From fe0dde01a42673c3eda1933c38a8f78dbff6c1de Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: Dec 15 2020 09:07:53 +0000 Subject: import scap-security-guide-0.1.52-2.el7_9 --- diff --git a/.gitignore b/.gitignore index a0b3fab..903f9c1 100644 --- a/.gitignore +++ b/.gitignore @@ -1 +1 @@ -SOURCES/scap-security-guide-0.1.49.tar.bz2 +SOURCES/scap-security-guide-0.1.52.tar.bz2 diff --git a/.scap-security-guide.metadata b/.scap-security-guide.metadata index c49602b..1034028 100644 --- a/.scap-security-guide.metadata +++ b/.scap-security-guide.metadata @@ -1 +1 @@ -abc5640ac0b212fbea8379036830f650dd2543db SOURCES/scap-security-guide-0.1.49.tar.bz2 +d4088b4e38a789c4d56520c058cae303469bedde SOURCES/scap-security-guide-0.1.52.tar.bz2 diff --git a/SOURCES/centos-debranding.patch b/SOURCES/centos-debranding.patch deleted file mode 100644 index b5fd3d3..0000000 --- a/SOURCES/centos-debranding.patch +++ /dev/null @@ -1,241 +0,0 @@ -diff -uNrp scap-security-guide-0.1.46.orig/rhel7/profiles/anssi_nt28_minimal.profile scap-security-guide-0.1.46/rhel7/profiles/anssi_nt28_minimal.profile ---- scap-security-guide-0.1.46.orig/rhel7/profiles/anssi_nt28_minimal.profile 2019-08-28 12:35:00.000000000 +0000 -+++ scap-security-guide-0.1.46/rhel7/profiles/anssi_nt28_minimal.profile 2020-04-02 00:12:34.138435758 +0000 -@@ -2,7 +2,8 @@ documentation_complete: true - - title: 'DRAFT - ANSSI DAT-NT28 (minimal)' - --description: 'Draft profile for ANSSI compliance at the minimal level. ANSSI stands for Agence nationale de la sécurité des -+description: ' **Not applicable to CentOS Linux, included for reference only** -+ Draft profile for ANSSI compliance at the minimal level. ANSSI stands for Agence nationale de la sécurité des - systèmes d''information. Based on https://www.ssi.gouv.fr/.' - - selections: -diff -uNrp scap-security-guide-0.1.46.orig/rhel7/profiles/C2S-docker.profile scap-security-guide-0.1.46/rhel7/profiles/C2S-docker.profile ---- scap-security-guide-0.1.46.orig/rhel7/profiles/C2S-docker.profile 2019-08-28 12:35:00.000000000 +0000 -+++ scap-security-guide-0.1.46/rhel7/profiles/C2S-docker.profile 2020-04-02 00:13:40.055578160 +0000 -@@ -3,6 +3,8 @@ documentation_complete: false - title: 'DRAFT - C2S for Docker' - - description: |- -+ **Not applicable to CentOS Linux, included for reference only** -+ - This profile demonstrates compliance against the - U.S. Government Commercial Cloud Services (C2S) baseline. - -diff -uNrp scap-security-guide-0.1.46.orig/rhel7/profiles/C2S.profile scap-security-guide-0.1.46/rhel7/profiles/C2S.profile ---- scap-security-guide-0.1.46.orig/rhel7/profiles/C2S.profile 2019-08-28 13:46:33.000000000 +0000 -+++ scap-security-guide-0.1.46/rhel7/profiles/C2S.profile 2020-04-02 00:13:14.710523405 +0000 -@@ -3,6 +3,8 @@ documentation_complete: true - title: 'C2S for Red Hat Enterprise Linux 7' - - description: |- -+ **Not applicable to CentOS Linux, included for reference only** -+ - This profile demonstrates compliance against the - U.S. Government Commercial Cloud Services (C2S) baseline. - -diff -uNrp scap-security-guide-0.1.46.orig/rhel7/profiles/cjis.profile scap-security-guide-0.1.46/rhel7/profiles/cjis.profile ---- scap-security-guide-0.1.46.orig/rhel7/profiles/cjis.profile 2019-08-28 13:46:33.000000000 +0000 -+++ scap-security-guide-0.1.46/rhel7/profiles/cjis.profile 2020-04-02 00:14:09.815642451 +0000 -@@ -3,6 +3,8 @@ documentation_complete: true - title: 'Criminal Justice Information Services (CJIS) Security Policy' - - description: |- -+ **Not applicable to CentOS Linux, included for reference only** -+ - This profile is derived from FBI's CJIS v5.4 - Security Policy. A copy of this policy can be found at the CJIS Security - Policy Resource Center: -diff -uNrp scap-security-guide-0.1.46.orig/rhel7/profiles/cui.profile scap-security-guide-0.1.46/rhel7/profiles/cui.profile ---- scap-security-guide-0.1.46.orig/rhel7/profiles/cui.profile 2019-08-28 12:35:00.000000000 +0000 -+++ scap-security-guide-0.1.46/rhel7/profiles/cui.profile 2020-04-02 00:14:39.735707092 +0000 -@@ -3,6 +3,8 @@ documentation_complete: true - title: 'Unclassified Information in Non-federal Information Systems and Organizations (NIST 800-171)' - - description: |- -+ **Not applicable to CentOS Linux, included for reference only** -+ - From NIST 800-171, Section 2.2: - Security requirements for protecting the confidentiality of CUI in non-federal - information systems and organizations have a well-defined structure that -diff -uNrp scap-security-guide-0.1.46.orig/rhel7/profiles/docker-host.profile scap-security-guide-0.1.46/rhel7/profiles/docker-host.profile ---- scap-security-guide-0.1.46.orig/rhel7/profiles/docker-host.profile 2019-08-28 12:35:00.000000000 +0000 -+++ scap-security-guide-0.1.46/rhel7/profiles/docker-host.profile 2020-04-02 00:15:08.697769654 +0000 -@@ -3,6 +3,8 @@ documentation_complete: false - title: 'DRAFT - Standard Docker Host Security Profile' - - description: |- -+ **Not applicable to CentOS Linux, included for reference only** -+ - This profile contains rules to ensure standard security - baseline of Red Hat Enterprise Linux 7 system running docker. - -diff -uNrp scap-security-guide-0.1.46.orig/rhel7/profiles/e8.profile scap-security-guide-0.1.46/rhel7/profiles/e8.profile ---- scap-security-guide-0.1.46.orig/rhel7/profiles/e8.profile 2020-04-02 00:07:38.530797155 +0000 -+++ scap-security-guide-0.1.46/rhel7/profiles/e8.profile 2020-04-02 00:15:34.521825440 +0000 -@@ -3,6 +3,8 @@ documentation_complete: true - title: 'Australian Cyber Security Centre (ACSC) Essential Eight' - - description: |- -+ **Not applicable to CentOS Linux, included for reference only** -+ - This profile contains configuration checks for Red Hat Enterprise Linux 7 - that align to the Australian Cyber Security Centre (ACSC) Essential Eight. - -diff -uNrp scap-security-guide-0.1.46.orig/rhel7/profiles/hipaa.profile scap-security-guide-0.1.46/rhel7/profiles/hipaa.profile ---- scap-security-guide-0.1.46.orig/rhel7/profiles/hipaa.profile 2019-08-28 13:46:33.000000000 +0000 -+++ scap-security-guide-0.1.46/rhel7/profiles/hipaa.profile 2020-04-02 00:16:12.605907713 +0000 -@@ -3,6 +3,8 @@ documentation_complete: True - title: 'Health Insurance Portability and Accountability Act (HIPAA)' - - description: |- -+ **Not applicable to CentOS Linux, included for reference only** -+ - The HIPAA Security Rule establishes U.S. national standards to protect individuals’ - electronic personal health information that is created, received, used, or - maintained by a covered entity. The Security Rule requires appropriate -diff -uNrp scap-security-guide-0.1.46.orig/rhel7/profiles/http-stig.profile scap-security-guide-0.1.46/rhel7/profiles/http-stig.profile ---- scap-security-guide-0.1.46.orig/rhel7/profiles/http-stig.profile 2019-08-28 12:35:00.000000000 +0000 -+++ scap-security-guide-0.1.46/rhel7/profiles/http-stig.profile 2020-04-02 00:16:43.191973788 +0000 -@@ -3,6 +3,8 @@ documentation_complete: false - title: 'DRAFT - DISA STIG for Apache HTTP on Red Hat Enterprise Linux 7' - - description: |- -+ **Not applicable to CentOS Linux, included for reference only** -+ - This profile contains configuration checks that align to the - DISA STIG for Apache HTTP web server. - -diff -uNrp scap-security-guide-0.1.46.orig/rhel7/profiles/ipa-stig.profile scap-security-guide-0.1.46/rhel7/profiles/ipa-stig.profile ---- scap-security-guide-0.1.46.orig/rhel7/profiles/ipa-stig.profile 2019-08-28 12:35:00.000000000 +0000 -+++ scap-security-guide-0.1.46/rhel7/profiles/ipa-stig.profile 2020-04-02 00:17:03.371017390 +0000 -@@ -3,6 +3,8 @@ documentation_complete: false - title: 'DRAFT - DISA STIG for Red Hat IdM' - - description: |- -+ **Not applicable to CentOS Linux, included for reference only** -+ - This is a *draft* profile for STIG. This profile is being - developed under the DoD consensus model to become a STIG in - coordination with DISA FSO. -diff -uNrp scap-security-guide-0.1.46.orig/rhel7/profiles/ncp.profile scap-security-guide-0.1.46/rhel7/profiles/ncp.profile ---- scap-security-guide-0.1.46.orig/rhel7/profiles/ncp.profile 2019-08-28 13:46:33.000000000 +0000 -+++ scap-security-guide-0.1.46/rhel7/profiles/ncp.profile 2020-04-02 00:19:00.198269763 +0000 -@@ -3,6 +3,8 @@ documentation_complete: true - title: 'NIST National Checklist Program Security Guide' - - description: |- -+ **Not applicable to CentOS Linux, included for reference only** -+ - This compliance profile reflects the core set of security - related configuration settings for deployment of Red Hat Enterprise - Linux 7.x into U.S. Defense, Intelligence, and Civilian agencies. -diff -uNrp scap-security-guide-0.1.46.orig/rhel7/profiles/ospp.profile scap-security-guide-0.1.46/rhel7/profiles/ospp.profile ---- scap-security-guide-0.1.46.orig/rhel7/profiles/ospp.profile 2020-04-02 00:07:38.523797140 +0000 -+++ scap-security-guide-0.1.46/rhel7/profiles/ospp.profile 2020-04-02 00:18:53.448255187 +0000 -@@ -3,6 +3,8 @@ documentation_complete: true - title: 'OSPP - Protection Profile for General Purpose Operating Systems v4.2.1' - - description: |- -+ **Not applicable to CentOS Linux, included for reference only** -+ - This profile reflects mandatory configuration controls identified in the - NIAP Configuration Annex to the Protection Profile for General Purpose - Operating Systems (Protection Profile Version 4.2.1). -diff -uNrp scap-security-guide-0.1.46.orig/rhel7/profiles/pci-dss.profile scap-security-guide-0.1.46/rhel7/profiles/pci-dss.profile ---- scap-security-guide-0.1.46.orig/rhel7/profiles/pci-dss.profile 2019-08-28 12:35:00.000000000 +0000 -+++ scap-security-guide-0.1.46/rhel7/profiles/pci-dss.profile 2020-04-02 00:19:22.109317098 +0000 -@@ -3,6 +3,8 @@ documentation_complete: true - title: 'PCI-DSS v3.2.1 Control Baseline for Red Hat Enterprise Linux 7' - - description: |- -+ **Not applicable to CentOS Linux, included for reference only** -+ - Ensures PCI-DSS v3.2.1 security configuration settings are applied. - - selections: -diff -uNrp scap-security-guide-0.1.46.orig/rhel7/profiles/rhelh-stig.profile scap-security-guide-0.1.46/rhel7/profiles/rhelh-stig.profile ---- scap-security-guide-0.1.46.orig/rhel7/profiles/rhelh-stig.profile 2019-08-28 13:46:33.000000000 +0000 -+++ scap-security-guide-0.1.46/rhel7/profiles/rhelh-stig.profile 2020-04-02 00:20:04.168407959 +0000 -@@ -3,6 +3,8 @@ documentation_complete: true - title: '[DRAFT] DISA STIG for Red Hat Enterprise Linux Virtualization Host (RHELH)' - - description: |- -+ **Not applicable to CentOS Linux, included for reference only** -+ - This *draft* profile contains configuration checks that align to the - DISA STIG for Red Hat Enterprise Linux Virtualization Host (RHELH). - -diff -uNrp scap-security-guide-0.1.46.orig/rhel7/profiles/rhelh-vpp.profile scap-security-guide-0.1.46/rhel7/profiles/rhelh-vpp.profile ---- scap-security-guide-0.1.46.orig/rhel7/profiles/rhelh-vpp.profile 2019-08-28 13:46:33.000000000 +0000 -+++ scap-security-guide-0.1.46/rhel7/profiles/rhelh-vpp.profile 2020-04-02 00:18:01.448142852 +0000 -@@ -3,6 +3,8 @@ documentation_complete: true - title: 'VPP - Protection Profile for Virtualization v. 1.0 for Red Hat Enterprise Linux Hypervisor (RHELH)' - - description: |- -+ **Not applicable to CentOS Linux, included for reference only** -+ - This compliance profile reflects the core set of security - related configuration settings for deployment of Red Hat Enterprise - Linux Hypervisor (RHELH) 7.x into U.S. Defense, Intelligence, and Civilian agencies. -diff -uNrp scap-security-guide-0.1.46.orig/rhel7/profiles/rht-ccp.profile scap-security-guide-0.1.46/rhel7/profiles/rht-ccp.profile ---- scap-security-guide-0.1.46.orig/rhel7/profiles/rht-ccp.profile 2019-08-28 13:46:33.000000000 +0000 -+++ scap-security-guide-0.1.46/rhel7/profiles/rht-ccp.profile 2020-04-02 00:20:25.205453406 +0000 -@@ -3,6 +3,8 @@ documentation_complete: true - title: 'Red Hat Corporate Profile for Certified Cloud Providers (RH CCP)' - - description: |- -+ **Not applicable to CentOS Linux, included for reference only** -+ - This profile contains the minimum security relevant - configuration settings recommended by Red Hat, Inc for - Red Hat Enterprise Linux 7 instances deployed by Red Hat Certified -diff -uNrp scap-security-guide-0.1.46.orig/rhel7/profiles/satellite-stig.profile scap-security-guide-0.1.46/rhel7/profiles/satellite-stig.profile ---- scap-security-guide-0.1.46.orig/rhel7/profiles/satellite-stig.profile 2019-08-28 12:35:00.000000000 +0000 -+++ scap-security-guide-0.1.46/rhel7/profiles/satellite-stig.profile 2020-04-02 00:20:44.967496099 +0000 -@@ -3,6 +3,8 @@ documentation_complete: false - title: 'DRAFT - DISA STIG for Red Hat Satellite' - - description: |- -+ **Not applicable to CentOS Linux, included for reference only** -+ - This is a *draft* profile for STIG. This profile is being - developed under the DoD consensus model to become a STIG in - coordination with DISA FSO. -diff -uNrp scap-security-guide-0.1.46.orig/rhel7/profiles/standard.profile scap-security-guide-0.1.46/rhel7/profiles/standard.profile ---- scap-security-guide-0.1.46.orig/rhel7/profiles/standard.profile 2019-08-28 12:35:00.000000000 +0000 -+++ scap-security-guide-0.1.46/rhel7/profiles/standard.profile 2020-04-02 00:21:05.637540751 +0000 -@@ -3,6 +3,8 @@ documentation_complete: true - title: 'Standard System Security Profile for Red Hat Enterprise Linux 7' - - description: |- -+ **Not applicable to CentOS Linux, included for reference only** -+ - This profile contains rules to ensure standard security baseline - of a Red Hat Enterprise Linux 7 system. Regardless of your system's workload - all of these checks should pass. -diff -uNrp scap-security-guide-0.1.46.orig/rhel7/profiles/stig.profile scap-security-guide-0.1.46/rhel7/profiles/stig.profile ---- scap-security-guide-0.1.46.orig/rhel7/profiles/stig.profile 2019-08-28 13:46:33.000000000 +0000 -+++ scap-security-guide-0.1.46/rhel7/profiles/stig.profile 2020-04-02 00:21:23.477579298 +0000 -@@ -3,6 +3,8 @@ documentation_complete: true - title: 'DISA STIG for Red Hat Enterprise Linux 7' - - description: |- -+ **Not applicable to CentOS Linux, included for reference only** -+ - This profile contains configuration checks that align to the - DISA STIG for Red Hat Enterprise Linux V1R4. - -diff -uNrp scap-security-guide-0.1.46.orig/rhel7/profiles/tower-stig.profile scap-security-guide-0.1.46/rhel7/profiles/tower-stig.profile ---- scap-security-guide-0.1.46.orig/rhel7/profiles/tower-stig.profile 2019-08-28 12:35:00.000000000 +0000 -+++ scap-security-guide-0.1.46/rhel7/profiles/tower-stig.profile 2020-04-02 00:21:44.885625545 +0000 -@@ -3,6 +3,8 @@ documentation_complete: false - title: 'DRAFT - DISA STIG for Red Hat Ansible Tower' - - description: |- -+ **Not applicable to CentOS Linux, included for reference only** -+ - This is a *draft* profile for STIG. This profile is being - developed under the DoD consensus model to become a STIG in - coordination with DISA FSO. diff --git a/SOURCES/disable-not-in-good-shape-profiles.patch b/SOURCES/disable-not-in-good-shape-profiles.patch index d26c4b2..6a4b641 100644 --- a/SOURCES/disable-not-in-good-shape-profiles.patch +++ b/SOURCES/disable-not-in-good-shape-profiles.patch @@ -1,26 +1,23 @@ -From 2dfbfa76867db56ee90f168b478437d916e0cd4e Mon Sep 17 00:00:00 2001 -From: Watson Sato -Date: Fri, 17 Jan 2020 19:01:22 +0100 -Subject: [PATCH] Disable profiles that are not in good shape for RHEL8 +From ca6ddb178dd89fde3fc2d3e6dd6e6d30a0e1f023 Mon Sep 17 00:00:00 2001 +From: Gabriel Becker +Date: Fri, 9 Oct 2020 18:08:26 +0200 +Subject: [PATCH] Disable profiles that are not in good shape for RHEL8. -They raise too many errors and fails. -Also disable tables for profiles that are not built. --- - rhel8/CMakeLists.txt | 2 -- + rhel8/CMakeLists.txt | 1 - rhel8/profiles/cjis.profile | 2 +- - rhel8/profiles/cui.profile | 2 +- - rhel8/profiles/hipaa.profile | 2 +- + rhel8/profiles/ism_o.profile | 2 +- rhel8/profiles/rhelh-stig.profile | 2 +- rhel8/profiles/rhelh-vpp.profile | 2 +- rhel8/profiles/rht-ccp.profile | 2 +- rhel8/profiles/standard.profile | 2 +- - 9 files changed, 8 insertions(+), 10 deletions(-) + 7 files changed, 6 insertions(+), 7 deletions(-) diff --git a/rhel8/CMakeLists.txt b/rhel8/CMakeLists.txt -index 40f2b2b0f..492a8dae1 100644 +index 40f2b2b..bbdecba 100644 --- a/rhel8/CMakeLists.txt +++ b/rhel8/CMakeLists.txt -@@ -14,9 +14,8 @@ ssg_build_html_table_by_ref(${PRODUCT} "cis") +@@ -14,7 +14,6 @@ ssg_build_html_table_by_ref(${PRODUCT} "cis") ssg_build_html_table_by_ref(${PRODUCT} "pcidss") ssg_build_html_table_by_ref(${PRODUCT} "anssi") @@ -28,10 +25,8 @@ index 40f2b2b0f..492a8dae1 100644 ssg_build_html_nistrefs_table(${PRODUCT} "ospp") ssg_build_html_nistrefs_table(${PRODUCT} "stig") - # Uncomment when anssi profiles are marked documentation_complete: true - #ssg_build_html_anssirefs_table(${PRODUCT} "nt28_minimal") diff --git a/rhel8/profiles/cjis.profile b/rhel8/profiles/cjis.profile -index 05ea9cdd6..9c55ac5b1 100644 +index 05ea9cd..9c55ac5 100644 --- a/rhel8/profiles/cjis.profile +++ b/rhel8/profiles/cjis.profile @@ -1,4 +1,4 @@ @@ -40,28 +35,18 @@ index 05ea9cdd6..9c55ac5b1 100644 title: 'Criminal Justice Information Services (CJIS) Security Policy' -diff --git a/rhel8/profiles/cui.profile b/rhel8/profiles/cui.profile -index eb62252a4..e8f369708 100644 ---- a/rhel8/profiles/cui.profile -+++ b/rhel8/profiles/cui.profile +diff --git a/rhel8/profiles/ism_o.profile b/rhel8/profiles/ism_o.profile +index d044376..10b0eae 100644 +--- a/rhel8/profiles/ism_o.profile ++++ b/rhel8/profiles/ism_o.profile @@ -1,4 +1,4 @@ -documentation_complete: true +documentation_complete: false - title: 'Unclassified Information in Non-federal Information Systems and Organizations (NIST 800-171)' - -diff --git a/rhel8/profiles/hipaa.profile b/rhel8/profiles/hipaa.profile -index 8d20f9019..d641b56fe 100644 ---- a/rhel8/profiles/hipaa.profile -+++ b/rhel8/profiles/hipaa.profile -@@ -1,4 +1,4 @@ --documentation_complete: True -+documentation_complete: false - - title: 'Health Insurance Portability and Accountability Act (HIPAA)' + title: 'Australian Cyber Security Centre (ACSC) Information Security Manual (ISM) Official' diff --git a/rhel8/profiles/rhelh-stig.profile b/rhel8/profiles/rhelh-stig.profile -index 1efca5f44..c3d0b0964 100644 +index 1efca5f..c3d0b09 100644 --- a/rhel8/profiles/rhelh-stig.profile +++ b/rhel8/profiles/rhelh-stig.profile @@ -1,4 +1,4 @@ @@ -71,7 +56,7 @@ index 1efca5f44..c3d0b0964 100644 title: '[DRAFT] DISA STIG for Red Hat Enterprise Linux Virtualization Host (RHELH)' diff --git a/rhel8/profiles/rhelh-vpp.profile b/rhel8/profiles/rhelh-vpp.profile -index 2baee6d66..8592d7aaf 100644 +index 2baee6d..8592d7a 100644 --- a/rhel8/profiles/rhelh-vpp.profile +++ b/rhel8/profiles/rhelh-vpp.profile @@ -1,4 +1,4 @@ @@ -81,7 +66,7 @@ index 2baee6d66..8592d7aaf 100644 title: 'VPP - Protection Profile for Virtualization v. 1.0 for Red Hat Enterprise Linux Hypervisor (RHELH)' diff --git a/rhel8/profiles/rht-ccp.profile b/rhel8/profiles/rht-ccp.profile -index c84579592..164ec98c4 100644 +index c845795..164ec98 100644 --- a/rhel8/profiles/rht-ccp.profile +++ b/rhel8/profiles/rht-ccp.profile @@ -1,4 +1,4 @@ @@ -91,7 +76,7 @@ index c84579592..164ec98c4 100644 title: 'Red Hat Corporate Profile for Certified Cloud Providers (RH CCP)' diff --git a/rhel8/profiles/standard.profile b/rhel8/profiles/standard.profile -index a63ae2cf3..da669bb84 100644 +index a63ae2c..da669bb 100644 --- a/rhel8/profiles/standard.profile +++ b/rhel8/profiles/standard.profile @@ -1,4 +1,4 @@ @@ -101,5 +86,5 @@ index a63ae2cf3..da669bb84 100644 title: 'Standard System Security Profile for Red Hat Enterprise Linux 8' -- -2.21.1 +2.26.2 diff --git a/SOURCES/remove_package_rear_installed_from_e8_profile.patch b/SOURCES/remove_package_rear_installed_from_e8_profile.patch new file mode 100644 index 0000000..465ca56 --- /dev/null +++ b/SOURCES/remove_package_rear_installed_from_e8_profile.patch @@ -0,0 +1,29 @@ +commit f59046ca26f86978fa5086914c0faf75850062ac +Author: Gabriel Becker +Date: Wed Nov 11 16:08:44 2020 +0100 + + Remove package_rear_installed from RHEL7 E8 profile. + +diff --git a/rhel7/profiles/e8.profile b/rhel7/profiles/e8.profile +index be1351d..cf53741 100644 +--- a/rhel7/profiles/e8.profile ++++ b/rhel7/profiles/e8.profile +@@ -131,6 +131,3 @@ selections: + - sshd_disable_user_known_hosts + - sshd_enable_strictmodes + - sshd_use_strong_macs +- +- ### Backup +- - package_rear_installed +diff --git a/tests/data/profile_stability/rhel7/e8.profile b/tests/data/profile_stability/rhel7/e8.profile +index 23d226e..3b6ca01 100644 +--- a/tests/data/profile_stability/rhel7/e8.profile ++++ b/tests/data/profile_stability/rhel7/e8.profile +@@ -59,7 +59,6 @@ selections: + - no_empty_passwords + - package_firewalld_installed + - package_quagga_removed +-- package_rear_installed + - package_rsh-server_removed + - package_rsh_removed + - package_rsyslog_installed diff --git a/SOURCES/scap-security-guide-0.1.50-add_ansible_audit_networkconfig_mod_PR_5719.patch b/SOURCES/scap-security-guide-0.1.50-add_ansible_audit_networkconfig_mod_PR_5719.patch deleted file mode 100644 index cd4dde8..0000000 --- a/SOURCES/scap-security-guide-0.1.50-add_ansible_audit_networkconfig_mod_PR_5719.patch +++ /dev/null @@ -1,136 +0,0 @@ -From ac5a43653e418d52ecba4f1469388615620cd731 Mon Sep 17 00:00:00 2001 -From: Vojtech Polasek -Date: Wed, 29 Apr 2020 11:54:04 +0200 -Subject: [PATCH 1/3] add ansible remediation - ---- - .../ansible/shared.yml | 18 ++++++++++++++++++ - 1 file changed, 18 insertions(+) - create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_networkconfig_modification/ansible/shared.yml - -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_networkconfig_modification/ansible/shared.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_networkconfig_modification/ansible/shared.yml -new file mode 100644 -index 0000000000..3708226e66 ---- /dev/null -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_networkconfig_modification/ansible/shared.yml -@@ -0,0 +1,18 @@ -+# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv -+# reboot = true -+# strategy = restrict -+# complexity = low -+# disruption = low -+# remediate syscalls -+{{{ ansible_audit_augenrules_add_syscall_rule(syscalls=["sethostname", "setdomainname"], key="audit_rules_networkconfig_modification") }}} -+{{{ ansible_audit_auditctl_add_syscall_rule(syscalls=["sethostname", "setdomainname"], key="audit_rules_networkconfig_modification") }}} -+ -+# remediate watches -+{{{ ansible_audit_augenrules_add_watch_rule(path='/etc/issue', permissions='wa', key='audit_rules_networkconfig_modification') }}} -+{{{ ansible_audit_auditctl_add_watch_rule(path='/etc/issue', permissions='wa', key='audit_rules_networkconfig_modification') }}} -+{{{ ansible_audit_augenrules_add_watch_rule(path='/etc/issue.net', permissions='wa', key='audit_rules_networkconfig_modification') }}} -+{{{ ansible_audit_auditctl_add_watch_rule(path='/etc/issue.net', permissions='wa', key='audit_rules_networkconfig_modification') }}} -+{{{ ansible_audit_augenrules_add_watch_rule(path='/etc/hosts', permissions='wa', key='audit_rules_networkconfig_modification') }}} -+{{{ ansible_audit_auditctl_add_watch_rule(path='/etc/hosts', permissions='wa', key='audit_rules_networkconfig_modification') }}} -+{{{ ansible_audit_augenrules_add_watch_rule(path='/etc/sysconfig/network', permissions='wa', key='audit_rules_networkconfig_modification') }}} -+{{{ ansible_audit_auditctl_add_watch_rule(path='/etc/sysconfig/network', permissions='wa', key='audit_rules_networkconfig_modification') }}} - -From 8de44a2ec24813affd51377bcaa8472b53b67e86 Mon Sep 17 00:00:00 2001 -From: Vojtech Polasek -Date: Wed, 29 Apr 2020 11:54:23 +0200 -Subject: [PATCH 2/3] improve tests - ---- - .../tests/auditctl_correct_rules.pass.sh | 17 +++++++++++++++++ - ...ules.pass.sh => augen_correct_rules.pass.sh} | 0 - .../tests/partial_rules.fail.sh | 10 ++++++++++ - 3 files changed, 27 insertions(+) - create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_networkconfig_modification/tests/auditctl_correct_rules.pass.sh - rename linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_networkconfig_modification/tests/{correct_rules.pass.sh => augen_correct_rules.pass.sh} (100%) - create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_networkconfig_modification/tests/partial_rules.fail.sh - -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_networkconfig_modification/tests/auditctl_correct_rules.pass.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_networkconfig_modification/tests/auditctl_correct_rules.pass.sh -new file mode 100644 -index 0000000000..ac5059f31c ---- /dev/null -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_networkconfig_modification/tests/auditctl_correct_rules.pass.sh -@@ -0,0 +1,17 @@ -+#!/bin/bash -+ -+# profiles = xccdf_org.ssgproject.content_profile_pci-dss -+ -+# use auditctl -+sed -i "s%^ExecStartPost=.*%ExecStartPost=-/sbin/auditctl%" /usr/lib/systemd/system/auditd.service -+ -+ -+rm -rf /etc/audit/rules.d/* -+rm /etc/audit/audit.rules -+ -+echo "-a always,exit -F arch=b32 -S sethostname,setdomainname -F key=audit_rules_networkconfig_modification" >> /etc/audit/audit.rules -+echo "-a always,exit -F arch=b64 -S sethostname,setdomainname -F key=audit_rules_networkconfig_modification" >> /etc/audit/audit.rules -+echo "-w /etc/issue -p wa -k audit_rules_networkconfig_modification" >> /etc/audit/audit.rules -+echo "-w /etc/issue.net -p wa -k audit_rules_networkconfig_modification" >> /etc/audit/audit.rules -+echo "-w /etc/hosts -p wa -k audit_rules_networkconfig_modification" >> /etc/audit/audit.rules -+echo "-w /etc/sysconfig/network -p wa -k audit_rules_networkconfig_modification" >> /etc/audit/audit.rules -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_networkconfig_modification/tests/correct_rules.pass.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_networkconfig_modification/tests/augen_correct_rules.pass.sh -similarity index 100% -rename from linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_networkconfig_modification/tests/correct_rules.pass.sh -rename to linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_networkconfig_modification/tests/augen_correct_rules.pass.sh -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_networkconfig_modification/tests/partial_rules.fail.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_networkconfig_modification/tests/partial_rules.fail.sh -new file mode 100644 -index 0000000000..4991b02369 ---- /dev/null -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_networkconfig_modification/tests/partial_rules.fail.sh -@@ -0,0 +1,10 @@ -+#!/bin/bash -+ -+# profiles = xccdf_org.ssgproject.content_profile_pci-dss -+ -+echo "-a always,exit -F arch=b32 -S sethostname,setdomainname -F key=audit_rules_networkconfig_modification" >> /etc/audit/rules.d/some.rules -+echo "-a always,exit -F arch=b64 -S sethostname,setdomainname -F key=audit_rules_networkconfig_modification" >> /etc/audit/rules.d/some.rules -+echo "-w /etc/issue -p wa -k audit_rules_networkconfig_modification" >> /etc/audit/audit.rules -+echo "-w /etc/issue.net -p wa -k audit_rules_networkconfig_modification" >> /etc/audit/audit.rules -+echo "-w /etc/hosts -p wa -k audit_rules_networkconfig_modification" >> /etc/audit/audit.rules -+echo "-w /etc/sysconfig/network -p wa -k audit_rules_networkconfig_modification" >> /etc/audit/audit.rules - -From f488ee2cef17f8c5764b53d551beabdb8cbf0e60 Mon Sep 17 00:00:00 2001 -From: Vojtech Polasek -Date: Wed, 29 Apr 2020 17:13:12 +0200 -Subject: [PATCH 3/3] fix metadata and rewrite remediation to use newer macro - ---- - .../ansible/shared.yml | 21 ++++++++++++++++--- - 1 file changed, 18 insertions(+), 3 deletions(-) - -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_networkconfig_modification/ansible/shared.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_networkconfig_modification/ansible/shared.yml -index 3708226e66..fa07d5bf94 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_networkconfig_modification/ansible/shared.yml -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_networkconfig_modification/ansible/shared.yml -@@ -1,11 +1,26 @@ - # platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv --# reboot = true -+# reboot =false - # strategy = restrict - # complexity = low - # disruption = low - # remediate syscalls --{{{ ansible_audit_augenrules_add_syscall_rule(syscalls=["sethostname", "setdomainname"], key="audit_rules_networkconfig_modification") }}} --{{{ ansible_audit_auditctl_add_syscall_rule(syscalls=["sethostname", "setdomainname"], key="audit_rules_networkconfig_modification") }}} -+# -+# What architecture are we on? -+# -+- name: Set architecture for audit tasks -+ set_fact: -+ audit_arch: "b{{ ansible_architecture | regex_replace('.*(\\d\\d$)','\\1') }}" -+ -+- name: Remediate audit rules for network configuration for x86 -+ block: -+ {{{ ansible_audit_augenrules_add_syscall_rule(arch="b32", syscalls=["sethostname", "setdomainname"], key="audit_rules_networkconfig_modification")|indent(4) }}} -+ {{{ ansible_audit_auditctl_add_syscall_rule(arch="b32", syscalls=["sethostname", "setdomainname"], key="audit_rules_networkconfig_modification")|indent(4) }}} -+ -+- name: Remediate audit rules for network configuration for x86_64 -+ block: -+ {{{ ansible_audit_augenrules_add_syscall_rule(arch="b64", syscalls=["sethostname", "setdomainname"], key="audit_rules_networkconfig_modification")|indent(4) }}} -+ {{{ ansible_audit_auditctl_add_syscall_rule(arch="b64", syscalls=["sethostname", "setdomainname"], key="audit_rules_networkconfig_modification")|indent(4) }}} -+ when: audit_arch == "b64" - - # remediate watches - {{{ ansible_audit_augenrules_add_watch_rule(path='/etc/issue', permissions='wa', key='audit_rules_networkconfig_modification') }}} diff --git a/SOURCES/scap-security-guide-0.1.50-add_ansible_audit_rules_kernel_module_loading_PR_5594.patch b/SOURCES/scap-security-guide-0.1.50-add_ansible_audit_rules_kernel_module_loading_PR_5594.patch deleted file mode 100644 index 4d63e76..0000000 --- a/SOURCES/scap-security-guide-0.1.50-add_ansible_audit_rules_kernel_module_loading_PR_5594.patch +++ /dev/null @@ -1,117 +0,0 @@ -From 12f8a8fbbf4e2bf4bec46e256f272a43fdc26a58 Mon Sep 17 00:00:00 2001 -From: Vojtech Polasek -Date: Wed, 15 Apr 2020 13:18:23 +0200 -Subject: [PATCH 1/2] add ansible remediation - ---- - .../ansible/shared.yml | 81 +++++++++++++++++++ - 1 file changed, 81 insertions(+) - create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/ansible/shared.yml - -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/ansible/shared.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/ansible/shared.yml -new file mode 100644 -index 0000000000..8cc519c61b ---- /dev/null -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/ansible/shared.yml -@@ -0,0 +1,81 @@ -+# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv -+# reboot = true -+# strategy = restrict -+# complexity = low -+# disruption = low -+ -+# -+# What architecture are we on? -+# -+- name: Set architecture for audit modules tasks -+ set_fact: -+ audit_arch: "b{{ ansible_architecture | regex_replace('.*(\\d\\d$)','\\1') }}" -+ -+# -+# Inserts/replaces the rule in /etc/audit/rules.d -+# -+- name: Search /etc/audit/rules.d for other kernel module loading audit rules -+ find: -+ paths: "/etc/audit/rules.d" -+ recurse: no -+ contains: "-F key=modules$" -+ patterns: "*.rules" -+ register: find_modules -+ -+- name: If existing kernel module loading ruleset not found, use /etc/audit/rules.d/modules.rules as the recipient for the rule -+ set_fact: -+ all_files: -+ - /etc/audit/rules.d/modules.rules -+ when: find_modules.matched is defined and find_modules.matched == 0 -+ -+- name: Use matched file as the recipient for the rule -+ set_fact: -+ all_files: -+ - "{{ find_modules.files | map(attribute='path') | list | first }}" -+ when: find_modules.matched is defined and find_modules.matched > 0 -+ -+- name: Inserts/replaces the modules rule in rules.d when on x86 -+ lineinfile: -+ path: "{{ all_files[0] }}" -+ {{% if product == "rhel6" %}} -+ line: "-a always,exit -F arch=b32 -S init_module -S delete_module -k modules" -+ {{% else %}} -+ line: "-a always,exit -F arch=b32 -S init_module -S delete_module -S finit_module -k modules" -+ {{% endif %}} -+ create: yes -+ -+- name: Inserts/replaces the modules rule in rules.d when on x86_64 -+ lineinfile: -+ path: "{{ all_files[0] }}" -+ {{% if product == "rhel6" %}} -+ line: "-a always,exit -F arch=b64 -S init_module -S delete_module -k modules" -+ {{% else %}} -+ line: "-a always,exit -F arch=b64 -S init_module -S delete_module -S finit_module -k modules" -+ {{% endif %}} -+ create: yes -+ when: audit_arch is defined and audit_arch == 'b64' -+# -+# Inserts/replaces the rule in /etc/audit/audit.rules -+# -+- name: Inserts/replaces the modules rule in /etc/audit/audit.rules when on x86 -+ lineinfile: -+ {{% if product == "rhel6" %}} -+ line: "-a always,exit -F arch=b32 -S init_module -S delete_module -k modules" -+ {{% else %}} -+ line: "-a always,exit -F arch=b32 -S init_module -S delete_module -S finit_module -k modules" -+ {{% endif %}} -+ state: present -+ dest: /etc/audit/audit.rules -+ create: yes -+ -+- name: Inserts/replaces the modules rule in audit.rules when on x86_64 -+ lineinfile: -+ {{% if product == "rhel6" %}} -+ line: "-a always,exit -F arch=b64 -S init_module -S delete_module -k modules" -+ {{% else %}} -+ line: "-a always,exit -F arch=b64 -S init_module -S delete_module -S finit_module -k modules" -+ {{% endif %}} -+ state: present -+ dest: /etc/audit/audit.rules -+ create: yes -+ when: audit_arch is defined and audit_arch == 'b64' - -From 6295ba4c3bdc9fe24c0d39fb2db2284b803c5bb8 Mon Sep 17 00:00:00 2001 -From: Vojtech Polasek -Date: Wed, 15 Apr 2020 15:08:49 +0200 -Subject: [PATCH 2/2] fix test - ---- - .../tests/syscalls_one_per_arg.pass.sh | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/tests/syscalls_one_per_arg.pass.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/tests/syscalls_one_per_arg.pass.sh -index 30eb4757ec..ccc2d4beee 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/tests/syscalls_one_per_arg.pass.sh -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/tests/syscalls_one_per_arg.pass.sh -@@ -8,4 +8,4 @@ sed -i "s%^ExecStartPost=.*%ExecStartPost=-/sbin/auditctl%" /usr/lib/systemd/sys - rm -f /etc/audit/rules.d/* - - # cut out irrelevant rules for this test --sed '1,14d' test_audit.rules > /etc/audit/audit.rules -+sed '1,13d' test_audit.rules > /etc/audit/audit.rules diff --git a/SOURCES/scap-security-guide-0.1.50-add_ansible_audit_rules_mac_modification_PR_5638.patch b/SOURCES/scap-security-guide-0.1.50-add_ansible_audit_rules_mac_modification_PR_5638.patch deleted file mode 100644 index 32ad47b..0000000 --- a/SOURCES/scap-security-guide-0.1.50-add_ansible_audit_rules_mac_modification_PR_5638.patch +++ /dev/null @@ -1,341 +0,0 @@ -From 0be72ebcc3b8782ed617a8e99b1f188e4072f8a2 Mon Sep 17 00:00:00 2001 -From: Vojtech Polasek -Date: Fri, 17 Apr 2020 14:51:57 +0200 -Subject: [PATCH 1/5] create tests - ---- - .../tests/auditctl_correct.pass.sh | 6 ++++++ - .../tests/auditctl_missing.fail.sh | 6 ++++++ - .../tests/auditctl_wrong_value.fail.sh | 7 +++++++ - .../tests/augen_correct.pass.sh | 3 +++ - .../tests/augen_missing.fail.sh | 3 +++ - .../tests/augen_wrong_value.fail.sh | 4 ++++ - 6 files changed, 29 insertions(+) - create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_mac_modification/tests/auditctl_correct.pass.sh - create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_mac_modification/tests/auditctl_missing.fail.sh - create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_mac_modification/tests/auditctl_wrong_value.fail.sh - create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_mac_modification/tests/augen_correct.pass.sh - create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_mac_modification/tests/augen_missing.fail.sh - create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_mac_modification/tests/augen_wrong_value.fail.sh - -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_mac_modification/tests/auditctl_correct.pass.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_mac_modification/tests/auditctl_correct.pass.sh -new file mode 100644 -index 0000000000..398980456a ---- /dev/null -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_mac_modification/tests/auditctl_correct.pass.sh -@@ -0,0 +1,6 @@ -+#!/bin/bash -+ -+# use auditctl -+sed -i "s%^ExecStartPost=.*%ExecStartPost=-/sbin/auditctl%" /usr/lib/systemd/system/auditd.service -+ -+echo "-w /etc/selinux/ -p wa -k MAC-policy" > /etc/audit/audit.rules -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_mac_modification/tests/auditctl_missing.fail.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_mac_modification/tests/auditctl_missing.fail.sh -new file mode 100644 -index 0000000000..733436ecaf ---- /dev/null -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_mac_modification/tests/auditctl_missing.fail.sh -@@ -0,0 +1,6 @@ -+#!/bin/bash -+ -+# use auditctl -+sed -i "s%^ExecStartPost=.*%ExecStartPost=-/sbin/auditctl%" /usr/lib/systemd/system/auditd.service -+ -+echo "some value" > /etc/audit/audit.rules -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_mac_modification/tests/auditctl_wrong_value.fail.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_mac_modification/tests/auditctl_wrong_value.fail.sh -new file mode 100644 -index 0000000000..9ef870a12b ---- /dev/null -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_mac_modification/tests/auditctl_wrong_value.fail.sh -@@ -0,0 +1,7 @@ -+#!/bin/bash -+ -+# use auditctl -+sed -i "s%^ExecStartPost=.*%ExecStartPost=-/sbin/auditctl%" /usr/lib/systemd/system/auditd.service -+ -+echo "-w /etc/passwd -p w -k MAC-policy" > /etc/audit/audit.rules -+ -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_mac_modification/tests/augen_correct.pass.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_mac_modification/tests/augen_correct.pass.sh -new file mode 100644 -index 0000000000..a814e1b7ea ---- /dev/null -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_mac_modification/tests/augen_correct.pass.sh -@@ -0,0 +1,3 @@ -+#!/bin/bash -+ -+echo "-w /etc/selinux/ -p wa -k MAC-policy" > /etc/audit/rules.d/MAC-policy.rules -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_mac_modification/tests/augen_missing.fail.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_mac_modification/tests/augen_missing.fail.sh -new file mode 100644 -index 0000000000..0997495e4b ---- /dev/null -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_mac_modification/tests/augen_missing.fail.sh -@@ -0,0 +1,3 @@ -+#!/bin/bash -+ -+rm -rf /etc/audit/rules.d/* -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_mac_modification/tests/augen_wrong_value.fail.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_mac_modification/tests/augen_wrong_value.fail.sh -new file mode 100644 -index 0000000000..2208fcd089 ---- /dev/null -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_mac_modification/tests/augen_wrong_value.fail.sh -@@ -0,0 +1,4 @@ -+#!/bin/bash -+ -+rm -rf /etc/audit/rules.d/* -+echo "-w /etc/group -p w -k MAC-policy" > /etc/audit/rules.d/MAC-policy.rules - -From 62aa3afacab14b888da8b8af28ac60d10c400c7f Mon Sep 17 00:00:00 2001 -From: Vojtech Polasek -Date: Fri, 17 Apr 2020 15:15:10 +0200 -Subject: [PATCH 2/5] add ansible remediation - ---- - .../ansible/shared.yml | 46 +++++++++++++++++++ - 1 file changed, 46 insertions(+) - create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_mac_modification/ansible/shared.yml - -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_mac_modification/ansible/shared.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_mac_modification/ansible/shared.yml -new file mode 100644 -index 0000000000..c2e0aa856d ---- /dev/null -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_mac_modification/ansible/shared.yml -@@ -0,0 +1,46 @@ -+# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv -+# reboot = true -+# strategy = restrict -+# complexity = low -+# disruption = low -+ -+ -+# -+# Inserts/replaces the rule in /etc/audit/rules.d -+# -+- name: Search /etc/audit/rules.d for other MAC modification audit rules -+ find: -+ paths: "/etc/audit/rules.d" -+ recurse: no -+ contains: "-k MAC-policy$" -+ patterns: "*.rules" -+ register: find_mac -+ -+- name: If existing MAC modification ruleset not found, use /etc/audit/rules.d/MAC-policy.rules as the recipient for the rule -+ set_fact: -+ all_files: -+ - /etc/audit/rules.d/MAC-policy.rules -+ when: find_mac.matched is defined and find_mac.matched == 0 -+ -+- name: Use matched file as the recipient for the rule -+ set_fact: -+ all_files: -+ - "{{ find_mac.files | map(attribute='path') | list | first }}" -+ when: find_mac.matched is defined and find_mac.matched > 0 -+ -+- name: Inserts/replaces the MAC modification rule in rules.d -+ lineinfile: -+ path: "{{ all_files[0] }}" -+ line: "-w /etc/selinux/ -p wa -k MAC-policy" -+ create: yes -+ -+ -+# -+# Inserts/replaces the rule in /etc/audit/audit.rules -+# -+- name: Inserts/replaces the MAC modifications rule in /etc/audit/audit.rules -+ lineinfile: -+ line: "-w /etc/selinux/ -p wa -k MAC-policy" -+ state: present -+ dest: /etc/audit/audit.rules -+ create: yes - -From 2d84f563fc8f083e0356b82dced0cc5f4960bcf6 Mon Sep 17 00:00:00 2001 -From: Vojtech Polasek -Date: Mon, 20 Apr 2020 15:55:11 +0200 -Subject: [PATCH 3/5] check for already existing rule before remediation - ---- - .../ansible/shared.yml | 24 ++++++++++++++++--- - 1 file changed, 21 insertions(+), 3 deletions(-) - -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_mac_modification/ansible/shared.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_mac_modification/ansible/shared.yml -index c2e0aa856d..656707eafc 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_mac_modification/ansible/shared.yml -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_mac_modification/ansible/shared.yml -@@ -4,35 +4,52 @@ - # complexity = low - # disruption = low - -+- name: detect if rule does not already exist in /etc/audit/rules.d/* -+ find: -+ paths: "/etc/audit/rules.d" -+ recurse: no -+ contains: '-w\s+/etc/selinux/\s+-p\s+wa(\s|$)+' -+ patterns: "*.rules" -+ register: find_existing_rules_d -+ -+- name: detect if rule does not already exist in /etc/audit/audit.rules -+ find: -+ paths: "/etc/audit/" -+ contains: '-w\s+/etc/selinux/\s+-p\s+wa(\s|$)+' -+ patterns: "audit.rules" -+ register: find_existing_audit_rules -+ - - # - # Inserts/replaces the rule in /etc/audit/rules.d - # --- name: Search /etc/audit/rules.d for other MAC modification audit rules -+- name: Search /etc/audit/rules.d for other rules with MAC-policy key - find: - paths: "/etc/audit/rules.d" - recurse: no - contains: "-k MAC-policy$" - patterns: "*.rules" - register: find_mac -+ when: find_existing_rules_d.matched is defined and find_existing_rules_d.matched == 0 - - - name: If existing MAC modification ruleset not found, use /etc/audit/rules.d/MAC-policy.rules as the recipient for the rule - set_fact: - all_files: - - /etc/audit/rules.d/MAC-policy.rules -- when: find_mac.matched is defined and find_mac.matched == 0 -+ when: find_mac.matched is defined and find_mac.matched == 0 and find_existing_rules_d.matched is defined and find_existing_rules_d.matched == 0 - - - name: Use matched file as the recipient for the rule - set_fact: - all_files: - - "{{ find_mac.files | map(attribute='path') | list | first }}" -- when: find_mac.matched is defined and find_mac.matched > 0 -+ when: find_mac.matched is defined and find_mac.matched > 0 and find_existing_rules_d.matched is defined and find_existing_rules_d.matched == 0 - - - name: Inserts/replaces the MAC modification rule in rules.d - lineinfile: - path: "{{ all_files[0] }}" - line: "-w /etc/selinux/ -p wa -k MAC-policy" - create: yes -+ when: find_existing_rules_d.matched is defined and find_existing_rules_d.matched == 0 - - - # -@@ -44,3 +61,4 @@ - state: present - dest: /etc/audit/audit.rules - create: yes -+ when: find_existing_audit_rules.matched is defined and find_existing_audit_rules.matched == 0 - -From db78a47435f5136ce3ab9f8593547630c5205e9a Mon Sep 17 00:00:00 2001 -From: Vojtech Polasek -Date: Mon, 20 Apr 2020 17:07:59 +0200 -Subject: [PATCH 4/5] feedback to review - -anchoring regexes, name fixes ---- - .../ansible/shared.yml | 26 +++++++++---------- - 1 file changed, 13 insertions(+), 13 deletions(-) - -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_mac_modification/ansible/shared.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_mac_modification/ansible/shared.yml -index 656707eafc..8622138f82 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_mac_modification/ansible/shared.yml -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_mac_modification/ansible/shared.yml -@@ -4,20 +4,20 @@ - # complexity = low - # disruption = low - --- name: detect if rule does not already exist in /etc/audit/rules.d/* -+- name: Check if rule does not already exist in /etc/audit/rules.d/* - find: - paths: "/etc/audit/rules.d" - recurse: no -- contains: '-w\s+/etc/selinux/\s+-p\s+wa(\s|$)+' -+ contains: '^\s*-w\s+/etc/selinux/\s+-p\s+wa(\s|$)+' - patterns: "*.rules" -- register: find_existing_rules_d -+ register: find_existing_mac_rules_d - --- name: detect if rule does not already exist in /etc/audit/audit.rules -+- name: Check if rule does not already exist in /etc/audit/audit.rules - find: - paths: "/etc/audit/" -- contains: '-w\s+/etc/selinux/\s+-p\s+wa(\s|$)+' -+ contains: '^\s*-w\s+/etc/selinux/\s+-p\s+wa(\s|$)+' - patterns: "audit.rules" -- register: find_existing_audit_rules -+ register: find_existing_mac_audit_rules - - - # -@@ -29,27 +29,27 @@ - recurse: no - contains: "-k MAC-policy$" - patterns: "*.rules" -- register: find_mac -- when: find_existing_rules_d.matched is defined and find_existing_rules_d.matched == 0 -+ register: find_mac_key -+ when: find_existing_mac_rules_d.matched is defined and find_existing_mac_rules_d.matched == 0 - - - name: If existing MAC modification ruleset not found, use /etc/audit/rules.d/MAC-policy.rules as the recipient for the rule - set_fact: - all_files: - - /etc/audit/rules.d/MAC-policy.rules -- when: find_mac.matched is defined and find_mac.matched == 0 and find_existing_rules_d.matched is defined and find_existing_rules_d.matched == 0 -+ when: find_mac_key.matched is defined and find_mac_key.matched == 0 and find_existing_mac_rules_d.matched is defined and find_existing_mac_rules_d.matched == 0 - - - name: Use matched file as the recipient for the rule - set_fact: - all_files: -- - "{{ find_mac.files | map(attribute='path') | list | first }}" -- when: find_mac.matched is defined and find_mac.matched > 0 and find_existing_rules_d.matched is defined and find_existing_rules_d.matched == 0 -+ - "{{ find_mac_key.files | map(attribute='path') | list | first }}" -+ when: find_mac_key.matched is defined and find_mac_key.matched > 0 and find_existing_mac_rules_d.matched is defined and find_existing_mac_rules_d.matched == 0 - - - name: Inserts/replaces the MAC modification rule in rules.d - lineinfile: - path: "{{ all_files[0] }}" - line: "-w /etc/selinux/ -p wa -k MAC-policy" - create: yes -- when: find_existing_rules_d.matched is defined and find_existing_rules_d.matched == 0 -+ when: find_existing_mac_rules_d.matched is defined and find_existing_mac_rules_d.matched == 0 - - - # -@@ -61,4 +61,4 @@ - state: present - dest: /etc/audit/audit.rules - create: yes -- when: find_existing_audit_rules.matched is defined and find_existing_audit_rules.matched == 0 -+ when: find_existing_mac_audit_rules.matched is defined and find_existing_mac_audit_rules.matched == 0 - -From ba04156742e3f577f4b4144136ccacb7edf034ae Mon Sep 17 00:00:00 2001 -From: Vojtech Polasek -Date: Tue, 21 Apr 2020 11:11:20 +0200 -Subject: [PATCH 5/5] cosmetic fixes - ---- - .../audit_rules_mac_modification/ansible/shared.yml | 8 ++++++-- - 1 file changed, 6 insertions(+), 2 deletions(-) - -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_mac_modification/ansible/shared.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_mac_modification/ansible/shared.yml -index 8622138f82..65d935c8f4 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_mac_modification/ansible/shared.yml -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_mac_modification/ansible/shared.yml -@@ -4,7 +4,11 @@ - # complexity = low - # disruption = low - --- name: Check if rule does not already exist in /etc/audit/rules.d/* -+# -+# check if rules already exist -+# -+ -+- name: Check if rule already exists in /etc/audit/rules.d/* - find: - paths: "/etc/audit/rules.d" - recurse: no -@@ -12,7 +16,7 @@ - patterns: "*.rules" - register: find_existing_mac_rules_d - --- name: Check if rule does not already exist in /etc/audit/audit.rules -+- name: Check if rule already exists in /etc/audit/audit.rules - find: - paths: "/etc/audit/" - contains: '^\s*-w\s+/etc/selinux/\s+-p\s+wa(\s|$)+' diff --git a/SOURCES/scap-security-guide-0.1.50-add_ansible_audit_rules_media_export_PR_5590.patch b/SOURCES/scap-security-guide-0.1.50-add_ansible_audit_rules_media_export_PR_5590.patch deleted file mode 100644 index 3f3a5d3..0000000 --- a/SOURCES/scap-security-guide-0.1.50-add_ansible_audit_rules_media_export_PR_5590.patch +++ /dev/null @@ -1,81 +0,0 @@ -From 9525e4ccb79ad245a8b3df48927c55a0c2589911 Mon Sep 17 00:00:00 2001 -From: Vojtech Polasek -Date: Wed, 15 Apr 2020 11:25:09 +0200 -Subject: [PATCH] add ansible remediation - ---- - .../ansible/shared.yml | 65 +++++++++++++++++++ - 1 file changed, 65 insertions(+) - create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_media_export/ansible/shared.yml - -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_media_export/ansible/shared.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_media_export/ansible/shared.yml -new file mode 100644 -index 0000000000..12a61b6d1c ---- /dev/null -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_media_export/ansible/shared.yml -@@ -0,0 +1,65 @@ -+# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv -+# reboot = true -+# strategy = restrict -+# complexity = low -+# disruption = low -+ -+# -+# What architecture are we on? -+# -+- name: Set architecture for audit media export tasks -+ set_fact: -+ audit_arch: "b{{ ansible_architecture | regex_replace('.*(\\d\\d$)','\\1') }}" -+ -+# -+# Inserts/replaces the rule in /etc/audit/rules.d -+# -+- name: Search /etc/audit/rules.d for other media export audit rules -+ find: -+ paths: "/etc/audit/rules.d" -+ recurse: no -+ contains: "-F key=export$" -+ patterns: "*.rules" -+ register: find_mount -+ -+- name: If existing media export ruleset not found, use /etc/audit/rules.d/export.rules as the recipient for the rule -+ set_fact: -+ all_files: -+ - /etc/audit/rules.d/export.rules -+ when: find_mount.matched is defined and find_mount.matched == 0 -+ -+- name: Use matched file as the recipient for the rule -+ set_fact: -+ all_files: -+ - "{{ find_mount.files | map(attribute='path') | list | first }}" -+ when: find_mount.matched is defined and find_mount.matched > 0 -+ -+- name: Inserts/replaces the media export rule in rules.d when on x86 -+ lineinfile: -+ path: "{{ all_files[0] }}" -+ line: "-a always,exit -F arch=b32 -S mount -F auid>={{{ auid }}} -F auid!=unset -F key=export" -+ create: yes -+ -+- name: Inserts/replaces the media export rule in rules.d when on x86_64 -+ lineinfile: -+ path: "{{ all_files[0] }}" -+ line: "-a always,exit -F arch=b64 -S mount -F auid>={{{ auid }}} -F auid!=unset -F key=export" -+ create: yes -+ when: audit_arch is defined and audit_arch == 'b64' -+# -+# Inserts/replaces the rule in /etc/audit/audit.rules -+# -+- name: Inserts/replaces the media export rule in /etc/audit/audit.rules when on x86 -+ lineinfile: -+ line: "-a always,exit -F arch=b32 -S mount -F auid>={{{ auid }}} -F auid!=unset -F key=export" -+ state: present -+ dest: /etc/audit/audit.rules -+ create: yes -+ -+- name: Inserts/replaces the media export rule in audit.rules when on x86_64 -+ lineinfile: -+ line: "-a always,exit -F arch=b64 -S mount -F auid>={{{ auid }}} -F auid!=unset -F key=export" -+ state: present -+ dest: /etc/audit/audit.rules -+ create: yes -+ when: audit_arch is defined and audit_arch == 'b64' diff --git a/SOURCES/scap-security-guide-0.1.50-add_ansible_audit_rules_session_events_PR_5721.patch b/SOURCES/scap-security-guide-0.1.50-add_ansible_audit_rules_session_events_PR_5721.patch deleted file mode 100644 index 77ae510..0000000 --- a/SOURCES/scap-security-guide-0.1.50-add_ansible_audit_rules_session_events_PR_5721.patch +++ /dev/null @@ -1,113 +0,0 @@ -From c0edf5074b0b8dd7ed7cfab74a8b4f278b0e51c5 Mon Sep 17 00:00:00 2001 -From: Vojtech Polasek -Date: Wed, 29 Apr 2020 12:57:58 +0200 -Subject: [PATCH 1/2] add ansible remediation - ---- - .../audit_rules_session_events/ansible/shared.yml | 12 ++++++++++++ - 1 file changed, 12 insertions(+) - create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_session_events/ansible/shared.yml - -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_session_events/ansible/shared.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_session_events/ansible/shared.yml -new file mode 100644 -index 0000000000..08694d3032 ---- /dev/null -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_session_events/ansible/shared.yml -@@ -0,0 +1,12 @@ -+# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv -+# reboot = true -+# strategy = restrict -+# complexity = low -+# disruption = low -+ -+{{{ ansible_audit_augenrules_add_watch_rule(path='/var/run/utmp', permissions='wa', key='session') }}} -+{{{ ansible_audit_auditctl_add_watch_rule(path='/var/run/utmp', permissions='wa', key='session') }}} -+{{{ ansible_audit_augenrules_add_watch_rule(path='/var/log/btmp', permissions='wa', key='session') }}} -+{{{ ansible_audit_auditctl_add_watch_rule(path='/var/log/btmp', permissions='wa', key='session') }}} -+{{{ ansible_audit_augenrules_add_watch_rule(path='/var/log/wtmp', permissions='wa', key='session') }}} -+{{{ ansible_audit_auditctl_add_watch_rule(path='/var/log/wtmp', permissions='wa', key='session') }}} - -From b8d3dc253ee62a5c4e725b2a89ab6f22f4870e66 Mon Sep 17 00:00:00 2001 -From: Vojtech Polasek -Date: Wed, 29 Apr 2020 12:58:17 +0200 -Subject: [PATCH 2/2] att tests - ---- - .../tests/auditctl_correct.pass.sh | 11 +++++++++++ - .../tests/auditctl_rules_missing.fail.sh | 7 +++++++ - .../tests/augen_correct.pass.ah | 9 +++++++++ - .../tests/augen_partial_rules.fail.sh | 6 ++++++ - .../tests/augen_rules_missing.fail.sh | 3 +++ - 5 files changed, 36 insertions(+) - create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_session_events/tests/auditctl_correct.pass.sh - create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_session_events/tests/auditctl_rules_missing.fail.sh - create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_session_events/tests/augen_correct.pass.ah - create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_session_events/tests/augen_partial_rules.fail.sh - create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_session_events/tests/augen_rules_missing.fail.sh - -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_session_events/tests/auditctl_correct.pass.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_session_events/tests/auditctl_correct.pass.sh -new file mode 100644 -index 0000000000..82d53db8e5 ---- /dev/null -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_session_events/tests/auditctl_correct.pass.sh -@@ -0,0 +1,11 @@ -+#!/bin/bash -+ -+# use auditctl -+sed -i "s%^ExecStartPost=.*%ExecStartPost=-/sbin/auditctl%" /usr/lib/systemd/system/auditd.service -+ -+rm -rf /etc/audit/rules.d/* -+rm /etc/audit/audit.rules -+ -+echo "-w /var/run/utmp -p wa -k session" >> /etc/audit/audit.rules -+echo "-w /var/log/btmp -p wa -k session" >> /etc/audit/audit.rules -+echo "-w /var/log/wtmp -p wa -k session" >> /etc/audit/audit.rules -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_session_events/tests/auditctl_rules_missing.fail.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_session_events/tests/auditctl_rules_missing.fail.sh -new file mode 100644 -index 0000000000..a9bac580e8 ---- /dev/null -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_session_events/tests/auditctl_rules_missing.fail.sh -@@ -0,0 +1,7 @@ -+#!/bin/bash -+ -+# use auditctl -+sed -i "s%^ExecStartPost=.*%ExecStartPost=-/sbin/auditctl%" /usr/lib/systemd/system/auditd.service -+ -+rm -rf /etc/audit/rules.d/* -+rm /etc/audit/audit.rules -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_session_events/tests/augen_correct.pass.ah b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_session_events/tests/augen_correct.pass.ah -new file mode 100644 -index 0000000000..32e5686026 ---- /dev/null -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_session_events/tests/augen_correct.pass.ah -@@ -0,0 +1,9 @@ -+#!/bin/bash -+ -+rm -rf /etc/audit/rules.d/* -+rm /etc/audit/audit.rules -+ -+echo "-w /var/run/utmp -p wa -k session" >> /etc/audit/rules.d/session.rules -+echo "-w /var/log/btmp -p wa -k session" >> /etc/audit/rules.d/session.rules -+echo "-w /var/log/wtmp -p wa -k session" >> /etc/audit/rules.d/session.rules -+ -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_session_events/tests/augen_partial_rules.fail.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_session_events/tests/augen_partial_rules.fail.sh -new file mode 100644 -index 0000000000..26862281f7 ---- /dev/null -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_session_events/tests/augen_partial_rules.fail.sh -@@ -0,0 +1,6 @@ -+#!/bin/bash -+ -+rm -rf /etc/audit/rules.d/* -+rm -f /etc/audit/audit.rules -+ -+echo "-w /var/run/utmp -p wa -k session" >> /etc/audit/audit.rules -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_session_events/tests/augen_rules_missing.fail.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_session_events/tests/augen_rules_missing.fail.sh -new file mode 100644 -index 0000000000..0997495e4b ---- /dev/null -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_session_events/tests/augen_rules_missing.fail.sh -@@ -0,0 +1,3 @@ -+#!/bin/bash -+ -+rm -rf /etc/audit/rules.d/* diff --git a/SOURCES/scap-security-guide-0.1.50-add_ansible_audit_time_rules_PR_5720.patch b/SOURCES/scap-security-guide-0.1.50-add_ansible_audit_time_rules_PR_5720.patch deleted file mode 100644 index d9dad8c..0000000 --- a/SOURCES/scap-security-guide-0.1.50-add_ansible_audit_time_rules_PR_5720.patch +++ /dev/null @@ -1,246 +0,0 @@ -From 03c44366cd4bc16808e000eac7b3eb548851cb1a Mon Sep 17 00:00:00 2001 -From: Watson Sato -Date: Wed, 29 Apr 2020 10:59:43 +0200 -Subject: [PATCH 1/4] Add Ansible remediations for syscall time changes - -Uses Ansible audit macros to add remediations for: -- adjtimex -- settimeofday -- stime ---- - .../ansible/shared.yml | 20 +++++++++++++++++++ - .../ansible/shared.yml | 20 +++++++++++++++++++ - .../audit_rules_time_stime/ansible/shared.yml | 14 +++++++++++++ - 3 files changed, 54 insertions(+) - create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_adjtimex/ansible/shared.yml - create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_settimeofday/ansible/shared.yml - create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_stime/ansible/shared.yml - -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_adjtimex/ansible/shared.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_adjtimex/ansible/shared.yml -new file mode 100644 -index 0000000000..2ecbf5f998 ---- /dev/null -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_adjtimex/ansible/shared.yml -@@ -0,0 +1,20 @@ -+# platform = multi_platform_all -+# reboot = false -+# strategy = restrict -+# complexity = low -+# disruption = low -+ -+- name: Set architecture for audit tasks -+ set_fact: -+ audit_arch: "b{{ ansible_architecture | regex_replace('.*(\\d\\d$)','\\1') }}" -+ -+- name: Perform remediation of Audit rules for adjtimex for x86 platform -+ block: -+ {{{ ansible_audit_augenrules_add_syscall_rule(arch=b32, syscalls=["adjtimex"], key="audit_time_rules")|indent(4) }}} -+ {{{ ansible_audit_auditctl_add_syscall_rule(arch="b32", syscalls=["adjtimex"], key="audit_time_rules")|indent(4) }}} -+ -+- name: Perform remediation of Audit rules for adjtimex for x86_64 platform -+ block: -+ {{{ ansible_audit_augenrules_add_syscall_rule(arch=b64, syscalls=["adjtimex"], key="audit_time_rules")|indent(4) }}} -+ {{{ ansible_audit_auditctl_add_syscall_rule(arch="b64", syscalls=["adjtimex"], key="audit_time_rules")|indent(4) }}} -+ when: audit_arch == "b64" -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_settimeofday/ansible/shared.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_settimeofday/ansible/shared.yml -new file mode 100644 -index 0000000000..e97a752298 ---- /dev/null -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_settimeofday/ansible/shared.yml -@@ -0,0 +1,20 @@ -+# platform = multi_platform_all -+# reboot = false -+# strategy = restrict -+# complexity = low -+# disruption = low -+ -+- name: Set architecture for audit tasks -+ set_fact: -+ audit_arch: "b{{ ansible_architecture | regex_replace('.*(\\d\\d$)','\\1') }}" -+ -+- name: Perform remediation of Audit rules for settimeofday for x86 platform -+ block: -+ {{{ ansible_audit_augenrules_add_syscall_rule(arch=b32, syscalls=["settimeofday"], key="audit_time_rules")|indent(4) }}} -+ {{{ ansible_audit_auditctl_add_syscall_rule(arch="b32", syscalls=["settimeofday"], key="audit_time_rules")|indent(4) }}} -+ -+- name: Perform remediation of Audit rules for settimeofday for x86_64 platform -+ block: -+ {{{ ansible_audit_augenrules_add_syscall_rule(arch=b64, syscalls=["settimeofday"], key="audit_time_rules")|indent(4) }}} -+ {{{ ansible_audit_auditctl_add_syscall_rule(arch="b64", syscalls=["settimeofday"], key="audit_time_rules")|indent(4) }}} -+ when: audit_arch == "b64" -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_stime/ansible/shared.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_stime/ansible/shared.yml -new file mode 100644 -index 0000000000..b1e9380781 ---- /dev/null -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_stime/ansible/shared.yml -@@ -0,0 +1,14 @@ -+# platform = multi_platform_all -+# reboot = false -+# strategy = restrict -+# complexity = low -+# disruption = low -+ -+- name: Set architecture for audit tasks -+ set_fact: -+ audit_arch: "b{{ ansible_architecture | regex_replace('.*(\\d\\d$)','\\1') }}" -+ -+- name: Perform remediation of Audit rules for stime syscall for x86 platform -+ block: -+ {{{ ansible_audit_augenrules_add_syscall_rule(arch=b32, syscalls=["stime"], key="audit_time_rules")|indent(4) }}} -+ {{{ ansible_audit_auditctl_add_syscall_rule(arch="b32", syscalls=["stime"], key="audit_time_rules")|indent(4) }}} - -From c004e5bdceb4a942585adff1cb085165e6dcbc1b Mon Sep 17 00:00:00 2001 -From: Watson Sato -Date: Wed, 29 Apr 2020 12:02:23 +0200 -Subject: [PATCH 2/4] time_adjtimex: Rename, simplify and add tests - ---- - .../tests/correct_syscall.pass.sh | 7 +++++++ - .../audit_rules_time_adjtimex/tests/correct_value.pass.sh | 8 -------- - .../tests/line_not_there.fail.sh | 5 ----- - .../tests/syscall_not_there.fail.sh | 5 +++++ - 4 files changed, 12 insertions(+), 13 deletions(-) - create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_adjtimex/tests/correct_syscall.pass.sh - delete mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_adjtimex/tests/correct_value.pass.sh - delete mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_adjtimex/tests/line_not_there.fail.sh - create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_adjtimex/tests/syscall_not_there.fail.sh - -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_adjtimex/tests/correct_syscall.pass.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_adjtimex/tests/correct_syscall.pass.sh -new file mode 100644 -index 0000000000..51c8e8705e ---- /dev/null -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_adjtimex/tests/correct_syscall.pass.sh -@@ -0,0 +1,7 @@ -+#!/bin/bash -+ -+# profiles = xccdf_org.ssgproject.content_profile_cis -+ -+rm -rf /etc/audit/rules.d/*.rules -+echo "-a always,exit -F arch=b32 -S adjtimex -k audit_time_rules" >> /etc/audit/rules.d/time.rules -+echo "-a always,exit -F arch=b64 -S adjtimex -k audit_time_rules" >> /etc/audit/rules.d/time.rules -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_adjtimex/tests/correct_value.pass.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_adjtimex/tests/correct_value.pass.sh -deleted file mode 100644 -index d37d624763..0000000000 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_adjtimex/tests/correct_value.pass.sh -+++ /dev/null -@@ -1,8 +0,0 @@ --#!/bin/bash -- --# profiles = xccdf_org.ssgproject.content_profile_ospp -- --if grep -qv "^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32.*(-S[\s]+adjtimex[\s]+|([\s]+|[,])adjtimex([\s]+|[,])).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$" /etc/audit/rules.d/*.rules; then -- echo "-a always,exit -F arch=b32 -S adjtimex -k audit_time_rules" >> /etc/audit/rules.d/time.rules -- echo "-a always,exit -F arch=b64 -S adjtimex -k audit_time_rules" >> /etc/audit/rules.d/time.rules --fi -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_adjtimex/tests/line_not_there.fail.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_adjtimex/tests/line_not_there.fail.sh -deleted file mode 100644 -index bdf8c837f2..0000000000 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_adjtimex/tests/line_not_there.fail.sh -+++ /dev/null -@@ -1,5 +0,0 @@ --#!/bin/bash -- --# profiles = xccdf_org.ssgproject.content_profile_ospp -- --sed -i "/^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32.*(-S[\s]+adjtimex[\s]+|([\s]+|[,])adjtimex([\s]+|[,])).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$/d" /etc/audit/rules.d/*.rules -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_adjtimex/tests/syscall_not_there.fail.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_adjtimex/tests/syscall_not_there.fail.sh -new file mode 100644 -index 0000000000..73eec5e777 ---- /dev/null -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_adjtimex/tests/syscall_not_there.fail.sh -@@ -0,0 +1,5 @@ -+#!/bin/bash -+ -+# profiles = xccdf_org.ssgproject.content_profile_cis -+ -+rm -rf /etc/audit/rules.d/*.rules - -From f09c6fd53814d00d85a1ca311887dea11c48d3ad Mon Sep 17 00:00:00 2001 -From: Watson Sato -Date: Thu, 30 Apr 2020 10:47:00 +0200 -Subject: [PATCH 3/4] Add Ansible remedation to watch for time changes - ---- - .../audit_rules_time_watch_localtime/ansible/shared.yml | 8 ++++++++ - 1 file changed, 8 insertions(+) - create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_watch_localtime/ansible/shared.yml - -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_watch_localtime/ansible/shared.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_watch_localtime/ansible/shared.yml -new file mode 100644 -index 0000000000..629dea88bb ---- /dev/null -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_watch_localtime/ansible/shared.yml -@@ -0,0 +1,8 @@ -+# platform = multi_platform_all -+# reboot = false -+# strategy = restrict -+# complexity = low -+# disruption = low -+ -+{{{ ansible_audit_augenrules_add_watch_rule(path="/etc/localtime", permissions="wa", key="audit_time_rules") }}} -+{{{ ansible_audit_auditctl_add_watch_rule(path="/etc/localtime", permissions="wa", key="audit_time_rules") }}} - -From fe5e3be44528cd331ab7697daa2d0373e01d8d62 Mon Sep 17 00:00:00 2001 -From: Watson Sato -Date: Thu, 30 Apr 2020 16:32:08 +0200 -Subject: [PATCH 4/4] Fix arch parameter and useless arch task - ---- - .../audit_rules_time_adjtimex/ansible/shared.yml | 4 ++-- - .../audit_rules_time_settimeofday/ansible/shared.yml | 4 ++-- - .../audit_rules_time_stime/ansible/shared.yml | 6 +----- - 3 files changed, 5 insertions(+), 9 deletions(-) - -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_adjtimex/ansible/shared.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_adjtimex/ansible/shared.yml -index 2ecbf5f998..921b8e34cb 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_adjtimex/ansible/shared.yml -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_adjtimex/ansible/shared.yml -@@ -10,11 +10,11 @@ - - - name: Perform remediation of Audit rules for adjtimex for x86 platform - block: -- {{{ ansible_audit_augenrules_add_syscall_rule(arch=b32, syscalls=["adjtimex"], key="audit_time_rules")|indent(4) }}} -+ {{{ ansible_audit_augenrules_add_syscall_rule(arch="b32", syscalls=["adjtimex"], key="audit_time_rules")|indent(4) }}} - {{{ ansible_audit_auditctl_add_syscall_rule(arch="b32", syscalls=["adjtimex"], key="audit_time_rules")|indent(4) }}} - - - name: Perform remediation of Audit rules for adjtimex for x86_64 platform - block: -- {{{ ansible_audit_augenrules_add_syscall_rule(arch=b64, syscalls=["adjtimex"], key="audit_time_rules")|indent(4) }}} -+ {{{ ansible_audit_augenrules_add_syscall_rule(arch="b64", syscalls=["adjtimex"], key="audit_time_rules")|indent(4) }}} - {{{ ansible_audit_auditctl_add_syscall_rule(arch="b64", syscalls=["adjtimex"], key="audit_time_rules")|indent(4) }}} - when: audit_arch == "b64" -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_settimeofday/ansible/shared.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_settimeofday/ansible/shared.yml -index e97a752298..b1a25c2776 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_settimeofday/ansible/shared.yml -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_settimeofday/ansible/shared.yml -@@ -10,11 +10,11 @@ - - - name: Perform remediation of Audit rules for settimeofday for x86 platform - block: -- {{{ ansible_audit_augenrules_add_syscall_rule(arch=b32, syscalls=["settimeofday"], key="audit_time_rules")|indent(4) }}} -+ {{{ ansible_audit_augenrules_add_syscall_rule(arch="b32", syscalls=["settimeofday"], key="audit_time_rules")|indent(4) }}} - {{{ ansible_audit_auditctl_add_syscall_rule(arch="b32", syscalls=["settimeofday"], key="audit_time_rules")|indent(4) }}} - - - name: Perform remediation of Audit rules for settimeofday for x86_64 platform - block: -- {{{ ansible_audit_augenrules_add_syscall_rule(arch=b64, syscalls=["settimeofday"], key="audit_time_rules")|indent(4) }}} -+ {{{ ansible_audit_augenrules_add_syscall_rule(arch="b64", syscalls=["settimeofday"], key="audit_time_rules")|indent(4) }}} - {{{ ansible_audit_auditctl_add_syscall_rule(arch="b64", syscalls=["settimeofday"], key="audit_time_rules")|indent(4) }}} - when: audit_arch == "b64" -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_stime/ansible/shared.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_stime/ansible/shared.yml -index b1e9380781..b57c71ce21 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_stime/ansible/shared.yml -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_stime/ansible/shared.yml -@@ -4,11 +4,7 @@ - # complexity = low - # disruption = low - --- name: Set architecture for audit tasks -- set_fact: -- audit_arch: "b{{ ansible_architecture | regex_replace('.*(\\d\\d$)','\\1') }}" -- - - name: Perform remediation of Audit rules for stime syscall for x86 platform - block: -- {{{ ansible_audit_augenrules_add_syscall_rule(arch=b32, syscalls=["stime"], key="audit_time_rules")|indent(4) }}} -+ {{{ ansible_audit_augenrules_add_syscall_rule(arch="b32", syscalls=["stime"], key="audit_time_rules")|indent(4) }}} - {{{ ansible_audit_auditctl_add_syscall_rule(arch="b32", syscalls=["stime"], key="audit_time_rules")|indent(4) }}} diff --git a/SOURCES/scap-security-guide-0.1.50-add_ansible_ensure_logrotate_activated_PR_5753.patch b/SOURCES/scap-security-guide-0.1.50-add_ansible_ensure_logrotate_activated_PR_5753.patch deleted file mode 100644 index e859c54..0000000 --- a/SOURCES/scap-security-guide-0.1.50-add_ansible_ensure_logrotate_activated_PR_5753.patch +++ /dev/null @@ -1,71 +0,0 @@ -From 8605fc4fd40f5d2067d9b81f41d5f523d9a5ba98 Mon Sep 17 00:00:00 2001 -From: Watson Sato -Date: Tue, 12 May 2020 08:17:20 +0200 -Subject: [PATCH 1/2] Add Ansible for ensure_logrotate_activated - ---- - .../ansible/shared.yml | 33 +++++++++++++++++++ - 1 file changed, 33 insertions(+) - create mode 100644 linux_os/guide/system/logging/log_rotation/ensure_logrotate_activated/ansible/shared.yml - -diff --git a/linux_os/guide/system/logging/log_rotation/ensure_logrotate_activated/ansible/shared.yml b/linux_os/guide/system/logging/log_rotation/ensure_logrotate_activated/ansible/shared.yml -new file mode 100644 -index 0000000000..5d76b3c073 ---- /dev/null -+++ b/linux_os/guide/system/logging/log_rotation/ensure_logrotate_activated/ansible/shared.yml -@@ -0,0 +1,33 @@ -+# platform = multi_platform_all -+# reboot = false -+# strategy = configure -+# complexity = low -+# disruption = low -+ -+- name: Configure daily log rotation in /etc/logrotate.conf -+ lineinfile: -+ create: yes -+ dest: "/etc/logrotate.conf" -+ regexp: "^daily$" -+ line: "daily" -+ -+- name: Make sure daily log rotation setting is not overriden in /etc/logrotate.conf -+ lineinfile: -+ create: no -+ dest: "/etc/logrotate.conf" -+ regexp: "^(weekly|monthly|yearly)$" -+ state: absent -+ -+- name: Configure cron.daily if not already -+ block: -+ - name: Add shebang -+ lineinfile: -+ path: "/etc/cron.daily/logrotate" -+ line: "#!/bin/sh" -+ insertbefore: BOF -+ create: yes -+ - name: Add logrotate call -+ lineinfile: -+ path: "/etc/cron.daily/logrotate" -+ line: '/usr/sbin/logrotate /etc/logrotate.conf' -+ regexp: '^[\s]*/usr/sbin/logrotate[\s\S]*/etc/logrotate.conf$' - -From 085e5b2d18c9f50a6486a50f964ff71b74d5dade Mon Sep 17 00:00:00 2001 -From: Watson Sato -Date: Tue, 12 May 2020 14:48:15 +0200 -Subject: [PATCH 2/2] Add test for ensure_logrotate_activated - -Test scenario when monthly is there, but weekly is not. ---- - .../tests/logrotate_conf_extra_monthly.fail.sh | 4 ++++ - 1 file changed, 4 insertions(+) - create mode 100644 linux_os/guide/system/logging/log_rotation/ensure_logrotate_activated/tests/logrotate_conf_extra_monthly.fail.sh - -diff --git a/linux_os/guide/system/logging/log_rotation/ensure_logrotate_activated/tests/logrotate_conf_extra_monthly.fail.sh b/linux_os/guide/system/logging/log_rotation/ensure_logrotate_activated/tests/logrotate_conf_extra_monthly.fail.sh -new file mode 100644 -index 0000000000..b10362989b ---- /dev/null -+++ b/linux_os/guide/system/logging/log_rotation/ensure_logrotate_activated/tests/logrotate_conf_extra_monthly.fail.sh -@@ -0,0 +1,4 @@ -+#!/bin/bash -+ -+sed -i "s/weekly/daily/g" /etc/logrotate.conf -+echo "monthly" >> /etc/logrotate.conf diff --git a/SOURCES/scap-security-guide-0.1.50-add_ansible_ipv6_option_disabled_PR_5737.patch b/SOURCES/scap-security-guide-0.1.50-add_ansible_ipv6_option_disabled_PR_5737.patch deleted file mode 100644 index def994b..0000000 --- a/SOURCES/scap-security-guide-0.1.50-add_ansible_ipv6_option_disabled_PR_5737.patch +++ /dev/null @@ -1,64 +0,0 @@ -From e14418e1bfbecde7f7091173c8ad9c84b28bd8ee Mon Sep 17 00:00:00 2001 -From: Watson Sato -Date: Mon, 4 May 2020 18:51:13 +0200 -Subject: [PATCH] Add Ansible for kernel_module_ipv6_option_disabled - -The remediation does more than disabling only one kernel module, so it -is not suitable for "templation" (use of templating system). ---- - .../ansible/shared.yml | 22 +++++++++++++++++++ - .../tests/module_disabled.pass.sh | 4 ++++ - .../tests/module_enabled.fail.sh | 4 ++++ - 3 files changed, 30 insertions(+) - create mode 100644 linux_os/guide/system/network/network-ipv6/disabling_ipv6/kernel_module_ipv6_option_disabled/ansible/shared.yml - create mode 100644 linux_os/guide/system/network/network-ipv6/disabling_ipv6/kernel_module_ipv6_option_disabled/tests/module_disabled.pass.sh - create mode 100644 linux_os/guide/system/network/network-ipv6/disabling_ipv6/kernel_module_ipv6_option_disabled/tests/module_enabled.fail.sh - -diff --git a/linux_os/guide/system/network/network-ipv6/disabling_ipv6/kernel_module_ipv6_option_disabled/ansible/shared.yml b/linux_os/guide/system/network/network-ipv6/disabling_ipv6/kernel_module_ipv6_option_disabled/ansible/shared.yml -new file mode 100644 -index 0000000000..a6d6229bdc ---- /dev/null -+++ b/linux_os/guide/system/network/network-ipv6/disabling_ipv6/kernel_module_ipv6_option_disabled/ansible/shared.yml -@@ -0,0 +1,22 @@ -+# platform = multi_platform_all -+# reboot = true -+# strategy = disable -+# complexity = low -+# disruption = medium -+ -+- name: Disable IPv6 Networking kernel module -+ lineinfile: -+ create: yes -+ dest: "/etc/modprobe.d/ipv6.conf" -+ regexp: "^options\\s+ipv6\\s+disable=\\d" -+ line: "options ipv6 disable=1" -+ -+- name: Ensure disable_ipv6 (all and default) is set to 1 -+ sysctl: -+ name: "{{ item }}" -+ value: "1" -+ state: present -+ reload: yes -+ with_items: -+ - "net.ipv6.conf.all.disable_ipv6" -+ - "net.ipv6.conf.default.disable_ipv6" -diff --git a/linux_os/guide/system/network/network-ipv6/disabling_ipv6/kernel_module_ipv6_option_disabled/tests/module_disabled.pass.sh b/linux_os/guide/system/network/network-ipv6/disabling_ipv6/kernel_module_ipv6_option_disabled/tests/module_disabled.pass.sh -new file mode 100644 -index 0000000000..f22b37b8e8 ---- /dev/null -+++ b/linux_os/guide/system/network/network-ipv6/disabling_ipv6/kernel_module_ipv6_option_disabled/tests/module_disabled.pass.sh -@@ -0,0 +1,4 @@ -+#!/bin/bash -+# platform = Red Hat Enterprise Linux 7 -+ -+echo "options ipv6 disable=1" > /etc/modprobe.d/ipv6.conf -diff --git a/linux_os/guide/system/network/network-ipv6/disabling_ipv6/kernel_module_ipv6_option_disabled/tests/module_enabled.fail.sh b/linux_os/guide/system/network/network-ipv6/disabling_ipv6/kernel_module_ipv6_option_disabled/tests/module_enabled.fail.sh -new file mode 100644 -index 0000000000..82122fea40 ---- /dev/null -+++ b/linux_os/guide/system/network/network-ipv6/disabling_ipv6/kernel_module_ipv6_option_disabled/tests/module_enabled.fail.sh -@@ -0,0 +1,4 @@ -+#!/bin/bash -+# platform = Red Hat Enterprise Linux 7 -+ -+echo "options ipv6 disable=0" > /etc/modprobe.d/ipv6.conf diff --git a/SOURCES/scap-security-guide-0.1.50-add_ansible_macro_syscall_rule_PR_5709.patch b/SOURCES/scap-security-guide-0.1.50-add_ansible_macro_syscall_rule_PR_5709.patch deleted file mode 100644 index ade0667..0000000 --- a/SOURCES/scap-security-guide-0.1.50-add_ansible_macro_syscall_rule_PR_5709.patch +++ /dev/null @@ -1,738 +0,0 @@ -From 8dd8ca19bc7608db27ba79ac0df90cbc502dcfa8 Mon Sep 17 00:00:00 2001 -From: Vojtech Polasek -Date: Mon, 27 Apr 2020 14:51:22 +0200 -Subject: [PATCH 1/7] create macro - ---- - shared/macros-ansible.jinja | 176 ++++++++++++++++++++++++++++++++++++ - 1 file changed, 176 insertions(+) - -diff --git a/shared/macros-ansible.jinja b/shared/macros-ansible.jinja -index 884b562ae4..7ccab981d2 100644 ---- a/shared/macros-ansible.jinja -+++ b/shared/macros-ansible.jinja -@@ -346,3 +346,179 @@ The macro requires following parameters: - create: yes - when: find_existing_watch_audit_rules.matched is defined and find_existing_watch_audit_rules.matched == 0 - {{%- endmacro %}} -+ -+{{% macro ansible_audit_augenrules_add_syscall_rule(arch="", syscalls=[], key="") -%}} -+# -+# What architecture are we on? -+# -+- name: Set architecture for audit modules tasks -+ set_fact: -+ audit_arch: "b{{ ansible_architecture | regex_replace('.*(\\d\\d$)','\\1') }}" -+ -+- name: Declare list of syscals -+ set_fact: -+ syscalls: {{{ syscalls }}} -+ -+- name: Declare number of syscalls -+ set_fact: audit_syscalls_number_of_syscalls="{{ syscalls|length|int }}" -+ -+- name: Check existence of syscalls for 32 bit architecture in /etc/audit/rules.d/ -+ find: -+ paths: "/etc/audit/rules.d" -+ contains: '^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+{{ item }}[\s]+|([\s]+|[,]){{ item }}([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$' -+ patterns: "*.rules" -+ register: audit_syscalls_found_32_rules_d -+ loop: "{{ syscalls }}" -+ -+- name: Get number of matched 32 bit syscalls in /etc/audit/rules.d/ -+ set_fact: audit_syscalls_matched_32_rules_d="{{audit_syscalls_found_32_rules_d.results|sum(attribute='matched')|int }}" -+ -+{{% if arch == "64" %}} -+- name: Check existence of syscalls for 64 bit architecture in /etc/audit/rules.d/ -+ find: -+ paths: "/etc/audit/rules.d" -+ contains: '^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+{{ item }}[\s]+|([\s]+|[,]){{ item }}([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$' -+ patterns: "*.rules" -+ register: audit_syscalls_found_64_rules_d -+ loop: "{{ syscalls }}" -+ -+- name: Get number of matched 64 bit syscalls in /etc/audit/rules.d/ -+ set_fact: audit_syscalls_matched_64_rules_d="{{audit_syscalls_found_64_rules_d.results|sum(attribute='matched')|int }}" -+{{% endif %}} -+ -+- name: Search /etc/audit/rules.d for other rules with the key {{{ key }}} -+ find: -+ paths: "/etc/audit/rules.d" -+ recurse: no -+ contains: '(-F key=)|(-k\s+){{{ key }}}$' -+ patterns: "*.rules" -+ register: find_syscalls_files -+ -+- name: Use /etc/audit/rules.d/{{{ key }}}.rules as the recipient for the rule -+ set_fact: -+ all_files: -+ - /etc/audit/rules.d/{{{ key }}}.rules -+ when: find_syscalls_files.matched is defined and find_syscalls_files.matched == 0 -+ -+- name: Use matched file as the recipient for the rule -+ set_fact: -+ all_files: -+ - "{{ find_syscalls_files.files | map(attribute='path') | list | first }}" -+ when: find_syscalls_files.matched is defined and find_syscalls_files.matched > 0 -+ -+- name: "Insert the modules rule in {{ all_files[0] }} when on x86" -+ block: -+ - name: "Construct rule: add rule list, action and arch" -+ set_fact: tmpline="-a always,exit -F arch=b32 " -+ - name: "Construct rule: add syscalls" -+ set_fact: tmpline="{{tmpline + '-S ' + item.item + ' ' }}" -+ loop: "{{ audit_syscalls_found_32_rules_d.results }}" -+ when: item.matched is defined and item.matched == 0 -+ - name: "Construct rule: add key" -+ set_fact: tmpline="{{ tmpline + '-k {{{ key }}}' }}" -+ - name: "Insert the line in {{ all_files[0] }}" -+ lineinfile: -+ path: "{{ all_files[0] }}" -+ line: "{{ tmpline }}" -+ create: true -+ state: present -+ when: audit_syscalls_matched_32_rules_d < audit_syscalls_number_of_syscalls -+ -+{{% if arch == "64" %}} -+- name: "Insert the modules rule in {{ all_files[0] }} when on x86_64" -+ block: -+ - name: "Construct rule: add rule list, action and arch" -+ set_fact: tmpline="-a always,exit -F arch=b64 " -+ - name: "Construct rule: add syscalls" -+ set_fact: tmpline="{{tmpline + '-S ' + item.item + ' ' }}" -+ loop: "{{ audit_syscalls_found_64_rules_d.results }}" -+ when: item.matched is defined and item.matched == 0 -+ - name: "Construct rule: add key" -+ set_fact: tmpline="{{ tmpline + '-k {{{ key }}}' }}" -+ - name: "Insert the line in {{ all_files[0] }}" -+ lineinfile: -+ path: "{{ all_files[0] }}" -+ line: "{{ tmpline }}" -+ create: true -+ state: present -+ when: audit_syscalls_matched_64_rules_d < audit_syscalls_number_of_syscalls and audit_arch is defined and audit_arch == 'b64' -+{{% endif %}} -+{{%- endmacro %}} -+ -+{{% macro ansible_audit_auditctl_add_syscall_rule(arch="", syscalls=[], key="") -%}} -+# -+# What architecture are we on? -+# -+- name: Set architecture for audit modules tasks -+ set_fact: -+ audit_arch: "b{{ ansible_architecture | regex_replace('.*(\\d\\d$)','\\1') }}" -+ -+- name: Declare list of syscals -+ set_fact: -+ syscalls: {{{ syscalls }}} -+ -+- name: Declare number of syscalls -+ set_fact: audit_syscalls_number_of_syscalls="{{ syscalls|length|int }}" -+ -+- name: Check existence of syscalls for 32 bit architecture in /etc/audit/audit.rules -+ find: -+ paths: "/etc/audit" -+ contains: '^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+{{ item }}[\s]+|([\s]+|[,]){{ item }}([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$' -+ patterns: "audit.rules" -+ register: audit_syscalls_found_32_audit_rules -+ loop: "{{ syscalls }}" -+ -+- name: Get number of matched 32 bit syscalls in /etc/audit/audit.rules -+ set_fact: audit_syscalls_matched_32_audit_rules="{{audit_syscalls_found_32_audit_rules.results|sum(attribute='matched')|int }}" -+ -+{{% if arch == "64" %}} -+- name: Check existence of syscalls for 64 bit architecture in /etc/audit/audit.rules -+ find: -+ paths: "/etc/audit" -+ contains: '^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+{{ item }}[\s]+|([\s]+|[,]){{ item }}([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$' -+ patterns: "audit.rules" -+ register: audit_syscalls_found_64_audit_rules -+ loop: "{{ syscalls }}" -+ -+- name: Get number of matched 64 bit syscalls in /etc/audit/rules.d/* -+ set_fact: audit_syscalls_matched_64_audit_rules="{{audit_syscalls_found_64_audit_rules.results|sum(attribute='matched')|int }}" -+{{% endif %}} -+ -+- name: Insert the modules rule in /etc/audit/audit.rules when on x86 -+ block: -+ - name: "Construct rule: add rule list, action and arch" -+ set_fact: tmpline="-a always,exit -F arch=b32 " -+ - name: "Construct rule: add syscalls" -+ set_fact: tmpline="{{tmpline + '-S ' + item.item + ' ' }}" -+ loop: "{{ audit_syscalls_found_32_audit_rules.results }}" -+ when: item.matched is defined and item.matched == 0 -+ - name: "Construct rule: add key" -+ set_fact: tmpline="{{ tmpline + '-k {{{ key }}}' }}" -+ - name: Insert the line in /etc/audit/audit.rules -+ lineinfile: -+ path: "/etc/audit/audit.rules" -+ line: "{{ tmpline }}" -+ create: true -+ state: present -+ when: audit_syscalls_matched_32_audit_rules < audit_syscalls_number_of_syscalls -+ -+{{% if arch == "64" %}} -+- name: Insert the modules rule in /etc/audit/rules.d when on x86_64 -+ block: -+ - name: "Construct rule: add rule list, action and arch" -+ set_fact: tmpline="-a always,exit -F arch=b64 " -+ - name: "Construct rule: add syscalls" -+ set_fact: tmpline="{{tmpline + '-S ' + item.item + ' ' }}" -+ loop: "{{ audit_syscalls_found_64_audit_rules.results }}" -+ when: item.matched is defined and item.matched == 0 -+ - name: "Construct rule: add key" -+ set_fact: tmpline="{{ tmpline + '-k {{{ key }}}' }}" -+ - name: Insert the line in /etc/audit/audit.rules -+ lineinfile: -+ path: "/etc/audit/audit.rules" -+ line: "{{ tmpline }}" -+ create: true -+ state: present -+ when: audit_syscalls_matched_64_audit_rules < audit_syscalls_number_of_syscalls and audit_arch is defined and audit_arch == 'b64' -+{{% endif %}} -+{{%- endmacro %}} - -From afefec951b00a9b068a3a9c7fe9e22c6b73c79b1 Mon Sep 17 00:00:00 2001 -From: Vojtech Polasek -Date: Mon, 27 Apr 2020 14:51:40 +0200 -Subject: [PATCH 2/7] use macro in example rule - ---- - .../ansible/shared.yml | 167 +----------------- - 1 file changed, 4 insertions(+), 163 deletions(-) - -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/ansible/shared.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/ansible/shared.yml -index 9d028a598d..ac448523c6 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/ansible/shared.yml -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/ansible/shared.yml -@@ -4,166 +4,7 @@ - # complexity = low - # disruption = low - --# --# What architecture are we on? --# --- name: Set architecture for audit modules tasks -- set_fact: -- audit_arch: "b{{ ansible_architecture | regex_replace('.*(\\d\\d$)','\\1') }}" -- --- name: Declare list of syscals -- set_fact: -- syscalls: -- - "init_module" -- - "delete_module" -- {{% if product != "rhel6" %}} -- - "finit_module" -- {{% endif %}} -- --- name: Declare number of syscalls -- set_fact: audit_kernel_number_of_syscalls="{{ syscalls|length|int }}" -- --# --#rules in /etc/audit/rules.d/* --# -- --- name: Check existence of syscalls for 32 bit architecture in /etc/audit/rules.d/ -- find: -- paths: "/etc/audit/rules.d" -- contains: '^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+{{ item }}[\s]+|([\s]+|[,]){{ item }}([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$' -- patterns: "*.rules" -- register: audit_kernel_found_32_rules_d -- loop: "{{ syscalls }}" -- --- name: Get number of matched 32 bit syscalls in /etc/audit/rules.d/ -- set_fact: audit_kernel_matched_32_rules_d="{{audit_kernel_found_32_rules_d.results|sum(attribute='matched')|int }}" -- --- name: Check existence of syscalls for 64 bit architecture in /etc/audit/rules.d/ -- find: -- paths: "/etc/audit/rules.d" -- contains: '^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+{{ item }}[\s]+|([\s]+|[,]){{ item }}([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$' -- patterns: "*.rules" -- register: audit_kernel_found_64_rules_d -- loop: "{{ syscalls }}" -- --- name: Get number of matched 64 bit syscalls in /etc/audit/rules.d/ -- set_fact: audit_kernel_matched_64_rules_d="{{audit_kernel_found_64_rules_d.results|sum(attribute='matched')|int }}" -- --- name: Search /etc/audit/rules.d for other kernel module loading audit rules -- find: -- paths: "/etc/audit/rules.d" -- recurse: no -- contains: "(-F key=modules)|(-k modules)$" -- patterns: "*.rules" -- register: find_modules -- --- name: Use /etc/audit/rules.d/modules.rules as the recipient for the rule -- set_fact: -- all_files: -- - /etc/audit/rules.d/modules.rules -- when: find_modules.matched is defined and find_modules.matched == 0 -- --- name: Use matched file as the recipient for the rule -- set_fact: -- all_files: -- - "{{ find_modules.files | map(attribute='path') | list | first }}" -- when: find_modules.matched is defined and find_modules.matched > 0 -- --- name: "Insert the modules rule in {{ all_files[0] }} when on x86" -- block: -- - name: "Construct rule: add rule list, action and arch" -- set_fact: tmpline="-a always,exit -F arch=b32 " -- - name: "Construct rule: add syscalls" -- set_fact: tmpline="{{tmpline + '-S ' + item.item + ' ' }}" -- loop: "{{ audit_kernel_found_32_rules_d.results }}" -- when: item.matched is defined and item.matched == 0 -- - name: "Construct rule: add key" -- set_fact: tmpline="{{ tmpline + '-k modules' }}" -- - name: "Insert the line in {{ all_files[0] }}" -- lineinfile: -- path: "{{ all_files[0] }}" -- line: "{{ tmpline }}" -- create: true -- state: present -- when: audit_kernel_matched_32_rules_d < audit_kernel_number_of_syscalls -- --- name: "Insert the modules rule in {{ all_files[0] }} when on x86_64" -- block: -- - name: "Construct rule: add rule list, action and arch" -- set_fact: tmpline="-a always,exit -F arch=b64 " -- - name: "Construct rule: add syscalls" -- set_fact: tmpline="{{tmpline + '-S ' + item.item + ' ' }}" -- loop: "{{ audit_kernel_found_64_rules_d.results }}" -- when: item.matched is defined and item.matched == 0 -- - name: "Construct rule: add key" -- set_fact: tmpline="{{ tmpline + '-k modules' }}" -- - name: "Insert the line in {{ all_files[0] }}" -- lineinfile: -- path: "{{ all_files[0] }}" -- line: "{{ tmpline }}" -- create: true -- state: present -- when: audit_kernel_matched_64_rules_d < audit_kernel_number_of_syscalls and audit_arch is defined and audit_arch == 'b64' -- -- --# --# rules in /etc/audit/audit.rules --# -- --- name: Check existence of syscalls for 32 bit architecture in /etc/audit/audit.rules -- find: -- paths: "/etc/audit" -- contains: '^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+{{ item }}[\s]+|([\s]+|[,]){{ item }}([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$' -- patterns: "audit.rules" -- register: audit_kernel_found_32_audit_rules -- loop: "{{ syscalls }}" -- --- name: Get number of matched 32 bit syscalls in /etc/audit/audit.rules -- set_fact: audit_kernel_matched_32_audit_rules="{{audit_kernel_found_32_audit_rules.results|sum(attribute='matched')|int }}" -- --- name: Check existence of syscalls for 64 bit architecture in /etc/audit/audit.rules -- find: -- paths: "/etc/audit" -- contains: '^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+{{ item }}[\s]+|([\s]+|[,]){{ item }}([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$' -- patterns: "audit.rules" -- register: audit_kernel_found_64_audit_rules -- loop: "{{ syscalls }}" -- --- name: Get number of matched 64 bit syscalls in /etc/audit/rules.d/* -- set_fact: audit_kernel_matched_64_audit_rules="{{audit_kernel_found_64_audit_rules.results|sum(attribute='matched')|int }}" -- --- name: Insert the modules rule in /etc/audit/audit.rules when on x86 -- block: -- - name: "Construct rule: add rule list, action and arch" -- set_fact: tmpline="-a always,exit -F arch=b32 " -- - name: "Construct rule: add syscalls" -- set_fact: tmpline="{{tmpline + '-S ' + item.item + ' ' }}" -- loop: "{{ audit_kernel_found_32_audit_rules.results }}" -- when: item.matched is defined and item.matched == 0 -- - name: "Construct rule: add key" -- set_fact: tmpline="{{ tmpline + '-k modules' }}" -- - name: Insert the line in /etc/audit/audit.rules -- lineinfile: -- path: "/etc/audit/audit.rules" -- line: "{{ tmpline }}" -- create: true -- state: present -- when: audit_kernel_matched_32_audit_rules < audit_kernel_number_of_syscalls -- --- name: Insert the modules rule in /etc/audit/rules.d when on x86_64 -- block: -- - name: "Construct rule: add rule list, action and arch" -- set_fact: tmpline="-a always,exit -F arch=b64 " -- - name: "Construct rule: add syscalls" -- set_fact: tmpline="{{tmpline + '-S ' + item.item + ' ' }}" -- loop: "{{ audit_kernel_found_64_audit_rules.results }}" -- when: item.matched is defined and item.matched == 0 -- - name: "Construct rule: add key" -- set_fact: tmpline="{{ tmpline + '-k modules' }}" -- - name: Insert the line in /etc/audit/audit.rules -- lineinfile: -- path: "/etc/audit/audit.rules" -- line: "{{ tmpline }}" -- create: true -- state: present -- when: audit_kernel_matched_64_audit_rules < audit_kernel_number_of_syscalls and audit_arch is defined and audit_arch == 'b64' -+{{{ ansible_audit_augenrules_add_syscall_rule(arch="32", syscalls=["init_module", "finit_module", "delete_module"], key="modules") }}} -+{{{ ansible_audit_augenrules_add_syscall_rule(arch="64", syscalls=["init_module", "finit_module", "delete_module"], key="modules") }}} -+{{{ ansible_audit_auditctl_add_syscall_rule(arch="32", syscalls=["init_module", "finit_module", "delete_module"], key="modules") }}} -+{{{ ansible_audit_auditctl_add_syscall_rule(arch="64", syscalls=["init_module", "finit_module", "delete_module"], key="modules") }}} - -From 08504829c3ef3cda866425986b60df0d457d59cd Mon Sep 17 00:00:00 2001 -From: Vojtech Polasek -Date: Mon, 27 Apr 2020 16:14:56 +0200 -Subject: [PATCH 3/7] add documentation, fix task naming - ---- - shared/macros-ansible.jinja | 24 ++++++++++++++++++++---- - 1 file changed, 20 insertions(+), 4 deletions(-) - -diff --git a/shared/macros-ansible.jinja b/shared/macros-ansible.jinja -index 7ccab981d2..a61ca4528d 100644 ---- a/shared/macros-ansible.jinja -+++ b/shared/macros-ansible.jinja -@@ -347,6 +347,15 @@ The macro requires following parameters: - when: find_existing_watch_audit_rules.matched is defined and find_existing_watch_audit_rules.matched == 0 - {{%- endmacro %}} - -+{{# -+The following macro remediates Audit syscall rule in /etc/audit/rules.d directory. -+The macro requires following parameters: -+- arch: must be 32 or 64, this distinguishes the architecture (32 bit or 64 bit). Rules for appropriate architecture will be used. -+- syscalls: list of syscalls supplied as a list ["syscall1", "syscall2"] etc. -+- key: a key to use as rule identifier. -+Note that if there already exists a rule wit the same key in the /etc/audit/rules.d directory, the rule will be placed in the same file. -+#}} -+ - {{% macro ansible_audit_augenrules_add_syscall_rule(arch="", syscalls=[], key="") -%}} - # - # What architecture are we on? -@@ -406,7 +415,7 @@ The macro requires following parameters: - - "{{ find_syscalls_files.files | map(attribute='path') | list | first }}" - when: find_syscalls_files.matched is defined and find_syscalls_files.matched > 0 - --- name: "Insert the modules rule in {{ all_files[0] }} when on x86" -+- name: "Insert the syscall rule in {{ all_files[0] }} when on x86" - block: - - name: "Construct rule: add rule list, action and arch" - set_fact: tmpline="-a always,exit -F arch=b32 " -@@ -425,7 +434,7 @@ The macro requires following parameters: - when: audit_syscalls_matched_32_rules_d < audit_syscalls_number_of_syscalls - - {{% if arch == "64" %}} --- name: "Insert the modules rule in {{ all_files[0] }} when on x86_64" -+- name: "Insert the syscall rule in {{ all_files[0] }} when on x86_64" - block: - - name: "Construct rule: add rule list, action and arch" - set_fact: tmpline="-a always,exit -F arch=b64 " -@@ -445,6 +454,13 @@ The macro requires following parameters: - {{% endif %}} - {{%- endmacro %}} - -+{{# -+The following macro remediates Audit syscall rule in /etc/audit/audit.rules file. -+The macro requires following parameters: -+- arch: must be 32 or 64, this distinguishes the architecture (32 bit or 64 bit). Rules for appropriate architecture will be used. -+- syscalls: list of syscalls supplied as a list ["syscall1", "syscall2"] etc. -+- key: a key to use as rule identifier. -+#}} - {{% macro ansible_audit_auditctl_add_syscall_rule(arch="", syscalls=[], key="") -%}} - # - # What architecture are we on? -@@ -484,7 +500,7 @@ The macro requires following parameters: - set_fact: audit_syscalls_matched_64_audit_rules="{{audit_syscalls_found_64_audit_rules.results|sum(attribute='matched')|int }}" - {{% endif %}} - --- name: Insert the modules rule in /etc/audit/audit.rules when on x86 -+- name: Insert the syscall rule in /etc/audit/audit.rules when on x86 - block: - - name: "Construct rule: add rule list, action and arch" - set_fact: tmpline="-a always,exit -F arch=b32 " -@@ -503,7 +519,7 @@ The macro requires following parameters: - when: audit_syscalls_matched_32_audit_rules < audit_syscalls_number_of_syscalls - - {{% if arch == "64" %}} --- name: Insert the modules rule in /etc/audit/rules.d when on x86_64 -+- name: Insert the syscall rule in /etc/audit/rules.d when on x86_64 - block: - - name: "Construct rule: add rule list, action and arch" - set_fact: tmpline="-a always,exit -F arch=b64 " - -From 7b5a2f5efd8c39aee066eb8c59e034612129f00a Mon Sep 17 00:00:00 2001 -From: Vojtech Polasek -Date: Tue, 28 Apr 2020 11:31:40 +0200 -Subject: [PATCH 4/7] remove arch argument from macros - -modify the example rule -add rhel6 condition to the rule ---- - .../ansible/shared.yml | 11 +++++++---- - shared/macros-ansible.jinja | 18 ++++++------------ - 2 files changed, 13 insertions(+), 16 deletions(-) - -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/ansible/shared.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/ansible/shared.yml -index ac448523c6..3b16dd1989 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/ansible/shared.yml -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/ansible/shared.yml -@@ -4,7 +4,10 @@ - # complexity = low - # disruption = low - --{{{ ansible_audit_augenrules_add_syscall_rule(arch="32", syscalls=["init_module", "finit_module", "delete_module"], key="modules") }}} --{{{ ansible_audit_augenrules_add_syscall_rule(arch="64", syscalls=["init_module", "finit_module", "delete_module"], key="modules") }}} --{{{ ansible_audit_auditctl_add_syscall_rule(arch="32", syscalls=["init_module", "finit_module", "delete_module"], key="modules") }}} --{{{ ansible_audit_auditctl_add_syscall_rule(arch="64", syscalls=["init_module", "finit_module", "delete_module"], key="modules") }}} -+{{% if product == "rhel6" %}} -+{{{ ansible_audit_augenrules_add_syscall_rule(syscalls=["init_module", "delete_module"], key="modules") }}} -+{{{ ansible_audit_auditctl_add_syscall_rule(syscalls=["init_module", "delete_module"], key="modules") }}} -+{{% else %}} -+{{{ ansible_audit_augenrules_add_syscall_rule(syscalls=["init_module", "finit_module", "delete_module"], key="modules") }}} -+{{{ ansible_audit_auditctl_add_syscall_rule(syscalls=["init_module", "finit_module", "delete_module"], key="modules") }}} -+{{% endif %}} -diff --git a/shared/macros-ansible.jinja b/shared/macros-ansible.jinja -index a61ca4528d..09b80bf114 100644 ---- a/shared/macros-ansible.jinja -+++ b/shared/macros-ansible.jinja -@@ -350,13 +350,14 @@ The macro requires following parameters: - {{# - The following macro remediates Audit syscall rule in /etc/audit/rules.d directory. - The macro requires following parameters: --- arch: must be 32 or 64, this distinguishes the architecture (32 bit or 64 bit). Rules for appropriate architecture will be used. - - syscalls: list of syscalls supplied as a list ["syscall1", "syscall2"] etc. - - key: a key to use as rule identifier. - Note that if there already exists a rule wit the same key in the /etc/audit/rules.d directory, the rule will be placed in the same file. -+The rule determines the architecture of the system and apply appropriate remediations. -+It utilizes b32 for X86 architecture and both b32 and b64 for x86_64 architecture. - #}} - --{{% macro ansible_audit_augenrules_add_syscall_rule(arch="", syscalls=[], key="") -%}} -+{{% macro ansible_audit_augenrules_add_syscall_rule(syscalls=[], key="") -%}} - # - # What architecture are we on? - # -@@ -382,7 +383,6 @@ Note that if there already exists a rule wit the same key in the /etc/audit/rul - - name: Get number of matched 32 bit syscalls in /etc/audit/rules.d/ - set_fact: audit_syscalls_matched_32_rules_d="{{audit_syscalls_found_32_rules_d.results|sum(attribute='matched')|int }}" - --{{% if arch == "64" %}} - - name: Check existence of syscalls for 64 bit architecture in /etc/audit/rules.d/ - find: - paths: "/etc/audit/rules.d" -@@ -393,7 +393,6 @@ Note that if there already exists a rule wit the same key in the /etc/audit/rul - - - name: Get number of matched 64 bit syscalls in /etc/audit/rules.d/ - set_fact: audit_syscalls_matched_64_rules_d="{{audit_syscalls_found_64_rules_d.results|sum(attribute='matched')|int }}" --{{% endif %}} - - - name: Search /etc/audit/rules.d for other rules with the key {{{ key }}} - find: -@@ -433,7 +432,6 @@ Note that if there already exists a rule wit the same key in the /etc/audit/rul - state: present - when: audit_syscalls_matched_32_rules_d < audit_syscalls_number_of_syscalls - --{{% if arch == "64" %}} - - name: "Insert the syscall rule in {{ all_files[0] }} when on x86_64" - block: - - name: "Construct rule: add rule list, action and arch" -@@ -451,17 +449,17 @@ Note that if there already exists a rule wit the same key in the /etc/audit/rul - create: true - state: present - when: audit_syscalls_matched_64_rules_d < audit_syscalls_number_of_syscalls and audit_arch is defined and audit_arch == 'b64' --{{% endif %}} - {{%- endmacro %}} - - {{# - The following macro remediates Audit syscall rule in /etc/audit/audit.rules file. - The macro requires following parameters: --- arch: must be 32 or 64, this distinguishes the architecture (32 bit or 64 bit). Rules for appropriate architecture will be used. - - syscalls: list of syscalls supplied as a list ["syscall1", "syscall2"] etc. - - key: a key to use as rule identifier. -+The rule determines the architecture of the system and apply appropriate remediations. -+It utilizes b32 for X86 architecture and both b32 and b64 for x86_64 architecture. - #}} --{{% macro ansible_audit_auditctl_add_syscall_rule(arch="", syscalls=[], key="") -%}} -+{{% macro ansible_audit_auditctl_add_syscall_rule(syscalls=[], key="") -%}} - # - # What architecture are we on? - # -@@ -487,7 +485,6 @@ The macro requires following parameters: - - name: Get number of matched 32 bit syscalls in /etc/audit/audit.rules - set_fact: audit_syscalls_matched_32_audit_rules="{{audit_syscalls_found_32_audit_rules.results|sum(attribute='matched')|int }}" - --{{% if arch == "64" %}} - - name: Check existence of syscalls for 64 bit architecture in /etc/audit/audit.rules - find: - paths: "/etc/audit" -@@ -498,7 +495,6 @@ The macro requires following parameters: - - - name: Get number of matched 64 bit syscalls in /etc/audit/rules.d/* - set_fact: audit_syscalls_matched_64_audit_rules="{{audit_syscalls_found_64_audit_rules.results|sum(attribute='matched')|int }}" --{{% endif %}} - - - name: Insert the syscall rule in /etc/audit/audit.rules when on x86 - block: -@@ -518,7 +514,6 @@ The macro requires following parameters: - state: present - when: audit_syscalls_matched_32_audit_rules < audit_syscalls_number_of_syscalls - --{{% if arch == "64" %}} - - name: Insert the syscall rule in /etc/audit/rules.d when on x86_64 - block: - - name: "Construct rule: add rule list, action and arch" -@@ -536,5 +531,4 @@ The macro requires following parameters: - create: true - state: present - when: audit_syscalls_matched_64_audit_rules < audit_syscalls_number_of_syscalls and audit_arch is defined and audit_arch == 'b64' --{{% endif %}} - {{%- endmacro %}} - -From 2d2e18a8f21a076ea31dc91463611359cd220ad5 Mon Sep 17 00:00:00 2001 -From: Vojtech Polasek -Date: Tue, 28 Apr 2020 17:07:19 +0200 -Subject: [PATCH 5/7] add tests for augen-rules - ---- - ...ass.sh => auditctl_syscalls_multiple_per_arg.pass.sh} | 0 - ...arg.pass.sh => auditctl_syscalls_one_per_arg.pass.sh} | 0 - ...ne.pass.sh => auditctl_syscalls_one_per_line.pass.sh} | 0 - ...> auditctl_syscalls_one_per_line_one_missing.fail.sh} | 0 - .../tests/augen_syscalls_multiple_per_arg.pass.sh | 9 +++++++++ - .../tests/augen_syscalls_one_per_arg.pass.sh | 8 ++++++++ - .../tests/augen_syscalls_one_per_line.pass.sh | 7 +++++++ - .../augen_syscalls_one_per_line_one_missing.fail.sh | 7 +++++++ - 8 files changed, 31 insertions(+) - rename linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/tests/{syscalls_multiple_per_arg.pass.sh => auditctl_syscalls_multiple_per_arg.pass.sh} (100%) - rename linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/tests/{syscalls_one_per_arg.pass.sh => auditctl_syscalls_one_per_arg.pass.sh} (100%) - rename linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/tests/{syscalls_one_per_line.pass.sh => auditctl_syscalls_one_per_line.pass.sh} (100%) - rename linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/tests/{syscalls_one_per_line_one_missing.fail.sh => auditctl_syscalls_one_per_line_one_missing.fail.sh} (100%) - create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/tests/augen_syscalls_multiple_per_arg.pass.sh - create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/tests/augen_syscalls_one_per_arg.pass.sh - create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/tests/augen_syscalls_one_per_line.pass.sh - create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/tests/augen_syscalls_one_per_line_one_missing.fail.sh - -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/tests/syscalls_multiple_per_arg.pass.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/tests/auditctl_syscalls_multiple_per_arg.pass.sh -similarity index 100% -rename from linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/tests/syscalls_multiple_per_arg.pass.sh -rename to linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/tests/auditctl_syscalls_multiple_per_arg.pass.sh -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/tests/syscalls_one_per_arg.pass.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/tests/auditctl_syscalls_one_per_arg.pass.sh -similarity index 100% -rename from linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/tests/syscalls_one_per_arg.pass.sh -rename to linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/tests/auditctl_syscalls_one_per_arg.pass.sh -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/tests/syscalls_one_per_line.pass.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/tests/auditctl_syscalls_one_per_line.pass.sh -similarity index 100% -rename from linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/tests/syscalls_one_per_line.pass.sh -rename to linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/tests/auditctl_syscalls_one_per_line.pass.sh -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/tests/syscalls_one_per_line_one_missing.fail.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/tests/auditctl_syscalls_one_per_line_one_missing.fail.sh -similarity index 100% -rename from linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/tests/syscalls_one_per_line_one_missing.fail.sh -rename to linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/tests/auditctl_syscalls_one_per_line_one_missing.fail.sh -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/tests/augen_syscalls_multiple_per_arg.pass.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/tests/augen_syscalls_multiple_per_arg.pass.sh -new file mode 100644 -index 0000000000..c50695a586 ---- /dev/null -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/tests/augen_syscalls_multiple_per_arg.pass.sh -@@ -0,0 +1,9 @@ -+#!/bin/bash -+# profiles = xccdf_org.ssgproject.content_profile_C2S -+ -+ -+rm -f /etc/audit/rules.d/* -+ -+# cut out irrelevant rules for this test -+sed '1,10d' test_audit.rules > /etc/audit/rules.d/test.rules -+sed -i '5,8d' /etc/audit/rules.d/test.rules -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/tests/augen_syscalls_one_per_arg.pass.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/tests/augen_syscalls_one_per_arg.pass.sh -new file mode 100644 -index 0000000000..c086da0b0f ---- /dev/null -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/tests/augen_syscalls_one_per_arg.pass.sh -@@ -0,0 +1,8 @@ -+#!/bin/bash -+# profiles = xccdf_org.ssgproject.content_profile_C2S -+ -+ -+rm -f /etc/audit/rules.d/* -+ -+# cut out irrelevant rules for this test -+sed '1,13d' test_audit.rules > /etc/audit/rules.d/test.rules -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/tests/augen_syscalls_one_per_line.pass.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/tests/augen_syscalls_one_per_line.pass.sh -new file mode 100644 -index 0000000000..76a868ab17 ---- /dev/null -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/tests/augen_syscalls_one_per_line.pass.sh -@@ -0,0 +1,7 @@ -+#!/bin/bash -+# profiles = xccdf_org.ssgproject.content_profile_C2S -+ -+rm -f /etc/audit/rules.d/* -+ -+# cut out irrelevant rules for this test -+sed '11,18d' test_audit.rules > /etc/audit/rules.d/test.rules -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/tests/augen_syscalls_one_per_line_one_missing.fail.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/tests/augen_syscalls_one_per_line_one_missing.fail.sh -new file mode 100644 -index 0000000000..43f3d07e8f ---- /dev/null -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/tests/augen_syscalls_one_per_line_one_missing.fail.sh -@@ -0,0 +1,7 @@ -+#!/bin/bash -+# profiles = xccdf_org.ssgproject.content_profile_C2S -+ -+rm -f /etc/audit/rules.d/* -+ -+# cut out irrelevant rules for this test -+sed -e '11,18d' -e '/.*init.*/d' test_audit.rules > /etc/audit/rules.d/test.rules - -From 6d4065c9dfbf216343b032fd41c4bca605513521 Mon Sep 17 00:00:00 2001 -From: Vojtech Polasek -Date: Tue, 28 Apr 2020 17:07:40 +0200 -Subject: [PATCH 6/7] remove recurse from tasks, fix regex - ---- - shared/macros-ansible.jinja | 3 +-- - 1 file changed, 1 insertion(+), 2 deletions(-) - -diff --git a/shared/macros-ansible.jinja b/shared/macros-ansible.jinja -index 09b80bf114..e24fa5caa7 100644 ---- a/shared/macros-ansible.jinja -+++ b/shared/macros-ansible.jinja -@@ -397,8 +397,7 @@ It utilizes b32 for X86 architecture and both b32 and b64 for x86_64 architectur - - name: Search /etc/audit/rules.d for other rules with the key {{{ key }}} - find: - paths: "/etc/audit/rules.d" -- recurse: no -- contains: '(-F key=)|(-k\s+){{{ key }}}$' -+ contains: '^.*(?:-F key=|-k\s+){{{ key }}}$' - patterns: "*.rules" - register: find_syscalls_files - - -From 31db4018d4aab3148f48b7afe1743fe6cf5c011d Mon Sep 17 00:00:00 2001 -From: Vojtech Polasek -Date: Tue, 28 Apr 2020 17:19:52 +0200 -Subject: [PATCH 7/7] remove mention of modules from task description - ---- - shared/macros-ansible.jinja | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/shared/macros-ansible.jinja b/shared/macros-ansible.jinja -index e24fa5caa7..f54f73e866 100644 ---- a/shared/macros-ansible.jinja -+++ b/shared/macros-ansible.jinja -@@ -361,7 +361,7 @@ It utilizes b32 for X86 architecture and both b32 and b64 for x86_64 architectur - # - # What architecture are we on? - # --- name: Set architecture for audit modules tasks -+- name: Set architecture for audit tasks - set_fact: - audit_arch: "b{{ ansible_architecture | regex_replace('.*(\\d\\d$)','\\1') }}" - -@@ -462,7 +462,7 @@ It utilizes b32 for X86 architecture and both b32 and b64 for x86_64 architectur - # - # What architecture are we on? - # --- name: Set architecture for audit modules tasks -+- name: Set architecture for audit tasks - set_fact: - audit_arch: "b{{ ansible_architecture | regex_replace('.*(\\d\\d$)','\\1') }}" - diff --git a/SOURCES/scap-security-guide-0.1.50-add_ansible_macro_watch_rule_PR_5658.patch b/SOURCES/scap-security-guide-0.1.50-add_ansible_macro_watch_rule_PR_5658.patch deleted file mode 100644 index 1b2146d..0000000 --- a/SOURCES/scap-security-guide-0.1.50-add_ansible_macro_watch_rule_PR_5658.patch +++ /dev/null @@ -1,336 +0,0 @@ -From dbb2a306a3f3b1ec10fd331f48ea1e094a0359f8 Mon Sep 17 00:00:00 2001 -From: Vojtech Polasek -Date: Fri, 24 Apr 2020 13:19:17 +0200 -Subject: [PATCH 1/4] add macro for ansible remediation of audit watches - ---- - shared/macros-ansible.jinja | 54 +++++++++++++++++++++++++++++++++++++ - 1 file changed, 54 insertions(+) - -diff --git a/shared/macros-ansible.jinja b/shared/macros-ansible.jinja -index b020246ef2..4fc381f5e0 100644 ---- a/shared/macros-ansible.jinja -+++ b/shared/macros-ansible.jinja -@@ -277,3 +277,57 @@ regex_replace("\(n\)\*", "\\n") - {{% macro ansible_deregexify_banner_backslash() -%}} - regex_replace("\\", "") - {{%- endmacro %}} -+ -+{{% macro remediate_audit_watch_rules_d(path='', permissions='', key='') -%}} -+- name: Check if rule already exists in /etc/audit/rules.d/* -+ find: -+ paths: "/etc/audit/rules.d" -+ recurse: no -+ contains: '^\s*-w\s+{{{ path }}}\s+-p\s+{{{ permissions }}}(\s|$)+' -+ patterns: "*.rules" -+ register: find_existing_mac_rules_d -+- name: Search /etc/audit/rules.d for other rules with specified key -+ find: -+ paths: "/etc/audit/rules.d" -+ recurse: no -+ contains: "^.*(-F key=)(|-k ){{{ key }}}$" -+ patterns: "*.rules" -+ register: find_mac_key -+ when: find_existing_mac_rules_d.matched is defined and find_existing_mac_rules_d.matched == 0 -+ -+- name: If existing ruleset with key {{{ key }}} not found, use /etc/audit/rules.d/{{{ key }}}.rules as the recipient for the rule -+ set_fact: -+ all_files: -+ - /etc/audit/rules.d/{{{ key }}}.rules -+ when: find_mac_key.matched is defined and find_mac_key.matched == 0 and find_existing_mac_rules_d.matched is defined and find_existing_mac_rules_d.matched == 0 -+ -+- name: Use matched file as the recipient for the rule -+ set_fact: -+ all_files: -+ - "{{ find_mac_key.files | map(attribute='path') | list | first }}" -+ when: find_mac_key.matched is defined and find_mac_key.matched > 0 and find_existing_mac_rules_d.matched is defined and find_existing_mac_rules_d.matched == 0 -+ -+- name: Inserts/replaces the rule in rules.d -+ lineinfile: -+ path: "{{ all_files[0] }}" -+ line: "-w {{{ path }}} -p {{{ permissions }}} -k {{{ key }}}" -+ create: yes -+ when: find_existing_mac_rules_d.matched is defined and find_existing_mac_rules_d.matched == 0 -+{{%- endmacro %}} -+ -+{{% macro remediate_audit_watch_audit_rules(path='', permissions='', key='') -%}} -+- name: Check if rule already exists in /etc/audit/audit.rules -+ find: -+ paths: "/etc/audit/" -+ contains: '^\s*-w\s+{{{ path }}}\s+-p\s+{{{ permissions }}}(\s|$)+' -+ patterns: "audit.rules" -+ register: find_existing_mac_audit_rules -+ -+- name: Inserts/replaces the MAC modifications rule in /etc/audit/audit.rules -+ lineinfile: -+ line: "-w {{{ path }}} -p {{{ permissions }}} -k {{{ key }}}" -+ state: present -+ dest: /etc/audit/audit.rules -+ create: yes -+ when: find_existing_mac_audit_rules.matched is defined and find_existing_mac_audit_rules.matched == 0 -+{{%- endmacro %}} - -From e0b54991b9e299b47f2a40c873b5661cff69fe93 Mon Sep 17 00:00:00 2001 -From: Vojtech Polasek -Date: Fri, 24 Apr 2020 13:19:42 +0200 -Subject: [PATCH 2/4] switch example rule to macro - ---- - .../ansible/shared.yml | 63 +------------------ - 1 file changed, 2 insertions(+), 61 deletions(-) - -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_mac_modification/ansible/shared.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_mac_modification/ansible/shared.yml -index 65d935c8f4..779db85509 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_mac_modification/ansible/shared.yml -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_mac_modification/ansible/shared.yml -@@ -4,65 +4,6 @@ - # complexity = low - # disruption = low - --# --# check if rules already exist --# -+{{{ remediate_audit_watch_rules_d(path="/etc/selinux/", permissions="wa", key="MAC-policy") }}} - --- name: Check if rule already exists in /etc/audit/rules.d/* -- find: -- paths: "/etc/audit/rules.d" -- recurse: no -- contains: '^\s*-w\s+/etc/selinux/\s+-p\s+wa(\s|$)+' -- patterns: "*.rules" -- register: find_existing_mac_rules_d -- --- name: Check if rule already exists in /etc/audit/audit.rules -- find: -- paths: "/etc/audit/" -- contains: '^\s*-w\s+/etc/selinux/\s+-p\s+wa(\s|$)+' -- patterns: "audit.rules" -- register: find_existing_mac_audit_rules -- -- --# --# Inserts/replaces the rule in /etc/audit/rules.d --# --- name: Search /etc/audit/rules.d for other rules with MAC-policy key -- find: -- paths: "/etc/audit/rules.d" -- recurse: no -- contains: "-k MAC-policy$" -- patterns: "*.rules" -- register: find_mac_key -- when: find_existing_mac_rules_d.matched is defined and find_existing_mac_rules_d.matched == 0 -- --- name: If existing MAC modification ruleset not found, use /etc/audit/rules.d/MAC-policy.rules as the recipient for the rule -- set_fact: -- all_files: -- - /etc/audit/rules.d/MAC-policy.rules -- when: find_mac_key.matched is defined and find_mac_key.matched == 0 and find_existing_mac_rules_d.matched is defined and find_existing_mac_rules_d.matched == 0 -- --- name: Use matched file as the recipient for the rule -- set_fact: -- all_files: -- - "{{ find_mac_key.files | map(attribute='path') | list | first }}" -- when: find_mac_key.matched is defined and find_mac_key.matched > 0 and find_existing_mac_rules_d.matched is defined and find_existing_mac_rules_d.matched == 0 -- --- name: Inserts/replaces the MAC modification rule in rules.d -- lineinfile: -- path: "{{ all_files[0] }}" -- line: "-w /etc/selinux/ -p wa -k MAC-policy" -- create: yes -- when: find_existing_mac_rules_d.matched is defined and find_existing_mac_rules_d.matched == 0 -- -- --# --# Inserts/replaces the rule in /etc/audit/audit.rules --# --- name: Inserts/replaces the MAC modifications rule in /etc/audit/audit.rules -- lineinfile: -- line: "-w /etc/selinux/ -p wa -k MAC-policy" -- state: present -- dest: /etc/audit/audit.rules -- create: yes -- when: find_existing_mac_audit_rules.matched is defined and find_existing_mac_audit_rules.matched == 0 -+{{{ remediate_audit_watch_audit_rules(path="/etc/selinux/", permissions="wa", key="MAC-policy") }}} - -From 127e93d8a2159911e95778394373e491ee0896b3 Mon Sep 17 00:00:00 2001 -From: Vojtech Polasek -Date: Fri, 24 Apr 2020 14:57:54 +0200 -Subject: [PATCH 3/4] add documentation, rename variables - ---- - shared/macros-ansible.jinja | 37 ++++++++++++++++++++++++++----------- - 1 file changed, 26 insertions(+), 11 deletions(-) - -diff --git a/shared/macros-ansible.jinja b/shared/macros-ansible.jinja -index 4fc381f5e0..2b88d3c8b6 100644 ---- a/shared/macros-ansible.jinja -+++ b/shared/macros-ansible.jinja -@@ -277,7 +277,14 @@ regex_replace("\(n\)\*", "\\n") - {{% macro ansible_deregexify_banner_backslash() -%}} - regex_replace("\\", "") - {{%- endmacro %}} -- -+{{# -+The following macro remediates one audit watch rule in /etc/audit/rules.d directory. -+The macro requires following parameters: -+- path: path to watch -+- permissions: permissions changes to watch for -+- key: key to use as identifier. Note that if there exists any other rule with the same find_mac_key -+in some file within /etc/audit/rules.d/, the new rule will be appended to this file. -+#}} - {{% macro remediate_audit_watch_rules_d(path='', permissions='', key='') -%}} - - name: Check if rule already exists in /etc/audit/rules.d/* - find: -@@ -285,49 +292,57 @@ regex_replace("\\", "") - recurse: no - contains: '^\s*-w\s+{{{ path }}}\s+-p\s+{{{ permissions }}}(\s|$)+' - patterns: "*.rules" -- register: find_existing_mac_rules_d -+ register: find_existing_watch_rules_d -+ - - name: Search /etc/audit/rules.d for other rules with specified key - find: - paths: "/etc/audit/rules.d" - recurse: no - contains: "^.*(-F key=)(|-k ){{{ key }}}$" - patterns: "*.rules" -- register: find_mac_key -- when: find_existing_mac_rules_d.matched is defined and find_existing_mac_rules_d.matched == 0 -+ register: find_watch_key -+ when: find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0 - - - name: If existing ruleset with key {{{ key }}} not found, use /etc/audit/rules.d/{{{ key }}}.rules as the recipient for the rule - set_fact: - all_files: - - /etc/audit/rules.d/{{{ key }}}.rules -- when: find_mac_key.matched is defined and find_mac_key.matched == 0 and find_existing_mac_rules_d.matched is defined and find_existing_mac_rules_d.matched == 0 -+ when: find_watch_key.matched is defined and find_watch_key.matched == 0 and find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0 - - - name: Use matched file as the recipient for the rule - set_fact: - all_files: -- - "{{ find_mac_key.files | map(attribute='path') | list | first }}" -- when: find_mac_key.matched is defined and find_mac_key.matched > 0 and find_existing_mac_rules_d.matched is defined and find_existing_mac_rules_d.matched == 0 -+ - "{{ find_watch_key.files | map(attribute='path') | list | first }}" -+ when: find_watch_key.matched is defined and find_watch_key.matched > 0 and find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0 - - - name: Inserts/replaces the rule in rules.d - lineinfile: - path: "{{ all_files[0] }}" - line: "-w {{{ path }}} -p {{{ permissions }}} -k {{{ key }}}" - create: yes -- when: find_existing_mac_rules_d.matched is defined and find_existing_mac_rules_d.matched == 0 -+ when: find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0 - {{%- endmacro %}} - -+{{# -+The following macro remediates one audit watch rule in /etc/audit/audit.rules. -+The macro requires following parameters: -+- path: path to watch -+- permissions: permissions changes to watch for -+- key: key to use as identifier. -+#}} - {{% macro remediate_audit_watch_audit_rules(path='', permissions='', key='') -%}} - - name: Check if rule already exists in /etc/audit/audit.rules - find: - paths: "/etc/audit/" - contains: '^\s*-w\s+{{{ path }}}\s+-p\s+{{{ permissions }}}(\s|$)+' - patterns: "audit.rules" -- register: find_existing_mac_audit_rules -+ register: find_existing_watch_audit_rules - --- name: Inserts/replaces the MAC modifications rule in /etc/audit/audit.rules -+- name: Inserts/replaces the rule in /etc/audit/audit.rules - lineinfile: - line: "-w {{{ path }}} -p {{{ permissions }}} -k {{{ key }}}" - state: present - dest: /etc/audit/audit.rules - create: yes -- when: find_existing_mac_audit_rules.matched is defined and find_existing_mac_audit_rules.matched == 0 -+ when: find_existing_watch_audit_rules.matched is defined and find_existing_watch_audit_rules.matched == 0 - {{%- endmacro %}} - -From 46f058b7a9048a4c97651df1e8708c8d928a7618 Mon Sep 17 00:00:00 2001 -From: Vojtech Polasek -Date: Mon, 27 Apr 2020 09:17:11 +0200 -Subject: [PATCH 4/4] rename macros, fix task names - ---- - .../ansible/shared.yml | 4 ++-- - shared/macros-ansible.jinja | 16 ++++++++-------- - 2 files changed, 10 insertions(+), 10 deletions(-) - -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_mac_modification/ansible/shared.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_mac_modification/ansible/shared.yml -index 779db85509..4633be5a18 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_mac_modification/ansible/shared.yml -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_mac_modification/ansible/shared.yml -@@ -4,6 +4,6 @@ - # complexity = low - # disruption = low - --{{{ remediate_audit_watch_rules_d(path="/etc/selinux/", permissions="wa", key="MAC-policy") }}} -+{{{ ansible_audit_augenrules_add_watch_rule(path="/etc/selinux/", permissions="wa", key="MAC-policy") }}} - --{{{ remediate_audit_watch_audit_rules(path="/etc/selinux/", permissions="wa", key="MAC-policy") }}} -+{{{ ansible_audit_auditctl_add_watch_rule(path="/etc/selinux/", permissions="wa", key="MAC-policy") }}} -diff --git a/shared/macros-ansible.jinja b/shared/macros-ansible.jinja -index 2b88d3c8b6..884b562ae4 100644 ---- a/shared/macros-ansible.jinja -+++ b/shared/macros-ansible.jinja -@@ -285,8 +285,8 @@ The macro requires following parameters: - - key: key to use as identifier. Note that if there exists any other rule with the same find_mac_key - in some file within /etc/audit/rules.d/, the new rule will be appended to this file. - #}} --{{% macro remediate_audit_watch_rules_d(path='', permissions='', key='') -%}} --- name: Check if rule already exists in /etc/audit/rules.d/* -+{{% macro ansible_audit_augenrules_add_watch_rule(path='', permissions='', key='') -%}} -+- name: Check if watch rule for {{{ path }}} already exists in /etc/audit/rules.d/ - find: - paths: "/etc/audit/rules.d" - recurse: no -@@ -294,7 +294,7 @@ in some file within /etc/audit/rules.d/, the new rule will be appended to this f - patterns: "*.rules" - register: find_existing_watch_rules_d - --- name: Search /etc/audit/rules.d for other rules with specified key -+- name: Search /etc/audit/rules.d for other rules with specified key {{{ key }}} - find: - paths: "/etc/audit/rules.d" - recurse: no -@@ -303,7 +303,7 @@ in some file within /etc/audit/rules.d/, the new rule will be appended to this f - register: find_watch_key - when: find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0 - --- name: If existing ruleset with key {{{ key }}} not found, use /etc/audit/rules.d/{{{ key }}}.rules as the recipient for the rule -+- name: Use /etc/audit/rules.d/{{{ key }}}.rules as the recipient for the rule - set_fact: - all_files: - - /etc/audit/rules.d/{{{ key }}}.rules -@@ -315,7 +315,7 @@ in some file within /etc/audit/rules.d/, the new rule will be appended to this f - - "{{ find_watch_key.files | map(attribute='path') | list | first }}" - when: find_watch_key.matched is defined and find_watch_key.matched > 0 and find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0 - --- name: Inserts/replaces the rule in rules.d -+- name: Add watch rule for {{{ path }}} in /etc/audit/rules.d/ - lineinfile: - path: "{{ all_files[0] }}" - line: "-w {{{ path }}} -p {{{ permissions }}} -k {{{ key }}}" -@@ -330,15 +330,15 @@ The macro requires following parameters: - - permissions: permissions changes to watch for - - key: key to use as identifier. - #}} --{{% macro remediate_audit_watch_audit_rules(path='', permissions='', key='') -%}} --- name: Check if rule already exists in /etc/audit/audit.rules -+{{% macro ansible_audit_auditctl_add_watch_rule(path='', permissions='', key='') -%}} -+- name: Check if watch rule for {{{ path }}} already exists in /etc/audit/audit.rules - find: - paths: "/etc/audit/" - contains: '^\s*-w\s+{{{ path }}}\s+-p\s+{{{ permissions }}}(\s|$)+' - patterns: "audit.rules" - register: find_existing_watch_audit_rules - --- name: Inserts/replaces the rule in /etc/audit/audit.rules -+- name: Add watch rule for {{{ path }}} in /etc/audit/audit.rules - lineinfile: - line: "-w {{{ path }}} -p {{{ permissions }}} -k {{{ key }}}" - state: present diff --git a/SOURCES/scap-security-guide-0.1.50-add_ansible_sshd_set_max_auth_tries_PR_5597.patch b/SOURCES/scap-security-guide-0.1.50-add_ansible_sshd_set_max_auth_tries_PR_5597.patch deleted file mode 100644 index 90df5b9..0000000 --- a/SOURCES/scap-security-guide-0.1.50-add_ansible_sshd_set_max_auth_tries_PR_5597.patch +++ /dev/null @@ -1,149 +0,0 @@ -From dcefd47e94095cbb39059f5d0ec9ef42593ae595 Mon Sep 17 00:00:00 2001 -From: Gabriel Becker -Date: Wed, 15 Apr 2020 17:15:39 +0200 -Subject: [PATCH] Add ansible and bash remediation for rule - sshd_set_max_auth_tries. - ---- - .../ssh_server/sshd_set_max_auth_tries/ansible/shared.yml | 8 ++++++++ - .../ssh/ssh_server/sshd_set_max_auth_tries/bash/shared.sh | 8 ++++++++ - .../ssh/ssh_server/sshd_set_max_auth_tries/rule.yml | 4 ++-- - .../sshd_set_max_auth_tries/tests/comment.fail.sh | 8 ++++++++ - .../sshd_set_max_auth_tries/tests/correct_value.pass.sh | 8 ++++++++ - .../tests/correct_value_less_than.pass.sh | 8 ++++++++ - .../sshd_set_max_auth_tries/tests/line_not_there.fail.sh | 3 +++ - .../sshd_set_max_auth_tries/tests/wrong_value.fail.sh | 8 ++++++++ - rhel7/profiles/cis.profile | 1 + - 9 files changed, 54 insertions(+), 2 deletions(-) - create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/ansible/shared.yml - create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/bash/shared.sh - create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/tests/comment.fail.sh - create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/tests/correct_value.pass.sh - create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/tests/correct_value_less_than.pass.sh - create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/tests/line_not_there.fail.sh - create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/tests/wrong_value.fail.sh - -diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/ansible/shared.yml b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/ansible/shared.yml -new file mode 100644 -index 0000000000..28f3ef0cd2 ---- /dev/null -+++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/ansible/shared.yml -@@ -0,0 +1,8 @@ -+# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv -+# reboot = false -+# strategy = restrict -+# complexity = low -+# disruption = low -+- (xccdf-var sshd_max_auth_tries_value) -+ -+{{{ ansible_sshd_set(parameter="MaxAuthTries", value="{{ sshd_max_auth_tries_value }}") }}} -diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/bash/shared.sh b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/bash/shared.sh -new file mode 100644 -index 0000000000..eebe07158c ---- /dev/null -+++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/bash/shared.sh -@@ -0,0 +1,8 @@ -+# platform = multi_platform_wrlinux,multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle -+ -+# Include source function library. -+. /usr/share/scap-security-guide/remediation_functions -+ -+populate sshd_max_auth_tries_value -+ -+{{{ bash_sshd_config_set(parameter="MaxAuthTries", value="$sshd_max_auth_tries_value") }}} -diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/rule.yml -index 7b5750ee0d..437c4dd8c7 100644 ---- a/linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/rule.yml -+++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/rule.yml -@@ -6,7 +6,7 @@ description: |- - The MaxAuthTries parameter specifies the maximum number of authentication attempts - permitted per connection. Once the number of failures reaches half this value, additional failures are logged. - to set MaxAUthTries edit /etc/ssh/sshd_config as follows: --
