocil: '{{{ ocil_file_group_owner(file="/etc/passwd-", group="root") }}}' ++ ++template: ++ name: file_groupowner ++ vars: ++ filepath: /etc/passwd- ++ filegid: '0' ++ missing_file_pass: 'true' +diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_backup_etc_passwd/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_backup_etc_passwd/rule.yml +new file mode 100644 +index 0000000000..28ceaf57e2 +--- /dev/null ++++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_backup_etc_passwd/rule.yml +@@ -0,0 +1,31 @@ ++documentation_complete: true ++ ++title: 'Verify User Who Owns Backup passwd File' ++ ++description: '{{{ describe_file_owner(file="/etc/passwd-", owner="root") }}}' ++ ++rationale: |- ++ The /etc/passwd- file is a backup file of the /etc/passwd file and as such ++ it also contains information about the users that are configured on the system. ++ Protection of this file is critical for system security. ++ ++severity: medium ++ ++identifiers: ++ cce@rhel7: 83325-1 ++ cce@rhel8: 83326-9 ++ ++references: ++ cis@rhel7: 6.1.6 ++ cis@rhel8: 6.1.6 ++ ++ocil_clause: '{{{ ocil_clause_file_owner(file="/etc/passwd-", owner="root") }}}' ++ ++ocil: '{{{ ocil_file_owner(file="/etc/passwd-", owner="root") }}}' ++ ++template: ++ name: file_owner ++ vars: ++ filepath: /etc/passwd- ++ fileuid: '0' ++ missing_file_pass: 'true' +diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_passwd/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_passwd/rule.yml +new file mode 100644 +index 0000000000..3620e8d0d8 +--- /dev/null ++++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_passwd/rule.yml +@@ -0,0 +1,33 @@ ++documentation_complete: true ++ ++title: 'Verify Permissions on Backup passwd File' ++ ++description: |- ++ {{{ describe_file_permissions(file="/etc/passwd-", perms="0600") }}} ++ ++rationale: |- ++ The /etc/passwd- file is a backup file of the /etc/passwd file and as such ++ it also contains information about the users that are configured on the system. ++ Protection of this file is critical for system security. ++ ++severity: medium ++ ++identifiers: ++ cce@rhel7: 83331-9 ++ cce@rhel8: 83332-7 ++ ++references: ++ cis@rhel7: 6.1.6 ++ cis@rhel8: 6.1.6 ++ ++ocil_clause: '{{{ ocil_clause_file_permissions(file="/etc/passwd-", perms="-rw-------") }}}' ++ ++ocil: |- ++ {{{ ocil_file_permissions(file="/etc/passwd-", perms="-rw-------") }}} ++ ++template: ++ name: file_permissions ++ vars: ++ filepath: /etc/passwd- ++ filemode: '0600' ++ missing_file_pass: 'true' +From 5e641c50c9cb21cc664f2b6fe2ea820b96d3bde4 Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Thu, 19 Mar 2020 15:44:25 +0100 +Subject: [PATCH 2/8] Add rules for /etc/shadow- permissions and owner + +--- + .../rule.yml | 37 ++++++++++++++++++ + .../file_owner_backup_etc_shadow/rule.yml | 31 +++++++++++++++ + .../rule.yml | 39 +++++++++++++++++++ + 4 files changed, 107 insertions(+), 6 deletions(-) + create mode 100644 linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_backup_etc_shadow/rule.yml + create mode 100644 linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_backup_etc_shadow/rule.yml + create mode 100644 linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_shadow/rule.yml + +diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_backup_etc_shadow/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_backup_etc_shadow/rule.yml +new file mode 100644 +index 0000000000..6f4744e6cc +--- /dev/null ++++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_backup_etc_shadow/rule.yml +@@ -0,0 +1,37 @@ ++documentation_complete: true ++ ++title: 'Verify User Who Owns Backup shadow File' ++ ++description: '{{{ describe_file_group_owner(file="/etc/shadow-", group="root") }}}' ++ ++rationale: |- ++ The /etc/shadow- file is a backup file of the /etc/shadow file, and as such ++ it also contains the list of local system accounts and password hashes. ++ Protection of this file is critical for system security. ++ ++severity: medium ++ ++identifiers: ++ cce@rhel7: 83414-3 ++ cce@rhel8: 83415-0 ++ ++references: ++ cis@rhel7: 6.1.7 ++ cis@rhel8: 6.1.7 ++ ++ocil_clause: '{{{ ocil_clause_file_group_owner(file="/etc/shadow-", group="root") }}}' ++ ++ocil: '{{{ ocil_file_group_owner(file="/etc/shadow-", group="root") }}}' ++ ++template: ++ name: file_groupowner ++ vars: ++ filepath: /etc/shadow- ++ filegid: '0' ++ filegid@debian8: '42' ++ filegid@debian9: '42' ++ filegid@debian10: '42' ++ filegid@ubuntu1404: '42' ++ filegid@ubuntu1604: '42' ++ filegid@ubuntu1804: '42' ++ missing_file_pass: 'true' +diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_backup_etc_shadow/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_backup_etc_shadow/rule.yml +new file mode 100644 +index 0000000000..2b5a17d6bf +--- /dev/null ++++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_backup_etc_shadow/rule.yml +@@ -0,0 +1,31 @@ ++documentation_complete: true ++ ++title: 'Verify Group Who Owns Backup shadow File' ++ ++description: '{{{ describe_file_owner(file="/etc/shadow-", owner="root") }}}' ++ ++rationale: |- ++ The /etc/shadow- file is a backup file of the /etc/shadow file, and as such ++ it also contains the list of local system accounts and password hashes. ++ Protection of this file is critical for system security. ++ ++severity: medium ++ ++identifiers: ++ cce@rhel7: 83412-7 ++ cce@rhel8: 83413-5 ++ ++references: ++ cis@rhel7: 6.1.7 ++ cis@rhel8: 6.1.7 ++ ++ocil_clause: '{{{ ocil_clause_file_owner(file="/etc/shadow-", owner="root") }}}' ++ ++ocil: '{{{ ocil_file_owner(file="/etc/shadow-", owner="root") }}}' ++ ++template: ++ name: file_owner ++ vars: ++ filepath: /etc/shadow- ++ fileuid: '0' ++ missing_file_pass: 'true' +diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_shadow/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_shadow/rule.yml +new file mode 100644 +index 0000000000..6090201c11 +--- /dev/null ++++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_shadow/rule.yml +@@ -0,0 +1,39 @@ ++documentation_complete: true ++ ++title: 'Verify Permissions on Backup shadow File' ++ ++description: |- ++ {{{ describe_file_permissions(file="/etc/shadow-", perms="0000") }}} ++ ++rationale: |- ++ The /etc/shadow- file is a backup file of the /etc/shadow file, and as such ++ it also contains the list of local system accounts and password hashes. ++ Protection of this file is critical for system security. ++ ++severity: medium ++ ++identifiers: ++ cce@rhel7: 83416-8 ++ cce@rhel8: 83417-6 ++ ++references: ++ cis@rhel7: 6.1.7 ++ cis@rhel8: 6.1.7 ++ ++ocil_clause: '{{{ ocil_clause_file_permissions(file="/etc/shadow-", perms="----------") }}}' ++ ++ocil: |- ++ {{{ ocil_file_permissions(file="/etc/shadow-", perms="----------") }}} ++ ++template: ++ name: file_permissions ++ vars: ++ filepath: /etc/shadow- ++ filemode: '0000' ++ filemode@debian8: '0640' ++ filemode@debian9: '0640' ++ filemode@debian10: '0640' ++ filemode@ubuntu1404: '0640' ++ filemode@ubuntu1604: '0640' ++ filemode@ubuntu1804: '0640' ++ missing_file_pass: 'true' +From 9f206c3dede1f1fe41288559f8b465dcfe252b9e Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Thu, 19 Mar 2020 16:07:26 +0100 +Subject: [PATCH 3/8] Add rules for /etc/group- permissions and owner + +--- + .../file_groupowner_backup_etc_group/rule.yml | 31 +++++++++++++++++ + .../file_owner_backup_etc_group/rule.yml | 31 +++++++++++++++++ + .../rule.yml | 33 +++++++++++++++++++ + 4 files changed, 95 insertions(+), 6 deletions(-) + create mode 100644 linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_backup_etc_group/rule.yml + create mode 100644 linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_backup_etc_group/rule.yml + create mode 100644 linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_group/rule.yml + +diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_backup_etc_group/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_backup_etc_group/rule.yml +new file mode 100644 +index 0000000000..6663d25ee6 +--- /dev/null ++++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_backup_etc_group/rule.yml +@@ -0,0 +1,31 @@ ++documentation_complete: true ++ ++title: 'Verify Group Who Owns Backup group File' ++ ++description: '{{{ describe_file_group_owner(file="/etc/group-", group="root") }}}' ++ ++rationale: |- ++ The /etc/group- file is a backup file of the /etc/group, and as such ++ it also contains information regarding groups that are configured on the system. ++ Protection of this file is important for system security. ++ ++severity: medium ++ ++identifiers: ++ cce@rhel7: 83474-7 ++ cce@rhel8: 83475-4 ++ ++references: ++ cis@rhel7: 6.1.8 ++ cis@rhel8: 6.1.8 ++ ++ocil_clause: '{{{ ocil_clause_file_group_owner(file="/etc/group-", group="root") }}}' ++ ++ocil: '{{{ ocil_file_group_owner(file="/etc/group", group="root") }}}' ++ ++template: ++ name: file_groupowner ++ vars: ++ filepath: /etc/group- ++ filegid: '0' ++ missing_file_pass: 'true' +diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_backup_etc_group/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_backup_etc_group/rule.yml +new file mode 100644 +index 0000000000..43f508a788 +--- /dev/null ++++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_backup_etc_group/rule.yml +@@ -0,0 +1,31 @@ ++documentation_complete: true ++ ++title: 'Verify User Who Owns Backup group File' ++ ++description: '{{{ describe_file_owner(file="/etc/group-", owner="root") }}}' ++ ++rationale: |- ++ The /etc/group- file is a backup file of the /etc/group, and as such ++ it also contains information regarding groups that are configured on the system. ++ Protection of this file is important for system security. ++ ++severity: medium ++ ++identifiers: ++ cce@rhel7: 83472-1 ++ cce@rhel8: 83473-9 ++ ++references: ++ cis@rhel7: 6.1.8 ++ cis@rhel8: 6.1.8 ++ ++ocil_clause: '{{{ ocil_clause_file_owner(file="/etc/group-", owner="root") }}}' ++ ++ocil: '{{{ ocil_file_owner(file="/etc/group-", owner="root") }}}' ++ ++template: ++ name: file_owner ++ vars: ++ filepath: /etc/group- ++ fileuid: '0' ++ missing_file_pass: 'true' +diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_group/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_group/rule.yml +new file mode 100644 +index 0000000000..d8e4ed220b +--- /dev/null ++++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_group/rule.yml +@@ -0,0 +1,33 @@ ++documentation_complete: true ++ ++title: 'Verify Permissions on Backup group File' ++ ++description: |- ++ {{{ describe_file_permissions(file="/etc/group-", perms="0644") }}} ++ ++rationale: |- ++ The /etc/group- file is a backup file of the /etc/group, and as such ++ it also contains information regarding groups that are configured on the system. ++ Protection of this file is important for system security. ++ ++severity: medium ++ ++identifiers: ++ cce@rhel7: 83482-0 ++ cce@rhel8: 83483-8 ++ ++references: ++ cis@rhel7: 6.1.8 ++ cis@rhel8: 6.1.8 ++ ++ocil_clause: '{{{ ocil_clause_file_permissions(file="/etc/group-", perms="-rw-r--r--") }}}' ++ ++ocil: |- ++ {{{ ocil_file_permissions(file="/etc/passwd", perms="-rw-r--r--") }}} ++ ++template: ++ name: file_permissions ++ vars: ++ filepath: /etc/group- ++ filemode: '0644' ++ missing_file_pass: 'true' +From 8be59a951380245f9c163731d40a0fdbbddb2ccd Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Thu, 19 Mar 2020 16:18:25 +0100 +Subject: [PATCH 4/8] Add rules for /etc/gshadow- permissions and owner + +--- + .../rule.yml | 36 ++++++++++++++++++ + .../file_owner_backup_etc_gshadow/rule.yml | 30 +++++++++++++++ + .../rule.yml | 38 +++++++++++++++++++ + 4 files changed, 104 insertions(+), 6 deletions(-) + create mode 100644 linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_backup_etc_gshadow/rule.yml + create mode 100644 linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_backup_etc_gshadow/rule.yml + create mode 100644 linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_gshadow/rule.yml + +diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_backup_etc_gshadow/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_backup_etc_gshadow/rule.yml +new file mode 100644 +index 0000000000..d27abdad03 +--- /dev/null ++++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_backup_etc_gshadow/rule.yml +@@ -0,0 +1,36 @@ ++documentation_complete: true ++ ++title: 'Verify Group Who Owns Backup gshadow File' ++ ++description: '{{{ describe_file_group_owner(file="/etc/gshadow-", group="root") }}}' ++ ++rationale: |- ++ The /etc/gshadow- file is a backup of the /etc/gshadow, and as such it ++ contains group password hashes. Protection of this file is critical for system security. ++ ++severity: medium ++ ++identifiers: ++ cce@rhel7: 83534-8 ++ cce@rhel8: 83535-5 ++ ++references: ++ cis@rhel7: 6.1.9 ++ cis@rhel8: 6.1.9 ++ ++ocil_clause: '{{{ ocil_clause_file_group_owner(file="/etc/gshadow-", group="root") }}}' ++ ++ocil: '{{{ ocil_file_group_owner(file="/etc/gshadow-", group="root") }}}' ++ ++template: ++ name: file_groupowner ++ vars: ++ filepath: /etc/gshadow- ++ filegid: '0' ++ filegid@debian8: '42' ++ filegid@debian9: '42' ++ filegid@debian10: '42' ++ filegid@ubuntu1404: '42' ++ filegid@ubuntu1604: '42' ++ filegid@ubuntu1804: '42' ++ missing_file_pass: 'true' +diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_backup_etc_gshadow/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_backup_etc_gshadow/rule.yml +new file mode 100644 +index 0000000000..a840f6ef55 +--- /dev/null ++++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_backup_etc_gshadow/rule.yml +@@ -0,0 +1,30 @@ ++documentation_complete: true ++ ++title: 'Verify User Who Owns Backup gshadow File' ++ ++description: '{{{ describe_file_owner(file="/etc/gshadow-", owner="root") }}}' ++ ++rationale: |- ++ The /etc/gshadow- file is a backup of the /etc/gshadow, and as such it ++ contains group password hashes. Protection of this file is critical for system security. ++ ++severity: medium ++ ++identifiers: ++ cce@rhel7: 83532-2 ++ cce@rhel8: 83533-0 ++ ++references: ++ cis@rhel7: 6.1.9 ++ cis@rhel8: 6.1.9 ++ ++ocil_clause: '{{{ ocil_clause_file_owner(file="/etc/gshadow-", owner="root") }}}' ++ ++ocil: '{{{ ocil_file_owner(file="/etc/gshadow-", owner="root") }}}' ++ ++template: ++ name: file_owner ++ vars: ++ filepath: /etc/gshadow- ++ fileuid: '0' ++ missing_file_pass: 'true' +diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_gshadow/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_gshadow/rule.yml +new file mode 100644 +index 0000000000..29c9556298 +--- /dev/null ++++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_gshadow/rule.yml +@@ -0,0 +1,38 @@ ++documentation_complete: true ++ ++title: 'Verify Permissions on Backup gshadow File' ++ ++description: |- ++ {{{ describe_file_permissions(file="/etc/gshadow-", perms="0000") }}} ++ ++rationale: |- ++ The /etc/gshadow- file is a backup of the /etc/gshadow, and as such it ++ contains group password hashes. Protection of this file is critical for system security. ++ ++severity: medium ++ ++identifiers: ++ cce@rhel7: 83572-8 ++ cce@rhel8: 83573-6 ++ ++references: ++ cis@rhel7: 6.1.9 ++ cis@rhel8: 6.1.9 ++ ++ocil_clause: '{{{ ocil_clause_file_permissions(file="/etc/gshadow-", perms="----------") }}}' ++ ++ocil: |- ++ {{{ ocil_file_permissions(file="/etc/gshadow-", perms="----------") }}} ++ ++template: ++ name: file_permissions ++ vars: ++ filepath: /etc/gshadow- ++ filemode: '0000' ++ filemode@debian8: '0640' ++ filemode@debian9: '0640' ++ filemode@debian10: '0640' ++ filemode@ubuntu1404: '0640' ++ filemode@ubuntu1604: '0640' ++ filemode@ubuntu1804: '0640' ++ missing_file_pass: 'true' +From 7957bfd07621000047e0784a717ffc0e3e0cf769 Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Thu, 19 Mar 2020 17:28:03 +0100 +Subject: [PATCH 6/8] Fix language and inconsistencies in rationale + +--- + .../file_groupowner_backup_etc_group/rule.yml | 4 ++-- + .../file_groupowner_backup_etc_gshadow/rule.yml | 4 ++-- + .../file_groupowner_backup_etc_passwd/rule.yml | 4 ++-- + .../file_groupowner_backup_etc_shadow/rule.yml | 4 ++-- + .../file_owner_backup_etc_group/rule.yml | 4 ++-- + .../file_owner_backup_etc_gshadow/rule.yml | 4 ++-- + .../file_owner_backup_etc_passwd/rule.yml | 4 ++-- + .../file_owner_backup_etc_shadow/rule.yml | 4 ++-- + .../file_permissions_backup_etc_group/rule.yml | 4 ++-- + .../file_permissions_backup_etc_gshadow/rule.yml | 4 ++-- + .../file_permissions_backup_etc_passwd/rule.yml | 4 ++-- + .../file_permissions_backup_etc_shadow/rule.yml | 4 ++-- + 12 files changed, 24 insertions(+), 24 deletions(-) + +diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_backup_etc_group/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_backup_etc_group/rule.yml +index 6663d25ee6..00bbfd8615 100644 +--- a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_backup_etc_group/rule.yml ++++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_backup_etc_group/rule.yml +@@ -5,8 +5,8 @@ title: 'Verify Group Who Owns Backup group File' + description: '{{{ describe_file_group_owner(file="/etc/group-", group="root") }}}' + + rationale: |- +- The /etc/group- file is a backup file of the /etc/group, and as such +- it also contains information regarding groups that are configured on the system. ++ The /etc/group- file is a backup file of /etc/group, and as such, ++ it contains information regarding groups that are configured on the system. + Protection of this file is important for system security. + + severity: medium +diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_backup_etc_gshadow/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_backup_etc_gshadow/rule.yml +index d27abdad03..fcd4dfc0cb 100644 +--- a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_backup_etc_gshadow/rule.yml ++++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_backup_etc_gshadow/rule.yml +@@ -5,8 +5,8 @@ title: 'Verify Group Who Owns Backup gshadow File' + description: '{{{ describe_file_group_owner(file="/etc/gshadow-", group="root") }}}' + + rationale: |- +- The /etc/gshadow- file is a backup of the /etc/gshadow, and as such it +- contains group password hashes. Protection of this file is critical for system security. ++ The /etc/gshadow- file is a backup of /etc/gshadow, and as such, ++ it contains group password hashes. Protection of this file is critical for system security. + + severity: medium + +diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_backup_etc_passwd/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_backup_etc_passwd/rule.yml +index b4ece4eda7..0855e37012 100644 +--- a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_backup_etc_passwd/rule.yml ++++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_backup_etc_passwd/rule.yml +@@ -5,8 +5,8 @@ title: 'Verify Group Who Owns Backup passwd File' + description: '{{{ describe_file_group_owner(file="/etc/passwd-", group="root") }}}' + + rationale: |- +- The /etc/passwd- file is a backup file of the /etc/passwd file and as such +- it also contains information about the users that are configured on the system. ++ The /etc/passwd- file is a backup file of /etc/passwd, and as such, ++ it contains information about the users that are configured on the system. + Protection of this file is critical for system security. + + severity: medium +diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_backup_etc_shadow/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_backup_etc_shadow/rule.yml +index 6f4744e6cc..bbcf2deb48 100644 +--- a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_backup_etc_shadow/rule.yml ++++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_backup_etc_shadow/rule.yml +@@ -5,8 +5,8 @@ title: 'Verify User Who Owns Backup shadow File' + description: '{{{ describe_file_group_owner(file="/etc/shadow-", group="root") }}}' + + rationale: |- +- The /etc/shadow- file is a backup file of the /etc/shadow file, and as such +- it also contains the list of local system accounts and password hashes. ++ The /etc/shadow- file is a backup file of /etc/shadow, and as such, ++ it contains the list of local system accounts and password hashes. + Protection of this file is critical for system security. + + severity: medium +diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_backup_etc_group/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_backup_etc_group/rule.yml +index 43f508a788..1e2cf1ae1a 100644 +--- a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_backup_etc_group/rule.yml ++++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_backup_etc_group/rule.yml +@@ -5,8 +5,8 @@ title: 'Verify User Who Owns Backup group File' + description: '{{{ describe_file_owner(file="/etc/group-", owner="root") }}}' + + rationale: |- +- The /etc/group- file is a backup file of the /etc/group, and as such +- it also contains information regarding groups that are configured on the system. ++ The /etc/group- file is a backup file of /etc/group, and as such, ++ it contains information regarding groups that are configured on the system. + Protection of this file is important for system security. + + severity: medium +diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_backup_etc_gshadow/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_backup_etc_gshadow/rule.yml +index a840f6ef55..d90826e407 100644 +--- a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_backup_etc_gshadow/rule.yml ++++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_backup_etc_gshadow/rule.yml +@@ -5,8 +5,8 @@ title: 'Verify User Who Owns Backup gshadow File' + description: '{{{ describe_file_owner(file="/etc/gshadow-", owner="root") }}}' + + rationale: |- +- The /etc/gshadow- file is a backup of the /etc/gshadow, and as such it +- contains group password hashes. Protection of this file is critical for system security. ++ The /etc/gshadow- file is a backup of /etc/gshadow, and as such, ++ it contains group password hashes. Protection of this file is critical for system security. + + severity: medium + +diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_backup_etc_passwd/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_backup_etc_passwd/rule.yml +index 28ceaf57e2..180f474d96 100644 +--- a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_backup_etc_passwd/rule.yml ++++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_backup_etc_passwd/rule.yml +@@ -5,8 +5,8 @@ title: 'Verify User Who Owns Backup passwd File' + description: '{{{ describe_file_owner(file="/etc/passwd-", owner="root") }}}' + + rationale: |- +- The /etc/passwd- file is a backup file of the /etc/passwd file and as such +- it also contains information about the users that are configured on the system. ++ The /etc/passwd- file is a backup file of /etc/passwd, and as such, ++ it contains information about the users that are configured on the system. + Protection of this file is critical for system security. + + severity: medium +diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_backup_etc_shadow/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_backup_etc_shadow/rule.yml +index 2b5a17d6bf..260810b94f 100644 +--- a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_backup_etc_shadow/rule.yml ++++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_backup_etc_shadow/rule.yml +@@ -5,8 +5,8 @@ title: 'Verify Group Who Owns Backup shadow File' + description: '{{{ describe_file_owner(file="/etc/shadow-", owner="root") }}}' + + rationale: |- +- The /etc/shadow- file is a backup file of the /etc/shadow file, and as such +- it also contains the list of local system accounts and password hashes. ++ The /etc/shadow- file is a backup file of /etc/shadow, and as such, ++ it contains the list of local system accounts and password hashes. + Protection of this file is critical for system security. + + severity: medium +diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_group/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_group/rule.yml +index d8e4ed220b..68782db132 100644 +--- a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_group/rule.yml ++++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_group/rule.yml +@@ -6,8 +6,8 @@ description: |- + {{{ describe_file_permissions(file="/etc/group-", perms="0644") }}} + + rationale: |- +- The /etc/group- file is a backup file of the /etc/group, and as such +- it also contains information regarding groups that are configured on the system. ++ The /etc/group- file is a backup file of /etc/group, and as such, ++ it contains information regarding groups that are configured on the system. + Protection of this file is important for system security. + + severity: medium +diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_gshadow/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_gshadow/rule.yml +index 29c9556298..8dc2ca59dc 100644 +--- a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_gshadow/rule.yml ++++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_gshadow/rule.yml +@@ -6,8 +6,8 @@ description: |- + {{{ describe_file_permissions(file="/etc/gshadow-", perms="0000") }}} + + rationale: |- +- The /etc/gshadow- file is a backup of the /etc/gshadow, and as such it +- contains group password hashes. Protection of this file is critical for system security. ++ The /etc/gshadow- file is a backup of /etc/gshadow, and as such, ++ it contains group password hashes. Protection of this file is critical for system security. + + severity: medium + +diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_passwd/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_passwd/rule.yml +index 3620e8d0d8..b2c524d879 100644 +--- a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_passwd/rule.yml ++++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_passwd/rule.yml +@@ -6,8 +6,8 @@ description: |- + {{{ describe_file_permissions(file="/etc/passwd-", perms="0600") }}} + + rationale: |- +- The /etc/passwd- file is a backup file of the /etc/passwd file and as such +- it also contains information about the users that are configured on the system. ++ The /etc/passwd- file is a backup file of /etc/passwd, and as such, ++ it contains information about the users that are configured on the system. + Protection of this file is critical for system security. + + severity: medium +diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_shadow/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_shadow/rule.yml +index 6090201c11..05a7bd867f 100644 +--- a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_shadow/rule.yml ++++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_shadow/rule.yml +@@ -6,8 +6,8 @@ description: |- + {{{ describe_file_permissions(file="/etc/shadow-", perms="0000") }}} + + rationale: |- +- The /etc/shadow- file is a backup file of the /etc/shadow file, and as such +- it also contains the list of local system accounts and password hashes. ++ The /etc/shadow- file is a backup file of /etc/shadow, and as such, ++ it contains the list of local system accounts and password hashes. + Protection of this file is critical for system security. + + severity: medium + +From 96e63d853d7e5ec42924a7ce5a06463dfc85b4b6 Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Tue, 24 Mar 2020 11:32:09 +0100 +Subject: [PATCH 7/8] Describe different group owners of shadow files + +The group owner of shadow files in debian based distros should +be the shadow group. +--- + .../file_groupowner_backup_etc_gshadow/rule.yml | 12 +++++++++--- + .../file_groupowner_backup_etc_shadow/rule.yml | 12 +++++++++--- + .../file_groupowner_etc_gshadow/rule.yml | 12 +++++++++--- + .../file_groupowner_etc_shadow/rule.yml | 12 +++++++++--- + 4 files changed, 36 insertions(+), 12 deletions(-) + +diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_backup_etc_gshadow/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_backup_etc_gshadow/rule.yml +index fcd4dfc0cb..6ad814ea96 100644 +--- a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_backup_etc_gshadow/rule.yml ++++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_backup_etc_gshadow/rule.yml +@@ -2,7 +2,13 @@ documentation_complete: true + + title: 'Verify Group Who Owns Backup gshadow File' + +-description: '{{{ describe_file_group_owner(file="/etc/gshadow-", group="root") }}}' ++{{% if "ubuntu" in product or "debian" in product %}} ++ {{% set target_group="shadow" %}} ++{{% else %}} ++ {{% set target_group="root" %}} ++{{% endif %}} ++ ++description: '{{{ describe_file_group_owner(file="/etc/gshadow-", group=target_group) }}}' + + rationale: |- + The /etc/gshadow- file is a backup of /etc/gshadow, and as such, +@@ -18,9 +24,9 @@ references: + cis@rhel7: 6.1.9 + cis@rhel8: 6.1.9 + +-ocil_clause: '{{{ ocil_clause_file_group_owner(file="/etc/gshadow-", group="root") }}}' ++ocil_clause: '{{{ ocil_clause_file_group_owner(file="/etc/gshadow-", group=target_group) }}}' + +-ocil: '{{{ ocil_file_group_owner(file="/etc/gshadow-", group="root") }}}' ++ocil: '{{{ ocil_file_group_owner(file="/etc/gshadow-", group=target_group) }}}' + + template: + name: file_groupowner +diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_backup_etc_shadow/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_backup_etc_shadow/rule.yml +index bbcf2deb48..51f6076c0a 100644 +--- a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_backup_etc_shadow/rule.yml ++++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_backup_etc_shadow/rule.yml +@@ -2,7 +2,13 @@ documentation_complete: true + + title: 'Verify User Who Owns Backup shadow File' + +-description: '{{{ describe_file_group_owner(file="/etc/shadow-", group="root") }}}' ++{{% if "ubuntu" in product or "debian" in product %}} ++ {{% set target_group="shadow" %}} ++{{% else %}} ++ {{% set target_group="root" %}} ++{{% endif %}} ++ ++description: '{{{ describe_file_group_owner(file="/etc/shadow-", group=target_group) }}}' + + rationale: |- + The /etc/shadow- file is a backup file of /etc/shadow, and as such, +@@ -19,9 +25,9 @@ references: + cis@rhel7: 6.1.7 + cis@rhel8: 6.1.7 + +-ocil_clause: '{{{ ocil_clause_file_group_owner(file="/etc/shadow-", group="root") }}}' ++ocil_clause: '{{{ ocil_clause_file_group_owner(file="/etc/shadow-", group=target_group) }}}' + +-ocil: '{{{ ocil_file_group_owner(file="/etc/shadow-", group="root") }}}' ++ocil: '{{{ ocil_file_group_owner(file="/etc/shadow-", group=target_group) }}}' + + template: + name: file_groupowner +diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_etc_gshadow/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_etc_gshadow/rule.yml +index c2e12377ef..2720754282 100644 +--- a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_etc_gshadow/rule.yml ++++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_etc_gshadow/rule.yml +@@ -2,7 +2,13 @@ documentation_complete: true + + title: 'Verify Group Who Owns gshadow File' + +-description: '{{{ describe_file_group_owner(file="/etc/gshadow", group="root") }}}' ++{{% if "ubuntu" in product or "debian" in product %}} ++ {{% set target_group="shadow" %}} ++{{% else %}} ++ {{% set target_group="root" %}} ++{{% endif %}} ++ ++description: '{{{ describe_file_group_owner(file="/etc/gshadow", group=target_group) }}}' + + rationale: |- + The /etc/gshadow file contains group password hashes. Protection of this file +@@ -29,9 +35,9 @@ references: + iso27001-2013: A.10.1.1,A.11.1.4,A.11.1.5,A.11.2.1,A.13.1.1,A.13.1.3,A.13.2.1,A.13.2.3,A.13.2.4,A.14.1.2,A.14.1.3,A.6.1.2,A.7.1.1,A.7.1.2,A.7.3.1,A.8.2.2,A.8.2.3,A.9.1.1,A.9.1.2,A.9.2.3,A.9.4.1,A.9.4.4,A.9.4.5 + cis-csc: 12,13,14,15,16,18,3,5 + +-ocil_clause: '{{{ ocil_clause_file_group_owner(file="/etc/gshadow", group="root") }}}' ++ocil_clause: '{{{ ocil_clause_file_group_owner(file="/etc/gshadow", group=target_group) }}}' + +-ocil: '{{{ ocil_file_group_owner(file="/etc/gshadow", group="root") }}}' ++ocil: '{{{ ocil_file_group_owner(file="/etc/gshadow", group=target_group) }}}' + + template: + name: file_groupowner +diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_etc_shadow/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_etc_shadow/rule.yml +index d8a9d04142..b86a219e40 100644 +--- a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_etc_shadow/rule.yml ++++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_etc_shadow/rule.yml +@@ -2,7 +2,13 @@ documentation_complete: true + + title: 'Verify Group Who Owns shadow File' + +-description: '{{{ describe_file_group_owner(file="/etc/shadow", group="root") }}}' ++{{% if "ubuntu" in product or "debian" in product %}} ++ {{% set target_group="shadow" %}} ++{{% else %}} ++ {{% set target_group="root" %}} ++{{% endif %}} ++ ++description: '{{{ describe_file_group_owner(file="/etc/shadow", group=target_group) }}}' + + rationale: |- + The /etc/shadow file stores password hashes. Protection of this file is +@@ -31,9 +37,9 @@ references: + iso27001-2013: A.10.1.1,A.11.1.4,A.11.1.5,A.11.2.1,A.13.1.1,A.13.1.3,A.13.2.1,A.13.2.3,A.13.2.4,A.14.1.2,A.14.1.3,A.6.1.2,A.7.1.1,A.7.1.2,A.7.3.1,A.8.2.2,A.8.2.3,A.9.1.1,A.9.1.2,A.9.2.3,A.9.4.1,A.9.4.4,A.9.4.5 + cis-csc: 12,13,14,15,16,18,3,5 + +-ocil_clause: '{{{ ocil_clause_file_group_owner(file="/etc/shadow", group="root") }}}' ++ocil_clause: '{{{ ocil_clause_file_group_owner(file="/etc/shadow", group=target_group) }}}' + +-ocil: '{{{ ocil_file_group_owner(file="/etc/shadow", group="root") }}}' ++ocil: '{{{ ocil_file_group_owner(file="/etc/shadow", group=target_group) }}}' + + template: + name: file_groupowner + +From 3896f75e95d902c865b8738c4a3988daa5e3091b Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Tue, 24 Mar 2020 12:11:58 +0100 +Subject: [PATCH 8/8] Describe different permissions of shadow files + +The permissions of shadow files in debian based distros are expected to +be different. +--- + .../file_permissions_backup_etc_gshadow/rule.yml | 16 ++++++++++++---- + .../file_permissions_backup_etc_shadow/rule.yml | 14 +++++++++++--- + .../file_permissions_etc_gshadow/rule.yml | 14 +++++++++++--- + .../file_permissions_etc_shadow/rule.yml | 14 +++++++++++--- + 4 files changed, 45 insertions(+), 13 deletions(-) + +diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_gshadow/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_gshadow/rule.yml +index 8dc2ca59dc..6e6857027f 100644 +--- a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_gshadow/rule.yml ++++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_gshadow/rule.yml +@@ -2,8 +2,16 @@ documentation_complete: true + + title: 'Verify Permissions on Backup gshadow File' + ++{{% if "ubuntu" in product or "debian" in product %}} ++ {{% set target_perms_octal="0640" %}} ++ {{% set target_perms="-rw-r-----" %}} ++{{% else %}} ++ {{% set target_perms_octal="0000" %}} ++ {{% set target_perms="----------" %}} ++{{% endif %}} ++ + description: |- +- {{{ describe_file_permissions(file="/etc/gshadow-", perms="0000") }}} ++ {{{ describe_file_permissions(file="/etc/gshadow-", perms=target_perms_octal) }}} + + rationale: |- + The /etc/gshadow- file is a backup of /etc/gshadow, and as such, +@@ -19,10 +27,10 @@ references: + cis@rhel7: 6.1.9 + cis@rhel8: 6.1.9 + +-ocil_clause: '{{{ ocil_clause_file_permissions(file="/etc/gshadow-", perms="----------") }}}' ++ocil_clause: '{{{ ocil_clause_file_permissions(file="/etc/gshadow-", perms=target_perms) }}}' + +-ocil: |- +- {{{ ocil_file_permissions(file="/etc/gshadow-", perms="----------") }}} ++ocil: - ++ {{{ ocil_file_permissions(file="/etc/gshadow-", perms=target_perms) }}} + + template: + name: file_permissions +diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_shadow/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_shadow/rule.yml +index 05a7bd867f..bba9f3de6c 100644 +--- a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_shadow/rule.yml ++++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_shadow/rule.yml +@@ -1,9 +1,17 @@ + documentation_complete: true + ++{{% if "ubuntu" in product or "debian" in product %}} ++ {{% set target_perms_octal="0640" %}} ++ {{% set target_perms="-rw-r-----" %}} ++{{% else %}} ++ {{% set target_perms_octal="0000" %}} ++ {{% set target_perms="----------" %}} ++{{% endif %}} ++ + title: 'Verify Permissions on Backup shadow File' + + description: |- +- {{{ describe_file_permissions(file="/etc/shadow-", perms="0000") }}} ++ {{{ describe_file_permissions(file="/etc/shadow-", perms=target_perms_octal) }}} + + rationale: |- + The /etc/shadow- file is a backup file of /etc/shadow, and as such, +@@ -20,10 +28,10 @@ references: + cis@rhel7: 6.1.7 + cis@rhel8: 6.1.7 + +-ocil_clause: '{{{ ocil_clause_file_permissions(file="/etc/shadow-", perms="----------") }}}' ++ocil_clause: '{{{ ocil_clause_file_permissions(file="/etc/shadow-", perms=target_perms) }}}' + + ocil: |- +- {{{ ocil_file_permissions(file="/etc/shadow-", perms="----------") }}} ++ {{{ ocil_file_permissions(file="/etc/shadow-", perms=target_perms) }}} + + template: + name: file_permissions +diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_etc_gshadow/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_etc_gshadow/rule.yml +index d1ed4475fb..7e226951ce 100644 +--- a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_etc_gshadow/rule.yml ++++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_etc_gshadow/rule.yml +@@ -2,8 +2,16 @@ documentation_complete: true + + title: 'Verify Permissions on gshadow File' + ++{{% if "ubuntu" in product or "debian" in product %}} ++ {{% set target_perms_octal="0640" %}} ++ {{% set target_perms="-rw-r-----" %}} ++{{% else %}} ++ {{% set target_perms_octal="0000" %}} ++ {{% set target_perms="----------" %}} ++{{% endif %}} ++ + description: |- +- {{{ describe_file_permissions(file="/etc/gshadow", perms="0000") }}} ++ {{{ describe_file_permissions(file="/etc/gshadow", perms=target_perms_octal) }}} + + rationale: |- + The /etc/gshadow file contains group password hashes. Protection of this file +@@ -31,10 +39,10 @@ references: + iso27001-2013: A.10.1.1,A.11.1.4,A.11.1.5,A.11.2.1,A.13.1.1,A.13.1.3,A.13.2.1,A.13.2.3,A.13.2.4,A.14.1.2,A.14.1.3,A.6.1.2,A.7.1.1,A.7.1.2,A.7.3.1,A.8.2.2,A.8.2.3,A.9.1.1,A.9.1.2,A.9.2.3,A.9.4.1,A.9.4.4,A.9.4.5 + cis-csc: 12,13,14,15,16,18,3,5 + +-ocil_clause: '{{{ ocil_clause_file_permissions(file="/etc/gshadow", perms="----------") }}}' ++ocil_clause: '{{{ ocil_clause_file_permissions(file="/etc/gshadow", perms=target_perms) }}}' + + ocil: |- +- {{{ ocil_file_permissions(file="/etc/gshadow", perms="----------") }}} ++ {{{ ocil_file_permissions(file="/etc/gshadow", perms=target_perms) }}} + + template: + name: file_permissions +diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_etc_shadow/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_etc_shadow/rule.yml +index 61f4fb6cce..e66583627d 100644 +--- a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_etc_shadow/rule.yml ++++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_etc_shadow/rule.yml +@@ -2,8 +2,16 @@ documentation_complete: true + + title: 'Verify Permissions on shadow File' + ++{{% if "ubuntu" in product or "debian" in product %}} ++ {{% set target_perms_octal="0640" %}} ++ {{% set target_perms="-rw-r-----" %}} ++{{% else %}} ++ {{% set target_perms_octal="0000" %}} ++ {{% set target_perms="----------" %}} ++{{% endif %}} ++ + description: |- +- {{{ describe_file_permissions(file="/etc/shadow", perms="0000") }}} ++ {{{ describe_file_permissions(file="/etc/shadow", perms=target_perms_octal) }}} + + rationale: |- + The /etc/shadow file contains the list of local +@@ -36,10 +44,10 @@ references: + iso27001-2013: A.10.1.1,A.11.1.4,A.11.1.5,A.11.2.1,A.13.1.1,A.13.1.3,A.13.2.1,A.13.2.3,A.13.2.4,A.14.1.2,A.14.1.3,A.6.1.2,A.7.1.1,A.7.1.2,A.7.3.1,A.8.2.2,A.8.2.3,A.9.1.1,A.9.1.2,A.9.2.3,A.9.4.1,A.9.4.4,A.9.4.5 + cis-csc: 12,13,14,15,16,18,3,5 + +-ocil_clause: '{{{ ocil_clause_file_permissions(file="/etc/shadow", perms="----------") }}}' ++ocil_clause: '{{{ ocil_clause_file_permissions(file="/etc/shadow", perms=target_perms) }}}' + + ocil: |- +- {{{ ocil_file_permissions(file="/etc/shadow", perms="----------") }}} ++ {{{ ocil_file_permissions(file="/etc/shadow", perms=target_perms) }}} + + template: + name: file_permissions diff --git a/SOURCES/scap-security-guide-0.1.50-add_rules_etc_hosts_file_permissions_PR_5323.patch b/SOURCES/scap-security-guide-0.1.50-add_rules_etc_hosts_file_permissions_PR_5323.patch new file mode 100644 index 0000000..b513780 --- /dev/null +++ b/SOURCES/scap-security-guide-0.1.50-add_rules_etc_hosts_file_permissions_PR_5323.patch @@ -0,0 +1,513 @@ +From af42925709b8cd1512fea9e4c532fb22ada45fe3 Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Fri, 20 Mar 2020 14:33:53 +0100 +Subject: [PATCH 1/4] Rules for /etc/hosts.allow permissions and owner + +--- + .../file_groupowner_etc_hosts_allow/rule.yml | 34 +++++++++++++++++++ + .../file_owner_etc_hosts_allow/rule.yml | 34 +++++++++++++++++++ + .../file_permissions_etc_hosts_allow/rule.yml | 34 +++++++++++++++++++ + rhel7/profiles/cis.profile | 4 +++ + shared/references/cce-redhat-avail.txt | 6 ---- + 5 files changed, 106 insertions(+), 6 deletions(-) + create mode 100644 linux_os/guide/services/obsolete/inetd_and_xinetd/file_groupowner_etc_hosts_allow/rule.yml + create mode 100644 linux_os/guide/services/obsolete/inetd_and_xinetd/file_owner_etc_hosts_allow/rule.yml + create mode 100644 linux_os/guide/services/obsolete/inetd_and_xinetd/file_permissions_etc_hosts_allow/rule.yml + +diff --git a/linux_os/guide/services/obsolete/inetd_and_xinetd/file_groupowner_etc_hosts_allow/rule.yml b/linux_os/guide/services/obsolete/inetd_and_xinetd/file_groupowner_etc_hosts_allow/rule.yml +new file mode 100644 +index 0000000000..7d43f93c42 +--- /dev/null ++++ b/linux_os/guide/services/obsolete/inetd_and_xinetd/file_groupowner_etc_hosts_allow/rule.yml +@@ -0,0 +1,34 @@ ++documentation_complete: true ++ ++prodtype: ol7,rhel6,rhel7 ++ ++title: 'Verify Group Who Owns /etc/hosts.allow' ++ ++description: |- ++ {{{ describe_file_group_owner(file="/etc/hosts.allow", group="root") }}} ++ ++rationale: |- ++ The /etc/hosts.allow file is used to control access of clients to daemons in the ++ server. Insecure groupownership of this file could allow users to grant clients unrestricted ++ access or no access at all to services in the server. ++ ++severity: medium ++ ++identifiers: ++ cce@rhel7: 83823-5 ++ cce@rhel8: 83824-3 ++ ++references: ++ cis@rhel7: 3.4.4 ++ ++ocil_clause: '{{{ ocil_clause_file_group_owner(file="/etc/hosts.allow", group="root") }}}' ++ ++ocil: |- ++ {{{ ocil_file_group_owner(file="/etc/hosts.allow", group="root") }}} ++ ++template: ++ name: file_groupowner ++ vars: ++ filepath: /etc/hosts.allow ++ filegid: '0' ++ missing_file_pass: 'true' +diff --git a/linux_os/guide/services/obsolete/inetd_and_xinetd/file_owner_etc_hosts_allow/rule.yml b/linux_os/guide/services/obsolete/inetd_and_xinetd/file_owner_etc_hosts_allow/rule.yml +new file mode 100644 +index 0000000000..a301406b45 +--- /dev/null ++++ b/linux_os/guide/services/obsolete/inetd_and_xinetd/file_owner_etc_hosts_allow/rule.yml +@@ -0,0 +1,34 @@ ++documentation_complete: true ++ ++prodtype: ol7,rhel6,rhel7 ++ ++title: 'Verify User Who Owns /etc/hosts.allow' ++ ++description: |- ++ {{{ describe_file_owner(file="/etc/hosts.allow", owner="root") }}} ++ ++rationale: |- ++ The /etc/hosts.allow file is used to control access of clients to daemons in the ++ server. Insecure groupownership of this file could allow users to grant clients unrestricted ++ access or no access at all to services in the server. ++ ++severity: medium ++ ++identifiers: ++ cce@rhel7: 83825-0 ++ cce@rhel8: 83826-8 ++ ++references: ++ cis@rhel7: 3.4.4 ++ ++ocil_clause: '{{{ ocil_clause_file_owner(file="/etc/hosts.allow", owner="root") }}}' ++ ++ocil: |- ++ {{{ ocil_file_owner(file="/etc/hosts.allow", owner="root") }}} ++ ++template: ++ name: file_owner ++ vars: ++ filepath: /etc/hosts.allow ++ fileuid: '0' ++ missing_file_pass: 'true' +diff --git a/linux_os/guide/services/obsolete/inetd_and_xinetd/file_permissions_etc_hosts_allow/rule.yml b/linux_os/guide/services/obsolete/inetd_and_xinetd/file_permissions_etc_hosts_allow/rule.yml +new file mode 100644 +index 0000000000..0a35cbf57e +--- /dev/null ++++ b/linux_os/guide/services/obsolete/inetd_and_xinetd/file_permissions_etc_hosts_allow/rule.yml +@@ -0,0 +1,34 @@ ++documentation_complete: true ++ ++prodtype: ol7,rhel6,rhel7 ++ ++title: 'Verify Permissions on /etc/hosts.allow' ++ ++description: |- ++ {{{ describe_file_permissions(file="/etc/hosts.allow", perms="0644") }}} ++ ++rationale: |- ++ The /etc/hosts.allow file is used to control access of clients to daemons in the ++ server. Insecure groupownership of this file could allow users to grant clients unrestricted ++ access or no access at all to services in the server. ++ ++severity: medium ++ ++identifiers: ++ cce@rhel7: 83827-6 ++ cce@rhel8: 83828-4 ++ ++references: ++ cis@rhel7: 3.4.4 ++ ++ocil_clause: '{{{ ocil_clause_file_permissions(file="/etc/hosts.allow", perms="-rw-r--r--") }}}' ++ ++ocil: |- ++ {{{ ocil_file_permissions(file="/etc/hosts.allow", perms="-rw-r--r--") }}} ++ ++template: ++ name: file_permissions ++ vars: ++ filepath: /etc/hosts.allow ++ filemode: '0644' ++ missing_file_pass: 'true' +diff --git a/rhel7/profiles/cis.profile b/rhel7/profiles/cis.profile +index 486fcf9a33..e50d8ddb43 100644 +--- a/rhel7/profiles/cis.profile ++++ b/rhel7/profiles/cis.profile +@@ -353,6 +353,10 @@ selections: + - configure_etc_hosts_deny + + ### 3.4.4 Ensure permissions on /etc/hosts.allow are configured (Scored) ++ - file_owner_etc_hosts_allow ++ - file_groupowner_etc_hosts_allow ++ - file_permissions_etc_hosts_allow ++ + ### 3.4.5 Ensure permissions on /etc/hosts.deny are configured (Scored) + + ## 3.5 Uncommon Network Protocols +diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt +index a0b117a964..e67f56f9aa 100644 +--- a/shared/references/cce-redhat-avail.txt ++++ b/shared/references/cce-redhat-avail.txt +@@ -528,12 +528,6 @@ CCE-83819-3 + CCE-83820-1 + CCE-83821-9 + CCE-83822-7 +-CCE-83823-5 +-CCE-83824-3 +-CCE-83825-0 +-CCE-83826-8 +-CCE-83827-6 +-CCE-83828-4 + CCE-83829-2 + CCE-83830-0 + CCE-83831-8 + +From 0f43573a6c193e70e1ff02f92a0c2bf9957d2e1c Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Fri, 20 Mar 2020 15:01:58 +0100 +Subject: [PATCH 2/4] Rules for /etc/hosts.deny permissions and owner + +--- + .../file_groupowner_etc_hosts_deny/rule.yml | 34 +++++++++++++++++++ + .../file_owner_etc_hosts_deny/rule.yml | 34 +++++++++++++++++++ + .../file_permissions_etc_hosts_deny/rule.yml | 34 +++++++++++++++++++ + rhel7/profiles/cis.profile | 3 ++ + shared/references/cce-redhat-avail.txt | 6 ---- + 5 files changed, 105 insertions(+), 6 deletions(-) + create mode 100644 linux_os/guide/services/obsolete/inetd_and_xinetd/file_groupowner_etc_hosts_deny/rule.yml + create mode 100644 linux_os/guide/services/obsolete/inetd_and_xinetd/file_owner_etc_hosts_deny/rule.yml + create mode 100644 linux_os/guide/services/obsolete/inetd_and_xinetd/file_permissions_etc_hosts_deny/rule.yml + +diff --git a/linux_os/guide/services/obsolete/inetd_and_xinetd/file_groupowner_etc_hosts_deny/rule.yml b/linux_os/guide/services/obsolete/inetd_and_xinetd/file_groupowner_etc_hosts_deny/rule.yml +new file mode 100644 +index 0000000000..db3105eb71 +--- /dev/null ++++ b/linux_os/guide/services/obsolete/inetd_and_xinetd/file_groupowner_etc_hosts_deny/rule.yml +@@ -0,0 +1,34 @@ ++documentation_complete: true ++ ++prodtype: ol7,rhel6,rhel7 ++ ++title: 'Verify Group Who Owns /etc/hosts.deny' ++ ++description: |- ++ {{{ describe_file_group_owner(file="/etc/hosts.deny", group="root") }}} ++ ++rationale: |- ++ The /etc/hosts.deny file is used to control access of clients to daemons in the ++ server. Insecure groupownership of this file could allow users to grant clients unrestricted ++ access or no access at all to services in the server. ++ ++severity: medium ++ ++identifiers: ++ cce@rhel7: 84030-6 ++ cce@rhel8: 84031-4 ++ ++references: ++ cis@rhel7: 3.4.4 ++ ++ocil_clause: '{{{ ocil_clause_file_group_owner(file="/etc/hosts.deny", group="root") }}}' ++ ++ocil: |- ++ {{{ ocil_file_group_owner(file="/etc/hosts.deny", group="root") }}} ++ ++template: ++ name: file_groupowner ++ vars: ++ filepath: /etc/hosts.deny ++ filegid: '0' ++ missing_file_pass: 'true' +diff --git a/linux_os/guide/services/obsolete/inetd_and_xinetd/file_owner_etc_hosts_deny/rule.yml b/linux_os/guide/services/obsolete/inetd_and_xinetd/file_owner_etc_hosts_deny/rule.yml +new file mode 100644 +index 0000000000..75380c7311 +--- /dev/null ++++ b/linux_os/guide/services/obsolete/inetd_and_xinetd/file_owner_etc_hosts_deny/rule.yml +@@ -0,0 +1,34 @@ ++documentation_complete: true ++ ++prodtype: ol7,rhel6,rhel7 ++ ++title: 'Verify User Who Owns /etc/hosts.deny' ++ ++description: |- ++ {{{ describe_file_owner(file="/etc/hosts.deny", owner="root") }}} ++ ++rationale: |- ++ The /etc/hosts.deny file is used to control access of clients to daemons in the ++ server. Insecure groupownership of this file could allow users to grant clients unrestricted ++ access or no access at all to services in the server. ++ ++severity: medium ++ ++identifiers: ++ cce@rhel7: 84032-2 ++ cce@rhel8: 84033-0 ++ ++references: ++ cis@rhel7: 3.4.5 ++ ++ocil_clause: '{{{ ocil_clause_file_owner(file="/etc/hosts.deny", owner="root") }}}' ++ ++ocil: |- ++ {{{ ocil_file_owner(file="/etc/hosts.deny", owner="root") }}} ++ ++template: ++ name: file_owner ++ vars: ++ filepath: /etc/hosts.deny ++ fileuid: '0' ++ missing_file_pass: 'true' +diff --git a/linux_os/guide/services/obsolete/inetd_and_xinetd/file_permissions_etc_hosts_deny/rule.yml b/linux_os/guide/services/obsolete/inetd_and_xinetd/file_permissions_etc_hosts_deny/rule.yml +new file mode 100644 +index 0000000000..ea73fe48cd +--- /dev/null ++++ b/linux_os/guide/services/obsolete/inetd_and_xinetd/file_permissions_etc_hosts_deny/rule.yml +@@ -0,0 +1,34 @@ ++documentation_complete: true ++ ++prodtype: ol7,rhel6,rhel7 ++ ++title: 'Verify Permissions on /etc/hosts.deny' ++ ++description: |- ++ {{{ describe_file_permissions(file="/etc/hosts.deny", perms="0644") }}} ++ ++rationale: |- ++ The /etc/hosts.deny file is used to control access of clients to daemons in the ++ server. Insecure groupownership of this file could allow users to grant clients unrestricted ++ access or no access at all to services in the server. ++ ++severity: medium ++ ++identifiers: ++ cce@rhel7: 84034-8 ++ cce@rhel8: 84035-5 ++ ++references: ++ cis@rhel7: 3.4.5 ++ ++ocil_clause: '{{{ ocil_clause_file_permissions(file="/etc/hosts.deny", perms="-rw-r--r--") }}}' ++ ++ocil: |- ++ {{{ ocil_file_permissions(file="/etc/hosts.deny", perms="-rw-r--r--") }}} ++ ++template: ++ name: file_permissions ++ vars: ++ filepath: /etc/hosts.deny ++ filemode: '0644' ++ missing_file_pass: 'true' +diff --git a/rhel7/profiles/cis.profile b/rhel7/profiles/cis.profile +index e50d8ddb43..5ac119768f 100644 +--- a/rhel7/profiles/cis.profile ++++ b/rhel7/profiles/cis.profile +@@ -358,6 +358,9 @@ selections: + - file_permissions_etc_hosts_allow + + ### 3.4.5 Ensure permissions on /etc/hosts.deny are configured (Scored) ++ - file_owner_etc_hosts_deny ++ - file_groupowner_etc_hosts_deny ++ - file_permissions_etc_hosts_deny + + ## 3.5 Uncommon Network Protocols + ### 3.5.1 Ensure DCCP is disabled (Not Scored) +diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt +index e67f56f9aa..bb234a3131 100644 +--- a/shared/references/cce-redhat-avail.txt ++++ b/shared/references/cce-redhat-avail.txt +@@ -729,12 +729,6 @@ CCE-84026-4 + CCE-84027-2 + CCE-84028-0 + CCE-84029-8 +-CCE-84030-6 +-CCE-84031-4 +-CCE-84032-2 +-CCE-84033-0 +-CCE-84034-8 +-CCE-84035-5 + CCE-84036-3 + CCE-84037-1 + CCE-84038-9 + +From d53500477288c69027127257802bb42355ca7848 Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Fri, 20 Mar 2020 16:08:57 +0100 +Subject: [PATCH 3/4] Fix cce assignmetns and references + +Rules for /etc/hosts.allow and /etc/hosts.deny apply to rhel6 and rhel7 +--- + .../file_groupowner_etc_hosts_allow/rule.yml | 4 ++-- + .../file_groupowner_etc_hosts_deny/rule.yml | 6 +++--- + .../inetd_and_xinetd/file_owner_etc_hosts_allow/rule.yml | 4 ++-- + .../inetd_and_xinetd/file_owner_etc_hosts_deny/rule.yml | 4 ++-- + .../file_permissions_etc_hosts_allow/rule.yml | 4 ++-- + .../file_permissions_etc_hosts_deny/rule.yml | 4 ++-- + 6 files changed, 13 insertions(+), 13 deletions(-) + +diff --git a/linux_os/guide/services/obsolete/inetd_and_xinetd/file_groupowner_etc_hosts_allow/rule.yml b/linux_os/guide/services/obsolete/inetd_and_xinetd/file_groupowner_etc_hosts_allow/rule.yml +index 7d43f93c42..aa531e6ace 100644 +--- a/linux_os/guide/services/obsolete/inetd_and_xinetd/file_groupowner_etc_hosts_allow/rule.yml ++++ b/linux_os/guide/services/obsolete/inetd_and_xinetd/file_groupowner_etc_hosts_allow/rule.yml +@@ -15,8 +15,8 @@ rationale: |- + severity: medium + + identifiers: +- cce@rhel7: 83823-5 +- cce@rhel8: 83824-3 ++ cce@rhel6: 83823-5 ++ cce@rhel7: 83824-3 + + references: + cis@rhel7: 3.4.4 +diff --git a/linux_os/guide/services/obsolete/inetd_and_xinetd/file_groupowner_etc_hosts_deny/rule.yml b/linux_os/guide/services/obsolete/inetd_and_xinetd/file_groupowner_etc_hosts_deny/rule.yml +index db3105eb71..fa024f1c27 100644 +--- a/linux_os/guide/services/obsolete/inetd_and_xinetd/file_groupowner_etc_hosts_deny/rule.yml ++++ b/linux_os/guide/services/obsolete/inetd_and_xinetd/file_groupowner_etc_hosts_deny/rule.yml +@@ -15,11 +15,11 @@ rationale: |- + severity: medium + + identifiers: +- cce@rhel7: 84030-6 +- cce@rhel8: 84031-4 ++ cce@rhel6: 84030-6 ++ cce@rhel7: 84031-4 + + references: +- cis@rhel7: 3.4.4 ++ cis@rhel7: 3.4.5 + + ocil_clause: '{{{ ocil_clause_file_group_owner(file="/etc/hosts.deny", group="root") }}}' + +diff --git a/linux_os/guide/services/obsolete/inetd_and_xinetd/file_owner_etc_hosts_allow/rule.yml b/linux_os/guide/services/obsolete/inetd_and_xinetd/file_owner_etc_hosts_allow/rule.yml +index a301406b45..80d5630c48 100644 +--- a/linux_os/guide/services/obsolete/inetd_and_xinetd/file_owner_etc_hosts_allow/rule.yml ++++ b/linux_os/guide/services/obsolete/inetd_and_xinetd/file_owner_etc_hosts_allow/rule.yml +@@ -15,8 +15,8 @@ rationale: |- + severity: medium + + identifiers: +- cce@rhel7: 83825-0 +- cce@rhel8: 83826-8 ++ cce@rhel6: 83825-0 ++ cce@rhel7: 83826-0 + + references: + cis@rhel7: 3.4.4 +diff --git a/linux_os/guide/services/obsolete/inetd_and_xinetd/file_owner_etc_hosts_deny/rule.yml b/linux_os/guide/services/obsolete/inetd_and_xinetd/file_owner_etc_hosts_deny/rule.yml +index 75380c7311..2fc5f74355 100644 +--- a/linux_os/guide/services/obsolete/inetd_and_xinetd/file_owner_etc_hosts_deny/rule.yml ++++ b/linux_os/guide/services/obsolete/inetd_and_xinetd/file_owner_etc_hosts_deny/rule.yml +@@ -15,8 +15,8 @@ rationale: |- + severity: medium + + identifiers: +- cce@rhel7: 84032-2 +- cce@rhel8: 84033-0 ++ cce@rhel6: 84032-2 ++ cce@rhel7: 84033-0 + + references: + cis@rhel7: 3.4.5 +diff --git a/linux_os/guide/services/obsolete/inetd_and_xinetd/file_permissions_etc_hosts_allow/rule.yml b/linux_os/guide/services/obsolete/inetd_and_xinetd/file_permissions_etc_hosts_allow/rule.yml +index 0a35cbf57e..dc1560852a 100644 +--- a/linux_os/guide/services/obsolete/inetd_and_xinetd/file_permissions_etc_hosts_allow/rule.yml ++++ b/linux_os/guide/services/obsolete/inetd_and_xinetd/file_permissions_etc_hosts_allow/rule.yml +@@ -15,8 +15,8 @@ rationale: |- + severity: medium + + identifiers: +- cce@rhel7: 83827-6 +- cce@rhel8: 83828-4 ++ cce@rhel6: 83827-6 ++ cce@rhel7: 83828-4 + + references: + cis@rhel7: 3.4.4 +diff --git a/linux_os/guide/services/obsolete/inetd_and_xinetd/file_permissions_etc_hosts_deny/rule.yml b/linux_os/guide/services/obsolete/inetd_and_xinetd/file_permissions_etc_hosts_deny/rule.yml +index ea73fe48cd..da806139ec 100644 +--- a/linux_os/guide/services/obsolete/inetd_and_xinetd/file_permissions_etc_hosts_deny/rule.yml ++++ b/linux_os/guide/services/obsolete/inetd_and_xinetd/file_permissions_etc_hosts_deny/rule.yml +@@ -15,8 +15,8 @@ rationale: |- + severity: medium + + identifiers: +- cce@rhel7: 84034-8 +- cce@rhel8: 84035-5 ++ cce@rhel6: 84034-8 ++ cce@rhel7: 84035-5 + + references: + cis@rhel7: 3.4.5 + +From b7dc44d2feb734ed89736d1dea813b051e83cfb7 Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Mon, 23 Mar 2020 14:18:24 +0100 +Subject: [PATCH 4/4] Rewrite title of ownership rules + +Rewrite title of rules for ownerhip and group ownership of of +/etc/hosts.allow and /etc/hosts.deny +--- + .../inetd_and_xinetd/file_groupowner_etc_hosts_allow/rule.yml | 2 +- + .../inetd_and_xinetd/file_groupowner_etc_hosts_deny/rule.yml | 2 +- + .../inetd_and_xinetd/file_owner_etc_hosts_allow/rule.yml | 2 +- + .../inetd_and_xinetd/file_owner_etc_hosts_deny/rule.yml | 2 +- + 4 files changed, 4 insertions(+), 4 deletions(-) + +diff --git a/linux_os/guide/services/obsolete/inetd_and_xinetd/file_groupowner_etc_hosts_allow/rule.yml b/linux_os/guide/services/obsolete/inetd_and_xinetd/file_groupowner_etc_hosts_allow/rule.yml +index aa531e6ace..cee37ed9c6 100644 +--- a/linux_os/guide/services/obsolete/inetd_and_xinetd/file_groupowner_etc_hosts_allow/rule.yml ++++ b/linux_os/guide/services/obsolete/inetd_and_xinetd/file_groupowner_etc_hosts_allow/rule.yml +@@ -2,7 +2,7 @@ documentation_complete: true + + prodtype: ol7,rhel6,rhel7 + +-title: 'Verify Group Who Owns /etc/hosts.allow' ++title: 'Verify Group Ownership of /etc/hosts.allow' + + description: |- + {{{ describe_file_group_owner(file="/etc/hosts.allow", group="root") }}} +diff --git a/linux_os/guide/services/obsolete/inetd_and_xinetd/file_groupowner_etc_hosts_deny/rule.yml b/linux_os/guide/services/obsolete/inetd_and_xinetd/file_groupowner_etc_hosts_deny/rule.yml +index fa024f1c27..403e99908b 100644 +--- a/linux_os/guide/services/obsolete/inetd_and_xinetd/file_groupowner_etc_hosts_deny/rule.yml ++++ b/linux_os/guide/services/obsolete/inetd_and_xinetd/file_groupowner_etc_hosts_deny/rule.yml +@@ -2,7 +2,7 @@ documentation_complete: true + + prodtype: ol7,rhel6,rhel7 + +-title: 'Verify Group Who Owns /etc/hosts.deny' ++title: 'Verify Group Ownership of /etc/hosts.deny' + + description: |- + {{{ describe_file_group_owner(file="/etc/hosts.deny", group="root") }}} +diff --git a/linux_os/guide/services/obsolete/inetd_and_xinetd/file_owner_etc_hosts_allow/rule.yml b/linux_os/guide/services/obsolete/inetd_and_xinetd/file_owner_etc_hosts_allow/rule.yml +index 80d5630c48..b34be48968 100644 +--- a/linux_os/guide/services/obsolete/inetd_and_xinetd/file_owner_etc_hosts_allow/rule.yml ++++ b/linux_os/guide/services/obsolete/inetd_and_xinetd/file_owner_etc_hosts_allow/rule.yml +@@ -2,7 +2,7 @@ documentation_complete: true + + prodtype: ol7,rhel6,rhel7 + +-title: 'Verify User Who Owns /etc/hosts.allow' ++title: 'Verify Ownership of /etc/hosts.allow' + + description: |- + {{{ describe_file_owner(file="/etc/hosts.allow", owner="root") }}} +diff --git a/linux_os/guide/services/obsolete/inetd_and_xinetd/file_owner_etc_hosts_deny/rule.yml b/linux_os/guide/services/obsolete/inetd_and_xinetd/file_owner_etc_hosts_deny/rule.yml +index 2fc5f74355..e53ee5bc12 100644 +--- a/linux_os/guide/services/obsolete/inetd_and_xinetd/file_owner_etc_hosts_deny/rule.yml ++++ b/linux_os/guide/services/obsolete/inetd_and_xinetd/file_owner_etc_hosts_deny/rule.yml +@@ -2,7 +2,7 @@ documentation_complete: true + + prodtype: ol7,rhel6,rhel7 + +-title: 'Verify User Who Owns /etc/hosts.deny' ++title: 'Verify Ownership of /etc/hosts.deny' + + description: |- + {{{ describe_file_owner(file="/etc/hosts.deny", owner="root") }}} diff --git a/SOURCES/scap-security-guide-0.1.50-add_rules_legacy_plus_in_passwd_PR_5339.patch b/SOURCES/scap-security-guide-0.1.50-add_rules_legacy_plus_in_passwd_PR_5339.patch new file mode 100644 index 0000000..cf621f8 --- /dev/null +++ b/SOURCES/scap-security-guide-0.1.50-add_rules_legacy_plus_in_passwd_PR_5339.patch @@ -0,0 +1,545 @@ +From d97c8749052a095771eb48621f39530f46603acd Mon Sep 17 00:00:00 2001 +From: Vojtech Polasek +Date: Tue, 24 Mar 2020 10:02:19 +0100 +Subject: [PATCH] add rule for passwd add rule for /etc/group add rule for + /etc/shadow add rules to rhel7 and rhel8 cis profiles + +--- + .../ansible/shared.yml | 17 ++++++++++ + .../bash/shared.sh | 7 +++++ + .../oval/shared.xml | 26 ++++++++++++++++ + .../no_legacy_plus_entries_etc_group/rule.yml | 31 +++++++++++++++++++ + .../tests/correct.pass.sh | 3 ++ + .../tests/include_everything.fail.sh | 4 +++ + .../tests/include_group.fail.sh | 3 ++ + .../tests/include_name.fail.sh | 3 ++ + .../tests/multiple.fail.sh | 5 +++ + .../ansible/shared.yml | 17 ++++++++++ + .../bash/shared.sh | 7 +++++ + .../oval/shared.xml | 26 ++++++++++++++++ + .../rule.yml | 31 +++++++++++++++++++ + .../tests/correct.pass.sh | 3 ++ + .../tests/include_everything.fail.sh | 4 +++ + .../tests/include_group.fail.sh | 3 ++ + .../tests/include_name.fail.sh | 3 ++ + .../tests/multiple.fail.sh | 5 +++ + .../ansible/shared.yml | 17 ++++++++++ + .../bash/shared.sh | 7 +++++ + .../oval/shared.xml | 26 ++++++++++++++++ + .../rule.yml | 31 +++++++++++++++++++ + .../tests/correct.pass.sh | 3 ++ + .../tests/include_everything.fail.sh | 4 +++ + .../tests/include_group.fail.sh | 3 ++ + .../tests/include_name.fail.sh | 3 ++ + .../tests/multiple.fail.sh | 5 +++ + rhel7/profiles/cis.profile | 6 ++++ + 30 files changed, 314 insertions(+), 6 deletions(-) + create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_group/ansible/shared.yml + create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_group/bash/shared.sh + create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_group/oval/shared.xml + create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_group/rule.yml + create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_group/tests/correct.pass.sh + create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_group/tests/include_everything.fail.sh + create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_group/tests/include_group.fail.sh + create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_group/tests/include_name.fail.sh + create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_group/tests/multiple.fail.sh + create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_passwd/ansible/shared.yml + create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_passwd/bash/shared.sh + create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_passwd/oval/shared.xml + create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_passwd/rule.yml + create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_passwd/tests/correct.pass.sh + create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_passwd/tests/include_everything.fail.sh + create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_passwd/tests/include_group.fail.sh + create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_passwd/tests/include_name.fail.sh + create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_passwd/tests/multiple.fail.sh + create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_shadow/ansible/shared.yml + create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_shadow/bash/shared.sh + create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_shadow/oval/shared.xml + create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_shadow/rule.yml + create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_shadow/tests/correct.pass.sh + create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_shadow/tests/include_everything.fail.sh + create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_shadow/tests/include_group.fail.sh + create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_shadow/tests/include_name.fail.sh + create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_shadow/tests/multiple.fail.sh + +diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_group/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_group/ansible/shared.yml +new file mode 100644 +index 000000000..acf0496e1 +--- /dev/null ++++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_group/ansible/shared.yml +@@ -0,0 +1,17 @@ ++# platform = multi_platform_fedora,Red Hat OpenShift Container Platform 4,Oracle Linux 7,Oracle Linux 8,Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8,Red Hat Virtualization 4 ++# reboot = false ++# strategy = restrict ++# complexity = low ++# disruption = medium ++ ++- name: "Backup the old /etc/group file" ++ copy: ++ src: /etc/group ++ dest: /etc/group- ++ remote_src: true ++ ++- name: "Remove lines starting with + from /etc/group" ++ lineinfile: ++ regexp: '^\+.*$' ++ state: absent ++ path: /etc/group +diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_group/bash/shared.sh b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_group/bash/shared.sh +new file mode 100644 +index 000000000..524cf10d5 +--- /dev/null ++++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_group/bash/shared.sh +@@ -0,0 +1,7 @@ ++# platform = multi_platform_fedora,Red Hat OpenShift Container Platform 4,Oracle Linux 7,Oracle Linux 8,Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8,Red Hat Virtualization 4 ++ ++if grep -q '^\+' /etc/group; then ++# backup old file to /etc/group- ++ cp /etc/group /etc/group- ++ sed -i '/^\+.*$/d' /etc/group ++fi +diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_group/oval/shared.xml b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_group/oval/shared.xml +new file mode 100644 +index 000000000..01ddaa125 +--- /dev/null ++++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_group/oval/shared.xml +@@ -0,0 +1,26 @@ ++ ++ ++ ++ Ensure there are no legacy + NIS entries in /etc/group ++ {{{- oval_affected(products) }}} ++ No lines starting with + are in /etc/group ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ /etc/group ++ ^\+.*$ ++ 1 ++ ++ ++ +diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_group/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_group/rule.yml +new file mode 100644 +index 000000000..a47fd1089 +--- /dev/null ++++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_group/rule.yml +@@ -0,0 +1,31 @@ ++documentation_complete: true ++ ++prodtype: fedora,ocp4,ol7,ol8,rhel7,rhel8,rhv4 ++ ++title: 'Ensure there are no legacy + NIS entries in /etc/group' ++ ++description: |- ++ The + character in /etc/group file marks a place where ++ entries from a network information service (NIS) should be directly inserted. ++ ++rationale: |- ++ Using this method to include entries into /etc/group is considered legacy ++ and should be avoided. These entries may provide a way for an attacker ++ to gain access to the system. ++ ++severity: medium ++ ++identifiers: ++ cce@rhel7: 83388-9 ++ cce@rhel8: 83389-7 ++ ++references: ++ cis@rhel7: 6.2.4 ++ cis@rhel8: 6.2.5 ++ ++ocil_clause: 'the file contains legacy lines' ++ ++ocil: |- ++ To check for legacy lines in /etc/group, run the following command: ++ 
 grep '^\+' /etc/group
