From e331686eb7f52210c53cb282bc6b6f0765e68c11 Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: Sep 25 2018 17:32:58 +0000 Subject: import scap-security-guide-0.1.36-10.el7_5 --- diff --git a/SOURCES/scap-security-guide-0.1.37-fix-local_d_typos.patch b/SOURCES/scap-security-guide-0.1.37-fix-local_d_typos.patch new file mode 100644 index 0000000..e61027f --- /dev/null +++ b/SOURCES/scap-security-guide-0.1.37-fix-local_d_typos.patch @@ -0,0 +1,106 @@ +From dca8feafaa0b9044a0cec24c245eecaf8b7658ab Mon Sep 17 00:00:00 2001 +From: Chuck Atkins +Date: Tue, 12 Dec 2017 14:32:20 -0500 +Subject: [PATCH] Fix typos "local/d" -> "local.d" + +--- + shared/fixes/ansible/dconf_gnome_banner_enabled.yml | 2 +- + .../fixes/ansible/dconf_gnome_screensaver_idle_activation_enabled.yml | 2 +- + shared/fixes/ansible/dconf_gnome_screensaver_idle_delay.yml | 2 +- + shared/fixes/ansible/dconf_gnome_screensaver_lock_delay.yml | 2 +- + shared/fixes/ansible/dconf_gnome_screensaver_lock_enabled.yml | 2 +- + shared/fixes/ansible/dconf_gnome_screensaver_mode_blank.yml | 2 +- + shared/fixes/ansible/dconf_gnome_screensaver_user_info.yml | 2 +- + 7 files changed, 7 insertions(+), 7 deletions(-) + +diff --git a/shared/fixes/ansible/dconf_gnome_banner_enabled.yml b/shared/fixes/ansible/dconf_gnome_banner_enabled.yml +index abd8a8002b..38cd4d4e99 100644 +--- a/shared/fixes/ansible/dconf_gnome_banner_enabled.yml ++++ b/shared/fixes/ansible/dconf_gnome_banner_enabled.yml +@@ -5,7 +5,7 @@ + # disruption = medium + - name: "Enable GNOME3 Login Warning Banner" + ini_file: +- dest: "/etc/dconf/db/local/d/00-security-settings" ++ dest: "/etc/dconf/db/local.d/00-security-settings" + section: "org/gnome/login-screen" + option: banner-message-enabled + value: true +diff --git a/shared/fixes/ansible/dconf_gnome_screensaver_idle_activation_enabled.yml b/shared/fixes/ansible/dconf_gnome_screensaver_idle_activation_enabled.yml +index 20d2013c52..3ed9b78b5a 100644 +--- a/shared/fixes/ansible/dconf_gnome_screensaver_idle_activation_enabled.yml ++++ b/shared/fixes/ansible/dconf_gnome_screensaver_idle_activation_enabled.yml +@@ -5,7 +5,7 @@ + # disruption = medium + - name: "Enable GNOME3 Screensaver Idle Activation" + ini_file: +- dest: "/etc/dconf/db/local/d/00-security-settings" ++ dest: "/etc/dconf/db/local.d/00-security-settings" + section: "org/gnome/desktop/screensaver" + option: idle_activation_enabled + value: true +diff --git a/shared/fixes/ansible/dconf_gnome_screensaver_idle_delay.yml b/shared/fixes/ansible/dconf_gnome_screensaver_idle_delay.yml +index a69c86225d..8d4e9d2adc 100644 +--- a/shared/fixes/ansible/dconf_gnome_screensaver_idle_delay.yml ++++ b/shared/fixes/ansible/dconf_gnome_screensaver_idle_delay.yml +@@ -7,7 +7,7 @@ + + - name: "Set GNOME3 Screensaver Inactivity Timeout" + ini_file: +- dest: "/etc/dconf/db/local/d/00-security-settings" ++ dest: "/etc/dconf/db/local.d/00-security-settings" + section: "org/gnome/desktop/screensaver" + option: idle-delay + value: "{{ inactivity_timeout_value }}" +diff --git a/shared/fixes/ansible/dconf_gnome_screensaver_lock_delay.yml b/shared/fixes/ansible/dconf_gnome_screensaver_lock_delay.yml +index f11b909b65..01dec5ea9b 100644 +--- a/shared/fixes/ansible/dconf_gnome_screensaver_lock_delay.yml ++++ b/shared/fixes/ansible/dconf_gnome_screensaver_lock_delay.yml +@@ -5,7 +5,7 @@ + # disruption = medium + - name: "Set GNOME3 Screensaver Lock Delay After Activation Period" + ini_file: +- dest: "/etc/dconf/db/local/d/00-security-settings" ++ dest: "/etc/dconf/db/local.d/00-security-settings" + section: "org/gnome/desktop/screensaver" + option: lock-delay + value: uint32 5 +diff --git a/shared/fixes/ansible/dconf_gnome_screensaver_lock_enabled.yml b/shared/fixes/ansible/dconf_gnome_screensaver_lock_enabled.yml +index be5ffc10eb..5ac6fe6b3f 100644 +--- a/shared/fixes/ansible/dconf_gnome_screensaver_lock_enabled.yml ++++ b/shared/fixes/ansible/dconf_gnome_screensaver_lock_enabled.yml +@@ -5,7 +5,7 @@ + # disruption = medium + - name: "Enable GNOME3 Screensaver Lock After Idle Period" + ini_file: +- dest: "/etc/dconf/db/local/d/00-security-settings" ++ dest: "/etc/dconf/db/local.d/00-security-settings" + section: "org/gnome/desktop/screensaver" + option: lock-enabled + value: true +diff --git a/shared/fixes/ansible/dconf_gnome_screensaver_mode_blank.yml b/shared/fixes/ansible/dconf_gnome_screensaver_mode_blank.yml +index d2be193fe1..64f6ba5b7e 100644 +--- a/shared/fixes/ansible/dconf_gnome_screensaver_mode_blank.yml ++++ b/shared/fixes/ansible/dconf_gnome_screensaver_mode_blank.yml +@@ -5,7 +5,7 @@ + # disruption = medium + - name: "Implement Blank Screensaver" + ini_file: +- dest: "/etc/dconf/db/local/d/00-security-settings" ++ dest: "/etc/dconf/db/local.d/00-security-settings" + section: "org/gnome/desktop/screensaver" + option: picture-uri + value: string '' +diff --git a/shared/fixes/ansible/dconf_gnome_screensaver_user_info.yml b/shared/fixes/ansible/dconf_gnome_screensaver_user_info.yml +index ee407ad5b1..93873a997a 100644 +--- a/shared/fixes/ansible/dconf_gnome_screensaver_user_info.yml ++++ b/shared/fixes/ansible/dconf_gnome_screensaver_user_info.yml +@@ -5,7 +5,7 @@ + # disruption = medium + - name: "Disable Full Username on Splash Screen" + ini_file: +- dest: "/etc/dconf/db/local/d/00-security-settings" ++ dest: "/etc/dconf/db/local.d/00-security-settings" + section: "org/gnome/desktop/screensaver" + option: show-full-name-in-top-bar + value: false diff --git a/SOURCES/scap-security-guide-0.1.37-fix-rhel7-ansible-role.patch b/SOURCES/scap-security-guide-0.1.37-fix-rhel7-ansible-role.patch new file mode 100644 index 0000000..988b7d2 --- /dev/null +++ b/SOURCES/scap-security-guide-0.1.37-fix-rhel7-ansible-role.patch @@ -0,0 +1,103 @@ +diff --git a/shared/fixes/ansible/dconf_gnome_banner_enabled.yml b/shared/fixes/ansible/dconf_gnome_banner_enabled.yml +index b2d79ef04..abd8a8002 100644 +--- a/shared/fixes/ansible/dconf_gnome_banner_enabled.yml ++++ b/shared/fixes/ansible/dconf_gnome_banner_enabled.yml +@@ -18,5 +18,6 @@ + path: /etc/dconf/db/local.d/locks/00-security-settings-lock + regexp: '^/org/gnome/login-screen/banner-message-enable' + line: '/org/gnome/login-screen/banner-message-enable' ++ create: yes + tags: + @ANSIBLE_TAGS@ +diff --git a/shared/fixes/ansible/dconf_gnome_screensaver_idle_activation_enabled.yml b/shared/fixes/ansible/dconf_gnome_screensaver_idle_activation_enabled.yml +index 3f85b384c..20d2013c5 100644 +--- a/shared/fixes/ansible/dconf_gnome_screensaver_idle_activation_enabled.yml ++++ b/shared/fixes/ansible/dconf_gnome_screensaver_idle_activation_enabled.yml +@@ -18,5 +18,6 @@ + path: /etc/dconf/db/local.d/locks/00-security-settings-lock + regexp: '^/org/gnome/desktop/screensaver/idle-activation-enabled' + line: '/org/gnome/desktop/screensaver/idle-activation-enabled' ++ create: yes + tags: + @ANSIBLE_TAGS@ +diff --git a/shared/fixes/ansible/dconf_gnome_screensaver_idle_delay.yml b/shared/fixes/ansible/dconf_gnome_screensaver_idle_delay.yml +index 79e48cf63..a69c86225 100644 +--- a/shared/fixes/ansible/dconf_gnome_screensaver_idle_delay.yml ++++ b/shared/fixes/ansible/dconf_gnome_screensaver_idle_delay.yml +@@ -20,5 +20,6 @@ + path: /etc/dconf/db/local.d/locks/00-security-settings-lock + regexp: '^/org/gnome/desktop/screensaver/idle-delay' + line: '/org/gnome/desktop/screensaver/idle-delay' ++ create: yes + tags: + @ANSIBLE_TAGS@ +diff --git a/shared/fixes/ansible/dconf_gnome_screensaver_lock_delay.yml b/shared/fixes/ansible/dconf_gnome_screensaver_lock_delay.yml +index cf73fe111..f11b909b6 100644 +--- a/shared/fixes/ansible/dconf_gnome_screensaver_lock_delay.yml ++++ b/shared/fixes/ansible/dconf_gnome_screensaver_lock_delay.yml +@@ -18,5 +18,6 @@ + path: /etc/dconf/db/local.d/locks/00-security-settings-lock + regexp: '^/org/gnome/desktop/screensaver/lock-delay' + line: '/org/gnome/desktop/screensaver/lock-delay' ++ create: yes + tags: + @ANSIBLE_TAGS@ +diff --git a/shared/fixes/ansible/dconf_gnome_screensaver_lock_enabled.yml b/shared/fixes/ansible/dconf_gnome_screensaver_lock_enabled.yml +index 4b203036b..be5ffc10e 100644 +--- a/shared/fixes/ansible/dconf_gnome_screensaver_lock_enabled.yml ++++ b/shared/fixes/ansible/dconf_gnome_screensaver_lock_enabled.yml +@@ -18,5 +18,6 @@ + path: /etc/dconf/db/local.d/locks/00-security-settings-lock + regexp: '^/org/gnome/desktop/screensaver/lock-enabled' + line: '/org/gnome/desktop/screensaver/lock-enabled' ++ create: yes + tags: + @ANSIBLE_TAGS@ +diff --git a/shared/fixes/ansible/rsyslog_remote_loghost.yml b/shared/fixes/ansible/rsyslog_remote_loghost.yml +index 16a8e1ab5..b15dcca12 100644 +--- a/shared/fixes/ansible/rsyslog_remote_loghost.yml ++++ b/shared/fixes/ansible/rsyslog_remote_loghost.yml +@@ -10,6 +10,7 @@ + dest: /etc/rsyslog.conf + regexp: "^\\*\\.\\*" + line: "*.* @@{{ rsyslog_remote_loghost_address }}" ++ create: yes + tags: + @ANSIBLE_TAGS@ + +diff --git a/shared/fixes/ansible/selinux_policytype.yml b/shared/fixes/ansible/selinux_policytype.yml +index c68da2c46..57583f94e 100644 +--- a/shared/fixes/ansible/selinux_policytype.yml ++++ b/shared/fixes/ansible/selinux_policytype.yml +@@ -5,8 +5,11 @@ + # disruption = low + - (xccdf-var var_selinux_policy_name) + +-- name: "Configure SELinux Policy" +- selinux: +- policy: "{{ var_selinux_policy_name }}" ++- name: "@RULE_TITLE@" ++ lineinfile: ++ path: /etc/sysconfig/selinux ++ regexp: '^SELINUXTYPE=' ++ line: "SELINUXTYPE={{ var_selinux_policy_name }}" ++ create: yes + tags: + @ANSIBLE_TAGS@ +diff --git a/shared/fixes/ansible/selinux_state.yml b/shared/fixes/ansible/selinux_state.yml +index 62889bd4e..3e5b9f1ff 100644 +--- a/shared/fixes/ansible/selinux_state.yml ++++ b/shared/fixes/ansible/selinux_state.yml +@@ -6,7 +6,10 @@ + - (xccdf-var var_selinux_state) + + - name: "@RULE_TITLE@" +- selinux: +- state: "{{ var_selinux_state }}" ++ lineinfile: ++ path: /etc/sysconfig/selinux ++ regexp: '^SELINUX=' ++ line: "SELINUX={{ var_selinux_state }}" ++ create: yes + tags: + @ANSIBLE_TAGS@ diff --git a/SOURCES/scap-security-guide-0.1.40-fix-login_d_umask-2.patch b/SOURCES/scap-security-guide-0.1.40-fix-login_d_umask-2.patch new file mode 100644 index 0000000..d40f425 --- /dev/null +++ b/SOURCES/scap-security-guide-0.1.40-fix-login_d_umask-2.patch @@ -0,0 +1,33 @@ +From 95e9d5130f7b20677af0fd8b23b8fb2ad0900d5b Mon Sep 17 00:00:00 2001 +From: Martin Preisler +Date: Tue, 26 Jun 2018 13:28:20 -0400 +Subject: [PATCH] To be on the safe side, force ansible XCCDFs to be + interpreted as strings + +Avoid quotes though because that enables all sorts of escaping rules +that we would have to work around. +--- + ssg/build_remediations.py | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/shared/utils/combine-remediations.py +index ece3765d56..5f61982750 100644 +--- a/shared/utils/combine-remediations.py ++++ b/shared/utils/combine-remediations.py +@@ -190,11 +190,15 @@ def expand_xccdf_subs(fix, remediation_type, remediation_functions): + "substituting directly." + ) + ++ # we use the horrid "!!str |-" syntax to force strings without using ++ # quotes. quotes enable yaml escaping rules so we'd have to escape all ++ # the backslashes and at this point we don't know if there are any. + fix_text = re.sub( + r"- \(xccdf-var\s+(\S+)\)", + r"- name: XCCDF Value \1 # promote to variable\n" + r" set_fact:\n" +- r' \1: "(ansible-populate \1)"\n' ++ r" \1: !!str |-\n" ++ r" (ansible-populate \1)\n" + r" tags:\n" + r" - always", + fix_text diff --git a/SOURCES/scap-security-guide-0.1.40-fix-login_d_umask.patch b/SOURCES/scap-security-guide-0.1.40-fix-login_d_umask.patch new file mode 100644 index 0000000..f37f9e5 --- /dev/null +++ b/SOURCES/scap-security-guide-0.1.40-fix-login_d_umask.patch @@ -0,0 +1,51 @@ +From b0eb3b7f7baa1a57dac3e373209d20bd55b3f215 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= +Date: Tue, 26 Jun 2018 11:42:49 +0200 +Subject: [PATCH 1/2] Added implicit double quoting of substituted vars. + +Variables in Ansible may be wrongly interpreted if they are not quoted +(i.e. yes, 077 will be converted to bool and octal respectively). +Unlike single quotes, double quotes may be escaped. + +Fixes: #2989 +--- + ssg/build_remediations.py | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/shared/utils/combine-remediations.py b/shared/utils/combine-remediations.py +index ca6ce96b79..ece3765d56 100644 +--- a/shared/utils/combine-remediations.py ++++ b/shared/utils/combine-remediations.py +@@ -194,7 +194,7 @@ def expand_xccdf_subs(fix, remediation_type, remediation_functions): + r"- \(xccdf-var\s+(\S+)\)", + r"- name: XCCDF Value \1 # promote to variable\n" + r" set_fact:\n" +- r" \1: (ansible-populate \1)\n" ++ r' \1: "(ansible-populate \1)"\n' + r" tags:\n" + r" - always", + fix_text + +From a1693c2015a5513a871366f48ce1c3d83ecd9bde Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= +Date: Tue, 26 Jun 2018 14:04:55 +0200 +Subject: [PATCH 2/2] Made the UMASK check in login.defs case-insensitive. + +The guide says it should be UMASK, not umask, and man login.defs says the same. +--- + shared/checks/oval/accounts_umask_etc_login_defs.xml | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/shared/checks/oval/accounts_umask_etc_login_defs.xml b/shared/checks/oval/accounts_umask_etc_login_defs.xml +index 22b67cf0dd..513632b56a 100644 +--- a/shared/checks/oval/accounts_umask_etc_login_defs.xml ++++ b/shared/checks/oval/accounts_umask_etc_login_defs.xml +@@ -18,7 +18,7 @@ + + /etc/login.defs +- ^[\s]*(?i)UMASK(?