MaxAuthTries tries
-+
MaxAuthTries 
- - rationale: |- - Setting the MaxAuthTries parameter to a low number will minimize the risk of successful -@@ -30,4 +30,4 @@ ocil: |- - To ensure the MaxAuthTries parameter is set, run the following command: -
$ sudo grep MaxAuthTries /etc/ssh/sshd_config
- If properly configured, output should be: --
MaxAuthTries tries
-+
MaxAuthTries 
-diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/tests/comment.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/tests/comment.fail.sh -new file mode 100644 -index 0000000000..caf18a73c6 ---- /dev/null -+++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/tests/comment.fail.sh -@@ -0,0 +1,8 @@ -+#!/bin/bash -+SSHD_CONFIG="/etc/ssh/sshd_config" -+ -+if grep -q "^MaxAuthTries" $SSHD_CONFIG; then -+ sed -i "s/^MaxAuthTries.*/# MaxAuthTries 4/" $SSHD_CONFIG -+else -+ echo "# MaxAuthTries 4" >> $SSHD_CONFIG -+fi -diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/tests/correct_value.pass.sh b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/tests/correct_value.pass.sh -new file mode 100644 -index 0000000000..32233d3a82 ---- /dev/null -+++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/tests/correct_value.pass.sh -@@ -0,0 +1,8 @@ -+#!/bin/bash -+SSHD_CONFIG="/etc/ssh/sshd_config" -+ -+if grep -q "^MaxAuthTries" $SSHD_CONFIG; then -+ sed -i "s/^MaxAuthTries.*/MaxAuthTries 4/" $SSHD_CONFIG -+else -+ echo "MaxAuthTries 4" >> $SSHD_CONFIG -+fi -diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/tests/correct_value_less_than.pass.sh b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/tests/correct_value_less_than.pass.sh -new file mode 100644 -index 0000000000..e98176320d ---- /dev/null -+++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/tests/correct_value_less_than.pass.sh -@@ -0,0 +1,8 @@ -+#!/bin/bash -+SSHD_CONFIG="/etc/ssh/sshd_config" -+ -+if grep -q "^MaxAuthTries" $SSHD_CONFIG; then -+ sed -i "s/^MaxAuthTries.*/MaxAuthTries 2/" $SSHD_CONFIG -+else -+ echo "MaxAuthTries 2" >> $SSHD_CONFIG -+fi -diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/tests/line_not_there.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/tests/line_not_there.fail.sh -new file mode 100644 -index 0000000000..f038aa9be0 ---- /dev/null -+++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/tests/line_not_there.fail.sh -@@ -0,0 +1,3 @@ -+#!/bin/bash -+ -+sed -i "/^MaxAuthTries.*/d" /etc/ssh/sshd_config -diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/tests/wrong_value.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/tests/wrong_value.fail.sh -new file mode 100644 -index 0000000000..79940bded3 ---- /dev/null -+++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/tests/wrong_value.fail.sh -@@ -0,0 +1,8 @@ -+#!/bin/bash -+SSHD_CONFIG="/etc/ssh/sshd_config" -+ -+if grep -q "^MaxAuthTries" $SSHD_CONFIG; then -+ sed -i "s/^MaxAuthTries.*/MaxAuthTries 50/" $SSHD_CONFIG -+else -+ echo "MaxAuthTries 50" >> $SSHD_CONFIG -+fi -diff --git a/rhel7/profiles/cis.profile b/rhel7/profiles/cis.profile -index 2e68e73f34..886e9a963a 100644 ---- a/rhel7/profiles/cis.profile -+++ b/rhel7/profiles/cis.profile -@@ -581,6 +581,7 @@ selections: - - sshd_disable_x11_forwarding - - ### 5.2.5 Ensure SSH MaxAuthTries is set to 4 or less (Scored) -+ - sshd_max_auth_tries_value=4 - - sshd_set_max_auth_tries - - ### 5.2.6 Ensure SSH IgnoreRhosts is enabled (Scored) diff --git a/SOURCES/scap-security-guide-0.1.50-add_arch_support_macro_syscall_PR_5723.patch b/SOURCES/scap-security-guide-0.1.50-add_arch_support_macro_syscall_PR_5723.patch deleted file mode 100644 index 2fa39dd..0000000 --- a/SOURCES/scap-security-guide-0.1.50-add_arch_support_macro_syscall_PR_5723.patch +++ /dev/null @@ -1,351 +0,0 @@ -From 361033952354561b569d0429d0671b30154cbfbd Mon Sep 17 00:00:00 2001 -From: Vojtech Polasek -Date: Wed, 29 Apr 2020 17:01:28 +0200 -Subject: [PATCH 1/4] rewrite macro - ---- - shared/macros-ansible.jinja | 119 +++++++----------------------------- - 1 file changed, 22 insertions(+), 97 deletions(-) - -diff --git a/shared/macros-ansible.jinja b/shared/macros-ansible.jinja -index 8f94f1803a..f9a5b53302 100644 ---- a/shared/macros-ansible.jinja -+++ b/shared/macros-ansible.jinja -@@ -349,21 +349,12 @@ The macro requires following parameters: - {{# - The following macro remediates Audit syscall rule in /etc/audit/rules.d directory. - The macro requires following parameters: -+- arch: an architecture to be used in the Audit rule (b32, b64) - - syscalls: list of syscalls supplied as a list ["syscall1", "syscall2"] etc. - - key: a key to use as rule identifier. - Note that if there already exists a rule wit the same key in the /etc/audit/rules.d directory, the rule will be placed in the same file. --The rule determines the architecture of the system and apply appropriate remediations. --It utilizes b32 for X86 architecture and both b32 and b64 for x86_64 architecture. - #}} -- --{{% macro ansible_audit_augenrules_add_syscall_rule(syscalls=[], key="") -%}} --# --# What architecture are we on? --# --- name: Set architecture for audit tasks -- set_fact: -- audit_arch: "b{{ ansible_architecture | regex_replace('.*(\\d\\d$)','\\1') }}" -- -+{{% macro ansible_audit_augenrules_add_syscall_rule(arch="", syscalls=[], key="") -%}} - - name: Declare list of syscals - set_fact: - syscalls: {{{ syscalls }}} -@@ -371,27 +362,16 @@ It utilizes b32 for X86 architecture and both b32 and b64 for x86_64 architectur - - name: Declare number of syscalls - set_fact: audit_syscalls_number_of_syscalls="{{ syscalls|length|int }}" - --- name: Check existence of syscalls for 32 bit architecture in /etc/audit/rules.d/ -- find: -- paths: "/etc/audit/rules.d" -- contains: '^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+{{ item }}[\s]+|([\s]+|[,]){{ item }}([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$' -- patterns: "*.rules" -- register: audit_syscalls_found_32_rules_d -- loop: "{{ syscalls }}" -- --- name: Get number of matched 32 bit syscalls in /etc/audit/rules.d/ -- set_fact: audit_syscalls_matched_32_rules_d="{{audit_syscalls_found_32_rules_d.results|sum(attribute='matched')|int }}" -- --- name: Check existence of syscalls for 64 bit architecture in /etc/audit/rules.d/ -+- name: Check existence of syscalls for architecture {{{ arch }}} in /etc/audit/rules.d/ - find: - paths: "/etc/audit/rules.d" -- contains: '^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+{{ item }}[\s]+|([\s]+|[,]){{ item }}([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$' -+ contains: '^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch={{{ arch }}}[\s]+)(?:.*(-S[\s]+{{ item }}[\s]+|([\s]+|[,]){{ item }}([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$' - patterns: "*.rules" -- register: audit_syscalls_found_64_rules_d -+ register: audit_syscalls_found_{{{ arch }}}_rules_d - loop: "{{ syscalls }}" - --- name: Get number of matched 64 bit syscalls in /etc/audit/rules.d/ -- set_fact: audit_syscalls_matched_64_rules_d="{{audit_syscalls_found_64_rules_d.results|sum(attribute='matched')|int }}" -+- name: Get number of matched syscalls for architecture {{{ arch }}}in /etc/audit/rules.d/ -+ set_fact: audit_syscalls_matched_{{{ arch }}}_rules_d="{{audit_syscalls_found_{{{ arch }}}_rules_d.results|sum(attribute='matched')|int }}" - - - name: Search /etc/audit/rules.d for other rules with the key {{{ key }}} - find: -@@ -412,31 +392,13 @@ It utilizes b32 for X86 architecture and both b32 and b64 for x86_64 architectur - - "{{ find_syscalls_files.files | map(attribute='path') | list | first }}" - when: find_syscalls_files.matched is defined and find_syscalls_files.matched > 0 - --- name: "Insert the syscall rule in {{ all_files[0] }} when on x86" -- block: -- - name: "Construct rule: add rule list, action and arch" -- set_fact: tmpline="-a always,exit -F arch=b32 " -- - name: "Construct rule: add syscalls" -- set_fact: tmpline="{{tmpline + '-S ' + item.item + ' ' }}" -- loop: "{{ audit_syscalls_found_32_rules_d.results }}" -- when: item.matched is defined and item.matched == 0 -- - name: "Construct rule: add key" -- set_fact: tmpline="{{ tmpline + '-k {{{ key }}}' }}" -- - name: "Insert the line in {{ all_files[0] }}" -- lineinfile: -- path: "{{ all_files[0] }}" -- line: "{{ tmpline }}" -- create: true -- state: present -- when: audit_syscalls_matched_32_rules_d < audit_syscalls_number_of_syscalls -- --- name: "Insert the syscall rule in {{ all_files[0] }} when on x86_64" -+- name: "Insert the syscall rule in {{ all_files[0] }}" - block: - - name: "Construct rule: add rule list, action and arch" -- set_fact: tmpline="-a always,exit -F arch=b64 " -+ set_fact: tmpline="-a always,exit -F arch={{{ arch }}} " - - name: "Construct rule: add syscalls" - set_fact: tmpline="{{tmpline + '-S ' + item.item + ' ' }}" -- loop: "{{ audit_syscalls_found_64_rules_d.results }}" -+ loop: "{{ audit_syscalls_found_{{{ arch }}}_rules_d.results }}" - when: item.matched is defined and item.matched == 0 - - name: "Construct rule: add key" - set_fact: tmpline="{{ tmpline + '-k {{{ key }}}' }}" -@@ -446,25 +408,17 @@ It utilizes b32 for X86 architecture and both b32 and b64 for x86_64 architectur - line: "{{ tmpline }}" - create: true - state: present -- when: audit_syscalls_matched_64_rules_d < audit_syscalls_number_of_syscalls and audit_arch is defined and audit_arch == 'b64' -+ when: audit_syscalls_matched_{{{ arch }}}_rules_d < audit_syscalls_number_of_syscalls - {{%- endmacro %}} - - {{# - The following macro remediates Audit syscall rule in /etc/audit/audit.rules file. - The macro requires following parameters: -+- arch: an architecture to be used in the Audit rule (b32, b64) - - syscalls: list of syscalls supplied as a list ["syscall1", "syscall2"] etc. - - key: a key to use as rule identifier. --The rule determines the architecture of the system and apply appropriate remediations. --It utilizes b32 for X86 architecture and both b32 and b64 for x86_64 architecture. - #}} --{{% macro ansible_audit_auditctl_add_syscall_rule(syscalls=[], key="") -%}} --# --# What architecture are we on? --# --- name: Set architecture for audit tasks -- set_fact: -- audit_arch: "b{{ ansible_architecture | regex_replace('.*(\\d\\d$)','\\1') }}" -- -+{{% macro ansible_audit_auditctl_add_syscall_rule(arch="", syscalls=[], key="") -%}} - - name: Declare list of syscals - set_fact: - syscalls: {{{ syscalls }}} -@@ -472,53 +426,24 @@ It utilizes b32 for X86 architecture and both b32 and b64 for x86_64 architectur - - name: Declare number of syscalls - set_fact: audit_syscalls_number_of_syscalls="{{ syscalls|length|int }}" - --- name: Check existence of syscalls for 32 bit architecture in /etc/audit/audit.rules -+- name: Check existence of syscalls for architecture {{{ arch }}} in /etc/audit/audit.rules - find: - paths: "/etc/audit" -- contains: '^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+{{ item }}[\s]+|([\s]+|[,]){{ item }}([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$' -+ contains: '^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch={{{ arch }}}[\s]+)(?:.*(-S[\s]+{{ item }}[\s]+|([\s]+|[,]){{ item }}([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$' - patterns: "audit.rules" -- register: audit_syscalls_found_32_audit_rules -+ register: audit_syscalls_found_{{{ arch }}}_audit_rules - loop: "{{ syscalls }}" - --- name: Get number of matched 32 bit syscalls in /etc/audit/audit.rules -- set_fact: audit_syscalls_matched_32_audit_rules="{{audit_syscalls_found_32_audit_rules.results|sum(attribute='matched')|int }}" -- --- name: Check existence of syscalls for 64 bit architecture in /etc/audit/audit.rules -- find: -- paths: "/etc/audit" -- contains: '^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+{{ item }}[\s]+|([\s]+|[,]){{ item }}([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$' -- patterns: "audit.rules" -- register: audit_syscalls_found_64_audit_rules -- loop: "{{ syscalls }}" -- --- name: Get number of matched 64 bit syscalls in /etc/audit/rules.d/* -- set_fact: audit_syscalls_matched_64_audit_rules="{{audit_syscalls_found_64_audit_rules.results|sum(attribute='matched')|int }}" -- --- name: Insert the syscall rule in /etc/audit/audit.rules when on x86 -- block: -- - name: "Construct rule: add rule list, action and arch" -- set_fact: tmpline="-a always,exit -F arch=b32 " -- - name: "Construct rule: add syscalls" -- set_fact: tmpline="{{tmpline + '-S ' + item.item + ' ' }}" -- loop: "{{ audit_syscalls_found_32_audit_rules.results }}" -- when: item.matched is defined and item.matched == 0 -- - name: "Construct rule: add key" -- set_fact: tmpline="{{ tmpline + '-k {{{ key }}}' }}" -- - name: Insert the line in /etc/audit/audit.rules -- lineinfile: -- path: "/etc/audit/audit.rules" -- line: "{{ tmpline }}" -- create: true -- state: present -- when: audit_syscalls_matched_32_audit_rules < audit_syscalls_number_of_syscalls -+- name: Get number of matched syscalls for architecture {{{ arch }}} in /etc/audit/audit.rules -+ set_fact: audit_syscalls_matched_{{{ arch }}}_audit_rules="{{audit_syscalls_found_{{{ arch }}}_audit_rules.results|sum(attribute='matched')|int }}" - --- name: Insert the syscall rule in /etc/audit/rules.d when on x86_64 -+- name: Insert the syscall rule in /etc/audit/audit.rules - block: - - name: "Construct rule: add rule list, action and arch" -- set_fact: tmpline="-a always,exit -F arch=b64 " -+ set_fact: tmpline="-a always,exit -F arch={{{ arch }}} " - - name: "Construct rule: add syscalls" - set_fact: tmpline="{{tmpline + '-S ' + item.item + ' ' }}" -- loop: "{{ audit_syscalls_found_64_audit_rules.results }}" -+ loop: "{{ audit_syscalls_found_{{{ arch }}}_audit_rules.results }}" - when: item.matched is defined and item.matched == 0 - - name: "Construct rule: add key" - set_fact: tmpline="{{ tmpline + '-k {{{ key }}}' }}" -@@ -528,5 +453,5 @@ It utilizes b32 for X86 architecture and both b32 and b64 for x86_64 architectur - line: "{{ tmpline }}" - create: true - state: present -- when: audit_syscalls_matched_64_audit_rules < audit_syscalls_number_of_syscalls and audit_arch is defined and audit_arch == 'b64' -+ when: audit_syscalls_matched_{{{ arch }}}_audit_rules < audit_syscalls_number_of_syscalls - {{%- endmacro %}} - -From c1b10847d740f289f6be58a1409df6433f1b84d5 Mon Sep 17 00:00:00 2001 -From: Vojtech Polasek -Date: Wed, 29 Apr 2020 17:01:43 +0200 -Subject: [PATCH 2/4] rewrite rule - ---- - .../ansible/shared.yml | 34 +++++++++++++++---- - 1 file changed, 27 insertions(+), 7 deletions(-) - -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/ansible/shared.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/ansible/shared.yml -index 3b16dd1989..d2dcc8c1fe 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/ansible/shared.yml -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/ansible/shared.yml -@@ -3,11 +3,31 @@ - # strategy = restrict - # complexity = low - # disruption = low -+# -+# What architecture are we on? -+# -+- name: Set architecture for audit tasks -+ set_fact: -+ audit_arch: "b{{ ansible_architecture | regex_replace('.*(\\d\\d$)','\\1') }}" - --{{% if product == "rhel6" %}} --{{{ ansible_audit_augenrules_add_syscall_rule(syscalls=["init_module", "delete_module"], key="modules") }}} --{{{ ansible_audit_auditctl_add_syscall_rule(syscalls=["init_module", "delete_module"], key="modules") }}} --{{% else %}} --{{{ ansible_audit_augenrules_add_syscall_rule(syscalls=["init_module", "finit_module", "delete_module"], key="modules") }}} --{{{ ansible_audit_auditctl_add_syscall_rule(syscalls=["init_module", "finit_module", "delete_module"], key="modules") }}} --{{% endif %}} -+ -+- name: perform remediation of Audit rules for kernel module loading for x86 platform -+ block: -+ {{% if product == "rhel6" %}} -+ {{{ ansible_audit_augenrules_add_syscall_rule(arch="b32", syscalls=["init_module", "delete_module"], key="modules")|indent(4) }}} -+ {{{ ansible_audit_auditctl_add_syscall_rule(arch="b32", syscalls=["init_module", "delete_module"], key="modules")|indent(4) }}} -+ {{% else %}} -+ {{{ ansible_audit_augenrules_add_syscall_rule(arch="b32", syscalls=["init_module", "finit_module", "delete_module"], key="modules")|indent(4) }}} -+ {{{ ansible_audit_auditctl_add_syscall_rule(arch="b32", syscalls=["init_module", "finit_module", "delete_module"], key="modules")|indent(4) }}} -+ {{% endif %}} -+ -+- name: perform remediation of Audit rules for kernel module loading for x86_64 platform -+ block: -+ {{% if product == "rhel6" %}} -+ {{{ ansible_audit_augenrules_add_syscall_rule(arch="b64", syscalls=["init_module", "delete_module"], key="modules")|indent(4) }}} -+ {{{ ansible_audit_auditctl_add_syscall_rule(arch="b64", syscalls=["init_module", "delete_module"], key="modules")|indent(4) }}} -+ {{% else %}} -+ {{{ ansible_audit_augenrules_add_syscall_rule(arch="b64", syscalls=["init_module", "finit_module", "delete_module"], key="modules")|indent(4) }}} -+ {{{ ansible_audit_auditctl_add_syscall_rule(arch="b64", syscalls=["init_module", "finit_module", "delete_module"], key="modules")|indent(4) }}} -+ {{% endif %}} -+ when: audit_arch == "b64" - -From 1505ef7f1632eeb76743410a88b9e50a8f9c44c4 Mon Sep 17 00:00:00 2001 -From: Vojtech Polasek -Date: Wed, 29 Apr 2020 17:15:37 +0200 -Subject: [PATCH 3/4] fix task names - ---- - .../audit_rules_kernel_module_loading/ansible/shared.yml | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/ansible/shared.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/ansible/shared.yml -index d2dcc8c1fe..c80f836b6c 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/ansible/shared.yml -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/ansible/shared.yml -@@ -11,7 +11,7 @@ - audit_arch: "b{{ ansible_architecture | regex_replace('.*(\\d\\d$)','\\1') }}" - - --- name: perform remediation of Audit rules for kernel module loading for x86 platform -+- name: Perform remediation of Audit rules for kernel module loading for x86 platform - block: - {{% if product == "rhel6" %}} - {{{ ansible_audit_augenrules_add_syscall_rule(arch="b32", syscalls=["init_module", "delete_module"], key="modules")|indent(4) }}} -@@ -21,7 +21,7 @@ - {{{ ansible_audit_auditctl_add_syscall_rule(arch="b32", syscalls=["init_module", "finit_module", "delete_module"], key="modules")|indent(4) }}} - {{% endif %}} - --- name: perform remediation of Audit rules for kernel module loading for x86_64 platform -+- name: Perform remediation of Audit rules for kernel module loading for x86_64 platform - block: - {{% if product == "rhel6" %}} - {{{ ansible_audit_augenrules_add_syscall_rule(arch="b64", syscalls=["init_module", "delete_module"], key="modules")|indent(4) }}} - -From 7474ee0d7eb901f417336d7b75a4cfa61dfab7ca Mon Sep 17 00:00:00 2001 -From: Vojtech Polasek -Date: Thu, 30 Apr 2020 09:27:28 +0200 -Subject: [PATCH 4/4] use variable, remove duplicate code - ---- - .../ansible/shared.yml | 24 ++++++++----------- - shared/macros-ansible.jinja | 2 +- - 2 files changed, 11 insertions(+), 15 deletions(-) - -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/ansible/shared.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/ansible/shared.yml -index c80f836b6c..c1ba35bf25 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/ansible/shared.yml -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/ansible/shared.yml -@@ -10,24 +10,20 @@ - set_fact: - audit_arch: "b{{ ansible_architecture | regex_replace('.*(\\d\\d$)','\\1') }}" - -+# set list of syscalls based on rhel version -+{{% if product == "rhel6" %}} -+{{% set audit_syscalls = ["init_module", "delete_module"] %}} -+{{% else %}} -+{{% set audit_syscalls = ["init_module", "delete_module", "finit_module"] %}} -+{{% endif %}} - - - name: Perform remediation of Audit rules for kernel module loading for x86 platform - block: -- {{% if product == "rhel6" %}} -- {{{ ansible_audit_augenrules_add_syscall_rule(arch="b32", syscalls=["init_module", "delete_module"], key="modules")|indent(4) }}} -- {{{ ansible_audit_auditctl_add_syscall_rule(arch="b32", syscalls=["init_module", "delete_module"], key="modules")|indent(4) }}} -- {{% else %}} -- {{{ ansible_audit_augenrules_add_syscall_rule(arch="b32", syscalls=["init_module", "finit_module", "delete_module"], key="modules")|indent(4) }}} -- {{{ ansible_audit_auditctl_add_syscall_rule(arch="b32", syscalls=["init_module", "finit_module", "delete_module"], key="modules")|indent(4) }}} -- {{% endif %}} -+ {{{ ansible_audit_augenrules_add_syscall_rule(arch="b32", syscalls=audit_syscalls, key="modules")|indent(4) }}} -+ {{{ ansible_audit_auditctl_add_syscall_rule(arch="b32", syscalls=audit_syscalls, key="modules")|indent(4) }}} - - - name: Perform remediation of Audit rules for kernel module loading for x86_64 platform - block: -- {{% if product == "rhel6" %}} -- {{{ ansible_audit_augenrules_add_syscall_rule(arch="b64", syscalls=["init_module", "delete_module"], key="modules")|indent(4) }}} -- {{{ ansible_audit_auditctl_add_syscall_rule(arch="b64", syscalls=["init_module", "delete_module"], key="modules")|indent(4) }}} -- {{% else %}} -- {{{ ansible_audit_augenrules_add_syscall_rule(arch="b64", syscalls=["init_module", "finit_module", "delete_module"], key="modules")|indent(4) }}} -- {{{ ansible_audit_auditctl_add_syscall_rule(arch="b64", syscalls=["init_module", "finit_module", "delete_module"], key="modules")|indent(4) }}} -- {{% endif %}} -+ {{{ ansible_audit_augenrules_add_syscall_rule(arch="b64", syscalls=audit_syscalls, key="modules")|indent(4) }}} -+ {{{ ansible_audit_auditctl_add_syscall_rule(arch="b64", syscalls=audit_syscalls, key="modules")|indent(4) }}} - when: audit_arch == "b64" -diff --git a/shared/macros-ansible.jinja b/shared/macros-ansible.jinja -index f9a5b53302..03e4306051 100644 ---- a/shared/macros-ansible.jinja -+++ b/shared/macros-ansible.jinja -@@ -370,7 +370,7 @@ Note that if there already exists a rule wit the same key in the /etc/audit/rul - register: audit_syscalls_found_{{{ arch }}}_rules_d - loop: "{{ syscalls }}" - --- name: Get number of matched syscalls for architecture {{{ arch }}}in /etc/audit/rules.d/ -+- name: Get number of matched syscalls for architecture {{{ arch }}} in /etc/audit/rules.d/ - set_fact: audit_syscalls_matched_{{{ arch }}}_rules_d="{{audit_syscalls_found_{{{ arch }}}_rules_d.results|sum(attribute='matched')|int }}" - - - name: Search /etc/audit/rules.d for other rules with the key {{{ key }}} diff --git a/SOURCES/scap-security-guide-0.1.50-add_audit_rules_immutable_PR_5609.patch b/SOURCES/scap-security-guide-0.1.50-add_audit_rules_immutable_PR_5609.patch deleted file mode 100644 index 2846d3f..0000000 --- a/SOURCES/scap-security-guide-0.1.50-add_audit_rules_immutable_PR_5609.patch +++ /dev/null @@ -1,301 +0,0 @@ -From d5533786f8d34442754cf60234877f4f9768fdae Mon Sep 17 00:00:00 2001 -From: Vojtech Polasek -Date: Thu, 16 Apr 2020 11:35:14 +0200 -Subject: [PATCH 1/4] add ansible remediation - ---- - .../audit_rules_immutable/ansible/shared.yml | 45 +++++++++++++++++++ - 1 file changed, 45 insertions(+) - create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_immutable/ansible/shared.yml - -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_immutable/ansible/shared.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_immutable/ansible/shared.yml -new file mode 100644 -index 0000000000..20266d394f ---- /dev/null -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_immutable/ansible/shared.yml -@@ -0,0 +1,45 @@ -+# platform = multi_platform_all -+# reboot = false -+# strategy = restrict -+# complexity = low -+# disruption = low -+ -+- name: add /etc/audit/audit.rules to the list of files to be searched -+ set_fact: -+ files_to_search: -+ - /etc/audit/audit.rules -+ -+- name: Search /etc/audit/rules.d for files containing the -e option -+ find: -+ paths: "/etc/audit/rules.d" -+ recurse: true -+ contains: "-e[\\s]+.*" -+ patterns: "*.rules" -+ register: find_immutable -+ -+- name: add found files to the list of files to be searched -+ set_fact: -+ files_to_search: "{{ files_to_search + [item.path] }}" -+ with_items: "{{ find_immutable.files }}" -+ when: find_immutable.matched is defined and find_immutable.matched >= 1 -+ -+- name: remove the config line from /etc/audit/audit.rules and any file in /etc/audit/rules.d directory -+ lineinfile: -+ path: "{{ item }}" -+ regexp: "-e[\\s]+.*" -+ state: absent -+ with_items: "{{ files_to_search }}" -+ -+- name: insert lines at the end of /etc/audit/audit.rules and /etc/audit/rules.d/immutable.rules -+ blockinfile: -+ path: "{{ item }}" -+ create: True -+ marker: "" -+ block: |+ -+ # Set the audit.rules configuration immutable per security requirements -+ # Reboot is required to change audit rules once this setting is applied -+ -+ -e 2 -+ with_items: -+ - /etc/audit/audit.rules -+ - /etc/audit/rules.d/immutable.rules - -From 8f1c60ba4efd625c2df20a109710e0dbf423e44a Mon Sep 17 00:00:00 2001 -From: Vojtech Polasek -Date: Thu, 16 Apr 2020 11:35:37 +0200 -Subject: [PATCH 2/4] add tests - ---- - .../audit_rules_immutable/tests/auditctl_correct.pass.sh | 6 ++++++ - .../audit_rules_immutable/tests/auditctl_missing.fail.sh | 6 ++++++ - .../tests/auditctl_wrong_value.fail.sh | 7 +++++++ - .../audit_rules_immutable/tests/augen_correct.pass.sh | 3 +++ - .../audit_rules_immutable/tests/augen_missing.fail.sh | 3 +++ - .../audit_rules_immutable/tests/augen_wrong_value.fail.sh | 4 ++++ - 6 files changed, 29 insertions(+) - create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_immutable/tests/auditctl_correct.pass.sh - create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_immutable/tests/auditctl_missing.fail.sh - create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_immutable/tests/auditctl_wrong_value.fail.sh - create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_immutable/tests/augen_correct.pass.sh - create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_immutable/tests/augen_missing.fail.sh - create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_immutable/tests/augen_wrong_value.fail.sh - -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_immutable/tests/auditctl_correct.pass.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_immutable/tests/auditctl_correct.pass.sh -new file mode 100644 -index 0000000000..36478840c1 ---- /dev/null -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_immutable/tests/auditctl_correct.pass.sh -@@ -0,0 +1,6 @@ -+#!/bin/bash -+ -+# use auditctl -+sed -i "s%^ExecStartPost=.*%ExecStartPost=-/sbin/auditctl%" /usr/lib/systemd/system/auditd.service -+ -+echo "-e 2" > /etc/audit/audit.rules -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_immutable/tests/auditctl_missing.fail.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_immutable/tests/auditctl_missing.fail.sh -new file mode 100644 -index 0000000000..733436ecaf ---- /dev/null -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_immutable/tests/auditctl_missing.fail.sh -@@ -0,0 +1,6 @@ -+#!/bin/bash -+ -+# use auditctl -+sed -i "s%^ExecStartPost=.*%ExecStartPost=-/sbin/auditctl%" /usr/lib/systemd/system/auditd.service -+ -+echo "some value" > /etc/audit/audit.rules -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_immutable/tests/auditctl_wrong_value.fail.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_immutable/tests/auditctl_wrong_value.fail.sh -new file mode 100644 -index 0000000000..e3369107dd ---- /dev/null -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_immutable/tests/auditctl_wrong_value.fail.sh -@@ -0,0 +1,7 @@ -+#!/bin/bash -+ -+# use auditctl -+sed -i "s%^ExecStartPost=.*%ExecStartPost=-/sbin/auditctl%" /usr/lib/systemd/system/auditd.service -+ -+echo "-e 1" > /etc/audit/audit.rules -+ -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_immutable/tests/augen_correct.pass.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_immutable/tests/augen_correct.pass.sh -new file mode 100644 -index 0000000000..fa5b7231df ---- /dev/null -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_immutable/tests/augen_correct.pass.sh -@@ -0,0 +1,3 @@ -+#!/bin/bash -+ -+echo "-e 2" > /etc/audit/rules.d/immutable.rules -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_immutable/tests/augen_missing.fail.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_immutable/tests/augen_missing.fail.sh -new file mode 100644 -index 0000000000..0997495e4b ---- /dev/null -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_immutable/tests/augen_missing.fail.sh -@@ -0,0 +1,3 @@ -+#!/bin/bash -+ -+rm -rf /etc/audit/rules.d/* -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_immutable/tests/augen_wrong_value.fail.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_immutable/tests/augen_wrong_value.fail.sh -new file mode 100644 -index 0000000000..a8c2d53830 ---- /dev/null -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_immutable/tests/augen_wrong_value.fail.sh -@@ -0,0 +1,4 @@ -+#!/bin/bash -+ -+rm -rf /etc/audit/rules.d/* -+echo "-e 1" > /etc/audit/rules.d/immutable.rules - -From 2bba06ada88cb359a19288725232e79387931aee Mon Sep 17 00:00:00 2001 -From: Vojtech Polasek -Date: Mon, 4 May 2020 15:29:10 +0200 -Subject: [PATCH 3/4] do not use explaining comment in ansible remediation - ---- - .../audit_rules_immutable/ansible/shared.yml | 58 ++++++++++--------- - 1 file changed, 32 insertions(+), 26 deletions(-) - -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_immutable/ansible/shared.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_immutable/ansible/shared.yml -index 20266d394f..4e1b2f9569 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_immutable/ansible/shared.yml -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_immutable/ansible/shared.yml -@@ -1,45 +1,51 @@ - # platform = multi_platform_all --# reboot = false -+# reboot = true - # strategy = restrict - # complexity = low - # disruption = low - --- name: add /etc/audit/audit.rules to the list of files to be searched -- set_fact: -- files_to_search: -- - /etc/audit/audit.rules -+- name: Check if the file /etc/audit/audit.rules contains the -e option -+ find: -+ paths: "/etc/audit" -+ contains: '^\s*-e\s+.*$' -+ patterns: "audit.rules" -+ register: find_immutable_audit_rules - - - name: Search /etc/audit/rules.d for files containing the -e option - find: - paths: "/etc/audit/rules.d" -- recurse: true -- contains: "-e[\\s]+.*" -+ contains: '^\s*-e\s+.*$' - patterns: "*.rules" -- register: find_immutable -+ register: find_immutable_rules_d - --- name: add found files to the list of files to be searched -- set_fact: -- files_to_search: "{{ files_to_search + [item.path] }}" -- with_items: "{{ find_immutable.files }}" -- when: find_immutable.matched is defined and find_immutable.matched >= 1 -+- name: Construct list of Audit config files containing the -e option -+ block: -+ - name: Initialize empty list for files to be edited -+ set_fact: -+ files_to_edit: [] -+ - name: Add matched files from /etc/audit/rules.d -+ set_fact: -+ files_to_edit: "{{ files_to_edit + [item.path] }}" -+ loop: "{{ find_immutable_rules_d.files }}" -+ - name: Add /etc/audit/audit.rules to the list of files -+ set_fact: -+ files_to_edit: "{{ files_to_edit + ['/etc/audit/audit.rules'] }}" -+ when: find_immutable_audit_rules is defined and find_immutable_audit_rules.matched >= 1 -+ when: (find_immutable_rules_d.matched is defined and find_immutable_rules_d.matched >= 1) or (find_immutable_audit_rules.matched is defined and find_immutable_audit_rules.matched >= 1) - --- name: remove the config line from /etc/audit/audit.rules and any file in /etc/audit/rules.d directory -+- name: Remove the -e option from all Audit config files - lineinfile: - path: "{{ item }}" - regexp: "-e[\\s]+.*" - state: absent -- with_items: "{{ files_to_search }}" -+ loop: "{{ files_to_edit }}" -+ when: (find_immutable_rules_d.matched is defined and find_immutable_rules_d.matched >= 1) or (find_immutable_audit_rules.matched is defined and find_immutable_audit_rules.matched >= 1) - --- name: insert lines at the end of /etc/audit/audit.rules and /etc/audit/rules.d/immutable.rules -- blockinfile: -+- name: Insert configuration into /etc/audit/rules.d/immutable.rules and /etc/audit/audit.rules -+ lineinfile: - path: "{{ item }}" - create: True -- marker: "" -- block: |+ -- # Set the audit.rules configuration immutable per security requirements -- # Reboot is required to change audit rules once this setting is applied -- -- -e 2 -- with_items: -- - /etc/audit/audit.rules -- - /etc/audit/rules.d/immutable.rules -+ line: "-e 2" -+ loop: -+ - "/etc/audit/audit.rules" -+ - "/etc/audit/rules.d/immutable.rules" - -From dbf87484436e142a771ebd22a1bada61a429cceb Mon Sep 17 00:00:00 2001 -From: Vojtech Polasek -Date: Tue, 5 May 2020 14:44:24 +0200 -Subject: [PATCH 4/4] simplify remediation - ---- - .../audit_rules_immutable/ansible/shared.yml | 34 +++---------------- - 1 file changed, 5 insertions(+), 29 deletions(-) - -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_immutable/ansible/shared.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_immutable/ansible/shared.yml -index 4e1b2f9569..5ac7b3dabb 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_immutable/ansible/shared.yml -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_immutable/ansible/shared.yml -@@ -4,42 +4,18 @@ - # complexity = low - # disruption = low - --- name: Check if the file /etc/audit/audit.rules contains the -e option -+- name: Collect all files from /etc/audit/rules.d with .rules extension - find: -- paths: "/etc/audit" -- contains: '^\s*-e\s+.*$' -- patterns: "audit.rules" -- register: find_immutable_audit_rules -- --- name: Search /etc/audit/rules.d for files containing the -e option -- find: -- paths: "/etc/audit/rules.d" -- contains: '^\s*-e\s+.*$' -+ paths: "/etc/audit/rules.d/" - patterns: "*.rules" -- register: find_immutable_rules_d -- --- name: Construct list of Audit config files containing the -e option -- block: -- - name: Initialize empty list for files to be edited -- set_fact: -- files_to_edit: [] -- - name: Add matched files from /etc/audit/rules.d -- set_fact: -- files_to_edit: "{{ files_to_edit + [item.path] }}" -- loop: "{{ find_immutable_rules_d.files }}" -- - name: Add /etc/audit/audit.rules to the list of files -- set_fact: -- files_to_edit: "{{ files_to_edit + ['/etc/audit/audit.rules'] }}" -- when: find_immutable_audit_rules is defined and find_immutable_audit_rules.matched >= 1 -- when: (find_immutable_rules_d.matched is defined and find_immutable_rules_d.matched >= 1) or (find_immutable_audit_rules.matched is defined and find_immutable_audit_rules.matched >= 1) -+ register: find_rules_d - - - name: Remove the -e option from all Audit config files - lineinfile: - path: "{{ item }}" -- regexp: "-e[\\s]+.*" -+ regexp: '^\s*(?:-e)\s+.*$' - state: absent -- loop: "{{ files_to_edit }}" -- when: (find_immutable_rules_d.matched is defined and find_immutable_rules_d.matched >= 1) or (find_immutable_audit_rules.matched is defined and find_immutable_audit_rules.matched >= 1) -+ loop: "{{ find_rules_d.files | map(attribute='path') | list + ['/etc/audit/audit.rules'] }}" - - - name: Insert configuration into /etc/audit/rules.d/immutable.rules and /etc/audit/audit.rules - lineinfile: diff --git a/SOURCES/scap-security-guide-0.1.50-add_chrony_rules_PR_5273.patch b/SOURCES/scap-security-guide-0.1.50-add_chrony_rules_PR_5273.patch deleted file mode 100644 index 5ea1200..0000000 --- a/SOURCES/scap-security-guide-0.1.50-add_chrony_rules_PR_5273.patch +++ /dev/null @@ -1,820 +0,0 @@ -From b5379d0850f2ee366c7259512c74355d86babf2f Mon Sep 17 00:00:00 2001 -From: Vojtech Polasek -Date: Tue, 10 Mar 2020 19:05:57 +0100 -Subject: [PATCH 01/10] create new chrony rules for CIS - -add package_chrony_installed -add service_chronyd_enabled -add chrony_specify_remote_server -add default value to chrony_multiple_servers variable ---- - .../bash/shared.sh | 9 +++++ - .../oval/shared.xml | 15 ++++++++ - .../chronyd_specify_remote_server/rule.yml | 35 +++++++++++++++++ - .../ntp/package_chrony_installed/rule.yml | 34 +++++++++++++++++ - .../ntp/service_chronyd_enabled/rule.yml | 38 +++++++++++++++++++ - .../ntp/var_multiple_time_servers.var | 3 +- - shared/templates/extra_ovals.yml | 6 --- - 7 files changed, 133 insertions(+), 7 deletions(-) - create mode 100644 linux_os/guide/services/ntp/chronyd_specify_remote_server/bash/shared.sh - create mode 100644 linux_os/guide/services/ntp/chronyd_specify_remote_server/oval/shared.xml - create mode 100644 linux_os/guide/services/ntp/chronyd_specify_remote_server/rule.yml - create mode 100644 linux_os/guide/services/ntp/package_chrony_installed/rule.yml - create mode 100644 linux_os/guide/services/ntp/service_chronyd_enabled/rule.yml - -diff --git a/linux_os/guide/services/ntp/chronyd_specify_remote_server/bash/shared.sh b/linux_os/guide/services/ntp/chronyd_specify_remote_server/bash/shared.sh -new file mode 100644 -index 0000000000..ab9aab8732 ---- /dev/null -+++ b/linux_os/guide/services/ntp/chronyd_specify_remote_server/bash/shared.sh -@@ -0,0 +1,9 @@ -+# platform = Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8,Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ol -+. /usr/share/scap-security-guide/remediation_functions -+populate var_multiple_time_servers -+ -+config_file="/etc/chrony.conf" -+ -+if ! grep -q ^server "$config_file" ; then -+ {{{ bash_ensure_there_are_servers_in_ntp_compatible_config_file("$config_file", "$var_multiple_time_servers") | indent(2) }}} -+fi -diff --git a/linux_os/guide/services/ntp/chronyd_specify_remote_server/oval/shared.xml b/linux_os/guide/services/ntp/chronyd_specify_remote_server/oval/shared.xml -new file mode 100644 -index 0000000000..0045c93a2d ---- /dev/null -+++ b/linux_os/guide/services/ntp/chronyd_specify_remote_server/oval/shared.xml -@@ -0,0 +1,15 @@ -+ -+ -+ -+ Specify Remote NTP chronyd Server for Time Data -+ {{{- oval_affected(products) }}} -+ A remote chronyd NTP Server for time synchronization should be specified (and dependencies are met) -+ -+ -+ -+ -+ -+ -+ -+ -+ -diff --git a/linux_os/guide/services/ntp/chronyd_specify_remote_server/rule.yml b/linux_os/guide/services/ntp/chronyd_specify_remote_server/rule.yml -new file mode 100644 -index 0000000000..062d382709 ---- /dev/null -+++ b/linux_os/guide/services/ntp/chronyd_specify_remote_server/rule.yml -@@ -0,0 +1,35 @@ -+documentation_complete: true -+ -+prodtype: fedora,ocp4,ol8,rhel8 -+ -+title: 'A remote NTP server for Chrony is configured' -+ -+description: |- -+ chrony is a daemon which implements the Network Time Protocol (NTP) is designed to -+ synchronize system clocks across a variety of systems and use a source that is highly -+ accurate. More information on chrony can be found at -+ {{{ weblink(link="http://chrony.tuxfamily.org/") }}}. -+ Chrony can be configured to be a client and/or a server. -+ Add or edit server or pool lines to /etc/chrony.conf as appropriate: -+
server <remote-server>
-+ Multiple servers may be configured. -+ -+rationale: |- -+ If chrony is in use on the system proper configuration is vital to ensuring time -+ synchronization is working properly. -+ -+severity: medium -+ -+platform: machine -+ -+identifiers: -+ cce@rhel8: 82734-5 -+ -+references: -+ cis@rhel8: 2.2.1.2 -+ -+ocil_clause: 'The remote NTP server for Chrony is not configured' -+ -+ocil: |- -+ Run the following command and verify remote server is configured properly: -+
# grep -E "^(server|pool)" /etc/chrony.conf
-diff --git a/linux_os/guide/services/ntp/package_chrony_installed/rule.yml b/linux_os/guide/services/ntp/package_chrony_installed/rule.yml -new file mode 100644 -index 0000000000..36cae252e0 ---- /dev/null -+++ b/linux_os/guide/services/ntp/package_chrony_installed/rule.yml -@@ -0,0 +1,34 @@ -+documentation_complete: true -+ -+prodtype: fedora,ocp4,ol8,rhel8 -+ -+title: 'The Chrony package is enabled' -+ -+description: |- -+ System time should be synchronized between all systems in an environment. This is -+ typically done by establishing an authoritative time server or set of servers and having all -+ systems synchronize their clocks to them. -+ You can install the package with the following command: -+
# dnf install chrony
-+ -+rationale: |- -+ Time synchronization is important to support time sensitive security mechanisms like -+ Kerberos and also ensures log files have consistent time records across the enterprise, -+ which aids in forensic investigations. -+ -+severity: medium -+ -+platform: machine -+ -+identifiers: -+ cce@rhel8: 82730-3 -+ -+references: -+ cis@rhel8: 2.2.1.1 -+ -+{{{ complete_ocil_entry_package(package="chrony") }}} -+ -+template: -+ name: package_installed -+ vars: -+ pkgname: chrony -diff --git a/linux_os/guide/services/ntp/service_chronyd_enabled/rule.yml b/linux_os/guide/services/ntp/service_chronyd_enabled/rule.yml -new file mode 100644 -index 0000000000..37adcae640 ---- /dev/null -+++ b/linux_os/guide/services/ntp/service_chronyd_enabled/rule.yml -@@ -0,0 +1,38 @@ -+documentation_complete: true -+ -+prodtype: fedora,ocp4,ol8,rhel8 -+ -+title: 'The Chronyd service is enabled' -+ -+description: |- -+ chrony is a daemon which implements the Network Time Protocol (NTP) is designed to -+ synchronize system clocks across a variety of systems and use a source that is highly -+ accurate. More information on chrony can be found at -+ {{{ weblink(link="http://chrony.tuxfamily.org/") }}}. -+ Chrony can be configured to be a client and/or a server. -+ To enable Chronyd service, you can run: -+ # systemctl enable chronyd.service -+ This recommendation only applies if chrony is in use on the system. -+ -+rationale: |- -+ If chrony is in use on the system proper configuration is vital to ensuring time -+ synchronization is working properly. -+ -+severity: medium -+ -+platform: machine -+ -+identifiers: -+ cce@rhel8: 82729-5 -+ -+references: -+ cis@rhel8: 2.2.1.2 -+ -+ocil_clause: 'The chronyd process is not running' -+ -+ocil: '{{{ ocil_service_enabled(service="chronyd") }}}' -+ -+template: -+ name: service_enabled -+ vars: -+ servicename: chronyd -diff --git a/linux_os/guide/services/ntp/var_multiple_time_servers.var b/linux_os/guide/services/ntp/var_multiple_time_servers.var -index 32deb2b851..47c6594ad2 100644 ---- a/linux_os/guide/services/ntp/var_multiple_time_servers.var -+++ b/linux_os/guide/services/ntp/var_multiple_time_servers.var -@@ -6,9 +6,10 @@ description: 'The list of vendor-approved time servers' - - type: string - --interactive: false -+interactive: true - - options: -+ default: "0.pool.ntp.org,1.pool.ntp.org,2.pool.ntp.org,3.pool.ntp.org" - fedora: "0.fedora.pool.ntp.org,1.fedora.pool.ntp.org,2.fedora.pool.ntp.org,3.fedora.pool.ntp.org" - rhel: "0.rhel.pool.ntp.org,1.rhel.pool.ntp.org,2.rhel.pool.ntp.org,3.rhel.pool.ntp.org" - ol: "0.pool.ntp.org,1.pool.ntp.org,2.pool.ntp.org,3.pool.ntp.org" -diff --git a/shared/templates/extra_ovals.yml b/shared/templates/extra_ovals.yml -index 9768f5c5c4..948912c228 100644 ---- a/shared/templates/extra_ovals.yml -+++ b/shared/templates/extra_ovals.yml -@@ -43,12 +43,6 @@ package_prelink_removed: - vars: - pkgname: prelink - --service_chronyd_enabled: -- name: service_enabled -- vars: -- servicename: chronyd -- packagename: chrony -- - service_sssd_disabled: - name: service_disabled - vars: - -From e6145398300fae26e9765dc2798d7eec602be70c Mon Sep 17 00:00:00 2001 -From: Vojtech Polasek -Date: Wed, 11 Mar 2020 11:05:17 +0100 -Subject: [PATCH 02/10] add tests and ansible remediation - -remove shared oval for checking chronyd_specify_remote_server ---- - .../ansible/shared.yml | 13 ++++++++ - .../bash/shared.sh | 2 +- - .../oval/shared.xml | 32 +++++++++++++------ - .../tests/correct.pass.sh | 7 ++++ - .../tests/file_empty.fail.sh | 6 ++++ - .../tests/file_missing.fail.sh | 6 ++++ - .../tests/line_missing.fail.sh | 7 ++++ - .../tests/multiple_servers.pass.sh | 7 ++++ - .../tests/server_not_specified.fail.sh | 6 ++++ - .../oval/chronyd_specify_remote_server.xml | 29 ----------------- - 10 files changed, 76 insertions(+), 39 deletions(-) - create mode 100644 linux_os/guide/services/ntp/chronyd_specify_remote_server/ansible/shared.yml - create mode 100644 linux_os/guide/services/ntp/chronyd_specify_remote_server/tests/correct.pass.sh - create mode 100644 linux_os/guide/services/ntp/chronyd_specify_remote_server/tests/file_empty.fail.sh - create mode 100644 linux_os/guide/services/ntp/chronyd_specify_remote_server/tests/file_missing.fail.sh - create mode 100644 linux_os/guide/services/ntp/chronyd_specify_remote_server/tests/line_missing.fail.sh - create mode 100644 linux_os/guide/services/ntp/chronyd_specify_remote_server/tests/multiple_servers.pass.sh - create mode 100644 linux_os/guide/services/ntp/chronyd_specify_remote_server/tests/server_not_specified.fail.sh - delete mode 100644 shared/checks/oval/chronyd_specify_remote_server.xml - -diff --git a/linux_os/guide/services/ntp/chronyd_specify_remote_server/ansible/shared.yml b/linux_os/guide/services/ntp/chronyd_specify_remote_server/ansible/shared.yml -new file mode 100644 -index 0000000000..ad93be3580 ---- /dev/null -+++ b/linux_os/guide/services/ntp/chronyd_specify_remote_server/ansible/shared.yml -@@ -0,0 +1,13 @@ -+# platform = multi_platform_all -+# reboot = false -+# strategy = configure -+# complexity = low -+# disruption = low -+- (xccdf-var var_multiple_time_servers) -+ -+- name: "Ensure Chrony is installed" -+ package: -+ name: "chrony" -+ state: present -+ -+{{{ ansible_lineinfile(msg='Ensure remote servers are specified in chrony.conf', path='/etc/chrony.conf', regex='^[\s]*server[\s]+[\w]+', new_line='server {{ item }}', create='yes', state='present', with_items='{{ var_multiple_time_servers.split(",") }}') }}} -diff --git a/linux_os/guide/services/ntp/chronyd_specify_remote_server/bash/shared.sh b/linux_os/guide/services/ntp/chronyd_specify_remote_server/bash/shared.sh -index ab9aab8732..9fdb46d419 100644 ---- a/linux_os/guide/services/ntp/chronyd_specify_remote_server/bash/shared.sh -+++ b/linux_os/guide/services/ntp/chronyd_specify_remote_server/bash/shared.sh -@@ -4,6 +4,6 @@ populate var_multiple_time_servers - - config_file="/etc/chrony.conf" - --if ! grep -q ^server "$config_file" ; then -+if ! grep -q '^[\s]*server[\s]+[\w]+' "$config_file" ; then - {{{ bash_ensure_there_are_servers_in_ntp_compatible_config_file("$config_file", "$var_multiple_time_servers") | indent(2) }}} - fi -diff --git a/linux_os/guide/services/ntp/chronyd_specify_remote_server/oval/shared.xml b/linux_os/guide/services/ntp/chronyd_specify_remote_server/oval/shared.xml -index 0045c93a2d..744ea925c9 100644 ---- a/linux_os/guide/services/ntp/chronyd_specify_remote_server/oval/shared.xml -+++ b/linux_os/guide/services/ntp/chronyd_specify_remote_server/oval/shared.xml -@@ -1,15 +1,29 @@ -- -+ - - -- Specify Remote NTP chronyd Server for Time Data -- {{{- oval_affected(products) }}} -- A remote chronyd NTP Server for time synchronization should be specified (and dependencies are met) -+ Specify a Remote NTP Server for Time Data -+ -+ multi_platform_all -+ -+ A remote NTP Server for time synchronization should be -+ specified (and dependencies are met) - -- -- -- -- -+ -+ - -- - -+ -+ -+ -+ -+ -+ -+ /etc/chrony.conf -+ ^[\s]*server[\s]+.+$ -+ 1 -+ -+ - -diff --git a/linux_os/guide/services/ntp/chronyd_specify_remote_server/tests/correct.pass.sh b/linux_os/guide/services/ntp/chronyd_specify_remote_server/tests/correct.pass.sh -new file mode 100644 -index 0000000000..d5db6a6fb3 ---- /dev/null -+++ b/linux_os/guide/services/ntp/chronyd_specify_remote_server/tests/correct.pass.sh -@@ -0,0 +1,7 @@ -+#!/bin/bash -+# platform = multi_platform_fedora,Red Hat Enterprise Linux 8 -+ -+ -+yum -y install chrony -+ -+echo "server 0.pool.ntp.org" > /etc/chrony.conf -diff --git a/linux_os/guide/services/ntp/chronyd_specify_remote_server/tests/file_empty.fail.sh b/linux_os/guide/services/ntp/chronyd_specify_remote_server/tests/file_empty.fail.sh -new file mode 100644 -index 0000000000..15c414d9fc ---- /dev/null -+++ b/linux_os/guide/services/ntp/chronyd_specify_remote_server/tests/file_empty.fail.sh -@@ -0,0 +1,6 @@ -+#!/bin/bash -+# platform = multi_platform_fedora,Red Hat Enterprise Linux 8 -+ -+yum -y install chrony -+ -+echo "" > /etc/chrony.conf -diff --git a/linux_os/guide/services/ntp/chronyd_specify_remote_server/tests/file_missing.fail.sh b/linux_os/guide/services/ntp/chronyd_specify_remote_server/tests/file_missing.fail.sh -new file mode 100644 -index 0000000000..4e02f34c0f ---- /dev/null -+++ b/linux_os/guide/services/ntp/chronyd_specify_remote_server/tests/file_missing.fail.sh -@@ -0,0 +1,6 @@ -+#!/bin/bash -+# platform = multi_platform_fedora,Red Hat Enterprise Linux 8 -+ -+yum -y install chrony -+ -+rm -f /etc/chrony.conf -diff --git a/linux_os/guide/services/ntp/chronyd_specify_remote_server/tests/line_missing.fail.sh b/linux_os/guide/services/ntp/chronyd_specify_remote_server/tests/line_missing.fail.sh -new file mode 100644 -index 0000000000..acae68b7ee ---- /dev/null -+++ b/linux_os/guide/services/ntp/chronyd_specify_remote_server/tests/line_missing.fail.sh -@@ -0,0 +1,7 @@ -+#!/bin/bash -+# platform = multi_platform_fedora,Red Hat Enterprise Linux 8 -+ -+yum -y install chrony -+ -+echo "some line" > /etc/chrony.conf -+echo "another line" >> /etc/chrony.conf -diff --git a/linux_os/guide/services/ntp/chronyd_specify_remote_server/tests/multiple_servers.pass.sh b/linux_os/guide/services/ntp/chronyd_specify_remote_server/tests/multiple_servers.pass.sh -new file mode 100644 -index 0000000000..d239a76dda ---- /dev/null -+++ b/linux_os/guide/services/ntp/chronyd_specify_remote_server/tests/multiple_servers.pass.sh -@@ -0,0 +1,7 @@ -+#!/bin/bash -+# platform = multi_platform_fedora,Red Hat Enterprise Linux 8 -+ -+yum -y install chrony -+ -+echo "server 0.pool.ntp.org" > /etc/chrony.conf -+echo "server 1.pool.ntp.org" >> /etc/chrony.conf -diff --git a/linux_os/guide/services/ntp/chronyd_specify_remote_server/tests/server_not_specified.fail.sh b/linux_os/guide/services/ntp/chronyd_specify_remote_server/tests/server_not_specified.fail.sh -new file mode 100644 -index 0000000000..63c2a7f0a4 ---- /dev/null -+++ b/linux_os/guide/services/ntp/chronyd_specify_remote_server/tests/server_not_specified.fail.sh -@@ -0,0 +1,6 @@ -+#!/bin/bash -+# platform = multi_platform_fedora,Red Hat Enterprise Linux 8 -+ -+yum -y install chrony -+ -+echo "server " > /etc/chrony.conf -diff --git a/shared/checks/oval/chronyd_specify_remote_server.xml b/shared/checks/oval/chronyd_specify_remote_server.xml -deleted file mode 100644 -index 744ea925c9..0000000000 ---- a/shared/checks/oval/chronyd_specify_remote_server.xml -+++ /dev/null -@@ -1,29 +0,0 @@ -- -- -- -- Specify a Remote NTP Server for Time Data -- -- multi_platform_all -- -- A remote NTP Server for time synchronization should be -- specified (and dependencies are met) -- -- -- -- -- -- -- -- -- -- -- -- /etc/chrony.conf -- ^[\s]*server[\s]+.+$ -- 1 -- -- -- - -From bc61c4eb7552012761223d75870c8bee36d5acc0 Mon Sep 17 00:00:00 2001 -From: Vojtech Polasek -Date: Thu, 12 Mar 2020 17:05:12 +0100 -Subject: [PATCH 03/10] fix typos and fix oval affected products - ---- - .../ntp/chronyd_specify_remote_server/oval/shared.xml | 4 +--- - .../services/ntp/chronyd_specify_remote_server/rule.yml | 2 +- - .../guide/services/ntp/package_chrony_installed/rule.yml | 5 ++--- - 3 files changed, 4 insertions(+), 7 deletions(-) - -diff --git a/linux_os/guide/services/ntp/chronyd_specify_remote_server/oval/shared.xml b/linux_os/guide/services/ntp/chronyd_specify_remote_server/oval/shared.xml -index 744ea925c9..3a3c2895ce 100644 ---- a/linux_os/guide/services/ntp/chronyd_specify_remote_server/oval/shared.xml -+++ b/linux_os/guide/services/ntp/chronyd_specify_remote_server/oval/shared.xml -@@ -2,9 +2,7 @@ - - - Specify a Remote NTP Server for Time Data -- -- multi_platform_all -- -+ {{{- oval_affected(products) }}} - A remote NTP Server for time synchronization should be - specified (and dependencies are met) - -diff --git a/linux_os/guide/services/ntp/chronyd_specify_remote_server/rule.yml b/linux_os/guide/services/ntp/chronyd_specify_remote_server/rule.yml -index 062d382709..3befba9de8 100644 ---- a/linux_os/guide/services/ntp/chronyd_specify_remote_server/rule.yml -+++ b/linux_os/guide/services/ntp/chronyd_specify_remote_server/rule.yml -@@ -5,7 +5,7 @@ prodtype: fedora,ocp4,ol8,rhel8 - title: 'A remote NTP server for Chrony is configured' - - description: |- -- chrony is a daemon which implements the Network Time Protocol (NTP) is designed to -+ chrony is a daemon which implements the Network Time Protocol (NTP). It is designed to - synchronize system clocks across a variety of systems and use a source that is highly - accurate. More information on chrony can be found at - {{{ weblink(link="http://chrony.tuxfamily.org/") }}}. -diff --git a/linux_os/guide/services/ntp/package_chrony_installed/rule.yml b/linux_os/guide/services/ntp/package_chrony_installed/rule.yml -index 36cae252e0..1e99e241dd 100644 ---- a/linux_os/guide/services/ntp/package_chrony_installed/rule.yml -+++ b/linux_os/guide/services/ntp/package_chrony_installed/rule.yml -@@ -2,14 +2,13 @@ documentation_complete: true - - prodtype: fedora,ocp4,ol8,rhel8 - --title: 'The Chrony package is enabled' -+title: 'The Chrony package is installed' - - description: |- - System time should be synchronized between all systems in an environment. This is - typically done by establishing an authoritative time server or set of servers and having all - systems synchronize their clocks to them. -- You can install the package with the following command: --
# dnf install chrony
-+ {{{ describe_package_install(package="chrony") }}} - - rationale: |- - Time synchronization is important to support time sensitive security mechanisms like - -From 88ed5b1b1a44dcc9eb98cb1c514542059b7882e8 Mon Sep 17 00:00:00 2001 -From: Vojtech Polasek -Date: Tue, 17 Mar 2020 11:55:44 +0100 -Subject: [PATCH 04/10] make rules available for all platforms - ---- - .../services/ntp/chronyd_specify_remote_server/bash/shared.sh | 2 +- - .../guide/services/ntp/chronyd_specify_remote_server/rule.yml | 1 - - linux_os/guide/services/ntp/package_chrony_installed/rule.yml | 2 -- - linux_os/guide/services/ntp/service_chronyd_enabled/rule.yml | 2 -- - 4 files changed, 1 insertion(+), 6 deletions(-) - -diff --git a/linux_os/guide/services/ntp/chronyd_specify_remote_server/bash/shared.sh b/linux_os/guide/services/ntp/chronyd_specify_remote_server/bash/shared.sh -index 9fdb46d419..6be57c219b 100644 ---- a/linux_os/guide/services/ntp/chronyd_specify_remote_server/bash/shared.sh -+++ b/linux_os/guide/services/ntp/chronyd_specify_remote_server/bash/shared.sh -@@ -1,4 +1,4 @@ --# platform = Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8,Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ol -+# platform = multi_platform_all - . /usr/share/scap-security-guide/remediation_functions - populate var_multiple_time_servers - -diff --git a/linux_os/guide/services/ntp/chronyd_specify_remote_server/rule.yml b/linux_os/guide/services/ntp/chronyd_specify_remote_server/rule.yml -index 3befba9de8..912a359080 100644 ---- a/linux_os/guide/services/ntp/chronyd_specify_remote_server/rule.yml -+++ b/linux_os/guide/services/ntp/chronyd_specify_remote_server/rule.yml -@@ -1,6 +1,5 @@ - documentation_complete: true - --prodtype: fedora,ocp4,ol8,rhel8 - - title: 'A remote NTP server for Chrony is configured' - -diff --git a/linux_os/guide/services/ntp/package_chrony_installed/rule.yml b/linux_os/guide/services/ntp/package_chrony_installed/rule.yml -index 1e99e241dd..6e2c455201 100644 ---- a/linux_os/guide/services/ntp/package_chrony_installed/rule.yml -+++ b/linux_os/guide/services/ntp/package_chrony_installed/rule.yml -@@ -1,7 +1,5 @@ - documentation_complete: true - --prodtype: fedora,ocp4,ol8,rhel8 -- - title: 'The Chrony package is installed' - - description: |- -diff --git a/linux_os/guide/services/ntp/service_chronyd_enabled/rule.yml b/linux_os/guide/services/ntp/service_chronyd_enabled/rule.yml -index 37adcae640..e0b21d81af 100644 ---- a/linux_os/guide/services/ntp/service_chronyd_enabled/rule.yml -+++ b/linux_os/guide/services/ntp/service_chronyd_enabled/rule.yml -@@ -1,7 +1,5 @@ - documentation_complete: true - --prodtype: fedora,ocp4,ol8,rhel8 -- - title: 'The Chronyd service is enabled' - - description: |- - -From bd704e243821225440f1dd7c426922624cd6c08a Mon Sep 17 00:00:00 2001 -From: Vojtech Polasek -Date: Tue, 17 Mar 2020 14:47:53 +0100 -Subject: [PATCH 05/10] make oval accept also pool - -add test for it ---- - .../ntp/chronyd_specify_remote_server/oval/shared.xml | 2 +- - .../tests/correct_pool.pass.sh | 7 +++++++ - 2 files changed, 8 insertions(+), 1 deletion(-) - create mode 100644 linux_os/guide/services/ntp/chronyd_specify_remote_server/tests/correct_pool.pass.sh - -diff --git a/linux_os/guide/services/ntp/chronyd_specify_remote_server/oval/shared.xml b/linux_os/guide/services/ntp/chronyd_specify_remote_server/oval/shared.xml -index 3a3c2895ce..31cde36bc9 100644 ---- a/linux_os/guide/services/ntp/chronyd_specify_remote_server/oval/shared.xml -+++ b/linux_os/guide/services/ntp/chronyd_specify_remote_server/oval/shared.xml -@@ -20,7 +20,7 @@ - - /etc/chrony.conf -- ^[\s]*server[\s]+.+$ -+ ^[\s]*(?:server|pool)[\s]+.+$ - 1 - - -diff --git a/linux_os/guide/services/ntp/chronyd_specify_remote_server/tests/correct_pool.pass.sh b/linux_os/guide/services/ntp/chronyd_specify_remote_server/tests/correct_pool.pass.sh -new file mode 100644 -index 0000000000..aa6e8aea2a ---- /dev/null -+++ b/linux_os/guide/services/ntp/chronyd_specify_remote_server/tests/correct_pool.pass.sh -@@ -0,0 +1,7 @@ -+#!/bin/bash -+# platform = multi_platform_fedora,Red Hat Enterprise Linux 8 -+ -+ -+yum -y install chrony -+ -+echo "pool 0.pool.ntp.org" > /etc/chrony.conf - -From 387e404f2aa33ffd36305d899e5ba2846b0e99a8 Mon Sep 17 00:00:00 2001 -From: Vojtech Polasek -Date: Tue, 17 Mar 2020 14:58:52 +0100 -Subject: [PATCH 06/10] modify bash macro not to add iburst - ---- - shared/macros-bash.jinja | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/shared/macros-bash.jinja b/shared/macros-bash.jinja -index bc6c6f6486..01b9e62e7b 100644 ---- a/shared/macros-bash.jinja -+++ b/shared/macros-bash.jinja -@@ -348,7 +348,7 @@ done - {{%- macro bash_ensure_there_are_servers_in_ntp_compatible_config_file(config_file, servers_list) -%}} - if ! grep -q '#[[:space:]]*server' "{{{ config_file }}}" ; then - for server in $(echo "{{{ servers_list }}}" | tr ',' '\n') ; do -- printf '\nserver %s iburst' "$server" >> "{{{ config_file }}}" -+ printf '\nserver %s' "$server" >> "{{{ config_file }}}" - done - else - sed -i 's/#[ \t]*server/server/g' "{{{ config_file }}}" - -From eb953fba0979a795743bf669270709539dca5dc4 Mon Sep 17 00:00:00 2001 -From: Vojtech Polasek -Date: Tue, 17 Mar 2020 17:41:58 +0100 -Subject: [PATCH 07/10] fix remediations - ---- - .../ansible/shared.yml | 19 ++++++++++++++----- - .../bash/shared.sh | 2 +- - .../chronyd_specify_remote_server/rule.yml | 2 +- - 3 files changed, 16 insertions(+), 7 deletions(-) - -diff --git a/linux_os/guide/services/ntp/chronyd_specify_remote_server/ansible/shared.yml b/linux_os/guide/services/ntp/chronyd_specify_remote_server/ansible/shared.yml -index ad93be3580..747226601b 100644 ---- a/linux_os/guide/services/ntp/chronyd_specify_remote_server/ansible/shared.yml -+++ b/linux_os/guide/services/ntp/chronyd_specify_remote_server/ansible/shared.yml -@@ -5,9 +5,18 @@ - # disruption = low - - (xccdf-var var_multiple_time_servers) - --- name: "Ensure Chrony is installed" -- package: -- name: "chrony" -- state: present -+- name: "Detect if chrony is already configured with pools or servers" -+ find: -+ path: /etc -+ patterns: chrony.conf -+ contains: '^[\s]*(?:server|pool)[\s]+[\w]+' -+ register: chrony_servers - --{{{ ansible_lineinfile(msg='Ensure remote servers are specified in chrony.conf', path='/etc/chrony.conf', regex='^[\s]*server[\s]+[\w]+', new_line='server {{ item }}', create='yes', state='present', with_items='{{ var_multiple_time_servers.split(",") }}') }}} -+- name: "Add server configuration if none found in previous task" -+ lineinfile: -+ path: /etc/chrony.conf -+ line: 'server {{ item }}' -+ state: present -+ create: True -+ loop: '{{ var_multiple_time_servers.split(",") }}' -+ when: chrony_servers.matched == 0 -diff --git a/linux_os/guide/services/ntp/chronyd_specify_remote_server/bash/shared.sh b/linux_os/guide/services/ntp/chronyd_specify_remote_server/bash/shared.sh -index 6be57c219b..e566219788 100644 ---- a/linux_os/guide/services/ntp/chronyd_specify_remote_server/bash/shared.sh -+++ b/linux_os/guide/services/ntp/chronyd_specify_remote_server/bash/shared.sh -@@ -4,6 +4,6 @@ populate var_multiple_time_servers - - config_file="/etc/chrony.conf" - --if ! grep -q '^[\s]*server[\s]+[\w]+' "$config_file" ; then -+if ! grep -q '^[\s]*(?:server|pool)[\s]+[\w]+' "$config_file" ; then - {{{ bash_ensure_there_are_servers_in_ntp_compatible_config_file("$config_file", "$var_multiple_time_servers") | indent(2) }}} - fi -diff --git a/linux_os/guide/services/ntp/chronyd_specify_remote_server/rule.yml b/linux_os/guide/services/ntp/chronyd_specify_remote_server/rule.yml -index 912a359080..28224c2383 100644 ---- a/linux_os/guide/services/ntp/chronyd_specify_remote_server/rule.yml -+++ b/linux_os/guide/services/ntp/chronyd_specify_remote_server/rule.yml -@@ -4,7 +4,7 @@ documentation_complete: true - title: 'A remote NTP server for Chrony is configured' - - description: |- -- chrony is a daemon which implements the Network Time Protocol (NTP). It is designed to -+ Chrony is a daemon which implements the Network Time Protocol (NTP). It is designed to - synchronize system clocks across a variety of systems and use a source that is highly - accurate. More information on chrony can be found at - {{{ weblink(link="http://chrony.tuxfamily.org/") }}}. - -From 2106f716f5662f265a2e05b351e0fd7cb91dd698 Mon Sep 17 00:00:00 2001 -From: Vojtech Polasek -Date: Tue, 17 Mar 2020 17:50:10 +0100 -Subject: [PATCH 08/10] fix description - ---- - .../ntp/chronyd_specify_remote_server/rule.yml | 12 ++++++------ - 1 file changed, 6 insertions(+), 6 deletions(-) - -diff --git a/linux_os/guide/services/ntp/chronyd_specify_remote_server/rule.yml b/linux_os/guide/services/ntp/chronyd_specify_remote_server/rule.yml -index 28224c2383..af250d0288 100644 ---- a/linux_os/guide/services/ntp/chronyd_specify_remote_server/rule.yml -+++ b/linux_os/guide/services/ntp/chronyd_specify_remote_server/rule.yml -@@ -4,22 +4,22 @@ documentation_complete: true - title: 'A remote NTP server for Chrony is configured' - - description: |- -- Chrony is a daemon which implements the Network Time Protocol (NTP). It is designed to -+ Chrony is a daemon which implements the Network Time Protocol (NTP). It is designed to - synchronize system clocks across a variety of systems and use a source that is highly -- accurate. More information on chrony can be found at -+ accurate. More information on chrony can be found at - {{{ weblink(link="http://chrony.tuxfamily.org/") }}}. -- Chrony can be configured to be a client and/or a server. -+ Chrony can be configured to be a client and/or a server. - Add or edit server or pool lines to /etc/chrony.conf as appropriate: -
server <remote-server>
- Multiple servers may be configured. - - rationale: |- -- If chrony is in use on the system proper configuration is vital to ensuring time -+ If chrony is in use on the system proper configuration is vital to ensuring time - synchronization is working properly. - - severity: medium - --platform: machine -+platform: chrony - - identifiers: - cce@rhel8: 82734-5 -@@ -27,7 +27,7 @@ identifiers: - references: - cis@rhel8: 2.2.1.2 - --ocil_clause: 'The remote NTP server for Chrony is not configured' -+ocil_clause: 'the remote NTP server for Chrony is not configured' - - ocil: |- - Run the following command and verify remote server is configured properly: - -From 6058590f752af869716a4bc166091d22cdda71e6 Mon Sep 17 00:00:00 2001 -From: Vojtech Polasek -Date: Tue, 17 Mar 2020 18:07:00 +0100 -Subject: [PATCH 09/10] fix cces - ---- - .../guide/services/ntp/chronyd_specify_remote_server/rule.yml | 2 +- - linux_os/guide/services/ntp/package_chrony_installed/rule.yml | 2 +- - linux_os/guide/services/ntp/service_chronyd_enabled/rule.yml | 4 ++-- - 4 files changed, 4 insertions(+), 7 deletions(-) - -diff --git a/linux_os/guide/services/ntp/chronyd_specify_remote_server/rule.yml b/linux_os/guide/services/ntp/chronyd_specify_remote_server/rule.yml -index af250d0288..fbd457d2de 100644 ---- a/linux_os/guide/services/ntp/chronyd_specify_remote_server/rule.yml -+++ b/linux_os/guide/services/ntp/chronyd_specify_remote_server/rule.yml -@@ -22,7 +22,7 @@ severity: medium - platform: chrony - - identifiers: -- cce@rhel8: 82734-5 -+ cce@rhel8: 82873-1 - - references: - cis@rhel8: 2.2.1.2 -diff --git a/linux_os/guide/services/ntp/package_chrony_installed/rule.yml b/linux_os/guide/services/ntp/package_chrony_installed/rule.yml -index 6e2c455201..2549f48b71 100644 ---- a/linux_os/guide/services/ntp/package_chrony_installed/rule.yml -+++ b/linux_os/guide/services/ntp/package_chrony_installed/rule.yml -@@ -18,7 +18,7 @@ severity: medium - platform: machine - - identifiers: -- cce@rhel8: 82730-3 -+ cce@rhel8: 82874-9 - - references: - cis@rhel8: 2.2.1.1 -diff --git a/linux_os/guide/services/ntp/service_chronyd_enabled/rule.yml b/linux_os/guide/services/ntp/service_chronyd_enabled/rule.yml -index e0b21d81af..829d662afe 100644 ---- a/linux_os/guide/services/ntp/service_chronyd_enabled/rule.yml -+++ b/linux_os/guide/services/ntp/service_chronyd_enabled/rule.yml -@@ -21,12 +21,12 @@ severity: medium - platform: machine - - identifiers: -- cce@rhel8: 82729-5 -+ cce@rhel8: 82875-6 - - references: - cis@rhel8: 2.2.1.2 - --ocil_clause: 'The chronyd process is not running' -+ocil_clause: 'the chronyd process is not running' - - ocil: '{{{ ocil_service_enabled(service="chronyd") }}}' - -From e70adc47f0c1cdcc7c652b5a6f19701aa61fe8f8 Mon Sep 17 00:00:00 2001 -From: Vojtech Polasek -Date: Wed, 18 Mar 2020 10:53:45 +0100 -Subject: [PATCH 10/10] small wording changes - ---- - .../ntp/chronyd_specify_remote_server/ansible/shared.yml | 2 +- - .../guide/services/ntp/chronyd_specify_remote_server/rule.yml | 2 +- - 2 files changed, 2 insertions(+), 2 deletions(-) - -diff --git a/linux_os/guide/services/ntp/chronyd_specify_remote_server/ansible/shared.yml b/linux_os/guide/services/ntp/chronyd_specify_remote_server/ansible/shared.yml -index 747226601b..0c812bdc2a 100644 ---- a/linux_os/guide/services/ntp/chronyd_specify_remote_server/ansible/shared.yml -+++ b/linux_os/guide/services/ntp/chronyd_specify_remote_server/ansible/shared.yml -@@ -12,7 +12,7 @@ - contains: '^[\s]*(?:server|pool)[\s]+[\w]+' - register: chrony_servers - --- name: "Add server configuration if none found in previous task" -+- name: "Configure remote time servers" - lineinfile: - path: /etc/chrony.conf - line: 'server {{ item }}' -diff --git a/linux_os/guide/services/ntp/chronyd_specify_remote_server/rule.yml b/linux_os/guide/services/ntp/chronyd_specify_remote_server/rule.yml -index fbd457d2de..b2177fc76e 100644 ---- a/linux_os/guide/services/ntp/chronyd_specify_remote_server/rule.yml -+++ b/linux_os/guide/services/ntp/chronyd_specify_remote_server/rule.yml -@@ -27,7 +27,7 @@ identifiers: - references: - cis@rhel8: 2.2.1.2 - --ocil_clause: 'the remote NTP server for Chrony is not configured' -+ocil_clause: 'a remote time server is not configured' - - ocil: |- - Run the following command and verify remote server is configured properly: diff --git a/SOURCES/scap-security-guide-0.1.50-add_configure_etc_hosts_deny_PR_5332.patch b/SOURCES/scap-security-guide-0.1.50-add_configure_etc_hosts_deny_PR_5332.patch deleted file mode 100644 index 8561364..0000000 --- a/SOURCES/scap-security-guide-0.1.50-add_configure_etc_hosts_deny_PR_5332.patch +++ /dev/null @@ -1,201 +0,0 @@ -From de575924082e17ff0e2fe537a3c72adf87942a55 Mon Sep 17 00:00:00 2001 -From: Vojtech Polasek -Date: Mon, 23 Mar 2020 16:02:21 +0100 -Subject: [PATCH 1/3] create rule - ---- - .../ansible/shared.yml | 7 +++++ - .../configure_etc_hosts_deny/bash/shared.sh | 3 ++ - .../configure_etc_hosts_deny/oval/shared.xml | 1 + - .../configure_etc_hosts_deny/rule.yml | 31 +++++++++++++++++++ - .../tests/correct.pass.sh | 6 ++++ - .../tests/file_empty.fail.sh | 6 ++++ - .../tests/file_missing.fail.sh | 6 ++++ - .../tests/wrong.fail.sh | 6 ++++ - shared/references/cce-redhat-avail.txt | 1 - - 9 files changed, 66 insertions(+), 1 deletion(-) - create mode 100644 linux_os/guide/services/obsolete/inetd_and_xinetd/configure_etc_hosts_deny/ansible/shared.yml - create mode 100644 linux_os/guide/services/obsolete/inetd_and_xinetd/configure_etc_hosts_deny/bash/shared.sh - create mode 100644 linux_os/guide/services/obsolete/inetd_and_xinetd/configure_etc_hosts_deny/oval/shared.xml - create mode 100644 linux_os/guide/services/obsolete/inetd_and_xinetd/configure_etc_hosts_deny/rule.yml - create mode 100644 linux_os/guide/services/obsolete/inetd_and_xinetd/configure_etc_hosts_deny/tests/correct.pass.sh - create mode 100644 linux_os/guide/services/obsolete/inetd_and_xinetd/configure_etc_hosts_deny/tests/file_empty.fail.sh - create mode 100644 linux_os/guide/services/obsolete/inetd_and_xinetd/configure_etc_hosts_deny/tests/file_missing.fail.sh - create mode 100644 linux_os/guide/services/obsolete/inetd_and_xinetd/configure_etc_hosts_deny/tests/wrong.fail.sh - -diff --git a/linux_os/guide/services/obsolete/inetd_and_xinetd/configure_etc_hosts_deny/ansible/shared.yml b/linux_os/guide/services/obsolete/inetd_and_xinetd/configure_etc_hosts_deny/ansible/shared.yml -new file mode 100644 -index 0000000000..480bde9f80 ---- /dev/null -+++ b/linux_os/guide/services/obsolete/inetd_and_xinetd/configure_etc_hosts_deny/ansible/shared.yml -@@ -0,0 +1,7 @@ -+# platform = Red Hat Enterprise Linux 7,Oracle Linux 7 -+# reboot = false -+# strategy = restrict -+# complexity = low -+# disruption = medium -+ -+{{{ ansible_lineinfile(msg='', path='/etc/hosts.deny', regex='', new_line='ALL: ALL', create='true', state='present') }}} -diff --git a/linux_os/guide/services/obsolete/inetd_and_xinetd/configure_etc_hosts_deny/bash/shared.sh b/linux_os/guide/services/obsolete/inetd_and_xinetd/configure_etc_hosts_deny/bash/shared.sh -new file mode 100644 -index 0000000000..e1def7a9ab ---- /dev/null -+++ b/linux_os/guide/services/obsolete/inetd_and_xinetd/configure_etc_hosts_deny/bash/shared.sh -@@ -0,0 +1,3 @@ -+# platform = Red Hat Enterprise Linux 7,Oracle Linux 7 -+ -+{{{ set_config_file(path="/etc/hosts.deny", parameter="ALL:", value="ALL", create=true, insert_after="EOF", insert_before="", insensitive=true, separator=" ", separator_regex="\s\+", prefix_regex="^\s*") }}} -diff --git a/linux_os/guide/services/obsolete/inetd_and_xinetd/configure_etc_hosts_deny/oval/shared.xml b/linux_os/guide/services/obsolete/inetd_and_xinetd/configure_etc_hosts_deny/oval/shared.xml -new file mode 100644 -index 0000000000..de1e7261a6 ---- /dev/null -+++ b/linux_os/guide/services/obsolete/inetd_and_xinetd/configure_etc_hosts_deny/oval/shared.xml -@@ -0,0 +1 @@ -+{{{ oval_check_config_file(path='/etc/hosts.deny', prefix_regex='^[ \\t]*', parameter='ALL:', separator_regex='[ \\t]+', value='ALL', missing_parameter_pass=false, missing_config_file_fail=true) }}} -diff --git a/linux_os/guide/services/obsolete/inetd_and_xinetd/configure_etc_hosts_deny/rule.yml b/linux_os/guide/services/obsolete/inetd_and_xinetd/configure_etc_hosts_deny/rule.yml -new file mode 100644 -index 0000000000..f81259ab25 ---- /dev/null -+++ b/linux_os/guide/services/obsolete/inetd_and_xinetd/configure_etc_hosts_deny/rule.yml -@@ -0,0 +1,31 @@ -+documentation_complete: true -+ -+prodtype: ol7,rhel7 -+ -+title: 'Ensure /etc/hosts.deny is configured' -+ -+description: |- -+ The file /etc/hosts.deny together with /etc/hosts.allow provides a -+ simple access control mechanism for network services supporting TCP wrappers. -+ The following line in the file ensures that access to services supporting this mechanism is denied to any clients -+ not mentioned in /etc/hosts.allow: -+
ALL: ALL
-+ -+rationale: |- -+ Correct configuration in /etc/hosts.deny ensures that no explicitly mentioned clients will be able to connect to services supporting this access controll mechanism. -+ -+severity: medium -+ -+identifiers: -+ cce@rhel7: 83391-3 -+ -+references: -+ cis@rhel7: 3.4.3 -+ -+ocil_clause: 'access to services supporting TCP wrappers is not properly configured' -+ -+ocil: |- -+ Display contents of the file: -+
cat /etc/hosts.deny
-+ Verify that the output contains the following line: -+
ALL: ALL
-diff --git a/linux_os/guide/services/obsolete/inetd_and_xinetd/configure_etc_hosts_deny/tests/correct.pass.sh b/linux_os/guide/services/obsolete/inetd_and_xinetd/configure_etc_hosts_deny/tests/correct.pass.sh -new file mode 100644 -index 0000000000..cbd4e9467a ---- /dev/null -+++ b/linux_os/guide/services/obsolete/inetd_and_xinetd/configure_etc_hosts_deny/tests/correct.pass.sh -@@ -0,0 +1,6 @@ -+#!/bin/bash -+ -+# this is done to ensure that we don't lose ssh connection to the machine -+echo "ALL: ALL" > /etc/hosts.allow -+# this is the actual test case -+echo "ALL: ALL" > /etc/hosts.deny -diff --git a/linux_os/guide/services/obsolete/inetd_and_xinetd/configure_etc_hosts_deny/tests/file_empty.fail.sh b/linux_os/guide/services/obsolete/inetd_and_xinetd/configure_etc_hosts_deny/tests/file_empty.fail.sh -new file mode 100644 -index 0000000000..d61a08a119 ---- /dev/null -+++ b/linux_os/guide/services/obsolete/inetd_and_xinetd/configure_etc_hosts_deny/tests/file_empty.fail.sh -@@ -0,0 +1,6 @@ -+#!/bin/bash -+ -+# this is done to ensure that we don't lose ssh connection to the machine -+echo "ALL: ALL" > /etc/hosts.allow -+# this is the actual test case -+echo "" > /etc/hosts.deny -diff --git a/linux_os/guide/services/obsolete/inetd_and_xinetd/configure_etc_hosts_deny/tests/file_missing.fail.sh b/linux_os/guide/services/obsolete/inetd_and_xinetd/configure_etc_hosts_deny/tests/file_missing.fail.sh -new file mode 100644 -index 0000000000..78c99cc73a ---- /dev/null -+++ b/linux_os/guide/services/obsolete/inetd_and_xinetd/configure_etc_hosts_deny/tests/file_missing.fail.sh -@@ -0,0 +1,6 @@ -+#!(bin/bash -+ -+# this is done to ensure that we don't lose ssh connection to the machine -+echo "ALL: ALL" > /etc/hosts.allow -+# this is the actual test case -+rm -f /etc/hosts.deny -diff --git a/linux_os/guide/services/obsolete/inetd_and_xinetd/configure_etc_hosts_deny/tests/wrong.fail.sh b/linux_os/guide/services/obsolete/inetd_and_xinetd/configure_etc_hosts_deny/tests/wrong.fail.sh -new file mode 100644 -index 0000000000..efc958523d ---- /dev/null -+++ b/linux_os/guide/services/obsolete/inetd_and_xinetd/configure_etc_hosts_deny/tests/wrong.fail.sh -@@ -0,0 +1,6 @@ -+#!/bin/bash -+ -+# this is done to ensure that we don't lose ssh connection to the machine -+echo "ALL: ALL" > /etc/hosts.allow -+# this is the actual test case -+echo "something different" > /etc/hosts.deny -diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt -index 6a2445d0bf..6c2b6aee41 100644 ---- a/shared/references/cce-redhat-avail.txt -+++ b/shared/references/cce-redhat-avail.txt -@@ -96,7 +96,6 @@ CCE-83387-1 - CCE-83388-9 - CCE-83389-7 - CCE-83390-5 --CCE-83391-3 - CCE-83392-1 - CCE-83393-9 - CCE-83394-7 - -From bd3d76598f4790efc7d589d6f4916aa207f4aa4b Mon Sep 17 00:00:00 2001 -From: Vojtech Polasek -Date: Mon, 23 Mar 2020 16:02:43 +0100 -Subject: [PATCH 2/3] add rule to rhel7 cis profile - ---- - rhel7/profiles/cis.profile | 2 ++ - 1 file changed, 2 insertions(+) - -diff --git a/rhel7/profiles/cis.profile b/rhel7/profiles/cis.profile -index 486fcf9a33..4727adaaf5 100644 ---- a/rhel7/profiles/cis.profile -+++ b/rhel7/profiles/cis.profile -@@ -352,6 +352,8 @@ selections: - - ### 3.4.2 Ensure /etc/hosts.allow is configured (Scored) - ### 3.4.3 Ensure /etc/hosts.deny is configured (Scored) -+ - configure_etc_hosts_deny -+ - ### 3.4.4 Ensure permissions on /etc/hosts.allow are configured (Scored) - ### 3.4.5 Ensure permissions on /etc/hosts.deny are configured (Scored) - - -From d25cbb63a67af1ea749afda7c2fb7590de388538 Mon Sep 17 00:00:00 2001 -From: vojtapolasek -Date: Tue, 24 Mar 2020 08:57:21 +0100 -Subject: [PATCH 3/3] fix typo -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Co-Authored-By: Jan Černý ---- - .../obsolete/inetd_and_xinetd/configure_etc_hosts_deny/rule.yml | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/linux_os/guide/services/obsolete/inetd_and_xinetd/configure_etc_hosts_deny/rule.yml b/linux_os/guide/services/obsolete/inetd_and_xinetd/configure_etc_hosts_deny/rule.yml -index f81259ab25..ea657a8f79 100644 ---- a/linux_os/guide/services/obsolete/inetd_and_xinetd/configure_etc_hosts_deny/rule.yml -+++ b/linux_os/guide/services/obsolete/inetd_and_xinetd/configure_etc_hosts_deny/rule.yml -@@ -12,7 +12,7 @@ description: |- -
ALL: ALL
- - rationale: |- -- Correct configuration in /etc/hosts.deny ensures that no explicitly mentioned clients will be able to connect to services supporting this access controll mechanism. -+ Correct configuration in /etc/hosts.deny ensures that no explicitly mentioned clients will be able to connect to services supporting this access control mechanism. - - severity: medium - diff --git a/SOURCES/scap-security-guide-0.1.50-add_etc_hosts_deny_to_unselect_list_PR_5348.patch b/SOURCES/scap-security-guide-0.1.50-add_etc_hosts_deny_to_unselect_list_PR_5348.patch deleted file mode 100644 index b0879c4..0000000 --- a/SOURCES/scap-security-guide-0.1.50-add_etc_hosts_deny_to_unselect_list_PR_5348.patch +++ /dev/null @@ -1,19 +0,0 @@ -From 9fda2e206f9a9a97453b564c74cae24a1d64b04d Mon Sep 17 00:00:00 2001 -From: Vojtech Polasek -Date: Thu, 26 Mar 2020 10:34:15 +0100 -Subject: [PATCH] add configure_etc_hosts_deny to ignored rules because it - breaks ssh connections - ---- - tests/unselect_rules_list | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/tests/unselect_rules_list b/tests/unselect_rules_list -index b65c177a1e..8ccbb14e95 100644 ---- a/tests/unselect_rules_list -+++ b/tests/unselect_rules_list -@@ -12,3 +12,4 @@ xccdf_org.ssgproject.content_rule_sshd_disable_root_login - xccdf_org.ssgproject.content_rule_sshd_disable_empty_passwords - xccdf_org.ssgproject.content_rule_disable_host_auth - xccdf_org.ssgproject.content_rule_harden_sshd_crypto_policy -+xccdf_org.ssgproject.content_rule_configure_etc_hosts_deny diff --git a/SOURCES/scap-security-guide-0.1.50-add_field_support_macro_syscall_PR_5724.patch b/SOURCES/scap-security-guide-0.1.50-add_field_support_macro_syscall_PR_5724.patch deleted file mode 100644 index 52e57d8..0000000 --- a/SOURCES/scap-security-guide-0.1.50-add_field_support_macro_syscall_PR_5724.patch +++ /dev/null @@ -1,341 +0,0 @@ -From 66b01d9b55ee6b1d791383467827a6444673a51c Mon Sep 17 00:00:00 2001 -From: Watson Sato -Date: Wed, 29 Apr 2020 18:36:39 +0200 -Subject: [PATCH 1/6] Add fields arg to ansbile audit syscall macros - -The field arg allows one to specify syscall fields for the audit rule. -These fields can be auid, exit, argument, or any field used by audit. -Reference: -https://github.com/linux-audit/audit-documentation/wiki/SPEC-Writing-Good-Events#field-names ---- - shared/macros-ansible.jinja | 32 +++++++++++++++++++++++++------- - 1 file changed, 25 insertions(+), 7 deletions(-) - -diff --git a/shared/macros-ansible.jinja b/shared/macros-ansible.jinja -index 03e4306051..7674c290fa 100644 ---- a/shared/macros-ansible.jinja -+++ b/shared/macros-ansible.jinja -@@ -352,9 +352,11 @@ The macro requires following parameters: - - arch: an architecture to be used in the Audit rule (b32, b64) - - syscalls: list of syscalls supplied as a list ["syscall1", "syscall2"] etc. - - key: a key to use as rule identifier. -+- fields (optional): list of syscall fields to add (e.g.: auid=unset, exit=-EPERM, a0&0100); -+ Add them in the order you expect them to be in the audit rule. - Note that if there already exists a rule wit the same key in the /etc/audit/rules.d directory, the rule will be placed in the same file. - #}} --{{% macro ansible_audit_augenrules_add_syscall_rule(arch="", syscalls=[], key="") -%}} -+{{% macro ansible_audit_augenrules_add_syscall_rule(arch="", syscalls=[], key="", fields=[]) -%}} - - name: Declare list of syscals - set_fact: - syscalls: {{{ syscalls }}} -@@ -362,10 +364,17 @@ Note that if there already exists a rule wit the same key in the /etc/audit/rul - - name: Declare number of syscalls - set_fact: audit_syscalls_number_of_syscalls="{{ syscalls|length|int }}" - -+{{# This dictionary is a Jinja2 trick to allow loops to change variables defined out of its scope #}} -+{{% set fields_data = { 'regex' : "", 'list': "" } %}} -+{{% for field in fields %}} -+ {{% set not_used = fields_data.update({'regex': fields_data.regex + '(?:-F\s+' + field + ')'}) %}} -+ {{% set not_used = fields_data.update({'list': fields_data.list+ ' -F ' + field }) %}} -+{{% endfor %}} -+ - - name: Check existence of syscalls for architecture {{{ arch }}} in /etc/audit/rules.d/ - find: - paths: "/etc/audit/rules.d" -- contains: '^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch={{{ arch }}}[\s]+)(?:.*(-S[\s]+{{ item }}[\s]+|([\s]+|[,]){{ item }}([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$' -+ contains: '^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch={{{ arch }}}[\s]+)(?:.*(-S[\s]+{{ item }}[\s]+|([\s]+|[,]){{ item }}([\s]+|[,]))).*{{{ fields_data.regex }}}(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$' - patterns: "*.rules" - register: audit_syscalls_found_{{{ arch }}}_rules_d - loop: "{{ syscalls }}" -@@ -401,7 +410,7 @@ Note that if there already exists a rule wit the same key in the /etc/audit/rul - loop: "{{ audit_syscalls_found_{{{ arch }}}_rules_d.results }}" - when: item.matched is defined and item.matched == 0 - - name: "Construct rule: add key" -- set_fact: tmpline="{{ tmpline + '-k {{{ key }}}' }}" -+ set_fact: tmpline="{{ tmpline + '{{{ fields_data.list }}} -k {{{ key }}}' }}" - - name: "Insert the line in {{ all_files[0] }}" - lineinfile: - path: "{{ all_files[0] }}" -@@ -417,8 +426,10 @@ The macro requires following parameters: - - arch: an architecture to be used in the Audit rule (b32, b64) - - syscalls: list of syscalls supplied as a list ["syscall1", "syscall2"] etc. - - key: a key to use as rule identifier. -+- fields (optional): list of syscall fields to add (e.g.: auid=unset, exit=-EPERM, a0&0100); -+ Add them in the order you expect them to be in the audit rule. - #}} --{{% macro ansible_audit_auditctl_add_syscall_rule(arch="", syscalls=[], key="") -%}} -+{{% macro ansible_audit_auditctl_add_syscall_rule(arch="", syscalls=[], key="", fields=[]) -%}} - - name: Declare list of syscals - set_fact: - syscalls: {{{ syscalls }}} -@@ -426,10 +437,17 @@ The macro requires following parameters: - - name: Declare number of syscalls - set_fact: audit_syscalls_number_of_syscalls="{{ syscalls|length|int }}" - -+{{# This dictionary is a Jinja2 trick to allow loops to change variables defined out of its scope #}} -+{{% set fields_data = { 'regex' : "", 'list': "" } %}} -+{{% for field in fields %}} -+ {{% set not_used = fields_data.update({'regex': fields_data.regex + '(?:-F\s+' + field + ')'}) %}} -+ {{% set not_used = fields_data.update({'list': fields_data.list + ' -F ' + field }) %}} -+{{% endfor %}} -+ - - name: Check existence of syscalls for architecture {{{ arch }}} in /etc/audit/audit.rules - find: - paths: "/etc/audit" -- contains: '^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch={{{ arch }}}[\s]+)(?:.*(-S[\s]+{{ item }}[\s]+|([\s]+|[,]){{ item }}([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$' -+ contains: '^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch={{{ arch }}}[\s]+)(?:.*(-S[\s]+{{ item }}[\s]+|([\s]+|[,]){{ item }}([\s]+|[,]))).*{{{ fields_data.regex }}}(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$' - patterns: "audit.rules" - register: audit_syscalls_found_{{{ arch }}}_audit_rules - loop: "{{ syscalls }}" -@@ -445,8 +463,8 @@ The macro requires following parameters: - set_fact: tmpline="{{tmpline + '-S ' + item.item + ' ' }}" - loop: "{{ audit_syscalls_found_{{{ arch }}}_audit_rules.results }}" - when: item.matched is defined and item.matched == 0 -- - name: "Construct rule: add key" -- set_fact: tmpline="{{ tmpline + '-k {{{ key }}}' }}" -+ - name: "Construct rule: add fields and key" -+ set_fact: tmpline="{{ tmpline + '{{{ fields_data.list }}} -k {{{ key }}}' }}" - - name: Insert the line in /etc/audit/audit.rules - lineinfile: - path: "/etc/audit/audit.rules" - -From 5de069a558c4456d0610764d8fc9da23f0ba294e Mon Sep 17 00:00:00 2001 -From: Watson Sato -Date: Wed, 29 Apr 2020 18:43:08 +0200 -Subject: [PATCH 2/6] Fix spacing between syscalls and fields - -By having the white space at the beginning of the token, it is easy to -concatenate them without worries. ---- - shared/macros-ansible.jinja | 10 +++++----- - 1 file changed, 5 insertions(+), 5 deletions(-) - -diff --git a/shared/macros-ansible.jinja b/shared/macros-ansible.jinja -index 7674c290fa..2aaf0c366b 100644 ---- a/shared/macros-ansible.jinja -+++ b/shared/macros-ansible.jinja -@@ -404,12 +404,12 @@ Note that if there already exists a rule wit the same key in the /etc/audit/rul - - name: "Insert the syscall rule in {{ all_files[0] }}" - block: - - name: "Construct rule: add rule list, action and arch" -- set_fact: tmpline="-a always,exit -F arch={{{ arch }}} " -+ set_fact: tmpline="-a always,exit -F arch={{{ arch }}}" - - name: "Construct rule: add syscalls" -- set_fact: tmpline="{{tmpline + '-S ' + item.item + ' ' }}" -+ set_fact: tmpline="{{tmpline + ' -S ' + item.item }}" - loop: "{{ audit_syscalls_found_{{{ arch }}}_rules_d.results }}" - when: item.matched is defined and item.matched == 0 -- - name: "Construct rule: add key" -+ - name: "Construct rule: add fields and key" - set_fact: tmpline="{{ tmpline + '{{{ fields_data.list }}} -k {{{ key }}}' }}" - - name: "Insert the line in {{ all_files[0] }}" - lineinfile: -@@ -458,9 +458,9 @@ The macro requires following parameters: - - name: Insert the syscall rule in /etc/audit/audit.rules - block: - - name: "Construct rule: add rule list, action and arch" -- set_fact: tmpline="-a always,exit -F arch={{{ arch }}} " -+ set_fact: tmpline="-a always,exit -F arch={{{ arch }}}" - - name: "Construct rule: add syscalls" -- set_fact: tmpline="{{tmpline + '-S ' + item.item + ' ' }}" -+ set_fact: tmpline="{{tmpline + ' -S ' + item.item }}" - loop: "{{ audit_syscalls_found_{{{ arch }}}_audit_rules.results }}" - when: item.matched is defined and item.matched == 0 - - name: "Construct rule: add fields and key" - -From 80a3b0cca2b3af62e1a7cff578a45e844bd12fb4 Mon Sep 17 00:00:00 2001 -From: Watson Sato -Date: Thu, 30 Apr 2020 09:10:41 +0200 -Subject: [PATCH 3/6] Add tests for audit_rules_time_clock_settime - ---- - .../tests/correct_syscall.pass.sh | 7 +++++++ - .../tests/incorrect_arg_field.fail.sh | 7 +++++++ - .../tests/incorrect_syscall.fail.sh | 7 +++++++ - 3 files changed, 21 insertions(+) - create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_clock_settime/tests/correct_syscall.pass.sh - create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_clock_settime/tests/incorrect_arg_field.fail.sh - create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_clock_settime/tests/incorrect_syscall.fail.sh - -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_clock_settime/tests/correct_syscall.pass.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_clock_settime/tests/correct_syscall.pass.sh -new file mode 100644 -index 0000000000..b71cc454bc ---- /dev/null -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_clock_settime/tests/correct_syscall.pass.sh -@@ -0,0 +1,7 @@ -+#!/bin/bash -+ -+# profiles = xccdf_org.ssgproject.content_profile_cis -+ -+rm -rf /etc/audit/rules.d/*.rules -+echo "-a always,exit -F arch=b32 -S clock_settime -F a0=0x0 -k time-change" >> /etc/audit/rules.d/time.rules -+echo "-a always,exit -F arch=b64 -S clock_settime -F a0=0x0 -k time-change" >> /etc/audit/rules.d/time.rules -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_clock_settime/tests/incorrect_arg_field.fail.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_clock_settime/tests/incorrect_arg_field.fail.sh -new file mode 100644 -index 0000000000..add0722747 ---- /dev/null -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_clock_settime/tests/incorrect_arg_field.fail.sh -@@ -0,0 +1,7 @@ -+#!/bin/bash -+ -+# profiles = xccdf_org.ssgproject.content_profile_cis -+ -+rm -rf /etc/audit/rules.d/*.rules -+echo "-a always,exit -F arch=b32 -S clock_settime -F a0=0x1 -k time-change" >> /etc/audit/rules.d/time.rules -+echo "-a always,exit -F arch=b64 -S clock_settime -F a0=0x1 -k time-change" >> /etc/audit/rules.d/time.rules -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_clock_settime/tests/incorrect_syscall.fail.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_clock_settime/tests/incorrect_syscall.fail.sh -new file mode 100644 -index 0000000000..9ab5cc3bc4 ---- /dev/null -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_clock_settime/tests/incorrect_syscall.fail.sh -@@ -0,0 +1,7 @@ -+#!/bin/bash -+ -+# profiles = xccdf_org.ssgproject.content_profile_cis -+ -+rm -rf /etc/audit/rules.d/*.rules -+echo "-a always,exit -F arch=b32 -S stime -F a0=0x0 -k time-change" >> /etc/audit/rules.d/time.rules -+echo "-a always,exit -F arch=b64 -S stime -F a0=0x0 -k time-change" >> /etc/audit/rules.d/time.rules - -From a5b36f8400f821e35fc5a7e77b36a9fee0124702 Mon Sep 17 00:00:00 2001 -From: Watson Sato -Date: Thu, 30 Apr 2020 09:34:35 +0200 -Subject: [PATCH 4/6] Add Ansible for audit syscall clock_settime - -Also demonstrates how to use the fields parameter in ansible audit -syscall macro. ---- - .../ansible/shared.yml | 22 +++++++++++++++++++ - 1 file changed, 22 insertions(+) - create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_clock_settime/ansible/shared.yml - -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_clock_settime/ansible/shared.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_clock_settime/ansible/shared.yml -new file mode 100644 -index 0000000000..e77850fa25 ---- /dev/null -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_clock_settime/ansible/shared.yml -@@ -0,0 +1,22 @@ -+# platform = multi_platform_all -+# reboot = false -+# strategy = restrict -+# complexity = low -+# disruption = low -+ -+# What architecture are we on? -+# -+- name: Set architecture for audit tasks -+ set_fact: -+ audit_arch: "b{{ ansible_architecture | regex_replace('.*(\\d\\d$)','\\1') }}" -+ -+- name: Perform remediation of Audit rules for clock_settime for x86 platform -+ block: -+ {{{ ansible_audit_augenrules_add_syscall_rule(arch="b32", syscalls=["clock_settime"], key="time-change", fields=["a0=0x0"])|indent(4) }}} -+ {{{ ansible_audit_auditctl_add_syscall_rule(arch="b32", syscalls=["clock_settime"], key="time-change", fields=["a0=0x0"])|indent(4) }}} -+ -+- name: Perform remediation of Audit rules for clock_settime for x86_64 platform -+ block: -+ {{{ ansible_audit_augenrules_add_syscall_rule(arch="b64", syscalls=["clock_settime"], key="time-change", fields=["a0=0x0"])|indent(4) }}} -+ {{{ ansible_audit_auditctl_add_syscall_rule(arch="b64", syscalls=["clock_settime"], key="time-change", fields=["a0=0x0"])|indent(4) }}} -+ when: audit_arch == "b64" - -From fe179d4d870878d29b603e7ab5a8bc79cb8eb05c Mon Sep 17 00:00:00 2001 -From: Watson Sato -Date: Thu, 30 Apr 2020 11:54:03 +0200 -Subject: [PATCH 5/6] Fix regex spacing between fields and the key - -There needs to be a space between them. -Change syntax to be consistent with rest of regex. ---- - shared/macros-ansible.jinja | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/shared/macros-ansible.jinja b/shared/macros-ansible.jinja -index 2aaf0c366b..eeafe5f6d5 100644 ---- a/shared/macros-ansible.jinja -+++ b/shared/macros-ansible.jinja -@@ -367,7 +367,7 @@ Note that if there already exists a rule wit the same key in the /etc/audit/rul - {{# This dictionary is a Jinja2 trick to allow loops to change variables defined out of its scope #}} - {{% set fields_data = { 'regex' : "", 'list': "" } %}} - {{% for field in fields %}} -- {{% set not_used = fields_data.update({'regex': fields_data.regex + '(?:-F\s+' + field + ')'}) %}} -+ {{% set not_used = fields_data.update({'regex': fields_data.regex + '(?:-F[\s]+' + field + '[\s]+)'}) %}} - {{% set not_used = fields_data.update({'list': fields_data.list+ ' -F ' + field }) %}} - {{% endfor %}} - -@@ -440,7 +440,7 @@ The macro requires following parameters: - {{# This dictionary is a Jinja2 trick to allow loops to change variables defined out of its scope #}} - {{% set fields_data = { 'regex' : "", 'list': "" } %}} - {{% for field in fields %}} -- {{% set not_used = fields_data.update({'regex': fields_data.regex + '(?:-F\s+' + field + ')'}) %}} -+ {{% set not_used = fields_data.update({'regex': fields_data.regex + '(?:-F[\s]+' + field + '[\s]+)'}) %}} - {{% set not_used = fields_data.update({'list': fields_data.list + ' -F ' + field }) %}} - {{% endfor %}} - - -From 5e13b1a6698d4403cf4108664fd2c33be5ee9109 Mon Sep 17 00:00:00 2001 -From: Watson Sato -Date: Thu, 30 Apr 2020 14:41:59 +0200 -Subject: [PATCH 6/6] Improve macro documenation and clarify var name - ---- - shared/macros-ansible.jinja | 22 ++++++++++++++-------- - 1 file changed, 14 insertions(+), 8 deletions(-) - -diff --git a/shared/macros-ansible.jinja b/shared/macros-ansible.jinja -index eeafe5f6d5..7b64341fb7 100644 ---- a/shared/macros-ansible.jinja -+++ b/shared/macros-ansible.jinja -@@ -364,11 +364,14 @@ Note that if there already exists a rule wit the same key in the /etc/audit/rul - - name: Declare number of syscalls - set_fact: audit_syscalls_number_of_syscalls="{{ syscalls|length|int }}" - --{{# This dictionary is a Jinja2 trick to allow loops to change variables defined out of its scope #}} --{{% set fields_data = { 'regex' : "", 'list': "" } %}} -+{{# -+This dictionary is a Jinja2 trick to allow loops to change variables defined out of its scope. -+See official documentation: https://jinja.palletsprojects.com/en/2.11.x/templates/#assignments -+#}} -+{{% set fields_data = { 'regex' : "", 'plain_text': "" } %}} - {{% for field in fields %}} - {{% set not_used = fields_data.update({'regex': fields_data.regex + '(?:-F[\s]+' + field + '[\s]+)'}) %}} -- {{% set not_used = fields_data.update({'list': fields_data.list+ ' -F ' + field }) %}} -+ {{% set not_used = fields_data.update({'plain_text': fields_data.plain_text + ' -F ' + field }) %}} - {{% endfor %}} - - - name: Check existence of syscalls for architecture {{{ arch }}} in /etc/audit/rules.d/ -@@ -410,7 +413,7 @@ Note that if there already exists a rule wit the same key in the /etc/audit/rul - loop: "{{ audit_syscalls_found_{{{ arch }}}_rules_d.results }}" - when: item.matched is defined and item.matched == 0 - - name: "Construct rule: add fields and key" -- set_fact: tmpline="{{ tmpline + '{{{ fields_data.list }}} -k {{{ key }}}' }}" -+ set_fact: tmpline="{{ tmpline + '{{{ fields_data.plain_text }}} -k {{{ key }}}' }}" - - name: "Insert the line in {{ all_files[0] }}" - lineinfile: - path: "{{ all_files[0] }}" -@@ -437,11 +440,14 @@ The macro requires following parameters: - - name: Declare number of syscalls - set_fact: audit_syscalls_number_of_syscalls="{{ syscalls|length|int }}" - --{{# This dictionary is a Jinja2 trick to allow loops to change variables defined out of its scope #}} --{{% set fields_data = { 'regex' : "", 'list': "" } %}} -+{{# -+This dictionary is a Jinja2 trick to allow loops to change variables defined out of its scope. -+See official documentation: https://jinja.palletsprojects.com/en/2.11.x/templates/#assignments -+#}} -+{{% set fields_data = { 'regex' : "", 'plain_text': "" } %}} - {{% for field in fields %}} - {{% set not_used = fields_data.update({'regex': fields_data.regex + '(?:-F[\s]+' + field + '[\s]+)'}) %}} -- {{% set not_used = fields_data.update({'list': fields_data.list + ' -F ' + field }) %}} -+ {{% set not_used = fields_data.update({'plain_text': fields_data.plain_text + ' -F ' + field }) %}} - {{% endfor %}} - - - name: Check existence of syscalls for architecture {{{ arch }}} in /etc/audit/audit.rules -@@ -464,7 +470,7 @@ The macro requires following parameters: - loop: "{{ audit_syscalls_found_{{{ arch }}}_audit_rules.results }}" - when: item.matched is defined and item.matched == 0 - - name: "Construct rule: add fields and key" -- set_fact: tmpline="{{ tmpline + '{{{ fields_data.list }}} -k {{{ key }}}' }}" -+ set_fact: tmpline="{{ tmpline + '{{{ fields_data.plain_text }}} -k {{{ key }}}' }}" - - name: Insert the line in /etc/audit/audit.rules - lineinfile: - path: "/etc/audit/audit.rules" diff --git a/SOURCES/scap-security-guide-0.1.50-add_grub2_disable_ipv6_PR_5324.patch b/SOURCES/scap-security-guide-0.1.50-add_grub2_disable_ipv6_PR_5324.patch deleted file mode 100644 index 7882c3e..0000000 --- a/SOURCES/scap-security-guide-0.1.50-add_grub2_disable_ipv6_PR_5324.patch +++ /dev/null @@ -1,351 +0,0 @@ -From 0f919eef79444dfbbf105d58258f4935596d617d Mon Sep 17 00:00:00 2001 -From: Vojtech Polasek -Date: Fri, 20 Mar 2020 11:15:10 +0100 -Subject: [PATCH 1/5] add rule - ---- - .../grub2_disable_ipv6/rule.yml | 94 +++++++++++++++++++ - 2 files changed, 94 insertions(+), 2 deletions(-) - create mode 100644 linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_disable_ipv6/rule.yml - -diff --git a/linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_disable_ipv6/rule.yml b/linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_disable_ipv6/rule.yml -new file mode 100644 -index 0000000000..ab3137e57e ---- /dev/null -+++ b/linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_disable_ipv6/rule.yml -@@ -0,0 +1,94 @@ -+documentation_complete: true -+ -+prodtype: rhel7,ol7,rhel8,ol8,fedora,rhv4,ocp4 -+ -+title: 'Ensure IPv6 is disabled through kernel boot parameter' -+ -+description: |- -+ To disable IPv6 protocol support in the Linux kernel, -+ add the argument ipv6.disable=1 to the default -+ GRUB 2 command line for the Linux operating system in -+{{% if product in ["rhel7", "ol7", "rhv4"] %}} -+ /etc/default/grub, so that the line looks similar to -+
GRUB_CMDLINE_LINUX="... ipv6.disable=1 ..."