++ The command should not return any output. +diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_group/tests/correct.pass.sh b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_group/tests/correct.pass.sh +new file mode 100644 +index 000000000..1adc7ac56 +--- /dev/null ++++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_group/tests/correct.pass.sh +@@ -0,0 +1,3 @@ ++#!/bin/bash ++ ++sed -i '/^\+.*$/d' /etc/group +diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_group/tests/include_everything.fail.sh b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_group/tests/include_everything.fail.sh +new file mode 100644 +index 000000000..1ef667771 +--- /dev/null ++++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_group/tests/include_everything.fail.sh +@@ -0,0 +1,4 @@ ++#!/bin/bash ++ ++ ++echo "+" >> /etc/group +diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_group/tests/include_group.fail.sh b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_group/tests/include_group.fail.sh +new file mode 100644 +index 000000000..9192157bd +--- /dev/null ++++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_group/tests/include_group.fail.sh +@@ -0,0 +1,3 @@ ++#!/bin/bash ++ ++echo "+@group" >> /etc/group +diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_group/tests/include_name.fail.sh b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_group/tests/include_name.fail.sh +new file mode 100644 +index 000000000..709937f75 +--- /dev/null ++++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_group/tests/include_name.fail.sh +@@ -0,0 +1,3 @@ ++#!/bin/bash ++ ++echo "+name" >> /etc/group +diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_group/tests/multiple.fail.sh b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_group/tests/multiple.fail.sh +new file mode 100644 +index 000000000..79cbd5456 +--- /dev/null ++++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_group/tests/multiple.fail.sh +@@ -0,0 +1,5 @@ ++#!/bin/bash ++ ++echo "+name" >> /etc/group ++echo "+" >> /etc/group ++echo "+@group" >> /etc/group +diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_passwd/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_passwd/ansible/shared.yml +new file mode 100644 +index 000000000..5baef2580 +--- /dev/null ++++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_passwd/ansible/shared.yml +@@ -0,0 +1,17 @@ ++# platform = multi_platform_fedora,Red Hat OpenShift Container Platform 4,Oracle Linux 7,Oracle Linux 8,Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8,Red Hat Virtualization 4 ++# reboot = false ++# strategy = restrict ++# complexity = low ++# disruption = medium ++ ++- name: "Backup the old /etc/passwd file" ++ copy: ++ src: /etc/passwd ++ dest: /etc/passwd- ++ remote_src: true ++ ++- name: "Remove lines starting with + from /etc/passwd" ++ lineinfile: ++ regexp: '^\+.*$' ++ state: absent ++ path: /etc/passwd +diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_passwd/bash/shared.sh b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_passwd/bash/shared.sh +new file mode 100644 +index 000000000..4bb73e017 +--- /dev/null ++++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_passwd/bash/shared.sh +@@ -0,0 +1,7 @@ ++# platform = multi_platform_fedora,Red Hat OpenShift Container Platform 4,Oracle Linux 7,Oracle Linux 8,Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8,Red Hat Virtualization 4 ++ ++if grep -q '^\+' /etc/passwd; then ++# backup old file to /etc/passwd- ++ cp /etc/passwd /etc/passwd- ++ sed -i '/^\+.*$/d' /etc/passwd ++fi +diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_passwd/oval/shared.xml b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_passwd/oval/shared.xml +new file mode 100644 +index 000000000..210437adb +--- /dev/null ++++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_passwd/oval/shared.xml +@@ -0,0 +1,26 @@ ++ ++ ++ ++ Ensure there are no legacy + NIS entries in /etc/passwd ++ {{{- oval_affected(products) }}} ++ No lines starting with + are in /etc/passwd ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ /etc/passwd ++ ^\+.*$ ++ 1 ++ ++ ++ +diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_passwd/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_passwd/rule.yml +new file mode 100644 +index 000000000..e7c5f9832 +--- /dev/null ++++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_passwd/rule.yml +@@ -0,0 +1,31 @@ ++documentation_complete: true ++ ++prodtype: fedora,ocp4,ol7,ol8,rhel7,rhel8,rhv4 ++ ++title: 'Ensure there are no legacy + NIS entries in /etc/passwd' ++ ++description: |- ++ The + character in /etc/passwd file marks a place where ++ entries from a network information service (NIS) should be directly inserted. ++ ++rationale: |- ++ Using this method to include entries into /etc/passwd is considered legacy ++ and should be avoided. These entries may provide a way for an attacker ++ to gain access to the system. ++ ++severity: medium ++ ++identifiers: ++ cce@rhel7: 82889-7 ++ cce@rhel8: 82890-5 ++ ++references: ++ cis@rhel7: 6.2.2 ++ cis@rhel8: 6.2.2 ++ ++ocil_clause: 'the file contains legacy lines' ++ ++ocil: |- ++ To check for legacy lines in /etc/passwd, run the following command: ++ 
 grep '^\+' /etc/passwd
++ The command should not return any output. +diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_passwd/tests/correct.pass.sh b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_passwd/tests/correct.pass.sh +new file mode 100644 +index 000000000..ac0b47f7a +--- /dev/null ++++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_passwd/tests/correct.pass.sh +@@ -0,0 +1,3 @@ ++#!/bin/bash ++ ++sed -i '/^\+.*$/d' /etc/passwd +diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_passwd/tests/include_everything.fail.sh b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_passwd/tests/include_everything.fail.sh +new file mode 100644 +index 000000000..94a980029 +--- /dev/null ++++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_passwd/tests/include_everything.fail.sh +@@ -0,0 +1,4 @@ ++#!/bin/bash ++ ++ ++echo "+" >> /etc/passwd +diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_passwd/tests/include_group.fail.sh b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_passwd/tests/include_group.fail.sh +new file mode 100644 +index 000000000..90b717cc1 +--- /dev/null ++++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_passwd/tests/include_group.fail.sh +@@ -0,0 +1,3 @@ ++#!/bin/bash ++ ++echo "+@group" >> /etc/passwd +diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_passwd/tests/include_name.fail.sh b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_passwd/tests/include_name.fail.sh +new file mode 100644 +index 000000000..0c036c3e2 +--- /dev/null ++++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_passwd/tests/include_name.fail.sh +@@ -0,0 +1,3 @@ ++#!/bin/bash ++ ++echo "+name" >> /etc/passwd +diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_passwd/tests/multiple.fail.sh b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_passwd/tests/multiple.fail.sh +new file mode 100644 +index 000000000..cf16444d7 +--- /dev/null ++++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_passwd/tests/multiple.fail.sh +@@ -0,0 +1,5 @@ ++#!/bin/bash ++ ++echo "+name" >> /etc/passwd ++echo "+" >> /etc/passwd ++echo "+@group" >> /etc/passwd +diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_shadow/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_shadow/ansible/shared.yml +new file mode 100644 +index 000000000..c969414d2 +--- /dev/null ++++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_shadow/ansible/shared.yml +@@ -0,0 +1,17 @@ ++# platform = multi_platform_fedora,Red Hat OpenShift Container Platform 4,Oracle Linux 7,Oracle Linux 8,Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8,Red Hat Virtualization 4 ++# reboot = false ++# strategy = restrict ++# complexity = low ++# disruption = medium ++ ++- name: "Backup the old /etc/shadow file" ++ copy: ++ src: /etc/shadow ++ dest: /etc/shadow- ++ remote_src: true ++ ++- name: "Remove lines starting with + from /etc/shadow" ++ lineinfile: ++ regexp: '^\+.*$' ++ state: absent ++ path: /etc/shadow +diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_shadow/bash/shared.sh b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_shadow/bash/shared.sh +new file mode 100644 +index 000000000..f8874c9f0 +--- /dev/null ++++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_shadow/bash/shared.sh +@@ -0,0 +1,7 @@ ++# platform = multi_platform_fedora,Red Hat OpenShift Container Platform 4,Oracle Linux 7,Oracle Linux 8,Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8,Red Hat Virtualization 4 ++ ++if grep -q '^\+' /etc/shadow; then ++# backup old file to /etc/shadow- ++ cp /etc/shadow /etc/shadow- ++ sed -i '/^\+.*$/d' /etc/shadow ++fi +diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_shadow/oval/shared.xml b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_shadow/oval/shared.xml +new file mode 100644 +index 000000000..8fad2c384 +--- /dev/null ++++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_shadow/oval/shared.xml +@@ -0,0 +1,26 @@ ++ ++ ++ ++ Ensure there are no legacy + NIS entries in /etc/shadow ++ {{{- oval_affected(products) }}} ++ No lines starting with + are in /etc/shadow ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ /etc/shadow ++ ^\+.*$ ++ 1 ++ ++ ++ +diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_shadow/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_shadow/rule.yml +new file mode 100644 +index 000000000..beb3772b2 +--- /dev/null ++++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_shadow/rule.yml +@@ -0,0 +1,31 @@ ++documentation_complete: true ++ ++prodtype: fedora,ocp4,ol7,ol8,rhel7,rhel8,rhv4 ++ ++title: 'Ensure there are no legacy + NIS entries in /etc/shadow' ++ ++description: |- ++ The + character in /etc/shadow file marks a place where ++ entries from a network information service (NIS) should be directly inserted. ++ ++rationale: |- ++ Using this method to include entries into /etc/shadow is considered legacy ++ and should be avoided. These entries may provide a way for an attacker ++ to gain access to the system. ++ ++severity: medium ++ ++identifiers: ++ cce@rhel7: 83390-5 ++ cce@rhel8: 84290-6 ++ ++references: ++ cis@rhel7: 6.2.3 ++ cis@rhel8: 6.2.4 ++ ++ocil_clause: 'the file contains legacy lines' ++ ++ocil: |- ++ To check for legacy lines in /etc/shadow, run the following command: ++ 
 grep '^\+' /etc/shadow
++ The command should not return any output. +diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_shadow/tests/correct.pass.sh b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_shadow/tests/correct.pass.sh +new file mode 100644 +index 000000000..4647b544e +--- /dev/null ++++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_shadow/tests/correct.pass.sh +@@ -0,0 +1,3 @@ ++#!/bin/bash ++ ++sed -i '/^\+.*$/d' /etc/shadow +diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_shadow/tests/include_everything.fail.sh b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_shadow/tests/include_everything.fail.sh +new file mode 100644 +index 000000000..881e23676 +--- /dev/null ++++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_shadow/tests/include_everything.fail.sh +@@ -0,0 +1,4 @@ ++#!/bin/bash ++ ++ ++echo "+" >> /etc/shadow +diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_shadow/tests/include_group.fail.sh b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_shadow/tests/include_group.fail.sh +new file mode 100644 +index 000000000..39076bdcc +--- /dev/null ++++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_shadow/tests/include_group.fail.sh +@@ -0,0 +1,3 @@ ++#!/bin/bash ++ ++echo "+@group" >> /etc/shadow +diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_shadow/tests/include_name.fail.sh b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_shadow/tests/include_name.fail.sh +new file mode 100644 +index 000000000..6cbc6e885 +--- /dev/null ++++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_shadow/tests/include_name.fail.sh +@@ -0,0 +1,3 @@ ++#!/bin/bash ++ ++echo "+name" >> /etc/shadow +diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_shadow/tests/multiple.fail.sh b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_shadow/tests/multiple.fail.sh +new file mode 100644 +index 000000000..b2daf1bc2 +--- /dev/null ++++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_shadow/tests/multiple.fail.sh +@@ -0,0 +1,5 @@ ++#!/bin/bash ++ ++echo "+name" >> /etc/shadow ++echo "+" >> /etc/shadow ++echo "+@group" >> /etc/shadow +diff --git a/rhel7/profiles/cis.profile b/rhel7/profiles/cis.profile +index b66594f59..bfb1508b6 100644 +--- a/rhel7/profiles/cis.profile ++++ b/rhel7/profiles/cis.profile +@@ -735,8 +735,14 @@ selections: + ## 6.2 User and Group Settings + ### 6.2.1 Ensure password fields are not empty (Scored) + ### 6.2.2 Ensure no legacy "+" entries exist in /etc/passwd (Scored) ++ - no_legacy_plus_entries_etc_passwd ++ + ### 6.2.3 Ensure no legacy "+" entries exist in /etc/shadow (Scored) ++ - no_legacy_plus_entries_etc_shadow ++ + ### 6.2.4 Ensure no legacy "+" entries exist in /etc/group (Scored) ++ - no_legacy_plus_entries_etc_group ++ + ### 6.2.5 Ensure root is the only UID 0 account (Scored) + - accounts_no_uid_except_zero + +-- +2.21.1 + diff --git a/SOURCES/scap-security-guide-0.1.50-add_service_rsyncd_disabled_PR_5318.patch b/SOURCES/scap-security-guide-0.1.50-add_service_rsyncd_disabled_PR_5318.patch new file mode 100644 index 0000000..719a99d --- /dev/null +++ b/SOURCES/scap-security-guide-0.1.50-add_service_rsyncd_disabled_PR_5318.patch @@ -0,0 +1,63 @@ +From f2024fe66e871a4f7dc54454065f59f4b2bf31db Mon Sep 17 00:00:00 2001 +From: Vojtech Polasek +Date: Thu, 19 Mar 2020 16:48:52 +0100 +Subject: [PATCH] add rule + +--- + .../obsolete/service_rsyncd_disabled/rule.yml | 33 +++++++++++++++++++ + shared/references/cce-redhat-avail.txt | 2 -- + 2 files changed, 33 insertions(+), 2 deletions(-) + create mode 100644 linux_os/guide/services/obsolete/service_rsyncd_disabled/rule.yml + +diff --git a/linux_os/guide/services/obsolete/service_rsyncd_disabled/rule.yml b/linux_os/guide/services/obsolete/service_rsyncd_disabled/rule.yml +new file mode 100644 +index 0000000000..9cb9d15dcc +--- /dev/null ++++ b/linux_os/guide/services/obsolete/service_rsyncd_disabled/rule.yml +@@ -0,0 +1,33 @@ ++documentation_complete: true ++ ++prodtype: rhel7,ol7,rhel8,ol8,fedora,rhv4,ocp4 ++ ++title: 'Ensure rsyncd service is diabled' ++ ++description: |- ++ {{{ describe_service_disable("rsyncd") }}} ++ ++rationale: |- ++ The rsyncd service presents a security risk as it uses unencrypted protocols for ++ communication. ++ ++severity: medium ++ ++identifiers: ++ cce@rhel7: 83334-3 ++ cce@rhel8: 83335-0 ++ ++references: ++ cis@rhel7: 2.2.21 ++ cis@rhel8: 2.2.3 ++ ++ocil_clause: 'the service is not disabled' ++ ++ocil: |- ++ {{{ ocil_service_disabled("rsyncd") }}} ++ ++template: ++ name: service_disabled ++ vars: ++ servicename: rsyncd ++ packagename: rsync +diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt +index a0b117a964..67fa853d75 100644 +--- a/shared/references/cce-redhat-avail.txt ++++ b/shared/references/cce-redhat-avail.txt +@@ -45,8 +45,6 @@ CCE-83330-1 + CCE-83331-9 + CCE-83332-7 + CCE-83333-5 +-CCE-83334-3 +-CCE-83335-0 + CCE-83336-8 + CCE-83337-6 + CCE-83338-4 diff --git a/SOURCES/scap-security-guide-0.1.50-ansible_audit_avoid_duplicates_PR_5650.patch b/SOURCES/scap-security-guide-0.1.50-ansible_audit_avoid_duplicates_PR_5650.patch new file mode 100644 index 0000000..0f3a069 --- /dev/null +++ b/SOURCES/scap-security-guide-0.1.50-ansible_audit_avoid_duplicates_PR_5650.patch @@ -0,0 +1,1397 @@ +From 92ff3c1ee5dbeae8260d8ebbb9926cc63296c72a Mon Sep 17 00:00:00 2001 +From: Vojtech Polasek +Date: Tue, 21 Apr 2020 11:04:43 +0200 +Subject: [PATCH 1/8] fix audit_rules_media_export ansible remediation + +--- + .../ansible/shared.yml | 44 +++++++++++++++++-- + 1 file changed, 40 insertions(+), 4 deletions(-) + +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_media_export/ansible/shared.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_media_export/ansible/shared.yml +index 12a61b6d1c..944a69cfaf 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_media_export/ansible/shared.yml ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_media_export/ansible/shared.yml +@@ -11,6 +11,39 @@ + set_fact: + audit_arch: "b{{ ansible_architecture | regex_replace('.*(\\d\\d$)','\\1') }}" + ++# ++# check if rules are already present ++# ++ ++- name: Check if the rule for x86_64 is already present in /etc/audit/rules.d/* ++ find: ++ paths: "/etc/audit/rules.d/" ++ contains: '^\s*-a\s+always,exit\s+-F\s+arch=b64\s+-S\s+mount\s+-F\s+auid>={{{ auid }}}\s+-F\s+auid!=unset(\s|$)+' ++ patterns: "*.rules" ++ register: find_existing_media_export_64_rules_d ++ ++- name: Check if the rule for x86 is already present in /etc/audit/rules.d/* ++ find: ++ paths: "/etc/audit/rules.d/" ++ contains: '^\s*-a\s+always,exit\s+-F\s+arch=b32\s+-S\s+mount\s+-F\s+auid>={{{ auid }}}\s+-F\s+auid!=unset(\s|$)+' ++ patterns: "*.rules" ++ register: find_existing_media_export_32_rules_d ++ ++- name: Check if the rule for x86_64 is already present in /etc/audit/audit.rules ++ find: ++ paths: "/etc/audit/" ++ contains: '^\s*-a\s+always,exit\s+-F\s+arch=b64\s+-S\s+mount\s+-F\s+auid>={{{ auid }}}\s+-F\s+auid!=unset(\s|$)+' ++ patterns: "audit.rules" ++ register: find_existing_media_export_64_audit_rules ++ ++- name: Check if the rule for x86 is already present in /etc/audit/rules.d/* ++ find: ++ paths: "/etc/audit/" ++ contains: '^\s*-a\s+always,exit\s+-F\s+arch=b32\s+-S\s+mount\s+-F\s+auid>={{{ auid }}}\s+-F\s+auid!=unset(\s|$)+' ++ patterns: "audit.rules" ++ register: find_existing_media_export_32_audit_rules ++ ++ + # + # Inserts/replaces the rule in /etc/audit/rules.d + # +@@ -21,31 +54,33 @@ + contains: "-F key=export$" + patterns: "*.rules" + register: find_mount ++ when: (find_existing_media_export_32_rules_d is defined and find_existing_media_export_32_rules_d.matched == 0) or (find_existing_media_export_64_rules_d is defined and find_existing_media_export_64_rules_d.matched == 0) + + - name: If existing media export ruleset not found, use /etc/audit/rules.d/export.rules as the recipient for the rule + set_fact: + all_files: + - /etc/audit/rules.d/export.rules +- when: find_mount.matched is defined and find_mount.matched == 0 ++ when: find_mount.matched is defined and find_mount.matched == 0 and ((find_existing_media_export_32_rules_d is defined and find_existing_media_export_32_rules_d.matched == 0) or (find_existing_media_export_64_rules_d is defined and find_existing_media_export_64_rules_d.matched == 0)) + + - name: Use matched file as the recipient for the rule + set_fact: + all_files: + - "{{ find_mount.files | map(attribute='path') | list | first }}" +- when: find_mount.matched is defined and find_mount.matched > 0 ++ when: find_mount.matched is defined and find_mount.matched > 0 and ((find_existing_media_export_32_rules_d is defined and find_existing_media_export_32_rules_d.matched == 0) or (find_existing_media_export_64_rules_d is defined and find_existing_media_export_64_rules_d.matched == 0)) + + - name: Inserts/replaces the media export rule in rules.d when on x86 + lineinfile: + path: "{{ all_files[0] }}" + line: "-a always,exit -F arch=b32 -S mount -F auid>={{{ auid }}} -F auid!=unset -F key=export" + create: yes ++ when: find_existing_media_export_32_rules_d is defined and find_existing_media_export_32_rules_d.matched == 0 + + - name: Inserts/replaces the media export rule in rules.d when on x86_64 + lineinfile: + path: "{{ all_files[0] }}" + line: "-a always,exit -F arch=b64 -S mount -F auid>={{{ auid }}} -F auid!=unset -F key=export" + create: yes +- when: audit_arch is defined and audit_arch == 'b64' ++ when: audit_arch is defined and audit_arch == 'b64' and find_existing_media_export_64_rules_d is defined and find_existing_media_export_64_rules_d.matched == 0 + # + # Inserts/replaces the rule in /etc/audit/audit.rules + # +@@ -55,6 +90,7 @@ + state: present + dest: /etc/audit/audit.rules + create: yes ++ when: find_existing_media_export_32_audit_rules is defined and find_existing_media_export_32_audit_rules.matched == 0 + + - name: Inserts/replaces the media export rule in audit.rules when on x86_64 + lineinfile: +@@ -62,4 +98,4 @@ + state: present + dest: /etc/audit/audit.rules + create: yes +- when: audit_arch is defined and audit_arch == 'b64' ++ when: audit_arch is defined and audit_arch == 'b64' and find_existing_media_export_64_audit_rules is defined and find_existing_media_export_64_audit_rules.matched == 0 + +From ffdfd62dc6e19ca655132f119b3998f01dea98fe Mon Sep 17 00:00:00 2001 +From: Vojtech Polasek +Date: Tue, 21 Apr 2020 14:42:40 +0200 +Subject: [PATCH 2/8] make audit_rules_kernel_module_loading ansible + remediation robust + +add test +--- + .../ansible/shared.yml | 282 ++++++++++++++++-- + .../syscalls_one_per_line_one_missing.fail.sh | 11 + + 2 files changed, 271 insertions(+), 22 deletions(-) + create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/tests/syscalls_one_per_line_one_missing.fail.sh + +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/ansible/shared.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/ansible/shared.yml +index 8cc519c61b..17eb72a99d 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/ansible/shared.yml ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/ansible/shared.yml +@@ -11,6 +11,95 @@ + set_fact: + audit_arch: "b{{ ansible_architecture | regex_replace('.*(\\d\\d$)','\\1') }}" + ++# ++# check if rules don't exist already ++# ++ ++- name: Check if rule for x86 init_module already exists in /etc/audit/rules.d/* ++ find: ++ paths: "/etc/audit/rules.d/" ++ contains: '^\s*-a\s+always,exit\s+-F\s+arch=b32\s+-S\s+init_module[\s$]+' ++ patterns: "*.rules" ++ register: find_existing_kernel_init_module_32_rules_d ++ ++- name: Check if rule for x86 delete_module already exists in /etc/audit/rules.d/* ++ find: ++ paths: "/etc/audit/rules.d/" ++ contains: '^\s*-a\s+always,exit\s+-F\s+arch=b32\s+-S\s+delete_module[\s$]+' ++ patterns: "*.rules" ++ register: find_existing_kernel_delete_module_32_rules_d ++ ++- name: Check if rule for x86 finit_module already exists in /etc/audit/rules.d/* ++ find: ++ paths: "/etc/audit/rules.d/" ++ contains: '^\s*-a\s+always,exit\s+-F\s+arch=b32\s+-S\s+finit_module[\s$]+' ++ patterns: "*.rules" ++ register: find_existing_kernel_finit_module_32_rules_d ++ ++- name: Check if rule for x86_64 init_module already exists in /etc/audit/rules.d/* ++ find: ++ paths: "/etc/audit/rules.d/" ++ contains: '^\s*-a\s+always,exit\s+-F\s+arch=b64\s+-S\s+init_module[\s$]+' ++ patterns: "*.rules" ++ register: find_existing_kernel_init_module_64_rules_d ++ ++- name: Check if rule for x86_64 delete_module already exists in /etc/audit/rules.d/* ++ find: ++ paths: "/etc/audit/rules.d/" ++ contains: '^\s*-a\s+always,exit\s+-F\s+arch=b64\s+-S\s+delete_module[\s$]+' ++ patterns: "*.rules" ++ register: find_existing_kernel_delete_module_64_rules_d ++ ++- name: Check if rule for x86_64 finit_module already exists in /etc/audit/rules.d/* ++ find: ++ paths: "/etc/audit/rules.d/" ++ contains: '^\s*-a\s+always,exit\s+-F\s+arch=b64\s+-S\s+finit_module[\s$]+' ++ patterns: "*.rules" ++ register: find_existing_kernel_finit_module_64_rules_d ++ ++- name: Check if rule for x86 init_module already exists in /etc/audit/audit.rules ++ find: ++ paths: "/etc/audit/" ++ contains: '^\s*-a\s+always,exit\s+-F\s+arch=b32\s+-S\s+init_module[\s$]+' ++ patterns: "audit.rules" ++ register: find_existing_kernel_init_module_32_audit_rules ++ ++- name: Check if rule for x86 delete_module already exists in /etc/audit/audit.rules ++ find: ++ paths: "/etc/audit/" ++ contains: '^\s*-a\s+always,exit\s+-F\s+arch=b32\s+-S\s+delete_module[\s$]+' ++ patterns: "audit.rules" ++ register: find_existing_kernel_delete_module_32_audit_rules ++ ++- name: Check if rule for x86 finit_module already exists in /etc/audit/audit.rules ++ find: ++ paths: "/etc/audit/audit.rules" ++ contains: '^\s*-a\s+always,exit\s+-F\s+arch=b32\s+-S\s+finit_module[\s$]+' ++ patterns: "audit.rules" ++ register: find_existing_kernel_finit_module_32_audit_rules ++ ++- name: Check if rule for x86_64 init_module already exists in /etc/audit/audit.rules ++ find: ++ paths: "/etc/audit/" ++ contains: '^\s*-a\s+always,exit\s+-F\s+arch=b64\s+-S\s+init_module[\s$]+' ++ patterns: "audit.rules" ++ register: find_existing_kernel_init_module_64_audit_rules ++ ++- name: Check if rule for x86_64 delete_module already exists in /etc/audit/audit.rules ++ find: ++ paths: "/etc/audit/" ++ contains: '^\s*-a\s+always,exit\s+-F\s+arch=b64\s+-S\s+delete_module[\s$]+' ++ patterns: "audit.rules" ++ register: find_existing_kernel_delete_module_64_audit_rules ++ ++- name: Check if rule for x86_64 finit_module already exists in /etc/audit/audit.rules ++ find: ++ paths: "/etc/audit/" ++ contains: '^\s*-a\s+always,exit\s+-F\s+arch=b64\s+-S\s+finit_module[\s$]+' ++ patterns: "audit.rules" ++ register: find_existing_kernel_finit_module_64_audit_rules ++ ++ + # + # Inserts/replaces the rule in /etc/audit/rules.d + # +@@ -34,48 +123,197 @@ + - "{{ find_modules.files | map(attribute='path') | list | first }}" + when: find_modules.matched is defined and find_modules.matched > 0 + ++# ++# create resulting lines to be inserted into appropriate files ++# ++ ++- name: Start creating remediation line for 32 bit rule in /etc/audit/rules.d ++ set_fact: ++ audit_kernel_line_32_rules_d = "-a always,exit -F arch=b32 " ++ {{% if product == "rhel6" %}} ++ when: (find_existing_kernel_init_module_32_rules_d is defined and find_existing_kernel_init_module_32_rules_d.matched == 0) or (find_existing_kernel_delete_module_32_rules_d is defined and find_existing_kernel_delete_module_32_rules_d.matched == 0) ++ {{% else %}} ++ when: (find_existing_kernel_init_module_32_rules_d is defined and find_existing_kernel_init_module_32_rules_d.matched == 0) or (find_existing_kernel_delete_module_32_rules_d is defined and find_existing_kernel_delete_module_32_rules_d.matched == 0) or (find_existing_kernel_finit_module_32_rules_d is defined and find_existing_kernel_finit_module_32_rules_d.matched == 0) ++ {{% endif %}} ++ ++- name: add init_module into line for 32 bit rules.d ++ set_fact: ++ audit_kernel_line_32_rules_d= {{ audit_kernel_line_32_rules_d + '-S init_module ' }} ++ when: find_existing_kernel_init_module_32_rules_d is defined and find_existing_kernel_init_module_32_rules_d.matched == 0 and audit_kernel_line_32_rules_d is defined ++ ++- name: add delete_module into line for 32 bit rules.d ++ set_fact: ++ audit_kernel_line_32_rules_d= {{ audit_kernel_line_32_rules_d + '-S delete_module ' }} ++ when: find_existing_kernel_delete_module_32_rules_d is defined and find_existing_kernel_delete_module_32_rules_d.matched == 0 and audit_kernel_line_32_rules_d is defined ++ ++{{% if product != "rhel6" %}} ++- name: add finit_module into line for 32 bit rules.d ++ set_fact: ++ audit_kernel_line_32_rules_d= {{ audit_kernel_line_32_rules_d + '-S finit_module ' }} ++ when: find_existing_kernel_finit_module_32_rules_d is defined and find_existing_finit_delete_module_32_rules_d.matched == 0 and audit_kernel_line_32_rules_d is defined ++{{% endif %}} ++ ++- name: Finish creating remediation line for 32 bit rule in /etc/audit/rules.d ++ set_fact: ++ audit_kernel_line_32_rules_d= {{ audit_kernel_line_32_rules_d + '-k modules' }} ++ {{% if product == "rhel6" %}} ++ when: (find_existing_kernel_init_module_32_rules_d is defined and find_existing_kernel_init_module_32_rules_d.matched == 0) or (find_existing_kernel_delete_module_32_rules_d is defined and find_existing_kernel_delete_module_32_rules_d.matched == 0) and audit_kernel_line_32_rules_d is defined ++ {{% else %}} ++ when: (find_existing_kernel_init_module_32_rules_d is defined and find_existing_kernel_init_module_32_rules_d.matched == 0) or (find_existing_kernel_delete_module_32_rules_d is defined and find_existing_kernel_delete_module_32_rules_d.matched == 0) or (find_existing_kernel_finit_module_32_rules_d is defined and find_existing_kernel_finit_module_32_rules_d.matched == 0) and audit_kernel_line_32_rules_d is defined ++ {{% endif %}} ++ ++- name: Start creating remediation line for 64 bit rule in /etc/audit/rules.d ++ set_fact: ++ audit_kernel_line_64_rules_d = "-a always,exit -F arch=b64 " ++ {{% if product == "rhel6" %}} ++ when: (find_existing_kernel_init_module_64_rules_d is defined and find_existing_kernel_init_module_64_rules_d.matched == 0) or (find_existing_kernel_delete_module_64_rules_d is defined and find_existing_kernel_delete_module_64_rules_d.matched == 0) ++ {{% else %}} ++ when: (find_existing_kernel_init_module_64_rules_d is defined and find_existing_kernel_init_module_64_rules_d.matched == 0) or (find_existing_kernel_delete_module_64_rules_d is defined and find_existing_kernel_delete_module_64_rules_d.matched == 0) or (find_existing_kernel_finit_module_64_rules_d is defined and find_existing_kernel_finit_module_64_rules_d.matched == 0) ++ {{% endif %}} ++ ++- name: add init_module into line for 64 bit rules.d ++ set_fact: ++ audit_kernel_line_64_rules_d= {{ audit_kernel_line_64_rules_d + '-S init_module ' }} ++ when: find_existing_kernel_init_module_64_rules_d is defined and find_existing_kernel_init_module_64_rules_d.matched == 0 and audit_kernel_line_64_rules_d is defined ++ ++- name: add delete_module into line for 64 bit rules.d ++ set_fact: ++ audit_kernel_line_64_rules_d= {{ audit_kernel_line_64_rules_d + '-S delete_module ' }} ++ when: find_existing_kernel_delete_module_64_rules_d is defined and find_existing_kernel_delete_module_64_rules_d.matched == 0 and audit_kernel_line_64_rules_d is defined ++ ++{{% if product != "rhel6" %}} ++- name: add finit_module into line for 64 bit rules.d ++ set_fact: ++ audit_kernel_line_64_rules_d= {{ audit_kernel_line_64_rules_d + '-S finit_module ' }} ++ when: find_existing_kernel_finit_module_64_rules_d is defined and find_existing_finit_delete_module_64_rules_d.matched == 0 and audit_kernel_line_64_rules_d is defined ++{{% endif %}} ++ ++- name: Finish creating remediation line for 64 bit rule in /etc/audit/rules.d ++ set_fact: ++ audit_kernel_line_64_rules_d= {{ audit_kernel_line_64_rules_d + '-k modules' }} ++ {{% if product == "rhel6" %}} ++ when: (find_existing_kernel_init_module_64_rules_d is defined and find_existing_kernel_init_module_64_rules_d.matched == 0) or (find_existing_kernel_delete_module_64_rules_d is defined and find_existing_kernel_delete_module_64_rules_d.matched == 0) and audit_kernel_line_64_rules_d is defined ++ {{% else %}} ++ when: (find_existing_kernel_init_module_64_rules_d is defined and find_existing_kernel_init_module_64_rules_d.matched == 0) or (find_existing_kernel_delete_module_64_rules_d is defined and find_existing_kernel_delete_module_64_rules_d.matched == 0) or (find_existing_kernel_finit_module_64_rules_d is defined and find_existing_kernel_finit_module_64_rules_d.matched == 0) and audit_kernel_line_64_rules_d is defined ++ {{% endif %}} ++ ++- name: Start creating remediation line for 32 bit rule in /etc/audit/audit.rules ++ set_fact: ++ audit_kernel_line_32_audit_rules = "-a always,exit -F arch=b32 " ++ {{% if product == "rhel6" %}} ++ when: (find_existing_kernel_init_module_32_audit_rules is defined and find_existing_kernel_init_module_32_audit_rules.matched == 0) or (find_existing_kernel_delete_module_32_audit_rules is defined and find_existing_kernel_delete_module_32_audit_rules.matched == 0) ++ {{% else %}} ++ when: (find_existing_kernel_init_module_32_audit_rules is defined and find_existing_kernel_init_module_32_audit_rules.matched == 0) or (find_existing_kernel_delete_module_32_audit_rules is defined and find_existing_kernel_delete_module_32_audit_rules.matched == 0) or (find_existing_kernel_finit_module_32_audit_rules is defined and find_existing_kernel_finit_module_32_audit_rules.matched == 0) ++ {{% endif %}} ++ ++- name: add init_module into line for 32 bit rules.d ++ set_fact: ++ audit_kernel_line_32_audit_rules= {{ audit_kernel_line_32_audit_rules + '-S init_module ' }} ++ when: find_existing_kernel_init_module_32_audit_rules is defined and find_existing_kernel_init_module_32_audit_rules.matched == 0 and audit_kernel_line_32_audit_rules is defined ++ ++- name: add delete_module into line for 32 bit rules.d ++ set_fact: ++ audit_kernel_line_32_audit_rules= {{ audit_kernel_line_32_audit_rules + '-S delete_module ' }} ++ when: find_existing_kernel_delete_module_32_audit_rules is defined and find_existing_kernel_delete_module_32_audit_rules.matched == 0 and audit_kernel_line_32_audit_rules is defined ++ ++{{% if product != "rhel6" %}} ++- name: add finit_module into line for 32 bit rules.d ++ set_fact: ++ audit_kernel_line_32_audit_rules= {{ audit_kernel_line_32_audit_rules + '-S finit_module ' }} ++ when: find_existing_kernel_finit_module_32_audit_rules is defined and find_existing_finit_delete_module_32_audit_rules.matched == 0 and audit_kernel_line_32_audit_rules is defined ++{{% endif %}} ++ ++- name: Finish creating remediation line for 32 bit rule in /etc/audit/audit.rules ++ set_fact: ++ audit_kernel_line_32_audit_rules= {{ audit_kernel_line_32_audit_rules + '-k modules' }} ++ {{% if product == "rhel6" %}} ++ when: (find_existing_kernel_init_module_32_audit_rules is defined and find_existing_kernel_init_module_32_audit_rules.matched == 0) or (find_existing_kernel_delete_module_32_audit_rules is defined and find_existing_kernel_delete_module_32_audit_rules.matched == 0) and audit_kernel_line_32_audit_rules is defined ++ {{% else %}} ++ when: (find_existing_kernel_init_module_32_audit_rules is defined and find_existing_kernel_init_module_32_audit_rules.matched == 0) or (find_existing_kernel_delete_module_32_audit_rules is defined and find_existing_kernel_delete_module_32_audit_rules.matched == 0) or (find_existing_kernel_finit_module_32_audit_rules is defined and find_existing_kernel_finit_module_32_audit_rules.matched == 0) and audit_kernel_line_32_audit_rules is defined ++ {{% endif %}} ++ ++- name: Start creating remediation line for 64 bit rule in /etc/audit/audit.rules ++ set_fact: ++ audit_kernel_line_64_audit_rules = "-a always,exit -F arch=b64 " ++ {{% if product == "rhel6" %}} ++ when: (find_existing_kernel_init_module_64_audit_rules is defined and find_existing_kernel_init_module_64_audit_rules.matched == 0) or (find_existing_kernel_delete_module_64_audit_rules is defined and find_existing_kernel_delete_module_64_audit_rules.matched == 0) ++ {{% else %}} ++ when: (find_existing_kernel_init_module_64_audit_rules is defined and find_existing_kernel_init_module_64_audit_rules.matched == 0) or (find_existing_kernel_delete_module_64_audit_rules is defined and find_existing_kernel_delete_module_64_audit_rules.matched == 0) or (find_existing_kernel_finit_module_64_audit_rules is defined and find_existing_kernel_finit_module_64_audit_rules.matched == 0) ++ {{% endif %}} ++ ++- name: add init_module into line for 64 bit rules.d ++ set_fact: ++ audit_kernel_line_64_audit_rules= {{ audit_kernel_line_64_audit_rules + '-S init_module ' }} ++ when: find_existing_kernel_init_module_64_audit_rules is defined and find_existing_kernel_init_module_64_audit_rules.matched == 0 and audit_kernel_line_64_audit_rules is defined ++ ++- name: add delete_module into line for 64 bit rules.d ++ set_fact: ++ audit_kernel_line_64_audit_rules= {{ audit_kernel_line_64_audit_rules + '-S delete_module ' }} ++ when: find_existing_kernel_delete_module_64_audit_rules is defined and find_existing_kernel_delete_module_64_audit_rules.matched == 0 and audit_kernel_line_64_audit_rules is defined ++ ++{{% if product != "rhel6" %}} ++- name: add finit_module into line for 64 bit rules.d ++ set_fact: ++ audit_kernel_line_64_audit_rules= {{ audit_kernel_line_64_audit_rules + '-S finit_module ' }} ++ when: find_existing_kernel_finit_module_64_audit_rules is defined and find_existing_finit_delete_module_64_audit_rules.matched == 0 and audit_kernel_line_64_audit_rules is defined ++{{% endif %}} ++ ++- name: Finish creating remediation line for 64 bit rule in /etc/audit/audit.rules ++ set_fact: ++ audit_kernel_line_64_audit_rules= {{ audit_kernel_line_64_audit_rules + '-k modules' }} ++ {{% if product == "rhel6" %}} ++ when: (find_existing_kernel_init_module_64_audit_rules is defined and find_existing_kernel_init_module_64_audit_rules.matched == 0) or (find_existing_kernel_delete_module_64_audit_rules is defined and find_existing_kernel_delete_module_64_audit_rules.matched == 0) and audit_kernel_line_64_audit_rules is defined ++ {{% else %}} ++ when: (find_existing_kernel_init_module_64_audit_rules is defined and find_existing_kernel_init_module_64_audit_rules.matched == 0) or (find_existing_kernel_delete_module_64_audit_rules is defined and find_existing_kernel_delete_module_64_audit_rules.matched == 0) or (find_existing_kernel_finit_module_64_audit_rules is defined and find_existing_kernel_finit_module_64_audit_rules.matched == 0) and audit_kernel_line_64_audit_rules is defined ++ {{% endif %}} ++ ++ ++ + - name: Inserts/replaces the modules rule in rules.d when on x86 + lineinfile: + path: "{{ all_files[0] }}" +- {{% if product == "rhel6" %}} +- line: "-a always,exit -F arch=b32 -S init_module -S delete_module -k modules" +- {{% else %}} +- line: "-a always,exit -F arch=b32 -S init_module -S delete_module -S finit_module -k modules" +- {{% endif %}} ++ line: "{{ audit_kernel_line_32_rules_d }}" + create: yes ++ {{% if product == "rhel6" %}} ++ when: (find_existing_kernel_init_module_32_rules_d is defined and find_existing_kernel_init_module_32_rules_d.matched == 0) or (find_existing_kernel_delete_module_32_rules_d is defined and find_existing_kernel_delete_module_32_rules_d.matched == 0) and audit_kernel_line_32_rules_d is defined ++ {{% else %}} ++ when: (find_existing_kernel_init_module_32_rules_d is defined and find_existing_kernel_init_module_32_rules_d.matched == 0) or (find_existing_kernel_delete_module_32_rules_d is defined and find_existing_kernel_delete_module_32_rules_d.matched == 0) or (find_existing_kernel_finit_module_32_rules_d is defined and find_existing_kernel_finit_module_32_rules_d.matched == 0) and audit_kernel_line_32_rules_d is defined ++ {{% endif %}} + + - name: Inserts/replaces the modules rule in rules.d when on x86_64 + lineinfile: + path: "{{ all_files[0] }}" +- {{% if product == "rhel6" %}} +- line: "-a always,exit -F arch=b64 -S init_module -S delete_module -k modules" +- {{% else %}} +- line: "-a always,exit -F arch=b64 -S init_module -S delete_module -S finit_module -k modules" +- {{% endif %}} ++ line: "{{ audit_kernel_line_32_rules_d }}" + create: yes +- when: audit_arch is defined and audit_arch == 'b64' ++ {{% if product == "rhel6" %}} ++ when: audit_arch is defined and audit_arch == 'b64' and (find_existing_kernel_init_module_64_rules_d is defined and find_existing_kernel_init_module_64_rules_d.matched == 0) or (find_existing_kernel_delete_module_64_rules_d is defined and find_existing_kernel_delete_module_64_rules_d.matched == 0) and audit_kernel_line_64_rules_d is defined ++ {{% else %}} ++ when: audit_arch is defined and audit_arch == 'b64' and (find_existing_kernel_init_module_64_rules_d is defined and find_existing_kernel_init_module_64_rules_d.matched == 0) or (find_existing_kernel_delete_module_64_rules_d is defined and find_existing_kernel_delete_module_64_rules_d.matched == 0) or (find_existing_kernel_finit_module_64_rules_d is defined and find_existing_kernel_finit_module_64_rules_d.matched == 0) and audit_kernel_line_64_rules_d is defined ++ {{% endif %}} ++ + # + # Inserts/replaces the rule in /etc/audit/audit.rules + # + - name: Inserts/replaces the modules rule in /etc/audit/audit.rules when on x86 + lineinfile: +- {{% if product == "rhel6" %}} +- line: "-a always,exit -F arch=b32 -S init_module -S delete_module -k modules" +- {{% else %}} +- line: "-a always,exit -F arch=b32 -S init_module -S delete_module -S finit_module -k modules" +- {{% endif %}} ++ line: "{{ audit_kernel_line_32_audit_rules }}" + state: present + dest: /etc/audit/audit.rules + create: yes ++ {{% if product == "rhel6" %}} ++ when: (find_existing_kernel_init_module_32_audit_rules is defined and find_existing_kernel_init_module_32_audit_rules.matched == 0) or (find_existing_kernel_delete_module_32_audit_rules is defined and find_existing_kernel_delete_module_32_audit_rules.matched == 0) and audit_kernel_line_32_audit_rules is defined ++ {{% else %}} ++ when: (find_existing_kernel_init_module_32_audit_rules is defined and find_existing_kernel_init_module_32_audit_rules.matched == 0) or (find_existing_kernel_delete_module_32_audit_rules is defined and find_existing_kernel_delete_module_32_audit_rules.matched == 0) or (find_existing_kernel_finit_module_32_audit_rules is defined and find_existing_kernel_finit_module_32_audit_rules.matched == 0) and audit_kernel_line_32_audit_rules is defined ++ {{% endif %}} + + - name: Inserts/replaces the modules rule in audit.rules when on x86_64 + lineinfile: +- {{% if product == "rhel6" %}} +- line: "-a always,exit -F arch=b64 -S init_module -S delete_module -k modules" +- {{% else %}} +- line: "-a always,exit -F arch=b64 -S init_module -S delete_module -S finit_module -k modules" +- {{% endif %}} ++ line: "{{ audit_kernel_line_64_audit_rules }}" + state: present + dest: /etc/audit/audit.rules + create: yes +- when: audit_arch is defined and audit_arch == 'b64' ++ {{% if product == "rhel6" %}} ++ when: audit_arch is defined and audit_arch == 'b64' and (find_existing_kernel_init_module_64_audit_rules is defined and find_existing_kernel_init_module_64_audit_rules.matched == 0) or (find_existing_kernel_delete_module_64_audit_rules is defined and find_existing_kernel_delete_module_64_audit_rules.matched == 0) and audit_kernel_line_64_audit_rules is defined ++ {{% else %}} ++ when: audit_arch is defined and audit_arch == 'b64' and (find_existing_kernel_init_module_64_audit_rules is defined and find_existing_kernel_init_module_64_audit_rules.matched == 0) or (find_existing_kernel_delete_module_64_audit_rules is defined and find_existing_kernel_delete_module_64_audit_rules.matched == 0) or (find_existing_kernel_finit_module_64_audit_rules is defined and find_existing_kernel_finit_module_64_audit_rules.matched == 0) and audit_kernel_line_64_audit_rules is defined ++ {{% endif %}} +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/tests/syscalls_one_per_line_one_missing.fail.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/tests/syscalls_one_per_line_one_missing.fail.sh +new file mode 100644 +index 0000000000..13219b7ece +--- /dev/null ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/tests/syscalls_one_per_line_one_missing.fail.sh +@@ -0,0 +1,11 @@ ++#!/bin/bash ++# profiles = xccdf_org.ssgproject.content_profile_C2S ++# remediation = bash ++ ++# Use auditctl, on RHEL7, default is to use augenrules ++sed -i "s%^ExecStartPost=.*%ExecStartPost=-/sbin/auditctl%" /usr/lib/systemd/system/auditd.service ++ ++rm -f /etc/audit/rules.d/* ++ ++# cut out irrelevant rules for this test ++sed -e '11,18d' -e '/.*init.*/d' test_audit.rules > /etc/audit/audit.rules + +From 9ababe26e4ffb0ab96de75c5fd4f911811d1085a Mon Sep 17 00:00:00 2001 +From: Vojtech Polasek +Date: Fri, 24 Apr 2020 11:10:12 +0200 +Subject: [PATCH 3/8] fix metadata in tests + +--- + .../audit_rules_kernel_module_loading/tests/default.fail.sh | 2 +- + .../tests/syscalls_multiple_per_arg.pass.sh | 2 +- + .../tests/syscalls_one_per_arg.pass.sh | 2 +- + .../tests/syscalls_one_per_line.pass.sh | 2 +- + .../tests/syscalls_one_per_line_one_missing.fail.sh | 2 +- + 5 files changed, 5 insertions(+), 5 deletions(-) + +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/tests/default.fail.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/tests/default.fail.sh +index 43da7e67e5..c1ea54b990 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/tests/default.fail.sh ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/tests/default.fail.sh +@@ -1,6 +1,6 @@ + #!/bin/bash + # profiles = xccdf_org.ssgproject.content_profile_C2S +-# remediation = bash ++ + + rm -f /etc/audit/rules.d/* + > /etc/audit/audit.rules +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/tests/syscalls_multiple_per_arg.pass.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/tests/syscalls_multiple_per_arg.pass.sh +index af0ceda059..80d5e8d6d4 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/tests/syscalls_multiple_per_arg.pass.sh ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/tests/syscalls_multiple_per_arg.pass.sh +@@ -1,6 +1,6 @@ + #!/bin/bash + # profiles = xccdf_org.ssgproject.content_profile_C2S +-# remediation = bash ++ + + # Use auditctl, on RHEL7, default is to use augenrules + sed -i "s%^ExecStartPost=.*%ExecStartPost=-/sbin/auditctl%" /usr/lib/systemd/system/auditd.service +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/tests/syscalls_one_per_arg.pass.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/tests/syscalls_one_per_arg.pass.sh +index ccc2d4beee..0e162c7c94 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/tests/syscalls_one_per_arg.pass.sh ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/tests/syscalls_one_per_arg.pass.sh +@@ -1,6 +1,6 @@ + #!/bin/bash + # profiles = xccdf_org.ssgproject.content_profile_C2S +-# remediation = bash ++ + + # Use auditctl, on RHEL7, default is to use augenrules + sed -i "s%^ExecStartPost=.*%ExecStartPost=-/sbin/auditctl%" /usr/lib/systemd/system/auditd.service +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/tests/syscalls_one_per_line.pass.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/tests/syscalls_one_per_line.pass.sh +index 48e03e071d..a043f787bc 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/tests/syscalls_one_per_line.pass.sh ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/tests/syscalls_one_per_line.pass.sh +@@ -1,6 +1,6 @@ + #!/bin/bash + # profiles = xccdf_org.ssgproject.content_profile_C2S +-# remediation = bash ++ + + # Use auditctl, on RHEL7, default is to use augenrules + sed -i "s%^ExecStartPost=.*%ExecStartPost=-/sbin/auditctl%" /usr/lib/systemd/system/auditd.service +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/tests/syscalls_one_per_line_one_missing.fail.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/tests/syscalls_one_per_line_one_missing.fail.sh +index 13219b7ece..4d717db422 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/tests/syscalls_one_per_line_one_missing.fail.sh ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/tests/syscalls_one_per_line_one_missing.fail.sh +@@ -1,6 +1,6 @@ + #!/bin/bash + # profiles = xccdf_org.ssgproject.content_profile_C2S +-# remediation = bash ++ + + # Use auditctl, on RHEL7, default is to use augenrules + sed -i "s%^ExecStartPost=.*%ExecStartPost=-/sbin/auditctl%" /usr/lib/systemd/system/auditd.service + +From d16f0eb2ee839209bc2ace51da49ca795003a27c Mon Sep 17 00:00:00 2001 +From: Vojtech Polasek +Date: Fri, 24 Apr 2020 11:10:46 +0200 +Subject: [PATCH 4/8] rewrite audit_rules_kernel_module_loading remediation to + be effective + +--- + .../ansible/shared.yml | 364 ++++++------------ + 1 file changed, 108 insertions(+), 256 deletions(-) + +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/ansible/shared.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/ansible/shared.yml +index 17eb72a99d..e417e147ea 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/ansible/shared.yml ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/ansible/shared.yml +@@ -11,103 +11,73 @@ + set_fact: + audit_arch: "b{{ ansible_architecture | regex_replace('.*(\\d\\d$)','\\1') }}" + +-# +-# check if rules don't exist already +-# +- +-- name: Check if rule for x86 init_module already exists in /etc/audit/rules.d/* +- find: +- paths: "/etc/audit/rules.d/" +- contains: '^\s*-a\s+always,exit\s+-F\s+arch=b32\s+-S\s+init_module[\s$]+' +- patterns: "*.rules" +- register: find_existing_kernel_init_module_32_rules_d ++- name: Declare list of syscals ++ set_fact: ++ syscalls: ++ - "init_module" ++ - "delete_module" ++ {{% if product != "rhel6" %}} ++ - "finit_module" ++ {{% endif %}} + +-- name: Check if rule for x86 delete_module already exists in /etc/audit/rules.d/* +- find: +- paths: "/etc/audit/rules.d/" +- contains: '^\s*-a\s+always,exit\s+-F\s+arch=b32\s+-S\s+delete_module[\s$]+' +- patterns: "*.rules" +- register: find_existing_kernel_delete_module_32_rules_d ++- name: declare number of syscalls ++ set_fact: audit_kernel_number_of_syscalls="{{ syscalls|length|int }}" + +-- name: Check if rule for x86 finit_module already exists in /etc/audit/rules.d/* +- find: +- paths: "/etc/audit/rules.d/" +- contains: '^\s*-a\s+always,exit\s+-F\s+arch=b32\s+-S\s+finit_module[\s$]+' +- patterns: "*.rules" +- register: find_existing_kernel_finit_module_32_rules_d + +-- name: Check if rule for x86_64 init_module already exists in /etc/audit/rules.d/* ++- name: Check existence of syscalls for 32 bit architecture in /etc/audit/rules.d/* + find: +- paths: "/etc/audit/rules.d/" +- contains: '^\s*-a\s+always,exit\s+-F\s+arch=b64\s+-S\s+init_module[\s$]+' ++ paths: "/etc/audit/rules.d" ++ contains: '^\s*-a\s+always,exit\s+-F\s+arch=b32\s+.*-S\s+.*{{ item }}.*$' + patterns: "*.rules" +- register: find_existing_kernel_init_module_64_rules_d ++ register: audit_kernel_found_32_rules_d ++ loop: "{{ syscalls }}" + +-- name: Check if rule for x86_64 delete_module already exists in /etc/audit/rules.d/* +- find: +- paths: "/etc/audit/rules.d/" +- contains: '^\s*-a\s+always,exit\s+-F\s+arch=b64\s+-S\s+delete_module[\s$]+' +- patterns: "*.rules" +- register: find_existing_kernel_delete_module_64_rules_d ++- name: get number of matched 32 bit syscalls in /etc/audit/rules.d/* ++ set_fact: audit_kernel_matched_32_rules_d="{{audit_kernel_found_32_rules_d.results|sum(attribute='matched')|int }}" + +-- name: Check if rule for x86_64 finit_module already exists in /etc/audit/rules.d/* ++- name: Check existence of syscalls for 64 bit architecture in /etc/audit/rules.d/* + find: +- paths: "/etc/audit/rules.d/" +- contains: '^\s*-a\s+always,exit\s+-F\s+arch=b64\s+-S\s+finit_module[\s$]+' ++ paths: "/etc/audit/rules.d" ++ contains: '^\s*-a\s+always,exit\s+-F\s+arch=b64\s+.*-S\s+.*{{ item }}.*$' + patterns: "*.rules" +- register: find_existing_kernel_finit_module_64_rules_d ++ register: audit_kernel_found_64_rules_d ++ loop: "{{ syscalls }}" + +-- name: Check if rule for x86 init_module already exists in /etc/audit/audit.rules +- find: +- paths: "/etc/audit/" +- contains: '^\s*-a\s+always,exit\s+-F\s+arch=b32\s+-S\s+init_module[\s$]+' +- patterns: "audit.rules" +- register: find_existing_kernel_init_module_32_audit_rules +- +-- name: Check if rule for x86 delete_module already exists in /etc/audit/audit.rules +- find: +- paths: "/etc/audit/" +- contains: '^\s*-a\s+always,exit\s+-F\s+arch=b32\s+-S\s+delete_module[\s$]+' +- patterns: "audit.rules" +- register: find_existing_kernel_delete_module_32_audit_rules ++- name: get number of matched 64 bit syscalls in /etc/audit/rules.d/* ++ set_fact: audit_kernel_matched_64_rules_d="{{audit_kernel_found_64_rules_d.results|sum(attribute='matched')|int }}" + +-- name: Check if rule for x86 finit_module already exists in /etc/audit/audit.rules ++- name: Check existence of syscalls for 32 bit architecture in /etc/audit/audit.rules + find: +- paths: "/etc/audit/audit.rules" +- contains: '^\s*-a\s+always,exit\s+-F\s+arch=b32\s+-S\s+finit_module[\s$]+' ++ paths: "/etc/audit" ++ contains: '^\s*-a\s+always,exit\s+-F\s+arch=b32\s+.*-S\s+.*{{ item }}.*$' + patterns: "audit.rules" +- register: find_existing_kernel_finit_module_32_audit_rules ++ register: audit_kernel_found_32_audit_rules ++ loop: "{{ syscalls }}" + +-- name: Check if rule for x86_64 init_module already exists in /etc/audit/audit.rules +- find: +- paths: "/etc/audit/" +- contains: '^\s*-a\s+always,exit\s+-F\s+arch=b64\s+-S\s+init_module[\s$]+' +- patterns: "audit.rules" +- register: find_existing_kernel_init_module_64_audit_rules ++- name: get number of matched 32 bit syscalls in /etc/audit/audit.rules ++ set_fact: audit_kernel_matched_32_audit_rules="{{audit_kernel_found_32_audit_rules.results|sum(attribute='matched')|int }}" + +-- name: Check if rule for x86_64 delete_module already exists in /etc/audit/audit.rules ++- name: Check existence of syscalls for 64 bit architecture in /etc/audit/audit.rules + find: +- paths: "/etc/audit/" +- contains: '^\s*-a\s+always,exit\s+-F\s+arch=b64\s+-S\s+delete_module[\s$]+' ++ paths: "/etc/audit" ++ contains: '^\s*-a\s+always,exit\s+-F\s+arch=b64\s+.*-S\s+.*{{ item }}.*$' + patterns: "audit.rules" +- register: find_existing_kernel_delete_module_64_audit_rules ++ register: audit_kernel_found_64_audit_rules ++ loop: "{{ syscalls }}" + +-- name: Check if rule for x86_64 finit_module already exists in /etc/audit/audit.rules +- find: +- paths: "/etc/audit/" +- contains: '^\s*-a\s+always,exit\s+-F\s+arch=b64\s+-S\s+finit_module[\s$]+' +- patterns: "audit.rules" +- register: find_existing_kernel_finit_module_64_audit_rules ++- name: get number of matched 64 bit syscalls in /etc/audit/rules.d/* ++ set_fact: audit_kernel_matched_64_audit_rules="{{audit_kernel_found_64_audit_rules.results|sum(attribute='matched')|int }}" + + + # + # Inserts/replaces the rule in /etc/audit/rules.d + # ++ + - name: Search /etc/audit/rules.d for other kernel module loading audit rules + find: + paths: "/etc/audit/rules.d" + recurse: no +- contains: "-F key=modules$" ++ contains: "(-F key=modules)|(-k modules)$" + patterns: "*.rules" + register: find_modules + +@@ -123,197 +93,79 @@ + - "{{ find_modules.files | map(attribute='path') | list | first }}" + when: find_modules.matched is defined and find_modules.matched > 0 + +-# +-# create resulting lines to be inserted into appropriate files +-# +- +-- name: Start creating remediation line for 32 bit rule in /etc/audit/rules.d +- set_fact: +- audit_kernel_line_32_rules_d = "-a always,exit -F arch=b32 " +- {{% if product == "rhel6" %}} +- when: (find_existing_kernel_init_module_32_rules_d is defined and find_existing_kernel_init_module_32_rules_d.matched == 0) or (find_existing_kernel_delete_module_32_rules_d is defined and find_existing_kernel_delete_module_32_rules_d.matched == 0) +- {{% else %}} +- when: (find_existing_kernel_init_module_32_rules_d is defined and find_existing_kernel_init_module_32_rules_d.matched == 0) or (find_existing_kernel_delete_module_32_rules_d is defined and find_existing_kernel_delete_module_32_rules_d.matched == 0) or (find_existing_kernel_finit_module_32_rules_d is defined and find_existing_kernel_finit_module_32_rules_d.matched == 0) +- {{% endif %}} +- +-- name: add init_module into line for 32 bit rules.d +- set_fact: +- audit_kernel_line_32_rules_d= {{ audit_kernel_line_32_rules_d + '-S init_module ' }} +- when: find_existing_kernel_init_module_32_rules_d is defined and find_existing_kernel_init_module_32_rules_d.matched == 0 and audit_kernel_line_32_rules_d is defined +- +-- name: add delete_module into line for 32 bit rules.d +- set_fact: +- audit_kernel_line_32_rules_d= {{ audit_kernel_line_32_rules_d + '-S delete_module ' }} +- when: find_existing_kernel_delete_module_32_rules_d is defined and find_existing_kernel_delete_module_32_rules_d.matched == 0 and audit_kernel_line_32_rules_d is defined +- +-{{% if product != "rhel6" %}} +-- name: add finit_module into line for 32 bit rules.d +- set_fact: +- audit_kernel_line_32_rules_d= {{ audit_kernel_line_32_rules_d + '-S finit_module ' }} +- when: find_existing_kernel_finit_module_32_rules_d is defined and find_existing_finit_delete_module_32_rules_d.matched == 0 and audit_kernel_line_32_rules_d is defined +-{{% endif %}} +- +-- name: Finish creating remediation line for 32 bit rule in /etc/audit/rules.d +- set_fact: +- audit_kernel_line_32_rules_d= {{ audit_kernel_line_32_rules_d + '-k modules' }} +- {{% if product == "rhel6" %}} +- when: (find_existing_kernel_init_module_32_rules_d is defined and find_existing_kernel_init_module_32_rules_d.matched == 0) or (find_existing_kernel_delete_module_32_rules_d is defined and find_existing_kernel_delete_module_32_rules_d.matched == 0) and audit_kernel_line_32_rules_d is defined +- {{% else %}} +- when: (find_existing_kernel_init_module_32_rules_d is defined and find_existing_kernel_init_module_32_rules_d.matched == 0) or (find_existing_kernel_delete_module_32_rules_d is defined and find_existing_kernel_delete_module_32_rules_d.matched == 0) or (find_existing_kernel_finit_module_32_rules_d is defined and find_existing_kernel_finit_module_32_rules_d.matched == 0) and audit_kernel_line_32_rules_d is defined +- {{% endif %}} +- +-- name: Start creating remediation line for 64 bit rule in /etc/audit/rules.d +- set_fact: +- audit_kernel_line_64_rules_d = "-a always,exit -F arch=b64 " +- {{% if product == "rhel6" %}} +- when: (find_existing_kernel_init_module_64_rules_d is defined and find_existing_kernel_init_module_64_rules_d.matched == 0) or (find_existing_kernel_delete_module_64_rules_d is defined and find_existing_kernel_delete_module_64_rules_d.matched == 0) +- {{% else %}} +- when: (find_existing_kernel_init_module_64_rules_d is defined and find_existing_kernel_init_module_64_rules_d.matched == 0) or (find_existing_kernel_delete_module_64_rules_d is defined and find_existing_kernel_delete_module_64_rules_d.matched == 0) or (find_existing_kernel_finit_module_64_rules_d is defined and find_existing_kernel_finit_module_64_rules_d.matched == 0) +- {{% endif %}} +- +-- name: add init_module into line for 64 bit rules.d +- set_fact: +- audit_kernel_line_64_rules_d= {{ audit_kernel_line_64_rules_d + '-S init_module ' }} +- when: find_existing_kernel_init_module_64_rules_d is defined and find_existing_kernel_init_module_64_rules_d.matched == 0 and audit_kernel_line_64_rules_d is defined +- +-- name: add delete_module into line for 64 bit rules.d +- set_fact: +- audit_kernel_line_64_rules_d= {{ audit_kernel_line_64_rules_d + '-S delete_module ' }} +- when: find_existing_kernel_delete_module_64_rules_d is defined and find_existing_kernel_delete_module_64_rules_d.matched == 0 and audit_kernel_line_64_rules_d is defined +- +-{{% if product != "rhel6" %}} +-- name: add finit_module into line for 64 bit rules.d +- set_fact: +- audit_kernel_line_64_rules_d= {{ audit_kernel_line_64_rules_d + '-S finit_module ' }} +- when: find_existing_kernel_finit_module_64_rules_d is defined and find_existing_finit_delete_module_64_rules_d.matched == 0 and audit_kernel_line_64_rules_d is defined +-{{% endif %}} +- +-- name: Finish creating remediation line for 64 bit rule in /etc/audit/rules.d +- set_fact: +- audit_kernel_line_64_rules_d= {{ audit_kernel_line_64_rules_d + '-k modules' }} +- {{% if product == "rhel6" %}} +- when: (find_existing_kernel_init_module_64_rules_d is defined and find_existing_kernel_init_module_64_rules_d.matched == 0) or (find_existing_kernel_delete_module_64_rules_d is defined and find_existing_kernel_delete_module_64_rules_d.matched == 0) and audit_kernel_line_64_rules_d is defined +- {{% else %}} +- when: (find_existing_kernel_init_module_64_rules_d is defined and find_existing_kernel_init_module_64_rules_d.matched == 0) or (find_existing_kernel_delete_module_64_rules_d is defined and find_existing_kernel_delete_module_64_rules_d.matched == 0) or (find_existing_kernel_finit_module_64_rules_d is defined and find_existing_kernel_finit_module_64_rules_d.matched == 0) and audit_kernel_line_64_rules_d is defined +- {{% endif %}} +- +-- name: Start creating remediation line for 32 bit rule in /etc/audit/audit.rules +- set_fact: +- audit_kernel_line_32_audit_rules = "-a always,exit -F arch=b32 " +- {{% if product == "rhel6" %}} +- when: (find_existing_kernel_init_module_32_audit_rules is defined and find_existing_kernel_init_module_32_audit_rules.matched == 0) or (find_existing_kernel_delete_module_32_audit_rules is defined and find_existing_kernel_delete_module_32_audit_rules.matched == 0) +- {{% else %}} +- when: (find_existing_kernel_init_module_32_audit_rules is defined and find_existing_kernel_init_module_32_audit_rules.matched == 0) or (find_existing_kernel_delete_module_32_audit_rules is defined and find_existing_kernel_delete_module_32_audit_rules.matched == 0) or (find_existing_kernel_finit_module_32_audit_rules is defined and find_existing_kernel_finit_module_32_audit_rules.matched == 0) +- {{% endif %}} +- +-- name: add init_module into line for 32 bit rules.d +- set_fact: +- audit_kernel_line_32_audit_rules= {{ audit_kernel_line_32_audit_rules + '-S init_module ' }} +- when: find_existing_kernel_init_module_32_audit_rules is defined and find_existing_kernel_init_module_32_audit_rules.matched == 0 and audit_kernel_line_32_audit_rules is defined +- +-- name: add delete_module into line for 32 bit rules.d +- set_fact: +- audit_kernel_line_32_audit_rules= {{ audit_kernel_line_32_audit_rules + '-S delete_module ' }} +- when: find_existing_kernel_delete_module_32_audit_rules is defined and find_existing_kernel_delete_module_32_audit_rules.matched == 0 and audit_kernel_line_32_audit_rules is defined +- +-{{% if product != "rhel6" %}} +-- name: add finit_module into line for 32 bit rules.d +- set_fact: +- audit_kernel_line_32_audit_rules= {{ audit_kernel_line_32_audit_rules + '-S finit_module ' }} +- when: find_existing_kernel_finit_module_32_audit_rules is defined and find_existing_finit_delete_module_32_audit_rules.matched == 0 and audit_kernel_line_32_audit_rules is defined +-{{% endif %}} +- +-- name: Finish creating remediation line for 32 bit rule in /etc/audit/audit.rules +- set_fact: +- audit_kernel_line_32_audit_rules= {{ audit_kernel_line_32_audit_rules + '-k modules' }} +- {{% if product == "rhel6" %}} +- when: (find_existing_kernel_init_module_32_audit_rules is defined and find_existing_kernel_init_module_32_audit_rules.matched == 0) or (find_existing_kernel_delete_module_32_audit_rules is defined and find_existing_kernel_delete_module_32_audit_rules.matched == 0) and audit_kernel_line_32_audit_rules is defined +- {{% else %}} +- when: (find_existing_kernel_init_module_32_audit_rules is defined and find_existing_kernel_init_module_32_audit_rules.matched == 0) or (find_existing_kernel_delete_module_32_audit_rules is defined and find_existing_kernel_delete_module_32_audit_rules.matched == 0) or (find_existing_kernel_finit_module_32_audit_rules is defined and find_existing_kernel_finit_module_32_audit_rules.matched == 0) and audit_kernel_line_32_audit_rules is defined +- {{% endif %}} +- +-- name: Start creating remediation line for 64 bit rule in /etc/audit/audit.rules +- set_fact: +- audit_kernel_line_64_audit_rules = "-a always,exit -F arch=b64 " +- {{% if product == "rhel6" %}} +- when: (find_existing_kernel_init_module_64_audit_rules is defined and find_existing_kernel_init_module_64_audit_rules.matched == 0) or (find_existing_kernel_delete_module_64_audit_rules is defined and find_existing_kernel_delete_module_64_audit_rules.matched == 0) +- {{% else %}} +- when: (find_existing_kernel_init_module_64_audit_rules is defined and find_existing_kernel_init_module_64_audit_rules.matched == 0) or (find_existing_kernel_delete_module_64_audit_rules is defined and find_existing_kernel_delete_module_64_audit_rules.matched == 0) or (find_existing_kernel_finit_module_64_audit_rules is defined and find_existing_kernel_finit_module_64_audit_rules.matched == 0) +- {{% endif %}} +- +-- name: add init_module into line for 64 bit rules.d +- set_fact: +- audit_kernel_line_64_audit_rules= {{ audit_kernel_line_64_audit_rules + '-S init_module ' }} +- when: find_existing_kernel_init_module_64_audit_rules is defined and find_existing_kernel_init_module_64_audit_rules.matched == 0 and audit_kernel_line_64_audit_rules is defined +- +-- name: add delete_module into line for 64 bit rules.d +- set_fact: +- audit_kernel_line_64_audit_rules= {{ audit_kernel_line_64_audit_rules + '-S delete_module ' }} +- when: find_existing_kernel_delete_module_64_audit_rules is defined and find_existing_kernel_delete_module_64_audit_rules.matched == 0 and audit_kernel_line_64_audit_rules is defined +- +-{{% if product != "rhel6" %}} +-- name: add finit_module into line for 64 bit rules.d +- set_fact: +- audit_kernel_line_64_audit_rules= {{ audit_kernel_line_64_audit_rules + '-S finit_module ' }} +- when: find_existing_kernel_finit_module_64_audit_rules is defined and find_existing_finit_delete_module_64_audit_rules.matched == 0 and audit_kernel_line_64_audit_rules is defined +-{{% endif %}} +- +-- name: Finish creating remediation line for 64 bit rule in /etc/audit/audit.rules +- set_fact: +- audit_kernel_line_64_audit_rules= {{ audit_kernel_line_64_audit_rules + '-k modules' }} +- {{% if product == "rhel6" %}} +- when: (find_existing_kernel_init_module_64_audit_rules is defined and find_existing_kernel_init_module_64_audit_rules.matched == 0) or (find_existing_kernel_delete_module_64_audit_rules is defined and find_existing_kernel_delete_module_64_audit_rules.matched == 0) and audit_kernel_line_64_audit_rules is defined +- {{% else %}} +- when: (find_existing_kernel_init_module_64_audit_rules is defined and find_existing_kernel_init_module_64_audit_rules.matched == 0) or (find_existing_kernel_delete_module_64_audit_rules is defined and find_existing_kernel_delete_module_64_audit_rules.matched == 0) or (find_existing_kernel_finit_module_64_audit_rules is defined and find_existing_kernel_finit_module_64_audit_rules.matched == 0) and audit_kernel_line_64_audit_rules is defined +- {{% endif %}} +- +- +- + - name: Inserts/replaces the modules rule in rules.d when on x86 +- lineinfile: +- path: "{{ all_files[0] }}" +- line: "{{ audit_kernel_line_32_rules_d }}" +- create: yes +- {{% if product == "rhel6" %}} +- when: (find_existing_kernel_init_module_32_rules_d is defined and find_existing_kernel_init_module_32_rules_d.matched == 0) or (find_existing_kernel_delete_module_32_rules_d is defined and find_existing_kernel_delete_module_32_rules_d.matched == 0) and audit_kernel_line_32_rules_d is defined +- {{% else %}} +- when: (find_existing_kernel_init_module_32_rules_d is defined and find_existing_kernel_init_module_32_rules_d.matched == 0) or (find_existing_kernel_delete_module_32_rules_d is defined and find_existing_kernel_delete_module_32_rules_d.matched == 0) or (find_existing_kernel_finit_module_32_rules_d is defined and find_existing_kernel_finit_module_32_rules_d.matched == 0) and audit_kernel_line_32_rules_d is defined +- {{% endif %}} ++ block: ++ - name: start the line ++ set_fact: tmpline="-a always,exit -F arch=b32 " ++ - name: add syscalls ++ set_fact: tmpline="{{tmpline + '-S ' + item.item + ' ' }}" ++ loop: "{{ audit_kernel_found_32_rules_d.results }}" ++ when: item.matched is defined and item.matched == 0 ++ - name: finish the line ++ set_fact: tmpline="{{ tmpline + '-k modules' }}" ++ - name: insert/replace the line in appropriate file ++ lineinfile: ++ path: "{{ all_files[0] }}" ++ line: "{{ tmpline }}" ++ create: true ++ state: present ++ when: audit_kernel_matched_32_rules_d < audit_kernel_number_of_syscalls + + - name: Inserts/replaces the modules rule in rules.d when on x86_64 +- lineinfile: +- path: "{{ all_files[0] }}" +- line: "{{ audit_kernel_line_32_rules_d }}" +- create: yes +- {{% if product == "rhel6" %}} +- when: audit_arch is defined and audit_arch == 'b64' and (find_existing_kernel_init_module_64_rules_d is defined and find_existing_kernel_init_module_64_rules_d.matched == 0) or (find_existing_kernel_delete_module_64_rules_d is defined and find_existing_kernel_delete_module_64_rules_d.matched == 0) and audit_kernel_line_64_rules_d is defined +- {{% else %}} +- when: audit_arch is defined and audit_arch == 'b64' and (find_existing_kernel_init_module_64_rules_d is defined and find_existing_kernel_init_module_64_rules_d.matched == 0) or (find_existing_kernel_delete_module_64_rules_d is defined and find_existing_kernel_delete_module_64_rules_d.matched == 0) or (find_existing_kernel_finit_module_64_rules_d is defined and find_existing_kernel_finit_module_64_rules_d.matched == 0) and audit_kernel_line_64_rules_d is defined +- {{% endif %}} ++ block: ++ - name: start the line ++ set_fact: tmpline="-a always,exit -F arch=b64 " ++ - name: add syscalls ++ set_fact: tmpline="{{tmpline + '-S ' + item.item + ' ' }}" ++ loop: "{{ audit_kernel_found_64_rules_d.results }}" ++ when: item.matched is defined and item.matched == 0 ++ - name: finish the line ++ set_fact: tmpline="{{ tmpline + '-k modules' }}" ++ - name: insert/replace the line in appropriate file ++ lineinfile: ++ path: "{{ all_files[0] }}" ++ line: "{{ tmpline }}" ++ create: true ++ state: present ++ when: audit_kernel_matched_64_rules_d < audit_kernel_number_of_syscalls and audit_arch is defined and audit_arch == 'b64' ++ + + # + # Inserts/replaces the rule in /etc/audit/audit.rules + # +-- name: Inserts/replaces the modules rule in /etc/audit/audit.rules when on x86 +- lineinfile: +- line: "{{ audit_kernel_line_32_audit_rules }}" +- state: present +- dest: /etc/audit/audit.rules +- create: yes +- {{% if product == "rhel6" %}} +- when: (find_existing_kernel_init_module_32_audit_rules is defined and find_existing_kernel_init_module_32_audit_rules.matched == 0) or (find_existing_kernel_delete_module_32_audit_rules is defined and find_existing_kernel_delete_module_32_audit_rules.matched == 0) and audit_kernel_line_32_audit_rules is defined +- {{% else %}} +- when: (find_existing_kernel_init_module_32_audit_rules is defined and find_existing_kernel_init_module_32_audit_rules.matched == 0) or (find_existing_kernel_delete_module_32_audit_rules is defined and find_existing_kernel_delete_module_32_audit_rules.matched == 0) or (find_existing_kernel_finit_module_32_audit_rules is defined and find_existing_kernel_finit_module_32_audit_rules.matched == 0) and audit_kernel_line_32_audit_rules is defined +- {{% endif %}} + +-- name: Inserts/replaces the modules rule in audit.rules when on x86_64 +- lineinfile: +- line: "{{ audit_kernel_line_64_audit_rules }}" +- state: present +- dest: /etc/audit/audit.rules +- create: yes +- {{% if product == "rhel6" %}} +- when: audit_arch is defined and audit_arch == 'b64' and (find_existing_kernel_init_module_64_audit_rules is defined and find_existing_kernel_init_module_64_audit_rules.matched == 0) or (find_existing_kernel_delete_module_64_audit_rules is defined and find_existing_kernel_delete_module_64_audit_rules.matched == 0) and audit_kernel_line_64_audit_rules is defined +- {{% else %}} +- when: audit_arch is defined and audit_arch == 'b64' and (find_existing_kernel_init_module_64_audit_rules is defined and find_existing_kernel_init_module_64_audit_rules.matched == 0) or (find_existing_kernel_delete_module_64_audit_rules is defined and find_existing_kernel_delete_module_64_audit_rules.matched == 0) or (find_existing_kernel_finit_module_64_audit_rules is defined and find_existing_kernel_finit_module_64_audit_rules.matched == 0) and audit_kernel_line_64_audit_rules is defined +- {{% endif %}} ++- name: Inserts/replaces the modules rule in audit.rules when on x86 ++ block: ++ - name: start the line ++ set_fact: tmpline="-a always,exit -F arch=b32 " ++ - name: add syscalls ++ set_fact: tmpline="{{tmpline + '-S ' + item.item + ' ' }}" ++ loop: "{{ audit_kernel_found_32_audit_rules.results }}" ++ when: item.matched is defined and item.matched == 0 ++ - name: finish the line ++ set_fact: tmpline="{{ tmpline + '-k modules' }}" ++ - name: insert/replace the line in appropriate file ++ lineinfile: ++ path: "/etc/audit/audit.rules" ++ line: "{{ tmpline }}" ++ create: true ++ state: present ++ when: audit_kernel_matched_32_audit_rules < audit_kernel_number_of_syscalls ++ ++- name: Inserts/replaces the modules rule in rules.d when on x86_64 ++ block: ++ - name: start the line ++ set_fact: tmpline="-a always,exit -F arch=b64 " ++ - name: add syscalls ++ set_fact: tmpline="{{tmpline + '-S ' + item.item + ' ' }}" ++ loop: "{{ audit_kernel_found_64_audit_rules.results }}" ++ when: item.matched is defined and item.matched == 0 ++ - name: finish the line ++ set_fact: tmpline="{{ tmpline + '-k modules' }}" ++ - name: insert/replace the line in appropriate file ++ lineinfile: ++ path: "/etc/audit/audit.rules" ++ line: "{{ tmpline }}" ++ create: true ++ state: present ++ when: audit_kernel_matched_64_audit_rules < audit_kernel_number_of_syscalls and audit_arch is defined and audit_arch == 'b64' + +From 9ab15b0a7926d8d017753d1ce9189ed22e81c35c Mon Sep 17 00:00:00 2001 +From: Vojtech Polasek +Date: Fri, 24 Apr 2020 15:55:19 +0200 +Subject: [PATCH 5/8] fix regex and task descriptions + +--- + .../ansible/shared.yml | 52 +++++++++---------- + 1 file changed, 26 insertions(+), 26 deletions(-) + +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/ansible/shared.