-i)[\s]+([^#\s]*) ++ ^[\s]*UMASK[\s]+([^#\s]*) + 1 + + diff --git a/SPECS/scap-security-guide.spec b/SPECS/scap-security-guide.spec index e421ae0..e8639fc 100644 --- a/SPECS/scap-security-guide.spec +++ b/SPECS/scap-security-guide.spec @@ -6,7 +6,7 @@ Name: scap-security-guide Version: 0.1.%{redhatssgversion} -Release: 9%{?dist} +Release: 10%{?dist} Summary: Security guidance and baselines in SCAP formats Group: System Environment/Base @@ -27,6 +27,10 @@ Patch11: scap-security-guide-0.1.38-aide-scan-email-notification.patch Patch12: scap-security-guide-0.1.39-fix-failing-rules-for-PCI-DSS-DISA-UGSCB.patch Patch13: scap-security-guide-0.1.38-audit-kernel-module-loading.patch Patch14: scap-security-guide-0.1.37-fix-aide-scan-email-notification-remediation.patch +Patch15: scap-security-guide-0.1.37-fix-local_d_typos.patch +Patch16: scap-security-guide-0.1.37-fix-rhel7-ansible-role.patch +Patch17: scap-security-guide-0.1.40-fix-login_d_umask.patch +Patch18: scap-security-guide-0.1.40-fix-login_d_umask-2.patch BuildArch: noarch BuildRequires: libxslt, expat, python, openscap-scanner >= 1.2.5, python-lxml, cmake >= 2.8 @@ -81,8 +85,18 @@ mkdir build %patch12 -p1 -b .fix_failing_rules %patch13 -p1 -b .audit_kernel_module %patch14 -p1 -b .aide_notification_remediation +# Fixes https://bugzilla.redhat.com/show_bug.cgi?id=1592887 +%patch15 -p1 -b .ansible_local_d_typos +# Fixes https://bugzilla.redhat.com/show_bug.cgi?id=1592970 +%patch16 -p1 -b .ansible_roles_patch +# Fixes https://bugzilla.redhat.com/show_bug.cgi?id=1592957 +%patch17 -p1 -b .ansible_login_defs_umask_patch +%patch18 -p1 -b .ansible_login_defs_umask_patch-2 %build + +# chmod is because of patches 17, 18 that strip the executable permission of this file. +chmod a+x shared/utils/combine-remediations.py cd build %cmake -D CMAKE_INSTALL_DOCDIR=%{_pkgdocdir} \ -DSSG_PRODUCT_CHROMIUM:BOOL=OFF \ @@ -100,13 +114,12 @@ cd build -DSSG_PRODUCT_UBUNTU16:BOOL=OFF \ -DSSG_PRODUCT_WRLINUX:BOOL=OFF \ -DSSG_PRODUCT_WEBMIN:BOOL=OFF \ --DSSG_CENTOS_DERIVATIVES_ENABLED:BOOL=ON \ +-DSSG_CENTOS_DERIVATIVES_ENABLED:BOOL=OFF \ -DSSG_SCIENTIFIC_LINUX_DERIVATIVES_ENABLED:BOOL=OFF ../ make %{?_smp_mflags} %install cd build -sed 's/Red Hat Enterprise Linux/CentOS Linux/g' -i ssg-centos*.xml %make_install %files @@ -127,8 +140,10 @@ sed 's/Red Hat Enterprise Linux/CentOS Linux/g' -i ssg-centos*.xml %doc build/guides/ssg-*-guide-*.html %changelog -* Mon May 14 2018 Johnny Hughes - 0.1.36-9 -- Manual CentOS Debranding +* Wed Jun 27 2018 Matěj Týč - 0.1.36-10 +- Fix local/d typos in Ansible remediation (RHBZ#1592887) +- Fix Ansible remediation of SELinux policies (RHBZ#1592970) +- Fix Ansible remediation of login.defs umask (RHBZ#1592957) * Fri Apr 27 2018 Watson Yuuma Sato - 0.1.36-9 - Fix remediation of AIDE notification (RHBZ#1571315)