-+ In case the GRUB_DISABLE_RECOVERY is set to true, then the parameter should be added to the GRUB_CMDLINE_LINUX_DEFAULT instead. -+{{% else %}} -+ /boot/grub2/grubenv, in the manner below: -+
# grub2-editenv - set "$(grub2-editenv - list | grep kernelopts) ipv6.disable=1"
-+{{% endif %}} -+ -+ -+rationale: |- -+ Any unnecessary network stacks - including IPv6 - should be disabled, to reduce -+ the vulnerability to exploitation. -+ -+severity: medium -+ -+identifiers: -+ cce@rhel7: 82886-3 -+ cce@rhel8: 82887-1 -+ -+references: -+ cis@rhel7: 3.3.3 -+ cis@rhel8: "3.6" -+ -+ocil_clause: 'IPv6 is not disabled' -+ -+ocil: |- -+ {{% if product in ["rhel7", "ol7", "rhv4"] %}} -+ Inspect the form of default GRUB 2 command line for the Linux operating system -+ in /etc/default/grub. If it includes ipv6.disable=1, then IPv6 -+ is disabled at boot time. -+ First check if the GRUB recovery is enabled: -+
$ grep 'GRUB_DISABLE_RECOVERY' /etc/default/grub
-+ If this option is set to true, then check that a line is output by the following command: -+
$ grep 'GRUB_CMDLINE_LINUX_DEFAULT.*ipv6.disable=1.*' /etc/default/grub
-+ If the recovery is disabled, check the line with -+
$ grep 'GRUB_CMDLINE_LINUX.*ipv6.disable=1.*' /etc/default/grub
. -+ Moreover, current Grub2 config file in /etc/grub2/grub.cfg must be checked. -+
# grep vmlinuz /boot/grub2/grub.cfg | grep -v 'ipv6.disable=1'
-+ This command should not return any output. If it does, update the configuration with -+
# grub2-mkconfig -o /boot/grub2/grub.cfg
-+

-+ Alternatively, to ensure ipv6.disable=1 is configured on all installed kernels, the -+ following command may be used: -+
-+
$ sudo /sbin/grubby --update-kernel=ALL --args="ipv6.disable=1"
-+
-+{{% else %}} -+ Inspect the form of default GRUB 2 command line for the Linux operating system -+ in /boot/grub2/grubenv. If they include ipv6.disable=1, then IPv6 -+ is disabled at boot time. -+
# grep 'kernelopts.*ipv6.disable=1.*' /boot/grub2/grubenv
-+

-+ To ensure ipv6.disable=1 is configured on all installed kernels, the -+ following command may be used: -+
-+
# grub2-editenv - set "$(grub2-editenv - list | grep kernelopts) ipv6.disable=1"
-+
-+{{% endif %}} -+ -+ -+warnings: -+ - management: |- -+ The GRUB 2 configuration file, grub.cfg, -+ is automatically updated each time a new kernel is installed. Note that any -+ changes to /etc/default/grub require rebuilding the grub.cfg -+ file. To update the GRUB 2 configuration file manually, use the -+
grub2-mkconfig -o
command as follows: -+
    -+
  • On BIOS-based machines, issue the following command as root: -+
    ~]# grub2-mkconfig -o /boot/grub2/grub.cfg
  • -+
  • On UEFI-based machines, issue the following command as root: -+{{% if product in ["rhel7", "ol7", "rhel8", "ol8"] %}} -+
    ~]# grub2-mkconfig -o /boot/efi/EFI/redhat/grub.cfg
  • -+{{% else %}} -+
    ~]# grub2-mkconfig -o /boot/efi/EFI/fedora/grub.cfg
    -+{{% endif %}} -+
-+ -+template: -+ name: grub2_bootloader_argument -+ vars: -+ arg_name: ipv6.disable -+ arg_value: '1' - -From 847faabaa90a70a4c1c4c896c287f8f05b40579c Mon Sep 17 00:00:00 2001 -From: Vojtech Polasek -Date: Fri, 20 Mar 2020 15:06:45 +0100 -Subject: [PATCH 2/5] add rule to rhel7 and rhel8 cis - ---- - rhel7/profiles/cis.profile | 1 + - 2 files changed, 2 insertions(+), 1 deletion(-) - -diff --git a/rhel7/profiles/cis.profile b/rhel7/profiles/cis.profile -index b66594f594..88b27c7a71 100644 ---- a/rhel7/profiles/cis.profile -+++ b/rhel7/profiles/cis.profile -@@ -350,6 +350,7 @@ selections: - - sysctl_net_ipv6_conf_default_accept_redirects - - ### 3.3.3 Ensure IPv6 is disabled (Not Scored) -+ - grub2_disable_ipv6 - - ## 3.4 TCP Wrappers - ### 3.4.1 Ensure TCP Wrappers is installed (Scored) - -From 95e501a09061ade19d5c6363967bc48a5e28ef41 Mon Sep 17 00:00:00 2001 -From: vojtapolasek -Date: Mon, 23 Mar 2020 08:49:06 +0100 -Subject: [PATCH 3/5] fix wording in rule.yml - -Co-Authored-By: Shawn Wells ---- - .../disabling_ipv6/grub2_disable_ipv6/rule.yml | 10 +++++----- - 1 file changed, 5 insertions(+), 5 deletions(-) - -diff --git a/linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_disable_ipv6/rule.yml b/linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_disable_ipv6/rule.yml -index ab3137e57e..06fd3b2a36 100644 ---- a/linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_disable_ipv6/rule.yml -+++ b/linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_disable_ipv6/rule.yml -@@ -7,7 +7,7 @@ title: 'Ensure IPv6 is disabled through kernel boot parameter' - description: |- - To disable IPv6 protocol support in the Linux kernel, - add the argument ipv6.disable=1 to the default -- GRUB 2 command line for the Linux operating system in -+ GRUB2 command line for the Linux operating system in - {{% if product in ["rhel7", "ol7", "rhv4"] %}} - /etc/default/grub, so that the line looks similar to -
GRUB_CMDLINE_LINUX="... ipv6.disable=1 ..."
-@@ -19,7 +19,7 @@ description: |- - - - rationale: |- -- Any unnecessary network stacks - including IPv6 - should be disabled, to reduce -+ Any unnecessary network stacks, including IPv6, should be disabled to reduce - the vulnerability to exploitation. - - severity: medium -@@ -36,7 +36,7 @@ ocil_clause: 'IPv6 is not disabled' - - ocil: |- - {{% if product in ["rhel7", "ol7", "rhv4"] %}} -- Inspect the form of default GRUB 2 command line for the Linux operating system -+ Inspect the form of default GRUB2 command line for the Linux operating system - in /etc/default/grub. If it includes ipv6.disable=1, then IPv6 - is disabled at boot time. - First check if the GRUB recovery is enabled: -@@ -45,7 +45,7 @@ ocil: |- -
$ grep 'GRUB_CMDLINE_LINUX_DEFAULT.*ipv6.disable=1.*' /etc/default/grub
- If the recovery is disabled, check the line with -
$ grep 'GRUB_CMDLINE_LINUX.*ipv6.disable=1.*' /etc/default/grub
. -- Moreover, current Grub2 config file in /etc/grub2/grub.cfg must be checked. -+ Moreover, current GRUB2 config file in /etc/grub2/grub.cfg must be checked. -
# grep vmlinuz /boot/grub2/grub.cfg | grep -v 'ipv6.disable=1'
- This command should not return any output. If it does, update the configuration with -
# grub2-mkconfig -o /boot/grub2/grub.cfg
-@@ -56,7 +56,7 @@ ocil: |- -
$ sudo /sbin/grubby --update-kernel=ALL --args="ipv6.disable=1"
-
- {{% else %}} -- Inspect the form of default GRUB 2 command line for the Linux operating system -+ Inspect the form of default GRUB2 command line for the Linux operating system - in /boot/grub2/grubenv. If they include ipv6.disable=1, then IPv6 - is disabled at boot time. -
# grep 'kernelopts.*ipv6.disable=1.*' /boot/grub2/grubenv
- -From 3006d2025e472c2c457f5665ab0096f22e84766c Mon Sep 17 00:00:00 2001 -From: Vojtech Polasek -Date: Mon, 23 Mar 2020 14:13:15 +0100 -Subject: [PATCH 4/5] change severity, reorder prodtypes, and add sudo instead - of root - ---- - .../grub2_disable_ipv6/rule.yml | 32 +++++++++---------- - 1 file changed, 16 insertions(+), 16 deletions(-) - -diff --git a/linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_disable_ipv6/rule.yml b/linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_disable_ipv6/rule.yml -index 06fd3b2a36..1c6d2388d1 100644 ---- a/linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_disable_ipv6/rule.yml -+++ b/linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_disable_ipv6/rule.yml -@@ -1,6 +1,6 @@ - documentation_complete: true - --prodtype: rhel7,ol7,rhel8,ol8,fedora,rhv4,ocp4 -+prodtype: fedora,ocp4,ol7,ol8,rhel7,rhel8,rhv4 - - title: 'Ensure IPv6 is disabled through kernel boot parameter' - -@@ -14,7 +14,7 @@ description: |- - In case the GRUB_DISABLE_RECOVERY is set to true, then the parameter should be added to the GRUB_CMDLINE_LINUX_DEFAULT instead. - {{% else %}} - /boot/grub2/grubenv, in the manner below: --
# grub2-editenv - set "$(grub2-editenv - list | grep kernelopts) ipv6.disable=1"
-+
sudo  grub2-editenv - set "$(grub2-editenv - list | grep kernelopts) ipv6.disable=1"
- {{% endif %}} - - -@@ -22,7 +22,7 @@ rationale: |- - Any unnecessary network stacks, including IPv6, should be disabled to reduce - the vulnerability to exploitation. - --severity: medium -+severity: low - - identifiers: - cce@rhel7: 82886-3 -@@ -40,31 +40,31 @@ ocil: |- - in /etc/default/grub. If it includes ipv6.disable=1, then IPv6 - is disabled at boot time. - First check if the GRUB recovery is enabled: --
$ grep 'GRUB_DISABLE_RECOVERY' /etc/default/grub
-+
grep 'GRUB_DISABLE_RECOVERY' /etc/default/grub
- If this option is set to true, then check that a line is output by the following command: --
$ grep 'GRUB_CMDLINE_LINUX_DEFAULT.*ipv6.disable=1.*' /etc/default/grub
-+
grep 'GRUB_CMDLINE_LINUX_DEFAULT.*ipv6.disable=1.*' /etc/default/grub
- If the recovery is disabled, check the line with --
$ grep 'GRUB_CMDLINE_LINUX.*ipv6.disable=1.*' /etc/default/grub
. -+
grep 'GRUB_CMDLINE_LINUX.*ipv6.disable=1.*' /etc/default/grub
. - Moreover, current GRUB2 config file in /etc/grub2/grub.cfg must be checked. --
# grep vmlinuz /boot/grub2/grub.cfg | grep -v 'ipv6.disable=1'
-+
sudo grep vmlinuz /boot/grub2/grub.cfg | grep -v 'ipv6.disable=1'
- This command should not return any output. If it does, update the configuration with --
# grub2-mkconfig -o /boot/grub2/grub.cfg
-+
sudo grub2-mkconfig -o /boot/grub2/grub.cfg
-

- Alternatively, to ensure ipv6.disable=1 is configured on all installed kernels, the - following command may be used: -
--
$ sudo /sbin/grubby --update-kernel=ALL --args="ipv6.disable=1"
-+
sudo /sbin/grubby --update-kernel=ALL --args="ipv6.disable=1"
-
- {{% else %}} - Inspect the form of default GRUB2 command line for the Linux operating system - in /boot/grub2/grubenv. If they include ipv6.disable=1, then IPv6 - is disabled at boot time. --
# grep 'kernelopts.*ipv6.disable=1.*' /boot/grub2/grubenv
-+
sudo grep 'kernelopts.*ipv6.disable=1.*' /boot/grub2/grubenv
-

- To ensure ipv6.disable=1 is configured on all installed kernels, the - following command may be used: -
--
# grub2-editenv - set "$(grub2-editenv - list | grep kernelopts) ipv6.disable=1"
-+
sudo grub2-editenv - set "$(grub2-editenv - list | grep kernelopts) ipv6.disable=1"
-
- {{% endif %}} - -@@ -77,13 +77,13 @@ warnings: - file. To update the GRUB 2 configuration file manually, use the -
grub2-mkconfig -o
command as follows: -
    --
  • On BIOS-based machines, issue the following command as root: --
    ~]# grub2-mkconfig -o /boot/grub2/grub.cfg
  • --
  • On UEFI-based machines, issue the following command as root: -+
  • On BIOS-based machines, issue the following command: -+
    sudo grub2-mkconfig -o /boot/grub2/grub.cfg
  • -+
  • On UEFI-based machines, issue the following command: - {{% if product in ["rhel7", "ol7", "rhel8", "ol8"] %}} --
    ~]# grub2-mkconfig -o /boot/efi/EFI/redhat/grub.cfg
  • -+
    sudo grub2-mkconfig -o /boot/efi/EFI/redhat/grub.cfg
    - {{% else %}} --
    ~]# grub2-mkconfig -o /boot/efi/EFI/fedora/grub.cfg
    -+
    sudo grub2-mkconfig -o /boot/efi/EFI/fedora/grub.cfg
    - {{% endif %}} -
- - -From 18529b39aa08084c6a73adec2771b48eac89ce7f Mon Sep 17 00:00:00 2001 -From: Vojtech Polasek -Date: Wed, 25 Mar 2020 09:54:05 +0100 -Subject: [PATCH 5/5] make description and ocil clearer - ---- - .../grub2_disable_ipv6/rule.yml | 19 +++++++++---------- - 1 file changed, 9 insertions(+), 10 deletions(-) - -diff --git a/linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_disable_ipv6/rule.yml b/linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_disable_ipv6/rule.yml -index 1c6d2388d1..e128654204 100644 ---- a/linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_disable_ipv6/rule.yml -+++ b/linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_disable_ipv6/rule.yml -@@ -12,6 +12,10 @@ description: |- - /etc/default/grub, so that the line looks similar to -
GRUB_CMDLINE_LINUX="... ipv6.disable=1 ..."
- In case the GRUB_DISABLE_RECOVERY is set to true, then the parameter should be added to the GRUB_CMDLINE_LINUX_DEFAULT instead. -+ Run one of following command to ensure that the configuration is applied when booting currently installed kernels: -+
sudo grub2-mkconfig -o /boot/grub2/grub.cfg
-+ or -+
sudo /sbin/grubby --update-kernel=ALL --args="ipv6.disable=1"
- {{% else %}} - /boot/grub2/grubenv, in the manner below: -
sudo  grub2-editenv - set "$(grub2-editenv - list | grep kernelopts) ipv6.disable=1"
-@@ -37,28 +41,23 @@ ocil_clause: 'IPv6 is not disabled' - ocil: |- - {{% if product in ["rhel7", "ol7", "rhv4"] %}} - Inspect the form of default GRUB2 command line for the Linux operating system -- in /etc/default/grub. If it includes ipv6.disable=1, then IPv6 -- is disabled at boot time. -+ in /etc/default/grub. Check if it includes ipv6.disable=1. - First check if the GRUB recovery is enabled: -
grep 'GRUB_DISABLE_RECOVERY' /etc/default/grub
-- If this option is set to true, then check that a line is output by the following command: -+ If this option is set to true, then check that the following line is output by the following command: -
grep 'GRUB_CMDLINE_LINUX_DEFAULT.*ipv6.disable=1.*' /etc/default/grub
- If the recovery is disabled, check the line with -
grep 'GRUB_CMDLINE_LINUX.*ipv6.disable=1.*' /etc/default/grub
. - Moreover, current GRUB2 config file in /etc/grub2/grub.cfg must be checked. -
sudo grep vmlinuz /boot/grub2/grub.cfg | grep -v 'ipv6.disable=1'
-- This command should not return any output. If it does, update the configuration with -+ This command should not return any output. If it does, update the configuration with one of following commands: -
sudo grub2-mkconfig -o /boot/grub2/grub.cfg
--

-- Alternatively, to ensure ipv6.disable=1 is configured on all installed kernels, the -- following command may be used: --
-+ or -
sudo /sbin/grubby --update-kernel=ALL --args="ipv6.disable=1"
-
- {{% else %}} - Inspect the form of default GRUB2 command line for the Linux operating system -- in /boot/grub2/grubenv. If they include ipv6.disable=1, then IPv6 -- is disabled at boot time. -+ in /boot/grub2/grubenv. Check if it includes ipv6.disable=1. -
sudo grep 'kernelopts.*ipv6.disable=1.*' /boot/grub2/grubenv
-

- To ensure ipv6.disable=1 is configured on all installed kernels, the diff --git a/SOURCES/scap-security-guide-0.1.50-add_missing_cces_PR_5546.patch b/SOURCES/scap-security-guide-0.1.50-add_missing_cces_PR_5546.patch deleted file mode 100644 index 388a393..0000000 --- a/SOURCES/scap-security-guide-0.1.50-add_missing_cces_PR_5546.patch +++ /dev/null @@ -1,48 +0,0 @@ -From b0f940d192e7a649970cb160647d90a5e5e3649c Mon Sep 17 00:00:00 2001 -From: Milan Lysonek -Date: Mon, 30 Mar 2020 13:19:46 +0200 -Subject: [PATCH] Add RHEL7 CCEs to chronyd_specify_remote_server, - package_chrony_installed, and service_chronyd_enabled. - ---- - .../guide/services/ntp/chronyd_specify_remote_server/rule.yml | 1 + - linux_os/guide/services/ntp/package_chrony_installed/rule.yml | 1 + - linux_os/guide/services/ntp/service_chronyd_enabled/rule.yml | 1 + - 4 files changed, 3 insertions(+), 3 deletions(-) - -diff --git a/linux_os/guide/services/ntp/chronyd_specify_remote_server/rule.yml b/linux_os/guide/services/ntp/chronyd_specify_remote_server/rule.yml -index ea4c955c8e..8179f5dbfb 100644 ---- a/linux_os/guide/services/ntp/chronyd_specify_remote_server/rule.yml -+++ b/linux_os/guide/services/ntp/chronyd_specify_remote_server/rule.yml -@@ -22,6 +22,7 @@ severity: medium - platform: chrony - - identifiers: -+ cce@rhel7: 83418-4 - cce@rhel8: 82873-1 - - references: -diff --git a/linux_os/guide/services/ntp/package_chrony_installed/rule.yml b/linux_os/guide/services/ntp/package_chrony_installed/rule.yml -index f6dc1f427f..19be2af6b9 100644 ---- a/linux_os/guide/services/ntp/package_chrony_installed/rule.yml -+++ b/linux_os/guide/services/ntp/package_chrony_installed/rule.yml -@@ -18,6 +18,7 @@ severity: medium - platform: machine - - identifiers: -+ cce@rhel7: 83419-2 - cce@rhel8: 82874-9 - - references: -diff --git a/linux_os/guide/services/ntp/service_chronyd_enabled/rule.yml b/linux_os/guide/services/ntp/service_chronyd_enabled/rule.yml -index 94269dfd54..b0e28d3a6d 100644 ---- a/linux_os/guide/services/ntp/service_chronyd_enabled/rule.yml -+++ b/linux_os/guide/services/ntp/service_chronyd_enabled/rule.yml -@@ -21,6 +21,7 @@ severity: medium - platform: machine - - identifiers: -+ cce@rhel7: 83420-0 - cce@rhel8: 82875-6 - - references: diff --git a/SOURCES/scap-security-guide-0.1.50-add_missing_cces_for_cis_PR_5329.patch b/SOURCES/scap-security-guide-0.1.50-add_missing_cces_for_cis_PR_5329.patch deleted file mode 100644 index d70eb17..0000000 --- a/SOURCES/scap-security-guide-0.1.50-add_missing_cces_for_cis_PR_5329.patch +++ /dev/null @@ -1,123 +0,0 @@ -From 7dc066ba15b4afa2eb5b55dfa468e6c506904b9c Mon Sep 17 00:00:00 2001 -From: Milan Lysonek -Date: Mon, 23 Mar 2020 13:17:41 +0100 -Subject: [PATCH 1/2] Add missing CCEs for rules from CIS profile in RHEL7. - ---- - .../system/accounts/accounts-banners/banner_etc_motd/rule.yml | 3 +++ - .../network-uncommon/kernel_module_tipc_disabled/rule.yml | 1 + - 3 files changed, 4 insertions(+), 2 deletions(-) - -diff --git a/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/rule.yml b/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/rule.yml -index bcd5593d6b..4345173e72 100644 ---- a/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/rule.yml -+++ b/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/rule.yml -@@ -48,6 +48,9 @@ rationale: |- - - severity: medium - -+identifiers: -+ cce@rhel7: 83394-7 -+ - ocil_clause: 'it does not display the required banner' - - ocil: |- -diff --git a/linux_os/guide/system/network/network-uncommon/kernel_module_tipc_disabled/rule.yml b/linux_os/guide/system/network/network-uncommon/kernel_module_tipc_disabled/rule.yml -index ec4ee3d5a1..71aa0dcd2d 100644 ---- a/linux_os/guide/system/network/network-uncommon/kernel_module_tipc_disabled/rule.yml -+++ b/linux_os/guide/system/network/network-uncommon/kernel_module_tipc_disabled/rule.yml -@@ -23,6 +23,7 @@ severity: medium - - identifiers: - cce@rhel6: 26696-5 -+ cce@rhel7: 83395-4 - cce@rhel8: 82297-3 - cce@ocp4: 82520-8 - - -From d757e03b3af18b416a3f11e43b0a721f0c5bc134 Mon Sep 17 00:00:00 2001 -From: Milan Lysonek -Date: Mon, 23 Mar 2020 13:24:57 +0100 -Subject: [PATCH 2/2] Add missing CCEs for rules from CIS profile in RHEL8. - ---- - .../ssh/ssh_server/sshd_set_max_auth_tries/rule.yml | 1 + - .../accounts/accounts-banners/banner_etc_motd/rule.yml | 1 + - .../wireless_software/wireless_disable_interfaces/rule.yml | 1 + - .../files/file_permissions_ungroupowned/rule.yml | 1 + - .../permissions/files/no_files_unowned_by_user/rule.yml | 1 + - .../mounting/kernel_module_squashfs_disabled/rule.yml | 1 + - 7 files changed, 6 insertions(+), 6 deletions(-) - -diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/rule.yml -index 1661b78773..7b5750ee0d 100644 ---- a/linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/rule.yml -+++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/rule.yml -@@ -16,6 +16,7 @@ severity: medium - - identifiers: - cce@rhel7: 82354-2 -+ cce@rhel8: 83500-9 - - references: - cis@debian8: 9.3.5 -diff --git a/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/rule.yml b/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/rule.yml -index 4345173e72..8e872c0944 100644 ---- a/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/rule.yml -+++ b/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/rule.yml -@@ -50,6 +50,7 @@ severity: medium - - identifiers: - cce@rhel7: 83394-7 -+ cce@rhel8: 83496-0 - - ocil_clause: 'it does not display the required banner' - -diff --git a/linux_os/guide/system/network/network-wireless/wireless_software/wireless_disable_interfaces/rule.yml b/linux_os/guide/system/network/network-wireless/wireless_software/wireless_disable_interfaces/rule.yml -index 3b16dbf456..76d94fe8f1 100644 ---- a/linux_os/guide/system/network/network-wireless/wireless_software/wireless_disable_interfaces/rule.yml -+++ b/linux_os/guide/system/network/network-wireless/wireless_software/wireless_disable_interfaces/rule.yml -@@ -26,6 +26,7 @@ severity: medium - identifiers: - cce@rhel6: 27057-9 - cce@rhel7: 27358-1 -+ cce@rhel8: 83501-7 - cce@ocp4: 82660-2 - - references: -diff --git a/linux_os/guide/system/permissions/files/file_permissions_ungroupowned/rule.yml b/linux_os/guide/system/permissions/files/file_permissions_ungroupowned/rule.yml -index 2fe8c27da3..6ee1e123cb 100644 ---- a/linux_os/guide/system/permissions/files/file_permissions_ungroupowned/rule.yml -+++ b/linux_os/guide/system/permissions/files/file_permissions_ungroupowned/rule.yml -@@ -24,6 +24,7 @@ severity: medium - identifiers: - cce@rhel6: 26872-2 - cce@rhel7: 80135-7 -+ cce@rhel8: 83497-8 - - references: - disa@rhel6: '224' -diff --git a/linux_os/guide/system/permissions/files/no_files_unowned_by_user/rule.yml b/linux_os/guide/system/permissions/files/no_files_unowned_by_user/rule.yml -index a8bf12ff81..70515fd9a6 100644 ---- a/linux_os/guide/system/permissions/files/no_files_unowned_by_user/rule.yml -+++ b/linux_os/guide/system/permissions/files/no_files_unowned_by_user/rule.yml -@@ -24,6 +24,7 @@ severity: medium - identifiers: - cce@rhel6: 27032-2 - cce@rhel7: 80134-0 -+ cce@rhel8: 83499-4 - - references: - disa@rhel6: '224' -diff --git a/linux_os/guide/system/permissions/mounting/kernel_module_squashfs_disabled/rule.yml b/linux_os/guide/system/permissions/mounting/kernel_module_squashfs_disabled/rule.yml -index 5eae44757d..94898a2a4f 100644 ---- a/linux_os/guide/system/permissions/mounting/kernel_module_squashfs_disabled/rule.yml -+++ b/linux_os/guide/system/permissions/mounting/kernel_module_squashfs_disabled/rule.yml -@@ -22,6 +22,7 @@ severity: low - identifiers: - cce@rhel6: 26404-4 - cce@rhel7: 80142-3 -+ cce@rhel8: 83498-6 - cce@ocp4: 82717-0 - - references: diff --git a/SOURCES/scap-security-guide-0.1.50-add_missing_cces_kernel_modules_PR_5236.patch b/SOURCES/scap-security-guide-0.1.50-add_missing_cces_kernel_modules_PR_5236.patch deleted file mode 100644 index e51c8ad..0000000 --- a/SOURCES/scap-security-guide-0.1.50-add_missing_cces_kernel_modules_PR_5236.patch +++ /dev/null @@ -1,48 +0,0 @@ -diff --git a/linux_os/guide/system/network/network-ipv6/disabling_ipv6/kernel_module_ipv6_option_disabled/rule.yml b/linux_os/guide/system/network/network-ipv6/disabling_ipv6/kernel_module_ipv6_option_disabled/rule.yml -index 6e01799d88..cf3b2ca4b7 100644 ---- a/linux_os/guide/system/network/network-ipv6/disabling_ipv6/kernel_module_ipv6_option_disabled/rule.yml -+++ b/linux_os/guide/system/network/network-ipv6/disabling_ipv6/kernel_module_ipv6_option_disabled/rule.yml -@@ -19,9 +19,12 @@ severity: medium - - identifiers: - cce@rhel6: 27153-6 -+ cce@rhel7: 82871-5 -+ cce@rhel8: 82872-3 - - references: - disa@rhel6: "1551" -+ cis@rhel8: "3.6" - nist: CM-7(a),CM-7(b),CM-6(a) - nist-csf: PR.IP-1,PR.PT-3 - srg@rhel6: SRG-OS-999999 -diff --git a/linux_os/guide/system/network/network-uncommon/kernel_module_rds_disabled/rule.yml b/linux_os/guide/system/network/network-uncommon/kernel_module_rds_disabled/rule.yml -index f19e548863..54cfc9fa41 100644 ---- a/linux_os/guide/system/network/network-uncommon/kernel_module_rds_disabled/rule.yml -+++ b/linux_os/guide/system/network/network-uncommon/kernel_module_rds_disabled/rule.yml -@@ -4,7 +4,7 @@ title: 'Disable RDS Support' - - description: |- - The Reliable Datagram Sockets (RDS) protocol is a transport -- layer protocol designed to provide reliable high- bandwidth, -+ layer protocol designed to provide reliable high-bandwidth, - low-latency communications between nodes in a cluster. - {{{ describe_module_disable(module="rds") }}} - -@@ -12,13 +12,16 @@ rationale: |- - Disabling RDS protects - the system against exploitation of any flaws in its implementation. - --severity: unknown -+severity: low - - identifiers: - cce@rhel6: 26239-4 -+ cce@rhel7: 82869-9 -+ cce@rhel8: 82870-7 - - references: - disa@rhel6: "382" -+ cis@rhel8: 3.3.3 - nist: CM-7(a),CM-7(b),CM-6(a) - nist-csf: PR.IP-1,PR.PT-3 - srg@rhel6: SRG-OS-000096 diff --git a/SOURCES/scap-security-guide-0.1.50-add_ntp_and_chrony_cpes_PR_5299.patch b/SOURCES/scap-security-guide-0.1.50-add_ntp_and_chrony_cpes_PR_5299.patch deleted file mode 100644 index dad2a32..0000000 --- a/SOURCES/scap-security-guide-0.1.50-add_ntp_and_chrony_cpes_PR_5299.patch +++ /dev/null @@ -1,612 +0,0 @@ -From cf35976d0c455158fd6a49b8a82c13e383d85565 Mon Sep 17 00:00:00 2001 -From: Vojtech Polasek -Date: Tue, 17 Mar 2020 13:19:47 +0100 -Subject: [PATCH] add ntp and chrony cpes - ---- - debian10/cpe/debian10-cpe-dictionary.xml | 10 ++++++++++ - debian8/cpe/debian8-cpe-dictionary.xml | 10 ++++++++++ - debian9/cpe/debian9-cpe-dictionary.xml | 10 ++++++++++ - fedora/cpe/fedora-cpe-dictionary.xml | 10 ++++++++++ - ocp4/cpe/ocp4-cpe-dictionary.xml | 5 +++++ - ol7/cpe/ol7-cpe-dictionary.xml | 10 ++++++++++ - ol8/cpe/ol8-cpe-dictionary.xml | 5 +++++ - opensuse/cpe/opensuse-cpe-dictionary.xml | 10 ++++++++++ - rhel6/cpe/rhel6-cpe-dictionary.xml | 10 ++++++++++ - rhel7/cpe/rhel7-cpe-dictionary.xml | 10 ++++++++++ - rhel8/cpe/rhel8-cpe-dictionary.xml | 5 +++++ - rhv4/cpe/rhv4-cpe-dictionary.xml | 5 +++++ - .../oval/installed_env_has_chrony_package.xml | 20 +++++++++++++++++++ - .../oval/installed_env_has_ntp_package.xml | 20 +++++++++++++++++++ - sle11/cpe/sle11-cpe-dictionary.xml | 10 ++++++++++ - sle12/cpe/sle12-cpe-dictionary.xml | 10 ++++++++++ - ssg/constants.py | 2 ++ - ubuntu1404/cpe/ubuntu1404-cpe-dictionary.xml | 10 ++++++++++ - ubuntu1604/cpe/ubuntu1604-cpe-dictionary.xml | 10 ++++++++++ - ubuntu1804/cpe/ubuntu1804-cpe-dictionary.xml | 10 ++++++++++ - .../cpe/wrlinux1019-cpe-dictionary.xml | 16 ++++++++++++--- - wrlinux8/cpe/wrlinux8-cpe-dictionary.xml | 16 ++++++++++++--- - 22 files changed, 218 insertions(+), 6 deletions(-) - create mode 100644 shared/checks/oval/installed_env_has_chrony_package.xml - create mode 100644 shared/checks/oval/installed_env_has_ntp_package.xml - -diff --git a/debian10/cpe/debian10-cpe-dictionary.xml b/debian10/cpe/debian10-cpe-dictionary.xml -index 50b1cf598f..5cc27ceb79 100644 ---- a/debian10/cpe/debian10-cpe-dictionary.xml -+++ b/debian10/cpe/debian10-cpe-dictionary.xml -@@ -17,6 +17,11 @@ - - installed_env_is_a_machine - -+ -+ Package chrony is installed -+ -+ installed_env_has_chrony_package -+ - - Package gdm is installed - -@@ -32,6 +37,11 @@ - - installed_env_has_nss-pam-ldapd_package - -+ -+ Package ntp is installed -+ -+ installed_env_has_ntp_package -+ - - Package pam is installed - -diff --git a/debian8/cpe/debian8-cpe-dictionary.xml b/debian8/cpe/debian8-cpe-dictionary.xml -index c5832137be..38d490138a 100644 ---- a/debian8/cpe/debian8-cpe-dictionary.xml -+++ b/debian8/cpe/debian8-cpe-dictionary.xml -@@ -17,6 +17,11 @@ - - installed_env_is_a_machine - -+ -+ Package chrony is installed -+ -+ installed_env_has_chrony_package -+ - - Package gdm is installed - -@@ -32,6 +37,11 @@ - - installed_env_has_nss-pam-ldapd_package - -+ -+ Package ntp is installed -+ -+ installed_env_has_ntp_package -+ - - Package pam is installed - -diff --git a/debian9/cpe/debian9-cpe-dictionary.xml b/debian9/cpe/debian9-cpe-dictionary.xml -index 471823055b..f01770b044 100644 ---- a/debian9/cpe/debian9-cpe-dictionary.xml -+++ b/debian9/cpe/debian9-cpe-dictionary.xml -@@ -17,6 +17,11 @@ - - installed_env_is_a_machine - -+ -+ Package chrony is installed -+ -+ installed_env_has_chrony_package -+ - - Package gdm is installed - -@@ -32,6 +37,11 @@ - - installed_env_has_nss-pam-ldapd_package - -+ -+ Package ntp is installed -+ -+ installed_env_has_ntp_package -+ - - Package pam is installed - -diff --git a/fedora/cpe/fedora-cpe-dictionary.xml b/fedora/cpe/fedora-cpe-dictionary.xml -index fdf1aa72be..2964e320c2 100644 ---- a/fedora/cpe/fedora-cpe-dictionary.xml -+++ b/fedora/cpe/fedora-cpe-dictionary.xml -@@ -52,6 +52,11 @@ - - installed_env_is_a_machine - -+ -+ Package chrony is installed -+ -+ installed_env_has_chrony_package -+ - - Package gdm is installed - -@@ -67,6 +72,11 @@ - - installed_env_has_nss-pam-ldapd_package - -+ -+ Package ntp is installed -+ -+ installed_env_has_ntp_package -+ - - Package pam is installed - -diff --git a/ocp4/cpe/ocp4-cpe-dictionary.xml b/ocp4/cpe/ocp4-cpe-dictionary.xml -index 97e2801453..81047b6f45 100644 ---- a/ocp4/cpe/ocp4-cpe-dictionary.xml -+++ b/ocp4/cpe/ocp4-cpe-dictionary.xml -@@ -12,6 +12,11 @@ - - installed_env_is_a_machine - -+ -+ Package chrony is installed -+ -+ installed_env_has_chrony_package -+ - - Package gdm is installed - -diff --git a/ol7/cpe/ol7-cpe-dictionary.xml b/ol7/cpe/ol7-cpe-dictionary.xml -index 2b8363ea67..c153272121 100644 ---- a/ol7/cpe/ol7-cpe-dictionary.xml -+++ b/ol7/cpe/ol7-cpe-dictionary.xml -@@ -17,6 +17,11 @@ - - installed_env_is_a_machine - -+ -+ Package chrony is installed -+ -+ installed_env_has_chrony_package -+ - - Package gdm is installed - -@@ -32,6 +37,11 @@ - - installed_env_has_nss-pam-ldapd_package - -+ -+ Package ntp is installed -+ -+ installed_env_has_ntp_package -+ - - Package pam is installed - -diff --git a/ol8/cpe/ol8-cpe-dictionary.xml b/ol8/cpe/ol8-cpe-dictionary.xml -index d3d642c9fd..3fd74e53ca 100644 ---- a/ol8/cpe/ol8-cpe-dictionary.xml -+++ b/ol8/cpe/ol8-cpe-dictionary.xml -@@ -17,6 +17,11 @@ - - installed_env_is_a_machine - -+ -+ Package chrony is installed -+ -+ installed_env_has_chrony_package -+ - - Package gdm is installed - -diff --git a/opensuse/cpe/opensuse-cpe-dictionary.xml b/opensuse/cpe/opensuse-cpe-dictionary.xml -index 659045ac65..1ab4e85ea8 100644 ---- a/opensuse/cpe/opensuse-cpe-dictionary.xml -+++ b/opensuse/cpe/opensuse-cpe-dictionary.xml -@@ -32,6 +32,11 @@ - - installed_env_is_a_machine - -+ -+ Package chrony is installed -+ -+ installed_env_has_chrony_package -+ - - Package gdm is installed - -@@ -47,6 +52,11 @@ - - installed_env_has_nss-pam-ldapd_package - -+ -+ Package ntp is installed -+ -+ installed_env_has_ntp_package -+ - - Package pam is installed - -diff --git a/rhel6/cpe/rhel6-cpe-dictionary.xml b/rhel6/cpe/rhel6-cpe-dictionary.xml -index 39f844e2ab..2c8a82ebc5 100644 ---- a/rhel6/cpe/rhel6-cpe-dictionary.xml -+++ b/rhel6/cpe/rhel6-cpe-dictionary.xml -@@ -37,6 +37,11 @@ - - installed_env_is_a_machine - -+ -+ Package chrony is installed -+ -+ installed_env_has_chrony_package -+ - - Package gdm is installed - -@@ -52,6 +57,11 @@ - - installed_env_has_nss-pam-ldapd_package - -+ -+ Package ntp is installed -+ -+ installed_env_has_ntp_package -+ - - Package pam is installed - -diff --git a/rhel7/cpe/rhel7-cpe-dictionary.xml b/rhel7/cpe/rhel7-cpe-dictionary.xml -index a34b30c62f..a5214e36f0 100644 ---- a/rhel7/cpe/rhel7-cpe-dictionary.xml -+++ b/rhel7/cpe/rhel7-cpe-dictionary.xml -@@ -47,6 +47,11 @@ - - installed_env_is_a_machine - -+ -+ Package chrony is installed -+ -+ installed_env_has_chrony_package -+ - - Package gdm is installed - -@@ -62,6 +67,11 @@ - - installed_env_has_nss-pam-ldapd_package - -+ -+ Package ntp is installed -+ -+ installed_env_has_ntp_package -+ - - Package pam is installed - -diff --git a/rhel8/cpe/rhel8-cpe-dictionary.xml b/rhel8/cpe/rhel8-cpe-dictionary.xml -index c6594e169c..694cbb5a4e 100644 ---- a/rhel8/cpe/rhel8-cpe-dictionary.xml -+++ b/rhel8/cpe/rhel8-cpe-dictionary.xml -@@ -22,6 +22,11 @@ - - installed_env_is_a_machine - -+ -+ Package chrony is installed -+ -+ installed_env_has_chrony_package -+ - - Package gdm is installed - -diff --git a/rhv4/cpe/rhv4-cpe-dictionary.xml b/rhv4/cpe/rhv4-cpe-dictionary.xml -index c53ae56254..56ea1abf8c 100644 ---- a/rhv4/cpe/rhv4-cpe-dictionary.xml -+++ b/rhv4/cpe/rhv4-cpe-dictionary.xml -@@ -22,6 +22,11 @@ - - installed_env_is_a_machine - -+ -+ Package chrony is installed -+ -+ installed_env_has_chrony_package -+ - - Package gdm is installed - -diff --git a/shared/checks/oval/installed_env_has_chrony_package.xml b/shared/checks/oval/installed_env_has_chrony_package.xml -new file mode 100644 -index 0000000000..b3a835c02e ---- /dev/null -+++ b/shared/checks/oval/installed_env_has_chrony_package.xml -@@ -0,0 +1,20 @@ -+ -+ -+ -+ -+ Package chrony is installed -+ -+ multi_platform_all -+ -+ Checks if package chrony is installed. -+ -+ -+ -+ -+ -+ -+ -+ {{{ oval_test_package_installed(package='chrony', evr='', test_id='test_env_has_chrony_installed') }}} -+ -+ -diff --git a/shared/checks/oval/installed_env_has_ntp_package.xml b/shared/checks/oval/installed_env_has_ntp_package.xml -new file mode 100644 -index 0000000000..6babd17a0f ---- /dev/null -+++ b/shared/checks/oval/installed_env_has_ntp_package.xml -@@ -0,0 +1,20 @@ -+ -+ -+ -+ -+ Package ntp is installed -+ -+ multi_platform_all -+ -+ Checks if package ntp is installed. -+ -+ -+ -+ -+ -+ -+ -+ {{{ oval_test_package_installed(package='ntp', evr='', test_id='test_env_has_ntp_installed') }}} -+ -+ -diff --git a/sle11/cpe/sle11-cpe-dictionary.xml b/sle11/cpe/sle11-cpe-dictionary.xml -index f4af2c6330..c732ecb48a 100644 ---- a/sle11/cpe/sle11-cpe-dictionary.xml -+++ b/sle11/cpe/sle11-cpe-dictionary.xml -@@ -22,6 +22,11 @@ - - installed_env_is_a_machine - -+ -+ Package chrony is installed -+ -+ installed_env_has_chrony_package -+ - - Package gdm is installed - -@@ -37,6 +42,11 @@ - - installed_env_has_nss-pam-ldapd_package - -+ -+ Package ntp is installed -+ -+ installed_env_has_ntp_package -+ - - Package pam is installed - -diff --git a/sle12/cpe/sle12-cpe-dictionary.xml b/sle12/cpe/sle12-cpe-dictionary.xml -index ae70f01bce..79daa31412 100644 ---- a/sle12/cpe/sle12-cpe-dictionary.xml -+++ b/sle12/cpe/sle12-cpe-dictionary.xml -@@ -22,6 +22,11 @@ - - installed_env_is_a_machine - -+ -+ Package chrony is installed -+ -+ installed_env_has_chrony_package -+ - - Package gdm is installed - -@@ -37,6 +42,11 @@ - - installed_env_has_nss-pam-ldapd_package - -+ -+ Package ntp is installed -+ -+ installed_env_has_ntp_package -+ - - Package pam is installed - -diff --git a/ssg/constants.py b/ssg/constants.py -index 813e529b50..08af04138e 100644 ---- a/ssg/constants.py -+++ b/ssg/constants.py -@@ -439,9 +439,11 @@ - XCCDF_PLATFORM_TO_CPE = { - "machine": "cpe:/a:machine", - "container": "cpe:/a:container", -+ "chrony": "cpe:/a:chrony", - "gdm": "cpe:/a:gdm", - "libuser": "cpe:/a:libuser", - "nss-pam-ldapd": "cpe:/a:nss-pam-ldapd", -+ "ntp": "cpe:/a:ntp", - "pam": "cpe:/a:pam", - "login_defs": "cpe:/a:login_defs", - "sssd": "cpe:/a:sssd", -diff --git a/ubuntu1404/cpe/ubuntu1404-cpe-dictionary.xml b/ubuntu1404/cpe/ubuntu1404-cpe-dictionary.xml -index 60a2a68823..df5abff723 100644 ---- a/ubuntu1404/cpe/ubuntu1404-cpe-dictionary.xml -+++ b/ubuntu1404/cpe/ubuntu1404-cpe-dictionary.xml -@@ -17,6 +17,11 @@ - - installed_env_is_a_machine - -+ -+ Package chrony is installed -+ -+ installed_env_has_chrony_package -+ - - Package gdm is installed - -@@ -32,6 +37,11 @@ - - installed_env_has_nss-pam-ldapd_package - -+ -+ Package ntp is installed -+ -+ installed_env_has_ntp_package -+ - - Package pam is installed - -diff --git a/ubuntu1604/cpe/ubuntu1604-cpe-dictionary.xml b/ubuntu1604/cpe/ubuntu1604-cpe-dictionary.xml -index b53643d1c5..6269344376 100644 ---- a/ubuntu1604/cpe/ubuntu1604-cpe-dictionary.xml -+++ b/ubuntu1604/cpe/ubuntu1604-cpe-dictionary.xml -@@ -17,6 +17,11 @@ - - installed_env_is_a_machine - -+ -+ Package chrony is installed -+ -+ installed_env_has_chrony_package -+ - - Package gdm is installed - -@@ -32,6 +37,11 @@ - - installed_env_has_nss-pam-ldapd_package - -+ -+ Package ntp is installed -+ -+ installed_env_has_ntp_package -+ - - Package pam is installed - -diff --git a/ubuntu1804/cpe/ubuntu1804-cpe-dictionary.xml b/ubuntu1804/cpe/ubuntu1804-cpe-dictionary.xml -index 46579d36ab..ccb285768e 100644 ---- a/ubuntu1804/cpe/ubuntu1804-cpe-dictionary.xml -+++ b/ubuntu1804/cpe/ubuntu1804-cpe-dictionary.xml -@@ -17,6 +17,11 @@ - - installed_env_is_a_machine - -+ -+ Package chrony is installed -+ -+ installed_env_has_chrony_package -+ - - Package gdm is installed - -@@ -32,6 +37,11 @@ - - installed_env_has_nss-pam-ldapd_package - -+ -+ Package ntp is installed -+ -+ installed_env_has_ntp_package -+ - - Package pam is installed - -diff --git a/wrlinux1019/cpe/wrlinux1019-cpe-dictionary.xml b/wrlinux1019/cpe/wrlinux1019-cpe-dictionary.xml -index 0c708dc1d0..73e419c9ab 100644 ---- a/wrlinux1019/cpe/wrlinux1019-cpe-dictionary.xml -+++ b/wrlinux1019/cpe/wrlinux1019-cpe-dictionary.xml -@@ -2,10 +2,10 @@ - -- -- Wind River Linux 1019 -+ -+ Wind River Linux 1019 - installed_OS_is_wrlinux1019 -- -+ - - Container - -@@ -16,6 +16,11 @@ - - installed_env_is_a_machine - -+ -+ Package chrony is installed -+ -+ installed_env_has_chrony_package -+ - - Package gdm is installed - -@@ -31,6 +36,11 @@ - - installed_env_has_nss-pam-ldapd_package - -+ -+ Package ntp is installed -+ -+ installed_env_has_ntp_package -+ - - Package pam is installed - -diff --git a/wrlinux8/cpe/wrlinux8-cpe-dictionary.xml b/wrlinux8/cpe/wrlinux8-cpe-dictionary.xml -index 1421e79ac0..8449ea1416 100644 ---- a/wrlinux8/cpe/wrlinux8-cpe-dictionary.xml -+++ b/wrlinux8/cpe/wrlinux8-cpe-dictionary.xml -@@ -2,10 +2,10 @@ - -- -- Wind River Linux 8 -+ -+ Wind River Linux 8 - installed_OS_is_wrlinux8 -- -+ - - Container - -@@ -16,6 +16,11 @@ - - installed_env_is_a_machine - -+ -+ Package chrony is installed -+ -+ installed_env_has_chrony_package -+ - - Package gdm is installed - -@@ -31,6 +36,11 @@ - - installed_env_has_nss-pam-ldapd_package - -+ -+ Package ntp is installed -+ -+ installed_env_has_ntp_package -+ - - Package pam is installed - diff --git a/SOURCES/scap-security-guide-0.1.50-add_package_libselinux_installed_PR_5312.patch b/SOURCES/scap-security-guide-0.1.50-add_package_libselinux_installed_PR_5312.patch deleted file mode 100644 index 0166346..0000000 --- a/SOURCES/scap-security-guide-0.1.50-add_package_libselinux_installed_PR_5312.patch +++ /dev/null @@ -1,79 +0,0 @@ -From c10f34d8c3932784d69eb0d7b5cff640139ded52 Mon Sep 17 00:00:00 2001 -From: Vojtech Polasek -Date: Thu, 19 Mar 2020 09:55:24 +0100 -Subject: [PATCH 1/3] add new rule - ---- - .../package_libselinux_installed/rule.yml | 38 +++++++++++++++++++ - 2 files changed, 38 insertions(+), 2 deletions(-) - create mode 100644 linux_os/guide/system/selinux/package_libselinux_installed/rule.yml - -diff --git a/linux_os/guide/system/selinux/package_libselinux_installed/rule.yml b/linux_os/guide/system/selinux/package_libselinux_installed/rule.yml -new file mode 100644 -index 0000000000..a9970fb2c2 ---- /dev/null -+++ b/linux_os/guide/system/selinux/package_libselinux_installed/rule.yml -@@ -0,0 +1,38 @@ -+documentation_complete: true -+ -+prodtype: fedora,ol7,ol8,rhel7,rhel8,rhv4,ocp4 -+ -+title: 'Install libselinux Package' -+ -+description: |- -+ {{{ describe_package_install(package="libselinux") }}} -+ -+rationale: |- -+ Security-enhanced Linux is a feature of the Linux kernel and a number of utilities -+ with enhanced security functionality designed to add mandatory access controls to Linux. -+ The Security-enhanced Linux kernel contains new architectural components originally -+ developed to improve security of the Flask operating system. These architectural components -+ provide general support for the enforcement of many kinds of mandatory access control -+ policies, including those based on the concepts of Type Enforcement, Role-based Access -+ Control, and Multi-level Security. -+ -+ The libselinux package contains the core library of the Security-enhanced Linux system. -+ -+severity: high -+ -+identifiers: -+ cce@rhel7: 82876-4 -+ cce@rhel8: 82877-2 -+ -+references: -+ cis@rhel7: 1.6.2 -+ cis@rhel8: 1.7.1.1 -+ -+ocil_clause: 'the package is not installed' -+ -+ocil: '{{{ ocil_package(package="libselinux") }}}' -+ -+template: -+ name: package_installed -+ vars: -+ pkgname: libselinux -From 80e8674b374cd82510abcf923a18235bae3e5948 Mon Sep 17 00:00:00 2001 -From: Vojtech Polasek -Date: Thu, 19 Mar 2020 15:48:10 +0100 -Subject: [PATCH 3/3] change wording of rationale - ---- - .../system/selinux/package_libselinux_installed/rule.yml | 5 ----- - 1 file changed, 5 deletions(-) - -diff --git a/linux_os/guide/system/selinux/package_libselinux_installed/rule.yml b/linux_os/guide/system/selinux/package_libselinux_installed/rule.yml -index a9970fb2c2..2855c21c90 100644 ---- a/linux_os/guide/system/selinux/package_libselinux_installed/rule.yml -+++ b/linux_os/guide/system/selinux/package_libselinux_installed/rule.yml -@@ -10,11 +10,6 @@ description: |- - rationale: |- - Security-enhanced Linux is a feature of the Linux kernel and a number of utilities - with enhanced security functionality designed to add mandatory access controls to Linux. -- The Security-enhanced Linux kernel contains new architectural components originally -- developed to improve security of the Flask operating system. These architectural components -- provide general support for the enforcement of many kinds of mandatory access control -- policies, including those based on the concepts of Type Enforcement, Role-based Access -- Control, and Multi-level Security. - - The libselinux package contains the core library of the Security-enhanced Linux system. - diff --git a/SOURCES/scap-security-guide-0.1.50-add_package_openldap-clients_installed_PR_5316.patch b/SOURCES/scap-security-guide-0.1.50-add_package_openldap-clients_installed_PR_5316.patch deleted file mode 100644 index 16190e3..0000000 --- a/SOURCES/scap-security-guide-0.1.50-add_package_openldap-clients_installed_PR_5316.patch +++ /dev/null @@ -1,98 +0,0 @@ -From 9f7a12207d136211a5906df39490104ef02e3e0c Mon Sep 17 00:00:00 2001 -From: Vojtech Polasek -Date: Thu, 19 Mar 2020 15:35:47 +0100 -Subject: [PATCH 1/4] add rule - ---- - .../package_openldap-clients_removed/rule.yml | 32 +++++++++++++++++++ - 2 files changed, 32 insertions(+), 2 deletions(-) - create mode 100644 linux_os/guide/services/ldap/openldap_client/package_openldap-clients_removed/rule.yml - -diff --git a/linux_os/guide/services/ldap/openldap_client/package_openldap-clients_removed/rule.yml b/linux_os/guide/services/ldap/openldap_client/package_openldap-clients_removed/rule.yml -new file mode 100644 -index 0000000000..e8dfc04020 ---- /dev/null -+++ b/linux_os/guide/services/ldap/openldap_client/package_openldap-clients_removed/rule.yml -@@ -0,0 +1,32 @@ -+documentation_complete: true -+ -+title: 'Ensure LDAP client is not installed' -+ -+description: |- -+ The Lightweight Directory Access Protocol (LDAP) is a service that provideso -+ a method for looking up information from a central database. -+ {{{ describe_package_remove("openldap-clients") }}} -+ -+rationale: -+ If the system does not need to act as an LDAP client, it is recommended that the software is -+ removed to reduce the potential attack surface. -+ -+severity: low -+ -+identifiers: -+ cce@rhel7: 82884-8 -+ cce@rhel8: 82885-5 -+ -+references: -+ cis@rhel7: 2.3.5 -+ cis@rhel8: 2.3.3 -+ -+ocil_clause: 'the package is installed' -+ -+ocil: |- -+ {{{ ocil_package("openldap-clients") }}} -+ -+template: -+ name: package_removed -+ vars: -+ pkgname: openldap-clients -From b21593567c0c758710461bc7a3d59651503f84c9 Mon Sep 17 00:00:00 2001 -From: vojtapolasek -Date: Thu, 19 Mar 2020 16:40:55 +0100 -Subject: [PATCH 2/4] Update - linux_os/guide/services/ldap/openldap_client/package_openldap-clients_removed/rule.yml -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Co-Authored-By: Jan Černý ---- - .../openldap_client/package_openldap-clients_removed/rule.yml | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/linux_os/guide/services/ldap/openldap_client/package_openldap-clients_removed/rule.yml b/linux_os/guide/services/ldap/openldap_client/package_openldap-clients_removed/rule.yml -index e8dfc04020..1339137fb4 100644 ---- a/linux_os/guide/services/ldap/openldap_client/package_openldap-clients_removed/rule.yml -+++ b/linux_os/guide/services/ldap/openldap_client/package_openldap-clients_removed/rule.yml -@@ -3,7 +3,7 @@ documentation_complete: true - title: 'Ensure LDAP client is not installed' - - description: |- -- The Lightweight Directory Access Protocol (LDAP) is a service that provideso -+ The Lightweight Directory Access Protocol (LDAP) is a service that provides - a method for looking up information from a central database. - {{{ describe_package_remove("openldap-clients") }}} - - -From 82c734902f7f215286168f6aa3e3bfaff99fc336 Mon Sep 17 00:00:00 2001 -From: Vojtech Polasek -Date: Thu, 19 Mar 2020 16:58:02 +0100 -Subject: [PATCH 3/4] add missing prodtype - ---- - .../openldap_client/package_openldap-clients_removed/rule.yml | 2 ++ - 1 file changed, 2 insertions(+) - -diff --git a/linux_os/guide/services/ldap/openldap_client/package_openldap-clients_removed/rule.yml b/linux_os/guide/services/ldap/openldap_client/package_openldap-clients_removed/rule.yml -index 1339137fb4..aee1aa315a 100644 ---- a/linux_os/guide/services/ldap/openldap_client/package_openldap-clients_removed/rule.yml -+++ b/linux_os/guide/services/ldap/openldap_client/package_openldap-clients_removed/rule.yml -@@ -1,5 +1,7 @@ - documentation_complete: true - -+prodtype: rhel7,ol7,rhel8,ol8,fedora,rhv4,ocp4 -+ - title: 'Ensure LDAP client is not installed' - - description: |- - diff --git a/SOURCES/scap-security-guide-0.1.50-add_rhel7_cis_kickstart_PR_5545.patch b/SOURCES/scap-security-guide-0.1.50-add_rhel7_cis_kickstart_PR_5545.patch deleted file mode 100644 index fc86492..0000000 --- a/SOURCES/scap-security-guide-0.1.50-add_rhel7_cis_kickstart_PR_5545.patch +++ /dev/null @@ -1,163 +0,0 @@ -From 89f8c585e3eb05dddd95f601df13664335bc4b14 Mon Sep 17 00:00:00 2001 -From: Vojtech Polasek -Date: Mon, 30 Mar 2020 11:34:38 +0200 -Subject: [PATCH] add kickstarts for cis into rhel7 and rhel8 - ---- - rhel7/kickstart/ssg-rhel7-cis-ks.cfg | 147 +++++++++++++++++++++++++++ - 2 files changed, 293 insertions(+) - create mode 100644 rhel7/kickstart/ssg-rhel7-cis-ks.cfg - -diff --git a/rhel7/kickstart/ssg-rhel7-cis-ks.cfg b/rhel7/kickstart/ssg-rhel7-cis-ks.cfg -new file mode 100644 -index 0000000000..85c592de8a ---- /dev/null -+++ b/rhel7/kickstart/ssg-rhel7-cis-ks.cfg -@@ -0,0 +1,147 @@ -+# SCAP Security Guide CIS profile kickstart for Red Hat Enterprise Linux 7 Server -+# Version: 0.0.1 -+# Date: 2020-03-30 -+# -+# Based on: -+# http://fedoraproject.org/wiki/Anaconda/Kickstart -+# https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Installation_Guide/sect-kickstart-syntax.html -+ -+# Install a fresh new system (optional) -+install -+ -+# Specify installation method to use for installation -+# To use a different one comment out the 'url' one below, update -+# the selected choice with proper options & un-comment it -+# -+# Install from an installation tree on a remote server via FTP or HTTP: -+# --url the URL to install from -+# -+# Example: -+# -+# url --url=http://192.168.122.1/image -+# -+# Modify concrete URL in the above example appropriately to reflect the actual -+# environment machine is to be installed in -+# -+# Other possible / supported installation methods: -+# * install from the first CD-ROM/DVD drive on the system: -+# -+# cdrom -+# -+# * install from a directory of ISO images on a local drive: -+# -+# harddrive --partition=hdb2 --dir=/tmp/install-tree -+# -+# * install from provided NFS server: -+# -+# nfs --server= --dir= [--opts=] -+# -+ -+# Set language to use during installation and the default language to use on the installed system (required) -+lang en_US.UTF-8 -+ -+# Set system keyboard type / layout (required) -+keyboard us -+ -+# Configure network information for target system and activate network devices in the installer environment (optional) -+# --onboot enable device at a boot time -+# --device device to be activated and / or configured with the network command -+# --bootproto method to obtain networking configuration for device (default dhcp) -+# --noipv6 disable IPv6 on this device -+# -+# NOTE: Usage of DHCP will fail CCE-27021-5 (DISA FSO RHEL-06-000292). To use static IP configuration, -+# "--bootproto=static" must be used. For example: -+# network --bootproto=static --ip=10.0.2.15 --netmask=255.255.255.0 --gateway=10.0.2.254 --nameserver 192.168.2.1,192.168.3.1 -+# -+network --onboot yes --device eth0 --bootproto dhcp --noipv6 -+ -+# Set the system's root password (required) -+# Plaintext password is: server -+# Refer to e.g. http://fedoraproject.org/wiki/Anaconda/Kickstart#rootpw to see how to create -+# encrypted password form for different plaintext password -+rootpw --iscrypted $6$rhel6usgcb$aS6oPGXcPKp3OtFArSrhRwu6sN8q2.yEGY7AIwDOQd23YCtiz9c5mXbid1BzX9bmXTEZi.hCzTEXFosVBI5ng0 -+ -+# The selected profile will restrict root login -+# Add a user that can login and escalate privileges -+# Plaintext password is: admin123 -+user --name=admin --groups=wheel --password=$6$Ga6ZnIlytrWpuCzO$q0LqT1USHpahzUafQM9jyHCY9BiE5/ahXLNWUMiVQnFGblu0WWGZ1e6icTaCGO4GNgZNtspp1Let/qpM7FMVB0 --iscrypted -+ -+# Configure firewall settings for the system (optional) -+# --enabled reject incoming connections that are not in response to outbound requests -+# --ssh allow sshd service through the firewall -+firewall --enabled --ssh -+ -+# Set up the authentication options for the system (required) -+# --enableshadow enable shadowed passwords by default -+# --passalgo hash / crypt algorithm for new passwords -+# See the manual page for authconfig for a complete list of possible options. -+authconfig --enableshadow --passalgo=sha512 -+ -+# State of SELinux on the installed system (optional) -+# Defaults to enforcing -+selinux --enforcing -+ -+# Set the system time zone (required) -+timezone --utc America/New_York -+ -+# Specify how the bootloader should be installed (required) -+# Plaintext password is: password -+# Refer to e.g. http://fedoraproject.org/wiki/Anaconda/Kickstart#rootpw to see how to create -+# encrypted password form for different plaintext password -+bootloader --location=mbr --append="crashkernel=auto rhgb quiet" --password=$6$rhel6usgcb$kOzIfC4zLbuo3ECp1er99NRYikN419wxYMmons8Vm/37Qtg0T8aB9dKxHwqapz8wWAFuVkuI/UJqQBU92bA5C0 -+ -+# Initialize (format) all disks (optional) -+zerombr -+ -+# The following partition layout scheme assumes disk of size 20GB or larger -+# Modify size of partitions appropriately to reflect actual machine's hardware -+# -+# Remove Linux partitions from the system prior to creating new ones (optional) -+# --linux erase all Linux partitions -+# --initlabel initialize the disk label to the default based on the underlying architecture -+clearpart --linux --initlabel -+ -+# Create primary system partitions (required for installs) -+part /boot --fstype=xfs --size=512 -+part pv.01 --grow --size=1 -+ -+# Create a Logical Volume Management (LVM) group (optional) -+volgroup VolGroup --pesize=4096 pv.01 -+ -+# Create particular logical volumes (optional) -+logvol / --fstype=xfs --name=LogVol06 --vgname=VolGroup --size=11264 --grow -+# Ensure /home Located On Separate Partition -+logvol /home --fstype=xfs --name=LogVol02 --vgname=VolGroup --size=1024 --fsoptions="nodev" -+# Ensure /tmp Located On Separate Partition -+logvol /tmp --fstype=xfs --name=LogVol01 --vgname=VolGroup --size=1024 --fsoptions="nodev,noexec,nosuid" -+# Ensure /var/tmp Located On Separate Partition -+logvol /var/tmp --fstype=xfs --name=LogVol7 --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec" -+# Ensure /var Located On Separate Partition -+logvol /var --fstype=xfs --name=LogVol03 --vgname=VolGroup --size=2048 -+# Ensure /var/log Located On Separate Partition -+logvol /var/log --fstype=xfs --name=LogVol04 --vgname=VolGroup --size=1024 -+# Ensure /var/log/audit Located On Separate Partition -+logvol /var/log/audit --fstype=xfs --name=LogVol05 --vgname=VolGroup --size=512 -+logvol swap --name=lv_swap --vgname=VolGroup --size=2016 -+ -+ -+ -+# Harden installation with CIS profile -+# For more details and configuration options see command %addon org_fedora_oscap in -+# https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/installation_guide/sect-kickstart-syntax#sect-kickstart-commands -+%addon org_fedora_oscap -+ content-type = scap-security-guide -+ profile = xccdf_org.ssgproject.content_profile_cis -+%end -+ -+# Packages selection (%packages section is required) -+%packages -+ -+# Require @Base -+@Base -+ -+%end # End of %packages section -+ -+# Reboot after the installation is complete (optional) -+# --eject attempt to eject CD or DVD media before rebooting -+reboot --eject diff --git a/SOURCES/scap-security-guide-0.1.50-add_rhel7_cis_profile_PR_5306.patch b/SOURCES/scap-security-guide-0.1.50-add_rhel7_cis_profile_PR_5306.patch deleted file mode 100644 index 0851355..0000000 --- a/SOURCES/scap-security-guide-0.1.50-add_rhel7_cis_profile_PR_5306.patch +++ /dev/null @@ -1,745 +0,0 @@ -From 50474e08bd7326ad0331b2d97ddad9ab56fd7d6c Mon Sep 17 00:00:00 2001 -From: Watson Sato -Date: Wed, 18 Mar 2020 12:30:16 +0100 -Subject: [PATCH] Add Initial CIS profile - ---- - rhel7/profiles/cis.profile | 729 +++++++++++++++++++++++++++++++++++++ - 1 file changed, 729 insertions(+) - create mode 100644 rhel7/profiles/cis.profile - -diff --git a/rhel7/profiles/cis.profile b/rhel7/profiles/cis.profile -new file mode 100644 -index 0000000000..486fcf9a33 ---- /dev/null -+++ b/rhel7/profiles/cis.profile -@@ -0,0 +1,729 @@ -+documentation_complete: true -+ -+title: 'CIS Red Hat Enterprise Linux 7 Benchmark' -+ -+description: |- -+ This baseline aligns to the Center for Internet Security -+ Red Hat Enterprise Linux 7 Benchmark, v2.2.0, released -+ 12-27-2017. -+ -+selections: -+ # Necessary for dconf rules -+ - dconf_db_up_to_date -+ -+ # 1 Initial Setup -+ ## 1.1 Filesystem Configuration -+ ### 1.1.1 Disable unused filesystems -+ #### 1.1.1.1 Ensure mounting of cramfs filesystems is disabled (Scored) -+ - kernel_module_cramfs_disabled -+ -+ #### 1.1.1.2 Ensure mounting of freevxfs filesystems is disabled (Scored) -+ - kernel_module_freevxfs_disabled -+ -+ #### 1.1.1.3 Ensure mounting of jffs2 filesystems is disabled (Scored) -+ - kernel_module_jffs2_disabled -+ -+ #### 1.1.1.4 Ensure mounting of hfs filesystems is disabled (Scored) -+ - kernel_module_hfs_disabled -+ -+ #### 1.1.1.5 Ensure mounting of hfsplus filesystems is disabled (Scored) -+ - kernel_module_hfsplus_disabled -+ -+ #### 1.1.1.6 Ensure mounting of squashfs filesystems is disabled (Scored) -+ - kernel_module_squashfs_disabled -+ -+ #### 1.1.1.7 Ensure mounting of udf filesystems is disabled (Scored) -+ - kernel_module_udf_disabled -+ -+ #### 1.1.1.8 Ensure mounting of FAT filesystems is disabled (Scored) -+ - kernel_module_vfat_disabled -+ -+ ### 1.1.2 Ensure separate partition exists for /tmp (Scored) -+ - partition_for_tmp -+ -+ ### 1.1.3 Ensure nodev option set on /tmp partition (Scored) -+ - mount_option_tmp_nodev -+ -+ ### 1.1.4 Ensure nosuid option set on /tmp partition (Scored) -+ - mount_option_tmp_nosuid -+ -+ ### 1.1.5 Ensure noexec option set on /tmp partition (Scored) -+ - mount_option_tmp_noexec -+ -+ ### 1.1.6 Ensure separate partition exists for /var (Scored) -+ - partition_for_var -+ -+ ### 1.1.7 Ensure separate partition exists for /var/tmp (Scored) -+ - partition_for_var_tmp -+ -+ ### 1.1.8 Ensure nodev option set on /var/tmp partition (Scored) -+ - mount_option_var_tmp_nodev -+ -+ ### 1.1.9 Ensure nosuid option set on /var/tmp partition (Scored) -+ - mount_option_var_tmp_nosuid -+ -+ ### 1.1.10 Ensure noexec option set on /var/tmp partition (Scored) -+ - mount_option_var_tmp_noexec -+ -+ ### 1.1.11 Ensure separate partition exists for /var/log (Scored) -+ - partition_for_var_log -+ -+ ### 1.1.12 Ensure separate partition exists for /var/log/audit (Scored) -+ - partition_for_var_log_audit -+ -+ ### 1.1.13 Ensure separate partition exists for /home (Scored) -+ - partition_for_home -+ -+ ### 1.1.14 Ensure nodev option set on /home partition (Scored) -+ - mount_option_home_nodev -+ -+ ### 1.1.15 Ensure nodev option set on /dev/shm partition (Scored) -+ - mount_option_dev_shm_nodev -+ -+ ### 1.1.16 Ensure nosuid option set on /dev/shm partition (Scored) -+ - mount_option_dev_shm_nosuid -+ -+ ### 1.1.17 Ensure noexec option set on /dev/shm partition (Scored) -+ - mount_option_dev_shm_noexec -+ -+ ### 1.1.18 Ensure nodev option set on removable media partitions (Not Scored) -+ - mount_option_nodev_removable_partitions -+ -+ ### 1.1.19 Ensure nosuid option set on removable media partitions (Not Scored) -+ - mount_option_nosuid_removable_partitions -+ -+ ### 1.1.20 Ensure noexec option set on removable media partitions (Not Scored) -+ - mount_option_noexec_removable_partitions -+ -+ ### 1.1.21 Ensure sticky bit is set on all world-writable directories (Scored) -+ - dir_perms_world_writable_sticky_bits -+ -+ ### 1.1.22 Disable Automounting (Scored) -+ - service_autofs_disabled -+ -+ ## 1.2 Configure Software Updates -+ ### 1.2.1 Ensure package manager repositories are configured (Not Scored) -+ ### 1.2.2 Ensure gpgcheck is globally activated (Scored) -+ - ensure_gpgcheck_globally_activated -+ -+ ### 1.2.3 Ensure GPG keys are configured (Not Scored) -+ - ensure_redhat_gpgkey_installed -+ -+ ### 1.2.4 Ensure Red Hat Subscription Manager connection is configured (Not Scored) -+ -+ ### 1.2.5 Disable the rhnsd Daemon (Not Scored) -+ - service_rhnsd_disabled -+ -+ ## 1.3 Filesystem Integrity Checking -+ ### 1.3.1 Ensure AIDE is installed (Scored) -+ - package_aide_installed -+ -+ ### 1.3.2 Ensure filesystem integrity is regularly checked (Scored) -+ - aide_periodic_cron_checking -+ -+ ## 1.4 Secure Boot Settings -+ ### 1.4.1 Ensure permissions on bootloader config are configured (Scored) -+ - file_owner_grub2_cfg -+ - file_groupowner_grub2_cfg -+ - file_permissions_grub2_cfg -+ -+ ### 1.4.2 Ensure bootloader password is set (Scored) -+ - grub2_password -+ -+ ### 1.4.3 Ensure authentication required for single user mode (Scored) -+ - require_singleuser_auth -+ -+ ## 1.5 Additional Process Hardening -+ ### 1.5.1 Ensure core dumps are restricted (Scored) -+ - disable_users_coredumps -+ - sysctl_fs_suid_dumpable -+ -+ ### 1.5.2 Ensure XD/NX support is enabled (Not Scored) -+ - sysctl_kernel_exec_shield -+ - bios_enable_execution_restrictions -+ - install_PAE_kernel_on_x86-32 -+ -+ ### 1.5.3 Ensure address space layout randomization (ASLR) is enabled (Scored) -+ - sysctl_kernel_randomize_va_space -+ -+ ### 1.5.4 Ensure prelink is disabled (Scored) -+ - disable_prelink -+ -+ ## 1.6 Mandatory Access Control -+ ### 1.6.1 Configure SELinux -+ #### 1.6.1.1 Ensure SELinux is not disabled in bootloader configuration (Scored) -+ - grub2_enable_selinux -+ -+ #### 1.6.1.2 Ensure the SELinux state is enforcing (Scored) -+ - var_selinux_state=enforcing -+ - selinux_state -+ -+ #### 1.6.1.3 Ensure SELinux policy is configured (Scored) -+ - var_selinux_policy_name=targeted -+ - selinux_policytype -+ -+ #### 1.6.1.4 Ensure SETroubleshoot is not installed (Scored) -+ - package_setroubleshoot_removed -+ -+ #### 1.6.1.5 Ensure the MCS Translation Service (mcstrans) is not installed (Scored) -+ - package_mcstrans_removed -+ -+ #### 1.6.1.6 Ensure no unconfined daemons exist (Scored) -+ - selinux_confinement_of_daemons -+ -+ ### 1.6.2 Ensure SELinux is installed (Scored) -+ -+ ## 1.7 Warning Banners -+ #### 1.7.1.1 Ensure message of the day is configured properly (Scored) -+ - banner_etc_motd -+ -+ #### 1.7.1.2 Ensure local login warning banner is configured properly (Not Scored) -+ - banner_etc_issue -+ # TODO define banner text -+ #- login_banner_text= -+ -+ #### 1.7.1.3 Ensure remote login warning banner is configured properly (Not Scored) -+ -+ #### 1.7.1.4 Ensure permissions on /etc/motd are configured (Not Scored) -+ #### 1.7.1.5 Ensure permissions on /etc/issue are configured (Scored) -+ #### 1.7.1.6 Ensure permissions on /etc/issue.net are configured (Not Scored) -+ -+ ### 1.7.2 Ensure GDM login banner is configured (Scored) -+ - dconf_gnome_login_banner_text -+ - dconf_gnome_banner_enabled -+ -+ ## 1.8 Ensure updates, patches, and additional security software are installed (Scored) -+ - security_patches_up_to_date -+ -+ # 2 Services -+ -+ ## 2.1 inetd Services -+ -+ ### 2.1.1 Ensure chargen services are not enabled (Scored) -+ ### 2.1.2 Ensure daytime services are not enabled (Scored) -+ ### 2.1.3 Ensure discard services are not enabled (Scored) -+ ### 2.1.4 Ensure echo services are not enabled (Scored) -+ ### 2.1.5 Ensure time services are not enabled (Scored) -+ ### 2.1.6 Ensure tftp server is not enabled (Scored) -+ -+ ### 2.1.7 Ensure xinetd is not enabled (Scored) -+ - service_xinetd_disabled -+ -+ ## 2.2 Special Purpose Services -+ #### 2.2.1.1 Ensure time synchronization is in use (Not Scored) -+ - service_chronyd_or_ntpd_enabled -+ -+ #### 2.2.1.2 Ensure ntp is configured (Scored) -+ # restrict is not checkec by rules below -+ - chronyd_or_ntpd_specify_remote_server -+ -+ #### 2.2.1.3 Ensure chrony is configured (Scored) -+ -+ ### 2.2.2 Ensure X Window System is not installed (Scored) -+ - package_xorg-x11-server-common_removed -+ -+ ### 2.2.3 Ensure Avahi Server is not enabled (Scored) -+ - service_avahi-daemon_disabled -+ -+ ### 2.2.4 Ensure CUPS is not enabled (Scored) -+ - service_cups_disabled -+ -+ ### 2.2.5 Ensure DHCP Server is not enabled (Scored) -+ - service_dhcpd_disabled -+ -+ ### 2.2.6 Ensure LDAP server is not enabled (Scored) -+ - package_openldap-servers_removed -+ -+ ### 2.2.7 Ensure NFS and RPC are not enabled (Scored) -+ - service_nfs_disabled -+ - service_rpcbind_disabled -+ -+ ### 2.2.8 Ensure DNS Server is not enabled (Scored) -+ - service_named_disabled -+ -+ ### 2.2.9 Ensure FTP Server is not enabled (Scored) -+ - service_vsftpd_disabled -+ -+ ### 2.2.10 Ensure HTTP server is not enabled (Scored) -+ - service_httpd_disabled -+ -+ ### 2.2.11 Ensure IMAP and POP3 server is not enabled (Scored) -+ - service_dovecot_disabled -+ -+ ### 2.2.12 Ensure Samba is not enabled (Scored) -+ - service_smb_disabled -+ -+ ### 2.2.13 Ensure HTTP Proxy Server is not enabled (Scored) -+ - service_squid_disabled -+ -+ ### 2.2.14 Ensure SNMP Server is not enabled (Scored) -+ - service_snmpd_disabled -+ -+ ### 2.2.15 Ensure mail transfer agent is configured for local-only mode (Scored) -+ - postfix_network_listening_disabled -+ -+ ### 2.2.16 Ensure NIS Server is not enabled (Scored) -+ - package_ypserv_removed -+ -+ ### 2.2.17 Ensure rsh server is not enabled (Scored) -+ - service_rsh_disabled -+ - service_rlogin_disabled -+ - service_rexec_disabled -+ -+ ### 2.2.18 Ensure talk server is not enabled (Scored) -+ - package_talk-server_removed -+ -+ ### 2.2.19 Ensure telnet server is not enabled (Scored) -+ - service_telnet_disabled -+ -+ ### 2.2.20 Ensure tftp server is not enabled (Scored) -+ - service_tftp_disabled -+ -+ ### 2.2.21 Ensure rsync service is not enabled (Scored) -+ -+ ## 2.3 Service Clients -+ ### 2.3.1 Ensure NIS Client is not installed (Scored) -+ - package_ypbind_removed -+ -+ ### 2.3.2 Ensure rsh client is not installed (Scored) -+ - package_rsh_removed -+ -+ ### 2.3.3 Ensure talk client is not installed (Scored) -+ - package_talk_removed -+ -+ ### 2.3.4 Ensure telnet client is not installed (Scored) -+ - package_telnet_removed -+ -+ ### 2.3.5 Ensure LDAP client is not installed (Scored) -+ -+ # 3 Network Configuration -+ ## 3.1 Network Parameters (Host Only) -+ ### 3.1.1 Ensure IP forwarding is disabled (Scored) -+ - sysctl_net_ipv4_ip_forward -+ -+ ### 3.1.2 Ensure packet redirect sending is disabled (Scored) -+ - sysctl_net_ipv4_conf_all_send_redirects -+ - sysctl_net_ipv4_conf_default_send_redirects -+ -+ ## 3.2 Network Parameters (Host and Router) -+ ### 3.2.1 Ensure source routed packets are not accepted (Scored) -+ - sysctl_net_ipv4_conf_all_accept_source_route -+ - sysctl_net_ipv4_conf_default_accept_source_route -+ -+ ### 3.2.2 Ensure ICMP redirects are not accepted (Scored) -+ - sysctl_net_ipv4_conf_all_accept_redirects -+ - sysctl_net_ipv4_conf_default_accept_redirects -+ -+ ### 3.2.3 Ensure secure ICMP redirects are not accepted (Scored) -+ - sysctl_net_ipv4_conf_all_secure_redirects -+ - sysctl_net_ipv4_conf_default_secure_redirects -+ -+ ### 3.2.4 Ensure suspicious packets are logged (Scored) -+ - sysctl_net_ipv4_conf_all_log_martians -+ - sysctl_net_ipv4_conf_default_log_martians -+ -+ ### 3.2.5 Ensure broadcast ICMP requests are ignored (Scored) -+ - sysctl_net_ipv4_icmp_echo_ignore_broadcasts -+ -+ ### 3.2.6 Ensure bogus ICMP responses are ignored (Scored) -+ - sysctl_net_ipv4_icmp_ignore_bogus_error_responses -+ -+ ### 3.2.7 Ensure Reverse Path Filtering is enabled (Scored) -+ - sysctl_net_ipv4_conf_all_rp_filter -+ - sysctl_net_ipv4_conf_default_rp_filter -+ -+ ### 3.2.8 Ensure TCP SYN Cookies is enabled (Scored) -+ - sysctl_net_ipv4_tcp_syncookies -+ -+ ## 3.3 IPv6 -+ ### 3.3.1 Ensure IPv6 router advertisements are not accepted (Not Scored) -+ - sysctl_net_ipv6_conf_all_accept_ra -+ - sysctl_net_ipv6_conf_default_accept_ra -+ -+ ### 3.3.2 Ensure IPv6 redirects are not accepted (Not Scored) -+ - sysctl_net_ipv6_conf_all_accept_redirects -+ - sysctl_net_ipv6_conf_default_accept_redirects -+ -+ ### 3.3.3 Ensure IPv6 is disabled (Not Scored) -+ -+ ## 3.4 TCP Wrappers -+ ### 3.4.1 Ensure TCP Wrappers is installed (Scored) -+ - package_tcp_wrappers_installed -+ -+ ### 3.4.2 Ensure /etc/hosts.allow is configured (Scored) -+ ### 3.4.3 Ensure /etc/hosts.deny is configured (Scored) -+ ### 3.4.4 Ensure permissions on /etc/hosts.allow are configured (Scored) -+ ### 3.4.5 Ensure permissions on /etc/hosts.deny are configured (Scored) -+ -+ ## 3.5 Uncommon Network Protocols -+ ### 3.5.1 Ensure DCCP is disabled (Not Scored) -+ - kernel_module_dccp_disabled -+ -+ ### 3.5.2 Ensure SCTP is disabled (Not Scored) -+ - kernel_module_sctp_disabled -+ -+ ### 3.5.3 Ensure RDS is disabled (Not Scored) -+ -+ ### 3.5.4 Ensure TIPC is disabled (Not Scored) -+ - kernel_module_tipc_disabled -+ -+ ## 3.6 Firewall Configuration -+ ### 3.6.1 Ensure iptables is installed (Scored) -+ - package_iptables_installed -+ -+ ### 3.6.2 Ensure default deny firewall policy (Scored) -+ ### 3.6.3 Ensure loopback traffic is configured (Scored) -+ ### 3.6.4 Ensure outbound and established connections are configured (Not Scored) -+ ### 3.6.5 Ensure firewall rules exist for all open ports (Scored) -+ ## 3.7 Ensure wireless interfaces are disabled (Not Scored) -+ -+ # 4 Logging and Auditing -+ ## 4.1 Configure System Accounting (auditd) -+ #### 4.1.1.1 Ensure audit log storage size is configured (Not Scored) -+ - auditd_data_retention_max_log_file -+ -+ #### 4.1.1.2 Ensure system is disabled when audit logs are full (Scored) -+ - var_auditd_space_left_action=email -+ - auditd_data_retention_space_left_action -+ - var_auditd_action_mail_acct=root -+ - auditd_data_retention_action_mail_acct -+ - var_auditd_admin_space_left_action=halt -+ - auditd_data_retention_admin_space_left_action -+ -+ #### 4.1.1.3 Ensure audit logs are not automatically deleted (Scored) -+ - var_auditd_max_log_file_action=keep_logs -+ - auditd_data_retention_max_log_file_action -+ -+ ### 4.1.2 Ensure auditd service is enabled (Scored) -+ - service_auditd_enabled -+ -+ ### 4.1.3 Ensure auditing for processes that start prior to auditd is enabled (Scored) -+ - grub2_audit_argument -+ -+ ### 4.1.4 Ensure events that modify date and time information are collected (Scored) -+ - audit_rules_time_adjtimex -+ - audit_rules_time_settimeofday -+ - audit_rules_time_stime -+ - audit_rules_time_clock_settime -+ - audit_rules_time_watch_localtime -+ -+ ### 4.1.5 Ensure events that modify user/group information are collected (Scored) -+ - audit_rules_usergroup_modification_passwd -+ - audit_rules_usergroup_modification_group -+ - audit_rules_usergroup_modification_gshadow -+ - audit_rules_usergroup_modification_shadow -+ - audit_rules_usergroup_modification_opasswd -+ -+ ### 4.1.6 Ensure events that modify the system's network environment are collected (Scored) -+ - audit_rules_networkconfig_modification # needs update to cover network-sripts and system-locale -+ -+ ### 4.1.7 Ensure events that modify the system's Mandatory Access Controls are collected (Scored) -+ - audit_rules_mac_modification -+ # NEED RULE - https://github.com/ComplianceAsCode/content/issues/5264 -+ -+ ### 4.1.8 Ensure login and logout events are collected (Scored) -+ - audit_rules_login_events_lastlog -+ - audit_rules_login_events_faillock -+ -+ ### 4.1.9 Ensure session initiation information is collected (Scored) -+ - audit_rules_session_events -+ -+ ### 4.1.10 Ensure discretionary access control permission modification events are collected (Scored) -+ - audit_rules_dac_modification_chmod -+ - audit_rules_dac_modification_fchmod -+ - audit_rules_dac_modification_fchmodat -+ - audit_rules_dac_modification_chown -+ - audit_rules_dac_modification_fchown -+ - audit_rules_dac_modification_fchownat -+ - audit_rules_dac_modification_lchown -+ - audit_rules_dac_modification_setxattr -+ - audit_rules_dac_modification_lsetxattr -+ - audit_rules_dac_modification_fsetxattr -+ - audit_rules_dac_modification_removexattr -+ - audit_rules_dac_modification_lremovexattr -+ - audit_rules_dac_modification_fremovexattr -+ -+ ### 4.1.11 Ensure unsuccessful unauthorized file access attempts are collected (Scored) -+ - audit_rules_unsuccessful_file_modification_creat -+ - audit_rules_unsuccessful_file_modification_open -+ - audit_rules_unsuccessful_file_modification_openat -+ - audit_rules_unsuccessful_file_modification_truncate -+ - audit_rules_unsuccessful_file_modification_ftruncate -+ # Opinionated selection -+ - audit_rules_unsuccessful_file_modification_open_by_handle_at -+ -+ ### 4.1.12 Ensure use of privileged commands is collected (Scored) -+ - audit_rules_privileged_commands -+ -+ ### 4.1.13 Ensure successful file system mounts are collected (Scored) -+ - audit_rules_media_export -+ -+ ### 4.1.14 Ensure file deletion events by users are collected (Scored) -+ - audit_rules_file_deletion_events_unlink -+ - audit_rules_file_deletion_events_unlinkat -+ - audit_rules_file_deletion_events_rename -+ - audit_rules_file_deletion_events_renameat -+ # Opinionated selection -+ - audit_rules_file_deletion_events_rmdir -+ -+ ### 4.1.15 Ensure changes to system administration scope (sudoers) is collected (Scored) -+ - audit_rules_sysadmin_actions -+ -+ ### 4.1.16 Ensure system administrator actions (sudolog) are collected (Scored) -+ -+ ### 4.1.17 Ensure kernel module loading and unloading is collected (Scored) -+ - audit_rules_kernel_module_loading -+ -+ ### 4.1.18 Ensure the audit configuration is immutable (Scored) -+ - audit_rules_immutable -+ -+ ## 4.2 Configure Logging -+ #### 4.2.1.1 Ensure rsyslog Service is enabled (Scored) -+ - service_rsyslog_enabled -+ -+ #### 4.2.1.2 Ensure logging is configured (Not Scored) -+ -+ #### 4.2.1.3 Ensure rsyslog default file permissions configured (Scored) -+ - rsyslog_files_permissions -+ -+ #### 4.2.1.4 Ensure rsyslog is configured to send logs to a remote log host (Scored) -+ - rsyslog_remote_loghost -+ -+ #### 4.2.1.5 Ensure remote rsyslog messages are only accepted on designated log hosts. (Not Scored) -+ - rsyslog_nolisten -+ - rsyslog_accept_remote_messages_tcp -+ - rsyslog_accept_remote_messages_udp -+ -+ #### 4.2.2.1 Ensure syslog-ng service is enabled (Scored) -+ #### 4.2.2.2 Ensure logging is configured (Not Scored) -+ #### 4.2.2.3 Ensure syslog-ng default file permissions configured (Scored) -+ #### 4.2.2.4 Ensure syslog-ng is configured to send logs to a remote log host (Not Scored) -+ #### 4.2.2.5 Ensure remote syslog-ng messages are only accepted on designated log hosts (Not Scored) -+ -+ ### 4.2.3 Ensure rsyslog or syslog-ng is installed (Scored) -+ - package_rsyslog_installed -+ -+ ### 4.2.4 Ensure permissions on all logfiles are configured (Scored) -+ -+ ## 4.3 Ensure logrotate is configured (Not Scored) -+ - ensure_logrotate_activated -+ -+ # 5 Access, Authentication and Authorization -+ ## 5.1 Configure cron -+ ### 5.1.1 Ensure cron daemon is enabled (Scored) -+ - service_crond_enabled -+ -+ ### 5.1.2 Ensure permissions on /etc/crontab are configured (Scored) -+ - file_groupowner_crontab -+ - file_owner_crontab -+ - file_permissions_crontab -+ -+ ### 5.1.3 Ensure permissions on /etc/cron.hourly are configured (Scored) -+ - file_groupowner_cron_hourly -+ - file_owner_cron_hourly -+ - file_permissions_cron_hourly -+ -+ ### 5.1.4 Ensure permissions on /etc/cron.daily are configured (Scored) -+ - file_groupowner_cron_daily -+ - file_owner_cron_daily -+ - file_permissions_cron_daily -+ -+ ### 5.1.5 Ensure permissions on /etc/cron.weekly are configured (Scored) -+ - file_groupowner_cron_weekly -+ - file_owner_cron_weekly -+ - file_permissions_cron_weekly -+ -+ ### 5.1.6 Ensure permissions on /etc/cron.monthly are configured (Scored) -+ - file_groupowner_cron_monthly -+ - file_owner_cron_monthly -+ - file_permissions_cron_monthly -+ -+ ### 5.1.7 Ensure permissions on /etc/cron.d are configured (Scored) -+ - file_groupowner_cron_d -+ - file_owner_cron_d -+ - file_permissions_cron_d -+ -+ ### 5.1.8 Ensure at/cron is restricted to authorized users (Scored) -+ -+ ## 5.2 SSH Server Configuration -+ ### 5.2.1 Ensure permissions on /etc/ssh/sshd_config are configured (Scored) -+ - file_groupowner_sshd_config -+ - file_owner_sshd_config -+ - file_permissions_sshd_config -+ -+ ### 5.2.2 Ensure SSH Protocol is set to 2 (Scored) -+ - sshd_allow_only_protocol2 -+ -+ ### 5.2.3 Ensure SSH LogLevel is set to INFO (Scored) -+ - sshd_set_loglevel_info -+ -+ ### 5.2.4 Ensure SSH X11 forwarding is disabled (Scored) -+ - sshd_enable_x11_forwarding -+ -+ ### 5.2.5 Ensure SSH MaxAuthTries is set to 4 or less (Scored) -+ - sshd_set_max_auth_tries -+ -+ ### 5.2.6 Ensure SSH IgnoreRhosts is enabled (Scored) -+ - sshd_disable_rhosts -+ -+ ### 5.2.7 Ensure SSH HostbasedAuthentication is disabled (Scored) -+ - disable_host_auth -+ -+ ### 5.2.8 Ensure SSH root login is disabled (Scored) -+ - sshd_disable_root_login -+ -+ ### 5.2.9 Ensure SSH PermitEmptyPasswords is disabled (Scored) -+ - sshd_disable_empty_passwords -+ -+ ### 5.2.10 Ensure SSH PermitUserEnvironment is disabled (Scored) -+ - sshd_do_not_permit_user_env -+ -+ ### 5.2.11 Ensure only approved MAC algorithms are used (Scored) -+ - sshd_use_approved_macs # TODO: approved macs don't match -+ -+ ### 5.2.12 Ensure SSH Idle Timeout Interval is configured (Scored) -+ - sshd_set_idle_timeout -+ - sshd_set_keepalive -+ -+ ### 5.2.13 Ensure SSH LoginGraceTime is set to one minute or less (Scored) -+ ### 5.2.14 Ensure SSH access is limited (Scored) -+ - sshd_limit_user_access -+ # TODO: cover AllowUsers, AllowGroups, DenyGroups -+ -+ ### 5.2.15 Ensure SSH warning banner is configured (Scored) -+ - sshd_enable_warning_banner -+ -+ ## 5.3 Configure PAM -+ ### 5.3.1 Ensure password creation requirements are configured (Scored) -+ - accounts_password_pam_retry -+ # TODO: looks like try_first_pass is not covered -+ - var_password_pam_minlen=14 -+ - accounts_password_pam_minlen -+ - var_password_pam_dcredit=1 -+ - accounts_password_pam_dcredit -+ - var_password_pam_ucredit=1 -+ - accounts_password_pam_ucredit -+ - var_password_pam_ocredit=1 -+ - accounts_password_pam_ocredit -+ - var_password_pam_lcredit=1 -+ - accounts_password_pam_lcredit -+ -+ ### 5.3.2 Ensure lockout for failed password attempts is configured (Scored) -+ - var_accounts_passwords_pam_faillock_unlock_time=900 -+ - var_accounts_passwords_pam_faillock_deny=5 -+ - accounts_passwords_pam_faillock_unlock_time -+ - accounts_passwords_pam_faillock_deny -+ -+ ### 5.3.3 Ensure password reuse is limited (Scored) -+ - var_password_pam_unix_remember=5 -+ - accounts_password_pam_unix_remember -+ -+ ### 5.3.4 Ensure password hashing algorithm is SHA-512 (Scored) -+ - set_password_hashing_algorithm_systemauth -+ # TODO: password-auth is not covered -+ -+ ## 5.4 User Accounts and Environment -+ ### 5.4.1 Set Shadow Password Suite Parameters -+ #### 5.4.1.1 Ensure password expiration is 365 days or less (Scored) -+ - var_accounts_maximum_age_login_defs=90 -+ - accounts_maximum_age_login_defs -+ -+ #### 5.4.1.2 Ensure minimum days between password changes is 7 or more (Scored) -+ - var_accounts_minimum_age_login_defs=7 -+ - accounts_minimum_age_login_defs -+ -+ #### 5.4.1.3 Ensure password expiration warning days is 7 or more (Scored) -+ - var_accounts_password_warn_age_login_defs=7 -+ - accounts_password_warn_age_login_defs -+ -+ #### 5.4.1.4 Ensure inactive password lock is 30 days or less (Scored) -+ - var_account_disable_post_pw_expiration=30 -+ - account_disable_post_pw_expiration -+ -+ #### 5.4.1.5 Ensure all users last password change date is in the past (Scored) -+ ### 5.4.2 Ensure system accounts are non-login (Scored) -+ - no_shelllogin_for_systemaccounts -+ -+ ### 5.4.3 Ensure default group for the root account is GID 0 (Scored) -+ ### 5.4.4 Ensure default user umask is 027 or more restrictive (Scored) -+ - accounts_umask_etc_bashrc -+ - accounts_umask_etc_profile -+ -+ ### 5.4.5 Ensure default user shell timeout is 900 seconds or less (Scored) -+ - accounts_tmout -+ -+ ## 5.5 Ensure root login is restricted to system console (Not Scored) -+ - no_direct_root_logins -+ -+ ## 5.6 Ensure access to the su command is restricted (Scored) -+ -+ # 6 System Maintenance -+ ## 6.1 System File Permissions -+ ### 6.1.1 Audit system file permissions (Not Scored) -+ - rpm_verify_permissions -+ - rpm_verify_ownership -+ -+ ### 6.1.2 Ensure permissions on /etc/passwd are configured (Scored) -+ - file_owner_etc_passwd -+ - file_groupowner_etc_passwd -+ - file_permissions_etc_passwd -+ -+ ### 6.1.3 Ensure permissions on /etc/shadow are configured (Scored) -+ - file_owner_etc_shadow -+ - file_groupowner_etc_shadow -+ - file_permissions_etc_shadow -+ -+ ### 6.1.4 Ensure permissions on /etc/group are configured (Scored) -+ - file_owner_etc_group -+ - file_groupowner_etc_group -+ - file_permissions_etc_group -+ -+ ### 6.1.5 Ensure permissions on /etc/gshadow are configured (Scored) -+ - file_owner_etc_gshadow -+ - file_groupowner_etc_gshadow -+ - file_permissions_etc_gshadow -+ -+ ### 6.1.6 Ensure permissions on /etc/passwd- are configured (Scored) -+ ### 6.1.7 Ensure permissions on /etc/shadow- are configured (Scored) -+ ### 6.1.8 Ensure permissions on /etc/group- are configured (Scored) -+ ### 6.1.9 Ensure permissions on /etc/gshadow- are configured (Scored) -+ -+ ### 6.1.10 Ensure no world writable files exist (Scored) -+ - file_permissions_unauthorized_world_writable -+ -+ ### 6.1.11 Ensure no unowned files or directories exist (Scored) -+ - no_files_unowned_by_user -+ -+ ### 6.1.12 Ensure no ungrouped files or directories exist (Scored) -+ - file_permissions_ungroupowned -+ -+ ### 6.1.13 Audit SUID executables (Not Scored) -+ - file_permissions_unauthorized_suid -+ -+ ### 6.1.14 Audit SGID executables (Not Scored) -+ - file_permissions_unauthorized_sgid -+ -+ ## 6.2 User and Group Settings -+ ### 6.2.1 Ensure password fields are not empty (Scored) -+ ### 6.2.2 Ensure no legacy "+" entries exist in /etc/passwd (Scored) -+ ### 6.2.3 Ensure no legacy "+" entries exist in /etc/shadow (Scored) -+ ### 6.2.4 Ensure no legacy "+" entries exist in /etc/group (Scored) -+ ### 6.2.5 Ensure root is the only UID 0 account (Scored) -+ - accounts_no_uid_except_zero -+ -+ ### 6.2.6 Ensure root PATH Integrity (Scored) -+ ### 6.2.7 Ensure all users' home directories exist (Scored) -+ ### 6.2.8 Ensure users' home directories permissions are 750 or more restrictive (Scored) -+ ### 6.2.9 Ensure users own their home directories (Scored) -+ ### 6.2.10 Ensure users' dot files are not group or world writable (Scored) -+ ### 6.2.11 Ensure no users have .forward files (Scored) -+ ### 6.2.12 Ensure no users have .netrc files (Scored) -+ ### 6.2.13 Ensure users' .netrc Files are not group or world accessible (Scored) -+ ### 6.2.14 Ensure no users have .rhosts files (Scored) -+ - no_rsh_trust_files -+ -+ ### 6.2.15 Ensure all groups in /etc/passwd exist in /etc/group (Scored) -+ ### 6.2.16 Ensure no duplicate UIDs exist (Scored) -+ ### 6.2.17 Ensure no duplicate GIDs exist (Scored) -+ ### 6.2.18 Ensure no duplicate user names exist (Scored) -+ ### 6.2.19 Ensure no duplicate group names exist (Scored) diff --git a/SOURCES/scap-security-guide-0.1.50-add_rpm_verify_warnings_PR_5755.patch b/SOURCES/scap-security-guide-0.1.50-add_rpm_verify_warnings_PR_5755.patch deleted file mode 100644 index e308713..0000000 --- a/SOURCES/scap-security-guide-0.1.50-add_rpm_verify_warnings_PR_5755.patch +++ /dev/null @@ -1,108 +0,0 @@ -From 1e2617161624f5df945d2223f9a80f1186116f6b Mon Sep 17 00:00:00 2001 -From: Watson Sato -Date: Tue, 12 May 2020 14:59:41 +0200 -Subject: [PATCH 1/3] Warn about findings from rpm_verify_permissions - -There can be cases in which a Profile requires that a file permission be -more strict than package default permissions. In this cases this rule -will report the file changed by the Profile itself as a finding. - -Not all permission changes make sense to be incorporated by the -package, and currently there is no mechanism to waive these findings. ---- - .../rpm_verification/rpm_verify_permissions/rule.yml | 4 +++- - 1 file changed, 3 insertions(+), 1 deletion(-) - -diff --git a/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_permissions/rule.yml b/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_permissions/rule.yml -index 863e2d05a3..0a91ce0108 100644 ---- a/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_permissions/rule.yml -+++ b/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_permissions/rule.yml -@@ -67,8 +67,10 @@ ocil: |- - is expected by the RPM database: -
$ rpm -Va | awk '{ if (substr($0,2,1)=="M") print $NF }'
- --{{% if product == "rhel6" %}} - warnings: -+ - general: |- -+ Profiles may require that specific files have stricter file permissions than defined by the vendor. Such files will be reported as a finding and need to be evaluated according to your policy and deployment environment. -+{{% if product == "rhel6" %}} - - general: |- - Note: Due to a bug in the gdm package, - the RPM verify command may continue to fail even after file permissions have - -From b372888797152c859b332efae9722813b7f62ec0 Mon Sep 17 00:00:00 2001 -From: Watson Sato -Date: Tue, 12 May 2020 17:21:25 +0200 -Subject: [PATCH 2/3] Warn about findings from rpm_verify_ownership - -There can be cases in which a Profile requires that a file be owned -by root, while the package default owner is a different user. -In these cases this rule will report the change in file ownership -done by the Profile itself as a finding. - -Not all ownership changes make sense to be incorporated by the -package, and currently there is no mechanism to waive these -findings. ---- - .../rpm_verification/rpm_verify_ownership/rule.yml | 4 +++- - 1 file changed, 3 insertions(+), 1 deletion(-) - -diff --git a/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_ownership/rule.yml b/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_ownership/rule.yml -index 7ae3f61919..f888db3b2c 100644 ---- a/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_ownership/rule.yml -+++ b/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_ownership/rule.yml -@@ -58,8 +58,10 @@ ocil: |- - is expected by the RPM database: -
$ rpm -Va | rpm -Va --nofiledigest | awk '{ if (substr($0,6,1)=="U" || substr($0,7,1)=="G") print $NF }'
- --{{% if product == "rhel6" %}} - warnings: -+ - general: |- -+ Profiles may require that specific files be owned by root while the default owner defined by the vendor is different. Such files will be reported as a finding and need to be evaluated according to your policy and deployment environment. -+{{% if product == "rhel6" %}} - - general: |- - Note: Due to a bug in the gdm package, - the RPM verify command may continue to fail even after file permissions have - -From c3210e05aba0b479a3122f84dc149241e5866f5a Mon Sep 17 00:00:00 2001 -From: Watson Sato -Date: Tue, 12 May 2020 17:29:44 +0200 -Subject: [PATCH 3/3] Warning readability changes - ---- - .../rpm_verification/rpm_verify_ownership/rule.yml | 5 ++++- - .../rpm_verification/rpm_verify_permissions/rule.yml | 5 ++++- - 2 files changed, 8 insertions(+), 2 deletions(-) - -diff --git a/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_ownership/rule.yml b/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_ownership/rule.yml -index f888db3b2c..e353ecef4c 100644 ---- a/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_ownership/rule.yml -+++ b/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_ownership/rule.yml -@@ -60,7 +60,10 @@ ocil: |- - - warnings: - - general: |- -- Profiles may require that specific files be owned by root while the default owner defined by the vendor is different. Such files will be reported as a finding and need to be evaluated according to your policy and deployment environment. -+ Profiles may require that specific files be owned by root while the default owner defined -+ by the vendor is different. -+ Such files will be reported as a finding and need to be evaluated according to your policy -+ and deployment environment. - {{% if product == "rhel6" %}} - - general: |- - Note: Due to a bug in the gdm package, -diff --git a/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_permissions/rule.yml b/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_permissions/rule.yml -index 0a91ce0108..677a239f3a 100644 ---- a/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_permissions/rule.yml -+++ b/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_permissions/rule.yml -@@ -69,7 +69,10 @@ ocil: |- - - warnings: - - general: |- -- Profiles may require that specific files have stricter file permissions than defined by the vendor. Such files will be reported as a finding and need to be evaluated according to your policy and deployment environment. -+ Profiles may require that specific files have stricter file permissions than defined by the -+ vendor. -+ Such files will be reported as a finding and need to be evaluated according to your policy -+ and deployment environment. - {{% if product == "rhel6" %}} - - general: |- - Note: Due to a bug in the gdm package, diff --git a/SOURCES/scap-security-guide-0.1.50-add_rule_sshd_disable_x11_forwarding_PR_5554.patch b/SOURCES/scap-security-guide-0.1.50-add_rule_sshd_disable_x11_forwarding_PR_5554.patch deleted file mode 100644 index 91a4368..0000000 --- a/SOURCES/scap-security-guide-0.1.50-add_rule_sshd_disable_x11_forwarding_PR_5554.patch +++ /dev/null @@ -1,375 +0,0 @@ -From ff69d42fd57e64112af50b15ed03526a205b0f98 Mon Sep 17 00:00:00 2001 -From: eradot4027 -Date: Thu, 2 Apr 2020 13:29:17 -0400 -Subject: [PATCH 01/12] Initial commit of rule for issue 5524 - ---- - .../sshd_disable_x11_forwarding/rule.yml | 46 +++++++++++++++++++ - 1 file changed, 46 insertions(+) - create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/rule.yml - -diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/rule.yml -new file mode 100644 -index 0000000000..c0c01728e9 ---- /dev/null -+++ b/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/rule.yml -@@ -0,0 +1,46 @@ -+documentation_complete: true -+ -+title: 'Disable X11 Forwarding' -+ -+description: |- -+ The X11Forwarding parameter provides the ability to tunnel X11 traffic -+ through the connection to enable remote graphic connections. -+ SSH has the capability to encrypt remote X11 connections when SSH's -+ X11Forwarding option is enabled. -+

-+ To disable X11 Forwarding, add or correct the -+ following line in /etc/ssh/sshd_config: -+
X11Forwarding no