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/ansible/shared.yml +index e417e147ea..c82077b57a 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/ansible/shared.yml ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/ansible/shared.yml +@@ -27,7 +27,7 @@ + - name: Check existence of syscalls for 32 bit architecture in /etc/audit/rules.d/* + find: + paths: "/etc/audit/rules.d" +- contains: '^\s*-a\s+always,exit\s+-F\s+arch=b32\s+.*-S\s+.*{{ item }}.*$' ++ contains: '^\s*-a\s+always,exit\s+-F\s+arch=b32\s+.*-S\s+.*[\s,]+{{ item }}[\s,]+.*$' + patterns: "*.rules" + register: audit_kernel_found_32_rules_d + loop: "{{ syscalls }}" +@@ -38,7 +38,7 @@ + - name: Check existence of syscalls for 64 bit architecture in /etc/audit/rules.d/* + find: + paths: "/etc/audit/rules.d" +- contains: '^\s*-a\s+always,exit\s+-F\s+arch=b64\s+.*-S\s+.*{{ item }}.*$' ++ contains: '^\s*-a\s+always,exit\s+-F\s+arch=b64\s+.*-S\s+.*[\s,]+{{ item }}[\s,]+.*$' + patterns: "*.rules" + register: audit_kernel_found_64_rules_d + loop: "{{ syscalls }}" +@@ -49,7 +49,7 @@ + - name: Check existence of syscalls for 32 bit architecture in /etc/audit/audit.rules + find: + paths: "/etc/audit" +- contains: '^\s*-a\s+always,exit\s+-F\s+arch=b32\s+.*-S\s+.*{{ item }}.*$' ++ contains: '^\s*-a\s+always,exit\s+-F\s+arch=b32\s+.*-S\s+.*[\s,]+{{ item }}[\s,]+.*$' + patterns: "audit.rules" + register: audit_kernel_found_32_audit_rules + loop: "{{ syscalls }}" +@@ -60,7 +60,7 @@ + - name: Check existence of syscalls for 64 bit architecture in /etc/audit/audit.rules + find: + paths: "/etc/audit" +- contains: '^\s*-a\s+always,exit\s+-F\s+arch=b64\s+.*-S\s+.*{{ item }}.*$' ++ contains: '^\s*-a\s+always,exit\s+-F\s+arch=b64\s+.*-S\s+.*[\s,]+{{ item }}[\s,]+.*$' + patterns: "audit.rules" + register: audit_kernel_found_64_audit_rules + loop: "{{ syscalls }}" +@@ -70,7 +70,7 @@ + + + # +-# Inserts/replaces the rule in /etc/audit/rules.d ++# Inserts the rule in /etc/audit/rules.d + # + + - name: Search /etc/audit/rules.d for other kernel module loading audit rules +@@ -93,17 +93,17 @@ + - "{{ find_modules.files | map(attribute='path') | list | first }}" + when: find_modules.matched is defined and find_modules.matched > 0 + +-- name: Inserts/replaces the modules rule in rules.d when on x86 ++- name: Inserts the modules rule in rules.d when on x86 + block: +- - name: start the line ++ - name: "Construct rule: add rule list, action and arch" + set_fact: tmpline="-a always,exit -F arch=b32 " +- - name: add syscalls ++ - name: "Construct rule: add syscalls" + set_fact: tmpline="{{tmpline + '-S ' + item.item + ' ' }}" + loop: "{{ audit_kernel_found_32_rules_d.results }}" + when: item.matched is defined and item.matched == 0 +- - name: finish the line ++ - name: "Construct rule: add key" + set_fact: tmpline="{{ tmpline + '-k modules' }}" +- - name: insert/replace the line in appropriate file ++ - name: insert the line in appropriate file + lineinfile: + path: "{{ all_files[0] }}" + line: "{{ tmpline }}" +@@ -111,17 +111,17 @@ + state: present + when: audit_kernel_matched_32_rules_d < audit_kernel_number_of_syscalls + +-- name: Inserts/replaces the modules rule in rules.d when on x86_64 ++- name: Inserts the modules rule in rules.d when on x86_64 + block: +- - name: start the line ++ - name: "Construct rule: add rule list, action and arch" + set_fact: tmpline="-a always,exit -F arch=b64 " +- - name: add syscalls ++ - name: "Construct rule: add syscalls" + set_fact: tmpline="{{tmpline + '-S ' + item.item + ' ' }}" + loop: "{{ audit_kernel_found_64_rules_d.results }}" + when: item.matched is defined and item.matched == 0 +- - name: finish the line ++ - name: "Construct rule: add key" + set_fact: tmpline="{{ tmpline + '-k modules' }}" +- - name: insert/replace the line in appropriate file ++ - name: insert the line in appropriate file + lineinfile: + path: "{{ all_files[0] }}" + line: "{{ tmpline }}" +@@ -131,20 +131,20 @@ + + + # +-# Inserts/replaces the rule in /etc/audit/audit.rules ++# Inserts the rule in /etc/audit/audit.rules + # + +-- name: Inserts/replaces the modules rule in audit.rules when on x86 ++- name: Inserts the modules rule in audit.rules when on x86 + block: +- - name: start the line ++ - name: "Construct rule: add rule list, action and arch" + set_fact: tmpline="-a always,exit -F arch=b32 " +- - name: add syscalls ++ - name: "Construct rule: add syscalls" + set_fact: tmpline="{{tmpline + '-S ' + item.item + ' ' }}" + loop: "{{ audit_kernel_found_32_audit_rules.results }}" + when: item.matched is defined and item.matched == 0 +- - name: finish the line ++ - name: "Construct rule: add key" + set_fact: tmpline="{{ tmpline + '-k modules' }}" +- - name: insert/replace the line in appropriate file ++ - name: insert the line in appropriate file + lineinfile: + path: "/etc/audit/audit.rules" + line: "{{ tmpline }}" +@@ -152,17 +152,17 @@ + state: present + when: audit_kernel_matched_32_audit_rules < audit_kernel_number_of_syscalls + +-- name: Inserts/replaces the modules rule in rules.d when on x86_64 ++- name: Inserts the modules rule in rules.d when on x86_64 + block: +- - name: start the line ++ - name: "Construct rule: add rule list, action and arch" + set_fact: tmpline="-a always,exit -F arch=b64 " +- - name: add syscalls ++ - name: "Construct rule: add syscalls" + set_fact: tmpline="{{tmpline + '-S ' + item.item + ' ' }}" + loop: "{{ audit_kernel_found_64_audit_rules.results }}" + when: item.matched is defined and item.matched == 0 +- - name: finish the line ++ - name: "Construct rule: add key" + set_fact: tmpline="{{ tmpline + '-k modules' }}" +- - name: insert/replace the line in appropriate file ++ - name: insert the line in appropriate file + lineinfile: + path: "/etc/audit/audit.rules" + line: "{{ tmpline }}" + +From 391d2319bd0091271ff927300211eb0462aa84c3 Mon Sep 17 00:00:00 2001 +From: Vojtech Polasek +Date: Fri, 24 Apr 2020 16:07:36 +0200 +Subject: [PATCH 6/8] reorder tasks to improve readability + +--- + .../ansible/shared.yml | 54 +++++++++---------- + 1 file changed, 26 insertions(+), 28 deletions(-) + +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/ansible/shared.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/ansible/shared.yml +index c82077b57a..865e77ed40 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/ansible/shared.yml ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/ansible/shared.yml +@@ -23,6 +23,9 @@ + - name: declare number of syscalls + set_fact: audit_kernel_number_of_syscalls="{{ syscalls|length|int }}" + ++# ++#rules in /etc/audit/rules.d/* ++# + + - name: Check existence of syscalls for 32 bit architecture in /etc/audit/rules.d/* + find: +@@ -46,33 +49,6 @@ + - name: get number of matched 64 bit syscalls in /etc/audit/rules.d/* + set_fact: audit_kernel_matched_64_rules_d="{{audit_kernel_found_64_rules_d.results|sum(attribute='matched')|int }}" + +-- name: Check existence of syscalls for 32 bit architecture in /etc/audit/audit.rules +- find: +- paths: "/etc/audit" +- contains: '^\s*-a\s+always,exit\s+-F\s+arch=b32\s+.*-S\s+.*[\s,]+{{ item }}[\s,]+.*$' +- patterns: "audit.rules" +- register: audit_kernel_found_32_audit_rules +- loop: "{{ syscalls }}" +- +-- name: get number of matched 32 bit syscalls in /etc/audit/audit.rules +- set_fact: audit_kernel_matched_32_audit_rules="{{audit_kernel_found_32_audit_rules.results|sum(attribute='matched')|int }}" +- +-- name: Check existence of syscalls for 64 bit architecture in /etc/audit/audit.rules +- find: +- paths: "/etc/audit" +- contains: '^\s*-a\s+always,exit\s+-F\s+arch=b64\s+.*-S\s+.*[\s,]+{{ item }}[\s,]+.*$' +- patterns: "audit.rules" +- register: audit_kernel_found_64_audit_rules +- loop: "{{ syscalls }}" +- +-- name: get number of matched 64 bit syscalls in /etc/audit/rules.d/* +- set_fact: audit_kernel_matched_64_audit_rules="{{audit_kernel_found_64_audit_rules.results|sum(attribute='matched')|int }}" +- +- +-# +-# Inserts the rule in /etc/audit/rules.d +-# +- + - name: Search /etc/audit/rules.d for other kernel module loading audit rules + find: + paths: "/etc/audit/rules.d" +@@ -131,9 +107,31 @@ + + + # +-# Inserts the rule in /etc/audit/audit.rules ++# rules in /etc/audit/audit.rules + # + ++- name: Check existence of syscalls for 32 bit architecture in /etc/audit/audit.rules ++ find: ++ paths: "/etc/audit" ++ contains: '^\s*-a\s+always,exit\s+-F\s+arch=b32\s+.*-S\s+.*[\s,]+{{ item }}[\s,]+.*$' ++ patterns: "audit.rules" ++ register: audit_kernel_found_32_audit_rules ++ loop: "{{ syscalls }}" ++ ++- name: get number of matched 32 bit syscalls in /etc/audit/audit.rules ++ set_fact: audit_kernel_matched_32_audit_rules="{{audit_kernel_found_32_audit_rules.results|sum(attribute='matched')|int }}" ++ ++- name: Check existence of syscalls for 64 bit architecture in /etc/audit/audit.rules ++ find: ++ paths: "/etc/audit" ++ contains: '^\s*-a\s+always,exit\s+-F\s+arch=b64\s+.*-S\s+.*[\s,]+{{ item }}[\s,]+.*$' ++ patterns: "audit.rules" ++ register: audit_kernel_found_64_audit_rules ++ loop: "{{ syscalls }}" ++ ++- name: get number of matched 64 bit syscalls in /etc/audit/rules.d/* ++ set_fact: audit_kernel_matched_64_audit_rules="{{audit_kernel_found_64_audit_rules.results|sum(attribute='matched')|int }}" ++ + - name: Inserts the modules rule in audit.rules when on x86 + block: + - name: "Construct rule: add rule list, action and arch" + +From c665c7949d8cc765fd489f839b73e38404ec466b Mon Sep 17 00:00:00 2001 +From: Vojtech Polasek +Date: Mon, 27 Apr 2020 09:32:01 +0200 +Subject: [PATCH 7/8] fix task names + +--- + .../ansible/shared.yml | 32 +++++++++---------- + 1 file changed, 16 insertions(+), 16 deletions(-) + +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/ansible/shared.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/ansible/shared.yml +index 865e77ed40..ba45d40dcb 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/ansible/shared.yml ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/ansible/shared.yml +@@ -20,14 +20,14 @@ + - "finit_module" + {{% endif %}} + +-- name: declare number of syscalls ++- name: Declare number of syscalls + set_fact: audit_kernel_number_of_syscalls="{{ syscalls|length|int }}" + + # + #rules in /etc/audit/rules.d/* + # + +-- name: Check existence of syscalls for 32 bit architecture in /etc/audit/rules.d/* ++- name: Check existence of syscalls for 32 bit architecture in /etc/audit/rules.d/ + find: + paths: "/etc/audit/rules.d" + contains: '^\s*-a\s+always,exit\s+-F\s+arch=b32\s+.*-S\s+.*[\s,]+{{ item }}[\s,]+.*$' +@@ -35,10 +35,10 @@ + register: audit_kernel_found_32_rules_d + loop: "{{ syscalls }}" + +-- name: get number of matched 32 bit syscalls in /etc/audit/rules.d/* ++- name: Get number of matched 32 bit syscalls in /etc/audit/rules.d/ + set_fact: audit_kernel_matched_32_rules_d="{{audit_kernel_found_32_rules_d.results|sum(attribute='matched')|int }}" + +-- name: Check existence of syscalls for 64 bit architecture in /etc/audit/rules.d/* ++- name: Check existence of syscalls for 64 bit architecture in /etc/audit/rules.d/ + find: + paths: "/etc/audit/rules.d" + contains: '^\s*-a\s+always,exit\s+-F\s+arch=b64\s+.*-S\s+.*[\s,]+{{ item }}[\s,]+.*$' +@@ -46,7 +46,7 @@ + register: audit_kernel_found_64_rules_d + loop: "{{ syscalls }}" + +-- name: get number of matched 64 bit syscalls in /etc/audit/rules.d/* ++- name: Get number of matched 64 bit syscalls in /etc/audit/rules.d/ + set_fact: audit_kernel_matched_64_rules_d="{{audit_kernel_found_64_rules_d.results|sum(attribute='matched')|int }}" + + - name: Search /etc/audit/rules.d for other kernel module loading audit rules +@@ -57,7 +57,7 @@ + patterns: "*.rules" + register: find_modules + +-- name: If existing kernel module loading ruleset not found, use /etc/audit/rules.d/modules.rules as the recipient for the rule ++- name: Use /etc/audit/rules.d/modules.rules as the recipient for the rule + set_fact: + all_files: + - /etc/audit/rules.d/modules.rules +@@ -69,7 +69,7 @@ + - "{{ find_modules.files | map(attribute='path') | list | first }}" + when: find_modules.matched is defined and find_modules.matched > 0 + +-- name: Inserts the modules rule in rules.d when on x86 ++- name: "Insert the modules rule in {{ all_files[0] }} when on x86" + block: + - name: "Construct rule: add rule list, action and arch" + set_fact: tmpline="-a always,exit -F arch=b32 " +@@ -79,7 +79,7 @@ + when: item.matched is defined and item.matched == 0 + - name: "Construct rule: add key" + set_fact: tmpline="{{ tmpline + '-k modules' }}" +- - name: insert the line in appropriate file ++ - name: "Insert the line in {{ all_files[0] }}" + lineinfile: + path: "{{ all_files[0] }}" + line: "{{ tmpline }}" +@@ -87,7 +87,7 @@ + state: present + when: audit_kernel_matched_32_rules_d < audit_kernel_number_of_syscalls + +-- name: Inserts the modules rule in rules.d when on x86_64 ++- name: "Insert the modules rule in {{ all_files[0] }} when on x86_64" + block: + - name: "Construct rule: add rule list, action and arch" + set_fact: tmpline="-a always,exit -F arch=b64 " +@@ -97,7 +97,7 @@ + when: item.matched is defined and item.matched == 0 + - name: "Construct rule: add key" + set_fact: tmpline="{{ tmpline + '-k modules' }}" +- - name: insert the line in appropriate file ++ - name: "Insert the line in {{ all_files[0] }}" + lineinfile: + path: "{{ all_files[0] }}" + line: "{{ tmpline }}" +@@ -118,7 +118,7 @@ + register: audit_kernel_found_32_audit_rules + loop: "{{ syscalls }}" + +-- name: get number of matched 32 bit syscalls in /etc/audit/audit.rules ++- name: Get number of matched 32 bit syscalls in /etc/audit/audit.rules + set_fact: audit_kernel_matched_32_audit_rules="{{audit_kernel_found_32_audit_rules.results|sum(attribute='matched')|int }}" + + - name: Check existence of syscalls for 64 bit architecture in /etc/audit/audit.rules +@@ -129,10 +129,10 @@ + register: audit_kernel_found_64_audit_rules + loop: "{{ syscalls }}" + +-- name: get number of matched 64 bit syscalls in /etc/audit/rules.d/* ++- name: Get number of matched 64 bit syscalls in /etc/audit/rules.d/* + set_fact: audit_kernel_matched_64_audit_rules="{{audit_kernel_found_64_audit_rules.results|sum(attribute='matched')|int }}" + +-- name: Inserts the modules rule in audit.rules when on x86 ++- name: Insert the modules rule in /etc/audit/audit.rules when on x86 + block: + - name: "Construct rule: add rule list, action and arch" + set_fact: tmpline="-a always,exit -F arch=b32 " +@@ -142,7 +142,7 @@ + when: item.matched is defined and item.matched == 0 + - name: "Construct rule: add key" + set_fact: tmpline="{{ tmpline + '-k modules' }}" +- - name: insert the line in appropriate file ++ - name: Insert the line in /etc/audit/audit.rules + lineinfile: + path: "/etc/audit/audit.rules" + line: "{{ tmpline }}" +@@ -150,7 +150,7 @@ + state: present + when: audit_kernel_matched_32_audit_rules < audit_kernel_number_of_syscalls + +-- name: Inserts the modules rule in rules.d when on x86_64 ++- name: Insert the modules rule in /etc/audit/rules.d when on x86_64 + block: + - name: "Construct rule: add rule list, action and arch" + set_fact: tmpline="-a always,exit -F arch=b64 " +@@ -160,7 +160,7 @@ + when: item.matched is defined and item.matched == 0 + - name: "Construct rule: add key" + set_fact: tmpline="{{ tmpline + '-k modules' }}" +- - name: insert the line in appropriate file ++ - name: Insert the line in /etc/audit/audit.rules + lineinfile: + path: "/etc/audit/audit.rules" + line: "{{ tmpline }}" + +From f8c997abea70edc40c29afd81f134da788f7c1b2 Mon Sep 17 00:00:00 2001 +From: Vojtech Polasek +Date: Mon, 27 Apr 2020 11:59:25 +0200 +Subject: [PATCH 8/8] fix regex to prevent duplicate lines + +--- + .../audit_rules_kernel_module_loading/ansible/shared.yml | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/ansible/shared.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/ansible/shared.yml +index ba45d40dcb..9d028a598d 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/ansible/shared.yml ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/ansible/shared.yml +@@ -30,7 +30,7 @@ + - name: Check existence of syscalls for 32 bit architecture in /etc/audit/rules.d/ + find: + paths: "/etc/audit/rules.d" +- contains: '^\s*-a\s+always,exit\s+-F\s+arch=b32\s+.*-S\s+.*[\s,]+{{ item }}[\s,]+.*$' ++ contains: '^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+{{ item }}[\s]+|([\s]+|[,]){{ item }}([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$' + patterns: "*.rules" + register: audit_kernel_found_32_rules_d + loop: "{{ syscalls }}" +@@ -41,7 +41,7 @@ + - name: Check existence of syscalls for 64 bit architecture in /etc/audit/rules.d/ + find: + paths: "/etc/audit/rules.d" +- contains: '^\s*-a\s+always,exit\s+-F\s+arch=b64\s+.*-S\s+.*[\s,]+{{ item }}[\s,]+.*$' ++ contains: '^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+{{ item }}[\s]+|([\s]+|[,]){{ item }}([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$' + patterns: "*.rules" + register: audit_kernel_found_64_rules_d + loop: "{{ syscalls }}" +@@ -113,7 +113,7 @@ + - name: Check existence of syscalls for 32 bit architecture in /etc/audit/audit.rules + find: + paths: "/etc/audit" +- contains: '^\s*-a\s+always,exit\s+-F\s+arch=b32\s+.*-S\s+.*[\s,]+{{ item }}[\s,]+.*$' ++ contains: '^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+{{ item }}[\s]+|([\s]+|[,]){{ item }}([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$' + patterns: "audit.rules" + register: audit_kernel_found_32_audit_rules + loop: "{{ syscalls }}" +@@ -124,7 +124,7 @@ + - name: Check existence of syscalls for 64 bit architecture in /etc/audit/audit.rules + find: + paths: "/etc/audit" +- contains: '^\s*-a\s+always,exit\s+-F\s+arch=b64\s+.*-S\s+.*[\s,]+{{ item }}[\s,]+.*$' ++ contains: '^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+{{ item }}[\s]+|([\s]+|[,]){{ item }}([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$' + patterns: "audit.rules" + register: audit_kernel_found_64_audit_rules + loop: "{{ syscalls }}" diff --git a/SOURCES/scap-security-guide-0.1.50-ansible_audit_sysadmin_actions_PR_5288.patch b/SOURCES/scap-security-guide-0.1.50-ansible_audit_sysadmin_actions_PR_5288.patch new file mode 100644 index 0000000..ecf186e --- /dev/null +++ b/SOURCES/scap-security-guide-0.1.50-ansible_audit_sysadmin_actions_PR_5288.patch @@ -0,0 +1,185 @@ +From f65d1b37c7433085f19dc10454067be7d0bfb180 Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Thu, 12 Mar 2020 16:27:53 +0100 +Subject: [PATCH 1/3] Fix remediatino for /etc/sudoers.d/ and OVAL check + +Add missing '/' to remediation and add OVAL checks for /etc/sudoers.d/. +--- + .../bash/shared.sh | 4 ++-- + .../oval/shared.xml | 20 +++++++++++++++++++ + 2 files changed, 22 insertions(+), 2 deletions(-) + +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sysadmin_actions/bash/shared.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sysadmin_actions/bash/shared.sh +index 8e38874006..b6a4e7ef41 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sysadmin_actions/bash/shared.sh ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sysadmin_actions/bash/shared.sh +@@ -7,5 +7,5 @@ + fix_audit_watch_rule "auditctl" "/etc/sudoers" "wa" "actions" + fix_audit_watch_rule "augenrules" "/etc/sudoers" "wa" "actions" + +-fix_audit_watch_rule "auditctl" "/etc/sudoers.d" "wa" "actions" +-fix_audit_watch_rule "augenrules" "/etc/sudoers.d" "wa" "actions" ++fix_audit_watch_rule "auditctl" "/etc/sudoers.d/" "wa" "actions" ++fix_audit_watch_rule "augenrules" "/etc/sudoers.d/" "wa" "actions" +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sysadmin_actions/oval/shared.xml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sysadmin_actions/oval/shared.xml +index 172d2216b2..136630e695 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sysadmin_actions/oval/shared.xml ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sysadmin_actions/oval/shared.xml +@@ -9,10 +9,12 @@ + + + ++ + + + + ++ + + + +@@ -26,6 +28,15 @@ + 1 + + ++ ++ ++ ++ ++ ^/etc/audit/rules\.d/.*\.rules$ ++ ^\-w[\s]+/etc/sudoers\.d/[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b[\s]+(-k[\s]+|-F[\s]+key=)[-\w]+[\s]*$ ++ 1 ++ ++ + + + +@@ -35,4 +46,13 @@ + 1 + + ++ ++ ++ ++ ++ /etc/audit/audit.rules ++ ^\-w[\s]+/etc/sudoers\.d/[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b[\s]+(-k[\s]+|-F[\s]+key=)[-\w]+[\s]*$ ++ 1 ++ ++ + + +From 2aa6680981aa0f730c671106ca019c357b3beba7 Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Fri, 13 Mar 2020 18:33:38 +0100 +Subject: [PATCH 2/3] Add Ansible for audit_rules_sysadmin_actions + +--- + .../ansible/shared.yml | 53 +++++++++++++++++++ + 1 file changed, 53 insertions(+) + create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sysadmin_actions/ansible/shared.yml + +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sysadmin_actions/ansible/shared.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sysadmin_actions/ansible/shared.yml +new file mode 100644 +index 0000000000..6700eea565 +--- /dev/null ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sysadmin_actions/ansible/shared.yml +@@ -0,0 +1,53 @@ ++# platform = multi_platform_all ++# reboot = false ++# strategy = restrict ++# complexity = low ++# disruption = low ++ ++# Inserts/replaces the rule in /etc/audit/rules.d ++ ++- name: Search /etc/audit/rules.d for audit rule entries for sysadmin actions ++ find: ++ paths: "/etc/audit/rules.d" ++ recurse: no ++ contains: "^.*/etc/sudoers.*$" ++ patterns: "*.rules" ++ register: find_audit_sysadmin_actions ++ ++- name: Use /etc/audit/rules.d/actions.rules as the recipient for the rule ++ set_fact: ++ all_sysadmin_actions_files: ++ - /etc/audit/rules.d/actions.rules ++ when: find_audit_sysadmin_actions.matched is defined and find_audit_sysadmin_actions.matched == 0 ++ ++- name: Use matched file as the recipient for the rule ++ set_fact: ++ all_sysadmin_actions_files: ++ - "{{ find_audit_sysadmin_actions.files | map(attribute='path') | list | first }}" ++ when: find_audit_sysadmin_actions.matched is defined and find_audit_sysadmin_actions.matched > 0 ++ ++- name: Inserts/replaces audit rule for /etc/sudoers rule in rules.d ++ lineinfile: ++ path: "{{ all_sysadmin_actions_files[0] }}" ++ line: '-w /etc/sudoers -p wa -k actions' ++ create: yes ++ ++- name: Inserts/replaces audit rule for /etc/sudoers.d rule in rules.d ++ lineinfile: ++ path: "{{ all_sysadmin_actions_files[0] }}" ++ line: '-w /etc/sudoers.d/ -p wa -k actions' ++ create: yes ++ ++# Inserts/replaces the {{{ NAME }}} rule in /etc/audit/audit.rules ++ ++- name: Inserts/replaces audit rule for /etc/sudoers in audit.rules ++ lineinfile: ++ path: /etc/audit/audit.rules ++ line: '-w /etc/sudoers -p wa -k actions' ++ create: yes ++ ++- name: Inserts/replaces audit rule for /etc/sudoers.d in audit.rules ++ lineinfile: ++ path: /etc/audit/audit.rules ++ line: '-w /etc/sudoers.d/ -p wa -k actions' ++ create: yes + +From 3d5cc1d32fa7c4e2c3de11d178c33459804d1a58 Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Fri, 13 Mar 2020 18:42:05 +0100 +Subject: [PATCH 3/3] Simple tests for audit_rules_sysadmin_actions + +--- + .../audit_rules_sysadmin_actions/tests/correct.pass.sh | 4 ++++ + .../audit_rules_sysadmin_actions/tests/empty.fail.sh | 4 ++++ + .../audit_rules_sysadmin_actions/tests/missing_slash.fail.sh | 4 ++++ + 3 files changed, 12 insertions(+) + create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sysadmin_actions/tests/correct.pass.sh + create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sysadmin_actions/tests/empty.fail.sh + create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sysadmin_actions/tests/missing_slash.fail.sh + +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sysadmin_actions/tests/correct.pass.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sysadmin_actions/tests/correct.pass.sh +new file mode 100644 +index 0000000000..4d5f09b7b8 +--- /dev/null ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sysadmin_actions/tests/correct.pass.sh +@@ -0,0 +1,4 @@ ++# profiles = xccdf_org.ssgproject.content_profile_pci-dss ++ ++echo "-w /etc/sudoers -p wa -k actions" >> /etc/audit/rules.d/actions.rules ++echo "-w /etc/sudoers.d/ -p wa -k actions" >> /etc/audit/rules.d/actions.rules +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sysadmin_actions/tests/empty.fail.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sysadmin_actions/tests/empty.fail.sh +new file mode 100644 +index 0000000000..c14af6a088 +--- /dev/null ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sysadmin_actions/tests/empty.fail.sh +@@ -0,0 +1,4 @@ ++# profiles = xccdf_org.ssgproject.content_profile_pci-dss ++ ++rm -f /etc/audit/rules.d/* ++> /etc/audit/audit.rules +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sysadmin_actions/tests/missing_slash.fail.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sysadmin_actions/tests/missing_slash.fail.sh +new file mode 100644 +index 0000000000..09af980183 +--- /dev/null ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sysadmin_actions/tests/missing_slash.fail.sh +@@ -0,0 +1,4 @@ ++# profiles = xccdf_org.ssgproject.content_profile_pci-dss ++ ++echo "-w /etc/sudoers -p wa -k actions" >> /etc/audit/rules.d/actions.rules ++echo "-w /etc/sudoers.d -p wa -k actions" >> /etc/audit/rules.d/actions.rules diff --git a/SOURCES/scap-security-guide-0.1.50-audit_data_retention_reference_PR_5294.patch b/SOURCES/scap-security-guide-0.1.50-audit_data_retention_reference_PR_5294.patch new file mode 100644 index 0000000..e95b8f4 --- /dev/null +++ b/SOURCES/scap-security-guide-0.1.50-audit_data_retention_reference_PR_5294.patch @@ -0,0 +1,23 @@ +From 3aac5ee7def088ed0e24540753c3d8cb8dd3ed56 Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Mon, 16 Mar 2020 16:47:04 +0100 +Subject: [PATCH] Update audit data retention selects and variables + +Select variable values, and also fix rule selected twice. +--- + .../auditd_data_retention_space_left_action/rule.yml | 2 +- + 2 files changed, 4 insertions(+), 5 deletions(-) + +diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left_action/rule.yml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left_action/rule.yml +index 1ffa489a3f..07747138ed 100644 +--- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left_action/rule.yml ++++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left_action/rule.yml +@@ -39,7 +39,7 @@ references: + srg@rhel6: SRG-OS-000045 + disa@rhel6: 140,143 + stigid@rhel7: "030340" +- cis: 5.2.1.2 ++ cis@rhel8: 4.1.2.3 + cjis: 5.4.1.1 + cui: 3.3.1 + disa: "1855" diff --git a/SOURCES/scap-security-guide-0.1.50-audit_installed_reference_PR_5292.patch b/SOURCES/scap-security-guide-0.1.50-audit_installed_reference_PR_5292.patch new file mode 100644 index 0000000..248d0e1 --- /dev/null +++ b/SOURCES/scap-security-guide-0.1.50-audit_installed_reference_PR_5292.patch @@ -0,0 +1,22 @@ +From aa8d8a96e6598482ef4ed518d739bf50385dcbb9 Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Mon, 16 Mar 2020 16:11:31 +0100 +Subject: [PATCH] Add package_audit_installed + +Package audit depends on audit-libs. +--- + linux_os/guide/system/auditing/package_audit_installed/rule.yml | 1 + + 2 files changed, 2 insertions(+), 1 deletion(-) + +diff --git a/linux_os/guide/system/auditing/package_audit_installed/rule.yml b/linux_os/guide/system/auditing/package_audit_installed/rule.yml +index a5cea0c971..40ed326d2a 100644 +--- a/linux_os/guide/system/auditing/package_audit_installed/rule.yml ++++ b/linux_os/guide/system/auditing/package_audit_installed/rule.yml +@@ -20,6 +20,7 @@ references: + nist: AC-7(a),AU-7(1),AU-7(2),AU-14,AU-12(2),AU-2(a),CM-6(a) + anssi: NT28(R50) + srg: SRG-OS-000480-GPOS-00227,SRG-OS-000122-GPOS-00063 ++ cis@rhel8: 4.1.1.1 + + template: + name: package_installed diff --git a/SOURCES/scap-security-guide-0.1.50-audit_login_events_references_PR_5296.patch b/SOURCES/scap-security-guide-0.1.50-audit_login_events_references_PR_5296.patch new file mode 100644 index 0000000..8174387 --- /dev/null +++ b/SOURCES/scap-security-guide-0.1.50-audit_login_events_references_PR_5296.patch @@ -0,0 +1,84 @@ +From f1889f8d92324bea16a6f41726ec0bbca52ef0f2 Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Mon, 16 Mar 2020 17:34:12 +0100 +Subject: [PATCH 1/2] Select rules for audit login events + +--- + .../audit_login_events/audit_rules_login_events/rule.yml | 1 - + .../audit_rules_login_events_faillock/rule.yml | 1 + + .../audit_rules_login_events_lastlog/rule.yml | 2 +- + 4 files changed, 4 insertions(+), 7 deletions(-) + +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events/rule.yml +index 45367cf313..0a9a73caac 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events/rule.yml ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events/rule.yml +@@ -34,7 +34,6 @@ identifiers: + references: + nist@rhel6: AC-3(10) + nist-csf@rhel6: PR.AC-4,PR.AC-6,PR.PT-3 +- cis: 5.2.8 + cjis: 5.4.1.1 + cui: 3.1.7 + disa: 172,2884 +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_faillock/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_faillock/rule.yml +index 4d2af18816..257e99fb48 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_faillock/rule.yml ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_faillock/rule.yml +@@ -31,6 +31,7 @@ identifiers: + + references: + cis: 5.2.8 ++ cis@rhel8: 4.1.4 + cui: 3.1.7 + disa: 172,2884,126 + hipaa: 164.308(a)(1)(ii)(D),164.308(a)(3)(ii)(A),164.308(a)(5)(ii)(C),164.312(a)(2)(i),164.312(b),164.312(d),164.312(e) +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_lastlog/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_lastlog/rule.yml +index 355004ae98..7400d6a0d3 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_lastlog/rule.yml ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_lastlog/rule.yml +@@ -30,7 +30,7 @@ identifiers: + cce@ocp4: 82584-4 + + references: +- cis: 5.2.8 ++ cis@rhel8: 4.1.4 + cui: 3.1.7 + disa: 172,2884,126 + hipaa: 164.308(a)(1)(ii)(D),164.308(a)(3)(ii)(A),164.308(a)(5)(ii)(C),164.312(a)(2)(i),164.312(b),164.312(d),164.312(e) + +From a6d171b6fcea7042b17e07b2e8598c5523d92f28 Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Thu, 19 Mar 2020 11:44:51 +0100 +Subject: [PATCH 2/2] Add RHEL7 CIS references for login events rules + +--- + .../audit_rules_login_events_faillock/rule.yml | 2 +- + .../audit_rules_login_events_lastlog/rule.yml | 1 + + 2 files changed, 2 insertions(+), 1 deletion(-) + +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_faillock/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_faillock/rule.yml +index 257e99fb48..eacab5f522 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_faillock/rule.yml ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_faillock/rule.yml +@@ -30,7 +30,7 @@ identifiers: + cce@ocp4: 82583-6 + + references: +- cis: 5.2.8 ++ cis@rhel7: 4.1.8 + cis@rhel8: 4.1.4 + cui: 3.1.7 + disa: 172,2884,126 +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_lastlog/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_lastlog/rule.yml +index 7400d6a0d3..7fce76ab02 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_lastlog/rule.yml ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_lastlog/rule.yml +@@ -30,6 +30,7 @@ identifiers: + cce@ocp4: 82584-4 + + references: ++ cis@rhel7: 4.1.8 + cis@rhel8: 4.1.4 + cui: 3.1.7 + disa: 172,2884,126 diff --git a/SOURCES/scap-security-guide-0.1.50-banner_permissions_and_owners_PR_5302.patch b/SOURCES/scap-security-guide-0.1.50-banner_permissions_and_owners_PR_5302.patch new file mode 100644 index 0000000..973b27d --- /dev/null +++ b/SOURCES/scap-security-guide-0.1.50-banner_permissions_and_owners_PR_5302.patch @@ -0,0 +1,416 @@ +From 6b015c09b43ecac4226c5bcf974794a1b2a8d557 Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Tue, 17 Mar 2020 17:27:09 +0100 +Subject: [PATCH 1/8] Add rule for permissions of /etc/motd + +--- + .../file_permissions_etc_motd/rule.yml | 33 +++++++++++++++++++ + 3 files changed, 35 insertions(+), 3 deletions(-) + create mode 100644 linux_os/guide/system/accounts/accounts-banners/file_permissions_etc_motd/rule.yml + +diff --git a/linux_os/guide/system/accounts/accounts-banners/file_permissions_etc_motd/rule.yml b/linux_os/guide/system/accounts/accounts-banners/file_permissions_etc_motd/rule.yml +new file mode 100644 +index 0000000000..6d81eb43d1 +--- /dev/null ++++ b/linux_os/guide/system/accounts/accounts-banners/file_permissions_etc_motd/rule.yml +@@ -0,0 +1,33 @@ ++documentation_complete: true ++ ++title: 'Verify permissions on Message of the Day Banner' ++ ++description: |- ++ {{{ describe_file_permissions(file="/etc/motd", perms="0644") }}} ++ ++rationale: |- ++ Display of a standardized and approved use notification before granting ++ access to the operating system ensures privacy and security notification ++ verbiage used is consistent with applicable federal laws, Executive Orders, ++ directives, policies, regulations, standards, and guidance.
++ Proper permissions will ensure that only root user can modify the banner. ++ ++severity: medium ++ ++identifiers: ++ cce@rhel7: 83337-6 ++ cce@rhel8: 83338-4 ++ ++references: ++ cis@rhel7: 1.7.1.4 ++ cis@rhel8: 1.8.1.4 ++ ++ocil_clause: '{{{ ocil_clause_file_permissions(file="/etc/motd", perms="-rw-r--r--") }}}' ++ ++ocil: '{{{ ocil_file_permissions(file="/etc/motd", perms="-rw-r--r--") }}}' ++ ++template: ++ name: file_permissions ++ vars: ++ filepath: /etc/motd ++ filemode: '0644' +From 9448111043016e27bc319cfc6606361edd235f38 Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Tue, 17 Mar 2020 17:47:09 +0100 +Subject: [PATCH 2/8] Add rule for permissions of /etc/issue + +--- + .../file_permissions_etc_issue/rule.yml | 33 +++++++++++++++++++ + 3 files changed, 35 insertions(+), 3 deletions(-) + create mode 100644 linux_os/guide/system/accounts/accounts-banners/file_permissions_etc_issue/rule.yml + +diff --git a/linux_os/guide/system/accounts/accounts-banners/file_permissions_etc_issue/rule.yml b/linux_os/guide/system/accounts/accounts-banners/file_permissions_etc_issue/rule.yml +new file mode 100644 +index 0000000000..323c3b93b6 +--- /dev/null ++++ b/linux_os/guide/system/accounts/accounts-banners/file_permissions_etc_issue/rule.yml +@@ -0,0 +1,33 @@ ++documentation_complete: true ++ ++title: 'Verify permissions on System Login Banner' ++ ++description: |- ++ {{{ describe_file_permissions(file="/etc/issue", perms="0644") }}} ++ ++rationale: |- ++ Display of a standardized and approved use notification before granting ++ access to the operating system ensures privacy and security notification ++ verbiage used is consistent with applicable federal laws, Executive Orders, ++ directives, policies, regulations, standards, and guidance.
++ Proper permissions will ensure that only root user can modify the banner. ++ ++severity: medium ++ ++identifiers: ++ cce@rhel7: 83347-5 ++ cce@rhel8: 83348-3 ++ ++references: ++ cis@rhel7: 1.7.1.5 ++ cis@rhel8: 1.8.1.5 ++ ++ocil_clause: '{{{ ocil_clause_file_permissions(file="/etc/issue", perms="-rw-r--r--") }}}' ++ ++ocil: '{{{ ocil_file_permissions(file="/etc/issue", perms="-rw-r--r--") }}}' ++ ++template: ++ name: file_permissions ++ vars: ++ filepath: /etc/issue ++ filemode: '0644' +From 927265b500b38a9ba0eefd94ecce5de4c8fc3ac2 Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Tue, 17 Mar 2020 19:12:48 +0100 +Subject: [PATCH 3/8] Select rules for /etc/crontab permissions + +--- + .../services/cron_and_at/file_groupowner_crontab/rule.yml | 3 ++- + .../guide/services/cron_and_at/file_owner_crontab/rule.yml | 3 ++- + .../services/cron_and_at/file_permissions_crontab/rule.yml | 3 ++- + 4 files changed, 11 insertions(+), 4 deletions(-) + +diff --git a/linux_os/guide/services/cron_and_at/file_groupowner_crontab/rule.yml b/linux_os/guide/services/cron_and_at/file_groupowner_crontab/rule.yml +index 8df80cb535..29d0c882b4 100644 +--- a/linux_os/guide/services/cron_and_at/file_groupowner_crontab/rule.yml ++++ b/linux_os/guide/services/cron_and_at/file_groupowner_crontab/rule.yml +@@ -20,7 +20,8 @@ identifiers: + cce@rhel8: 82223-9 + + references: +- cis: 5.1.2 ++ cis@rhel7: 5.1.2 ++ cis@rhel8: 5.1.2 + nist: CM-6(a),AC-6(1) + nist-csf: PR.AC-4,PR.DS-5 + srg: SRG-OS-000480-GPOS-00227 +diff --git a/linux_os/guide/services/cron_and_at/file_owner_crontab/rule.yml b/linux_os/guide/services/cron_and_at/file_owner_crontab/rule.yml +index a10a283a86..6ac696229f 100644 +--- a/linux_os/guide/services/cron_and_at/file_owner_crontab/rule.yml ++++ b/linux_os/guide/services/cron_and_at/file_owner_crontab/rule.yml +@@ -20,7 +20,8 @@ identifiers: + cce@rhel8: 82224-7 + + references: +- cis: 5.1.2 ++ cis@rhel7: 5.1.2 ++ cis@rhel8: 5.1.2 + nist: CM-6(a),AC-6(1) + nist-csf: PR.AC-4,PR.DS-5 + srg: SRG-OS-000480-GPOS-00227 +diff --git a/linux_os/guide/services/cron_and_at/file_permissions_crontab/rule.yml b/linux_os/guide/services/cron_and_at/file_permissions_crontab/rule.yml +index 126bffd0bb..f587ab67ef 100644 +--- a/linux_os/guide/services/cron_and_at/file_permissions_crontab/rule.yml ++++ b/linux_os/guide/services/cron_and_at/file_permissions_crontab/rule.yml +@@ -20,7 +20,8 @@ identifiers: + cce@rhel8: 82206-4 + + references: +- cis: 5.1.2 ++ cis@rhel7: 5.1.2 ++ cis@rhel8: 5.1.2 + nist: CM-6(a),AC-6(1) + nist-csf: PR.AC-4,PR.DS-5 + srg: SRG-OS-000480-GPOS-00227 +From 51d320c401981dd06d097bb2850c9a7aa6977059 Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Tue, 17 Mar 2020 19:16:22 +0100 +Subject: [PATCH 4/8] Select rules for /etc/cron.hourly permissions + +--- + .../cron_and_at/file_groupowner_cron_hourly/rule.yml | 3 ++- + .../services/cron_and_at/file_owner_cron_hourly/rule.yml | 3 ++- + .../cron_and_at/file_permissions_cron_hourly/rule.yml | 3 ++- + 4 files changed, 11 insertions(+), 4 deletions(-) + +diff --git a/linux_os/guide/services/cron_and_at/file_groupowner_cron_hourly/rule.yml b/linux_os/guide/services/cron_and_at/file_groupowner_cron_hourly/rule.yml +index c3545bca73..514dc5510e 100644 +--- a/linux_os/guide/services/cron_and_at/file_groupowner_cron_hourly/rule.yml ++++ b/linux_os/guide/services/cron_and_at/file_groupowner_cron_hourly/rule.yml +@@ -20,7 +20,8 @@ identifiers: + cce@rhel8: 82227-0 + + references: +- cis: 5.1.3 ++ cis@rhel7: 5.1.3 ++ cis@rhel8: 5.1.3 + nist: CM-6(a),AC-6(1) + nist-csf: PR.AC-4,PR.DS-5 + srg: SRG-OS-000480-GPOS-00227 +diff --git a/linux_os/guide/services/cron_and_at/file_owner_cron_hourly/rule.yml b/linux_os/guide/services/cron_and_at/file_owner_cron_hourly/rule.yml +index 298a03bbec..2b4a8c6047 100644 +--- a/linux_os/guide/services/cron_and_at/file_owner_cron_hourly/rule.yml ++++ b/linux_os/guide/services/cron_and_at/file_owner_cron_hourly/rule.yml +@@ -20,7 +20,8 @@ identifiers: + cce@rhel8: 82209-8 + + references: +- cis: 5.1.3 ++ cis@rhel7: 5.1.3 ++ cis@rhel8: 5.1.3 + nist: CM-6(a),AC-6(1) + nist-csf: PR.AC-4,PR.DS-5 + srg: SRG-OS-000480-GPOS-00227 +diff --git a/linux_os/guide/services/cron_and_at/file_permissions_cron_hourly/rule.yml b/linux_os/guide/services/cron_and_at/file_permissions_cron_hourly/rule.yml +index 1d06872cf4..e726d64966 100644 +--- a/linux_os/guide/services/cron_and_at/file_permissions_cron_hourly/rule.yml ++++ b/linux_os/guide/services/cron_and_at/file_permissions_cron_hourly/rule.yml +@@ -20,7 +20,8 @@ identifiers: + cce@rhel8: 82230-4 + + references: +- cis: 5.1.3 ++ cis@rhel7: 5.1.3 ++ cis@rhel8: 5.1.3 + nist: CM-6(a),AC-6(1) + nist-csf: PR.AC-4,PR.DS-5 + srg: SRG-OS-000480-GPOS-00227 +From 94cd82ae26481d8d7343fcc65e6b2f5e88cefd3b Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Tue, 17 Mar 2020 19:18:41 +0100 +Subject: [PATCH 5/8] Select rules for /etc/cron.daily permissions + +--- + .../cron_and_at/file_groupowner_cron_daily/rule.yml | 3 ++- + .../services/cron_and_at/file_owner_cron_daily/rule.yml | 3 ++- + .../cron_and_at/file_permissions_cron_daily/rule.yml | 3 ++- + 4 files changed, 11 insertions(+), 4 deletions(-) + +diff --git a/linux_os/guide/services/cron_and_at/file_groupowner_cron_daily/rule.yml b/linux_os/guide/services/cron_and_at/file_groupowner_cron_daily/rule.yml +index 53e1800074..38e4fdde5e 100644 +--- a/linux_os/guide/services/cron_and_at/file_groupowner_cron_daily/rule.yml ++++ b/linux_os/guide/services/cron_and_at/file_groupowner_cron_daily/rule.yml +@@ -20,7 +20,8 @@ identifiers: + cce@rhel8: 82234-6 + + references: +- cis: 5.1.4 ++ cis@rhel7: 5.1.4 ++ cis@rhel8: 5.1.4 + nist: CM-6(a),AC-6(1) + nist-csf: PR.AC-4,PR.DS-5 + srg: SRG-OS-000480-GPOS-00227 +diff --git a/linux_os/guide/services/cron_and_at/file_owner_cron_daily/rule.yml b/linux_os/guide/services/cron_and_at/file_owner_cron_daily/rule.yml +index ed6e76e419..86625ac049 100644 +--- a/linux_os/guide/services/cron_and_at/file_owner_cron_daily/rule.yml ++++ b/linux_os/guide/services/cron_and_at/file_owner_cron_daily/rule.yml +@@ -20,7 +20,8 @@ identifiers: + cce@rhel8: 82237-9 + + references: +- cis: 5.1.4 ++ cis@rhel7: 5.1.4 ++ cis@rhel8: 5.1.4 + nist: CM-6(a),AC-6(1) + nist-csf: PR.AC-4,PR.DS-5 + srg: SRG-OS-000480-GPOS-00227 +diff --git a/linux_os/guide/services/cron_and_at/file_permissions_cron_daily/rule.yml b/linux_os/guide/services/cron_and_at/file_permissions_cron_daily/rule.yml +index 4313ffb6ab..6e57b028cd 100644 +--- a/linux_os/guide/services/cron_and_at/file_permissions_cron_daily/rule.yml ++++ b/linux_os/guide/services/cron_and_at/file_permissions_cron_daily/rule.yml +@@ -20,7 +20,8 @@ identifiers: + cce@rhel8: 82240-3 + + references: +- cis: 5.1.4 ++ cis@rhel7: 5.1.4 ++ cis@rhel8: 5.1.4 + nist: CM-6(a),AC-6(1) + nist-csf: PR.AC-4,PR.DS-5 + srg: SRG-OS-000480-GPOS-00227 +From a8d0f1253631913f27bcb9f6d70b46234feda723 Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Tue, 17 Mar 2020 19:21:12 +0100 +Subject: [PATCH 6/8] Select rules for /etc/cron.weekly permissions + +--- + .../cron_and_at/file_groupowner_cron_weekly/rule.yml | 3 ++- + .../services/cron_and_at/file_owner_cron_weekly/rule.yml | 3 ++- + .../cron_and_at/file_permissions_cron_weekly/rule.yml | 3 ++- + 4 files changed, 11 insertions(+), 4 deletions(-) + +diff --git a/linux_os/guide/services/cron_and_at/file_groupowner_cron_weekly/rule.yml b/linux_os/guide/services/cron_and_at/file_groupowner_cron_weekly/rule.yml +index de1ac8c656..4760ea55f6 100644 +--- a/linux_os/guide/services/cron_and_at/file_groupowner_cron_weekly/rule.yml ++++ b/linux_os/guide/services/cron_and_at/file_groupowner_cron_weekly/rule.yml +@@ -20,7 +20,8 @@ identifiers: + cce@rhel8: 82244-5 + + references: +- cis: 5.1.5 ++ cis@rhel7: 5.1.5 ++ cis@rhel8: 5.1.5 + nist: CM-6(a),AC-6(1) + nist-csf: PR.AC-4,PR.DS-5 + srg: SRG-OS-000480-GPOS-00227 +diff --git a/linux_os/guide/services/cron_and_at/file_owner_cron_weekly/rule.yml b/linux_os/guide/services/cron_and_at/file_owner_cron_weekly/rule.yml +index f5bba63516..e5e3de8cd1 100644 +--- a/linux_os/guide/services/cron_and_at/file_owner_cron_weekly/rule.yml ++++ b/linux_os/guide/services/cron_and_at/file_owner_cron_weekly/rule.yml +@@ -20,7 +20,8 @@ identifiers: + cce@rhel8: 82247-8 + + references: +- cis: 5.1.5 ++ cis@rhel7: 5.1.5 ++ cis@rhel8: 5.1.5 + nist: CM-6(a),AC-6(1) + nist-csf: PR.AC-4,PR.DS-5 + srg: SRG-OS-000480-GPOS-00227 +diff --git a/linux_os/guide/services/cron_and_at/file_permissions_cron_weekly/rule.yml b/linux_os/guide/services/cron_and_at/file_permissions_cron_weekly/rule.yml +index 523ea17731..daf345338a 100644 +--- a/linux_os/guide/services/cron_and_at/file_permissions_cron_weekly/rule.yml ++++ b/linux_os/guide/services/cron_and_at/file_permissions_cron_weekly/rule.yml +@@ -20,7 +20,8 @@ identifiers: + cce@rhel8: 82253-6 + + references: +- cis: 5.1.5 ++ cis@rhel7: 5.1.5 ++ cis@rhel8: 5.1.5 + nist: CM-6(a),AC-6(1) + nist-csf: PR.AC-4,PR.DS-5 + srg: SRG-OS-000480-GPOS-00227 +From 35176b1486c57bfd6a981a8719de65f09d200380 Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Tue, 17 Mar 2020 19:25:12 +0100 +Subject: [PATCH 7/8] Select rules for /etc/cron.monthly permissions + +--- + .../cron_and_at/file_groupowner_cron_monthly/rule.yml | 3 ++- + .../services/cron_and_at/file_owner_cron_monthly/rule.yml | 3 ++- + .../cron_and_at/file_permissions_cron_monthly/rule.yml | 3 ++- + 4 files changed, 11 insertions(+), 4 deletions(-) + +diff --git a/linux_os/guide/services/cron_and_at/file_groupowner_cron_monthly/rule.yml b/linux_os/guide/services/cron_and_at/file_groupowner_cron_monthly/rule.yml +index a664d78b0a..2a11340ec4 100644 +--- a/linux_os/guide/services/cron_and_at/file_groupowner_cron_monthly/rule.yml ++++ b/linux_os/guide/services/cron_and_at/file_groupowner_cron_monthly/rule.yml +@@ -20,7 +20,8 @@ identifiers: + cce@rhel8: 82256-9 + + references: +- cis: 5.1.6 ++ cis@rhel7: 5.1.6 ++ cis@rhel8: 5.1.6 + nist: CM-6(a),AC-6(1) + nist-csf: PR.AC-4,PR.DS-5 + srg: SRG-OS-000480-GPOS-00227 +diff --git a/linux_os/guide/services/cron_and_at/file_owner_cron_monthly/rule.yml b/linux_os/guide/services/cron_and_at/file_owner_cron_monthly/rule.yml +index 35f2bc19ed..76c671aa06 100644 +--- a/linux_os/guide/services/cron_and_at/file_owner_cron_monthly/rule.yml ++++ b/linux_os/guide/services/cron_and_at/file_owner_cron_monthly/rule.yml +@@ -20,7 +20,8 @@ identifiers: + cce@rhel8: 82260-1 + + references: +- cis: 5.1.6 ++ cis@rhel7: 5.1.6 ++ cis@rhel8: 5.1.6 + nist: CM-6(a),AC-6(1) + nist-csf: PR.AC-4,PR.DS-5 + srg: SRG-OS-000480-GPOS-00227 +diff --git a/linux_os/guide/services/cron_and_at/file_permissions_cron_monthly/rule.yml b/linux_os/guide/services/cron_and_at/file_permissions_cron_monthly/rule.yml +index b4d1863633..cc186ff7a1 100644 +--- a/linux_os/guide/services/cron_and_at/file_permissions_cron_monthly/rule.yml ++++ b/linux_os/guide/services/cron_and_at/file_permissions_cron_monthly/rule.yml +@@ -20,7 +20,8 @@ identifiers: + cce@rhel8: 82263-5 + + references: +- cis: 5.1.6 ++ cis@rhel7: 5.1.6 ++ cis@rhel8: 5.1.6 + nist: CM-6(a),AC-6(1) + nist-csf: PR.AC-4,PR.DS-5 + srg: SRG-OS-000480-GPOS-00227 +From 5b839624790399a1dbca16478fef9b3e628df1d4 Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Tue, 17 Mar 2020 19:27:55 +0100 +Subject: [PATCH 8/8] Select rules for /etc/cron.d permissions + +--- + .../services/cron_and_at/file_groupowner_cron_d/rule.yml | 3 ++- + .../guide/services/cron_and_at/file_owner_cron_d/rule.yml | 3 ++- + .../services/cron_and_at/file_permissions_cron_d/rule.yml | 3 ++- + 4 files changed, 11 insertions(+), 4 deletions(-) + +diff --git a/linux_os/guide/services/cron_and_at/file_groupowner_cron_d/rule.yml b/linux_os/guide/services/cron_and_at/file_groupowner_cron_d/rule.yml +index 3add79db18..6b1a3faf05 100644 +--- a/linux_os/guide/services/cron_and_at/file_groupowner_cron_d/rule.yml ++++ b/linux_os/guide/services/cron_and_at/file_groupowner_cron_d/rule.yml +@@ -20,7 +20,8 @@ identifiers: + cce@rhel8: 82268-4 + + references: +- cis: 5.1.7 ++ cis@rhel7: 5.1.7 ++ cis@rhel8: 5.1.7 + nist: CM-6(a),AC-6(1) + nist-csf: PR.AC-4,PR.DS-5 + srg: SRG-OS-000480-GPOS-00227 +diff --git a/linux_os/guide/services/cron_and_at/file_owner_cron_d/rule.yml b/linux_os/guide/services/cron_and_at/file_owner_cron_d/rule.yml +index 8778109761..88586a0268 100644 +--- a/linux_os/guide/services/cron_and_at/file_owner_cron_d/rule.yml ++++ b/linux_os/guide/services/cron_and_at/file_owner_cron_d/rule.yml +@@ -20,7 +20,8 @@ identifiers: + cce@rhel8: 82272-6 + + references: +- cis: 5.1.7 ++ cis@rhel7: 5.1.7 ++ cis@rhel8: 5.1.7 + nist: CM-6(a),AC-6(1) + nist-csf: PR.AC-4,PR.DS-5 + srg: SRG-OS-000480-GPOS-00227 +diff --git a/linux_os/guide/services/cron_and_at/file_permissions_cron_d/rule.yml b/linux_os/guide/services/cron_and_at/file_permissions_cron_d/rule.yml +index cd0dc6167a..f904dce932 100644 +--- a/linux_os/guide/services/cron_and_at/file_permissions_cron_d/rule.yml ++++ b/linux_os/guide/services/cron_and_at/file_permissions_cron_d/rule.yml +@@ -20,7 +20,8 @@ identifiers: + cce@rhel8: 82277-5 + + references: +- cis: 5.1.7 ++ cis@rhel7: 5.1.7 ++ cis@rhel8: 5.1.7 + nist: CM-6(a),AC-6(1) + nist-csf: PR.AC-4,PR.DS-5 + srg: SRG-OS-000480-GPOS-00227 diff --git a/SOURCES/scap-security-guide-0.1.50-change_disable_ipv6_rule_PR_5574.patch b/SOURCES/scap-security-guide-0.1.50-change_disable_ipv6_rule_PR_5574.patch new file mode 100644 index 0000000..5c3b38f --- /dev/null +++ b/SOURCES/scap-security-guide-0.1.50-change_disable_ipv6_rule_PR_5574.patch @@ -0,0 +1,23 @@ +From a75db592d49e0257a51c6aab782c50b3b60eab47 Mon Sep 17 00:00:00 2001 +From: Vojtech Polasek +Date: Wed, 8 Apr 2020 12:35:45 +0200 +Subject: [PATCH] change rules for disabling ipv6 + +--- + rhel7/profiles/cis.profile | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +diff --git a/rhel7/profiles/cis.profile b/rhel7/profiles/cis.profile +index 739ed27200..a99f87a3c8 100644 +--- a/rhel7/profiles/cis.profile ++++ b/rhel7/profiles/cis.profile +@@ -351,7 +351,7 @@ selections: + - sysctl_net_ipv6_conf_default_accept_redirects + + ### 3.3.3 Ensure IPv6 is disabled (Not Scored) +- - grub2_ipv6_disable_argument ++ - kernel_module_ipv6_option_disabled + + ## 3.4 TCP Wrappers + ### 3.4.1 Ensure TCP Wrappers is installed (Scored) + diff --git a/SOURCES/scap-security-guide-0.1.50-check_banner_owners_and_groupowners_PR_5335.patch b/SOURCES/scap-security-guide-0.1.50-check_banner_owners_and_groupowners_PR_5335.patch new file mode 100644 index 0000000..e6e0901 --- /dev/null +++ b/SOURCES/scap-security-guide-0.1.50-check_banner_owners_and_groupowners_PR_5335.patch @@ -0,0 +1,344 @@ +From db7bff613cb14543378661c1bf78582ada09d84a Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Tue, 24 Mar 2020 09:31:41 +0100 +Subject: [PATCH 1/4] Add rules to check owners of /etc/issue + +--- + .../file_groupowner_etc_issue/rule.yml | 35 +++++++++++++++++++ + .../file_owner_etc_issue/rule.yml | 35 +++++++++++++++++++ + .../file_permissions_etc_issue/rule.yml | 2 ++ + shared/references/cce-redhat-avail.txt | 4 --- + 4 files changed, 72 insertions(+), 4 deletions(-) + create mode 100644 linux_os/guide/system/accounts/accounts-banners/file_groupowner_etc_issue/rule.yml + create mode 100644 linux_os/guide/system/accounts/accounts-banners/file_owner_etc_issue/rule.yml + +diff --git a/linux_os/guide/system/accounts/accounts-banners/file_groupowner_etc_issue/rule.yml b/linux_os/guide/system/accounts/accounts-banners/file_groupowner_etc_issue/rule.yml +new file mode 100644 +index 0000000000..fe22c4ceda +--- /dev/null ++++ b/linux_os/guide/system/accounts/accounts-banners/file_groupowner_etc_issue/rule.yml +@@ -0,0 +1,35 @@ ++documentation_complete: true ++ ++prodtype: fedora,ocp4,ol7,ol8,rhel6,rhel7,rhel8,rhv4,wrlinux1019 ++ ++title: 'Verify group ownership of System Login Banner' ++ ++description: |- ++ {{{ describe_file_group_owner(file="/etc/issue", group="root") }}} ++ ++rationale: |- ++ Display of a standardized and approved use notification before granting ++ access to the operating system ensures privacy and security notification ++ verbiage used is consistent with applicable federal laws, Executive Orders, ++ directives, policies, regulations, standards, and guidance.
++ Proper group ownership will ensure that only root user can modify the banner. ++ ++severity: medium ++ ++identifiers: ++ cce@rhel7: 83707-0 ++ cce@rhel8: 83708-8 ++ ++references: ++ cis@rhel7: 1.7.1.5 ++ cis@rhel8: 1.8.1.5 ++ ++ocil_clause: '{{{ ocil_clause_file_group_owner(file="/etc/issue", group="root") }}}' ++ ++ocil: '{{{ ocil_file_group_owner(file="/etc/issue", group="root") }}}' ++ ++template: ++ name: file_groupowner ++ vars: ++ filepath: /etc/issue ++ filegid: '0' +diff --git a/linux_os/guide/system/accounts/accounts-banners/file_owner_etc_issue/rule.yml b/linux_os/guide/system/accounts/accounts-banners/file_owner_etc_issue/rule.yml +new file mode 100644 +index 0000000000..1a96fc1bee +--- /dev/null ++++ b/linux_os/guide/system/accounts/accounts-banners/file_owner_etc_issue/rule.yml +@@ -0,0 +1,35 @@ ++documentation_complete: true ++ ++prodtype: fedora,ocp4,ol7,ol8,rhel6,rhel7,rhel8,rhv4,wrlinux1019 ++ ++title: 'Verify ownership of System Login Banner' ++ ++description: |- ++ {{{ describe_file_owner(file="/etc/issue", owner="root") }}} ++ ++rationale: |- ++ Display of a standardized and approved use notification before granting ++ access to the operating system ensures privacy and security notification ++ verbiage used is consistent with applicable federal laws, Executive Orders, ++ directives, policies, regulations, standards, and guidance.
++ Proper ownership will ensure that only root user can modify the banner. ++ ++severity: medium ++ ++identifiers: ++ cce@rhel7: 83717-9 ++ cce@rhel8: 83718-7 ++ ++references: ++ cis@rhel7: 1.7.1.5 ++ cis@rhel8: 1.8.1.5 ++ ++ocil_clause: '{{{ ocil_clause_file_owner(file="/etc/issue", owner="root") }}}' ++ ++ocil: '{{{ ocil_file_owner(file="/etc/issue", owner="root") }}}' ++ ++template: ++ name: file_owner ++ vars: ++ filepath: /etc/issue ++ fileuid: '0' +diff --git a/linux_os/guide/system/accounts/accounts-banners/file_permissions_etc_issue/rule.yml b/linux_os/guide/system/accounts/accounts-banners/file_permissions_etc_issue/rule.yml +index 323c3b93b6..6082783b89 100644 +--- a/linux_os/guide/system/accounts/accounts-banners/file_permissions_etc_issue/rule.yml ++++ b/linux_os/guide/system/accounts/accounts-banners/file_permissions_etc_issue/rule.yml +@@ -1,5 +1,7 @@ + documentation_complete: true + ++prodtype: fedora,ocp4,ol7,ol8,rhel6,rhel7,rhel8,rhv4,wrlinux1019 ++ + title: 'Verify permissions on System Login Banner' + + description: |- +diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt +index 4a8668ed97..565be50dcf 100644 +--- a/shared/references/cce-redhat-avail.txt ++++ b/shared/references/cce-redhat-avail.txt +@@ -394,8 +394,6 @@ CCE-83703-9 + CCE-83704-7 + CCE-83705-4 + CCE-83706-2 +-CCE-83707-0 +-CCE-83708-8 + CCE-83709-6 + CCE-83710-4 + CCE-83711-2 +@@ -404,8 +402,6 @@ CCE-83713-8 + CCE-83714-6 + CCE-83715-3 + CCE-83716-1 +-CCE-83717-9 +-CCE-83718-7 + CCE-83719-5 + CCE-83720-3 + CCE-83721-1 + +From ac323a919cd97ee34d17d96ca20d10e8ad25ac43 Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Tue, 24 Mar 2020 09:50:54 +0100 +Subject: [PATCH 2/4] Add rules to check owners of /etc/motd + +--- + .../file_groupowner_etc_motd/rule.yml | 35 +++++++++++++++++++ + .../file_owner_etc_motd/rule.yml | 35 +++++++++++++++++++ + .../file_permissions_etc_motd/rule.yml | 2 ++ + shared/references/cce-redhat-avail.txt | 4 --- + 4 files changed, 72 insertions(+), 4 deletions(-) + create mode 100644 linux_os/guide/system/accounts/accounts-banners/file_groupowner_etc_motd/rule.yml + create mode 100644 linux_os/guide/system/accounts/accounts-banners/file_owner_etc_motd/rule.yml + +diff --git a/linux_os/guide/system/accounts/accounts-banners/file_groupowner_etc_motd/rule.yml b/linux_os/guide/system/accounts/accounts-banners/file_groupowner_etc_motd/rule.yml +new file mode 100644 +index 0000000000..21ff3fb62a +--- /dev/null ++++ b/linux_os/guide/system/accounts/accounts-banners/file_groupowner_etc_motd/rule.yml +@@ -0,0 +1,35 @@ ++documentation_complete: true ++ ++prodtype: fedora,ol7,ol8,rhel6,rhel7,rhel8,rhv4,wrlinux1019 ++ ++title: 'Verify group ownership of Message of the Day Banner' ++ ++description: |- ++ {{{ describe_file_group_owner(file="/etc/motd", group="root") }}} ++ ++rationale: |- ++ Display of a standardized and approved use notification before granting ++ access to the operating system ensures privacy and security notification ++ verbiage used is consistent with applicable federal laws, Executive Orders, ++ directives, policies, regulations, standards, and guidance.
++ Proper group ownerhip will ensure that only root user can modify the banner. ++ ++severity: medium ++ ++identifiers: ++ cce@rhel7: 83727-8 ++ cce@rhel8: 83728-6 ++ ++references: ++ cis@rhel7: 1.7.1.4 ++ cis@rhel8: 1.8.1.4 ++ ++ocil_clause: '{{{ ocil_clause_file_group_owner(file="/etc/motd", group="root") }}}' ++ ++ocil: '{{{ ocil_file_group_owner(file="/etc/motd", group="root") }}}' ++ ++template: ++ name: file_groupowner ++ vars: ++ filepath: /etc/motd ++ filegid: '0' +diff --git a/linux_os/guide/system/accounts/accounts-banners/file_owner_etc_motd/rule.yml b/linux_os/guide/system/accounts/accounts-banners/file_owner_etc_motd/rule.yml +new file mode 100644 +index 0000000000..27fed965fb +--- /dev/null ++++ b/linux_os/guide/system/accounts/accounts-banners/file_owner_etc_motd/rule.yml +@@ -0,0 +1,35 @@ ++documentation_complete: true ++ ++prodtype: fedora,ol7,ol8,rhel6,rhel7,rhel8,rhv4,wrlinux1019 ++ ++title: 'Verify ownership of Message of the Day Banner' ++ ++description: |- ++ {{{ describe_file_owner(file="/etc/motd", owner="root") }}} ++ ++rationale: |- ++ Display of a standardized and approved use notification before granting ++ access to the operating system ensures privacy and security notification ++ verbiage used is consistent with applicable federal laws, Executive Orders, ++ directives, policies, regulations, standards, and guidance.
++ Proper ownerhip will ensure that only root user can modify the banner. ++ ++severity: medium ++ ++identifiers: ++ cce@rhel7: 83737-7 ++ cce@rhel8: 83738-5 ++ ++references: ++ cis@rhel7: 1.7.1.4 ++ cis@rhel8: 1.8.1.4 ++ ++ocil_clause: '{{{ ocil_clause_file_owner(file="/etc/motd", owner="root") }}}' ++ ++ocil: '{{{ ocil_file_owner(file="/etc/motd", owner="root") }}}' ++ ++template: ++ name: file_owner ++ vars: ++ filepath: /etc/motd ++ fileuid: '0' +diff --git a/linux_os/guide/system/accounts/accounts-banners/file_permissions_etc_motd/rule.yml b/linux_os/guide/system/accounts/accounts-banners/file_permissions_etc_motd/rule.yml +index 6d81eb43d1..ca789dc6f8 100644 +--- a/linux_os/guide/system/accounts/accounts-banners/file_permissions_etc_motd/rule.yml ++++ b/linux_os/guide/system/accounts/accounts-banners/file_permissions_etc_motd/rule.yml +@@ -1,5 +1,7 @@ + documentation_complete: true + ++prodtype: fedora,ol7,ol8,rhel6,rhel7,rhel8,rhv4,wrlinux1019 ++ + title: 'Verify permissions on Message of the Day Banner' + + description: |- +diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt +index 565be50dcf..5986154a5a 100644 +--- a/shared/references/cce-redhat-avail.txt ++++ b/shared/references/cce-redhat-avail.txt +@@ -410,8 +410,6 @@ CCE-83723-7 + CCE-83724-5 + CCE-83725-2 + CCE-83726-0 +-CCE-83727-8 +-CCE-83728-6 + CCE-83729-4 + CCE-83730-2 + CCE-83731-0 +@@ -420,8 +418,6 @@ CCE-83733-6 + CCE-83734-4 + CCE-83735-1 + CCE-83736-9 +-CCE-83737-7 +-CCE-83738-5 + CCE-83739-3 + CCE-83740-1 + CCE-83741-9 + +From 3f0c74420e052b6ea18cef45896a48f24cd3c5df Mon Sep 17 00:00:00 2001 +From: Watson Yuuma Sato +Date: Tue, 24 Mar 2020 13:32:34 +0100 +Subject: [PATCH 3/4] Update + linux_os/guide/system/accounts/accounts-banners/file_groupowner_etc_motd/rule.yml +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Co-Authored-By: Jan Černý +--- + .../accounts/accounts-banners/file_groupowner_etc_motd/rule.yml | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/linux_os/guide/system/accounts/accounts-banners/file_groupowner_etc_motd/rule.yml b/linux_os/guide/system/accounts/accounts-banners/file_groupowner_etc_motd/rule.yml +index 21ff3fb62a..9cebc074dd 100644 +--- a/linux_os/guide/system/accounts/accounts-banners/file_groupowner_etc_motd/rule.yml ++++ b/linux_os/guide/system/accounts/accounts-banners/file_groupowner_etc_motd/rule.yml +@@ -12,7 +12,7 @@ rationale: |- + access to the operating system ensures privacy and security notification + verbiage used is consistent with applicable federal laws, Executive Orders, + directives, policies, regulations, standards, and guidance.
+- Proper group ownerhip will ensure that only root user can modify the banner. ++ Proper group ownership will ensure that only root user can modify the banner. + + severity: medium + + +From 3138bbcee2a997eb0c8f74eabdcac9f71944e191 Mon Sep 17 00:00:00 2001 +From: Watson Yuuma Sato +Date: Tue, 24 Mar 2020 13:33:40 +0100 +Subject: [PATCH 4/4] Fix typo in title of rule +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Co-Authored-By: Jan Černý +--- + .../accounts-banners/file_groupowner_etc_issue/rule.yml | 2 +- + .../accounts/accounts-banners/file_groupowner_etc_motd/rule.yml | 2 +- + .../accounts/accounts-banners/file_owner_etc_motd/rule.yml | 2 +- + 3 files changed, 3 insertions(+), 3 deletions(-) + +diff --git a/linux_os/guide/system/accounts/accounts-banners/file_groupowner_etc_issue/rule.yml b/linux_os/guide/system/accounts/accounts-banners/file_groupowner_etc_issue/rule.yml +index fe22c4ceda..6ff4e0a95a 100644 +--- a/linux_os/guide/system/accounts/accounts-banners/file_groupowner_etc_issue/rule.yml ++++ b/linux_os/guide/system/accounts/accounts-banners/file_groupowner_etc_issue/rule.yml +@@ -2,7 +2,7 @@ documentation_complete: true + + prodtype: fedora,ocp4,ol7,ol8,rhel6,rhel7,rhel8,rhv4,wrlinux1019 + +-title: 'Verify group ownership of System Login Banner' ++title: 'Verify Group Ownership of System Login Banner' + + description: |- + {{{ describe_file_group_owner(file="/etc/issue", group="root") }}} +diff --git a/linux_os/guide/system/accounts/accounts-banners/file_groupowner_etc_motd/rule.yml b/linux_os/guide/system/accounts/accounts-banners/file_groupowner_etc_motd/rule.yml +index 9cebc074dd..8c66e997ac 100644 +--- a/linux_os/guide/system/accounts/accounts-banners/file_groupowner_etc_motd/rule.yml ++++ b/linux_os/guide/system/accounts/accounts-banners/file_groupowner_etc_motd/rule.yml +@@ -2,7 +2,7 @@ documentation_complete: true + + prodtype: fedora,ol7,ol8,rhel6,rhel7,rhel8,rhv4,wrlinux1019 + +-title: 'Verify group ownership of Message of the Day Banner' ++title: 'Verify Group Ownership of Message of the Day Banner' + + description: |- + {{{ describe_file_group_owner(file="/etc/motd", group="root") }}} +diff --git a/linux_os/guide/system/accounts/accounts-banners/file_owner_etc_motd/rule.yml b/linux_os/guide/system/accounts/accounts-banners/file_owner_etc_motd/rule.yml +index 27fed965fb..8d963ae75d 100644 +--- a/linux_os/guide/system/accounts/accounts-banners/file_owner_etc_motd/rule.yml ++++ b/linux_os/guide/system/accounts/accounts-banners/file_owner_etc_motd/rule.yml +@@ -12,7 +12,7 @@ rationale: |- + access to the operating system ensures privacy and security notification + verbiage used is consistent with applicable federal laws, Executive Orders, + directives, policies, regulations, standards, and guidance.