-+ -+rationale: |- -+ Disable X11 forwarding unless there is an operational requirement to use X11 -+ applications directly. There is a small risk that the remote X11 servers of -+ users who are logged in via SSH with X11 forwarding could be compromised by -+ other users on the X11 server. Note that even if X11 forwarding is disabled, -+ users can always install their own forwarders. -+ -+severity: low -+ -+references: -+ cui: 3.1.13 -+ disa: "366" -+ nist: CM-6(a),AC-17(a),AC-17(2) -+ nist-csf: DE.AE-1,PR.DS-7,PR.IP-1 -+ srg: SRG-OS-000480-GPOS-00227 -+ stigid@rhel7: "040710" -+ stigid@sle12: "030260" -+ isa-62443-2013: 'SR 7.6' -+ isa-62443-2009: 4.3.4.3.2,4.3.4.3.3,4.4.3.3 -+ cobit5: BAI03.08,BAI07.04,BAI10.01,BAI10.02,BAI10.03,BAI10.05,DSS03.01 -+ iso27001-2013: A.12.1.1,A.12.1.2,A.12.1.4,A.12.5.1,A.12.6.2,A.13.1.1,A.13.1.2,A.14.2.2,A.14.2.3,A.14.2.4 -+ cis-csc: 1,11,12,13,15,16,18,20,3,4,6,9 -+ -+{{{ complete_ocil_entry_sshd_option(default="no", option="X11Forwarding", value="no") }}} -+ -+template: -+ name: sshd_lineinfile -+ vars: -+ missing_parameter_pass: 'false' -+ parameter: X11Forwarding -+ rule_id: sshd_disable_x11_forwarding -+ value: 'no' - -From f1bc29396cf2953fb4cb9cb17d6b8537f7be22f1 Mon Sep 17 00:00:00 2001 -From: eradot4027 -Date: Thu, 2 Apr 2020 13:34:02 -0400 -Subject: [PATCH 02/12] Haven't found references except for Solaris 11. Remove - reference section - ---- - .../sshd_disable_x11_forwarding/rule.yml | 14 -------------- - 1 file changed, 14 deletions(-) - -diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/rule.yml -index c0c01728e9..66872d01ab 100644 ---- a/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/rule.yml -+++ b/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/rule.yml -@@ -21,20 +21,6 @@ rationale: |- - - severity: low - --references: -- cui: 3.1.13 -- disa: "366" -- nist: CM-6(a),AC-17(a),AC-17(2) -- nist-csf: DE.AE-1,PR.DS-7,PR.IP-1 -- srg: SRG-OS-000480-GPOS-00227 -- stigid@rhel7: "040710" -- stigid@sle12: "030260" -- isa-62443-2013: 'SR 7.6' -- isa-62443-2009: 4.3.4.3.2,4.3.4.3.3,4.4.3.3 -- cobit5: BAI03.08,BAI07.04,BAI10.01,BAI10.02,BAI10.03,BAI10.05,DSS03.01 -- iso27001-2013: A.12.1.1,A.12.1.2,A.12.1.4,A.12.5.1,A.12.6.2,A.13.1.1,A.13.1.2,A.14.2.2,A.14.2.3,A.14.2.4 -- cis-csc: 1,11,12,13,15,16,18,20,3,4,6,9 -- - {{{ complete_ocil_entry_sshd_option(default="no", option="X11Forwarding", value="no") }}} - - template: - -From fb105b63c1ae36f309ede1831b8bae7a8d3ca4c7 Mon Sep 17 00:00:00 2001 -From: eradot4027 -Date: Thu, 2 Apr 2020 13:56:05 -0400 -Subject: [PATCH 03/12] Added CIS Reference - ---- - .../ssh/ssh_server/sshd_disable_x11_forwarding/rule.yml | 3 +++ - 1 file changed, 3 insertions(+) - -diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/rule.yml -index 66872d01ab..88ed64c681 100644 ---- a/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/rule.yml -+++ b/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/rule.yml -@@ -23,6 +23,9 @@ severity: low - - {{{ complete_ocil_entry_sshd_option(default="no", option="X11Forwarding", value="no") }}} - -+references: -+ cis@rhel8: 5.2.6 -+ - template: - name: sshd_lineinfile - vars: - -From 93f1dd883c3bef0e0df0a0eab87a8eaa75134637 Mon Sep 17 00:00:00 2001 -From: eradot4027 -Date: Thu, 2 Apr 2020 13:58:34 -0400 -Subject: [PATCH 04/12] CIS RHEL 7 Benchmark Reference - ---- - .../ssh/ssh_server/sshd_disable_x11_forwarding/rule.yml | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - -diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/rule.yml -index 88ed64c681..c56d498972 100644 ---- a/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/rule.yml -+++ b/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/rule.yml -@@ -24,8 +24,9 @@ severity: low - {{{ complete_ocil_entry_sshd_option(default="no", option="X11Forwarding", value="no") }}} - - references: -+ cis@rhel7: 5.2.5 - cis@rhel8: 5.2.6 -- -+ - template: - name: sshd_lineinfile - vars: - -From 96a51e5a2496c40aa28d9aace336ee75c26afdeb Mon Sep 17 00:00:00 2001 -From: eradot4027 -Date: Thu, 2 Apr 2020 14:09:25 -0400 -Subject: [PATCH 05/12] MOre CIS References - ---- - .../ssh/ssh_server/sshd_disable_x11_forwarding/rule.yml | 2 ++ - 1 file changed, 2 insertions(+) - -diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/rule.yml -index c56d498972..92cdbc2151 100644 ---- a/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/rule.yml -+++ b/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/rule.yml -@@ -26,6 +26,8 @@ severity: low - references: - cis@rhel7: 5.2.5 - cis@rhel8: 5.2.6 -+ cis@sle12: 5.2.4 -+ cis@sle15: 5.2.6 - - template: - name: sshd_lineinfile - -From da6fb541c8085d3f6a29f2569615201f3c88bda4 Mon Sep 17 00:00:00 2001 -From: eradot4027 -Date: Thu, 2 Apr 2020 15:39:53 -0400 -Subject: [PATCH 06/12] Modified per pull request comments. - ---- - .../ssh/ssh_server/sshd_disable_x11_forwarding/rule.yml | 6 ++++-- - 1 file changed, 4 insertions(+), 2 deletions(-) - -diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/rule.yml -index 92cdbc2151..bea57e74aa 100644 ---- a/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/rule.yml -+++ b/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/rule.yml -@@ -21,7 +21,9 @@ rationale: |- - - severity: low - --{{{ complete_ocil_entry_sshd_option(default="no", option="X11Forwarding", value="no") }}} -+ocil_clause: "that the X11Forwarding option exists and is enabled" -+ -+ocil: '{{{ ocil_sshd_option(default="no", option="X11Forwarding", value="no") }}}' - - references: - cis@rhel7: 5.2.5 -@@ -32,7 +34,7 @@ references: - template: - name: sshd_lineinfile - vars: -- missing_parameter_pass: 'false' -+ missing_parameter_pass: 'true' - parameter: X11Forwarding - rule_id: sshd_disable_x11_forwarding - value: 'no' - -From b0b3524c550d3007b33a2d3bdda7d8925dd2fe00 Mon Sep 17 00:00:00 2001 -From: eradot4027 -Date: Thu, 2 Apr 2020 16:17:05 -0400 -Subject: [PATCH 07/12] Modified per comment - ---- - .../ssh/ssh_server/sshd_disable_x11_forwarding/rule.yml | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - -diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/rule.yml -index bea57e74aa..14771fcc9a 100644 ---- a/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/rule.yml -+++ b/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/rule.yml -@@ -23,7 +23,8 @@ severity: low - - ocil_clause: "that the X11Forwarding option exists and is enabled" - --ocil: '{{{ ocil_sshd_option(default="no", option="X11Forwarding", value="no") }}}' -+ocil: |- -+ {{{ ocil_sshd_option(default="no", option="X11Forwarding", value="no") }}} - - references: - cis@rhel7: 5.2.5 - -From 84f97ae10eaf3c4118f8efa00d7d887ec44db150 Mon Sep 17 00:00:00 2001 -From: eradot4027 -Date: Thu, 2 Apr 2020 16:24:28 -0400 -Subject: [PATCH 08/12] Added check to RHEL7,8 CIS Profile per request - ---- - rhel7/profiles/cis.profile | 3 ++- - 2 files changed, 11 insertions(+), 10 deletions(-) - -diff --git a/rhel7/profiles/cis.profile b/rhel7/profiles/cis.profile -index 739ed27200..ba413cb1d8 100644 ---- a/rhel7/profiles/cis.profile -+++ b/rhel7/profiles/cis.profile -@@ -578,7 +578,8 @@ selections: - - sshd_set_loglevel_info - - ### 5.2.4 Ensure SSH X11 forwarding is disabled (Scored) -- -+ - sshd_disable_x11_forwarding -+ - ### 5.2.5 Ensure SSH MaxAuthTries is set to 4 or less (Scored) - - sshd_set_max_auth_tries - - -From 1618a15fb61c447770fd54e131c15445f765eabc Mon Sep 17 00:00:00 2001 -From: eradot4027 -Date: Thu, 2 Apr 2020 20:16:53 -0400 -Subject: [PATCH 09/12] Fixed OCIL Clause - ---- - .../services/ssh/ssh_server/sshd_disable_x11_forwarding/rule.yml | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/rule.yml -index 14771fcc9a..09dd808e99 100644 ---- a/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/rule.yml -+++ b/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/rule.yml -@@ -26,6 +26,7 @@ ocil_clause: "that the X11Forwarding option exists and is enabled" - ocil: |- - {{{ ocil_sshd_option(default="no", option="X11Forwarding", value="no") }}} - -+ - references: - cis@rhel7: 5.2.5 - cis@rhel8: 5.2.6 - -From e593461ca7cc38b5125f4413c445c4f9e9261c4e Mon Sep 17 00:00:00 2001 -From: eradot4027 -Date: Fri, 3 Apr 2020 10:49:57 -0400 -Subject: [PATCH 10/12] Added OVAL and tests - ---- - .../sshd_disable_x11_forwarding/oval/shared.xml | 1 + - .../sshd_disable_x11_forwarding/tests/comment.pass.sh | 9 +++++++++ - .../tests/correct_value.pass.sh | 9 +++++++++ - .../tests/line_not_there.pass.sh | 5 +++++ - .../tests/wrong_value.fail.sh | 9 +++++++++ - 5 files changed, 33 insertions(+) - create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/oval/shared.xml - create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/tests/comment.pass.sh - create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/tests/correct_value.pass.sh - create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/tests/line_not_there.pass.sh - create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/tests/wrong_value.fail.sh - -diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/oval/shared.xml b/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/oval/shared.xml -new file mode 100644 -index 0000000000..88b4e756f5 ---- /dev/null -+++ b/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/oval/shared.xml -@@ -0,0 +1 @@ -+{{{ oval_sshd_config(parameter="X11Forwarding", value="no", missing_parameter_pass=true) }}} -diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/tests/comment.pass.sh b/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/tests/comment.pass.sh -new file mode 100644 -index 0000000000..2b2e7869af ---- /dev/null -+++ b/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/tests/comment.pass.sh -@@ -0,0 +1,9 @@ -+#!/bin/bash -+# -+# profiles = xccdf_org.ssgproject.content_profile_ospp -+ -+if grep -q "^X11Forwarding" /etc/ssh/sshd_config; then -+ sed -i "s/^X11Forwarding.*/# X11Forwarding no/" /etc/ssh/sshd_config -+else -+ echo "# X11Forwarding no" >> /etc/ssh/sshd_config -+fi -diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/tests/correct_value.pass.sh b/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/tests/correct_value.pass.sh -new file mode 100644 -index 0000000000..f8b1ed4685 ---- /dev/null -+++ b/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/tests/correct_value.pass.sh -@@ -0,0 +1,9 @@ -+#!/bin/bash -+# -+# profiles = xccdf_org.ssgproject.content_profile_ospp -+ -+if grep -q "^X11Forwarding" /etc/ssh/sshd_config; then -+ sed -i "s/^X11Forwarding.*/X11Forwarding no/" /etc/ssh/sshd_config -+else -+ echo "X11Forwarding no" >> /etc/ssh/sshd_config -+fi -diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/tests/line_not_there.pass.sh b/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/tests/line_not_there.pass.sh -new file mode 100644 -index 0000000000..53a3d754b8 ---- /dev/null -+++ b/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/tests/line_not_there.pass.sh -@@ -0,0 +1,5 @@ -+#!/bin/bash -+# -+# profiles = xccdf_org.ssgproject.content_profile_ospp -+ -+sed -i "/^X11Forwarding.*/d" /etc/ssh/sshd_config -diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/tests/wrong_value.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/tests/wrong_value.fail.sh -new file mode 100644 -index 0000000000..bbb09f62d0 ---- /dev/null -+++ b/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/tests/wrong_value.fail.sh -@@ -0,0 +1,9 @@ -+#!/bin/bash -+# -+# profiles = xccdf_org.ssgproject.content_profile_ospp -+ -+if grep -q "^X11Forwarding" /etc/ssh/sshd_config; then -+ sed -i "s/^X11Forwarding.*/X11Forwarding yes/" /etc/ssh/sshd_config -+else -+ echo "X11Forwarding yes" >> /etc/ssh/sshd_config -+fi - -From 192c1ee531a838c91db37108f49124295cc5cec3 Mon Sep 17 00:00:00 2001 -From: eradot4027 -Date: Fri, 3 Apr 2020 13:10:49 -0400 -Subject: [PATCH 11/12] Removed OVAL in favor of template - ---- - .../ssh/ssh_server/sshd_disable_x11_forwarding/oval/shared.xml | 1 - - 1 file changed, 1 deletion(-) - delete mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/oval/shared.xml - -diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/oval/shared.xml b/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/oval/shared.xml -deleted file mode 100644 -index 88b4e756f5..0000000000 ---- a/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/oval/shared.xml -+++ /dev/null -@@ -1 +0,0 @@ --{{{ oval_sshd_config(parameter="X11Forwarding", value="no", missing_parameter_pass=true) }}} - diff --git a/SOURCES/scap-security-guide-0.1.50-add_rules_accounts_backup_files_PR_5317.patch b/SOURCES/scap-security-guide-0.1.50-add_rules_accounts_backup_files_PR_5317.patch deleted file mode 100644 index 25a58ef..0000000 --- a/SOURCES/scap-security-guide-0.1.50-add_rules_accounts_backup_files_PR_5317.patch +++ /dev/null @@ -1,1025 +0,0 @@ -From f657a1b61509c591a9b1c031865b520bd2c8bbbe Mon Sep 17 00:00:00 2001 -From: Watson Sato -Date: Thu, 19 Mar 2020 15:23:05 +0100 -Subject: [PATCH 1/8] Add rules for /etc/passwd- permissions and owner - ---- - .../rule.yml | 31 +++++++++++++++++ - .../file_owner_backup_etc_passwd/rule.yml | 31 +++++++++++++++++ - .../rule.yml | 33 +++++++++++++++++++ - 4 files changed, 95 insertions(+), 6 deletions(-) - create mode 100644 linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_backup_etc_passwd/rule.yml - create mode 100644 linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_backup_etc_passwd/rule.yml - create mode 100644 linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_passwd/rule.yml - -diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_backup_etc_passwd/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_backup_etc_passwd/rule.yml -new file mode 100644 -index 0000000000..b4ece4eda7 ---- /dev/null -+++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_backup_etc_passwd/rule.yml -@@ -0,0 +1,31 @@ -+documentation_complete: true -+ -+title: 'Verify Group Who Owns Backup passwd File' -+ -+description: '{{{ describe_file_group_owner(file="/etc/passwd-", group="root") }}}' -+ -+rationale: |- -+ The /etc/passwd- file is a backup file of the /etc/passwd file and as such -+ it also contains information about the users that are configured on the system. -+ Protection of this file is critical for system security. -+ -+severity: medium -+ -+identifiers: -+ cce@rhel7: 83323-6 -+ cce@rhel8: 83324-4 -+ -+references: -+ cis@rhel7: 6.1.6 -+ cis@rhel8: 6.1.6 -+ -+ocil_clause: '{{{ ocil_clause_file_group_owner(file="/etc/passwd-", group="root") }}}' -+ -+ocil: '{{{ ocil_file_group_owner(file="/etc/passwd-", group="root") }}}' -+ -+template: -+ name: file_groupowner -+ vars: -+ filepath: /etc/passwd- -+ filegid: '0' -+ missing_file_pass: 'true' -diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_backup_etc_passwd/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_backup_etc_passwd/rule.yml -new file mode 100644 -index 0000000000..28ceaf57e2 ---- /dev/null -+++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_backup_etc_passwd/rule.yml -@@ -0,0 +1,31 @@ -+documentation_complete: true -+ -+title: 'Verify User Who Owns Backup passwd File' -+ -+description: '{{{ describe_file_owner(file="/etc/passwd-", owner="root") }}}' -+ -+rationale: |- -+ The /etc/passwd- file is a backup file of the /etc/passwd file and as such -+ it also contains information about the users that are configured on the system. -+ Protection of this file is critical for system security. -+ -+severity: medium -+ -+identifiers: -+ cce@rhel7: 83325-1 -+ cce@rhel8: 83326-9 -+ -+references: -+ cis@rhel7: 6.1.6 -+ cis@rhel8: 6.1.6 -+ -+ocil_clause: '{{{ ocil_clause_file_owner(file="/etc/passwd-", owner="root") }}}' -+ -+ocil: '{{{ ocil_file_owner(file="/etc/passwd-", owner="root") }}}' -+ -+template: -+ name: file_owner -+ vars: -+ filepath: /etc/passwd- -+ fileuid: '0' -+ missing_file_pass: 'true' -diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_passwd/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_passwd/rule.yml -new file mode 100644 -index 0000000000..3620e8d0d8 ---- /dev/null -+++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_passwd/rule.yml -@@ -0,0 +1,33 @@ -+documentation_complete: true -+ -+title: 'Verify Permissions on Backup passwd File' -+ -+description: |- -+ {{{ describe_file_permissions(file="/etc/passwd-", perms="0600") }}} -+ -+rationale: |- -+ The /etc/passwd- file is a backup file of the /etc/passwd file and as such -+ it also contains information about the users that are configured on the system. -+ Protection of this file is critical for system security. -+ -+severity: medium -+ -+identifiers: -+ cce@rhel7: 83331-9 -+ cce@rhel8: 83332-7 -+ -+references: -+ cis@rhel7: 6.1.6 -+ cis@rhel8: 6.1.6 -+ -+ocil_clause: '{{{ ocil_clause_file_permissions(file="/etc/passwd-", perms="-rw-------") }}}' -+ -+ocil: |- -+ {{{ ocil_file_permissions(file="/etc/passwd-", perms="-rw-------") }}} -+ -+template: -+ name: file_permissions -+ vars: -+ filepath: /etc/passwd- -+ filemode: '0600' -+ missing_file_pass: 'true' -From 5e641c50c9cb21cc664f2b6fe2ea820b96d3bde4 Mon Sep 17 00:00:00 2001 -From: Watson Sato -Date: Thu, 19 Mar 2020 15:44:25 +0100 -Subject: [PATCH 2/8] Add rules for /etc/shadow- permissions and owner - ---- - .../rule.yml | 37 ++++++++++++++++++ - .../file_owner_backup_etc_shadow/rule.yml | 31 +++++++++++++++ - .../rule.yml | 39 +++++++++++++++++++ - 4 files changed, 107 insertions(+), 6 deletions(-) - create mode 100644 linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_backup_etc_shadow/rule.yml - create mode 100644 linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_backup_etc_shadow/rule.yml - create mode 100644 linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_shadow/rule.yml - -diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_backup_etc_shadow/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_backup_etc_shadow/rule.yml -new file mode 100644 -index 0000000000..6f4744e6cc ---- /dev/null -+++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_backup_etc_shadow/rule.yml -@@ -0,0 +1,37 @@ -+documentation_complete: true -+ -+title: 'Verify User Who Owns Backup shadow File' -+ -+description: '{{{ describe_file_group_owner(file="/etc/shadow-", group="root") }}}' -+ -+rationale: |- -+ The /etc/shadow- file is a backup file of the /etc/shadow file, and as such -+ it also contains the list of local system accounts and password hashes. -+ Protection of this file is critical for system security. -+ -+severity: medium -+ -+identifiers: -+ cce@rhel7: 83414-3 -+ cce@rhel8: 83415-0 -+ -+references: -+ cis@rhel7: 6.1.7 -+ cis@rhel8: 6.1.7 -+ -+ocil_clause: '{{{ ocil_clause_file_group_owner(file="/etc/shadow-", group="root") }}}' -+ -+ocil: '{{{ ocil_file_group_owner(file="/etc/shadow-", group="root") }}}' -+ -+template: -+ name: file_groupowner -+ vars: -+ filepath: /etc/shadow- -+ filegid: '0' -+ filegid@debian8: '42' -+ filegid@debian9: '42' -+ filegid@debian10: '42' -+ filegid@ubuntu1404: '42' -+ filegid@ubuntu1604: '42' -+ filegid@ubuntu1804: '42' -+ missing_file_pass: 'true' -diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_backup_etc_shadow/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_backup_etc_shadow/rule.yml -new file mode 100644 -index 0000000000..2b5a17d6bf ---- /dev/null -+++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_backup_etc_shadow/rule.yml -@@ -0,0 +1,31 @@ -+documentation_complete: true -+ -+title: 'Verify Group Who Owns Backup shadow File' -+ -+description: '{{{ describe_file_owner(file="/etc/shadow-", owner="root") }}}' -+ -+rationale: |- -+ The /etc/shadow- file is a backup file of the /etc/shadow file, and as such -+ it also contains the list of local system accounts and password hashes. -+ Protection of this file is critical for system security. -+ -+severity: medium -+ -+identifiers: -+ cce@rhel7: 83412-7 -+ cce@rhel8: 83413-5 -+ -+references: -+ cis@rhel7: 6.1.7 -+ cis@rhel8: 6.1.7 -+ -+ocil_clause: '{{{ ocil_clause_file_owner(file="/etc/shadow-", owner="root") }}}' -+ -+ocil: '{{{ ocil_file_owner(file="/etc/shadow-", owner="root") }}}' -+ -+template: -+ name: file_owner -+ vars: -+ filepath: /etc/shadow- -+ fileuid: '0' -+ missing_file_pass: 'true' -diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_shadow/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_shadow/rule.yml -new file mode 100644 -index 0000000000..6090201c11 ---- /dev/null -+++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_shadow/rule.yml -@@ -0,0 +1,39 @@ -+documentation_complete: true -+ -+title: 'Verify Permissions on Backup shadow File' -+ -+description: |- -+ {{{ describe_file_permissions(file="/etc/shadow-", perms="0000") }}} -+ -+rationale: |- -+ The /etc/shadow- file is a backup file of the /etc/shadow file, and as such -+ it also contains the list of local system accounts and password hashes. -+ Protection of this file is critical for system security. -+ -+severity: medium -+ -+identifiers: -+ cce@rhel7: 83416-8 -+ cce@rhel8: 83417-6 -+ -+references: -+ cis@rhel7: 6.1.7 -+ cis@rhel8: 6.1.7 -+ -+ocil_clause: '{{{ ocil_clause_file_permissions(file="/etc/shadow-", perms="----------") }}}' -+ -+ocil: |- -+ {{{ ocil_file_permissions(file="/etc/shadow-", perms="----------") }}} -+ -+template: -+ name: file_permissions -+ vars: -+ filepath: /etc/shadow- -+ filemode: '0000' -+ filemode@debian8: '0640' -+ filemode@debian9: '0640' -+ filemode@debian10: '0640' -+ filemode@ubuntu1404: '0640' -+ filemode@ubuntu1604: '0640' -+ filemode@ubuntu1804: '0640' -+ missing_file_pass: 'true' -From 9f206c3dede1f1fe41288559f8b465dcfe252b9e Mon Sep 17 00:00:00 2001 -From: Watson Sato -Date: Thu, 19 Mar 2020 16:07:26 +0100 -Subject: [PATCH 3/8] Add rules for /etc/group- permissions and owner - ---- - .../file_groupowner_backup_etc_group/rule.yml | 31 +++++++++++++++++ - .../file_owner_backup_etc_group/rule.yml | 31 +++++++++++++++++ - .../rule.yml | 33 +++++++++++++++++++ - 4 files changed, 95 insertions(+), 6 deletions(-) - create mode 100644 linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_backup_etc_group/rule.yml - create mode 100644 linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_backup_etc_group/rule.yml - create mode 100644 linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_group/rule.yml - -diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_backup_etc_group/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_backup_etc_group/rule.yml -new file mode 100644 -index 0000000000..6663d25ee6 ---- /dev/null -+++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_backup_etc_group/rule.yml -@@ -0,0 +1,31 @@ -+documentation_complete: true -+ -+title: 'Verify Group Who Owns Backup group File' -+ -+description: '{{{ describe_file_group_owner(file="/etc/group-", group="root") }}}' -+ -+rationale: |- -+ The /etc/group- file is a backup file of the /etc/group, and as such -+ it also contains information regarding groups that are configured on the system. -+ Protection of this file is important for system security. -+ -+severity: medium -+ -+identifiers: -+ cce@rhel7: 83474-7 -+ cce@rhel8: 83475-4 -+ -+references: -+ cis@rhel7: 6.1.8 -+ cis@rhel8: 6.1.8 -+ -+ocil_clause: '{{{ ocil_clause_file_group_owner(file="/etc/group-", group="root") }}}' -+ -+ocil: '{{{ ocil_file_group_owner(file="/etc/group", group="root") }}}' -+ -+template: -+ name: file_groupowner -+ vars: -+ filepath: /etc/group- -+ filegid: '0' -+ missing_file_pass: 'true' -diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_backup_etc_group/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_backup_etc_group/rule.yml -new file mode 100644 -index 0000000000..43f508a788 ---- /dev/null -+++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_backup_etc_group/rule.yml -@@ -0,0 +1,31 @@ -+documentation_complete: true -+ -+title: 'Verify User Who Owns Backup group File' -+ -+description: '{{{ describe_file_owner(file="/etc/group-", owner="root") }}}' -+ -+rationale: |- -+ The /etc/group- file is a backup file of the /etc/group, and as such -+ it also contains information regarding groups that are configured on the system. -+ Protection of this file is important for system security. -+ -+severity: medium -+ -+identifiers: -+ cce@rhel7: 83472-1 -+ cce@rhel8: 83473-9 -+ -+references: -+ cis@rhel7: 6.1.8 -+ cis@rhel8: 6.1.8 -+ -+ocil_clause: '{{{ ocil_clause_file_owner(file="/etc/group-", owner="root") }}}' -+ -+ocil: '{{{ ocil_file_owner(file="/etc/group-", owner="root") }}}' -+ -+template: -+ name: file_owner -+ vars: -+ filepath: /etc/group- -+ fileuid: '0' -+ missing_file_pass: 'true' -diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_group/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_group/rule.yml -new file mode 100644 -index 0000000000..d8e4ed220b ---- /dev/null -+++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_group/rule.yml -@@ -0,0 +1,33 @@ -+documentation_complete: true -+ -+title: 'Verify Permissions on Backup group File' -+ -+description: |- -+ {{{ describe_file_permissions(file="/etc/group-", perms="0644") }}} -+ -+rationale: |- -+ The /etc/group- file is a backup file of the /etc/group, and as such -+ it also contains information regarding groups that are configured on the system. -+ Protection of this file is important for system security. -+ -+severity: medium -+ -+identifiers: -+ cce@rhel7: 83482-0 -+ cce@rhel8: 83483-8 -+ -+references: -+ cis@rhel7: 6.1.8 -+ cis@rhel8: 6.1.8 -+ -+ocil_clause: '{{{ ocil_clause_file_permissions(file="/etc/group-", perms="-rw-r--r--") }}}' -+ -+ocil: |- -+ {{{ ocil_file_permissions(file="/etc/passwd", perms="-rw-r--r--") }}} -+ -+template: -+ name: file_permissions -+ vars: -+ filepath: /etc/group- -+ filemode: '0644' -+ missing_file_pass: 'true' -From 8be59a951380245f9c163731d40a0fdbbddb2ccd Mon Sep 17 00:00:00 2001 -From: Watson Sato -Date: Thu, 19 Mar 2020 16:18:25 +0100 -Subject: [PATCH 4/8] Add rules for /etc/gshadow- permissions and owner - ---- - .../rule.yml | 36 ++++++++++++++++++ - .../file_owner_backup_etc_gshadow/rule.yml | 30 +++++++++++++++ - .../rule.yml | 38 +++++++++++++++++++ - 4 files changed, 104 insertions(+), 6 deletions(-) - create mode 100644 linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_backup_etc_gshadow/rule.yml - create mode 100644 linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_backup_etc_gshadow/rule.yml - create mode 100644 linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_gshadow/rule.yml - -diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_backup_etc_gshadow/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_backup_etc_gshadow/rule.yml -new file mode 100644 -index 0000000000..d27abdad03 ---- /dev/null -+++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_backup_etc_gshadow/rule.yml -@@ -0,0 +1,36 @@ -+documentation_complete: true -+ -+title: 'Verify Group Who Owns Backup gshadow File' -+ -+description: '{{{ describe_file_group_owner(file="/etc/gshadow-", group="root") }}}' -+ -+rationale: |- -+ The /etc/gshadow- file is a backup of the /etc/gshadow, and as such it -+ contains group password hashes. Protection of this file is critical for system security. -+ -+severity: medium -+ -+identifiers: -+ cce@rhel7: 83534-8 -+ cce@rhel8: 83535-5 -+ -+references: -+ cis@rhel7: 6.1.9 -+ cis@rhel8: 6.1.9 -+ -+ocil_clause: '{{{ ocil_clause_file_group_owner(file="/etc/gshadow-", group="root") }}}' -+ -+ocil: '{{{ ocil_file_group_owner(file="/etc/gshadow-", group="root") }}}' -+ -+template: -+ name: file_groupowner -+ vars: -+ filepath: /etc/gshadow- -+ filegid: '0' -+ filegid@debian8: '42' -+ filegid@debian9: '42' -+ filegid@debian10: '42' -+ filegid@ubuntu1404: '42' -+ filegid@ubuntu1604: '42' -+ filegid@ubuntu1804: '42' -+ missing_file_pass: 'true' -diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_backup_etc_gshadow/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_backup_etc_gshadow/rule.yml -new file mode 100644 -index 0000000000..a840f6ef55 ---- /dev/null -+++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_backup_etc_gshadow/rule.yml -@@ -0,0 +1,30 @@ -+documentation_complete: true -+ -+title: 'Verify User Who Owns Backup gshadow File' -+ -+description: '{{{ describe_file_owner(file="/etc/gshadow-", owner="root") }}}' -+ -+rationale: |- -+ The /etc/gshadow- file is a backup of the /etc/gshadow, and as such it -+ contains group password hashes. Protection of this file is critical for system security. -+ -+severity: medium -+ -+identifiers: -+ cce@rhel7: 83532-2 -+ cce@rhel8: 83533-0 -+ -+references: -+ cis@rhel7: 6.1.9 -+ cis@rhel8: 6.1.9 -+ -+ocil_clause: '{{{ ocil_clause_file_owner(file="/etc/gshadow-", owner="root") }}}' -+ -+ocil: '{{{ ocil_file_owner(file="/etc/gshadow-", owner="root") }}}' -+ -+template: -+ name: file_owner -+ vars: -+ filepath: /etc/gshadow- -+ fileuid: '0' -+ missing_file_pass: 'true' -diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_gshadow/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_gshadow/rule.yml -new file mode 100644 -index 0000000000..29c9556298 ---- /dev/null -+++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_gshadow/rule.yml -@@ -0,0 +1,38 @@ -+documentation_complete: true -+ -+title: 'Verify Permissions on Backup gshadow File' -+ -+description: |- -+ {{{ describe_file_permissions(file="/etc/gshadow-", perms="0000") }}} -+ -+rationale: |- -+ The /etc/gshadow- file is a backup of the /etc/gshadow, and as such it -+ contains group password hashes. Protection of this file is critical for system security. -+ -+severity: medium -+ -+identifiers: -+ cce@rhel7: 83572-8 -+ cce@rhel8: 83573-6 -+ -+references: -+ cis@rhel7: 6.1.9 -+ cis@rhel8: 6.1.9 -+ -+ocil_clause: '{{{ ocil_clause_file_permissions(file="/etc/gshadow-", perms="----------") }}}' -+ -+ocil: |- -+ {{{ ocil_file_permissions(file="/etc/gshadow-", perms="----------") }}} -+ -+template: -+ name: file_permissions -+ vars: -+ filepath: /etc/gshadow- -+ filemode: '0000' -+ filemode@debian8: '0640' -+ filemode@debian9: '0640' -+ filemode@debian10: '0640' -+ filemode@ubuntu1404: '0640' -+ filemode@ubuntu1604: '0640' -+ filemode@ubuntu1804: '0640' -+ missing_file_pass: 'true' -From 7957bfd07621000047e0784a717ffc0e3e0cf769 Mon Sep 17 00:00:00 2001 -From: Watson Sato -Date: Thu, 19 Mar 2020 17:28:03 +0100 -Subject: [PATCH 6/8] Fix language and inconsistencies in rationale - ---- - .../file_groupowner_backup_etc_group/rule.yml | 4 ++-- - .../file_groupowner_backup_etc_gshadow/rule.yml | 4 ++-- - .../file_groupowner_backup_etc_passwd/rule.yml | 4 ++-- - .../file_groupowner_backup_etc_shadow/rule.yml | 4 ++-- - .../file_owner_backup_etc_group/rule.yml | 4 ++-- - .../file_owner_backup_etc_gshadow/rule.yml | 4 ++-- - .../file_owner_backup_etc_passwd/rule.yml | 4 ++-- - .../file_owner_backup_etc_shadow/rule.yml | 4 ++-- - .../file_permissions_backup_etc_group/rule.yml | 4 ++-- - .../file_permissions_backup_etc_gshadow/rule.yml | 4 ++-- - .../file_permissions_backup_etc_passwd/rule.yml | 4 ++-- - .../file_permissions_backup_etc_shadow/rule.yml | 4 ++-- - 12 files changed, 24 insertions(+), 24 deletions(-) - -diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_backup_etc_group/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_backup_etc_group/rule.yml -index 6663d25ee6..00bbfd8615 100644 ---- a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_backup_etc_group/rule.yml -+++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_backup_etc_group/rule.yml -@@ -5,8 +5,8 @@ title: 'Verify Group Who Owns Backup group File' - description: '{{{ describe_file_group_owner(file="/etc/group-", group="root") }}}' - - rationale: |- -- The /etc/group- file is a backup file of the /etc/group, and as such -- it also contains information regarding groups that are configured on the system. -+ The /etc/group- file is a backup file of /etc/group, and as such, -+ it contains information regarding groups that are configured on the system. - Protection of this file is important for system security. - - severity: medium -diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_backup_etc_gshadow/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_backup_etc_gshadow/rule.yml -index d27abdad03..fcd4dfc0cb 100644 ---- a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_backup_etc_gshadow/rule.yml -+++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_backup_etc_gshadow/rule.yml -@@ -5,8 +5,8 @@ title: 'Verify Group Who Owns Backup gshadow File' - description: '{{{ describe_file_group_owner(file="/etc/gshadow-", group="root") }}}' - - rationale: |- -- The /etc/gshadow- file is a backup of the /etc/gshadow, and as such it -- contains group password hashes. Protection of this file is critical for system security. -+ The /etc/gshadow- file is a backup of /etc/gshadow, and as such, -+ it contains group password hashes. Protection of this file is critical for system security. - - severity: medium - -diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_backup_etc_passwd/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_backup_etc_passwd/rule.yml -index b4ece4eda7..0855e37012 100644 ---- a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_backup_etc_passwd/rule.yml -+++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_backup_etc_passwd/rule.yml -@@ -5,8 +5,8 @@ title: 'Verify Group Who Owns Backup passwd File' - description: '{{{ describe_file_group_owner(file="/etc/passwd-", group="root") }}}' - - rationale: |- -- The /etc/passwd- file is a backup file of the /etc/passwd file and as such -- it also contains information about the users that are configured on the system. -+ The /etc/passwd- file is a backup file of /etc/passwd, and as such, -+ it contains information about the users that are configured on the system. - Protection of this file is critical for system security. - - severity: medium -diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_backup_etc_shadow/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_backup_etc_shadow/rule.yml -index 6f4744e6cc..bbcf2deb48 100644 ---- a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_backup_etc_shadow/rule.yml -+++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_backup_etc_shadow/rule.yml -@@ -5,8 +5,8 @@ title: 'Verify User Who Owns Backup shadow File' - description: '{{{ describe_file_group_owner(file="/etc/shadow-", group="root") }}}' - - rationale: |- -- The /etc/shadow- file is a backup file of the /etc/shadow file, and as such -- it also contains the list of local system accounts and password hashes. -+ The /etc/shadow- file is a backup file of /etc/shadow, and as such, -+ it contains the list of local system accounts and password hashes. - Protection of this file is critical for system security. - - severity: medium -diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_backup_etc_group/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_backup_etc_group/rule.yml -index 43f508a788..1e2cf1ae1a 100644 ---- a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_backup_etc_group/rule.yml -+++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_backup_etc_group/rule.yml -@@ -5,8 +5,8 @@ title: 'Verify User Who Owns Backup group File' - description: '{{{ describe_file_owner(file="/etc/group-", owner="root") }}}' - - rationale: |- -- The /etc/group- file is a backup file of the /etc/group, and as such -- it also contains information regarding groups that are configured on the system. -+ The /etc/group- file is a backup file of /etc/group, and as such, -+ it contains information regarding groups that are configured on the system. - Protection of this file is important for system security. - - severity: medium -diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_backup_etc_gshadow/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_backup_etc_gshadow/rule.yml -index a840f6ef55..d90826e407 100644 ---- a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_backup_etc_gshadow/rule.yml -+++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_backup_etc_gshadow/rule.yml -@@ -5,8 +5,8 @@ title: 'Verify User Who Owns Backup gshadow File' - description: '{{{ describe_file_owner(file="/etc/gshadow-", owner="root") }}}' - - rationale: |- -- The /etc/gshadow- file is a backup of the /etc/gshadow, and as such it -- contains group password hashes. Protection of this file is critical for system security. -+ The /etc/gshadow- file is a backup of /etc/gshadow, and as such, -+ it contains group password hashes. Protection of this file is critical for system security. - - severity: medium - -diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_backup_etc_passwd/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_backup_etc_passwd/rule.yml -index 28ceaf57e2..180f474d96 100644 ---- a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_backup_etc_passwd/rule.yml -+++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_backup_etc_passwd/rule.yml -@@ -5,8 +5,8 @@ title: 'Verify User Who Owns Backup passwd File' - description: '{{{ describe_file_owner(file="/etc/passwd-", owner="root") }}}' - - rationale: |- -- The /etc/passwd- file is a backup file of the /etc/passwd file and as such -- it also contains information about the users that are configured on the system. -+ The /etc/passwd- file is a backup file of /etc/passwd, and as such, -+ it contains information about the users that are configured on the system. - Protection of this file is critical for system security. - - severity: medium -diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_backup_etc_shadow/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_backup_etc_shadow/rule.yml -index 2b5a17d6bf..260810b94f 100644 ---- a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_backup_etc_shadow/rule.yml -+++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_backup_etc_shadow/rule.yml -@@ -5,8 +5,8 @@ title: 'Verify Group Who Owns Backup shadow File' - description: '{{{ describe_file_owner(file="/etc/shadow-", owner="root") }}}' - - rationale: |- -- The /etc/shadow- file is a backup file of the /etc/shadow file, and as such -- it also contains the list of local system accounts and password hashes. -+ The /etc/shadow- file is a backup file of /etc/shadow, and as such, -+ it contains the list of local system accounts and password hashes. - Protection of this file is critical for system security. - - severity: medium -diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_group/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_group/rule.yml -index d8e4ed220b..68782db132 100644 ---- a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_group/rule.yml -+++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_group/rule.yml -@@ -6,8 +6,8 @@ description: |- - {{{ describe_file_permissions(file="/etc/group-", perms="0644") }}} - - rationale: |- -- The /etc/group- file is a backup file of the /etc/group, and as such -- it also contains information regarding groups that are configured on the system. -+ The /etc/group- file is a backup file of /etc/group, and as such, -+ it contains information regarding groups that are configured on the system. - Protection of this file is important for system security. - - severity: medium -diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_gshadow/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_gshadow/rule.yml -index 29c9556298..8dc2ca59dc 100644 ---- a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_gshadow/rule.yml -+++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_gshadow/rule.yml -@@ -6,8 +6,8 @@ description: |- - {{{ describe_file_permissions(file="/etc/gshadow-", perms="0000") }}} - - rationale: |- -- The /etc/gshadow- file is a backup of the /etc/gshadow, and as such it -- contains group password hashes. Protection of this file is critical for system security. -+ The /etc/gshadow- file is a backup of /etc/gshadow, and as such, -+ it contains group password hashes. Protection of this file is critical for system security. - - severity: medium - -diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_passwd/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_passwd/rule.yml -index 3620e8d0d8..b2c524d879 100644 ---- a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_passwd/rule.yml -+++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_passwd/rule.yml -@@ -6,8 +6,8 @@ description: |- - {{{ describe_file_permissions(file="/etc/passwd-", perms="0600") }}} - - rationale: |- -- The /etc/passwd- file is a backup file of the /etc/passwd file and as such -- it also contains information about the users that are configured on the system. -+ The /etc/passwd- file is a backup file of /etc/passwd, and as such, -+ it contains information about the users that are configured on the system. - Protection of this file is critical for system security. - - severity: medium -diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_shadow/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_shadow/rule.yml -index 6090201c11..05a7bd867f 100644 ---- a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_shadow/rule.yml -+++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_shadow/rule.yml -@@ -6,8 +6,8 @@ description: |- - {{{ describe_file_permissions(file="/etc/shadow-", perms="0000") }}} - - rationale: |- -- The /etc/shadow- file is a backup file of the /etc/shadow file, and as such -- it also contains the list of local system accounts and password hashes. -+ The /etc/shadow- file is a backup file of /etc/shadow, and as such, -+ it contains the list of local system accounts and password hashes. - Protection of this file is critical for system security. - - severity: medium - -From 96e63d853d7e5ec42924a7ce5a06463dfc85b4b6 Mon Sep 17 00:00:00 2001 -From: Watson Sato -Date: Tue, 24 Mar 2020 11:32:09 +0100 -Subject: [PATCH 7/8] Describe different group owners of shadow files - -The group owner of shadow files in debian based distros should -be the shadow group. ---- - .../file_groupowner_backup_etc_gshadow/rule.yml | 12 +++++++++--- - .../file_groupowner_backup_etc_shadow/rule.yml | 12 +++++++++--- - .../file_groupowner_etc_gshadow/rule.yml | 12 +++++++++--- - .../file_groupowner_etc_shadow/rule.yml | 12 +++++++++--- - 4 files changed, 36 insertions(+), 12 deletions(-) - -diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_backup_etc_gshadow/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_backup_etc_gshadow/rule.yml -index fcd4dfc0cb..6ad814ea96 100644 ---- a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_backup_etc_gshadow/rule.yml -+++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_backup_etc_gshadow/rule.yml -@@ -2,7 +2,13 @@ documentation_complete: true - - title: 'Verify Group Who Owns Backup gshadow File' - --description: '{{{ describe_file_group_owner(file="/etc/gshadow-", group="root") }}}' -+{{% if "ubuntu" in product or "debian" in product %}} -+ {{% set target_group="shadow" %}} -+{{% else %}} -+ {{% set target_group="root" %}} -+{{% endif %}} -+ -+description: '{{{ describe_file_group_owner(file="/etc/gshadow-", group=target_group) }}}' - - rationale: |- - The /etc/gshadow- file is a backup of /etc/gshadow, and as such, -@@ -18,9 +24,9 @@ references: - cis@rhel7: 6.1.9 - cis@rhel8: 6.1.9 - --ocil_clause: '{{{ ocil_clause_file_group_owner(file="/etc/gshadow-", group="root") }}}' -+ocil_clause: '{{{ ocil_clause_file_group_owner(file="/etc/gshadow-", group=target_group) }}}' - --ocil: '{{{ ocil_file_group_owner(file="/etc/gshadow-", group="root") }}}' -+ocil: '{{{ ocil_file_group_owner(file="/etc/gshadow-", group=target_group) }}}' - - template: - name: file_groupowner -diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_backup_etc_shadow/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_backup_etc_shadow/rule.yml -index bbcf2deb48..51f6076c0a 100644 ---- a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_backup_etc_shadow/rule.yml -+++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_backup_etc_shadow/rule.yml -@@ -2,7 +2,13 @@ documentation_complete: true - - title: 'Verify User Who Owns Backup shadow File' - --description: '{{{ describe_file_group_owner(file="/etc/shadow-", group="root") }}}' -+{{% if "ubuntu" in product or "debian" in product %}} -+ {{% set target_group="shadow" %}} -+{{% else %}} -+ {{% set target_group="root" %}} -+{{% endif %}} -+ -+description: '{{{ describe_file_group_owner(file="/etc/shadow-", group=target_group) }}}' - - rationale: |- - The /etc/shadow- file is a backup file of /etc/shadow, and as such, -@@ -19,9 +25,9 @@ references: - cis@rhel7: 6.1.7 - cis@rhel8: 6.1.7 - --ocil_clause: '{{{ ocil_clause_file_group_owner(file="/etc/shadow-", group="root") }}}' -+ocil_clause: '{{{ ocil_clause_file_group_owner(file="/etc/shadow-", group=target_group) }}}' - --ocil: '{{{ ocil_file_group_owner(file="/etc/shadow-", group="root") }}}' -+ocil: '{{{ ocil_file_group_owner(file="/etc/shadow-", group=target_group) }}}' - - template: - name: file_groupowner -diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_etc_gshadow/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_etc_gshadow/rule.yml -index c2e12377ef..2720754282 100644 ---- a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_etc_gshadow/rule.yml -+++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_etc_gshadow/rule.yml -@@ -2,7 +2,13 @@ documentation_complete: true - - title: 'Verify Group Who Owns gshadow File' - --description: '{{{ describe_file_group_owner(file="/etc/gshadow", group="root") }}}' -+{{% if "ubuntu" in product or "debian" in product %}} -+ {{% set target_group="shadow" %}} -+{{% else %}} -+ {{% set target_group="root" %}} -+{{% endif %}} -+ -+description: '{{{ describe_file_group_owner(file="/etc/gshadow", group=target_group) }}}' - - rationale: |- - The /etc/gshadow file contains group password hashes. Protection of this file -@@ -29,9 +35,9 @@ references: - iso27001-2013: A.10.1.1,A.11.1.4,A.11.1.5,A.11.2.1,A.13.1.1,A.13.1.3,A.13.2.1,A.13.2.3,A.13.2.4,A.14.1.2,A.14.1.3,A.6.1.2,A.7.1.1,A.7.1.2,A.7.3.1,A.8.2.2,A.8.2.3,A.9.1.1,A.9.1.2,A.9.2.3,A.9.4.1,A.9.4.4,A.9.4.5 - cis-csc: 12,13,14,15,16,18,3,5 - --ocil_clause: '{{{ ocil_clause_file_group_owner(file="/etc/gshadow", group="root") }}}' -+ocil_clause: '{{{ ocil_clause_file_group_owner(file="/etc/gshadow", group=target_group) }}}' - --ocil: '{{{ ocil_file_group_owner(file="/etc/gshadow", group="root") }}}' -+ocil: '{{{ ocil_file_group_owner(file="/etc/gshadow", group=target_group) }}}' - - template: - name: file_groupowner -diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_etc_shadow/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_etc_shadow/rule.yml -index d8a9d04142..b86a219e40 100644 ---- a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_etc_shadow/rule.yml -+++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_etc_shadow/rule.yml -@@ -2,7 +2,13 @@ documentation_complete: true - - title: 'Verify Group Who Owns shadow File' - --description: '{{{ describe_file_group_owner(file="/etc/shadow", group="root") }}}' -+{{% if "ubuntu" in product or "debian" in product %}} -+ {{% set target_group="shadow" %}} -+{{% else %}} -+ {{% set target_group="root" %}} -+{{% endif %}} -+ -+description: '{{{ describe_file_group_owner(file="/etc/shadow", group=target_group) }}}' - - rationale: |- - The /etc/shadow file stores password hashes. Protection of this file is -@@ -31,9 +37,9 @@ references: - iso27001-2013: A.10.1.1,A.11.1.4,A.11.1.5,A.11.2.1,A.13.1.1,A.13.1.3,A.13.2.1,A.13.2.3,A.13.2.4,A.14.1.2,A.14.1.3,A.6.1.2,A.7.1.1,A.7.1.2,A.7.3.1,A.8.2.2,A.8.2.3,A.9.1.1,A.9.1.2,A.9.2.3,A.9.4.1,A.9.4.4,A.9.4.5 - cis-csc: 12,13,14,15,16,18,3,5 - --ocil_clause: '{{{ ocil_clause_file_group_owner(file="/etc/shadow", group="root") }}}' -+ocil_clause: '{{{ ocil_clause_file_group_owner(file="/etc/shadow", group=target_group) }}}' - --ocil: '{{{ ocil_file_group_owner(file="/etc/shadow", group="root") }}}' -+ocil: '{{{ ocil_file_group_owner(file="/etc/shadow", group=target_group) }}}' - - template: - name: file_groupowner - -From 3896f75e95d902c865b8738c4a3988daa5e3091b Mon Sep 17 00:00:00 2001 -From: Watson Sato -Date: Tue, 24 Mar 2020 12:11:58 +0100 -Subject: [PATCH 8/8] Describe different permissions of shadow files - -The permissions of shadow files in debian based distros are expected to -be different. ---- - .../file_permissions_backup_etc_gshadow/rule.yml | 16 ++++++++++++---- - .../file_permissions_backup_etc_shadow/rule.yml | 14 +++++++++++--- - .../file_permissions_etc_gshadow/rule.yml | 14 +++++++++++--- - .../file_permissions_etc_shadow/rule.yml | 14 +++++++++++--- - 4 files changed, 45 insertions(+), 13 deletions(-) - -diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_gshadow/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_gshadow/rule.yml -index 8dc2ca59dc..6e6857027f 100644 ---- a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_gshadow/rule.yml -+++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_gshadow/rule.yml -@@ -2,8 +2,16 @@ documentation_complete: true - - title: 'Verify Permissions on Backup gshadow File' - -+{{% if "ubuntu" in product or "debian" in product %}} -+ {{% set target_perms_octal="0640" %}} -+ {{% set target_perms="-rw-r-----" %}} -+{{% else %}} -+ {{% set target_perms_octal="0000" %}} -+ {{% set target_perms="----------" %}} -+{{% endif %}} -+ - description: |- -- {{{ describe_file_permissions(file="/etc/gshadow-", perms="0000") }}} -+ {{{ describe_file_permissions(file="/etc/gshadow-", perms=target_perms_octal) }}} - - rationale: |- - The /etc/gshadow- file is a backup of /etc/gshadow, and as such, -@@ -19,10 +27,10 @@ references: - cis@rhel7: 6.1.9 - cis@rhel8: 6.1.9 - --ocil_clause: '{{{ ocil_clause_file_permissions(file="/etc/gshadow-", perms="----------") }}}' -+ocil_clause: '{{{ ocil_clause_file_permissions(file="/etc/gshadow-", perms=target_perms) }}}' - --ocil: |- -- {{{ ocil_file_permissions(file="/etc/gshadow-", perms="----------") }}} -+ocil: - -+ {{{ ocil_file_permissions(file="/etc/gshadow-", perms=target_perms) }}} - - template: - name: file_permissions -diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_shadow/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_shadow/rule.yml -index 05a7bd867f..bba9f3de6c 100644 ---- a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_shadow/rule.yml -+++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_shadow/rule.yml -@@ -1,9 +1,17 @@ - documentation_complete: true - -+{{% if "ubuntu" in product or "debian" in product %}} -+ {{% set target_perms_octal="0640" %}} -+ {{% set target_perms="-rw-r-----" %}} -+{{% else %}} -+ {{% set target_perms_octal="0000" %}} -+ {{% set target_perms="----------" %}} -+{{% endif %}} -+ - title: 'Verify Permissions on Backup shadow File' - - description: |- -- {{{ describe_file_permissions(file="/etc/shadow-", perms="0000") }}} -+ {{{ describe_file_permissions(file="/etc/shadow-", perms=target_perms_octal) }}} - - rationale: |- - The /etc/shadow- file is a backup file of /etc/shadow, and as such, -@@ -20,10 +28,10 @@ references: - cis@rhel7: 6.1.7 - cis@rhel8: 6.1.7 - --ocil_clause: '{{{ ocil_clause_file_permissions(file="/etc/shadow-", perms="----------") }}}' -+ocil_clause: '{{{ ocil_clause_file_permissions(file="/etc/shadow-", perms=target_perms) }}}' - - ocil: |- -- {{{ ocil_file_permissions(file="/etc/shadow-", perms="----------") }}} -+ {{{ ocil_file_permissions(file="/etc/shadow-", perms=target_perms) }}} - - template: - name: file_permissions -diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_etc_gshadow/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_etc_gshadow/rule.yml -index d1ed4475fb..7e226951ce 100644 ---- a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_etc_gshadow/rule.yml -+++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_etc_gshadow/rule.yml -@@ -2,8 +2,16 @@ documentation_complete: true - - title: 'Verify Permissions on gshadow File' - -+{{% if "ubuntu" in product or "debian" in product %}} -+ {{% set target_perms_octal="0640" %}} -+ {{% set target_perms="-rw-r-----" %}} -+{{% else %}} -+ {{% set target_perms_octal="0000" %}} -+ {{% set target_perms="----------" %}} -+{{% endif %}} -+ - description: |- -- {{{ describe_file_permissions(file="/etc/gshadow", perms="0000") }}} -+ {{{ describe_file_permissions(file="/etc/gshadow", perms=target_perms_octal) }}} - - rationale: |- - The /etc/gshadow file contains group password hashes. Protection of this file -@@ -31,10 +39,10 @@ references: - iso27001-2013: A.10.1.1,A.11.1.4,A.11.1.5,A.11.2.1,A.13.1.1,A.13.1.3,A.13.2.1,A.13.2.3,A.13.2.4,A.14.1.2,A.14.1.3,A.6.1.2,A.7.1.1,A.7.1.2,A.7.3.1,A.8.2.2,A.8.2.3,A.9.1.1,A.9.1.2,A.9.2.3,A.9.4.1,A.9.4.4,A.9.4.5 - cis-csc: 12,13,14,15,16,18,3,5 - --ocil_clause: '{{{ ocil_clause_file_permissions(file="/etc/gshadow", perms="----------") }}}' -+ocil_clause: '{{{ ocil_clause_file_permissions(file="/etc/gshadow", perms=target_perms) }}}' - - ocil: |- -- {{{ ocil_file_permissions(file="/etc/gshadow", perms="----------") }}} -+ {{{ ocil_file_permissions(file="/etc/gshadow", perms=target_perms) }}} - - template: - name: file_permissions -diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_etc_shadow/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_etc_shadow/rule.yml -index 61f4fb6cce..e66583627d 100644 ---- a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_etc_shadow/rule.yml -+++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_etc_shadow/rule.yml -@@ -2,8 +2,16 @@ documentation_complete: true - - title: 'Verify Permissions on shadow File' - -+{{% if "ubuntu" in product or "debian" in product %}} -+ {{% set target_perms_octal="0640" %}} -+ {{% set target_perms="-rw-r-----" %}} -+{{% else %}} -+ {{% set target_perms_octal="0000" %}} -+ {{% set target_perms="----------" %}} -+{{% endif %}} -+ - description: |- -- {{{ describe_file_permissions(file="/etc/shadow", perms="0000") }}} -+ {{{ describe_file_permissions(file="/etc/shadow", perms=target_perms_octal) }}} - - rationale: |- - The /etc/shadow file contains the list of local -@@ -36,10 +44,10 @@ references: - iso27001-2013: A.10.1.1,A.11.1.4,A.11.1.5,A.11.2.1,A.13.1.1,A.13.1.3,A.13.2.1,A.13.2.3,A.13.2.4,A.14.1.2,A.14.1.3,A.6.1.2,A.7.1.1,A.7.1.2,A.7.3.1,A.8.2.2,A.8.2.3,A.9.1.1,A.9.1.2,A.9.2.3,A.9.4.1,A.9.4.4,A.9.4.5 - cis-csc: 12,13,14,15,16,18,3,5 - --ocil_clause: '{{{ ocil_clause_file_permissions(file="/etc/shadow", perms="----------") }}}' -+ocil_clause: '{{{ ocil_clause_file_permissions(file="/etc/shadow", perms=target_perms) }}}' - - ocil: |- -- {{{ ocil_file_permissions(file="/etc/shadow", perms="----------") }}} -+ {{{ ocil_file_permissions(file="/etc/shadow", perms=target_perms) }}} - - template: - name: file_permissions diff --git a/SOURCES/scap-security-guide-0.1.50-add_rules_etc_hosts_file_permissions_PR_5323.patch b/SOURCES/scap-security-guide-0.1.50-add_rules_etc_hosts_file_permissions_PR_5323.patch deleted file mode 100644 index b513780..0000000 --- a/SOURCES/scap-security-guide-0.1.50-add_rules_etc_hosts_file_permissions_PR_5323.patch +++ /dev/null @@ -1,513 +0,0 @@ -From af42925709b8cd1512fea9e4c532fb22ada45fe3 Mon Sep 17 00:00:00 2001 -From: Watson Sato -Date: Fri, 20 Mar 2020 14:33:53 +0100 -Subject: [PATCH 1/4] Rules for /etc/hosts.allow permissions and owner - ---- - .../file_groupowner_etc_hosts_allow/rule.yml | 34 +++++++++++++++++++ - .../file_owner_etc_hosts_allow/rule.yml | 34 +++++++++++++++++++ - .../file_permissions_etc_hosts_allow/rule.yml | 34 +++++++++++++++++++ - rhel7/profiles/cis.profile | 4 +++ - shared/references/cce-redhat-avail.txt | 6 ---- - 5 files changed, 106 insertions(+), 6 deletions(-) - create mode 100644 linux_os/guide/services/obsolete/inetd_and_xinetd/file_groupowner_etc_hosts_allow/rule.yml - create mode 100644 linux_os/guide/services/obsolete/inetd_and_xinetd/file_owner_etc_hosts_allow/rule.yml - create mode 100644 linux_os/guide/services/obsolete/inetd_and_xinetd/file_permissions_etc_hosts_allow/rule.yml - -diff --git a/linux_os/guide/services/obsolete/inetd_and_xinetd/file_groupowner_etc_hosts_allow/rule.yml b/linux_os/guide/services/obsolete/inetd_and_xinetd/file_groupowner_etc_hosts_allow/rule.yml -new file mode 100644 -index 0000000000..7d43f93c42 ---- /dev/null -+++ b/linux_os/guide/services/obsolete/inetd_and_xinetd/file_groupowner_etc_hosts_allow/rule.yml -@@ -0,0 +1,34 @@ -+documentation_complete: true -+ -+prodtype: ol7,rhel6,rhel7 -+ -+title: 'Verify Group Who Owns /etc/hosts.allow' -+ -+description: |- -+ {{{ describe_file_group_owner(file="/etc/hosts.allow", group="root") }}} -+ -+rationale: |- -+ The /etc/hosts.allow file is used to control access of clients to daemons in the -+ server. Insecure groupownership of this file could allow users to grant clients unrestricted -+ access or no access at all to services in the server. -+ -+severity: medium -+ -+identifiers: -+ cce@rhel7: 83823-5 -+ cce@rhel8: 83824-3 -+ -+references: -+ cis@rhel7: 3.4.4 -+ -+ocil_clause: '{{{ ocil_clause_file_group_owner(file="/etc/hosts.allow", group="root") }}}' -+ -+ocil: |- -+ {{{ ocil_file_group_owner(file="/etc/hosts.allow", group="root") }}} -+ -+template: -+ name: file_groupowner -+ vars: -+ filepath: /etc/hosts.allow -+ filegid: '0' -+ missing_file_pass: 'true' -diff --git a/linux_os/guide/services/obsolete/inetd_and_xinetd/file_owner_etc_hosts_allow/rule.yml b/linux_os/guide/services/obsolete/inetd_and_xinetd/file_owner_etc_hosts_allow/rule.yml -new file mode 100644 -index 0000000000..a301406b45 ---- /dev/null -+++ b/linux_os/guide/services/obsolete/inetd_and_xinetd/file_owner_etc_hosts_allow/rule.yml -@@ -0,0 +1,34 @@ -+documentation_complete: true -+ -+prodtype: ol7,rhel6,rhel7 -+ -+title: 'Verify User Who Owns /etc/hosts.allow' -+ -+description: |- -+ {{{ describe_file_owner(file="/etc/hosts.allow", owner="root") }}} -+ -+rationale: |- -+ The /etc/hosts.allow file is used to control access of clients to daemons in the -+ server. Insecure groupownership of this file could allow users to grant clients unrestricted -+ access or no access at all to services in the server. -+ -+severity: medium -+ -+identifiers: -+ cce@rhel7: 83825-0 -+ cce@rhel8: 83826-8 -+ -+references: -+ cis@rhel7: 3.4.4 -+ -+ocil_clause: '{{{ ocil_clause_file_owner(file="/etc/hosts.allow", owner="root") }}}' -+ -+ocil: |- -+ {{{ ocil_file_owner(file="/etc/hosts.allow", owner="root") }}} -+ -+template: -+ name: file_owner -+ vars: -+ filepath: /etc/hosts.allow -+ fileuid: '0' -+ missing_file_pass: 'true' -diff --git a/linux_os/guide/services/obsolete/inetd_and_xinetd/file_permissions_etc_hosts_allow/rule.yml b/linux_os/guide/services/obsolete/inetd_and_xinetd/file_permissions_etc_hosts_allow/rule.yml -new file mode 100644 -index 0000000000..0a35cbf57e ---- /dev/null -+++ b/linux_os/guide/services/obsolete/inetd_and_xinetd/file_permissions_etc_hosts_allow/rule.yml -@@ -0,0 +1,34 @@ -+documentation_complete: true -+ -+prodtype: ol7,rhel6,rhel7 -+ -+title: 'Verify Permissions on /etc/hosts.allow' -+ -+description: |- -+ {{{ describe_file_permissions(file="/etc/hosts.allow", perms="0644") }}} -+ -+rationale: |- -+ The /etc/hosts.allow file is used to control access of clients to daemons in the -+ server. Insecure groupownership of this file could allow users to grant clients unrestricted -+ access or no access at all to services in the server. -+ -+severity: medium -+ -+identifiers: -+ cce@rhel7: 83827-6 -+ cce@rhel8: 83828-4 -+ -+references: -+ cis@rhel7: 3.4.4 -+ -+ocil_clause: '{{{ ocil_clause_file_permissions(file="/etc/hosts.allow", perms="-rw-r--r--") }}}' -+ -+ocil: |- -+ {{{ ocil_file_permissions(file="/etc/hosts.allow", perms="-rw-r--r--") }}} -+ -+template: -+ name: file_permissions -+ vars: -+ filepath: /etc/hosts.allow -+ filemode: '0644' -+ missing_file_pass: 'true' -diff --git a/rhel7/profiles/cis.profile b/rhel7/profiles/cis.profile -index 486fcf9a33..e50d8ddb43 100644 ---- a/rhel7/profiles/cis.profile -+++ b/rhel7/profiles/cis.profile -@@ -353,6 +353,10 @@ selections: - - configure_etc_hosts_deny - - ### 3.4.4 Ensure permissions on /etc/hosts.allow are configured (Scored) -+ - file_owner_etc_hosts_allow -+ - file_groupowner_etc_hosts_allow -+ - file_permissions_etc_hosts_allow -+ - ### 3.4.5 Ensure permissions on /etc/hosts.deny are configured (Scored) - - ## 3.5 Uncommon Network Protocols -diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt -index a0b117a964..e67f56f9aa 100644 ---- a/shared/references/cce-redhat-avail.txt -+++ b/shared/references/cce-redhat-avail.txt -@@ -528,12 +528,6 @@ CCE-83819-3 - CCE-83820-1 - CCE-83821-9 - CCE-83822-7 --CCE-83823-5 --CCE-83824-3 --CCE-83825-0 --CCE-83826-8 --CCE-83827-6 --CCE-83828-4 - CCE-83829-2 - CCE-83830-0 - CCE-83831-8 - -From 0f43573a6c193e70e1ff02f92a0c2bf9957d2e1c Mon Sep 17 00:00:00 2001 -From: Watson Sato -Date: Fri, 20 Mar 2020 15:01:58 +0100 -Subject: [PATCH 2/4] Rules for /etc/hosts.deny permissions and owner - ---- - .../file_groupowner_etc_hosts_deny/rule.yml | 34 +++++++++++++++++++ - .../file_owner_etc_hosts_deny/rule.yml | 34 +++++++++++++++++++ - .../file_permissions_etc_hosts_deny/rule.yml | 34 +++++++++++++++++++ - rhel7/profiles/cis.profile | 3 ++ - shared/references/cce-redhat-avail.txt | 6 ---- - 5 files changed, 105 insertions(+), 6 deletions(-) - create mode 100644 linux_os/guide/services/obsolete/inetd_and_xinetd/file_groupowner_etc_hosts_deny/rule.yml - create mode 100644 linux_os/guide/services/obsolete/inetd_and_xinetd/file_owner_etc_hosts_deny/rule.yml - create mode 100644 linux_os/guide/services/obsolete/inetd_and_xinetd/file_permissions_etc_hosts_deny/rule.yml - -diff --git a/linux_os/guide/services/obsolete/inetd_and_xinetd/file_groupowner_etc_hosts_deny/rule.yml b/linux_os/guide/services/obsolete/inetd_and_xinetd/file_groupowner_etc_hosts_deny/rule.yml -new file mode 100644 -index 0000000000..db3105eb71 ---- /dev/null -+++ b/linux_os/guide/services/obsolete/inetd_and_xinetd/file_groupowner_etc_hosts_deny/rule.yml -@@ -0,0 +1,34 @@ -+documentation_complete: true -+ -+prodtype: ol7,rhel6,rhel7 -+ -+title: 'Verify Group Who Owns /etc/hosts.deny' -+ -+description: |- -+ {{{ describe_file_group_owner(file="/etc/hosts.deny", group="root") }}} -+ -+rationale: |- -+ The /etc/hosts.deny file is used to control access of clients to daemons in the -+ server. Insecure groupownership of this file could allow users to grant clients unrestricted -+ access or no access at all to services in the server. -+ -+severity: medium -+ -+identifiers: -+ cce@rhel7: 84030-6 -+ cce@rhel8: 84031-4 -+ -+references: -+ cis@rhel7: 3.4.4 -+ -+ocil_clause: '{{{ ocil_clause_file_group_owner(file="/etc/hosts.deny", group="root") }}}' -+ -+ocil: |- -+ {{{ ocil_file_group_owner(file="/etc/hosts.deny", group="root") }}} -+ -+template: -+ name: file_groupowner -+ vars: -+ filepath: /etc/hosts.deny -+ filegid: '0' -+ missing_file_pass: 'true' -diff --git a/linux_os/guide/services/obsolete/inetd_and_xinetd/file_owner_etc_hosts_deny/rule.yml b/linux_os/guide/services/obsolete/inetd_and_xinetd/file_owner_etc_hosts_deny/rule.yml -new file mode 100644 -index 0000000000..75380c7311 ---- /dev/null -+++ b/linux_os/guide/services/obsolete/inetd_and_xinetd/file_owner_etc_hosts_deny/rule.yml -@@ -0,0 +1,34 @@ -+documentation_complete: true -+ -+prodtype: ol7,rhel6,rhel7 -+ -+title: 'Verify User Who Owns /etc/hosts.deny' -+ -+description: |- -+ {{{ describe_file_owner(file="/etc/hosts.deny", owner="root") }}} -+ -+rationale: |- -+ The /etc/hosts.deny file is used to control access of clients to daemons in the -+ server. Insecure groupownership of this file could allow users to grant clients unrestricted -+ access or no access at all to services in the server. -+ -+severity: medium -+ -+identifiers: -+ cce@rhel7: 84032-2 -+ cce@rhel8: 84033-0 -+ -+references: -+ cis@rhel7: 3.4.5 -+ -+ocil_clause: '{{{ ocil_clause_file_owner(file="/etc/hosts.deny", owner="root") }}}' -+ -+ocil: |- -+ {{{ ocil_file_owner(file="/etc/hosts.deny", owner="root") }}} -+ -+template: -+ name: file_owner -+ vars: -+ filepath: /etc/hosts.deny -+ fileuid: '0' -+ missing_file_pass: 'true' -diff --git a/linux_os/guide/services/obsolete/inetd_and_xinetd/file_permissions_etc_hosts_deny/rule.yml b/linux_os/guide/services/obsolete/inetd_and_xinetd/file_permissions_etc_hosts_deny/rule.yml -new file mode 100644 -index 0000000000..ea73fe48cd ---- /dev/null -+++ b/linux_os/guide/services/obsolete/inetd_and_xinetd/file_permissions_etc_hosts_deny/rule.yml -@@ -0,0 +1,34 @@ -+documentation_complete: true -+ -+prodtype: ol7,rhel6,rhel7 -+ -+title: 'Verify Permissions on /etc/hosts.deny' -+ -+description: |- -+ {{{ describe_file_permissions(file="/etc/hosts.deny", perms="0644") }}} -+ -+rationale: |- -+ The /etc/hosts.deny file is used to control access of clients to daemons in the -+ server. Insecure groupownership of this file could allow users to grant clients unrestricted -+ access or no access at all to services in the server. -+ -+severity: medium -+ -+identifiers: -+ cce@rhel7: 84034-8 -+ cce@rhel8: 84035-5 -+ -+references: -+ cis@rhel7: 3.4.5 -+ -+ocil_clause: '{{{ ocil_clause_file_permissions(file="/etc/hosts.deny", perms="-rw-r--r--") }}}' -+ -+ocil: |- -+ {{{ ocil_file_permissions(file="/etc/hosts.deny", perms="-rw-r--r--") }}} -+ -+template: -+ name: file_permissions -+ vars: -+ filepath: /etc/hosts.deny -+ filemode: '0644' -+ missing_file_pass: 'true' -diff --git a/rhel7/profiles/cis.profile b/rhel7/profiles/cis.profile -index e50d8ddb43..5ac119768f 100644 ---- a/rhel7/profiles/cis.profile -+++ b/rhel7/profiles/cis.profile -@@ -358,6 +358,9 @@ selections: - - file_permissions_etc_hosts_allow - - ### 3.4.5 Ensure permissions on /etc/hosts.deny are configured (Scored) -+ - file_owner_etc_hosts_deny -+ - file_groupowner_etc_hosts_deny -+ - file_permissions_etc_hosts_deny - - ## 3.5 Uncommon Network Protocols - ### 3.5.1 Ensure DCCP is disabled (Not Scored) -diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt -index e67f56f9aa..bb234a3131 100644 ---- a/shared/references/cce-redhat-avail.txt -+++ b/shared/references/cce-redhat-avail.txt -@@ -729,12 +729,6 @@ CCE-84026-4 - CCE-84027-2 - CCE-84028-0 - CCE-84029-8 --CCE-84030-6 --CCE-84031-4 --CCE-84032-2 --CCE-84033-0 --CCE-84034-8 --CCE-84035-5 - CCE-84036-3 - CCE-84037-1 - CCE-84038-9 - -From d53500477288c69027127257802bb42355ca7848 Mon Sep 17 00:00:00 2001 -From: Watson Sato -Date: Fri, 20 Mar 2020 16:08:57 +0100 -Subject: [PATCH 3/4] Fix cce assignmetns and references - -Rules for /etc/hosts.allow and /etc/hosts.deny apply to rhel6 and rhel7 ---- - .../file_groupowner_etc_hosts_allow/rule.yml | 4 ++-- - .../file_groupowner_etc_hosts_deny/rule.yml | 6 +++--- - .../inetd_and_xinetd/file_owner_etc_hosts_allow/rule.yml | 4 ++-- - .../inetd_and_xinetd/file_owner_etc_hosts_deny/rule.yml | 4 ++-- - .../file_permissions_etc_hosts_allow/rule.yml | 4 ++-- - .../file_permissions_etc_hosts_deny/rule.yml | 4 ++-- - 6 files changed, 13 insertions(+), 13 deletions(-) - -diff --git a/linux_os/guide/services/obsolete/inetd_and_xinetd/file_groupowner_etc_hosts_allow/rule.yml b/linux_os/guide/services/obsolete/inetd_and_xinetd/file_groupowner_etc_hosts_allow/rule.yml -index 7d43f93c42..aa531e6ace 100644 ---- a/linux_os/guide/services/obsolete/inetd_and_xinetd/file_groupowner_etc_hosts_allow/rule.yml -+++ b/linux_os/guide/services/obsolete/inetd_and_xinetd/file_groupowner_etc_hosts_allow/rule.yml -@@ -15,8 +15,8 @@ rationale: |- - severity: medium - - identifiers: -- cce@rhel7: 83823-5 -- cce@rhel8: 83824-3 -+ cce@rhel6: 83823-5 -+ cce@rhel7: 83824-3 - - references: - cis@rhel7: 3.4.4 -diff --git a/linux_os/guide/services/obsolete/inetd_and_xinetd/file_groupowner_etc_hosts_deny/rule.yml b/linux_os/guide/services/obsolete/inetd_and_xinetd/file_groupowner_etc_hosts_deny/rule.yml -index db3105eb71..fa024f1c27 100644 ---- a/linux_os/guide/services/obsolete/inetd_and_xinetd/file_groupowner_etc_hosts_deny/rule.yml -+++ b/linux_os/guide/services/obsolete/inetd_and_xinetd/file_groupowner_etc_hosts_deny/rule.yml -@@ -15,11 +15,11 @@ rationale: |- - severity: medium - - identifiers: -- cce@rhel7: 84030-6 -- cce@rhel8: 84031-4 -+ cce@rhel6: 84030-6 -+ cce@rhel7: 84031-4 - - references: -- cis@rhel7: 3.4.4 -+ cis@rhel7: 3.4.5 - - ocil_clause: '{{{ ocil_clause_file_group_owner(file="/etc/hosts.deny", group="root") }}}' - -diff --git a/linux_os/guide/services/obsolete/inetd_and_xinetd/file_owner_etc_hosts_allow/rule.yml b/linux_os/guide/services/obsolete/inetd_and_xinetd/file_owner_etc_hosts_allow/rule.yml -index a301406b45..80d5630c48 100644 ---- a/linux_os/guide/services/obsolete/inetd_and_xinetd/file_owner_etc_hosts_allow/rule.yml -+++ b/linux_os/guide/services/obsolete/inetd_and_xinetd/file_owner_etc_hosts_allow/rule.yml -@@ -15,8 +15,8 @@ rationale: |- - severity: medium - - identifiers: -- cce@rhel7: 83825-0 -- cce@rhel8: 83826-8 -+ cce@rhel6: 83825-0 -+ cce@rhel7: 83826-0 - - references: - cis@rhel7: 3.4.4 -diff --git a/linux_os/guide/services/obsolete/inetd_and_xinetd/file_owner_etc_hosts_deny/rule.yml b/linux_os/guide/services/obsolete/inetd_and_xinetd/file_owner_etc_hosts_deny/rule.yml -index 75380c7311..2fc5f74355 100644 ---- a/linux_os/guide/services/obsolete/inetd_and_xinetd/file_owner_etc_hosts_deny/rule.yml -+++ b/linux_os/guide/services/obsolete/inetd_and_xinetd/file_owner_etc_hosts_deny/rule.yml -@@ -15,8 +15,8 @@ rationale: |- - severity: medium - - identifiers: -- cce@rhel7: 84032-2 -- cce@rhel8: 84033-0 -+ cce@rhel6: 84032-2 -+ cce@rhel7: 84033-0 - - references: - cis@rhel7: 3.4.5 -diff --git a/linux_os/guide/services/obsolete/inetd_and_xinetd/file_permissions_etc_hosts_allow/rule.yml b/linux_os/guide/services/obsolete/inetd_and_xinetd/file_permissions_etc_hosts_allow/rule.yml -index 0a35cbf57e..dc1560852a 100644 ---- a/linux_os/guide/services/obsolete/inetd_and_xinetd/file_permissions_etc_hosts_allow/rule.yml -+++ b/linux_os/guide/services/obsolete/inetd_and_xinetd/file_permissions_etc_hosts_allow/rule.yml -@@ -15,8 +15,8 @@ rationale: |- - severity: medium - - identifiers: -- cce@rhel7: 83827-6 -- cce@rhel8: 83828-4 -+ cce@rhel6: 83827-6 -+ cce@rhel7: 83828-4 - - references: - cis@rhel7: 3.4.4 -diff --git a/linux_os/guide/services/obsolete/inetd_and_xinetd/file_permissions_etc_hosts_deny/rule.yml b/linux_os/guide/services/obsolete/inetd_and_xinetd/file_permissions_etc_hosts_deny/rule.yml -index ea73fe48cd..da806139ec 100644 ---- a/linux_os/guide/services/obsolete/inetd_and_xinetd/file_permissions_etc_hosts_deny/rule.yml -+++ b/linux_os/guide/services/obsolete/inetd_and_xinetd/file_permissions_etc_hosts_deny/rule.yml -@@ -15,8 +15,8 @@ rationale: |- - severity: medium - - identifiers: -- cce@rhel7: 84034-8 -- cce@rhel8: 84035-5 -+ cce@rhel6: 84034-8 -+ cce@rhel7: 84035-5 - - references: - cis@rhel7: 3.4.5 - -From b7dc44d2feb734ed89736d1dea813b051e83cfb7 Mon Sep 17 00:00:00 2001 -From: Watson Sato -Date: Mon, 23 Mar 2020 14:18:24 +0100 -Subject: [PATCH 4/4] Rewrite title of ownership rules - -Rewrite title of rules for ownerhip and group ownership of of -/etc/hosts.allow and /etc/hosts.deny ---- - .../inetd_and_xinetd/file_groupowner_etc_hosts_allow/rule.yml | 2 +- - .../inetd_and_xinetd/file_groupowner_etc_hosts_deny/rule.yml | 2 +- - .../inetd_and_xinetd/file_owner_etc_hosts_allow/rule.yml | 2 +- - .../inetd_and_xinetd/file_owner_etc_hosts_deny/rule.yml | 2 +- - 4 files changed, 4 insertions(+), 4 deletions(-) - -diff --git a/linux_os/guide/services/obsolete/inetd_and_xinetd/file_groupowner_etc_hosts_allow/rule.yml b/linux_os/guide/services/obsolete/inetd_and_xinetd/file_groupowner_etc_hosts_allow/rule.yml -index aa531e6ace..cee37ed9c6 100644 ---- a/linux_os/guide/services/obsolete/inetd_and_xinetd/file_groupowner_etc_hosts_allow/rule.yml -+++ b/linux_os/guide/services/obsolete/inetd_and_xinetd/file_groupowner_etc_hosts_allow/rule.yml -@@ -2,7 +2,7 @@ documentation_complete: true - - prodtype: ol7,rhel6,rhel7 - --title: 'Verify Group Who Owns /etc/hosts.allow' -+title: 'Verify Group Ownership of /etc/hosts.allow' - - description: |- - {{{ describe_file_group_owner(file="/etc/hosts.allow", group="root") }}} -diff --git a/linux_os/guide/services/obsolete/inetd_and_xinetd/file_groupowner_etc_hosts_deny/rule.yml b/linux_os/guide/services/obsolete/inetd_and_xinetd/file_groupowner_etc_hosts_deny/rule.yml -index fa024f1c27..403e99908b 100644 ---- a/linux_os/guide/services/obsolete/inetd_and_xinetd/file_groupowner_etc_hosts_deny/rule.yml -+++ b/linux_os/guide/services/obsolete/inetd_and_xinetd/file_groupowner_etc_hosts_deny/rule.yml -@@ -2,7 +2,7 @@ documentation_complete: true - - prodtype: ol7,rhel6,rhel7 - --title: 'Verify Group Who Owns /etc/hosts.deny' -+title: 'Verify Group Ownership of /etc/hosts.deny' - - description: |- - {{{ describe_file_group_owner(file="/etc/hosts.deny", group="root") }}} -diff --git a/linux_os/guide/services/obsolete/inetd_and_xinetd/file_owner_etc_hosts_allow/rule.yml b/linux_os/guide/services/obsolete/inetd_and_xinetd/file_owner_etc_hosts_allow/rule.yml -index 80d5630c48..b34be48968 100644 ---- a/linux_os/guide/services/obsolete/inetd_and_xinetd/file_owner_etc_hosts_allow/rule.yml -+++ b/linux_os/guide/services/obsolete/inetd_and_xinetd/file_owner_etc_hosts_allow/rule.yml -@@ -2,7 +2,7 @@ documentation_complete: true - - prodtype: ol7,rhel6,rhel7 - --title: 'Verify User Who Owns /etc/hosts.allow' -+title: 'Verify Ownership of /etc/hosts.allow' - - description: |- - {{{ describe_file_owner(file="/etc/hosts.allow", owner="root") }}} -diff --git a/linux_os/guide/services/obsolete/inetd_and_xinetd/file_owner_etc_hosts_deny/rule.yml b/linux_os/guide/services/obsolete/inetd_and_xinetd/file_owner_etc_hosts_deny/rule.yml -index 2fc5f74355..e53ee5bc12 100644 ---- a/linux_os/guide/services/obsolete/inetd_and_xinetd/file_owner_etc_hosts_deny/rule.yml -+++ b/linux_os/guide/services/obsolete/inetd_and_xinetd/file_owner_etc_hosts_deny/rule.yml -@@ -2,7 +2,7 @@ documentation_complete: true - - prodtype: ol7,rhel6,rhel7 - --title: 'Verify User Who Owns /etc/hosts.deny' -+title: 'Verify Ownership of /etc/hosts.deny' - - description: |- - {{{ describe_file_owner(file="/etc/hosts.deny", owner="root") }}} diff --git a/SOURCES/scap-security-guide-0.1.50-add_rules_legacy_plus_in_passwd_PR_5339.patch b/SOURCES/scap-security-guide-0.1.50-add_rules_legacy_plus_in_passwd_PR_5339.patch deleted file mode 100644 index cf621f8..0000000 --- a/SOURCES/scap-security-guide-0.1.50-add_rules_legacy_plus_in_passwd_PR_5339.patch +++ /dev/null @@ -1,545 +0,0 @@ -From d97c8749052a095771eb48621f39530f46603acd Mon Sep 17 00:00:00 2001 -From: Vojtech Polasek -Date: Tue, 24 Mar 2020 10:02:19 +0100 -Subject: [PATCH] add rule for passwd add rule for /etc/group add rule for - /etc/shadow add rules to rhel7 and rhel8 cis profiles - ---- - .../ansible/shared.yml | 17 ++++++++++ - .../bash/shared.sh | 7 +++++ - .../oval/shared.xml | 26 ++++++++++++++++ - .../no_legacy_plus_entries_etc_group/rule.yml | 31 +++++++++++++++++++ - .../tests/correct.pass.sh | 3 ++ - .../tests/include_everything.fail.sh | 4 +++ - .../tests/include_group.fail.sh | 3 ++ - .../tests/include_name.fail.sh | 3 ++ - .../tests/multiple.fail.sh | 5 +++ - .../ansible/shared.yml | 17 ++++++++++ - .../bash/shared.sh | 7 +++++ - .../oval/shared.xml | 26 ++++++++++++++++ - .../rule.yml | 31 +++++++++++++++++++ - .../tests/correct.pass.sh | 3 ++ - .../tests/include_everything.fail.sh | 4 +++ - .../tests/include_group.fail.sh | 3 ++ - .../tests/include_name.fail.sh | 3 ++ - .../tests/multiple.fail.sh | 5 +++ - .../ansible/shared.yml | 17 ++++++++++ - .../bash/shared.sh | 7 +++++ - .../oval/shared.xml | 26 ++++++++++++++++ - .../rule.yml | 31 +++++++++++++++++++ - .../tests/correct.pass.sh | 3 ++ - .../tests/include_everything.fail.sh | 4 +++ - .../tests/include_group.fail.sh | 3 ++ - .../tests/include_name.fail.sh | 3 ++ - .../tests/multiple.fail.sh | 5 +++ - rhel7/profiles/cis.profile | 6 ++++ - 30 files changed, 314 insertions(+), 6 deletions(-) - create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_group/ansible/shared.yml - create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_group/bash/shared.sh - create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_group/oval/shared.xml - create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_group/rule.yml - create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_group/tests/correct.pass.sh - create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_group/tests/include_everything.fail.sh - create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_group/tests/include_group.fail.sh - create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_group/tests/include_name.fail.sh - create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_group/tests/multiple.fail.sh - create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_passwd/ansible/shared.yml - create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_passwd/bash/shared.sh - create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_passwd/oval/shared.xml - create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_passwd/rule.yml - create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_passwd/tests/correct.pass.sh - create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_passwd/tests/include_everything.fail.sh - create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_passwd/tests/include_group.fail.sh - create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_passwd/tests/include_name.fail.sh - create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_passwd/tests/multiple.fail.sh - create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_shadow/ansible/shared.yml - create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_shadow/bash/shared.sh - create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_shadow/oval/shared.xml - create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_shadow/rule.yml - create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_shadow/tests/correct.pass.sh - create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_shadow/tests/include_everything.fail.sh - create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_shadow/tests/include_group.fail.sh - create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_shadow/tests/include_name.fail.sh - create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_shadow/tests/multiple.fail.sh - -diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_group/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_group/ansible/shared.yml -new file mode 100644 -index 000000000..acf0496e1 ---- /dev/null -+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_group/ansible/shared.yml -@@ -0,0 +1,17 @@ -+# platform = multi_platform_fedora,Red Hat OpenShift Container Platform 4,Oracle Linux 7,Oracle Linux 8,Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8,Red Hat Virtualization 4 -+# reboot = false -+# strategy = restrict -+# complexity = low -+# disruption = medium -+ -+- name: "Backup the old /etc/group file" -+ copy: -+ src: /etc/group -+ dest: /etc/group- -+ remote_src: true -+ -+- name: "Remove lines starting with + from /etc/group" -+ lineinfile: -+ regexp: '^\+.*$' -+ state: absent -+ path: /etc/group -diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_group/bash/shared.sh b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_group/bash/shared.sh -new file mode 100644 -index 000000000..524cf10d5 ---- /dev/null -+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_group/bash/shared.sh -@@ -0,0 +1,7 @@ -+# platform = multi_platform_fedora,Red Hat OpenShift Container Platform 4,Oracle Linux 7,Oracle Linux 8,Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8,Red Hat Virtualization 4 -+ -+if grep -q '^\+' /etc/group; then -+# backup old file to /etc/group- -+ cp /etc/group /etc/group- -+ sed -i '/^\+.*$/d' /etc/group -+fi -diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_group/oval/shared.xml b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_group/oval/shared.xml -new file mode 100644 -index 000000000..01ddaa125 ---- /dev/null -+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_group/oval/shared.xml -@@ -0,0 +1,26 @@ -+ -+ -+ -+ Ensure there are no legacy + NIS entries in /etc/group -+ {{{- oval_affected(products) }}} -+ No lines starting with + are in /etc/group -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ /etc/group -+ ^\+.*$ -+ 1 -+ -+ -+ -diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_group/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_group/rule.yml -new file mode 100644 -index 000000000..a47fd1089 ---- /dev/null -+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_group/rule.yml -@@ -0,0 +1,31 @@ -+documentation_complete: true -+ -+prodtype: fedora,ocp4,ol7,ol8,rhel7,rhel8,rhv4 -+ -+title: 'Ensure there are no legacy + NIS entries in /etc/group' -+ -+description: |- -+ The + character in /etc/group file marks a place where -+ entries from a network information service (NIS) should be directly inserted. -+ -+rationale: |- -+ Using this method to include entries into /etc/group is considered legacy -+ and should be avoided. These entries may provide a way for an attacker -+ to gain access to the system. -+ -+severity: medium -+ -+identifiers: -+ cce@rhel7: 83388-9 -+ cce@rhel8: 83389-7 -+ -+references: -+ cis@rhel7: 6.2.4 -+ cis@rhel8: 6.2.5 -+ -+ocil_clause: 'the file contains legacy lines' -+ -+ocil: |- -+ To check for legacy lines in /etc/group, run the following command: -+
 grep '^\+' /etc/group
-+ The command should not return any output. -diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_group/tests/correct.pass.sh b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_group/tests/correct.pass.sh -new file mode 100644 -index 000000000..1adc7ac56 ---- /dev/null -+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_group/tests/correct.pass.sh -@@ -0,0 +1,3 @@ -+#!/bin/bash -+ -+sed -i '/^\+.*$/d' /etc/group -diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_group/tests/include_everything.fail.sh b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_group/tests/include_everything.fail.sh -new file mode 100644 -index 000000000..1ef667771 ---- /dev/null -+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_group/tests/include_everything.fail.sh -@@ -0,0 +1,4 @@ -+#!/bin/bash -+ -+ -+echo "+" >> /etc/group -diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_group/tests/include_group.fail.sh b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_group/tests/include_group.fail.sh -new file mode 100644 -index 000000000..9192157bd ---- /dev/null -+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_group/tests/include_group.fail.sh -@@ -0,0 +1,3 @@ -+#!/bin/bash -+ -+echo "+@group" >> /etc/group -diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_group/tests/include_name.fail.sh b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_group/tests/include_name.fail.sh -new file mode 100644 -index 000000000..709937f75 ---- /dev/null -+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_group/tests/include_name.fail.sh -@@ -0,0 +1,3 @@ -+#!/bin/bash -+ -+echo "+name" >> /etc/group -diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_group/tests/multiple.fail.sh b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_group/tests/multiple.fail.sh -new file mode 100644 -index 000000000..79cbd5456 ---- /dev/null -+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_group/tests/multiple.fail.sh -@@ -0,0 +1,5 @@ -+#!/bin/bash -+ -+echo "+name" >> /etc/group -+echo "+" >> /etc/group -+echo "+@group" >> /etc/group -diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_passwd/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_passwd/ansible/shared.yml -new file mode 100644 -index 000000000..5baef2580 ---- /dev/null -+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_passwd/ansible/shared.yml -@@ -0,0 +1,17 @@ -+# platform = multi_platform_fedora,Red Hat OpenShift Container Platform 4,Oracle Linux 7,Oracle Linux 8,Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8,Red Hat Virtualization 4 -+# reboot = false -+# strategy = restrict -+# complexity = low -+# disruption = medium -+ -+- name: "Backup the old /etc/passwd file" -+ copy: -+ src: /etc/passwd -+ dest: /etc/passwd- -+ remote_src: true -+ -+- name: "Remove lines starting with + from /etc/passwd" -+ lineinfile: -+ regexp: '^\+.*$' -+ state: absent -+ path: /etc/passwd -diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_passwd/bash/shared.sh b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_passwd/bash/shared.sh -new file mode 100644 -index 000000000..4bb73e017 ---- /dev/null -+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_passwd/bash/shared.sh -@@ -0,0 +1,7 @@ -+# platform = multi_platform_fedora,Red Hat OpenShift Container Platform 4,Oracle Linux 7,Oracle Linux 8,Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8,Red Hat Virtualization 4 -+ -+if grep -q '^\+' /etc/passwd; then -+# backup old file to /etc/passwd- -+ cp /etc/passwd /etc/passwd- -+ sed -i '/^\+.*$/d' /etc/passwd -+fi -diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_passwd/oval/shared.xml b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_passwd/oval/shared.xml -new file mode 100644 -index 000000000..210437adb ---- /dev/null -+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_passwd/oval/shared.xml -@@ -0,0 +1,26 @@ -+ -+ -+ -+ Ensure there are no legacy + NIS entries in /etc/passwd -+ {{{- oval_affected(products) }}} -+ No lines starting with + are in /etc/passwd -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ /etc/passwd -+ ^\+.*$ -+ 1 -+ -+ -+ -diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_passwd/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_passwd/rule.yml -new file mode 100644 -index 000000000..e7c5f9832 ---- /dev/null -+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_passwd/rule.yml -@@ -0,0 +1,31 @@ -+documentation_complete: true -+ -+prodtype: fedora,ocp4,ol7,ol8,rhel7,rhel8,rhv4 -+ -+title: 'Ensure there are no legacy + NIS entries in /etc/passwd' -+ -+description: |- -+ The + character in /etc/passwd file marks a place where -+ entries from a network information service (NIS) should be directly inserted. -+ -+rationale: |- -+ Using this method to include entries into /etc/passwd is considered legacy -+ and should be avoided. These entries may provide a way for an attacker -+ to gain access to the system. -+ -+severity: medium -+ -+identifiers: -+ cce@rhel7: 82889-7 -+ cce@rhel8: 82890-5 -+ -+references: -+ cis@rhel7: 6.2.2 -+ cis@rhel8: 6.2.2 -+ -+ocil_clause: 'the file contains legacy lines' -+ -+ocil: |- -+ To check for legacy lines in /etc/passwd, run the following command: -+
 grep '^\+' /etc/passwd
-+ The command should not return any output. -diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_passwd/tests/correct.pass.sh b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_passwd/tests/correct.pass.sh -new file mode 100644 -index 000000000..ac0b47f7a ---- /dev/null -+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_passwd/tests/correct.pass.sh -@@ -0,0 +1,3 @@ -+#!/bin/bash -+ -+sed -i '/^\+.*$/d' /etc/passwd -diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_passwd/tests/include_everything.fail.sh b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_passwd/tests/include_everything.fail.sh -new file mode 100644 -index 000000000..94a980029 ---- /dev/null -+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_passwd/tests/include_everything.fail.sh -@@ -0,0 +1,4 @@ -+#!/bin/bash -+ -+ -+echo "+" >> /etc/passwd -diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_passwd/tests/include_group.fail.sh b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_passwd/tests/include_group.fail.sh -new file mode 100644 -index 000000000..90b717cc1 ---- /dev/null -+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_passwd/tests/include_group.fail.sh -@@ -0,0 +1,3 @@ -+#!/bin/bash -+ -+echo "+@group" >> /etc/passwd -diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_passwd/tests/include_name.fail.sh b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_passwd/tests/include_name.fail.sh -new file mode 100644 -index 000000000..0c036c3e2 ---- /dev/null -+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_passwd/tests/include_name.fail.sh -@@ -0,0 +1,3 @@ -+#!/bin/bash -+ -+echo "+name" >> /etc/passwd -diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_passwd/tests/multiple.fail.sh b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_passwd/tests/multiple.fail.sh -new file mode 100644 -index 000000000..cf16444d7 ---- /dev/null -+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_passwd/tests/multiple.fail.sh -@@ -0,0 +1,5 @@ -+#!/bin/bash -+ -+echo "+name" >> /etc/passwd -+echo "+" >> /etc/passwd -+echo "+@group" >> /etc/passwd -diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_shadow/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_shadow/ansible/shared.yml -new file mode 100644 -index 000000000..c969414d2 ---- /dev/null -+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_shadow/ansible/shared.yml -@@ -0,0 +1,17 @@ -+# platform = multi_platform_fedora,Red Hat OpenShift Container Platform 4,Oracle Linux 7,Oracle Linux 8,Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8,Red Hat Virtualization 4 -+# reboot = false -+# strategy = restrict -+# complexity = low -+# disruption = medium -+ -+- name: "Backup the old /etc/shadow file" -+ copy: -+ src: /etc/shadow -+ dest: /etc/shadow- -+ remote_src: true -+ -+- name: "Remove lines starting with + from /etc/shadow" -+ lineinfile: -+ regexp: '^\+.*$' -+ state: absent -+ path: /etc/shadow -diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_shadow/bash/shared.sh b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_shadow/bash/shared.sh -new file mode 100644 -index 000000000..f8874c9f0 ---- /dev/null -+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_shadow/bash/shared.sh -@@ -0,0 +1,7 @@ -+# platform = multi_platform_fedora,Red Hat OpenShift Container Platform 4,Oracle Linux 7,Oracle Linux 8,Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8,Red Hat Virtualization 4 -+ -+if grep -q '^\+' /etc/shadow; then -+# backup old file to /etc/shadow- -+ cp /etc/shadow /etc/shadow- -+ sed -i '/^\+.*$/d' /etc/shadow -+fi -diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_shadow/oval/shared.xml b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_shadow/oval/shared.xml -new file mode 100644 -index 000000000..8fad2c384 ---- /dev/null -+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_shadow/oval/shared.xml -@@ -0,0 +1,26 @@ -+ -+ -+ -+ Ensure there are no legacy + NIS entries in /etc/shadow -+ {{{- oval_affected(products) }}} -+ No lines starting with + are in /etc/shadow -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ /etc/shadow -+ ^\+.*$ -+ 1 -+ -+ -+ -diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_shadow/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_shadow/rule.yml -new file mode 100644 -index 000000000..beb3772b2 ---- /dev/null -+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_shadow/rule.yml -@@ -0,0 +1,31 @@ -+documentation_complete: true -+ -+prodtype: fedora,ocp4,ol7,ol8,rhel7,rhel8,rhv4 -+ -+title: 'Ensure there are no legacy + NIS entries in /etc/shadow' -+ -+description: |- -+ The + character in /etc/shadow file marks a place where -+ entries from a network information service (NIS) should be directly inserted. -+ -+rationale: |- -+ Using this method to include entries into /etc/shadow is considered legacy -+ and should be avoided. These entries may provide a way for an attacker -+ to gain access to the system. -+ -+severity: medium -+ -+identifiers: -+ cce@rhel7: 83390-5 -+ cce@rhel8: 84290-6 -+ -+references: -+ cis@rhel7: 6.2.3 -+ cis@rhel8: 6.2.4 -+ -+ocil_clause: 'the file contains legacy lines' -+ -+ocil: |- -+ To check for legacy lines in /etc/shadow, run the following command: -+
 grep '^\+' /etc/shadow