+- Proper ownerhip will ensure that only root user can modify the banner. ++ Proper ownership will ensure that only root user can modify the banner. + + severity: medium + diff --git a/SOURCES/scap-security-guide-0.1.50-chrony_references_PR_5331.patch b/SOURCES/scap-security-guide-0.1.50-chrony_references_PR_5331.patch new file mode 100644 index 0000000..714012c --- /dev/null +++ b/SOURCES/scap-security-guide-0.1.50-chrony_references_PR_5331.patch @@ -0,0 +1,188 @@ +From c55c92fba234846412ae8d5947aee6bfeb3ca924 Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Fri, 20 Mar 2020 11:50:25 +0100 +Subject: [PATCH 1/4] Remove sshd_enable_x11_forwarding + +--- + rhel7/profiles/cis.profile | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/rhel7/profiles/cis.profile b/rhel7/profiles/cis.profile +index 486fcf9a33..53d3819822 100644 +--- a/rhel7/profiles/cis.profile ++++ b/rhel7/profiles/cis.profile +@@ -558,7 +558,6 @@ selections: + - sshd_set_loglevel_info + + ### 5.2.4 Ensure SSH X11 forwarding is disabled (Scored) +- - sshd_enable_x11_forwarding + + ### 5.2.5 Ensure SSH MaxAuthTries is set to 4 or less (Scored) + - sshd_set_max_auth_tries + +From 9a719c47408b9b5aa980cd37affbff9180f253e0 Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Mon, 23 Mar 2020 15:00:23 +0100 +Subject: [PATCH 2/4] Add a few more selections to rhel7 profile + +- Rule for libselinux installed +- Rule for service tftp disabled +- Rule for kernel module RDS disabled +--- + rhel7/profiles/cis.profile | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/rhel7/profiles/cis.profile b/rhel7/profiles/cis.profile +index 53d3819822..a9c78dc140 100644 +--- a/rhel7/profiles/cis.profile ++++ b/rhel7/profiles/cis.profile +@@ -172,6 +172,7 @@ selections: + - selinux_confinement_of_daemons + + ### 1.6.2 Ensure SELinux is installed (Scored) ++ - package_libselinux_installed + + ## 1.7 Warning Banners + #### 1.7.1.1 Ensure message of the day is configured properly (Scored) +@@ -205,6 +206,7 @@ selections: + ### 2.1.4 Ensure echo services are not enabled (Scored) + ### 2.1.5 Ensure time services are not enabled (Scored) + ### 2.1.6 Ensure tftp server is not enabled (Scored) ++ - service_tftp_disabled + + ### 2.1.7 Ensure xinetd is not enabled (Scored) + - service_xinetd_disabled +@@ -363,6 +365,7 @@ selections: + - kernel_module_sctp_disabled + + ### 3.5.3 Ensure RDS is disabled (Not Scored) ++ - kernel_module_rds_disabled + + ### 3.5.4 Ensure TIPC is disabled (Not Scored) + - kernel_module_tipc_disabled + +From 1aaf4f300eb2304c81b962dfaab4dc475a1041ee Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Mon, 23 Mar 2020 15:16:48 +0100 +Subject: [PATCH 3/4] Select rule for Chrony and fix rhel7 references + +--- + .../guide/services/ntp/chronyd_run_as_chrony_user/rule.yml | 2 +- + .../services/ntp/chronyd_specify_remote_server/rule.yml | 1 + + .../guide/services/ntp/package_chrony_installed/rule.yml | 1 + + linux_os/guide/services/ntp/service_chronyd_enabled/rule.yml | 1 + + rhel7/profiles/cis.profile | 5 ++++- + 5 files changed, 8 insertions(+), 2 deletions(-) + +diff --git a/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/rule.yml b/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/rule.yml +index cd641ce0cb..2e5596b972 100644 +--- a/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/rule.yml ++++ b/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/rule.yml +@@ -24,7 +24,7 @@ severity: medium + platform: chrony + + references: +- cis@rhel7: 2.2.1.2 ++ cis@rhel7: 2.2.1.3 + cis@rhel8: 2.2.1.2 + + identifiers: +diff --git a/linux_os/guide/services/ntp/chronyd_specify_remote_server/rule.yml b/linux_os/guide/services/ntp/chronyd_specify_remote_server/rule.yml +index bc8815b068..ea4c955c8e 100644 +--- a/linux_os/guide/services/ntp/chronyd_specify_remote_server/rule.yml ++++ b/linux_os/guide/services/ntp/chronyd_specify_remote_server/rule.yml +@@ -25,6 +25,7 @@ identifiers: + cce@rhel8: 82873-1 + + references: ++ cis@rhel7: 2.2.1.3 + cis@rhel8: 2.2.1.2 + + ocil_clause: 'a remote time server is not configured' +diff --git a/linux_os/guide/services/ntp/package_chrony_installed/rule.yml b/linux_os/guide/services/ntp/package_chrony_installed/rule.yml +index 2549f48b71..f6dc1f427f 100644 +--- a/linux_os/guide/services/ntp/package_chrony_installed/rule.yml ++++ b/linux_os/guide/services/ntp/package_chrony_installed/rule.yml +@@ -21,6 +21,7 @@ identifiers: + cce@rhel8: 82874-9 + + references: ++ cis@rhel7: 2.2.1.1 + cis@rhel8: 2.2.1.1 + + {{{ complete_ocil_entry_package(package="chrony") }}} +diff --git a/linux_os/guide/services/ntp/service_chronyd_enabled/rule.yml b/linux_os/guide/services/ntp/service_chronyd_enabled/rule.yml +index 7b3a0a2a13..94269dfd54 100644 +--- a/linux_os/guide/services/ntp/service_chronyd_enabled/rule.yml ++++ b/linux_os/guide/services/ntp/service_chronyd_enabled/rule.yml +@@ -24,6 +24,7 @@ identifiers: + cce@rhel8: 82875-6 + + references: ++ cis@rhel7: 2.2.1.3 + cis@rhel8: 2.2.1.2 + + ocil_clause: 'the chronyd process is not running' +diff --git a/rhel7/profiles/cis.profile b/rhel7/profiles/cis.profile +index a9c78dc140..108a728bbf 100644 +--- a/rhel7/profiles/cis.profile ++++ b/rhel7/profiles/cis.profile +@@ -213,13 +213,16 @@ selections: + + ## 2.2 Special Purpose Services + #### 2.2.1.1 Ensure time synchronization is in use (Not Scored) +- - service_chronyd_or_ntpd_enabled ++ - package_chrony_installed + + #### 2.2.1.2 Ensure ntp is configured (Scored) + # restrict is not checkec by rules below + - chronyd_or_ntpd_specify_remote_server + + #### 2.2.1.3 Ensure chrony is configured (Scored) ++ - service_chronyd_enabled ++ - chronyd_specify_remote_server ++ - chronyd_run_as_chrony_user + + ### 2.2.2 Ensure X Window System is not installed (Scored) + - package_xorg-x11-server-common_removed + +From 54150d23a06043fdd11af3fd8be9e0c4845e6c55 Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Mon, 23 Mar 2020 15:17:16 +0100 +Subject: [PATCH 4/4] Select rules for backup account files + +Select rules to check permissions and owner of important backup account +files. +--- + rhel7/profiles/cis.profile | 15 +++++++++++++++ + 1 file changed, 15 insertions(+) + +diff --git a/rhel7/profiles/cis.profile b/rhel7/profiles/cis.profile +index 108a728bbf..0fc919950f 100644 +--- a/rhel7/profiles/cis.profile ++++ b/rhel7/profiles/cis.profile +@@ -689,9 +689,24 @@ selections: + - file_permissions_etc_gshadow + + ### 6.1.6 Ensure permissions on /etc/passwd- are configured (Scored) ++ - file_owner_backup_etc_passwd ++ - file_groupowner_backup_etc_passwd ++ - file_permissions_backup_etc_passwd ++ + ### 6.1.7 Ensure permissions on /etc/shadow- are configured (Scored) ++ - file_owner_backup_etc_shadow ++ - file_groupowner_backup_etc_shadow ++ - file_permissions_backup_etc_shadow ++ + ### 6.1.8 Ensure permissions on /etc/group- are configured (Scored) ++ - file_owner_backup_etc_group ++ - file_groupowner_backup_etc_group ++ - file_permissions_backup_etc_group ++ + ### 6.1.9 Ensure permissions on /etc/gshadow- are configured (Scored) ++ - file_owner_backup_etc_gshadow ++ - file_groupowner_backup_etc_gshadow ++ - file_permissions_backup_etc_gshadow + + ### 6.1.10 Ensure no world writable files exist (Scored) + - file_permissions_unauthorized_world_writable diff --git a/SOURCES/scap-security-guide-0.1.50-drop_configure_etc_hosts_deny_remediation_PR_5652.patch b/SOURCES/scap-security-guide-0.1.50-drop_configure_etc_hosts_deny_remediation_PR_5652.patch new file mode 100644 index 0000000..965ca97 --- /dev/null +++ b/SOURCES/scap-security-guide-0.1.50-drop_configure_etc_hosts_deny_remediation_PR_5652.patch @@ -0,0 +1,125 @@ +From 74dfdeffe59ed7ed1e31151df3fefe98f1dc8876 Mon Sep 17 00:00:00 2001 +From: Vojtech Polasek +Date: Tue, 21 Apr 2020 15:41:27 +0200 +Subject: [PATCH 1/3] remove remediations, add warning + +--- + .../configure_etc_hosts_deny/ansible/shared.yml | 7 ------- + .../configure_etc_hosts_deny/bash/shared.sh | 3 --- + .../configure_etc_hosts_deny/rule.yml | 12 ++++++++++++ + 3 files changed, 12 insertions(+), 10 deletions(-) + delete mode 100644 linux_os/guide/services/obsolete/inetd_and_xinetd/configure_etc_hosts_deny/ansible/shared.yml + delete mode 100644 linux_os/guide/services/obsolete/inetd_and_xinetd/configure_etc_hosts_deny/bash/shared.sh + +diff --git a/linux_os/guide/services/obsolete/inetd_and_xinetd/configure_etc_hosts_deny/ansible/shared.yml b/linux_os/guide/services/obsolete/inetd_and_xinetd/configure_etc_hosts_deny/ansible/shared.yml +deleted file mode 100644 +index 480bde9f80..0000000000 +--- a/linux_os/guide/services/obsolete/inetd_and_xinetd/configure_etc_hosts_deny/ansible/shared.yml ++++ /dev/null +@@ -1,7 +0,0 @@ +-# platform = Red Hat Enterprise Linux 7,Oracle Linux 7 +-# reboot = false +-# strategy = restrict +-# complexity = low +-# disruption = medium +- +-{{{ ansible_lineinfile(msg='', path='/etc/hosts.deny', regex='', new_line='ALL: ALL', create='true', state='present') }}} +diff --git a/linux_os/guide/services/obsolete/inetd_and_xinetd/configure_etc_hosts_deny/bash/shared.sh b/linux_os/guide/services/obsolete/inetd_and_xinetd/configure_etc_hosts_deny/bash/shared.sh +deleted file mode 100644 +index e1def7a9ab..0000000000 +--- a/linux_os/guide/services/obsolete/inetd_and_xinetd/configure_etc_hosts_deny/bash/shared.sh ++++ /dev/null +@@ -1,3 +0,0 @@ +-# platform = Red Hat Enterprise Linux 7,Oracle Linux 7 +- +-{{{ set_config_file(path="/etc/hosts.deny", parameter="ALL:", value="ALL", create=true, insert_after="EOF", insert_before="", insensitive=true, separator=" ", separator_regex="\s\+", prefix_regex="^\s*") }}} +diff --git a/linux_os/guide/services/obsolete/inetd_and_xinetd/configure_etc_hosts_deny/rule.yml b/linux_os/guide/services/obsolete/inetd_and_xinetd/configure_etc_hosts_deny/rule.yml +index ec53cc799f..fb3143d24b 100644 +--- a/linux_os/guide/services/obsolete/inetd_and_xinetd/configure_etc_hosts_deny/rule.yml ++++ b/linux_os/guide/services/obsolete/inetd_and_xinetd/configure_etc_hosts_deny/rule.yml +@@ -10,6 +10,10 @@ description: |- + The following line in the file ensures that access to services supporting this mechanism is denied to any clients + not mentioned in /etc/hosts.allow: + 
ALL: ALL
++ It is advised to inspect available network services which might be affected by modification of file mentioned above prior to performing the remediation of this rule. ++ If there exist services which might be affected and access to them should not be blocked, ++ modify the /etc/hosts.deny file appropriately before performing the remediation. ++ + + rationale: |- + Correct configuration in /etc/hosts.deny ensures that no explicitly mentioned clients will be able to connect to services supporting this access control mechanism. +@@ -29,3 +33,11 @@ ocil: |- + 
cat /etc/hosts.deny
+ Verify that the output contains the following line: + 
ALL: ALL
++ ++warnings: ++ - management: |- ++ enabling this rule affects all connections to serviceswhich honor /etc/hosts.allow and /etc/hosts.deny files. ++ Connections to such servicesfrom any hosts which are not explicitly mentioned in /etc/hosts.allow will be rejected. ++ As the /etc/hosts.allow file is often left empty, there is a chance that remediation of this rule might prevent the system from accepting SSH connections and therefore limiting management access. ++ Therefore, this rule will not be remediated automatically. For information about manual process ++ of remediation see the rule description. + +From 3622b07d64f6a923143b0b5d34aa6b19571f3889 Mon Sep 17 00:00:00 2001 +From: Vojtech Polasek +Date: Wed, 22 Apr 2020 12:42:20 +0200 +Subject: [PATCH 2/3] fix wording + +--- + .../configure_etc_hosts_deny/rule.yml | 14 +++++++------- + 1 file changed, 7 insertions(+), 7 deletions(-) + +diff --git a/linux_os/guide/services/obsolete/inetd_and_xinetd/configure_etc_hosts_deny/rule.yml b/linux_os/guide/services/obsolete/inetd_and_xinetd/configure_etc_hosts_deny/rule.yml +index fb3143d24b..effed82fd8 100644 +--- a/linux_os/guide/services/obsolete/inetd_and_xinetd/configure_etc_hosts_deny/rule.yml ++++ b/linux_os/guide/services/obsolete/inetd_and_xinetd/configure_etc_hosts_deny/rule.yml +@@ -12,7 +12,7 @@ description: |- + 
ALL: ALL
+ It is advised to inspect available network services which might be affected by modification of file mentioned above prior to performing the remediation of this rule. + If there exist services which might be affected and access to them should not be blocked, +- modify the /etc/hosts.deny file appropriately before performing the remediation. ++ modify the /etc/hosts.allow file appropriately before performing the remediation. + + + rationale: |- +@@ -35,9 +35,9 @@ ocil: |- + 
ALL: ALL
+ + warnings: +- - management: |- +- enabling this rule affects all connections to serviceswhich honor /etc/hosts.allow and /etc/hosts.deny files. +- Connections to such servicesfrom any hosts which are not explicitly mentioned in /etc/hosts.allow will be rejected. +- As the /etc/hosts.allow file is often left empty, there is a chance that remediation of this rule might prevent the system from accepting SSH connections and therefore limiting management access. +- Therefore, this rule will not be remediated automatically. For information about manual process +- of remediation see the rule description. ++ - functionality: |- ++ This rule affects all access to serviceswhich honor /etc/hosts.allow and /etc/hosts.deny files. ++ Connections to services originating from hosts not explicitly mentioned in /etc/hosts.allow will be rejected. ++ As the /etc/hosts.allow is empty by default, make sure it is appropriately configured before applying remediation for this rule. ++ To avoid locking down all network access to the system, this rule doesn't perform automated remediation. ++ For information about manual process of remediation see the rule description. + +From 4f98610b8366c55c9e212a2cd6feeb2b4002c111 Mon Sep 17 00:00:00 2001 +From: Vojtech Polasek +Date: Fri, 24 Apr 2020 11:48:57 +0200 +Subject: [PATCH 3/3] fix wording + +--- + .../inetd_and_xinetd/configure_etc_hosts_deny/rule.yml | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/linux_os/guide/services/obsolete/inetd_and_xinetd/configure_etc_hosts_deny/rule.yml b/linux_os/guide/services/obsolete/inetd_and_xinetd/configure_etc_hosts_deny/rule.yml +index effed82fd8..f2fc86748f 100644 +--- a/linux_os/guide/services/obsolete/inetd_and_xinetd/configure_etc_hosts_deny/rule.yml ++++ b/linux_os/guide/services/obsolete/inetd_and_xinetd/configure_etc_hosts_deny/rule.yml +@@ -36,8 +36,7 @@ ocil: |- + + warnings: + - functionality: |- +- This rule affects all access to serviceswhich honor /etc/hosts.allow and /etc/hosts.deny files. ++ This rule affects all access to services which honor /etc/hosts.allow and /etc/hosts.deny files. + Connections to services originating from hosts not explicitly mentioned in /etc/hosts.allow will be rejected. +- As the /etc/hosts.allow is empty by default, make sure it is appropriately configured before applying remediation for this rule. + To avoid locking down all network access to the system, this rule doesn't perform automated remediation. + For information about manual process of remediation see the rule description. diff --git a/SOURCES/scap-security-guide-0.1.50-fix_ansible_macro_watch_rule_PR_5716.patch b/SOURCES/scap-security-guide-0.1.50-fix_ansible_macro_watch_rule_PR_5716.patch new file mode 100644 index 0000000..9039671 --- /dev/null +++ b/SOURCES/scap-security-guide-0.1.50-fix_ansible_macro_watch_rule_PR_5716.patch @@ -0,0 +1,39 @@ +From b87b0e68c3c0cfb9439f8b9b5bb1c553d1a53de0 Mon Sep 17 00:00:00 2001 +From: Vojtech Polasek +Date: Tue, 28 Apr 2020 17:10:25 +0200 +Subject: [PATCH] fix regex and remove recurse from tasks + +--- + shared/macros-ansible.jinja | 5 ++--- + 1 file changed, 2 insertions(+), 3 deletions(-) + +diff --git a/shared/macros-ansible.jinja b/shared/macros-ansible.jinja +index 884b562ae4..92ee35e08c 100644 +--- a/shared/macros-ansible.jinja ++++ b/shared/macros-ansible.jinja +@@ -277,6 +277,7 @@ regex_replace("\(n\)\*", "\\n") + {{% macro ansible_deregexify_banner_backslash() -%}} + regex_replace("\\", "") + {{%- endmacro %}} ++ + {{# + The following macro remediates one audit watch rule in /etc/audit/rules.d directory. + The macro requires following parameters: +@@ -289,7 +290,6 @@ in some file within /etc/audit/rules.d/, the new rule will be appended to this f + - name: Check if watch rule for {{{ path }}} already exists in /etc/audit/rules.d/ + find: + paths: "/etc/audit/rules.d" +- recurse: no + contains: '^\s*-w\s+{{{ path }}}\s+-p\s+{{{ permissions }}}(\s|$)+' + patterns: "*.rules" + register: find_existing_watch_rules_d +@@ -297,8 +297,7 @@ in some file within /etc/audit/rules.d/, the new rule will be appended to this f + - name: Search /etc/audit/rules.d for other rules with specified key {{{ key }}} + find: + paths: "/etc/audit/rules.d" +- recurse: no +- contains: "^.*(-F key=)(|-k ){{{ key }}}$" ++ contains: '^.*(?:-F key=|-k\s+){{{ key }}}$' + patterns: "*.rules" + register: find_watch_key + when: find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0 diff --git a/SOURCES/scap-security-guide-0.1.50-fix_ansible_postfix_listening_PR_5353.patch b/SOURCES/scap-security-guide-0.1.50-fix_ansible_postfix_listening_PR_5353.patch new file mode 100644 index 0000000..20659eb --- /dev/null +++ b/SOURCES/scap-security-guide-0.1.50-fix_ansible_postfix_listening_PR_5353.patch @@ -0,0 +1,23 @@ +From 450492b27e3e77ca271a08cd14e4a03f1535c722 Mon Sep 17 00:00:00 2001 +From: Vojtech Polasek +Date: Fri, 27 Mar 2020 10:46:07 +0100 +Subject: [PATCH] ansible remediation checks for package presence + +--- + .../postfix_network_listening_disabled/ansible/shared.yml | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/linux_os/guide/services/mail/postfix_client/postfix_network_listening_disabled/ansible/shared.yml b/linux_os/guide/services/mail/postfix_client/postfix_network_listening_disabled/ansible/shared.yml +index 18936b5fb3..f3d2af7614 100644 +--- a/linux_os/guide/services/mail/postfix_client/postfix_network_listening_disabled/ansible/shared.yml ++++ b/linux_os/guide/services/mail/postfix_client/postfix_network_listening_disabled/ansible/shared.yml +@@ -5,4 +5,8 @@ + # disruption = low + - (xccdf-var var_postfix_inet_interfaces) + +-{{{ ansible_lineinfile(msg='Ensure mail transfer agent is configured for local-only mode', path='/etc/postfix/main.cf', regex='^inet_interfaces\s*=\s.*', new_line='inet_interfaces = {{ var_postfix_inet_interfaces }}', create='no', state='present', insert_after='^inet_interfaces\s*=\s.*') }}} ++- name: "Gather list of packages" ++ package_facts: ++ manager: auto ++ ++{{{ ansible_lineinfile(msg='Make changes to Postfix configuration file', path='/etc/postfix/main.cf', regex='^inet_interfaces\s*=\s.*', new_line='inet_interfaces = {{ var_postfix_inet_interfaces }}', create='no', state='present', insert_after='^inet_interfaces\s*=\s.*', when='"postfix" in ansible_facts.packages') }}} diff --git a/SOURCES/scap-security-guide-0.1.50-fix_ansible_template_mount_options_PR_5752.patch b/SOURCES/scap-security-guide-0.1.50-fix_ansible_template_mount_options_PR_5752.patch new file mode 100644 index 0000000..275dced --- /dev/null +++ b/SOURCES/scap-security-guide-0.1.50-fix_ansible_template_mount_options_PR_5752.patch @@ -0,0 +1,208 @@ +From fa3e18fa8b1939b5173a889d2d6e696c67a49b56 Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Mon, 11 May 2020 17:44:32 +0200 +Subject: [PATCH 1/6] Do not duplicate mount point options + +The Ansible remediation for mount options was always adding the option. +--- + shared/templates/template_ANSIBLE_mount_option | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/shared/templates/template_ANSIBLE_mount_option b/shared/templates/template_ANSIBLE_mount_option +index cfb55859ac..08fa14208f 100644 +--- a/shared/templates/template_ANSIBLE_mount_option ++++ b/shared/templates/template_ANSIBLE_mount_option +@@ -27,5 +27,6 @@ + state: "mounted" + fstype: "{{ mount_info.fstype }}" + when: ++ - mount_info is defined and "{{{ MOUNTOPTION }}}" not in mount_info.options + - device_name.stdout is defined + - (device_name.stdout | length > 0) + +From 67f899077d542dbeb57b1772d6f86b029e0be066 Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Mon, 11 May 2020 17:46:23 +0200 +Subject: [PATCH 2/6] Keep any already defined mount options + +When mount doesn't need to exist to remediate, check whether mtab sets +the mountpoint and extend any already configured option. +--- + shared/templates/template_ANSIBLE_mount_option | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +diff --git a/shared/templates/template_ANSIBLE_mount_option b/shared/templates/template_ANSIBLE_mount_option +index 08fa14208f..aa5b5e2f8d 100644 +--- a/shared/templates/template_ANSIBLE_mount_option ++++ b/shared/templates/template_ANSIBLE_mount_option +@@ -9,6 +9,16 @@ + failed_when: device_name.rc > 1 + changed_when: False + ++{{% if MOUNT_HAS_TO_EXIST == "no" %}} ++- name: Check mtab information associated to mountpoint ++ command: findmnt --mtab '{{{ MOUNTPOINT }}}' ++ register: device_name ++ failed_when: device_name.rc > 1 ++ changed_when: False ++ when: ++ - device_name.stdout is defined and device_name.stdout == "" ++{{% endif %}} ++ + - name: create mount_info dictionary variable + set_fact: + mount_info: "{{ mount_info|default({})|combine({item.0: item.1}) }}" + +From 035d388383195637c79a2d47f3f100753a96c43f Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Mon, 11 May 2020 17:50:49 +0200 +Subject: [PATCH 3/6] Fix task naming in Ansible mount option template + +--- + shared/templates/template_ANSIBLE_mount_option | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/shared/templates/template_ANSIBLE_mount_option b/shared/templates/template_ANSIBLE_mount_option +index aa5b5e2f8d..7452dfbc05 100644 +--- a/shared/templates/template_ANSIBLE_mount_option ++++ b/shared/templates/template_ANSIBLE_mount_option +@@ -3,7 +3,7 @@ + # strategy = configure + # complexity = low + # disruption = high +-- name: get back mount information associated to mountpoint ++- name: Check fstab information associated to mountpoint + command: findmnt --fstab '{{{ MOUNTPOINT }}}' + register: device_name + failed_when: device_name.rc > 1 +@@ -19,7 +19,7 @@ + - device_name.stdout is defined and device_name.stdout == "" + {{% endif %}} + +-- name: create mount_info dictionary variable ++- name: Create mount_info dictionary variable + set_fact: + mount_info: "{{ mount_info|default({})|combine({item.0: item.1}) }}" + with_together: + +From 3c302161bc0aaa6dfb765e7e9abf40aff90c42ce Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Mon, 11 May 2020 18:04:05 +0200 +Subject: [PATCH 4/6] Add tests for mount option noexed in /dev/shm + +Tests added: +- No entry in fstab +- Entry in fstab without options +- Tests profile metadata fixed, they don't need to be tested using a + specific profile. +--- + .../mount_option_dev_shm_noexec/tests/entry_in_fstab.fail.sh | 3 +++ + .../tests/multiple_entries_in_mtab.fail.sh | 1 - + .../tests/no_entry_in_fstab.fail.sh | 4 ++++ + 3 files changed, 7 insertions(+), 1 deletion(-) + create mode 100644 linux_os/guide/system/permissions/partitions/mount_option_dev_shm_noexec/tests/entry_in_fstab.fail.sh + create mode 100644 linux_os/guide/system/permissions/partitions/mount_option_dev_shm_noexec/tests/no_entry_in_fstab.fail.sh + +diff --git a/linux_os/guide/system/permissions/partitions/mount_option_dev_shm_noexec/tests/entry_in_fstab.fail.sh b/linux_os/guide/system/permissions/partitions/mount_option_dev_shm_noexec/tests/entry_in_fstab.fail.sh +new file mode 100644 +index 0000000000..515d690e1f +--- /dev/null ++++ b/linux_os/guide/system/permissions/partitions/mount_option_dev_shm_noexec/tests/entry_in_fstab.fail.sh +@@ -0,0 +1,3 @@ ++#!/bin/bash ++ ++echo "tmpfs /dev/shm tmpfs rw,seclabel,nodev,nosuid 0 0" >> /etc/fstab +diff --git a/linux_os/guide/system/permissions/partitions/mount_option_dev_shm_noexec/tests/multiple_entries_in_mtab.fail.sh b/linux_os/guide/system/permissions/partitions/mount_option_dev_shm_noexec/tests/multiple_entries_in_mtab.fail.sh +index dd56f9bb6c..d7721b791d 100644 +--- a/linux_os/guide/system/permissions/partitions/mount_option_dev_shm_noexec/tests/multiple_entries_in_mtab.fail.sh ++++ b/linux_os/guide/system/permissions/partitions/mount_option_dev_shm_noexec/tests/multiple_entries_in_mtab.fail.sh +@@ -1,5 +1,4 @@ + #!/bin/bash +-# profiles = xccdf_org.ssgproject.content_profile_ospp + + cat /etc/mtab > /etc/mtab.old + # destroy symlink +diff --git a/linux_os/guide/system/permissions/partitions/mount_option_dev_shm_noexec/tests/no_entry_in_fstab.fail.sh b/linux_os/guide/system/permissions/partitions/mount_option_dev_shm_noexec/tests/no_entry_in_fstab.fail.sh +new file mode 100644 +index 0000000000..f484a3614c +--- /dev/null ++++ b/linux_os/guide/system/permissions/partitions/mount_option_dev_shm_noexec/tests/no_entry_in_fstab.fail.sh +@@ -0,0 +1,4 @@ ++#!/bin/bash ++ ++# make sure there is no entry for /dev/shm ++sed -i '/\/dev\/shm/d' /etc/fstab + +From f74beb900a0cf0d40bc1b85d518f8f7bf27f8d76 Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Tue, 12 May 2020 12:06:53 +0200 +Subject: [PATCH 5/6] Update mount_option template documentation + +Now the 'mount_has_to_exist' parameter is used in Ansible remediations. +As 'mount_has_to_exist=no' is only used for /dev/shm rules, the Ansible +remediation will add options based on existing ones consulting +/etc/mtab. +--- + docs/manual/developer_guide.adoc | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/docs/manual/developer_guide.adoc b/docs/manual/developer_guide.adoc +index 9d73e870f9..74fc869c51 100644 +--- a/docs/manual/developer_guide.adoc ++++ b/docs/manual/developer_guide.adoc +@@ -1574,7 +1574,7 @@ mount_option:: + ** *mountoption* - mount option, eg. `nosuid` + ** *filesystem* - filesystem in `/etc/fstab`, eg. `tmpfs`. Used only in Bash remediation. + ** *type* - filesystem type. Used only in Bash remediation. +-** *mount_has_to_exist* - Used only in Bash remediation. Specifies if the *mountpoint* entry has to exist in `/etc/fstab` before the remediation is executed. If set to `yes` and the *mountpoint* entry is not present in `/etc/fstab` the Bash remediation terminates. If set to `no` the *mountpoint* entry will be created in `/etc/fstab`. ++** *mount_has_to_exist* - Specifies if the *mountpoint* entry has to exist in `/etc/fstab` before the remediation is executed. If set to `yes` and the *mountpoint* entry is not present in `/etc/fstab` the Bash remediation terminates. If set to `no` the *mountpoint* entry will be created in `/etc/fstab`. + * Languages: Anaconda, Ansible, Bash, OVAL + + mount_option_remote_filesystems:: + +From 5abea4f5773d5099e57d1645f1565c5afeadf426 Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Tue, 12 May 2020 12:51:23 +0200 +Subject: [PATCH 6/6] Check all tabfiles when entry in fstab can be created by + Ansible + +Skipped tasks still register facts! Instead of executing a task based on +results of fstab mounts, lets just change the actual task to check all +tab files. +--- + shared/templates/template_ANSIBLE_mount_option | 17 +++++++---------- + 1 file changed, 7 insertions(+), 10 deletions(-) + +diff --git a/shared/templates/template_ANSIBLE_mount_option b/shared/templates/template_ANSIBLE_mount_option +index 7452dfbc05..95bede25f9 100644 +--- a/shared/templates/template_ANSIBLE_mount_option ++++ b/shared/templates/template_ANSIBLE_mount_option +@@ -3,21 +3,18 @@ + # strategy = configure + # complexity = low + # disruption = high +-- name: Check fstab information associated to mountpoint +- command: findmnt --fstab '{{{ MOUNTPOINT }}}' +- register: device_name +- failed_when: device_name.rc > 1 +- changed_when: False + + {{% if MOUNT_HAS_TO_EXIST == "no" %}} +-- name: Check mtab information associated to mountpoint +- command: findmnt --mtab '{{{ MOUNTPOINT }}}' ++ {{% set TABFILE="" %}} ++{{% else %}} ++ {{% set TABFILE="--fstab" %}} ++{{% endif %}} ++ ++- name: Check information associated to mountpoint ++ command: findmnt {{{ TABFILE }}} '{{{ MOUNTPOINT }}}' + register: device_name + failed_when: device_name.rc > 1 + changed_when: False +- when: +- - device_name.stdout is defined and device_name.stdout == "" +-{{% endif %}} + + - name: Create mount_info dictionary variable + set_fact: diff --git a/SOURCES/scap-security-guide-0.1.50-fix_audit_privileged_commands_test_metadata_PR_5739.patch b/SOURCES/scap-security-guide-0.1.50-fix_audit_privileged_commands_test_metadata_PR_5739.patch new file mode 100644 index 0000000..23ea605 --- /dev/null +++ b/SOURCES/scap-security-guide-0.1.50-fix_audit_privileged_commands_test_metadata_PR_5739.patch @@ -0,0 +1,21 @@ +From 76309b336d0b7837a12bea6546e44cecde3eede4 Mon Sep 17 00:00:00 2001 +From: Gabriel Becker +Date: Tue, 5 May 2020 15:34:54 +0200 +Subject: [PATCH] Remove outdated OSPP metadata from test scenario for + audit_rules_privileged_commands. + +--- + .../tests/augenrules_duplicated.fail.sh | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/augenrules_duplicated.fail.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/augenrules_duplicated.fail.sh +index c01b95aa9e..429cbe67be 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/augenrules_duplicated.fail.sh ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/augenrules_duplicated.fail.sh +@@ -1,5 +1,5 @@ + #!/bin/bash +-# profiles = xccdf_org.ssgproject.content_profile_ospp,xccdf_org.ssgproject.content_profile_pci-dss ++# profiles = xccdf_org.ssgproject.content_profile_pci-dss + # Remediation for this rule cannot remove the duplicates + # remediation = none + # platform = Fedora,Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8 diff --git a/SOURCES/scap-security-guide-0.1.50-fix_audit_rules_privileged_commands.patch b/SOURCES/scap-security-guide-0.1.50-fix_audit_rules_privileged_commands.patch new file mode 100644 index 0000000..050b304 --- /dev/null +++ b/SOURCES/scap-security-guide-0.1.50-fix_audit_rules_privileged_commands.patch @@ -0,0 +1,304 @@ +From e0a51fa56dbdf13392b9e7730fbb8caf58f6a4cc Mon Sep 17 00:00:00 2001 +From: Vojtech Polasek +Date: Fri, 3 Apr 2020 14:29:17 +0200 +Subject: [PATCH] Fix regex in remediation + +Binaries with common prefix (sudo vs sudoedit) were not handled properly +Force ordering of account and audit group +Rename rhel7 tests and make them applicable for rhel8 too +Add regression tests +Explain and make reordering pretty +--- + ...ctl_default.fail.sh => auditctl_default.fail.sh} | 2 +- + ...g_rule.fail.sh => auditctl_missing_rule.fail.sh} | 2 +- + ...l_one_rule.fail.sh => auditctl_one_rule.fail.sh} | 4 ++-- + ...ed.pass.sh => auditctl_rules_configured.pass.sh} | 2 +- + ...s_default.fail.sh => augenrules_default.fail.sh} | 2 +- + ...icated.fail.sh => augenrules_duplicated.fail.sh} | 2 +- + ...rule.fail.sh => augenrules_missing_rule.fail.sh} | 2 +- + .../tests/augenrules_one_rule.fail.sh | 7 +++++++ + ....pass.sh => augenrules_rules_configured.pass.sh} | 2 +- + ... augenrules_rules_configured_mixed_keys.pass.sh} | 2 +- + ...l.sh => augenrules_two_rules_mixed_keys.fail.sh} | 2 +- + ...il.sh => augenrules_two_rules_sep_files.fail.sh} | 2 +- + .../tests/rhel7_augenrules_one_rule.fail.sh | 7 ------- + ...h_own_key.pass.sh => rules_with_own_key.pass.sh} | 2 +- + ...m_audit_rules_privileged_commands_remediation.sh | 2 +- + ssg/build_yaml.py | 13 +++++++++++-- + 16 files changed, 32 insertions(+), 23 deletions(-) + rename linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/{rhel7_auditctl_default.fail.sh => auditctl_default.fail.sh} (74%) + rename linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/{rhel7_auditctl_missing_rule.fail.sh => auditctl_missing_rule.fail.sh} (82%) + rename linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/{rhel7_auditctl_one_rule.fail.sh => auditctl_one_rule.fail.sh} (50%) + rename linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/{rhel7_auditctl_rules_configured.pass.sh => auditctl_rules_configured.pass.sh} (80%) + rename linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/{rhel7_augenrules_default.fail.sh => augenrules_default.fail.sh} (63%) + rename linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/{rhel7_augenrules_duplicated.fail.sh => augenrules_duplicated.fail.sh} (85%) + rename linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/{rhel7_augenrules_missing_rule.fail.sh => augenrules_missing_rule.fail.sh} (78%) + create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/augenrules_one_rule.fail.sh + rename linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/{rhel7_augenrules_rules_configured.pass.sh => augenrules_rules_configured.pass.sh} (74%) + rename linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/{rhel7_augenrules_rules_configured_mixed_keys.pass.sh => augenrules_rules_configured_mixed_keys.pass.sh} (83%) + rename linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/{rhel7_augenrules_two_rules_mixed_keys.fail.sh => augenrules_two_rules_mixed_keys.fail.sh} (84%) + rename linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/{rhel7_augenrules_two_rules_sep_files.fail.sh => augenrules_two_rules_sep_files.fail.sh} (84%) + delete mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/rhel7_augenrules_one_rule.fail.sh + rename linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/{rhel7_rules_with_own_key.pass.sh => rules_with_own_key.pass.sh} (70%) + +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/rhel7_auditctl_default.fail.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/auditctl_default.fail.sh +similarity index 74% +rename from linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/rhel7_auditctl_default.fail.sh +rename to linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/auditctl_default.fail.sh +index 5668e9d59..b89717805 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/rhel7_auditctl_default.fail.sh ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/auditctl_default.fail.sh +@@ -1,6 +1,6 @@ + #!/bin/bash + # profiles = xccdf_org.ssgproject.content_profile_pci-dss + # remediation = bash +-# platform = Red Hat Enterprise Linux 7 ++# platform = Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8 + + sed -i "s%^ExecStartPost=.*%ExecStartPost=-/sbin/auditctl%" /usr/lib/systemd/system/auditd.service +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/rhel7_auditctl_missing_rule.fail.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/auditctl_missing_rule.fail.sh +similarity index 82% +rename from linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/rhel7_auditctl_missing_rule.fail.sh +rename to linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/auditctl_missing_rule.fail.sh +index 9ff90cc2b..1b8f348c4 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/rhel7_auditctl_missing_rule.fail.sh ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/auditctl_missing_rule.fail.sh +@@ -1,7 +1,7 @@ + #!/bin/bash + # profiles = xccdf_org.ssgproject.content_profile_pci-dss + # remediation = bash +-# platform = Red Hat Enterprise Linux 7 ++# platform = Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8 + + ./generate_privileged_commands_rule.sh 1000 privileged /etc/audit/audit.rules + sed -i '/newgrp/d' /etc/audit/audit.rules +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/rhel7_auditctl_one_rule.fail.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/auditctl_one_rule.fail.sh +similarity index 50% +rename from linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/rhel7_auditctl_one_rule.fail.sh +rename to linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/auditctl_one_rule.fail.sh +index c74a0cc7c..16c6fada0 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/rhel7_auditctl_one_rule.fail.sh ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/auditctl_one_rule.fail.sh +@@ -1,7 +1,7 @@ + #!/bin/bash + # profiles = xccdf_org.ssgproject.content_profile_pci-dss + # remediation = bash +-# platform = Red Hat Enterprise Linux 7 ++# platform = Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8 + +-echo "-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=unset -k privileged" >> /etc/audit/audit.rules ++echo "-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=unset -k privileged" >> /etc/audit/audit.rules + sed -i "s%^ExecStartPost=.*%ExecStartPost=-/sbin/auditctl%" /usr/lib/systemd/system/auditd.service +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/rhel7_auditctl_rules_configured.pass.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/auditctl_rules_configured.pass.sh +similarity index 80% +rename from linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/rhel7_auditctl_rules_configured.pass.sh +rename to linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/auditctl_rules_configured.pass.sh +index c9f338efd..911ce1798 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/rhel7_auditctl_rules_configured.pass.sh ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/auditctl_rules_configured.pass.sh +@@ -1,7 +1,7 @@ + #!/bin/bash + # profiles = xccdf_org.ssgproject.content_profile_pci-dss + # remediation = bash +-# platform = Red Hat Enterprise Linux 7 ++# platform = Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8 + + ./generate_privileged_commands_rule.sh 1000 privileged /etc/audit/audit.rules + sed -i "s%^ExecStartPost=.*%ExecStartPost=-/sbin/auditctl%" /usr/lib/systemd/system/auditd.service +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/rhel7_augenrules_default.fail.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/augenrules_default.fail.sh +similarity index 63% +rename from linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/rhel7_augenrules_default.fail.sh +rename to linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/augenrules_default.fail.sh +index 4713a5360..6281f0751 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/rhel7_augenrules_default.fail.sh ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/augenrules_default.fail.sh +@@ -1,6 +1,6 @@ + #!/bin/bash + # profiles = xccdf_org.ssgproject.content_profile_pci-dss + # remediation = bash +-# platform = Red Hat Enterprise Linux 7,Fedora ++# platform = Fedora,Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8 + + # augenrules is default for rhel7 +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/rhel7_augenrules_duplicated.fail.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/augenrules_duplicated.fail.sh +similarity index 85% +rename from linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/rhel7_augenrules_duplicated.fail.sh +rename to linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/augenrules_duplicated.fail.sh +index 19b12d090..c01b95aa9 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/rhel7_augenrules_duplicated.fail.sh ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/augenrules_duplicated.fail.sh +@@ -2,7 +2,7 @@ + # profiles = xccdf_org.ssgproject.content_profile_ospp,xccdf_org.ssgproject.content_profile_pci-dss + # Remediation for this rule cannot remove the duplicates + # remediation = none +-# platform = Red Hat Enterprise Linux 7,Fedora ++# platform = Fedora,Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8 + + mkdir -p /etc/audit/rules.d + ./generate_privileged_commands_rule.sh 1000 privileged /tmp/privileged.rules +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/rhel7_augenrules_missing_rule.fail.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/augenrules_missing_rule.fail.sh +similarity index 78% +rename from linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/rhel7_augenrules_missing_rule.fail.sh +rename to linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/augenrules_missing_rule.fail.sh +index c007f5dd2..ba3b8dd57 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/rhel7_augenrules_missing_rule.fail.sh ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/augenrules_missing_rule.fail.sh +@@ -1,7 +1,7 @@ + #!/bin/bash + # profiles = xccdf_org.ssgproject.content_profile_pci-dss + # remediation = bash +-# platform = Red Hat Enterprise Linux 7,Fedora ++# platform = Fedora,Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8 + + mkdir -p /etc/audit/rules.d + ./generate_privileged_commands_rule.sh 1000 privileged /etc/audit/rules.d/privileged.rules +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/augenrules_one_rule.fail.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/augenrules_one_rule.fail.sh +new file mode 100644 +index 000000000..a136bb885 +--- /dev/null ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/augenrules_one_rule.fail.sh +@@ -0,0 +1,7 @@ ++#!/bin/bash ++# profiles = xccdf_org.ssgproject.content_profile_pci-dss ++# remediation = bash ++# platform = Fedora,Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8 ++ ++mkdir -p /etc/audit/rules.d ++echo "-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=unset -k privileged" >> /etc/audit/rules.d/privileged.rules +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/rhel7_augenrules_rules_configured.pass.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/augenrules_rules_configured.pass.sh +similarity index 74% +rename from linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/rhel7_augenrules_rules_configured.pass.sh +rename to linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/augenrules_rules_configured.pass.sh +index 913ca4402..2badda362 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/rhel7_augenrules_rules_configured.pass.sh ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/augenrules_rules_configured.pass.sh +@@ -1,7 +1,7 @@ + #!/bin/bash + # profiles = xccdf_org.ssgproject.content_profile_pci-dss + # remediation = bash +-# platform = Red Hat Enterprise Linux 7,Fedora ++# platform = Fedora,Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8 + + mkdir -p /etc/audit/rules.d + ./generate_privileged_commands_rule.sh 1000 privileged /etc/audit/rules.d/privileged.rules +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/rhel7_augenrules_rules_configured_mixed_keys.pass.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/augenrules_rules_configured_mixed_keys.pass.sh +similarity index 83% +rename from linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/rhel7_augenrules_rules_configured_mixed_keys.pass.sh +rename to linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/augenrules_rules_configured_mixed_keys.pass.sh +index a0ba4fac7..2a9c64215 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/rhel7_augenrules_rules_configured_mixed_keys.pass.sh ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/augenrules_rules_configured_mixed_keys.pass.sh +@@ -1,7 +1,7 @@ + #!/bin/bash + # profiles = xccdf_org.ssgproject.content_profile_pci-dss + # remediation = bash +-# platform = Red Hat Enterprise Linux 7,Fedora ++# platform = Fedora,Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8 + + mkdir -p /etc/audit/rules.d + ./generate_privileged_commands_rule.sh 1000 privileged /etc/audit/rules.d/privileged.rules +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/rhel7_augenrules_two_rules_mixed_keys.fail.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/augenrules_two_rules_mixed_keys.fail.sh +similarity index 84% +rename from linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/rhel7_augenrules_two_rules_mixed_keys.fail.sh +rename to linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/augenrules_two_rules_mixed_keys.fail.sh +index bc4a7c4bf..316d836d4 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/rhel7_augenrules_two_rules_mixed_keys.fail.sh ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/augenrules_two_rules_mixed_keys.fail.sh +@@ -1,7 +1,7 @@ + #!/bin/bash + # profiles = xccdf_org.ssgproject.content_profile_pci-dss + # remediation = bash +-# platform = Red Hat Enterprise Linux 7,Fedora ++# platform = Fedora,Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8 + + mkdir -p /etc/audit/rules.d + echo "-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=unset -k privileged" >> /etc/audit/rules.d/privileged.rules +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/rhel7_augenrules_two_rules_sep_files.fail.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/augenrules_two_rules_sep_files.fail.sh +similarity index 84% +rename from linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/rhel7_augenrules_two_rules_sep_files.fail.sh +rename to linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/augenrules_two_rules_sep_files.fail.sh +index 0e7091053..78db285d1 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/rhel7_augenrules_two_rules_sep_files.fail.sh ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/augenrules_two_rules_sep_files.fail.sh +@@ -1,7 +1,7 @@ + #!/bin/bash + # profiles = xccdf_org.ssgproject.content_profile_pci-dss + # remediation = bash +-# platform = Red Hat Enterprise Linux 7,Fedora ++# platform = Fedora,Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8 + + mkdir -p /etc/audit/rules.d + echo "-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=unset -k privileged" >> /etc/audit/rules.d/priv.rules +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/rhel7_augenrules_one_rule.fail.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/rhel7_augenrules_one_rule.fail.sh +deleted file mode 100644 +index 591109a01..000000000 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/rhel7_augenrules_one_rule.fail.sh ++++ /dev/null +@@ -1,7 +0,0 @@ +-#!/bin/bash +-# profiles = xccdf_org.ssgproject.content_profile_pci-dss +-# remediation = bash +-# platform = Red Hat Enterprise Linux 7 +- +-mkdir -p /etc/audit/rules.d +-echo "-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=unset -k privileged" >> /etc/audit/rules.d/privileged.rules +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/rhel7_rules_with_own_key.pass.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/rules_with_own_key.pass.sh +similarity index 70% +rename from linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/rhel7_rules_with_own_key.pass.sh +rename to linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/rules_with_own_key.pass.sh +index c40fd133d..123dd6dcd 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/rhel7_rules_with_own_key.pass.sh ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/rules_with_own_key.pass.sh +@@ -1,6 +1,6 @@ + #!/bin/bash + # profiles = xccdf_org.ssgproject.content_profile_pci-dss + # remediation = bash +-# platform = Red Hat Enterprise Linux 7,Fedora ++# platform = Fedora,Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8 + + ./generate_privileged_commands_rule.sh 1000 own_key /etc/audit/rules.d/privileged.rules +diff --git a/shared/bash_remediation_functions/perform_audit_rules_privileged_commands_remediation.sh b/shared/bash_remediation_functions/perform_audit_rules_privileged_commands_remediation.sh +index 6112f6adb..f595c71cb 100644 +--- a/shared/bash_remediation_functions/perform_audit_rules_privileged_commands_remediation.sh ++++ b/shared/bash_remediation_functions/perform_audit_rules_privileged_commands_remediation.sh +@@ -99,7 +99,7 @@ do + # * existing rule contains all arguments from expected rule form (though can contain + # them in arbitrary order) + +- base_search=$(sed -e '/-a always,exit/!d' -e '/-F path='"${sbinary_esc}"'/!d' \ ++ base_search=$(sed -e '/-a always,exit/!d' -e '/-F path='"${sbinary_esc}"'[^[:graph:]]/!d' \ + -e '/-F path=[^[:space:]]\+/!d' -e '/-F perm=.*/!d' \ + -e '/-F auid>='"${min_auid}"'/!d' -e '/-F auid!=\(4294967295\|unset\)/!d' \ + -e '/-k \|-F key=/!d' "$afile") +diff --git a/ssg/build_yaml.py b/ssg/build_yaml.py +index 5e681b7e0..e3e138283 100644 +--- a/ssg/build_yaml.py ++++ b/ssg/build_yaml.py +@@ -695,13 +695,22 @@ class Group(object): + # top level group, this ensures groups that further configure a package or service + # are after rules that install or remove it. + groups_in_group = list(self.groups.keys()) ++ # The account group has to precede audit group because ++ # the rule package_screen_installed is desired to be executed before the rule ++ # audit_rules_privileged_commands, othervise the rule ++ # does not catch newly installed screeen binary during remediation ++ # and report fail + # The FIPS group should come before Crypto - if we want to set a different (stricter) Crypto Policy than FIPS. + # the firewalld_activation must come before ruleset_modifications, othervise + # remediations for ruleset_modifications won't work + # rules from group disabling_ipv6 must precede rules from configuring_ipv6, + # otherwise the remediation prints error although it is successful +- priority_order = ["fips", "crypto", "firewalld_activation", +- "ruleset_modifications", "disabling_ipv6", "configuring_ipv6"] ++ priority_order = [ ++ "accounts", "auditing", ++ "fips", "crypto", ++ "firewalld_activation", "ruleset_modifications", ++ "disabling_ipv6", "configuring_ipv6" ++ ] + groups_in_group = reorder_according_to_ordering(groups_in_group, priority_order) + for group_id in groups_in_group: + _group = self.groups[group_id] +-- +2.21.1 + diff --git a/SOURCES/scap-security-guide-0.1.50-fix_banner_etc_motd_PR_5319.patch b/SOURCES/scap-security-guide-0.1.50-fix_banner_etc_motd_PR_5319.patch new file mode 100644 index 0000000..3c0314f --- /dev/null +++ b/SOURCES/scap-security-guide-0.1.50-fix_banner_etc_motd_PR_5319.patch @@ -0,0 +1,217 @@ +From 023412217f4a73e47a7b5d8786b2b10974015615 Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Thu, 19 Mar 2020 16:55:29 +0100 +Subject: [PATCH 1/4] Make banner_etc_motd like banner_etc_issue + +Both rules source the banner from the same XCCDF variable. +--- + .../banner_etc_motd/bash/shared.sh | 18 +++++++++++++----- + .../banner_etc_motd/oval/shared.xml | 8 +++++++- + 2 files changed, 20 insertions(+), 6 deletions(-) + +diff --git a/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/bash/shared.sh b/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/bash/shared.sh +index ac04d93dd5..d731063b5a 100644 +--- a/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/bash/shared.sh ++++ b/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/bash/shared.sh +@@ -2,12 +2,20 @@ + . /usr/share/scap-security-guide/remediation_functions + populate login_banner_text + +-# There was a regular-expression matching various banners, needs to be expanded +-expanded=$(echo "$login_banner_text" | sed 's/(\\\\\x27)\*/\\\x27/g;s/(\\\x27)\*//g;s/(\^\(.*\)\$|.*$/\1/g;s/\[\\s\\n\][+*]/ /g;s/\\//g;s/[^-]- /\n\n-/g;s/(n)\**//g') +-formatted=$(echo "$expanded" | fold -sw 80) ++# Multiple regexes transform the banner regex into a usable banner ++# 0 - Remove anchors around the banner text ++{{{ bash_deregexify_banner_anchors("login_banner_text") }}} ++# 1 - Keep only the first banners if there are multiple ++# (dod_banners contains the long and short banner) ++{{{ bash_deregexify_multiple_banners("login_banner_text") }}} ++# 2 - Add spaces ' '. (Transforms regex for "space or newline" into a " ") ++{{{ bash_deregexify_banner_space("login_banner_text") }}} ++# 3 - Adds newlines. (Transforms "(?:\[\\n\]+|(?:\\n)+)" into "\n") ++{{{ bash_deregexify_banner_newline("login_banner_text", "\\n") }}} ++# 4 - Remove any leftover backslash. (From any parethesis in the banner, for example). ++{{{ bash_deregexify_banner_backslash("login_banner_text") }}} ++formatted=$(echo "$login_banner_text" | fold -sw 80) + + cat </etc/motd + $formatted + EOF +- +-printf "\n" >> /etc/motd +diff --git a/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/oval/shared.xml b/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/oval/shared.xml +index dfd3bb69c0..9b20ee032a 100644 +--- a/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/oval/shared.xml ++++ b/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/oval/shared.xml +@@ -18,14 +18,20 @@ + + + ++ + + + ++ + /etc/motd +- ++ ^(.*)$ + 1 + + ++ ++ ++ ++ + + + + +From 38e7680395d78371a12d3afd2561533d9f1860c3 Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Thu, 19 Mar 2020 16:59:45 +0100 +Subject: [PATCH 2/4] Add Ansible for banner_etc_motd + +--- + .../banner_etc_motd/ansible/shared.yml | 17 +++++++++++++++++ + 1 file changed, 17 insertions(+) + create mode 100644 linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/ansible/shared.yml + +diff --git a/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/ansible/shared.yml +new file mode 100644 +index 0000000000..dfc1c519b7 +--- /dev/null ++++ b/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/ansible/shared.yml +@@ -0,0 +1,17 @@ ++# platform = multi_platform_wrlinux,multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv ++# reboot = false ++# strategy = unknown ++# complexity = low ++# disruption = medium ++- (xccdf-var login_banner_text) ++ ++- name: "{{{ rule_title }}} - remove incorrect banner" ++ file: ++ state: absent ++ path: /etc/motd ++ ++- name: "{{{ rule_title }}} - add correct banner" ++ lineinfile: ++ dest: /etc/motd ++ line: '{{{ ansible_deregexify_banner_etc_issue("login_banner_text") }}}' ++ create: yes + +From c6ea356cef8678cdf248fc8363767d8615fb7423 Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Thu, 19 Mar 2020 17:20:38 +0100 +Subject: [PATCH 3/4] Use profile "all" to test banner_etc_motd + +When the profile doesn't do any selection, the default value is used. +When the variable doesn't define a default value, the first value is +considered the default. + +The test scenarios of banner_etcmotd are aligned with the first value of +login_banner_text. +--- + .../tests/banner_etc_motd_disa_dod_default_banner.pass.sh | 2 -- + .../tests/banner_etc_motd_disa_dod_short.pass.sh | 2 -- + .../tests/banner_etc_motd_disa_double_banner.fail.sh | 2 -- + .../tests/banner_etc_motd_disa_usgcb_banner.fail.sh | 2 -- + .../tests/banner_etc_motd_ospp_usbcg_banner.fail.sh | 2 -- + .../tests/banner_etc_motd_ospp_usbcg_banner.pass.sh | 2 -- + 6 files changed, 12 deletions(-) + +diff --git a/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/tests/banner_etc_motd_disa_dod_default_banner.pass.sh b/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/tests/banner_etc_motd_disa_dod_default_banner.pass.sh +index a926abd7dd..96e5e11e5b 100644 +--- a/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/tests/banner_etc_motd_disa_dod_default_banner.pass.sh ++++ b/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/tests/banner_etc_motd_disa_dod_default_banner.pass.sh +@@ -1,6 +1,4 @@ + #!/bin/bash +-# +-# profiles = xccdf_org.ssgproject.content_profile_stig + + # dod_default banner + echo "You are accessing a U.S. Government (USG) Information System (IS) that is +diff --git a/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/tests/banner_etc_motd_disa_dod_short.pass.sh b/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/tests/banner_etc_motd_disa_dod_short.pass.sh +index a2624e1066..ddf1efa43c 100644 +--- a/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/tests/banner_etc_motd_disa_dod_short.pass.sh ++++ b/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/tests/banner_etc_motd_disa_dod_short.pass.sh +@@ -1,6 +1,4 @@ + #!/bin/bash +-# +-# profiles = xccdf_org.ssgproject.content_profile_stig + + # dod_short banner + echo "I've read & consent to terms in IS user agreem't." > /etc/motd +diff --git a/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/tests/banner_etc_motd_disa_double_banner.fail.sh b/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/tests/banner_etc_motd_disa_double_banner.fail.sh +index 93c00cfde7..8cd0d30fa9 100644 +--- a/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/tests/banner_etc_motd_disa_double_banner.fail.sh ++++ b/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/tests/banner_etc_motd_disa_double_banner.fail.sh +@@ -1,6 +1,4 @@ + #!/bin/bash +-# +-# profiles = xccdf_org.ssgproject.content_profile_stig + + # dod_default|dod_short banner + echo "You are accessing a U.S. Government (USG) Information System (IS) that is +diff --git a/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/tests/banner_etc_motd_disa_usgcb_banner.fail.sh b/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/tests/banner_etc_motd_disa_usgcb_banner.fail.sh +index 3878983a19..5abacbb535 100644 +--- a/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/tests/banner_etc_motd_disa_usgcb_banner.fail.sh ++++ b/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/tests/banner_etc_motd_disa_usgcb_banner.fail.sh +@@ -1,6 +1,4 @@ + #!/bin/bash +-# +-# profiles = xccdf_org.ssgproject.content_profile_stig + + # usgcb_default banner + echo "-- WARNING -- This system is for the use of authorized users only. Individuals +diff --git a/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/tests/banner_etc_motd_ospp_usbcg_banner.fail.sh b/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/tests/banner_etc_motd_ospp_usbcg_banner.fail.sh +index c82a8e39b2..43b2e0a2e9 100644 +--- a/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/tests/banner_etc_motd_ospp_usbcg_banner.fail.sh ++++ b/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/tests/banner_etc_motd_ospp_usbcg_banner.fail.sh +@@ -1,5 +1,3 @@ + #!/bin/bash +-# +-# profiles = xccdf_org.ssgproject.content_profile_ospp + + echo "This is not the expected banner" > /etc/motd +diff --git a/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/tests/banner_etc_motd_ospp_usbcg_banner.pass.sh b/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/tests/banner_etc_motd_ospp_usbcg_banner.pass.sh +index 41894c998b..5abacbb535 100644 +--- a/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/tests/banner_etc_motd_ospp_usbcg_banner.pass.sh ++++ b/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/tests/banner_etc_motd_ospp_usbcg_banner.pass.sh +@@ -1,6 +1,4 @@ + #!/bin/bash +-# +-# profiles = xccdf_org.ssgproject.content_profile_ospp + + # usgcb_default banner + echo "-- WARNING -- This system is for the use of authorized users only. Individuals + +From 4cb5b1f167a1ac3de94626d82eb6d3779a443475 Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Thu, 19 Mar 2020 18:04:14 +0100 +Subject: [PATCH 4/4] Remove test that doesn't make sense + +At the moment no profile selects this rules. +The value of the variable will be the default (first) value of +variable login_banner_text. Thus, second pass test doesn't make sense. +--- + .../tests/banner_etc_motd_ospp_usbcg_banner.pass.sh | 10 ---------- + 1 file changed, 10 deletions(-) + delete mode 100644 linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/tests/banner_etc_motd_ospp_usbcg_banner.pass.sh + +diff --git a/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/tests/banner_etc_motd_ospp_usbcg_banner.pass.sh b/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/tests/banner_etc_motd_ospp_usbcg_banner.pass.sh +deleted file mode 100644 +index 5abacbb535..0000000000 +--- a/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/tests/banner_etc_motd_ospp_usbcg_banner.pass.sh ++++ /dev/null +@@ -1,10 +0,0 @@ +-#!/bin/bash +- +-# usgcb_default banner +-echo "-- WARNING -- This system is for the use of authorized users only. Individuals +-using this computer system without authority or in excess of their authority +-are subject to having all their activities on this system monitored and +-recorded by system personnel. Anyone using this system expressly consents to +-such monitoring and is advised that if such monitoring reveals possible +-evidence of criminal activity system personal may provide the evidence of such +-monitoring to law enforcement officials." > /etc/motd diff --git a/SOURCES/scap-security-guide-0.1.50-fix_boot_target_after_xorg_removed_PR_5625.patch b/SOURCES/scap-security-guide-0.1.50-fix_boot_target_after_xorg_removed_PR_5625.patch new file mode 100644 index 0000000..663f92b --- /dev/null +++ b/SOURCES/scap-security-guide-0.1.50-fix_boot_target_after_xorg_removed_PR_5625.patch @@ -0,0 +1,538 @@ +From 6429aa7d29a6c93a6c6826d6fa99cee162ed1c22 Mon Sep 17 00:00:00 2001 +From: Gabriel Becker +Date: Mon, 20 Apr 2020 12:50:27 +0200 +Subject: [PATCH 01/10] Add warning to package_xorg-x11-server-common_removed. + +When this package is removed from a GUI environment system, it may end up with a black +screen after restarting it. +--- + .../package_xorg-x11-server-common_removed/rule.yml | 12 ++++++++++-- + 1 file changed, 10 insertions(+), 2 deletions(-) + +diff --git a/linux_os/guide/services/xwindows/disabling_xwindows/package_xorg-x11-server-common_removed/rule.yml b/linux_os/guide/services/xwindows/disabling_xwindows/package_xorg-x11-server-common_removed/rule.yml +index 4ce51a8141..04ee90b4d5 100644 +--- a/linux_os/guide/services/xwindows/disabling_xwindows/package_xorg-x11-server-common_removed/rule.yml ++++ b/linux_os/guide/services/xwindows/disabling_xwindows/package_xorg-x11-server-common_removed/rule.yml +@@ -9,8 +9,8 @@ description: |- + installed. If X Windows is not installed then the system cannot boot into graphical user mode. + This prevents the system from being accidentally or maliciously booted into a graphical.target + mode. To do so, run the following command: +- 
$ sudo yum groupremove "X Window System"
+- 
$ sudo yum remove xorg-x11-server-common
++ 
$ sudo {{{ pkg_manager }}} groupremove "X Window System"
++ 
$ sudo {{{ pkg_manager }}} remove xorg-x11-server-common
+ + rationale: |- + Unnecessary service packages must not be installed to decrease the attack surface of the system. X windows has a long history of security +@@ -47,6 +47,14 @@ ocil: |- + The output should be: + 
package xorg-x11-server-common is not installed
+ ++warnings: ++ - functionality: |- ++ The installation and use of a Graphical User Interface (GUI) increases your attack vector and decreases your ++ overall security posture. Removing the package xorg-x11-server-common package can ++ potentially remove the graphical target which might bring your system to an inconsistent state requiring ++ additional configuration to access the system again. If a GUI is an operational requirement, a tailored profile ++ that removes this rule should used before continuing installation. ++ + template: + name: package_removed + vars: + +From 9f767c7c60e1a5b35e30cbe7f9d81288dd26ac9e Mon Sep 17 00:00:00 2001 +From: Gabriel Becker +Date: Mon, 20 Apr 2020 12:51:48 +0200 +Subject: [PATCH 02/10] SSGTS: Encode string to UTF-8 before writing into file. + +--- + tests/ssg_test_suite/oscap.py | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/tests/ssg_test_suite/oscap.py b/tests/ssg_test_suite/oscap.py +index 301c326835..2858963373 100644 +--- a/tests/ssg_test_suite/oscap.py ++++ b/tests/ssg_test_suite/oscap.py +@@ -170,7 +170,7 @@ def run_stage_remediation_ansible(run_type, formatting, verbose_path): + # Appends output of ansible-playbook to the verbose_path file. + with open(verbose_path, 'a') as f: + f.write('Stdout of "{}":'.format(command_string)) +- f.write(output) ++ f.write(output.encode("utf-8")) + if returncode != 0: + msg = ( + 'Ansible playbook remediation run has ' +@@ -199,7 +199,7 @@ def run_stage_remediation_bash(run_type, formatting, verbose_path): + # Appends output of script execution to the verbose_path file. + with open(verbose_path, 'a') as f: + f.write('Stdout of "{}":'.format(command_string)) +- f.write(output) ++ f.write(output.encode("utf-8")) + if returncode != 0: + msg = ( + 'Bash script remediation run has exited with return code {} ' + +From 2cb9a0eac96e2dd44c2ca8e50c8460e9f220f977 Mon Sep 17 00:00:00 2001 +From: Gabriel Becker +Date: Mon, 20 Apr 2020 12:52:36 +0200 +Subject: [PATCH 03/10] Add check and remediation for xwindows_runlevel_target. + +Select this rule in profiles (RHEL6 profiles are not included) that select +package_xorg-x11-server-common_removed since this rule removes a +package that is dependent when using a system with GUI and the target +needs to be changed from graphical.target to multi-user.target otherwise +the system ends with having a black screen after restarting it. +--- + .../ansible/shared.yml | 12 +++++ + .../xwindows_runlevel_target/bash/shared.sh | 7 +++ + .../xwindows_runlevel_target/oval/shared.xml | 49 +++++++++++++++++++ + .../xwindows_runlevel_target/rule.yml | 3 +- + .../tests/correct_target.pass.sh | 5 ++ + .../tests/wrong_target.fail.sh | 5 ++ + rhel7/profiles/cis.profile | 1 + + 10 files changed, 84 insertions(+), 1 deletion(-) + create mode 100644 linux_os/guide/services/xwindows/disabling_xwindows/xwindows_runlevel_target/ansible/shared.yml + create mode 100644 linux_os/guide/services/xwindows/disabling_xwindows/xwindows_runlevel_target/bash/shared.sh + create mode 100644 linux_os/guide/services/xwindows/disabling_xwindows/xwindows_runlevel_target/oval/shared.xml + create mode 100644 linux_os/guide/services/xwindows/disabling_xwindows/xwindows_runlevel_target/tests/correct_target.pass.sh + create mode 100644 linux_os/guide/services/xwindows/disabling_xwindows/xwindows_runlevel_target/tests/wrong_target.fail.sh + +diff --git a/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_runlevel_target/ansible/shared.yml b/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_runlevel_target/ansible/shared.yml +new file mode 100644 +index 0000000000..49cdaeb7aa +--- /dev/null ++++ b/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_runlevel_target/ansible/shared.yml +@@ -0,0 +1,12 @@ ++# platform = multi_platform_sle,multi_platform_rhv,multi_platform_fedora,Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8 ++# reboot = true ++# strategy = restrict ++# complexity = low ++# disruption = low ++ ++- name: get default target ++ command: systemctl get-default ++ register: default_target ++- name: Switch to multi-user runlevel ++ command: systemctl set-default multi-user.target ++ when: default_target.stdout != "multi-user.target" +diff --git a/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_runlevel_target/bash/shared.sh b/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_runlevel_target/bash/shared.sh +new file mode 100644 +index 0000000000..289a38483c +--- /dev/null ++++ b/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_runlevel_target/bash/shared.sh +@@ -0,0 +1,7 @@ ++# platform = multi_platform_sle,multi_platform_rhv,multi_platform_fedora,Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8 ++# reboot = true ++# strategy = restrict ++# complexity = low ++# disruption = low ++ ++systemctl set-default multi-user.target +diff --git a/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_runlevel_target/oval/shared.xml b/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_runlevel_target/oval/shared.xml +new file mode 100644 +index 0000000000..94c372ffec +--- /dev/null ++++ b/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_runlevel_target/oval/shared.xml +@@ -0,0 +1,49 @@ ++{{%- if init_system == "systemd" and target_oval_version == [5, 10] -%}} ++{{# this is the only scenario this definition cannot handle, there is no good alternative for symlink_test for OVAL 5.10 #}} ++{{%- else -%}} ++ ++ ++ ++ Disable X Windows Startup By Setting Default SystemD Target ++ {{{- oval_affected(products) }}} ++ {{%- if init_system == "systemd" %}} ++ Checks /etc/systemd/system/default.target to ensure that the default runlevel target is set to multi-user.target. ++ {{%- else %}} ++ Checks /etc/inittab to ensure that default runlevel is set to 3. ++ {{%- endif %}} ++ ++ {{%- if init_system == "systemd" %}} ++ ++ ++ ++ {{%- else %}} ++ ++ ++ ++ {{%- endif %}} ++ ++ {{%- if init_system == "systemd" %}} ++ ++ ++ ++ ++ ++ /etc/systemd/system/default.target ++ ++ ++ /etc/systemd/system/default.target ++ ^/usr/lib/systemd/system/multi-user.target$ ++ ++ {{%- else %}} ++ ++ ++ ++ ++ /etc/inittab ++ ^[\s]*id:3:initdefault:[\s]*$ ++ 1 ++ ++ {{%- endif %}} ++ ++{{%- endif -%}} ++ +diff --git a/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_runlevel_target/rule.yml b/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_runlevel_target/rule.yml +index ed5882941c..cd04fcde8f 100644 +--- a/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_runlevel_target/rule.yml ++++ b/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_runlevel_target/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: fedora,rhel7,rhel8 ++prodtype: fedora,rhel7,rhel8,sle12,rhv4 + + title: 'Disable X Windows Startup By Setting Default Target' + +@@ -24,6 +24,7 @@ severity: medium + + identifiers: + cce@rhel7: 27285-6 ++ cce@rhel8: 83380-6 + + references: + disa: "366" +diff --git a/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_runlevel_target/tests/correct_target.pass.sh b/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_runlevel_target/tests/correct_target.pass.sh +new file mode 100644 +index 0000000000..33835c8f50 +--- /dev/null ++++ b/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_runlevel_target/tests/correct_target.pass.sh +@@ -0,0 +1,5 @@ ++#!/bin/bash ++# platform = multi_platform_sle,multi_platform_rhv,multi_platform_fedora,Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8 ++ ++rm -f /etc/systemd/system/default.target ++ln -s /usr/lib/systemd/system/multi-user.target /etc/systemd/system/default.target +diff --git a/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_runlevel_target/tests/wrong_target.fail.sh b/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_runlevel_target/tests/wrong_target.fail.sh +new file mode 100644 +index 0000000000..9313dbb5a2 +--- /dev/null ++++ b/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_runlevel_target/tests/wrong_target.fail.sh +@@ -0,0 +1,5 @@ ++#!/bin/bash ++# platform = multi_platform_sle,multi_platform_rhv,multi_platform_fedora,Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8 ++ ++rm -f /etc/systemd/system/default.target ++ln -s /usr/lib/systemd/system/graphical.target /etc/systemd/system/default.target +diff --git a/rhel7/profiles/cis.profile b/rhel7/profiles/cis.profile +index 886e9a963a..0826a49547 100644 +--- a/rhel7/profiles/cis.profile ++++ b/rhel7/profiles/cis.profile +@@ -226,6 +226,7 @@ selections: + + ### 2.2.2 Ensure X Window System is not installed (Scored) + - package_xorg-x11-server-common_removed ++ - xwindows_runlevel_target + + ### 2.2.3 Ensure Avahi Server is not enabled (Scored) + - service_avahi-daemon_disabled + +From 3e1381a89b54591b7ca6a6b54cf56c6594cb87c0 Mon Sep 17 00:00:00 2001 +From: Gabriel Becker +Date: Mon, 20 Apr 2020 17:46:08 +0200 +Subject: [PATCH 04/10] Simplify xwindows_runlevel_target artifacts. + +--- + .../rule.yml | 2 ++ + .../ansible/shared.yml | 1 + + .../xwindows_runlevel_target/oval/shared.xml | 23 +------------------ + .../tests/correct_target.pass.sh | 3 +-- + .../tests/wrong_target.fail.sh | 3 +-- + 5 files changed, 6 insertions(+), 26 deletions(-) + +diff --git a/linux_os/guide/services/xwindows/disabling_xwindows/package_xorg-x11-server-common_removed/rule.yml b/linux_os/guide/services/xwindows/disabling_xwindows/package_xorg-x11-server-common_removed/rule.yml +index 04ee90b4d5..934205472b 100644 +--- a/linux_os/guide/services/xwindows/disabling_xwindows/package_xorg-x11-server-common_removed/rule.yml ++++ b/linux_os/guide/services/xwindows/disabling_xwindows/package_xorg-x11-server-common_removed/rule.yml +@@ -9,7 +9,9 @@ description: |- + installed. If X Windows is not installed then the system cannot boot into graphical user mode. + This prevents the system from being accidentally or maliciously booted into a graphical.target + mode. To do so, run the following command: ++ {{%- if product != "rhel8" and product != "rhv4" -%}} + 
$ sudo {{{ pkg_manager }}} groupremove "X Window System"
++ {{%- endif %}} + 
$ sudo {{{ pkg_manager }}} remove xorg-x11-server-common
+ + rationale: |- +diff --git a/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_runlevel_target/ansible/shared.yml b/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_runlevel_target/ansible/shared.yml +index 49cdaeb7aa..2677c96ac7 100644 +--- a/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_runlevel_target/ansible/shared.yml ++++ b/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_runlevel_target/ansible/shared.yml +@@ -7,6 +7,7 @@ + - name: get default target + command: systemctl get-default + register: default_target ++ + - name: Switch to multi-user runlevel + command: systemctl set-default multi-user.target + when: default_target.stdout != "multi-user.target" +diff --git a/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_runlevel_target/oval/shared.xml b/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_runlevel_target/oval/shared.xml +index 94c372ffec..16e15df8e1 100644 +--- a/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_runlevel_target/oval/shared.xml ++++ b/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_runlevel_target/oval/shared.xml +@@ -6,23 +6,12 @@ + + Disable X Windows Startup By Setting Default SystemD Target + {{{- oval_affected(products) }}} +- {{%- if init_system == "systemd" %}} +- Checks /etc/systemd/system/default.target to ensure that the default runlevel target is set to multi-user.target. +- {{%- else %}} +- Checks /etc/inittab to ensure that default runlevel is set to 3. +- {{%- endif %}} ++ Ensure that the default runlevel target is set to multi-user.target. + +- {{%- if init_system == "systemd" %}} + + + +- {{%- else %}} +- +- +- +- {{%- endif %}} + +- {{%- if init_system == "systemd" %}} + + + +@@ -34,16 +23,6 @@ + /etc/systemd/system/default.target + ^/usr/lib/systemd/system/multi-user.target$ + +- {{%- else %}} +- +- +- +- +- /etc/inittab +- ^[\s]*id:3:initdefault:[\s]*$ +- 1 +- +- {{%- endif %}} + + {{%- endif -%}} + +diff --git a/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_runlevel_target/tests/correct_target.pass.sh b/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_runlevel_target/tests/correct_target.pass.sh +index 33835c8f50..f7837a25b7 100644 +--- a/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_runlevel_target/tests/correct_target.pass.sh ++++ b/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_runlevel_target/tests/correct_target.pass.sh +@@ -1,5 +1,4 @@ + #!/bin/bash + # platform = multi_platform_sle,multi_platform_rhv,multi_platform_fedora,Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8 + +-rm -f /etc/systemd/system/default.target +-ln -s /usr/lib/systemd/system/multi-user.target /etc/systemd/system/default.target ++systemctl set-default multi-user.target +diff --git a/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_runlevel_target/tests/wrong_target.fail.sh b/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_runlevel_target/tests/wrong_target.fail.sh +index 9313dbb5a2..5a20e8ce3a 100644 +--- a/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_runlevel_target/tests/wrong_target.fail.sh ++++ b/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_runlevel_target/tests/wrong_target.fail.sh +@@ -1,5 +1,4 @@ + #!/bin/bash + # platform = multi_platform_sle,multi_platform_rhv,multi_platform_fedora,Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8 + +-rm -f /etc/systemd/system/default.target +-ln -s /usr/lib/systemd/system/graphical.target /etc/systemd/system/default.target ++systemctl set-default graphical.target + +From bf0a5b6760b58ae5a7927781af3f24443b732554 Mon Sep 17 00:00:00 2001 +From: Gabriel Becker +Date: Mon, 20 Apr 2020 23:23:00 +0200 +Subject: [PATCH 05/10] Update list of available CCE. + +--- + shared/references/cce-redhat-avail.txt | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt +index c10448ff8d..4debf015dd 100644 +--- a/shared/references/cce-redhat-avail.txt ++++ b/shared/references/cce-redhat-avail.txt +@@ -71,7 +71,6 @@ CCE-83376-4 + CCE-83377-2 + CCE-83378-0 + CCE-83379-8 +-CCE-83380-6 + CCE-83381-4 + CCE-83382-2 + CCE-83383-0 + +From e4ab5d8502aba4e4f55aa1d6394fe47f893e68ff Mon Sep 17 00:00:00 2001 +From: Gabriel Becker +Date: Thu, 23 Apr 2020 16:01:06 +0200 +Subject: [PATCH 06/10] Update ansible remediation for xwindows_runlevel_target + to use file module. + +--- + .../xwindows_runlevel_target/ansible/shared.yml | 11 +++++------ + 1 file changed, 5 insertions(+), 6 deletions(-) + +diff --git a/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_runlevel_target/ansible/shared.yml b/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_runlevel_target/ansible/shared.yml +index 2677c96ac7..72a3c5415a 100644 +--- a/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_runlevel_target/ansible/shared.yml ++++ b/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_runlevel_target/ansible/shared.yml +@@ -4,10 +4,9 @@ + # complexity = low + # disruption = low + +-- name: get default target +- command: systemctl get-default +- register: default_target +- + - name: Switch to multi-user runlevel +- command: systemctl set-default multi-user.target +- when: default_target.stdout != "multi-user.target" ++ file: ++ src: /usr/lib/systemd/system/multi-user.target ++ dest: /etc/systemd/system/default.target ++ state: link ++ force: yes + +From d19185cd39abcb413351894384a8c603ee768470 Mon Sep 17 00:00:00 2001 +From: Gabriel Becker +Date: Thu, 23 Apr 2020 16:01:52 +0200 +Subject: [PATCH 07/10] Update rule package_xorg-x11-server-common_removed + metadata. + +For RHEL8 based products the group id that represents base Xorg packages +is called "base-x". +--- + .../package_xorg-x11-server-common_removed/rule.yml | 12 +++++++----- + 1 file changed, 7 insertions(+), 5 deletions(-) + +diff --git a/linux_os/guide/services/xwindows/disabling_xwindows/package_xorg-x11-server-common_removed/rule.yml b/linux_os/guide/services/xwindows/disabling_xwindows/package_xorg-x11-server-common_removed/rule.yml +index 934205472b..099ef2bc7b 100644 +--- a/linux_os/guide/services/xwindows/disabling_xwindows/package_xorg-x11-server-common_removed/rule.yml ++++ b/linux_os/guide/services/xwindows/disabling_xwindows/package_xorg-x11-server-common_removed/rule.yml +@@ -9,7 +9,9 @@ description: |- + installed. If X Windows is not installed then the system cannot boot into graphical user mode. + This prevents the system from being accidentally or maliciously booted into a graphical.target + mode. To do so, run the following command: +- {{%- if product != "rhel8" and product != "rhv4" -%}} ++ {{%- if product == "rhel8" or product == "rhv4" -%}} ++ 
$ sudo {{{ pkg_manager }}} groupremove base-x
++ {{%- else %}} + 
$ sudo {{{ pkg_manager }}} groupremove "X Window System"
+ {{%- endif %}} + 
$ sudo {{{ pkg_manager }}} remove xorg-x11-server-common
+@@ -52,10 +54,10 @@ ocil: |- + warnings: + - functionality: |- + The installation and use of a Graphical User Interface (GUI) increases your attack vector and decreases your +- overall security posture. Removing the package xorg-x11-server-common package can +- potentially remove the graphical target which might bring your system to an inconsistent state requiring +- additional configuration to access the system again. If a GUI is an operational requirement, a tailored profile +- that removes this rule should used before continuing installation. ++ overall security posture. Removing the package xorg-x11-server-common package will remove the graphical target ++ which might bring your system to an inconsistent state requiring additional configuration to access the system ++ again. If a GUI is an operational requirement, a tailored profile that removes this rule should used before ++ continuing installation. + + template: + name: package_removed + +From 568ea36774cd41778c5ffcb004c11b538697f39b Mon Sep 17 00:00:00 2001 +From: Gabriel Becker +Date: Thu, 23 Apr 2020 17:13:58 +0200 +Subject: [PATCH 08/10] OVAL Check for xwindows_runlevel_target consider files + from both /usr and /lib directory prefix. + +--- + .../xwindows_runlevel_target/oval/shared.xml | 2 +- + .../tests/correct_target_under_lib.pass.sh | 4 ++++ + .../tests/wrong_target_under_lib.fail.sh | 4 ++++ + 3 files changed, 9 insertions(+), 1 deletion(-) + create mode 100644 linux_os/guide/services/xwindows/disabling_xwindows/xwindows_runlevel_target/tests/correct_target_under_lib.pass.sh + create mode 100644 linux_os/guide/services/xwindows/disabling_xwindows/xwindows_runlevel_target/tests/wrong_target_under_lib.fail.sh + +diff --git a/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_runlevel_target/oval/shared.xml b/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_runlevel_target/oval/shared.xml +index 16e15df8e1..97f51c3140 100644 +--- a/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_runlevel_target/oval/shared.xml ++++ b/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_runlevel_target/oval/shared.xml +@@ -21,7 +21,7 @@ + + + /etc/systemd/system/default.target +- ^/usr/lib/systemd/system/multi-user.target$ ++ ^(/usr)?/lib/systemd/system/multi-user.target$ + + + {{%- endif -%}} +diff --git a/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_runlevel_target/tests/correct_target_under_lib.pass.sh b/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_runlevel_target/tests/correct_target_under_lib.pass.sh +new file mode 100644 +index 0000000000..f7837a25b7 +--- /dev/null ++++ b/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_runlevel_target/tests/correct_target_under_lib.pass.sh +@@ -0,0 +1,4 @@ ++#!/bin/bash ++# platform = multi_platform_sle,multi_platform_rhv,multi_platform_fedora,Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8 ++ ++systemctl set-default multi-user.target +diff --git a/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_runlevel_target/tests/wrong_target_under_lib.fail.sh b/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_runlevel_target/tests/wrong_target_under_lib.fail.sh +new file mode 100644 +index 0000000000..408409b9b1 +--- /dev/null ++++ b/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_runlevel_target/tests/wrong_target_under_lib.fail.sh +@@ -0,0 +1,4 @@ ++#!/bin/bash ++# platform = multi_platform_sle,multi_platform_rhv,multi_platform_fedora,Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8 ++ ++ln -sf /lib/systemd/system/graphical.target /etc/systemd/system/default.target + +From e39030c464385251d0688ccb609ad10718b22359 Mon Sep 17 00:00:00 2001 +From: Gabriel Becker +Date: Thu, 23 Apr 2020 17:14:51 +0200 +Subject: [PATCH 09/10] Update command output from instructions on how to + manually set multi-user.target. + +--- + .../disabling_xwindows/xwindows_runlevel_target/rule.yml | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_runlevel_target/rule.yml b/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_runlevel_target/rule.yml +index cd04fcde8f..79457b2b4f 100644 +--- a/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_runlevel_target/rule.yml ++++ b/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_runlevel_target/rule.yml +@@ -11,8 +11,8 @@ description: |- + multi-user.target will prevent automatic startup of the X server. To do so, run: + 
$ systemctl set-default multi-user.target
+ You should see the following output: +- 
rm '/etc/systemd/system/default.target'
+-    ln -s '/usr/lib/systemd/system/multi-user.target' '/etc/systemd/system/default.target'
++ 
Removed symlink /etc/systemd/system/default.target.
++    Created symlink from /etc/systemd/system/default.target to /usr/lib/systemd/system/multi-user.target.
+ + rationale: |- + Services that are not required for system and application processes + +From 2965265fcaf9b14b53866e33d18eeb89f50902c1 Mon Sep 17 00:00:00 2001 +From: Gabriel Becker +Date: Thu, 23 Apr 2020 17:32:21 +0200 +Subject: [PATCH 10/10] Fix location of symlink created by test scenario for + xwindows_runlevel_target. + +--- + .../tests/correct_target_under_lib.pass.sh | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_runlevel_target/tests/correct_target_under_lib.pass.sh b/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_runlevel_target/tests/correct_target_under_lib.pass.sh +index f7837a25b7..dc698edc50 100644 +--- a/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_runlevel_target/tests/correct_target_under_lib.pass.sh ++++ b/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_runlevel_target/tests/correct_target_under_lib.pass.sh +@@ -1,4 +1,4 @@ + #!/bin/bash + # platform = multi_platform_sle,multi_platform_rhv,multi_platform_fedora,Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8 + +-systemctl set-default multi-user.target ++ln -sf /lib/systemd/system/multi-user.target /etc/systemd/system/default.target diff --git a/SOURCES/scap-security-guide-0.1.50-fix_chronyd_rule_title_PR_5309.patch b/SOURCES/scap-security-guide-0.1.50-fix_chronyd_rule_title_PR_5309.patch new file mode 100644 index 0000000..37cbac1 --- /dev/null +++ b/SOURCES/scap-security-guide-0.1.50-fix_chronyd_rule_title_PR_5309.patch @@ -0,0 +1,22 @@ +From 6cf3a337a6f69d93ac31a344ccf039bfa3a93d66 Mon Sep 17 00:00:00 2001 +From: Vojtech Polasek +Date: Wed, 18 Mar 2020 17:49:57 +0100 +Subject: [PATCH] remove ntp mention from rule title + +--- + .../guide/services/ntp/chronyd_specify_remote_server/rule.yml | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/linux_os/guide/services/ntp/chronyd_specify_remote_server/rule.yml b/linux_os/guide/services/ntp/chronyd_specify_remote_server/rule.yml +index b2177fc76e..bc8815b068 100644 +--- a/linux_os/guide/services/ntp/chronyd_specify_remote_server/rule.yml ++++ b/linux_os/guide/services/ntp/chronyd_specify_remote_server/rule.yml +@@ -1,7 +1,7 @@ + documentation_complete: true + + +-title: 'A remote NTP server for Chrony is configured' ++title: 'A remote time server for Chrony is configured' + + description: |- + Chrony is a daemon which implements the Network Time Protocol (NTP). It is designed to diff --git a/SOURCES/scap-security-guide-0.1.50-fix_ipv6_disable_rule_PR_5547.patch b/SOURCES/scap-security-guide-0.1.50-fix_ipv6_disable_rule_PR_5547.patch new file mode 100644 index 0000000..4be74b6 --- /dev/null +++ b/SOURCES/scap-security-guide-0.1.50-fix_ipv6_disable_rule_PR_5547.patch @@ -0,0 +1,488 @@ +From c91d25e9398028bd9b0032a776456bf5ff6fdeed Mon Sep 17 00:00:00 2001 +From: Vojtech Polasek +Date: Tue, 31 Mar 2020 12:45:32 +0200 +Subject: [PATCH 1/5] modify templates + +--- + shared/templates/template_OVAL_grub2_bootloader_argument | 2 +- + ssg/templates.py | 3 +++ + 2 files changed, 4 insertions(+), 1 deletion(-) + +diff --git a/shared/templates/template_OVAL_grub2_bootloader_argument b/shared/templates/template_OVAL_grub2_bootloader_argument +index 77497d21bc..132e676cc5 100644 +--- a/shared/templates/template_OVAL_grub2_bootloader_argument ++++ b/shared/templates/template_OVAL_grub2_bootloader_argument +@@ -1,5 +1,5 @@ + +- ++ + + Ensure GRUB 2 is configured to run Linux operating system with argument {{{ ARG_NAME_VALUE }}} + {{{- oval_affected(products) }}} +diff --git a/ssg/templates.py b/ssg/templates.py +index e5ed4890b4..7e4264d0e2 100644 +--- a/ssg/templates.py ++++ b/ssg/templates.py +@@ -200,6 +200,9 @@ def file_permissions(data, lang): + + @template(["ansible", "bash", "oval"]) + def grub2_bootloader_argument(data, lang): ++ if lang == "oval": ++ # solve the case where argument contains dot ++ data["arg_name"].replace(".", "\\.") + data["arg_name_value"] = data["arg_name"] + "=" + data["arg_value"] + return data + + +From bd6ebf4ae6e579ef56c6420307e4c39fc5637258 Mon Sep 17 00:00:00 2001 +From: Vojtech Polasek +Date: Tue, 31 Mar 2020 12:46:56 +0200 +Subject: [PATCH 2/5] rename rule, add tests + +--- + .../rule.yml | 0 + .../arg_not_there_etcdefaultgrub.fail.sh | 7 ++++++ + ...e_etcdefaultgrub_recovery_disabled.fail.sh | 17 +++++++++++++ + .../tests/arg_not_there_rhel7.fail.sh | 8 +++++++ + .../tests/arg_not_there_rhel8.fail.sh | 8 +++++++ + .../tests/correct_grubby.pass.sh | 13 ++++++++++ + .../tests/correct_grubenv.pass.sh | 4 ++++ + .../tests/correct_recovery_disabled.pass.sh | 24 +++++++++++++++++++ + .../tests/correct_value.pass.sh | 12 ++++++++++ + .../tests/wrong_value_etcdefaultgrub.fail.sh | 11 +++++++++ + ...e_etcdefaultgrub_recovery_disabled.fail.sh | 22 +++++++++++++++++ + .../tests/wrong_value_rhel7.fail.sh | 13 ++++++++++ + .../tests/wrong_value_rhel8.fail.sh | 12 ++++++++++ + 13 files changed, 151 insertions(+) + rename linux_os/guide/system/network/network-ipv6/disabling_ipv6/{grub2_disable_ipv6 => grub2_ipv6_disable_argument}/rule.yml (100%) + create mode 100644 linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_ipv6_disable_argument/tests/arg_not_there_etcdefaultgrub.fail.sh + create mode 100644 linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_ipv6_disable_argument/tests/arg_not_there_etcdefaultgrub_recovery_disabled.fail.sh + create mode 100644 linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_ipv6_disable_argument/tests/arg_not_there_rhel7.fail.sh + create mode 100644 linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_ipv6_disable_argument/tests/arg_not_there_rhel8.fail.sh + create mode 100644 linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_ipv6_disable_argument/tests/correct_grubby.pass.sh + create mode 100644 linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_ipv6_disable_argument/tests/correct_grubenv.pass.sh + create mode 100644 linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_ipv6_disable_argument/tests/correct_recovery_disabled.pass.sh + create mode 100644 linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_ipv6_disable_argument/tests/correct_value.pass.sh + create mode 100644 linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_ipv6_disable_argument/tests/wrong_value_etcdefaultgrub.fail.sh + create mode 100644 linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_ipv6_disable_argument/tests/wrong_value_etcdefaultgrub_recovery_disabled.fail.sh + create mode 100644 linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_ipv6_disable_argument/tests/wrong_value_rhel7.fail.sh + create mode 100644 linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_ipv6_disable_argument/tests/wrong_value_rhel8.fail.sh + +diff --git a/linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_disable_ipv6/rule.yml b/linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_ipv6_disable_argument/rule.yml +similarity index 100% +rename from linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_disable_ipv6/rule.yml +rename to linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_ipv6_disable_argument/rule.yml +diff --git a/linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_ipv6_disable_argument/tests/arg_not_there_etcdefaultgrub.fail.sh b/linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_ipv6_disable_argument/tests/arg_not_there_etcdefaultgrub.fail.sh +new file mode 100644 +index 0000000000..33f6be147e +--- /dev/null ++++ b/linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_ipv6_disable_argument/tests/arg_not_there_etcdefaultgrub.fail.sh +@@ -0,0 +1,7 @@ ++#!/bin/bas ++# platform = Red Hat Enterprise Linux 7 ++ ++# Removes ipv6.disable argument from kernel command line in /etc/default/grub ++if grep -q '^GRUB_CMDLINE_LINUX=.*ipv6\.disable=.*"' '/etc/default/grub' ; then ++ sed -i 's/\(^GRUB_CMDLINE_LINUX=".*\)ipv6\.disable=[^[:space:]]*\(.*"\)/\1 \2/' '/etc/default/grub' ++fi +diff --git a/linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_ipv6_disable_argument/tests/arg_not_there_etcdefaultgrub_recovery_disabled.fail.sh b/linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_ipv6_disable_argument/tests/arg_not_there_etcdefaultgrub_recovery_disabled.fail.sh +new file mode 100644 +index 0000000000..6163f9fbaa +--- /dev/null ++++ b/linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_ipv6_disable_argument/tests/arg_not_there_etcdefaultgrub_recovery_disabled.fail.sh +@@ -0,0 +1,17 @@ ++#!/bin/bash ++# platform = Red Hat Enterprise Linux 7 ++# Removes ipv6.disable argument from kernel command line in /etc/default/grub ++if grep -q '^GRUB_CMDLINE_LINUX_DEFAULT=.*ipv6\.disable=.*"' '/etc/default/grub' ; then ++ sed -i 's/\(^GRUB_CMDLINE_LINUX_DEFAULT=".*\)ipv6\.disable=[^[:space:]]*\(.*"\)/\1 \2/' '/etc/default/grub' ++fi ++ ++# removing the parameter from the no recovery kernel parameters as well ++sed -i 's/\(^GRUB_CMDLINE_LINUX=".*\)ipv6\.disable=[^[:space:]]*\(.*"\)/\1 \2/' '/etc/default/grub' ++ ++# disabling recovery ++sed -i 's/\(^.*GRUB_DISABLE_RECOVERY=\).*/\1true/' '/etc/default/grub' ++ ++#if the line is not present at all, add it ++if ! grep -q '^GRUB_CMDLINE_LINUX_DEFAULT=.*$' '/etc/default/grub'; then ++ echo 'GRUB_CMDLINE_LINUX_DEFAULT=""' >> /etc/default/grub ++fi +diff --git a/linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_ipv6_disable_argument/tests/arg_not_there_rhel7.fail.sh b/linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_ipv6_disable_argument/tests/arg_not_there_rhel7.fail.sh +new file mode 100644 +index 0000000000..5becb561a6 +--- /dev/null ++++ b/linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_ipv6_disable_argument/tests/arg_not_there_rhel7.fail.sh +@@ -0,0 +1,8 @@ ++#!/bin/bash ++# platform = Red Hat Enterprise Linux 7 ++ ++# Removes ipv6.disable argument from kernel command line in /boot/grub2/grub.cfg ++file="/boot/grub2/grub.cfg" ++if grep -q '^.*ipv6\.disable=.*' "$file" ; then ++ sed -i 's/\(^.*\)ipv6\.disable=[^[:space:]]*\(.*\)/\1 \2/' "$file" ++fi +diff --git a/linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_ipv6_disable_argument/tests/arg_not_there_rhel8.fail.sh b/linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_ipv6_disable_argument/tests/arg_not_there_rhel8.fail.sh +new file mode 100644 +index 0000000000..5d8daaa6bc +--- /dev/null ++++ b/linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_ipv6_disable_argument/tests/arg_not_there_rhel8.fail.sh +@@ -0,0 +1,8 @@ ++#!/bin/bash ++# platform = Red Hat Enterprise Linux 8 ++ ++# Removes ipv6.disable argument from kernel command line in /boot/grub2/grubenv ++file="/boot/grub2/grubenv" ++if grep -q '^.*ipv6\.disable=.*' "$file" ; then ++ sed -i 's/\(^.*\)ipv6\.disable=[^[:space:]]*\(.*\)/\1 \2/' "$file" ++fi +diff --git a/linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_ipv6_disable_argument/tests/correct_grubby.pass.sh b/linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_ipv6_disable_argument/tests/correct_grubby.pass.sh +new file mode 100644 +index 0000000000..59b18bd049 +--- /dev/null ++++ b/linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_ipv6_disable_argument/tests/correct_grubby.pass.sh +@@ -0,0 +1,13 @@ ++#!/bin/bash ++# platform = Red Hat Enterprise Linux 7 ++ ++# Correct the form of default kernel command line in GRUB /etc/default/grub and applies value through Grubby ++if grep -q '^GRUB_CMDLINE_LINUX=.*ipv6\.disable=.*"' '/etc/default/grub' ; then ++ # modify the GRUB command-line if an ipv6.disable= arg already exists ++ sed -i 's/\(^GRUB_CMDLINE_LINUX=".*\)ipv6\.disable=[^[:space:]]*\(.*"\)/\1 ipv6\.disable=1 \2/' '/etc/default/grub' ++else ++ # no ipv6.disable=arg is present, append it ++ sed -i 's/\(^GRUB_CMDLINE_LINUX=".*\)"/\1 ipv6\.disable=1"/' '/etc/default/grub' ++fi ++ ++grubby --update-kernel=ALL --args="ipv6.disable=1" +diff --git a/linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_ipv6_disable_argument/tests/correct_grubenv.pass.sh b/linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_ipv6_disable_argument/tests/correct_grubenv.pass.sh +new file mode 100644 +index 0000000000..0e84a458ca +--- /dev/null ++++ b/linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_ipv6_disable_argument/tests/correct_grubenv.pass.sh +@@ -0,0 +1,4 @@ ++#!/bin/bash ++# platform = Red Hat Enterprise Linux 8 ++ ++grub2-editenv - set "$(grub2-editenv - list | grep kernelopts) ipv6.disable=1" +diff --git a/linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_ipv6_disable_argument/tests/correct_recovery_disabled.pass.sh b/linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_ipv6_disable_argument/tests/correct_recovery_disabled.pass.sh +new file mode 100644 +index 0000000000..e36f81903d +--- /dev/null ++++ b/linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_ipv6_disable_argument/tests/correct_recovery_disabled.pass.sh +@@ -0,0 +1,24 @@ ++#!/bin/bash ++# platform = Red Hat Enterprise Linux 7 ++ ++# Correct the form of default kernel command line in GRUB /etc/default/grub and applies value through Grubby ++if grep -q '^GRUB_CMDLINE_LINUX_DEFAULT=.*ipv6\.disable=.*"' '/etc/default/grub' ; then ++ # modify the GRUB command-line if an ipv6.disable= arg already exists ++ sed -i 's/\(^GRUB_CMDLINE_LINUX_DEFAULT=".*\)ipv6\.disable=[^[:space:]]*\(.*"\)/\1 ipv6\.disable=1 \2/' '/etc/default/grub' ++else ++ # no ipv6.disable=arg is present, append it ++ sed -i 's/\(^GRUB_CMDLINE_LINUX_DEFAULT=".*\)"/\1 ipv6\.disable=1"/' '/etc/default/grub' ++fi ++ ++# removing the parameter from the no recovery kernel parameters as well ++sed -i 's/\(^GRUB_CMDLINE_LINUX=".*\)ipv6\.disable=[^[:space:]]*\(.*"\)/\1 \2/' '/etc/default/grub' ++ ++# disabling recovery ++sed -i 's/\(^.*GRUB_DISABLE_RECOVERY=\).*/\1true/' '/etc/default/grub' ++ ++#if the line is not present at all, add it ++if ! grep -q '^GRUB_CMDLINE_LINUX_DEFAULT=.*$' '/etc/default/grub'; then ++ echo 'GRUB_CMDLINE_LINUX_DEFAULT="ipv6.disable=1"' >> /etc/default/grub ++fi ++ ++grubby --update-kernel=ALL --args="ipv6.disable=1" +diff --git a/linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_ipv6_disable_argument/tests/correct_value.pass.sh b/linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_ipv6_disable_argument/tests/correct_value.pass.sh +new file mode 100644 +index 0000000000..eb7c07ce7f +--- /dev/null ++++ b/linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_ipv6_disable_argument/tests/correct_value.pass.sh +@@ -0,0 +1,12 @@ ++#!/bin/bash ++ ++# Correct the form of default kernel command line in GRUB /etc/default/grub and applies value through Grubby ++if grep -q '^GRUB_CMDLINE_LINUX=.*ipv6\.disable=.*"' '/etc/default/grub' ; then ++ # modify the GRUB command-line if an ipv6.disable= arg already exists ++ sed -i 's/\(^GRUB_CMDLINE_LINUX=".*\)ipv6\.disable=[^[:space:]]*\(.*"\)/\1 ipv6\.disable=1 \2/' '/etc/default/grub' ++else ++ # no ipv6.disable=arg is present, append it ++ sed -i 's/\(^GRUB_CMDLINE_LINUX=".*\)"/\1 ipv6\.disable=1"/' '/etc/default/grub' ++fi ++ ++grubby --update-kernel=ALL --args="ipv6.disable=1" +diff --git a/linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_ipv6_disable_argument/tests/wrong_value_etcdefaultgrub.fail.sh b/linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_ipv6_disable_argument/tests/wrong_value_etcdefaultgrub.fail.sh +new file mode 100644 +index 0000000000..4e7492b588 +--- /dev/null ++++ b/linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_ipv6_disable_argument/tests/wrong_value_etcdefaultgrub.fail.sh +@@ -0,0 +1,11 @@ ++#!/bin/bash ++# platform = Red Hat Enterprise Linux 7 ++ ++# Break the ipv6.disable argument in kernel command line in /etc/default/grub ++if grep -q '^GRUB_CMDLINE_LINUX=.*ipv6\.disable=.*"' '/etc/default/grub' ; then ++ # modify the GRUB command-line if an ipv6.disable= arg already exists ++ sed -i 's/\(^GRUB_CMDLINE_LINUX=".*\)ipv6\.disable=[^[:space:]]*\(.*"\)/\1 ipv6\.disable=0 \2/' '/etc/default/grub' ++else ++ # no ipv6.disable=arg is present, append it ++ sed -i 's/\(^GRUB_CMDLINE_LINUX=".*\)"/\1 ipv6\.disable=0"/' '/etc/default/grub' ++fi +diff --git a/linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_ipv6_disable_argument/tests/wrong_value_etcdefaultgrub_recovery_disabled.fail.sh b/linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_ipv6_disable_argument/tests/wrong_value_etcdefaultgrub_recovery_disabled.fail.sh +new file mode 100644 +index 0000000000..85cc596ca8 +--- /dev/null ++++ b/linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_ipv6_disable_argument/tests/wrong_value_etcdefaultgrub_recovery_disabled.fail.sh +@@ -0,0 +1,22 @@ ++#!/bin/bash ++# platform = Red Hat Enterprise Linux 7 ++ ++# Break the ipv6.disable argument in kernel command line in /etc/default/grub ++if grep -q '^GRUB_CMDLINE_LINUX_DEFAULT=.*ipv6\.disable=.*"' '/etc/default/grub' ; then ++ # modify the GRUB command-line if an ipv6.disable= arg already exists ++ sed -i 's/\(^GRUB_CMDLINE_LINUX_DEFAULT=".*\)ipv6\.disable=[^[:space:]]*\(.*"\)/\1 ipv6\.disable=0 \2/' '/etc/default/grub' ++else ++ # no ipv6\.disable=arg is present, append it ++ sed -i 's/\(^GRUB_CMDLINE_LINUX_DEFAULT=".*\)"/\1 ipv6\.disable=0"/' '/etc/default/grub' ++fi ++ ++# removing the parameter from the no recovery kernel parameters as well ++sed -i 's/\(^GRUB_CMDLINE_LINUX=".*\)ipv6\.disable=[^[:space:]]*\(.*"\)/\1 \2/' '/etc/default/grub' ++ ++# disabling recovery ++sed -i 's/\(^.*GRUB_DISABLE_RECOVERY=\).*/\1true/' '/etc/default/grub' ++ ++#if the line is not present at all, add it ++if ! grep -q '^GRUB_CMDLINE_LINUX_DEFAULT=.*$' '/etc/default/grub'; then ++ echo 'GRUB_CMDLINE_LINUX_DEFAULT="ipv6.disable=0"' >> /etc/default/grub ++fi +diff --git a/linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_ipv6_disable_argument/tests/wrong_value_rhel7.fail.sh b/linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_ipv6_disable_argument/tests/wrong_value_rhel7.fail.sh +new file mode 100644 +index 0000000000..a37b45c4ad +--- /dev/null ++++ b/linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_ipv6_disable_argument/tests/wrong_value_rhel7.fail.sh +@@ -0,0 +1,13 @@ ++#!/bin/bash ++# platform = Red Hat Enterprise Linux 7 ++ ++# Break the ipv6.disable argument in kernel command line in /boot/grub2/grub.cfg ++file="/boot/grub2/grub.cfg" ++if grep -q '^.*ipv6\.disable=.*' "$file" ; then ++ # modify the GRUB command-line if an ipv6.disable= arg already exists ++ sed -i 's/\(^.*\)ipv6\.disable=[^[:space:]]*\(.*\)/\1 ipv6\.disable=0 \2/' "$file" ++else ++ # no ipv6.disable=arg is present, append it ++ sed -i 's/\(^.*\(vmlinuz\|kernelopts\).*\)/\1 ipv6\.disable=0/' "$file" ++fi ++ +diff --git a/linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_ipv6_disable_argument/tests/wrong_value_rhel8.fail.sh b/linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_ipv6_disable_argument/tests/wrong_value_rhel8.fail.sh +new file mode 100644 +index 0000000000..db339c3534 +--- /dev/null ++++ b/linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_ipv6_disable_argument/tests/wrong_value_rhel8.fail.sh +@@ -0,0 +1,12 @@ ++#!/bin/bash ++# platform = Red Hat Enterprise Linux 8 ++ ++# Break the ipv6.disable argument in kernel command line in /boot/grub2/grubenv ++file="/boot/grub2/grubenv" ++if grep -q '^.*ipv6\.disable=.*' "$file" ; then ++ # modify the GRUB command-line if an ipv6.disable= arg already exists ++ sed -i 's/\(^.*\)ipv6\.disable=[^[:space:]]*\(.*\)/\1 ipv6\.disable=0 \2/' "$file" ++else ++ # no ipv6.disable=arg is present, append it ++ sed -i 's/\(^.*\(vmlinuz\|kernelopts\).*\)/\1 ipv6\.disable=0/' "$file" ++fi + +From b55cda3227d9fdcc1eac91e3e4cd22aaf03e80c5 Mon Sep 17 00:00:00 2001 +From: Vojtech Polasek +Date: Tue, 31 Mar 2020 12:47:20 +0200 +Subject: [PATCH 3/5] adjust cis profiles + +--- + rhel7/profiles/cis.profile | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +diff --git a/rhel7/profiles/cis.profile b/rhel7/profiles/cis.profile +index 76506c9369..739ed27200 100644 +--- a/rhel7/profiles/cis.profile ++++ b/rhel7/profiles/cis.profile +@@ -351,7 +351,7 @@ selections: + - sysctl_net_ipv6_conf_default_accept_redirects + + ### 3.3.3 Ensure IPv6 is disabled (Not Scored) +- - grub2_disable_ipv6 ++ - grub2_ipv6_disable_argument + + ## 3.4 TCP Wrappers + ### 3.4.1 Ensure TCP Wrappers is installed (Scored) + +From 7421ab585ec1e0314298a2dbb6b0b181daf53bce Mon Sep 17 00:00:00 2001 +From: Vojtech Polasek +Date: Tue, 31 Mar 2020 16:04:27 +0200 +Subject: [PATCH 4/5] add escaped dot only in arg_name_value + +--- + ssg/templates.py | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/ssg/templates.py b/ssg/templates.py +index 7e4264d0e2..ba6d8dc7fe 100644 +--- a/ssg/templates.py ++++ b/ssg/templates.py +@@ -200,10 +200,10 @@ def file_permissions(data, lang): + + @template(["ansible", "bash", "oval"]) + def grub2_bootloader_argument(data, lang): ++ data["arg_name_value"] = data["arg_name"] + "=" + data["arg_value"] + if lang == "oval": + # solve the case where argument contains dot +- data["arg_name"].replace(".", "\\.") +- data["arg_name_value"] = data["arg_name"] + "=" + data["arg_value"] ++ data["arg_name_value"] = data["arg_name_value"].replace(".", "\\.") + return data + + + +From 3e41fffc62e50e771a2f410d43bd600c8e5849ee Mon Sep 17 00:00:00 2001 +From: Vojtech Polasek +Date: Wed, 1 Apr 2020 11:58:11 +0200 +Subject: [PATCH 5/5] make oval ids use _ instead of . + +--- + .../template_OVAL_grub2_bootloader_argument | 44 +++++++++---------- + ssg/templates.py | 6 ++- + 2 files changed, 26 insertions(+), 24 deletions(-) + +diff --git a/shared/templates/template_OVAL_grub2_bootloader_argument b/shared/templates/template_OVAL_grub2_bootloader_argument +index 132e676cc5..a18f85f5e8 100644 +--- a/shared/templates/template_OVAL_grub2_bootloader_argument ++++ b/shared/templates/template_OVAL_grub2_bootloader_argument +@@ -7,61 +7,61 @@ + + + {{% if product in ["rhel7", "ol7", "rhv4"] %}} +- + +- + +- + + + + {{% else %}} +- + {{% endif %}} + + + + {{% if product in ["rhel7", "ol7", "rhv4"] %}} +- +- +- ++ ++ + + +- ++ + /etc/default/grub + ^\s*GRUB_CMDLINE_LINUX="(.*)"$ + 1 + + +- +- +- ++ ++ + + +- + /etc/default/grub + ^\s*GRUB_CMDLINE_LINUX_DEFAULT="(.*)"$ + 1 + + +- +- +- ++ ++ + + +- + /boot/grub2/grub.cfg + {{% if product == "rhel7" %}} +@@ -74,14 +74,14 @@ + + {{% else %}} + +- +- +- ++ ++ + + +- + /boot/grub2/grubenv + ^kernelopts=(.*)$ +@@ -90,9 +90,9 @@ + + {{% endif %}} + +- +- ^.*{{{ ARG_NAME_VALUE }}}.*$ ++ ^.*{{{ ESCAPED_ARG_NAME_VALUE }}}.*$ + + + +diff --git a/ssg/templates.py b/ssg/templates.py +index ba6d8dc7fe..3f12968b66 100644 +--- a/ssg/templates.py ++++ b/ssg/templates.py +@@ -202,8 +202,10 @@ def file_permissions(data, lang): + def grub2_bootloader_argument(data, lang): + data["arg_name_value"] = data["arg_name"] + "=" + data["arg_value"] + if lang == "oval": +- # solve the case where argument contains dot +- data["arg_name_value"] = data["arg_name_value"].replace(".", "\\.") ++ # escape dot, this is used in oval regex ++ data["escaped_arg_name_value"] = data["arg_name_value"].replace(".", "\\.") ++ # replace . with _, this is used in test / object / state ids ++ data["sanitized_arg_name"] = data["arg_name"].replace(".", "_") + return data + + diff --git a/SOURCES/scap-security-guide-0.1.50-fix_permissions_backup_etc_passwd_PR_5619.patch b/SOURCES/scap-security-guide-0.1.50-fix_permissions_backup_etc_passwd_PR_5619.patch new file mode 100644 index 0000000..cf42393 --- /dev/null +++ b/SOURCES/scap-security-guide-0.1.50-fix_permissions_backup_etc_passwd_PR_5619.patch @@ -0,0 +1,84 @@ +From b5b96f3f1c20ba75e6af9bdcf2729a6513db8e48 Mon Sep 17 00:00:00 2001 +From: Gabriel Becker +Date: Thu, 16 Apr 2020 15:01:16 +0200 +Subject: [PATCH] Change permissions to 644 for passwd- file from rule + file_permissions_backup_etc_passwd. + +--- + .../file_permissions_backup_etc_passwd/rule.yml | 8 ++++---- + .../tests/adduser.pass.sh | 10 ++++++++++ + .../tests/correct_value.pass.sh | 4 ++++ + .../tests/wrong_value.fail.sh | 5 +++++ + 5 files changed, 24 insertions(+), 5 deletions(-) + create mode 100644 linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_passwd/tests/adduser.pass.sh + create mode 100644 linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_passwd/tests/correct_value.pass.sh + create mode 100644 linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_passwd/tests/wrong_value.fail.sh + +diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_passwd/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_passwd/rule.yml +index cd1dded6f7..c5106b0cda 100644 +--- a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_passwd/rule.yml ++++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_passwd/rule.yml +@@ -3,7 +3,7 @@ documentation_complete: true + title: 'Verify Permissions on Backup passwd File' + + description: |- +- {{{ describe_file_permissions(file="/etc/passwd-", perms="0600") }}} ++ {{{ describe_file_permissions(file="/etc/passwd-", perms="0644") }}} + + rationale: |- + The /etc/passwd- file is a backup file of /etc/passwd, and as such, +@@ -21,14 +21,14 @@ references: + cis@rhel7: 6.1.6 + cis@rhel8: 6.1.6 + +-ocil_clause: '{{{ ocil_clause_file_permissions(file="/etc/passwd-", perms="-rw-------") }}}' ++ocil_clause: '{{{ ocil_clause_file_permissions(file="/etc/passwd-", perms="-rw-r--r--") }}}' + + ocil: |- +- {{{ ocil_file_permissions(file="/etc/passwd-", perms="-rw-------") }}} ++ {{{ ocil_file_permissions(file="/etc/passwd-", perms="-rw-r--r--") }}} + + template: + name: file_permissions + vars: + filepath: /etc/passwd- +- filemode: '0600' ++ filemode: '0644' + missing_file_pass: 'true' +diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_passwd/tests/adduser.pass.sh b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_passwd/tests/adduser.pass.sh +new file mode 100644 +index 0000000000..e053a5a87b +--- /dev/null ++++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_passwd/tests/adduser.pass.sh +@@ -0,0 +1,10 @@ ++#!/bin/bash ++USER=ssgttuser ++ ++# set wrong permissions ++chmod 600 /etc/passwd- ++ ++# useradd will copy the backup file with permissions from the ++# actual /etc/passwd file containing correct permissions ++useradd ${USER} ++ +diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_passwd/tests/correct_value.pass.sh b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_passwd/tests/correct_value.pass.sh +new file mode 100644 +index 0000000000..223ece7df2 +--- /dev/null ++++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_passwd/tests/correct_value.pass.sh +@@ -0,0 +1,4 @@ ++#!/bin/bash ++ ++chmod 644 /etc/passwd- ++ +diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_passwd/tests/wrong_value.fail.sh b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_passwd/tests/wrong_value.fail.sh +new file mode 100644 +index 0000000000..d0030f9b5e +--- /dev/null ++++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_passwd/tests/wrong_value.fail.sh +@@ -0,0 +1,5 @@ ++#!/bin/bash ++ ++# the expected is 644 ++chmod 660 /etc/passwd- ++ diff --git a/SOURCES/scap-security-guide-0.1.50-fix_rule_rsyslog_nolisten_regex_PR_5557.patch b/SOURCES/scap-security-guide-0.1.50-fix_rule_rsyslog_nolisten_regex_PR_5557.patch new file mode 100644 index 0000000..2c06323 --- /dev/null +++ b/SOURCES/scap-security-guide-0.1.50-fix_rule_rsyslog_nolisten_regex_PR_5557.patch @@ -0,0 +1,30 @@ +From 0a22bbbaeabd9c13254ef251479e9d74143620e6 Mon Sep 17 00:00:00 2001 +From: Ilya Okomin +Date: Mon, 23 Mar 2020 20:07:47 -0400 +Subject: [PATCH] Fix rsyslog_nolisten regex to match rule description + +Signed-off-by: Ilya Okomin +--- + .../rsyslog_nolisten/oval/shared.xml | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/linux_os/guide/system/logging/rsyslog_accepting_remote_messages/rsyslog_nolisten/oval/shared.xml b/linux_os/guide/system/logging/rsyslog_accepting_remote_messages/rsyslog_nolisten/oval/shared.xml +index e38dee5bbc..b56281e283 100644 +--- a/linux_os/guide/system/logging/rsyslog_accepting_remote_messages/rsyslog_nolisten/oval/shared.xml ++++ b/linux_os/guide/system/logging/rsyslog_accepting_remote_messages/rsyslog_nolisten/oval/shared.xml +@@ -16,13 +16,13 @@ + + + + + + + /etc/rsyslog.conf +- ^[\s]*\$(?:Input(?:TCP|RELP)|UDP)ServerRun ++ ^[\s]*\$((?:Input(?:TCP|RELP)|UDP)ServerRun|ModLoad[\s]+(imtcp|imudp|imrelp)) + 1 + + diff --git a/SOURCES/scap-security-guide-0.1.50-fix_service_chronyd_enabled_PR_5325.patch b/SOURCES/scap-security-guide-0.1.50-fix_service_chronyd_enabled_PR_5325.patch new file mode 100644 index 0000000..dcdcb38 --- /dev/null +++ b/SOURCES/scap-security-guide-0.1.50-fix_service_chronyd_enabled_PR_5325.patch @@ -0,0 +1,19 @@ +From e5592bf29987e0989a5a4400669cfff3e1d7b6da Mon Sep 17 00:00:00 2001 +From: Klaas Demter +Date: Fri, 20 Mar 2020 16:16:40 +0100 +Subject: [PATCH] Fix service check service_chronyd_enabled to use proper rhel + package name + +--- + linux_os/guide/services/ntp/service_chronyd_enabled/rule.yml | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/linux_os/guide/services/ntp/service_chronyd_enabled/rule.yml b/linux_os/guide/services/ntp/service_chronyd_enabled/rule.yml +index 829d662afe..7b3a0a2a13 100644 +--- a/linux_os/guide/services/ntp/service_chronyd_enabled/rule.yml ++++ b/linux_os/guide/services/ntp/service_chronyd_enabled/rule.yml +@@ -34,3 +34,4 @@ template: + name: service_enabled + vars: + servicename: chronyd ++ packagename: chrony diff --git a/SOURCES/scap-security-guide-0.1.50-fix_sysctl_rules_description.patch b/SOURCES/scap-security-guide-0.1.50-fix_sysctl_rules_description.patch new file mode 100644 index 0000000..42f9811 --- /dev/null +++ b/SOURCES/scap-security-guide-0.1.50-fix_sysctl_rules_description.patch @@ -0,0 +1,102 @@ +From 99ad87babd43c95dc2787ba7e0301b3d2b650ab9 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= +Date: Tue, 10 Mar 2020 13:44:23 +0100 +Subject: [PATCH 1/3] Fix description of sysctl rules. + +As there is no way how to make the project aware of sysctl parameter defaults +in Linux upstream kernel or in specific Linux distributions, +the parameter has to be explicitly specified in a config file. +--- + shared/macros.jinja | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/shared/macros.jinja b/shared/macros.jinja +index 8a25acc937..ce27536dc2 100644 +--- a/shared/macros.jinja ++++ b/shared/macros.jinja +@@ -602,8 +602,8 @@ ocil_clause: "the correct value is not returned" + run the following command: + 
$ sudo sysctl -w {{{ sysctl }}}={{{ value }}}
+ +- If this is not the system default value, add the following line to a file in the +- directory /etc/sysctl.d: ++ To make sure that the setting is persistent, ++ add the following line to a file in the directory /etc/sysctl.d: + 
{{{ sysctl }}} = {{{ value }}}
+ {{%- endmacro %}} + + +From 5bffa9dc3d62f67364abb034b7da877935156764 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= +Date: Wed, 11 Mar 2020 16:14:13 +0100 +Subject: [PATCH 2/3] Improved the OCIL entry for sysctl rules. + +--- + shared/macros.jinja | 19 +++++++++++-------- + 1 file changed, 11 insertions(+), 8 deletions(-) + +diff --git a/shared/macros.jinja b/shared/macros.jinja +index ce27536dc2..f81dbc7de6 100644 +--- a/shared/macros.jinja ++++ b/shared/macros.jinja +@@ -577,15 +577,18 @@ ocil_clause: "{{{ sebool }}} is not enabled" + + + {{% macro ocil_sysctl_option_value(sysctl, value) -%}} +- The status of the {{{ sysctl }}} kernel parameter can be queried +- by running the following command: +- 
$ sysctl {{{ sysctl }}}
+- The output of the command should indicate a value of {{{ value }}}. +- If this value is not the default value, investigate how it could have been +- adjusted at runtime, and verify it is not set improperly. This has to be checked +- in all files in the /etc/sysctl.d directory and the deprecated +- /etc/sysctl.conf. You can verify this by running the following command: ++ The persistent kernel parameter configuration is performed by specifying the appropriate ++ assignment in any file located in the 
/etc/sysctl.d
directory. ++ Verify that there is not any existing incorrect configuration by executing the following command: ++ 
$ grep -r '^\s*{{{ sysctl }}}\s*=' /etc/sysctl.conf /etc/sysctl.d
++ If any other assignments that ++ 
{{{ sysctl }}} = {{{ value }}}
++ are found, or the correct assignment is duplicated, remove those offending lines from respective files, ++ and make sure that exactly one file in ++ /etc/sysctl.d contains {{{ sysctl }}} = {{{ value }}}, and that one assignment ++ is returned when + 
$ grep -r {{{ sysctl }}} /etc/sysctl.conf /etc/sysctl.d
++ is executed. + {{%- endmacro %}} + + + +From 5b5edc64773be690e4046dc88de9407d7c470702 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= +Date: Thu, 12 Mar 2020 15:27:26 +0100 +Subject: [PATCH 3/3] Improved the text based on the reviewer feedback. + +--- + shared/macros.jinja | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) + +diff --git a/shared/macros.jinja b/shared/macros.jinja +index f81dbc7de6..edbaeeb56c 100644 +--- a/shared/macros.jinja ++++ b/shared/macros.jinja +@@ -577,11 +577,18 @@ ocil_clause: "{{{ sebool }}} is not enabled" + + + {{% macro ocil_sysctl_option_value(sysctl, value) -%}} ++ The runtime status of the {{{ sysctl }}} kernel parameter can be queried ++ by running the following command: ++ 
$ sysctl {{{ sysctl }}}
++ The output of the command should indicate a value of {{{ value }}}. ++ The preferable way how to assure the runtime compliance is to have ++ correct persistent configuration, and rebooting the system. ++ + The persistent kernel parameter configuration is performed by specifying the appropriate + assignment in any file located in the 
/etc/sysctl.d
directory. + Verify that there is not any existing incorrect configuration by executing the following command: + 
$ grep -r '^\s*{{{ sysctl }}}\s*=' /etc/sysctl.conf /etc/sysctl.d
+- If any other assignments that ++ If any assignments other than + 
{{{ sysctl }}} = {{{ value }}}
+ are found, or the correct assignment is duplicated, remove those offending lines from respective files, + and make sure that exactly one file in diff --git a/SOURCES/scap-security-guide-0.1.50-fix_test_suite_on_python3_PR_5711.patch b/SOURCES/scap-security-guide-0.1.50-fix_test_suite_on_python3_PR_5711.patch new file mode 100644 index 0000000..1c8c0a5 --- /dev/null +++ b/SOURCES/scap-security-guide-0.1.50-fix_test_suite_on_python3_PR_5711.patch @@ -0,0 +1,36 @@ +From 9b2801d9ea538ba0e5c611b597e454801cb52c15 Mon Sep 17 00:00:00 2001 +From: Gabriel Becker +Date: Mon, 27 Apr 2020 18:37:45 +0200 +Subject: [PATCH] Fix SSGTS when running with python3 and writing binary data + to file. + +--- + tests/ssg_test_suite/oscap.py | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/tests/ssg_test_suite/oscap.py b/tests/ssg_test_suite/oscap.py +index 2858963373..2cbb18bc13 100644 +--- a/tests/ssg_test_suite/oscap.py ++++ b/tests/ssg_test_suite/oscap.py +@@ -168,8 +168,8 @@ def run_stage_remediation_ansible(run_type, formatting, verbose_path): + command_string = ' '.join(command) + returncode, output = common.run_cmd_local(command, verbose_path) + # Appends output of ansible-playbook to the verbose_path file. +- with open(verbose_path, 'a') as f: +- f.write('Stdout of "{}":'.format(command_string)) ++ with open(verbose_path, 'ab') as f: ++ f.write('Stdout of "{}":'.format(command_string).encode("utf-8")) + f.write(output.encode("utf-8")) + if returncode != 0: + msg = ( +@@ -197,8 +197,8 @@ def run_stage_remediation_bash(run_type, formatting, verbose_path): + returncode, output = common.run_cmd_remote( + command_string, formatting['domain_ip'], verbose_path) + # Appends output of script execution to the verbose_path file. +- with open(verbose_path, 'a') as f: +- f.write('Stdout of "{}":'.format(command_string)) ++ with open(verbose_path, 'ab') as f: ++ f.write('Stdout of "{}":'.format(command_string).encode("utf-8")) + f.write(output.encode("utf-8")) + if returncode != 0: + msg = ( diff --git a/SOURCES/scap-security-guide-0.1.50-fix_typo_in_cce_assignment_PR_5340.patch b/SOURCES/scap-security-guide-0.1.50-fix_typo_in_cce_assignment_PR_5340.patch new file mode 100644 index 0000000..709d211 --- /dev/null +++ b/SOURCES/scap-security-guide-0.1.50-fix_typo_in_cce_assignment_PR_5340.patch @@ -0,0 +1,22 @@ +From 0d95fdad5f8ac29d6f0866e531d0a545dca81879 Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Tue, 24 Mar 2020 17:44:33 +0100 +Subject: [PATCH] Fix typo in CCE assignment + +--- + .../inetd_and_xinetd/file_owner_etc_hosts_allow/rule.yml | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/linux_os/guide/services/obsolete/inetd_and_xinetd/file_owner_etc_hosts_allow/rule.yml b/linux_os/guide/services/obsolete/inetd_and_xinetd/file_owner_etc_hosts_allow/rule.yml +index b34be48968..41ce29300a 100644 +--- a/linux_os/guide/services/obsolete/inetd_and_xinetd/file_owner_etc_hosts_allow/rule.yml ++++ b/linux_os/guide/services/obsolete/inetd_and_xinetd/file_owner_etc_hosts_allow/rule.yml +@@ -16,7 +16,7 @@ severity: medium + + identifiers: + cce@rhel6: 83825-0 +- cce@rhel7: 83826-0 ++ cce@rhel7: 83826-8 + + references: + cis@rhel7: 3.4.4 diff --git a/SOURCES/scap-security-guide-0.1.50-fix_typo_in_ocil_clause_PR_5342.patch b/SOURCES/scap-security-guide-0.1.50-fix_typo_in_ocil_clause_PR_5342.patch new file mode 100644 index 0000000..9ec7bbe --- /dev/null +++ b/SOURCES/scap-security-guide-0.1.50-fix_typo_in_ocil_clause_PR_5342.patch @@ -0,0 +1,22 @@ +From 27157ac9cd4d37af08d3022c389d090bf21e81a8 Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Tue, 24 Mar 2020 19:22:48 +0100 +Subject: [PATCH] Fix typo in ocil clause + +--- + .../file_permissions_backup_etc_gshadow/rule.yml | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_gshadow/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_gshadow/rule.yml +index 6e6857027f..e9e3b8abea 100644 +--- a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_gshadow/rule.yml ++++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_gshadow/rule.yml +@@ -29,7 +29,7 @@ references: + + ocil_clause: '{{{ ocil_clause_file_permissions(file="/etc/gshadow-", perms=target_perms) }}}' + +-ocil: - ++ocil: |- + {{{ ocil_file_permissions(file="/etc/gshadow-", perms=target_perms) }}} + + template: diff --git a/SOURCES/scap-security-guide-0.1.50-parametrize_sshd_approved_ciphers.patch b/SOURCES/scap-security-guide-0.1.50-parametrize_sshd_approved_ciphers.patch new file mode 100644 index 0000000..f706894 --- /dev/null +++ b/SOURCES/scap-security-guide-0.1.50-parametrize_sshd_approved_ciphers.patch @@ -0,0 +1,315 @@ +From 67f0ba457c2dafd9077d80bd17d10857fe31a55d Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= +Date: Wed, 18 Mar 2020 16:44:49 +0100 +Subject: [PATCH 1/2] Parametrized the sshd_use_approved_ciphers rule. + +--- + .../ansible/shared.yml | 4 ++- + .../sshd_use_approved_ciphers/bash/shared.sh | 4 ++- + .../sshd_use_approved_ciphers/oval/shared.xml | 33 ++++++++++++++++--- + .../sshd_use_approved_ciphers/rule.yml | 3 +- + .../tests/stig_comment.fail.sh | 9 +++++ + .../tests/stig_correct_reduced_list.pass.sh | 9 +++++ + .../tests/stig_correct_scrambled.pass.sh | 9 +++++ + .../tests/stig_correct_value_full.pass.sh | 9 +++++ + .../tests/stig_line_not_there.fail.sh | 5 +++ + .../tests/stig_wrong_value.fail.sh | 9 +++++ + .../tests/wrong_value.fail.sh | 2 +- + .../sshd_use_approved_macs/rule.yml | 1 + + .../services/ssh/sshd_approved_ciphers.var | 16 +++++++++ + rhel7/profiles/stig.profile | 1 + + shared/macros.jinja | 5 +++ + 15 files changed, 111 insertions(+), 8 deletions(-) + create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/tests/stig_comment.fail.sh + create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/tests/stig_correct_reduced_list.pass.sh + create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/tests/stig_correct_scrambled.pass.sh + create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/tests/stig_correct_value_full.pass.sh + create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/tests/stig_line_not_there.fail.sh + create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/tests/stig_wrong_value.fail.sh + create mode 100644 linux_os/guide/services/ssh/sshd_approved_ciphers.var + +diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/ansible/shared.yml b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/ansible/shared.yml +index ea05a8f896..ef331a843e 100644 +--- a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/ansible/shared.yml ++++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/ansible/shared.yml +@@ -3,4 +3,6 @@ + # strategy = restrict + # complexity = low + # disruption = low +-{{{ ansible_sshd_set(parameter="Ciphers", value="aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc") }}} ++- (xccdf-var sshd_approved_ciphers) ++ ++{{{ ansible_sshd_set(parameter="Ciphers", value="{{ sshd_approved_ciphers }}") }}} +diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/bash/shared.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/bash/shared.sh +index 2475923e6e..a294138272 100644 +--- a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/bash/shared.sh ++++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/bash/shared.sh +@@ -3,4 +3,6 @@ + # Include source function library. + . /usr/share/scap-security-guide/remediation_functions + +-replace_or_append '/etc/ssh/sshd_config' '^Ciphers' 'aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc' '@CCENUM@' '%s %s' ++populate sshd_approved_ciphers ++ ++replace_or_append '/etc/ssh/sshd_config' '^Ciphers' "$sshd_approved_ciphers" '@CCENUM@' '%s %s' +diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/oval/shared.xml b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/oval/shared.xml +index 84c3c8aa48..19b63d404f 100644 +--- a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/oval/shared.xml ++++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/oval/shared.xml +@@ -32,14 +32,39 @@ + + + +- + +- +- ++ ++ ++ ++ ++ var_sshd_config_ciphers ++ ++ ++ ++ ++ ++ ++ + /etc/ssh/sshd_config +- ^[\s]*(?i)Ciphers(?-i)[\s]+((aes128-ctr|aes192-ctr|aes256-ctr|aes128-cbc|aes192-cbc|aes256-cbc|3des-cbc|rijndael-cbc@lysator\.liu\.se),?)+[\s]*(?:|(?:#.*))?$ ++ ^[\s]*(?i)Ciphers(?-i)[\s]+([\w,-@]+)+[\s]*(?:#.*)?$ + 1 + ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ + +diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/rule.yml +index f85b9016f9..e043b12c93 100644 +--- a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/rule.yml ++++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/rule.yml +@@ -13,7 +13,7 @@ description: |- + The man page sshd_config(5) contains a list of supported ciphers. + {{% if product in ["rhel7","ol7"] %}} +

+- The following ciphers are FIPS 140-2 certified on {{{ full_name }}}: ++ Only the following ciphers are FIPS 140-2 certified on {{{ full_name }}}: +
- aes128-ctr +
- aes192-ctr +
- aes256-ctr +@@ -31,6 +31,7 @@ description: |- + {{{ weblink(link="http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140sp/140sp2630.pdf") }}} + {{% endif %}} + {{% endif %}} ++ The rule is parametrized to use the following ciphers: {{{ sub_var_value("sshd_approved_ciphers") }}}. + + rationale: |- + Unapproved mechanisms that are used for authentication to the cryptographic module are not verified and therefore +diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/tests/stig_comment.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/tests/stig_comment.fail.sh +new file mode 100644 +index 0000000000..1be6371045 +--- /dev/null ++++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/tests/stig_comment.fail.sh +@@ -0,0 +1,9 @@ ++#!/bin/bash ++ ++# profiles = xccdf_org.ssgproject.content_profile_stig ++ ++if grep -q "^Ciphers" /etc/ssh/sshd_config; then ++ sed -i "s/^Ciphers.*/# Ciphers aes128-ctr,aes192-ctr,aes256-ctr/" /etc/ssh/sshd_config ++else ++ echo "# Ciphers aes128-ctr,aes192-ctr,aes256-ctr" >> /etc/ssh/sshd_config ++fi +diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/tests/stig_correct_reduced_list.pass.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/tests/stig_correct_reduced_list.pass.sh +new file mode 100644 +index 0000000000..5393d96617 +--- /dev/null ++++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/tests/stig_correct_reduced_list.pass.sh +@@ -0,0 +1,9 @@ ++#!/bin/bash ++ ++# profiles = xccdf_org.ssgproject.content_profile_stig ++ ++if grep -q "^Ciphers" /etc/ssh/sshd_config; then ++ sed -i "s/^Ciphers.*/Ciphers aes128-ctr,aes192-ctr/" /etc/ssh/sshd_config ++else ++ echo "Ciphers aes128-ctr,aes192-ctr" >> /etc/ssh/sshd_config ++fi +diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/tests/stig_correct_scrambled.pass.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/tests/stig_correct_scrambled.pass.sh +new file mode 100644 +index 0000000000..cd1fbde03b +--- /dev/null ++++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/tests/stig_correct_scrambled.pass.sh +@@ -0,0 +1,9 @@ ++#!/bin/bash ++ ++# profiles = xccdf_org.ssgproject.content_profile_stig ++ ++if grep -q "^Ciphers" /etc/ssh/sshd_config; then ++ sed -i "s/^Ciphers.*/Ciphers aes192-ctr,aes128-ctr,aes256-ctr/" /etc/ssh/sshd_config ++else ++ echo "Ciphers aes192-ctr,aes128-ctr,aes256-ctr" >> /etc/ssh/sshd_config ++fi +diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/tests/stig_correct_value_full.pass.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/tests/stig_correct_value_full.pass.sh +new file mode 100644 +index 0000000000..ad6d9f887c +--- /dev/null ++++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/tests/stig_correct_value_full.pass.sh +@@ -0,0 +1,9 @@ ++#!/bin/bash ++ ++# profiles = xccdf_org.ssgproject.content_profile_stig ++ ++if grep -q "^Ciphers" /etc/ssh/sshd_config; then ++ sed -i "s/^Ciphers.*/Ciphers aes128-ctr,aes192-ctr,aes256-ctr/" /etc/ssh/sshd_config ++else ++ echo 'Ciphers aes128-ctr,aes192-ctr,aes256-ctr' >> /etc/ssh/sshd_config ++fi +diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/tests/stig_line_not_there.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/tests/stig_line_not_there.fail.sh +new file mode 100644 +index 0000000000..f73d82e221 +--- /dev/null ++++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/tests/stig_line_not_there.fail.sh +@@ -0,0 +1,5 @@ ++#!/bin/bash ++ ++# profiles = xccdf_org.ssgproject.content_profile_stig ++ ++sed -i "/^Ciphers.*/d" /etc/ssh/sshd_config +diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/tests/stig_wrong_value.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/tests/stig_wrong_value.fail.sh +new file mode 100644 +index 0000000000..46b437944f +--- /dev/null ++++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/tests/stig_wrong_value.fail.sh +@@ -0,0 +1,9 @@ ++#!/bin/bash ++ ++# profiles = xccdf_org.ssgproject.content_profile_stig ++ ++if grep -q "^Ciphers" /etc/ssh/sshd_config; then ++ sed -i "s/^Ciphers.*/# Ciphers aes128-ctr,aes192-ctr,aes128-cbc,aes192-cbc,aes256-cbc,3des-cbc/" /etc/ssh/sshd_config ++else ++ echo "Ciphers aes128-ctr,aes192-ctr,aes128-cbc,aes192-cbc,aes256-cbc,3des-cbc" >> /etc/ssh/sshd_config ++fi +diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/tests/wrong_value.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/tests/wrong_value.fail.sh +index 550c55968b..ffd8eda6e8 100644 +--- a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/tests/wrong_value.fail.sh ++++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/tests/wrong_value.fail.sh +@@ -5,5 +5,5 @@ + if grep -q "^Ciphers" /etc/ssh/sshd_config; then + sed -i "s/^Ciphers.*/# Ciphers aes128-ctr,aes192-ctr,weak-cipher,aes128-cbc,aes192-cbc,aes256-cbc,3des-cbc,rijndael-cbc@lysator\.liu\.se/" /etc/ssh/sshd_config + else +- echo "Ciphers aes128-ctr,aes192-ctr,weak-cipher,aes128-cbc,aes192-cbc,aes256-cbc,3des-cbc,rijndael-cbc@lysator\.liu\.se" >> /etc/ssh/sshd_config ++ echo "# Ciphers aes128-ctr,aes192-ctr,weak-cipher,aes128-cbc,aes192-cbc,aes256-cbc,3des-cbc,rijndael-cbc@lysator\.liu\.se" >> /etc/ssh/sshd_config + fi +diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs/rule.yml +index b64be010cd..6a582c9577 100644 +--- a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs/rule.yml ++++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs/rule.yml +@@ -32,6 +32,7 @@ description: |- + {{{ weblink(link="http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140sp/140sp2630.pdf") }}} + {{% endif %}} + {{% endif %}} ++ The rule is parametrized to use the following MACs: {{{ sub_var_value("sshd_approved_macs") }}}. + + rationale: |- + DoD Information Systems are required to use FIPS-approved cryptographic hash +diff --git a/linux_os/guide/services/ssh/sshd_approved_ciphers.var b/linux_os/guide/services/ssh/sshd_approved_ciphers.var +new file mode 100644 +index 0000000000..66d0776949 +--- /dev/null ++++ b/linux_os/guide/services/ssh/sshd_approved_ciphers.var +@@ -0,0 +1,16 @@ ++documentation_complete: true ++ ++title: 'SSH Approved ciphers by FIPS' ++ ++description: "Specify the FIPS approved ciphers \n\tthat are used for data integrity protection by the SSH server." ++ ++type: string ++ ++operator: equals ++ ++interactive: false ++ ++options: ++ stig: aes128-ctr,aes192-ctr,aes256-ctr ++ default: aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se ++ +diff --git a/rhel7/profiles/stig.profile b/rhel7/profiles/stig.profile +index e148325d3e..9b6ecfa543 100644 +--- a/rhel7/profiles/stig.profile ++++ b/rhel7/profiles/stig.profile +@@ -228,6 +228,7 @@ selections: + - install_antivirus + - accounts_max_concurrent_login_sessions + - configure_firewalld_ports ++ - sshd_approved_ciphers=stig + - sshd_use_approved_ciphers + - accounts_tmout + - sshd_enable_warning_banner +diff --git a/shared/macros.jinja b/shared/macros.jinja +index edbaeeb56c..d80eeb69b3 100644 +--- a/shared/macros.jinja ++++ b/shared/macros.jinja +@@ -35,6 +35,11 @@ ocil_clause: "the {{{ option }}} is not present in the output line, or there is + {{%- endmacro %}} + + ++{{% macro sub_var_value(varname) -%}} ++ ++{{%- endmacro %}} ++ ++ + {{% macro complete_ocil_entry_mount_option(point, option) -%}} + ocil: | + {{{ ocil_mount_option(point, option) | indent(4) }}} + +From 12eca02a6d16d723c90fb95b21d9992af53befab Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= +Date: Thu, 19 Mar 2020 09:56:35 +0100 +Subject: [PATCH 2/2] Streamlined description by removing ineffective escape + sequences. +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Co-Authored-By: Jan Černý +--- + linux_os/guide/services/ssh/sshd_approved_ciphers.var | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/linux_os/guide/services/ssh/sshd_approved_ciphers.var b/linux_os/guide/services/ssh/sshd_approved_ciphers.var +index 66d0776949..30e58336ce 100644 +--- a/linux_os/guide/services/ssh/sshd_approved_ciphers.var ++++ b/linux_os/guide/services/ssh/sshd_approved_ciphers.var +@@ -2,7 +2,7 @@ documentation_complete: true + + title: 'SSH Approved ciphers by FIPS' + +-description: "Specify the FIPS approved ciphers \n\tthat are used for data integrity protection by the SSH server." ++description: "Specify the FIPS approved ciphers that are used for data integrity protection by the SSH server." + + type: string + +@@ -13,4 +13,3 @@ interactive: false + options: + stig: aes128-ctr,aes192-ctr,aes256-ctr + default: aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se +- diff --git a/SOURCES/scap-security-guide-0.1.50-removable_media_PR_5278.patch b/SOURCES/scap-security-guide-0.1.50-removable_media_PR_5278.patch new file mode 100644 index 0000000..545a973 --- /dev/null +++ b/SOURCES/scap-security-guide-0.1.50-removable_media_PR_5278.patch @@ -0,0 +1,373 @@ +diff --git a/docs/manual/developer_guide.adoc b/docs/manual/developer_guide.adoc +index 76c1c10218..d2b94207d4 100644 +--- a/docs/manual/developer_guide.adoc ++++ b/docs/manual/developer_guide.adoc +@@ -1555,12 +1555,9 @@ mount_option_remote_filesystems:: + * Languages: Ansible, Bash, OVAL + + mount_option_removable_partitions:: +-* Checks if all removable media mounts are mounted with a specific option. ++* Checks if all removable media mounts are mounted with a specific option. Unlike other mount option templates, this template doesn't use the mount point, but the block device. The block device path (eg. `/dev/cdrom`) is always set to `var_removable_partition`. This is an XCCDF Value, defined in `link:{rootdir}/linux_os/guide/system/permissions/partitions/var_removable_partition.var[var_removable_partition.var]` + * Parameters: +-** *mountpoint* - always set to `var_removable_partition`. This is an XCCDF Value, defined in `link:{rootdir}/linux_os/guide/system/permissions/partitions/var_removable_partition.var[var_removable_partition.var]` + ** *mountoption* - mount option, eg. `nodev` +-** *filesystem* - filesystem of new mount point (used when adding new entry in `/etc/fstab`), eg. `tmpfs`. Used only in Bash remediation. +-** *mount_has_to_exist* - Used only in Bash remediation. Specifies if the *mountpoint* entry has to exist in `/etc/fstab` before the remediation is executed. If set to `yes` and the *mountpoint* entry is not present in `/etc/fstab` the Bash remediation terminates. If set to `no` the *mountpoint* entry will be created in `/etc/fstab`. + * Languages: Anaconda, Ansible, Bash, OVAL + + package_installed:: +diff --git a/linux_os/guide/system/permissions/partitions/mount_option_nodev_removable_partitions/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_nodev_removable_partitions/rule.yml +index 7fd5237f1d..ef3fed7bac 100644 +--- a/linux_os/guide/system/permissions/partitions/mount_option_nodev_removable_partitions/rule.yml ++++ b/linux_os/guide/system/permissions/partitions/mount_option_nodev_removable_partitions/rule.yml +@@ -39,8 +39,6 @@ platform: machine + template: + name: mount_option_removable_partitions + vars: +- mount_has_to_exist: 'yes' + mountoption: nodev +- mountpoint: var_removable_partition + backends: + anaconda: 'off' +diff --git a/linux_os/guide/system/permissions/partitions/mount_option_noexec_removable_partitions/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_noexec_removable_partitions/rule.yml +index 0cff560310..b95e2394a7 100644 +--- a/linux_os/guide/system/permissions/partitions/mount_option_noexec_removable_partitions/rule.yml ++++ b/linux_os/guide/system/permissions/partitions/mount_option_noexec_removable_partitions/rule.yml +@@ -47,8 +47,6 @@ platform: machine + template: + name: mount_option_removable_partitions + vars: +- mount_has_to_exist: 'yes' + mountoption: noexec +- mountpoint: var_removable_partition + backends: + anaconda: 'off' +diff --git a/linux_os/guide/system/permissions/partitions/mount_option_noexec_removable_partitions/tests/cd_bad_opts.fail.sh b/linux_os/guide/system/permissions/partitions/mount_option_noexec_removable_partitions/tests/cd_bad_opts.fail.sh +new file mode 100644 +index 0000000000..10fd6cdad0 +--- /dev/null ++++ b/linux_os/guide/system/permissions/partitions/mount_option_noexec_removable_partitions/tests/cd_bad_opts.fail.sh +@@ -0,0 +1,4 @@ ++#!/bin/bash ++ ++touch /dev/cdrom ++echo "/dev/cdrom /var/cdrom iso9660 ro 0 0" > /etc/fstab +diff --git a/linux_os/guide/system/permissions/partitions/mount_option_noexec_removable_partitions/tests/cd_good_opts.pass.sh b/linux_os/guide/system/permissions/partitions/mount_option_noexec_removable_partitions/tests/cd_good_opts.pass.sh +new file mode 100644 +index 0000000000..ae33d8312a +--- /dev/null ++++ b/linux_os/guide/system/permissions/partitions/mount_option_noexec_removable_partitions/tests/cd_good_opts.pass.sh +@@ -0,0 +1,4 @@ ++#!/bin/bash ++ ++touch /dev/cdrom ++echo "/dev/cdrom /var/cdrom iso9660 noexec 0 0" > /etc/fstab +diff --git a/linux_os/guide/system/permissions/partitions/mount_option_noexec_removable_partitions/tests/cd_multiple_opts.fail.sh b/linux_os/guide/system/permissions/partitions/mount_option_noexec_removable_partitions/tests/cd_multiple_opts.fail.sh +new file mode 100644 +index 0000000000..a68453097d +--- /dev/null ++++ b/linux_os/guide/system/permissions/partitions/mount_option_noexec_removable_partitions/tests/cd_multiple_opts.fail.sh +@@ -0,0 +1,4 @@ ++#!/bin/bash ++ ++touch /dev/cdrom ++echo "/dev/cdrom /media/cdrom iso9660 ro,noauto,nosuid,nodev,defaults 0 0" >> /etc/fstab +diff --git a/linux_os/guide/system/permissions/partitions/mount_option_noexec_removable_partitions/tests/cd_multiple_opts.pass.sh b/linux_os/guide/system/permissions/partitions/mount_option_noexec_removable_partitions/tests/cd_multiple_opts.pass.sh +new file mode 100644 +index 0000000000..472a5e0578 +--- /dev/null ++++ b/linux_os/guide/system/permissions/partitions/mount_option_noexec_removable_partitions/tests/cd_multiple_opts.pass.sh +@@ -0,0 +1,4 @@ ++#!/bin/bash ++ ++touch /dev/cdrom ++echo "/dev/cdrom /media/cdrom iso9660 ro,noauto,nosuid,noexec,nodev 0 0" >> /etc/fstab +diff --git a/linux_os/guide/system/permissions/partitions/mount_option_noexec_removable_partitions/tests/cd_multiple_opts_first.pass.sh b/linux_os/guide/system/permissions/partitions/mount_option_noexec_removable_partitions/tests/cd_multiple_opts_first.pass.sh +new file mode 100644 +index 0000000000..ab2815f713 +--- /dev/null ++++ b/linux_os/guide/system/permissions/partitions/mount_option_noexec_removable_partitions/tests/cd_multiple_opts_first.pass.sh +@@ -0,0 +1,4 @@ ++#!/bin/bash ++ ++touch /dev/cdrom ++echo "/dev/cdrom /media/cdrom iso9660 noexec,ro,noauto,nosuid,nodev 0 0" >> /etc/fstab +diff --git a/linux_os/guide/system/permissions/partitions/mount_option_noexec_removable_partitions/tests/cd_multiple_opts_last.pass.sh b/linux_os/guide/system/permissions/partitions/mount_option_noexec_removable_partitions/tests/cd_multiple_opts_last.pass.sh +new file mode 100644 +index 0000000000..5316c7c319 +--- /dev/null ++++ b/linux_os/guide/system/permissions/partitions/mount_option_noexec_removable_partitions/tests/cd_multiple_opts_last.pass.sh +@@ -0,0 +1,4 @@ ++#!/bin/bash ++ ++touch /dev/cdrom ++echo "/dev/cdrom /media/cdrom iso9660 ro,noauto,nosuid,nodev,noexec 0 0" >> /etc/fstab +diff --git a/linux_os/guide/system/permissions/partitions/mount_option_noexec_removable_partitions/tests/dvd_bad_opts.fail.sh b/linux_os/guide/system/permissions/partitions/mount_option_noexec_removable_partitions/tests/dvd_bad_opts.fail.sh +deleted file mode 100644 +index 96540c9f34..0000000000 +--- a/linux_os/guide/system/permissions/partitions/mount_option_noexec_removable_partitions/tests/dvd_bad_opts.fail.sh ++++ /dev/null +@@ -1,8 +0,0 @@ +-#!/bin/bash +-# +-# profiles = xccdf_org.ssgproject.content_profile_C2S +- +-. $SHARED/removable_partitions.sh +- +-touch /dev/dvd +-dvdrom_fstab_line > /etc/fstab +diff --git a/linux_os/guide/system/permissions/partitions/mount_option_noexec_removable_partitions/tests/dvd_good_opts.pass.sh b/linux_os/guide/system/permissions/partitions/mount_option_noexec_removable_partitions/tests/dvd_good_opts.pass.sh +deleted file mode 100644 +index 1f29c61f23..0000000000 +--- a/linux_os/guide/system/permissions/partitions/mount_option_noexec_removable_partitions/tests/dvd_good_opts.pass.sh ++++ /dev/null +@@ -1,8 +0,0 @@ +-#!/bin/bash +-# +-# profiles = xccdf_org.ssgproject.content_profile_C2S +- +-. $SHARED/removable_partitions.sh +- +-touch /dev/dvd +-dvdrom_fstab_line noexec > /etc/fstab +diff --git a/linux_os/guide/system/permissions/partitions/mount_option_noexec_removable_partitions/tests/no_partitions.pass.sh b/linux_os/guide/system/permissions/partitions/mount_option_noexec_removable_partitions/tests/no_partitions.pass.sh +index 9f348f24c2..cb39b089ec 100644 +--- a/linux_os/guide/system/permissions/partitions/mount_option_noexec_removable_partitions/tests/no_partitions.pass.sh ++++ b/linux_os/guide/system/permissions/partitions/mount_option_noexec_removable_partitions/tests/no_partitions.pass.sh +@@ -1,6 +1,7 @@ + #!/bin/bash +-# +-# profiles = xccdf_org.ssgproject.content_profile_C2S ++ ++# Regression test for rhbz#1403905 ++# The rule should pass if there is no removable media entry in /etc/fstab + + touch /dev/cdrom + echo "" > /etc/fstab +diff --git a/linux_os/guide/system/permissions/partitions/mount_option_nosuid_removable_partitions/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_nosuid_removable_partitions/rule.yml +index 1ec828b015..b77c48a295 100644 +--- a/linux_os/guide/system/permissions/partitions/mount_option_nosuid_removable_partitions/rule.yml ++++ b/linux_os/guide/system/permissions/partitions/mount_option_nosuid_removable_partitions/rule.yml +@@ -41,8 +41,6 @@ platform: machine + template: + name: mount_option_removable_partitions + vars: +- mount_has_to_exist: 'yes' + mountoption: nosuid +- mountpoint: var_removable_partition + backends: + anaconda: 'off' +diff --git a/shared/templates/template_ANACONDA_mount_option_removable_partitions b/shared/templates/template_ANACONDA_mount_option_removable_partitions +index 8092f6648a..b4510ae804 100644 +--- a/shared/templates/template_ANACONDA_mount_option_removable_partitions ++++ b/shared/templates/template_ANACONDA_mount_option_removable_partitions +@@ -4,4 +4,4 @@ + # complexity = low + # disruption = high + +-part (anaconda-populate {{{ MOUNTPOINT }}}) --mountoptions="{{{ MOUNTOPTION }}}" ++part (anaconda-populate var_removable_partition) --mountoptions="{{{ MOUNTOPTION }}}" +diff --git a/shared/templates/template_ANSIBLE_mount_option_removable_partitions b/shared/templates/template_ANSIBLE_mount_option_removable_partitions +index aafce84762..374499261d 100644 +--- a/shared/templates/template_ANSIBLE_mount_option_removable_partitions ++++ b/shared/templates/template_ANSIBLE_mount_option_removable_partitions +@@ -3,31 +3,11 @@ + # strategy = configure + # complexity = low + # disruption = high +-- (xccdf-var {{{ MOUNTPOINT }}}) ++- (xccdf-var var_removable_partition) + +-- name: get back mount information associated to mountpoint +- command: findmnt --fstab '{{ {{{ MOUNTPOINT }}} }}' +- register: device_name +- failed_when: device_name.rc > 1 +- changed_when: False +- +-- name: create mount_info dictionary variable +- set_fact: +- mount_info: "{{ mount_info|default({})|combine({item.0: item.1}) }}" +- with_together: +- - "{{ device_name.stdout_lines[0].split() | list | lower }}" +- - "{{ device_name.stdout_lines[1].split() | list }}" +- when: +- - device_name.stdout is defined and device_name.stdout_lines is defined +- - (device_name.stdout | length > 0) +- +-- name: Ensure permission {{{ MOUNTOPTION }}} are set on {{{ MOUNTPOINT }}} +- mount: +- path: "{{ {{{ MOUNTPOINT }}} }}" +- src: "{{ mount_info.source }}" +- opts: "{{ mount_info.options }},{{{ MOUNTOPTION }}}" +- state: "mounted" +- fstype: "{{ mount_info.fstype }}" +- when: +- - device_name.stdout is defined +- - (device_name.stdout | length > 0) ++- name: Ensure permission {{{ MOUNTOPTION }}} are set on var_removable_partition ++ lineinfile: ++ path: /etc/fstab ++ regexp: '^\s*({{ var_removable_partition }})\s+([^\s]*)\s+([^\s]*)\s+([^\s]*)(.*)$' ++ backrefs: yes ++ line: '\1 \2 \3 \4,{{{ MOUNTOPTION }}} \5' +diff --git a/shared/templates/template_BASH_mount_option_removable_partitions b/shared/templates/template_BASH_mount_option_removable_partitions +index dad2c8b718..5293bffc1a 100644 +--- a/shared/templates/template_BASH_mount_option_removable_partitions ++++ b/shared/templates/template_BASH_mount_option_removable_partitions +@@ -4,19 +4,15 @@ + # Include source function library. + . /usr/share/scap-security-guide/remediation_functions + +-populate {{{ MOUNTPOINT }}} ++populate var_removable_partition + +-include_mount_options_functions ++device_regex="^\s*$var_removable_partition\s\+" ++mount_option="{{{ MOUNTOPTION }}}" + +-function perform_remediation { +- # test "$mount_has_to_exist" = 'yes' +- if test "{{{ MOUNT_HAS_TO_EXIST }}}" = 'yes'; then +- assert_mount_point_in_fstab "${{{ MOUNTPOINT }}}" || { echo "Not remediating, because there is no record of ${{{ MOUNTPOINT }}} in /etc/fstab" >&2; return 1; } +- fi +- +- ensure_mount_option_in_fstab "${{{ MOUNTPOINT }}}" "{{{ MOUNTOPTION }}}" "{{{ FILESYSTEM }}}" "{{{ TYPE }}}" +- +- ensure_partition_is_mounted "${{{ MOUNTPOINT }}}" +-} +- +-perform_remediation ++if grep -q $device_regex /etc/fstab ; then ++ previous_opts=$(grep $device_regex /etc/fstab | awk '{print $4}') ++ sed -i "s|\($device_regex.*$previous_opts\)|\1,$mount_option|" /etc/fstab ++else ++ echo "Not remediating, because there is no record of $var_removable_partition in /etc/fstab" >&2 ++ return 1 ++fi +diff --git a/shared/templates/template_OVAL_mount_option_removable_partitions b/shared/templates/template_OVAL_mount_option_removable_partitions +index 8b1987fbb5..4304c175e1 100644 +--- a/shared/templates/template_OVAL_mount_option_removable_partitions ++++ b/shared/templates/template_OVAL_mount_option_removable_partitions +@@ -1,39 +1,31 @@ + +- ++ + + Add {{{ MOUNTOPTION }}} Option to Removable Media Partitions + {{{- oval_affected(products) }}} + The {{{ MOUNTOPTION }}} option should be enabled for all removable devices mounts in /etc/fstab. + + +- + + ++ names in /etc/fstab are configured with '{{{ MOUNTOPTION }}}' option --> + + + +- +- +- +- + + + + +- +- ++ +- +- + + + +@@ -58,7 +50,7 @@ + + + ++ names to check /etc/fstab --> + + + +@@ -74,27 +66,8 @@ + ^.*,?{{{ MOUNTOPTION }}},?.*$ + + +- +- +- +- +- +- +- ^.*$ +- +- state_{{{ MOUNTOPTION }}}_runtime_cd_dvd_drive +- +- +- +- +- {{{ MOUNTOPTION }}} +- +- + ++ Check if configured with '{{{ MOUNTOPTION }}}' mount option in both /etc/fstab --> + + + +@@ -121,25 +94,6 @@ + ^.*,?{{{ MOUNTOPTION }}},?.* + + +- +- +- +- +- +- +- ^.*$ +- +- state_{{{ MOUNTOPTION }}}_runtime_not_cd_dvd_drive +- +- +- +- +- {{{ MOUNTOPTION }}} +- +- + + + +diff --git a/ssg/templates.py b/ssg/templates.py +index e5ed4890b4..d0af1b19da 100644 +--- a/ssg/templates.py ++++ b/ssg/templates.py +@@ -237,7 +237,7 @@ def mount_option_remote_filesystems(data, lang): + + @template(["anaconda", "ansible", "bash", "oval"]) + def mount_option_removable_partitions(data, lang): +- return _mount_option(data, lang) ++ return data + + + @template(["anaconda", "ansible", "bash", "oval", "puppet"]) diff --git a/SOURCES/scap-security-guide-0.1.50-run_chronyd_as_chrony_user_PR_5298.patch b/SOURCES/scap-security-guide-0.1.50-run_chronyd_as_chrony_user_PR_5298.patch new file mode 100644 index 0000000..f7e4de4 --- /dev/null +++ b/SOURCES/scap-security-guide-0.1.50-run_chronyd_as_chrony_user_PR_5298.patch @@ -0,0 +1,450 @@ +From 894d50c90ad9fd9431c8198a082f4742b168c7c8 Mon Sep 17 00:00:00 2001 +From: Vojtech Polasek +Date: Tue, 17 Mar 2020 09:31:32 +0100 +Subject: [PATCH 1/8] add rule + +--- + .../ntp/chronyd_run_as_chrony_user/rule.yml | 40 +++++++++++++++++++ + shared/references/cce-redhat-avail.txt | 2 - + 2 files changed, 40 insertions(+), 2 deletions(-) + create mode 100644 linux_os/guide/services/ntp/chronyd_run_as_chrony_user/rule.yml + +diff --git a/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/rule.yml b/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/rule.yml +new file mode 100644 +index 0000000000..00a9e1d046 +--- /dev/null ++++ b/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/rule.yml +@@ -0,0 +1,40 @@ ++documentation_complete: true ++ ++prodtype: rhel7,rhel8,fedora ++ ++title: 'Ensure thatchronyd is running under chrony user account' ++ ++description: |- ++ chrony is a daemon which implements the Network Time Protocol (NTP) is designed to ++ synchronize system clocks across a variety of systems and use a source that is highly ++ accurate. More information on chrony can be found at ++ {{{ weblink(link="http://chrony.tuxfamily.org/) }}}. ++ Chrony can be configured to be a client and/or a server. ++ To ensure that chronyd is running under chrony user account, Add or edit the ++ OPTIONS variable in /etc/sysconfig/chronyd to include ' -u chrony ': ++ 
OPTIONS="-u chrony"
++ This recommendation only applies if chrony is in use on the system. ++ ++rationale: |- ++ If chrony is in use on the system proper configuration is vital to ensuring time synchronization ++ is working properly. ++ ++severity: medium ++ ++platform: ntp ++ ++references: ++ cis@rhel7: 2.2.1.2 ++ cis@rhel8: 2.2.1.2 ++ ++identifiers: ++ cce@rhel7: 82878-0 ++ cce@rhel8: 82879-8 ++ ++ocil_clause: 'chronyd is not running under chrony user account' ++ ++ocil: |- ++ Run the following command and verify that -u chrony is included in OPTIONS: ++ 
# grep "^OPTIONS" /etc/sysconfig/chronyd
++    OPTIONS="-u chrony"
++ +diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt +index a12a6355fc..53b8232431 100644 +--- a/shared/references/cce-redhat-avail.txt ++++ b/shared/references/cce-redhat-avail.txt +@@ -3,8 +3,6 @@ CCE-82874-9 + CCE-82875-6 + CCE-82876-4 + CCE-82877-2 +-CCE-82878-0 +-CCE-82879-8 + CCE-82880-6 + CCE-82882-2 + CCE-82883-0 + +From 8a6213bc0a5cfe5005b3d4c9c2e331bc361a9eec Mon Sep 17 00:00:00 2001 +From: Vojtech Polasek +Date: Tue, 17 Mar 2020 10:47:23 +0100 +Subject: [PATCH 2/8] add chrony cpe to rhel7, rhel8, fedora + +--- + .../ntp/chronyd_run_as_chrony_user/rule.yml | 6 +++--- + 6 files changed, 39 insertions(+), 3 deletions(-) + +diff --git a/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/rule.yml b/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/rule.yml +index 00a9e1d046..811ab8ac91 100644 +--- a/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/rule.yml ++++ b/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/rule.yml +@@ -5,10 +5,10 @@ prodtype: rhel7,rhel8,fedora + title: 'Ensure thatchronyd is running under chrony user account' + + description: |- +- chrony is a daemon which implements the Network Time Protocol (NTP) is designed to ++ chrony is a daemon which implements the Network Time Protocol (NTP). It is designed to + synchronize system clocks across a variety of systems and use a source that is highly + accurate. More information on chrony can be found at +- {{{ weblink(link="http://chrony.tuxfamily.org/) }}}. ++ {{{ weblink(link="http://chrony.tuxfamily.org/") }}}. + Chrony can be configured to be a client and/or a server. + To ensure that chronyd is running under chrony user account, Add or edit the + OPTIONS variable in /etc/sysconfig/chronyd to include ' -u chrony ': +@@ -21,7 +21,7 @@ rationale: |- + + severity: medium + +-platform: ntp ++platform: chrony + + references: + cis@rhel7: 2.2.1.2 +From f32d587b8d6f916f0ed35000348de111a0ff3347 Mon Sep 17 00:00:00 2001 +From: Vojtech Polasek +Date: Tue, 17 Mar 2020 10:47:56 +0100 +Subject: [PATCH 3/8] add remediations + +--- + .../ansible/shared.yml | 30 +++++++++++++++++++ + .../chronyd_run_as_chrony_user/bash/shared.sh | 9 ++++++ + 2 files changed, 39 insertions(+) + create mode 100644 linux_os/guide/services/ntp/chronyd_run_as_chrony_user/ansible/shared.yml + create mode 100644 linux_os/guide/services/ntp/chronyd_run_as_chrony_user/bash/shared.sh + +diff --git a/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/ansible/shared.yml b/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/ansible/shared.yml +new file mode 100644 +index 0000000000..f9c29734c0 +--- /dev/null ++++ b/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/ansible/shared.yml +@@ -0,0 +1,30 @@ ++# platform = multi_platform_fedora,Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8 ++# reboot = false ++# strategy = configure ++# complexity = low ++# disruption = low ++ ++- name: "detect if file is not empty or missing" ++ find: ++ path: /etc/sysconfig/ ++ patterns: chronyd ++ contains: '^([\s]*OPTIONS=["]?[^"]*)("?)' ++ register: chronyd_file ++ ++- name: "replace existing setting or create a new file, rest is handled by different task" ++ lineinfile: ++ path: /etc/sysconfig/chronyd ++ regexp: '^([\s]*OPTIONS=["]?[^"]*)("?)' ++ line: '\1 -u chrony\2' ++ state: present ++ create: True ++ backrefs: True ++ when: chronyd_file.matched > 0 ++ ++- name: "put line into file, assume file was empty" ++ lineinfile: ++ path: /etc/sysconfig/chronyd ++ line: 'OPTIONS="-u chrony"' ++ state: present ++ create: True ++ when: chronyd_file.matched == 0 +diff --git a/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/bash/shared.sh b/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/bash/shared.sh +new file mode 100644 +index 0000000000..4210e28560 +--- /dev/null ++++ b/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/bash/shared.sh +@@ -0,0 +1,9 @@ ++# platform = Red Hat Enterprise Linux 7,multi_platform_fedora,Red Hat Enterprise Linux 8 ++ ++if grep -q 'OPTIONS=.*' /etc/sysconfig/chronyd; then ++ # trying to solve cases where the parameter after OPTIONS ++ #may or may not be enclosed in quotes ++ sed -i -E 's/^([\s]*OPTIONS=["]?[^"]*)("?)/\1 -u chrony\2/' /etc/sysconfig/chronyd ++else ++ echo 'OPTIONS="-u chrony"' >> /etc/sysconfig/chronyd ++fi + +From 93055dfbb432ca08fbe215ddc40235b3c815a604 Mon Sep 17 00:00:00 2001 +From: Vojtech Polasek +Date: Tue, 17 Mar 2020 10:48:31 +0100 +Subject: [PATCH 4/8] add oval check + +--- + .../services/ntp/chronyd_run_as_chrony_user/oval/shared.xml | 1 + + 1 file changed, 1 insertion(+) + create mode 100644 linux_os/guide/services/ntp/chronyd_run_as_chrony_user/oval/shared.xml + +diff --git a/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/oval/shared.xml b/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/oval/shared.xml +new file mode 100644 +index 0000000000..fe2936bc92 +--- /dev/null ++++ b/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/oval/shared.xml +@@ -0,0 +1 @@ ++{{{ oval_check_config_file(path='/etc/sysconfig/chronyd', prefix_regex='^[ \\t]*', parameter='OPTIONS', separator_regex='=', value='["]?.*-u chrony.*["]?', missing_parameter_pass=false, missing_config_file_fail=true) }}} + +From 4e1c628a1aca02a578aa1e9401c7d4c48367bc5d Mon Sep 17 00:00:00 2001 +From: Vojtech Polasek +Date: Tue, 17 Mar 2020 10:48:45 +0100 +Subject: [PATCH 5/8] add tests + +--- + .../ntp/chronyd_run_as_chrony_user/tests/correct.pass.sh | 5 +++++ + .../ntp/chronyd_run_as_chrony_user/tests/empty.fail.sh | 6 ++++++ + .../chronyd_run_as_chrony_user/tests/empty_options.fail.sh | 5 +++++ + .../chronyd_run_as_chrony_user/tests/file_missing.fail.sh | 5 +++++ + .../ntp/chronyd_run_as_chrony_user/tests/wrong_line.fail.sh | 5 +++++ + 5 files changed, 26 insertions(+) + create mode 100644 linux_os/guide/services/ntp/chronyd_run_as_chrony_user/tests/correct.pass.sh + create mode 100644 linux_os/guide/services/ntp/chronyd_run_as_chrony_user/tests/empty.fail.sh + create mode 100644 linux_os/guide/services/ntp/chronyd_run_as_chrony_user/tests/empty_options.fail.sh + create mode 100644 linux_os/guide/services/ntp/chronyd_run_as_chrony_user/tests/file_missing.fail.sh + create mode 100644 linux_os/guide/services/ntp/chronyd_run_as_chrony_user/tests/wrong_line.fail.sh + +diff --git a/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/tests/correct.pass.sh b/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/tests/correct.pass.sh +new file mode 100644 +index 0000000000..44783378ce +--- /dev/null ++++ b/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/tests/correct.pass.sh +@@ -0,0 +1,5 @@ ++#!/bin/bash ++ ++yum -y install chrony ++ ++echo 'OPTIONS="-u chrony"' > /etc/sysconfig/chronyd +diff --git a/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/tests/empty.fail.sh b/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/tests/empty.fail.sh +new file mode 100644 +index 0000000000..51f5b8663f +--- /dev/null ++++ b/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/tests/empty.fail.sh +@@ -0,0 +1,6 @@ ++#!/bin/bash ++ ++yum -y install ntp ++ ++echo "" > /etc/sysconfig/ntpd ++echo "" > /usr/lib/systemd/system/ntpd.service +diff --git a/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/tests/empty_options.fail.sh b/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/tests/empty_options.fail.sh +new file mode 100644 +index 0000000000..c38004ae8a +--- /dev/null ++++ b/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/tests/empty_options.fail.sh +@@ -0,0 +1,5 @@ ++#!/bin/bash ++ ++yum -y install chrony ++ ++echo 'OPTIONS=""' > /etc/sysconfig/chronyd +diff --git a/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/tests/file_missing.fail.sh b/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/tests/file_missing.fail.sh +new file mode 100644 +index 0000000000..c5e5c97b85 +--- /dev/null ++++ b/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/tests/file_missing.fail.sh +@@ -0,0 +1,5 @@ ++#!/bin/bash ++ ++yum -y install chrony ++ ++rm -f /etc/sysconfig/ntpd +diff --git a/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/tests/wrong_line.fail.sh b/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/tests/wrong_line.fail.sh +new file mode 100644 +index 0000000000..72ef399539 +--- /dev/null ++++ b/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/tests/wrong_line.fail.sh +@@ -0,0 +1,5 @@ ++#!/bin/bash ++ ++yum -y install chrony ++ ++echo 'OPTIONS="-u root:root"' > /etc/sysconfig/chronyd + +From 72e02f1d773b513cb2bcfac35cef2b17b036c7a6 Mon Sep 17 00:00:00 2001 +From: Vojtech Polasek +Date: Wed, 18 Mar 2020 12:09:26 +0100 +Subject: [PATCH 6/8] fix wording and ansible + +--- + .../ntp/chronyd_run_as_chrony_user/ansible/shared.yml | 9 ++++----- + .../services/ntp/chronyd_run_as_chrony_user/rule.yml | 4 ++-- + 2 files changed, 6 insertions(+), 7 deletions(-) + +diff --git a/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/ansible/shared.yml b/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/ansible/shared.yml +index f9c29734c0..42acdff9f4 100644 +--- a/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/ansible/shared.yml ++++ b/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/ansible/shared.yml +@@ -4,24 +4,23 @@ + # complexity = low + # disruption = low + +-- name: "detect if file is not empty or missing" ++- name: "Detect if file /etc/sysconfig/chronyd is not empty or missing" + find: + path: /etc/sysconfig/ + patterns: chronyd + contains: '^([\s]*OPTIONS=["]?[^"]*)("?)' + register: chronyd_file + +-- name: "replace existing setting or create a new file, rest is handled by different task" ++- name: "Correct existing in /etc/sysconfig/chronyd to run chronyd as chrony user" + lineinfile: + path: /etc/sysconfig/chronyd + regexp: '^([\s]*OPTIONS=["]?[^"]*)("?)' + line: '\1 -u chrony\2' + state: present +- create: True + backrefs: True +- when: chronyd_file.matched > 0 ++ when: chronyd_file is defined and chronyd_file.matched > 0 + +-- name: "put line into file, assume file was empty" ++- name: "Insert correct line into /etc/sysconfig/chronyd ensuring chronyd runs as chrony user" + lineinfile: + path: /etc/sysconfig/chronyd + line: 'OPTIONS="-u chrony"' +diff --git a/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/rule.yml b/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/rule.yml +index 811ab8ac91..cd641ce0cb 100644 +--- a/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/rule.yml ++++ b/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/rule.yml +@@ -2,7 +2,7 @@ documentation_complete: true + + prodtype: rhel7,rhel8,fedora + +-title: 'Ensure thatchronyd is running under chrony user account' ++title: 'Ensure that chronyd is running under chrony user account' + + description: |- + chrony is a daemon which implements the Network Time Protocol (NTP). It is designed to +@@ -11,7 +11,7 @@ description: |- + {{{ weblink(link="http://chrony.tuxfamily.org/") }}}. + Chrony can be configured to be a client and/or a server. + To ensure that chronyd is running under chrony user account, Add or edit the +- OPTIONS variable in /etc/sysconfig/chronyd to include ' -u chrony ': ++ OPTIONS variable in /etc/sysconfig/chronyd to include -u chrony: + 