-+ The command should not return any output. -diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_shadow/tests/correct.pass.sh b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_shadow/tests/correct.pass.sh -new file mode 100644 -index 000000000..4647b544e ---- /dev/null -+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_shadow/tests/correct.pass.sh -@@ -0,0 +1,3 @@ -+#!/bin/bash -+ -+sed -i '/^\+.*$/d' /etc/shadow -diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_shadow/tests/include_everything.fail.sh b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_shadow/tests/include_everything.fail.sh -new file mode 100644 -index 000000000..881e23676 ---- /dev/null -+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_shadow/tests/include_everything.fail.sh -@@ -0,0 +1,4 @@ -+#!/bin/bash -+ -+ -+echo "+" >> /etc/shadow -diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_shadow/tests/include_group.fail.sh b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_shadow/tests/include_group.fail.sh -new file mode 100644 -index 000000000..39076bdcc ---- /dev/null -+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_shadow/tests/include_group.fail.sh -@@ -0,0 +1,3 @@ -+#!/bin/bash -+ -+echo "+@group" >> /etc/shadow -diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_shadow/tests/include_name.fail.sh b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_shadow/tests/include_name.fail.sh -new file mode 100644 -index 000000000..6cbc6e885 ---- /dev/null -+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_shadow/tests/include_name.fail.sh -@@ -0,0 +1,3 @@ -+#!/bin/bash -+ -+echo "+name" >> /etc/shadow -diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_shadow/tests/multiple.fail.sh b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_shadow/tests/multiple.fail.sh -new file mode 100644 -index 000000000..b2daf1bc2 ---- /dev/null -+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_shadow/tests/multiple.fail.sh -@@ -0,0 +1,5 @@ -+#!/bin/bash -+ -+echo "+name" >> /etc/shadow -+echo "+" >> /etc/shadow -+echo "+@group" >> /etc/shadow -diff --git a/rhel7/profiles/cis.profile b/rhel7/profiles/cis.profile -index b66594f59..bfb1508b6 100644 ---- a/rhel7/profiles/cis.profile -+++ b/rhel7/profiles/cis.profile -@@ -735,8 +735,14 @@ selections: - ## 6.2 User and Group Settings - ### 6.2.1 Ensure password fields are not empty (Scored) - ### 6.2.2 Ensure no legacy "+" entries exist in /etc/passwd (Scored) -+ - no_legacy_plus_entries_etc_passwd -+ - ### 6.2.3 Ensure no legacy "+" entries exist in /etc/shadow (Scored) -+ - no_legacy_plus_entries_etc_shadow -+ - ### 6.2.4 Ensure no legacy "+" entries exist in /etc/group (Scored) -+ - no_legacy_plus_entries_etc_group -+ - ### 6.2.5 Ensure root is the only UID 0 account (Scored) - - accounts_no_uid_except_zero - --- -2.21.1 - diff --git a/SOURCES/scap-security-guide-0.1.50-add_service_rsyncd_disabled_PR_5318.patch b/SOURCES/scap-security-guide-0.1.50-add_service_rsyncd_disabled_PR_5318.patch deleted file mode 100644 index 719a99d..0000000 --- a/SOURCES/scap-security-guide-0.1.50-add_service_rsyncd_disabled_PR_5318.patch +++ /dev/null @@ -1,63 +0,0 @@ -From f2024fe66e871a4f7dc54454065f59f4b2bf31db Mon Sep 17 00:00:00 2001 -From: Vojtech Polasek -Date: Thu, 19 Mar 2020 16:48:52 +0100 -Subject: [PATCH] add rule - ---- - .../obsolete/service_rsyncd_disabled/rule.yml | 33 +++++++++++++++++++ - shared/references/cce-redhat-avail.txt | 2 -- - 2 files changed, 33 insertions(+), 2 deletions(-) - create mode 100644 linux_os/guide/services/obsolete/service_rsyncd_disabled/rule.yml - -diff --git a/linux_os/guide/services/obsolete/service_rsyncd_disabled/rule.yml b/linux_os/guide/services/obsolete/service_rsyncd_disabled/rule.yml -new file mode 100644 -index 0000000000..9cb9d15dcc ---- /dev/null -+++ b/linux_os/guide/services/obsolete/service_rsyncd_disabled/rule.yml -@@ -0,0 +1,33 @@ -+documentation_complete: true -+ -+prodtype: rhel7,ol7,rhel8,ol8,fedora,rhv4,ocp4 -+ -+title: 'Ensure rsyncd service is diabled' -+ -+description: |- -+ {{{ describe_service_disable("rsyncd") }}} -+ -+rationale: |- -+ The rsyncd service presents a security risk as it uses unencrypted protocols for -+ communication. -+ -+severity: medium -+ -+identifiers: -+ cce@rhel7: 83334-3 -+ cce@rhel8: 83335-0 -+ -+references: -+ cis@rhel7: 2.2.21 -+ cis@rhel8: 2.2.3 -+ -+ocil_clause: 'the service is not disabled' -+ -+ocil: |- -+ {{{ ocil_service_disabled("rsyncd") }}} -+ -+template: -+ name: service_disabled -+ vars: -+ servicename: rsyncd -+ packagename: rsync -diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt -index a0b117a964..67fa853d75 100644 ---- a/shared/references/cce-redhat-avail.txt -+++ b/shared/references/cce-redhat-avail.txt -@@ -45,8 +45,6 @@ CCE-83330-1 - CCE-83331-9 - CCE-83332-7 - CCE-83333-5 --CCE-83334-3 --CCE-83335-0 - CCE-83336-8 - CCE-83337-6 - CCE-83338-4 diff --git a/SOURCES/scap-security-guide-0.1.50-ansible_audit_avoid_duplicates_PR_5650.patch b/SOURCES/scap-security-guide-0.1.50-ansible_audit_avoid_duplicates_PR_5650.patch deleted file mode 100644 index 0f3a069..0000000 --- a/SOURCES/scap-security-guide-0.1.50-ansible_audit_avoid_duplicates_PR_5650.patch +++ /dev/null @@ -1,1397 +0,0 @@ -From 92ff3c1ee5dbeae8260d8ebbb9926cc63296c72a Mon Sep 17 00:00:00 2001 -From: Vojtech Polasek -Date: Tue, 21 Apr 2020 11:04:43 +0200 -Subject: [PATCH 1/8] fix audit_rules_media_export ansible remediation - ---- - .../ansible/shared.yml | 44 +++++++++++++++++-- - 1 file changed, 40 insertions(+), 4 deletions(-) - -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_media_export/ansible/shared.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_media_export/ansible/shared.yml -index 12a61b6d1c..944a69cfaf 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_media_export/ansible/shared.yml -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_media_export/ansible/shared.yml -@@ -11,6 +11,39 @@ - set_fact: - audit_arch: "b{{ ansible_architecture | regex_replace('.*(\\d\\d$)','\\1') }}" - -+# -+# check if rules are already present -+# -+ -+- name: Check if the rule for x86_64 is already present in /etc/audit/rules.d/* -+ find: -+ paths: "/etc/audit/rules.d/" -+ contains: '^\s*-a\s+always,exit\s+-F\s+arch=b64\s+-S\s+mount\s+-F\s+auid>={{{ auid }}}\s+-F\s+auid!=unset(\s|$)+' -+ patterns: "*.rules" -+ register: find_existing_media_export_64_rules_d -+ -+- name: Check if the rule for x86 is already present in /etc/audit/rules.d/* -+ find: -+ paths: "/etc/audit/rules.d/" -+ contains: '^\s*-a\s+always,exit\s+-F\s+arch=b32\s+-S\s+mount\s+-F\s+auid>={{{ auid }}}\s+-F\s+auid!=unset(\s|$)+' -+ patterns: "*.rules" -+ register: find_existing_media_export_32_rules_d -+ -+- name: Check if the rule for x86_64 is already present in /etc/audit/audit.rules -+ find: -+ paths: "/etc/audit/" -+ contains: '^\s*-a\s+always,exit\s+-F\s+arch=b64\s+-S\s+mount\s+-F\s+auid>={{{ auid }}}\s+-F\s+auid!=unset(\s|$)+' -+ patterns: "audit.rules" -+ register: find_existing_media_export_64_audit_rules -+ -+- name: Check if the rule for x86 is already present in /etc/audit/rules.d/* -+ find: -+ paths: "/etc/audit/" -+ contains: '^\s*-a\s+always,exit\s+-F\s+arch=b32\s+-S\s+mount\s+-F\s+auid>={{{ auid }}}\s+-F\s+auid!=unset(\s|$)+' -+ patterns: "audit.rules" -+ register: find_existing_media_export_32_audit_rules -+ -+ - # - # Inserts/replaces the rule in /etc/audit/rules.d - # -@@ -21,31 +54,33 @@ - contains: "-F key=export$" - patterns: "*.rules" - register: find_mount -+ when: (find_existing_media_export_32_rules_d is defined and find_existing_media_export_32_rules_d.matched == 0) or (find_existing_media_export_64_rules_d is defined and find_existing_media_export_64_rules_d.matched == 0) - - - name: If existing media export ruleset not found, use /etc/audit/rules.d/export.rules as the recipient for the rule - set_fact: - all_files: - - /etc/audit/rules.d/export.rules -- when: find_mount.matched is defined and find_mount.matched == 0 -+ when: find_mount.matched is defined and find_mount.matched == 0 and ((find_existing_media_export_32_rules_d is defined and find_existing_media_export_32_rules_d.matched == 0) or (find_existing_media_export_64_rules_d is defined and find_existing_media_export_64_rules_d.matched == 0)) - - - name: Use matched file as the recipient for the rule - set_fact: - all_files: - - "{{ find_mount.files | map(attribute='path') | list | first }}" -- when: find_mount.matched is defined and find_mount.matched > 0 -+ when: find_mount.matched is defined and find_mount.matched > 0 and ((find_existing_media_export_32_rules_d is defined and find_existing_media_export_32_rules_d.matched == 0) or (find_existing_media_export_64_rules_d is defined and find_existing_media_export_64_rules_d.matched == 0)) - - - name: Inserts/replaces the media export rule in rules.d when on x86 - lineinfile: - path: "{{ all_files[0] }}" - line: "-a always,exit -F arch=b32 -S mount -F auid>={{{ auid }}} -F auid!=unset -F key=export" - create: yes -+ when: find_existing_media_export_32_rules_d is defined and find_existing_media_export_32_rules_d.matched == 0 - - - name: Inserts/replaces the media export rule in rules.d when on x86_64 - lineinfile: - path: "{{ all_files[0] }}" - line: "-a always,exit -F arch=b64 -S mount -F auid>={{{ auid }}} -F auid!=unset -F key=export" - create: yes -- when: audit_arch is defined and audit_arch == 'b64' -+ when: audit_arch is defined and audit_arch == 'b64' and find_existing_media_export_64_rules_d is defined and find_existing_media_export_64_rules_d.matched == 0 - # - # Inserts/replaces the rule in /etc/audit/audit.rules - # -@@ -55,6 +90,7 @@ - state: present - dest: /etc/audit/audit.rules - create: yes -+ when: find_existing_media_export_32_audit_rules is defined and find_existing_media_export_32_audit_rules.matched == 0 - - - name: Inserts/replaces the media export rule in audit.rules when on x86_64 - lineinfile: -@@ -62,4 +98,4 @@ - state: present - dest: /etc/audit/audit.rules - create: yes -- when: audit_arch is defined and audit_arch == 'b64' -+ when: audit_arch is defined and audit_arch == 'b64' and find_existing_media_export_64_audit_rules is defined and find_existing_media_export_64_audit_rules.matched == 0 - -From ffdfd62dc6e19ca655132f119b3998f01dea98fe Mon Sep 17 00:00:00 2001 -From: Vojtech Polasek -Date: Tue, 21 Apr 2020 14:42:40 +0200 -Subject: [PATCH 2/8] make audit_rules_kernel_module_loading ansible - remediation robust - -add test ---- - .../ansible/shared.yml | 282 ++++++++++++++++-- - .../syscalls_one_per_line_one_missing.fail.sh | 11 + - 2 files changed, 271 insertions(+), 22 deletions(-) - create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/tests/syscalls_one_per_line_one_missing.fail.sh - -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/ansible/shared.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/ansible/shared.yml -index 8cc519c61b..17eb72a99d 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/ansible/shared.yml -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/ansible/shared.yml -@@ -11,6 +11,95 @@ - set_fact: - audit_arch: "b{{ ansible_architecture | regex_replace('.*(\\d\\d$)','\\1') }}" - -+# -+# check if rules don't exist already -+# -+ -+- name: Check if rule for x86 init_module already exists in /etc/audit/rules.d/* -+ find: -+ paths: "/etc/audit/rules.d/" -+ contains: '^\s*-a\s+always,exit\s+-F\s+arch=b32\s+-S\s+init_module[\s$]+' -+ patterns: "*.rules" -+ register: find_existing_kernel_init_module_32_rules_d -+ -+- name: Check if rule for x86 delete_module already exists in /etc/audit/rules.d/* -+ find: -+ paths: "/etc/audit/rules.d/" -+ contains: '^\s*-a\s+always,exit\s+-F\s+arch=b32\s+-S\s+delete_module[\s$]+' -+ patterns: "*.rules" -+ register: find_existing_kernel_delete_module_32_rules_d -+ -+- name: Check if rule for x86 finit_module already exists in /etc/audit/rules.d/* -+ find: -+ paths: "/etc/audit/rules.d/" -+ contains: '^\s*-a\s+always,exit\s+-F\s+arch=b32\s+-S\s+finit_module[\s$]+' -+ patterns: "*.rules" -+ register: find_existing_kernel_finit_module_32_rules_d -+ -+- name: Check if rule for x86_64 init_module already exists in /etc/audit/rules.d/* -+ find: -+ paths: "/etc/audit/rules.d/" -+ contains: '^\s*-a\s+always,exit\s+-F\s+arch=b64\s+-S\s+init_module[\s$]+' -+ patterns: "*.rules" -+ register: find_existing_kernel_init_module_64_rules_d -+ -+- name: Check if rule for x86_64 delete_module already exists in /etc/audit/rules.d/* -+ find: -+ paths: "/etc/audit/rules.d/" -+ contains: '^\s*-a\s+always,exit\s+-F\s+arch=b64\s+-S\s+delete_module[\s$]+' -+ patterns: "*.rules" -+ register: find_existing_kernel_delete_module_64_rules_d -+ -+- name: Check if rule for x86_64 finit_module already exists in /etc/audit/rules.d/* -+ find: -+ paths: "/etc/audit/rules.d/" -+ contains: '^\s*-a\s+always,exit\s+-F\s+arch=b64\s+-S\s+finit_module[\s$]+' -+ patterns: "*.rules" -+ register: find_existing_kernel_finit_module_64_rules_d -+ -+- name: Check if rule for x86 init_module already exists in /etc/audit/audit.rules -+ find: -+ paths: "/etc/audit/" -+ contains: '^\s*-a\s+always,exit\s+-F\s+arch=b32\s+-S\s+init_module[\s$]+' -+ patterns: "audit.rules" -+ register: find_existing_kernel_init_module_32_audit_rules -+ -+- name: Check if rule for x86 delete_module already exists in /etc/audit/audit.rules -+ find: -+ paths: "/etc/audit/" -+ contains: '^\s*-a\s+always,exit\s+-F\s+arch=b32\s+-S\s+delete_module[\s$]+' -+ patterns: "audit.rules" -+ register: find_existing_kernel_delete_module_32_audit_rules -+ -+- name: Check if rule for x86 finit_module already exists in /etc/audit/audit.rules -+ find: -+ paths: "/etc/audit/audit.rules" -+ contains: '^\s*-a\s+always,exit\s+-F\s+arch=b32\s+-S\s+finit_module[\s$]+' -+ patterns: "audit.rules" -+ register: find_existing_kernel_finit_module_32_audit_rules -+ -+- name: Check if rule for x86_64 init_module already exists in /etc/audit/audit.rules -+ find: -+ paths: "/etc/audit/" -+ contains: '^\s*-a\s+always,exit\s+-F\s+arch=b64\s+-S\s+init_module[\s$]+' -+ patterns: "audit.rules" -+ register: find_existing_kernel_init_module_64_audit_rules -+ -+- name: Check if rule for x86_64 delete_module already exists in /etc/audit/audit.rules -+ find: -+ paths: "/etc/audit/" -+ contains: '^\s*-a\s+always,exit\s+-F\s+arch=b64\s+-S\s+delete_module[\s$]+' -+ patterns: "audit.rules" -+ register: find_existing_kernel_delete_module_64_audit_rules -+ -+- name: Check if rule for x86_64 finit_module already exists in /etc/audit/audit.rules -+ find: -+ paths: "/etc/audit/" -+ contains: '^\s*-a\s+always,exit\s+-F\s+arch=b64\s+-S\s+finit_module[\s$]+' -+ patterns: "audit.rules" -+ register: find_existing_kernel_finit_module_64_audit_rules -+ -+ - # - # Inserts/replaces the rule in /etc/audit/rules.d - # -@@ -34,48 +123,197 @@ - - "{{ find_modules.files | map(attribute='path') | list | first }}" - when: find_modules.matched is defined and find_modules.matched > 0 - -+# -+# create resulting lines to be inserted into appropriate files -+# -+ -+- name: Start creating remediation line for 32 bit rule in /etc/audit/rules.d -+ set_fact: -+ audit_kernel_line_32_rules_d = "-a always,exit -F arch=b32 " -+ {{% if product == "rhel6" %}} -+ when: (find_existing_kernel_init_module_32_rules_d is defined and find_existing_kernel_init_module_32_rules_d.matched == 0) or (find_existing_kernel_delete_module_32_rules_d is defined and find_existing_kernel_delete_module_32_rules_d.matched == 0) -+ {{% else %}} -+ when: (find_existing_kernel_init_module_32_rules_d is defined and find_existing_kernel_init_module_32_rules_d.matched == 0) or (find_existing_kernel_delete_module_32_rules_d is defined and find_existing_kernel_delete_module_32_rules_d.matched == 0) or (find_existing_kernel_finit_module_32_rules_d is defined and find_existing_kernel_finit_module_32_rules_d.matched == 0) -+ {{% endif %}} -+ -+- name: add init_module into line for 32 bit rules.d -+ set_fact: -+ audit_kernel_line_32_rules_d= {{ audit_kernel_line_32_rules_d + '-S init_module ' }} -+ when: find_existing_kernel_init_module_32_rules_d is defined and find_existing_kernel_init_module_32_rules_d.matched == 0 and audit_kernel_line_32_rules_d is defined -+ -+- name: add delete_module into line for 32 bit rules.d -+ set_fact: -+ audit_kernel_line_32_rules_d= {{ audit_kernel_line_32_rules_d + '-S delete_module ' }} -+ when: find_existing_kernel_delete_module_32_rules_d is defined and find_existing_kernel_delete_module_32_rules_d.matched == 0 and audit_kernel_line_32_rules_d is defined -+ -+{{% if product != "rhel6" %}} -+- name: add finit_module into line for 32 bit rules.d -+ set_fact: -+ audit_kernel_line_32_rules_d= {{ audit_kernel_line_32_rules_d + '-S finit_module ' }} -+ when: find_existing_kernel_finit_module_32_rules_d is defined and find_existing_finit_delete_module_32_rules_d.matched == 0 and audit_kernel_line_32_rules_d is defined -+{{% endif %}} -+ -+- name: Finish creating remediation line for 32 bit rule in /etc/audit/rules.d -+ set_fact: -+ audit_kernel_line_32_rules_d= {{ audit_kernel_line_32_rules_d + '-k modules' }} -+ {{% if product == "rhel6" %}} -+ when: (find_existing_kernel_init_module_32_rules_d is defined and find_existing_kernel_init_module_32_rules_d.matched == 0) or (find_existing_kernel_delete_module_32_rules_d is defined and find_existing_kernel_delete_module_32_rules_d.matched == 0) and audit_kernel_line_32_rules_d is defined -+ {{% else %}} -+ when: (find_existing_kernel_init_module_32_rules_d is defined and find_existing_kernel_init_module_32_rules_d.matched == 0) or (find_existing_kernel_delete_module_32_rules_d is defined and find_existing_kernel_delete_module_32_rules_d.matched == 0) or (find_existing_kernel_finit_module_32_rules_d is defined and find_existing_kernel_finit_module_32_rules_d.matched == 0) and audit_kernel_line_32_rules_d is defined -+ {{% endif %}} -+ -+- name: Start creating remediation line for 64 bit rule in /etc/audit/rules.d -+ set_fact: -+ audit_kernel_line_64_rules_d = "-a always,exit -F arch=b64 " -+ {{% if product == "rhel6" %}} -+ when: (find_existing_kernel_init_module_64_rules_d is defined and find_existing_kernel_init_module_64_rules_d.matched == 0) or (find_existing_kernel_delete_module_64_rules_d is defined and find_existing_kernel_delete_module_64_rules_d.matched == 0) -+ {{% else %}} -+ when: (find_existing_kernel_init_module_64_rules_d is defined and find_existing_kernel_init_module_64_rules_d.matched == 0) or (find_existing_kernel_delete_module_64_rules_d is defined and find_existing_kernel_delete_module_64_rules_d.matched == 0) or (find_existing_kernel_finit_module_64_rules_d is defined and find_existing_kernel_finit_module_64_rules_d.matched == 0) -+ {{% endif %}} -+ -+- name: add init_module into line for 64 bit rules.d -+ set_fact: -+ audit_kernel_line_64_rules_d= {{ audit_kernel_line_64_rules_d + '-S init_module ' }} -+ when: find_existing_kernel_init_module_64_rules_d is defined and find_existing_kernel_init_module_64_rules_d.matched == 0 and audit_kernel_line_64_rules_d is defined -+ -+- name: add delete_module into line for 64 bit rules.d -+ set_fact: -+ audit_kernel_line_64_rules_d= {{ audit_kernel_line_64_rules_d + '-S delete_module ' }} -+ when: find_existing_kernel_delete_module_64_rules_d is defined and find_existing_kernel_delete_module_64_rules_d.matched == 0 and audit_kernel_line_64_rules_d is defined -+ -+{{% if product != "rhel6" %}} -+- name: add finit_module into line for 64 bit rules.d -+ set_fact: -+ audit_kernel_line_64_rules_d= {{ audit_kernel_line_64_rules_d + '-S finit_module ' }} -+ when: find_existing_kernel_finit_module_64_rules_d is defined and find_existing_finit_delete_module_64_rules_d.matched == 0 and audit_kernel_line_64_rules_d is defined -+{{% endif %}} -+ -+- name: Finish creating remediation line for 64 bit rule in /etc/audit/rules.d -+ set_fact: -+ audit_kernel_line_64_rules_d= {{ audit_kernel_line_64_rules_d + '-k modules' }} -+ {{% if product == "rhel6" %}} -+ when: (find_existing_kernel_init_module_64_rules_d is defined and find_existing_kernel_init_module_64_rules_d.matched == 0) or (find_existing_kernel_delete_module_64_rules_d is defined and find_existing_kernel_delete_module_64_rules_d.matched == 0) and audit_kernel_line_64_rules_d is defined -+ {{% else %}} -+ when: (find_existing_kernel_init_module_64_rules_d is defined and find_existing_kernel_init_module_64_rules_d.matched == 0) or (find_existing_kernel_delete_module_64_rules_d is defined and find_existing_kernel_delete_module_64_rules_d.matched == 0) or (find_existing_kernel_finit_module_64_rules_d is defined and find_existing_kernel_finit_module_64_rules_d.matched == 0) and audit_kernel_line_64_rules_d is defined -+ {{% endif %}} -+ -+- name: Start creating remediation line for 32 bit rule in /etc/audit/audit.rules -+ set_fact: -+ audit_kernel_line_32_audit_rules = "-a always,exit -F arch=b32 " -+ {{% if product == "rhel6" %}} -+ when: (find_existing_kernel_init_module_32_audit_rules is defined and find_existing_kernel_init_module_32_audit_rules.matched == 0) or (find_existing_kernel_delete_module_32_audit_rules is defined and find_existing_kernel_delete_module_32_audit_rules.matched == 0) -+ {{% else %}} -+ when: (find_existing_kernel_init_module_32_audit_rules is defined and find_existing_kernel_init_module_32_audit_rules.matched == 0) or (find_existing_kernel_delete_module_32_audit_rules is defined and find_existing_kernel_delete_module_32_audit_rules.matched == 0) or (find_existing_kernel_finit_module_32_audit_rules is defined and find_existing_kernel_finit_module_32_audit_rules.matched == 0) -+ {{% endif %}} -+ -+- name: add init_module into line for 32 bit rules.d -+ set_fact: -+ audit_kernel_line_32_audit_rules= {{ audit_kernel_line_32_audit_rules + '-S init_module ' }} -+ when: find_existing_kernel_init_module_32_audit_rules is defined and find_existing_kernel_init_module_32_audit_rules.matched == 0 and audit_kernel_line_32_audit_rules is defined -+ -+- name: add delete_module into line for 32 bit rules.d -+ set_fact: -+ audit_kernel_line_32_audit_rules= {{ audit_kernel_line_32_audit_rules + '-S delete_module ' }} -+ when: find_existing_kernel_delete_module_32_audit_rules is defined and find_existing_kernel_delete_module_32_audit_rules.matched == 0 and audit_kernel_line_32_audit_rules is defined -+ -+{{% if product != "rhel6" %}} -+- name: add finit_module into line for 32 bit rules.d -+ set_fact: -+ audit_kernel_line_32_audit_rules= {{ audit_kernel_line_32_audit_rules + '-S finit_module ' }} -+ when: find_existing_kernel_finit_module_32_audit_rules is defined and find_existing_finit_delete_module_32_audit_rules.matched == 0 and audit_kernel_line_32_audit_rules is defined -+{{% endif %}} -+ -+- name: Finish creating remediation line for 32 bit rule in /etc/audit/audit.rules -+ set_fact: -+ audit_kernel_line_32_audit_rules= {{ audit_kernel_line_32_audit_rules + '-k modules' }} -+ {{% if product == "rhel6" %}} -+ when: (find_existing_kernel_init_module_32_audit_rules is defined and find_existing_kernel_init_module_32_audit_rules.matched == 0) or (find_existing_kernel_delete_module_32_audit_rules is defined and find_existing_kernel_delete_module_32_audit_rules.matched == 0) and audit_kernel_line_32_audit_rules is defined -+ {{% else %}} -+ when: (find_existing_kernel_init_module_32_audit_rules is defined and find_existing_kernel_init_module_32_audit_rules.matched == 0) or (find_existing_kernel_delete_module_32_audit_rules is defined and find_existing_kernel_delete_module_32_audit_rules.matched == 0) or (find_existing_kernel_finit_module_32_audit_rules is defined and find_existing_kernel_finit_module_32_audit_rules.matched == 0) and audit_kernel_line_32_audit_rules is defined -+ {{% endif %}} -+ -+- name: Start creating remediation line for 64 bit rule in /etc/audit/audit.rules -+ set_fact: -+ audit_kernel_line_64_audit_rules = "-a always,exit -F arch=b64 " -+ {{% if product == "rhel6" %}} -+ when: (find_existing_kernel_init_module_64_audit_rules is defined and find_existing_kernel_init_module_64_audit_rules.matched == 0) or (find_existing_kernel_delete_module_64_audit_rules is defined and find_existing_kernel_delete_module_64_audit_rules.matched == 0) -+ {{% else %}} -+ when: (find_existing_kernel_init_module_64_audit_rules is defined and find_existing_kernel_init_module_64_audit_rules.matched == 0) or (find_existing_kernel_delete_module_64_audit_rules is defined and find_existing_kernel_delete_module_64_audit_rules.matched == 0) or (find_existing_kernel_finit_module_64_audit_rules is defined and find_existing_kernel_finit_module_64_audit_rules.matched == 0) -+ {{% endif %}} -+ -+- name: add init_module into line for 64 bit rules.d -+ set_fact: -+ audit_kernel_line_64_audit_rules= {{ audit_kernel_line_64_audit_rules + '-S init_module ' }} -+ when: find_existing_kernel_init_module_64_audit_rules is defined and find_existing_kernel_init_module_64_audit_rules.matched == 0 and audit_kernel_line_64_audit_rules is defined -+ -+- name: add delete_module into line for 64 bit rules.d -+ set_fact: -+ audit_kernel_line_64_audit_rules= {{ audit_kernel_line_64_audit_rules + '-S delete_module ' }} -+ when: find_existing_kernel_delete_module_64_audit_rules is defined and find_existing_kernel_delete_module_64_audit_rules.matched == 0 and audit_kernel_line_64_audit_rules is defined -+ -+{{% if product != "rhel6" %}} -+- name: add finit_module into line for 64 bit rules.d -+ set_fact: -+ audit_kernel_line_64_audit_rules= {{ audit_kernel_line_64_audit_rules + '-S finit_module ' }} -+ when: find_existing_kernel_finit_module_64_audit_rules is defined and find_existing_finit_delete_module_64_audit_rules.matched == 0 and audit_kernel_line_64_audit_rules is defined -+{{% endif %}} -+ -+- name: Finish creating remediation line for 64 bit rule in /etc/audit/audit.rules -+ set_fact: -+ audit_kernel_line_64_audit_rules= {{ audit_kernel_line_64_audit_rules + '-k modules' }} -+ {{% if product == "rhel6" %}} -+ when: (find_existing_kernel_init_module_64_audit_rules is defined and find_existing_kernel_init_module_64_audit_rules.matched == 0) or (find_existing_kernel_delete_module_64_audit_rules is defined and find_existing_kernel_delete_module_64_audit_rules.matched == 0) and audit_kernel_line_64_audit_rules is defined -+ {{% else %}} -+ when: (find_existing_kernel_init_module_64_audit_rules is defined and find_existing_kernel_init_module_64_audit_rules.matched == 0) or (find_existing_kernel_delete_module_64_audit_rules is defined and find_existing_kernel_delete_module_64_audit_rules.matched == 0) or (find_existing_kernel_finit_module_64_audit_rules is defined and find_existing_kernel_finit_module_64_audit_rules.matched == 0) and audit_kernel_line_64_audit_rules is defined -+ {{% endif %}} -+ -+ -+ - - name: Inserts/replaces the modules rule in rules.d when on x86 - lineinfile: - path: "{{ all_files[0] }}" -- {{% if product == "rhel6" %}} -- line: "-a always,exit -F arch=b32 -S init_module -S delete_module -k modules" -- {{% else %}} -- line: "-a always,exit -F arch=b32 -S init_module -S delete_module -S finit_module -k modules" -- {{% endif %}} -+ line: "{{ audit_kernel_line_32_rules_d }}" - create: yes -+ {{% if product == "rhel6" %}} -+ when: (find_existing_kernel_init_module_32_rules_d is defined and find_existing_kernel_init_module_32_rules_d.matched == 0) or (find_existing_kernel_delete_module_32_rules_d is defined and find_existing_kernel_delete_module_32_rules_d.matched == 0) and audit_kernel_line_32_rules_d is defined -+ {{% else %}} -+ when: (find_existing_kernel_init_module_32_rules_d is defined and find_existing_kernel_init_module_32_rules_d.matched == 0) or (find_existing_kernel_delete_module_32_rules_d is defined and find_existing_kernel_delete_module_32_rules_d.matched == 0) or (find_existing_kernel_finit_module_32_rules_d is defined and find_existing_kernel_finit_module_32_rules_d.matched == 0) and audit_kernel_line_32_rules_d is defined -+ {{% endif %}} - - - name: Inserts/replaces the modules rule in rules.d when on x86_64 - lineinfile: - path: "{{ all_files[0] }}" -- {{% if product == "rhel6" %}} -- line: "-a always,exit -F arch=b64 -S init_module -S delete_module -k modules" -- {{% else %}} -- line: "-a always,exit -F arch=b64 -S init_module -S delete_module -S finit_module -k modules" -- {{% endif %}} -+ line: "{{ audit_kernel_line_32_rules_d }}" - create: yes -- when: audit_arch is defined and audit_arch == 'b64' -+ {{% if product == "rhel6" %}} -+ when: audit_arch is defined and audit_arch == 'b64' and (find_existing_kernel_init_module_64_rules_d is defined and find_existing_kernel_init_module_64_rules_d.matched == 0) or (find_existing_kernel_delete_module_64_rules_d is defined and find_existing_kernel_delete_module_64_rules_d.matched == 0) and audit_kernel_line_64_rules_d is defined -+ {{% else %}} -+ when: audit_arch is defined and audit_arch == 'b64' and (find_existing_kernel_init_module_64_rules_d is defined and find_existing_kernel_init_module_64_rules_d.matched == 0) or (find_existing_kernel_delete_module_64_rules_d is defined and find_existing_kernel_delete_module_64_rules_d.matched == 0) or (find_existing_kernel_finit_module_64_rules_d is defined and find_existing_kernel_finit_module_64_rules_d.matched == 0) and audit_kernel_line_64_rules_d is defined -+ {{% endif %}} -+ - # - # Inserts/replaces the rule in /etc/audit/audit.rules - # - - name: Inserts/replaces the modules rule in /etc/audit/audit.rules when on x86 - lineinfile: -- {{% if product == "rhel6" %}} -- line: "-a always,exit -F arch=b32 -S init_module -S delete_module -k modules" -- {{% else %}} -- line: "-a always,exit -F arch=b32 -S init_module -S delete_module -S finit_module -k modules" -- {{% endif %}} -+ line: "{{ audit_kernel_line_32_audit_rules }}" - state: present - dest: /etc/audit/audit.rules - create: yes -+ {{% if product == "rhel6" %}} -+ when: (find_existing_kernel_init_module_32_audit_rules is defined and find_existing_kernel_init_module_32_audit_rules.matched == 0) or (find_existing_kernel_delete_module_32_audit_rules is defined and find_existing_kernel_delete_module_32_audit_rules.matched == 0) and audit_kernel_line_32_audit_rules is defined -+ {{% else %}} -+ when: (find_existing_kernel_init_module_32_audit_rules is defined and find_existing_kernel_init_module_32_audit_rules.matched == 0) or (find_existing_kernel_delete_module_32_audit_rules is defined and find_existing_kernel_delete_module_32_audit_rules.matched == 0) or (find_existing_kernel_finit_module_32_audit_rules is defined and find_existing_kernel_finit_module_32_audit_rules.matched == 0) and audit_kernel_line_32_audit_rules is defined -+ {{% endif %}} - - - name: Inserts/replaces the modules rule in audit.rules when on x86_64 - lineinfile: -- {{% if product == "rhel6" %}} -- line: "-a always,exit -F arch=b64 -S init_module -S delete_module -k modules" -- {{% else %}} -- line: "-a always,exit -F arch=b64 -S init_module -S delete_module -S finit_module -k modules" -- {{% endif %}} -+ line: "{{ audit_kernel_line_64_audit_rules }}" - state: present - dest: /etc/audit/audit.rules - create: yes -- when: audit_arch is defined and audit_arch == 'b64' -+ {{% if product == "rhel6" %}} -+ when: audit_arch is defined and audit_arch == 'b64' and (find_existing_kernel_init_module_64_audit_rules is defined and find_existing_kernel_init_module_64_audit_rules.matched == 0) or (find_existing_kernel_delete_module_64_audit_rules is defined and find_existing_kernel_delete_module_64_audit_rules.matched == 0) and audit_kernel_line_64_audit_rules is defined -+ {{% else %}} -+ when: audit_arch is defined and audit_arch == 'b64' and (find_existing_kernel_init_module_64_audit_rules is defined and find_existing_kernel_init_module_64_audit_rules.matched == 0) or (find_existing_kernel_delete_module_64_audit_rules is defined and find_existing_kernel_delete_module_64_audit_rules.matched == 0) or (find_existing_kernel_finit_module_64_audit_rules is defined and find_existing_kernel_finit_module_64_audit_rules.matched == 0) and audit_kernel_line_64_audit_rules is defined -+ {{% endif %}} -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/tests/syscalls_one_per_line_one_missing.fail.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/tests/syscalls_one_per_line_one_missing.fail.sh -new file mode 100644 -index 0000000000..13219b7ece ---- /dev/null -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/tests/syscalls_one_per_line_one_missing.fail.sh -@@ -0,0 +1,11 @@ -+#!/bin/bash -+# profiles = xccdf_org.ssgproject.content_profile_C2S -+# remediation = bash -+ -+# Use auditctl, on RHEL7, default is to use augenrules -+sed -i "s%^ExecStartPost=.*%ExecStartPost=-/sbin/auditctl%" /usr/lib/systemd/system/auditd.service -+ -+rm -f /etc/audit/rules.d/* -+ -+# cut out irrelevant rules for this test -+sed -e '11,18d' -e '/.*init.*/d' test_audit.rules > /etc/audit/audit.rules - -From 9ababe26e4ffb0ab96de75c5fd4f911811d1085a Mon Sep 17 00:00:00 2001 -From: Vojtech Polasek -Date: Fri, 24 Apr 2020 11:10:12 +0200 -Subject: [PATCH 3/8] fix metadata in tests - ---- - .../audit_rules_kernel_module_loading/tests/default.fail.sh | 2 +- - .../tests/syscalls_multiple_per_arg.pass.sh | 2 +- - .../tests/syscalls_one_per_arg.pass.sh | 2 +- - .../tests/syscalls_one_per_line.pass.sh | 2 +- - .../tests/syscalls_one_per_line_one_missing.fail.sh | 2 +- - 5 files changed, 5 insertions(+), 5 deletions(-) - -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/tests/default.fail.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/tests/default.fail.sh -index 43da7e67e5..c1ea54b990 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/tests/default.fail.sh -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/tests/default.fail.sh -@@ -1,6 +1,6 @@ - #!/bin/bash - # profiles = xccdf_org.ssgproject.content_profile_C2S --# remediation = bash -+ - - rm -f /etc/audit/rules.d/* - > /etc/audit/audit.rules -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/tests/syscalls_multiple_per_arg.pass.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/tests/syscalls_multiple_per_arg.pass.sh -index af0ceda059..80d5e8d6d4 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/tests/syscalls_multiple_per_arg.pass.sh -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/tests/syscalls_multiple_per_arg.pass.sh -@@ -1,6 +1,6 @@ - #!/bin/bash - # profiles = xccdf_org.ssgproject.content_profile_C2S --# remediation = bash -+ - - # Use auditctl, on RHEL7, default is to use augenrules - sed -i "s%^ExecStartPost=.*%ExecStartPost=-/sbin/auditctl%" /usr/lib/systemd/system/auditd.service -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/tests/syscalls_one_per_arg.pass.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/tests/syscalls_one_per_arg.pass.sh -index ccc2d4beee..0e162c7c94 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/tests/syscalls_one_per_arg.pass.sh -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/tests/syscalls_one_per_arg.pass.sh -@@ -1,6 +1,6 @@ - #!/bin/bash - # profiles = xccdf_org.ssgproject.content_profile_C2S --# remediation = bash -+ - - # Use auditctl, on RHEL7, default is to use augenrules - sed -i "s%^ExecStartPost=.*%ExecStartPost=-/sbin/auditctl%" /usr/lib/systemd/system/auditd.service -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/tests/syscalls_one_per_line.pass.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/tests/syscalls_one_per_line.pass.sh -index 48e03e071d..a043f787bc 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/tests/syscalls_one_per_line.pass.sh -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/tests/syscalls_one_per_line.pass.sh -@@ -1,6 +1,6 @@ - #!/bin/bash - # profiles = xccdf_org.ssgproject.content_profile_C2S --# remediation = bash -+ - - # Use auditctl, on RHEL7, default is to use augenrules - sed -i "s%^ExecStartPost=.*%ExecStartPost=-/sbin/auditctl%" /usr/lib/systemd/system/auditd.service -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/tests/syscalls_one_per_line_one_missing.fail.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/tests/syscalls_one_per_line_one_missing.fail.sh -index 13219b7ece..4d717db422 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/tests/syscalls_one_per_line_one_missing.fail.sh -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/tests/syscalls_one_per_line_one_missing.fail.sh -@@ -1,6 +1,6 @@ - #!/bin/bash - # profiles = xccdf_org.ssgproject.content_profile_C2S --# remediation = bash -+ - - # Use auditctl, on RHEL7, default is to use augenrules - sed -i "s%^ExecStartPost=.*%ExecStartPost=-/sbin/auditctl%" /usr/lib/systemd/system/auditd.service - -From d16f0eb2ee839209bc2ace51da49ca795003a27c Mon Sep 17 00:00:00 2001 -From: Vojtech Polasek -Date: Fri, 24 Apr 2020 11:10:46 +0200 -Subject: [PATCH 4/8] rewrite audit_rules_kernel_module_loading remediation to - be effective - ---- - .../ansible/shared.yml | 364 ++++++------------ - 1 file changed, 108 insertions(+), 256 deletions(-) - -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/ansible/shared.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/ansible/shared.yml -index 17eb72a99d..e417e147ea 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/ansible/shared.yml -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/ansible/shared.yml -@@ -11,103 +11,73 @@ - set_fact: - audit_arch: "b{{ ansible_architecture | regex_replace('.*(\\d\\d$)','\\1') }}" - --# --# check if rules don't exist already --# -- --- name: Check if rule for x86 init_module already exists in /etc/audit/rules.d/* -- find: -- paths: "/etc/audit/rules.d/" -- contains: '^\s*-a\s+always,exit\s+-F\s+arch=b32\s+-S\s+init_module[\s$]+' -- patterns: "*.rules" -- register: find_existing_kernel_init_module_32_rules_d -+- name: Declare list of syscals -+ set_fact: -+ syscalls: -+ - "init_module" -+ - "delete_module" -+ {{% if product != "rhel6" %}} -+ - "finit_module" -+ {{% endif %}} - --- name: Check if rule for x86 delete_module already exists in /etc/audit/rules.d/* -- find: -- paths: "/etc/audit/rules.d/" -- contains: '^\s*-a\s+always,exit\s+-F\s+arch=b32\s+-S\s+delete_module[\s$]+' -- patterns: "*.rules" -- register: find_existing_kernel_delete_module_32_rules_d -+- name: declare number of syscalls -+ set_fact: audit_kernel_number_of_syscalls="{{ syscalls|length|int }}" - --- name: Check if rule for x86 finit_module already exists in /etc/audit/rules.d/* -- find: -- paths: "/etc/audit/rules.d/" -- contains: '^\s*-a\s+always,exit\s+-F\s+arch=b32\s+-S\s+finit_module[\s$]+' -- patterns: "*.rules" -- register: find_existing_kernel_finit_module_32_rules_d - --- name: Check if rule for x86_64 init_module already exists in /etc/audit/rules.d/* -+- name: Check existence of syscalls for 32 bit architecture in /etc/audit/rules.d/* - find: -- paths: "/etc/audit/rules.d/" -- contains: '^\s*-a\s+always,exit\s+-F\s+arch=b64\s+-S\s+init_module[\s$]+' -+ paths: "/etc/audit/rules.d" -+ contains: '^\s*-a\s+always,exit\s+-F\s+arch=b32\s+.*-S\s+.*{{ item }}.*$' - patterns: "*.rules" -- register: find_existing_kernel_init_module_64_rules_d -+ register: audit_kernel_found_32_rules_d -+ loop: "{{ syscalls }}" - --- name: Check if rule for x86_64 delete_module already exists in /etc/audit/rules.d/* -- find: -- paths: "/etc/audit/rules.d/" -- contains: '^\s*-a\s+always,exit\s+-F\s+arch=b64\s+-S\s+delete_module[\s$]+' -- patterns: "*.rules" -- register: find_existing_kernel_delete_module_64_rules_d -+- name: get number of matched 32 bit syscalls in /etc/audit/rules.d/* -+ set_fact: audit_kernel_matched_32_rules_d="{{audit_kernel_found_32_rules_d.results|sum(attribute='matched')|int }}" - --- name: Check if rule for x86_64 finit_module already exists in /etc/audit/rules.d/* -+- name: Check existence of syscalls for 64 bit architecture in /etc/audit/rules.d/* - find: -- paths: "/etc/audit/rules.d/" -- contains: '^\s*-a\s+always,exit\s+-F\s+arch=b64\s+-S\s+finit_module[\s$]+' -+ paths: "/etc/audit/rules.d" -+ contains: '^\s*-a\s+always,exit\s+-F\s+arch=b64\s+.*-S\s+.*{{ item }}.*$' - patterns: "*.rules" -- register: find_existing_kernel_finit_module_64_rules_d -+ register: audit_kernel_found_64_rules_d -+ loop: "{{ syscalls }}" - --- name: Check if rule for x86 init_module already exists in /etc/audit/audit.rules -- find: -- paths: "/etc/audit/" -- contains: '^\s*-a\s+always,exit\s+-F\s+arch=b32\s+-S\s+init_module[\s$]+' -- patterns: "audit.rules" -- register: find_existing_kernel_init_module_32_audit_rules -- --- name: Check if rule for x86 delete_module already exists in /etc/audit/audit.rules -- find: -- paths: "/etc/audit/" -- contains: '^\s*-a\s+always,exit\s+-F\s+arch=b32\s+-S\s+delete_module[\s$]+' -- patterns: "audit.rules" -- register: find_existing_kernel_delete_module_32_audit_rules -+- name: get number of matched 64 bit syscalls in /etc/audit/rules.d/* -+ set_fact: audit_kernel_matched_64_rules_d="{{audit_kernel_found_64_rules_d.results|sum(attribute='matched')|int }}" - --- name: Check if rule for x86 finit_module already exists in /etc/audit/audit.rules -+- name: Check existence of syscalls for 32 bit architecture in /etc/audit/audit.rules - find: -- paths: "/etc/audit/audit.rules" -- contains: '^\s*-a\s+always,exit\s+-F\s+arch=b32\s+-S\s+finit_module[\s$]+' -+ paths: "/etc/audit" -+ contains: '^\s*-a\s+always,exit\s+-F\s+arch=b32\s+.*-S\s+.*{{ item }}.*$' - patterns: "audit.rules" -- register: find_existing_kernel_finit_module_32_audit_rules -+ register: audit_kernel_found_32_audit_rules -+ loop: "{{ syscalls }}" - --- name: Check if rule for x86_64 init_module already exists in /etc/audit/audit.rules -- find: -- paths: "/etc/audit/" -- contains: '^\s*-a\s+always,exit\s+-F\s+arch=b64\s+-S\s+init_module[\s$]+' -- patterns: "audit.rules" -- register: find_existing_kernel_init_module_64_audit_rules -+- name: get number of matched 32 bit syscalls in /etc/audit/audit.rules -+ set_fact: audit_kernel_matched_32_audit_rules="{{audit_kernel_found_32_audit_rules.results|sum(attribute='matched')|int }}" - --- name: Check if rule for x86_64 delete_module already exists in /etc/audit/audit.rules -+- name: Check existence of syscalls for 64 bit architecture in /etc/audit/audit.rules - find: -- paths: "/etc/audit/" -- contains: '^\s*-a\s+always,exit\s+-F\s+arch=b64\s+-S\s+delete_module[\s$]+' -+ paths: "/etc/audit" -+ contains: '^\s*-a\s+always,exit\s+-F\s+arch=b64\s+.*-S\s+.*{{ item }}.*$' - patterns: "audit.rules" -- register: find_existing_kernel_delete_module_64_audit_rules -+ register: audit_kernel_found_64_audit_rules -+ loop: "{{ syscalls }}" - --- name: Check if rule for x86_64 finit_module already exists in /etc/audit/audit.rules -- find: -- paths: "/etc/audit/" -- contains: '^\s*-a\s+always,exit\s+-F\s+arch=b64\s+-S\s+finit_module[\s$]+' -- patterns: "audit.rules" -- register: find_existing_kernel_finit_module_64_audit_rules -+- name: get number of matched 64 bit syscalls in /etc/audit/rules.d/* -+ set_fact: audit_kernel_matched_64_audit_rules="{{audit_kernel_found_64_audit_rules.results|sum(attribute='matched')|int }}" - - - # - # Inserts/replaces the rule in /etc/audit/rules.d - # -+ - - name: Search /etc/audit/rules.d for other kernel module loading audit rules - find: - paths: "/etc/audit/rules.d" - recurse: no -- contains: "-F key=modules$" -+ contains: "(-F key=modules)|(-k modules)$" - patterns: "*.rules" - register: find_modules - -@@ -123,197 +93,79 @@ - - "{{ find_modules.files | map(attribute='path') | list | first }}" - when: find_modules.matched is defined and find_modules.matched > 0 - --# --# create resulting lines to be inserted into appropriate files --# -- --- name: Start creating remediation line for 32 bit rule in /etc/audit/rules.d -- set_fact: -- audit_kernel_line_32_rules_d = "-a always,exit -F arch=b32 " -- {{% if product == "rhel6" %}} -- when: (find_existing_kernel_init_module_32_rules_d is defined and find_existing_kernel_init_module_32_rules_d.matched == 0) or (find_existing_kernel_delete_module_32_rules_d is defined and find_existing_kernel_delete_module_32_rules_d.matched == 0) -- {{% else %}} -- when: (find_existing_kernel_init_module_32_rules_d is defined and find_existing_kernel_init_module_32_rules_d.matched == 0) or (find_existing_kernel_delete_module_32_rules_d is defined and find_existing_kernel_delete_module_32_rules_d.matched == 0) or (find_existing_kernel_finit_module_32_rules_d is defined and find_existing_kernel_finit_module_32_rules_d.matched == 0) -- {{% endif %}} -- --- name: add init_module into line for 32 bit rules.d -- set_fact: -- audit_kernel_line_32_rules_d= {{ audit_kernel_line_32_rules_d + '-S init_module ' }} -- when: find_existing_kernel_init_module_32_rules_d is defined and find_existing_kernel_init_module_32_rules_d.matched == 0 and audit_kernel_line_32_rules_d is defined -- --- name: add delete_module into line for 32 bit rules.d -- set_fact: -- audit_kernel_line_32_rules_d= {{ audit_kernel_line_32_rules_d + '-S delete_module ' }} -- when: find_existing_kernel_delete_module_32_rules_d is defined and find_existing_kernel_delete_module_32_rules_d.matched == 0 and audit_kernel_line_32_rules_d is defined -- --{{% if product != "rhel6" %}} --- name: add finit_module into line for 32 bit rules.d -- set_fact: -- audit_kernel_line_32_rules_d= {{ audit_kernel_line_32_rules_d + '-S finit_module ' }} -- when: find_existing_kernel_finit_module_32_rules_d is defined and find_existing_finit_delete_module_32_rules_d.matched == 0 and audit_kernel_line_32_rules_d is defined --{{% endif %}} -- --- name: Finish creating remediation line for 32 bit rule in /etc/audit/rules.d -- set_fact: -- audit_kernel_line_32_rules_d= {{ audit_kernel_line_32_rules_d + '-k modules' }} -- {{% if product == "rhel6" %}} -- when: (find_existing_kernel_init_module_32_rules_d is defined and find_existing_kernel_init_module_32_rules_d.matched == 0) or (find_existing_kernel_delete_module_32_rules_d is defined and find_existing_kernel_delete_module_32_rules_d.matched == 0) and audit_kernel_line_32_rules_d is defined -- {{% else %}} -- when: (find_existing_kernel_init_module_32_rules_d is defined and find_existing_kernel_init_module_32_rules_d.matched == 0) or (find_existing_kernel_delete_module_32_rules_d is defined and find_existing_kernel_delete_module_32_rules_d.matched == 0) or (find_existing_kernel_finit_module_32_rules_d is defined and find_existing_kernel_finit_module_32_rules_d.matched == 0) and audit_kernel_line_32_rules_d is defined -- {{% endif %}} -- --- name: Start creating remediation line for 64 bit rule in /etc/audit/rules.d -- set_fact: -- audit_kernel_line_64_rules_d = "-a always,exit -F arch=b64 " -- {{% if product == "rhel6" %}} -- when: (find_existing_kernel_init_module_64_rules_d is defined and find_existing_kernel_init_module_64_rules_d.matched == 0) or (find_existing_kernel_delete_module_64_rules_d is defined and find_existing_kernel_delete_module_64_rules_d.matched == 0) -- {{% else %}} -- when: (find_existing_kernel_init_module_64_rules_d is defined and find_existing_kernel_init_module_64_rules_d.matched == 0) or (find_existing_kernel_delete_module_64_rules_d is defined and find_existing_kernel_delete_module_64_rules_d.matched == 0) or (find_existing_kernel_finit_module_64_rules_d is defined and find_existing_kernel_finit_module_64_rules_d.matched == 0) -- {{% endif %}} -- --- name: add init_module into line for 64 bit rules.d -- set_fact: -- audit_kernel_line_64_rules_d= {{ audit_kernel_line_64_rules_d + '-S init_module ' }} -- when: find_existing_kernel_init_module_64_rules_d is defined and find_existing_kernel_init_module_64_rules_d.matched == 0 and audit_kernel_line_64_rules_d is defined -- --- name: add delete_module into line for 64 bit rules.d -- set_fact: -- audit_kernel_line_64_rules_d= {{ audit_kernel_line_64_rules_d + '-S delete_module ' }} -- when: find_existing_kernel_delete_module_64_rules_d is defined and find_existing_kernel_delete_module_64_rules_d.matched == 0 and audit_kernel_line_64_rules_d is defined -- --{{% if product != "rhel6" %}} --- name: add finit_module into line for 64 bit rules.d -- set_fact: -- audit_kernel_line_64_rules_d= {{ audit_kernel_line_64_rules_d + '-S finit_module ' }} -- when: find_existing_kernel_finit_module_64_rules_d is defined and find_existing_finit_delete_module_64_rules_d.matched == 0 and audit_kernel_line_64_rules_d is defined --{{% endif %}} -- --- name: Finish creating remediation line for 64 bit rule in /etc/audit/rules.d -- set_fact: -- audit_kernel_line_64_rules_d= {{ audit_kernel_line_64_rules_d + '-k modules' }} -- {{% if product == "rhel6" %}} -- when: (find_existing_kernel_init_module_64_rules_d is defined and find_existing_kernel_init_module_64_rules_d.matched == 0) or (find_existing_kernel_delete_module_64_rules_d is defined and find_existing_kernel_delete_module_64_rules_d.matched == 0) and audit_kernel_line_64_rules_d is defined -- {{% else %}} -- when: (find_existing_kernel_init_module_64_rules_d is defined and find_existing_kernel_init_module_64_rules_d.matched == 0) or (find_existing_kernel_delete_module_64_rules_d is defined and find_existing_kernel_delete_module_64_rules_d.matched == 0) or (find_existing_kernel_finit_module_64_rules_d is defined and find_existing_kernel_finit_module_64_rules_d.matched == 0) and audit_kernel_line_64_rules_d is defined -- {{% endif %}} -- --- name: Start creating remediation line for 32 bit rule in /etc/audit/audit.rules -- set_fact: -- audit_kernel_line_32_audit_rules = "-a always,exit -F arch=b32 " -- {{% if product == "rhel6" %}} -- when: (find_existing_kernel_init_module_32_audit_rules is defined and find_existing_kernel_init_module_32_audit_rules.matched == 0) or (find_existing_kernel_delete_module_32_audit_rules is defined and find_existing_kernel_delete_module_32_audit_rules.matched == 0) -- {{% else %}} -- when: (find_existing_kernel_init_module_32_audit_rules is defined and find_existing_kernel_init_module_32_audit_rules.matched == 0) or (find_existing_kernel_delete_module_32_audit_rules is defined and find_existing_kernel_delete_module_32_audit_rules.matched == 0) or (find_existing_kernel_finit_module_32_audit_rules is defined and find_existing_kernel_finit_module_32_audit_rules.matched == 0) -- {{% endif %}} -- --- name: add init_module into line for 32 bit rules.d -- set_fact: -- audit_kernel_line_32_audit_rules= {{ audit_kernel_line_32_audit_rules + '-S init_module ' }} -- when: find_existing_kernel_init_module_32_audit_rules is defined and find_existing_kernel_init_module_32_audit_rules.matched == 0 and audit_kernel_line_32_audit_rules is defined -- --- name: add delete_module into line for 32 bit rules.d -- set_fact: -- audit_kernel_line_32_audit_rules= {{ audit_kernel_line_32_audit_rules + '-S delete_module ' }} -- when: find_existing_kernel_delete_module_32_audit_rules is defined and find_existing_kernel_delete_module_32_audit_rules.matched == 0 and audit_kernel_line_32_audit_rules is defined -- --{{% if product != "rhel6" %}} --- name: add finit_module into line for 32 bit rules.d -- set_fact: -- audit_kernel_line_32_audit_rules= {{ audit_kernel_line_32_audit_rules + '-S finit_module ' }} -- when: find_existing_kernel_finit_module_32_audit_rules is defined and find_existing_finit_delete_module_32_audit_rules.matched == 0 and audit_kernel_line_32_audit_rules is defined --{{% endif %}} -- --- name: Finish creating remediation line for 32 bit rule in /etc/audit/audit.rules -- set_fact: -- audit_kernel_line_32_audit_rules= {{ audit_kernel_line_32_audit_rules + '-k modules' }} -- {{% if product == "rhel6" %}} -- when: (find_existing_kernel_init_module_32_audit_rules is defined and find_existing_kernel_init_module_32_audit_rules.matched == 0) or (find_existing_kernel_delete_module_32_audit_rules is defined and find_existing_kernel_delete_module_32_audit_rules.matched == 0) and audit_kernel_line_32_audit_rules is defined -- {{% else %}} -- when: (find_existing_kernel_init_module_32_audit_rules is defined and find_existing_kernel_init_module_32_audit_rules.matched == 0) or (find_existing_kernel_delete_module_32_audit_rules is defined and find_existing_kernel_delete_module_32_audit_rules.matched == 0) or (find_existing_kernel_finit_module_32_audit_rules is defined and find_existing_kernel_finit_module_32_audit_rules.matched == 0) and audit_kernel_line_32_audit_rules is defined -- {{% endif %}} -- --- name: Start creating remediation line for 64 bit rule in /etc/audit/audit.rules -- set_fact: -- audit_kernel_line_64_audit_rules = "-a always,exit -F arch=b64 " -- {{% if product == "rhel6" %}} -- when: (find_existing_kernel_init_module_64_audit_rules is defined and find_existing_kernel_init_module_64_audit_rules.matched == 0) or (find_existing_kernel_delete_module_64_audit_rules is defined and find_existing_kernel_delete_module_64_audit_rules.matched == 0) -- {{% else %}} -- when: (find_existing_kernel_init_module_64_audit_rules is defined and find_existing_kernel_init_module_64_audit_rules.matched == 0) or (find_existing_kernel_delete_module_64_audit_rules is defined and find_existing_kernel_delete_module_64_audit_rules.matched == 0) or (find_existing_kernel_finit_module_64_audit_rules is defined and find_existing_kernel_finit_module_64_audit_rules.matched == 0) -- {{% endif %}} -- --- name: add init_module into line for 64 bit rules.d -- set_fact: -- audit_kernel_line_64_audit_rules= {{ audit_kernel_line_64_audit_rules + '-S init_module ' }} -- when: find_existing_kernel_init_module_64_audit_rules is defined and find_existing_kernel_init_module_64_audit_rules.matched == 0 and audit_kernel_line_64_audit_rules is defined -- --- name: add delete_module into line for 64 bit rules.d -- set_fact: -- audit_kernel_line_64_audit_rules= {{ audit_kernel_line_64_audit_rules + '-S delete_module ' }} -- when: find_existing_kernel_delete_module_64_audit_rules is defined and find_existing_kernel_delete_module_64_audit_rules.matched == 0 and audit_kernel_line_64_audit_rules is defined -- --{{% if product != "rhel6" %}} --- name: add finit_module into line for 64 bit rules.d -- set_fact: -- audit_kernel_line_64_audit_rules= {{ audit_kernel_line_64_audit_rules + '-S finit_module ' }} -- when: find_existing_kernel_finit_module_64_audit_rules is defined and find_existing_finit_delete_module_64_audit_rules.matched == 0 and audit_kernel_line_64_audit_rules is defined --{{% endif %}} -- --- name: Finish creating remediation line for 64 bit rule in /etc/audit/audit.rules -- set_fact: -- audit_kernel_line_64_audit_rules= {{ audit_kernel_line_64_audit_rules + '-k modules' }} -- {{% if product == "rhel6" %}} -- when: (find_existing_kernel_init_module_64_audit_rules is defined and find_existing_kernel_init_module_64_audit_rules.matched == 0) or (find_existing_kernel_delete_module_64_audit_rules is defined and find_existing_kernel_delete_module_64_audit_rules.matched == 0) and audit_kernel_line_64_audit_rules is defined -- {{% else %}} -- when: (find_existing_kernel_init_module_64_audit_rules is defined and find_existing_kernel_init_module_64_audit_rules.matched == 0) or (find_existing_kernel_delete_module_64_audit_rules is defined and find_existing_kernel_delete_module_64_audit_rules.matched == 0) or (find_existing_kernel_finit_module_64_audit_rules is defined and find_existing_kernel_finit_module_64_audit_rules.matched == 0) and audit_kernel_line_64_audit_rules is defined -- {{% endif %}} -- -- -- - - name: Inserts/replaces the modules rule in rules.d when on x86 -- lineinfile: -- path: "{{ all_files[0] }}" -- line: "{{ audit_kernel_line_32_rules_d }}" -- create: yes -- {{% if product == "rhel6" %}} -- when: (find_existing_kernel_init_module_32_rules_d is defined and find_existing_kernel_init_module_32_rules_d.matched == 0) or (find_existing_kernel_delete_module_32_rules_d is defined and find_existing_kernel_delete_module_32_rules_d.matched == 0) and audit_kernel_line_32_rules_d is defined -- {{% else %}} -- when: (find_existing_kernel_init_module_32_rules_d is defined and find_existing_kernel_init_module_32_rules_d.matched == 0) or (find_existing_kernel_delete_module_32_rules_d is defined and find_existing_kernel_delete_module_32_rules_d.matched == 0) or (find_existing_kernel_finit_module_32_rules_d is defined and find_existing_kernel_finit_module_32_rules_d.matched == 0) and audit_kernel_line_32_rules_d is defined -- {{% endif %}} -+ block: -+ - name: start the line -+ set_fact: tmpline="-a always,exit -F arch=b32 " -+ - name: add syscalls -+ set_fact: tmpline="{{tmpline + '-S ' + item.item + ' ' }}" -+ loop: "{{ audit_kernel_found_32_rules_d.results }}" -+ when: item.matched is defined and item.matched == 0 -+ - name: finish the line -+ set_fact: tmpline="{{ tmpline + '-k modules' }}" -+ - name: insert/replace the line in appropriate file -+ lineinfile: -+ path: "{{ all_files[0] }}" -+ line: "{{ tmpline }}" -+ create: true -+ state: present -+ when: audit_kernel_matched_32_rules_d < audit_kernel_number_of_syscalls - - - name: Inserts/replaces the modules rule in rules.d when on x86_64 -- lineinfile: -- path: "{{ all_files[0] }}" -- line: "{{ audit_kernel_line_32_rules_d }}" -- create: yes -- {{% if product == "rhel6" %}} -- when: audit_arch is defined and audit_arch == 'b64' and (find_existing_kernel_init_module_64_rules_d is defined and find_existing_kernel_init_module_64_rules_d.matched == 0) or (find_existing_kernel_delete_module_64_rules_d is defined and find_existing_kernel_delete_module_64_rules_d.matched == 0) and audit_kernel_line_64_rules_d is defined -- {{% else %}} -- when: audit_arch is defined and audit_arch == 'b64' and (find_existing_kernel_init_module_64_rules_d is defined and find_existing_kernel_init_module_64_rules_d.matched == 0) or (find_existing_kernel_delete_module_64_rules_d is defined and find_existing_kernel_delete_module_64_rules_d.matched == 0) or (find_existing_kernel_finit_module_64_rules_d is defined and find_existing_kernel_finit_module_64_rules_d.matched == 0) and audit_kernel_line_64_rules_d is defined -- {{% endif %}} -+ block: -+ - name: start the line -+ set_fact: tmpline="-a always,exit -F arch=b64 " -+ - name: add syscalls -+ set_fact: tmpline="{{tmpline + '-S ' + item.item + ' ' }}" -+ loop: "{{ audit_kernel_found_64_rules_d.results }}" -+ when: item.matched is defined and item.matched == 0 -+ - name: finish the line -+ set_fact: tmpline="{{ tmpline + '-k modules' }}" -+ - name: insert/replace the line in appropriate file -+ lineinfile: -+ path: "{{ all_files[0] }}" -+ line: "{{ tmpline }}" -+ create: true -+ state: present -+ when: audit_kernel_matched_64_rules_d < audit_kernel_number_of_syscalls and audit_arch is defined and audit_arch == 'b64' -+ - - # - # Inserts/replaces the rule in /etc/audit/audit.rules - # --- name: Inserts/replaces the modules rule in /etc/audit/audit.rules when on x86 -- lineinfile: -- line: "{{ audit_kernel_line_32_audit_rules }}" -- state: present -- dest: /etc/audit/audit.rules -- create: yes -- {{% if product == "rhel6" %}} -- when: (find_existing_kernel_init_module_32_audit_rules is defined and find_existing_kernel_init_module_32_audit_rules.matched == 0) or (find_existing_kernel_delete_module_32_audit_rules is defined and find_existing_kernel_delete_module_32_audit_rules.matched == 0) and audit_kernel_line_32_audit_rules is defined -- {{% else %}} -- when: (find_existing_kernel_init_module_32_audit_rules is defined and find_existing_kernel_init_module_32_audit_rules.matched == 0) or (find_existing_kernel_delete_module_32_audit_rules is defined and find_existing_kernel_delete_module_32_audit_rules.matched == 0) or (find_existing_kernel_finit_module_32_audit_rules is defined and find_existing_kernel_finit_module_32_audit_rules.matched == 0) and audit_kernel_line_32_audit_rules is defined -- {{% endif %}} - --- name: Inserts/replaces the modules rule in audit.rules when on x86_64 -- lineinfile: -- line: "{{ audit_kernel_line_64_audit_rules }}" -- state: present -- dest: /etc/audit/audit.rules -- create: yes -- {{% if product == "rhel6" %}} -- when: audit_arch is defined and audit_arch == 'b64' and (find_existing_kernel_init_module_64_audit_rules is defined and find_existing_kernel_init_module_64_audit_rules.matched == 0) or (find_existing_kernel_delete_module_64_audit_rules is defined and find_existing_kernel_delete_module_64_audit_rules.matched == 0) and audit_kernel_line_64_audit_rules is defined -- {{% else %}} -- when: audit_arch is defined and audit_arch == 'b64' and (find_existing_kernel_init_module_64_audit_rules is defined and find_existing_kernel_init_module_64_audit_rules.matched == 0) or (find_existing_kernel_delete_module_64_audit_rules is defined and find_existing_kernel_delete_module_64_audit_rules.matched == 0) or (find_existing_kernel_finit_module_64_audit_rules is defined and find_existing_kernel_finit_module_64_audit_rules.matched == 0) and audit_kernel_line_64_audit_rules is defined -- {{% endif %}} -+- name: Inserts/replaces the modules rule in audit.rules when on x86 -+ block: -+ - name: start the line -+ set_fact: tmpline="-a always,exit -F arch=b32 " -+ - name: add syscalls -+ set_fact: tmpline="{{tmpline + '-S ' + item.item + ' ' }}" -+ loop: "{{ audit_kernel_found_32_audit_rules.results }}" -+ when: item.matched is defined and item.matched == 0 -+ - name: finish the line -+ set_fact: tmpline="{{ tmpline + '-k modules' }}" -+ - name: insert/replace the line in appropriate file -+ lineinfile: -+ path: "/etc/audit/audit.rules" -+ line: "{{ tmpline }}" -+ create: true -+ state: present -+ when: audit_kernel_matched_32_audit_rules < audit_kernel_number_of_syscalls -+ -+- name: Inserts/replaces the modules rule in rules.d when on x86_64 -+ block: -+ - name: start the line -+ set_fact: tmpline="-a always,exit -F arch=b64 " -+ - name: add syscalls -+ set_fact: tmpline="{{tmpline + '-S ' + item.item + ' ' }}" -+ loop: "{{ audit_kernel_found_64_audit_rules.results }}" -+ when: item.matched is defined and item.matched == 0 -+ - name: finish the line -+ set_fact: tmpline="{{ tmpline + '-k modules' }}" -+ - name: insert/replace the line in appropriate file -+ lineinfile: -+ path: "/etc/audit/audit.rules" -+ line: "{{ tmpline }}" -+ create: true -+ state: present -+ when: audit_kernel_matched_64_audit_rules < audit_kernel_number_of_syscalls and audit_arch is defined and audit_arch == 'b64' - -From 9ab15b0a7926d8d017753d1ce9189ed22e81c35c Mon Sep 17 00:00:00 2001 -From: Vojtech Polasek -Date: Fri, 24 Apr 2020 15:55:19 +0200 -Subject: [PATCH 5/8] fix regex and task descriptions - ---- - .../ansible/shared.yml | 52 +++++++++---------- - 1 file changed, 26 insertions(+), 26 deletions(-) - -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/ansible/shared.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/ansible/shared.yml -index e417e147ea..c82077b57a 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/ansible/shared.yml -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/ansible/shared.yml -@@ -27,7 +27,7 @@ - - name: Check existence of syscalls for 32 bit architecture in /etc/audit/rules.d/* - find: - paths: "/etc/audit/rules.d" -- contains: '^\s*-a\s+always,exit\s+-F\s+arch=b32\s+.*-S\s+.*{{ item }}.*$' -+ contains: '^\s*-a\s+always,exit\s+-F\s+arch=b32\s+.*-S\s+.*[\s,]+{{ item }}[\s,]+.*$' - patterns: "*.rules" - register: audit_kernel_found_32_rules_d - loop: "{{ syscalls }}" -@@ -38,7 +38,7 @@ - - name: Check existence of syscalls for 64 bit architecture in /etc/audit/rules.d/* - find: - paths: "/etc/audit/rules.d" -- contains: '^\s*-a\s+always,exit\s+-F\s+arch=b64\s+.*-S\s+.*{{ item }}.*$' -+ contains: '^\s*-a\s+always,exit\s+-F\s+arch=b64\s+.*-S\s+.*[\s,]+{{ item }}[\s,]+.*$' - patterns: "*.rules" - register: audit_kernel_found_64_rules_d - loop: "{{ syscalls }}" -@@ -49,7 +49,7 @@ - - name: Check existence of syscalls for 32 bit architecture in /etc/audit/audit.rules - find: - paths: "/etc/audit" -- contains: '^\s*-a\s+always,exit\s+-F\s+arch=b32\s+.*-S\s+.*{{ item }}.*$' -+ contains: '^\s*-a\s+always,exit\s+-F\s+arch=b32\s+.*-S\s+.*[\s,]+{{ item }}[\s,]+.*$' - patterns: "audit.rules" - register: audit_kernel_found_32_audit_rules - loop: "{{ syscalls }}" -@@ -60,7 +60,7 @@ - - name: Check existence of syscalls for 64 bit architecture in /etc/audit/audit.rules - find: - paths: "/etc/audit" -- contains: '^\s*-a\s+always,exit\s+-F\s+arch=b64\s+.*-S\s+.*{{ item }}.*$' -+ contains: '^\s*-a\s+always,exit\s+-F\s+arch=b64\s+.*-S\s+.*[\s,]+{{ item }}[\s,]+.*$' - patterns: "audit.rules" - register: audit_kernel_found_64_audit_rules - loop: "{{ syscalls }}" -@@ -70,7 +70,7 @@ - - - # --# Inserts/replaces the rule in /etc/audit/rules.d -+# Inserts the rule in /etc/audit/rules.d - # - - - name: Search /etc/audit/rules.d for other kernel module loading audit rules -@@ -93,17 +93,17 @@ - - "{{ find_modules.files | map(attribute='path') | list | first }}" - when: find_modules.matched is defined and find_modules.matched > 0 - --- name: Inserts/replaces the modules rule in rules.d when on x86 -+- name: Inserts the modules rule in rules.d when on x86 - block: -- - name: start the line -+ - name: "Construct rule: add rule list, action and arch" - set_fact: tmpline="-a always,exit -F arch=b32 " -- - name: add syscalls -+ - name: "Construct rule: add syscalls" - set_fact: tmpline="{{tmpline + '-S ' + item.item + ' ' }}" - loop: "{{ audit_kernel_found_32_rules_d.results }}" - when: item.matched is defined and item.matched == 0 -- - name: finish the line -+ - name: "Construct rule: add key" - set_fact: tmpline="{{ tmpline + '-k modules' }}" -- - name: insert/replace the line in appropriate file -+ - name: insert the line in appropriate file - lineinfile: - path: "{{ all_files[0] }}" - line: "{{ tmpline }}" -@@ -111,17 +111,17 @@ - state: present - when: audit_kernel_matched_32_rules_d < audit_kernel_number_of_syscalls - --- name: Inserts/replaces the modules rule in rules.d when on x86_64 -+- name: Inserts the modules rule in rules.d when on x86_64 - block: -- - name: start the line -+ - name: "Construct rule: add rule list, action and arch" - set_fact: tmpline="-a always,exit -F arch=b64 " -- - name: add syscalls -+ - name: "Construct rule: add syscalls" - set_fact: tmpline="{{tmpline + '-S ' + item.item + ' ' }}" - loop: "{{ audit_kernel_found_64_rules_d.results }}" - when: item.matched is defined and item.matched == 0 -- - name: finish the line -+ - name: "Construct rule: add key" - set_fact: tmpline="{{ tmpline + '-k modules' }}" -- - name: insert/replace the line in appropriate file -+ - name: insert the line in appropriate file - lineinfile: - path: "{{ all_files[0] }}" - line: "{{ tmpline }}" -@@ -131,20 +131,20 @@ - - - # --# Inserts/replaces the rule in /etc/audit/audit.rules -+# Inserts the rule in /etc/audit/audit.rules - # - --- name: Inserts/replaces the modules rule in audit.rules when on x86 -+- name: Inserts the modules rule in audit.rules when on x86 - block: -- - name: start the line -+ - name: "Construct rule: add rule list, action and arch" - set_fact: tmpline="-a always,exit -F arch=b32 " -- - name: add syscalls -+ - name: "Construct rule: add syscalls" - set_fact: tmpline="{{tmpline + '-S ' + item.item + ' ' }}" - loop: "{{ audit_kernel_found_32_audit_rules.results }}" - when: item.matched is defined and item.matched == 0 -- - name: finish the line -+ - name: "Construct rule: add key" - set_fact: tmpline="{{ tmpline + '-k modules' }}" -- - name: insert/replace the line in appropriate file -+ - name: insert the line in appropriate file - lineinfile: - path: "/etc/audit/audit.rules" - line: "{{ tmpline }}" -@@ -152,17 +152,17 @@ - state: present - when: audit_kernel_matched_32_audit_rules < audit_kernel_number_of_syscalls - --- name: Inserts/replaces the modules rule in rules.d when on x86_64 -+- name: Inserts the modules rule in rules.d when on x86_64 - block: -- - name: start the line -+ - name: "Construct rule: add rule list, action and arch" - set_fact: tmpline="-a always,exit -F arch=b64 " -- - name: add syscalls -+ - name: "Construct rule: add syscalls" - set_fact: tmpline="{{tmpline + '-S ' + item.item + ' ' }}" - loop: "{{ audit_kernel_found_64_audit_rules.results }}" - when: item.matched is defined and item.matched == 0 -- - name: finish the line -+ - name: "Construct rule: add key" - set_fact: tmpline="{{ tmpline + '-k modules' }}" -- - name: insert/replace the line in appropriate file -+ - name: insert the line in appropriate file - lineinfile: - path: "/etc/audit/audit.rules" - line: "{{ tmpline }}" - -From 391d2319bd0091271ff927300211eb0462aa84c3 Mon Sep 17 00:00:00 2001 -From: Vojtech Polasek -Date: Fri, 24 Apr 2020 16:07:36 +0200 -Subject: [PATCH 6/8] reorder tasks to improve readability - ---- - .../ansible/shared.yml | 54 +++++++++---------- - 1 file changed, 26 insertions(+), 28 deletions(-) - -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/ansible/shared.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/ansible/shared.yml -index c82077b57a..865e77ed40 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/ansible/shared.yml -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/ansible/shared.yml -@@ -23,6 +23,9 @@ - - name: declare number of syscalls - set_fact: audit_kernel_number_of_syscalls="{{ syscalls|length|int }}" - -+# -+#rules in /etc/audit/rules.d/* -+# - - - name: Check existence of syscalls for 32 bit architecture in /etc/audit/rules.d/* - find: -@@ -46,33 +49,6 @@ - - name: get number of matched 64 bit syscalls in /etc/audit/rules.d/* - set_fact: audit_kernel_matched_64_rules_d="{{audit_kernel_found_64_rules_d.results|sum(attribute='matched')|int }}" - --- name: Check existence of syscalls for 32 bit architecture in /etc/audit/audit.rules -- find: -- paths: "/etc/audit" -- contains: '^\s*-a\s+always,exit\s+-F\s+arch=b32\s+.*-S\s+.*[\s,]+{{ item }}[\s,]+.*$' -- patterns: "audit.rules" -- register: audit_kernel_found_32_audit_rules -- loop: "{{ syscalls }}" -- --- name: get number of matched 32 bit syscalls in /etc/audit/audit.rules -- set_fact: audit_kernel_matched_32_audit_rules="{{audit_kernel_found_32_audit_rules.results|sum(attribute='matched')|int }}" -- --- name: Check existence of syscalls for 64 bit architecture in /etc/audit/audit.rules -- find: -- paths: "/etc/audit" -- contains: '^\s*-a\s+always,exit\s+-F\s+arch=b64\s+.*-S\s+.*[\s,]+{{ item }}[\s,]+.*$' -- patterns: "audit.rules" -- register: audit_kernel_found_64_audit_rules -- loop: "{{ syscalls }}" -- --- name: get number of matched 64 bit syscalls in /etc/audit/rules.d/* -- set_fact: audit_kernel_matched_64_audit_rules="{{audit_kernel_found_64_audit_rules.results|sum(attribute='matched')|int }}" -- -- --# --# Inserts the rule in /etc/audit/rules.d --# -- - - name: Search /etc/audit/rules.d for other kernel module loading audit rules - find: - paths: "/etc/audit/rules.d" -@@ -131,9 +107,31 @@ - - - # --# Inserts the rule in /etc/audit/audit.rules -+# rules in /etc/audit/audit.rules - # - -+- name: Check existence of syscalls for 32 bit architecture in /etc/audit/audit.rules -+ find: -+ paths: "/etc/audit" -+ contains: '^\s*-a\s+always,exit\s+-F\s+arch=b32\s+.*-S\s+.*[\s,]+{{ item }}[\s,]+.*$' -+ patterns: "audit.rules" -+ register: audit_kernel_found_32_audit_rules -+ loop: "{{ syscalls }}" -+ -+- name: get number of matched 32 bit syscalls in /etc/audit/audit.rules -+ set_fact: audit_kernel_matched_32_audit_rules="{{audit_kernel_found_32_audit_rules.results|sum(attribute='matched')|int }}" -+ -+- name: Check existence of syscalls for 64 bit architecture in /etc/audit/audit.rules -+ find: -+ paths: "/etc/audit" -+ contains: '^\s*-a\s+always,exit\s+-F\s+arch=b64\s+.*-S\s+.*[\s,]+{{ item }}[\s,]+.*$' -+ patterns: "audit.rules" -+ register: audit_kernel_found_64_audit_rules -+ loop: "{{ syscalls }}" -+ -+- name: get number of matched 64 bit syscalls in /etc/audit/rules.d/* -+ set_fact: audit_kernel_matched_64_audit_rules="{{audit_kernel_found_64_audit_rules.results|sum(attribute='matched')|int }}" -+ - - name: Inserts the modules rule in audit.rules when on x86 - block: - - name: "Construct rule: add rule list, action and arch" - -From c665c7949d8cc765fd489f839b73e38404ec466b Mon Sep 17 00:00:00 2001 -From: Vojtech Polasek -Date: Mon, 27 Apr 2020 09:32:01 +0200 -Subject: [PATCH 7/8] fix task names - ---- - .../ansible/shared.yml | 32 +++++++++---------- - 1 file changed, 16 insertions(+), 16 deletions(-) - -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/ansible/shared.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/ansible/shared.yml -index 865e77ed40..ba45d40dcb 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/ansible/shared.yml -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/ansible/shared.yml -@@ -20,14 +20,14 @@ - - "finit_module" - {{% endif %}} - --- name: declare number of syscalls -+- name: Declare number of syscalls - set_fact: audit_kernel_number_of_syscalls="{{ syscalls|length|int }}" - - # - #rules in /etc/audit/rules.d/* - # - --- name: Check existence of syscalls for 32 bit architecture in /etc/audit/rules.d/* -+- name: Check existence of syscalls for 32 bit architecture in /etc/audit/rules.d/ - find: - paths: "/etc/audit/rules.d" - contains: '^\s*-a\s+always,exit\s+-F\s+arch=b32\s+.*-S\s+.*[\s,]+{{ item }}[\s,]+.*$' -@@ -35,10 +35,10 @@ - register: audit_kernel_found_32_rules_d - loop: "{{ syscalls }}" - --- name: get number of matched 32 bit syscalls in /etc/audit/rules.d/* -+- name: Get number of matched 32 bit syscalls in /etc/audit/rules.d/ - set_fact: audit_kernel_matched_32_rules_d="{{audit_kernel_found_32_rules_d.results|sum(attribute='matched')|int }}" - --- name: Check existence of syscalls for 64 bit architecture in /etc/audit/rules.d/* -+- name: Check existence of syscalls for 64 bit architecture in /etc/audit/rules.d/ - find: - paths: "/etc/audit/rules.d" - contains: '^\s*-a\s+always,exit\s+-F\s+arch=b64\s+.*-S\s+.*[\s,]+{{ item }}[\s,]+.*$' -@@ -46,7 +46,7 @@ - register: audit_kernel_found_64_rules_d - loop: "{{ syscalls }}" - --- name: get number of matched 64 bit syscalls in /etc/audit/rules.d/* -+- name: Get number of matched 64 bit syscalls in /etc/audit/rules.d/ - set_fact: audit_kernel_matched_64_rules_d="{{audit_kernel_found_64_rules_d.results|sum(attribute='matched')|int }}" - - - name: Search /etc/audit/rules.d for other kernel module loading audit rules -@@ -57,7 +57,7 @@ - patterns: "*.rules" - register: find_modules - --- name: If existing kernel module loading ruleset not found, use /etc/audit/rules.d/modules.rules as the recipient for the rule -+- name: Use /etc/audit/rules.d/modules.rules as the recipient for the rule - set_fact: - all_files: - - /etc/audit/rules.d/modules.rules -@@ -69,7 +69,7 @@ - - "{{ find_modules.files | map(attribute='path') | list | first }}" - when: find_modules.matched is defined and find_modules.matched > 0 - --- name: Inserts the modules rule in rules.d when on x86 -+- name: "Insert the modules rule in {{ all_files[0] }} when on x86" - block: - - name: "Construct rule: add rule list, action and arch" - set_fact: tmpline="-a always,exit -F arch=b32 " -@@ -79,7 +79,7 @@ - when: item.matched is defined and item.matched == 0 - - name: "Construct rule: add key" - set_fact: tmpline="{{ tmpline + '-k modules' }}" -- - name: insert the line in appropriate file -+ - name: "Insert the line in {{ all_files[0] }}" - lineinfile: - path: "{{ all_files[0] }}" - line: "{{ tmpline }}" -@@ -87,7 +87,7 @@ - state: present - when: audit_kernel_matched_32_rules_d < audit_kernel_number_of_syscalls - --- name: Inserts the modules rule in rules.d when on x86_64 -+- name: "Insert the modules rule in {{ all_files[0] }} when on x86_64" - block: - - name: "Construct rule: add rule list, action and arch" - set_fact: tmpline="-a always,exit -F arch=b64 " -@@ -97,7 +97,7 @@ - when: item.matched is defined and item.matched == 0 - - name: "Construct rule: add key" - set_fact: tmpline="{{ tmpline + '-k modules' }}" -- - name: insert the line in appropriate file -+ - name: "Insert the line in {{ all_files[0] }}" - lineinfile: - path: "{{ all_files[0] }}" - line: "{{ tmpline }}" -@@ -118,7 +118,7 @@ - register: audit_kernel_found_32_audit_rules - loop: "{{ syscalls }}" - --- name: get number of matched 32 bit syscalls in /etc/audit/audit.rules -+- name: Get number of matched 32 bit syscalls in /etc/audit/audit.rules - set_fact: audit_kernel_matched_32_audit_rules="{{audit_kernel_found_32_audit_rules.results|sum(attribute='matched')|int }}" - - - name: Check existence of syscalls for 64 bit architecture in /etc/audit/audit.rules -@@ -129,10 +129,10 @@ - register: audit_kernel_found_64_audit_rules - loop: "{{ syscalls }}" - --- name: get number of matched 64 bit syscalls in /etc/audit/rules.d/* -+- name: Get number of matched 64 bit syscalls in /etc/audit/rules.d/* - set_fact: audit_kernel_matched_64_audit_rules="{{audit_kernel_found_64_audit_rules.results|sum(attribute='matched')|int }}" - --- name: Inserts the modules rule in audit.rules when on x86 -+- name: Insert the modules rule in /etc/audit/audit.rules when on x86 - block: - - name: "Construct rule: add rule list, action and arch" - set_fact: tmpline="-a always,exit -F arch=b32 " -@@ -142,7 +142,7 @@ - when: item.matched is defined and item.matched == 0 - - name: "Construct rule: add key" - set_fact: tmpline="{{ tmpline + '-k modules' }}" -- - name: insert the line in appropriate file -+ - name: Insert the line in /etc/audit/audit.rules - lineinfile: - path: "/etc/audit/audit.rules" - line: "{{ tmpline }}" -@@ -150,7 +150,7 @@ - state: present - when: audit_kernel_matched_32_audit_rules < audit_kernel_number_of_syscalls - --- name: Inserts the modules rule in rules.d when on x86_64 -+- name: Insert the modules rule in /etc/audit/rules.d when on x86_64 - block: - - name: "Construct rule: add rule list, action and arch" - set_fact: tmpline="-a always,exit -F arch=b64 " -@@ -160,7 +160,7 @@ - when: item.matched is defined and item.matched == 0 - - name: "Construct rule: add key" - set_fact: tmpline="{{ tmpline + '-k modules' }}" -- - name: insert the line in appropriate file -+ - name: Insert the line in /etc/audit/audit.rules - lineinfile: - path: "/etc/audit/audit.rules" - line: "{{ tmpline }}" - -From f8c997abea70edc40c29afd81f134da788f7c1b2 Mon Sep 17 00:00:00 2001 -From: Vojtech Polasek -Date: Mon, 27 Apr 2020 11:59:25 +0200 -Subject: [PATCH 8/8] fix regex to prevent duplicate lines - ---- - .../audit_rules_kernel_module_loading/ansible/shared.yml | 8 ++++---- - 1 file changed, 4 insertions(+), 4 deletions(-) - -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/ansible/shared.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/ansible/shared.yml -index ba45d40dcb..9d028a598d 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/ansible/shared.yml -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/ansible/shared.yml -@@ -30,7 +30,7 @@ - - name: Check existence of syscalls for 32 bit architecture in /etc/audit/rules.d/ - find: - paths: "/etc/audit/rules.d" -- contains: '^\s*-a\s+always,exit\s+-F\s+arch=b32\s+.*-S\s+.*[\s,]+{{ item }}[\s,]+.*$' -+ contains: '^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+{{ item }}[\s]+|([\s]+|[,]){{ item }}([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$' - patterns: "*.rules" - register: audit_kernel_found_32_rules_d - loop: "{{ syscalls }}" -@@ -41,7 +41,7 @@ - - name: Check existence of syscalls for 64 bit architecture in /etc/audit/rules.d/ - find: - paths: "/etc/audit/rules.d" -- contains: '^\s*-a\s+always,exit\s+-F\s+arch=b64\s+.*-S\s+.*[\s,]+{{ item }}[\s,]+.*$' -+ contains: '^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+{{ item }}[\s]+|([\s]+|[,]){{ item }}([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$' - patterns: "*.rules" - register: audit_kernel_found_64_rules_d - loop: "{{ syscalls }}" -@@ -113,7 +113,7 @@ - - name: Check existence of syscalls for 32 bit architecture in /etc/audit/audit.rules - find: - paths: "/etc/audit" -- contains: '^\s*-a\s+always,exit\s+-F\s+arch=b32\s+.*-S\s+.*[\s,]+{{ item }}[\s,]+.*$' -+ contains: '^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+{{ item }}[\s]+|([\s]+|[,]){{ item }}([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$' - patterns: "audit.rules" - register: audit_kernel_found_32_audit_rules - loop: "{{ syscalls }}" -@@ -124,7 +124,7 @@ - - name: Check existence of syscalls for 64 bit architecture in /etc/audit/audit.rules - find: - paths: "/etc/audit" -- contains: '^\s*-a\s+always,exit\s+-F\s+arch=b64\s+.*-S\s+.*[\s,]+{{ item }}[\s,]+.*$' -+ contains: '^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+{{ item }}[\s]+|([\s]+|[,]){{ item }}([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$' - patterns: "audit.rules" - register: audit_kernel_found_64_audit_rules - loop: "{{ syscalls }}" diff --git a/SOURCES/scap-security-guide-0.1.50-ansible_audit_sysadmin_actions_PR_5288.patch b/SOURCES/scap-security-guide-0.1.50-ansible_audit_sysadmin_actions_PR_5288.patch deleted file mode 100644 index ecf186e..0000000 --- a/SOURCES/scap-security-guide-0.1.50-ansible_audit_sysadmin_actions_PR_5288.patch +++ /dev/null @@ -1,185 +0,0 @@ -From f65d1b37c7433085f19dc10454067be7d0bfb180 Mon Sep 17 00:00:00 2001 -From: Watson Sato -Date: Thu, 12 Mar 2020 16:27:53 +0100 -Subject: [PATCH 1/3] Fix remediatino for /etc/sudoers.d/ and OVAL check - -Add missing '/' to remediation and add OVAL checks for /etc/sudoers.d/. ---- - .../bash/shared.sh | 4 ++-- - .../oval/shared.xml | 20 +++++++++++++++++++ - 2 files changed, 22 insertions(+), 2 deletions(-) - -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sysadmin_actions/bash/shared.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sysadmin_actions/bash/shared.sh -index 8e38874006..b6a4e7ef41 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sysadmin_actions/bash/shared.sh -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sysadmin_actions/bash/shared.sh -@@ -7,5 +7,5 @@ - fix_audit_watch_rule "auditctl" "/etc/sudoers" "wa" "actions" - fix_audit_watch_rule "augenrules" "/etc/sudoers" "wa" "actions" - --fix_audit_watch_rule "auditctl" "/etc/sudoers.d" "wa" "actions" --fix_audit_watch_rule "augenrules" "/etc/sudoers.d" "wa" "actions" -+fix_audit_watch_rule "auditctl" "/etc/sudoers.d/" "wa" "actions" -+fix_audit_watch_rule "augenrules" "/etc/sudoers.d/" "wa" "actions" -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sysadmin_actions/oval/shared.xml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sysadmin_actions/oval/shared.xml -index 172d2216b2..136630e695 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sysadmin_actions/oval/shared.xml -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sysadmin_actions/oval/shared.xml -@@ -9,10 +9,12 @@ - - - -+ - - - - -+ - - -
-@@ -26,6 +28,15 @@ - 1 - - -+ -+ -+ -+ -+ ^/etc/audit/rules\.d/.*\.rules$ -+ ^\-w[\s]+/etc/sudoers\.d/[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b[\s]+(-k[\s]+|-F[\s]+key=)[-\w]+[\s]*$ -+ 1 -+ -+ - - - -@@ -35,4 +46,13 @@ - 1 - - -+ -+ -+ -+ -+ /etc/audit/audit.rules -+ ^\-w[\s]+/etc/sudoers\.d/[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b[\s]+(-k[\s]+|-F[\s]+key=)[-\w]+[\s]*$ -+ 1 -+ -+ -
- -From 2aa6680981aa0f730c671106ca019c357b3beba7 Mon Sep 17 00:00:00 2001 -From: Watson Sato -Date: Fri, 13 Mar 2020 18:33:38 +0100 -Subject: [PATCH 2/3] Add Ansible for audit_rules_sysadmin_actions - ---- - .../ansible/shared.yml | 53 +++++++++++++++++++ - 1 file changed, 53 insertions(+) - create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sysadmin_actions/ansible/shared.yml - -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sysadmin_actions/ansible/shared.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sysadmin_actions/ansible/shared.yml -new file mode 100644 -index 0000000000..6700eea565 ---- /dev/null -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sysadmin_actions/ansible/shared.yml -@@ -0,0 +1,53 @@ -+# platform = multi_platform_all -+# reboot = false -+# strategy = restrict -+# complexity = low -+# disruption = low -+ -+# Inserts/replaces the rule in /etc/audit/rules.d -+ -+- name: Search /etc/audit/rules.d for audit rule entries for sysadmin actions -+ find: -+ paths: "/etc/audit/rules.d" -+ recurse: no -+ contains: "^.*/etc/sudoers.*$" -+ patterns: "*.rules" -+ register: find_audit_sysadmin_actions -+ -+- name: Use /etc/audit/rules.d/actions.rules as the recipient for the rule -+ set_fact: -+ all_sysadmin_actions_files: -+ - /etc/audit/rules.d/actions.rules -+ when: find_audit_sysadmin_actions.matched is defined and find_audit_sysadmin_actions.matched == 0 -+ -+- name: Use matched file as the recipient for the rule -+ set_fact: -+ all_sysadmin_actions_files: -+ - "{{ find_audit_sysadmin_actions.files | map(attribute='path') | list | first }}" -+ when: find_audit_sysadmin_actions.matched is defined and find_audit_sysadmin_actions.matched > 0 -+ -+- name: Inserts/replaces audit rule for /etc/sudoers rule in rules.d -+ lineinfile: -+ path: "{{ all_sysadmin_actions_files[0] }}" -+ line: '-w /etc/sudoers -p wa -k actions' -+ create: yes -+ -+- name: Inserts/replaces audit rule for /etc/sudoers.d rule in rules.d -+ lineinfile: -+ path: "{{ all_sysadmin_actions_files[0] }}" -+ line: '-w /etc/sudoers.d/ -p wa -k actions' -+ create: yes -+ -+# Inserts/replaces the {{{ NAME }}} rule in /etc/audit/audit.rules -+ -+- name: Inserts/replaces audit rule for /etc/sudoers in audit.rules -+ lineinfile: -+ path: /etc/audit/audit.rules -+ line: '-w /etc/sudoers -p wa -k actions' -+ create: yes -+ -+- name: Inserts/replaces audit rule for /etc/sudoers.d in audit.rules -+ lineinfile: -+ path: /etc/audit/audit.rules -+ line: '-w /etc/sudoers.d/ -p wa -k actions' -+ create: yes - -From 3d5cc1d32fa7c4e2c3de11d178c33459804d1a58 Mon Sep 17 00:00:00 2001 -From: Watson Sato -Date: Fri, 13 Mar 2020 18:42:05 +0100 -Subject: [PATCH 3/3] Simple tests for audit_rules_sysadmin_actions - ---- - .../audit_rules_sysadmin_actions/tests/correct.pass.sh | 4 ++++ - .../audit_rules_sysadmin_actions/tests/empty.fail.sh | 4 ++++ - .../audit_rules_sysadmin_actions/tests/missing_slash.fail.sh | 4 ++++ - 3 files changed, 12 insertions(+) - create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sysadmin_actions/tests/correct.pass.sh - create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sysadmin_actions/tests/empty.fail.sh - create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sysadmin_actions/tests/missing_slash.fail.sh - -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sysadmin_actions/tests/correct.pass.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sysadmin_actions/tests/correct.pass.sh -new file mode 100644 -index 0000000000..4d5f09b7b8 ---- /dev/null -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sysadmin_actions/tests/correct.pass.sh -@@ -0,0 +1,4 @@ -+# profiles = xccdf_org.ssgproject.content_profile_pci-dss -+ -+echo "-w /etc/sudoers -p wa -k actions" >> /etc/audit/rules.d/actions.rules -+echo "-w /etc/sudoers.d/ -p wa -k actions" >> /etc/audit/rules.d/actions.rules -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sysadmin_actions/tests/empty.fail.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sysadmin_actions/tests/empty.fail.sh -new file mode 100644 -index 0000000000..c14af6a088 ---- /dev/null -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sysadmin_actions/tests/empty.fail.sh -@@ -0,0 +1,4 @@ -+# profiles = xccdf_org.ssgproject.content_profile_pci-dss -+ -+rm -f /etc/audit/rules.d/* -+> /etc/audit/audit.rules -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sysadmin_actions/tests/missing_slash.fail.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sysadmin_actions/tests/missing_slash.fail.sh -new file mode 100644 -index 0000000000..09af980183 ---- /dev/null -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sysadmin_actions/tests/missing_slash.fail.sh -@@ -0,0 +1,4 @@ -+# profiles = xccdf_org.ssgproject.content_profile_pci-dss -+ -+echo "-w /etc/sudoers -p wa -k actions" >> /etc/audit/rules.d/actions.rules -+echo "-w /etc/sudoers.d -p wa -k actions" >> /etc/audit/rules.d/actions.rules diff --git a/SOURCES/scap-security-guide-0.1.50-audit_data_retention_reference_PR_5294.patch b/SOURCES/scap-security-guide-0.1.50-audit_data_retention_reference_PR_5294.patch deleted file mode 100644 index e95b8f4..0000000 --- a/SOURCES/scap-security-guide-0.1.50-audit_data_retention_reference_PR_5294.patch +++ /dev/null @@ -1,23 +0,0 @@ -From 3aac5ee7def088ed0e24540753c3d8cb8dd3ed56 Mon Sep 17 00:00:00 2001 -From: Watson Sato -Date: Mon, 16 Mar 2020 16:47:04 +0100 -Subject: [PATCH] Update audit data retention selects and variables - -Select variable values, and also fix rule selected twice. ---- - .../auditd_data_retention_space_left_action/rule.yml | 2 +- - 2 files changed, 4 insertions(+), 5 deletions(-) - -diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left_action/rule.yml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left_action/rule.yml -index 1ffa489a3f..07747138ed 100644 ---- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left_action/rule.yml -+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left_action/rule.yml -@@ -39,7 +39,7 @@ references: - srg@rhel6: SRG-OS-000045 - disa@rhel6: 140,143 - stigid@rhel7: "030340" -- cis: 5.2.1.2 -+ cis@rhel8: 4.1.2.3 - cjis: 5.4.1.1 - cui: 3.3.1 - disa: "1855" diff --git a/SOURCES/scap-security-guide-0.1.50-audit_installed_reference_PR_5292.patch b/SOURCES/scap-security-guide-0.1.50-audit_installed_reference_PR_5292.patch deleted file mode 100644 index 248d0e1..0000000 --- a/SOURCES/scap-security-guide-0.1.50-audit_installed_reference_PR_5292.patch +++ /dev/null @@ -1,22 +0,0 @@ -From aa8d8a96e6598482ef4ed518d739bf50385dcbb9 Mon Sep 17 00:00:00 2001 -From: Watson Sato -Date: Mon, 16 Mar 2020 16:11:31 +0100 -Subject: [PATCH] Add package_audit_installed - -Package audit depends on audit-libs. ---- - linux_os/guide/system/auditing/package_audit_installed/rule.yml | 1 + - 2 files changed, 2 insertions(+), 1 deletion(-) - -diff --git a/linux_os/guide/system/auditing/package_audit_installed/rule.yml b/linux_os/guide/system/auditing/package_audit_installed/rule.yml -index a5cea0c971..40ed326d2a 100644 ---- a/linux_os/guide/system/auditing/package_audit_installed/rule.yml -+++ b/linux_os/guide/system/auditing/package_audit_installed/rule.yml -@@ -20,6 +20,7 @@ references: - nist: AC-7(a),AU-7(1),AU-7(2),AU-14,AU-12(2),AU-2(a),CM-6(a) - anssi: NT28(R50) - srg: SRG-OS-000480-GPOS-00227,SRG-OS-000122-GPOS-00063 -+ cis@rhel8: 4.1.1.1 - - template: - name: package_installed diff --git a/SOURCES/scap-security-guide-0.1.50-audit_login_events_references_PR_5296.patch b/SOURCES/scap-security-guide-0.1.50-audit_login_events_references_PR_5296.patch deleted file mode 100644 index 8174387..0000000 --- a/SOURCES/scap-security-guide-0.1.50-audit_login_events_references_PR_5296.patch +++ /dev/null @@ -1,84 +0,0 @@ -From f1889f8d92324bea16a6f41726ec0bbca52ef0f2 Mon Sep 17 00:00:00 2001 -From: Watson Sato -Date: Mon, 16 Mar 2020 17:34:12 +0100 -Subject: [PATCH 1/2] Select rules for audit login events - ---- - .../audit_login_events/audit_rules_login_events/rule.yml | 1 - - .../audit_rules_login_events_faillock/rule.yml | 1 + - .../audit_rules_login_events_lastlog/rule.yml | 2 +- - 4 files changed, 4 insertions(+), 7 deletions(-) - -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events/rule.yml -index 45367cf313..0a9a73caac 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events/rule.yml -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events/rule.yml -@@ -34,7 +34,6 @@ identifiers: - references: - nist@rhel6: AC-3(10) - nist-csf@rhel6: PR.AC-4,PR.AC-6,PR.PT-3 -- cis: 5.2.8 - cjis: 5.4.1.1 - cui: 3.1.7 - disa: 172,2884 -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_faillock/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_faillock/rule.yml -index 4d2af18816..257e99fb48 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_faillock/rule.yml -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_faillock/rule.yml -@@ -31,6 +31,7 @@ identifiers: - - references: - cis: 5.2.8 -+ cis@rhel8: 4.1.4 - cui: 3.1.7 - disa: 172,2884,126 - hipaa: 164.308(a)(1)(ii)(D),164.308(a)(3)(ii)(A),164.308(a)(5)(ii)(C),164.312(a)(2)(i),164.312(b),164.312(d),164.312(e) -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_lastlog/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_lastlog/rule.yml -index 355004ae98..7400d6a0d3 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_lastlog/rule.yml -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_lastlog/rule.yml -@@ -30,7 +30,7 @@ identifiers: - cce@ocp4: 82584-4 - - references: -- cis: 5.2.8 -+ cis@rhel8: 4.1.4 - cui: 3.1.7 - disa: 172,2884,126 - hipaa: 164.308(a)(1)(ii)(D),164.308(a)(3)(ii)(A),164.308(a)(5)(ii)(C),164.312(a)(2)(i),164.312(b),164.312(d),164.312(e) - -From a6d171b6fcea7042b17e07b2e8598c5523d92f28 Mon Sep 17 00:00:00 2001 -From: Watson Sato -Date: Thu, 19 Mar 2020 11:44:51 +0100 -Subject: [PATCH 2/2] Add RHEL7 CIS references for login events rules - ---- - .../audit_rules_login_events_faillock/rule.yml | 2 +- - .../audit_rules_login_events_lastlog/rule.yml | 1 + - 2 files changed, 2 insertions(+), 1 deletion(-) - -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_faillock/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_faillock/rule.yml -index 257e99fb48..eacab5f522 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_faillock/rule.yml -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_faillock/rule.yml -@@ -30,7 +30,7 @@ identifiers: - cce@ocp4: 82583-6 - - references: -- cis: 5.2.8 -+ cis@rhel7: 4.1.8 - cis@rhel8: 4.1.4 - cui: 3.1.7 - disa: 172,2884,126 -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_lastlog/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_lastlog/rule.yml -index 7400d6a0d3..7fce76ab02 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_lastlog/rule.yml -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_lastlog/rule.yml -@@ -30,6 +30,7 @@ identifiers: - cce@ocp4: 82584-4 - - references: -+ cis@rhel7: 4.1.8 - cis@rhel8: 4.1.4 - cui: 3.1.7 - disa: 172,2884,126 diff --git a/SOURCES/scap-security-guide-0.1.50-banner_permissions_and_owners_PR_5302.patch b/SOURCES/scap-security-guide-0.1.50-banner_permissions_and_owners_PR_5302.patch deleted file mode 100644 index 973b27d..0000000 --- a/SOURCES/scap-security-guide-0.1.50-banner_permissions_and_owners_PR_5302.patch +++ /dev/null @@ -1,416 +0,0 @@ -From 6b015c09b43ecac4226c5bcf974794a1b2a8d557 Mon Sep 17 00:00:00 2001 -From: Watson Sato -Date: Tue, 17 Mar 2020 17:27:09 +0100 -Subject: [PATCH 1/8] Add rule for permissions of /etc/motd - ---- - .../file_permissions_etc_motd/rule.yml | 33 +++++++++++++++++++ - 3 files changed, 35 insertions(+), 3 deletions(-) - create mode 100644 linux_os/guide/system/accounts/accounts-banners/file_permissions_etc_motd/rule.yml - -diff --git a/linux_os/guide/system/accounts/accounts-banners/file_permissions_etc_motd/rule.yml b/linux_os/guide/system/accounts/accounts-banners/file_permissions_etc_motd/rule.yml -new file mode 100644 -index 0000000000..6d81eb43d1 ---- /dev/null -+++ b/linux_os/guide/system/accounts/accounts-banners/file_permissions_etc_motd/rule.yml -@@ -0,0 +1,33 @@ -+documentation_complete: true -+ -+title: 'Verify permissions on Message of the Day Banner' -+ -+description: |- -+ {{{ describe_file_permissions(file="/etc/motd", perms="0644") }}} -+ -+rationale: |- -+ Display of a standardized and approved use notification before granting -+ access to the operating system ensures privacy and security notification -+ verbiage used is consistent with applicable federal laws, Executive Orders, -+ directives, policies, regulations, standards, and guidance.
-+ Proper permissions will ensure that only root user can modify the banner. -+ -+severity: medium -+ -+identifiers: -+ cce@rhel7: 83337-6 -+ cce@rhel8: 83338-4 -+ -+references: -+ cis@rhel7: 1.7.1.4 -+ cis@rhel8: 1.8.1.4 -+ -+ocil_clause: '{{{ ocil_clause_file_permissions(file="/etc/motd", perms="-rw-r--r--") }}}' -+ -+ocil: '{{{ ocil_file_permissions(file="/etc/motd", perms="-rw-r--r--") }}}' -+ -+template: -+ name: file_permissions -+ vars: -+ filepath: /etc/motd -+ filemode: '0644' -From 9448111043016e27bc319cfc6606361edd235f38 Mon Sep 17 00:00:00 2001 -From: Watson Sato -Date: Tue, 17 Mar 2020 17:47:09 +0100 -Subject: [PATCH 2/8] Add rule for permissions of /etc/issue - ---- - .../file_permissions_etc_issue/rule.yml | 33 +++++++++++++++++++ - 3 files changed, 35 insertions(+), 3 deletions(-) - create mode 100644 linux_os/guide/system/accounts/accounts-banners/file_permissions_etc_issue/rule.yml - -diff --git a/linux_os/guide/system/accounts/accounts-banners/file_permissions_etc_issue/rule.yml b/linux_os/guide/system/accounts/accounts-banners/file_permissions_etc_issue/rule.yml -new file mode 100644 -index 0000000000..323c3b93b6 ---- /dev/null -+++ b/linux_os/guide/system/accounts/accounts-banners/file_permissions_etc_issue/rule.yml -@@ -0,0 +1,33 @@ -+documentation_complete: true -+ -+title: 'Verify permissions on System Login Banner' -+ -+description: |- -+ {{{ describe_file_permissions(file="/etc/issue", perms="0644") }}} -+ -+rationale: |- -+ Display of a standardized and approved use notification before granting -+ access to the operating system ensures privacy and security notification -+ verbiage used is consistent with applicable federal laws, Executive Orders, -+ directives, policies, regulations, standards, and guidance.
-+ Proper permissions will ensure that only root user can modify the banner. -+ -+severity: medium -+ -+identifiers: -+ cce@rhel7: 83347-5 -+ cce@rhel8: 83348-3 -+ -+references: -+ cis@rhel7: 1.7.1.5 -+ cis@rhel8: 1.8.1.5 -+ -+ocil_clause: '{{{ ocil_clause_file_permissions(file="/etc/issue", perms="-rw-r--r--") }}}' -+ -+ocil: '{{{ ocil_file_permissions(file="/etc/issue", perms="-rw-r--r--") }}}' -+ -+template: -+ name: file_permissions -+ vars: -+ filepath: /etc/issue -+ filemode: '0644' -From 927265b500b38a9ba0eefd94ecce5de4c8fc3ac2 Mon Sep 17 00:00:00 2001 -From: Watson Sato -Date: Tue, 17 Mar 2020 19:12:48 +0100 -Subject: [PATCH 3/8] Select rules for /etc/crontab permissions - ---- - .../services/cron_and_at/file_groupowner_crontab/rule.yml | 3 ++- - .../guide/services/cron_and_at/file_owner_crontab/rule.yml | 3 ++- - .../services/cron_and_at/file_permissions_crontab/rule.yml | 3 ++- - 4 files changed, 11 insertions(+), 4 deletions(-) - -diff --git a/linux_os/guide/services/cron_and_at/file_groupowner_crontab/rule.yml b/linux_os/guide/services/cron_and_at/file_groupowner_crontab/rule.yml -index 8df80cb535..29d0c882b4 100644 ---- a/linux_os/guide/services/cron_and_at/file_groupowner_crontab/rule.yml -+++ b/linux_os/guide/services/cron_and_at/file_groupowner_crontab/rule.yml -@@ -20,7 +20,8 @@ identifiers: - cce@rhel8: 82223-9 - - references: -- cis: 5.1.2 -+ cis@rhel7: 5.1.2 -+ cis@rhel8: 5.1.2 - nist: CM-6(a),AC-6(1) - nist-csf: PR.AC-4,PR.DS-5 - srg: SRG-OS-000480-GPOS-00227 -diff --git a/linux_os/guide/services/cron_and_at/file_owner_crontab/rule.yml b/linux_os/guide/services/cron_and_at/file_owner_crontab/rule.yml -index a10a283a86..6ac696229f 100644 ---- a/linux_os/guide/services/cron_and_at/file_owner_crontab/rule.yml -+++ b/linux_os/guide/services/cron_and_at/file_owner_crontab/rule.yml -@@ -20,7 +20,8 @@ identifiers: - cce@rhel8: 82224-7 - - references: -- cis: 5.1.2 -+ cis@rhel7: 5.1.2 -+ cis@rhel8: 5.1.2 - nist: CM-6(a),AC-6(1) - nist-csf: PR.AC-4,PR.DS-5 - srg: SRG-OS-000480-GPOS-00227 -diff --git a/linux_os/guide/services/cron_and_at/file_permissions_crontab/rule.yml b/linux_os/guide/services/cron_and_at/file_permissions_crontab/rule.yml -index 126bffd0bb..f587ab67ef 100644 ---- a/linux_os/guide/services/cron_and_at/file_permissions_crontab/rule.yml -+++ b/linux_os/guide/services/cron_and_at/file_permissions_crontab/rule.yml -@@ -20,7 +20,8 @@ identifiers: - cce@rhel8: 82206-4 - - references: -- cis: 5.1.2 -+ cis@rhel7: 5.1.2 -+ cis@rhel8: 5.1.2 - nist: CM-6(a),AC-6(1) - nist-csf: PR.AC-4,PR.DS-5 - srg: SRG-OS-000480-GPOS-00227 -From 51d320c401981dd06d097bb2850c9a7aa6977059 Mon Sep 17 00:00:00 2001 -From: Watson Sato -Date: Tue, 17 Mar 2020 19:16:22 +0100 -Subject: [PATCH 4/8] Select rules for /etc/cron.hourly permissions - ---- - .../cron_and_at/file_groupowner_cron_hourly/rule.yml | 3 ++- - .../services/cron_and_at/file_owner_cron_hourly/rule.yml | 3 ++- - .../cron_and_at/file_permissions_cron_hourly/rule.yml | 3 ++- - 4 files changed, 11 insertions(+), 4 deletions(-) - -diff --git a/linux_os/guide/services/cron_and_at/file_groupowner_cron_hourly/rule.yml b/linux_os/guide/services/cron_and_at/file_groupowner_cron_hourly/rule.yml -index c3545bca73..514dc5510e 100644 ---- a/linux_os/guide/services/cron_and_at/file_groupowner_cron_hourly/rule.yml -+++ b/linux_os/guide/services/cron_and_at/file_groupowner_cron_hourly/rule.yml -@@ -20,7 +20,8 @@ identifiers: - cce@rhel8: 82227-0 - - references: -- cis: 5.1.3 -+ cis@rhel7: 5.1.3 -+ cis@rhel8: 5.1.3 - nist: CM-6(a),AC-6(1) - nist-csf: PR.AC-4,PR.DS-5 - srg: SRG-OS-000480-GPOS-00227 -diff --git a/linux_os/guide/services/cron_and_at/file_owner_cron_hourly/rule.yml b/linux_os/guide/services/cron_and_at/file_owner_cron_hourly/rule.yml -index 298a03bbec..2b4a8c6047 100644 ---- a/linux_os/guide/services/cron_and_at/file_owner_cron_hourly/rule.yml -+++ b/linux_os/guide/services/cron_and_at/file_owner_cron_hourly/rule.yml -@@ -20,7 +20,8 @@ identifiers: - cce@rhel8: 82209-8 - - references: -- cis: 5.1.3 -+ cis@rhel7: 5.1.3 -+ cis@rhel8: 5.1.3 - nist: CM-6(a),AC-6(1) - nist-csf: PR.AC-4,PR.DS-5 - srg: SRG-OS-000480-GPOS-00227 -diff --git a/linux_os/guide/services/cron_and_at/file_permissions_cron_hourly/rule.yml b/linux_os/guide/services/cron_and_at/file_permissions_cron_hourly/rule.yml -index 1d06872cf4..e726d64966 100644 ---- a/linux_os/guide/services/cron_and_at/file_permissions_cron_hourly/rule.yml -+++ b/linux_os/guide/services/cron_and_at/file_permissions_cron_hourly/rule.yml -@@ -20,7 +20,8 @@ identifiers: - cce@rhel8: 82230-4 - - references: -- cis: 5.1.3 -+ cis@rhel7: 5.1.3 -+ cis@rhel8: 5.1.3 - nist: CM-6(a),AC-6(1) - nist-csf: PR.AC-4,PR.DS-5 - srg: SRG-OS-000480-GPOS-00227 -From 94cd82ae26481d8d7343fcc65e6b2f5e88cefd3b Mon Sep 17 00:00:00 2001 -From: Watson Sato -Date: Tue, 17 Mar 2020 19:18:41 +0100 -Subject: [PATCH 5/8] Select rules for /etc/cron.daily permissions - ---- - .../cron_and_at/file_groupowner_cron_daily/rule.yml | 3 ++- - .../services/cron_and_at/file_owner_cron_daily/rule.yml | 3 ++- - .../cron_and_at/file_permissions_cron_daily/rule.yml | 3 ++- - 4 files changed, 11 insertions(+), 4 deletions(-) - -diff --git a/linux_os/guide/services/cron_and_at/file_groupowner_cron_daily/rule.yml b/linux_os/guide/services/cron_and_at/file_groupowner_cron_daily/rule.yml -index 53e1800074..38e4fdde5e 100644 ---- a/linux_os/guide/services/cron_and_at/file_groupowner_cron_daily/rule.yml -+++ b/linux_os/guide/services/cron_and_at/file_groupowner_cron_daily/rule.yml -@@ -20,7 +20,8 @@ identifiers: - cce@rhel8: 82234-6 - - references: -- cis: 5.1.4 -+ cis@rhel7: 5.1.4 -+ cis@rhel8: 5.1.4 - nist: CM-6(a),AC-6(1) - nist-csf: PR.AC-4,PR.DS-5 - srg: SRG-OS-000480-GPOS-00227 -diff --git a/linux_os/guide/services/cron_and_at/file_owner_cron_daily/rule.yml b/linux_os/guide/services/cron_and_at/file_owner_cron_daily/rule.yml -index ed6e76e419..86625ac049 100644 ---- a/linux_os/guide/services/cron_and_at/file_owner_cron_daily/rule.yml -+++ b/linux_os/guide/services/cron_and_at/file_owner_cron_daily/rule.yml -@@ -20,7 +20,8 @@ identifiers: - cce@rhel8: 82237-9 - - references: -- cis: 5.1.4 -+ cis@rhel7: 5.1.4 -+ cis@rhel8: 5.1.4 - nist: CM-6(a),AC-6(1) - nist-csf: PR.AC-4,PR.DS-5 - srg: SRG-OS-000480-GPOS-00227 -diff --git a/linux_os/guide/services/cron_and_at/file_permissions_cron_daily/rule.yml b/linux_os/guide/services/cron_and_at/file_permissions_cron_daily/rule.yml -index 4313ffb6ab..6e57b028cd 100644 ---- a/linux_os/guide/services/cron_and_at/file_permissions_cron_daily/rule.yml -+++ b/linux_os/guide/services/cron_and_at/file_permissions_cron_daily/rule.yml -@@ -20,7 +20,8 @@ identifiers: - cce@rhel8: 82240-3 - - references: -- cis: 5.1.4 -+ cis@rhel7: 5.1.4 -+ cis@rhel8: 5.1.4 - nist: CM-6(a),AC-6(1) - nist-csf: PR.AC-4,PR.DS-5 - srg: SRG-OS-000480-GPOS-00227 -From a8d0f1253631913f27bcb9f6d70b46234feda723 Mon Sep 17 00:00:00 2001 -From: Watson Sato -Date: Tue, 17 Mar 2020 19:21:12 +0100 -Subject: [PATCH 6/8] Select rules for /etc/cron.weekly permissions - ---- - .../cron_and_at/file_groupowner_cron_weekly/rule.yml | 3 ++- - .../services/cron_and_at/file_owner_cron_weekly/rule.yml | 3 ++- - .../cron_and_at/file_permissions_cron_weekly/rule.yml | 3 ++- - 4 files changed, 11 insertions(+), 4 deletions(-) - -diff --git a/linux_os/guide/services/cron_and_at/file_groupowner_cron_weekly/rule.yml b/linux_os/guide/services/cron_and_at/file_groupowner_cron_weekly/rule.yml -index de1ac8c656..4760ea55f6 100644 ---- a/linux_os/guide/services/cron_and_at/file_groupowner_cron_weekly/rule.yml -+++ b/linux_os/guide/services/cron_and_at/file_groupowner_cron_weekly/rule.yml -@@ -20,7 +20,8 @@ identifiers: - cce@rhel8: 82244-5 - - references: -- cis: 5.1.5 -+ cis@rhel7: 5.1.5 -+ cis@rhel8: 5.1.5 - nist: CM-6(a),AC-6(1) - nist-csf: PR.AC-4,PR.DS-5 - srg: SRG-OS-000480-GPOS-00227 -diff --git a/linux_os/guide/services/cron_and_at/file_owner_cron_weekly/rule.yml b/linux_os/guide/services/cron_and_at/file_owner_cron_weekly/rule.yml -index f5bba63516..e5e3de8cd1 100644 ---- a/linux_os/guide/services/cron_and_at/file_owner_cron_weekly/rule.yml -+++ b/linux_os/guide/services/cron_and_at/file_owner_cron_weekly/rule.yml -@@ -20,7 +20,8 @@ identifiers: - cce@rhel8: 82247-8 - - references: -- cis: 5.1.5 -+ cis@rhel7: 5.1.5 -+ cis@rhel8: 5.1.5 - nist: CM-6(a),AC-6(1) - nist-csf: PR.AC-4,PR.DS-5 - srg: SRG-OS-000480-GPOS-00227 -diff --git a/linux_os/guide/services/cron_and_at/file_permissions_cron_weekly/rule.yml b/linux_os/guide/services/cron_and_at/file_permissions_cron_weekly/rule.yml -index 523ea17731..daf345338a 100644 ---- a/linux_os/guide/services/cron_and_at/file_permissions_cron_weekly/rule.yml -+++ b/linux_os/guide/services/cron_and_at/file_permissions_cron_weekly/rule.yml -@@ -20,7 +20,8 @@ identifiers: - cce@rhel8: 82253-6 - - references: -- cis: 5.1.5 -+ cis@rhel7: 5.1.5 -+ cis@rhel8: 5.1.5 - nist: CM-6(a),AC-6(1) - nist-csf: PR.AC-4,PR.DS-5 - srg: SRG-OS-000480-GPOS-00227 -From 35176b1486c57bfd6a981a8719de65f09d200380 Mon Sep 17 00:00:00 2001 -From: Watson Sato -Date: Tue, 17 Mar 2020 19:25:12 +0100 -Subject: [PATCH 7/8] Select rules for /etc/cron.monthly permissions - ---- - .../cron_and_at/file_groupowner_cron_monthly/rule.yml | 3 ++- - .../services/cron_and_at/file_owner_cron_monthly/rule.yml | 3 ++- - .../cron_and_at/file_permissions_cron_monthly/rule.yml | 3 ++- - 4 files changed, 11 insertions(+), 4 deletions(-) - -diff --git a/linux_os/guide/services/cron_and_at/file_groupowner_cron_monthly/rule.yml b/linux_os/guide/services/cron_and_at/file_groupowner_cron_monthly/rule.yml -index a664d78b0a..2a11340ec4 100644 ---- a/linux_os/guide/services/cron_and_at/file_groupowner_cron_monthly/rule.yml -+++ b/linux_os/guide/services/cron_and_at/file_groupowner_cron_monthly/rule.yml -@@ -20,7 +20,8 @@ identifiers: - cce@rhel8: 82256-9 - - references: -- cis: 5.1.6 -+ cis@rhel7: 5.1.6 -+ cis@rhel8: 5.1.6 - nist: CM-6(a),AC-6(1) - nist-csf: PR.AC-4,PR.DS-5 - srg: SRG-OS-000480-GPOS-00227 -diff --git a/linux_os/guide/services/cron_and_at/file_owner_cron_monthly/rule.yml b/linux_os/guide/services/cron_and_at/file_owner_cron_monthly/rule.yml -index 35f2bc19ed..76c671aa06 100644 ---- a/linux_os/guide/services/cron_and_at/file_owner_cron_monthly/rule.yml -+++ b/linux_os/guide/services/cron_and_at/file_owner_cron_monthly/rule.yml -@@ -20,7 +20,8 @@ identifiers: - cce@rhel8: 82260-1 - - references: -- cis: 5.1.6 -+ cis@rhel7: 5.1.6 -+ cis@rhel8: 5.1.6 - nist: CM-6(a),AC-6(1) - nist-csf: PR.AC-4,PR.DS-5 - srg: SRG-OS-000480-GPOS-00227 -diff --git a/linux_os/guide/services/cron_and_at/file_permissions_cron_monthly/rule.yml b/linux_os/guide/services/cron_and_at/file_permissions_cron_monthly/rule.yml -index b4d1863633..cc186ff7a1 100644 ---- a/linux_os/guide/services/cron_and_at/file_permissions_cron_monthly/rule.yml -+++ b/linux_os/guide/services/cron_and_at/file_permissions_cron_monthly/rule.yml -@@ -20,7 +20,8 @@ identifiers: - cce@rhel8: 82263-5 - - references: -- cis: 5.1.6 -+ cis@rhel7: 5.1.6 -+ cis@rhel8: 5.1.6 - nist: CM-6(a),AC-6(1) - nist-csf: PR.AC-4,PR.DS-5 - srg: SRG-OS-000480-GPOS-00227 -From 5b839624790399a1dbca16478fef9b3e628df1d4 Mon Sep 17 00:00:00 2001 -From: Watson Sato -Date: Tue, 17 Mar 2020 19:27:55 +0100 -Subject: [PATCH 8/8] Select rules for /etc/cron.d permissions - ---- - .../services/cron_and_at/file_groupowner_cron_d/rule.yml | 3 ++- - .../guide/services/cron_and_at/file_owner_cron_d/rule.yml | 3 ++- - .../services/cron_and_at/file_permissions_cron_d/rule.yml | 3 ++- - 4 files changed, 11 insertions(+), 4 deletions(-) - -diff --git a/linux_os/guide/services/cron_and_at/file_groupowner_cron_d/rule.yml b/linux_os/guide/services/cron_and_at/file_groupowner_cron_d/rule.yml -index 3add79db18..6b1a3faf05 100644 ---- a/linux_os/guide/services/cron_and_at/file_groupowner_cron_d/rule.yml -+++ b/linux_os/guide/services/cron_and_at/file_groupowner_cron_d/rule.yml -@@ -20,7 +20,8 @@ identifiers: - cce@rhel8: 82268-4 - - references: -- cis: 5.1.7 -+ cis@rhel7: 5.1.7 -+ cis@rhel8: 5.1.7 - nist: CM-6(a),AC-6(1) - nist-csf: PR.AC-4,PR.DS-5 - srg: SRG-OS-000480-GPOS-00227 -diff --git a/linux_os/guide/services/cron_and_at/file_owner_cron_d/rule.yml b/linux_os/guide/services/cron_and_at/file_owner_cron_d/rule.yml -index 8778109761..88586a0268 100644 ---- a/linux_os/guide/services/cron_and_at/file_owner_cron_d/rule.yml -+++ b/linux_os/guide/services/cron_and_at/file_owner_cron_d/rule.yml -@@ -20,7 +20,8 @@ identifiers: - cce@rhel8: 82272-6 - - references: -- cis: 5.1.7 -+ cis@rhel7: 5.1.7 -+ cis@rhel8: 5.1.7 - nist: CM-6(a),AC-6(1) - nist-csf: PR.AC-4,PR.DS-5 - srg: SRG-OS-000480-GPOS-00227 -diff --git a/linux_os/guide/services/cron_and_at/file_permissions_cron_d/rule.yml b/linux_os/guide/services/cron_and_at/file_permissions_cron_d/rule.yml -index cd0dc6167a..f904dce932 100644 ---- a/linux_os/guide/services/cron_and_at/file_permissions_cron_d/rule.yml -+++ b/linux_os/guide/services/cron_and_at/file_permissions_cron_d/rule.yml -@@ -20,7 +20,8 @@ identifiers: - cce@rhel8: 82277-5 - - references: -- cis: 5.1.7 -+ cis@rhel7: 5.1.7 -+ cis@rhel8: 5.1.7 - nist: CM-6(a),AC-6(1) - nist-csf: PR.AC-4,PR.DS-5 - srg: SRG-OS-000480-GPOS-00227 diff --git a/SOURCES/scap-security-guide-0.1.50-change_disable_ipv6_rule_PR_5574.patch b/SOURCES/scap-security-guide-0.1.50-change_disable_ipv6_rule_PR_5574.patch deleted file mode 100644 index 5c3b38f..0000000 --- a/SOURCES/scap-security-guide-0.1.50-change_disable_ipv6_rule_PR_5574.patch +++ /dev/null @@ -1,23 +0,0 @@ -From a75db592d49e0257a51c6aab782c50b3b60eab47 Mon Sep 17 00:00:00 2001 -From: Vojtech Polasek -Date: Wed, 8 Apr 2020 12:35:45 +0200 -Subject: [PATCH] change rules for disabling ipv6 - ---- - rhel7/profiles/cis.profile | 2 +- - 2 files changed, 2 insertions(+), 2 deletions(-) - -diff --git a/rhel7/profiles/cis.profile b/rhel7/profiles/cis.profile -index 739ed27200..a99f87a3c8 100644 ---- a/rhel7/profiles/cis.profile -+++ b/rhel7/profiles/cis.profile -@@ -351,7 +351,7 @@ selections: - - sysctl_net_ipv6_conf_default_accept_redirects - - ### 3.3.3 Ensure IPv6 is disabled (Not Scored) -- - grub2_ipv6_disable_argument -+ - kernel_module_ipv6_option_disabled - - ## 3.4 TCP Wrappers - ### 3.4.1 Ensure TCP Wrappers is installed (Scored) - diff --git a/SOURCES/scap-security-guide-0.1.50-check_banner_owners_and_groupowners_PR_5335.patch b/SOURCES/scap-security-guide-0.1.50-check_banner_owners_and_groupowners_PR_5335.patch deleted file mode 100644 index e6e0901..0000000 --- a/SOURCES/scap-security-guide-0.1.50-check_banner_owners_and_groupowners_PR_5335.patch +++ /dev/null @@ -1,344 +0,0 @@ -From db7bff613cb14543378661c1bf78582ada09d84a Mon Sep 17 00:00:00 2001 -From: Watson Sato -Date: Tue, 24 Mar 2020 09:31:41 +0100 -Subject: [PATCH 1/4] Add rules to check owners of /etc/issue - ---- - .../file_groupowner_etc_issue/rule.yml | 35 +++++++++++++++++++ - .../file_owner_etc_issue/rule.yml | 35 +++++++++++++++++++ - .../file_permissions_etc_issue/rule.yml | 2 ++ - shared/references/cce-redhat-avail.txt | 4 --- - 4 files changed, 72 insertions(+), 4 deletions(-) - create mode 100644 linux_os/guide/system/accounts/accounts-banners/file_groupowner_etc_issue/rule.yml - create mode 100644 linux_os/guide/system/accounts/accounts-banners/file_owner_etc_issue/rule.yml - -diff --git a/linux_os/guide/system/accounts/accounts-banners/file_groupowner_etc_issue/rule.yml b/linux_os/guide/system/accounts/accounts-banners/file_groupowner_etc_issue/rule.yml -new file mode 100644 -index 0000000000..fe22c4ceda ---- /dev/null -+++ b/linux_os/guide/system/accounts/accounts-banners/file_groupowner_etc_issue/rule.yml -@@ -0,0 +1,35 @@ -+documentation_complete: true -+ -+prodtype: fedora,ocp4,ol7,ol8,rhel6,rhel7,rhel8,rhv4,wrlinux1019 -+ -+title: 'Verify group ownership of System Login Banner' -+ -+description: |- -+ {{{ describe_file_group_owner(file="/etc/issue", group="root") }}} -+ -+rationale: |- -+ Display of a standardized and approved use notification before granting -+ access to the operating system ensures privacy and security notification -+ verbiage used is consistent with applicable federal laws, Executive Orders, -+ directives, policies, regulations, standards, and guidance.
-+ Proper group ownership will ensure that only root user can modify the banner. -+ -+severity: medium -+ -+identifiers: -+ cce@rhel7: 83707-0 -+ cce@rhel8: 83708-8 -+ -+references: -+ cis@rhel7: 1.7.1.5 -+ cis@rhel8: 1.8.1.5 -+ -+ocil_clause: '{{{ ocil_clause_file_group_owner(file="/etc/issue", group="root") }}}' -+ -+ocil: '{{{ ocil_file_group_owner(file="/etc/issue", group="root") }}}' -+ -+template: -+ name: file_groupowner -+ vars: -+ filepath: /etc/issue -+ filegid: '0' -diff --git a/linux_os/guide/system/accounts/accounts-banners/file_owner_etc_issue/rule.yml b/linux_os/guide/system/accounts/accounts-banners/file_owner_etc_issue/rule.yml -new file mode 100644 -index 0000000000..1a96fc1bee ---- /dev/null -+++ b/linux_os/guide/system/accounts/accounts-banners/file_owner_etc_issue/rule.yml -@@ -0,0 +1,35 @@ -+documentation_complete: true -+ -+prodtype: fedora,ocp4,ol7,ol8,rhel6,rhel7,rhel8,rhv4,wrlinux1019 -+ -+title: 'Verify ownership of System Login Banner' -+ -+description: |- -+ {{{ describe_file_owner(file="/etc/issue", owner="root") }}} -+ -+rationale: |- -+ Display of a standardized and approved use notification before granting -+ access to the operating system ensures privacy and security notification -+ verbiage used is consistent with applicable federal laws, Executive Orders, -+ directives, policies, regulations, standards, and guidance.
-+ Proper ownership will ensure that only root user can modify the banner. -+ -+severity: medium -+ -+identifiers: -+ cce@rhel7: 83717-9 -+ cce@rhel8: 83718-7 -+ -+references: -+ cis@rhel7: 1.7.1.5 -+ cis@rhel8: 1.8.1.5 -+ -+ocil_clause: '{{{ ocil_clause_file_owner(file="/etc/issue", owner="root") }}}' -+ -+ocil: '{{{ ocil_file_owner(file="/etc/issue", owner="root") }}}' -+ -+template: -+ name: file_owner -+ vars: -+ filepath: /etc/issue -+ fileuid: '0' -diff --git a/linux_os/guide/system/accounts/accounts-banners/file_permissions_etc_issue/rule.yml b/linux_os/guide/system/accounts/accounts-banners/file_permissions_etc_issue/rule.yml -index 323c3b93b6..6082783b89 100644 ---- a/linux_os/guide/system/accounts/accounts-banners/file_permissions_etc_issue/rule.yml -+++ b/linux_os/guide/system/accounts/accounts-banners/file_permissions_etc_issue/rule.yml -@@ -1,5 +1,7 @@ - documentation_complete: true - -+prodtype: fedora,ocp4,ol7,ol8,rhel6,rhel7,rhel8,rhv4,wrlinux1019 -+ - title: 'Verify permissions on System Login Banner' - - description: |- -diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt -index 4a8668ed97..565be50dcf 100644 ---- a/shared/references/cce-redhat-avail.txt -+++ b/shared/references/cce-redhat-avail.txt -@@ -394,8 +394,6 @@ CCE-83703-9 - CCE-83704-7 - CCE-83705-4 - CCE-83706-2 --CCE-83707-0 --CCE-83708-8 - CCE-83709-6 - CCE-83710-4 - CCE-83711-2 -@@ -404,8 +402,6 @@ CCE-83713-8 - CCE-83714-6 - CCE-83715-3 - CCE-83716-1 --CCE-83717-9 --CCE-83718-7 - CCE-83719-5 - CCE-83720-3 - CCE-83721-1 - -From ac323a919cd97ee34d17d96ca20d10e8ad25ac43 Mon Sep 17 00:00:00 2001 -From: Watson Sato -Date: Tue, 24 Mar 2020 09:50:54 +0100 -Subject: [PATCH 2/4] Add rules to check owners of /etc/motd - ---- - .../file_groupowner_etc_motd/rule.yml | 35 +++++++++++++++++++ - .../file_owner_etc_motd/rule.yml | 35 +++++++++++++++++++ - .../file_permissions_etc_motd/rule.yml | 2 ++ - shared/references/cce-redhat-avail.txt | 4 --- - 4 files changed, 72 insertions(+), 4 deletions(-) - create mode 100644 linux_os/guide/system/accounts/accounts-banners/file_groupowner_etc_motd/rule.yml - create mode 100644 linux_os/guide/system/accounts/accounts-banners/file_owner_etc_motd/rule.yml - -diff --git a/linux_os/guide/system/accounts/accounts-banners/file_groupowner_etc_motd/rule.yml b/linux_os/guide/system/accounts/accounts-banners/file_groupowner_etc_motd/rule.yml -new file mode 100644 -index 0000000000..21ff3fb62a ---- /dev/null -+++ b/linux_os/guide/system/accounts/accounts-banners/file_groupowner_etc_motd/rule.yml -@@ -0,0 +1,35 @@ -+documentation_complete: true -+ -+prodtype: fedora,ol7,ol8,rhel6,rhel7,rhel8,rhv4,wrlinux1019 -+ -+title: 'Verify group ownership of Message of the Day Banner' -+ -+description: |- -+ {{{ describe_file_group_owner(file="/etc/motd", group="root") }}} -+ -+rationale: |- -+ Display of a standardized and approved use notification before granting -+ access to the operating system ensures privacy and security notification -+ verbiage used is consistent with applicable federal laws, Executive Orders, -+ directives, policies, regulations, standards, and guidance.
-+ Proper group ownerhip will ensure that only root user can modify the banner. -+ -+severity: medium -+ -+identifiers: -+ cce@rhel7: 83727-8 -+ cce@rhel8: 83728-6 -+ -+references: -+ cis@rhel7: 1.7.1.4 -+ cis@rhel8: 1.8.1.4 -+ -+ocil_clause: '{{{ ocil_clause_file_group_owner(file="/etc/motd", group="root") }}}' -+ -+ocil: '{{{ ocil_file_group_owner(file="/etc/motd", group="root") }}}' -+ -+template: -+ name: file_groupowner -+ vars: -+ filepath: /etc/motd -+ filegid: '0' -diff --git a/linux_os/guide/system/accounts/accounts-banners/file_owner_etc_motd/rule.yml b/linux_os/guide/system/accounts/accounts-banners/file_owner_etc_motd/rule.yml -new file mode 100644 -index 0000000000..27fed965fb ---- /dev/null -+++ b/linux_os/guide/system/accounts/accounts-banners/file_owner_etc_motd/rule.yml -@@ -0,0 +1,35 @@ -+documentation_complete: true -+ -+prodtype: fedora,ol7,ol8,rhel6,rhel7,rhel8,rhv4,wrlinux1019 -+ -+title: 'Verify ownership of Message of the Day Banner' -+ -+description: |- -+ {{{ describe_file_owner(file="/etc/motd", owner="root") }}} -+ -+rationale: |- -+ Display of a standardized and approved use notification before granting -+ access to the operating system ensures privacy and security notification -+ verbiage used is consistent with applicable federal laws, Executive Orders, -+ directives, policies, regulations, standards, and guidance.
-+ Proper ownerhip will ensure that only root user can modify the banner. -+ -+severity: medium -+ -+identifiers: -+ cce@rhel7: 83737-7 -+ cce@rhel8: 83738-5 -+ -+references: -+ cis@rhel7: 1.7.1.4 -+ cis@rhel8: 1.8.1.4 -+ -+ocil_clause: '{{{ ocil_clause_file_owner(file="/etc/motd", owner="root") }}}' -+ -+ocil: '{{{ ocil_file_owner(file="/etc/motd", owner="root") }}}' -+ -+template: -+ name: file_owner -+ vars: -+ filepath: /etc/motd -+ fileuid: '0' -diff --git a/linux_os/guide/system/accounts/accounts-banners/file_permissions_etc_motd/rule.yml b/linux_os/guide/system/accounts/accounts-banners/file_permissions_etc_motd/rule.yml -index 6d81eb43d1..ca789dc6f8 100644 ---- a/linux_os/guide/system/accounts/accounts-banners/file_permissions_etc_motd/rule.yml -+++ b/linux_os/guide/system/accounts/accounts-banners/file_permissions_etc_motd/rule.yml -@@ -1,5 +1,7 @@ - documentation_complete: true - -+prodtype: fedora,ol7,ol8,rhel6,rhel7,rhel8,rhv4,wrlinux1019 -+ - title: 'Verify permissions on Message of the Day Banner' - - description: |- -diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt -index 565be50dcf..5986154a5a 100644 ---- a/shared/references/cce-redhat-avail.txt -+++ b/shared/references/cce-redhat-avail.txt -@@ -410,8 +410,6 @@ CCE-83723-7 - CCE-83724-5 - CCE-83725-2 - CCE-83726-0 --CCE-83727-8 --CCE-83728-6 - CCE-83729-4 - CCE-83730-2 - CCE-83731-0 -@@ -420,8 +418,6 @@ CCE-83733-6 - CCE-83734-4 - CCE-83735-1 - CCE-83736-9 --CCE-83737-7 --CCE-83738-5 - CCE-83739-3 - CCE-83740-1 - CCE-83741-9 - -From 3f0c74420e052b6ea18cef45896a48f24cd3c5df Mon Sep 17 00:00:00 2001 -From: Watson Yuuma Sato -Date: Tue, 24 Mar 2020 13:32:34 +0100 -Subject: [PATCH 3/4] Update - linux_os/guide/system/accounts/accounts-banners/file_groupowner_etc_motd/rule.yml -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Co-Authored-By: Jan Černý ---- - .../accounts/accounts-banners/file_groupowner_etc_motd/rule.yml | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/linux_os/guide/system/accounts/accounts-banners/file_groupowner_etc_motd/rule.yml b/linux_os/guide/system/accounts/accounts-banners/file_groupowner_etc_motd/rule.yml -index 21ff3fb62a..9cebc074dd 100644 ---- a/linux_os/guide/system/accounts/accounts-banners/file_groupowner_etc_motd/rule.yml -+++ b/linux_os/guide/system/accounts/accounts-banners/file_groupowner_etc_motd/rule.yml -@@ -12,7 +12,7 @@ rationale: |- - access to the operating system ensures privacy and security notification - verbiage used is consistent with applicable federal laws, Executive Orders, - directives, policies, regulations, standards, and guidance.
-- Proper group ownerhip will ensure that only root user can modify the banner. -+ Proper group ownership will ensure that only root user can modify the banner. - - severity: medium - - -From 3138bbcee2a997eb0c8f74eabdcac9f71944e191 Mon Sep 17 00:00:00 2001 -From: Watson Yuuma Sato -Date: Tue, 24 Mar 2020 13:33:40 +0100 -Subject: [PATCH 4/4] Fix typo in title of rule -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Co-Authored-By: Jan Černý ---- - .../accounts-banners/file_groupowner_etc_issue/rule.yml | 2 +- - .../accounts/accounts-banners/file_groupowner_etc_motd/rule.yml | 2 +- - .../accounts/accounts-banners/file_owner_etc_motd/rule.yml | 2 +- - 3 files changed, 3 insertions(+), 3 deletions(-) - -diff --git a/linux_os/guide/system/accounts/accounts-banners/file_groupowner_etc_issue/rule.yml b/linux_os/guide/system/accounts/accounts-banners/file_groupowner_etc_issue/rule.yml -index fe22c4ceda..6ff4e0a95a 100644 ---- a/linux_os/guide/system/accounts/accounts-banners/file_groupowner_etc_issue/rule.yml -+++ b/linux_os/guide/system/accounts/accounts-banners/file_groupowner_etc_issue/rule.yml -@@ -2,7 +2,7 @@ documentation_complete: true - - prodtype: fedora,ocp4,ol7,ol8,rhel6,rhel7,rhel8,rhv4,wrlinux1019 - --title: 'Verify group ownership of System Login Banner' -+title: 'Verify Group Ownership of System Login Banner' - - description: |- - {{{ describe_file_group_owner(file="/etc/issue", group="root") }}} -diff --git a/linux_os/guide/system/accounts/accounts-banners/file_groupowner_etc_motd/rule.yml b/linux_os/guide/system/accounts/accounts-banners/file_groupowner_etc_motd/rule.yml -index 9cebc074dd..8c66e997ac 100644 ---- a/linux_os/guide/system/accounts/accounts-banners/file_groupowner_etc_motd/rule.yml -+++ b/linux_os/guide/system/accounts/accounts-banners/file_groupowner_etc_motd/rule.yml -@@ -2,7 +2,7 @@ documentation_complete: true - - prodtype: fedora,ol7,ol8,rhel6,rhel7,rhel8,rhv4,wrlinux1019 - --title: 'Verify group ownership of Message of the Day Banner' -+title: 'Verify Group Ownership of Message of the Day Banner' - - description: |- - {{{ describe_file_group_owner(file="/etc/motd", group="root") }}} -diff --git a/linux_os/guide/system/accounts/accounts-banners/file_owner_etc_motd/rule.yml b/linux_os/guide/system/accounts/accounts-banners/file_owner_etc_motd/rule.yml -index 27fed965fb..8d963ae75d 100644 ---- a/linux_os/guide/system/accounts/accounts-banners/file_owner_etc_motd/rule.yml -+++ b/linux_os/guide/system/accounts/accounts-banners/file_owner_etc_motd/rule.yml -@@ -12,7 +12,7 @@ rationale: |- - access to the operating system ensures privacy and security notification - verbiage used is consistent with applicable federal laws, Executive Orders, - directives, policies, regulations, standards, and guidance.
-- Proper ownerhip will ensure that only root user can modify the banner. -+ Proper ownership will ensure that only root user can modify the banner. - - severity: medium - diff --git a/SOURCES/scap-security-guide-0.1.50-chrony_references_PR_5331.patch b/SOURCES/scap-security-guide-0.1.50-chrony_references_PR_5331.patch deleted file mode 100644 index 714012c..0000000 --- a/SOURCES/scap-security-guide-0.1.50-chrony_references_PR_5331.patch +++ /dev/null @@ -1,188 +0,0 @@ -From c55c92fba234846412ae8d5947aee6bfeb3ca924 Mon Sep 17 00:00:00 2001 -From: Watson Sato -Date: Fri, 20 Mar 2020 11:50:25 +0100 -Subject: [PATCH 1/4] Remove sshd_enable_x11_forwarding - ---- - rhel7/profiles/cis.profile | 1 - - 1 file changed, 1 deletion(-) - -diff --git a/rhel7/profiles/cis.profile b/rhel7/profiles/cis.profile -index 486fcf9a33..53d3819822 100644 ---- a/rhel7/profiles/cis.profile -+++ b/rhel7/profiles/cis.profile -@@ -558,7 +558,6 @@ selections: - - sshd_set_loglevel_info - - ### 5.2.4 Ensure SSH X11 forwarding is disabled (Scored) -- - sshd_enable_x11_forwarding - - ### 5.2.5 Ensure SSH MaxAuthTries is set to 4 or less (Scored) - - sshd_set_max_auth_tries - -From 9a719c47408b9b5aa980cd37affbff9180f253e0 Mon Sep 17 00:00:00 2001 -From: Watson Sato -Date: Mon, 23 Mar 2020 15:00:23 +0100 -Subject: [PATCH 2/4] Add a few more selections to rhel7 profile - -- Rule for libselinux installed -- Rule for service tftp disabled -- Rule for kernel module RDS disabled ---- - rhel7/profiles/cis.profile | 3 +++ - 1 file changed, 3 insertions(+) - -diff --git a/rhel7/profiles/cis.profile b/rhel7/profiles/cis.profile -index 53d3819822..a9c78dc140 100644 ---- a/rhel7/profiles/cis.profile -+++ b/rhel7/profiles/cis.profile -@@ -172,6 +172,7 @@ selections: - - selinux_confinement_of_daemons - - ### 1.6.2 Ensure SELinux is installed (Scored) -+ - package_libselinux_installed - - ## 1.7 Warning Banners - #### 1.7.1.1 Ensure message of the day is configured properly (Scored) -@@ -205,6 +206,7 @@ selections: - ### 2.1.4 Ensure echo services are not enabled (Scored) - ### 2.1.5 Ensure time services are not enabled (Scored) - ### 2.1.6 Ensure tftp server is not enabled (Scored) -+ - service_tftp_disabled - - ### 2.1.7 Ensure xinetd is not enabled (Scored) - - service_xinetd_disabled -@@ -363,6 +365,7 @@ selections: - - kernel_module_sctp_disabled - - ### 3.5.3 Ensure RDS is disabled (Not Scored) -+ - kernel_module_rds_disabled - - ### 3.5.4 Ensure TIPC is disabled (Not Scored) - - kernel_module_tipc_disabled - -From 1aaf4f300eb2304c81b962dfaab4dc475a1041ee Mon Sep 17 00:00:00 2001 -From: Watson Sato -Date: Mon, 23 Mar 2020 15:16:48 +0100 -Subject: [PATCH 3/4] Select rule for Chrony and fix rhel7 references - ---- - .../guide/services/ntp/chronyd_run_as_chrony_user/rule.yml | 2 +- - .../services/ntp/chronyd_specify_remote_server/rule.yml | 1 + - .../guide/services/ntp/package_chrony_installed/rule.yml | 1 + - linux_os/guide/services/ntp/service_chronyd_enabled/rule.yml | 1 + - rhel7/profiles/cis.profile | 5 ++++- - 5 files changed, 8 insertions(+), 2 deletions(-) - -diff --git a/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/rule.yml b/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/rule.yml -index cd641ce0cb..2e5596b972 100644 ---- a/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/rule.yml -+++ b/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/rule.yml -@@ -24,7 +24,7 @@ severity: medium - platform: chrony - - references: -- cis@rhel7: 2.2.1.2 -+ cis@rhel7: 2.2.1.3 - cis@rhel8: 2.2.1.2 - - identifiers: -diff --git a/linux_os/guide/services/ntp/chronyd_specify_remote_server/rule.yml b/linux_os/guide/services/ntp/chronyd_specify_remote_server/rule.yml -index bc8815b068..ea4c955c8e 100644 ---- a/linux_os/guide/services/ntp/chronyd_specify_remote_server/rule.yml -+++ b/linux_os/guide/services/ntp/chronyd_specify_remote_server/rule.yml -@@ -25,6 +25,7 @@ identifiers: - cce@rhel8: 82873-1 - - references: -+ cis@rhel7: 2.2.1.3 - cis@rhel8: 2.2.1.2 - - ocil_clause: 'a remote time server is not configured' -diff --git a/linux_os/guide/services/ntp/package_chrony_installed/rule.yml b/linux_os/guide/services/ntp/package_chrony_installed/rule.yml -index 2549f48b71..f6dc1f427f 100644 ---- a/linux_os/guide/services/ntp/package_chrony_installed/rule.yml -+++ b/linux_os/guide/services/ntp/package_chrony_installed/rule.yml -@@ -21,6 +21,7 @@ identifiers: - cce@rhel8: 82874-9 - - references: -+ cis@rhel7: 2.2.1.1 - cis@rhel8: 2.2.1.1 - - {{{ complete_ocil_entry_package(package="chrony") }}} -diff --git a/linux_os/guide/services/ntp/service_chronyd_enabled/rule.yml b/linux_os/guide/services/ntp/service_chronyd_enabled/rule.yml -index 7b3a0a2a13..94269dfd54 100644 ---- a/linux_os/guide/services/ntp/service_chronyd_enabled/rule.yml -+++ b/linux_os/guide/services/ntp/service_chronyd_enabled/rule.yml -@@ -24,6 +24,7 @@ identifiers: - cce@rhel8: 82875-6 - - references: -+ cis@rhel7: 2.2.1.3 - cis@rhel8: 2.2.1.2 - - ocil_clause: 'the chronyd process is not running' -diff --git a/rhel7/profiles/cis.profile b/rhel7/profiles/cis.profile -index a9c78dc140..108a728bbf 100644 ---- a/rhel7/profiles/cis.profile -+++ b/rhel7/profiles/cis.profile -@@ -213,13 +213,16 @@ selections: - - ## 2.2 Special Purpose Services - #### 2.2.1.1 Ensure time synchronization is in use (Not Scored) -- - service_chronyd_or_ntpd_enabled -+ - package_chrony_installed - - #### 2.2.1.2 Ensure ntp is configured (Scored) - # restrict is not checkec by rules below - - chronyd_or_ntpd_specify_remote_server - - #### 2.2.1.3 Ensure chrony is configured (Scored) -+ - service_chronyd_enabled -+ - chronyd_specify_remote_server -+ - chronyd_run_as_chrony_user - - ### 2.2.2 Ensure X Window System is not installed (Scored) - - package_xorg-x11-server-common_removed - -From 54150d23a06043fdd11af3fd8be9e0c4845e6c55 Mon Sep 17 00:00:00 2001 -From: Watson Sato -Date: Mon, 23 Mar 2020 15:17:16 +0100 -Subject: [PATCH 4/4] Select rules for backup account files - -Select rules to check permissions and owner of important backup account -files. ---- - rhel7/profiles/cis.profile | 15 +++++++++++++++ - 1 file changed, 15 insertions(+) - -diff --git a/rhel7/profiles/cis.profile b/rhel7/profiles/cis.profile -index 108a728bbf..0fc919950f 100644 ---- a/rhel7/profiles/cis.profile -+++ b/rhel7/profiles/cis.profile -@@ -689,9 +689,24 @@ selections: - - file_permissions_etc_gshadow - - ### 6.1.6 Ensure permissions on /etc/passwd- are configured (Scored) -+ - file_owner_backup_etc_passwd -+ - file_groupowner_backup_etc_passwd -+ - file_permissions_backup_etc_passwd -+ - ### 6.1.7 Ensure permissions on /etc/shadow- are configured (Scored) -+ - file_owner_backup_etc_shadow -+ - file_groupowner_backup_etc_shadow -+ - file_permissions_backup_etc_shadow -+ - ### 6.1.8 Ensure permissions on /etc/group- are configured (Scored) -+ - file_owner_backup_etc_group -+ - file_groupowner_backup_etc_group -+ - file_permissions_backup_etc_group -+ - ### 6.1.9 Ensure permissions on /etc/gshadow- are configured (Scored) -+ - file_owner_backup_etc_gshadow -+ - file_groupowner_backup_etc_gshadow -+ - file_permissions_backup_etc_gshadow - - ### 6.1.10 Ensure no world writable files exist (Scored) - - file_permissions_unauthorized_world_writable diff --git a/SOURCES/scap-security-guide-0.1.50-drop_configure_etc_hosts_deny_remediation_PR_5652.patch b/SOURCES/scap-security-guide-0.1.50-drop_configure_etc_hosts_deny_remediation_PR_5652.patch deleted file mode 100644 index 965ca97..0000000 --- a/SOURCES/scap-security-guide-0.1.50-drop_configure_etc_hosts_deny_remediation_PR_5652.patch +++ /dev/null @@ -1,125 +0,0 @@ -From 74dfdeffe59ed7ed1e31151df3fefe98f1dc8876 Mon Sep 17 00:00:00 2001 -From: Vojtech Polasek -Date: Tue, 21 Apr 2020 15:41:27 +0200 -Subject: [PATCH 1/3] remove remediations, add warning - ---- - .../configure_etc_hosts_deny/ansible/shared.yml | 7 ------- - .../configure_etc_hosts_deny/bash/shared.sh | 3 --- - .../configure_etc_hosts_deny/rule.yml | 12 ++++++++++++ - 3 files changed, 12 insertions(+), 10 deletions(-) - delete mode 100644 linux_os/guide/services/obsolete/inetd_and_xinetd/configure_etc_hosts_deny/ansible/shared.yml - delete mode 100644 linux_os/guide/services/obsolete/inetd_and_xinetd/configure_etc_hosts_deny/bash/shared.sh - -diff --git a/linux_os/guide/services/obsolete/inetd_and_xinetd/configure_etc_hosts_deny/ansible/shared.yml b/linux_os/guide/services/obsolete/inetd_and_xinetd/configure_etc_hosts_deny/ansible/shared.yml -deleted file mode 100644 -index 480bde9f80..0000000000 ---- a/linux_os/guide/services/obsolete/inetd_and_xinetd/configure_etc_hosts_deny/ansible/shared.yml -+++ /dev/null -@@ -1,7 +0,0 @@ --# platform = Red Hat Enterprise Linux 7,Oracle Linux 7 --# reboot = false --# strategy = restrict --# complexity = low --# disruption = medium -- --{{{ ansible_lineinfile(msg='', path='/etc/hosts.deny', regex='', new_line='ALL: ALL', create='true', state='present') }}} -diff --git a/linux_os/guide/services/obsolete/inetd_and_xinetd/configure_etc_hosts_deny/bash/shared.sh b/linux_os/guide/services/obsolete/inetd_and_xinetd/configure_etc_hosts_deny/bash/shared.sh -deleted file mode 100644 -index e1def7a9ab..0000000000 ---- a/linux_os/guide/services/obsolete/inetd_and_xinetd/configure_etc_hosts_deny/bash/shared.sh -+++ /dev/null -@@ -1,3 +0,0 @@ --# platform = Red Hat Enterprise Linux 7,Oracle Linux 7 -- --{{{ set_config_file(path="/etc/hosts.deny", parameter="ALL:", value="ALL", create=true, insert_after="EOF", insert_before="", insensitive=true, separator=" ", separator_regex="\s\+", prefix_regex="^\s*") }}} -diff --git a/linux_os/guide/services/obsolete/inetd_and_xinetd/configure_etc_hosts_deny/rule.yml b/linux_os/guide/services/obsolete/inetd_and_xinetd/configure_etc_hosts_deny/rule.yml -index ec53cc799f..fb3143d24b 100644 ---- a/linux_os/guide/services/obsolete/inetd_and_xinetd/configure_etc_hosts_deny/rule.yml -+++ b/linux_os/guide/services/obsolete/inetd_and_xinetd/configure_etc_hosts_deny/rule.yml -@@ -10,6 +10,10 @@ description: |- - The following line in the file ensures that access to services supporting this mechanism is denied to any clients - not mentioned in /etc/hosts.allow: -
ALL: ALL
-+ It is advised to inspect available network services which might be affected by modification of file mentioned above prior to performing the remediation of this rule. -+ If there exist services which might be affected and access to them should not be blocked, -+ modify the /etc/hosts.deny file appropriately before performing the remediation. -+ - - rationale: |- - Correct configuration in /etc/hosts.deny ensures that no explicitly mentioned clients will be able to connect to services supporting this access control mechanism. -@@ -29,3 +33,11 @@ ocil: |- -
cat /etc/hosts.deny
- Verify that the output contains the following line: -
ALL: ALL
-+ -+warnings: -+ - management: |- -+ enabling this rule affects all connections to serviceswhich honor /etc/hosts.allow and /etc/hosts.deny files. -+ Connections to such servicesfrom any hosts which are not explicitly mentioned in /etc/hosts.allow will be rejected. -+ As the /etc/hosts.allow file is often left empty, there is a chance that remediation of this rule might prevent the system from accepting SSH connections and therefore limiting management access. -+ Therefore, this rule will not be remediated automatically. For information about manual process -+ of remediation see the rule description. - -From 3622b07d64f6a923143b0b5d34aa6b19571f3889 Mon Sep 17 00:00:00 2001 -From: Vojtech Polasek -Date: Wed, 22 Apr 2020 12:42:20 +0200 -Subject: [PATCH 2/3] fix wording - ---- - .../configure_etc_hosts_deny/rule.yml | 14 +++++++------- - 1 file changed, 7 insertions(+), 7 deletions(-) - -diff --git a/linux_os/guide/services/obsolete/inetd_and_xinetd/configure_etc_hosts_deny/rule.yml b/linux_os/guide/services/obsolete/inetd_and_xinetd/configure_etc_hosts_deny/rule.yml -index fb3143d24b..effed82fd8 100644 ---- a/linux_os/guide/services/obsolete/inetd_and_xinetd/configure_etc_hosts_deny/rule.yml -+++ b/linux_os/guide/services/obsolete/inetd_and_xinetd/configure_etc_hosts_deny/rule.yml -@@ -12,7 +12,7 @@ description: |- -
ALL: ALL
- It is advised to inspect available network services which might be affected by modification of file mentioned above prior to performing the remediation of this rule. - If there exist services which might be affected and access to them should not be blocked, -- modify the /etc/hosts.deny file appropriately before performing the remediation. -+ modify the /etc/hosts.allow file appropriately before performing the remediation. - - - rationale: |- -@@ -35,9 +35,9 @@ ocil: |- -
ALL: ALL
- - warnings: -- - management: |- -- enabling this rule affects all connections to serviceswhich honor /etc/hosts.allow and /etc/hosts.deny files. -- Connections to such servicesfrom any hosts which are not explicitly mentioned in /etc/hosts.allow will be rejected. -- As the /etc/hosts.allow file is often left empty, there is a chance that remediation of this rule might prevent the system from accepting SSH connections and therefore limiting management access. -- Therefore, this rule will not be remediated automatically. For information about manual process -- of remediation see the rule description. -+ - functionality: |- -+ This rule affects all access to serviceswhich honor /etc/hosts.allow and /etc/hosts.deny files. -+ Connections to services originating from hosts not explicitly mentioned in /etc/hosts.allow will be rejected. -+ As the /etc/hosts.allow is empty by default, make sure it is appropriately configured before applying remediation for this rule. -+ To avoid locking down all network access to the system, this rule doesn't perform automated remediation. -+ For information about manual process of remediation see the rule description. - -From 4f98610b8366c55c9e212a2cd6feeb2b4002c111 Mon Sep 17 00:00:00 2001 -From: Vojtech Polasek -Date: Fri, 24 Apr 2020 11:48:57 +0200 -Subject: [PATCH 3/3] fix wording - ---- - .../inetd_and_xinetd/configure_etc_hosts_deny/rule.yml | 3 +-- - 1 file changed, 1 insertion(+), 2 deletions(-) - -diff --git a/linux_os/guide/services/obsolete/inetd_and_xinetd/configure_etc_hosts_deny/rule.yml b/linux_os/guide/services/obsolete/inetd_and_xinetd/configure_etc_hosts_deny/rule.yml -index effed82fd8..f2fc86748f 100644 ---- a/linux_os/guide/services/obsolete/inetd_and_xinetd/configure_etc_hosts_deny/rule.yml -+++ b/linux_os/guide/services/obsolete/inetd_and_xinetd/configure_etc_hosts_deny/rule.yml -@@ -36,8 +36,7 @@ ocil: |- - - warnings: - - functionality: |- -- This rule affects all access to serviceswhich honor /etc/hosts.allow and /etc/hosts.deny files. -+ This rule affects all access to services which honor /etc/hosts.allow and /etc/hosts.deny files. - Connections to services originating from hosts not explicitly mentioned in /etc/hosts.allow will be rejected. -- As the /etc/hosts.allow is empty by default, make sure it is appropriately configured before applying remediation for this rule. - To avoid locking down all network access to the system, this rule doesn't perform automated remediation. - For information about manual process of remediation see the rule description. diff --git a/SOURCES/scap-security-guide-0.1.50-fix_ansible_macro_watch_rule_PR_5716.patch b/SOURCES/scap-security-guide-0.1.50-fix_ansible_macro_watch_rule_PR_5716.patch deleted file mode 100644 index 9039671..0000000 --- a/SOURCES/scap-security-guide-0.1.50-fix_ansible_macro_watch_rule_PR_5716.patch +++ /dev/null @@ -1,39 +0,0 @@ -From b87b0e68c3c0cfb9439f8b9b5bb1c553d1a53de0 Mon Sep 17 00:00:00 2001 -From: Vojtech Polasek -Date: Tue, 28 Apr 2020 17:10:25 +0200 -Subject: [PATCH] fix regex and remove recurse from tasks - ---- - shared/macros-ansible.jinja | 5 ++--- - 1 file changed, 2 insertions(+), 3 deletions(-) - -diff --git a/shared/macros-ansible.jinja b/shared/macros-ansible.jinja -index 884b562ae4..92ee35e08c 100644 ---- a/shared/macros-ansible.jinja -+++ b/shared/macros-ansible.jinja -@@ -277,6 +277,7 @@ regex_replace("\(n\)\*", "\\n") - {{% macro ansible_deregexify_banner_backslash() -%}} - regex_replace("\\", "") - {{%- endmacro %}} -+ - {{# - The following macro remediates one audit watch rule in /etc/audit/rules.d directory. - The macro requires following parameters: -@@ -289,7 +290,6 @@ in some file within /etc/audit/rules.d/, the new rule will be appended to this f - - name: Check if watch rule for {{{ path }}} already exists in /etc/audit/rules.d/ - find: - paths: "/etc/audit/rules.d" -- recurse: no - contains: '^\s*-w\s+{{{ path }}}\s+-p\s+{{{ permissions }}}(\s|$)+' - patterns: "*.rules" - register: find_existing_watch_rules_d -@@ -297,8 +297,7 @@ in some file within /etc/audit/rules.d/, the new rule will be appended to this f - - name: Search /etc/audit/rules.d for other rules with specified key {{{ key }}} - find: - paths: "/etc/audit/rules.d" -- recurse: no -- contains: "^.*(-F key=)(|-k ){{{ key }}}$" -+ contains: '^.*(?:-F key=|-k\s+){{{ key }}}$' - patterns: "*.rules" - register: find_watch_key - when: find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0 diff --git a/SOURCES/scap-security-guide-0.1.50-fix_ansible_postfix_listening_PR_5353.patch b/SOURCES/scap-security-guide-0.1.50-fix_ansible_postfix_listening_PR_5353.patch deleted file mode 100644 index 20659eb..0000000 --- a/SOURCES/scap-security-guide-0.1.50-fix_ansible_postfix_listening_PR_5353.patch +++ /dev/null @@ -1,23 +0,0 @@ -From 450492b27e3e77ca271a08cd14e4a03f1535c722 Mon Sep 17 00:00:00 2001 -From: Vojtech Polasek -Date: Fri, 27 Mar 2020 10:46:07 +0100 -Subject: [PATCH] ansible remediation checks for package presence - ---- - .../postfix_network_listening_disabled/ansible/shared.yml | 6 +++++- - 1 file changed, 5 insertions(+), 1 deletion(-) - -diff --git a/linux_os/guide/services/mail/postfix_client/postfix_network_listening_disabled/ansible/shared.yml b/linux_os/guide/services/mail/postfix_client/postfix_network_listening_disabled/ansible/shared.yml -index 18936b5fb3..f3d2af7614 100644 ---- a/linux_os/guide/services/mail/postfix_client/postfix_network_listening_disabled/ansible/shared.yml -+++ b/linux_os/guide/services/mail/postfix_client/postfix_network_listening_disabled/ansible/shared.yml -@@ -5,4 +5,8 @@ - # disruption = low - - (xccdf-var var_postfix_inet_interfaces) - --{{{ ansible_lineinfile(msg='Ensure mail transfer agent is configured for local-only mode', path='/etc/postfix/main.cf', regex='^inet_interfaces\s*=\s.*', new_line='inet_interfaces = {{ var_postfix_inet_interfaces }}', create='no', state='present', insert_after='^inet_interfaces\s*=\s.*') }}} -+- name: "Gather list of packages" -+ package_facts: -+ manager: auto -+ -+{{{ ansible_lineinfile(msg='Make changes to Postfix configuration file', path='/etc/postfix/main.cf', regex='^inet_interfaces\s*=\s.*', new_line='inet_interfaces = {{ var_postfix_inet_interfaces }}', create='no', state='present', insert_after='^inet_interfaces\s*=\s.*', when='"postfix" in ansible_facts.packages') }}} diff --git a/SOURCES/scap-security-guide-0.1.50-fix_ansible_template_mount_options_PR_5752.patch b/SOURCES/scap-security-guide-0.1.50-fix_ansible_template_mount_options_PR_5752.patch deleted file mode 100644 index 275dced..0000000 --- a/SOURCES/scap-security-guide-0.1.50-fix_ansible_template_mount_options_PR_5752.patch +++ /dev/null @@ -1,208 +0,0 @@ -From fa3e18fa8b1939b5173a889d2d6e696c67a49b56 Mon Sep 17 00:00:00 2001 -From: Watson Sato -Date: Mon, 11 May 2020 17:44:32 +0200 -Subject: [PATCH 1/6] Do not duplicate mount point options - -The Ansible remediation for mount options was always adding the option. ---- - shared/templates/template_ANSIBLE_mount_option | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/shared/templates/template_ANSIBLE_mount_option b/shared/templates/template_ANSIBLE_mount_option -index cfb55859ac..08fa14208f 100644 ---- a/shared/templates/template_ANSIBLE_mount_option -+++ b/shared/templates/template_ANSIBLE_mount_option -@@ -27,5 +27,6 @@ - state: "mounted" - fstype: "{{ mount_info.fstype }}" - when: -+ - mount_info is defined and "{{{ MOUNTOPTION }}}" not in mount_info.options - - device_name.stdout is defined - - (device_name.stdout | length > 0) - -From 67f899077d542dbeb57b1772d6f86b029e0be066 Mon Sep 17 00:00:00 2001 -From: Watson Sato -Date: Mon, 11 May 2020 17:46:23 +0200 -Subject: [PATCH 2/6] Keep any already defined mount options - -When mount doesn't need to exist to remediate, check whether mtab sets -the mountpoint and extend any already configured option. ---- - shared/templates/template_ANSIBLE_mount_option | 10 ++++++++++ - 1 file changed, 10 insertions(+) - -diff --git a/shared/templates/template_ANSIBLE_mount_option b/shared/templates/template_ANSIBLE_mount_option -index 08fa14208f..aa5b5e2f8d 100644 ---- a/shared/templates/template_ANSIBLE_mount_option -+++ b/shared/templates/template_ANSIBLE_mount_option -@@ -9,6 +9,16 @@ - failed_when: device_name.rc > 1 - changed_when: False - -+{{% if MOUNT_HAS_TO_EXIST == "no" %}} -+- name: Check mtab information associated to mountpoint -+ command: findmnt --mtab '{{{ MOUNTPOINT }}}' -+ register: device_name -+ failed_when: device_name.rc > 1 -+ changed_when: False -+ when: -+ - device_name.stdout is defined and device_name.stdout == "" -+{{% endif %}} -+ - - name: create mount_info dictionary variable - set_fact: - mount_info: "{{ mount_info|default({})|combine({item.0: item.1}) }}" - -From 035d388383195637c79a2d47f3f100753a96c43f Mon Sep 17 00:00:00 2001 -From: Watson Sato -Date: Mon, 11 May 2020 17:50:49 +0200 -Subject: [PATCH 3/6] Fix task naming in Ansible mount option template - ---- - shared/templates/template_ANSIBLE_mount_option | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/shared/templates/template_ANSIBLE_mount_option b/shared/templates/template_ANSIBLE_mount_option -index aa5b5e2f8d..7452dfbc05 100644 ---- a/shared/templates/template_ANSIBLE_mount_option -+++ b/shared/templates/template_ANSIBLE_mount_option -@@ -3,7 +3,7 @@ - # strategy = configure - # complexity = low - # disruption = high --- name: get back mount information associated to mountpoint -+- name: Check fstab information associated to mountpoint - command: findmnt --fstab '{{{ MOUNTPOINT }}}' - register: device_name - failed_when: device_name.rc > 1 -@@ -19,7 +19,7 @@ - - device_name.stdout is defined and device_name.stdout == "" - {{% endif %}} - --- name: create mount_info dictionary variable -+- name: Create mount_info dictionary variable - set_fact: - mount_info: "{{ mount_info|default({})|combine({item.0: item.1}) }}" - with_together: - -From 3c302161bc0aaa6dfb765e7e9abf40aff90c42ce Mon Sep 17 00:00:00 2001 -From: Watson Sato -Date: Mon, 11 May 2020 18:04:05 +0200 -Subject: [PATCH 4/6] Add tests for mount option noexed in /dev/shm - -Tests added: -- No entry in fstab -- Entry in fstab without options -- Tests profile metadata fixed, they don't need to be tested using a - specific profile. ---- - .../mount_option_dev_shm_noexec/tests/entry_in_fstab.fail.sh | 3 +++ - .../tests/multiple_entries_in_mtab.fail.sh | 1 - - .../tests/no_entry_in_fstab.fail.sh | 4 ++++ - 3 files changed, 7 insertions(+), 1 deletion(-) - create mode 100644 linux_os/guide/system/permissions/partitions/mount_option_dev_shm_noexec/tests/entry_in_fstab.fail.sh - create mode 100644 linux_os/guide/system/permissions/partitions/mount_option_dev_shm_noexec/tests/no_entry_in_fstab.fail.sh - -diff --git a/linux_os/guide/system/permissions/partitions/mount_option_dev_shm_noexec/tests/entry_in_fstab.fail.sh b/linux_os/guide/system/permissions/partitions/mount_option_dev_shm_noexec/tests/entry_in_fstab.fail.sh -new file mode 100644 -index 0000000000..515d690e1f ---- /dev/null -+++ b/linux_os/guide/system/permissions/partitions/mount_option_dev_shm_noexec/tests/entry_in_fstab.fail.sh -@@ -0,0 +1,3 @@ -+#!/bin/bash -+ -+echo "tmpfs /dev/shm tmpfs rw,seclabel,nodev,nosuid 0 0" >> /etc/fstab -diff --git a/linux_os/guide/system/permissions/partitions/mount_option_dev_shm_noexec/tests/multiple_entries_in_mtab.fail.sh b/linux_os/guide/system/permissions/partitions/mount_option_dev_shm_noexec/tests/multiple_entries_in_mtab.fail.sh -index dd56f9bb6c..d7721b791d 100644 ---- a/linux_os/guide/system/permissions/partitions/mount_option_dev_shm_noexec/tests/multiple_entries_in_mtab.fail.sh -+++ b/linux_os/guide/system/permissions/partitions/mount_option_dev_shm_noexec/tests/multiple_entries_in_mtab.fail.sh -@@ -1,5 +1,4 @@ - #!/bin/bash --# profiles = xccdf_org.ssgproject.content_profile_ospp - - cat /etc/mtab > /etc/mtab.old - # destroy symlink -diff --git a/linux_os/guide/system/permissions/partitions/mount_option_dev_shm_noexec/tests/no_entry_in_fstab.fail.sh b/linux_os/guide/system/permissions/partitions/mount_option_dev_shm_noexec/tests/no_entry_in_fstab.fail.sh -new file mode 100644 -index 0000000000..f484a3614c ---- /dev/null -+++ b/linux_os/guide/system/permissions/partitions/mount_option_dev_shm_noexec/tests/no_entry_in_fstab.fail.sh -@@ -0,0 +1,4 @@ -+#!/bin/bash -+ -+# make sure there is no entry for /dev/shm -+sed -i '/\/dev\/shm/d' /etc/fstab - -From f74beb900a0cf0d40bc1b85d518f8f7bf27f8d76 Mon Sep 17 00:00:00 2001 -From: Watson Sato -Date: Tue, 12 May 2020 12:06:53 +0200 -Subject: [PATCH 5/6] Update mount_option template documentation - -Now the 'mount_has_to_exist' parameter is used in Ansible remediations. -As 'mount_has_to_exist=no' is only used for /dev/shm rules, the Ansible -remediation will add options based on existing ones consulting -/etc/mtab. ---- - docs/manual/developer_guide.adoc | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/docs/manual/developer_guide.adoc b/docs/manual/developer_guide.adoc -index 9d73e870f9..74fc869c51 100644 ---- a/docs/manual/developer_guide.adoc -+++ b/docs/manual/developer_guide.adoc -@@ -1574,7 +1574,7 @@ mount_option:: - ** *mountoption* - mount option, eg. `nosuid` - ** *filesystem* - filesystem in `/etc/fstab`, eg. `tmpfs`. Used only in Bash remediation. - ** *type* - filesystem type. Used only in Bash remediation. --** *mount_has_to_exist* - Used only in Bash remediation. Specifies if the *mountpoint* entry has to exist in `/etc/fstab` before the remediation is executed. If set to `yes` and the *mountpoint* entry is not present in `/etc/fstab` the Bash remediation terminates. If set to `no` the *mountpoint* entry will be created in `/etc/fstab`. -+** *mount_has_to_exist* - Specifies if the *mountpoint* entry has to exist in `/etc/fstab` before the remediation is executed. If set to `yes` and the *mountpoint* entry is not present in `/etc/fstab` the Bash remediation terminates. If set to `no` the *mountpoint* entry will be created in `/etc/fstab`. - * Languages: Anaconda, Ansible, Bash, OVAL - - mount_option_remote_filesystems:: - -From 5abea4f5773d5099e57d1645f1565c5afeadf426 Mon Sep 17 00:00:00 2001 -From: Watson Sato -Date: Tue, 12 May 2020 12:51:23 +0200 -Subject: [PATCH 6/6] Check all tabfiles when entry in fstab can be created by - Ansible - -Skipped tasks still register facts! Instead of executing a task based on -results of fstab mounts, lets just change the actual task to check all -tab files. ---- - shared/templates/template_ANSIBLE_mount_option | 17 +++++++---------- - 1 file changed, 7 insertions(+), 10 deletions(-) - -diff --git a/shared/templates/template_ANSIBLE_mount_option b/shared/templates/template_ANSIBLE_mount_option -index 7452dfbc05..95bede25f9 100644 ---- a/shared/templates/template_ANSIBLE_mount_option -+++ b/shared/templates/template_ANSIBLE_mount_option -@@ -3,21 +3,18 @@ - # strategy = configure - # complexity = low - # disruption = high --- name: Check fstab information associated to mountpoint -- command: findmnt --fstab '{{{ MOUNTPOINT }}}' -- register: device_name -- failed_when: device_name.rc > 1 -- changed_when: False - - {{% if MOUNT_HAS_TO_EXIST == "no" %}} --- name: Check mtab information associated to mountpoint -- command: findmnt --mtab '{{{ MOUNTPOINT }}}' -+ {{% set TABFILE="" %}} -+{{% else %}} -+ {{% set TABFILE="--fstab" %}} -+{{% endif %}} -+ -+- name: Check information associated to mountpoint -+ command: findmnt {{{ TABFILE }}} '{{{ MOUNTPOINT }}}' - register: device_name - failed_when: device_name.rc > 1 - changed_when: False -- when: -- - device_name.stdout is defined and device_name.stdout == "" --{{% endif %}} - - - name: Create mount_info dictionary variable - set_fact: diff --git a/SOURCES/scap-security-guide-0.1.50-fix_audit_privileged_commands_test_metadata_PR_5739.patch b/SOURCES/scap-security-guide-0.1.50-fix_audit_privileged_commands_test_metadata_PR_5739.patch deleted file mode 100644 index 23ea605..0000000 --- a/SOURCES/scap-security-guide-0.1.50-fix_audit_privileged_commands_test_metadata_PR_5739.patch +++ /dev/null @@ -1,21 +0,0 @@ -From 76309b336d0b7837a12bea6546e44cecde3eede4 Mon Sep 17 00:00:00 2001 -From: Gabriel Becker -Date: Tue, 5 May 2020 15:34:54 +0200 -Subject: [PATCH] Remove outdated OSPP metadata from test scenario for - audit_rules_privileged_commands. - ---- - .../tests/augenrules_duplicated.fail.sh | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/augenrules_duplicated.fail.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/augenrules_duplicated.fail.sh -index c01b95aa9e..429cbe67be 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/augenrules_duplicated.fail.sh -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/augenrules_duplicated.fail.sh -@@ -1,5 +1,5 @@ - #!/bin/bash --# profiles = xccdf_org.ssgproject.content_profile_ospp,xccdf_org.ssgproject.content_profile_pci-dss -+# profiles = xccdf_org.ssgproject.content_profile_pci-dss - # Remediation for this rule cannot remove the duplicates - # remediation = none - # platform = Fedora,Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8 diff --git a/SOURCES/scap-security-guide-0.1.50-fix_audit_rules_privileged_commands.patch b/SOURCES/scap-security-guide-0.1.50-fix_audit_rules_privileged_commands.patch deleted file mode 100644 index 050b304..0000000 --- a/SOURCES/scap-security-guide-0.1.50-fix_audit_rules_privileged_commands.patch +++ /dev/null @@ -1,304 +0,0 @@ -From e0a51fa56dbdf13392b9e7730fbb8caf58f6a4cc Mon Sep 17 00:00:00 2001 -From: Vojtech Polasek -Date: Fri, 3 Apr 2020 14:29:17 +0200 -Subject: [PATCH] Fix regex in remediation - -Binaries with common prefix (sudo vs sudoedit) were not handled properly -Force ordering of account and audit group -Rename rhel7 tests and make them applicable for rhel8 too -Add regression tests -Explain and make reordering pretty ---- - ...ctl_default.fail.sh => auditctl_default.fail.sh} | 2 +- - ...g_rule.fail.sh => auditctl_missing_rule.fail.sh} | 2 +- - ...l_one_rule.fail.sh => auditctl_one_rule.fail.sh} | 4 ++-- - ...ed.pass.sh => auditctl_rules_configured.pass.sh} | 2 +- - ...s_default.fail.sh => augenrules_default.fail.sh} | 2 +- - ...icated.fail.sh => augenrules_duplicated.fail.sh} | 2 +- - ...rule.fail.sh => augenrules_missing_rule.fail.sh} | 2 +- - .../tests/augenrules_one_rule.fail.sh | 7 +++++++ - ....pass.sh => augenrules_rules_configured.pass.sh} | 2 +- - ... augenrules_rules_configured_mixed_keys.pass.sh} | 2 +- - ...l.sh => augenrules_two_rules_mixed_keys.fail.sh} | 2 +- - ...il.sh => augenrules_two_rules_sep_files.fail.sh} | 2 +- - .../tests/rhel7_augenrules_one_rule.fail.sh | 7 ------- - ...h_own_key.pass.sh => rules_with_own_key.pass.sh} | 2 +- - ...m_audit_rules_privileged_commands_remediation.sh | 2 +- - ssg/build_yaml.py | 13 +++++++++++-- - 16 files changed, 32 insertions(+), 23 deletions(-) - rename linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/{rhel7_auditctl_default.fail.sh => auditctl_default.fail.sh} (74%) - rename linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/{rhel7_auditctl_missing_rule.fail.sh => auditctl_missing_rule.fail.sh} (82%) - rename linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/{rhel7_auditctl_one_rule.fail.sh => auditctl_one_rule.fail.sh} (50%) - rename linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/{rhel7_auditctl_rules_configured.pass.sh => auditctl_rules_configured.pass.sh} (80%) - rename linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/{rhel7_augenrules_default.fail.sh => augenrules_default.fail.sh} (63%) - rename linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/{rhel7_augenrules_duplicated.fail.sh => augenrules_duplicated.fail.sh} (85%) - rename linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/{rhel7_augenrules_missing_rule.fail.sh => augenrules_missing_rule.fail.sh} (78%) - create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/augenrules_one_rule.fail.sh - rename linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/{rhel7_augenrules_rules_configured.pass.sh => augenrules_rules_configured.pass.sh} (74%) - rename linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/{rhel7_augenrules_rules_configured_mixed_keys.pass.sh => augenrules_rules_configured_mixed_keys.pass.sh} (83%) - rename linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/{rhel7_augenrules_two_rules_mixed_keys.fail.sh => augenrules_two_rules_mixed_keys.fail.sh} (84%) - rename linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/{rhel7_augenrules_two_rules_sep_files.fail.sh => augenrules_two_rules_sep_files.fail.sh} (84%) - delete mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/rhel7_augenrules_one_rule.fail.sh - rename linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/{rhel7_rules_with_own_key.pass.sh => rules_with_own_key.pass.sh} (70%) - -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/rhel7_auditctl_default.fail.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/auditctl_default.fail.sh -similarity index 74% -rename from linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/rhel7_auditctl_default.fail.sh -rename to linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/auditctl_default.fail.sh -index 5668e9d59..b89717805 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/rhel7_auditctl_default.fail.sh -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/auditctl_default.fail.sh -@@ -1,6 +1,6 @@ - #!/bin/bash - # profiles = xccdf_org.ssgproject.content_profile_pci-dss - # remediation = bash --# platform = Red Hat Enterprise Linux 7 -+# platform = Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8 - - sed -i "s%^ExecStartPost=.*%ExecStartPost=-/sbin/auditctl%" /usr/lib/systemd/system/auditd.service -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/rhel7_auditctl_missing_rule.fail.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/auditctl_missing_rule.fail.sh -similarity index 82% -rename from linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/rhel7_auditctl_missing_rule.fail.sh -rename to linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/auditctl_missing_rule.fail.sh -index 9ff90cc2b..1b8f348c4 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/rhel7_auditctl_missing_rule.fail.sh -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/auditctl_missing_rule.fail.sh -@@ -1,7 +1,7 @@ - #!/bin/bash - # profiles = xccdf_org.ssgproject.content_profile_pci-dss - # remediation = bash --# platform = Red Hat Enterprise Linux 7 -+# platform = Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8 - - ./generate_privileged_commands_rule.sh 1000 privileged /etc/audit/audit.rules - sed -i '/newgrp/d' /etc/audit/audit.rules -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/rhel7_auditctl_one_rule.fail.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/auditctl_one_rule.fail.sh -similarity index 50% -rename from linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/rhel7_auditctl_one_rule.fail.sh -rename to linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/auditctl_one_rule.fail.sh -index c74a0cc7c..16c6fada0 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/rhel7_auditctl_one_rule.fail.sh -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/auditctl_one_rule.fail.sh -@@ -1,7 +1,7 @@ - #!/bin/bash - # profiles = xccdf_org.ssgproject.content_profile_pci-dss - # remediation = bash --# platform = Red Hat Enterprise Linux 7 -+# platform = Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8 - --echo "-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=unset -k privileged" >> /etc/audit/audit.rules -+echo "-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=unset -k privileged" >> /etc/audit/audit.rules - sed -i "s%^ExecStartPost=.*%ExecStartPost=-/sbin/auditctl%" /usr/lib/systemd/system/auditd.service -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/rhel7_auditctl_rules_configured.pass.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/auditctl_rules_configured.pass.sh -similarity index 80% -rename from linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/rhel7_auditctl_rules_configured.pass.sh -rename to linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/auditctl_rules_configured.pass.sh -index c9f338efd..911ce1798 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/rhel7_auditctl_rules_configured.pass.sh -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/auditctl_rules_configured.pass.sh -@@ -1,7 +1,7 @@ - #!/bin/bash - # profiles = xccdf_org.ssgproject.content_profile_pci-dss - # remediation = bash --# platform = Red Hat Enterprise Linux 7 -+# platform = Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8 - - ./generate_privileged_commands_rule.sh 1000 privileged /etc/audit/audit.rules - sed -i "s%^ExecStartPost=.*%ExecStartPost=-/sbin/auditctl%" /usr/lib/systemd/system/auditd.service -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/rhel7_augenrules_default.fail.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/augenrules_default.fail.sh -similarity index 63% -rename from linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/rhel7_augenrules_default.fail.sh -rename to linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/augenrules_default.fail.sh -index 4713a5360..6281f0751 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/rhel7_augenrules_default.fail.sh -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/augenrules_default.fail.sh -@@ -1,6 +1,6 @@ - #!/bin/bash - # profiles = xccdf_org.ssgproject.content_profile_pci-dss - # remediation = bash --# platform = Red Hat Enterprise Linux 7,Fedora -+# platform = Fedora,Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8 - - # augenrules is default for rhel7 -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/rhel7_augenrules_duplicated.fail.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/augenrules_duplicated.fail.sh -similarity index 85% -rename from linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/rhel7_augenrules_duplicated.fail.sh -rename to linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/augenrules_duplicated.fail.sh -index 19b12d090..c01b95aa9 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/rhel7_augenrules_duplicated.fail.sh -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/augenrules_duplicated.fail.sh -@@ -2,7 +2,7 @@ - # profiles = xccdf_org.ssgproject.content_profile_ospp,xccdf_org.ssgproject.content_profile_pci-dss - # Remediation for this rule cannot remove the duplicates - # remediation = none --# platform = Red Hat Enterprise Linux 7,Fedora -+# platform = Fedora,Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8 - - mkdir -p /etc/audit/rules.d - ./generate_privileged_commands_rule.sh 1000 privileged /tmp/privileged.rules -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/rhel7_augenrules_missing_rule.fail.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/augenrules_missing_rule.fail.sh -similarity index 78% -rename from linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/rhel7_augenrules_missing_rule.fail.sh -rename to linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/augenrules_missing_rule.fail.sh -index c007f5dd2..ba3b8dd57 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/rhel7_augenrules_missing_rule.fail.sh -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/augenrules_missing_rule.fail.sh -@@ -1,7 +1,7 @@ - #!/bin/bash - # profiles = xccdf_org.ssgproject.content_profile_pci-dss - # remediation = bash --# platform = Red Hat Enterprise Linux 7,Fedora -+# platform = Fedora,Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8 - - mkdir -p /etc/audit/rules.d - ./generate_privileged_commands_rule.sh 1000 privileged /etc/audit/rules.d/privileged.rules -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/augenrules_one_rule.fail.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/augenrules_one_rule.fail.sh -new file mode 100644 -index 000000000..a136bb885 ---- /dev/null -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/augenrules_one_rule.fail.sh -@@ -0,0 +1,7 @@ -+#!/bin/bash -+# profiles = xccdf_org.ssgproject.content_profile_pci-dss -+# remediation = bash -+# platform = Fedora,Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8 -+ -+mkdir -p /etc/audit/rules.d -+echo "-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=unset -k privileged" >> /etc/audit/rules.d/privileged.rules -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/rhel7_augenrules_rules_configured.pass.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/augenrules_rules_configured.pass.sh -similarity index 74% -rename from linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/rhel7_augenrules_rules_configured.pass.sh -rename to linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/augenrules_rules_configured.pass.sh -index 913ca4402..2badda362 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/rhel7_augenrules_rules_configured.pass.sh -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/augenrules_rules_configured.pass.sh -@@ -1,7 +1,7 @@ - #!/bin/bash - # profiles = xccdf_org.ssgproject.content_profile_pci-dss - # remediation = bash --# platform = Red Hat Enterprise Linux 7,Fedora -+# platform = Fedora,Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8 - - mkdir -p /etc/audit/rules.d - ./generate_privileged_commands_rule.sh 1000 privileged /etc/audit/rules.d/privileged.rules -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/rhel7_augenrules_rules_configured_mixed_keys.pass.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/augenrules_rules_configured_mixed_keys.pass.sh -similarity index 83% -rename from linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/rhel7_augenrules_rules_configured_mixed_keys.pass.sh -rename to linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/augenrules_rules_configured_mixed_keys.pass.sh -index a0ba4fac7..2a9c64215 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/rhel7_augenrules_rules_configured_mixed_keys.pass.sh -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/augenrules_rules_configured_mixed_keys.pass.sh -@@ -1,7 +1,7 @@ - #!/bin/bash - # profiles = xccdf_org.ssgproject.content_profile_pci-dss - # remediation = bash --# platform = Red Hat Enterprise Linux 7,Fedora -+# platform = Fedora,Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8 - - mkdir -p /etc/audit/rules.d - ./generate_privileged_commands_rule.sh 1000 privileged /etc/audit/rules.d/privileged.rules -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/rhel7_augenrules_two_rules_mixed_keys.fail.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/augenrules_two_rules_mixed_keys.fail.sh -similarity index 84% -rename from linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/rhel7_augenrules_two_rules_mixed_keys.fail.sh -rename to linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/augenrules_two_rules_mixed_keys.fail.sh -index bc4a7c4bf..316d836d4 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/rhel7_augenrules_two_rules_mixed_keys.fail.sh -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/augenrules_two_rules_mixed_keys.fail.sh -@@ -1,7 +1,7 @@ - #!/bin/bash - # profiles = xccdf_org.ssgproject.content_profile_pci-dss - # remediation = bash --# platform = Red Hat Enterprise Linux 7,Fedora -+# platform = Fedora,Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8 - - mkdir -p /etc/audit/rules.d - echo "-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=unset -k privileged" >> /etc/audit/rules.d/privileged.rules -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/rhel7_augenrules_two_rules_sep_files.fail.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/augenrules_two_rules_sep_files.fail.sh -similarity index 84% -rename from linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/rhel7_augenrules_two_rules_sep_files.fail.sh -rename to linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/augenrules_two_rules_sep_files.fail.sh -index 0e7091053..78db285d1 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/rhel7_augenrules_two_rules_sep_files.fail.sh -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/augenrules_two_rules_sep_files.fail.sh -@@ -1,7 +1,7 @@ - #!/bin/bash - # profiles = xccdf_org.ssgproject.content_profile_pci-dss - # remediation = bash --# platform = Red Hat Enterprise Linux 7,Fedora -+# platform = Fedora,Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8 - - mkdir -p /etc/audit/rules.d - echo "-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=unset -k privileged" >> /etc/audit/rules.d/priv.rules -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/rhel7_augenrules_one_rule.fail.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/rhel7_augenrules_one_rule.fail.sh -deleted file mode 100644 -index 591109a01..000000000 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/rhel7_augenrules_one_rule.fail.sh -+++ /dev/null -@@ -1,7 +0,0 @@ --#!/bin/bash --# profiles = xccdf_org.ssgproject.content_profile_pci-dss --# remediation = bash --# platform = Red Hat Enterprise Linux 7 -- --mkdir -p /etc/audit/rules.d --echo "-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=unset -k privileged" >> /etc/audit/rules.d/privileged.rules -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/rhel7_rules_with_own_key.pass.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/rules_with_own_key.pass.sh -similarity index 70% -rename from linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/rhel7_rules_with_own_key.pass.sh -rename to linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/rules_with_own_key.pass.sh -index c40fd133d..123dd6dcd 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/rhel7_rules_with_own_key.pass.sh -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/rules_with_own_key.pass.sh -@@ -1,6 +1,6 @@ - #!/bin/bash - # profiles = xccdf_org.ssgproject.content_profile_pci-dss - # remediation = bash --# platform = Red Hat Enterprise Linux 7,Fedora -+# platform = Fedora,Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8 - - ./generate_privileged_commands_rule.sh 1000 own_key /etc/audit/rules.d/privileged.rules -diff --git a/shared/bash_remediation_functions/perform_audit_rules_privileged_commands_remediation.sh b/shared/bash_remediation_functions/perform_audit_rules_privileged_commands_remediation.sh -index 6112f6adb..f595c71cb 100644 ---- a/shared/bash_remediation_functions/perform_audit_rules_privileged_commands_remediation.sh -+++ b/shared/bash_remediation_functions/perform_audit_rules_privileged_commands_remediation.sh -@@ -99,7 +99,7 @@ do - # * existing rule contains all arguments from expected rule form (though can contain - # them in arbitrary order) - -- base_search=$(sed -e '/-a always,exit/!d' -e '/-F path='"${sbinary_esc}"'/!d' \ -+ base_search=$(sed -e '/-a always,exit/!d' -e '/-F path='"${sbinary_esc}"'[^[:graph:]]/!d' \ - -e '/-F path=[^[:space:]]\+/!d' -e '/-F perm=.*/!d' \ - -e '/-F auid>='"${min_auid}"'/!d' -e '/-F auid!=\(4294967295\|unset\)/!d' \ - -e '/-k \|-F key=/!d' "$afile") -diff --git a/ssg/build_yaml.py b/ssg/build_yaml.py -index 5e681b7e0..e3e138283 100644 ---- a/ssg/build_yaml.py -+++ b/ssg/build_yaml.py -@@ -695,13 +695,22 @@ class Group(object): - # top level group, this ensures groups that further configure a package or service - # are after rules that install or remove it. - groups_in_group = list(self.groups.keys()) -+ # The account group has to precede audit group because -+ # the rule package_screen_installed is desired to be executed before the rule -+ # audit_rules_privileged_commands, othervise the rule -+ # does not catch newly installed screeen binary during remediation -+ # and report fail - # The FIPS group should come before Crypto - if we want to set a different (stricter) Crypto Policy than FIPS. - # the firewalld_activation must come before ruleset_modifications, othervise - # remediations for ruleset_modifications won't work - # rules from group disabling_ipv6 must precede rules from configuring_ipv6, - # otherwise the remediation prints error although it is successful -- priority_order = ["fips", "crypto", "firewalld_activation", -- "ruleset_modifications", "disabling_ipv6", "configuring_ipv6"] -+ priority_order = [ -+ "accounts", "auditing", -+ "fips", "crypto", -+ "firewalld_activation", "ruleset_modifications", -+ "disabling_ipv6", "configuring_ipv6" -+ ] - groups_in_group = reorder_according_to_ordering(groups_in_group, priority_order) - for group_id in groups_in_group: - _group = self.groups[group_id] --- -2.21.1 - diff --git a/SOURCES/scap-security-guide-0.1.50-fix_banner_etc_motd_PR_5319.patch b/SOURCES/scap-security-guide-0.1.50-fix_banner_etc_motd_PR_5319.patch deleted file mode 100644 index 3c0314f..0000000 --- a/SOURCES/scap-security-guide-0.1.50-fix_banner_etc_motd_PR_5319.patch +++ /dev/null @@ -1,217 +0,0 @@ -From 023412217f4a73e47a7b5d8786b2b10974015615 Mon Sep 17 00:00:00 2001 -From: Watson Sato -Date: Thu, 19 Mar 2020 16:55:29 +0100 -Subject: [PATCH 1/4] Make banner_etc_motd like banner_etc_issue - -Both rules source the banner from the same XCCDF variable. ---- - .../banner_etc_motd/bash/shared.sh | 18 +++++++++++++----- - .../banner_etc_motd/oval/shared.xml | 8 +++++++- - 2 files changed, 20 insertions(+), 6 deletions(-) - -diff --git a/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/bash/shared.sh b/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/bash/shared.sh -index ac04d93dd5..d731063b5a 100644 ---- a/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/bash/shared.sh -+++ b/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/bash/shared.sh -@@ -2,12 +2,20 @@ - . /usr/share/scap-security-guide/remediation_functions - populate login_banner_text - --# There was a regular-expression matching various banners, needs to be expanded --expanded=$(echo "$login_banner_text" | sed 's/(\\\\\x27)\*/\\\x27/g;s/(\\\x27)\*//g;s/(\^\(.*\)\$|.*$/\1/g;s/\[\\s\\n\][+*]/ /g;s/\\//g;s/[^-]- /\n\n-/g;s/(n)\**//g') --formatted=$(echo "$expanded" | fold -sw 80) -+# Multiple regexes transform the banner regex into a usable banner -+# 0 - Remove anchors around the banner text -+{{{ bash_deregexify_banner_anchors("login_banner_text") }}} -+# 1 - Keep only the first banners if there are multiple -+# (dod_banners contains the long and short banner) -+{{{ bash_deregexify_multiple_banners("login_banner_text") }}} -+# 2 - Add spaces ' '. (Transforms regex for "space or newline" into a " ") -+{{{ bash_deregexify_banner_space("login_banner_text") }}} -+# 3 - Adds newlines. (Transforms "(?:\[\\n\]+|(?:\\n)+)" into "\n") -+{{{ bash_deregexify_banner_newline("login_banner_text", "\\n") }}} -+# 4 - Remove any leftover backslash. (From any parethesis in the banner, for example). -+{{{ bash_deregexify_banner_backslash("login_banner_text") }}} -+formatted=$(echo "$login_banner_text" | fold -sw 80) - - cat </etc/motd - $formatted - EOF -- --printf "\n" >> /etc/motd -diff --git a/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/oval/shared.xml b/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/oval/shared.xml -index dfd3bb69c0..9b20ee032a 100644 ---- a/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/oval/shared.xml -+++ b/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/oval/shared.xml -@@ -18,14 +18,20 @@ - - - -+ - - - -+ - /etc/motd -- -+ ^(.*)$ - 1 - - -+ -+ -+ -+ - - - - -From 38e7680395d78371a12d3afd2561533d9f1860c3 Mon Sep 17 00:00:00 2001 -From: Watson Sato -Date: Thu, 19 Mar 2020 16:59:45 +0100 -Subject: [PATCH 2/4] Add Ansible for banner_etc_motd - ---- - .../banner_etc_motd/ansible/shared.yml | 17 +++++++++++++++++ - 1 file changed, 17 insertions(+) - create mode 100644 linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/ansible/shared.yml - -diff --git a/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/ansible/shared.yml -new file mode 100644 -index 0000000000..dfc1c519b7 ---- /dev/null -+++ b/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/ansible/shared.yml -@@ -0,0 +1,17 @@ -+# platform = multi_platform_wrlinux,multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv -+# reboot = false -+# strategy = unknown -+# complexity = low -+# disruption = medium -+- (xccdf-var login_banner_text) -+ -+- name: "{{{ rule_title }}} - remove incorrect banner" -+ file: -+ state: absent -+ path: /etc/motd -+ -+- name: "{{{ rule_title }}} - add correct banner" -+ lineinfile: -+ dest: /etc/motd -+ line: '{{{ ansible_deregexify_banner_etc_issue("login_banner_text") }}}' -+ create: yes - -From c6ea356cef8678cdf248fc8363767d8615fb7423 Mon Sep 17 00:00:00 2001 -From: Watson Sato -Date: Thu, 19 Mar 2020 17:20:38 +0100 -Subject: [PATCH 3/4] Use profile "all" to test banner_etc_motd - -When the profile doesn't do any selection, the default value is used. -When the variable doesn't define a default value, the first value is -considered the default. - -The test scenarios of banner_etcmotd are aligned with the first value of -login_banner_text. ---- - .../tests/banner_etc_motd_disa_dod_default_banner.pass.sh | 2 -- - .../tests/banner_etc_motd_disa_dod_short.pass.sh | 2 -- - .../tests/banner_etc_motd_disa_double_banner.fail.sh | 2 -- - .../tests/banner_etc_motd_disa_usgcb_banner.fail.sh | 2 -- - .../tests/banner_etc_motd_ospp_usbcg_banner.fail.sh | 2 -- - .../tests/banner_etc_motd_ospp_usbcg_banner.pass.sh | 2 -- - 6 files changed, 12 deletions(-) - -diff --git a/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/tests/banner_etc_motd_disa_dod_default_banner.pass.sh b/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/tests/banner_etc_motd_disa_dod_default_banner.pass.sh -index a926abd7dd..96e5e11e5b 100644 ---- a/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/tests/banner_etc_motd_disa_dod_default_banner.pass.sh -+++ b/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/tests/banner_etc_motd_disa_dod_default_banner.pass.sh -@@ -1,6 +1,4 @@ - #!/bin/bash --# --# profiles = xccdf_org.ssgproject.content_profile_stig - - # dod_default banner - echo "You are accessing a U.S. Government (USG) Information System (IS) that is -diff --git a/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/tests/banner_etc_motd_disa_dod_short.pass.sh b/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/tests/banner_etc_motd_disa_dod_short.pass.sh -index a2624e1066..ddf1efa43c 100644 ---- a/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/tests/banner_etc_motd_disa_dod_short.pass.sh -+++ b/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/tests/banner_etc_motd_disa_dod_short.pass.sh -@@ -1,6 +1,4 @@ - #!/bin/bash --# --# profiles = xccdf_org.ssgproject.content_profile_stig - - # dod_short banner - echo "I've read & consent to terms in IS user agreem't." > /etc/motd -diff --git a/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/tests/banner_etc_motd_disa_double_banner.fail.sh b/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/tests/banner_etc_motd_disa_double_banner.fail.sh -index 93c00cfde7..8cd0d30fa9 100644 ---- a/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/tests/banner_etc_motd_disa_double_banner.fail.sh -+++ b/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/tests/banner_etc_motd_disa_double_banner.fail.sh -@@ -1,6 +1,4 @@ - #!/bin/bash --# --# profiles = xccdf_org.ssgproject.content_profile_stig - - # dod_default|dod_short banner - echo "You are accessing a U.S. Government (USG) Information System (IS) that is -diff --git a/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/tests/banner_etc_motd_disa_usgcb_banner.fail.sh b/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/tests/banner_etc_motd_disa_usgcb_banner.fail.sh -index 3878983a19..5abacbb535 100644 ---- a/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/tests/banner_etc_motd_disa_usgcb_banner.fail.sh -+++ b/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/tests/banner_etc_motd_disa_usgcb_banner.fail.sh -@@ -1,6 +1,4 @@ - #!/bin/bash --# --# profiles = xccdf_org.ssgproject.content_profile_stig - - # usgcb_default banner - echo "-- WARNING -- This system is for the use of authorized users only. Individuals -diff --git a/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/tests/banner_etc_motd_ospp_usbcg_banner.fail.sh b/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/tests/banner_etc_motd_ospp_usbcg_banner.fail.sh -index c82a8e39b2..43b2e0a2e9 100644 ---- a/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/tests/banner_etc_motd_ospp_usbcg_banner.fail.sh -+++ b/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/tests/banner_etc_motd_ospp_usbcg_banner.fail.sh -@@ -1,5 +1,3 @@ - #!/bin/bash --# --# profiles = xccdf_org.ssgproject.content_profile_ospp - - echo "This is not the expected banner" > /etc/motd -diff --git a/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/tests/banner_etc_motd_ospp_usbcg_banner.pass.sh b/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/tests/banner_etc_motd_ospp_usbcg_banner.pass.sh -index 41894c998b..5abacbb535 100644 ---- a/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/tests/banner_etc_motd_ospp_usbcg_banner.pass.sh -+++ b/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/tests/banner_etc_motd_ospp_usbcg_banner.pass.sh -@@ -1,6 +1,4 @@ - #!/bin/bash --# --# profiles = xccdf_org.ssgproject.content_profile_ospp - - # usgcb_default banner - echo "-- WARNING -- This system is for the use of authorized users only. Individuals - -From 4cb5b1f167a1ac3de94626d82eb6d3779a443475 Mon Sep 17 00:00:00 2001 -From: Watson Sato -Date: Thu, 19 Mar 2020 18:04:14 +0100 -Subject: [PATCH 4/4] Remove test that doesn't make sense - -At the moment no profile selects this rules. -The value of the variable will be the default (first) value of -variable login_banner_text. Thus, second pass test doesn't make sense. ---- - .../tests/banner_etc_motd_ospp_usbcg_banner.pass.sh | 10 ---------- - 1 file changed, 10 deletions(-) - delete mode 100644 linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/tests/banner_etc_motd_ospp_usbcg_banner.pass.sh - -diff --git a/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/tests/banner_etc_motd_ospp_usbcg_banner.pass.sh b/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/tests/banner_etc_motd_ospp_usbcg_banner.pass.sh -deleted file mode 100644 -index 5abacbb535..0000000000 ---- a/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/tests/banner_etc_motd_ospp_usbcg_banner.pass.sh -+++ /dev/null -@@ -1,10 +0,0 @@ --#!/bin/bash -- --# usgcb_default banner --echo "-- WARNING -- This system is for the use of authorized users only. Individuals --using this computer system without authority or in excess of their authority --are subject to having all their activities on this system monitored and --recorded by system personnel. Anyone using this system expressly consents to --such monitoring and is advised that if such monitoring reveals possible --evidence of criminal activity system personal may provide the evidence of such --monitoring to law enforcement officials." > /etc/motd diff --git a/SOURCES/scap-security-guide-0.1.50-fix_boot_target_after_xorg_removed_PR_5625.patch b/SOURCES/scap-security-guide-0.1.50-fix_boot_target_after_xorg_removed_PR_5625.patch deleted file mode 100644 index 663f92b..0000000 --- a/SOURCES/scap-security-guide-0.1.50-fix_boot_target_after_xorg_removed_PR_5625.patch +++ /dev/null @@ -1,538 +0,0 @@ -From 6429aa7d29a6c93a6c6826d6fa99cee162ed1c22 Mon Sep 17 00:00:00 2001 -From: Gabriel Becker -Date: Mon, 20 Apr 2020 12:50:27 +0200 -Subject: [PATCH 01/10] Add warning to package_xorg-x11-server-common_removed. - -When this package is removed from a GUI environment system, it may end up with a black -screen after restarting it. ---- - .../package_xorg-x11-server-common_removed/rule.yml | 12 ++++++++++-- - 1 file changed, 10 insertions(+), 2 deletions(-) - -diff --git a/linux_os/guide/services/xwindows/disabling_xwindows/package_xorg-x11-server-common_removed/rule.yml b/linux_os/guide/services/xwindows/disabling_xwindows/package_xorg-x11-server-common_removed/rule.yml -index 4ce51a8141..04ee90b4d5 100644 ---- a/linux_os/guide/services/xwindows/disabling_xwindows/package_xorg-x11-server-common_removed/rule.yml -+++ b/linux_os/guide/services/xwindows/disabling_xwindows/package_xorg-x11-server-common_removed/rule.yml -@@ -9,8 +9,8 @@ description: |- - installed. If X Windows is not installed then the system cannot boot into graphical user mode. - This prevents the system from being accidentally or maliciously booted into a graphical.target - mode. To do so, run the following command: --
$ sudo yum groupremove "X Window System"
--
$ sudo yum remove xorg-x11-server-common
-+
$ sudo {{{ pkg_manager }}} groupremove "X Window System"
-+
$ sudo {{{ pkg_manager }}} remove xorg-x11-server-common
- - rationale: |- - Unnecessary service packages must not be installed to decrease the attack surface of the system. X windows has a long history of security -@@ -47,6 +47,14 @@ ocil: |- - The output should be: -
package xorg-x11-server-common is not installed
- -+warnings: -+ - functionality: |- -+ The installation and use of a Graphical User Interface (GUI) increases your attack vector and decreases your -+ overall security posture. Removing the package xorg-x11-server-common package can -+ potentially remove the graphical target which might bring your system to an inconsistent state requiring -+ additional configuration to access the system again. If a GUI is an operational requirement, a tailored profile -+ that removes this rule should used before continuing installation. -+ - template: - name: package_removed - vars: - -From 9f767c7c60e1a5b35e30cbe7f9d81288dd26ac9e Mon Sep 17 00:00:00 2001 -From: Gabriel Becker -Date: Mon, 20 Apr 2020 12:51:48 +0200 -Subject: [PATCH 02/10] SSGTS: Encode string to UTF-8 before writing into file. - ---- - tests/ssg_test_suite/oscap.py | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/tests/ssg_test_suite/oscap.py b/tests/ssg_test_suite/oscap.py -index 301c326835..2858963373 100644 ---- a/tests/ssg_test_suite/oscap.py -+++ b/tests/ssg_test_suite/oscap.py -@@ -170,7 +170,7 @@ def run_stage_remediation_ansible(run_type, formatting, verbose_path): - # Appends output of ansible-playbook to the verbose_path file. - with open(verbose_path, 'a') as f: - f.write('Stdout of "{}":'.format(command_string)) -- f.write(output) -+ f.write(output.encode("utf-8")) - if returncode != 0: - msg = ( - 'Ansible playbook remediation run has ' -@@ -199,7 +199,7 @@ def run_stage_remediation_bash(run_type, formatting, verbose_path): - # Appends output of script execution to the verbose_path file. - with open(verbose_path, 'a') as f: - f.write('Stdout of "{}":'.format(command_string)) -- f.write(output) -+ f.write(output.encode("utf-8")) - if returncode != 0: - msg = ( - 'Bash script remediation run has exited with return code {} ' - -From 2cb9a0eac96e2dd44c2ca8e50c8460e9f220f977 Mon Sep 17 00:00:00 2001 -From: Gabriel Becker -Date: Mon, 20 Apr 2020 12:52:36 +0200 -Subject: [PATCH 03/10] Add check and remediation for xwindows_runlevel_target. - -Select this rule in profiles (RHEL6 profiles are not included) that select -package_xorg-x11-server-common_removed since this rule removes a -package that is dependent when using a system with GUI and the target -needs to be changed from graphical.target to multi-user.target otherwise -the system ends with having a black screen after restarting it. ---- - .../ansible/shared.yml | 12 +++++ - .../xwindows_runlevel_target/bash/shared.sh | 7 +++ - .../xwindows_runlevel_target/oval/shared.xml | 49 +++++++++++++++++++ - .../xwindows_runlevel_target/rule.yml | 3 +- - .../tests/correct_target.pass.sh | 5 ++ - .../tests/wrong_target.fail.sh | 5 ++ - rhel7/profiles/cis.profile | 1 + - 10 files changed, 84 insertions(+), 1 deletion(-) - create mode 100644 linux_os/guide/services/xwindows/disabling_xwindows/xwindows_runlevel_target/ansible/shared.yml - create mode 100644 linux_os/guide/services/xwindows/disabling_xwindows/xwindows_runlevel_target/bash/shared.sh - create mode 100644 linux_os/guide/services/xwindows/disabling_xwindows/xwindows_runlevel_target/oval/shared.xml - create mode 100644 linux_os/guide/services/xwindows/disabling_xwindows/xwindows_runlevel_target/tests/correct_target.pass.sh - create mode 100644 linux_os/guide/services/xwindows/disabling_xwindows/xwindows_runlevel_target/tests/wrong_target.fail.sh - -diff --git a/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_runlevel_target/ansible/shared.yml b/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_runlevel_target/ansible/shared.yml -new file mode 100644 -index 0000000000..49cdaeb7aa ---- /dev/null -+++ b/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_runlevel_target/ansible/shared.yml -@@ -0,0 +1,12 @@ -+# platform = multi_platform_sle,multi_platform_rhv,multi_platform_fedora,Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8 -+# reboot = true -+# strategy = restrict -+# complexity = low -+# disruption = low -+ -+- name: get default target -+ command: systemctl get-default -+ register: default_target -+- name: Switch to multi-user runlevel -+ command: systemctl set-default multi-user.target -+ when: default_target.stdout != "multi-user.target" -diff --git a/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_runlevel_target/bash/shared.sh b/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_runlevel_target/bash/shared.sh -new file mode 100644 -index 0000000000..289a38483c ---- /dev/null -+++ b/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_runlevel_target/bash/shared.sh -@@ -0,0 +1,7 @@ -+# platform = multi_platform_sle,multi_platform_rhv,multi_platform_fedora,Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8 -+# reboot = true -+# strategy = restrict -+# complexity = low -+# disruption = low -+ -+systemctl set-default multi-user.target -diff --git a/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_runlevel_target/oval/shared.xml b/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_runlevel_target/oval/shared.xml -new file mode 100644 -index 0000000000..94c372ffec ---- /dev/null -+++ b/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_runlevel_target/oval/shared.xml -@@ -0,0 +1,49 @@ -+{{%- if init_system == "systemd" and target_oval_version == [5, 10] -%}} -+{{# this is the only scenario this definition cannot handle, there is no good alternative for symlink_test for OVAL 5.10 #}} -+{{%- else -%}} -+ -+ -+ -+ Disable X Windows Startup By Setting Default SystemD Target -+ {{{- oval_affected(products) }}} -+ {{%- if init_system == "systemd" %}} -+ Checks /etc/systemd/system/default.target to ensure that the default runlevel target is set to multi-user.target. -+ {{%- else %}} -+ Checks /etc/inittab to ensure that default runlevel is set to 3. -+ {{%- endif %}} -+ -+ {{%- if init_system == "systemd" %}} -+ -+ -+ -+ {{%- else %}} -+ -+ -+ -+ {{%- endif %}} -+ -+ {{%- if init_system == "systemd" %}} -+ -+ -+ -+ -+ -+ /etc/systemd/system/default.target -+ -+ -+ /etc/systemd/system/default.target -+ ^/usr/lib/systemd/system/multi-user.target$ -+ -+ {{%- else %}} -+ -+ -+ -+ -+ /etc/inittab -+ ^[\s]*id:3:initdefault:[\s]*$ -+ 1 -+ -+ {{%- endif %}} -+ -+{{%- endif -%}} -+ -diff --git a/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_runlevel_target/rule.yml b/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_runlevel_target/rule.yml -index ed5882941c..cd04fcde8f 100644 ---- a/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_runlevel_target/rule.yml -+++ b/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_runlevel_target/rule.yml -@@ -1,6 +1,6 @@ - documentation_complete: true - --prodtype: fedora,rhel7,rhel8 -+prodtype: fedora,rhel7,rhel8,sle12,rhv4 - - title: 'Disable X Windows Startup By Setting Default Target' - -@@ -24,6 +24,7 @@ severity: medium - - identifiers: - cce@rhel7: 27285-6 -+ cce@rhel8: 83380-6 - - references: - disa: "366" -diff --git a/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_runlevel_target/tests/correct_target.pass.sh b/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_runlevel_target/tests/correct_target.pass.sh -new file mode 100644 -index 0000000000..33835c8f50 ---- /dev/null -+++ b/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_runlevel_target/tests/correct_target.pass.sh -@@ -0,0 +1,5 @@ -+#!/bin/bash -+# platform = multi_platform_sle,multi_platform_rhv,multi_platform_fedora,Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8 -+ -+rm -f /etc/systemd/system/default.target -+ln -s /usr/lib/systemd/system/multi-user.target /etc/systemd/system/default.target -diff --git a/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_runlevel_target/tests/wrong_target.fail.sh b/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_runlevel_target/tests/wrong_target.fail.sh -new file mode 100644 -index 0000000000..9313dbb5a2 ---- /dev/null -+++ b/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_runlevel_target/tests/wrong_target.fail.sh -@@ -0,0 +1,5 @@ -+#!/bin/bash -+# platform = multi_platform_sle,multi_platform_rhv,multi_platform_fedora,Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8 -+ -+rm -f /etc/systemd/system/default.target -+ln -s /usr/lib/systemd/system/graphical.target /etc/systemd/system/default.target -diff --git a/rhel7/profiles/cis.profile b/rhel7/profiles/cis.profile -index 886e9a963a..0826a49547 100644 ---- a/rhel7/profiles/cis.profile -+++ b/rhel7/profiles/cis.profile -@@ -226,6 +226,7 @@ selections: - - ### 2.2.2 Ensure X Window System is not installed (Scored) - - package_xorg-x11-server-common_removed -+ - xwindows_runlevel_target - - ### 2.2.3 Ensure Avahi Server is not enabled (Scored) - - service_avahi-daemon_disabled - -From 3e1381a89b54591b7ca6a6b54cf56c6594cb87c0 Mon Sep 17 00:00:00 2001 -From: Gabriel Becker -Date: Mon, 20 Apr 2020 17:46:08 +0200 -Subject: [PATCH 04/10] Simplify xwindows_runlevel_target artifacts. - ---- - .../rule.yml | 2 ++ - .../ansible/shared.yml | 1 + - .../xwindows_runlevel_target/oval/shared.xml | 23 +------------------ - .../tests/correct_target.pass.sh | 3 +-- - .../tests/wrong_target.fail.sh | 3 +-- - 5 files changed, 6 insertions(+), 26 deletions(-) - -diff --git a/linux_os/guide/services/xwindows/disabling_xwindows/package_xorg-x11-server-common_removed/rule.yml b/linux_os/guide/services/xwindows/disabling_xwindows/package_xorg-x11-server-common_removed/rule.yml -index 04ee90b4d5..934205472b 100644 ---- a/linux_os/guide/services/xwindows/disabling_xwindows/package_xorg-x11-server-common_removed/rule.yml -+++ b/linux_os/guide/services/xwindows/disabling_xwindows/package_xorg-x11-server-common_removed/rule.yml -@@ -9,7 +9,9 @@ description: |- - installed. If X Windows is not installed then the system cannot boot into graphical user mode. - This prevents the system from being accidentally or maliciously booted into a graphical.target - mode. To do so, run the following command: -+ {{%- if product != "rhel8" and product != "rhv4" -%}} -
$ sudo {{{ pkg_manager }}} groupremove "X Window System"
-+ {{%- endif %}} -
$ sudo {{{ pkg_manager }}} remove xorg-x11-server-common
- - rationale: |- -diff --git a/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_runlevel_target/ansible/shared.yml b/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_runlevel_target/ansible/shared.yml -index 49cdaeb7aa..2677c96ac7 100644 ---- a/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_runlevel_target/ansible/shared.yml -+++ b/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_runlevel_target/ansible/shared.yml -@@ -7,6 +7,7 @@ - - name: get default target - command: systemctl get-default - register: default_target -+ - - name: Switch to multi-user runlevel - command: systemctl set-default multi-user.target - when: default_target.stdout != "multi-user.target" -diff --git a/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_runlevel_target/oval/shared.xml b/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_runlevel_target/oval/shared.xml -index 94c372ffec..16e15df8e1 100644 ---- a/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_runlevel_target/oval/shared.xml -+++ b/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_runlevel_target/oval/shared.xml -@@ -6,23 +6,12 @@ - - Disable X Windows Startup By Setting Default SystemD Target - {{{- oval_affected(products) }}} -- {{%- if init_system == "systemd" %}} -- Checks /etc/systemd/system/default.target to ensure that the default runlevel target is set to multi-user.target. -- {{%- else %}} -- Checks /etc/inittab to ensure that default runlevel is set to 3. -- {{%- endif %}} -+ Ensure that the default runlevel target is set to multi-user.target. - -- {{%- if init_system == "systemd" %}} - - - -- {{%- else %}} -- -- -- -- {{%- endif %}} - -- {{%- if init_system == "systemd" %}} - - - -@@ -34,16 +23,6 @@ - /etc/systemd/system/default.target - ^/usr/lib/systemd/system/multi-user.target$ - -- {{%- else %}} -- -- -- -- -- /etc/inittab -- ^[\s]*id:3:initdefault:[\s]*$ -- 1 -- -- {{%- endif %}} - - {{%- endif -%}} - -diff --git a/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_runlevel_target/tests/correct_target.pass.sh b/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_runlevel_target/tests/correct_target.pass.sh -index 33835c8f50..f7837a25b7 100644 ---- a/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_runlevel_target/tests/correct_target.pass.sh -+++ b/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_runlevel_target/tests/correct_target.pass.sh -@@ -1,5 +1,4 @@ - #!/bin/bash - # platform = multi_platform_sle,multi_platform_rhv,multi_platform_fedora,Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8 - --rm -f /etc/systemd/system/default.target --ln -s /usr/lib/systemd/system/multi-user.target /etc/systemd/system/default.target -+systemctl set-default multi-user.target -diff --git a/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_runlevel_target/tests/wrong_target.fail.sh b/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_runlevel_target/tests/wrong_target.fail.sh -index 9313dbb5a2..5a20e8ce3a 100644 ---- a/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_runlevel_target/tests/wrong_target.fail.sh -+++ b/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_runlevel_target/tests/wrong_target.fail.sh -@@ -1,5 +1,4 @@ - #!/bin/bash - # platform = multi_platform_sle,multi_platform_rhv,multi_platform_fedora,Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8 - --rm -f /etc/systemd/system/default.target --ln -s /usr/lib/systemd/system/graphical.target /etc/systemd/system/default.target -+systemctl set-default graphical.target - -From bf0a5b6760b58ae5a7927781af3f24443b732554 Mon Sep 17 00:00:00 2001 -From: Gabriel Becker -Date: Mon, 20 Apr 2020 23:23:00 +0200 -Subject: [PATCH 05/10] Update list of available CCE. - ---- - shared/references/cce-redhat-avail.txt | 1 - - 1 file changed, 1 deletion(-) - -diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt -index c10448ff8d..4debf015dd 100644 ---- a/shared/references/cce-redhat-avail.txt -+++ b/shared/references/cce-redhat-avail.txt -@@ -71,7 +71,6 @@ CCE-83376-4 - CCE-83377-2 - CCE-83378-0 - CCE-83379-8 --CCE-83380-6 - CCE-83381-4 - CCE-83382-2 - CCE-83383-0 - -From e4ab5d8502aba4e4f55aa1d6394fe47f893e68ff Mon Sep 17 00:00:00 2001 -From: Gabriel Becker -Date: Thu, 23 Apr 2020 16:01:06 +0200 -Subject: [PATCH 06/10] Update ansible remediation for xwindows_runlevel_target - to use file module. - ---- - .../xwindows_runlevel_target/ansible/shared.yml | 11 +++++------ - 1 file changed, 5 insertions(+), 6 deletions(-) - -diff --git a/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_runlevel_target/ansible/shared.yml b/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_runlevel_target/ansible/shared.yml -index 2677c96ac7..72a3c5415a 100644 ---- a/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_runlevel_target/ansible/shared.yml -+++ b/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_runlevel_target/ansible/shared.yml -@@ -4,10 +4,9 @@ - # complexity = low - # disruption = low - --- name: get default target -- command: systemctl get-default -- register: default_target -- - - name: Switch to multi-user runlevel -- command: systemctl set-default multi-user.target -- when: default_target.stdout != "multi-user.target" -+ file: -+ src: /usr/lib/systemd/system/multi-user.target -+ dest: /etc/systemd/system/default.target -+ state: link -+ force: yes - -From d19185cd39abcb413351894384a8c603ee768470 Mon Sep 17 00:00:00 2001 -From: Gabriel Becker -Date: Thu, 23 Apr 2020 16:01:52 +0200 -Subject: [PATCH 07/10] Update rule package_xorg-x11-server-common_removed - metadata. - -For RHEL8 based products the group id that represents base Xorg packages -is called "base-x". ---- - .../package_xorg-x11-server-common_removed/rule.yml | 12 +++++++----- - 1 file changed, 7 insertions(+), 5 deletions(-) - -diff --git a/linux_os/guide/services/xwindows/disabling_xwindows/package_xorg-x11-server-common_removed/rule.yml b/linux_os/guide/services/xwindows/disabling_xwindows/package_xorg-x11-server-common_removed/rule.yml -index 934205472b..099ef2bc7b 100644 ---- a/linux_os/guide/services/xwindows/disabling_xwindows/package_xorg-x11-server-common_removed/rule.yml -+++ b/linux_os/guide/services/xwindows/disabling_xwindows/package_xorg-x11-server-common_removed/rule.yml -@@ -9,7 +9,9 @@ description: |- - installed. If X Windows is not installed then the system cannot boot into graphical user mode. - This prevents the system from being accidentally or maliciously booted into a graphical.target - mode. To do so, run the following command: -- {{%- if product != "rhel8" and product != "rhv4" -%}} -+ {{%- if product == "rhel8" or product == "rhv4" -%}} -+
$ sudo {{{ pkg_manager }}} groupremove base-x
-+ {{%- else %}} -
$ sudo {{{ pkg_manager }}} groupremove "X Window System"
- {{%- endif %}} -
$ sudo {{{ pkg_manager }}} remove xorg-x11-server-common
-@@ -52,10 +54,10 @@ ocil: |- - warnings: - - functionality: |- - The installation and use of a Graphical User Interface (GUI) increases your attack vector and decreases your -- overall security posture. Removing the package xorg-x11-server-common package can -- potentially remove the graphical target which might bring your system to an inconsistent state requiring -- additional configuration to access the system again. If a GUI is an operational requirement, a tailored profile -- that removes this rule should used before continuing installation. -+ overall security posture. Removing the package xorg-x11-server-common package will remove the graphical target -+ which might bring your system to an inconsistent state requiring additional configuration to access the system -+ again. If a GUI is an operational requirement, a tailored profile that removes this rule should used before -+ continuing installation. - - template: - name: package_removed - -From 568ea36774cd41778c5ffcb004c11b538697f39b Mon Sep 17 00:00:00 2001 -From: Gabriel Becker -Date: Thu, 23 Apr 2020 17:13:58 +0200 -Subject: [PATCH 08/10] OVAL Check for xwindows_runlevel_target consider files - from both /usr and /lib directory prefix. - ---- - .../xwindows_runlevel_target/oval/shared.xml | 2 +- - .../tests/correct_target_under_lib.pass.sh | 4 ++++ - .../tests/wrong_target_under_lib.fail.sh | 4 ++++ - 3 files changed, 9 insertions(+), 1 deletion(-) - create mode 100644 linux_os/guide/services/xwindows/disabling_xwindows/xwindows_runlevel_target/tests/correct_target_under_lib.pass.sh - create mode 100644 linux_os/guide/services/xwindows/disabling_xwindows/xwindows_runlevel_target/tests/wrong_target_under_lib.fail.sh - -diff --git a/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_runlevel_target/oval/shared.xml b/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_runlevel_target/oval/shared.xml -index 16e15df8e1..97f51c3140 100644 ---- a/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_runlevel_target/oval/shared.xml -+++ b/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_runlevel_target/oval/shared.xml -@@ -21,7 +21,7 @@ - - - /etc/systemd/system/default.target -- ^/usr/lib/systemd/system/multi-user.target$ -+ ^(/usr)?/lib/systemd/system/multi-user.target$ - - - {{%- endif -%}} -diff --git a/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_runlevel_target/tests/correct_target_under_lib.pass.sh b/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_runlevel_target/tests/correct_target_under_lib.pass.sh -new file mode 100644 -index 0000000000..f7837a25b7 ---- /dev/null -+++ b/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_runlevel_target/tests/correct_target_under_lib.pass.sh -@@ -0,0 +1,4 @@ -+#!/bin/bash -+# platform = multi_platform_sle,multi_platform_rhv,multi_platform_fedora,Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8 -+ -+systemctl set-default multi-user.target -diff --git a/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_runlevel_target/tests/wrong_target_under_lib.fail.sh b/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_runlevel_target/tests/wrong_target_under_lib.fail.sh -new file mode 100644 -index 0000000000..408409b9b1 ---- /dev/null -+++ b/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_runlevel_target/tests/wrong_target_under_lib.fail.sh -@@ -0,0 +1,4 @@ -+#!/bin/bash -+# platform = multi_platform_sle,multi_platform_rhv,multi_platform_fedora,Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8 -+ -+ln -sf /lib/systemd/system/graphical.target /etc/systemd/system/default.target - -From e39030c464385251d0688ccb609ad10718b22359 Mon Sep 17 00:00:00 2001 -From: Gabriel Becker -Date: Thu, 23 Apr 2020 17:14:51 +0200 -Subject: [PATCH 09/10] Update command output from instructions on how to - manually set multi-user.target. - ---- - .../disabling_xwindows/xwindows_runlevel_target/rule.yml | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_runlevel_target/rule.yml b/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_runlevel_target/rule.yml -index cd04fcde8f..79457b2b4f 100644 ---- a/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_runlevel_target/rule.yml -+++ b/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_runlevel_target/rule.yml -@@ -11,8 +11,8 @@ description: |- - multi-user.target will prevent automatic startup of the X server. To do so, run: -
$ systemctl set-default multi-user.target
- You should see the following output: --
rm '/etc/systemd/system/default.target'
--    ln -s '/usr/lib/systemd/system/multi-user.target' '/etc/systemd/system/default.target'
-+
Removed symlink /etc/systemd/system/default.target.