OPTIONS="-u chrony"
+ This recommendation only applies if chrony is in use on the system. + + +From 0885706c1d1e9f2b0dfd1150736549e0d1a036c1 Mon Sep 17 00:00:00 2001 +From: Vojtech Polasek +Date: Wed, 18 Mar 2020 12:09:56 +0100 +Subject: [PATCH 7/8] fix and add tests + +--- + .../tests/correct_multiple_options.pass.sh | 5 +++++ + .../ntp/chronyd_run_as_chrony_user/tests/empty.fail.sh | 3 +-- + .../chronyd_run_as_chrony_user/tests/file_missing.fail.sh | 2 +- + .../chronyd_run_as_chrony_user/tests/wrong_line_2.fail.sh | 5 +++++ + 4 files changed, 12 insertions(+), 3 deletions(-) + create mode 100644 linux_os/guide/services/ntp/chronyd_run_as_chrony_user/tests/correct_multiple_options.pass.sh + create mode 100644 linux_os/guide/services/ntp/chronyd_run_as_chrony_user/tests/wrong_line_2.fail.sh + +diff --git a/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/tests/correct_multiple_options.pass.sh b/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/tests/correct_multiple_options.pass.sh +new file mode 100644 +index 0000000000..12f14a7e28 +--- /dev/null ++++ b/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/tests/correct_multiple_options.pass.sh +@@ -0,0 +1,5 @@ ++#!/bin/bash ++ ++yum -y install chrony ++ ++echo 'OPTIONS="-g -u chrony"' > /etc/sysconfig/chronyd +diff --git a/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/tests/empty.fail.sh b/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/tests/empty.fail.sh +index 51f5b8663f..85b4995681 100644 +--- a/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/tests/empty.fail.sh ++++ b/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/tests/empty.fail.sh +@@ -2,5 +2,4 @@ + + yum -y install ntp + +-echo "" > /etc/sysconfig/ntpd +-echo "" > /usr/lib/systemd/system/ntpd.service ++echo "" > /etc/sysconfig/chronyd +diff --git a/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/tests/file_missing.fail.sh b/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/tests/file_missing.fail.sh +index c5e5c97b85..96787432db 100644 +--- a/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/tests/file_missing.fail.sh ++++ b/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/tests/file_missing.fail.sh +@@ -2,4 +2,4 @@ + + yum -y install chrony + +-rm -f /etc/sysconfig/ntpd ++rm -f /etc/sysconfig/chronyd +diff --git a/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/tests/wrong_line_2.fail.sh b/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/tests/wrong_line_2.fail.sh +new file mode 100644 +index 0000000000..4c3a51181a +--- /dev/null ++++ b/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/tests/wrong_line_2.fail.sh +@@ -0,0 +1,5 @@ ++#!/bin/bash ++ ++yum -y install chrony ++ ++echo 'OPTIONS="-g"' > /etc/sysconfig/chronyd + +From 1ffcfa459d95f335747e158adf1596323f72e518 Mon Sep 17 00:00:00 2001 +From: Vojtech Polasek +Date: Wed, 18 Mar 2020 15:57:11 +0100 +Subject: [PATCH 8/8] fix remediations to remove any previous user + configuration + +fix test +--- + .../ntp/chronyd_run_as_chrony_user/ansible/shared.yml | 11 +++++++++-- + .../ntp/chronyd_run_as_chrony_user/bash/shared.sh | 2 +- + .../chronyd_run_as_chrony_user/tests/empty.fail.sh | 2 +- + 3 files changed, 11 insertions(+), 4 deletions(-) + +diff --git a/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/ansible/shared.yml b/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/ansible/shared.yml +index 42acdff9f4..e60dd11eb2 100644 +--- a/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/ansible/shared.yml ++++ b/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/ansible/shared.yml +@@ -11,7 +11,14 @@ + contains: '^([\s]*OPTIONS=["]?[^"]*)("?)' + register: chronyd_file + +-- name: "Correct existing in /etc/sysconfig/chronyd to run chronyd as chrony user" ++- name: "Remove any previous configuration of user used to run chronyd process" ++ replace: ++ path: /etc/sysconfig/chronyd ++ regexp: '\s*-u\s+\w+\s*' ++ replace: ' ' ++ when: chronyd_file is defined and chronyd_file.matched > 0 ++ ++- name: "Correct existing line in /etc/sysconfig/chronyd to run chronyd as chrony user" + lineinfile: + path: /etc/sysconfig/chronyd + regexp: '^([\s]*OPTIONS=["]?[^"]*)("?)' +@@ -26,4 +33,4 @@ + line: 'OPTIONS="-u chrony"' + state: present + create: True +- when: chronyd_file.matched == 0 ++ when: chronyd_file is defined and chronyd_file.matched == 0 +diff --git a/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/bash/shared.sh b/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/bash/shared.sh +index 4210e28560..83acc51db0 100644 +--- a/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/bash/shared.sh ++++ b/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/bash/shared.sh +@@ -3,7 +3,7 @@ + if grep -q 'OPTIONS=.*' /etc/sysconfig/chronyd; then + # trying to solve cases where the parameter after OPTIONS + #may or may not be enclosed in quotes +- sed -i -E 's/^([\s]*OPTIONS=["]?[^"]*)("?)/\1 -u chrony\2/' /etc/sysconfig/chronyd ++ sed -i -E -e 's/\s*-u\s+\w+\s*/ /' -e 's/^([\s]*OPTIONS=["]?[^"]*)("?)/\1 -u chrony\2/' /etc/sysconfig/chronyd + else + echo 'OPTIONS="-u chrony"' >> /etc/sysconfig/chronyd + fi +diff --git a/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/tests/empty.fail.sh b/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/tests/empty.fail.sh +index 85b4995681..4a4f21ced7 100644 +--- a/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/tests/empty.fail.sh ++++ b/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/tests/empty.fail.sh +@@ -1,5 +1,5 @@ + #!/bin/bash + +-yum -y install ntp ++yum -y install chrony + + echo "" > /etc/sysconfig/chronyd diff --git a/SOURCES/scap-security-guide-0.1.50-simplify_login_banner.patch b/SOURCES/scap-security-guide-0.1.50-simplify_login_banner.patch new file mode 100644 index 0000000..1a1a271 --- /dev/null +++ b/SOURCES/scap-security-guide-0.1.50-simplify_login_banner.patch @@ -0,0 +1,1728 @@ +From fb5fe8c7dea9c83558b9e4fd7d2235caff6bd4db Mon Sep 17 00:00:00 2001 +From: Marek Haicman +Date: Wed, 4 Dec 2019 15:11:39 +0100 +Subject: [PATCH 01/27] Create macro to translate text to banner text. + +With banner texts having every whitespace replaced with more complex regular +expression, it's not really readable in that form. This macro should provide +way to write human readable text in source, and get machine readable text +as the output. +--- + .../var_web_login_banner_text.var | 15 ++++++--------- + .../banner_etc_issue/bash/shared.sh | 2 +- + ...disa_dod_default_banner_no_newline.fail.sh | 19 +++++++++++++++++++ + .../accounts-banners/login_banner_text.var | 12 ++++++------ + shared/macros.jinja | 4 ++++ + ssg/build_yaml.py | 2 +- + 6 files changed, 37 insertions(+), 17 deletions(-) + create mode 100644 linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/tests/banner_etc_issue_disa_dod_default_banner_no_newline.fail.sh + +diff --git a/linux_os/guide/services/http/securing_httpd/httpd_secure_content/var_web_login_banner_text.var b/linux_os/guide/services/http/securing_httpd/httpd_secure_content/var_web_login_banner_text.var +index 61ebea65f3..72a728659b 100644 +--- a/linux_os/guide/services/http/securing_httpd/httpd_secure_content/var_web_login_banner_text.var ++++ b/linux_os/guide/services/http/securing_httpd/httpd_secure_content/var_web_login_banner_text.var +@@ -4,7 +4,7 @@ title: 'Web Login Banner Verbiage' + + description: |- + Enter an appropriate login banner for your organization. Please note that new lines must +- be expressed by the '\n' character and special characters like parentheses and quotation marks must be escaped with '\'. ++ be expressed by the '\n' character and special characters like parentheses and quotation marks must be escaped with '\\'. + + type: string + +@@ -13,11 +13,8 @@ operator: equals + interactive: false + + options: +- dod_banners: ^(You[\s\n]+are[\s\n]+accessing[\s\n]+a[\s\n]+U.S.[\s\n]+Government[\s\n]+\(USG\)[\s\n]+Information[\s\n]+System[\s\n]+\(IS\)[\s\n]+that[\s\n]+is[\s\n]+provided[\s\n]+for[\s\n]+USG-authorized[\s\n]+use[\s\n]+only.[\s\n]*By[\s\n]+using[\s\n]+this[\s\n]+IS[\s\n]+\(which[\s\n]+includes[\s\n]+any[\s\n]+device[\s\n]+attached[\s\n]+to[\s\n]+this[\s\n]+IS\),[\s\n]+you[\s\n]+consent[\s\n]+to[\s\n]+the[\s\n]+following[\s\n]+conditions\:[\s\n]*-[\s\n]*The[\s\n]+USG[\s\n]+routinely[\s\n]+intercepts[\s\n]+and[\s\n]+monitors[\s\n]+communications[\s\n]+on[\s\n]+this[\s\n]+IS[\s\n]+for[\s\n]+purposes[\s\n]+including,[\s\n]+but[\s\n]+not[\s\n]+limited[\s\n]+to,[\s\n]+penetration[\s\n]+testing,[\s\n]+COMSEC[\s\n]+monitoring,[\s\n]+network[\s\n]+operations[\s\n]+and[\s\n]+defense,[\s\n]+personnel[\s\n]+misconduct[\s\n]+\(PM\),[\s\n]+law[\s\n]+enforcement[\s\n]+\(LE\),[\s\n]+and[\s\n]+counterintelligence[\s\n]+\(CI\)[\s\n]+investigations.[\s\n]*-[\s\n]*At[\s\n]+any[\s\n]+time,[\s\n]+the[\s\n]+USG[\s\n]+may[\s\n]+inspect[\s\n]+and[\s\n]+seize[\s\n]+data[\s\n]+stored[\s\n]+on[\s\n]+this[\s\n]+IS.[\s\n]*-[\s\n]*Communications[\s\n]+using,[\s\n]+or[\s\n]+data[\s\n]+stored[\s\n]+on,[\s\n]+this[\s\n]+IS[\s\n]+are[\s\n]+not[\s\n]+private,[\s\n]+are[\s\n]+subject[\s\n]+to[\s\n]+routine[\s\n]+monitoring,[\s\n]+interception,[\s\n]+and[\s\n]+search,[\s\n]+and[\s\n]+may[\s\n]+be[\s\n]+disclosed[\s\n]+or[\s\n]+used[\s\n]+for[\s\n]+any[\s\n]+USG-authorized[\s\n]+purpose.[\s\n]*-[\s\n]*This[\s\n]+IS[\s\n]+includes[\s\n]+security[\s\n]+measures[\s\n]+\(e.g.,[\s\n]+authentication[\s\n]+and[\s\n]+access[\s\n]+controls\)[\s\n]+to[\s\n]+protect[\s\n]+USG[\s\n]+interests--not[\s\n]+for[\s\n]+your[\s\n]+personal[\s\n]+benefit[\s\n]+or[\s\n]+privacy.[\s\n]*-[\s\n]*Notwithstanding[\s\n]+the[\s\n]+above,[\s\n]+using[\s\n]+this[\s\n]+IS[\s\n]+does[\s\n]+not[\s\n]+constitute[\s\n]+consent[\s\n]+to[\s\n]+PM,[\s\n]+LE[\s\n]+or[\s\n]+CI[\s\n]+investigative[\s\n]+searching[\s\n]+or[\s\n]+monitoring[\s\n]+of[\s\n]+the[\s\n]+content[\s\n]+of[\s\n]+privileged[\s\n]+communications,[\s\n]+or[\s\n]+work[\s\n]+product,[\s\n]+related[\s\n]+to[\s\n]+personal[\s\n]+representation[\s\n]+or[\s\n]+services[\s\n]+by[\s\n]+attorneys,[\s\n]+psychotherapists,[\s\n]+or[\s\n]+clergy,[\s\n]+and[\s\n]+their[\s\n]+assistants.[\s\n]+Such[\s\n]+communications[\s\n]+and[\s\n]+work[\s\n]+product[\s\n]+are[\s\n]+private[\s\n]+and[\s\n]+confidential.[\s\n]+See[\s\n]+User[\s\n]+Agreement[\s\n]+for[\s\n]+details.|I\'ve[\s\n]+read[\s\n]+\&[\s\n]+consent[\s\n]+to[\s\n]+terms[\s\n]+in[\s\n]+IS[\s\n]+user[\s\n]+agreem\'t.)$ +- dod_default: You[\s\n]+are[\s\n]+accessing[\s\n]+a[\s\n]+U.S.[\s\n]+Government[\s\n]+\(USG\)[\s\n]+Information[\s\n]+System[\s\n]+\(IS\)[\s\n]+that[\s\n]+is[\s\n]+provided[\s\n]+for[\s\n]+USG-authorized[\s\n]+use[\s\n]+only.[\s\n]*By[\s\n]+using[\s\n]+this[\s\n]+IS[\s\n]+\(which[\s\n]+includes[\s\n]+any[\s\n]+device[\s\n]+attached[\s\n]+to[\s\n]+this[\s\n]+IS\),[\s\n]+you[\s\n]+consent[\s\n]+to[\s\n]+the[\s\n]+following[\s\n]+conditions\:[\s\n]*-[\s\n]*The[\s\n]+USG[\s\n]+routinely[\s\n]+intercepts[\s\n]+and[\s\n]+monitors[\s\n]+communications[\s\n]+on[\s\n]+this[\s\n]+IS[\s\n]+for[\s\n]+purposes[\s\n]+including,[\s\n]+but[\s\n]+not[\s\n]+limited[\s\n]+to,[\s\n]+penetration[\s\n]+testing,[\s\n]+COMSEC[\s\n]+monitoring,[\s\n]+network[\s\n]+operations[\s\n]+and[\s\n]+defense,[\s\n]+personnel[\s\n]+misconduct[\s\n]+\(PM\),[\s\n]+law[\s\n]+enforcement[\s\n]+\(LE\),[\s\n]+and[\s\n]+counterintelligence[\s\n]+\(CI\)[\s\n]+investigations.[\s\n]*-[\s\n]*At[\s\n]+any[\s\n]+time,[\s\n]+the[\s\n]+USG[\s\n]+may[\s\n]+inspect[\s\n]+and[\s\n]+seize[\s\n]+data[\s\n]+stored[\s\n]+on[\s\n]+this[\s\n]+IS.[\s\n]*-[\s\n]*Communications[\s\n]+using,[\s\n]+or[\s\n]+data[\s\n]+stored[\s\n]+on,[\s\n]+this[\s\n]+IS[\s\n]+are[\s\n]+not[\s\n]+private,[\s\n]+are[\s\n]+subject[\s\n]+to[\s\n]+routine[\s\n]+monitoring,[\s\n]+interception,[\s\n]+and[\s\n]+search,[\s\n]+and[\s\n]+may[\s\n]+be[\s\n]+disclosed[\s\n]+or[\s\n]+used[\s\n]+for[\s\n]+any[\s\n]+USG-authorized[\s\n]+purpose.[\s\n]*-[\s\n]*This[\s\n]+IS[\s\n]+includes[\s\n]+security[\s\n]+measures[\s\n]+\(e.g.,[\s\n]+authentication[\s\n]+and[\s\n]+access[\s\n]+controls\)[\s\n]+to[\s\n]+protect[\s\n]+USG[\s\n]+interests--not[\s\n]+for[\s\n]+your[\s\n]+personal[\s\n]+benefit[\s\n]+or[\s\n]+privacy.[\s\n]*-[\s\n]*Notwithstanding[\s\n]+the[\s\n]+above,[\s\n]+using[\s\n]+this[\s\n]+IS[\s\n]+does[\s\n]+not[\s\n]+constitute[\s\n]+consent[\s\n]+to[\s\n]+PM,[\s\n]+LE[\s\n]+or[\s\n]+CI[\s\n]+investigative[\s\n]+searching[\s\n]+or[\s\n]+monitoring[\s\n]+of[\s\n]+the[\s\n]+content[\s\n]+of[\s\n]+privileged[\s\n]+communications,[\s\n]+or[\s\n]+work[\s\n]+product,[\s\n]+related[\s\n]+to[\s\n]+personal[\s\n]+representation[\s\n]+or[\s\n]+services[\s\n]+by[\s\n]+attorneys,[\s\n]+psychotherapists,[\s\n]+or[\s\n]+clergy,[\s\n]+and[\s\n]+their[\s\n]+assistants.[\s\n]+Such[\s\n]+communications[\s\n]+and[\s\n]+work[\s\n]+product[\s\n]+are[\s\n]+private[\s\n]+and[\s\n]+confidential.[\s\n]+See[\s\n]+User[\s\n]+Agreement[\s\n]+for[\s\n]+details. +- dod_short: I\'ve[\s\n]+read[\s\n]+\&[\s\n]+consent[\s\n]+to[\s\n]+terms[\s\n]+in[\s\n]+IS[\s\n]+user[\s\n]+agreem\'t. +- dss_odaa_default: "[\\s\\n]+Use[\\s\\n]+of[\\s\\n]+this[\\s\\n]+or[\\s\\n]+any[\\s\\n]+other[\\s\\n]+DoD[\\s\\n]+interest[\\s\\n]+computer[\\s\\n]+system[\\s\\n]+constitutes[\\s\\n]+consent[\\s\\n]+to[\\s\\n]+monitoring[\\s\\n]+at[\\s\\n]+all[\\s\\n]+times.[\\s\\n]+This[\\s\\n]+is[\\s\\n]+a[\\s\\n]+DoD[\\s\\n]+interest[\\s\\n]+computer[\\s\\n]+system.[\\s\\n]+All[\\s\\n]+DoD[\\s\\n]+interest[\\s\\n]+computer[\\s\\n]+systems[\\s\\n]+and[\\s\\n]+related[\\s\\n]+equipment[\\s\\n]+are[\\s\\n]+intended[\\s\\n]+for[\\s\\n]+the[\\s\\n]+communication,[\\s\\n]+transmission,[\\s\\n]+processing,[\\s\\n]+and[\\s\\n]+storage[\\s\\n]+of[\\s\\n]+official[\\s\\n]+U.S.[\\s\\n]+Government[\\s\\n]+or[\\s\\n]+other[\\s\\n]+authorized[\\s\\n]+information[\\s\\n]+only.[\\s\\n]+All[\\s\\n]+DoD[\\s\\n]+interest[\\s\\n]+computer[\\s\\n]+systems[\\s\\n]+are[\\s\\n]+subject[\\s\\n]+to[\\s\\n]+monitoring[\\s\\n]+at[\\s\\n]+all[\\s\\n]+times[\\s\\n]+to[\\s\\n]+ensure[\\s\\n]+proper[\\s\\n]+functioning[\\s\\n]+of[\\\ +- s\\n]+equipment[\\s\\n]+and[\\s\\n]+systems[\\s\\n]+including[\\s\\n]+security[\\s\\n]+devices[\\s\\n]+and[\\s\\n]+systems,[\\s\\n]+to[\\s\\n]+prevent[\\s\\n]+unauthorized[\\s\\n]+use[\\s\\n]+and[\\s\\n]+violations[\\s\\n]+of[\\s\\n]+statutes[\\s\\n]+and[\\s\\n]+security[\\s\\n]+regulations,[\\s\\n]+to[\\s\\n]+deter[\\s\\n]+criminal[\\s\\n]+activity,[\\s\\n]+and[\\s\\n]+for[\\s\\n]+other[\\s\\n]+similar[\\s\\n]+purposes.[\\s\\n]+Any[\\s\\n]+user[\\s\\n]+of[\\s\\n]+a[\\s\\n]+DoD[\\s\\n]+interest[\\s\\n]+computer[\\s\\n]+system[\\s\\n]+should[\\s\\n]+be[\\s\\n]+aware[\\s\\n]+that[\\s\\n]+any[\\s\\n]+information[\\s\\n]+placed[\\s\\n]+in[\\s\\n]+the[\\s\\n]+system[\\s\\n]+is[\\s\\n]+subject[\\s\\n]+to[\\s\\n]+monitoring[\\s\\n]+and[\\s\\n]+is[\\s\\n]+not[\\s\\n]+subject[\\s\\n]+to[\\s\\n]+any[\\s\\n]+expectation[\\s\\n]+of[\\s\\n]+privacy.[\\s\\n]+If[\\s\\n]+monitoring[\\s\\n]+of[\\s\\n]+this[\\s\\n]+or[\\s\\n]+any[\\s\\n]+other[\\s\\n]+DoD[\\s\\n]+interest[\\s\\n]+computer[\\s\\n]+system[\\\ +- s\\n]+reveals[\\s\\n]+possible[\\s\\n]+evidence[\\s\\n]+of[\\s\\n]+violation[\\s\\n]+of[\\s\\n]+criminal[\\s\\n]+statutes,[\\s\\n]+this[\\s\\n]+evidence[\\s\\n]+and[\\s\\n]+any[\\s\\n]+other[\\s\\n]+related[\\s\\n]+information,[\\s\\n]+including[\\s\\n]+identification[\\s\\n]+information[\\s\\n]+about[\\s\\n]+the[\\s\\n]+user,[\\s\\n]+may[\\s\\n]+be[\\s\\n]+provided[\\s\\n]+to[\\s\\n]+law[\\s\\n]+enforcement[\\s\\n]+officials.[\\s\\n]+If[\\s\\n]+monitoring[\\s\\n]+of[\\s\\n]+this[\\s\\n]+or[\\s\\n]+any[\\s\\n]+other[\\s\\n]+DoD[\\s\\n]+interest[\\s\\n]+computer[\\s\\n]+systems[\\s\\n]+reveals[\\s\\n]+violations[\\s\\n]+of[\\s\\n]+security[\\s\\n]+regulations[\\s\\n]+or[\\s\\n]+unauthorized[\\s\\n]+use,[\\s\\n]+employees[\\s\\n]+who[\\s\\n]+violate[\\s\\n]+security[\\s\\n]+regulations[\\s\\n]+or[\\s\\n]+make[\\s\\n]+unauthorized[\\s\\n]+use[\\s\\n]+of[\\s\\n]+DoD[\\s\\n]+interest[\\s\\n]+computer[\\s\\n]+systems[\\s\\n]+are[\\s\\n]+subject[\\s\\n]+to[\\s\\n]+appropriate[\\s\\n]+disciplinary[\\\ +- s\\n]+action.[\\s\\n]+Use[\\s\\n]+of[\\s\\n]+this[\\s\\n]+or[\\s\\n]+any[\\s\\n]+other[\\s\\n]+DoD[\\s\\n]+interest[\\s\\n]+computer[\\s\\n]+system[\\s\\n]+constitutes[\\s\\n]+consent[\\s\\n]+to[\\s\\n]+monitoring[\\s\\n]+at[\\s\\n]+all[\\s\\n]+times." +- usgcb_default: --[\s\n]+WARNING[\s\n]+--[\s\n]*This[\s\n]+system[\s\n]+is[\s\n]+for[\s\n]+the[\s\n]+use[\s\n]+of[\s\n]+authorized[\s\n]+users[\s\n]+only.[\s\n]+Individuals[\s\n]*using[\s\n]+this[\s\n]+computer[\s\n]+system[\s\n]+without[\s\n]+authority[\s\n]+or[\s\n]+in[\s\n]+excess[\s\n]+of[\s\n]+their[\s\n]*authority[\s\n]+are[\s\n]+subject[\s\n]+to[\s\n]+having[\s\n]+all[\s\n]+their[\s\n]+activities[\s\n]+on[\s\n]+this[\s\n]+system[\s\n]*monitored[\s\n]+and[\s\n]+recorded[\s\n]+by[\s\n]+system[\s\n]+personnel.[\s\n]+Anyone[\s\n]+using[\s\n]+this[\s\n]*system[\s\n]+expressly[\s\n]+consents[\s\n]+to[\s\n]+such[\s\n]+monitoring[\s\n]+and[\s\n]+is[\s\n]+advised[\s\n]+that[\s\n]*if[\s\n]+such[\s\n]+monitoring[\s\n]+reveals[\s\n]+possible[\s\n]+evidence[\s\n]+of[\s\n]+criminal[\s\n]+activity[\s\n]*system[\s\n]+personal[\s\n]+may[\s\n]+provide[\s\n]+the[\s\n]+evidence[\s\n]+of[\s\n]+such[\s\n]+monitoring[\s\n]+to[\s\n]+law[\s\n]*enforcement[\s\n]+officials. ++ dod_banners: {{{ banner_flexibler(banner_text="^(You are accessing a U.S. Government \(USG\) Information System \(IS\) that is provided for USG-authorized use only. By using this IS \(which includes any device attached to this IS\), you consent to the following conditions\:\n-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct \(PM\), law enforcement \(LE\), and counterintelligence \(CI\) investigations.\n-At any time, the USG may inspect and seize data stored on this IS.\n-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.\n-This IS includes security measures \(e.g., authentication and access controls\) to protect USG interests--not for your personal benefit or privacy.\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.|I\\'ve read \& consent to terms in IS user agreem\\'t.)$") }}} ++ dod_default: {{{ banner_flexibler(banner_text="You are accessing a U.S. Government \(USG\) Information System \(IS\) that is provided for USG-authorized use only. By using this IS \(which includes any device attached to this IS\), you consent to the following conditions\:\n-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct \(PM\), law enforcement \(LE\), and counterintelligence \(CI\) investigations.\n-At any time, the USG may inspect and seize data stored on this IS.\n-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.\n-This IS includes security measures \(e.g., authentication and access controls\) to protect USG interests--not for your personal benefit or privacy.\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.") }}} ++ dod_short: {{{ banner_flexibler(banner_text="I\\'ve read \& consent to terms in IS user agreem\\'t.") }}} ++ dss_odaa_default: {{{ banner_flexibler(banner_text="Use of this or any other DoD interest computer system constitutes consent to monitoring at all times. This is a DoD interest computer system. All DoD interest computer systems and related equipment are intended for the communication, transmission, processing, and storage of official U.S. Government or other authorized information only. All DoD interest computer systems are subject to monitoring at all times to ensure proper functioning of equipment and systems including security devices and systems, to prevent unauthorized use and violations of statutes and security regulations, to deter criminal activity, and for other similar purposes. Any user of a DoD interest computer system should be aware that any information placed in the system is subject to monitoring and is not subject to any expectation of privacy. If monitoring of this or any other DoD interest computer system reveals possible evidence of violation of criminal statutes, this evidence and any other related information, including identification information about the user, may be provided to law enforcement officials. If monitoring of this or any other DoD interest computer systems reveals violations of security regulations or unauthorized use, employees who violate security regulations or make unauthorized use of DoD interest computer systems are subject to appropriate disciplinary action. Use of this or any other DoD interest computer system constitutes consent to monitoring at all times.") }}} ++ usgcb_default: {{{ banner_flexibler(banner_text="-- WARNING -- This system is for the use of authorized users only. Individuals using this computer system without authority or in excess of their authority are subject to having all their activities on this system monitored and recorded by system personnel. Anyone using this system expressly consents to such monitoring and is advised that if such monitoring reveals possible evidence of criminal activity system personal may provide the evidence of such monitoring to law enforcement officials.") }}} +diff --git a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/bash/shared.sh b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/bash/shared.sh +index 9617934e4f..54bc576551 100644 +--- a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/bash/shared.sh ++++ b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/bash/shared.sh +@@ -3,7 +3,7 @@ + populate login_banner_text + + # There was a regular-expression matching various banners, needs to be expanded +-expanded=$(echo "$login_banner_text" | sed 's/(\\\\\x27)\*/\\\x27/g;s/(\\\x27)\*//g;s/(\^\(.*\)\$|.*$/\1/g;s/\[\\s\\n\][+*]/ /g;s/\\//g;s/[^-]- /\n\n-/g;s/(n)\**//g') ++expanded=$(echo "$login_banner_text" | sed 's/(\\\\\x27)\*/\\\x27/g;s/(\\\x27)\*//g;s/(\^\(.*\)\$|.*$/\1/g;s/\[\\s\\n\]+/ /g;s/\\//g;s/\[n\]+/\n/g') + formatted=$(echo "$expanded" | fold -sw 80) + + cat </etc/issue +diff --git a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/tests/banner_etc_issue_disa_dod_default_banner_no_newline.fail.sh b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/tests/banner_etc_issue_disa_dod_default_banner_no_newline.fail.sh +new file mode 100644 +index 0000000000..00121bae96 +--- /dev/null ++++ b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/tests/banner_etc_issue_disa_dod_default_banner_no_newline.fail.sh +@@ -0,0 +1,19 @@ ++#!/bin/bash ++# ++# profiles = xccdf_org.ssgproject.content_profile_stig ++ ++# dod_default banner ++echo "You are accessing a U.S. Government (USG) Information System (IS) that is ++provided for USG-authorized use only. By using this IS (which includes any ++device attached to this IS), you consent to the following conditions:-The USG routinely intercepts and monitors communications on this IS for ++purposes including, but not limited to, penetration testing, COMSEC monitoring, ++network operations and defense, personnel misconduct (PM), law enforcement ++(LE), and counterintelligence (CI) investigations.-At any time, the USG may inspect and seize data stored on this IS.-Communications using, or data stored on, this IS are not private, are subject ++to routine monitoring, interception, and search, and may be disclosed or used ++for any USG-authorized purpose.-This IS includes security measures (e.g., authentication and access controls) ++to protect USG interests--not for your personal benefit or privacy.-Notwithstanding the above, using this IS does not constitute consent to PM, LE ++or CI investigative searching or monitoring of the content of privileged ++communications, or work product, related to personal representation or services ++by attorneys, psychotherapists, or clergy, and their assistants. Such ++communications and work product are private and confidential. See User ++Agreement for details." > /etc/issue +diff --git a/linux_os/guide/system/accounts/accounts-banners/login_banner_text.var b/linux_os/guide/system/accounts/accounts-banners/login_banner_text.var +index f3a4795bce..0c398bee9c 100644 +--- a/linux_os/guide/system/accounts/accounts-banners/login_banner_text.var ++++ b/linux_os/guide/system/accounts/accounts-banners/login_banner_text.var +@@ -4,7 +4,7 @@ title: 'Login Banner Verbiage' + + description: |- + Enter an appropriate login banner for your organization. Please note that new lines must +- be expressed by the '\n' character and special characters like parentheses and quotation marks must be escaped with '\'. ++ be expressed by the '\n' character and special characters like parentheses and quotation marks must be escaped with '\\'. + + type: string + +@@ -14,8 +14,8 @@ interactive: false + + options: + # First banner in 'dod_banners' must be the banner for desktop, laptop, and other devices which accomodate banners of 1300 characters +- dod_banners: (^You[\s\n]+are[\s\n]+accessing[\s\n]+a[\s\n]+U.S.[\s\n]+Government[\s\n]+\(USG\)[\s\n]+Information[\s\n]+System[\s\n]+\(IS\)[\s\n]+that[\s\n]+is[\s\n]+provided[\s\n]+for[\s\n]+USG-authorized[\s\n]+use[\s\n]+only.[\s\n]*By[\s\n]+using[\s\n]+this[\s\n]+IS[\s\n]+\(which[\s\n]+includes[\s\n]+any[\s\n]+device[\s\n]+attached[\s\n]+to[\s\n]+this[\s\n]+IS\),[\s\n]+you[\s\n]+consent[\s\n]+to[\s\n]+the[\s\n]+following[\s\n]+conditions\:(\\n)*(\n)*-[\s\n]*The[\s\n]+USG[\s\n]+routinely[\s\n]+intercepts[\s\n]+and[\s\n]+monitors[\s\n]+communications[\s\n]+on[\s\n]+this[\s\n]+IS[\s\n]+for[\s\n]+purposes[\s\n]+including,[\s\n]+but[\s\n]+not[\s\n]+limited[\s\n]+to,[\s\n]+penetration[\s\n]+testing,[\s\n]+COMSEC[\s\n]+monitoring,[\s\n]+network[\s\n]+operations[\s\n]+and[\s\n]+defense,[\s\n]+personnel[\s\n]+misconduct[\s\n]+\(PM\),[\s\n]+law[\s\n]+enforcement[\s\n]+\(LE\),[\s\n]+and[\s\n]+counterintelligence[\s\n]+\(CI\)[\s\n]+investigations.(\\n)*(\n)*-[\s\n]*At[\s\n]+any[\s\n]+time,[\s\n]+the[\s\n]+USG[\s\n]+may[\s\n]+inspect[\s\n]+and[\s\n]+seize[\s\n]+data[\s\n]+stored[\s\n]+on[\s\n]+this[\s\n]+IS.(\\n)*(\n)*-[\s\n]*Communications[\s\n]+using,[\s\n]+or[\s\n]+data[\s\n]+stored[\s\n]+on,[\s\n]+this[\s\n]+IS[\s\n]+are[\s\n]+not[\s\n]+private,[\s\n]+are[\s\n]+subject[\s\n]+to[\s\n]+routine[\s\n]+monitoring,[\s\n]+interception,[\s\n]+and[\s\n]+search,[\s\n]+and[\s\n]+may[\s\n]+be[\s\n]+disclosed[\s\n]+or[\s\n]+used[\s\n]+for[\s\n]+any[\s\n]+USG-authorized[\s\n]+purpose.(\\n)*(\n)*-[\s\n]*This[\s\n]+IS[\s\n]+includes[\s\n]+security[\s\n]+measures[\s\n]+\(e.g.,[\s\n]+authentication[\s\n]+and[\s\n]+access[\s\n]+controls\)[\s\n]+to[\s\n]+protect[\s\n]+USG[\s\n]+interests--not[\s\n]+for[\s\n]+your[\s\n]+personal[\s\n]+benefit[\s\n]+or[\s\n]+privacy.(\\n)*(\n)*-[\s\n]*Notwithstanding[\s\n]+the[\s\n]+above,[\s\n]+using[\s\n]+this[\s\n]+IS[\s\n]+does[\s\n]+not[\s\n]+constitute[\s\n]+consent[\s\n]+to[\s\n]+PM,[\s\n]+LE[\s\n]+or[\s\n]+CI[\s\n]+investigative[\s\n]+searching[\s\n]+or[\s\n]+monitoring[\s\n]+of[\s\n]+the[\s\n]+content[\s\n]+of[\s\n]+privileged[\s\n]+communications,[\s\n]+or[\s\n]+work[\s\n]+product,[\s\n]+related[\s\n]+to[\s\n]+personal[\s\n]+representation[\s\n]+or[\s\n]+services[\s\n]+by[\s\n]+attorneys,[\s\n]+psychotherapists,[\s\n]+or[\s\n]+clergy,[\s\n]+and[\s\n]+their[\s\n]+assistants.[\s\n]+Such[\s\n]+communications[\s\n]+and[\s\n]+work[\s\n]+product[\s\n]+are[\s\n]+private[\s\n]+and[\s\n]+confidential.[\s\n]+See[\s\n]+User[\s\n]+Agreement[\s\n]+for[\s\n]+details.$|^I\'ve[\s\n]+read[\s\n]+\&[\s\n]+consent[\s\n]+to[\s\n]+terms[\s\n]+in[\s\n]+IS[\s\n]+user[\s\n]+agreem\'t$) +- dod_default: You[\s\n]+are[\s\n]+accessing[\s\n]+a[\s\n]+U.S.[\s\n]+Government[\s\n]+\(USG\)[\s\n]+Information[\s\n]+System[\s\n]+\(IS\)[\s\n]+that[\s\n]+is[\s\n]+provided[\s\n]+for[\s\n]+USG-authorized[\s\n]+use[\s\n]+only.[\s\n]*By[\s\n]+using[\s\n]+this[\s\n]+IS[\s\n]+\(which[\s\n]+includes[\s\n]+any[\s\n]+device[\s\n]+attached[\s\n]+to[\s\n]+this[\s\n]+IS\),[\s\n]+you[\s\n]+consent[\s\n]+to[\s\n]+the[\s\n]+following[\s\n]+conditions\:(\\n)*(\n)*-[\s\n]*The[\s\n]+USG[\s\n]+routinely[\s\n]+intercepts[\s\n]+and[\s\n]+monitors[\s\n]+communications[\s\n]+on[\s\n]+this[\s\n]+IS[\s\n]+for[\s\n]+purposes[\s\n]+including,[\s\n]+but[\s\n]+not[\s\n]+limited[\s\n]+to,[\s\n]+penetration[\s\n]+testing,[\s\n]+COMSEC[\s\n]+monitoring,[\s\n]+network[\s\n]+operations[\s\n]+and[\s\n]+defense,[\s\n]+personnel[\s\n]+misconduct[\s\n]+\(PM\),[\s\n]+law[\s\n]+enforcement[\s\n]+\(LE\),[\s\n]+and[\s\n]+counterintelligence[\s\n]+\(CI\)[\s\n]+investigations.(\\n)*(\n)*-[\s\n]*At[\s\n]+any[\s\n]+time,[\s\n]+the[\s\n]+USG[\s\n]+may[\s\n]+inspect[\s\n]+and[\s\n]+seize[\s\n]+data[\s\n]+stored[\s\n]+on[\s\n]+this[\s\n]+IS.(\\n)*(\n)*-[\s\n]*Communications[\s\n]+using,[\s\n]+or[\s\n]+data[\s\n]+stored[\s\n]+on,[\s\n]+this[\s\n]+IS[\s\n]+are[\s\n]+not[\s\n]+private,[\s\n]+are[\s\n]+subject[\s\n]+to[\s\n]+routine[\s\n]+monitoring,[\s\n]+interception,[\s\n]+and[\s\n]+search,[\s\n]+and[\s\n]+may[\s\n]+be[\s\n]+disclosed[\s\n]+or[\s\n]+used[\s\n]+for[\s\n]+any[\s\n]+USG-authorized[\s\n]+purpose.(\\n)*(\n)*-[\s\n]*This[\s\n]+IS[\s\n]+includes[\s\n]+security[\s\n]+measures[\s\n]+\(e.g.,[\s\n]+authentication[\s\n]+and[\s\n]+access[\s\n]+controls\)[\s\n]+to[\s\n]+protect[\s\n]+USG[\s\n]+interests--not[\s\n]+for[\s\n]+your[\s\n]+personal[\s\n]+benefit[\s\n]+or[\s\n]+privacy.(\\n)*(\n)*-[\s\n]*Notwithstanding[\s\n]+the[\s\n]+above,[\s\n]+using[\s\n]+this[\s\n]+IS[\s\n]+does[\s\n]+not[\s\n]+constitute[\s\n]+consent[\s\n]+to[\s\n]+PM,[\s\n]+LE[\s\n]+or[\s\n]+CI[\s\n]+investigative[\s\n]+searching[\s\n]+or[\s\n]+monitoring[\s\n]+of[\s\n]+the[\s\n]+content[\s\n]+of[\s\n]+privileged[\s\n]+communications,[\s\n]+or[\s\n]+work[\s\n]+product,[\s\n]+related[\s\n]+to[\s\n]+personal[\s\n]+representation[\s\n]+or[\s\n]+services[\s\n]+by[\s\n]+attorneys,[\s\n]+psychotherapists,[\s\n]+or[\s\n]+clergy,[\s\n]+and[\s\n]+their[\s\n]+assistants.[\s\n]+Such[\s\n]+communications[\s\n]+and[\s\n]+work[\s\n]+product[\s\n]+are[\s\n]+private[\s\n]+and[\s\n]+confidential.[\s\n]+See[\s\n]+User[\s\n]+Agreement[\s\n]+for[\s\n]+details. +- dod_short: I(\\\')*(\')*ve[\s\n]+read[\s\n]+\&[\s\n]+consent[\s\n]+to[\s\n]+terms[\s\n]+in[\s\n]+IS[\s\n]+user[\s\n]+agreem\'t. +- dss_odaa_default: Use[\s\n]+of[\s\n]+this[\s\n]+or[\s\n]+any[\s\n]+other[\s\n]+DoD[\s\n]+interest[\s\n]+computer[\s\n]+system[\s\n]+constitutes[\s\n]+consent[\s\n]+to[\s\n]+monitoring[\s\n]+at[\s\n]+all[\s\n]+times.[\s\n]+This[\s\n]+is[\s\n]+a[\s\n]+DoD[\s\n]+interest[\s\n]+computer[\s\n]+system.[\s\n]+All[\s\n]+DoD[\s\n]+interest[\s\n]+computer[\s\n]+systems[\s\n]+and[\s\n]+related[\s\n]+equipment[\s\n]+are[\s\n]+intended[\s\n]+for[\s\n]+the[\s\n]+communication,[\s\n]+transmission,[\s\n]+processing,[\s\n]+and[\s\n]+storage[\s\n]+of[\s\n]+official[\s\n]+U.S.[\s\n]+Government[\s\n]+or[\s\n]+other[\s\n]+authorized[\s\n]+information[\s\n]+only.[\s\n]+All[\s\n]+DoD[\s\n]+interest[\s\n]+computer[\s\n]+systems[\s\n]+are[\s\n]+subject[\s\n]+to[\s\n]+monitoring[\s\n]+at[\s\n]+all[\s\n]+times[\s\n]+to[\s\n]+ensure[\s\n]+proper[\s\n]+functioning[\s\n]+of[\s\n]+equipment[\s\n]+and[\s\n]+systems[\s\n]+including[\s\n]+security[\s\n]+devices[\s\n]+and[\s\n]+systems,[\s\n]+to[\s\n]+prevent[\s\n]+unauthorized[\s\n]+use[\s\n]+and[\s\n]+violations[\s\n]+of[\s\n]+statutes[\s\n]+and[\s\n]+security[\s\n]+regulations,[\s\n]+to[\s\n]+deter[\s\n]+criminal[\s\n]+activity,[\s\n]+and[\s\n]+for[\s\n]+other[\s\n]+similar[\s\n]+purposes.[\s\n]+Any[\s\n]+user[\s\n]+of[\s\n]+a[\s\n]+DoD[\s\n]+interest[\s\n]+computer[\s\n]+system[\s\n]+should[\s\n]+be[\s\n]+aware[\s\n]+that[\s\n]+any[\s\n]+information[\s\n]+placed[\s\n]+in[\s\n]+the[\s\n]+system[\s\n]+is[\s\n]+subject[\s\n]+to[\s\n]+monitoring[\s\n]+and[\s\n]+is[\s\n]+not[\s\n]+subject[\s\n]+to[\s\n]+any[\s\n]+expectation[\s\n]+of[\s\n]+privacy.[\s\n]+If[\s\n]+monitoring[\s\n]+of[\s\n]+this[\s\n]+or[\s\n]+any[\s\n]+other[\s\n]+DoD[\s\n]+interest[\s\n]+computer[\s\n]+system[\s\n]+reveals[\s\n]+possible[\s\n]+evidence[\s\n]+of[\s\n]+violation[\s\n]+of[\s\n]+criminal[\s\n]+statutes,[\s\n]+this[\s\n]+evidence[\s\n]+and[\s\n]+any[\s\n]+other[\s\n]+related[\s\n]+information,[\s\n]+including[\s\n]+identification[\s\n]+information[\s\n]+about[\s\n]+the[\s\n]+user,[\s\n]+may[\s\n]+be[\s\n]+provided[\s\n]+to[\s\n]+law[\s\n]+enforcement[\s\n]+officials.[\s\n]+If[\s\n]+monitoring[\s\n]+of[\s\n]+this[\s\n]+or[\s\n]+any[\s\n]+other[\s\n]+DoD[\s\n]+interest[\s\n]+computer[\s\n]+systems[\s\n]+reveals[\s\n]+violations[\s\n]+of[\s\n]+security[\s\n]+regulations[\s\n]+or[\s\n]+unauthorized[\s\n]+use,[\s\n]+employees[\s\n]+who[\s\n]+violate[\s\n]+security[\s\n]+regulations[\s\n]+or[\s\n]+make[\s\n]+unauthorized[\s\n]+use[\s\n]+of[\s\n]+DoD[\s\n]+interest[\s\n]+computer[\s\n]+systems[\s\n]+are[\s\n]+subject[\s\n]+to[\s\n]+appropriate[\s\n]+disciplinary[\s\n]+action.[\s\n]+Use[\s\n]+of[\s\n]+this[\s\n]+or[\s\n]+any[\s\n]+other[\s\n]+DoD[\s\n]+interest[\s\n]+computer[\s\n]+system[\s\n]+constitutes[\s\n]+consent[\s\n]+to[\s\n]+monitoring[\s\n]+at[\s\n]+all[\s\n]+times. +- usgcb_default: --[\s\n]+WARNING[\s\n]+--[\s\n]*This[\s\n]+system[\s\n]+is[\s\n]+for[\s\n]+the[\s\n]+use[\s\n]+of[\s\n]+authorized[\s\n]+users[\s\n]+only.[\s\n]+Individuals[\s\n]*using[\s\n]+this[\s\n]+computer[\s\n]+system[\s\n]+without[\s\n]+authority[\s\n]+or[\s\n]+in[\s\n]+excess[\s\n]+of[\s\n]+their[\s\n]*authority[\s\n]+are[\s\n]+subject[\s\n]+to[\s\n]+having[\s\n]+all[\s\n]+their[\s\n]+activities[\s\n]+on[\s\n]+this[\s\n]+system[\s\n]*monitored[\s\n]+and[\s\n]+recorded[\s\n]+by[\s\n]+system[\s\n]+personnel.[\s\n]+Anyone[\s\n]+using[\s\n]+this[\s\n]*system[\s\n]+expressly[\s\n]+consents[\s\n]+to[\s\n]+such[\s\n]+monitoring[\s\n]+and[\s\n]+is[\s\n]+advised[\s\n]+that[\s\n]*if[\s\n]+such[\s\n]+monitoring[\s\n]+reveals[\s\n]+possible[\s\n]+evidence[\s\n]+of[\s\n]+criminal[\s\n]+activity[\s\n]*system[\s\n]+personal[\s\n]+may[\s\n]+provide[\s\n]+the[\s\n]+evidence[\s\n]+of[\s\n]+such[\s\n]+monitoring[\s\n]+to[\s\n]+law[\s\n]*enforcement[\s\n]+officials. ++ dod_banners: {{{ banner_flexibler(banner_text="^(You are accessing a U.S. Government \(USG\) Information System \(IS\) that is provided for USG-authorized use only. By using this IS \(which includes any device attached to this IS\), you consent to the following conditions\:\n-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct \(PM\), law enforcement \(LE\), and counterintelligence \(CI\) investigations.\n-At any time, the USG may inspect and seize data stored on this IS.\n-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.\n-This IS includes security measures \(e.g., authentication and access controls\) to protect USG interests--not for your personal benefit or privacy.\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.|I\\'ve read \& consent to terms in IS user agreem\\'t.)$") }}} ++ dod_default: {{{ banner_flexibler(banner_text="You are accessing a U.S. Government \(USG\) Information System \(IS\) that is provided for USG-authorized use only. By using this IS \(which includes any device attached to this IS\), you consent to the following conditions\:\n-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct \(PM\), law enforcement \(LE\), and counterintelligence \(CI\) investigations.\n-At any time, the USG may inspect and seize data stored on this IS.\n-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.\n-This IS includes security measures \(e.g., authentication and access controls\) to protect USG interests--not for your personal benefit or privacy.\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.") }}} ++ dod_short: {{{ banner_flexibler(banner_text="I\\'ve read \& consent to terms in IS user agreem\\'t.") }}} ++ dss_odaa_default: {{{ banner_flexibler(banner_text="Use of this or any other DoD interest computer system constitutes consent to monitoring at all times. This is a DoD interest computer system. All DoD interest computer systems and related equipment are intended for the communication, transmission, processing, and storage of official U.S. Government or other authorized information only. All DoD interest computer systems are subject to monitoring at all times to ensure proper functioning of equipment and systems including security devices and systems, to prevent unauthorized use and violations of statutes and security regulations, to deter criminal activity, and for other similar purposes. Any user of a DoD interest computer system should be aware that any information placed in the system is subject to monitoring and is not subject to any expectation of privacy. If monitoring of this or any other DoD interest computer system reveals possible evidence of violation of criminal statutes, this evidence and any other related information, including identification information about the user, may be provided to law enforcement officials. If monitoring of this or any other DoD interest computer systems reveals violations of security regulations or unauthorized use, employees who violate security regulations or make unauthorized use of DoD interest computer systems are subject to appropriate disciplinary action. Use of this or any other DoD interest computer system constitutes consent to monitoring at all times.") }}} ++ usgcb_default: {{{ banner_flexibler(banner_text="-- WARNING -- This system is for the use of authorized users only. Individuals using this computer system without authority or in excess of their authority are subject to having all their activities on this system monitored and recorded by system personnel. Anyone using this system expressly consents to such monitoring and is advised that if such monitoring reveals possible evidence of criminal activity system personal may provide the evidence of such monitoring to law enforcement officials.") }}} +diff --git a/shared/macros.jinja b/shared/macros.jinja +index 8a25acc937..3c617040bf 100644 +--- a/shared/macros.jinja ++++ b/shared/macros.jinja +@@ -657,3 +657,7 @@ openssl() + ) + + {{%- endmacro %}} ++ ++{{% macro banner_flexibler(banner_text) -%}} ++{{{ banner_text|replace("\n", "BFLMPSVZ")|replace(" ", "[\s\\n]+")|replace("BFLMPSVZ", "[\\n]+") }}} ++{{% endmacro %}} +diff --git a/ssg/build_yaml.py b/ssg/build_yaml.py +index 357d0e8d99..700e496246 100644 +--- a/ssg/build_yaml.py ++++ b/ssg/build_yaml.py +@@ -327,7 +327,7 @@ def __init__(self, id_): + + @staticmethod + def from_yaml(yaml_file, env_yaml=None): +- yaml_contents = open_and_expand(yaml_file, env_yaml) ++ yaml_contents = open_and_macro_expand(yaml_file, env_yaml) + if yaml_contents is None: + return None + + +From 23185944dd5db08cfee599c62717f1b0f23df683 Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Thu, 27 Feb 2020 18:03:37 +0100 +Subject: [PATCH 02/27] Fix stripping of short banner from dod_banners + +Format of dod_banners changed a bit, and stripping of tailing +short dod banner got broken. + +Goal of dod_banners is to check for either long or shord DoD, but +default to remediating with the long banner. +--- + .../accounts/accounts-banners/banner_etc_issue/bash/shared.sh | 2 +- + .../dconf_gnome_login_banner_text/bash/shared.sh | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +diff --git a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/bash/shared.sh b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/bash/shared.sh +index 54bc576551..1b2052a658 100644 +--- a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/bash/shared.sh ++++ b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/bash/shared.sh +@@ -3,7 +3,7 @@ + populate login_banner_text + + # There was a regular-expression matching various banners, needs to be expanded +-expanded=$(echo "$login_banner_text" | sed 's/(\\\\\x27)\*/\\\x27/g;s/(\\\x27)\*//g;s/(\^\(.*\)\$|.*$/\1/g;s/\[\\s\\n\]+/ /g;s/\\//g;s/\[n\]+/\n/g') ++expanded=$(echo "$login_banner_text" | sed 's/(\\\\\x27)\*/\\\x27/g;s/(\\\x27)\*//g;s/\^(\(.*\)|.*$/\1/g;s/\[\\s\\n\]+/ /g;s/\\//g;s/\[n\]+/\n/g') + formatted=$(echo "$expanded" | fold -sw 80) + + cat </etc/issue +diff --git a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/bash/shared.sh b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/bash/shared.sh +index 1614098c8c..bc6a31bc74 100644 +--- a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/bash/shared.sh ++++ b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/bash/shared.sh +@@ -2,7 +2,7 @@ + . /usr/share/scap-security-guide/remediation_functions + populate login_banner_text + +-expanded=$(echo "$login_banner_text" | sed 's/(\\\\\x27)\*/\\\x27/g;s/(\\\x27)\*//g;s/(\\\\\x27)/tamere/g;s/(\^\(.*\)\$|.*$/\1/g;s/\[\\s\\n\][+*]/ /g;s/\\//g;s/(n)\*/\\n/g;s/\x27/\\\x27/g;') ++expanded=$(echo "$login_banner_text" | sed 's/(\\\\\x27)\*/\\\x27/g;s/(\\\x27)\*//g;s/(\\\\\x27)/tamere/g;s/\^(\(.*\)|.*$/\1/g;s/\[\\s\\n\][+*]/ /g;s/\\//g;s/(n)\*/\\n/g;s/\x27/\\\x27/g;') + + {{{ bash_dconf_settings("org/gnome/login-screen", "banner-message-text", "'${expanded}'", "gdm.d", "00-security-settings") }}} + {{{ bash_dconf_lock("org/gnome/login-screen", "banner-message-text", "gdm.d", "00-security-settings-lock") }}} + +From ed7a96bc41d31ceeeb6b75b2a9565521f4f3eda5 Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Mon, 2 Mar 2020 17:31:49 +0100 +Subject: [PATCH 03/27] Fix test scenarios for OSPP profile + +OSPP profile doesn't select banner_etc_issue +--- + ...banner_etc_issue_ospp_usbcg_banner.fail.sh | 2 +- + ...banner_etc_issue_ospp_usbcg_banner.pass.sh | 30 +++++++++++++------ + 2 files changed, 22 insertions(+), 10 deletions(-) + +diff --git a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/tests/banner_etc_issue_ospp_usbcg_banner.fail.sh b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/tests/banner_etc_issue_ospp_usbcg_banner.fail.sh +index db0b72089c..0f962279be 100644 +--- a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/tests/banner_etc_issue_ospp_usbcg_banner.fail.sh ++++ b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/tests/banner_etc_issue_ospp_usbcg_banner.fail.sh +@@ -1,5 +1,5 @@ + #!/bin/bash + # +-# profiles = xccdf_org.ssgproject.content_profile_ospp ++# profiles = xccdf_org.ssgproject.content_profile_stig + + echo "This is not the expected banner" > /etc/issue +diff --git a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/tests/banner_etc_issue_ospp_usbcg_banner.pass.sh b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/tests/banner_etc_issue_ospp_usbcg_banner.pass.sh +index d36b3a146b..9bb0319323 100644 +--- a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/tests/banner_etc_issue_ospp_usbcg_banner.pass.sh ++++ b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/tests/banner_etc_issue_ospp_usbcg_banner.pass.sh +@@ -1,12 +1,24 @@ + #!/bin/bash + # +-# profiles = xccdf_org.ssgproject.content_profile_ospp ++# profiles = xccdf_org.ssgproject.content_profile_stig + +-# usgcb_default banner +-echo "-- WARNING -- This system is for the use of authorized users only. Individuals +-using this computer system without authority or in excess of their authority +-are subject to having all their activities on this system monitored and +-recorded by system personnel. Anyone using this system expressly consents to +-such monitoring and is advised that if such monitoring reveals possible +-evidence of criminal activity system personal may provide the evidence of such +-monitoring to law enforcement officials." > /etc/issue ++# dod_banners banner ++echo "You are accessing a U.S. Government (USG) Information System (IS) that is ++provided for USG-authorized use only. By using this IS (which includes any ++device attached to this IS), you consent to the following conditions: ++-The USG routinely intercepts and monitors communications on this IS for ++purposes including, but not limited to, penetration testing, COMSEC monitoring, ++network operations and defense, personnel misconduct (PM), law enforcement ++(LE), and counterintelligence (CI) investigations. ++-At any time, the USG may inspect and seize data stored on this IS. ++-Communications using, or data stored on, this IS are not private, are subject ++to routine monitoring, interception, and search, and may be disclosed or used ++for any USG-authorized purpose. ++-This IS includes security measures (e.g., authentication and access controls) ++to protect USG interests--not for your personal benefit or privacy. ++-Notwithstanding the above, using this IS does not constitute consent to PM, LE ++or CI investigative searching or monitoring of the content of privileged ++communications, or work product, related to personal representation or services ++by attorneys, psychotherapists, or clergy, and their assistants. Such ++communications and work product are private and confidential. See User ++Agreement for details." > /etc/issue + +From c0e947ab378de0c3c45b1a0be0b3f7a239c3d6f4 Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Tue, 3 Mar 2020 10:26:40 +0100 +Subject: [PATCH 04/27] Update test scenario metadata for banner tests + +--- + .../dconf_gnome_login_banner_text/tests/correct_value.pass.sh | 1 + + .../tests/correct_value_stig.pass.sh | 2 +- + .../tests/missing_value_stig.fail.sh | 2 +- + .../dconf_gnome_login_banner_text/tests/wrong_value.fail.sh | 1 + + .../tests/wrong_value_stig.fail.sh | 2 +- + 5 files changed, 5 insertions(+), 3 deletions(-) + +diff --git a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/correct_value.pass.sh b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/correct_value.pass.sh +index 2c92fcbeb8..230a8b0a22 100644 +--- a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/correct_value.pass.sh ++++ b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/correct_value.pass.sh +@@ -1,4 +1,5 @@ + #!/bin/bash ++# platform = Red Hat Enterprise Linux 7 + # profiles = xccdf_org.ssgproject.content_profile_ncp + + source $SHARED/dconf_test_functions.sh +diff --git a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/correct_value_stig.pass.sh b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/correct_value_stig.pass.sh +index 8a142b740e..d59f9071f0 100644 +--- a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/correct_value_stig.pass.sh ++++ b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/correct_value_stig.pass.sh +@@ -1,5 +1,5 @@ + #!/bin/bash +-# platform = Red Hat Enterprise Linux 7 ++# platform = Red Hat Enterprise Linux 7, Red Hat Enterprise Linux 8 + # profiles = xccdf_org.ssgproject.content_profile_stig + + source $SHARED/dconf_test_functions.sh +diff --git a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/missing_value_stig.fail.sh b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/missing_value_stig.fail.sh +index 1fea01471e..9638681130 100644 +--- a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/missing_value_stig.fail.sh ++++ b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/missing_value_stig.fail.sh +@@ -1,5 +1,5 @@ + #!/bin/bash +-# platform = Red Hat Enterprise Linux 7 ++# platform = Red Hat Enterprise Linux 7, Red Hat Enterprise Linux 8 + # profiles = xccdf_org.ssgproject.content_profile_stig + + source $SHARED/dconf_test_functions.sh +diff --git a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/wrong_value.fail.sh b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/wrong_value.fail.sh +index af4ea0ab82..7f7123a8be 100644 +--- a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/wrong_value.fail.sh ++++ b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/wrong_value.fail.sh +@@ -1,4 +1,5 @@ + #!/bin/bash ++# platform = Red Hat Enterprise Linux 7 + # profiles = xccdf_org.ssgproject.content_profile_ncp + + source $SHARED/dconf_test_functions.sh +diff --git a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/wrong_value_stig.fail.sh b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/wrong_value_stig.fail.sh +index e0f43ec001..cd65f885a2 100644 +--- a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/wrong_value_stig.fail.sh ++++ b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/wrong_value_stig.fail.sh +@@ -1,5 +1,5 @@ + #!/bin/bash +-# platform = Red Hat Enterprise Linux 7 ++# platform = Red Hat Enterprise Linux 7, Red Hat Enterprise Linux 8 + # profiles = xccdf_org.ssgproject.content_profile_stig + + source $SHARED/dconf_test_functions.sh + +From 12f6616d83a23de27ebca932710a8128474068ff Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Tue, 3 Mar 2020 10:28:07 +0100 +Subject: [PATCH 05/27] Fix text of banners, remove space after dash + +Per DISA STIG reference, there is no space after the list items. +--- + .../dconf_gnome_login_banner_text/bash/shared.sh | 2 +- + .../tests/correct_value_stig.pass.sh | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +diff --git a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/bash/shared.sh b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/bash/shared.sh +index bc6a31bc74..d9dca1bef9 100644 +--- a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/bash/shared.sh ++++ b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/bash/shared.sh +@@ -2,7 +2,7 @@ + . /usr/share/scap-security-guide/remediation_functions + populate login_banner_text + +-expanded=$(echo "$login_banner_text" | sed 's/(\\\\\x27)\*/\\\x27/g;s/(\\\x27)\*//g;s/(\\\\\x27)/tamere/g;s/\^(\(.*\)|.*$/\1/g;s/\[\\s\\n\][+*]/ /g;s/\\//g;s/(n)\*/\\n/g;s/\x27/\\\x27/g;') ++expanded=$(echo "$login_banner_text" | sed 's/(\\\\\x27)\*/\\\x27/g;s/(\\\x27)\*//g;s/(\\\\\x27)/tamere/g;s/\^(\(.*\)|.*$/\1/g;s/\[\\s\\n\]+/ /g;s/\\//g;s/(n)\*/\\n/g;s/\x27/\\\x27/g;') + + {{{ bash_dconf_settings("org/gnome/login-screen", "banner-message-text", "'${expanded}'", "gdm.d", "00-security-settings") }}} + {{{ bash_dconf_lock("org/gnome/login-screen", "banner-message-text", "gdm.d", "00-security-settings-lock") }}} +diff --git a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/correct_value_stig.pass.sh b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/correct_value_stig.pass.sh +index d59f9071f0..dca4b8e99b 100644 +--- a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/correct_value_stig.pass.sh ++++ b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/correct_value_stig.pass.sh +@@ -6,7 +6,7 @@ source $SHARED/dconf_test_functions.sh + + install_dconf_and_gdm_if_needed + +-login_banner_text="(^You[\s\n]+are[\s\n]+accessing[\s\n]+a[\s\n]+U.S.[\s\n]+Government[\s\n]+\(USG\)[\s\n]+Information[\s\n]+System[\s\n]+\(IS\)[\s\n]+that[\s\n]+is[\s\n]+provided[\s\n]+for[\s\n]+USG-authorized[\s\n]+use[\s\n]+only.[\s\n]*By[\s\n]+using[\s\n]+this[\s\n]+IS[\s\n]+\(which[\s\n]+includes[\s\n]+any[\s\n]+device[\s\n]+attached[\s\n]+to[\s\n]+this[\s\n]+IS\),[\s\n]+you[\s\n]+consent[\s\n]+to[\s\n]+the[\s\n]+following[\s\n]+conditions\:(\\n)*(\n)*-[\s\n]*The[\s\n]+USG[\s\n]+routinely[\s\n]+intercepts[\s\n]+and[\s\n]+monitors[\s\n]+communications[\s\n]+on[\s\n]+this[\s\n]+IS[\s\n]+for[\s\n]+purposes[\s\n]+including,[\s\n]+but[\s\n]+not[\s\n]+limited[\s\n]+to,[\s\n]+penetration[\s\n]+testing,[\s\n]+COMSEC[\s\n]+monitoring,[\s\n]+network[\s\n]+operations[\s\n]+and[\s\n]+defense,[\s\n]+personnel[\s\n]+misconduct[\s\n]+\(PM\),[\s\n]+law[\s\n]+enforcement[\s\n]+\(LE\),[\s\n]+and[\s\n]+counterintelligence[\s\n]+\(CI\)[\s\n]+investigations.(\\n)*(\n)*-[\s\n]*At[\s\n]+any[\s\n]+time,[\s\n]+the[\s\n]+USG[\s\n]+may[\s\n]+inspect[\s\n]+and[\s\n]+seize[\s\n]+data[\s\n]+stored[\s\n]+on[\s\n]+this[\s\n]+IS.(\\n)*(\n)*-[\s\n]*Communications[\s\n]+using,[\s\n]+or[\s\n]+data[\s\n]+stored[\s\n]+on,[\s\n]+this[\s\n]+IS[\s\n]+are[\s\n]+not[\s\n]+private,[\s\n]+are[\s\n]+subject[\s\n]+to[\s\n]+routine[\s\n]+monitoring,[\s\n]+interception,[\s\n]+and[\s\n]+search,[\s\n]+and[\s\n]+may[\s\n]+be[\s\n]+disclosed[\s\n]+or[\s\n]+used[\s\n]+for[\s\n]+any[\s\n]+USG-authorized[\s\n]+purpose.(\\n)*(\n)*-[\s\n]*This[\s\n]+IS[\s\n]+includes[\s\n]+security[\s\n]+measures[\s\n]+\(e.g.,[\s\n]+authentication[\s\n]+and[\s\n]+access[\s\n]+controls\)[\s\n]+to[\s\n]+protect[\s\n]+USG[\s\n]+interests--not[\s\n]+for[\s\n]+your[\s\n]+personal[\s\n]+benefit[\s\n]+or[\s\n]+privacy.(\\n)*(\n)*-[\s\n]*Notwithstanding[\s\n]+the[\s\n]+above,[\s\n]+using[\s\n]+this[\s\n]+IS[\s\n]+does[\s\n]+not[\s\n]+constitute[\s\n]+consent[\s\n]+to[\s\n]+PM,[\s\n]+LE[\s\n]+or[\s\n]+CI[\s\n]+investigative[\s\n]+searching[\s\n]+or[\s\n]+monitoring[\s\n]+of[\s\n]+the[\s\n]+content[\s\n]+of[\s\n]+privileged[\s\n]+communications,[\s\n]+or[\s\n]+work[\s\n]+product,[\s\n]+related[\s\n]+to[\s\n]+personal[\s\n]+representation[\s\n]+or[\s\n]+services[\s\n]+by[\s\n]+attorneys,[\s\n]+psychotherapists,[\s\n]+or[\s\n]+clergy,[\s\n]+and[\s\n]+their[\s\n]+assistants.[\s\n]+Such[\s\n]+communications[\s\n]+and[\s\n]+work[\s\n]+product[\s\n]+are[\s\n]+private[\s\n]+and[\s\n]+confidential.[\s\n]+See[\s\n]+User[\s\n]+Agreement[\s\n]+for[\s\n]+details.$|^I\'ve[\s\n]+read[\s\n]+\&[\s\n]+consent[\s\n]+to[\s\n]+terms[\s\n]+in[\s\n]+IS[\s\n]+user[\s\n]+agreem\'t$)" ++login_banner_text="(^You[\s\n]+are[\s\n]+accessing[\s\n]+a[\s\n]+U.S.[\s\n]+Government[\s\n]+\(USG\)[\s\n]+Information[\s\n]+System[\s\n]+\(IS\)[\s\n]+that[\s\n]+is[\s\n]+provided[\s\n]+for[\s\n]+USG-authorized[\s\n]+use[\s\n]+only.[\s\n]*By[\s\n]+using[\s\n]+this[\s\n]+IS[\s\n]+\(which[\s\n]+includes[\s\n]+any[\s\n]+device[\s\n]+attached[\s\n]+to[\s\n]+this[\s\n]+IS\),[\s\n]+you[\s\n]+consent[\s\n]+to[\s\n]+the[\s\n]+following[\s\n]+conditions\:(\\n)*(\n)*-The[\s\n]+USG[\s\n]+routinely[\s\n]+intercepts[\s\n]+and[\s\n]+monitors[\s\n]+communications[\s\n]+on[\s\n]+this[\s\n]+IS[\s\n]+for[\s\n]+purposes[\s\n]+including,[\s\n]+but[\s\n]+not[\s\n]+limited[\s\n]+to,[\s\n]+penetration[\s\n]+testing,[\s\n]+COMSEC[\s\n]+monitoring,[\s\n]+network[\s\n]+operations[\s\n]+and[\s\n]+defense,[\s\n]+personnel[\s\n]+misconduct[\s\n]+\(PM\),[\s\n]+law[\s\n]+enforcement[\s\n]+\(LE\),[\s\n]+and[\s\n]+counterintelligence[\s\n]+\(CI\)[\s\n]+investigations.(\\n)*(\n)*-At[\s\n]+any[\s\n]+time,[\s\n]+the[\s\n]+USG[\s\n]+may[\s\n]+inspect[\s\n]+and[\s\n]+seize[\s\n]+data[\s\n]+stored[\s\n]+on[\s\n]+this[\s\n]+IS.(\\n)*(\n)*-Communications[\s\n]+using,[\s\n]+or[\s\n]+data[\s\n]+stored[\s\n]+on,[\s\n]+this[\s\n]+IS[\s\n]+are[\s\n]+not[\s\n]+private,[\s\n]+are[\s\n]+subject[\s\n]+to[\s\n]+routine[\s\n]+monitoring,[\s\n]+interception,[\s\n]+and[\s\n]+search,[\s\n]+and[\s\n]+may[\s\n]+be[\s\n]+disclosed[\s\n]+or[\s\n]+used[\s\n]+for[\s\n]+any[\s\n]+USG-authorized[\s\n]+purpose.(\\n)*(\n)*-This[\s\n]+IS[\s\n]+includes[\s\n]+security[\s\n]+measures[\s\n]+\(e.g.,[\s\n]+authentication[\s\n]+and[\s\n]+access[\s\n]+controls\)[\s\n]+to[\s\n]+protect[\s\n]+USG[\s\n]+interests--not[\s\n]+for[\s\n]+your[\s\n]+personal[\s\n]+benefit[\s\n]+or[\s\n]+privacy.(\\n)*(\n)*-Notwithstanding[\s\n]+the[\s\n]+above,[\s\n]+using[\s\n]+this[\s\n]+IS[\s\n]+does[\s\n]+not[\s\n]+constitute[\s\n]+consent[\s\n]+to[\s\n]+PM,[\s\n]+LE[\s\n]+or[\s\n]+CI[\s\n]+investigative[\s\n]+searching[\s\n]+or[\s\n]+monitoring[\s\n]+of[\s\n]+the[\s\n]+content[\s\n]+of[\s\n]+privileged[\s\n]+communications,[\s\n]+or[\s\n]+work[\s\n]+product,[\s\n]+related[\s\n]+to[\s\n]+personal[\s\n]+representation[\s\n]+or[\s\n]+services[\s\n]+by[\s\n]+attorneys,[\s\n]+psychotherapists,[\s\n]+or[\s\n]+clergy,[\s\n]+and[\s\n]+their[\s\n]+assistants.[\s\n]+Such[\s\n]+communications[\s\n]+and[\s\n]+work[\s\n]+product[\s\n]+are[\s\n]+private[\s\n]+and[\s\n]+confidential.[\s\n]+See[\s\n]+User[\s\n]+Agreement[\s\n]+for[\s\n]+details.$|^I\'ve[\s\n]+read[\s\n]+\&[\s\n]+consent[\s\n]+to[\s\n]+terms[\s\n]+in[\s\n]+IS[\s\n]+user[\s\n]+agreem\'t$)" + expanded=$(echo "$login_banner_text" | sed 's/(\\\\\x27)\*/\\\x27/g;s/(\\\x27)\*//g;s/(\\\\\x27)/tamere/g;s/(\^\(.*\)\$|.*$/\1/g;s/\[\\s\\n\][+*]/ /g;s/\\//g;s/(n)\*/\\n/g;s/\x27/\\\x27/g;') + + clean_dconf_settings + +From b09ddb6a040c980ccf1c55d3f4fe700953195d77 Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Tue, 3 Mar 2020 11:01:25 +0100 +Subject: [PATCH 06/27] Make banner compatible with console and dconf + +The banner in /etc/issue is expected to have actual newlines, while the +banner in /etc/dconf/db/gdm.d/ is expected to have the escape sequence +'\n'. + +This commit transforms the newline from the input banner into a regex +that matches either the newline or the escape sequence. + +During remediation, each rule will replace the regular expression for +the correct "version" of the newline. +--- + .../accounts/accounts-banners/banner_etc_issue/bash/shared.sh | 2 +- + .../dconf_gnome_login_banner_text/bash/shared.sh | 2 +- + shared/macros.jinja | 2 +- + 3 files changed, 3 insertions(+), 3 deletions(-) + +diff --git a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/bash/shared.sh b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/bash/shared.sh +index 1b2052a658..fcaaa2c794 100644 +--- a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/bash/shared.sh ++++ b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/bash/shared.sh +@@ -3,7 +3,7 @@ + populate login_banner_text + + # There was a regular-expression matching various banners, needs to be expanded +-expanded=$(echo "$login_banner_text" | sed 's/(\\\\\x27)\*/\\\x27/g;s/(\\\x27)\*//g;s/\^(\(.*\)|.*$/\1/g;s/\[\\s\\n\]+/ /g;s/\\//g;s/\[n\]+/\n/g') ++expanded=$(echo "$login_banner_text" | sed 's/(\\\\\x27)\*/\\\x27/g;s/(\\\x27)\*//g;s/\^(\(.*\)|.*$/\1/g;s/\[\\s\\n\]+/ /g;s/(?:\[\\n\]+|(?:\\n)+)/\n/g;s/\\//g;') + formatted=$(echo "$expanded" | fold -sw 80) + + cat </etc/issue +diff --git a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/bash/shared.sh b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/bash/shared.sh +index d9dca1bef9..2b51e7c94c 100644 +--- a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/bash/shared.sh ++++ b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/bash/shared.sh +@@ -2,7 +2,7 @@ + . /usr/share/scap-security-guide/remediation_functions + populate login_banner_text + +-expanded=$(echo "$login_banner_text" | sed 's/(\\\\\x27)\*/\\\x27/g;s/(\\\x27)\*//g;s/(\\\\\x27)/tamere/g;s/\^(\(.*\)|.*$/\1/g;s/\[\\s\\n\]+/ /g;s/\\//g;s/(n)\*/\\n/g;s/\x27/\\\x27/g;') ++expanded=$(echo "$login_banner_text" | sed 's/(\\\\\x27)\*/\\\x27/g;s/(\\\x27)\*//g;s/(\\\\\x27)/tamere/g;s/\^(\(.*\)|.*$/\1/g;s/\[\\s\\n\]+/ /g;s/(?:\[\\n\]+|(?:\\n)+)/(n)\*/g;s/\\//g;s/(n)\*/\\n/g;s/\x27/\\\x27/g;') + + {{{ bash_dconf_settings("org/gnome/login-screen", "banner-message-text", "'${expanded}'", "gdm.d", "00-security-settings") }}} + {{{ bash_dconf_lock("org/gnome/login-screen", "banner-message-text", "gdm.d", "00-security-settings-lock") }}} +diff --git a/shared/macros.jinja b/shared/macros.jinja +index 3c617040bf..b178088f0c 100644 +--- a/shared/macros.jinja ++++ b/shared/macros.jinja +@@ -659,5 +659,5 @@ openssl() + {{%- endmacro %}} + + {{% macro banner_flexibler(banner_text) -%}} +-{{{ banner_text|replace("\n", "BFLMPSVZ")|replace(" ", "[\s\\n]+")|replace("BFLMPSVZ", "[\\n]+") }}} ++{{{ banner_text|replace("\n", "BFLMPSVZ")|replace(" ", "[\s\\n]+")|replace("BFLMPSVZ", "(?:[\\n]+|(?:\\\\n)+)") }}} + {{% endmacro %}} + +From fc6fe07f12faac1023b65551eaa82dc50e12303b Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Tue, 3 Mar 2020 12:46:30 +0100 +Subject: [PATCH 07/27] Simplify banner remediation regexes + +Remove unneded sed's for single quote (\x27) +--- + .../accounts/accounts-banners/banner_etc_issue/bash/shared.sh | 2 +- + .../dconf_gnome_login_banner_text/bash/shared.sh | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +diff --git a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/bash/shared.sh b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/bash/shared.sh +index fcaaa2c794..5d079e9271 100644 +--- a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/bash/shared.sh ++++ b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/bash/shared.sh +@@ -3,7 +3,7 @@ + populate login_banner_text + + # There was a regular-expression matching various banners, needs to be expanded +-expanded=$(echo "$login_banner_text" | sed 's/(\\\\\x27)\*/\\\x27/g;s/(\\\x27)\*//g;s/\^(\(.*\)|.*$/\1/g;s/\[\\s\\n\]+/ /g;s/(?:\[\\n\]+|(?:\\n)+)/\n/g;s/\\//g;') ++expanded=$(echo "$login_banner_text" | sed 's/\^(\(.*\)|.*$/\1/g;s/\[\\s\\n\]+/ /g;s/(?:\[\\n\]+|(?:\\n)+)/\n/g;s/\\//g;') + formatted=$(echo "$expanded" | fold -sw 80) + + cat </etc/issue +diff --git a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/bash/shared.sh b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/bash/shared.sh +index 2b51e7c94c..568942e892 100644 +--- a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/bash/shared.sh ++++ b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/bash/shared.sh +@@ -2,7 +2,7 @@ + . /usr/share/scap-security-guide/remediation_functions + populate login_banner_text + +-expanded=$(echo "$login_banner_text" | sed 's/(\\\\\x27)\*/\\\x27/g;s/(\\\x27)\*//g;s/(\\\\\x27)/tamere/g;s/\^(\(.*\)|.*$/\1/g;s/\[\\s\\n\]+/ /g;s/(?:\[\\n\]+|(?:\\n)+)/(n)\*/g;s/\\//g;s/(n)\*/\\n/g;s/\x27/\\\x27/g;') ++expanded=$(echo "$login_banner_text" | sed 's/\^(\(.*\)|.*$/\1/g;s/\[\\s\\n\]+/ /g;s/(?:\[\\n\]+|(?:\\n)+)/(n)\*/g;s/\\//g;s/(n)\*/\\n/g;') + + {{{ bash_dconf_settings("org/gnome/login-screen", "banner-message-text", "'${expanded}'", "gdm.d", "00-security-settings") }}} + {{{ bash_dconf_lock("org/gnome/login-screen", "banner-message-text", "gdm.d", "00-security-settings-lock") }}} + +From f94f4ba5a5d650c5ae50f83d59b7464e7f785b9d Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Tue, 3 Mar 2020 12:48:10 +0100 +Subject: [PATCH 08/27] Document what the regexes do in the banner + +--- + .../accounts-banners/banner_etc_issue/bash/shared.sh | 7 ++++++- + .../dconf_gnome_login_banner_text/bash/shared.sh | 8 ++++++++ + 2 files changed, 14 insertions(+), 1 deletion(-) + +diff --git a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/bash/shared.sh b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/bash/shared.sh +index 5d079e9271..07b88bf039 100644 +--- a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/bash/shared.sh ++++ b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/bash/shared.sh +@@ -2,7 +2,12 @@ + . /usr/share/scap-security-guide/remediation_functions + populate login_banner_text + +-# There was a regular-expression matching various banners, needs to be expanded ++# Multiple regexes transform the banner regex into a usable banner ++# 1 - Keep only the first banners if there are multiple, and remove wrapping regex syntax. ++# (dod_banners contains the long and shor banner) ++# 2- Add spaces ' '. (Transforms regex for "space or newline" into a " ") ++# 3- Adds newlines. (Transforms "(?:\[\\n\]+|(?:\\n)+)" into "\n") ++# 4- Remove any leftover backslash. (From any parethesis in the banner, for example). + expanded=$(echo "$login_banner_text" | sed 's/\^(\(.*\)|.*$/\1/g;s/\[\\s\\n\]+/ /g;s/(?:\[\\n\]+|(?:\\n)+)/\n/g;s/\\//g;') + formatted=$(echo "$expanded" | fold -sw 80) + +diff --git a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/bash/shared.sh b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/bash/shared.sh +index 568942e892..658205bd2c 100644 +--- a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/bash/shared.sh ++++ b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/bash/shared.sh +@@ -2,6 +2,14 @@ + . /usr/share/scap-security-guide/remediation_functions + populate login_banner_text + ++# Multiple regexes transform the banner regex into a usable banner ++# 1 - Keep only the first banners if there are multiple, and remove wrapping regex syntax. ++# (dod_banners contains the long and shor banner) ++# 2- Add spaces ' '. (Transforms regex for "space or newline" into a " ") ++# 3- Adds newline "tokens". (Transforms "(?:\[\\n\]+|(?:\\n)+)" into "(n)*") ++# 4- Remove any leftover backslash. (From any parethesis in the banner, for example). ++# 5- Removes the newline "token." (Transforms them into newline escape sequences "\n"). ++# ( Needs to be done after 4, otherwise the escapce sequence will become just "n". + expanded=$(echo "$login_banner_text" | sed 's/\^(\(.*\)|.*$/\1/g;s/\[\\s\\n\]+/ /g;s/(?:\[\\n\]+|(?:\\n)+)/(n)\*/g;s/\\//g;s/(n)\*/\\n/g;') + + {{{ bash_dconf_settings("org/gnome/login-screen", "banner-message-text", "'${expanded}'", "gdm.d", "00-security-settings") }}} + +From b7545c3ab81758f89e034fdab7f2c573f287d770 Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Tue, 3 Mar 2020 12:49:02 +0100 +Subject: [PATCH 09/27] Add rule to check dconf banner + +The STIG profile sets the banner, and checks whether it is enabled for +dconf, but never checked the banner text. +--- + rhel8/profiles/stig.profile | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/rhel8/profiles/stig.profile b/rhel8/profiles/stig.profile +index 7eb1869a3c..f315df7d06 100644 +--- a/rhel8/profiles/stig.profile ++++ b/rhel8/profiles/stig.profile +@@ -21,6 +21,7 @@ extends: ospp + - login_banner_text=dod_banners + - dconf_db_up_to_date + - dconf_gnome_banner_enabled ++ - dconf_gnome_login_banner_text + - banner_etc_issue + - accounts_password_set_min_life_existing + - accounts_password_set_max_life_existing + +From 21ae88f72c1c9a324041637b0f52eea6b90fb03f Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Fri, 6 Mar 2020 15:37:46 +0100 +Subject: [PATCH 10/27] Fix Ansible for dconf banner-message-text lock + +--- + .../dconf_gnome_login_banner_text/ansible/shared.yml | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/ansible/shared.yml +index 6946c9ddf7..303f505968 100644 +--- a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/ansible/shared.yml ++++ b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/ansible/shared.yml +@@ -38,7 +38,7 @@ + - name: "Prevent user modification of the GNOME3 Login Warning Banner Text" + lineinfile: + path: '/etc/dconf/db/gdm.d/locks/00-security-settings-lock' +- regexp: '^org/gnome/login-screen/banner-message-text$' +- line: 'org/gnome/login-screen/banner-message-text' ++ regexp: '^/org/gnome/login-screen/banner-message-text$' ++ line: '/org/gnome/login-screen/banner-message-text' + create: yes + state: present + +From 54ec93ae3254c726b8313646419fa9f1a9fbbcb5 Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Fri, 6 Mar 2020 15:58:38 +0100 +Subject: [PATCH 11/27] Fix banner regex stripping for Ansible + +Do similar regex stripping as done in Bash remediaiton. +The triple single quotes is necessary for the jinja template expansion +to add the banner wrapped in single quotes. +--- + .../dconf_gnome_login_banner_text/ansible/shared.yml | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/ansible/shared.yml +index 303f505968..5d5e92530a 100644 +--- a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/ansible/shared.yml ++++ b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/ansible/shared.yml +@@ -32,8 +32,9 @@ + dest: /etc/dconf/db/gdm.d/00-security-settings + section: org/gnome/login-screen + option: banner-message-text +- value: '{{ login_banner_text }}' ++ value: '''{{ login_banner_text | regex_replace("\^\((.*)\|.*$", "\1") | regex_replace("\[\\s\\n\]\+"," ") | regex_replace("\(\?:\[\\n\]\+\|\(\?:\\\\n\)\+\)", "(n)\*") | regex_replace("\\", "") | regex_replace("\(n\)\*", "\\n") }}''' + create: yes ++ no_extra_spaces: yes + + - name: "Prevent user modification of the GNOME3 Login Warning Banner Text" + lineinfile: + +From a4755e87a66ad8b47f22444bde9a2e48c6f33aca Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Fri, 6 Mar 2020 16:09:50 +0100 +Subject: [PATCH 12/27] Add Ansible remediation for banner_etc_issue + +--- + .../banner_etc_issue/ansible/shared.yml | 12 ++++++++++++ + 1 file changed, 12 insertions(+) + create mode 100644 linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/ansible/shared.yml + +diff --git a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/ansible/shared.yml +new file mode 100644 +index 0000000000..e136304020 +--- /dev/null ++++ b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/ansible/shared.yml +@@ -0,0 +1,12 @@ ++# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol ++# reboot = false ++# strategy = unknown ++# complexity = low ++# disruption = medium ++- (xccdf-var login_banner_text) ++ ++- name: "{{{ rule_title }}}" ++ lineinfile: ++ dest: /etc/issue ++ line: '{{ login_banner_text | regex_replace("\^\((.*)\|.*$", "\1") | regex_replace("\[\\s\\n\]\+"," ") | regex_replace("\(\?:\[\\n\]\+\|\(\?:\\\\n\)\+\)", "\n") | regex_replace("\\", "") | wordwrap() }}' ++ create: yes + +From ac5d4b7482f4dc673f8f5d8dbbc95c42700bb251 Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Fri, 6 Mar 2020 16:52:09 +0100 +Subject: [PATCH 13/27] Update reference RHEL8 STIG profile + +--- + tests/data/profile_stability/rhel8/stig.profile | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/tests/data/profile_stability/rhel8/stig.profile b/tests/data/profile_stability/rhel8/stig.profile +index 843267d589..381cf54b3a 100644 +--- a/tests/data/profile_stability/rhel8/stig.profile ++++ b/tests/data/profile_stability/rhel8/stig.profile +@@ -84,6 +84,7 @@ selections: + - coredump_disable_storage + - dconf_db_up_to_date + - dconf_gnome_banner_enabled ++- dconf_gnome_login_banner_text + - disable_ctrlaltdel_burstaction + - disable_ctrlaltdel_reboot + - disable_host_auth + +From 6b27221e857cefe7efaa04f4491c506ea0cb096c Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Sat, 7 Mar 2020 13:12:28 +0100 +Subject: [PATCH 14/27] Move bash banner deregexification to macros + +This aims to increase maintenability and readability. +Every step in the deregexification is a separate macro. +The macros 'bash_deregexify_banner_etc_issue' and +'bash_deregexify_banner_dconf_gnome' build upon the basic steps. +--- + .../banner_etc_issue/bash/shared.sh | 9 ++++--- + .../bash/shared.sh | 10 +++++--- + shared/macros-bash.jinja | 25 +++++++++++++++++++ + 3 files changed, 38 insertions(+), 6 deletions(-) + +diff --git a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/bash/shared.sh b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/bash/shared.sh +index 07b88bf039..119413005e 100644 +--- a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/bash/shared.sh ++++ b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/bash/shared.sh +@@ -4,12 +4,15 @@ populate login_banner_text + + # Multiple regexes transform the banner regex into a usable banner + # 1 - Keep only the first banners if there are multiple, and remove wrapping regex syntax. +-# (dod_banners contains the long and shor banner) ++# (dod_banners contains the long and short banner) ++{{{ bash_deregexify_multiple_banners("login_banner_text") }}} + # 2- Add spaces ' '. (Transforms regex for "space or newline" into a " ") ++{{{ bash_deregexify_banner_space("login_banner_text") }}} + # 3- Adds newlines. (Transforms "(?:\[\\n\]+|(?:\\n)+)" into "\n") ++{{{ bash_deregexify_banner_newline("login_banner_text", "\\n") }}} + # 4- Remove any leftover backslash. (From any parethesis in the banner, for example). +-expanded=$(echo "$login_banner_text" | sed 's/\^(\(.*\)|.*$/\1/g;s/\[\\s\\n\]+/ /g;s/(?:\[\\n\]+|(?:\\n)+)/\n/g;s/\\//g;') +-formatted=$(echo "$expanded" | fold -sw 80) ++{{{ bash_deregexify_banner_backslash("login_banner_text") }}} ++formatted=$(echo "$login_banner_text" | fold -sw 80) + + cat </etc/issue + $formatted +diff --git a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/bash/shared.sh b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/bash/shared.sh +index 658205bd2c..4011932790 100644 +--- a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/bash/shared.sh ++++ b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/bash/shared.sh +@@ -4,13 +4,17 @@ populate login_banner_text + + # Multiple regexes transform the banner regex into a usable banner + # 1 - Keep only the first banners if there are multiple, and remove wrapping regex syntax. +-# (dod_banners contains the long and shor banner) ++# (dod_banners contains the long and short banner) ++{{{ bash_deregexify_multiple_banners("login_banner_text") }}} + # 2- Add spaces ' '. (Transforms regex for "space or newline" into a " ") ++{{{ bash_deregexify_banner_space("login_banner_text") }}} + # 3- Adds newline "tokens". (Transforms "(?:\[\\n\]+|(?:\\n)+)" into "(n)*") ++{{{ bash_deregexify_banner_newline("login_banner_text", "(n)*") }}} + # 4- Remove any leftover backslash. (From any parethesis in the banner, for example). ++{{{ bash_deregexify_banner_backslash("login_banner_text") }}} + # 5- Removes the newline "token." (Transforms them into newline escape sequences "\n"). + # ( Needs to be done after 4, otherwise the escapce sequence will become just "n". +-expanded=$(echo "$login_banner_text" | sed 's/\^(\(.*\)|.*$/\1/g;s/\[\\s\\n\]+/ /g;s/(?:\[\\n\]+|(?:\\n)+)/(n)\*/g;s/\\//g;s/(n)\*/\\n/g;') ++{{{ bash_deregexify_banner_newline_token("login_banner_text")}}} + +-{{{ bash_dconf_settings("org/gnome/login-screen", "banner-message-text", "'${expanded}'", "gdm.d", "00-security-settings") }}} ++{{{ bash_dconf_settings("org/gnome/login-screen", "banner-message-text", "'${login_banner_text}'", "gdm.d", "00-security-settings") }}} + {{{ bash_dconf_lock("org/gnome/login-screen", "banner-message-text", "gdm.d", "00-security-settings-lock") }}} +diff --git a/shared/macros-bash.jinja b/shared/macros-bash.jinja +index 2756cc0c00..6d72684c6d 100644 +--- a/shared/macros-bash.jinja ++++ b/shared/macros-bash.jinja +@@ -521,3 +521,28 @@ cat << 'EOF' > {{{ filepath }}} + {{{ contents|trim() }}} + EOF + {{%- endmacro %}} ++ ++{{# Strips multibanner regex and keeps only the first banner #}} ++{{% macro bash_deregexify_multiple_banners(banner_var_name) -%}} ++{{{ banner_var_name }}}=$(echo "${{{ banner_var_name }}}" | sed 's/\^(\(.