-+    Created symlink from /etc/systemd/system/default.target to /usr/lib/systemd/system/multi-user.target.
- - rationale: |- - Services that are not required for system and application processes - -From 2965265fcaf9b14b53866e33d18eeb89f50902c1 Mon Sep 17 00:00:00 2001 -From: Gabriel Becker -Date: Thu, 23 Apr 2020 17:32:21 +0200 -Subject: [PATCH 10/10] Fix location of symlink created by test scenario for - xwindows_runlevel_target. - ---- - .../tests/correct_target_under_lib.pass.sh | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_runlevel_target/tests/correct_target_under_lib.pass.sh b/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_runlevel_target/tests/correct_target_under_lib.pass.sh -index f7837a25b7..dc698edc50 100644 ---- a/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_runlevel_target/tests/correct_target_under_lib.pass.sh -+++ b/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_runlevel_target/tests/correct_target_under_lib.pass.sh -@@ -1,4 +1,4 @@ - #!/bin/bash - # platform = multi_platform_sle,multi_platform_rhv,multi_platform_fedora,Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8 - --systemctl set-default multi-user.target -+ln -sf /lib/systemd/system/multi-user.target /etc/systemd/system/default.target diff --git a/SOURCES/scap-security-guide-0.1.50-fix_chronyd_rule_title_PR_5309.patch b/SOURCES/scap-security-guide-0.1.50-fix_chronyd_rule_title_PR_5309.patch deleted file mode 100644 index 37cbac1..0000000 --- a/SOURCES/scap-security-guide-0.1.50-fix_chronyd_rule_title_PR_5309.patch +++ /dev/null @@ -1,22 +0,0 @@ -From 6cf3a337a6f69d93ac31a344ccf039bfa3a93d66 Mon Sep 17 00:00:00 2001 -From: Vojtech Polasek -Date: Wed, 18 Mar 2020 17:49:57 +0100 -Subject: [PATCH] remove ntp mention from rule title - ---- - .../guide/services/ntp/chronyd_specify_remote_server/rule.yml | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/linux_os/guide/services/ntp/chronyd_specify_remote_server/rule.yml b/linux_os/guide/services/ntp/chronyd_specify_remote_server/rule.yml -index b2177fc76e..bc8815b068 100644 ---- a/linux_os/guide/services/ntp/chronyd_specify_remote_server/rule.yml -+++ b/linux_os/guide/services/ntp/chronyd_specify_remote_server/rule.yml -@@ -1,7 +1,7 @@ - documentation_complete: true - - --title: 'A remote NTP server for Chrony is configured' -+title: 'A remote time server for Chrony is configured' - - description: |- - Chrony is a daemon which implements the Network Time Protocol (NTP). It is designed to diff --git a/SOURCES/scap-security-guide-0.1.50-fix_ipv6_disable_rule_PR_5547.patch b/SOURCES/scap-security-guide-0.1.50-fix_ipv6_disable_rule_PR_5547.patch deleted file mode 100644 index 4be74b6..0000000 --- a/SOURCES/scap-security-guide-0.1.50-fix_ipv6_disable_rule_PR_5547.patch +++ /dev/null @@ -1,488 +0,0 @@ -From c91d25e9398028bd9b0032a776456bf5ff6fdeed Mon Sep 17 00:00:00 2001 -From: Vojtech Polasek -Date: Tue, 31 Mar 2020 12:45:32 +0200 -Subject: [PATCH 1/5] modify templates - ---- - shared/templates/template_OVAL_grub2_bootloader_argument | 2 +- - ssg/templates.py | 3 +++ - 2 files changed, 4 insertions(+), 1 deletion(-) - -diff --git a/shared/templates/template_OVAL_grub2_bootloader_argument b/shared/templates/template_OVAL_grub2_bootloader_argument -index 77497d21bc..132e676cc5 100644 ---- a/shared/templates/template_OVAL_grub2_bootloader_argument -+++ b/shared/templates/template_OVAL_grub2_bootloader_argument -@@ -1,5 +1,5 @@ - -- -+ - - Ensure GRUB 2 is configured to run Linux operating system with argument {{{ ARG_NAME_VALUE }}} - {{{- oval_affected(products) }}} -diff --git a/ssg/templates.py b/ssg/templates.py -index e5ed4890b4..7e4264d0e2 100644 ---- a/ssg/templates.py -+++ b/ssg/templates.py -@@ -200,6 +200,9 @@ def file_permissions(data, lang): - - @template(["ansible", "bash", "oval"]) - def grub2_bootloader_argument(data, lang): -+ if lang == "oval": -+ # solve the case where argument contains dot -+ data["arg_name"].replace(".", "\\.") - data["arg_name_value"] = data["arg_name"] + "=" + data["arg_value"] - return data - - -From bd6ebf4ae6e579ef56c6420307e4c39fc5637258 Mon Sep 17 00:00:00 2001 -From: Vojtech Polasek -Date: Tue, 31 Mar 2020 12:46:56 +0200 -Subject: [PATCH 2/5] rename rule, add tests - ---- - .../rule.yml | 0 - .../arg_not_there_etcdefaultgrub.fail.sh | 7 ++++++ - ...e_etcdefaultgrub_recovery_disabled.fail.sh | 17 +++++++++++++ - .../tests/arg_not_there_rhel7.fail.sh | 8 +++++++ - .../tests/arg_not_there_rhel8.fail.sh | 8 +++++++ - .../tests/correct_grubby.pass.sh | 13 ++++++++++ - .../tests/correct_grubenv.pass.sh | 4 ++++ - .../tests/correct_recovery_disabled.pass.sh | 24 +++++++++++++++++++ - .../tests/correct_value.pass.sh | 12 ++++++++++ - .../tests/wrong_value_etcdefaultgrub.fail.sh | 11 +++++++++ - ...e_etcdefaultgrub_recovery_disabled.fail.sh | 22 +++++++++++++++++ - .../tests/wrong_value_rhel7.fail.sh | 13 ++++++++++ - .../tests/wrong_value_rhel8.fail.sh | 12 ++++++++++ - 13 files changed, 151 insertions(+) - rename linux_os/guide/system/network/network-ipv6/disabling_ipv6/{grub2_disable_ipv6 => grub2_ipv6_disable_argument}/rule.yml (100%) - create mode 100644 linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_ipv6_disable_argument/tests/arg_not_there_etcdefaultgrub.fail.sh - create mode 100644 linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_ipv6_disable_argument/tests/arg_not_there_etcdefaultgrub_recovery_disabled.fail.sh - create mode 100644 linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_ipv6_disable_argument/tests/arg_not_there_rhel7.fail.sh - create mode 100644 linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_ipv6_disable_argument/tests/arg_not_there_rhel8.fail.sh - create mode 100644 linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_ipv6_disable_argument/tests/correct_grubby.pass.sh - create mode 100644 linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_ipv6_disable_argument/tests/correct_grubenv.pass.sh - create mode 100644 linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_ipv6_disable_argument/tests/correct_recovery_disabled.pass.sh - create mode 100644 linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_ipv6_disable_argument/tests/correct_value.pass.sh - create mode 100644 linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_ipv6_disable_argument/tests/wrong_value_etcdefaultgrub.fail.sh - create mode 100644 linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_ipv6_disable_argument/tests/wrong_value_etcdefaultgrub_recovery_disabled.fail.sh - create mode 100644 linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_ipv6_disable_argument/tests/wrong_value_rhel7.fail.sh - create mode 100644 linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_ipv6_disable_argument/tests/wrong_value_rhel8.fail.sh - -diff --git a/linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_disable_ipv6/rule.yml b/linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_ipv6_disable_argument/rule.yml -similarity index 100% -rename from linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_disable_ipv6/rule.yml -rename to linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_ipv6_disable_argument/rule.yml -diff --git a/linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_ipv6_disable_argument/tests/arg_not_there_etcdefaultgrub.fail.sh b/linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_ipv6_disable_argument/tests/arg_not_there_etcdefaultgrub.fail.sh -new file mode 100644 -index 0000000000..33f6be147e ---- /dev/null -+++ b/linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_ipv6_disable_argument/tests/arg_not_there_etcdefaultgrub.fail.sh -@@ -0,0 +1,7 @@ -+#!/bin/bas -+# platform = Red Hat Enterprise Linux 7 -+ -+# Removes ipv6.disable argument from kernel command line in /etc/default/grub -+if grep -q '^GRUB_CMDLINE_LINUX=.*ipv6\.disable=.*"' '/etc/default/grub' ; then -+ sed -i 's/\(^GRUB_CMDLINE_LINUX=".*\)ipv6\.disable=[^[:space:]]*\(.*"\)/\1 \2/' '/etc/default/grub' -+fi -diff --git a/linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_ipv6_disable_argument/tests/arg_not_there_etcdefaultgrub_recovery_disabled.fail.sh b/linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_ipv6_disable_argument/tests/arg_not_there_etcdefaultgrub_recovery_disabled.fail.sh -new file mode 100644 -index 0000000000..6163f9fbaa ---- /dev/null -+++ b/linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_ipv6_disable_argument/tests/arg_not_there_etcdefaultgrub_recovery_disabled.fail.sh -@@ -0,0 +1,17 @@ -+#!/bin/bash -+# platform = Red Hat Enterprise Linux 7 -+# Removes ipv6.disable argument from kernel command line in /etc/default/grub -+if grep -q '^GRUB_CMDLINE_LINUX_DEFAULT=.*ipv6\.disable=.*"' '/etc/default/grub' ; then -+ sed -i 's/\(^GRUB_CMDLINE_LINUX_DEFAULT=".*\)ipv6\.disable=[^[:space:]]*\(.*"\)/\1 \2/' '/etc/default/grub' -+fi -+ -+# removing the parameter from the no recovery kernel parameters as well -+sed -i 's/\(^GRUB_CMDLINE_LINUX=".*\)ipv6\.disable=[^[:space:]]*\(.*"\)/\1 \2/' '/etc/default/grub' -+ -+# disabling recovery -+sed -i 's/\(^.*GRUB_DISABLE_RECOVERY=\).*/\1true/' '/etc/default/grub' -+ -+#if the line is not present at all, add it -+if ! grep -q '^GRUB_CMDLINE_LINUX_DEFAULT=.*$' '/etc/default/grub'; then -+ echo 'GRUB_CMDLINE_LINUX_DEFAULT=""' >> /etc/default/grub -+fi -diff --git a/linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_ipv6_disable_argument/tests/arg_not_there_rhel7.fail.sh b/linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_ipv6_disable_argument/tests/arg_not_there_rhel7.fail.sh -new file mode 100644 -index 0000000000..5becb561a6 ---- /dev/null -+++ b/linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_ipv6_disable_argument/tests/arg_not_there_rhel7.fail.sh -@@ -0,0 +1,8 @@ -+#!/bin/bash -+# platform = Red Hat Enterprise Linux 7 -+ -+# Removes ipv6.disable argument from kernel command line in /boot/grub2/grub.cfg -+file="/boot/grub2/grub.cfg" -+if grep -q '^.*ipv6\.disable=.*' "$file" ; then -+ sed -i 's/\(^.*\)ipv6\.disable=[^[:space:]]*\(.*\)/\1 \2/' "$file" -+fi -diff --git a/linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_ipv6_disable_argument/tests/arg_not_there_rhel8.fail.sh b/linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_ipv6_disable_argument/tests/arg_not_there_rhel8.fail.sh -new file mode 100644 -index 0000000000..5d8daaa6bc ---- /dev/null -+++ b/linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_ipv6_disable_argument/tests/arg_not_there_rhel8.fail.sh -@@ -0,0 +1,8 @@ -+#!/bin/bash -+# platform = Red Hat Enterprise Linux 8 -+ -+# Removes ipv6.disable argument from kernel command line in /boot/grub2/grubenv -+file="/boot/grub2/grubenv" -+if grep -q '^.*ipv6\.disable=.*' "$file" ; then -+ sed -i 's/\(^.*\)ipv6\.disable=[^[:space:]]*\(.*\)/\1 \2/' "$file" -+fi -diff --git a/linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_ipv6_disable_argument/tests/correct_grubby.pass.sh b/linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_ipv6_disable_argument/tests/correct_grubby.pass.sh -new file mode 100644 -index 0000000000..59b18bd049 ---- /dev/null -+++ b/linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_ipv6_disable_argument/tests/correct_grubby.pass.sh -@@ -0,0 +1,13 @@ -+#!/bin/bash -+# platform = Red Hat Enterprise Linux 7 -+ -+# Correct the form of default kernel command line in GRUB /etc/default/grub and applies value through Grubby -+if grep -q '^GRUB_CMDLINE_LINUX=.*ipv6\.disable=.*"' '/etc/default/grub' ; then -+ # modify the GRUB command-line if an ipv6.disable= arg already exists -+ sed -i 's/\(^GRUB_CMDLINE_LINUX=".*\)ipv6\.disable=[^[:space:]]*\(.*"\)/\1 ipv6\.disable=1 \2/' '/etc/default/grub' -+else -+ # no ipv6.disable=arg is present, append it -+ sed -i 's/\(^GRUB_CMDLINE_LINUX=".*\)"/\1 ipv6\.disable=1"/' '/etc/default/grub' -+fi -+ -+grubby --update-kernel=ALL --args="ipv6.disable=1" -diff --git a/linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_ipv6_disable_argument/tests/correct_grubenv.pass.sh b/linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_ipv6_disable_argument/tests/correct_grubenv.pass.sh -new file mode 100644 -index 0000000000..0e84a458ca ---- /dev/null -+++ b/linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_ipv6_disable_argument/tests/correct_grubenv.pass.sh -@@ -0,0 +1,4 @@ -+#!/bin/bash -+# platform = Red Hat Enterprise Linux 8 -+ -+grub2-editenv - set "$(grub2-editenv - list | grep kernelopts) ipv6.disable=1" -diff --git a/linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_ipv6_disable_argument/tests/correct_recovery_disabled.pass.sh b/linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_ipv6_disable_argument/tests/correct_recovery_disabled.pass.sh -new file mode 100644 -index 0000000000..e36f81903d ---- /dev/null -+++ b/linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_ipv6_disable_argument/tests/correct_recovery_disabled.pass.sh -@@ -0,0 +1,24 @@ -+#!/bin/bash -+# platform = Red Hat Enterprise Linux 7 -+ -+# Correct the form of default kernel command line in GRUB /etc/default/grub and applies value through Grubby -+if grep -q '^GRUB_CMDLINE_LINUX_DEFAULT=.*ipv6\.disable=.*"' '/etc/default/grub' ; then -+ # modify the GRUB command-line if an ipv6.disable= arg already exists -+ sed -i 's/\(^GRUB_CMDLINE_LINUX_DEFAULT=".*\)ipv6\.disable=[^[:space:]]*\(.*"\)/\1 ipv6\.disable=1 \2/' '/etc/default/grub' -+else -+ # no ipv6.disable=arg is present, append it -+ sed -i 's/\(^GRUB_CMDLINE_LINUX_DEFAULT=".*\)"/\1 ipv6\.disable=1"/' '/etc/default/grub' -+fi -+ -+# removing the parameter from the no recovery kernel parameters as well -+sed -i 's/\(^GRUB_CMDLINE_LINUX=".*\)ipv6\.disable=[^[:space:]]*\(.*"\)/\1 \2/' '/etc/default/grub' -+ -+# disabling recovery -+sed -i 's/\(^.*GRUB_DISABLE_RECOVERY=\).*/\1true/' '/etc/default/grub' -+ -+#if the line is not present at all, add it -+if ! grep -q '^GRUB_CMDLINE_LINUX_DEFAULT=.*$' '/etc/default/grub'; then -+ echo 'GRUB_CMDLINE_LINUX_DEFAULT="ipv6.disable=1"' >> /etc/default/grub -+fi -+ -+grubby --update-kernel=ALL --args="ipv6.disable=1" -diff --git a/linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_ipv6_disable_argument/tests/correct_value.pass.sh b/linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_ipv6_disable_argument/tests/correct_value.pass.sh -new file mode 100644 -index 0000000000..eb7c07ce7f ---- /dev/null -+++ b/linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_ipv6_disable_argument/tests/correct_value.pass.sh -@@ -0,0 +1,12 @@ -+#!/bin/bash -+ -+# Correct the form of default kernel command line in GRUB /etc/default/grub and applies value through Grubby -+if grep -q '^GRUB_CMDLINE_LINUX=.*ipv6\.disable=.*"' '/etc/default/grub' ; then -+ # modify the GRUB command-line if an ipv6.disable= arg already exists -+ sed -i 's/\(^GRUB_CMDLINE_LINUX=".*\)ipv6\.disable=[^[:space:]]*\(.*"\)/\1 ipv6\.disable=1 \2/' '/etc/default/grub' -+else -+ # no ipv6.disable=arg is present, append it -+ sed -i 's/\(^GRUB_CMDLINE_LINUX=".*\)"/\1 ipv6\.disable=1"/' '/etc/default/grub' -+fi -+ -+grubby --update-kernel=ALL --args="ipv6.disable=1" -diff --git a/linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_ipv6_disable_argument/tests/wrong_value_etcdefaultgrub.fail.sh b/linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_ipv6_disable_argument/tests/wrong_value_etcdefaultgrub.fail.sh -new file mode 100644 -index 0000000000..4e7492b588 ---- /dev/null -+++ b/linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_ipv6_disable_argument/tests/wrong_value_etcdefaultgrub.fail.sh -@@ -0,0 +1,11 @@ -+#!/bin/bash -+# platform = Red Hat Enterprise Linux 7 -+ -+# Break the ipv6.disable argument in kernel command line in /etc/default/grub -+if grep -q '^GRUB_CMDLINE_LINUX=.*ipv6\.disable=.*"' '/etc/default/grub' ; then -+ # modify the GRUB command-line if an ipv6.disable= arg already exists -+ sed -i 's/\(^GRUB_CMDLINE_LINUX=".*\)ipv6\.disable=[^[:space:]]*\(.*"\)/\1 ipv6\.disable=0 \2/' '/etc/default/grub' -+else -+ # no ipv6.disable=arg is present, append it -+ sed -i 's/\(^GRUB_CMDLINE_LINUX=".*\)"/\1 ipv6\.disable=0"/' '/etc/default/grub' -+fi -diff --git a/linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_ipv6_disable_argument/tests/wrong_value_etcdefaultgrub_recovery_disabled.fail.sh b/linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_ipv6_disable_argument/tests/wrong_value_etcdefaultgrub_recovery_disabled.fail.sh -new file mode 100644 -index 0000000000..85cc596ca8 ---- /dev/null -+++ b/linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_ipv6_disable_argument/tests/wrong_value_etcdefaultgrub_recovery_disabled.fail.sh -@@ -0,0 +1,22 @@ -+#!/bin/bash -+# platform = Red Hat Enterprise Linux 7 -+ -+# Break the ipv6.disable argument in kernel command line in /etc/default/grub -+if grep -q '^GRUB_CMDLINE_LINUX_DEFAULT=.*ipv6\.disable=.*"' '/etc/default/grub' ; then -+ # modify the GRUB command-line if an ipv6.disable= arg already exists -+ sed -i 's/\(^GRUB_CMDLINE_LINUX_DEFAULT=".*\)ipv6\.disable=[^[:space:]]*\(.*"\)/\1 ipv6\.disable=0 \2/' '/etc/default/grub' -+else -+ # no ipv6\.disable=arg is present, append it -+ sed -i 's/\(^GRUB_CMDLINE_LINUX_DEFAULT=".*\)"/\1 ipv6\.disable=0"/' '/etc/default/grub' -+fi -+ -+# removing the parameter from the no recovery kernel parameters as well -+sed -i 's/\(^GRUB_CMDLINE_LINUX=".*\)ipv6\.disable=[^[:space:]]*\(.*"\)/\1 \2/' '/etc/default/grub' -+ -+# disabling recovery -+sed -i 's/\(^.*GRUB_DISABLE_RECOVERY=\).*/\1true/' '/etc/default/grub' -+ -+#if the line is not present at all, add it -+if ! grep -q '^GRUB_CMDLINE_LINUX_DEFAULT=.*$' '/etc/default/grub'; then -+ echo 'GRUB_CMDLINE_LINUX_DEFAULT="ipv6.disable=0"' >> /etc/default/grub -+fi -diff --git a/linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_ipv6_disable_argument/tests/wrong_value_rhel7.fail.sh b/linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_ipv6_disable_argument/tests/wrong_value_rhel7.fail.sh -new file mode 100644 -index 0000000000..a37b45c4ad ---- /dev/null -+++ b/linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_ipv6_disable_argument/tests/wrong_value_rhel7.fail.sh -@@ -0,0 +1,13 @@ -+#!/bin/bash -+# platform = Red Hat Enterprise Linux 7 -+ -+# Break the ipv6.disable argument in kernel command line in /boot/grub2/grub.cfg -+file="/boot/grub2/grub.cfg" -+if grep -q '^.*ipv6\.disable=.*' "$file" ; then -+ # modify the GRUB command-line if an ipv6.disable= arg already exists -+ sed -i 's/\(^.*\)ipv6\.disable=[^[:space:]]*\(.*\)/\1 ipv6\.disable=0 \2/' "$file" -+else -+ # no ipv6.disable=arg is present, append it -+ sed -i 's/\(^.*\(vmlinuz\|kernelopts\).*\)/\1 ipv6\.disable=0/' "$file" -+fi -+ -diff --git a/linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_ipv6_disable_argument/tests/wrong_value_rhel8.fail.sh b/linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_ipv6_disable_argument/tests/wrong_value_rhel8.fail.sh -new file mode 100644 -index 0000000000..db339c3534 ---- /dev/null -+++ b/linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_ipv6_disable_argument/tests/wrong_value_rhel8.fail.sh -@@ -0,0 +1,12 @@ -+#!/bin/bash -+# platform = Red Hat Enterprise Linux 8 -+ -+# Break the ipv6.disable argument in kernel command line in /boot/grub2/grubenv -+file="/boot/grub2/grubenv" -+if grep -q '^.*ipv6\.disable=.*' "$file" ; then -+ # modify the GRUB command-line if an ipv6.disable= arg already exists -+ sed -i 's/\(^.*\)ipv6\.disable=[^[:space:]]*\(.*\)/\1 ipv6\.disable=0 \2/' "$file" -+else -+ # no ipv6.disable=arg is present, append it -+ sed -i 's/\(^.*\(vmlinuz\|kernelopts\).*\)/\1 ipv6\.disable=0/' "$file" -+fi - -From b55cda3227d9fdcc1eac91e3e4cd22aaf03e80c5 Mon Sep 17 00:00:00 2001 -From: Vojtech Polasek -Date: Tue, 31 Mar 2020 12:47:20 +0200 -Subject: [PATCH 3/5] adjust cis profiles - ---- - rhel7/profiles/cis.profile | 2 +- - 2 files changed, 2 insertions(+), 2 deletions(-) - -diff --git a/rhel7/profiles/cis.profile b/rhel7/profiles/cis.profile -index 76506c9369..739ed27200 100644 ---- a/rhel7/profiles/cis.profile -+++ b/rhel7/profiles/cis.profile -@@ -351,7 +351,7 @@ selections: - - sysctl_net_ipv6_conf_default_accept_redirects - - ### 3.3.3 Ensure IPv6 is disabled (Not Scored) -- - grub2_disable_ipv6 -+ - grub2_ipv6_disable_argument - - ## 3.4 TCP Wrappers - ### 3.4.1 Ensure TCP Wrappers is installed (Scored) - -From 7421ab585ec1e0314298a2dbb6b0b181daf53bce Mon Sep 17 00:00:00 2001 -From: Vojtech Polasek -Date: Tue, 31 Mar 2020 16:04:27 +0200 -Subject: [PATCH 4/5] add escaped dot only in arg_name_value - ---- - ssg/templates.py | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/ssg/templates.py b/ssg/templates.py -index 7e4264d0e2..ba6d8dc7fe 100644 ---- a/ssg/templates.py -+++ b/ssg/templates.py -@@ -200,10 +200,10 @@ def file_permissions(data, lang): - - @template(["ansible", "bash", "oval"]) - def grub2_bootloader_argument(data, lang): -+ data["arg_name_value"] = data["arg_name"] + "=" + data["arg_value"] - if lang == "oval": - # solve the case where argument contains dot -- data["arg_name"].replace(".", "\\.") -- data["arg_name_value"] = data["arg_name"] + "=" + data["arg_value"] -+ data["arg_name_value"] = data["arg_name_value"].replace(".", "\\.") - return data - - - -From 3e41fffc62e50e771a2f410d43bd600c8e5849ee Mon Sep 17 00:00:00 2001 -From: Vojtech Polasek -Date: Wed, 1 Apr 2020 11:58:11 +0200 -Subject: [PATCH 5/5] make oval ids use _ instead of . - ---- - .../template_OVAL_grub2_bootloader_argument | 44 +++++++++---------- - ssg/templates.py | 6 ++- - 2 files changed, 26 insertions(+), 24 deletions(-) - -diff --git a/shared/templates/template_OVAL_grub2_bootloader_argument b/shared/templates/template_OVAL_grub2_bootloader_argument -index 132e676cc5..a18f85f5e8 100644 ---- a/shared/templates/template_OVAL_grub2_bootloader_argument -+++ b/shared/templates/template_OVAL_grub2_bootloader_argument -@@ -7,61 +7,61 @@ - - - {{% if product in ["rhel7", "ol7", "rhv4"] %}} -- - -- - -- - - - - {{% else %}} -- - {{% endif %}} - - - - {{% if product in ["rhel7", "ol7", "rhv4"] %}} -- -- -- -+ -+ - - -- -+ - /etc/default/grub - ^\s*GRUB_CMDLINE_LINUX="(.*)"$ - 1 - - -- -- -- -+ -+ - - -- - /etc/default/grub - ^\s*GRUB_CMDLINE_LINUX_DEFAULT="(.*)"$ - 1 - - -- -- -- -+ -+ - - -- - /boot/grub2/grub.cfg - {{% if product == "rhel7" %}} -@@ -74,14 +74,14 @@ - - {{% else %}} - -- -- -- -+ -+ - - -- - /boot/grub2/grubenv - ^kernelopts=(.*)$ -@@ -90,9 +90,9 @@ - - {{% endif %}} - -- -- ^.*{{{ ARG_NAME_VALUE }}}.*$ -+ ^.*{{{ ESCAPED_ARG_NAME_VALUE }}}.*$ - - - -diff --git a/ssg/templates.py b/ssg/templates.py -index ba6d8dc7fe..3f12968b66 100644 ---- a/ssg/templates.py -+++ b/ssg/templates.py -@@ -202,8 +202,10 @@ def file_permissions(data, lang): - def grub2_bootloader_argument(data, lang): - data["arg_name_value"] = data["arg_name"] + "=" + data["arg_value"] - if lang == "oval": -- # solve the case where argument contains dot -- data["arg_name_value"] = data["arg_name_value"].replace(".", "\\.") -+ # escape dot, this is used in oval regex -+ data["escaped_arg_name_value"] = data["arg_name_value"].replace(".", "\\.") -+ # replace . with _, this is used in test / object / state ids -+ data["sanitized_arg_name"] = data["arg_name"].replace(".", "_") - return data - - diff --git a/SOURCES/scap-security-guide-0.1.50-fix_permissions_backup_etc_passwd_PR_5619.patch b/SOURCES/scap-security-guide-0.1.50-fix_permissions_backup_etc_passwd_PR_5619.patch deleted file mode 100644 index cf42393..0000000 --- a/SOURCES/scap-security-guide-0.1.50-fix_permissions_backup_etc_passwd_PR_5619.patch +++ /dev/null @@ -1,84 +0,0 @@ -From b5b96f3f1c20ba75e6af9bdcf2729a6513db8e48 Mon Sep 17 00:00:00 2001 -From: Gabriel Becker -Date: Thu, 16 Apr 2020 15:01:16 +0200 -Subject: [PATCH] Change permissions to 644 for passwd- file from rule - file_permissions_backup_etc_passwd. - ---- - .../file_permissions_backup_etc_passwd/rule.yml | 8 ++++---- - .../tests/adduser.pass.sh | 10 ++++++++++ - .../tests/correct_value.pass.sh | 4 ++++ - .../tests/wrong_value.fail.sh | 5 +++++ - 5 files changed, 24 insertions(+), 5 deletions(-) - create mode 100644 linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_passwd/tests/adduser.pass.sh - create mode 100644 linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_passwd/tests/correct_value.pass.sh - create mode 100644 linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_passwd/tests/wrong_value.fail.sh - -diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_passwd/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_passwd/rule.yml -index cd1dded6f7..c5106b0cda 100644 ---- a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_passwd/rule.yml -+++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_passwd/rule.yml -@@ -3,7 +3,7 @@ documentation_complete: true - title: 'Verify Permissions on Backup passwd File' - - description: |- -- {{{ describe_file_permissions(file="/etc/passwd-", perms="0600") }}} -+ {{{ describe_file_permissions(file="/etc/passwd-", perms="0644") }}} - - rationale: |- - The /etc/passwd- file is a backup file of /etc/passwd, and as such, -@@ -21,14 +21,14 @@ references: - cis@rhel7: 6.1.6 - cis@rhel8: 6.1.6 - --ocil_clause: '{{{ ocil_clause_file_permissions(file="/etc/passwd-", perms="-rw-------") }}}' -+ocil_clause: '{{{ ocil_clause_file_permissions(file="/etc/passwd-", perms="-rw-r--r--") }}}' - - ocil: |- -- {{{ ocil_file_permissions(file="/etc/passwd-", perms="-rw-------") }}} -+ {{{ ocil_file_permissions(file="/etc/passwd-", perms="-rw-r--r--") }}} - - template: - name: file_permissions - vars: - filepath: /etc/passwd- -- filemode: '0600' -+ filemode: '0644' - missing_file_pass: 'true' -diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_passwd/tests/adduser.pass.sh b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_passwd/tests/adduser.pass.sh -new file mode 100644 -index 0000000000..e053a5a87b ---- /dev/null -+++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_passwd/tests/adduser.pass.sh -@@ -0,0 +1,10 @@ -+#!/bin/bash -+USER=ssgttuser -+ -+# set wrong permissions -+chmod 600 /etc/passwd- -+ -+# useradd will copy the backup file with permissions from the -+# actual /etc/passwd file containing correct permissions -+useradd ${USER} -+ -diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_passwd/tests/correct_value.pass.sh b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_passwd/tests/correct_value.pass.sh -new file mode 100644 -index 0000000000..223ece7df2 ---- /dev/null -+++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_passwd/tests/correct_value.pass.sh -@@ -0,0 +1,4 @@ -+#!/bin/bash -+ -+chmod 644 /etc/passwd- -+ -diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_passwd/tests/wrong_value.fail.sh b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_passwd/tests/wrong_value.fail.sh -new file mode 100644 -index 0000000000..d0030f9b5e ---- /dev/null -+++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_passwd/tests/wrong_value.fail.sh -@@ -0,0 +1,5 @@ -+#!/bin/bash -+ -+# the expected is 644 -+chmod 660 /etc/passwd- -+ diff --git a/SOURCES/scap-security-guide-0.1.50-fix_rule_rsyslog_nolisten_regex_PR_5557.patch b/SOURCES/scap-security-guide-0.1.50-fix_rule_rsyslog_nolisten_regex_PR_5557.patch deleted file mode 100644 index 2c06323..0000000 --- a/SOURCES/scap-security-guide-0.1.50-fix_rule_rsyslog_nolisten_regex_PR_5557.patch +++ /dev/null @@ -1,30 +0,0 @@ -From 0a22bbbaeabd9c13254ef251479e9d74143620e6 Mon Sep 17 00:00:00 2001 -From: Ilya Okomin -Date: Mon, 23 Mar 2020 20:07:47 -0400 -Subject: [PATCH] Fix rsyslog_nolisten regex to match rule description - -Signed-off-by: Ilya Okomin ---- - .../rsyslog_nolisten/oval/shared.xml | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/linux_os/guide/system/logging/rsyslog_accepting_remote_messages/rsyslog_nolisten/oval/shared.xml b/linux_os/guide/system/logging/rsyslog_accepting_remote_messages/rsyslog_nolisten/oval/shared.xml -index e38dee5bbc..b56281e283 100644 ---- a/linux_os/guide/system/logging/rsyslog_accepting_remote_messages/rsyslog_nolisten/oval/shared.xml -+++ b/linux_os/guide/system/logging/rsyslog_accepting_remote_messages/rsyslog_nolisten/oval/shared.xml -@@ -16,13 +16,13 @@ - - - - - - - /etc/rsyslog.conf -- ^[\s]*\$(?:Input(?:TCP|RELP)|UDP)ServerRun -+ ^[\s]*\$((?:Input(?:TCP|RELP)|UDP)ServerRun|ModLoad[\s]+(imtcp|imudp|imrelp)) - 1 - - diff --git a/SOURCES/scap-security-guide-0.1.50-fix_service_chronyd_enabled_PR_5325.patch b/SOURCES/scap-security-guide-0.1.50-fix_service_chronyd_enabled_PR_5325.patch deleted file mode 100644 index dcdcb38..0000000 --- a/SOURCES/scap-security-guide-0.1.50-fix_service_chronyd_enabled_PR_5325.patch +++ /dev/null @@ -1,19 +0,0 @@ -From e5592bf29987e0989a5a4400669cfff3e1d7b6da Mon Sep 17 00:00:00 2001 -From: Klaas Demter -Date: Fri, 20 Mar 2020 16:16:40 +0100 -Subject: [PATCH] Fix service check service_chronyd_enabled to use proper rhel - package name - ---- - linux_os/guide/services/ntp/service_chronyd_enabled/rule.yml | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/linux_os/guide/services/ntp/service_chronyd_enabled/rule.yml b/linux_os/guide/services/ntp/service_chronyd_enabled/rule.yml -index 829d662afe..7b3a0a2a13 100644 ---- a/linux_os/guide/services/ntp/service_chronyd_enabled/rule.yml -+++ b/linux_os/guide/services/ntp/service_chronyd_enabled/rule.yml -@@ -34,3 +34,4 @@ template: - name: service_enabled - vars: - servicename: chronyd -+ packagename: chrony diff --git a/SOURCES/scap-security-guide-0.1.50-fix_sysctl_rules_description.patch b/SOURCES/scap-security-guide-0.1.50-fix_sysctl_rules_description.patch deleted file mode 100644 index 42f9811..0000000 --- a/SOURCES/scap-security-guide-0.1.50-fix_sysctl_rules_description.patch +++ /dev/null @@ -1,102 +0,0 @@ -From 99ad87babd43c95dc2787ba7e0301b3d2b650ab9 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= -Date: Tue, 10 Mar 2020 13:44:23 +0100 -Subject: [PATCH 1/3] Fix description of sysctl rules. - -As there is no way how to make the project aware of sysctl parameter defaults -in Linux upstream kernel or in specific Linux distributions, -the parameter has to be explicitly specified in a config file. ---- - shared/macros.jinja | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/shared/macros.jinja b/shared/macros.jinja -index 8a25acc937..ce27536dc2 100644 ---- a/shared/macros.jinja -+++ b/shared/macros.jinja -@@ -602,8 +602,8 @@ ocil_clause: "the correct value is not returned" - run the following command: -
$ sudo sysctl -w {{{ sysctl }}}={{{ value }}}
- -- If this is not the system default value, add the following line to a file in the -- directory /etc/sysctl.d: -+ To make sure that the setting is persistent, -+ add the following line to a file in the directory /etc/sysctl.d: -
{{{ sysctl }}} = {{{ value }}}
- {{%- endmacro %}} - - -From 5bffa9dc3d62f67364abb034b7da877935156764 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= -Date: Wed, 11 Mar 2020 16:14:13 +0100 -Subject: [PATCH 2/3] Improved the OCIL entry for sysctl rules. - ---- - shared/macros.jinja | 19 +++++++++++-------- - 1 file changed, 11 insertions(+), 8 deletions(-) - -diff --git a/shared/macros.jinja b/shared/macros.jinja -index ce27536dc2..f81dbc7de6 100644 ---- a/shared/macros.jinja -+++ b/shared/macros.jinja -@@ -577,15 +577,18 @@ ocil_clause: "{{{ sebool }}} is not enabled" - - - {{% macro ocil_sysctl_option_value(sysctl, value) -%}} -- The status of the {{{ sysctl }}} kernel parameter can be queried -- by running the following command: --
$ sysctl {{{ sysctl }}}
-- The output of the command should indicate a value of {{{ value }}}. -- If this value is not the default value, investigate how it could have been -- adjusted at runtime, and verify it is not set improperly. This has to be checked -- in all files in the /etc/sysctl.d directory and the deprecated -- /etc/sysctl.conf. You can verify this by running the following command: -+ The persistent kernel parameter configuration is performed by specifying the appropriate -+ assignment in any file located in the
/etc/sysctl.d
directory. -+ Verify that there is not any existing incorrect configuration by executing the following command: -+
$ grep -r '^\s*{{{ sysctl }}}\s*=' /etc/sysctl.conf /etc/sysctl.d
-+ If any other assignments that -+
{{{ sysctl }}} = {{{ value }}}
-+ are found, or the correct assignment is duplicated, remove those offending lines from respective files, -+ and make sure that exactly one file in -+ /etc/sysctl.d contains {{{ sysctl }}} = {{{ value }}}, and that one assignment -+ is returned when -
$ grep -r {{{ sysctl }}} /etc/sysctl.conf /etc/sysctl.d
-+ is executed. - {{%- endmacro %}} - - - -From 5b5edc64773be690e4046dc88de9407d7c470702 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= -Date: Thu, 12 Mar 2020 15:27:26 +0100 -Subject: [PATCH 3/3] Improved the text based on the reviewer feedback. - ---- - shared/macros.jinja | 9 ++++++++- - 1 file changed, 8 insertions(+), 1 deletion(-) - -diff --git a/shared/macros.jinja b/shared/macros.jinja -index f81dbc7de6..edbaeeb56c 100644 ---- a/shared/macros.jinja -+++ b/shared/macros.jinja -@@ -577,11 +577,18 @@ ocil_clause: "{{{ sebool }}} is not enabled" - - - {{% macro ocil_sysctl_option_value(sysctl, value) -%}} -+ The runtime status of the {{{ sysctl }}} kernel parameter can be queried -+ by running the following command: -+
$ sysctl {{{ sysctl }}}
-+ The output of the command should indicate a value of {{{ value }}}. -+ The preferable way how to assure the runtime compliance is to have -+ correct persistent configuration, and rebooting the system. -+ - The persistent kernel parameter configuration is performed by specifying the appropriate - assignment in any file located in the
/etc/sysctl.d
directory. - Verify that there is not any existing incorrect configuration by executing the following command: -
$ grep -r '^\s*{{{ sysctl }}}\s*=' /etc/sysctl.conf /etc/sysctl.d
-- If any other assignments that -+ If any assignments other than -
{{{ sysctl }}} = {{{ value }}}
- are found, or the correct assignment is duplicated, remove those offending lines from respective files, - and make sure that exactly one file in diff --git a/SOURCES/scap-security-guide-0.1.50-fix_test_suite_on_python3_PR_5711.patch b/SOURCES/scap-security-guide-0.1.50-fix_test_suite_on_python3_PR_5711.patch deleted file mode 100644 index 1c8c0a5..0000000 --- a/SOURCES/scap-security-guide-0.1.50-fix_test_suite_on_python3_PR_5711.patch +++ /dev/null @@ -1,36 +0,0 @@ -From 9b2801d9ea538ba0e5c611b597e454801cb52c15 Mon Sep 17 00:00:00 2001 -From: Gabriel Becker -Date: Mon, 27 Apr 2020 18:37:45 +0200 -Subject: [PATCH] Fix SSGTS when running with python3 and writing binary data - to file. - ---- - tests/ssg_test_suite/oscap.py | 8 ++++---- - 1 file changed, 4 insertions(+), 4 deletions(-) - -diff --git a/tests/ssg_test_suite/oscap.py b/tests/ssg_test_suite/oscap.py -index 2858963373..2cbb18bc13 100644 ---- a/tests/ssg_test_suite/oscap.py -+++ b/tests/ssg_test_suite/oscap.py -@@ -168,8 +168,8 @@ def run_stage_remediation_ansible(run_type, formatting, verbose_path): - command_string = ' '.join(command) - returncode, output = common.run_cmd_local(command, verbose_path) - # Appends output of ansible-playbook to the verbose_path file. -- with open(verbose_path, 'a') as f: -- f.write('Stdout of "{}":'.format(command_string)) -+ with open(verbose_path, 'ab') as f: -+ f.write('Stdout of "{}":'.format(command_string).encode("utf-8")) - f.write(output.encode("utf-8")) - if returncode != 0: - msg = ( -@@ -197,8 +197,8 @@ def run_stage_remediation_bash(run_type, formatting, verbose_path): - returncode, output = common.run_cmd_remote( - command_string, formatting['domain_ip'], verbose_path) - # Appends output of script execution to the verbose_path file. -- with open(verbose_path, 'a') as f: -- f.write('Stdout of "{}":'.format(command_string)) -+ with open(verbose_path, 'ab') as f: -+ f.write('Stdout of "{}":'.format(command_string).encode("utf-8")) - f.write(output.encode("utf-8")) - if returncode != 0: - msg = ( diff --git a/SOURCES/scap-security-guide-0.1.50-fix_typo_in_cce_assignment_PR_5340.patch b/SOURCES/scap-security-guide-0.1.50-fix_typo_in_cce_assignment_PR_5340.patch deleted file mode 100644 index 709d211..0000000 --- a/SOURCES/scap-security-guide-0.1.50-fix_typo_in_cce_assignment_PR_5340.patch +++ /dev/null @@ -1,22 +0,0 @@ -From 0d95fdad5f8ac29d6f0866e531d0a545dca81879 Mon Sep 17 00:00:00 2001 -From: Watson Sato -Date: Tue, 24 Mar 2020 17:44:33 +0100 -Subject: [PATCH] Fix typo in CCE assignment - ---- - .../inetd_and_xinetd/file_owner_etc_hosts_allow/rule.yml | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/linux_os/guide/services/obsolete/inetd_and_xinetd/file_owner_etc_hosts_allow/rule.yml b/linux_os/guide/services/obsolete/inetd_and_xinetd/file_owner_etc_hosts_allow/rule.yml -index b34be48968..41ce29300a 100644 ---- a/linux_os/guide/services/obsolete/inetd_and_xinetd/file_owner_etc_hosts_allow/rule.yml -+++ b/linux_os/guide/services/obsolete/inetd_and_xinetd/file_owner_etc_hosts_allow/rule.yml -@@ -16,7 +16,7 @@ severity: medium - - identifiers: - cce@rhel6: 83825-0 -- cce@rhel7: 83826-0 -+ cce@rhel7: 83826-8 - - references: - cis@rhel7: 3.4.4 diff --git a/SOURCES/scap-security-guide-0.1.50-fix_typo_in_ocil_clause_PR_5342.patch b/SOURCES/scap-security-guide-0.1.50-fix_typo_in_ocil_clause_PR_5342.patch deleted file mode 100644 index 9ec7bbe..0000000 --- a/SOURCES/scap-security-guide-0.1.50-fix_typo_in_ocil_clause_PR_5342.patch +++ /dev/null @@ -1,22 +0,0 @@ -From 27157ac9cd4d37af08d3022c389d090bf21e81a8 Mon Sep 17 00:00:00 2001 -From: Watson Sato -Date: Tue, 24 Mar 2020 19:22:48 +0100 -Subject: [PATCH] Fix typo in ocil clause - ---- - .../file_permissions_backup_etc_gshadow/rule.yml | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_gshadow/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_gshadow/rule.yml -index 6e6857027f..e9e3b8abea 100644 ---- a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_gshadow/rule.yml -+++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_gshadow/rule.yml -@@ -29,7 +29,7 @@ references: - - ocil_clause: '{{{ ocil_clause_file_permissions(file="/etc/gshadow-", perms=target_perms) }}}' - --ocil: - -+ocil: |- - {{{ ocil_file_permissions(file="/etc/gshadow-", perms=target_perms) }}} - - template: diff --git a/SOURCES/scap-security-guide-0.1.50-parametrize_sshd_approved_ciphers.patch b/SOURCES/scap-security-guide-0.1.50-parametrize_sshd_approved_ciphers.patch deleted file mode 100644 index f706894..0000000 --- a/SOURCES/scap-security-guide-0.1.50-parametrize_sshd_approved_ciphers.patch +++ /dev/null @@ -1,315 +0,0 @@ -From 67f0ba457c2dafd9077d80bd17d10857fe31a55d Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= -Date: Wed, 18 Mar 2020 16:44:49 +0100 -Subject: [PATCH 1/2] Parametrized the sshd_use_approved_ciphers rule. - ---- - .../ansible/shared.yml | 4 ++- - .../sshd_use_approved_ciphers/bash/shared.sh | 4 ++- - .../sshd_use_approved_ciphers/oval/shared.xml | 33 ++++++++++++++++--- - .../sshd_use_approved_ciphers/rule.yml | 3 +- - .../tests/stig_comment.fail.sh | 9 +++++ - .../tests/stig_correct_reduced_list.pass.sh | 9 +++++ - .../tests/stig_correct_scrambled.pass.sh | 9 +++++ - .../tests/stig_correct_value_full.pass.sh | 9 +++++ - .../tests/stig_line_not_there.fail.sh | 5 +++ - .../tests/stig_wrong_value.fail.sh | 9 +++++ - .../tests/wrong_value.fail.sh | 2 +- - .../sshd_use_approved_macs/rule.yml | 1 + - .../services/ssh/sshd_approved_ciphers.var | 16 +++++++++ - rhel7/profiles/stig.profile | 1 + - shared/macros.jinja | 5 +++ - 15 files changed, 111 insertions(+), 8 deletions(-) - create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/tests/stig_comment.fail.sh - create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/tests/stig_correct_reduced_list.pass.sh - create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/tests/stig_correct_scrambled.pass.sh - create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/tests/stig_correct_value_full.pass.sh - create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/tests/stig_line_not_there.fail.sh - create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/tests/stig_wrong_value.fail.sh - create mode 100644 linux_os/guide/services/ssh/sshd_approved_ciphers.var - -diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/ansible/shared.yml b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/ansible/shared.yml -index ea05a8f896..ef331a843e 100644 ---- a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/ansible/shared.yml -+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/ansible/shared.yml -@@ -3,4 +3,6 @@ - # strategy = restrict - # complexity = low - # disruption = low --{{{ ansible_sshd_set(parameter="Ciphers", value="aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc") }}} -+- (xccdf-var sshd_approved_ciphers) -+ -+{{{ ansible_sshd_set(parameter="Ciphers", value="{{ sshd_approved_ciphers }}") }}} -diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/bash/shared.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/bash/shared.sh -index 2475923e6e..a294138272 100644 ---- a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/bash/shared.sh -+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/bash/shared.sh -@@ -3,4 +3,6 @@ - # Include source function library. - . /usr/share/scap-security-guide/remediation_functions - --replace_or_append '/etc/ssh/sshd_config' '^Ciphers' 'aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc' '@CCENUM@' '%s %s' -+populate sshd_approved_ciphers -+ -+replace_or_append '/etc/ssh/sshd_config' '^Ciphers' "$sshd_approved_ciphers" '@CCENUM@' '%s %s' -diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/oval/shared.xml b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/oval/shared.xml -index 84c3c8aa48..19b63d404f 100644 ---- a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/oval/shared.xml -+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/oval/shared.xml -@@ -32,14 +32,39 @@ - - - -- - -- -- -+ -+ -+ -+ -+ var_sshd_config_ciphers -+ -+ -+ -+ -+ -+ -+ - /etc/ssh/sshd_config -- ^[\s]*(?i)Ciphers(?-i)[\s]+((aes128-ctr|aes192-ctr|aes256-ctr|aes128-cbc|aes192-cbc|aes256-cbc|3des-cbc|rijndael-cbc@lysator\.liu\.se),?)+[\s]*(?:|(?:#.*))?$ -+ ^[\s]*(?i)Ciphers(?-i)[\s]+([\w,-@]+)+[\s]*(?:#.*)?$ - 1 - -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ - -diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/rule.yml -index f85b9016f9..e043b12c93 100644 ---- a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/rule.yml -+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/rule.yml -@@ -13,7 +13,7 @@ description: |- - The man page sshd_config(5) contains a list of supported ciphers. - {{% if product in ["rhel7","ol7"] %}} -

-- The following ciphers are FIPS 140-2 certified on {{{ full_name }}}: -+ Only the following ciphers are FIPS 140-2 certified on {{{ full_name }}}: -
- aes128-ctr -
- aes192-ctr -
- aes256-ctr -@@ -31,6 +31,7 @@ description: |- - {{{ weblink(link="http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140sp/140sp2630.pdf") }}} - {{% endif %}} - {{% endif %}} -+ The rule is parametrized to use the following ciphers: {{{ sub_var_value("sshd_approved_ciphers") }}}. - - rationale: |- - Unapproved mechanisms that are used for authentication to the cryptographic module are not verified and therefore -diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/tests/stig_comment.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/tests/stig_comment.fail.sh -new file mode 100644 -index 0000000000..1be6371045 ---- /dev/null -+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/tests/stig_comment.fail.sh -@@ -0,0 +1,9 @@ -+#!/bin/bash -+ -+# profiles = xccdf_org.ssgproject.content_profile_stig -+ -+if grep -q "^Ciphers" /etc/ssh/sshd_config; then -+ sed -i "s/^Ciphers.*/# Ciphers aes128-ctr,aes192-ctr,aes256-ctr/" /etc/ssh/sshd_config -+else -+ echo "# Ciphers aes128-ctr,aes192-ctr,aes256-ctr" >> /etc/ssh/sshd_config -+fi -diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/tests/stig_correct_reduced_list.pass.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/tests/stig_correct_reduced_list.pass.sh -new file mode 100644 -index 0000000000..5393d96617 ---- /dev/null -+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/tests/stig_correct_reduced_list.pass.sh -@@ -0,0 +1,9 @@ -+#!/bin/bash -+ -+# profiles = xccdf_org.ssgproject.content_profile_stig -+ -+if grep -q "^Ciphers" /etc/ssh/sshd_config; then -+ sed -i "s/^Ciphers.*/Ciphers aes128-ctr,aes192-ctr/" /etc/ssh/sshd_config -+else -+ echo "Ciphers aes128-ctr,aes192-ctr" >> /etc/ssh/sshd_config -+fi -diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/tests/stig_correct_scrambled.pass.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/tests/stig_correct_scrambled.pass.sh -new file mode 100644 -index 0000000000..cd1fbde03b ---- /dev/null -+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/tests/stig_correct_scrambled.pass.sh -@@ -0,0 +1,9 @@ -+#!/bin/bash -+ -+# profiles = xccdf_org.ssgproject.content_profile_stig -+ -+if grep -q "^Ciphers" /etc/ssh/sshd_config; then -+ sed -i "s/^Ciphers.*/Ciphers aes192-ctr,aes128-ctr,aes256-ctr/" /etc/ssh/sshd_config -+else -+ echo "Ciphers aes192-ctr,aes128-ctr,aes256-ctr" >> /etc/ssh/sshd_config -+fi -diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/tests/stig_correct_value_full.pass.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/tests/stig_correct_value_full.pass.sh -new file mode 100644 -index 0000000000..ad6d9f887c ---- /dev/null -+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/tests/stig_correct_value_full.pass.sh -@@ -0,0 +1,9 @@ -+#!/bin/bash -+ -+# profiles = xccdf_org.ssgproject.content_profile_stig -+ -+if grep -q "^Ciphers" /etc/ssh/sshd_config; then -+ sed -i "s/^Ciphers.*/Ciphers aes128-ctr,aes192-ctr,aes256-ctr/" /etc/ssh/sshd_config -+else -+ echo 'Ciphers aes128-ctr,aes192-ctr,aes256-ctr' >> /etc/ssh/sshd_config -+fi -diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/tests/stig_line_not_there.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/tests/stig_line_not_there.fail.sh -new file mode 100644 -index 0000000000..f73d82e221 ---- /dev/null -+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/tests/stig_line_not_there.fail.sh -@@ -0,0 +1,5 @@ -+#!/bin/bash -+ -+# profiles = xccdf_org.ssgproject.content_profile_stig -+ -+sed -i "/^Ciphers.*/d" /etc/ssh/sshd_config -diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/tests/stig_wrong_value.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/tests/stig_wrong_value.fail.sh -new file mode 100644 -index 0000000000..46b437944f ---- /dev/null -+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/tests/stig_wrong_value.fail.sh -@@ -0,0 +1,9 @@ -+#!/bin/bash -+ -+# profiles = xccdf_org.ssgproject.content_profile_stig -+ -+if grep -q "^Ciphers" /etc/ssh/sshd_config; then -+ sed -i "s/^Ciphers.*/# Ciphers aes128-ctr,aes192-ctr,aes128-cbc,aes192-cbc,aes256-cbc,3des-cbc/" /etc/ssh/sshd_config -+else -+ echo "Ciphers aes128-ctr,aes192-ctr,aes128-cbc,aes192-cbc,aes256-cbc,3des-cbc" >> /etc/ssh/sshd_config -+fi -diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/tests/wrong_value.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/tests/wrong_value.fail.sh -index 550c55968b..ffd8eda6e8 100644 ---- a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/tests/wrong_value.fail.sh -+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/tests/wrong_value.fail.sh -@@ -5,5 +5,5 @@ - if grep -q "^Ciphers" /etc/ssh/sshd_config; then - sed -i "s/^Ciphers.*/# Ciphers aes128-ctr,aes192-ctr,weak-cipher,aes128-cbc,aes192-cbc,aes256-cbc,3des-cbc,rijndael-cbc@lysator\.liu\.se/" /etc/ssh/sshd_config - else -- echo "Ciphers aes128-ctr,aes192-ctr,weak-cipher,aes128-cbc,aes192-cbc,aes256-cbc,3des-cbc,rijndael-cbc@lysator\.liu\.se" >> /etc/ssh/sshd_config -+ echo "# Ciphers aes128-ctr,aes192-ctr,weak-cipher,aes128-cbc,aes192-cbc,aes256-cbc,3des-cbc,rijndael-cbc@lysator\.liu\.se" >> /etc/ssh/sshd_config - fi -diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs/rule.yml -index b64be010cd..6a582c9577 100644 ---- a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs/rule.yml -+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs/rule.yml -@@ -32,6 +32,7 @@ description: |- - {{{ weblink(link="http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140sp/140sp2630.pdf") }}} - {{% endif %}} - {{% endif %}} -+ The rule is parametrized to use the following MACs: {{{ sub_var_value("sshd_approved_macs") }}}. - - rationale: |- - DoD Information Systems are required to use FIPS-approved cryptographic hash -diff --git a/linux_os/guide/services/ssh/sshd_approved_ciphers.var b/linux_os/guide/services/ssh/sshd_approved_ciphers.var -new file mode 100644 -index 0000000000..66d0776949 ---- /dev/null -+++ b/linux_os/guide/services/ssh/sshd_approved_ciphers.var -@@ -0,0 +1,16 @@ -+documentation_complete: true -+ -+title: 'SSH Approved ciphers by FIPS' -+ -+description: "Specify the FIPS approved ciphers \n\tthat are used for data integrity protection by the SSH server." -+ -+type: string -+ -+operator: equals -+ -+interactive: false -+ -+options: -+ stig: aes128-ctr,aes192-ctr,aes256-ctr -+ default: aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se -+ -diff --git a/rhel7/profiles/stig.profile b/rhel7/profiles/stig.profile -index e148325d3e..9b6ecfa543 100644 ---- a/rhel7/profiles/stig.profile -+++ b/rhel7/profiles/stig.profile -@@ -228,6 +228,7 @@ selections: - - install_antivirus - - accounts_max_concurrent_login_sessions - - configure_firewalld_ports -+ - sshd_approved_ciphers=stig - - sshd_use_approved_ciphers - - accounts_tmout - - sshd_enable_warning_banner -diff --git a/shared/macros.jinja b/shared/macros.jinja -index edbaeeb56c..d80eeb69b3 100644 ---- a/shared/macros.jinja -+++ b/shared/macros.jinja -@@ -35,6 +35,11 @@ ocil_clause: "the {{{ option }}} is not present in the output line, or there is - {{%- endmacro %}} - - -+{{% macro sub_var_value(varname) -%}} -+ -+{{%- endmacro %}} -+ -+ - {{% macro complete_ocil_entry_mount_option(point, option) -%}} - ocil: | - {{{ ocil_mount_option(point, option) | indent(4) }}} - -From 12eca02a6d16d723c90fb95b21d9992af53befab Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= -Date: Thu, 19 Mar 2020 09:56:35 +0100 -Subject: [PATCH 2/2] Streamlined description by removing ineffective escape - sequences. -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Co-Authored-By: Jan Černý ---- - linux_os/guide/services/ssh/sshd_approved_ciphers.var | 3 +-- - 1 file changed, 1 insertion(+), 2 deletions(-) - -diff --git a/linux_os/guide/services/ssh/sshd_approved_ciphers.var b/linux_os/guide/services/ssh/sshd_approved_ciphers.var -index 66d0776949..30e58336ce 100644 ---- a/linux_os/guide/services/ssh/sshd_approved_ciphers.var -+++ b/linux_os/guide/services/ssh/sshd_approved_ciphers.var -@@ -2,7 +2,7 @@ documentation_complete: true - - title: 'SSH Approved ciphers by FIPS' - --description: "Specify the FIPS approved ciphers \n\tthat are used for data integrity protection by the SSH server." -+description: "Specify the FIPS approved ciphers that are used for data integrity protection by the SSH server." - - type: string - -@@ -13,4 +13,3 @@ interactive: false - options: - stig: aes128-ctr,aes192-ctr,aes256-ctr - default: aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se -- diff --git a/SOURCES/scap-security-guide-0.1.50-removable_media_PR_5278.patch b/SOURCES/scap-security-guide-0.1.50-removable_media_PR_5278.patch deleted file mode 100644 index 545a973..0000000 --- a/SOURCES/scap-security-guide-0.1.50-removable_media_PR_5278.patch +++ /dev/null @@ -1,373 +0,0 @@ -diff --git a/docs/manual/developer_guide.adoc b/docs/manual/developer_guide.adoc -index 76c1c10218..d2b94207d4 100644 ---- a/docs/manual/developer_guide.adoc -+++ b/docs/manual/developer_guide.adoc -@@ -1555,12 +1555,9 @@ mount_option_remote_filesystems:: - * Languages: Ansible, Bash, OVAL - - mount_option_removable_partitions:: --* Checks if all removable media mounts are mounted with a specific option. -+* Checks if all removable media mounts are mounted with a specific option. Unlike other mount option templates, this template doesn't use the mount point, but the block device. The block device path (eg. `/dev/cdrom`) is always set to `var_removable_partition`. This is an XCCDF Value, defined in `link:{rootdir}/linux_os/guide/system/permissions/partitions/var_removable_partition.var[var_removable_partition.var]` - * Parameters: --** *mountpoint* - always set to `var_removable_partition`. This is an XCCDF Value, defined in `link:{rootdir}/linux_os/guide/system/permissions/partitions/var_removable_partition.var[var_removable_partition.var]` - ** *mountoption* - mount option, eg. `nodev` --** *filesystem* - filesystem of new mount point (used when adding new entry in `/etc/fstab`), eg. `tmpfs`. Used only in Bash remediation. --** *mount_has_to_exist* - Used only in Bash remediation. Specifies if the *mountpoint* entry has to exist in `/etc/fstab` before the remediation is executed. If set to `yes` and the *mountpoint* entry is not present in `/etc/fstab` the Bash remediation terminates. If set to `no` the *mountpoint* entry will be created in `/etc/fstab`. - * Languages: Anaconda, Ansible, Bash, OVAL - - package_installed:: -diff --git a/linux_os/guide/system/permissions/partitions/mount_option_nodev_removable_partitions/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_nodev_removable_partitions/rule.yml -index 7fd5237f1d..ef3fed7bac 100644 ---- a/linux_os/guide/system/permissions/partitions/mount_option_nodev_removable_partitions/rule.yml -+++ b/linux_os/guide/system/permissions/partitions/mount_option_nodev_removable_partitions/rule.yml -@@ -39,8 +39,6 @@ platform: machine - template: - name: mount_option_removable_partitions - vars: -- mount_has_to_exist: 'yes' - mountoption: nodev -- mountpoint: var_removable_partition - backends: - anaconda: 'off' -diff --git a/linux_os/guide/system/permissions/partitions/mount_option_noexec_removable_partitions/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_noexec_removable_partitions/rule.yml -index 0cff560310..b95e2394a7 100644 ---- a/linux_os/guide/system/permissions/partitions/mount_option_noexec_removable_partitions/rule.yml -+++ b/linux_os/guide/system/permissions/partitions/mount_option_noexec_removable_partitions/rule.yml -@@ -47,8 +47,6 @@ platform: machine - template: - name: mount_option_removable_partitions - vars: -- mount_has_to_exist: 'yes' - mountoption: noexec -- mountpoint: var_removable_partition - backends: - anaconda: 'off' -diff --git a/linux_os/guide/system/permissions/partitions/mount_option_noexec_removable_partitions/tests/cd_bad_opts.fail.sh b/linux_os/guide/system/permissions/partitions/mount_option_noexec_removable_partitions/tests/cd_bad_opts.fail.sh -new file mode 100644 -index 0000000000..10fd6cdad0 ---- /dev/null -+++ b/linux_os/guide/system/permissions/partitions/mount_option_noexec_removable_partitions/tests/cd_bad_opts.fail.sh -@@ -0,0 +1,4 @@ -+#!/bin/bash -+ -+touch /dev/cdrom -+echo "/dev/cdrom /var/cdrom iso9660 ro 0 0" > /etc/fstab -diff --git a/linux_os/guide/system/permissions/partitions/mount_option_noexec_removable_partitions/tests/cd_good_opts.pass.sh b/linux_os/guide/system/permissions/partitions/mount_option_noexec_removable_partitions/tests/cd_good_opts.pass.sh -new file mode 100644 -index 0000000000..ae33d8312a ---- /dev/null -+++ b/linux_os/guide/system/permissions/partitions/mount_option_noexec_removable_partitions/tests/cd_good_opts.pass.sh -@@ -0,0 +1,4 @@ -+#!/bin/bash -+ -+touch /dev/cdrom -+echo "/dev/cdrom /var/cdrom iso9660 noexec 0 0" > /etc/fstab -diff --git a/linux_os/guide/system/permissions/partitions/mount_option_noexec_removable_partitions/tests/cd_multiple_opts.fail.sh b/linux_os/guide/system/permissions/partitions/mount_option_noexec_removable_partitions/tests/cd_multiple_opts.fail.sh -new file mode 100644 -index 0000000000..a68453097d ---- /dev/null -+++ b/linux_os/guide/system/permissions/partitions/mount_option_noexec_removable_partitions/tests/cd_multiple_opts.fail.sh -@@ -0,0 +1,4 @@ -+#!/bin/bash -+ -+touch /dev/cdrom -+echo "/dev/cdrom /media/cdrom iso9660 ro,noauto,nosuid,nodev,defaults 0 0" >> /etc/fstab -diff --git a/linux_os/guide/system/permissions/partitions/mount_option_noexec_removable_partitions/tests/cd_multiple_opts.pass.sh b/linux_os/guide/system/permissions/partitions/mount_option_noexec_removable_partitions/tests/cd_multiple_opts.pass.sh -new file mode 100644 -index 0000000000..472a5e0578 ---- /dev/null -+++ b/linux_os/guide/system/permissions/partitions/mount_option_noexec_removable_partitions/tests/cd_multiple_opts.pass.sh -@@ -0,0 +1,4 @@ -+#!/bin/bash -+ -+touch /dev/cdrom -+echo "/dev/cdrom /media/cdrom iso9660 ro,noauto,nosuid,noexec,nodev 0 0" >> /etc/fstab -diff --git a/linux_os/guide/system/permissions/partitions/mount_option_noexec_removable_partitions/tests/cd_multiple_opts_first.pass.sh b/linux_os/guide/system/permissions/partitions/mount_option_noexec_removable_partitions/tests/cd_multiple_opts_first.pass.sh -new file mode 100644 -index 0000000000..ab2815f713 ---- /dev/null -+++ b/linux_os/guide/system/permissions/partitions/mount_option_noexec_removable_partitions/tests/cd_multiple_opts_first.pass.sh -@@ -0,0 +1,4 @@ -+#!/bin/bash -+ -+touch /dev/cdrom -+echo "/dev/cdrom /media/cdrom iso9660 noexec,ro,noauto,nosuid,nodev 0 0" >> /etc/fstab -diff --git a/linux_os/guide/system/permissions/partitions/mount_option_noexec_removable_partitions/tests/cd_multiple_opts_last.pass.sh b/linux_os/guide/system/permissions/partitions/mount_option_noexec_removable_partitions/tests/cd_multiple_opts_last.pass.sh -new file mode 100644 -index 0000000000..5316c7c319 ---- /dev/null -+++ b/linux_os/guide/system/permissions/partitions/mount_option_noexec_removable_partitions/tests/cd_multiple_opts_last.pass.sh -@@ -0,0 +1,4 @@ -+#!/bin/bash -+ -+touch /dev/cdrom -+echo "/dev/cdrom /media/cdrom iso9660 ro,noauto,nosuid,nodev,noexec 0 0" >> /etc/fstab -diff --git a/linux_os/guide/system/permissions/partitions/mount_option_noexec_removable_partitions/tests/dvd_bad_opts.fail.sh b/linux_os/guide/system/permissions/partitions/mount_option_noexec_removable_partitions/tests/dvd_bad_opts.fail.sh -deleted file mode 100644 -index 96540c9f34..0000000000 ---- a/linux_os/guide/system/permissions/partitions/mount_option_noexec_removable_partitions/tests/dvd_bad_opts.fail.sh -+++ /dev/null -@@ -1,8 +0,0 @@ --#!/bin/bash --# --# profiles = xccdf_org.ssgproject.content_profile_C2S -- --. $SHARED/removable_partitions.sh -- --touch /dev/dvd --dvdrom_fstab_line > /etc/fstab -diff --git a/linux_os/guide/system/permissions/partitions/mount_option_noexec_removable_partitions/tests/dvd_good_opts.pass.sh b/linux_os/guide/system/permissions/partitions/mount_option_noexec_removable_partitions/tests/dvd_good_opts.pass.sh -deleted file mode 100644 -index 1f29c61f23..0000000000 ---- a/linux_os/guide/system/permissions/partitions/mount_option_noexec_removable_partitions/tests/dvd_good_opts.pass.sh -+++ /dev/null -@@ -1,8 +0,0 @@ --#!/bin/bash --# --# profiles = xccdf_org.ssgproject.content_profile_C2S -- --. $SHARED/removable_partitions.sh -- --touch /dev/dvd --dvdrom_fstab_line noexec > /etc/fstab -diff --git a/linux_os/guide/system/permissions/partitions/mount_option_noexec_removable_partitions/tests/no_partitions.pass.sh b/linux_os/guide/system/permissions/partitions/mount_option_noexec_removable_partitions/tests/no_partitions.pass.sh -index 9f348f24c2..cb39b089ec 100644 ---- a/linux_os/guide/system/permissions/partitions/mount_option_noexec_removable_partitions/tests/no_partitions.pass.sh -+++ b/linux_os/guide/system/permissions/partitions/mount_option_noexec_removable_partitions/tests/no_partitions.pass.sh -@@ -1,6 +1,7 @@ - #!/bin/bash --# --# profiles = xccdf_org.ssgproject.content_profile_C2S -+ -+# Regression test for rhbz#1403905 -+# The rule should pass if there is no removable media entry in /etc/fstab - - touch /dev/cdrom - echo "" > /etc/fstab -diff --git a/linux_os/guide/system/permissions/partitions/mount_option_nosuid_removable_partitions/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_nosuid_removable_partitions/rule.yml -index 1ec828b015..b77c48a295 100644 ---- a/linux_os/guide/system/permissions/partitions/mount_option_nosuid_removable_partitions/rule.yml -+++ b/linux_os/guide/system/permissions/partitions/mount_option_nosuid_removable_partitions/rule.yml -@@ -41,8 +41,6 @@ platform: machine - template: - name: mount_option_removable_partitions - vars: -- mount_has_to_exist: 'yes' - mountoption: nosuid -- mountpoint: var_removable_partition - backends: - anaconda: 'off' -diff --git a/shared/templates/template_ANACONDA_mount_option_removable_partitions b/shared/templates/template_ANACONDA_mount_option_removable_partitions -index 8092f6648a..b4510ae804 100644 ---- a/shared/templates/template_ANACONDA_mount_option_removable_partitions -+++ b/shared/templates/template_ANACONDA_mount_option_removable_partitions -@@ -4,4 +4,4 @@ - # complexity = low - # disruption = high - --part (anaconda-populate {{{ MOUNTPOINT }}}) --mountoptions="{{{ MOUNTOPTION }}}" -+part (anaconda-populate var_removable_partition) --mountoptions="{{{ MOUNTOPTION }}}" -diff --git a/shared/templates/template_ANSIBLE_mount_option_removable_partitions b/shared/templates/template_ANSIBLE_mount_option_removable_partitions -index aafce84762..374499261d 100644 ---- a/shared/templates/template_ANSIBLE_mount_option_removable_partitions -+++ b/shared/templates/template_ANSIBLE_mount_option_removable_partitions -@@ -3,31 +3,11 @@ - # strategy = configure - # complexity = low - # disruption = high --- (xccdf-var {{{ MOUNTPOINT }}}) -+- (xccdf-var var_removable_partition) - --- name: get back mount information associated to mountpoint -- command: findmnt --fstab '{{ {{{ MOUNTPOINT }}} }}' -- register: device_name -- failed_when: device_name.rc > 1 -- changed_when: False -- --- name: create mount_info dictionary variable -- set_fact: -- mount_info: "{{ mount_info|default({})|combine({item.0: item.1}) }}" -- with_together: -- - "{{ device_name.stdout_lines[0].split() | list | lower }}" -- - "{{ device_name.stdout_lines[1].split() | list }}" -- when: -- - device_name.stdout is defined and device_name.stdout_lines is defined -- - (device_name.stdout | length > 0) -- --- name: Ensure permission {{{ MOUNTOPTION }}} are set on {{{ MOUNTPOINT }}} -- mount: -- path: "{{ {{{ MOUNTPOINT }}} }}" -- src: "{{ mount_info.source }}" -- opts: "{{ mount_info.options }},{{{ MOUNTOPTION }}}" -- state: "mounted" -- fstype: "{{ mount_info.fstype }}" -- when: -- - device_name.stdout is defined -- - (device_name.stdout | length > 0) -+- name: Ensure permission {{{ MOUNTOPTION }}} are set on var_removable_partition -+ lineinfile: -+ path: /etc/fstab -+ regexp: '^\s*({{ var_removable_partition }})\s+([^\s]*)\s+([^\s]*)\s+([^\s]*)(.*)$' -+ backrefs: yes -+ line: '\1 \2 \3 \4,{{{ MOUNTOPTION }}} \5' -diff --git a/shared/templates/template_BASH_mount_option_removable_partitions b/shared/templates/template_BASH_mount_option_removable_partitions -index dad2c8b718..5293bffc1a 100644 ---- a/shared/templates/template_BASH_mount_option_removable_partitions -+++ b/shared/templates/template_BASH_mount_option_removable_partitions -@@ -4,19 +4,15 @@ - # Include source function library. - . /usr/share/scap-security-guide/remediation_functions - --populate {{{ MOUNTPOINT }}} -+populate var_removable_partition - --include_mount_options_functions -+device_regex="^\s*$var_removable_partition\s\+" -+mount_option="{{{ MOUNTOPTION }}}" - --function perform_remediation { -- # test "$mount_has_to_exist" = 'yes' -- if test "{{{ MOUNT_HAS_TO_EXIST }}}" = 'yes'; then -- assert_mount_point_in_fstab "${{{ MOUNTPOINT }}}" || { echo "Not remediating, because there is no record of ${{{ MOUNTPOINT }}} in /etc/fstab" >&2; return 1; } -- fi -- -- ensure_mount_option_in_fstab "${{{ MOUNTPOINT }}}" "{{{ MOUNTOPTION }}}" "{{{ FILESYSTEM }}}" "{{{ TYPE }}}" -- -- ensure_partition_is_mounted "${{{ MOUNTPOINT }}}" --} -- --perform_remediation -+if grep -q $device_regex /etc/fstab ; then -+ previous_opts=$(grep $device_regex /etc/fstab | awk '{print $4}') -+ sed -i "s|\($device_regex.*$previous_opts\)|\1,$mount_option|" /etc/fstab -+else -+ echo "Not remediating, because there is no record of $var_removable_partition in /etc/fstab" >&2 -+ return 1 -+fi -diff --git a/shared/templates/template_OVAL_mount_option_removable_partitions b/shared/templates/template_OVAL_mount_option_removable_partitions -index 8b1987fbb5..4304c175e1 100644 ---- a/shared/templates/template_OVAL_mount_option_removable_partitions -+++ b/shared/templates/template_OVAL_mount_option_removable_partitions -@@ -1,39 +1,31 @@ - -- -+ - - Add {{{ MOUNTOPTION }}} Option to Removable Media Partitions - {{{- oval_affected(products) }}} - The {{{ MOUNTOPTION }}} option should be enabled for all removable devices mounts in /etc/fstab. - - -- - - -+ names in /etc/fstab are configured with '{{{ MOUNTOPTION }}}' option --> - - - -- -- -- -- - - - - -- -- -+ -- -- - - - -@@ -58,7 +50,7 @@ - - - -+ names to check /etc/fstab --> - - - -@@ -74,27 +66,8 @@ - ^.*,?{{{ MOUNTOPTION }}},?.*$ - - -- -- -- -- -- -- -- ^.*$ -- -- state_{{{ MOUNTOPTION }}}_runtime_cd_dvd_drive -- -- -- -- -- {{{ MOUNTOPTION }}} -- -- - -+ Check if configured with '{{{ MOUNTOPTION }}}' mount option in both /etc/fstab --> - - - -@@ -121,25 +94,6 @@ - ^.*,?{{{ MOUNTOPTION }}},?.* - - -- -- -- -- -- -- -- ^.*$ -- -- state_{{{ MOUNTOPTION }}}_runtime_not_cd_dvd_drive -- -- -- -- -- {{{ MOUNTOPTION }}} -- -- - - - -diff --git a/ssg/templates.py b/ssg/templates.py -index e5ed4890b4..d0af1b19da 100644 ---- a/ssg/templates.py -+++ b/ssg/templates.py -@@ -237,7 +237,7 @@ def mount_option_remote_filesystems(data, lang): - - @template(["anaconda", "ansible", "bash", "oval"]) - def mount_option_removable_partitions(data, lang): -- return _mount_option(data, lang) -+ return data - - - @template(["anaconda", "ansible", "bash", "oval", "puppet"]) diff --git a/SOURCES/scap-security-guide-0.1.50-run_chronyd_as_chrony_user_PR_5298.patch b/SOURCES/scap-security-guide-0.1.50-run_chronyd_as_chrony_user_PR_5298.patch deleted file mode 100644 index f7e4de4..0000000 --- a/SOURCES/scap-security-guide-0.1.50-run_chronyd_as_chrony_user_PR_5298.patch +++ /dev/null @@ -1,450 +0,0 @@ -From 894d50c90ad9fd9431c8198a082f4742b168c7c8 Mon Sep 17 00:00:00 2001 -From: Vojtech Polasek -Date: Tue, 17 Mar 2020 09:31:32 +0100 -Subject: [PATCH 1/8] add rule - ---- - .../ntp/chronyd_run_as_chrony_user/rule.yml | 40 +++++++++++++++++++ - shared/references/cce-redhat-avail.txt | 2 - - 2 files changed, 40 insertions(+), 2 deletions(-) - create mode 100644 linux_os/guide/services/ntp/chronyd_run_as_chrony_user/rule.yml - -diff --git a/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/rule.yml b/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/rule.yml -new file mode 100644 -index 0000000000..00a9e1d046 ---- /dev/null -+++ b/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/rule.yml -@@ -0,0 +1,40 @@ -+documentation_complete: true -+ -+prodtype: rhel7,rhel8,fedora -+ -+title: 'Ensure thatchronyd is running under chrony user account' -+ -+description: |- -+ chrony is a daemon which implements the Network Time Protocol (NTP) is designed to -+ synchronize system clocks across a variety of systems and use a source that is highly -+ accurate. More information on chrony can be found at -+ {{{ weblink(link="http://chrony.tuxfamily.org/) }}}. -+ Chrony can be configured to be a client and/or a server. -+ To ensure that chronyd is running under chrony user account, Add or edit the -+ OPTIONS variable in /etc/sysconfig/chronyd to include ' -u chrony ': -+
OPTIONS="-u chrony"
-+ This recommendation only applies if chrony is in use on the system. -+ -+rationale: |- -+ If chrony is in use on the system proper configuration is vital to ensuring time synchronization -+ is working properly. -+ -+severity: medium -+ -+platform: ntp -+ -+references: -+ cis@rhel7: 2.2.1.2 -+ cis@rhel8: 2.2.1.2 -+ -+identifiers: -+ cce@rhel7: 82878-0 -+ cce@rhel8: 82879-8 -+ -+ocil_clause: 'chronyd is not running under chrony user account' -+ -+ocil: |- -+ Run the following command and verify that -u chrony is included in OPTIONS: -+
# grep "^OPTIONS" /etc/sysconfig/chronyd
-+    OPTIONS="-u chrony"
-+ -diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt -index a12a6355fc..53b8232431 100644 ---- a/shared/references/cce-redhat-avail.txt -+++ b/shared/references/cce-redhat-avail.txt -@@ -3,8 +3,6 @@ CCE-82874-9 - CCE-82875-6 - CCE-82876-4 - CCE-82877-2 --CCE-82878-0 --CCE-82879-8 - CCE-82880-6 - CCE-82882-2 - CCE-82883-0 - -From 8a6213bc0a5cfe5005b3d4c9c2e331bc361a9eec Mon Sep 17 00:00:00 2001 -From: Vojtech Polasek -Date: Tue, 17 Mar 2020 10:47:23 +0100 -Subject: [PATCH 2/8] add chrony cpe to rhel7, rhel8, fedora - ---- - .../ntp/chronyd_run_as_chrony_user/rule.yml | 6 +++--- - 6 files changed, 39 insertions(+), 3 deletions(-) - -diff --git a/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/rule.yml b/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/rule.yml -index 00a9e1d046..811ab8ac91 100644 ---- a/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/rule.yml -+++ b/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/rule.yml -@@ -5,10 +5,10 @@ prodtype: rhel7,rhel8,fedora - title: 'Ensure thatchronyd is running under chrony user account' - - description: |- -- chrony is a daemon which implements the Network Time Protocol (NTP) is designed to -+ chrony is a daemon which implements the Network Time Protocol (NTP). It is designed to - synchronize system clocks across a variety of systems and use a source that is highly - accurate. More information on chrony can be found at -- {{{ weblink(link="http://chrony.tuxfamily.org/) }}}. -+ {{{ weblink(link="http://chrony.tuxfamily.org/") }}}. - Chrony can be configured to be a client and/or a server. - To ensure that chronyd is running under chrony user account, Add or edit the - OPTIONS variable in /etc/sysconfig/chronyd to include ' -u chrony ': -@@ -21,7 +21,7 @@ rationale: |- - - severity: medium - --platform: ntp -+platform: chrony - - references: - cis@rhel7: 2.2.1.2 -From f32d587b8d6f916f0ed35000348de111a0ff3347 Mon Sep 17 00:00:00 2001 -From: Vojtech Polasek -Date: Tue, 17 Mar 2020 10:47:56 +0100 -Subject: [PATCH 3/8] add remediations - ---- - .../ansible/shared.yml | 30 +++++++++++++++++++ - .../chronyd_run_as_chrony_user/bash/shared.sh | 9 ++++++ - 2 files changed, 39 insertions(+) - create mode 100644 linux_os/guide/services/ntp/chronyd_run_as_chrony_user/ansible/shared.yml - create mode 100644 linux_os/guide/services/ntp/chronyd_run_as_chrony_user/bash/shared.sh - -diff --git a/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/ansible/shared.yml b/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/ansible/shared.yml -new file mode 100644 -index 0000000000..f9c29734c0 ---- /dev/null -+++ b/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/ansible/shared.yml -@@ -0,0 +1,30 @@ -+# platform = multi_platform_fedora,Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8 -+# reboot = false -+# strategy = configure -+# complexity = low -+# disruption = low -+ -+- name: "detect if file is not empty or missing" -+ find: -+ path: /etc/sysconfig/ -+ patterns: chronyd -+ contains: '^([\s]*OPTIONS=["]?[^"]*)("?)' -+ register: chronyd_file -+ -+- name: "replace existing setting or create a new file, rest is handled by different task" -+ lineinfile: -+ path: /etc/sysconfig/chronyd -+ regexp: '^([\s]*OPTIONS=["]?[^"]*)("?)' -+ line: '\1 -u chrony\2' -+ state: present -+ create: True -+ backrefs: True -+ when: chronyd_file.matched > 0 -+ -+- name: "put line into file, assume file was empty" -+ lineinfile: -+ path: /etc/sysconfig/chronyd -+ line: 'OPTIONS="-u chrony"' -+ state: present -+ create: True -+ when: chronyd_file.matched == 0 -diff --git a/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/bash/shared.sh b/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/bash/shared.sh -new file mode 100644 -index 0000000000..4210e28560 ---- /dev/null -+++ b/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/bash/shared.sh -@@ -0,0 +1,9 @@ -+# platform = Red Hat Enterprise Linux 7,multi_platform_fedora,Red Hat Enterprise Linux 8 -+ -+if grep -q 'OPTIONS=.*' /etc/sysconfig/chronyd; then -+ # trying to solve cases where the parameter after OPTIONS -+ #may or may not be enclosed in quotes -+ sed -i -E 's/^([\s]*OPTIONS=["]?[^"]*)("?)/\1 -u chrony\2/' /etc/sysconfig/chronyd -+else -+ echo 'OPTIONS="-u chrony"' >> /etc/sysconfig/chronyd -+fi - -From 93055dfbb432ca08fbe215ddc40235b3c815a604 Mon Sep 17 00:00:00 2001 -From: Vojtech Polasek -Date: Tue, 17 Mar 2020 10:48:31 +0100 -Subject: [PATCH 4/8] add oval check - ---- - .../services/ntp/chronyd_run_as_chrony_user/oval/shared.xml | 1 + - 1 file changed, 1 insertion(+) - create mode 100644 linux_os/guide/services/ntp/chronyd_run_as_chrony_user/oval/shared.xml - -diff --git a/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/oval/shared.xml b/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/oval/shared.xml -new file mode 100644 -index 0000000000..fe2936bc92 ---- /dev/null -+++ b/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/oval/shared.xml -@@ -0,0 +1 @@ -+{{{ oval_check_config_file(path='/etc/sysconfig/chronyd', prefix_regex='^[ \\t]*', parameter='OPTIONS', separator_regex='=', value='["]?.*-u chrony.*["]?', missing_parameter_pass=false, missing_config_file_fail=true) }}} - -From 4e1c628a1aca02a578aa1e9401c7d4c48367bc5d Mon Sep 17 00:00:00 2001 -From: Vojtech Polasek -Date: Tue, 17 Mar 2020 10:48:45 +0100 -Subject: [PATCH 5/8] add tests - ---- - .../ntp/chronyd_run_as_chrony_user/tests/correct.pass.sh | 5 +++++ - .../ntp/chronyd_run_as_chrony_user/tests/empty.fail.sh | 6 ++++++ - .../chronyd_run_as_chrony_user/tests/empty_options.fail.sh | 5 +++++ - .../chronyd_run_as_chrony_user/tests/file_missing.fail.sh | 5 +++++ - .../ntp/chronyd_run_as_chrony_user/tests/wrong_line.fail.sh | 5 +++++ - 5 files changed, 26 insertions(+) - create mode 100644 linux_os/guide/services/ntp/chronyd_run_as_chrony_user/tests/correct.pass.sh - create mode 100644 linux_os/guide/services/ntp/chronyd_run_as_chrony_user/tests/empty.fail.sh - create mode 100644 linux_os/guide/services/ntp/chronyd_run_as_chrony_user/tests/empty_options.fail.sh - create mode 100644 linux_os/guide/services/ntp/chronyd_run_as_chrony_user/tests/file_missing.fail.sh - create mode 100644 linux_os/guide/services/ntp/chronyd_run_as_chrony_user/tests/wrong_line.fail.sh - -diff --git a/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/tests/correct.pass.sh b/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/tests/correct.pass.sh -new file mode 100644 -index 0000000000..44783378ce ---- /dev/null -+++ b/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/tests/correct.pass.sh -@@ -0,0 +1,5 @@ -+#!/bin/bash -+ -+yum -y install chrony -+ -+echo 'OPTIONS="-u chrony"' > /etc/sysconfig/chronyd -diff --git a/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/tests/empty.fail.sh b/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/tests/empty.fail.sh -new file mode 100644 -index 0000000000..51f5b8663f ---- /dev/null -+++ b/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/tests/empty.fail.sh -@@ -0,0 +1,6 @@ -+#!/bin/bash -+ -+yum -y install ntp -+ -+echo "" > /etc/sysconfig/ntpd -+echo "" > /usr/lib/systemd/system/ntpd.service -diff --git a/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/tests/empty_options.fail.sh b/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/tests/empty_options.fail.sh -new file mode 100644 -index 0000000000..c38004ae8a ---- /dev/null -+++ b/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/tests/empty_options.fail.sh -@@ -0,0 +1,5 @@ -+#!/bin/bash -+ -+yum -y install chrony -+ -+echo 'OPTIONS=""' > /etc/sysconfig/chronyd -diff --git a/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/tests/file_missing.fail.sh b/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/tests/file_missing.fail.sh -new file mode 100644 -index 0000000000..c5e5c97b85 ---- /dev/null -+++ b/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/tests/file_missing.fail.sh -@@ -0,0 +1,5 @@ -+#!/bin/bash -+ -+yum -y install chrony -+ -+rm -f /etc/sysconfig/ntpd -diff --git a/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/tests/wrong_line.fail.sh b/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/tests/wrong_line.fail.sh -new file mode 100644 -index 0000000000..72ef399539 ---- /dev/null -+++ b/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/tests/wrong_line.fail.sh -@@ -0,0 +1,5 @@ -+#!/bin/bash -+ -+yum -y install chrony -+ -+echo 'OPTIONS="-u root:root"' > /etc/sysconfig/chronyd - -From 72e02f1d773b513cb2bcfac35cef2b17b036c7a6 Mon Sep 17 00:00:00 2001 -From: Vojtech Polasek -Date: Wed, 18 Mar 2020 12:09:26 +0100 -Subject: [PATCH 6/8] fix wording and ansible - ---- - .../ntp/chronyd_run_as_chrony_user/ansible/shared.yml | 9 ++++----- - .../services/ntp/chronyd_run_as_chrony_user/rule.yml | 4 ++-- - 2 files changed, 6 insertions(+), 7 deletions(-) - -diff --git a/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/ansible/shared.yml b/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/ansible/shared.yml -index f9c29734c0..42acdff9f4 100644 ---- a/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/ansible/shared.yml -+++ b/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/ansible/shared.yml -@@ -4,24 +4,23 @@ - # complexity = low - # disruption = low - --- name: "detect if file is not empty or missing" -+- name: "Detect if file /etc/sysconfig/chronyd is not empty or missing" - find: - path: /etc/sysconfig/ - patterns: chronyd - contains: '^([\s]*OPTIONS=["]?[^"]*)("?)' - register: chronyd_file - --- name: "replace existing setting or create a new file, rest is handled by different task" -+- name: "Correct existing in /etc/sysconfig/chronyd to run chronyd as chrony user" - lineinfile: - path: /etc/sysconfig/chronyd - regexp: '^([\s]*OPTIONS=["]?[^"]*)("?)' - line: '\1 -u chrony\2' - state: present -- create: True - backrefs: True -- when: chronyd_file.matched > 0 -+ when: chronyd_file is defined and chronyd_file.matched > 0 - --- name: "put line into file, assume file was empty" -+- name: "Insert correct line into /etc/sysconfig/chronyd ensuring chronyd runs as chrony user" - lineinfile: - path: /etc/sysconfig/chronyd - line: 'OPTIONS="-u chrony"' -diff --git a/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/rule.yml b/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/rule.yml -index 811ab8ac91..cd641ce0cb 100644 ---- a/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/rule.yml -+++ b/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/rule.yml -@@ -2,7 +2,7 @@ documentation_complete: true - - prodtype: rhel7,rhel8,fedora - --title: 'Ensure thatchronyd is running under chrony user account' -+title: 'Ensure that chronyd is running under chrony user account' - - description: |- - chrony is a daemon which implements the Network Time Protocol (NTP). It is designed to -@@ -11,7 +11,7 @@ description: |- - {{{ weblink(link="http://chrony.tuxfamily.org/") }}}. - Chrony can be configured to be a client and/or a server. - To ensure that chronyd is running under chrony user account, Add or edit the -- OPTIONS variable in /etc/sysconfig/chronyd to include ' -u chrony ': -+ OPTIONS variable in /etc/sysconfig/chronyd to include -u chrony: -
OPTIONS="-u chrony"