*\)|.*$/\1/g') ++{{%- endmacro %}} ++ ++{{# Strips whitespace or newline regex #}} ++{{% macro bash_deregexify_banner_space(banner_var_name) -%}} ++{{{ banner_var_name }}}=$(echo "${{{ banner_var_name }}}" | sed 's/\[\\s\\n\]+/ /g') ++{{%- endmacro %}} ++ ++{{# Strips newline or newline escape sequence regex #}} ++{{% macro bash_deregexify_banner_newline(banner_var_name, newline) -%}} ++{{{ banner_var_name }}}=$(echo "${{{ banner_var_name }}}" | sed 's/(?:\[\\n\]+|(?:\\n)+)/{{{ newline }}}/g') ++{{%- endmacro %}} ++ ++{{# Strips newline token for a newline escape sequence regex #}} ++{{% macro bash_deregexify_banner_newline_token(banner_var_name) -%}} ++{{{ banner_var_name }}}=$(echo "${{{ banner_var_name }}}" | sed 's/(n)\*/\\n/g') ++{{%- endmacro %}} ++ ++{{# Strips backslash regex #}} ++{{% macro bash_deregexify_banner_backslash(banner_var_name) -%}} ++{{{ banner_var_name }}}=$(echo "${{{ banner_var_name }}}" | sed 's/\\//g') ++{{%- endmacro %}} + +From 4e2f96de31ed24c5e58ffc8da07b689a461d385f Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Sat, 7 Mar 2020 14:04:40 +0100 +Subject: [PATCH 15/27] Move ansible banner deregexification to macros + +This aims to increase maintenability and readability. +Every step in the deregexification is a separate macro. +The macros 'ansible_deregexify_banner_etc_issue' and +'ansible_deregexify_banner_dconf_gnome' build upon the basic steps. +--- + .../banner_etc_issue/ansible/shared.yml | 2 +- + .../ansible/shared.yml | 2 +- + shared/macros-ansible.jinja | 54 +++++++++++++++++++ + 3 files changed, 56 insertions(+), 2 deletions(-) + +diff --git a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/ansible/shared.yml +index e136304020..42c19194e4 100644 +--- a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/ansible/shared.yml ++++ b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/ansible/shared.yml +@@ -8,5 +8,5 @@ + - name: "{{{ rule_title }}}" + lineinfile: + dest: /etc/issue +- line: '{{ login_banner_text | regex_replace("\^\((.*)\|.*$", "\1") | regex_replace("\[\\s\\n\]\+"," ") | regex_replace("\(\?:\[\\n\]\+\|\(\?:\\\\n\)\+\)", "\n") | regex_replace("\\", "") | wordwrap() }}' ++ line: '{{{ ansible_deregexify_banner_etc_issue("login_banner_text") }}}' + create: yes +diff --git a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/ansible/shared.yml +index 5d5e92530a..40cce05fbc 100644 +--- a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/ansible/shared.yml ++++ b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/ansible/shared.yml +@@ -32,7 +32,7 @@ + dest: /etc/dconf/db/gdm.d/00-security-settings + section: org/gnome/login-screen + option: banner-message-text +- value: '''{{ login_banner_text | regex_replace("\^\((.*)\|.*$", "\1") | regex_replace("\[\\s\\n\]\+"," ") | regex_replace("\(\?:\[\\n\]\+\|\(\?:\\\\n\)\+\)", "(n)\*") | regex_replace("\\", "") | regex_replace("\(n\)\*", "\\n") }}''' ++ value: '{{{ ansible_deregexify_banner_dconf_gnome("login_banner_text") }}}' + create: yes + no_extra_spaces: yes + +diff --git a/shared/macros-ansible.jinja b/shared/macros-ansible.jinja +index 0d023553a7..5deb7ceb80 100644 +--- a/shared/macros-ansible.jinja ++++ b/shared/macros-ansible.jinja +@@ -217,3 +217,57 @@ + {{{ contents|trim()|indent(8) }}} + force: yes + {{%- endmacro %}} ++ ++{{# ++ Formats a banner regex for use in /etc/issue ++ Parameters: ++ - banner_var_name - name of ansible variable with the banner regex ++#}} ++{{% macro ansible_deregexify_banner_etc_issue(banner_var_name) -%}} ++{{ {{{ banner_var_name }}} | ++{{{ ansible_deregexify_multiple_banners() }}} | ++{{{ ansible_deregexify_banner_space() }}} | ++{{{ ansible_deregexify_banner_newline("\\n") }}} | ++{{{ ansible_deregexify_banner_backslash() }}} | ++wordwrap() }} ++{{%- endmacro %}} ++ ++{{# ++ Formats a banner regex for use in dconf ++ Parameters: ++ - banner_var_name - name of ansible variable with the banner regex ++#}} ++{{% macro ansible_deregexify_banner_dconf_gnome(banner_var_name) -%}} ++''{{ {{{ banner_var_name }}} | ++{{{ ansible_deregexify_multiple_banners() }}} | ++{{{ ansible_deregexify_banner_space() }}} | ++{{{ ansible_deregexify_banner_newline("(n)*") }}} | ++{{{ ansible_deregexify_banner_backslash() }}} | ++{{{ ansible_deregexify_banner_newline_token()}}} }}'' ++{{%- endmacro %}} ++ ++ line: '{{ login_banner_text | | regex_replace("\\", "") | wordwrap() }}' ++{{# Strips multibanner regex and keeps only the first banner #}} ++{{% macro ansible_deregexify_multiple_banners() -%}} ++regex_replace("\^\((.*)\|.*$", "\1") ++{{%- endmacro %}} ++ ++{{# Strips whitespace or newline regex #}} ++{{% macro ansible_deregexify_banner_space() -%}} ++regex_replace("\[\\s\\n\]\+"," ") ++{{%- endmacro %}} ++ ++{{# Strips newline or newline escape sequence regex #}} ++{{% macro ansible_deregexify_banner_newline(newline) -%}} ++regex_replace("\(\?:\[\\n\]\+\|\(\?:\\\\n\)\+\)", "{{{ newline }}}") ++{{%- endmacro %}} ++ ++{{# Strips newline token for a newline escape sequence regex #}} ++{{% macro ansible_deregexify_banner_newline_token() -%}} ++regex_replace("\(n\)\*", "\\n") ++{{%- endmacro %}} ++ ++{{# Strips backslash regex #}} ++{{% macro ansible_deregexify_banner_backslash() -%}} ++regex_replace("\\", "") ++{{%- endmacro %}} + +From 890e79ea0a9eff8cab05d8ef06e96900d95b2617 Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Sun, 8 Mar 2020 10:58:12 +0100 +Subject: [PATCH 16/27] Move the DoD banners into jinja variables + +The variables are used to easily combine them in the regex for the +"multiple banners allowed regex". +Lets avoid repeating ourselves. +--- + .../httpd_secure_content/var_web_login_banner_text.var | 9 ++++++--- + .../accounts/accounts-banners/login_banner_text.var | 9 ++++++--- + 2 files changed, 12 insertions(+), 6 deletions(-) + +diff --git a/linux_os/guide/services/http/securing_httpd/httpd_secure_content/var_web_login_banner_text.var b/linux_os/guide/services/http/securing_httpd/httpd_secure_content/var_web_login_banner_text.var +index 72a728659b..96b6ac8e71 100644 +--- a/linux_os/guide/services/http/securing_httpd/httpd_secure_content/var_web_login_banner_text.var ++++ b/linux_os/guide/services/http/securing_httpd/httpd_secure_content/var_web_login_banner_text.var +@@ -12,9 +12,12 @@ operator: equals + + interactive: false + ++{{% set var_dod_default = "You are accessing a U.S. Government \(USG\) Information System \(IS\) that is provided for USG-authorized use only. By using this IS \(which includes any device attached to this IS\), you consent to the following conditions\:\n-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct \(PM\), law enforcement \(LE\), and counterintelligence \(CI\) investigations.\n-At any time, the USG may inspect and seize data stored on this IS.\n-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.\n-This IS includes security measures \(e.g., authentication and access controls\) to protect USG interests--not for your personal benefit or privacy.\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details." %}} ++{{% set var_dod_short = "I\\'ve read \& consent to terms in IS user agreem\\'t." %}} ++ + options: +- dod_banners: {{{ banner_flexibler(banner_text="^(You are accessing a U.S. Government \(USG\) Information System \(IS\) that is provided for USG-authorized use only. By using this IS \(which includes any device attached to this IS\), you consent to the following conditions\:\n-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct \(PM\), law enforcement \(LE\), and counterintelligence \(CI\) investigations.\n-At any time, the USG may inspect and seize data stored on this IS.\n-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.\n-This IS includes security measures \(e.g., authentication and access controls\) to protect USG interests--not for your personal benefit or privacy.\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.|I\\'ve read \& consent to terms in IS user agreem\\'t.)$") }}} +- dod_default: {{{ banner_flexibler(banner_text="You are accessing a U.S. Government \(USG\) Information System \(IS\) that is provided for USG-authorized use only. By using this IS \(which includes any device attached to this IS\), you consent to the following conditions\:\n-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct \(PM\), law enforcement \(LE\), and counterintelligence \(CI\) investigations.\n-At any time, the USG may inspect and seize data stored on this IS.\n-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.\n-This IS includes security measures \(e.g., authentication and access controls\) to protect USG interests--not for your personal benefit or privacy.\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.") }}} +- dod_short: {{{ banner_flexibler(banner_text="I\\'ve read \& consent to terms in IS user agreem\\'t.") }}} ++ dod_banners: {{{ banner_flexibler("^(" ~ var_dod_default ~ "|" ~ var_dod_short ~ ")$") }}} ++ dod_default: {{{ banner_flexibler(var_dod_default) }}} ++ dod_short: {{{ banner_flexibler(var_dod_short) }}} + dss_odaa_default: {{{ banner_flexibler(banner_text="Use of this or any other DoD interest computer system constitutes consent to monitoring at all times. This is a DoD interest computer system. All DoD interest computer systems and related equipment are intended for the communication, transmission, processing, and storage of official U.S. Government or other authorized information only. All DoD interest computer systems are subject to monitoring at all times to ensure proper functioning of equipment and systems including security devices and systems, to prevent unauthorized use and violations of statutes and security regulations, to deter criminal activity, and for other similar purposes. Any user of a DoD interest computer system should be aware that any information placed in the system is subject to monitoring and is not subject to any expectation of privacy. If monitoring of this or any other DoD interest computer system reveals possible evidence of violation of criminal statutes, this evidence and any other related information, including identification information about the user, may be provided to law enforcement officials. If monitoring of this or any other DoD interest computer systems reveals violations of security regulations or unauthorized use, employees who violate security regulations or make unauthorized use of DoD interest computer systems are subject to appropriate disciplinary action. Use of this or any other DoD interest computer system constitutes consent to monitoring at all times.") }}} + usgcb_default: {{{ banner_flexibler(banner_text="-- WARNING -- This system is for the use of authorized users only. Individuals using this computer system without authority or in excess of their authority are subject to having all their activities on this system monitored and recorded by system personnel. Anyone using this system expressly consents to such monitoring and is advised that if such monitoring reveals possible evidence of criminal activity system personal may provide the evidence of such monitoring to law enforcement officials.") }}} +diff --git a/linux_os/guide/system/accounts/accounts-banners/login_banner_text.var b/linux_os/guide/system/accounts/accounts-banners/login_banner_text.var +index 0c398bee9c..400a4299e6 100644 +--- a/linux_os/guide/system/accounts/accounts-banners/login_banner_text.var ++++ b/linux_os/guide/system/accounts/accounts-banners/login_banner_text.var +@@ -12,10 +12,13 @@ operator: equals + + interactive: false + ++{{% set var_dod_default="You are accessing a U.S. Government \(USG\) Information System \(IS\) that is provided for USG-authorized use only. By using this IS \(which includes any device attached to this IS\), you consent to the following conditions\:\n-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct \(PM\), law enforcement \(LE\), and counterintelligence \(CI\) investigations.\n-At any time, the USG may inspect and seize data stored on this IS.\n-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.\n-This IS includes security measures \(e.g., authentication and access controls\) to protect USG interests--not for your personal benefit or privacy.\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details." %}} ++{{% set var_dod_short = "I\\'ve read \& consent to terms in IS user agreem\\'t." %}} ++ + options: + # First banner in 'dod_banners' must be the banner for desktop, laptop, and other devices which accomodate banners of 1300 characters +- dod_banners: {{{ banner_flexibler(banner_text="^(You are accessing a U.S. Government \(USG\) Information System \(IS\) that is provided for USG-authorized use only. By using this IS \(which includes any device attached to this IS\), you consent to the following conditions\:\n-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct \(PM\), law enforcement \(LE\), and counterintelligence \(CI\) investigations.\n-At any time, the USG may inspect and seize data stored on this IS.\n-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.\n-This IS includes security measures \(e.g., authentication and access controls\) to protect USG interests--not for your personal benefit or privacy.\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.|I\\'ve read \& consent to terms in IS user agreem\\'t.)$") }}} +- dod_default: {{{ banner_flexibler(banner_text="You are accessing a U.S. Government \(USG\) Information System \(IS\) that is provided for USG-authorized use only. By using this IS \(which includes any device attached to this IS\), you consent to the following conditions\:\n-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct \(PM\), law enforcement \(LE\), and counterintelligence \(CI\) investigations.\n-At any time, the USG may inspect and seize data stored on this IS.\n-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.\n-This IS includes security measures \(e.g., authentication and access controls\) to protect USG interests--not for your personal benefit or privacy.\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.") }}} +- dod_short: {{{ banner_flexibler(banner_text="I\\'ve read \& consent to terms in IS user agreem\\'t.") }}} ++ dod_banners: {{{ banner_flexibler("^(" ~ var_dod_default ~ "|" ~ var_dod_short ~ ")$") }}} ++ dod_default: {{{ banner_flexibler(var_dod_default) }}} ++ dod_short: {{{ banner_flexibler(var_dod_short) }}} + dss_odaa_default: {{{ banner_flexibler(banner_text="Use of this or any other DoD interest computer system constitutes consent to monitoring at all times. This is a DoD interest computer system. All DoD interest computer systems and related equipment are intended for the communication, transmission, processing, and storage of official U.S. Government or other authorized information only. All DoD interest computer systems are subject to monitoring at all times to ensure proper functioning of equipment and systems including security devices and systems, to prevent unauthorized use and violations of statutes and security regulations, to deter criminal activity, and for other similar purposes. Any user of a DoD interest computer system should be aware that any information placed in the system is subject to monitoring and is not subject to any expectation of privacy. If monitoring of this or any other DoD interest computer system reveals possible evidence of violation of criminal statutes, this evidence and any other related information, including identification information about the user, may be provided to law enforcement officials. If monitoring of this or any other DoD interest computer systems reveals violations of security regulations or unauthorized use, employees who violate security regulations or make unauthorized use of DoD interest computer systems are subject to appropriate disciplinary action. Use of this or any other DoD interest computer system constitutes consent to monitoring at all times.") }}} + usgcb_default: {{{ banner_flexibler(banner_text="-- WARNING -- This system is for the use of authorized users only. Individuals using this computer system without authority or in excess of their authority are subject to having all their activities on this system monitored and recorded by system personnel. Anyone using this system expressly consents to such monitoring and is advised that if such monitoring reveals possible evidence of criminal activity system personal may provide the evidence of such monitoring to law enforcement officials.") }}} + +From f17b39f5a55f92ae4d0e4e03cbd26dd55137b083 Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Sun, 8 Mar 2020 11:14:09 +0100 +Subject: [PATCH 17/27] Remove unecessary escapping in short banner + +--- + .../httpd_secure_content/var_web_login_banner_text.var | 2 +- + .../system/accounts/accounts-banners/login_banner_text.var | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +diff --git a/linux_os/guide/services/http/securing_httpd/httpd_secure_content/var_web_login_banner_text.var b/linux_os/guide/services/http/securing_httpd/httpd_secure_content/var_web_login_banner_text.var +index 96b6ac8e71..c98d2441cf 100644 +--- a/linux_os/guide/services/http/securing_httpd/httpd_secure_content/var_web_login_banner_text.var ++++ b/linux_os/guide/services/http/securing_httpd/httpd_secure_content/var_web_login_banner_text.var +@@ -13,7 +13,7 @@ operator: equals + interactive: false + + {{% set var_dod_default = "You are accessing a U.S. Government \(USG\) Information System \(IS\) that is provided for USG-authorized use only. By using this IS \(which includes any device attached to this IS\), you consent to the following conditions\:\n-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct \(PM\), law enforcement \(LE\), and counterintelligence \(CI\) investigations.\n-At any time, the USG may inspect and seize data stored on this IS.\n-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.\n-This IS includes security measures \(e.g., authentication and access controls\) to protect USG interests--not for your personal benefit or privacy.\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details." %}} +-{{% set var_dod_short = "I\\'ve read \& consent to terms in IS user agreem\\'t." %}} ++{{% set var_dod_short = "I've read & consent to terms in IS user agreem't." %}} + + options: + dod_banners: {{{ banner_flexibler("^(" ~ var_dod_default ~ "|" ~ var_dod_short ~ ")$") }}} +diff --git a/linux_os/guide/system/accounts/accounts-banners/login_banner_text.var b/linux_os/guide/system/accounts/accounts-banners/login_banner_text.var +index 400a4299e6..fc65772554 100644 +--- a/linux_os/guide/system/accounts/accounts-banners/login_banner_text.var ++++ b/linux_os/guide/system/accounts/accounts-banners/login_banner_text.var +@@ -13,7 +13,7 @@ operator: equals + interactive: false + + {{% set var_dod_default="You are accessing a U.S. Government \(USG\) Information System \(IS\) that is provided for USG-authorized use only. By using this IS \(which includes any device attached to this IS\), you consent to the following conditions\:\n-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct \(PM\), law enforcement \(LE\), and counterintelligence \(CI\) investigations.\n-At any time, the USG may inspect and seize data stored on this IS.\n-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.\n-This IS includes security measures \(e.g., authentication and access controls\) to protect USG interests--not for your personal benefit or privacy.\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details." %}} +-{{% set var_dod_short = "I\\'ve read \& consent to terms in IS user agreem\\'t." %}} ++{{% set var_dod_short = "I've read & consent to terms in IS user agreem't." %}} + + options: + # First banner in 'dod_banners' must be the banner for desktop, laptop, and other devices which accomodate banners of 1300 characters + +From bb2dcd9212bb6e83c53bfb9df10bc7e236dec722 Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Sun, 8 Mar 2020 15:23:31 +0100 +Subject: [PATCH 18/27] Add utility to regexify a login banner + +Moved the banner_flexibler macro to python code, and renamed to +banner_regexify, to be aligned with Ansible and Bash counter parts +"deregexify". + +The utility will make it easy to add you own login banner on a tailoring +file, or via SCAP Workbench. +--- + .../var_web_login_banner_text.var | 10 +++---- + .../accounts-banners/login_banner_text.var | 10 +++---- + shared/macros.jinja | 4 --- + ssg/jinja.py | 3 +- + ssg/utils.py | 3 ++ + utils/regexify_banner.py | 29 +++++++++++++++++++ + 6 files changed, 44 insertions(+), 15 deletions(-) + create mode 100644 utils/regexify_banner.py + +diff --git a/linux_os/guide/services/http/securing_httpd/httpd_secure_content/var_web_login_banner_text.var b/linux_os/guide/services/http/securing_httpd/httpd_secure_content/var_web_login_banner_text.var +index c98d2441cf..d3f72cbd97 100644 +--- a/linux_os/guide/services/http/securing_httpd/httpd_secure_content/var_web_login_banner_text.var ++++ b/linux_os/guide/services/http/securing_httpd/httpd_secure_content/var_web_login_banner_text.var +@@ -16,8 +16,8 @@ interactive: false + {{% set var_dod_short = "I've read & consent to terms in IS user agreem't." %}} + + options: +- dod_banners: {{{ banner_flexibler("^(" ~ var_dod_default ~ "|" ~ var_dod_short ~ ")$") }}} +- dod_default: {{{ banner_flexibler(var_dod_default) }}} +- dod_short: {{{ banner_flexibler(var_dod_short) }}} +- dss_odaa_default: {{{ banner_flexibler(banner_text="Use of this or any other DoD interest computer system constitutes consent to monitoring at all times. This is a DoD interest computer system. All DoD interest computer systems and related equipment are intended for the communication, transmission, processing, and storage of official U.S. Government or other authorized information only. All DoD interest computer systems are subject to monitoring at all times to ensure proper functioning of equipment and systems including security devices and systems, to prevent unauthorized use and violations of statutes and security regulations, to deter criminal activity, and for other similar purposes. Any user of a DoD interest computer system should be aware that any information placed in the system is subject to monitoring and is not subject to any expectation of privacy. If monitoring of this or any other DoD interest computer system reveals possible evidence of violation of criminal statutes, this evidence and any other related information, including identification information about the user, may be provided to law enforcement officials. If monitoring of this or any other DoD interest computer systems reveals violations of security regulations or unauthorized use, employees who violate security regulations or make unauthorized use of DoD interest computer systems are subject to appropriate disciplinary action. Use of this or any other DoD interest computer system constitutes consent to monitoring at all times.") }}} +- usgcb_default: {{{ banner_flexibler(banner_text="-- WARNING -- This system is for the use of authorized users only. Individuals using this computer system without authority or in excess of their authority are subject to having all their activities on this system monitored and recorded by system personnel. Anyone using this system expressly consents to such monitoring and is advised that if such monitoring reveals possible evidence of criminal activity system personal may provide the evidence of such monitoring to law enforcement officials.") }}} ++ dod_banners: {{{ banner_regexify("^(" ~ var_dod_default ~ "|" ~ var_dod_short ~ ")$") }}} ++ dod_default: {{{ banner_regexify(var_dod_default) }}} ++ dod_short: {{{ banner_regexify(var_dod_short) }}} ++ dss_odaa_default: {{{ banner_regexify("Use of this or any other DoD interest computer system constitutes consent to monitoring at all times. This is a DoD interest computer system. All DoD interest computer systems and related equipment are intended for the communication, transmission, processing, and storage of official U.S. Government or other authorized information only. All DoD interest computer systems are subject to monitoring at all times to ensure proper functioning of equipment and systems including security devices and systems, to prevent unauthorized use and violations of statutes and security regulations, to deter criminal activity, and for other similar purposes. Any user of a DoD interest computer system should be aware that any information placed in the system is subject to monitoring and is not subject to any expectation of privacy. If monitoring of this or any other DoD interest computer system reveals possible evidence of violation of criminal statutes, this evidence and any other related information, including identification information about the user, may be provided to law enforcement officials. If monitoring of this or any other DoD interest computer systems reveals violations of security regulations or unauthorized use, employees who violate security regulations or make unauthorized use of DoD interest computer systems are subject to appropriate disciplinary action. Use of this or any other DoD interest computer system constitutes consent to monitoring at all times.") }}} ++ usgcb_default: {{{ banner_regexify("-- WARNING -- This system is for the use of authorized users only. Individuals using this computer system without authority or in excess of their authority are subject to having all their activities on this system monitored and recorded by system personnel. Anyone using this system expressly consents to such monitoring and is advised that if such monitoring reveals possible evidence of criminal activity system personal may provide the evidence of such monitoring to law enforcement officials.") }}} +diff --git a/linux_os/guide/system/accounts/accounts-banners/login_banner_text.var b/linux_os/guide/system/accounts/accounts-banners/login_banner_text.var +index fc65772554..f6eab9bf33 100644 +--- a/linux_os/guide/system/accounts/accounts-banners/login_banner_text.var ++++ b/linux_os/guide/system/accounts/accounts-banners/login_banner_text.var +@@ -17,8 +17,8 @@ interactive: false + + options: + # First banner in 'dod_banners' must be the banner for desktop, laptop, and other devices which accomodate banners of 1300 characters +- dod_banners: {{{ banner_flexibler("^(" ~ var_dod_default ~ "|" ~ var_dod_short ~ ")$") }}} +- dod_default: {{{ banner_flexibler(var_dod_default) }}} +- dod_short: {{{ banner_flexibler(var_dod_short) }}} +- dss_odaa_default: {{{ banner_flexibler(banner_text="Use of this or any other DoD interest computer system constitutes consent to monitoring at all times. This is a DoD interest computer system. All DoD interest computer systems and related equipment are intended for the communication, transmission, processing, and storage of official U.S. Government or other authorized information only. All DoD interest computer systems are subject to monitoring at all times to ensure proper functioning of equipment and systems including security devices and systems, to prevent unauthorized use and violations of statutes and security regulations, to deter criminal activity, and for other similar purposes. Any user of a DoD interest computer system should be aware that any information placed in the system is subject to monitoring and is not subject to any expectation of privacy. If monitoring of this or any other DoD interest computer system reveals possible evidence of violation of criminal statutes, this evidence and any other related information, including identification information about the user, may be provided to law enforcement officials. If monitoring of this or any other DoD interest computer systems reveals violations of security regulations or unauthorized use, employees who violate security regulations or make unauthorized use of DoD interest computer systems are subject to appropriate disciplinary action. Use of this or any other DoD interest computer system constitutes consent to monitoring at all times.") }}} +- usgcb_default: {{{ banner_flexibler(banner_text="-- WARNING -- This system is for the use of authorized users only. Individuals using this computer system without authority or in excess of their authority are subject to having all their activities on this system monitored and recorded by system personnel. Anyone using this system expressly consents to such monitoring and is advised that if such monitoring reveals possible evidence of criminal activity system personal may provide the evidence of such monitoring to law enforcement officials.") }}} ++ dod_banners: {{{ banner_regexify("^(" ~ var_dod_default ~ "|" ~ var_dod_short ~ ")$") }}} ++ dod_default: {{{ banner_regexify(var_dod_default) }}} ++ dod_short: {{{ banner_regexify(var_dod_short) }}} ++ dss_odaa_default: {{{ banner_regexify("Use of this or any other DoD interest computer system constitutes consent to monitoring at all times. This is a DoD interest computer system. All DoD interest computer systems and related equipment are intended for the communication, transmission, processing, and storage of official U.S. Government or other authorized information only. All DoD interest computer systems are subject to monitoring at all times to ensure proper functioning of equipment and systems including security devices and systems, to prevent unauthorized use and violations of statutes and security regulations, to deter criminal activity, and for other similar purposes. Any user of a DoD interest computer system should be aware that any information placed in the system is subject to monitoring and is not subject to any expectation of privacy. If monitoring of this or any other DoD interest computer system reveals possible evidence of violation of criminal statutes, this evidence and any other related information, including identification information about the user, may be provided to law enforcement officials. If monitoring of this or any other DoD interest computer systems reveals violations of security regulations or unauthorized use, employees who violate security regulations or make unauthorized use of DoD interest computer systems are subject to appropriate disciplinary action. Use of this or any other DoD interest computer system constitutes consent to monitoring at all times.") }}} ++ usgcb_default: {{{ banner_regexify("-- WARNING -- This system is for the use of authorized users only. Individuals using this computer system without authority or in excess of their authority are subject to having all their activities on this system monitored and recorded by system personnel. Anyone using this system expressly consents to such monitoring and is advised that if such monitoring reveals possible evidence of criminal activity system personal may provide the evidence of such monitoring to law enforcement officials.") }}} +diff --git a/shared/macros.jinja b/shared/macros.jinja +index b178088f0c..8a25acc937 100644 +--- a/shared/macros.jinja ++++ b/shared/macros.jinja +@@ -657,7 +657,3 @@ openssl() + ) + + {{%- endmacro %}} +- +-{{% macro banner_flexibler(banner_text) -%}} +-{{{ banner_text|replace("\n", "BFLMPSVZ")|replace(" ", "[\s\\n]+")|replace("BFLMPSVZ", "(?:[\\n]+|(?:\\\\n)+)") }}} +-{{% endmacro %}} +diff --git a/ssg/jinja.py b/ssg/jinja.py +index 700466b8c3..471fbf4140 100644 +--- a/ssg/jinja.py ++++ b/ssg/jinja.py +@@ -10,7 +10,7 @@ + JINJA_MACROS_BASH_DEFINITIONS, + JINJA_MACROS_OVAL_DEFINITIONS, + ) +-from .utils import required_key, prodtype_to_name, name_to_platform, prodtype_to_platform ++from .utils import required_key, prodtype_to_name, name_to_platform, prodtype_to_platform, banner_regexify + + + class MacroError(RuntimeError): +@@ -112,6 +112,7 @@ def add_python_functions(substitutions_dict): + substitutions_dict['prodtype_to_name'] = prodtype_to_name + substitutions_dict['name_to_platform'] = name_to_platform + substitutions_dict['prodtype_to_platform'] = prodtype_to_platform ++ substitutions_dict['banner_regexify'] = banner_regexify + substitutions_dict['raise'] = raise_exception + + +diff --git a/ssg/utils.py b/ssg/utils.py +index 16b1aebe33..3823e02a2d 100644 +--- a/ssg/utils.py ++++ b/ssg/utils.py +@@ -248,3 +248,6 @@ def mkdir_p(path): + pass + else: + raise ++ ++def banner_regexify(banner_text): ++ return banner_text.replace("\n", "BFLMPSVZ").replace(" ", "[\s\\n]+").replace("BFLMPSVZ", "(?:[\\n]+|(?:\\\\n)+)") +diff --git a/utils/regexify_banner.py b/utils/regexify_banner.py +new file mode 100644 +index 0000000000..7bdf69b702 +--- /dev/null ++++ b/utils/regexify_banner.py +@@ -0,0 +1,29 @@ ++import argparse ++import ssg.utils ++ ++def parse_args(): ++ p = argparse.ArgumentParser() ++ p.add_argument("--output", help="Path to output regexified banner") ++ p.add_argument("input", help="Path to file with banner to regexify") ++ ++ return p.parse_args() ++ ++ ++def main(): ++ ++ args = parse_args() ++ with open(args.input, "r") as file_in: ++ # rstrip is used to remove newline at the end of file ++ banner_text = file_in.read().rstrip() ++ ++ banner_regex = ssg.utils.banner_regexify(banner_text) ++ ++ if args.output: ++ with open(args.output, "w") as file_out: ++ file_out.write(banner_regex) ++ else: ++ print(banner_regex) ++ ++ ++if __name__ == "__main__": ++ main() + +From 5c81e70d14ee90877630610bf0a2215199a3e491 Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Sun, 8 Mar 2020 15:31:12 +0100 +Subject: [PATCH 19/27] Move the macro to be a Jinja2 filter + +This is done so that we can apply banner_regexify indvidually in each +banner of dod_banners. +--- + .../httpd_secure_content/var_web_login_banner_text.var | 10 +++++----- + .../accounts/accounts-banners/login_banner_text.var | 10 +++++----- + ssg/jinja.py | 2 +- + 3 files changed, 11 insertions(+), 11 deletions(-) + +diff --git a/linux_os/guide/services/http/securing_httpd/httpd_secure_content/var_web_login_banner_text.var b/linux_os/guide/services/http/securing_httpd/httpd_secure_content/var_web_login_banner_text.var +index d3f72cbd97..e990f0cb23 100644 +--- a/linux_os/guide/services/http/securing_httpd/httpd_secure_content/var_web_login_banner_text.var ++++ b/linux_os/guide/services/http/securing_httpd/httpd_secure_content/var_web_login_banner_text.var +@@ -16,8 +16,8 @@ interactive: false + {{% set var_dod_short = "I've read & consent to terms in IS user agreem't." %}} + + options: +- dod_banners: {{{ banner_regexify("^(" ~ var_dod_default ~ "|" ~ var_dod_short ~ ")$") }}} +- dod_default: {{{ banner_regexify(var_dod_default) }}} +- dod_short: {{{ banner_regexify(var_dod_short) }}} +- dss_odaa_default: {{{ banner_regexify("Use of this or any other DoD interest computer system constitutes consent to monitoring at all times. This is a DoD interest computer system. All DoD interest computer systems and related equipment are intended for the communication, transmission, processing, and storage of official U.S. Government or other authorized information only. All DoD interest computer systems are subject to monitoring at all times to ensure proper functioning of equipment and systems including security devices and systems, to prevent unauthorized use and violations of statutes and security regulations, to deter criminal activity, and for other similar purposes. Any user of a DoD interest computer system should be aware that any information placed in the system is subject to monitoring and is not subject to any expectation of privacy. If monitoring of this or any other DoD interest computer system reveals possible evidence of violation of criminal statutes, this evidence and any other related information, including identification information about the user, may be provided to law enforcement officials. If monitoring of this or any other DoD interest computer systems reveals violations of security regulations or unauthorized use, employees who violate security regulations or make unauthorized use of DoD interest computer systems are subject to appropriate disciplinary action. Use of this or any other DoD interest computer system constitutes consent to monitoring at all times.") }}} +- usgcb_default: {{{ banner_regexify("-- WARNING -- This system is for the use of authorized users only. Individuals using this computer system without authority or in excess of their authority are subject to having all their activities on this system monitored and recorded by system personnel. Anyone using this system expressly consents to such monitoring and is advised that if such monitoring reveals possible evidence of criminal activity system personal may provide the evidence of such monitoring to law enforcement officials.") }}} ++ dod_banners: {{{ "^(" ~ var_dod_default|banner_regexify ~ "|" ~ var_dod_short|banner_regexify ~ ")$" }}} ++ dod_default: {{{ var_dod_default|banner_regexify }}} ++ dod_short: {{{ var_dod_short|banner_regexify }}} ++ dss_odaa_default: {{{ "Use of this or any other DoD interest computer system constitutes consent to monitoring at all times. This is a DoD interest computer system. All DoD interest computer systems and related equipment are intended for the communication, transmission, processing, and storage of official U.S. Government or other authorized information only. All DoD interest computer systems are subject to monitoring at all times to ensure proper functioning of equipment and systems including security devices and systems, to prevent unauthorized use and violations of statutes and security regulations, to deter criminal activity, and for other similar purposes. Any user of a DoD interest computer system should be aware that any information placed in the system is subject to monitoring and is not subject to any expectation of privacy. If monitoring of this or any other DoD interest computer system reveals possible evidence of violation of criminal statutes, this evidence and any other related information, including identification information about the user, may be provided to law enforcement officials. If monitoring of this or any other DoD interest computer systems reveals violations of security regulations or unauthorized use, employees who violate security regulations or make unauthorized use of DoD interest computer systems are subject to appropriate disciplinary action. Use of this or any other DoD interest computer system constitutes consent to monitoring at all times."|banner_regexify }}} ++ usgcb_default: {{{ "-- WARNING -- This system is for the use of authorized users only. Individuals using this computer system without authority or in excess of their authority are subject to having all their activities on this system monitored and recorded by system personnel. Anyone using this system expressly consents to such monitoring and is advised that if such monitoring reveals possible evidence of criminal activity system personal may provide the evidence of such monitoring to law enforcement officials."|banner_regexify }}} +diff --git a/linux_os/guide/system/accounts/accounts-banners/login_banner_text.var b/linux_os/guide/system/accounts/accounts-banners/login_banner_text.var +index f6eab9bf33..e059174cb5 100644 +--- a/linux_os/guide/system/accounts/accounts-banners/login_banner_text.var ++++ b/linux_os/guide/system/accounts/accounts-banners/login_banner_text.var +@@ -17,8 +17,8 @@ interactive: false + + options: + # First banner in 'dod_banners' must be the banner for desktop, laptop, and other devices which accomodate banners of 1300 characters +- dod_banners: {{{ banner_regexify("^(" ~ var_dod_default ~ "|" ~ var_dod_short ~ ")$") }}} +- dod_default: {{{ banner_regexify(var_dod_default) }}} +- dod_short: {{{ banner_regexify(var_dod_short) }}} +- dss_odaa_default: {{{ banner_regexify("Use of this or any other DoD interest computer system constitutes consent to monitoring at all times. This is a DoD interest computer system. All DoD interest computer systems and related equipment are intended for the communication, transmission, processing, and storage of official U.S. Government or other authorized information only. All DoD interest computer systems are subject to monitoring at all times to ensure proper functioning of equipment and systems including security devices and systems, to prevent unauthorized use and violations of statutes and security regulations, to deter criminal activity, and for other similar purposes. Any user of a DoD interest computer system should be aware that any information placed in the system is subject to monitoring and is not subject to any expectation of privacy. If monitoring of this or any other DoD interest computer system reveals possible evidence of violation of criminal statutes, this evidence and any other related information, including identification information about the user, may be provided to law enforcement officials. If monitoring of this or any other DoD interest computer systems reveals violations of security regulations or unauthorized use, employees who violate security regulations or make unauthorized use of DoD interest computer systems are subject to appropriate disciplinary action. Use of this or any other DoD interest computer system constitutes consent to monitoring at all times.") }}} +- usgcb_default: {{{ banner_regexify("-- WARNING -- This system is for the use of authorized users only. Individuals using this computer system without authority or in excess of their authority are subject to having all their activities on this system monitored and recorded by system personnel. Anyone using this system expressly consents to such monitoring and is advised that if such monitoring reveals possible evidence of criminal activity system personal may provide the evidence of such monitoring to law enforcement officials.") }}} ++ dod_banners: {{{ "^(" ~ var_dod_default|banner_regexify ~ "|" ~ var_dod_short|banner_regexify ~ ")$" }}} ++ dod_default: {{{ var_dod_default|banner_regexify }}} ++ dod_short: {{{ var_dod_short|banner_regexify }}} ++ dss_odaa_default: {{{ "Use of this or any other DoD interest computer system constitutes consent to monitoring at all times. This is a DoD interest computer system. All DoD interest computer systems and related equipment are intended for the communication, transmission, processing, and storage of official U.S. Government or other authorized information only. All DoD interest computer systems are subject to monitoring at all times to ensure proper functioning of equipment and systems including security devices and systems, to prevent unauthorized use and violations of statutes and security regulations, to deter criminal activity, and for other similar purposes. Any user of a DoD interest computer system should be aware that any information placed in the system is subject to monitoring and is not subject to any expectation of privacy. If monitoring of this or any other DoD interest computer system reveals possible evidence of violation of criminal statutes, this evidence and any other related information, including identification information about the user, may be provided to law enforcement officials. If monitoring of this or any other DoD interest computer systems reveals violations of security regulations or unauthorized use, employees who violate security regulations or make unauthorized use of DoD interest computer systems are subject to appropriate disciplinary action. Use of this or any other DoD interest computer system constitutes consent to monitoring at all times."|banner_regexify }}} ++ usgcb_default: {{{ "-- WARNING -- This system is for the use of authorized users only. Individuals using this computer system without authority or in excess of their authority are subject to having all their activities on this system monitored and recorded by system personnel. Anyone using this system expressly consents to such monitoring and is advised that if such monitoring reveals possible evidence of criminal activity system personal may provide the evidence of such monitoring to law enforcement officials."|banner_regexify }}} +diff --git a/ssg/jinja.py b/ssg/jinja.py +index 471fbf4140..e779466838 100644 +--- a/ssg/jinja.py ++++ b/ssg/jinja.py +@@ -71,6 +71,7 @@ def _get_jinja_environment(substitutions_dict): + loader=AbsolutePathFileSystemLoader(), + bytecode_cache=bytecode_cache + ) ++ _get_jinja_environment.env.filters['banner_regexify'] = banner_regexify + + return _get_jinja_environment.env + +@@ -112,7 +113,6 @@ def add_python_functions(substitutions_dict): + substitutions_dict['prodtype_to_name'] = prodtype_to_name + substitutions_dict['name_to_platform'] = name_to_platform + substitutions_dict['prodtype_to_platform'] = prodtype_to_platform +- substitutions_dict['banner_regexify'] = banner_regexify + substitutions_dict['raise'] = raise_exception + + + +From d416cb9e78842767f08d9c38d9ea0b79b05f00dd Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Sun, 8 Mar 2020 15:53:07 +0100 +Subject: [PATCH 20/27] Automatically escape regex unsafe chars in banner + +Let the banner_regexify filter escape regex unsafe chars, no need for +manual escaping. +--- + .../httpd_secure_content/var_web_login_banner_text.var | 2 +- + .../system/accounts/accounts-banners/login_banner_text.var | 2 +- + ssg/utils.py | 5 +++++ + 3 files changed, 7 insertions(+), 2 deletions(-) + +diff --git a/linux_os/guide/services/http/securing_httpd/httpd_secure_content/var_web_login_banner_text.var b/linux_os/guide/services/http/securing_httpd/httpd_secure_content/var_web_login_banner_text.var +index e990f0cb23..e59cdc0782 100644 +--- a/linux_os/guide/services/http/securing_httpd/httpd_secure_content/var_web_login_banner_text.var ++++ b/linux_os/guide/services/http/securing_httpd/httpd_secure_content/var_web_login_banner_text.var +@@ -12,7 +12,7 @@ operator: equals + + interactive: false + +-{{% set var_dod_default = "You are accessing a U.S. Government \(USG\) Information System \(IS\) that is provided for USG-authorized use only. By using this IS \(which includes any device attached to this IS\), you consent to the following conditions\:\n-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct \(PM\), law enforcement \(LE\), and counterintelligence \(CI\) investigations.\n-At any time, the USG may inspect and seize data stored on this IS.\n-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.\n-This IS includes security measures \(e.g., authentication and access controls\) to protect USG interests--not for your personal benefit or privacy.\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details." %}} ++{{% set var_dod_default = "You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions:\n-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.\n-At any time, the USG may inspect and seize data stored on this IS.\n-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.\n-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details." %}} + {{% set var_dod_short = "I've read & consent to terms in IS user agreem't." %}} + + options: +diff --git a/linux_os/guide/system/accounts/accounts-banners/login_banner_text.var b/linux_os/guide/system/accounts/accounts-banners/login_banner_text.var +index e059174cb5..1c6a39f481 100644 +--- a/linux_os/guide/system/accounts/accounts-banners/login_banner_text.var ++++ b/linux_os/guide/system/accounts/accounts-banners/login_banner_text.var +@@ -12,7 +12,7 @@ operator: equals + + interactive: false + +-{{% set var_dod_default="You are accessing a U.S. Government \(USG\) Information System \(IS\) that is provided for USG-authorized use only. By using this IS \(which includes any device attached to this IS\), you consent to the following conditions\:\n-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct \(PM\), law enforcement \(LE\), and counterintelligence \(CI\) investigations.\n-At any time, the USG may inspect and seize data stored on this IS.\n-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.\n-This IS includes security measures \(e.g., authentication and access controls\) to protect USG interests--not for your personal benefit or privacy.\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details." %}} ++{{% set var_dod_default="You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions:\n-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.\n-At any time, the USG may inspect and seize data stored on this IS.\n-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.\n-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details." %}} + {{% set var_dod_short = "I've read & consent to terms in IS user agreem't." %}} + + options: +diff --git a/ssg/utils.py b/ssg/utils.py +index 3823e02a2d..7584e38a16 100644 +--- a/ssg/utils.py ++++ b/ssg/utils.py +@@ -250,4 +250,9 @@ def mkdir_p(path): + raise + + def banner_regexify(banner_text): ++ # We could use re.escape(), but it escapes too many characters, including plain white space. ++ # In python 3.7 the set of charaters escaped by re.escape is reasonable, so lets mimic it. ++ # See https://docs.python.org/3/library/re.html#re.sub ++ # '!', '"', '%', "'", ',', '/', ':', ';', '<', '=', '>', '@', and "`" are not escaped. ++ banner_text = re.sub(r"([#$&*+-.^`|~:()])", r"\\\1", banner_text) + return banner_text.replace("\n", "BFLMPSVZ").replace(" ", "[\s\\n]+").replace("BFLMPSVZ", "(?:[\\n]+|(?:\\\\n)+)") + +From 35e962ce5c5c28d29d120723715d64dcbd567197 Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Sun, 8 Mar 2020 17:00:26 +0100 +Subject: [PATCH 21/27] Document the new macros, filter and utility + +--- + docs/manual/developer_guide.adoc | 26 ++++++++++++++++++++++++++ + 1 file changed, 26 insertions(+) + +diff --git a/docs/manual/developer_guide.adoc b/docs/manual/developer_guide.adoc +index 76c1c10218..739a6a823c 100644 +--- a/docs/manual/developer_guide.adoc ++++ b/docs/manual/developer_guide.adoc +@@ -752,6 +752,14 @@ $ ./build-scripts/profile_tool.py sub --profile1 rhel7/profiles/ospp.profile --p + + This will result in a new YAML profile containing exclusive rules to the profile pointed by the --profile1 option. + ++=== Generating login banner regular expressions ++ ++Rules like `banner_etc_issue` and `dconf_gnome_login_banner_text` will check for configuration of login banners and remediate them. Both rules source the banner text from the same variable `login_banner_text`, and the banner texts need to be in the form of a regular expression. ++There are a few utilities you can use to transform your text into the appropriate regular expression: ++ ++When adding a new banner directly to the `login_banner_text`, use the custom Jinja filter `banner_regexify`. + ++If customizing content via SCAP Workbench, or directly writing your tailoring XML, use `utils/regexify_banner.py` to generate the appropriate regular expression. ++ + == Contributing with XCCDFs, OVALs and remediations + + There are three main types of content in the project, they are rules, defined using the XCCDF standard, checks, usually written in link:https://oval.mitre.org/language/about/[OVAL] format, and remediations, that can be executed on ansible, bash, anaconda installer, puppet and ignition. +@@ -1279,6 +1287,8 @@ Jinja macros for Ansible content are located in `/shared/macros-ansible.jinja`. + - `ansible_sshd_set` -- set a parameter in the sshd configuration + - `ansible_etc_profile_set` -- ensure a command gets executed or a variable gets set in /etc/profile or /etc/profile.d + - `ansible_tmux_set` -- set a command in tmux configuration ++- `ansible_deregexify_banner_etc_issue` -- Formats a banner regex for use in /etc/issue ++- `ansible_deregexify_banner_dconf_gnome` -- Formats a banner regex for use in dconf + + They also include several low-level macros: + +@@ -1289,6 +1299,14 @@ They also include several low-level macros: + - `ansible_set_config_file` -- for configuration files; set the given configuration value and ensure no conflicting values + - `ansible_set_config_file_dir` -- for configuration files and files in configuration directories; set the given configuration value and ensure no conflicting values + ++Low level macros to make login banner regular expressions usable in Ansible remediations ++ ++- `ansible_deregexify_multiple_banners` -- Strips multibanner regex and keeps only the first banner ++- `ansible_deregexify_banner_space` -- Strips whitespace or newline regex ++- `ansible_deregexify_banner_newline` -- Strips newline or newline escape sequence regex ++- `ansible_deregexify_banner_newline_token` -- Strips newline token for a newline escape sequence regex ++- `ansible_deregexify_banner_backslash` - Strips backslash regex ++ + When `msg` is absent from any of the above macros, rule title will be substituted instead. + + Whenever possible, please reuse the macros and form high-level simplifications. +@@ -1348,6 +1366,14 @@ Available low-level Jinja macros that can be used in Bash remediations: + - `die` - Function to terminate the remediation + - `set_config_file` - Add an entry to a text configuration file + ++Low level macros to make login banner regular expressions usable in Bash remediations ++ ++- `bash_deregexify_multiple_banners` - Strips multibanner regex and keeps only the first banner ++- `bash_deregexify_banner_space` - Strips whitespace or newline regex ++- `bash_deregexify_banner_newline` - Strips newline or newline escape sequence regex ++- `bash_deregexify_banner_newline_token` - Strips newline token for a newline escape sequence regex ++- `bash_deregexify_banner_backslash` - Strips backslash regex ++ + === Templating + + Writing OVAL checks, Bash, or any other content can be tedious work. For + +From ad5526d6704299cfd01c818fa8a79e3587b90cb5 Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Sun, 8 Mar 2020 17:56:44 +0100 +Subject: [PATCH 22/27] Code style fixes + +--- + ssg/jinja.py | 7 ++++++- + ssg/utils.py | 5 ++++- + utils/regexify_banner.py | 1 + + 3 files changed, 11 insertions(+), 2 deletions(-) + +diff --git a/ssg/jinja.py b/ssg/jinja.py +index e779466838..e014768e2b 100644 +--- a/ssg/jinja.py ++++ b/ssg/jinja.py +@@ -10,7 +10,12 @@ + JINJA_MACROS_BASH_DEFINITIONS, + JINJA_MACROS_OVAL_DEFINITIONS, + ) +-from .utils import required_key, prodtype_to_name, name_to_platform, prodtype_to_platform, banner_regexify ++from .utils import (required_key, ++ prodtype_to_name, ++ name_to_platform, ++ prodtype_to_platform, ++ banner_regexify ++ ) + + + class MacroError(RuntimeError): +diff --git a/ssg/utils.py b/ssg/utils.py +index 7584e38a16..472ac73b81 100644 +--- a/ssg/utils.py ++++ b/ssg/utils.py +@@ -249,10 +249,13 @@ def mkdir_p(path): + else: + raise + ++ + def banner_regexify(banner_text): + # We could use re.escape(), but it escapes too many characters, including plain white space. + # In python 3.7 the set of charaters escaped by re.escape is reasonable, so lets mimic it. + # See https://docs.python.org/3/library/re.html#re.sub + # '!', '"', '%', "'", ',', '/', ':', ';', '<', '=', '>', '@', and "`" are not escaped. + banner_text = re.sub(r"([#$&*+-.^`|~:()])", r"\\\1", banner_text) +- return banner_text.replace("\n", "BFLMPSVZ").replace(" ", "[\s\\n]+").replace("BFLMPSVZ", "(?:[\\n]+|(?:\\\\n)+)") ++ banner_text = banner_text.replace("\n", "BFLMPSVZ") ++ banner_text = banner_text.replace(" ", "[\\s\\n]+") ++ return banner_text.replace("BFLMPSVZ", "(?:[\\n]+|(?:\\\\n)+)") +diff --git a/utils/regexify_banner.py b/utils/regexify_banner.py +index 7bdf69b702..c794c02a37 100644 +--- a/utils/regexify_banner.py ++++ b/utils/regexify_banner.py +@@ -1,6 +1,7 @@ + import argparse + import ssg.utils + ++ + def parse_args(): + p = argparse.ArgumentParser() + p.add_argument("--output", help="Path to output regexified banner") + +From 86439fed8f2d431da76bd613c87b38c4eda6457b Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Wed, 11 Mar 2020 13:44:02 +0100 +Subject: [PATCH 23/27] regexify_banner.py: Set x permission and shebang + +--- + utils/regexify_banner.py | 1 + + 1 file changed, 1 insertion(+) + mode change 100644 => 100755 utils/regexify_banner.py + +diff --git a/utils/regexify_banner.py b/utils/regexify_banner.py +old mode 100644 +new mode 100755 +index c794c02a37..15584693bf +--- a/utils/regexify_banner.py ++++ b/utils/regexify_banner.py +@@ -1,3 +1,4 @@ ++#!/usr/bin/env python + import argparse + import ssg.utils + + +From 556018017f7fbb2d7707aaf673ecd9d4edb53aae Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Wed, 11 Mar 2020 14:16:03 +0100 +Subject: [PATCH 24/27] The whole /etc/issue file should be evaluated + +Added test scenario where the banner is followed by an +extraneous line. This caused the rule to pass unexpectedly. + +Updated OVAL check to consider the all lines of /etc/issue the object to +be evaluated and compared against a state. +Also updated Bash remediation to not add extra newline at the end, and +Asnbile remediation to remove any extraneous line in /etc/issue +--- + .../banner_etc_issue/ansible/shared.yml | 7 ++++- + .../banner_etc_issue/bash/shared.sh | 2 -- + .../banner_etc_issue/oval/shared.xml | 8 ++++- + ...ner_etc_issue_disa_with_extra_line.fail.sh | 30 +++++++++++++++++++ + 4 files changed, 43 insertions(+), 4 deletions(-) + create mode 100644 linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/tests/banner_etc_issue_disa_with_extra_line.fail.sh + +diff --git a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/ansible/shared.yml +index 42c19194e4..21f0925268 100644 +--- a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/ansible/shared.yml ++++ b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/ansible/shared.yml +@@ -5,7 +5,12 @@ + # disruption = medium + - (xccdf-var login_banner_text) + +-- name: "{{{ rule_title }}}" ++- name: "{{{ rule_title }}} - remove incorrect banner" ++ file: ++ state: absent ++ path: /etc/issue ++ ++- name: "{{{ rule_title }}} - add correct banner" + lineinfile: + dest: /etc/issue + line: '{{{ ansible_deregexify_banner_etc_issue("login_banner_text") }}}' +diff --git a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/bash/shared.sh b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/bash/shared.sh +index 119413005e..1a0c11f569 100644 +--- a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/bash/shared.sh ++++ b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/bash/shared.sh +@@ -17,5 +17,3 @@ formatted=$(echo "$login_banner_text" | fold -sw 80) + cat </etc/issue + $formatted + EOF +- +-printf "\n" >> /etc/issue +diff --git a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/oval/shared.xml b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/oval/shared.xml +index 3317251d41..032c65b340 100644 +--- a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/oval/shared.xml ++++ b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/oval/shared.xml +@@ -12,14 +12,20 @@ + + + ++ + + + ++ + /etc/issue +- ++ ^(.*)$ + 1 + + ++ ++ ++ ++ + + + +diff --git a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/tests/banner_etc_issue_disa_with_extra_line.fail.sh b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/tests/banner_etc_issue_disa_with_extra_line.fail.sh +new file mode 100644 +index 0000000000..dfa48bd61a +--- /dev/null ++++ b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/tests/banner_etc_issue_disa_with_extra_line.fail.sh +@@ -0,0 +1,30 @@ ++#!/bin/bash ++# ++# profiles = xccdf_org.ssgproject.content_profile_stig ++ ++# dod_default|dod_short banner ++echo "You are accessing a U.S. Government (USG) Information System (IS) that is ++provided for USG-authorized use only. By using this IS (which includes any ++device attached to this IS), you consent to the following conditions: ++ ++-The USG routinely intercepts and monitors communications on this IS for ++purposes including, but not limited to, penetration testing, COMSEC monitoring, ++network operations and defense, personnel misconduct (PM), law enforcement ++(LE), and counterintelligence (CI) investigations. ++ ++-At any time, the USG may inspect and seize data stored on this IS. ++ ++-Communications using, or data stored on, this IS are not private, are subject ++to routine monitoring, interception, and search, and may be disclosed or used ++for any USG-authorized purpose. ++ ++-This IS includes security measures (e.g., authentication and access controls) ++to protect USG interests--not for your personal benefit or privacy. ++ ++-Notwithstanding the above, using this IS does not constitute consent to PM, LE ++or CI investigative searching or monitoring of the content of privileged ++communications, or work product, related to personal representation or services ++by attorneys, psychotherapists, or clergy, and their assistants. Such ++communications and work product are private and confidential. See User ++Agreement for details. ++Extra line at end." > /etc/issue + +From 488c5259595032f25dd98d45c1b38a65ed248647 Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Wed, 11 Mar 2020 18:52:37 +0100 +Subject: [PATCH 25/27] Wrap banner text with regex anchors + +We need to be sure that the whole banners matches the banner variable. +This commit includes a test scenario that reproduces the issue. + +All the harness around banners have been updated, regexify, deregexify +and utility. +--- + .../var_web_login_banner_text.var | 8 ++++---- + .../banner_etc_issue/bash/shared.sh | 10 ++++++---- + .../dconf_gnome_login_banner_text/bash/shared.sh | 12 +++++++----- + .../tests/wrapped_banner.fail.sh | 16 ++++++++++++++++ + .../accounts-banners/login_banner_text.var | 8 ++++---- + shared/macros-ansible.jinja | 10 ++++++++-- + shared/macros-bash.jinja | 7 ++++++- + ssg/jinja.py | 4 +++- + ssg/utils.py | 3 +++ + utils/regexify_banner.py | 1 + + 10 files changed, 58 insertions(+), 21 deletions(-) + create mode 100644 linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/wrapped_banner.fail.sh + +diff --git a/linux_os/guide/services/http/securing_httpd/httpd_secure_content/var_web_login_banner_text.var b/linux_os/guide/services/http/securing_httpd/httpd_secure_content/var_web_login_banner_text.var +index e59cdc0782..dc10e8c3cf 100644 +--- a/linux_os/guide/services/http/securing_httpd/httpd_secure_content/var_web_login_banner_text.var ++++ b/linux_os/guide/services/http/securing_httpd/httpd_secure_content/var_web_login_banner_text.var +@@ -17,7 +17,7 @@ interactive: false + + options: + dod_banners: {{{ "^(" ~ var_dod_default|banner_regexify ~ "|" ~ var_dod_short|banner_regexify ~ ")$" }}} +- dod_default: {{{ var_dod_default|banner_regexify }}} +- dod_short: {{{ var_dod_short|banner_regexify }}} +- dss_odaa_default: {{{ "Use of this or any other DoD interest computer system constitutes consent to monitoring at all times. This is a DoD interest computer system. All DoD interest computer systems and related equipment are intended for the communication, transmission, processing, and storage of official U.S. Government or other authorized information only. All DoD interest computer systems are subject to monitoring at all times to ensure proper functioning of equipment and systems including security devices and systems, to prevent unauthorized use and violations of statutes and security regulations, to deter criminal activity, and for other similar purposes. Any user of a DoD interest computer system should be aware that any information placed in the system is subject to monitoring and is not subject to any expectation of privacy. If monitoring of this or any other DoD interest computer system reveals possible evidence of violation of criminal statutes, this evidence and any other related information, including identification information about the user, may be provided to law enforcement officials. If monitoring of this or any other DoD interest computer systems reveals violations of security regulations or unauthorized use, employees who violate security regulations or make unauthorized use of DoD interest computer systems are subject to appropriate disciplinary action. Use of this or any other DoD interest computer system constitutes consent to monitoring at all times."|banner_regexify }}} +- usgcb_default: {{{ "-- WARNING -- This system is for the use of authorized users only. Individuals using this computer system without authority or in excess of their authority are subject to having all their activities on this system monitored and recorded by system personnel. Anyone using this system expressly consents to such monitoring and is advised that if such monitoring reveals possible evidence of criminal activity system personal may provide the evidence of such monitoring to law enforcement officials."|banner_regexify }}} ++ dod_default: {{{ var_dod_default|banner_regexify|banner_anchor_wrap }}} ++ dod_short: {{{ var_dod_short|banner_regexify|banner_anchor_wrap }}} ++ dss_odaa_default: {{{ "Use of this or any other DoD interest computer system constitutes consent to monitoring at all times. This is a DoD interest computer system. All DoD interest computer systems and related equipment are intended for the communication, transmission, processing, and storage of official U.S. Government or other authorized information only. All DoD interest computer systems are subject to monitoring at all times to ensure proper functioning of equipment and systems including security devices and systems, to prevent unauthorized use and violations of statutes and security regulations, to deter criminal activity, and for other similar purposes. Any user of a DoD interest computer system should be aware that any information placed in the system is subject to monitoring and is not subject to any expectation of privacy. If monitoring of this or any other DoD interest computer system reveals possible evidence of violation of criminal statutes, this evidence and any other related information, including identification information about the user, may be provided to law enforcement officials. If monitoring of this or any other DoD interest computer systems reveals violations of security regulations or unauthorized use, employees who violate security regulations or make unauthorized use of DoD interest computer systems are subject to appropriate disciplinary action. Use of this or any other DoD interest computer system constitutes consent to monitoring at all times."|banner_regexify|banner_anchor_wrap }}} ++ usgcb_default: {{{ "-- WARNING -- This system is for the use of authorized users only. Individuals using this computer system without authority or in excess of their authority are subject to having all their activities on this system monitored and recorded by system personnel. Anyone using this system expressly consents to such monitoring and is advised that if such monitoring reveals possible evidence of criminal activity system personal may provide the evidence of such monitoring to law enforcement officials."|banner_regexify|banner_anchor_wrap }}} +diff --git a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/bash/shared.sh b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/bash/shared.sh +index 1a0c11f569..30449d5e9d 100644 +--- a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/bash/shared.sh ++++ b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/bash/shared.sh +@@ -3,14 +3,16 @@ + populate login_banner_text + + # Multiple regexes transform the banner regex into a usable banner +-# 1 - Keep only the first banners if there are multiple, and remove wrapping regex syntax. ++# 0 - Remove anchors around the banner text ++{{{ bash_deregexify_banner_anchors("login_banner_text") }}} ++# 1 - Keep only the first banners if there are multiple + # (dod_banners contains the long and short banner) + {{{ bash_deregexify_multiple_banners("login_banner_text") }}} +-# 2- Add spaces ' '. (Transforms regex for "space or newline" into a " ") ++# 2 - Add spaces ' '. (Transforms regex for "space or newline" into a " ") + {{{ bash_deregexify_banner_space("login_banner_text") }}} +-# 3- Adds newlines. (Transforms "(?:\[\\n\]+|(?:\\n)+)" into "\n") ++# 3 - Adds newlines. (Transforms "(?:\[\\n\]+|(?:\\n)+)" into "\n") + {{{ bash_deregexify_banner_newline("login_banner_text", "\\n") }}} +-# 4- Remove any leftover backslash. (From any parethesis in the banner, for example). ++# 4 - Remove any leftover backslash. (From any parethesis in the banner, for example). + {{{ bash_deregexify_banner_backslash("login_banner_text") }}} + formatted=$(echo "$login_banner_text" | fold -sw 80) + +diff --git a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/bash/shared.sh b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/bash/shared.sh +index 4011932790..85ddd893c6 100644 +--- a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/bash/shared.sh ++++ b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/bash/shared.sh +@@ -3,16 +3,18 @@ + populate login_banner_text + + # Multiple regexes transform the banner regex into a usable banner +-# 1 - Keep only the first banners if there are multiple, and remove wrapping regex syntax. ++# 0 - Remove anchors around the banner text ++{{{ bash_deregexify_banner_anchors("login_banner_text") }}} ++# 1 - Keep only the first banners if there are multiple + # (dod_banners contains the long and short banner) + {{{ bash_deregexify_multiple_banners("login_banner_text") }}} +-# 2- Add spaces ' '. (Transforms regex for "space or newline" into a " ") ++# 2 - Add spaces ' '. (Transforms regex for "space or newline" into a " ") + {{{ bash_deregexify_banner_space("login_banner_text") }}} +-# 3- Adds newline "tokens". (Transforms "(?:\[\\n\]+|(?:\\n)+)" into "(n)*") ++# 3 - Adds newline "tokens". (Transforms "(?:\[\\n\]+|(?:\\n)+)" into "(n)*") + {{{ bash_deregexify_banner_newline("login_banner_text", "(n)*") }}} +-# 4- Remove any leftover backslash. (From any parethesis in the banner, for example). ++# 4 - Remove any leftover backslash. (From any parethesis in the banner, for example). + {{{ bash_deregexify_banner_backslash("login_banner_text") }}} +-# 5- Removes the newline "token." (Transforms them into newline escape sequences "\n"). ++# 5 - Removes the newline "token." (Transforms them into newline escape sequences "\n"). + # ( Needs to be done after 4, otherwise the escapce sequence will become just "n". + {{{ bash_deregexify_banner_newline_token("login_banner_text")}}} + +diff --git a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/wrapped_banner.fail.sh b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/wrapped_banner.fail.sh +new file mode 100644 +index 0000000000..1c6b9a23af +--- /dev/null ++++ b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/wrapped_banner.fail.sh +@@ -0,0 +1,16 @@ ++#!/bin/bash ++# platform = Red Hat Enterprise Linux 7 ++# profiles = xccdf_org.ssgproject.content_profile_ncp ++ ++source $SHARED/dconf_test_functions.sh ++ ++install_dconf_and_gdm_if_needed ++ ++login_banner_text="Some text before --[\s\n]+WARNING[\s\n]+--[\s\n]*This[\s\n]+system[\s\n]+is[\s\n]+for[\s\n]+the[\s\n]+use[\s\n]+of[\s\n]+authorized[\s\n]+users[\s\n]+only.[\s\n]+Individuals[\s\n]*using[\s\n]+this[\s\n]+computer[\s\n]+system[\s\n]+without[\s\n]+authority[\s\n]+or[\s\n]+in[\s\n]+excess[\s\n]+of[\s\n]+their[\s\n]*authority[\s\n]+are[\s\n]+subject[\s\n]+to[\s\n]+having[\s\n]+all[\s\n]+their[\s\n]+activities[\s\n]+on[\s\n]+this[\s\n]+system[\s\n]*monitored[\s\n]+and[\s\n]+recorded[\s\n]+by[\s\n]+system[\s\n]+personnel.[\s\n]+Anyone[\s\n]+using[\s\n]+this[\s\n]*system[\s\n]+expressly[\s\n]+consents[\s\n]+to[\s\n]+such[\s\n]+monitoring[\s\n]+and[\s\n]+is[\s\n]+advised[\s\n]+that[\s\n]*if[\s\n]+such[\s\n]+monitoring[\s\n]+reveals[\s\n]+possible[\s\n]+evidence[\s\n]+of[\s\n]+criminal[\s\n]+activity[\s\n]*system[\s\n]+personal[\s\n]+may[\s\n]+provide[\s\n]+the[\s\n]+evidence[\s\n]+of[\s\n]+such[\s\n]+monitoring[\s\n]+to[\s\n]+law[\s\n]*enforcement[\s\n]+officials. And some after." ++expanded=$(echo "$login_banner_text" | sed 's/(\\\\\x27)\*/\\\x27/g;s/(\\\x27)\*//g;s/(\\\\\x27)/tamere/g;s/(\^\(.*\)\$|.*$/\1/g;s/\[\\s\\n\][+*]/ /g;s/\\//g;s/(n)\*/\\n/g;s/\x27/\\\x27/g;') ++ ++clean_dconf_settings ++add_dconf_setting "org/gnome/login-screen" "banner-message-text" "'${expanded}'" "gdm.d" "00-security-settings" ++add_dconf_lock "org/gnome/login-screen" "banner-message-text" "gdm.d" "00-security-settings-lock" ++ ++dconf update +diff --git a/linux_os/guide/system/accounts/accounts-banners/login_banner_text.var b/linux_os/guide/system/accounts/accounts-banners/login_banner_text.var +index 1c6a39f481..d00782f380 100644 +--- a/linux_os/guide/system/accounts/accounts-banners/login_banner_text.var ++++ b/linux_os/guide/system/accounts/accounts-banners/login_banner_text.var +@@ -18,7 +18,7 @@ interactive: false + options: + # First banner in 'dod_banners' must be the banner for desktop, laptop, and other devices which accomodate banners of 1300 characters + dod_banners: {{{ "^(" ~ var_dod_default|banner_regexify ~ "|" ~ var_dod_short|banner_regexify ~ ")$" }}} +- dod_default: {{{ var_dod_default|banner_regexify }}} +- dod_short: {{{ var_dod_short|banner_regexify }}} +- dss_odaa_default: {{{ "Use of this or any other DoD interest computer system constitutes consent to monitoring at all times. This is a DoD interest computer system. All DoD interest computer systems and related equipment are intended for the communication, transmission, processing, and storage of official U.S. Government or other authorized information only. All DoD interest computer systems are subject to monitoring at all times to ensure proper functioning of equipment and systems including security devices and systems, to prevent unauthorized use and violations of statutes and security regulations, to deter criminal activity, and for other similar purposes. Any user of a DoD interest computer system should be aware that any information placed in the system is subject to monitoring and is not subject to any expectation of privacy. If monitoring of this or any other DoD interest computer system reveals possible evidence of violation of criminal statutes, this evidence and any other related information, including identification information about the user, may be provided to law enforcement officials. If monitoring of this or any other DoD interest computer systems reveals violations of security regulations or unauthorized use, employees who violate security regulations or make unauthorized use of DoD interest computer systems are subject to appropriate disciplinary action. Use of this or any other DoD interest computer system constitutes consent to monitoring at all times."|banner_regexify }}} +- usgcb_default: {{{ "-- WARNING -- This system is for the use of authorized users only. Individuals using this computer system without authority or in excess of their authority are subject to having all their activities on this system monitored and recorded by system personnel. Anyone using this system expressly consents to such monitoring and is advised that if such monitoring reveals possible evidence of criminal activity system personal may provide the evidence of such monitoring to law enforcement officials."|banner_regexify }}} ++ dod_default: {{{ var_dod_default|banner_regexify|banner_anchor_wrap }}} ++ dod_short: {{{ var_dod_short|banner_regexify|banner_anchor_wrap }}} ++ dss_odaa_default: {{{ "Use of this or any other DoD interest computer system constitutes consent to monitoring at all times. This is a DoD interest computer system. All DoD interest computer systems and related equipment are intended for the communication, transmission, processing, and storage of official U.S. Government or other authorized information only. All DoD interest computer systems are subject to monitoring at all times to ensure proper functioning of equipment and systems including security devices and systems, to prevent unauthorized use and violations of statutes and security regulations, to deter criminal activity, and for other similar purposes. Any user of a DoD interest computer system should be aware that any information placed in the system is subject to monitoring and is not subject to any expectation of privacy. If monitoring of this or any other DoD interest computer system reveals possible evidence of violation of criminal statutes, this evidence and any other related information, including identification information about the user, may be provided to law enforcement officials. If monitoring of this or any other DoD interest computer systems reveals violations of security regulations or unauthorized use, employees who violate security regulations or make unauthorized use of DoD interest computer systems are subject to appropriate disciplinary action. Use of this or any other DoD interest computer system constitutes consent to monitoring at all times."|banner_regexify|banner_anchor_wrap }}} ++ usgcb_default: {{{ "-- WARNING -- This system is for the use of authorized users only. Individuals using this computer system without authority or in excess of their authority are subject to having all their activities on this system monitored and recorded by system personnel. Anyone using this system expressly consents to such monitoring and is advised that if such monitoring reveals possible evidence of criminal activity system personal may provide the evidence of such monitoring to law enforcement officials."|banner_regexify|banner_anchor_wrap }}} +diff --git a/shared/macros-ansible.jinja b/shared/macros-ansible.jinja +index 5deb7ceb80..11fb79a4d9 100644 +--- a/shared/macros-ansible.jinja ++++ b/shared/macros-ansible.jinja +@@ -225,6 +225,7 @@ + #}} + {{% macro ansible_deregexify_banner_etc_issue(banner_var_name) -%}} + {{ {{{ banner_var_name }}} | ++{{{ ansible_deregexify_banner_anchors() }}} | + {{{ ansible_deregexify_multiple_banners() }}} | + {{{ ansible_deregexify_banner_space() }}} | + {{{ ansible_deregexify_banner_newline("\\n") }}} | +@@ -239,6 +240,7 @@ wordwrap() }} + #}} + {{% macro ansible_deregexify_banner_dconf_gnome(banner_var_name) -%}} + ''{{ {{{ banner_var_name }}} | ++{{{ ansible_deregexify_banner_anchors() }}} | + {{{ ansible_deregexify_multiple_banners() }}} | + {{{ ansible_deregexify_banner_space() }}} | + {{{ ansible_deregexify_banner_newline("(n)*") }}} | +@@ -246,10 +248,14 @@ wordwrap() }} + {{{ ansible_deregexify_banner_newline_token()}}} }}'' + {{%- endmacro %}} + +- line: '{{ login_banner_text | | regex_replace("\\", "") | wordwrap() }}' ++{{# Strips anchors around the banner #}} ++{{% macro ansible_deregexify_banner_anchors() -%}} ++regex_replace("^\^(.*)\$$", "\1") ++{{%- endmacro %}} ++ + {{# Strips multibanner regex and keeps only the first banner #}} + {{% macro ansible_deregexify_multiple_banners() -%}} +-regex_replace("\^\((.*)\|.*$", "\1") ++regex_replace("\((.*)\|.*$", "\1") + {{%- endmacro %}} + + {{# Strips whitespace or newline regex #}} +diff --git a/shared/macros-bash.jinja b/shared/macros-bash.jinja +index 6d72684c6d..03b381c3ca 100644 +--- a/shared/macros-bash.jinja ++++ b/shared/macros-bash.jinja +@@ -522,9 +522,14 @@ cat << 'EOF' > {{{ filepath }}} + EOF + {{%- endmacro %}} + ++{{# Strips anchors regex around the banner text #}} ++{{% macro bash_deregexify_banner_anchors(banner_var_name) -%}} ++{{{ banner_var_name }}}=$(echo "${{{ banner_var_name }}}" | sed 's/^\^\(.*\)\$$/\1/g') ++{{%- endmacro %}} ++ + {{# Strips multibanner regex and keeps only the first banner #}} + {{% macro bash_deregexify_multiple_banners(banner_var_name) -%}} +-{{{ banner_var_name }}}=$(echo "${{{ banner_var_name }}}" | sed 's/\^(\(.*\)|.*$/\1/g') ++{{{ banner_var_name }}}=$(echo "${{{ banner_var_name }}}" | sed 's/(\(.*\)|.*$/\1/g') + {{%- endmacro %}} + + {{# Strips whitespace or newline regex #}} +diff --git a/ssg/jinja.py b/ssg/jinja.py +index e014768e2b..da3e403a1b 100644 +--- a/ssg/jinja.py ++++ b/ssg/jinja.py +@@ -14,7 +14,8 @@ + prodtype_to_name, + name_to_platform, + prodtype_to_platform, +- banner_regexify ++ banner_regexify, ++ banner_anchor_wrap + ) + + +@@ -77,6 +78,7 @@ def _get_jinja_environment(substitutions_dict): + bytecode_cache=bytecode_cache + ) + _get_jinja_environment.env.filters['banner_regexify'] = banner_regexify ++ _get_jinja_environment.env.filters['banner_anchor_wrap'] = banner_anchor_wrap + + return _get_jinja_environment.env + +diff --git a/ssg/utils.py b/ssg/utils.py +index 472ac73b81..9b437d5556 100644 +--- a/ssg/utils.py ++++ b/ssg/utils.py +@@ -259,3 +259,6 @@ def banner_regexify(banner_text): + banner_text = banner_text.replace("\n", "BFLMPSVZ") + banner_text = banner_text.replace(" ", "[\\s\\n]+") + return banner_text.replace("BFLMPSVZ", "(?:[\\n]+|(?:\\\\n)+)") ++ ++def banner_anchor_wrap(banner_text): ++ return "^" + banner_text + "$" +diff --git a/utils/regexify_banner.py b/utils/regexify_banner.py +index 15584693bf..c17213d66d 100755 +--- a/utils/regexify_banner.py ++++ b/utils/regexify_banner.py +@@ -19,6 +19,7 @@ def main(): + banner_text = file_in.read().rstrip() + + banner_regex = ssg.utils.banner_regexify(banner_text) ++ banner_regex = ssg.utils.banner_anchor_wrap(banner_text) + + if args.output: + with open(args.output, "w") as file_out: + +From d30eb89a68ae536707b8535c47eba4a422e2f252 Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Thu, 12 Mar 2020 13:27:22 +0100 +Subject: [PATCH 26/27] Fix call of banner_anchor_wrap + +--- + utils/regexify_banner.py | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/utils/regexify_banner.py b/utils/regexify_banner.py +index c17213d66d..16ec4ba6ef 100755 +--- a/utils/regexify_banner.py ++++ b/utils/regexify_banner.py +@@ -19,7 +19,7 @@ def main(): + banner_text = file_in.read().rstrip() + + banner_regex = ssg.utils.banner_regexify(banner_text) +- banner_regex = ssg.utils.banner_anchor_wrap(banner_text) ++ banner_regex = ssg.utils.banner_anchor_wrap(banner_regex) + + if args.output: + with open(args.output, "w") as file_out: + +From 90280f39e8548f2a7a22d1e328de72bc1b756099 Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Thu, 12 Mar 2020 16:09:25 +0100 +Subject: [PATCH 27/27] Fix multiple banner regex stripping + +Anchor the opening parenthesis to beginning of banner, and add anchord +closing parenthesis to pattern. +--- + shared/macros-ansible.jinja | 2 +- + shared/macros-bash.jinja | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +diff --git a/shared/macros-ansible.jinja b/shared/macros-ansible.jinja +index 11fb79a4d9..b020246ef2 100644 +--- a/shared/macros-ansible.jinja ++++ b/shared/macros-ansible.jinja +@@ -255,7 +255,7 @@ regex_replace("^\^(.*)\$$", "\1") + + {{# Strips multibanner regex and keeps only the first banner #}} + {{% macro ansible_deregexify_multiple_banners() -%}} +-regex_replace("\((.*)\|.*$", "\1") ++regex_replace("^\((.*)\|.*\)$", "\1") + {{%- endmacro %}} + + {{# Strips whitespace or newline regex #}} +diff --git a/shared/macros-bash.jinja b/shared/macros-bash.jinja +index 03b381c3ca..bc6c6f6486 100644 +--- a/shared/macros-bash.jinja ++++ b/shared/macros-bash.jinja +@@ -529,7 +529,7 @@ EOF + + {{# Strips multibanner regex and keeps only the first banner #}} + {{% macro bash_deregexify_multiple_banners(banner_var_name) -%}} +-{{{ banner_var_name }}}=$(echo "${{{ banner_var_name }}}" | sed 's/(\(.*\)|.*$/\1/g') ++{{{ banner_var_name }}}=$(echo "${{{ banner_var_name }}}" | sed 's/^(\(.*\)|.*)$/\1/g') + {{%- endmacro %}} + + {{# Strips whitespace or newline regex #}} diff --git a/SOURCES/scap-security-guide-0.1.50-ssh_references_PR_5297.patch b/SOURCES/scap-security-guide-0.1.50-ssh_references_PR_5297.patch new file mode 100644 index 0000000..c293cc4 --- /dev/null +++ b/SOURCES/scap-security-guide-0.1.50-ssh_references_PR_5297.patch @@ -0,0 +1,324 @@ +From 287fec018a738821ed62670fd202c3db40ed5300 Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Mon, 16 Mar 2020 19:37:57 +0100 +Subject: [PATCH 1/4] Select rules for SSH and add references + +--- + .../rule.yml | 1 + + .../file_permissions_sshd_pub_key/rule.yml | 1 + + .../ssh/ssh_server/disable_host_auth/rule.yml | 3 +- + .../sshd_disable_empty_passwords/rule.yml | 3 +- + .../ssh_server/sshd_disable_rhosts/rule.yml | 3 +- + .../sshd_disable_root_login/rule.yml | 3 +- + .../sshd_do_not_permit_user_env/rule.yml | 3 +- + .../sshd_enable_warning_banner/rule.yml | 3 +- + .../sshd_enable_x11_forwarding/rule.yml | 3 +- + .../ssh_server/sshd_set_idle_timeout/rule.yml | 3 +- + .../ssh_server/sshd_set_keepalive/rule.yml | 3 +- + .../sshd_set_loglevel_info/rule.yml | 1 + + .../sshd_set_max_auth_tries/rule.yml | 1 + + .../configure_ssh_crypto_policy/rule.yml | 1 + + 15 files changed, 51 insertions(+), 22 deletions(-) + +diff --git a/linux_os/guide/services/ssh/file_permissions_sshd_private_key/rule.yml b/linux_os/guide/services/ssh/file_permissions_sshd_private_key/rule.yml +index b1b7ccabaa..108c9c5ce0 100644 +--- a/linux_os/guide/services/ssh/file_permissions_sshd_private_key/rule.yml ++++ b/linux_os/guide/services/ssh/file_permissions_sshd_private_key/rule.yml +@@ -33,6 +33,7 @@ references: + cobit5: APO01.06,DSS05.04,DSS05.07,DSS06.02 + iso27001-2013: A.10.1.1,A.11.1.4,A.11.1.5,A.11.2.1,A.13.1.1,A.13.1.3,A.13.2.1,A.13.2.3,A.13.2.4,A.14.1.2,A.14.1.3,A.6.1.2,A.7.1.1,A.7.1.2,A.7.3.1,A.8.2.2,A.8.2.3,A.9.1.1,A.9.1.2,A.9.2.3,A.9.4.1,A.9.4.4,A.9.4.5 + cis-csc: 12,13,14,15,16,18,3,5 ++ cis@rhel8: 5.2.3 + + ocil_clause: '{{{ ocil_clause_file_permissions(file="/etc/ssh/*_key", perms="-rw-r-----") }}}' + +diff --git a/linux_os/guide/services/ssh/file_permissions_sshd_pub_key/rule.yml b/linux_os/guide/services/ssh/file_permissions_sshd_pub_key/rule.yml +index da3dead155..714b507db1 100644 +--- a/linux_os/guide/services/ssh/file_permissions_sshd_pub_key/rule.yml ++++ b/linux_os/guide/services/ssh/file_permissions_sshd_pub_key/rule.yml +@@ -28,6 +28,7 @@ references: + cobit5: APO01.06,DSS05.04,DSS05.07,DSS06.02 + iso27001-2013: A.10.1.1,A.11.1.4,A.11.1.5,A.11.2.1,A.13.1.1,A.13.1.3,A.13.2.1,A.13.2.3,A.13.2.4,A.14.1.2,A.14.1.3,A.6.1.2,A.7.1.1,A.7.1.2,A.7.3.1,A.8.2.2,A.8.2.3,A.9.1.1,A.9.1.2,A.9.2.3,A.9.4.1,A.9.4.4,A.9.4.5 + cis-csc: 12,13,14,15,16,18,3,5 ++ cis@rhel8: 5.2.4 + + ocil_clause: '{{{ ocil_clause_file_permissions(file="/etc/ssh/*.pub", perms="-rw-r--r--") }}}' + +diff --git a/linux_os/guide/services/ssh/ssh_server/disable_host_auth/rule.yml b/linux_os/guide/services/ssh/ssh_server/disable_host_auth/rule.yml +index de5580b9f5..9db9fd7516 100644 +--- a/linux_os/guide/services/ssh/ssh_server/disable_host_auth/rule.yml ++++ b/linux_os/guide/services/ssh/ssh_server/disable_host_auth/rule.yml +@@ -27,7 +27,8 @@ references: + stigid@rhel6: "000236" + srg@rhel6: SRG-OS-000106 + disa@rhel6: 765,766 +- cis: 5.2.7 ++ cis@rhel8: 5.2.7 ++ cis@rhel8: 5.2.9 + cjis: 5.5.6 + cui: 3.1.12 + disa: "366" +diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_empty_passwords/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_disable_empty_passwords/rule.yml +index 25908a4e4d..b9bbe1e48e 100644 +--- a/linux_os/guide/services/ssh/ssh_server/sshd_disable_empty_passwords/rule.yml ++++ b/linux_os/guide/services/ssh/ssh_server/sshd_disable_empty_passwords/rule.yml +@@ -28,7 +28,8 @@ references: + stigid@rhel6: "000239" + srg@rhel6: SRG-OS-000106 + disa@rhel6: 765,766 +- cis: 5.2.9 ++ cis@rhel7: 5.2.9 ++ cis@rhel8: 5.2.11 + cjis: 5.5.6 + cui: 3.1.1,3.1.5 + disa: "366" +diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_rhosts/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_disable_rhosts/rule.yml +index fd960a55ae..3a5d16c052 100644 +--- a/linux_os/guide/services/ssh/ssh_server/sshd_disable_rhosts/rule.yml ++++ b/linux_os/guide/services/ssh/ssh_server/sshd_disable_rhosts/rule.yml +@@ -27,7 +27,8 @@ references: + stigid@rhel6: "000234" + srg@rhel6: SRG-OS-000106 + disa@rhel6: 765,766 +- cis: 5.2.6 ++ ci@rhel8s: 5.2.6 ++ ci@rhel8s: 5.2.8 + cjis: 5.5.6 + cui: 3.1.12 + disa: "366" +diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_root_login/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_disable_root_login/rule.yml +index 8b9cba960f..c6e7d7986c 100644 +--- a/linux_os/guide/services/ssh/ssh_server/sshd_disable_root_login/rule.yml ++++ b/linux_os/guide/services/ssh/ssh_server/sshd_disable_root_login/rule.yml +@@ -28,7 +28,8 @@ references: + stigid@rhel6: "000237" + srg@rhel6: SRG-OS-000109 + disa@rhel6: '770' +- cis: 5.2.8 ++ cis@rhel7: 5.2.8 ++ cis@rhel8: 5.2.10 + cjis: 5.5.6 + cui: '3.1.1,3.1.5' + disa: 366,770 +diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_do_not_permit_user_env/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_do_not_permit_user_env/rule.yml +index f25d2a690a..f1a09a1b8d 100644 +--- a/linux_os/guide/services/ssh/ssh_server/sshd_do_not_permit_user_env/rule.yml ++++ b/linux_os/guide/services/ssh/ssh_server/sshd_do_not_permit_user_env/rule.yml +@@ -23,7 +23,8 @@ references: + stigid@rhel6: "000241" + srg@rhel6: SRG-OS-000242 + disa@rhel6: '1414' +- cis: 5.2.10 ++ cis@rhel7: 5.2.10 ++ cis@rhel8: 5.2.12 + cjis: 5.5.6 + cui: 3.1.12 + disa: "366" +diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_enable_warning_banner/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_enable_warning_banner/rule.yml +index f32287ff7c..4aa26eeb90 100644 +--- a/linux_os/guide/services/ssh/ssh_server/sshd_enable_warning_banner/rule.yml ++++ b/linux_os/guide/services/ssh/ssh_server/sshd_enable_warning_banner/rule.yml +@@ -25,7 +25,8 @@ identifiers: + references: + stigid@rhel6: "000240" + srg@rhel6: SRG-OS-000023 +- cis: 5.2.16 ++ cis@rhel7: 5.2.15 ++ cis@rhel8: 5.2.15 + cjis: 5.5.6 + cui: 3.1.9 + disa: 48,50,1384,1385,1386,1387,1388 +diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_enable_x11_forwarding/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_enable_x11_forwarding/rule.yml +index 5d50c2ed07..5fdca265fa 100644 +--- a/linux_os/guide/services/ssh/ssh_server/sshd_enable_x11_forwarding/rule.yml ++++ b/linux_os/guide/services/ssh/ssh_server/sshd_enable_x11_forwarding/rule.yml +@@ -22,7 +22,8 @@ identifiers: + cce@rhel8: 82421-9 + + references: +- cis: 5.2.4 ++ cis@rhel7: 5.2.4 ++ cis@rhel8: 5.2.6 + cui: 3.1.13 + disa: "366" + nist: CM-6(a),AC-17(a),AC-17(2) +diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/rule.yml +index 7cf263bef4..347610cd6f 100644 +--- a/linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/rule.yml ++++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/rule.yml +@@ -34,7 +34,8 @@ references: + stigid@rhel6: "000230" + srg@rhel6: SRG-OS-000163 + disa@rhel6: '879' +- cis: 5.2.12 ++ cis@rhel7: 5.2.12 ++ cis@rhel8: 5.2.13 + cjis: 5.5.6 + cui: 3.1.11 + disa: 879,1133,2361 +diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/rule.yml +index cc9f62b0af..65aac90ace 100644 +--- a/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/rule.yml ++++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/rule.yml +@@ -23,7 +23,8 @@ references: + stigid@rhel6: "000231" + srg@rhel6: SRG-OS-000126 + disa@rhel6: '879' +- cis: 5.2.12 ++ cis@rhel7: 5.2.12 ++ cis@rhel8: 5.2.13 + cjis: 5.5.6 + cui: 3.1.11 + disa: 879,1133,2361 +diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_loglevel_info/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_set_loglevel_info/rule.yml +index 26eca336b2..e9e84cdf9b 100644 +--- a/linux_os/guide/services/ssh/ssh_server/sshd_set_loglevel_info/rule.yml ++++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_loglevel_info/rule.yml +@@ -26,6 +26,7 @@ references: + cis@debian8: 9.3.2 + cis@debian10: 9.3.2 + cis@rhel7: 5.2.3 ++ cis@rhel8: 5.2.5 + nist: AC-17(a),CM-6(a) + + ocil_clause: 'it is commented out or is not enabled' +diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/rule.yml +index 6fd7a4b6bd..1661b78773 100644 +--- a/linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/rule.yml ++++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/rule.yml +@@ -21,6 +21,7 @@ references: + cis@debian8: 9.3.5 + cis@debian9: 9.3.5 + cis@rhel7: 5.2.5 ++ cis@rhel8: 5.2.7 + + ocil_clause: 'it is commented out or not configured properly' + +diff --git a/linux_os/guide/system/software/integrity/crypto/configure_ssh_crypto_policy/rule.yml b/linux_os/guide/system/software/integrity/crypto/configure_ssh_crypto_policy/rule.yml +index b9d8b06028..db5ce07f0e 100644 +--- a/linux_os/guide/system/software/integrity/crypto/configure_ssh_crypto_policy/rule.yml ++++ b/linux_os/guide/system/software/integrity/crypto/configure_ssh_crypto_policy/rule.yml +@@ -23,6 +23,7 @@ identifiers: + + references: + nist: AC-17(a),AC-17(2),CM-6(a),MA-4(6),SC-13 ++ cis@rhel8: 5.2.20 + + ocil_clause: 'the CRYPTO_POLICY variable is not set or is commented in the /etc/sysconfig/sshd' + +From 74741eeab94571d881faf27221c75b2b3ea98c0f Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Tue, 17 Mar 2020 15:08:50 +0100 +Subject: [PATCH 2/4] Fix typos in CIS references + +--- + .../guide/services/ssh/ssh_server/disable_host_auth/rule.yml | 2 +- + .../services/ssh/ssh_server/sshd_disable_rhosts/rule.yml | 4 ++-- + 2 files changed, 3 insertions(+), 3 deletions(-) + +diff --git a/linux_os/guide/services/ssh/ssh_server/disable_host_auth/rule.yml b/linux_os/guide/services/ssh/ssh_server/disable_host_auth/rule.yml +index 9db9fd7516..d19bfd4538 100644 +--- a/linux_os/guide/services/ssh/ssh_server/disable_host_auth/rule.yml ++++ b/linux_os/guide/services/ssh/ssh_server/disable_host_auth/rule.yml +@@ -27,7 +27,7 @@ references: + stigid@rhel6: "000236" + srg@rhel6: SRG-OS-000106 + disa@rhel6: 765,766 +- cis@rhel8: 5.2.7 ++ cis@rhel7: 5.2.7 + cis@rhel8: 5.2.9 + cjis: 5.5.6 + cui: 3.1.12 +diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_rhosts/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_disable_rhosts/rule.yml +index 3a5d16c052..5dafad7462 100644 +--- a/linux_os/guide/services/ssh/ssh_server/sshd_disable_rhosts/rule.yml ++++ b/linux_os/guide/services/ssh/ssh_server/sshd_disable_rhosts/rule.yml +@@ -27,8 +27,8 @@ references: + stigid@rhel6: "000234" + srg@rhel6: SRG-OS-000106 + disa@rhel6: 765,766 +- ci@rhel8s: 5.2.6 +- ci@rhel8s: 5.2.8 ++ cis@rhel7: 5.2.6 ++ cis@rhel8: 5.2.8 + cjis: 5.5.6 + cui: 3.1.12 + disa: "366" + +From 65f019d15c73a2d4f081a1506939d862bda946cf Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Tue, 17 Mar 2020 19:43:16 +0100 +Subject: [PATCH 3/4] Update CIS references for sshd_config + +--- + .../guide/services/ssh/file_groupowner_sshd_config/rule.yml | 3 ++- + linux_os/guide/services/ssh/file_owner_sshd_config/rule.yml | 3 ++- + .../guide/services/ssh/file_permissions_sshd_config/rule.yml | 3 ++- + 3 files changed, 6 insertions(+), 3 deletions(-) + +diff --git a/linux_os/guide/services/ssh/file_groupowner_sshd_config/rule.yml b/linux_os/guide/services/ssh/file_groupowner_sshd_config/rule.yml +index a9c09765d0..e53ac9d6b9 100644 +--- a/linux_os/guide/services/ssh/file_groupowner_sshd_config/rule.yml ++++ b/linux_os/guide/services/ssh/file_groupowner_sshd_config/rule.yml +@@ -21,7 +21,8 @@ identifiers: + cce@rhel8: 82901-0 + + references: +- cis: 5.2.1 ++ cis@rhel7: 5.2.1 ++ cis@rhel8: 5.2.1 + nist: AC-17(a),CM-6(a),AC-6(1) + nist-csf: PR.AC-4,PR.DS-5 + srg: SRG-OS-000480-GPOS-00227 +diff --git a/linux_os/guide/services/ssh/file_owner_sshd_config/rule.yml b/linux_os/guide/services/ssh/file_owner_sshd_config/rule.yml +index 5a80d04763..ca1cc19eeb 100644 +--- a/linux_os/guide/services/ssh/file_owner_sshd_config/rule.yml ++++ b/linux_os/guide/services/ssh/file_owner_sshd_config/rule.yml +@@ -21,7 +21,8 @@ identifiers: + cce@rhel8: 82898-8 + + references: +- cis: 5.2.1 ++ cis@rhel7: 5.2.1 ++ cis@rhel8: 5.2.1 + nist: AC-17(a),CM-6(a),AC-6(1) + nist-csf: PR.AC-4,PR.DS-5 + srg: SRG-OS-000480-GPOS-00227 +diff --git a/linux_os/guide/services/ssh/file_permissions_sshd_config/rule.yml b/linux_os/guide/services/ssh/file_permissions_sshd_config/rule.yml +index 13bdab401e..e40868dac4 100644 +--- a/linux_os/guide/services/ssh/file_permissions_sshd_config/rule.yml ++++ b/linux_os/guide/services/ssh/file_permissions_sshd_config/rule.yml +@@ -21,7 +21,8 @@ identifiers: + cce@rhel8: 82894-7 + + references: +- cis: 5.2.1 ++ cis@rhel7: 5.2.1 ++ cis@rhel8: 5.2.1 + nist: AC-17(a),CM-6(a),AC-6(1) + nist-csf: PR.AC-4,PR.DS-5 + srg: SRG-OS-000480-GPOS-00227 + +From 9b9f7978409f23775f623d1c398f5b448ac73c94 Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Thu, 19 Mar 2020 13:17:03 +0100 +Subject: [PATCH 4/4] Remove incorrect rule selection and its references + +Policy would like X11 forwarding disabled, not enabled. +--- + .../services/ssh/ssh_server/sshd_enable_x11_forwarding/rule.yml | 2 -- + 2 files changed, 1 insertion(+), 3 deletions(-) + +diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_enable_x11_forwarding/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_enable_x11_forwarding/rule.yml +index 5fdca265fa..4dedae6e8b 100644 +--- a/linux_os/guide/services/ssh/ssh_server/sshd_enable_x11_forwarding/rule.yml ++++ b/linux_os/guide/services/ssh/ssh_server/sshd_enable_x11_forwarding/rule.yml +@@ -22,8 +22,6 @@ identifiers: + cce@rhel8: 82421-9 + + references: +- cis@rhel7: 5.2.4 +- cis@rhel8: 5.2.6 + cui: 3.1.13 + disa: "366" + nist: CM-6(a),AC-17(a),AC-17(2) diff --git a/SOURCES/scap-security-guide-0.1.50-sshd_allow_p2.patch b/SOURCES/scap-security-guide-0.1.50-sshd_allow_p2.patch new file mode 100644 index 0000000..f1061b2 --- /dev/null +++ b/SOURCES/scap-security-guide-0.1.50-sshd_allow_p2.patch @@ -0,0 +1,137 @@ +From 1d9a85c7b4e2f168d48884db10c7c71a534588d2 Mon Sep 17 00:00:00 2001 +From: Vojtech Polasek +Date: Tue, 14 Apr 2020 16:38:09 +0200 +Subject: [PATCH 1/2] sshd_allow_only_protocol2 revert from template to + individual check and remediations + +--- + .../ansible/shared.yml | 6 +++ + .../sshd_allow_only_protocol2/bash/shared.sh | 6 +++ + .../sshd_allow_only_protocol2/oval/shared.xml | 45 +++++++++++++++++++ + .../sshd_allow_only_protocol2/rule.yml | 8 ---- + 4 files changed, 57 insertions(+), 8 deletions(-) + create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_allow_only_protocol2/ansible/shared.yml + create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_allow_only_protocol2/bash/shared.sh + create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_allow_only_protocol2/oval/shared.xml + +diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_allow_only_protocol2/ansible/shared.yml b/linux_os/guide/services/ssh/ssh_server/sshd_allow_only_protocol2/ansible/shared.yml +new file mode 100644 +index 0000000000..39102e5d78 +--- /dev/null ++++ b/linux_os/guide/services/ssh/ssh_server/sshd_allow_only_protocol2/ansible/shared.yml +@@ -0,0 +1,6 @@ ++# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv ++# reboot = false ++# strategy = restrict ++# complexity = low ++# disruption = low ++{{{ ansible_sshd_set(parameter="Protocol", value="2") }}} +diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_allow_only_protocol2/bash/shared.sh b/linux_os/guide/services/ssh/ssh_server/sshd_allow_only_protocol2/bash/shared.sh +new file mode 100644 +index 0000000000..590e96d150 +--- /dev/null ++++ b/linux_os/guide/services/ssh/ssh_server/sshd_allow_only_protocol2/bash/shared.sh +@@ -0,0 +1,6 @@ ++# platform = multi_platform_rhel,multi_platform_ol,multi_platform_rhv ++ ++# Include source function library. ++. /usr/share/scap-security-guide/remediation_functions ++ ++replace_or_append '/etc/ssh/sshd_config' '^Protocol' '2' '@CCENUM@' '%s %s' +diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_allow_only_protocol2/oval/shared.xml b/linux_os/guide/services/ssh/ssh_server/sshd_allow_only_protocol2/oval/shared.xml +new file mode 100644 +index 0000000000..948c40561c +--- /dev/null ++++ b/linux_os/guide/services/ssh/ssh_server/sshd_allow_only_protocol2/oval/shared.xml +@@ -0,0 +1,45 @@ ++ ++ ++ ++ Ensure Only Protocol 2 Connections Allowed ++ ++ multi_platform_wrlinux ++ multi_platform_rhel ++ multi_platform_rhv ++ multi_platform_debian ++ multi_platform_ubuntu ++ multi_platform_ol ++ ++ The OpenSSH daemon should be running protocol 2. ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ /etc/ssh/sshd_config ++ ^[\s]*(?i)Protocol[\s]+2[\s]*(?:|(?:#.*))?$ ++ 1 ++ ++ +diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_allow_only_protocol2/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_allow_only_protocol2/rule.yml +index c0cb97c9e8..2c91fd0c36 100644 +--- a/linux_os/guide/services/ssh/ssh_server/sshd_allow_only_protocol2/rule.yml ++++ b/linux_os/guide/services/ssh/ssh_server/sshd_allow_only_protocol2/rule.yml +@@ -62,11 +62,3 @@ warnings: + As of openssh-server version 7.4 and above, the only protocol + supported is version 2, and line 
Protocol 2
in + /etc/ssh/sshd_config is not necessary. +- +-template: +- name: sshd_lineinfile +- vars: +- missing_parameter_pass: 'false' +- parameter: Protocol +- rule_id: sshd_allow_only_protocol2 +- value: '2' + +From 4993ccd288caa17aad8888b065cfbff605ff1c24 Mon Sep 17 00:00:00 2001 +From: Vojtech Polasek +Date: Wed, 15 Apr 2020 09:56:35 +0200 +Subject: [PATCH 2/2] add oval_affected jinja macro + +--- + .../ssh_server/sshd_allow_only_protocol2/oval/shared.xml | 9 +-------- + 1 file changed, 1 insertion(+), 8 deletions(-) + +diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_allow_only_protocol2/oval/shared.xml b/linux_os/guide/services/ssh/ssh_server/sshd_allow_only_protocol2/oval/shared.xml +index 948c40561c..e1a4ee4448 100644 +--- a/linux_os/guide/services/ssh/ssh_server/sshd_allow_only_protocol2/oval/shared.xml ++++ b/linux_os/guide/services/ssh/ssh_server/sshd_allow_only_protocol2/oval/shared.xml +@@ -2,14 +2,7 @@ + + + Ensure Only Protocol 2 Connections Allowed +- +- multi_platform_wrlinux +- multi_platform_rhel +- multi_platform_rhv +- multi_platform_debian +- multi_platform_ubuntu +- multi_platform_ol +- ++ {{{- oval_affected(products) }}} + The OpenSSH daemon should be running protocol 2. + + +Date: Tue, 17 Mar 2020 15:54:35 +0100 +Subject: [PATCH 1/2] Select rules for system file permissions + +And update references for these rules +--- + .../rule.yml | 3 +- + .../rule.yml | 3 +- + .../rule.yml | 3 +- + .../file_permissions_ungroupowned/rule.yml | 3 +- + .../files/no_files_unowned_by_user/rule.yml | 3 +- + .../file_groupowner_etc_group/rule.yml | 3 +- + .../file_groupowner_etc_gshadow/rule.yml | 3 +- + .../file_groupowner_etc_passwd/rule.yml | 3 +- + .../file_groupowner_etc_shadow/rule.yml | 3 +- + .../file_owner_etc_group/rule.yml | 3 +- + .../file_owner_etc_gshadow/rule.yml | 3 +- + .../file_owner_etc_passwd/rule.yml | 3 +- + .../file_owner_etc_shadow/rule.yml | 3 +- + .../file_permissions_etc_group/rule.yml | 3 +- + .../file_permissions_etc_gshadow/rule.yml | 3 +- + .../file_permissions_etc_passwd/rule.yml | 3 +- + .../file_permissions_etc_shadow/rule.yml | 3 +- + 18 files changed, 74 insertions(+), 18 deletions(-) + +diff --git a/linux_os/guide/system/permissions/files/file_permissions_unauthorized_sgid/rule.yml b/linux_os/guide/system/permissions/files/file_permissions_unauthorized_sgid/rule.yml +index 32c176d67f..fb00519f64 100644 +--- a/linux_os/guide/system/permissions/files/file_permissions_unauthorized_sgid/rule.yml ++++ b/linux_os/guide/system/permissions/files/file_permissions_unauthorized_sgid/rule.yml +@@ -31,7 +31,8 @@ identifiers: + + references: + anssi: NT28(R37),NT28(R38) +- cis: 6.1.14 ++ cis@rhel7: 6.1.14 ++ cis@rhel8: 6.1.14 + nist: CM-6(a),AC-6(1) + nist-csf: PR.AC-4,PR.DS-5 + isa-62443-2013: 'SR 2.1,SR 5.2' +diff --git a/linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/rule.yml b/linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/rule.yml +index ae5f1307ce..3c7898b912 100644 +--- a/linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/rule.yml ++++ b/linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/rule.yml +@@ -31,7 +31,8 @@ identifiers: + + references: + anssi: NT28(R37),NT28(R38) +- cis: 6.1.13 ++ cis@rhel7: 6.1.13 ++ cis@rhel8: 6.1.13 + nist: CM-6(a),AC-6(1) + nist-csf: PR.AC-4,PR.DS-5 + isa-62443-2013: 'SR 2.1,SR 5.2' +diff --git a/linux_os/guide/system/permissions/files/file_permissions_unauthorized_world_writable/rule.yml b/linux_os/guide/system/permissions/files/file_permissions_unauthorized_world_writable/rule.yml +index c70b7989c6..871da04b77 100644 +--- a/linux_os/guide/system/permissions/files/file_permissions_unauthorized_world_writable/rule.yml ++++ b/linux_os/guide/system/permissions/files/file_permissions_unauthorized_world_writable/rule.yml +@@ -28,7 +28,8 @@ identifiers: + references: + stigid@rhel6: "000282" + srg@rhel6: SRG-OS-999999 +- cis: 6.1.10 ++ cis@rhel7: 6.1.10 ++ cis@rhel8: 6.1.10 + nist: CM-6(a),AC-6(1) + nist-csf: PR.AC-4,PR.DS-5 + isa-62443-2013: 'SR 2.1,SR 5.2' +diff --git a/linux_os/guide/system/permissions/files/file_permissions_ungroupowned/rule.yml b/linux_os/guide/system/permissions/files/file_permissions_ungroupowned/rule.yml +index e51cd7e1ea..2fe8c27da3 100644 +--- a/linux_os/guide/system/permissions/files/file_permissions_ungroupowned/rule.yml ++++ b/linux_os/guide/system/permissions/files/file_permissions_ungroupowned/rule.yml +@@ -27,7 +27,8 @@ identifiers: + + references: + disa@rhel6: '224' +- cis: 6.1.12 ++ cis@rhel7: 6.1.12 ++ cis@rhel8: 6.1.12 + disa: "02165" + nist: CM-6(a),AC-6(1) + nist-csf: PR.AC-1,PR.AC-4,PR.AC-6,PR.AC-7,PR.DS-5,PR.PT-3 +diff --git a/linux_os/guide/system/permissions/files/no_files_unowned_by_user/rule.yml b/linux_os/guide/system/permissions/files/no_files_unowned_by_user/rule.yml +index f2fb1f2d20..a8bf12ff81 100644 +--- a/linux_os/guide/system/permissions/files/no_files_unowned_by_user/rule.yml ++++ b/linux_os/guide/system/permissions/files/no_files_unowned_by_user/rule.yml +@@ -27,7 +27,8 @@ identifiers: + + references: + disa@rhel6: '224' +- cis: 6.1.11 ++ cis@rhel7: 6.1.11 ++ cis@rhel8: 6.1.11 + disa: "002165" + nist: CM-6(a),AC-6(1) + nist-csf: PR.AC-4,PR.AC-6,PR.DS-5,PR.IP-1,PR.PT-3 +diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_etc_group/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_etc_group/rule.yml +index 5ffa26b0f2..53301cbbf5 100644 +--- a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_etc_group/rule.yml ++++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_etc_group/rule.yml +@@ -19,7 +19,8 @@ references: + stigid@rhel6: "000043" + srg@rhel6: SRG-OS-999999 + disa@rhel6: '225' +- cis: 6.1.4 ++ cis@rhel7: 6.1.4 ++ cis@rhel8: 6.1.4 + cjis: 5.5.2.2 + nist: CM-6(a),AC-6(1) + nist-csf: PR.AC-4,PR.DS-5 +diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_etc_gshadow/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_etc_gshadow/rule.yml +index 6c770216f1..c2e12377ef 100644 +--- a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_etc_gshadow/rule.yml ++++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_etc_gshadow/rule.yml +@@ -19,7 +19,8 @@ references: + stigid@rhel6: "000037" + srg@rhel6: SRG-OS-999999 + disa@rhel6: '225' +- cis: 6.1.5 ++ cis@rhel7: 6.1.5 ++ cis@rhel8: 6.1.5 + nist: CM-6(a),AC-6(1) + nist-csf: PR.AC-4,PR.DS-5 + isa-62443-2013: 'SR 2.1,SR 5.2' +diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_etc_passwd/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_etc_passwd/rule.yml +index ad9814e836..86e2e6c25c 100644 +--- a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_etc_passwd/rule.yml ++++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_etc_passwd/rule.yml +@@ -19,7 +19,8 @@ references: + stigid@rhel6: "000040" + srg@rhel6: SRG-OS-999999 + disa@rhel6: '225' +- cis: 6.1.2 ++ cis@rhel7: 6.1.2 ++ cis@rhel8: 6.1.2 + cjis: 5.5.2.2 + nist: CM-6(a),AC-6(1) + nist-csf: PR.AC-4,PR.DS-5 +diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_etc_shadow/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_etc_shadow/rule.yml +index 5147551c0f..d8a9d04142 100644 +--- a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_etc_shadow/rule.yml ++++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_etc_shadow/rule.yml +@@ -19,7 +19,8 @@ references: + stigid@rhel6: "000034" + srg@rhel6: SRG-OS-999999 + disa@rhel6: '225' +- cis: 6.1.3 ++ cis@rhel7: 6.1.3 ++ cis@rhel8: 6.1.3 + cjis: 5.5.2.2 + nist: CM-6(a),AC-6(1) + nist-csf: PR.AC-4,PR.DS-5 +diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_etc_group/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_etc_group/rule.yml +index 48cbe081be..ee0433c568 100644 +--- a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_etc_group/rule.yml ++++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_etc_group/rule.yml +@@ -18,7 +18,8 @@ identifiers: + references: + stigid@rhel6: "000042" + srg@rhel6: SRG-OS-999999 +- cis: 6.1.4 ++ cis@rhel7: 6.1.4 ++ cis@rhel8: 6.1.4 + cjis: 5.5.2.2 + nist: CM-6(a),AC-6(1) + nist-csf: PR.AC-4,PR.DS-5 +diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_etc_gshadow/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_etc_gshadow/rule.yml +index a1e65af70a..39f1b83381 100644 +--- a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_etc_gshadow/rule.yml ++++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_etc_gshadow/rule.yml +@@ -19,7 +19,8 @@ references: + stigid@rhel6: "000036" + srg@rhel6: SRG-OS-999999 + disa@rhel6: '366' +- cis: 6.1.5 ++ cis@rhel7: 6.1.5 ++ cis@rhel8: 6.1.5 + nist: CM-6(a),AC-6(1) + nist-csf: PR.AC-4,PR.DS-5 + isa-62443-2013: 'SR 2.1,SR 5.2' +diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_etc_passwd/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_etc_passwd/rule.yml +index 9b5048001e..e19de1bba2 100644 +--- a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_etc_passwd/rule.yml ++++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_etc_passwd/rule.yml +@@ -19,7 +19,8 @@ references: + stigid@rhel6: "000039" + srg@rhel6: SRG-OS-999999 + disa@rhel6: '225' +- cis: 6.1.2 ++ cis@rhel7: 6.1.2 ++ cis@rhel8: 6.1.2 + cjis: 5.5.2.2 + nist: CM-6(a),AC-6(1) + nist-csf: PR.AC-4,PR.DS-5 +diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_etc_shadow/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_etc_shadow/rule.yml +index cf8e6e4a3e..989cb11c62 100644 +--- a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_etc_shadow/rule.yml ++++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_etc_shadow/rule.yml +@@ -22,7 +22,8 @@ references: + stigid@rhel6: "000033" + srg@rhel6: SRG-OS-999999 + disa@rhel6: '225' +- cis: 6.1.3 ++ cis@rhel7: 6.1.3 ++ cis@rhel8: 6.1.3 + cjis: 5.5.2.2 + nist: CM-6(a),AC-6(1) + nist-csf: PR.AC-4,PR.DS-5 +diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_etc_group/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_etc_group/rule.yml +index 8e5f39a13e..38ff43d62c 100644 +--- a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_etc_group/rule.yml ++++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_etc_group/rule.yml +@@ -20,7 +20,8 @@ references: + stigid@rhel6: "000044" + srg@rhel6: SRG-OS-999999 + disa@rhel6: '225' +- cis: 6.1.4 ++ cis@rhel7: 6.1.4 ++ cis@rhel8: 6.1.4 + cjis: 5.5.2.2 + nist: CM-6(a),AC-6(1) + nist-csf: PR.AC-4,PR.DS-5 +diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_etc_gshadow/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_etc_gshadow/rule.yml +index c8d8c8a73c..d1ed4475fb 100644 +--- a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_etc_gshadow/rule.yml ++++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_etc_gshadow/rule.yml +@@ -21,7 +21,8 @@ references: + stigid@rhel6: "000038" + srg@rhel6: SRG-OS-999999 + disa@rhel6: '225' +- cis: 6.1.5 ++ cis@rhel7: 6.1.5 ++ cis@rhel8: 6.1.5 + nist: CM-6(a),AC-6(1) + nist-csf: PR.AC-4,PR.DS-5 + isa-62443-2013: 'SR 2.1,SR 5.2' +diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_etc_passwd/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_etc_passwd/rule.yml +index d72b5277f1..ac48885925 100644 +--- a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_etc_passwd/rule.yml ++++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_etc_passwd/rule.yml +@@ -22,7 +22,8 @@ references: + stigid@rhel6: "000041" + srg@rhel6: SRG-OS-999999 + disa@rhel6: '225' +- cis: 6.1.2 ++ cis@rhel7: 6.1.2 ++ cis@rhel8: 6.1.2 + cjis: 5.5.2.2 + nist: CM-6(a),AC-6(1) + nist-csf: PR.AC-4,PR.DS-5 +diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_etc_shadow/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_etc_shadow/rule.yml +index 7ec0b092f5..61f4fb6cce 100644 +--- a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_etc_shadow/rule.yml ++++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_etc_shadow/rule.yml +@@ -24,7 +24,8 @@ references: + stigid@rhel6: "000035" + srg@rhel6: SRG-OS-999999 + disa@rhel6: '225' +- cis: 6.1.3 ++ cis@rhel7: 6.1.3 ++ cis@rhel8: 6.1.3 + cjis: 5.5.2.2 + nist: CM-6(a),AC-6(1) + nist-csf: PR.AC-4,PR.DS-5 + +From b7f33f79e59d58cf6181e8fdb7879f40f54bb63a Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Tue, 17 Mar 2020 15:56:17 +0100 +Subject: [PATCH 2/2] Update references for rpm_verification rules + +These rule checks whether permission and ownership of all installed +files are according to what the vendor (package provider) expects. + +These rules can contribute to the for specific permissions and +ownerships of specific files, granted the package is aligned with the +rules. +--- + .../rpm_verification/rpm_verify_ownership/rule.yml | 3 ++- + .../rpm_verification/rpm_verify_permissions/rule.yml | 4 +++- + 2 files changed, 5 insertions(+), 2 deletions(-) + +diff --git a/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_ownership/rule.yml b/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_ownership/rule.yml +index 6c3c857442..1503836f75 100644 +--- a/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_ownership/rule.yml ++++ b/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_ownership/rule.yml +@@ -35,7 +35,8 @@ references: + nist-csf@rhel6: PR.DS-6,PR.DS-8 + srg@rhel6: SRG-OS-000257,SRG-OS-000258 + stigid@rhel6: "000279" +- cis: 1.2.6,6.1.3,6.1.4,6.1.5,6.1.6,6.1.7,6.1.8,6.1.9,6.2.3 ++ cis@rhel7: 1.7.1.4,1.7.1.5,1.7.1.6,6.1.1,6.1.2,6.1.3,6.1.4,6.1.5,6.1.6,6.1.7,6.1.8,6.1.9 ++ cis@rhel8: 1.8.1.4,1.8.1.5,1.8.1.6,6.1.1,6.1.2,6.1.3,6.1.4,6.1.5,6.1.6,6.1.7,6.1.8,6.1.9 + cjis: 5.10.4.1 + cui: 3.3.8,3.4.1 + disa: 1494,1496 +diff --git a/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_permissions/rule.yml b/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_permissions/rule.yml +index d6cc546921..1b3dd500b3 100644 +--- a/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_permissions/rule.yml ++++ b/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_permissions/rule.yml +@@ -41,7 +41,9 @@ references: + nist-csf@rhel6: PR.DS-6,PR.IP-8 + srg@rhel6: SRG-OS-999999,SRG-OS-000256 + stigid@rhel6: "000518" +- cis: 1.2.6,6.1.3,6.1.4,6.1.5,6.1.6,6.1.7,6.1.8,6.1.9,6.2.3 ++ cis@rhel7: 1.7.1.4,1.7.1.5,1.7.1.6,6.1.1,6.1.2,6.1.3,6.1.4,6.1.5,6.1.6,6.1.7,6.1.8,6.1.9 ++ cis@rhel8: 1.8.1.4,1.8.1.5,1.8.1.6,6.1.1,6.1.2,6.1.3,6.1.4,6.1.5,6.1.6,6.1.7,6.1.8,6.1.9 ++ + cjis: 5.10.4.1 + cui: 3.3.8,3.4.1 + disa: 1494,1496 diff --git a/SOURCES/scap-security-guide-0.1.50-update_cis_profile_PR_5349.patch b/SOURCES/scap-security-guide-0.1.50-update_cis_profile_PR_5349.patch new file mode 100644 index 0000000..d830eb0 --- /dev/null +++ b/SOURCES/scap-security-guide-0.1.50-update_cis_profile_PR_5349.patch @@ -0,0 +1,94 @@ +From c06a414187f3792413bfc86366e1578d2d22275d Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Wed, 25 Mar 2020 09:48:24 +0100 +Subject: [PATCH 1/3] Select newly developed rules in rhel7 CIS + +--- + rhel7/profiles/cis.profile | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/rhel7/profiles/cis.profile b/rhel7/profiles/cis.profile +index affcf70ce2..06f0a8e3dd 100644 +--- a/rhel7/profiles/cis.profile ++++ b/rhel7/profiles/cis.profile +@@ -300,6 +300,7 @@ selections: + - package_telnet_removed + + ### 2.3.5 Ensure LDAP client is not installed (Scored) ++ - package_openldap-clients_removed + + # 3 Network Configuration + ## 3.1 Network Parameters (Host Only) + +From ec2add9b21d7555134d736a57d729ffa1a537cff Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Wed, 25 Mar 2020 09:51:14 +0100 +Subject: [PATCH 2/3] Select rule to disable wireless interfaces + +Inspired by rhel8 benchmark. +Updated references as well. +--- + .../wireless_software/wireless_disable_interfaces/rule.yml | 1 + + rhel7/profiles/cis.profile | 1 + + 2 files changed, 2 insertions(+) + +diff --git a/linux_os/guide/system/network/network-wireless/wireless_software/wireless_disable_interfaces/rule.yml b/linux_os/guide/system/network/network-wireless/wireless_software/wireless_disable_interfaces/rule.yml +index 76d94fe8f1..f364fbdce6 100644 +--- a/linux_os/guide/system/network/network-wireless/wireless_software/wireless_disable_interfaces/rule.yml ++++ b/linux_os/guide/system/network/network-wireless/wireless_software/wireless_disable_interfaces/rule.yml +@@ -31,7 +31,8 @@ identifiers: + references: + stigid@rhel6: "000293" + stigid@rhel7: "041010" +- cis: 4.3.1 ++ cis@rhel7: "3.7" ++ cis@rhel8: "3.5" + cui: 3.1.16 + disa: 85,2418 + nist: AC-18(a),AC-18(3),CM-7(a),CM-7(b),CM-6(a),MP-7 +diff --git a/rhel7/profiles/cis.profile b/rhel7/profiles/cis.profile +index 06f0a8e3dd..d34d617579 100644 +--- a/rhel7/profiles/cis.profile ++++ b/rhel7/profiles/cis.profile +@@ -393,6 +393,7 @@ selections: + ### 3.6.4 Ensure outbound and established connections are configured (Not Scored) + ### 3.6.5 Ensure firewall rules exist for all open ports (Scored) + ## 3.7 Ensure wireless interfaces are disabled (Not Scored) ++ - wireless_disable_interfaces + + # 4 Logging and Auditing + ## 4.1 Configure System Accounting (auditd) + +From 76f98f39cf9f90009c30e09d9c995402a5b46847 Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Wed, 25 Mar 2020 10:52:58 +0100 +Subject: [PATCH 3/3] Comment out not applicable requirements + +--- + rhel7/profiles/cis.profile | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/rhel7/profiles/cis.profile b/rhel7/profiles/cis.profile +index d34d617579..76506c9369 100644 +--- a/rhel7/profiles/cis.profile ++++ b/rhel7/profiles/cis.profile +@@ -216,8 +216,8 @@ selections: + - package_chrony_installed + + #### 2.2.1.2 Ensure ntp is configured (Scored) +- # restrict is not checkec by rules below +- - chronyd_or_ntpd_specify_remote_server ++ # This requirement is not applicable ++ # This profile opts to use chrony rather than ntp + + #### 2.2.1.3 Ensure chrony is configured (Scored) + - service_chronyd_enabled +@@ -517,6 +517,8 @@ selections: + #### 4.2.2.3 Ensure syslog-ng default file permissions configured (Scored) + #### 4.2.2.4 Ensure syslog-ng is configured to send logs to a remote log host (Not Scored) + #### 4.2.2.5 Ensure remote syslog-ng messages are only accepted on designated log hosts (Not Scored) ++ # Whole section 4.2.2.X is not applicable ++ # This profile opts to use rsyslog rather than syslog-ng + + ### 4.2.3 Ensure rsyslog or syslog-ng is installed (Scored) + - package_rsyslog_installed diff --git a/SOURCES/scap-security-guide-0.1.50-update_sshd_disable_x11_forwarding_PR_5610.patch b/SOURCES/scap-security-guide-0.1.50-update_sshd_disable_x11_forwarding_PR_5610.patch new file mode 100644 index 0000000..3027eaf --- /dev/null +++ b/SOURCES/scap-security-guide-0.1.50-update_sshd_disable_x11_forwarding_PR_5610.patch @@ -0,0 +1,60 @@ +From 9931560aa3bca34cc1a5231b370dc86618ba6d9b Mon Sep 17 00:00:00 2001 +From: Gabriel Becker +Date: Thu, 16 Apr 2020 14:04:40 +0200 +Subject: [PATCH 1/2] Add CCE identifiers to sshd_disable_x11_forwarding. + +--- + .../ssh/ssh_server/sshd_disable_x11_forwarding/rule.yml | 3 +++ + shared/references/cce-redhat-avail.txt | 2 -- + 2 files changed, 3 insertions(+), 2 deletions(-) + +diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/rule.yml +index 09dd808e99..91297a03b9 100644 +--- a/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/rule.yml ++++ b/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/rule.yml +@@ -26,6 +26,9 @@ ocil_clause: "that the X11Forwarding option exists and is enabled" + ocil: |- + {{{ ocil_sshd_option(default="no", option="X11Forwarding", value="no") }}} + ++identifiers: ++ cce@rhel7: 83359-0 ++ cce@rhel8: 83360-8 + + references: + cis@rhel7: 5.2.5 +diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt +index c10448ff8d..cbba06db56 100644 +--- a/shared/references/cce-redhat-avail.txt ++++ b/shared/references/cce-redhat-avail.txt +@@ -50,8 +50,6 @@ CCE-83355-8 + CCE-83356-6 + CCE-83357-4 + CCE-83358-2 +-CCE-83359-0 +-CCE-83360-8 + CCE-83361-6 + CCE-83362-4 + CCE-83363-2 + +From 176d03b11b60c0ae41ace2e95e4bb2688f5ac429 Mon Sep 17 00:00:00 2001 +From: Gabriel Becker +Date: Thu, 16 Apr 2020 14:05:26 +0200 +Subject: [PATCH 2/2] Correct CIS reference number for RHEL7. + +--- + .../ssh/ssh_server/sshd_disable_x11_forwarding/rule.yml | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/rule.yml +index 91297a03b9..23cb0a07f8 100644 +--- a/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/rule.yml ++++ b/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/rule.yml +@@ -31,7 +31,7 @@ identifiers: + cce@rhel8: 83360-8 + + references: +- cis@rhel7: 5.2.5 ++ cis@rhel7: 5.2.4 + cis@rhel8: 5.2.6 + cis@sle12: 5.2.4 + cis@sle15: 5.2.6 diff --git a/SOURCES/scap-security-guide-0.1.50-warn_nonlocal_users_groups.patch b/SOURCES/scap-security-guide-0.1.50-warn_nonlocal_users_groups.patch new file mode 100644 index 0000000..bb43508 --- /dev/null +++ b/SOURCES/scap-security-guide-0.1.50-warn_nonlocal_users_groups.patch @@ -0,0 +1,37 @@ +From 4fc0688db8f97d1ee10bfd5162764ffef57356c9 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= +Date: Wed, 22 Apr 2020 16:58:12 +0200 +Subject: [PATCH] Added a warning to rules about only local user backends being + considered. + +--- + .../permissions/files/file_permissions_ungroupowned/rule.yml | 5 +++++ + .../permissions/files/no_files_unowned_by_user/rule.yml | 5 +++++ + 2 files changed, 10 insertions(+) + +diff --git a/linux_os/guide/system/permissions/files/file_permissions_ungroupowned/rule.yml b/linux_os/guide/system/permissions/files/file_permissions_ungroupowned/rule.yml +index dba303d0ed..e99d035831 100644 +--- a/linux_os/guide/system/permissions/files/file_permissions_ungroupowned/rule.yml ++++ b/linux_os/guide/system/permissions/files/file_permissions_ungroupowned/rule.yml +@@ -53,3 +53,8 @@ ocil: |- + Either remove all files and directories from the system that do not have a valid group, + or assign a valid group with the chgrp command: + 
$ sudo chgrp group file
++ ++warnings: ++ - general: |- ++ This rule only considers local groups. ++ If you have your groups defined outside /etc/group, the rule won't consider those. +diff --git a/linux_os/guide/system/permissions/files/no_files_unowned_by_user/rule.yml b/linux_os/guide/system/permissions/files/no_files_unowned_by_user/rule.yml +index 7cd9b787a4..72bf327519 100644 +--- a/linux_os/guide/system/permissions/files/no_files_unowned_by_user/rule.yml ++++ b/linux_os/guide/system/permissions/files/no_files_unowned_by_user/rule.yml +@@ -54,3 +54,8 @@ ocil: |- + valid user, or assign a valid user to all unowned files and directories on + the system with the chown command: + 
$ sudo chown user file
++ ++warnings: ++ - general: |- ++ This rule only considers local users. ++ If you have your users defined outside /etc/passwd, the rule won't consider those. diff --git a/SOURCES/scap-security-guide-0.1.51-add_ansible_system_shutdown_PR_5761.patch b/SOURCES/scap-security-guide-0.1.51-add_ansible_system_shutdown_PR_5761.patch new file mode 100644 index 0000000..ff529ca --- /dev/null +++ b/SOURCES/scap-security-guide-0.1.51-add_ansible_system_shutdown_PR_5761.patch @@ -0,0 +1,147 @@ +From 2f6ceca58e64ab6c362afef629ac6ac235b0abe9 Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Fri, 15 May 2020 11:52:35 +0200 +Subject: [PATCH 1/4] audit_rules_system_shutdown: Don't remove unrelated line + +Very likey a copy-pasta error from bash remediation for +audit_rules_immutable +--- + .../audit_rules_system_shutdown/bash/shared.sh | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/bash/shared.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/bash/shared.sh +index 1c9748ce9b..b56513cdcd 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/bash/shared.sh ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/bash/shared.sh +@@ -8,7 +8,7 @@ + # files to check if '-f .*' setting is present in that '*.rules' file already. + # If found, delete such occurrence since auditctl(8) manual page instructs the + # '-f 2' rule should be placed as the last rule in the configuration +-find /etc/audit /etc/audit/rules.d -maxdepth 1 -type f -name '*.rules' -exec sed -i '/-e[[:space:]]\+.*/d' {} ';' ++find /etc/audit /etc/audit/rules.d -maxdepth 1 -type f -name '*.rules' -exec sed -i '/-f[[:space:]]\+.*/d' {} ';' + + # Append '-f 2' requirement at the end of both: + # * /etc/audit/audit.rules file (for auditctl case) + +From 189aed2c79620940438fc025a3cb9919cd8ee80a Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Fri, 15 May 2020 12:12:21 +0200 +Subject: [PATCH 2/4] Add Ansible for audit_rules_system_shutdown + +Along with very basic test scenarios +--- + .../ansible/shared.yml | 28 +++++++++++++++++++ + .../tests/augen_correct.pass.sh | 4 +++ + .../tests/augen_e_2_immutable.fail.sh | 3 ++ + 3 files changed, 35 insertions(+) + create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/ansible/shared.yml + create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/tests/augen_correct.pass.sh + create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/tests/augen_e_2_immutable.fail.sh + +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/ansible/shared.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/ansible/shared.yml +new file mode 100644 +index 0000000000..b9e8fa87fa +--- /dev/null ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/ansible/shared.yml +@@ -0,0 +1,28 @@ ++# platform = multi_platform_all ++# reboot = true ++# strategy = restrict ++# complexity = low ++# disruption = low ++ ++- name: Collect all files from /etc/audit/rules.d with .rules extension ++ find: ++ paths: "/etc/audit/rules.d/" ++ patterns: "*.rules" ++ register: find_rules_d ++ ++- name: Remove the -f option from all Audit config files ++ lineinfile: ++ path: "{{ item }}" ++ regexp: '^\s*(?:-f)\s+.*$' ++ state: absent ++ loop: "{{ find_rules_d.files | map(attribute='path') | list + ['/etc/audit/audit.rules'] }}" ++ ++- name: Add Audit -f option into /etc/audit/rules.d/immutable.rules and /etc/audit/audit.rules ++ lineinfile: ++ path: "{{ item }}" ++ create: True ++ line: "-f 2" ++ loop: ++ - "/etc/audit/audit.rules" ++ - "/etc/audit/rules.d/immutable.rules" ++ +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/tests/augen_correct.pass.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/tests/augen_correct.pass.sh +new file mode 100644 +index 0000000000..0587b937e0 +--- /dev/null ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/tests/augen_correct.pass.sh +@@ -0,0 +1,4 @@ ++#!/bin/bash ++ ++echo "-e 2" > /etc/audit/rules.d/immutable.rules ++echo "-f 2" >> /etc/audit/rules.d/immutable.rules +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/tests/augen_e_2_immutable.fail.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/tests/augen_e_2_immutable.fail.sh +new file mode 100644 +index 0000000000..fa5b7231df +--- /dev/null ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/tests/augen_e_2_immutable.fail.sh +@@ -0,0 +1,3 @@ ++#!/bin/bash ++ ++echo "-e 2" > /etc/audit/rules.d/immutable.rules + +From d693af1e00521d85b5745001aa13860bdac16632 Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Fri, 15 May 2020 14:06:08 +0200 +Subject: [PATCH 3/4] Clarify audit_rules_immutable Ansible task name + +--- + .../audit_rules_immutable/ansible/shared.yml | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_immutable/ansible/shared.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_immutable/ansible/shared.yml +index 5ac7b3dabb..1cafb744cc 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_immutable/ansible/shared.yml ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_immutable/ansible/shared.yml +@@ -17,7 +17,7 @@ + state: absent + loop: "{{ find_rules_d.files | map(attribute='path') | list + ['/etc/audit/audit.rules'] }}" + +-- name: Insert configuration into /etc/audit/rules.d/immutable.rules and /etc/audit/audit.rules ++- name: Add Audit -e option into /etc/audit/rules.d/immutable.rules and /etc/audit/audit.rules + lineinfile: + path: "{{ item }}" + create: True + +From 92d38c1968059e53e3ab20f46f5ce0885a989aee Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Tue, 19 May 2020 11:02:56 +0200 +Subject: [PATCH 4/4] Remove misleading comments in system shutdown fix + +--- + .../audit_rules_system_shutdown/bash/shared.sh | 8 -------- + 1 file changed, 8 deletions(-) + +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/bash/shared.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/bash/shared.sh +index b56513cdcd..a349bb1ca1 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/bash/shared.sh ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/bash/shared.sh +@@ -4,16 +4,8 @@ + # + # /etc/audit/audit.rules, (for auditctl case) + # /etc/audit/rules.d/*.rules (for augenrules case) +-# +-# files to check if '-f .*' setting is present in that '*.rules' file already. +-# If found, delete such occurrence since auditctl(8) manual page instructs the +-# '-f 2' rule should be placed as the last rule in the configuration + find /etc/audit /etc/audit/rules.d -maxdepth 1 -type f -name '*.rules' -exec sed -i '/-f[[:space:]]\+.*/d' {} ';' + +-# Append '-f 2' requirement at the end of both: +-# * /etc/audit/audit.rules file (for auditctl case) +-# * /etc/audit/rules.d/immutable.rules (for augenrules case) +- + for AUDIT_FILE in "/etc/audit/audit.rules" "/etc/audit/rules.d/immutable.rules" + do + echo '' >> $AUDIT_FILE diff --git a/SOURCES/scap-security-guide-0.1.51-add_cis_attributions_PR_5779.patch b/SOURCES/scap-security-guide-0.1.51-add_cis_attributions_PR_5779.patch new file mode 100644 index 0000000..ec364a5 --- /dev/null +++ b/SOURCES/scap-security-guide-0.1.51-add_cis_attributions_PR_5779.patch @@ -0,0 +1,29 @@ +From 0cf31f2a9741533b98cc143ca35f589a712bd6a6 Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Thu, 21 May 2020 18:16:43 +0200 +Subject: [PATCH] Attribute content to CIS + +And update the description a bit. +--- + rhel7/profiles/cis.profile | 8 +++++--- + 2 files changed, 10 insertions(+), 6 deletions(-) + +diff --git a/rhel7/profiles/cis.profile b/rhel7/profiles/cis.profile +index 0826a49547..829c388133 100644 +--- a/rhel7/profiles/cis.profile ++++ b/rhel7/profiles/cis.profile +@@ -3,9 +3,11 @@ documentation_complete: true + title: 'CIS Red Hat Enterprise Linux 7 Benchmark' + + description: |- +- This baseline aligns to the Center for Internet Security +- Red Hat Enterprise Linux 7 Benchmark, v2.2.0, released +- 12-27-2017. ++ This profile defines a baseline that aligns to the Center for Internet Security® ++ Red Hat Enterprise Linux 7 Benchmark™, v2.2.0, released 12-27-2017. ++ ++ This profile includes Center for Internet Security® ++ Red Hat Enterprise Linux 7 CIS Benchmarks™ content. + + selections: + # Necessary for dconf rules diff --git a/SOURCES/scap-security-guide-0.1.51-add_hipaa_kickstarts_PR_5783.patch b/SOURCES/scap-security-guide-0.1.51-add_hipaa_kickstarts_PR_5783.patch new file mode 100644 index 0000000..620c19d --- /dev/null +++ b/SOURCES/scap-security-guide-0.1.51-add_hipaa_kickstarts_PR_5783.patch @@ -0,0 +1,141 @@ +From b23fc7fe3244128940f7b1f79ad4cde13d7b62eb Mon Sep 17 00:00:00 2001 +From: Vojtech Polasek +Date: Mon, 25 May 2020 12:17:48 +0200 +Subject: [PATCH] add hipaa kickstarts for rhel7 and rhel8 + +--- + rhel7/kickstart/ssg-rhel7-hipaa-ks.cfg | 125 +++++++++++++++++++++++++ + 2 files changed, 250 insertions(+) + create mode 100644 rhel7/kickstart/ssg-rhel7-hipaa-ks.cfg + +diff --git a/rhel7/kickstart/ssg-rhel7-hipaa-ks.cfg b/rhel7/kickstart/ssg-rhel7-hipaa-ks.cfg +new file mode 100644 +index 0000000000..14c82c4231 +--- /dev/null ++++ b/rhel7/kickstart/ssg-rhel7-hipaa-ks.cfg +@@ -0,0 +1,125 @@ ++# SCAP Security Guide HIPAA profile kickstart for Red Hat Enterprise Linux 7 Server ++# Version: 0.0.1 ++# Date: 2020-05-25 ++# ++# Based on: ++# http://fedoraproject.org/wiki/Anaconda/Kickstart ++# https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Installation_Guide/sect-kickstart-syntax.html ++ ++# Install a fresh new system (optional) ++install ++ ++# Specify installation method to use for installation ++# To use a different one comment out the 'url' one below, update ++# the selected choice with proper options & un-comment it ++# ++# Install from an installation tree on a remote server via FTP or HTTP: ++# --url the URL to install from ++# ++# Example: ++# ++# url --url=http://192.168.122.1/image ++# ++# Modify concrete URL in the above example appropriately to reflect the actual ++# environment machine is to be installed in ++# ++# Other possible / supported installation methods: ++# * install from the first CD-ROM/DVD drive on the system: ++# ++# cdrom ++# ++# * install from a directory of ISO images on a local drive: ++# ++# harddrive --partition=hdb2 --dir=/tmp/install-tree ++# ++# * install from provided NFS server: ++# ++# nfs --server= --dir= [--opts=] ++# ++ ++# Set language to use during installation and the default language to use on the installed system (required) ++lang en_US.UTF-8 ++ ++# Set system keyboard type / layout (required) ++keyboard us ++ ++# Configure network information for target system and activate network devices in the installer environment (optional) ++# --onboot enable device at a boot time ++# --device device to be activated and / or configured with the network command ++# --bootproto method to obtain networking configuration for device (default dhcp) ++# --noipv6 disable IPv6 on this device ++# ++# NOTE: Usage of DHCP will fail CCE-27021-5 (DISA FSO RHEL-06-000292). To use static IP configuration, ++# "--bootproto=static" must be used. For example: ++# network --bootproto=static --ip=10.0.2.15 --netmask=255.255.255.0 --gateway=10.0.2.254 --nameserver 192.168.2.1,192.168.3.1 ++# ++network --onboot yes --device eth0 --bootproto dhcp --noipv6 ++ ++# Set the system's root password (required) ++# Plaintext password is: server ++# Refer to e.g. http://fedoraproject.org/wiki/Anaconda/Kickstart#rootpw to see how to create ++# encrypted password form for different plaintext password ++rootpw --iscrypted $6$rhel6usgcb$aS6oPGXcPKp3OtFArSrhRwu6sN8q2.yEGY7AIwDOQd23YCtiz9c5mXbid1BzX9bmXTEZi.hCzTEXFosVBI5ng0 ++ ++# The selected profile will restrict root login ++# Add a user that can login and escalate privileges ++# Plaintext password is: admin123 ++user --name=admin --groups=wheel --password=$6$Ga6ZnIlytrWpuCzO$q0LqT1USHpahzUafQM9jyHCY9BiE5/ahXLNWUMiVQnFGblu0WWGZ1e6icTaCGO4GNgZNtspp1Let/qpM7FMVB0 --iscrypted ++ ++# Configure firewall settings for the system (optional) ++# --enabled reject incoming connections that are not in response to outbound requests ++# --ssh allow sshd service through the firewall ++firewall --enabled --ssh ++ ++# Set up the authentication options for the system (required) ++# --enableshadow enable shadowed passwords by default ++# --passalgo hash / crypt algorithm for new passwords ++# See the manual page for authconfig for a complete list of possible options. ++authconfig --enableshadow --passalgo=sha512 ++ ++# State of SELinux on the installed system (optional) ++# Defaults to enforcing ++selinux --enforcing ++ ++# Set the system time zone (required) ++timezone --utc America/New_York ++ ++# Specify how the bootloader should be installed (required) ++# Plaintext password is: password ++# Refer to e.g. http://fedoraproject.org/wiki/Anaconda/Kickstart#rootpw to see how to create ++# encrypted password form for different plaintext password ++bootloader --location=mbr --append="crashkernel=auto rhgb quiet" --password=$6$rhel6usgcb$kOzIfC4zLbuo3ECp1er99NRYikN419wxYMmons8Vm/37Qtg0T8aB9dKxHwqapz8wWAFuVkuI/UJqQBU92bA5C0 ++ ++# Initialize (format) all disks (optional) ++zerombr ++ ++# The following partition layout scheme assumes disk of size 20GB or larger ++# Modify size of partitions appropriately to reflect actual machine's hardware ++# ++# Remove Linux partitions from the system prior to creating new ones (optional) ++# --linux erase all Linux partitions ++# --initlabel initialize the disk label to the default based on the underlying architecture ++clearpart --linux --initlabel ++ ++# Create primary system partitions (required for installs) ++autopart ++ ++# Harden installation with HIPAA profile ++# For more details and configuration options see command %addon org_fedora_oscap in ++# https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/installation_guide/sect-kickstart-syntax#sect-kickstart-commands ++%addon org_fedora_oscap ++ content-type = scap-security-guide ++ profile = xccdf_org.ssgproject.content_profile_hipaa ++%end ++ ++# Packages selection (%packages section is required) ++%packages ++ ++# Require @Base ++@Base ++ ++%end # End of %packages section ++ ++# Reboot after the installation is complete (optional) ++# --eject attempt to eject CD or DVD media before rebooting ++reboot --eject diff --git a/SOURCES/scap-security-guide-0.1.51-fix_ansible_template_mount_options_PR_5765.patch b/SOURCES/scap-security-guide-0.1.51-fix_ansible_template_mount_options_PR_5765.patch new file mode 100644 index 0000000..1e028b7 --- /dev/null +++ b/SOURCES/scap-security-guide-0.1.51-fix_ansible_template_mount_options_PR_5765.patch @@ -0,0 +1,40 @@ +From 254cb60e722539032c6ea73616d6ab51eb1d4edf Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Fri, 15 May 2020 23:36:18 +0200 +Subject: [PATCH] Ansible mount_option: split mount and option task + +Separate task that adds mount options mounts the mountpoint into two tasks. +Conditioning the "mount" task on the absence of the target mount option +caused the task to always be skipped when mount option was alredy present, +and could result in the mount point not being mounted. +--- + shared/templates/template_ANSIBLE_mount_option | 11 ++++++++--- + 1 file changed, 8 insertions(+), 3 deletions(-) + +diff --git a/shared/templates/template_ANSIBLE_mount_option b/shared/templates/template_ANSIBLE_mount_option +index 95bede25f9..a0cf8d6b7a 100644 +--- a/shared/templates/template_ANSIBLE_mount_option ++++ b/shared/templates/template_ANSIBLE_mount_option +@@ -26,14 +26,19 @@ + - device_name.stdout is defined and device_name.stdout_lines is defined + - (device_name.stdout | length > 0) + +-- name: Ensure permission {{{ MOUNTOPTION }}} are set on {{{ MOUNTPOINT }}} ++- name: Make sure {{{ MOUNTOPTION }}} option is part of the to {{{ MOUNTPOINT }}} options ++ set_fact: ++ mount_info: "{{ mount_info | combine( {'options':''~mount_info.options~',{{{ MOUNTOPTION }}}' }) }}" ++ when: ++ - mount_info is defined and "{{{ MOUNTOPTION }}}" not in mount_info.options ++ ++- name: Ensure {{{ MOUNTPOINT }}} is mounted with {{{ MOUNTOPTION }}} option + mount: + path: "{{{ MOUNTPOINT }}}" + src: "{{ mount_info.source }}" +- opts: "{{ mount_info.options }},{{{ MOUNTOPTION }}}" ++ opts: "{{ mount_info.options }}" + state: "mounted" + fstype: "{{ mount_info.fstype }}" + when: +- - mount_info is defined and "{{{ MOUNTOPTION }}}" not in mount_info.options + - device_name.stdout is defined + - (device_name.stdout | length > 0) diff --git a/SOURCES/scap-security-guide-0.1.51-fix_rpm_verify_permissions_conflict_PR_5770.patch b/SOURCES/scap-security-guide-0.1.51-fix_rpm_verify_permissions_conflict_PR_5770.patch new file mode 100644 index 0000000..47b9cdb --- /dev/null +++ b/SOURCES/scap-security-guide-0.1.51-fix_rpm_verify_permissions_conflict_PR_5770.patch @@ -0,0 +1,33 @@ +From bb039a92b4286c9090c0f40c82aefb967be2f5ba Mon Sep 17 00:00:00 2001 +From: Vojtech Polasek +Date: Thu, 14 May 2020 16:46:07 +0200 +Subject: [PATCH] reorder groups because of permissions verification + +--- + ssg/build_yaml.py | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/ssg/build_yaml.py b/ssg/build_yaml.py +index e3e138283c..c9f3179c08 100644 +--- a/ssg/build_yaml.py ++++ b/ssg/build_yaml.py +@@ -700,6 +700,11 @@ def to_xml_element(self): + # audit_rules_privileged_commands, othervise the rule + # does not catch newly installed screeen binary during remediation + # and report fail ++ # the software group should come before the ++ # bootloader-grub2 group because of conflict between ++ # rules rpm_verify_permissions and file_permissions_grub2_cfg ++ # specific rules concerning permissions should ++ # be applied after the general rpm_verify_permissions + # The FIPS group should come before Crypto - if we want to set a different (stricter) Crypto Policy than FIPS. + # the firewalld_activation must come before ruleset_modifications, othervise + # remediations for ruleset_modifications won't work +@@ -707,6 +712,7 @@ def to_xml_element(self): + # otherwise the remediation prints error although it is successful + priority_order = [ + "accounts", "auditing", ++ "software", "bootloader-grub2", + "fips", "crypto", + "firewalld_activation", "ruleset_modifications", + "disabling_ipv6", "configuring_ipv6" diff --git a/SPECS/scap-security-guide.spec b/SPECS/scap-security-guide.spec index 1d52ce5..4be3ae3 100644 --- a/SPECS/scap-security-guide.spec +++ b/SPECS/scap-security-guide.spec @@ -3,32 +3,90 @@ %global _pkgdocdir %{_docdir}/%{name}-%{version} Name: scap-security-guide -Version: 0.1.46 -Release: 11%{?dist} +Version: 0.1.49 +Release: 13%{?dist} Summary: Security guidance and baselines in SCAP formats Group: System Environment/Base License: BSD-3-Clause URL: https://github.com/ComplianceAsCode/content Source0: %{name}-%{version}.tar.bz2 -Patch1: scap-security-guide-0.1.47-compare_suid_files_with_rpm.patch -Patch2: scap-security-guide-0.1.47-improve_bash_based_on_shellcheck.patch -Patch3: scap-security-guide-0.1.47-add_-t_parameter_to_fix_audit_syscall_rule.patch -Patch4: scap-security-guide-0.1.47-remove_slash_from_audit_rules_login_faillock.patch -Patch5: scap-security-guide-0.1.47-update_arufm_to_match_multiple_-S_args.patch -Patch6: scap-security-guide-0.1.47-first_occurence_mtab.patch -Patch7: scap-security-guide-0.1.48-fix_grub2_enable_fips_mode.patch -Patch8: scap-security-guide-0.1.47-remove_shell_module_from_playbooks.patch -Patch9: scap-security-guide-0.1.47-remove_directory_access_var_log_audit_from_ospp.patch -Patch10: scap-security-guide-0.1.48-fix_ansible_tasks_in_check_mode.patch -Patch11: scap-security-guide-0.1.47-e8.patch -Patch12: scap-security-guide-0.1.48-fix_sshd_use_strong.patch -Patch13: scap-security-guide-0.1.47-fix_missing_cce.patch -Patch14: scap-security-guide-0.1.48-add_e8_profile_kickstart.patch -Patch15: scap-security-guide-0.1.48-fix_aide_periodic_crontab_check.patch -Patch16: scap-security-guide-0.1.47-add_missing_cce_sudo_require_authentication.patch -Patch17: disable-not-in-good-shape-profiles.patch -Patch999: centos-debranding.patch +Patch0: disable-not-in-good-shape-profiles.patch +Patch1: scap-security-guide-0.1.50-simplify_login_banner.patch +Patch2: scap-security-guide-0.1.50-fix_sysctl_rules_description.patch +Patch3: scap-security-guide-0.1.50-parametrize_sshd_approved_ciphers.patch +Patch4: scap-security-guide-0.1.50-ansible_audit_sysadmin_actions_PR_5288.patch +Patch5: scap-security-guide-0.1.50-add_ntp_and_chrony_cpes_PR_5299.patch +Patch6: scap-security-guide-0.1.50-add_chrony_rules_PR_5273.patch +# Changes present in 5299 removed from 5298 +Patch7: scap-security-guide-0.1.50-run_chronyd_as_chrony_user_PR_5298.patch +Patch8: scap-security-guide-0.1.50-ssh_references_PR_5297.patch +Patch9: scap-security-guide-0.1.50-system_file_permissions_references_PR_5301.patch +Patch10: scap-security-guide-0.1.50-add_rhel7_cis_profile_PR_5306.patch +Patch11: scap-security-guide-0.1.50-add_service_rsyncd_disabled_PR_5318.patch +Patch12: scap-security-guide-0.1.50-fix_chronyd_rule_title_PR_5309.patch +Patch13: scap-security-guide-0.1.50-audit_data_retention_reference_PR_5294.patch +Patch14: scap-security-guide-0.1.50-audit_installed_reference_PR_5292.patch +Patch15: scap-security-guide-0.1.50-audit_login_events_references_PR_5296.patch +Patch16: scap-security-guide-0.1.50-banner_permissions_and_owners_PR_5302.patch +Patch17: scap-security-guide-0.1.50-add_package_libselinux_installed_PR_5312.patch +Patch18: scap-security-guide-0.1.50-add_package_openldap-clients_installed_PR_5316.patch +Patch19: scap-security-guide-0.1.50-chrony_references_PR_5331.patch +Patch20: scap-security-guide-0.1.50-add_configure_etc_hosts_deny_PR_5332.patch +Patch21: scap-security-guide-0.1.50-check_banner_owners_and_groupowners_PR_5335.patch +Patch22: scap-security-guide-0.1.50-add_rules_etc_hosts_file_permissions_PR_5323.patch +Patch23: scap-security-guide-0.1.50-add_rules_accounts_backup_files_PR_5317.patch +Patch24: scap-security-guide-0.1.50-fix_typo_in_cce_assignment_PR_5340.patch +Patch25: scap-security-guide-0.1.50-fix_banner_etc_motd_PR_5319.patch +Patch26: scap-security-guide-0.1.50-fix_typo_in_ocil_clause_PR_5342.patch +Patch27: scap-security-guide-0.1.50-add_grub2_disable_ipv6_PR_5324.patch +Patch28: scap-security-guide-0.1.50-fix_ipv6_disable_rule_PR_5547.patch +Patch29: scap-security-guide-0.1.50-add_rules_legacy_plus_in_passwd_PR_5339.patch +Patch30: scap-security-guide-0.1.50-add_missing_cces_PR_5546.patch +Patch31: scap-security-guide-0.1.50-add_etc_hosts_deny_to_unselect_list_PR_5348.patch +Patch32: scap-security-guide-0.1.50-add_rhel7_cis_kickstart_PR_5545.patch +Patch33: scap-security-guide-0.1.50-update_cis_profile_PR_5349.patch +Patch35: scap-security-guide-0.1.50-removable_media_PR_5278.patch +Patch36: scap-security-guide-0.1.50-warn_nonlocal_users_groups.patch +Patch37: scap-security-guide-0.1.50-sshd_allow_p2.patch +Patch38: scap-security-guide-0.1.50-fix_audit_rules_privileged_commands.patch +Patch39: scap-security-guide-0.1.50-fix_ansible_postfix_listening_PR_5353.patch +Patch40: scap-security-guide-0.1.50-add_rule_sshd_disable_x11_forwarding_PR_5554.patch +Patch41: scap-security-guide-0.1.50-fix_rule_rsyslog_nolisten_regex_PR_5557.patch +Patch42: scap-security-guide-0.1.50-change_disable_ipv6_rule_PR_5574.patch +Patch43: scap-security-guide-0.1.50-add_ansible_audit_rules_media_export_PR_5590.patch +Patch44: scap-security-guide-0.1.50-add_ansible_audit_rules_kernel_module_loading_PR_5594.patch +Patch45: scap-security-guide-0.1.50-add_ansible_sshd_set_max_auth_tries_PR_5597.patch +Patch46: scap-security-guide-0.1.50-fix_service_chronyd_enabled_PR_5325.patch +Patch47: scap-security-guide-0.1.50-fix_permissions_backup_etc_passwd_PR_5619.patch +Patch48: scap-security-guide-0.1.50-update_sshd_disable_x11_forwarding_PR_5610.patch +Patch49: scap-security-guide-0.1.50-drop_configure_etc_hosts_deny_remediation_PR_5652.patch +Patch50: scap-security-guide-0.1.50-ansible_audit_avoid_duplicates_PR_5650.patch +Patch51: scap-security-guide-0.1.50-add_ansible_audit_rules_mac_modification_PR_5638.patch +Patch52: scap-security-guide-0.1.50-add_ansible_macro_watch_rule_PR_5658.patch +Patch53: scap-security-guide-0.1.50-add_ansible_macro_syscall_rule_PR_5709.patch +Patch54: scap-security-guide-0.1.50-fix_ansible_macro_watch_rule_PR_5716.patch +Patch55: scap-security-guide-0.1.50-add_ansible_audit_rules_session_events_PR_5721.patch +Patch56: scap-security-guide-0.1.50-add_arch_support_macro_syscall_PR_5723.patch +Patch57: scap-security-guide-0.1.50-add_ansible_audit_time_rules_PR_5720.patch +Patch58: scap-security-guide-0.1.50-add_field_support_macro_syscall_PR_5724.patch +Patch59: scap-security-guide-0.1.50-add_ansible_audit_networkconfig_mod_PR_5719.patch +Patch60: scap-security-guide-0.1.50-add_missing_cces_for_cis_PR_5329.patch +Patch61: scap-security-guide-0.1.50-fix_audit_privileged_commands_test_metadata_PR_5739.patch +Patch62: scap-security-guide-0.1.50-add_ansible_ipv6_option_disabled_PR_5737.patch +Patch63: scap-security-guide-0.1.50-add_audit_rules_immutable_PR_5609.patch +Patch64: scap-security-guide-0.1.50-add_missing_cces_kernel_modules_PR_5236.patch +Patch65: scap-security-guide-0.1.50-add_ansible_ensure_logrotate_activated_PR_5753.patch +Patch66: scap-security-guide-0.1.50-fix_ansible_template_mount_options_PR_5752.patch +Patch67: scap-security-guide-0.1.50-add_rpm_verify_warnings_PR_5755.patch +Patch68: scap-security-guide-0.1.51-fix_ansible_template_mount_options_PR_5765.patch +Patch69: scap-security-guide-0.1.51-fix_rpm_verify_permissions_conflict_PR_5770.patch +Patch70: scap-security-guide-0.1.51-add_ansible_system_shutdown_PR_5761.patch +Patch71: scap-security-guide-0.1.50-fix_boot_target_after_xorg_removed_PR_5625.patch +Patch72: scap-security-guide-0.1.51-add_cis_attributions_PR_5779.patch +Patch73: scap-security-guide-0.1.51-add_hipaa_kickstarts_PR_5783.patch +Patch74: scap-security-guide-0.1.50-fix_test_suite_on_python3_PR_5711.patch + BuildArch: noarch BuildRequires: libxslt, expat, python, openscap-scanner >= 1.2.16, python-jinja2, cmake >= 2.8, PyYAML @@ -56,6 +114,7 @@ been generated from XCCDF benchmarks present in %{name} package. %prep %setup -q -n %{name}-%{version} +%patch0 -p1 %patch1 -p1 %patch2 -p1 %patch3 -p1 @@ -73,7 +132,63 @@ been generated from XCCDF benchmarks present in %{name} package. %patch15 -p1 %patch16 -p1 %patch17 -p1 -%patch999 -p1 +%patch18 -p1 +%patch19 -p1 +%patch20 -p1 +%patch21 -p1 +%patch22 -p1 +%patch23 -p1 +%patch24 -p1 +%patch25 -p1 +%patch26 -p1 +%patch27 -p1 +%patch28 -p1 +%patch29 -p1 +%patch30 -p1 +%patch31 -p1 +%patch32 -p1 +%patch33 -p1 +%patch35 -p1 +%patch36 -p1 +%patch37 -p1 +%patch38 -p1 +%patch39 -p1 +%patch40 -p1 +%patch41 -p1 +%patch42 -p1 +%patch43 -p1 +%patch44 -p1 +%patch45 -p1 +%patch46 -p1 +%patch47 -p1 +%patch48 -p1 +%patch49 -p1 +%patch50 -p1 +%patch51 -p1 +%patch52 -p1 +%patch53 -p1 +%patch54 -p1 +%patch55 -p1 +%patch56 -p1 +%patch57 -p1 +%patch58 -p1 +%patch59 -p1 +%patch60 -p1 +%patch61 -p1 +%patch62 -p1 +%patch63 -p1 +%patch64 -p1 +%patch65 -p1 +%patch66 -p1 +%patch67 -p1 +%patch68 -p1 +%patch69 -p1 +%patch70 -p1 +%patch71 -p1 +%patch72 -p1 +%patch73 -p1 +%patch74 -p1 + # Workaround to remove Python byte cache files from the upstream sources # See https://github.com/ComplianceAsCode/content/issues/4042 find . -name '*.pyc' -exec rm -f {} ';' @@ -88,7 +203,7 @@ mkdir -p build && cd build -DSSG_PRODUCT_RHEL6:BOOL=ON \ -DSSG_PRODUCT_RHEL7:BOOL=ON \ -DSSG_PRODUCT_RHEL8:BOOL=ON \ --DSSG_CENTOS_DERIVATIVES_ENABLED:BOOL=ON \ +-DSSG_CENTOS_DERIVATIVES_ENABLED:BOOL=OFF \ -DSSG_SCIENTIFIC_LINUX_DERIVATIVES_ENABLED:BOOL=OFF \ ../ make %{?_smp_mflags} @@ -115,6 +230,62 @@ cd build %doc build/guides/ssg-*-guide-*.html %changelog +* Tue May 26 2020 Watson Sato - 0.1.49-13 +- Add example kickstart for RHEL7 HIPAA (RHBZ#1513087) +- Fix Test Suite to run on Python3 + +* Thu May 21 2020 Watson Sato - 0.1.49-12 +- CIS Profile (RHBZ#1821633) + - Make sure boot target is multi-user.target when xorg package is removed + - Add CIS Profile content attribution to Center for Internet Security + +* Wed May 20 2020 Watson Sato - 0.1.49-11 +- HIPAA Profile improvement (RHBZ#1513087) + - Add Ansible remediation for audit_rules_system_shutdown + +* Tue May 19 2020 Watson Sato - 0.1.49-10 +- CIS Profile fixes (RHBZ#1821633) + - Fix Ansible mount_option template + - Re-order rpm_verify_permissions to avoid file permission conflicts + +* Tue May 12 2020 Watson Sato - 0.1.49-9 +- CIS Profile fixes (RHBZ#1821633) + - Fix Ansible mount_option template + - Add Ansible for ensure_logrotate_activated + - Add warnings to rpm_verify_permissions and ownership about findindings that may need further inspection + +* Mon May 11 2020 Watson Sato - 0.1.49-8 +- Fix specfile to apply patch (RHBZ#1691877) + +* Mon May 04 2020 Watson Sato - 0.1.49-7 +- Bug fixes on CIS profile (RHBZ#1821633) + Added Ansible remediations + Fixed CIS references + Fixed integration issues with CIS profile + +* Mon May 04 2020 Vojtech Polasek - 0.1.49-6 +- Added a patch fixing audit_rules_privileged_commands (RHBZ#1691877) + +* Thu Apr 30 2020 Matěj Týč - 0.1.49-5 +- Added a patch fix for sshd_allow_protocol_2 (RHBZ#1823576) + +* Mon Apr 27 2020 Matěj Týč - 0.1.49-5 +- Added a patch warning about non-local users/groups are not considered by some rules (RHBZ#1721439, RHBZ#1544765, RHBZ#1829743) + +* Thu Apr 23 2020 Jan Černý - 0.1.49-4 +- Fix removable media options rules (RHBZ#1691579) + +* Mon Apr 06 2020 Watson Sato - 0.1.49-3 +- Add new rules and references for RHEL7 CIS (RHBZ#1821633) + +* Tue Mar 31 2020 Watson Sato - 0.1.49-2 +- Fix remediation of dconf_gnome_login_banner_text (RHBZ#1776780) +- Fix misleading sysctl rules description (RHBZ#1494606) +- Update STIG FIPS approved SSHD ciphers (RHBZ#1781244) + +* Thu Mar 19 2020 Gabriel Becker - 0.1.49-1 +- Update to the latest upstream release (RHBZ#1815008) + * Thu Nov 28 2019 Jan Černý - 0.1.46-11 - Ship RHEL 8 content (RHBZ#1777862)