- This recommendation only applies if chrony is in use on the system. - - -From 0885706c1d1e9f2b0dfd1150736549e0d1a036c1 Mon Sep 17 00:00:00 2001 -From: Vojtech Polasek -Date: Wed, 18 Mar 2020 12:09:56 +0100 -Subject: [PATCH 7/8] fix and add tests - ---- - .../tests/correct_multiple_options.pass.sh | 5 +++++ - .../ntp/chronyd_run_as_chrony_user/tests/empty.fail.sh | 3 +-- - .../chronyd_run_as_chrony_user/tests/file_missing.fail.sh | 2 +- - .../chronyd_run_as_chrony_user/tests/wrong_line_2.fail.sh | 5 +++++ - 4 files changed, 12 insertions(+), 3 deletions(-) - create mode 100644 linux_os/guide/services/ntp/chronyd_run_as_chrony_user/tests/correct_multiple_options.pass.sh - create mode 100644 linux_os/guide/services/ntp/chronyd_run_as_chrony_user/tests/wrong_line_2.fail.sh - -diff --git a/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/tests/correct_multiple_options.pass.sh b/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/tests/correct_multiple_options.pass.sh -new file mode 100644 -index 0000000000..12f14a7e28 ---- /dev/null -+++ b/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/tests/correct_multiple_options.pass.sh -@@ -0,0 +1,5 @@ -+#!/bin/bash -+ -+yum -y install chrony -+ -+echo 'OPTIONS="-g -u chrony"' > /etc/sysconfig/chronyd -diff --git a/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/tests/empty.fail.sh b/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/tests/empty.fail.sh -index 51f5b8663f..85b4995681 100644 ---- a/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/tests/empty.fail.sh -+++ b/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/tests/empty.fail.sh -@@ -2,5 +2,4 @@ - - yum -y install ntp - --echo "" > /etc/sysconfig/ntpd --echo "" > /usr/lib/systemd/system/ntpd.service -+echo "" > /etc/sysconfig/chronyd -diff --git a/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/tests/file_missing.fail.sh b/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/tests/file_missing.fail.sh -index c5e5c97b85..96787432db 100644 ---- a/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/tests/file_missing.fail.sh -+++ b/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/tests/file_missing.fail.sh -@@ -2,4 +2,4 @@ - - yum -y install chrony - --rm -f /etc/sysconfig/ntpd -+rm -f /etc/sysconfig/chronyd -diff --git a/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/tests/wrong_line_2.fail.sh b/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/tests/wrong_line_2.fail.sh -new file mode 100644 -index 0000000000..4c3a51181a ---- /dev/null -+++ b/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/tests/wrong_line_2.fail.sh -@@ -0,0 +1,5 @@ -+#!/bin/bash -+ -+yum -y install chrony -+ -+echo 'OPTIONS="-g"' > /etc/sysconfig/chronyd - -From 1ffcfa459d95f335747e158adf1596323f72e518 Mon Sep 17 00:00:00 2001 -From: Vojtech Polasek -Date: Wed, 18 Mar 2020 15:57:11 +0100 -Subject: [PATCH 8/8] fix remediations to remove any previous user - configuration - -fix test ---- - .../ntp/chronyd_run_as_chrony_user/ansible/shared.yml | 11 +++++++++-- - .../ntp/chronyd_run_as_chrony_user/bash/shared.sh | 2 +- - .../chronyd_run_as_chrony_user/tests/empty.fail.sh | 2 +- - 3 files changed, 11 insertions(+), 4 deletions(-) - -diff --git a/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/ansible/shared.yml b/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/ansible/shared.yml -index 42acdff9f4..e60dd11eb2 100644 ---- a/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/ansible/shared.yml -+++ b/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/ansible/shared.yml -@@ -11,7 +11,14 @@ - contains: '^([\s]*OPTIONS=["]?[^"]*)("?)' - register: chronyd_file - --- name: "Correct existing in /etc/sysconfig/chronyd to run chronyd as chrony user" -+- name: "Remove any previous configuration of user used to run chronyd process" -+ replace: -+ path: /etc/sysconfig/chronyd -+ regexp: '\s*-u\s+\w+\s*' -+ replace: ' ' -+ when: chronyd_file is defined and chronyd_file.matched > 0 -+ -+- name: "Correct existing line in /etc/sysconfig/chronyd to run chronyd as chrony user" - lineinfile: - path: /etc/sysconfig/chronyd - regexp: '^([\s]*OPTIONS=["]?[^"]*)("?)' -@@ -26,4 +33,4 @@ - line: 'OPTIONS="-u chrony"' - state: present - create: True -- when: chronyd_file.matched == 0 -+ when: chronyd_file is defined and chronyd_file.matched == 0 -diff --git a/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/bash/shared.sh b/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/bash/shared.sh -index 4210e28560..83acc51db0 100644 ---- a/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/bash/shared.sh -+++ b/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/bash/shared.sh -@@ -3,7 +3,7 @@ - if grep -q 'OPTIONS=.*' /etc/sysconfig/chronyd; then - # trying to solve cases where the parameter after OPTIONS - #may or may not be enclosed in quotes -- sed -i -E 's/^([\s]*OPTIONS=["]?[^"]*)("?)/\1 -u chrony\2/' /etc/sysconfig/chronyd -+ sed -i -E -e 's/\s*-u\s+\w+\s*/ /' -e 's/^([\s]*OPTIONS=["]?[^"]*)("?)/\1 -u chrony\2/' /etc/sysconfig/chronyd - else - echo 'OPTIONS="-u chrony"' >> /etc/sysconfig/chronyd - fi -diff --git a/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/tests/empty.fail.sh b/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/tests/empty.fail.sh -index 85b4995681..4a4f21ced7 100644 ---- a/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/tests/empty.fail.sh -+++ b/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/tests/empty.fail.sh -@@ -1,5 +1,5 @@ - #!/bin/bash - --yum -y install ntp -+yum -y install chrony - - echo "" > /etc/sysconfig/chronyd diff --git a/SOURCES/scap-security-guide-0.1.50-simplify_login_banner.patch b/SOURCES/scap-security-guide-0.1.50-simplify_login_banner.patch deleted file mode 100644 index 1a1a271..0000000 --- a/SOURCES/scap-security-guide-0.1.50-simplify_login_banner.patch +++ /dev/null @@ -1,1728 +0,0 @@ -From fb5fe8c7dea9c83558b9e4fd7d2235caff6bd4db Mon Sep 17 00:00:00 2001 -From: Marek Haicman -Date: Wed, 4 Dec 2019 15:11:39 +0100 -Subject: [PATCH 01/27] Create macro to translate text to banner text. - -With banner texts having every whitespace replaced with more complex regular -expression, it's not really readable in that form. This macro should provide -way to write human readable text in source, and get machine readable text -as the output. ---- - .../var_web_login_banner_text.var | 15 ++++++--------- - .../banner_etc_issue/bash/shared.sh | 2 +- - ...disa_dod_default_banner_no_newline.fail.sh | 19 +++++++++++++++++++ - .../accounts-banners/login_banner_text.var | 12 ++++++------ - shared/macros.jinja | 4 ++++ - ssg/build_yaml.py | 2 +- - 6 files changed, 37 insertions(+), 17 deletions(-) - create mode 100644 linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/tests/banner_etc_issue_disa_dod_default_banner_no_newline.fail.sh - -diff --git a/linux_os/guide/services/http/securing_httpd/httpd_secure_content/var_web_login_banner_text.var b/linux_os/guide/services/http/securing_httpd/httpd_secure_content/var_web_login_banner_text.var -index 61ebea65f3..72a728659b 100644 ---- a/linux_os/guide/services/http/securing_httpd/httpd_secure_content/var_web_login_banner_text.var -+++ b/linux_os/guide/services/http/securing_httpd/httpd_secure_content/var_web_login_banner_text.var -@@ -4,7 +4,7 @@ title: 'Web Login Banner Verbiage' - - description: |- - Enter an appropriate login banner for your organization. Please note that new lines must -- be expressed by the '\n' character and special characters like parentheses and quotation marks must be escaped with '\'. -+ be expressed by the '\n' character and special characters like parentheses and quotation marks must be escaped with '\\'. - - type: string - -@@ -13,11 +13,8 @@ operator: equals - interactive: false - - options: -- dod_banners: ^(You[\s\n]+are[\s\n]+accessing[\s\n]+a[\s\n]+U.S.[\s\n]+Government[\s\n]+\(USG\)[\s\n]+Information[\s\n]+System[\s\n]+\(IS\)[\s\n]+that[\s\n]+is[\s\n]+provided[\s\n]+for[\s\n]+USG-authorized[\s\n]+use[\s\n]+only.[\s\n]*By[\s\n]+using[\s\n]+this[\s\n]+IS[\s\n]+\(which[\s\n]+includes[\s\n]+any[\s\n]+device[\s\n]+attached[\s\n]+to[\s\n]+this[\s\n]+IS\),[\s\n]+you[\s\n]+consent[\s\n]+to[\s\n]+the[\s\n]+following[\s\n]+conditions\:[\s\n]*-[\s\n]*The[\s\n]+USG[\s\n]+routinely[\s\n]+intercepts[\s\n]+and[\s\n]+monitors[\s\n]+communications[\s\n]+on[\s\n]+this[\s\n]+IS[\s\n]+for[\s\n]+purposes[\s\n]+including,[\s\n]+but[\s\n]+not[\s\n]+limited[\s\n]+to,[\s\n]+penetration[\s\n]+testing,[\s\n]+COMSEC[\s\n]+monitoring,[\s\n]+network[\s\n]+operations[\s\n]+and[\s\n]+defense,[\s\n]+personnel[\s\n]+misconduct[\s\n]+\(PM\),[\s\n]+law[\s\n]+enforcement[\s\n]+\(LE\),[\s\n]+and[\s\n]+counterintelligence[\s\n]+\(CI\)[\s\n]+investigations.[\s\n]*-[\s\n]*At[\s\n]+any[\s\n]+time,[\s\n]+the[\s\n]+USG[\s\n]+may[\s\n]+inspect[\s\n]+and[\s\n]+seize[\s\n]+data[\s\n]+stored[\s\n]+on[\s\n]+this[\s\n]+IS.[\s\n]*-[\s\n]*Communications[\s\n]+using,[\s\n]+or[\s\n]+data[\s\n]+stored[\s\n]+on,[\s\n]+this[\s\n]+IS[\s\n]+are[\s\n]+not[\s\n]+private,[\s\n]+are[\s\n]+subject[\s\n]+to[\s\n]+routine[\s\n]+monitoring,[\s\n]+interception,[\s\n]+and[\s\n]+search,[\s\n]+and[\s\n]+may[\s\n]+be[\s\n]+disclosed[\s\n]+or[\s\n]+used[\s\n]+for[\s\n]+any[\s\n]+USG-authorized[\s\n]+purpose.[\s\n]*-[\s\n]*This[\s\n]+IS[\s\n]+includes[\s\n]+security[\s\n]+measures[\s\n]+\(e.g.,[\s\n]+authentication[\s\n]+and[\s\n]+access[\s\n]+controls\)[\s\n]+to[\s\n]+protect[\s\n]+USG[\s\n]+interests--not[\s\n]+for[\s\n]+your[\s\n]+personal[\s\n]+benefit[\s\n]+or[\s\n]+privacy.[\s\n]*-[\s\n]*Notwithstanding[\s\n]+the[\s\n]+above,[\s\n]+using[\s\n]+this[\s\n]+IS[\s\n]+does[\s\n]+not[\s\n]+constitute[\s\n]+consent[\s\n]+to[\s\n]+PM,[\s\n]+LE[\s\n]+or[\s\n]+CI[\s\n]+investigative[\s\n]+searching[\s\n]+or[\s\n]+monitoring[\s\n]+of[\s\n]+the[\s\n]+content[\s\n]+of[\s\n]+privileged[\s\n]+communications,[\s\n]+or[\s\n]+work[\s\n]+product,[\s\n]+related[\s\n]+to[\s\n]+personal[\s\n]+representation[\s\n]+or[\s\n]+services[\s\n]+by[\s\n]+attorneys,[\s\n]+psychotherapists,[\s\n]+or[\s\n]+clergy,[\s\n]+and[\s\n]+their[\s\n]+assistants.[\s\n]+Such[\s\n]+communications[\s\n]+and[\s\n]+work[\s\n]+product[\s\n]+are[\s\n]+private[\s\n]+and[\s\n]+confidential.[\s\n]+See[\s\n]+User[\s\n]+Agreement[\s\n]+for[\s\n]+details.|I\'ve[\s\n]+read[\s\n]+\&[\s\n]+consent[\s\n]+to[\s\n]+terms[\s\n]+in[\s\n]+IS[\s\n]+user[\s\n]+agreem\'t.)$ -- dod_default: You[\s\n]+are[\s\n]+accessing[\s\n]+a[\s\n]+U.S.[\s\n]+Government[\s\n]+\(USG\)[\s\n]+Information[\s\n]+System[\s\n]+\(IS\)[\s\n]+that[\s\n]+is[\s\n]+provided[\s\n]+for[\s\n]+USG-authorized[\s\n]+use[\s\n]+only.[\s\n]*By[\s\n]+using[\s\n]+this[\s\n]+IS[\s\n]+\(which[\s\n]+includes[\s\n]+any[\s\n]+device[\s\n]+attached[\s\n]+to[\s\n]+this[\s\n]+IS\),[\s\n]+you[\s\n]+consent[\s\n]+to[\s\n]+the[\s\n]+following[\s\n]+conditions\:[\s\n]*-[\s\n]*The[\s\n]+USG[\s\n]+routinely[\s\n]+intercepts[\s\n]+and[\s\n]+monitors[\s\n]+communications[\s\n]+on[\s\n]+this[\s\n]+IS[\s\n]+for[\s\n]+purposes[\s\n]+including,[\s\n]+but[\s\n]+not[\s\n]+limited[\s\n]+to,[\s\n]+penetration[\s\n]+testing,[\s\n]+COMSEC[\s\n]+monitoring,[\s\n]+network[\s\n]+operations[\s\n]+and[\s\n]+defense,[\s\n]+personnel[\s\n]+misconduct[\s\n]+\(PM\),[\s\n]+law[\s\n]+enforcement[\s\n]+\(LE\),[\s\n]+and[\s\n]+counterintelligence[\s\n]+\(CI\)[\s\n]+investigations.[\s\n]*-[\s\n]*At[\s\n]+any[\s\n]+time,[\s\n]+the[\s\n]+USG[\s\n]+may[\s\n]+inspect[\s\n]+and[\s\n]+seize[\s\n]+data[\s\n]+stored[\s\n]+on[\s\n]+this[\s\n]+IS.[\s\n]*-[\s\n]*Communications[\s\n]+using,[\s\n]+or[\s\n]+data[\s\n]+stored[\s\n]+on,[\s\n]+this[\s\n]+IS[\s\n]+are[\s\n]+not[\s\n]+private,[\s\n]+are[\s\n]+subject[\s\n]+to[\s\n]+routine[\s\n]+monitoring,[\s\n]+interception,[\s\n]+and[\s\n]+search,[\s\n]+and[\s\n]+may[\s\n]+be[\s\n]+disclosed[\s\n]+or[\s\n]+used[\s\n]+for[\s\n]+any[\s\n]+USG-authorized[\s\n]+purpose.[\s\n]*-[\s\n]*This[\s\n]+IS[\s\n]+includes[\s\n]+security[\s\n]+measures[\s\n]+\(e.g.,[\s\n]+authentication[\s\n]+and[\s\n]+access[\s\n]+controls\)[\s\n]+to[\s\n]+protect[\s\n]+USG[\s\n]+interests--not[\s\n]+for[\s\n]+your[\s\n]+personal[\s\n]+benefit[\s\n]+or[\s\n]+privacy.[\s\n]*-[\s\n]*Notwithstanding[\s\n]+the[\s\n]+above,[\s\n]+using[\s\n]+this[\s\n]+IS[\s\n]+does[\s\n]+not[\s\n]+constitute[\s\n]+consent[\s\n]+to[\s\n]+PM,[\s\n]+LE[\s\n]+or[\s\n]+CI[\s\n]+investigative[\s\n]+searching[\s\n]+or[\s\n]+monitoring[\s\n]+of[\s\n]+the[\s\n]+content[\s\n]+of[\s\n]+privileged[\s\n]+communications,[\s\n]+or[\s\n]+work[\s\n]+product,[\s\n]+related[\s\n]+to[\s\n]+personal[\s\n]+representation[\s\n]+or[\s\n]+services[\s\n]+by[\s\n]+attorneys,[\s\n]+psychotherapists,[\s\n]+or[\s\n]+clergy,[\s\n]+and[\s\n]+their[\s\n]+assistants.[\s\n]+Such[\s\n]+communications[\s\n]+and[\s\n]+work[\s\n]+product[\s\n]+are[\s\n]+private[\s\n]+and[\s\n]+confidential.[\s\n]+See[\s\n]+User[\s\n]+Agreement[\s\n]+for[\s\n]+details. -- dod_short: I\'ve[\s\n]+read[\s\n]+\&[\s\n]+consent[\s\n]+to[\s\n]+terms[\s\n]+in[\s\n]+IS[\s\n]+user[\s\n]+agreem\'t. -- dss_odaa_default: "[\\s\\n]+Use[\\s\\n]+of[\\s\\n]+this[\\s\\n]+or[\\s\\n]+any[\\s\\n]+other[\\s\\n]+DoD[\\s\\n]+interest[\\s\\n]+computer[\\s\\n]+system[\\s\\n]+constitutes[\\s\\n]+consent[\\s\\n]+to[\\s\\n]+monitoring[\\s\\n]+at[\\s\\n]+all[\\s\\n]+times.[\\s\\n]+This[\\s\\n]+is[\\s\\n]+a[\\s\\n]+DoD[\\s\\n]+interest[\\s\\n]+computer[\\s\\n]+system.[\\s\\n]+All[\\s\\n]+DoD[\\s\\n]+interest[\\s\\n]+computer[\\s\\n]+systems[\\s\\n]+and[\\s\\n]+related[\\s\\n]+equipment[\\s\\n]+are[\\s\\n]+intended[\\s\\n]+for[\\s\\n]+the[\\s\\n]+communication,[\\s\\n]+transmission,[\\s\\n]+processing,[\\s\\n]+and[\\s\\n]+storage[\\s\\n]+of[\\s\\n]+official[\\s\\n]+U.S.[\\s\\n]+Government[\\s\\n]+or[\\s\\n]+other[\\s\\n]+authorized[\\s\\n]+information[\\s\\n]+only.[\\s\\n]+All[\\s\\n]+DoD[\\s\\n]+interest[\\s\\n]+computer[\\s\\n]+systems[\\s\\n]+are[\\s\\n]+subject[\\s\\n]+to[\\s\\n]+monitoring[\\s\\n]+at[\\s\\n]+all[\\s\\n]+times[\\s\\n]+to[\\s\\n]+ensure[\\s\\n]+proper[\\s\\n]+functioning[\\s\\n]+of[\\\ -- s\\n]+equipment[\\s\\n]+and[\\s\\n]+systems[\\s\\n]+including[\\s\\n]+security[\\s\\n]+devices[\\s\\n]+and[\\s\\n]+systems,[\\s\\n]+to[\\s\\n]+prevent[\\s\\n]+unauthorized[\\s\\n]+use[\\s\\n]+and[\\s\\n]+violations[\\s\\n]+of[\\s\\n]+statutes[\\s\\n]+and[\\s\\n]+security[\\s\\n]+regulations,[\\s\\n]+to[\\s\\n]+deter[\\s\\n]+criminal[\\s\\n]+activity,[\\s\\n]+and[\\s\\n]+for[\\s\\n]+other[\\s\\n]+similar[\\s\\n]+purposes.[\\s\\n]+Any[\\s\\n]+user[\\s\\n]+of[\\s\\n]+a[\\s\\n]+DoD[\\s\\n]+interest[\\s\\n]+computer[\\s\\n]+system[\\s\\n]+should[\\s\\n]+be[\\s\\n]+aware[\\s\\n]+that[\\s\\n]+any[\\s\\n]+information[\\s\\n]+placed[\\s\\n]+in[\\s\\n]+the[\\s\\n]+system[\\s\\n]+is[\\s\\n]+subject[\\s\\n]+to[\\s\\n]+monitoring[\\s\\n]+and[\\s\\n]+is[\\s\\n]+not[\\s\\n]+subject[\\s\\n]+to[\\s\\n]+any[\\s\\n]+expectation[\\s\\n]+of[\\s\\n]+privacy.[\\s\\n]+If[\\s\\n]+monitoring[\\s\\n]+of[\\s\\n]+this[\\s\\n]+or[\\s\\n]+any[\\s\\n]+other[\\s\\n]+DoD[\\s\\n]+interest[\\s\\n]+computer[\\s\\n]+system[\\\ -- s\\n]+reveals[\\s\\n]+possible[\\s\\n]+evidence[\\s\\n]+of[\\s\\n]+violation[\\s\\n]+of[\\s\\n]+criminal[\\s\\n]+statutes,[\\s\\n]+this[\\s\\n]+evidence[\\s\\n]+and[\\s\\n]+any[\\s\\n]+other[\\s\\n]+related[\\s\\n]+information,[\\s\\n]+including[\\s\\n]+identification[\\s\\n]+information[\\s\\n]+about[\\s\\n]+the[\\s\\n]+user,[\\s\\n]+may[\\s\\n]+be[\\s\\n]+provided[\\s\\n]+to[\\s\\n]+law[\\s\\n]+enforcement[\\s\\n]+officials.[\\s\\n]+If[\\s\\n]+monitoring[\\s\\n]+of[\\s\\n]+this[\\s\\n]+or[\\s\\n]+any[\\s\\n]+other[\\s\\n]+DoD[\\s\\n]+interest[\\s\\n]+computer[\\s\\n]+systems[\\s\\n]+reveals[\\s\\n]+violations[\\s\\n]+of[\\s\\n]+security[\\s\\n]+regulations[\\s\\n]+or[\\s\\n]+unauthorized[\\s\\n]+use,[\\s\\n]+employees[\\s\\n]+who[\\s\\n]+violate[\\s\\n]+security[\\s\\n]+regulations[\\s\\n]+or[\\s\\n]+make[\\s\\n]+unauthorized[\\s\\n]+use[\\s\\n]+of[\\s\\n]+DoD[\\s\\n]+interest[\\s\\n]+computer[\\s\\n]+systems[\\s\\n]+are[\\s\\n]+subject[\\s\\n]+to[\\s\\n]+appropriate[\\s\\n]+disciplinary[\\\ -- s\\n]+action.[\\s\\n]+Use[\\s\\n]+of[\\s\\n]+this[\\s\\n]+or[\\s\\n]+any[\\s\\n]+other[\\s\\n]+DoD[\\s\\n]+interest[\\s\\n]+computer[\\s\\n]+system[\\s\\n]+constitutes[\\s\\n]+consent[\\s\\n]+to[\\s\\n]+monitoring[\\s\\n]+at[\\s\\n]+all[\\s\\n]+times." -- usgcb_default: --[\s\n]+WARNING[\s\n]+--[\s\n]*This[\s\n]+system[\s\n]+is[\s\n]+for[\s\n]+the[\s\n]+use[\s\n]+of[\s\n]+authorized[\s\n]+users[\s\n]+only.[\s\n]+Individuals[\s\n]*using[\s\n]+this[\s\n]+computer[\s\n]+system[\s\n]+without[\s\n]+authority[\s\n]+or[\s\n]+in[\s\n]+excess[\s\n]+of[\s\n]+their[\s\n]*authority[\s\n]+are[\s\n]+subject[\s\n]+to[\s\n]+having[\s\n]+all[\s\n]+their[\s\n]+activities[\s\n]+on[\s\n]+this[\s\n]+system[\s\n]*monitored[\s\n]+and[\s\n]+recorded[\s\n]+by[\s\n]+system[\s\n]+personnel.[\s\n]+Anyone[\s\n]+using[\s\n]+this[\s\n]*system[\s\n]+expressly[\s\n]+consents[\s\n]+to[\s\n]+such[\s\n]+monitoring[\s\n]+and[\s\n]+is[\s\n]+advised[\s\n]+that[\s\n]*if[\s\n]+such[\s\n]+monitoring[\s\n]+reveals[\s\n]+possible[\s\n]+evidence[\s\n]+of[\s\n]+criminal[\s\n]+activity[\s\n]*system[\s\n]+personal[\s\n]+may[\s\n]+provide[\s\n]+the[\s\n]+evidence[\s\n]+of[\s\n]+such[\s\n]+monitoring[\s\n]+to[\s\n]+law[\s\n]*enforcement[\s\n]+officials. -+ dod_banners: {{{ banner_flexibler(banner_text="^(You are accessing a U.S. Government \(USG\) Information System \(IS\) that is provided for USG-authorized use only. By using this IS \(which includes any device attached to this IS\), you consent to the following conditions\:\n-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct \(PM\), law enforcement \(LE\), and counterintelligence \(CI\) investigations.\n-At any time, the USG may inspect and seize data stored on this IS.\n-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.\n-This IS includes security measures \(e.g., authentication and access controls\) to protect USG interests--not for your personal benefit or privacy.\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.|I\\'ve read \& consent to terms in IS user agreem\\'t.)$") }}} -+ dod_default: {{{ banner_flexibler(banner_text="You are accessing a U.S. Government \(USG\) Information System \(IS\) that is provided for USG-authorized use only. By using this IS \(which includes any device attached to this IS\), you consent to the following conditions\:\n-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct \(PM\), law enforcement \(LE\), and counterintelligence \(CI\) investigations.\n-At any time, the USG may inspect and seize data stored on this IS.\n-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.\n-This IS includes security measures \(e.g., authentication and access controls\) to protect USG interests--not for your personal benefit or privacy.\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.") }}} -+ dod_short: {{{ banner_flexibler(banner_text="I\\'ve read \& consent to terms in IS user agreem\\'t.") }}} -+ dss_odaa_default: {{{ banner_flexibler(banner_text="Use of this or any other DoD interest computer system constitutes consent to monitoring at all times. This is a DoD interest computer system. All DoD interest computer systems and related equipment are intended for the communication, transmission, processing, and storage of official U.S. Government or other authorized information only. All DoD interest computer systems are subject to monitoring at all times to ensure proper functioning of equipment and systems including security devices and systems, to prevent unauthorized use and violations of statutes and security regulations, to deter criminal activity, and for other similar purposes. Any user of a DoD interest computer system should be aware that any information placed in the system is subject to monitoring and is not subject to any expectation of privacy. If monitoring of this or any other DoD interest computer system reveals possible evidence of violation of criminal statutes, this evidence and any other related information, including identification information about the user, may be provided to law enforcement officials. If monitoring of this or any other DoD interest computer systems reveals violations of security regulations or unauthorized use, employees who violate security regulations or make unauthorized use of DoD interest computer systems are subject to appropriate disciplinary action. Use of this or any other DoD interest computer system constitutes consent to monitoring at all times.") }}} -+ usgcb_default: {{{ banner_flexibler(banner_text="-- WARNING -- This system is for the use of authorized users only. Individuals using this computer system without authority or in excess of their authority are subject to having all their activities on this system monitored and recorded by system personnel. Anyone using this system expressly consents to such monitoring and is advised that if such monitoring reveals possible evidence of criminal activity system personal may provide the evidence of such monitoring to law enforcement officials.") }}} -diff --git a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/bash/shared.sh b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/bash/shared.sh -index 9617934e4f..54bc576551 100644 ---- a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/bash/shared.sh -+++ b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/bash/shared.sh -@@ -3,7 +3,7 @@ - populate login_banner_text - - # There was a regular-expression matching various banners, needs to be expanded --expanded=$(echo "$login_banner_text" | sed 's/(\\\\\x27)\*/\\\x27/g;s/(\\\x27)\*//g;s/(\^\(.*\)\$|.*$/\1/g;s/\[\\s\\n\][+*]/ /g;s/\\//g;s/[^-]- /\n\n-/g;s/(n)\**//g') -+expanded=$(echo "$login_banner_text" | sed 's/(\\\\\x27)\*/\\\x27/g;s/(\\\x27)\*//g;s/(\^\(.*\)\$|.*$/\1/g;s/\[\\s\\n\]+/ /g;s/\\//g;s/\[n\]+/\n/g') - formatted=$(echo "$expanded" | fold -sw 80) - - cat </etc/issue -diff --git a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/tests/banner_etc_issue_disa_dod_default_banner_no_newline.fail.sh b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/tests/banner_etc_issue_disa_dod_default_banner_no_newline.fail.sh -new file mode 100644 -index 0000000000..00121bae96 ---- /dev/null -+++ b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/tests/banner_etc_issue_disa_dod_default_banner_no_newline.fail.sh -@@ -0,0 +1,19 @@ -+#!/bin/bash -+# -+# profiles = xccdf_org.ssgproject.content_profile_stig -+ -+# dod_default banner -+echo "You are accessing a U.S. Government (USG) Information System (IS) that is -+provided for USG-authorized use only. By using this IS (which includes any -+device attached to this IS), you consent to the following conditions:-The USG routinely intercepts and monitors communications on this IS for -+purposes including, but not limited to, penetration testing, COMSEC monitoring, -+network operations and defense, personnel misconduct (PM), law enforcement -+(LE), and counterintelligence (CI) investigations.-At any time, the USG may inspect and seize data stored on this IS.-Communications using, or data stored on, this IS are not private, are subject -+to routine monitoring, interception, and search, and may be disclosed or used -+for any USG-authorized purpose.-This IS includes security measures (e.g., authentication and access controls) -+to protect USG interests--not for your personal benefit or privacy.-Notwithstanding the above, using this IS does not constitute consent to PM, LE -+or CI investigative searching or monitoring of the content of privileged -+communications, or work product, related to personal representation or services -+by attorneys, psychotherapists, or clergy, and their assistants. Such -+communications and work product are private and confidential. See User -+Agreement for details." > /etc/issue -diff --git a/linux_os/guide/system/accounts/accounts-banners/login_banner_text.var b/linux_os/guide/system/accounts/accounts-banners/login_banner_text.var -index f3a4795bce..0c398bee9c 100644 ---- a/linux_os/guide/system/accounts/accounts-banners/login_banner_text.var -+++ b/linux_os/guide/system/accounts/accounts-banners/login_banner_text.var -@@ -4,7 +4,7 @@ title: 'Login Banner Verbiage' - - description: |- - Enter an appropriate login banner for your organization. Please note that new lines must -- be expressed by the '\n' character and special characters like parentheses and quotation marks must be escaped with '\'. -+ be expressed by the '\n' character and special characters like parentheses and quotation marks must be escaped with '\\'. - - type: string - -@@ -14,8 +14,8 @@ interactive: false - - options: - # First banner in 'dod_banners' must be the banner for desktop, laptop, and other devices which accomodate banners of 1300 characters -- dod_banners: (^You[\s\n]+are[\s\n]+accessing[\s\n]+a[\s\n]+U.S.[\s\n]+Government[\s\n]+\(USG\)[\s\n]+Information[\s\n]+System[\s\n]+\(IS\)[\s\n]+that[\s\n]+is[\s\n]+provided[\s\n]+for[\s\n]+USG-authorized[\s\n]+use[\s\n]+only.[\s\n]*By[\s\n]+using[\s\n]+this[\s\n]+IS[\s\n]+\(which[\s\n]+includes[\s\n]+any[\s\n]+device[\s\n]+attached[\s\n]+to[\s\n]+this[\s\n]+IS\),[\s\n]+you[\s\n]+consent[\s\n]+to[\s\n]+the[\s\n]+following[\s\n]+conditions\:(\\n)*(\n)*-[\s\n]*The[\s\n]+USG[\s\n]+routinely[\s\n]+intercepts[\s\n]+and[\s\n]+monitors[\s\n]+communications[\s\n]+on[\s\n]+this[\s\n]+IS[\s\n]+for[\s\n]+purposes[\s\n]+including,[\s\n]+but[\s\n]+not[\s\n]+limited[\s\n]+to,[\s\n]+penetration[\s\n]+testing,[\s\n]+COMSEC[\s\n]+monitoring,[\s\n]+network[\s\n]+operations[\s\n]+and[\s\n]+defense,[\s\n]+personnel[\s\n]+misconduct[\s\n]+\(PM\),[\s\n]+law[\s\n]+enforcement[\s\n]+\(LE\),[\s\n]+and[\s\n]+counterintelligence[\s\n]+\(CI\)[\s\n]+investigations.(\\n)*(\n)*-[\s\n]*At[\s\n]+any[\s\n]+time,[\s\n]+the[\s\n]+USG[\s\n]+may[\s\n]+inspect[\s\n]+and[\s\n]+seize[\s\n]+data[\s\n]+stored[\s\n]+on[\s\n]+this[\s\n]+IS.(\\n)*(\n)*-[\s\n]*Communications[\s\n]+using,[\s\n]+or[\s\n]+data[\s\n]+stored[\s\n]+on,[\s\n]+this[\s\n]+IS[\s\n]+are[\s\n]+not[\s\n]+private,[\s\n]+are[\s\n]+subject[\s\n]+to[\s\n]+routine[\s\n]+monitoring,[\s\n]+interception,[\s\n]+and[\s\n]+search,[\s\n]+and[\s\n]+may[\s\n]+be[\s\n]+disclosed[\s\n]+or[\s\n]+used[\s\n]+for[\s\n]+any[\s\n]+USG-authorized[\s\n]+purpose.(\\n)*(\n)*-[\s\n]*This[\s\n]+IS[\s\n]+includes[\s\n]+security[\s\n]+measures[\s\n]+\(e.g.,[\s\n]+authentication[\s\n]+and[\s\n]+access[\s\n]+controls\)[\s\n]+to[\s\n]+protect[\s\n]+USG[\s\n]+interests--not[\s\n]+for[\s\n]+your[\s\n]+personal[\s\n]+benefit[\s\n]+or[\s\n]+privacy.(\\n)*(\n)*-[\s\n]*Notwithstanding[\s\n]+the[\s\n]+above,[\s\n]+using[\s\n]+this[\s\n]+IS[\s\n]+does[\s\n]+not[\s\n]+constitute[\s\n]+consent[\s\n]+to[\s\n]+PM,[\s\n]+LE[\s\n]+or[\s\n]+CI[\s\n]+investigative[\s\n]+searching[\s\n]+or[\s\n]+monitoring[\s\n]+of[\s\n]+the[\s\n]+content[\s\n]+of[\s\n]+privileged[\s\n]+communications,[\s\n]+or[\s\n]+work[\s\n]+product,[\s\n]+related[\s\n]+to[\s\n]+personal[\s\n]+representation[\s\n]+or[\s\n]+services[\s\n]+by[\s\n]+attorneys,[\s\n]+psychotherapists,[\s\n]+or[\s\n]+clergy,[\s\n]+and[\s\n]+their[\s\n]+assistants.[\s\n]+Such[\s\n]+communications[\s\n]+and[\s\n]+work[\s\n]+product[\s\n]+are[\s\n]+private[\s\n]+and[\s\n]+confidential.[\s\n]+See[\s\n]+User[\s\n]+Agreement[\s\n]+for[\s\n]+details.$|^I\'ve[\s\n]+read[\s\n]+\&[\s\n]+consent[\s\n]+to[\s\n]+terms[\s\n]+in[\s\n]+IS[\s\n]+user[\s\n]+agreem\'t$) -- dod_default: You[\s\n]+are[\s\n]+accessing[\s\n]+a[\s\n]+U.S.[\s\n]+Government[\s\n]+\(USG\)[\s\n]+Information[\s\n]+System[\s\n]+\(IS\)[\s\n]+that[\s\n]+is[\s\n]+provided[\s\n]+for[\s\n]+USG-authorized[\s\n]+use[\s\n]+only.[\s\n]*By[\s\n]+using[\s\n]+this[\s\n]+IS[\s\n]+\(which[\s\n]+includes[\s\n]+any[\s\n]+device[\s\n]+attached[\s\n]+to[\s\n]+this[\s\n]+IS\),[\s\n]+you[\s\n]+consent[\s\n]+to[\s\n]+the[\s\n]+following[\s\n]+conditions\:(\\n)*(\n)*-[\s\n]*The[\s\n]+USG[\s\n]+routinely[\s\n]+intercepts[\s\n]+and[\s\n]+monitors[\s\n]+communications[\s\n]+on[\s\n]+this[\s\n]+IS[\s\n]+for[\s\n]+purposes[\s\n]+including,[\s\n]+but[\s\n]+not[\s\n]+limited[\s\n]+to,[\s\n]+penetration[\s\n]+testing,[\s\n]+COMSEC[\s\n]+monitoring,[\s\n]+network[\s\n]+operations[\s\n]+and[\s\n]+defense,[\s\n]+personnel[\s\n]+misconduct[\s\n]+\(PM\),[\s\n]+law[\s\n]+enforcement[\s\n]+\(LE\),[\s\n]+and[\s\n]+counterintelligence[\s\n]+\(CI\)[\s\n]+investigations.(\\n)*(\n)*-[\s\n]*At[\s\n]+any[\s\n]+time,[\s\n]+the[\s\n]+USG[\s\n]+may[\s\n]+inspect[\s\n]+and[\s\n]+seize[\s\n]+data[\s\n]+stored[\s\n]+on[\s\n]+this[\s\n]+IS.(\\n)*(\n)*-[\s\n]*Communications[\s\n]+using,[\s\n]+or[\s\n]+data[\s\n]+stored[\s\n]+on,[\s\n]+this[\s\n]+IS[\s\n]+are[\s\n]+not[\s\n]+private,[\s\n]+are[\s\n]+subject[\s\n]+to[\s\n]+routine[\s\n]+monitoring,[\s\n]+interception,[\s\n]+and[\s\n]+search,[\s\n]+and[\s\n]+may[\s\n]+be[\s\n]+disclosed[\s\n]+or[\s\n]+used[\s\n]+for[\s\n]+any[\s\n]+USG-authorized[\s\n]+purpose.(\\n)*(\n)*-[\s\n]*This[\s\n]+IS[\s\n]+includes[\s\n]+security[\s\n]+measures[\s\n]+\(e.g.,[\s\n]+authentication[\s\n]+and[\s\n]+access[\s\n]+controls\)[\s\n]+to[\s\n]+protect[\s\n]+USG[\s\n]+interests--not[\s\n]+for[\s\n]+your[\s\n]+personal[\s\n]+benefit[\s\n]+or[\s\n]+privacy.(\\n)*(\n)*-[\s\n]*Notwithstanding[\s\n]+the[\s\n]+above,[\s\n]+using[\s\n]+this[\s\n]+IS[\s\n]+does[\s\n]+not[\s\n]+constitute[\s\n]+consent[\s\n]+to[\s\n]+PM,[\s\n]+LE[\s\n]+or[\s\n]+CI[\s\n]+investigative[\s\n]+searching[\s\n]+or[\s\n]+monitoring[\s\n]+of[\s\n]+the[\s\n]+content[\s\n]+of[\s\n]+privileged[\s\n]+communications,[\s\n]+or[\s\n]+work[\s\n]+product,[\s\n]+related[\s\n]+to[\s\n]+personal[\s\n]+representation[\s\n]+or[\s\n]+services[\s\n]+by[\s\n]+attorneys,[\s\n]+psychotherapists,[\s\n]+or[\s\n]+clergy,[\s\n]+and[\s\n]+their[\s\n]+assistants.[\s\n]+Such[\s\n]+communications[\s\n]+and[\s\n]+work[\s\n]+product[\s\n]+are[\s\n]+private[\s\n]+and[\s\n]+confidential.[\s\n]+See[\s\n]+User[\s\n]+Agreement[\s\n]+for[\s\n]+details. -- dod_short: I(\\\')*(\')*ve[\s\n]+read[\s\n]+\&[\s\n]+consent[\s\n]+to[\s\n]+terms[\s\n]+in[\s\n]+IS[\s\n]+user[\s\n]+agreem\'t. -- dss_odaa_default: Use[\s\n]+of[\s\n]+this[\s\n]+or[\s\n]+any[\s\n]+other[\s\n]+DoD[\s\n]+interest[\s\n]+computer[\s\n]+system[\s\n]+constitutes[\s\n]+consent[\s\n]+to[\s\n]+monitoring[\s\n]+at[\s\n]+all[\s\n]+times.[\s\n]+This[\s\n]+is[\s\n]+a[\s\n]+DoD[\s\n]+interest[\s\n]+computer[\s\n]+system.[\s\n]+All[\s\n]+DoD[\s\n]+interest[\s\n]+computer[\s\n]+systems[\s\n]+and[\s\n]+related[\s\n]+equipment[\s\n]+are[\s\n]+intended[\s\n]+for[\s\n]+the[\s\n]+communication,[\s\n]+transmission,[\s\n]+processing,[\s\n]+and[\s\n]+storage[\s\n]+of[\s\n]+official[\s\n]+U.S.[\s\n]+Government[\s\n]+or[\s\n]+other[\s\n]+authorized[\s\n]+information[\s\n]+only.[\s\n]+All[\s\n]+DoD[\s\n]+interest[\s\n]+computer[\s\n]+systems[\s\n]+are[\s\n]+subject[\s\n]+to[\s\n]+monitoring[\s\n]+at[\s\n]+all[\s\n]+times[\s\n]+to[\s\n]+ensure[\s\n]+proper[\s\n]+functioning[\s\n]+of[\s\n]+equipment[\s\n]+and[\s\n]+systems[\s\n]+including[\s\n]+security[\s\n]+devices[\s\n]+and[\s\n]+systems,[\s\n]+to[\s\n]+prevent[\s\n]+unauthorized[\s\n]+use[\s\n]+and[\s\n]+violations[\s\n]+of[\s\n]+statutes[\s\n]+and[\s\n]+security[\s\n]+regulations,[\s\n]+to[\s\n]+deter[\s\n]+criminal[\s\n]+activity,[\s\n]+and[\s\n]+for[\s\n]+other[\s\n]+similar[\s\n]+purposes.[\s\n]+Any[\s\n]+user[\s\n]+of[\s\n]+a[\s\n]+DoD[\s\n]+interest[\s\n]+computer[\s\n]+system[\s\n]+should[\s\n]+be[\s\n]+aware[\s\n]+that[\s\n]+any[\s\n]+information[\s\n]+placed[\s\n]+in[\s\n]+the[\s\n]+system[\s\n]+is[\s\n]+subject[\s\n]+to[\s\n]+monitoring[\s\n]+and[\s\n]+is[\s\n]+not[\s\n]+subject[\s\n]+to[\s\n]+any[\s\n]+expectation[\s\n]+of[\s\n]+privacy.[\s\n]+If[\s\n]+monitoring[\s\n]+of[\s\n]+this[\s\n]+or[\s\n]+any[\s\n]+other[\s\n]+DoD[\s\n]+interest[\s\n]+computer[\s\n]+system[\s\n]+reveals[\s\n]+possible[\s\n]+evidence[\s\n]+of[\s\n]+violation[\s\n]+of[\s\n]+criminal[\s\n]+statutes,[\s\n]+this[\s\n]+evidence[\s\n]+and[\s\n]+any[\s\n]+other[\s\n]+related[\s\n]+information,[\s\n]+including[\s\n]+identification[\s\n]+information[\s\n]+about[\s\n]+the[\s\n]+user,[\s\n]+may[\s\n]+be[\s\n]+provided[\s\n]+to[\s\n]+law[\s\n]+enforcement[\s\n]+officials.[\s\n]+If[\s\n]+monitoring[\s\n]+of[\s\n]+this[\s\n]+or[\s\n]+any[\s\n]+other[\s\n]+DoD[\s\n]+interest[\s\n]+computer[\s\n]+systems[\s\n]+reveals[\s\n]+violations[\s\n]+of[\s\n]+security[\s\n]+regulations[\s\n]+or[\s\n]+unauthorized[\s\n]+use,[\s\n]+employees[\s\n]+who[\s\n]+violate[\s\n]+security[\s\n]+regulations[\s\n]+or[\s\n]+make[\s\n]+unauthorized[\s\n]+use[\s\n]+of[\s\n]+DoD[\s\n]+interest[\s\n]+computer[\s\n]+systems[\s\n]+are[\s\n]+subject[\s\n]+to[\s\n]+appropriate[\s\n]+disciplinary[\s\n]+action.[\s\n]+Use[\s\n]+of[\s\n]+this[\s\n]+or[\s\n]+any[\s\n]+other[\s\n]+DoD[\s\n]+interest[\s\n]+computer[\s\n]+system[\s\n]+constitutes[\s\n]+consent[\s\n]+to[\s\n]+monitoring[\s\n]+at[\s\n]+all[\s\n]+times. -- usgcb_default: --[\s\n]+WARNING[\s\n]+--[\s\n]*This[\s\n]+system[\s\n]+is[\s\n]+for[\s\n]+the[\s\n]+use[\s\n]+of[\s\n]+authorized[\s\n]+users[\s\n]+only.[\s\n]+Individuals[\s\n]*using[\s\n]+this[\s\n]+computer[\s\n]+system[\s\n]+without[\s\n]+authority[\s\n]+or[\s\n]+in[\s\n]+excess[\s\n]+of[\s\n]+their[\s\n]*authority[\s\n]+are[\s\n]+subject[\s\n]+to[\s\n]+having[\s\n]+all[\s\n]+their[\s\n]+activities[\s\n]+on[\s\n]+this[\s\n]+system[\s\n]*monitored[\s\n]+and[\s\n]+recorded[\s\n]+by[\s\n]+system[\s\n]+personnel.[\s\n]+Anyone[\s\n]+using[\s\n]+this[\s\n]*system[\s\n]+expressly[\s\n]+consents[\s\n]+to[\s\n]+such[\s\n]+monitoring[\s\n]+and[\s\n]+is[\s\n]+advised[\s\n]+that[\s\n]*if[\s\n]+such[\s\n]+monitoring[\s\n]+reveals[\s\n]+possible[\s\n]+evidence[\s\n]+of[\s\n]+criminal[\s\n]+activity[\s\n]*system[\s\n]+personal[\s\n]+may[\s\n]+provide[\s\n]+the[\s\n]+evidence[\s\n]+of[\s\n]+such[\s\n]+monitoring[\s\n]+to[\s\n]+law[\s\n]*enforcement[\s\n]+officials. -+ dod_banners: {{{ banner_flexibler(banner_text="^(You are accessing a U.S. Government \(USG\) Information System \(IS\) that is provided for USG-authorized use only. By using this IS \(which includes any device attached to this IS\), you consent to the following conditions\:\n-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct \(PM\), law enforcement \(LE\), and counterintelligence \(CI\) investigations.\n-At any time, the USG may inspect and seize data stored on this IS.\n-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.\n-This IS includes security measures \(e.g., authentication and access controls\) to protect USG interests--not for your personal benefit or privacy.\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.|I\\'ve read \& consent to terms in IS user agreem\\'t.)$") }}} -+ dod_default: {{{ banner_flexibler(banner_text="You are accessing a U.S. Government \(USG\) Information System \(IS\) that is provided for USG-authorized use only. By using this IS \(which includes any device attached to this IS\), you consent to the following conditions\:\n-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct \(PM\), law enforcement \(LE\), and counterintelligence \(CI\) investigations.\n-At any time, the USG may inspect and seize data stored on this IS.\n-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.\n-This IS includes security measures \(e.g., authentication and access controls\) to protect USG interests--not for your personal benefit or privacy.\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.") }}} -+ dod_short: {{{ banner_flexibler(banner_text="I\\'ve read \& consent to terms in IS user agreem\\'t.") }}} -+ dss_odaa_default: {{{ banner_flexibler(banner_text="Use of this or any other DoD interest computer system constitutes consent to monitoring at all times. This is a DoD interest computer system. All DoD interest computer systems and related equipment are intended for the communication, transmission, processing, and storage of official U.S. Government or other authorized information only. All DoD interest computer systems are subject to monitoring at all times to ensure proper functioning of equipment and systems including security devices and systems, to prevent unauthorized use and violations of statutes and security regulations, to deter criminal activity, and for other similar purposes. Any user of a DoD interest computer system should be aware that any information placed in the system is subject to monitoring and is not subject to any expectation of privacy. If monitoring of this or any other DoD interest computer system reveals possible evidence of violation of criminal statutes, this evidence and any other related information, including identification information about the user, may be provided to law enforcement officials. If monitoring of this or any other DoD interest computer systems reveals violations of security regulations or unauthorized use, employees who violate security regulations or make unauthorized use of DoD interest computer systems are subject to appropriate disciplinary action. Use of this or any other DoD interest computer system constitutes consent to monitoring at all times.") }}} -+ usgcb_default: {{{ banner_flexibler(banner_text="-- WARNING -- This system is for the use of authorized users only. Individuals using this computer system without authority or in excess of their authority are subject to having all their activities on this system monitored and recorded by system personnel. Anyone using this system expressly consents to such monitoring and is advised that if such monitoring reveals possible evidence of criminal activity system personal may provide the evidence of such monitoring to law enforcement officials.") }}} -diff --git a/shared/macros.jinja b/shared/macros.jinja -index 8a25acc937..3c617040bf 100644 ---- a/shared/macros.jinja -+++ b/shared/macros.jinja -@@ -657,3 +657,7 @@ openssl() - ) - - {{%- endmacro %}} -+ -+{{% macro banner_flexibler(banner_text) -%}} -+{{{ banner_text|replace("\n", "BFLMPSVZ")|replace(" ", "[\s\\n]+")|replace("BFLMPSVZ", "[\\n]+") }}} -+{{% endmacro %}} -diff --git a/ssg/build_yaml.py b/ssg/build_yaml.py -index 357d0e8d99..700e496246 100644 ---- a/ssg/build_yaml.py -+++ b/ssg/build_yaml.py -@@ -327,7 +327,7 @@ def __init__(self, id_): - - @staticmethod - def from_yaml(yaml_file, env_yaml=None): -- yaml_contents = open_and_expand(yaml_file, env_yaml) -+ yaml_contents = open_and_macro_expand(yaml_file, env_yaml) - if yaml_contents is None: - return None - - -From 23185944dd5db08cfee599c62717f1b0f23df683 Mon Sep 17 00:00:00 2001 -From: Watson Sato -Date: Thu, 27 Feb 2020 18:03:37 +0100 -Subject: [PATCH 02/27] Fix stripping of short banner from dod_banners - -Format of dod_banners changed a bit, and stripping of tailing -short dod banner got broken. - -Goal of dod_banners is to check for either long or shord DoD, but -default to remediating with the long banner. ---- - .../accounts/accounts-banners/banner_etc_issue/bash/shared.sh | 2 +- - .../dconf_gnome_login_banner_text/bash/shared.sh | 2 +- - 2 files changed, 2 insertions(+), 2 deletions(-) - -diff --git a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/bash/shared.sh b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/bash/shared.sh -index 54bc576551..1b2052a658 100644 ---- a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/bash/shared.sh -+++ b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/bash/shared.sh -@@ -3,7 +3,7 @@ - populate login_banner_text - - # There was a regular-expression matching various banners, needs to be expanded --expanded=$(echo "$login_banner_text" | sed 's/(\\\\\x27)\*/\\\x27/g;s/(\\\x27)\*//g;s/(\^\(.*\)\$|.*$/\1/g;s/\[\\s\\n\]+/ /g;s/\\//g;s/\[n\]+/\n/g') -+expanded=$(echo "$login_banner_text" | sed 's/(\\\\\x27)\*/\\\x27/g;s/(\\\x27)\*//g;s/\^(\(.*\)|.*$/\1/g;s/\[\\s\\n\]+/ /g;s/\\//g;s/\[n\]+/\n/g') - formatted=$(echo "$expanded" | fold -sw 80) - - cat </etc/issue -diff --git a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/bash/shared.sh b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/bash/shared.sh -index 1614098c8c..bc6a31bc74 100644 ---- a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/bash/shared.sh -+++ b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/bash/shared.sh -@@ -2,7 +2,7 @@ - . /usr/share/scap-security-guide/remediation_functions - populate login_banner_text - --expanded=$(echo "$login_banner_text" | sed 's/(\\\\\x27)\*/\\\x27/g;s/(\\\x27)\*//g;s/(\\\\\x27)/tamere/g;s/(\^\(.*\)\$|.*$/\1/g;s/\[\\s\\n\][+*]/ /g;s/\\//g;s/(n)\*/\\n/g;s/\x27/\\\x27/g;') -+expanded=$(echo "$login_banner_text" | sed 's/(\\\\\x27)\*/\\\x27/g;s/(\\\x27)\*//g;s/(\\\\\x27)/tamere/g;s/\^(\(.*\)|.*$/\1/g;s/\[\\s\\n\][+*]/ /g;s/\\//g;s/(n)\*/\\n/g;s/\x27/\\\x27/g;') - - {{{ bash_dconf_settings("org/gnome/login-screen", "banner-message-text", "'${expanded}'", "gdm.d", "00-security-settings") }}} - {{{ bash_dconf_lock("org/gnome/login-screen", "banner-message-text", "gdm.d", "00-security-settings-lock") }}} - -From ed7a96bc41d31ceeeb6b75b2a9565521f4f3eda5 Mon Sep 17 00:00:00 2001 -From: Watson Sato -Date: Mon, 2 Mar 2020 17:31:49 +0100 -Subject: [PATCH 03/27] Fix test scenarios for OSPP profile - -OSPP profile doesn't select banner_etc_issue ---- - ...banner_etc_issue_ospp_usbcg_banner.fail.sh | 2 +- - ...banner_etc_issue_ospp_usbcg_banner.pass.sh | 30 +++++++++++++------ - 2 files changed, 22 insertions(+), 10 deletions(-) - -diff --git a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/tests/banner_etc_issue_ospp_usbcg_banner.fail.sh b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/tests/banner_etc_issue_ospp_usbcg_banner.fail.sh -index db0b72089c..0f962279be 100644 ---- a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/tests/banner_etc_issue_ospp_usbcg_banner.fail.sh -+++ b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/tests/banner_etc_issue_ospp_usbcg_banner.fail.sh -@@ -1,5 +1,5 @@ - #!/bin/bash - # --# profiles = xccdf_org.ssgproject.content_profile_ospp -+# profiles = xccdf_org.ssgproject.content_profile_stig - - echo "This is not the expected banner" > /etc/issue -diff --git a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/tests/banner_etc_issue_ospp_usbcg_banner.pass.sh b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/tests/banner_etc_issue_ospp_usbcg_banner.pass.sh -index d36b3a146b..9bb0319323 100644 ---- a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/tests/banner_etc_issue_ospp_usbcg_banner.pass.sh -+++ b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/tests/banner_etc_issue_ospp_usbcg_banner.pass.sh -@@ -1,12 +1,24 @@ - #!/bin/bash - # --# profiles = xccdf_org.ssgproject.content_profile_ospp -+# profiles = xccdf_org.ssgproject.content_profile_stig - --# usgcb_default banner --echo "-- WARNING -- This system is for the use of authorized users only. Individuals --using this computer system without authority or in excess of their authority --are subject to having all their activities on this system monitored and --recorded by system personnel. Anyone using this system expressly consents to --such monitoring and is advised that if such monitoring reveals possible --evidence of criminal activity system personal may provide the evidence of such --monitoring to law enforcement officials." > /etc/issue -+# dod_banners banner -+echo "You are accessing a U.S. Government (USG) Information System (IS) that is -+provided for USG-authorized use only. By using this IS (which includes any -+device attached to this IS), you consent to the following conditions: -+-The USG routinely intercepts and monitors communications on this IS for -+purposes including, but not limited to, penetration testing, COMSEC monitoring, -+network operations and defense, personnel misconduct (PM), law enforcement -+(LE), and counterintelligence (CI) investigations. -+-At any time, the USG may inspect and seize data stored on this IS. -+-Communications using, or data stored on, this IS are not private, are subject -+to routine monitoring, interception, and search, and may be disclosed or used -+for any USG-authorized purpose. -+-This IS includes security measures (e.g., authentication and access controls) -+to protect USG interests--not for your personal benefit or privacy. -+-Notwithstanding the above, using this IS does not constitute consent to PM, LE -+or CI investigative searching or monitoring of the content of privileged -+communications, or work product, related to personal representation or services -+by attorneys, psychotherapists, or clergy, and their assistants. Such -+communications and work product are private and confidential. See User -+Agreement for details." > /etc/issue - -From c0e947ab378de0c3c45b1a0be0b3f7a239c3d6f4 Mon Sep 17 00:00:00 2001 -From: Watson Sato -Date: Tue, 3 Mar 2020 10:26:40 +0100 -Subject: [PATCH 04/27] Update test scenario metadata for banner tests - ---- - .../dconf_gnome_login_banner_text/tests/correct_value.pass.sh | 1 + - .../tests/correct_value_stig.pass.sh | 2 +- - .../tests/missing_value_stig.fail.sh | 2 +- - .../dconf_gnome_login_banner_text/tests/wrong_value.fail.sh | 1 + - .../tests/wrong_value_stig.fail.sh | 2 +- - 5 files changed, 5 insertions(+), 3 deletions(-) - -diff --git a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/correct_value.pass.sh b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/correct_value.pass.sh -index 2c92fcbeb8..230a8b0a22 100644 ---- a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/correct_value.pass.sh -+++ b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/correct_value.pass.sh -@@ -1,4 +1,5 @@ - #!/bin/bash -+# platform = Red Hat Enterprise Linux 7 - # profiles = xccdf_org.ssgproject.content_profile_ncp - - source $SHARED/dconf_test_functions.sh -diff --git a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/correct_value_stig.pass.sh b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/correct_value_stig.pass.sh -index 8a142b740e..d59f9071f0 100644 ---- a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/correct_value_stig.pass.sh -+++ b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/correct_value_stig.pass.sh -@@ -1,5 +1,5 @@ - #!/bin/bash --# platform = Red Hat Enterprise Linux 7 -+# platform = Red Hat Enterprise Linux 7, Red Hat Enterprise Linux 8 - # profiles = xccdf_org.ssgproject.content_profile_stig - - source $SHARED/dconf_test_functions.sh -diff --git a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/missing_value_stig.fail.sh b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/missing_value_stig.fail.sh -index 1fea01471e..9638681130 100644 ---- a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/missing_value_stig.fail.sh -+++ b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/missing_value_stig.fail.sh -@@ -1,5 +1,5 @@ - #!/bin/bash --# platform = Red Hat Enterprise Linux 7 -+# platform = Red Hat Enterprise Linux 7, Red Hat Enterprise Linux 8 - # profiles = xccdf_org.ssgproject.content_profile_stig - - source $SHARED/dconf_test_functions.sh -diff --git a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/wrong_value.fail.sh b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/wrong_value.fail.sh -index af4ea0ab82..7f7123a8be 100644 ---- a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/wrong_value.fail.sh -+++ b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/wrong_value.fail.sh -@@ -1,4 +1,5 @@ - #!/bin/bash -+# platform = Red Hat Enterprise Linux 7 - # profiles = xccdf_org.ssgproject.content_profile_ncp - - source $SHARED/dconf_test_functions.sh -diff --git a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/wrong_value_stig.fail.sh b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/wrong_value_stig.fail.sh -index e0f43ec001..cd65f885a2 100644 ---- a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/wrong_value_stig.fail.sh -+++ b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/wrong_value_stig.fail.sh -@@ -1,5 +1,5 @@ - #!/bin/bash --# platform = Red Hat Enterprise Linux 7 -+# platform = Red Hat Enterprise Linux 7, Red Hat Enterprise Linux 8 - # profiles = xccdf_org.ssgproject.content_profile_stig - - source $SHARED/dconf_test_functions.sh - -From 12f6616d83a23de27ebca932710a8128474068ff Mon Sep 17 00:00:00 2001 -From: Watson Sato -Date: Tue, 3 Mar 2020 10:28:07 +0100 -Subject: [PATCH 05/27] Fix text of banners, remove space after dash - -Per DISA STIG reference, there is no space after the list items. ---- - .../dconf_gnome_login_banner_text/bash/shared.sh | 2 +- - .../tests/correct_value_stig.pass.sh | 2 +- - 2 files changed, 2 insertions(+), 2 deletions(-) - -diff --git a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/bash/shared.sh b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/bash/shared.sh -index bc6a31bc74..d9dca1bef9 100644 ---- a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/bash/shared.sh -+++ b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/bash/shared.sh -@@ -2,7 +2,7 @@ - . /usr/share/scap-security-guide/remediation_functions - populate login_banner_text - --expanded=$(echo "$login_banner_text" | sed 's/(\\\\\x27)\*/\\\x27/g;s/(\\\x27)\*//g;s/(\\\\\x27)/tamere/g;s/\^(\(.*\)|.*$/\1/g;s/\[\\s\\n\][+*]/ /g;s/\\//g;s/(n)\*/\\n/g;s/\x27/\\\x27/g;') -+expanded=$(echo "$login_banner_text" | sed 's/(\\\\\x27)\*/\\\x27/g;s/(\\\x27)\*//g;s/(\\\\\x27)/tamere/g;s/\^(\(.*\)|.*$/\1/g;s/\[\\s\\n\]+/ /g;s/\\//g;s/(n)\*/\\n/g;s/\x27/\\\x27/g;') - - {{{ bash_dconf_settings("org/gnome/login-screen", "banner-message-text", "'${expanded}'", "gdm.d", "00-security-settings") }}} - {{{ bash_dconf_lock("org/gnome/login-screen", "banner-message-text", "gdm.d", "00-security-settings-lock") }}} -diff --git a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/correct_value_stig.pass.sh b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/correct_value_stig.pass.sh -index d59f9071f0..dca4b8e99b 100644 ---- a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/correct_value_stig.pass.sh -+++ b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/correct_value_stig.pass.sh -@@ -6,7 +6,7 @@ source $SHARED/dconf_test_functions.sh - - install_dconf_and_gdm_if_needed - --login_banner_text="(^You[\s\n]+are[\s\n]+accessing[\s\n]+a[\s\n]+U.S.[\s\n]+Government[\s\n]+\(USG\)[\s\n]+Information[\s\n]+System[\s\n]+\(IS\)[\s\n]+that[\s\n]+is[\s\n]+provided[\s\n]+for[\s\n]+USG-authorized[\s\n]+use[\s\n]+only.[\s\n]*By[\s\n]+using[\s\n]+this[\s\n]+IS[\s\n]+\(which[\s\n]+includes[\s\n]+any[\s\n]+device[\s\n]+attached[\s\n]+to[\s\n]+this[\s\n]+IS\),[\s\n]+you[\s\n]+consent[\s\n]+to[\s\n]+the[\s\n]+following[\s\n]+conditions\:(\\n)*(\n)*-[\s\n]*The[\s\n]+USG[\s\n]+routinely[\s\n]+intercepts[\s\n]+and[\s\n]+monitors[\s\n]+communications[\s\n]+on[\s\n]+this[\s\n]+IS[\s\n]+for[\s\n]+purposes[\s\n]+including,[\s\n]+but[\s\n]+not[\s\n]+limited[\s\n]+to,[\s\n]+penetration[\s\n]+testing,[\s\n]+COMSEC[\s\n]+monitoring,[\s\n]+network[\s\n]+operations[\s\n]+and[\s\n]+defense,[\s\n]+personnel[\s\n]+misconduct[\s\n]+\(PM\),[\s\n]+law[\s\n]+enforcement[\s\n]+\(LE\),[\s\n]+and[\s\n]+counterintelligence[\s\n]+\(CI\)[\s\n]+investigations.(\\n)*(\n)*-[\s\n]*At[\s\n]+any[\s\n]+time,[\s\n]+the[\s\n]+USG[\s\n]+may[\s\n]+inspect[\s\n]+and[\s\n]+seize[\s\n]+data[\s\n]+stored[\s\n]+on[\s\n]+this[\s\n]+IS.(\\n)*(\n)*-[\s\n]*Communications[\s\n]+using,[\s\n]+or[\s\n]+data[\s\n]+stored[\s\n]+on,[\s\n]+this[\s\n]+IS[\s\n]+are[\s\n]+not[\s\n]+private,[\s\n]+are[\s\n]+subject[\s\n]+to[\s\n]+routine[\s\n]+monitoring,[\s\n]+interception,[\s\n]+and[\s\n]+search,[\s\n]+and[\s\n]+may[\s\n]+be[\s\n]+disclosed[\s\n]+or[\s\n]+used[\s\n]+for[\s\n]+any[\s\n]+USG-authorized[\s\n]+purpose.(\\n)*(\n)*-[\s\n]*This[\s\n]+IS[\s\n]+includes[\s\n]+security[\s\n]+measures[\s\n]+\(e.g.,[\s\n]+authentication[\s\n]+and[\s\n]+access[\s\n]+controls\)[\s\n]+to[\s\n]+protect[\s\n]+USG[\s\n]+interests--not[\s\n]+for[\s\n]+your[\s\n]+personal[\s\n]+benefit[\s\n]+or[\s\n]+privacy.(\\n)*(\n)*-[\s\n]*Notwithstanding[\s\n]+the[\s\n]+above,[\s\n]+using[\s\n]+this[\s\n]+IS[\s\n]+does[\s\n]+not[\s\n]+constitute[\s\n]+consent[\s\n]+to[\s\n]+PM,[\s\n]+LE[\s\n]+or[\s\n]+CI[\s\n]+investigative[\s\n]+searching[\s\n]+or[\s\n]+monitoring[\s\n]+of[\s\n]+the[\s\n]+content[\s\n]+of[\s\n]+privileged[\s\n]+communications,[\s\n]+or[\s\n]+work[\s\n]+product,[\s\n]+related[\s\n]+to[\s\n]+personal[\s\n]+representation[\s\n]+or[\s\n]+services[\s\n]+by[\s\n]+attorneys,[\s\n]+psychotherapists,[\s\n]+or[\s\n]+clergy,[\s\n]+and[\s\n]+their[\s\n]+assistants.[\s\n]+Such[\s\n]+communications[\s\n]+and[\s\n]+work[\s\n]+product[\s\n]+are[\s\n]+private[\s\n]+and[\s\n]+confidential.[\s\n]+See[\s\n]+User[\s\n]+Agreement[\s\n]+for[\s\n]+details.$|^I\'ve[\s\n]+read[\s\n]+\&[\s\n]+consent[\s\n]+to[\s\n]+terms[\s\n]+in[\s\n]+IS[\s\n]+user[\s\n]+agreem\'t$)" -+login_banner_text="(^You[\s\n]+are[\s\n]+accessing[\s\n]+a[\s\n]+U.S.[\s\n]+Government[\s\n]+\(USG\)[\s\n]+Information[\s\n]+System[\s\n]+\(IS\)[\s\n]+that[\s\n]+is[\s\n]+provided[\s\n]+for[\s\n]+USG-authorized[\s\n]+use[\s\n]+only.[\s\n]*By[\s\n]+using[\s\n]+this[\s\n]+IS[\s\n]+\(which[\s\n]+includes[\s\n]+any[\s\n]+device[\s\n]+attached[\s\n]+to[\s\n]+this[\s\n]+IS\),[\s\n]+you[\s\n]+consent[\s\n]+to[\s\n]+the[\s\n]+following[\s\n]+conditions\:(\\n)*(\n)*-The[\s\n]+USG[\s\n]+routinely[\s\n]+intercepts[\s\n]+and[\s\n]+monitors[\s\n]+communications[\s\n]+on[\s\n]+this[\s\n]+IS[\s\n]+for[\s\n]+purposes[\s\n]+including,[\s\n]+but[\s\n]+not[\s\n]+limited[\s\n]+to,[\s\n]+penetration[\s\n]+testing,[\s\n]+COMSEC[\s\n]+monitoring,[\s\n]+network[\s\n]+operations[\s\n]+and[\s\n]+defense,[\s\n]+personnel[\s\n]+misconduct[\s\n]+\(PM\),[\s\n]+law[\s\n]+enforcement[\s\n]+\(LE\),[\s\n]+and[\s\n]+counterintelligence[\s\n]+\(CI\)[\s\n]+investigations.(\\n)*(\n)*-At[\s\n]+any[\s\n]+time,[\s\n]+the[\s\n]+USG[\s\n]+may[\s\n]+inspect[\s\n]+and[\s\n]+seize[\s\n]+data[\s\n]+stored[\s\n]+on[\s\n]+this[\s\n]+IS.(\\n)*(\n)*-Communications[\s\n]+using,[\s\n]+or[\s\n]+data[\s\n]+stored[\s\n]+on,[\s\n]+this[\s\n]+IS[\s\n]+are[\s\n]+not[\s\n]+private,[\s\n]+are[\s\n]+subject[\s\n]+to[\s\n]+routine[\s\n]+monitoring,[\s\n]+interception,[\s\n]+and[\s\n]+search,[\s\n]+and[\s\n]+may[\s\n]+be[\s\n]+disclosed[\s\n]+or[\s\n]+used[\s\n]+for[\s\n]+any[\s\n]+USG-authorized[\s\n]+purpose.(\\n)*(\n)*-This[\s\n]+IS[\s\n]+includes[\s\n]+security[\s\n]+measures[\s\n]+\(e.g.,[\s\n]+authentication[\s\n]+and[\s\n]+access[\s\n]+controls\)[\s\n]+to[\s\n]+protect[\s\n]+USG[\s\n]+interests--not[\s\n]+for[\s\n]+your[\s\n]+personal[\s\n]+benefit[\s\n]+or[\s\n]+privacy.(\\n)*(\n)*-Notwithstanding[\s\n]+the[\s\n]+above,[\s\n]+using[\s\n]+this[\s\n]+IS[\s\n]+does[\s\n]+not[\s\n]+constitute[\s\n]+consent[\s\n]+to[\s\n]+PM,[\s\n]+LE[\s\n]+or[\s\n]+CI[\s\n]+investigative[\s\n]+searching[\s\n]+or[\s\n]+monitoring[\s\n]+of[\s\n]+the[\s\n]+content[\s\n]+of[\s\n]+privileged[\s\n]+communications,[\s\n]+or[\s\n]+work[\s\n]+product,[\s\n]+related[\s\n]+to[\s\n]+personal[\s\n]+representation[\s\n]+or[\s\n]+services[\s\n]+by[\s\n]+attorneys,[\s\n]+psychotherapists,[\s\n]+or[\s\n]+clergy,[\s\n]+and[\s\n]+their[\s\n]+assistants.[\s\n]+Such[\s\n]+communications[\s\n]+and[\s\n]+work[\s\n]+product[\s\n]+are[\s\n]+private[\s\n]+and[\s\n]+confidential.[\s\n]+See[\s\n]+User[\s\n]+Agreement[\s\n]+for[\s\n]+details.$|^I\'ve[\s\n]+read[\s\n]+\&[\s\n]+consent[\s\n]+to[\s\n]+terms[\s\n]+in[\s\n]+IS[\s\n]+user[\s\n]+agreem\'t$)" - expanded=$(echo "$login_banner_text" | sed 's/(\\\\\x27)\*/\\\x27/g;s/(\\\x27)\*//g;s/(\\\\\x27)/tamere/g;s/(\^\(.*\)\$|.*$/\1/g;s/\[\\s\\n\][+*]/ /g;s/\\//g;s/(n)\*/\\n/g;s/\x27/\\\x27/g;') - - clean_dconf_settings - -From b09ddb6a040c980ccf1c55d3f4fe700953195d77 Mon Sep 17 00:00:00 2001 -From: Watson Sato -Date: Tue, 3 Mar 2020 11:01:25 +0100 -Subject: [PATCH 06/27] Make banner compatible with console and dconf - -The banner in /etc/issue is expected to have actual newlines, while the -banner in /etc/dconf/db/gdm.d/ is expected to have the escape sequence -'\n'. - -This commit transforms the newline from the input banner into a regex -that matches either the newline or the escape sequence. - -During remediation, each rule will replace the regular expression for -the correct "version" of the newline. ---- - .../accounts/accounts-banners/banner_etc_issue/bash/shared.sh | 2 +- - .../dconf_gnome_login_banner_text/bash/shared.sh | 2 +- - shared/macros.jinja | 2 +- - 3 files changed, 3 insertions(+), 3 deletions(-) - -diff --git a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/bash/shared.sh b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/bash/shared.sh -index 1b2052a658..fcaaa2c794 100644 ---- a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/bash/shared.sh -+++ b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/bash/shared.sh -@@ -3,7 +3,7 @@ - populate login_banner_text - - # There was a regular-expression matching various banners, needs to be expanded --expanded=$(echo "$login_banner_text" | sed 's/(\\\\\x27)\*/\\\x27/g;s/(\\\x27)\*//g;s/\^(\(.*\)|.*$/\1/g;s/\[\\s\\n\]+/ /g;s/\\//g;s/\[n\]+/\n/g') -+expanded=$(echo "$login_banner_text" | sed 's/(\\\\\x27)\*/\\\x27/g;s/(\\\x27)\*//g;s/\^(\(.*\)|.*$/\1/g;s/\[\\s\\n\]+/ /g;s/(?:\[\\n\]+|(?:\\n)+)/\n/g;s/\\//g;') - formatted=$(echo "$expanded" | fold -sw 80) - - cat </etc/issue -diff --git a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/bash/shared.sh b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/bash/shared.sh -index d9dca1bef9..2b51e7c94c 100644 ---- a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/bash/shared.sh -+++ b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/bash/shared.sh -@@ -2,7 +2,7 @@ - . /usr/share/scap-security-guide/remediation_functions - populate login_banner_text - --expanded=$(echo "$login_banner_text" | sed 's/(\\\\\x27)\*/\\\x27/g;s/(\\\x27)\*//g;s/(\\\\\x27)/tamere/g;s/\^(\(.*\)|.*$/\1/g;s/\[\\s\\n\]+/ /g;s/\\//g;s/(n)\*/\\n/g;s/\x27/\\\x27/g;') -+expanded=$(echo "$login_banner_text" | sed 's/(\\\\\x27)\*/\\\x27/g;s/(\\\x27)\*//g;s/(\\\\\x27)/tamere/g;s/\^(\(.*\)|.*$/\1/g;s/\[\\s\\n\]+/ /g;s/(?:\[\\n\]+|(?:\\n)+)/(n)\*/g;s/\\//g;s/(n)\*/\\n/g;s/\x27/\\\x27/g;') - - {{{ bash_dconf_settings("org/gnome/login-screen", "banner-message-text", "'${expanded}'", "gdm.d", "00-security-settings") }}} - {{{ bash_dconf_lock("org/gnome/login-screen", "banner-message-text", "gdm.d", "00-security-settings-lock") }}} -diff --git a/shared/macros.jinja b/shared/macros.jinja -index 3c617040bf..b178088f0c 100644 ---- a/shared/macros.jinja -+++ b/shared/macros.jinja -@@ -659,5 +659,5 @@ openssl() - {{%- endmacro %}} - - {{% macro banner_flexibler(banner_text) -%}} --{{{ banner_text|replace("\n", "BFLMPSVZ")|replace(" ", "[\s\\n]+")|replace("BFLMPSVZ", "[\\n]+") }}} -+{{{ banner_text|replace("\n", "BFLMPSVZ")|replace(" ", "[\s\\n]+")|replace("BFLMPSVZ", "(?:[\\n]+|(?:\\\\n)+)") }}} - {{% endmacro %}} - -From fc6fe07f12faac1023b65551eaa82dc50e12303b Mon Sep 17 00:00:00 2001 -From: Watson Sato -Date: Tue, 3 Mar 2020 12:46:30 +0100 -Subject: [PATCH 07/27] Simplify banner remediation regexes - -Remove unneded sed's for single quote (\x27) ---- - .../accounts/accounts-banners/banner_etc_issue/bash/shared.sh | 2 +- - .../dconf_gnome_login_banner_text/bash/shared.sh | 2 +- - 2 files changed, 2 insertions(+), 2 deletions(-) - -diff --git a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/bash/shared.sh b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/bash/shared.sh -index fcaaa2c794..5d079e9271 100644 ---- a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/bash/shared.sh -+++ b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/bash/shared.sh -@@ -3,7 +3,7 @@ - populate login_banner_text - - # There was a regular-expression matching various banners, needs to be expanded --expanded=$(echo "$login_banner_text" | sed 's/(\\\\\x27)\*/\\\x27/g;s/(\\\x27)\*//g;s/\^(\(.*\)|.*$/\1/g;s/\[\\s\\n\]+/ /g;s/(?:\[\\n\]+|(?:\\n)+)/\n/g;s/\\//g;') -+expanded=$(echo "$login_banner_text" | sed 's/\^(\(.*\)|.*$/\1/g;s/\[\\s\\n\]+/ /g;s/(?:\[\\n\]+|(?:\\n)+)/\n/g;s/\\//g;') - formatted=$(echo "$expanded" | fold -sw 80) - - cat </etc/issue -diff --git a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/bash/shared.sh b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/bash/shared.sh -index 2b51e7c94c..568942e892 100644 ---- a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/bash/shared.sh -+++ b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/bash/shared.sh -@@ -2,7 +2,7 @@ - . /usr/share/scap-security-guide/remediation_functions - populate login_banner_text - --expanded=$(echo "$login_banner_text" | sed 's/(\\\\\x27)\*/\\\x27/g;s/(\\\x27)\*//g;s/(\\\\\x27)/tamere/g;s/\^(\(.*\)|.*$/\1/g;s/\[\\s\\n\]+/ /g;s/(?:\[\\n\]+|(?:\\n)+)/(n)\*/g;s/\\//g;s/(n)\*/\\n/g;s/\x27/\\\x27/g;') -+expanded=$(echo "$login_banner_text" | sed 's/\^(\(.*\)|.*$/\1/g;s/\[\\s\\n\]+/ /g;s/(?:\[\\n\]+|(?:\\n)+)/(n)\*/g;s/\\//g;s/(n)\*/\\n/g;') - - {{{ bash_dconf_settings("org/gnome/login-screen", "banner-message-text", "'${expanded}'", "gdm.d", "00-security-settings") }}} - {{{ bash_dconf_lock("org/gnome/login-screen", "banner-message-text", "gdm.d", "00-security-settings-lock") }}} - -From f94f4ba5a5d650c5ae50f83d59b7464e7f785b9d Mon Sep 17 00:00:00 2001 -From: Watson Sato -Date: Tue, 3 Mar 2020 12:48:10 +0100 -Subject: [PATCH 08/27] Document what the regexes do in the banner - ---- - .../accounts-banners/banner_etc_issue/bash/shared.sh | 7 ++++++- - .../dconf_gnome_login_banner_text/bash/shared.sh | 8 ++++++++ - 2 files changed, 14 insertions(+), 1 deletion(-) - -diff --git a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/bash/shared.sh b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/bash/shared.sh -index 5d079e9271..07b88bf039 100644 ---- a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/bash/shared.sh -+++ b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/bash/shared.sh -@@ -2,7 +2,12 @@ - . /usr/share/scap-security-guide/remediation_functions - populate login_banner_text - --# There was a regular-expression matching various banners, needs to be expanded -+# Multiple regexes transform the banner regex into a usable banner -+# 1 - Keep only the first banners if there are multiple, and remove wrapping regex syntax. -+# (dod_banners contains the long and shor banner) -+# 2- Add spaces ' '. (Transforms regex for "space or newline" into a " ") -+# 3- Adds newlines. (Transforms "(?:\[\\n\]+|(?:\\n)+)" into "\n") -+# 4- Remove any leftover backslash. (From any parethesis in the banner, for example). - expanded=$(echo "$login_banner_text" | sed 's/\^(\(.*\)|.*$/\1/g;s/\[\\s\\n\]+/ /g;s/(?:\[\\n\]+|(?:\\n)+)/\n/g;s/\\//g;') - formatted=$(echo "$expanded" | fold -sw 80) - -diff --git a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/bash/shared.sh b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/bash/shared.sh -index 568942e892..658205bd2c 100644 ---- a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/bash/shared.sh -+++ b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/bash/shared.sh -@@ -2,6 +2,14 @@ - . /usr/share/scap-security-guide/remediation_functions - populate login_banner_text - -+# Multiple regexes transform the banner regex into a usable banner -+# 1 - Keep only the first banners if there are multiple, and remove wrapping regex syntax. -+# (dod_banners contains the long and shor banner) -+# 2- Add spaces ' '. (Transforms regex for "space or newline" into a " ") -+# 3- Adds newline "tokens". (Transforms "(?:\[\\n\]+|(?:\\n)+)" into "(n)*") -+# 4- Remove any leftover backslash. (From any parethesis in the banner, for example). -+# 5- Removes the newline "token." (Transforms them into newline escape sequences "\n"). -+# ( Needs to be done after 4, otherwise the escapce sequence will become just "n". - expanded=$(echo "$login_banner_text" | sed 's/\^(\(.*\)|.*$/\1/g;s/\[\\s\\n\]+/ /g;s/(?:\[\\n\]+|(?:\\n)+)/(n)\*/g;s/\\//g;s/(n)\*/\\n/g;') - - {{{ bash_dconf_settings("org/gnome/login-screen", "banner-message-text", "'${expanded}'", "gdm.d", "00-security-settings") }}} - -From b7545c3ab81758f89e034fdab7f2c573f287d770 Mon Sep 17 00:00:00 2001 -From: Watson Sato -Date: Tue, 3 Mar 2020 12:49:02 +0100 -Subject: [PATCH 09/27] Add rule to check dconf banner - -The STIG profile sets the banner, and checks whether it is enabled for -dconf, but never checked the banner text. ---- - rhel8/profiles/stig.profile | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/rhel8/profiles/stig.profile b/rhel8/profiles/stig.profile -index 7eb1869a3c..f315df7d06 100644 ---- a/rhel8/profiles/stig.profile -+++ b/rhel8/profiles/stig.profile -@@ -21,6 +21,7 @@ extends: ospp - - login_banner_text=dod_banners - - dconf_db_up_to_date - - dconf_gnome_banner_enabled -+ - dconf_gnome_login_banner_text - - banner_etc_issue - - accounts_password_set_min_life_existing - - accounts_password_set_max_life_existing - -From 21ae88f72c1c9a324041637b0f52eea6b90fb03f Mon Sep 17 00:00:00 2001 -From: Watson Sato -Date: Fri, 6 Mar 2020 15:37:46 +0100 -Subject: [PATCH 10/27] Fix Ansible for dconf banner-message-text lock - ---- - .../dconf_gnome_login_banner_text/ansible/shared.yml | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/ansible/shared.yml -index 6946c9ddf7..303f505968 100644 ---- a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/ansible/shared.yml -+++ b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/ansible/shared.yml -@@ -38,7 +38,7 @@ - - name: "Prevent user modification of the GNOME3 Login Warning Banner Text" - lineinfile: - path: '/etc/dconf/db/gdm.d/locks/00-security-settings-lock' -- regexp: '^org/gnome/login-screen/banner-message-text$' -- line: 'org/gnome/login-screen/banner-message-text' -+ regexp: '^/org/gnome/login-screen/banner-message-text$' -+ line: '/org/gnome/login-screen/banner-message-text' - create: yes - state: present - -From 54ec93ae3254c726b8313646419fa9f1a9fbbcb5 Mon Sep 17 00:00:00 2001 -From: Watson Sato -Date: Fri, 6 Mar 2020 15:58:38 +0100 -Subject: [PATCH 11/27] Fix banner regex stripping for Ansible - -Do similar regex stripping as done in Bash remediaiton. -The triple single quotes is necessary for the jinja template expansion -to add the banner wrapped in single quotes. ---- - .../dconf_gnome_login_banner_text/ansible/shared.yml | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - -diff --git a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/ansible/shared.yml -index 303f505968..5d5e92530a 100644 ---- a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/ansible/shared.yml -+++ b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/ansible/shared.yml -@@ -32,8 +32,9 @@ - dest: /etc/dconf/db/gdm.d/00-security-settings - section: org/gnome/login-screen - option: banner-message-text -- value: '{{ login_banner_text }}' -+ value: '''{{ login_banner_text | regex_replace("\^\((.*)\|.*$", "\1") | regex_replace("\[\\s\\n\]\+"," ") | regex_replace("\(\?:\[\\n\]\+\|\(\?:\\\\n\)\+\)", "(n)\*") | regex_replace("\\", "") | regex_replace("\(n\)\*", "\\n") }}''' - create: yes -+ no_extra_spaces: yes - - - name: "Prevent user modification of the GNOME3 Login Warning Banner Text" - lineinfile: - -From a4755e87a66ad8b47f22444bde9a2e48c6f33aca Mon Sep 17 00:00:00 2001 -From: Watson Sato -Date: Fri, 6 Mar 2020 16:09:50 +0100 -Subject: [PATCH 12/27] Add Ansible remediation for banner_etc_issue - ---- - .../banner_etc_issue/ansible/shared.yml | 12 ++++++++++++ - 1 file changed, 12 insertions(+) - create mode 100644 linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/ansible/shared.yml - -diff --git a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/ansible/shared.yml -new file mode 100644 -index 0000000000..e136304020 ---- /dev/null -+++ b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/ansible/shared.yml -@@ -0,0 +1,12 @@ -+# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol -+# reboot = false -+# strategy = unknown -+# complexity = low -+# disruption = medium -+- (xccdf-var login_banner_text) -+ -+- name: "{{{ rule_title }}}" -+ lineinfile: -+ dest: /etc/issue -+ line: '{{ login_banner_text | regex_replace("\^\((.*)\|.*$", "\1") | regex_replace("\[\\s\\n\]\+"," ") | regex_replace("\(\?:\[\\n\]\+\|\(\?:\\\\n\)\+\)", "\n") | regex_replace("\\", "") | wordwrap() }}' -+ create: yes - -From ac5d4b7482f4dc673f8f5d8dbbc95c42700bb251 Mon Sep 17 00:00:00 2001 -From: Watson Sato -Date: Fri, 6 Mar 2020 16:52:09 +0100 -Subject: [PATCH 13/27] Update reference RHEL8 STIG profile - ---- - tests/data/profile_stability/rhel8/stig.profile | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/tests/data/profile_stability/rhel8/stig.profile b/tests/data/profile_stability/rhel8/stig.profile -index 843267d589..381cf54b3a 100644 ---- a/tests/data/profile_stability/rhel8/stig.profile -+++ b/tests/data/profile_stability/rhel8/stig.profile -@@ -84,6 +84,7 @@ selections: - - coredump_disable_storage - - dconf_db_up_to_date - - dconf_gnome_banner_enabled -+- dconf_gnome_login_banner_text - - disable_ctrlaltdel_burstaction - - disable_ctrlaltdel_reboot - - disable_host_auth - -From 6b27221e857cefe7efaa04f4491c506ea0cb096c Mon Sep 17 00:00:00 2001 -From: Watson Sato -Date: Sat, 7 Mar 2020 13:12:28 +0100 -Subject: [PATCH 14/27] Move bash banner deregexification to macros - -This aims to increase maintenability and readability. -Every step in the deregexification is a separate macro. -The macros 'bash_deregexify_banner_etc_issue' and -'bash_deregexify_banner_dconf_gnome' build upon the basic steps. ---- - .../banner_etc_issue/bash/shared.sh | 9 ++++--- - .../bash/shared.sh | 10 +++++--- - shared/macros-bash.jinja | 25 +++++++++++++++++++ - 3 files changed, 38 insertions(+), 6 deletions(-) - -diff --git a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/bash/shared.sh b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/bash/shared.sh -index 07b88bf039..119413005e 100644 ---- a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/bash/shared.sh -+++ b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/bash/shared.sh -@@ -4,12 +4,15 @@ populate login_banner_text - - # Multiple regexes transform the banner regex into a usable banner - # 1 - Keep only the first banners if there are multiple, and remove wrapping regex syntax. --# (dod_banners contains the long and shor banner) -+# (dod_banners contains the long and short banner) -+{{{ bash_deregexify_multiple_banners("login_banner_text") }}} - # 2- Add spaces ' '. (Transforms regex for "space or newline" into a " ") -+{{{ bash_deregexify_banner_space("login_banner_text") }}} - # 3- Adds newlines. (Transforms "(?:\[\\n\]+|(?:\\n)+)" into "\n") -+{{{ bash_deregexify_banner_newline("login_banner_text", "\\n") }}} - # 4- Remove any leftover backslash. (From any parethesis in the banner, for example). --expanded=$(echo "$login_banner_text" | sed 's/\^(\(.*\)|.*$/\1/g;s/\[\\s\\n\]+/ /g;s/(?:\[\\n\]+|(?:\\n)+)/\n/g;s/\\//g;') --formatted=$(echo "$expanded" | fold -sw 80) -+{{{ bash_deregexify_banner_backslash("login_banner_text") }}} -+formatted=$(echo "$login_banner_text" | fold -sw 80) - - cat </etc/issue - $formatted -diff --git a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/bash/shared.sh b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/bash/shared.sh -index 658205bd2c..4011932790 100644 ---- a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/bash/shared.sh -+++ b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/bash/shared.sh -@@ -4,13 +4,17 @@ populate login_banner_text - - # Multiple regexes transform the banner regex into a usable banner - # 1 - Keep only the first banners if there are multiple, and remove wrapping regex syntax. --# (dod_banners contains the long and shor banner) -+# (dod_banners contains the long and short banner) -+{{{ bash_deregexify_multiple_banners("login_banner_text") }}} - # 2- Add spaces ' '. (Transforms regex for "space or newline" into a " ") -+{{{ bash_deregexify_banner_space("login_banner_text") }}} - # 3- Adds newline "tokens". (Transforms "(?:\[\\n\]+|(?:\\n)+)" into "(n)*") -+{{{ bash_deregexify_banner_newline("login_banner_text", "(n)*") }}} - # 4- Remove any leftover backslash. (From any parethesis in the banner, for example). -+{{{ bash_deregexify_banner_backslash("login_banner_text") }}} - # 5- Removes the newline "token." (Transforms them into newline escape sequences "\n"). - # ( Needs to be done after 4, otherwise the escapce sequence will become just "n". --expanded=$(echo "$login_banner_text" | sed 's/\^(\(.*\)|.*$/\1/g;s/\[\\s\\n\]+/ /g;s/(?:\[\\n\]+|(?:\\n)+)/(n)\*/g;s/\\//g;s/(n)\*/\\n/g;') -+{{{ bash_deregexify_banner_newline_token("login_banner_text")}}} - --{{{ bash_dconf_settings("org/gnome/login-screen", "banner-message-text", "'${expanded}'", "gdm.d", "00-security-settings") }}} -+{{{ bash_dconf_settings("org/gnome/login-screen", "banner-message-text", "'${login_banner_text}'", "gdm.d", "00-security-settings") }}} - {{{ bash_dconf_lock("org/gnome/login-screen", "banner-message-text", "gdm.d", "00-security-settings-lock") }}} -diff --git a/shared/macros-bash.jinja b/shared/macros-bash.jinja -index 2756cc0c00..6d72684c6d 100644 ---- a/shared/macros-bash.jinja -+++ b/shared/macros-bash.jinja -@@ -521,3 +521,28 @@ cat << 'EOF' > {{{ filepath }}} - {{{ contents|trim() }}} - EOF - {{%- endmacro %}} -+ -+{{# Strips multibanner regex and keeps only the first banner #}} -+{{% macro bash_deregexify_multiple_banners(banner_var_name) -%}} -+{{{ banner_var_name }}}=$(echo "${{{ banner_var_name }}}" | sed 's/\^(\(.*\)|.*$/\1/g') -+{{%- endmacro %}} -+ -+{{# Strips whitespace or newline regex #}} -+{{% macro bash_deregexify_banner_space(banner_var_name) -%}} -+{{{ banner_var_name }}}=$(echo "${{{ banner_var_name }}}" | sed 's/\[\\s\\n\]+/ /g') -+{{%- endmacro %}} -+ -+{{# Strips newline or newline escape sequence regex #}} -+{{% macro bash_deregexify_banner_newline(banner_var_name, newline) -%}} -+{{{ banner_var_name }}}=$(echo "${{{ banner_var_name }}}" | sed 's/(?:\[\\n\]+|(?:\\n)+)/{{{ newline }}}/g') -+{{%- endmacro %}} -+ -+{{# Strips newline token for a newline escape sequence regex #}} -+{{% macro bash_deregexify_banner_newline_token(banner_var_name) -%}} -+{{{ banner_var_name }}}=$(echo "${{{ banner_var_name }}}" | sed 's/(n)\*/\\n/g') -+{{%- endmacro %}} -+ -+{{# Strips backslash regex #}} -+{{% macro bash_deregexify_banner_backslash(banner_var_name) -%}} -+{{{ banner_var_name }}}=$(echo "${{{ banner_var_name }}}" | sed 's/\\//g') -+{{%- endmacro %}} - -From 4e2f96de31ed24c5e58ffc8da07b689a461d385f Mon Sep 17 00:00:00 2001 -From: Watson Sato -Date: Sat, 7 Mar 2020 14:04:40 +0100 -Subject: [PATCH 15/27] Move ansible banner deregexification to macros - -This aims to increase maintenability and readability. -Every step in the deregexification is a separate macro. -The macros 'ansible_deregexify_banner_etc_issue' and -'ansible_deregexify_banner_dconf_gnome' build upon the basic steps. ---- - .../banner_etc_issue/ansible/shared.yml | 2 +- - .../ansible/shared.yml | 2 +- - shared/macros-ansible.jinja | 54 +++++++++++++++++++ - 3 files changed, 56 insertions(+), 2 deletions(-) - -diff --git a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/ansible/shared.yml -index e136304020..42c19194e4 100644 ---- a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/ansible/shared.yml -+++ b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/ansible/shared.yml -@@ -8,5 +8,5 @@ - - name: "{{{ rule_title }}}" - lineinfile: - dest: /etc/issue -- line: '{{ login_banner_text | regex_replace("\^\((.*)\|.*$", "\1") | regex_replace("\[\\s\\n\]\+"," ") | regex_replace("\(\?:\[\\n\]\+\|\(\?:\\\\n\)\+\)", "\n") | regex_replace("\\", "") | wordwrap() }}' -+ line: '{{{ ansible_deregexify_banner_etc_issue("login_banner_text") }}}' - create: yes -diff --git a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/ansible/shared.yml -index 5d5e92530a..40cce05fbc 100644 ---- a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/ansible/shared.yml -+++ b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/ansible/shared.yml -@@ -32,7 +32,7 @@ - dest: /etc/dconf/db/gdm.d/00-security-settings - section: org/gnome/login-screen - option: banner-message-text -- value: '''{{ login_banner_text | regex_replace("\^\((.*)\|.*$", "\1") | regex_replace("\[\\s\\n\]\+"," ") | regex_replace("\(\?:\[\\n\]\+\|\(\?:\\\\n\)\+\)", "(n)\*") | regex_replace("\\", "") | regex_replace("\(n\)\*", "\\n") }}''' -+ value: '{{{ ansible_deregexify_banner_dconf_gnome("login_banner_text") }}}' - create: yes - no_extra_spaces: yes - -diff --git a/shared/macros-ansible.jinja b/shared/macros-ansible.jinja -index 0d023553a7..5deb7ceb80 100644 ---- a/shared/macros-ansible.jinja -+++ b/shared/macros-ansible.jinja -@@ -217,3 +217,57 @@ - {{{ contents|trim()|indent(8) }}} - force: yes - {{%- endmacro %}} -+ -+{{# -+ Formats a banner regex for use in /etc/issue -+ Parameters: -+ - banner_var_name - name of ansible variable with the banner regex -+#}} -+{{% macro ansible_deregexify_banner_etc_issue(banner_var_name) -%}} -+{{ {{{ banner_var_name }}} | -+{{{ ansible_deregexify_multiple_banners() }}} | -+{{{ ansible_deregexify_banner_space() }}} | -+{{{ ansible_deregexify_banner_newline("\\n") }}} | -+{{{ ansible_deregexify_banner_backslash() }}} | -+wordwrap() }} -+{{%- endmacro %}} -+ -+{{# -+ Formats a banner regex for use in dconf -+ Parameters: -+ - banner_var_name - name of ansible variable with the banner regex -+#}} -+{{% macro ansible_deregexify_banner_dconf_gnome(banner_var_name) -%}} -+''{{ {{{ banner_var_name }}} | -+{{{ ansible_deregexify_multiple_banners() }}} | -+{{{ ansible_deregexify_banner_space() }}} | -+{{{ ansible_deregexify_banner_newline("(n)*") }}} | -+{{{ ansible_deregexify_banner_backslash() }}} | -+{{{ ansible_deregexify_banner_newline_token()}}} }}'' -+{{%- endmacro %}} -+ -+ line: '{{ login_banner_text | | regex_replace("\\", "") | wordwrap() }}' -+{{# Strips multibanner regex and keeps only the first banner #}} -+{{% macro ansible_deregexify_multiple_banners() -%}} -+regex_replace("\^\((.*)\|.*$", "\1") -+{{%- endmacro %}} -+ -+{{# Strips whitespace or newline regex #}} -+{{% macro ansible_deregexify_banner_space() -%}} -+regex_replace("\[\\s\\n\]\+"," ") -+{{%- endmacro %}} -+ -+{{# Strips newline or newline escape sequence regex #}} -+{{% macro ansible_deregexify_banner_newline(newline) -%}} -+regex_replace("\(\?:\[\\n\]\+\|\(\?:\\\\n\)\+\)", "{{{ newline }}}") -+{{%- endmacro %}} -+ -+{{# Strips newline token for a newline escape sequence regex #}} -+{{% macro ansible_deregexify_banner_newline_token() -%}} -+regex_replace("\(n\)\*", "\\n") -+{{%- endmacro %}} -+ -+{{# Strips backslash regex #}} -+{{% macro ansible_deregexify_banner_backslash() -%}} -+regex_replace("\\", "") -+{{%- endmacro %}} - -From 890e79ea0a9eff8cab05d8ef06e96900d95b2617 Mon Sep 17 00:00:00 2001 -From: Watson Sato -Date: Sun, 8 Mar 2020 10:58:12 +0100 -Subject: [PATCH 16/27] Move the DoD banners into jinja variables - -The variables are used to easily combine them in the regex for the -"multiple banners allowed regex". -Lets avoid repeating ourselves. ---- - .../httpd_secure_content/var_web_login_banner_text.var | 9 ++++++--- - .../accounts/accounts-banners/login_banner_text.var | 9 ++++++--- - 2 files changed, 12 insertions(+), 6 deletions(-) - -diff --git a/linux_os/guide/services/http/securing_httpd/httpd_secure_content/var_web_login_banner_text.var b/linux_os/guide/services/http/securing_httpd/httpd_secure_content/var_web_login_banner_text.var -index 72a728659b..96b6ac8e71 100644 ---- a/linux_os/guide/services/http/securing_httpd/httpd_secure_content/var_web_login_banner_text.var -+++ b/linux_os/guide/services/http/securing_httpd/httpd_secure_content/var_web_login_banner_text.var -@@ -12,9 +12,12 @@ operator: equals - - interactive: false - -+{{% set var_dod_default = "You are accessing a U.S. Government \(USG\) Information System \(IS\) that is provided for USG-authorized use only. By using this IS \(which includes any device attached to this IS\), you consent to the following conditions\:\n-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct \(PM\), law enforcement \(LE\), and counterintelligence \(CI\) investigations.\n-At any time, the USG may inspect and seize data stored on this IS.\n-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.\n-This IS includes security measures \(e.g., authentication and access controls\) to protect USG interests--not for your personal benefit or privacy.\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details." %}} -+{{% set var_dod_short = "I\\'ve read \& consent to terms in IS user agreem\\'t." %}} -+ - options: -- dod_banners: {{{ banner_flexibler(banner_text="^(You are accessing a U.S. Government \(USG\) Information System \(IS\) that is provided for USG-authorized use only. By using this IS \(which includes any device attached to this IS\), you consent to the following conditions\:\n-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct \(PM\), law enforcement \(LE\), and counterintelligence \(CI\) investigations.\n-At any time, the USG may inspect and seize data stored on this IS.\n-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.\n-This IS includes security measures \(e.g., authentication and access controls\) to protect USG interests--not for your personal benefit or privacy.\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.|I\\'ve read \& consent to terms in IS user agreem\\'t.)$") }}} -- dod_default: {{{ banner_flexibler(banner_text="You are accessing a U.S. Government \(USG\) Information System \(IS\) that is provided for USG-authorized use only. By using this IS \(which includes any device attached to this IS\), you consent to the following conditions\:\n-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct \(PM\), law enforcement \(LE\), and counterintelligence \(CI\) investigations.\n-At any time, the USG may inspect and seize data stored on this IS.\n-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.\n-This IS includes security measures \(e.g., authentication and access controls\) to protect USG interests--not for your personal benefit or privacy.\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.") }}} -- dod_short: {{{ banner_flexibler(banner_text="I\\'ve read \& consent to terms in IS user agreem\\'t.") }}} -+ dod_banners: {{{ banner_flexibler("^(" ~ var_dod_default ~ "|" ~ var_dod_short ~ ")$") }}} -+ dod_default: {{{ banner_flexibler(var_dod_default) }}} -+ dod_short: {{{ banner_flexibler(var_dod_short) }}} - dss_odaa_default: {{{ banner_flexibler(banner_text="Use of this or any other DoD interest computer system constitutes consent to monitoring at all times. This is a DoD interest computer system. All DoD interest computer systems and related equipment are intended for the communication, transmission, processing, and storage of official U.S. Government or other authorized information only. All DoD interest computer systems are subject to monitoring at all times to ensure proper functioning of equipment and systems including security devices and systems, to prevent unauthorized use and violations of statutes and security regulations, to deter criminal activity, and for other similar purposes. Any user of a DoD interest computer system should be aware that any information placed in the system is subject to monitoring and is not subject to any expectation of privacy. If monitoring of this or any other DoD interest computer system reveals possible evidence of violation of criminal statutes, this evidence and any other related information, including identification information about the user, may be provided to law enforcement officials. If monitoring of this or any other DoD interest computer systems reveals violations of security regulations or unauthorized use, employees who violate security regulations or make unauthorized use of DoD interest computer systems are subject to appropriate disciplinary action. Use of this or any other DoD interest computer system constitutes consent to monitoring at all times.") }}} - usgcb_default: {{{ banner_flexibler(banner_text="-- WARNING -- This system is for the use of authorized users only. Individuals using this computer system without authority or in excess of their authority are subject to having all their activities on this system monitored and recorded by system personnel. Anyone using this system expressly consents to such monitoring and is advised that if such monitoring reveals possible evidence of criminal activity system personal may provide the evidence of such monitoring to law enforcement officials.") }}} -diff --git a/linux_os/guide/system/accounts/accounts-banners/login_banner_text.var b/linux_os/guide/system/accounts/accounts-banners/login_banner_text.var -index 0c398bee9c..400a4299e6 100644 ---- a/linux_os/guide/system/accounts/accounts-banners/login_banner_text.var -+++ b/linux_os/guide/system/accounts/accounts-banners/login_banner_text.var -@@ -12,10 +12,13 @@ operator: equals - - interactive: false - -+{{% set var_dod_default="You are accessing a U.S. Government \(USG\) Information System \(IS\) that is provided for USG-authorized use only. By using this IS \(which includes any device attached to this IS\), you consent to the following conditions\:\n-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct \(PM\), law enforcement \(LE\), and counterintelligence \(CI\) investigations.\n-At any time, the USG may inspect and seize data stored on this IS.\n-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.\n-This IS includes security measures \(e.g., authentication and access controls\) to protect USG interests--not for your personal benefit or privacy.\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details." %}} -+{{% set var_dod_short = "I\\'ve read \& consent to terms in IS user agreem\\'t." %}} -+ - options: - # First banner in 'dod_banners' must be the banner for desktop, laptop, and other devices which accomodate banners of 1300 characters -- dod_banners: {{{ banner_flexibler(banner_text="^(You are accessing a U.S. Government \(USG\) Information System \(IS\) that is provided for USG-authorized use only. By using this IS \(which includes any device attached to this IS\), you consent to the following conditions\:\n-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct \(PM\), law enforcement \(LE\), and counterintelligence \(CI\) investigations.\n-At any time, the USG may inspect and seize data stored on this IS.\n-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.\n-This IS includes security measures \(e.g., authentication and access controls\) to protect USG interests--not for your personal benefit or privacy.\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.|I\\'ve read \& consent to terms in IS user agreem\\'t.)$") }}} -- dod_default: {{{ banner_flexibler(banner_text="You are accessing a U.S. Government \(USG\) Information System \(IS\) that is provided for USG-authorized use only. By using this IS \(which includes any device attached to this IS\), you consent to the following conditions\:\n-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct \(PM\), law enforcement \(LE\), and counterintelligence \(CI\) investigations.\n-At any time, the USG may inspect and seize data stored on this IS.\n-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.\n-This IS includes security measures \(e.g., authentication and access controls\) to protect USG interests--not for your personal benefit or privacy.\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.") }}} -- dod_short: {{{ banner_flexibler(banner_text="I\\'ve read \& consent to terms in IS user agreem\\'t.") }}} -+ dod_banners: {{{ banner_flexibler("^(" ~ var_dod_default ~ "|" ~ var_dod_short ~ ")$") }}} -+ dod_default: {{{ banner_flexibler(var_dod_default) }}} -+ dod_short: {{{ banner_flexibler(var_dod_short) }}} - dss_odaa_default: {{{ banner_flexibler(banner_text="Use of this or any other DoD interest computer system constitutes consent to monitoring at all times. This is a DoD interest computer system. All DoD interest computer systems and related equipment are intended for the communication, transmission, processing, and storage of official U.S. Government or other authorized information only. All DoD interest computer systems are subject to monitoring at all times to ensure proper functioning of equipment and systems including security devices and systems, to prevent unauthorized use and violations of statutes and security regulations, to deter criminal activity, and for other similar purposes. Any user of a DoD interest computer system should be aware that any information placed in the system is subject to monitoring and is not subject to any expectation of privacy. If monitoring of this or any other DoD interest computer system reveals possible evidence of violation of criminal statutes, this evidence and any other related information, including identification information about the user, may be provided to law enforcement officials. If monitoring of this or any other DoD interest computer systems reveals violations of security regulations or unauthorized use, employees who violate security regulations or make unauthorized use of DoD interest computer systems are subject to appropriate disciplinary action. Use of this or any other DoD interest computer system constitutes consent to monitoring at all times.") }}} - usgcb_default: {{{ banner_flexibler(banner_text="-- WARNING -- This system is for the use of authorized users only. Individuals using this computer system without authority or in excess of their authority are subject to having all their activities on this system monitored and recorded by system personnel. Anyone using this system expressly consents to such monitoring and is advised that if such monitoring reveals possible evidence of criminal activity system personal may provide the evidence of such monitoring to law enforcement officials.") }}} - -From f17b39f5a55f92ae4d0e4e03cbd26dd55137b083 Mon Sep 17 00:00:00 2001 -From: Watson Sato -Date: Sun, 8 Mar 2020 11:14:09 +0100 -Subject: [PATCH 17/27] Remove unecessary escapping in short banner - ---- - .../httpd_secure_content/var_web_login_banner_text.var | 2 +- - .../system/accounts/accounts-banners/login_banner_text.var | 2 +- - 2 files changed, 2 insertions(+), 2 deletions(-) - -diff --git a/linux_os/guide/services/http/securing_httpd/httpd_secure_content/var_web_login_banner_text.var b/linux_os/guide/services/http/securing_httpd/httpd_secure_content/var_web_login_banner_text.var -index 96b6ac8e71..c98d2441cf 100644 ---- a/linux_os/guide/services/http/securing_httpd/httpd_secure_content/var_web_login_banner_text.var -+++ b/linux_os/guide/services/http/securing_httpd/httpd_secure_content/var_web_login_banner_text.var -@@ -13,7 +13,7 @@ operator: equals - interactive: false - - {{% set var_dod_default = "You are accessing a U.S. Government \(USG\) Information System \(IS\) that is provided for USG-authorized use only. By using this IS \(which includes any device attached to this IS\), you consent to the following conditions\:\n-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct \(PM\), law enforcement \(LE\), and counterintelligence \(CI\) investigations.\n-At any time, the USG may inspect and seize data stored on this IS.\n-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.\n-This IS includes security measures \(e.g., authentication and access controls\) to protect USG interests--not for your personal benefit or privacy.\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details." %}} --{{% set var_dod_short = "I\\'ve read \& consent to terms in IS user agreem\\'t." %}} -+{{% set var_dod_short = "I've read & consent to terms in IS user agreem't." %}} - - options: - dod_banners: {{{ banner_flexibler("^(" ~ var_dod_default ~ "|" ~ var_dod_short ~ ")$") }}} -diff --git a/linux_os/guide/system/accounts/accounts-banners/login_banner_text.var b/linux_os/guide/system/accounts/accounts-banners/login_banner_text.var -index 400a4299e6..fc65772554 100644 ---- a/linux_os/guide/system/accounts/accounts-banners/login_banner_text.var -+++ b/linux_os/guide/system/accounts/accounts-banners/login_banner_text.var -@@ -13,7 +13,7 @@ operator: equals - interactive: false - - {{% set var_dod_default="You are accessing a U.S. Government \(USG\) Information System \(IS\) that is provided for USG-authorized use only. By using this IS \(which includes any device attached to this IS\), you consent to the following conditions\:\n-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct \(PM\), law enforcement \(LE\), and counterintelligence \(CI\) investigations.\n-At any time, the USG may inspect and seize data stored on this IS.\n-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.\n-This IS includes security measures \(e.g., authentication and access controls\) to protect USG interests--not for your personal benefit or privacy.\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details." %}} --{{% set var_dod_short = "I\\'ve read \& consent to terms in IS user agreem\\'t." %}} -+{{% set var_dod_short = "I've read & consent to terms in IS user agreem't." %}} - - options: - # First banner in 'dod_banners' must be the banner for desktop, laptop, and other devices which accomodate banners of 1300 characters - -From bb2dcd9212bb6e83c53bfb9df10bc7e236dec722 Mon Sep 17 00:00:00 2001 -From: Watson Sato -Date: Sun, 8 Mar 2020 15:23:31 +0100 -Subject: [PATCH 18/27] Add utility to regexify a login banner - -Moved the banner_flexibler macro to python code, and renamed to -banner_regexify, to be aligned with Ansible and Bash counter parts -"deregexify". - -The utility will make it easy to add you own login banner on a tailoring -file, or via SCAP Workbench. ---- - .../var_web_login_banner_text.var | 10 +++---- - .../accounts-banners/login_banner_text.var | 10 +++---- - shared/macros.jinja | 4 --- - ssg/jinja.py | 3 +- - ssg/utils.py | 3 ++ - utils/regexify_banner.py | 29 +++++++++++++++++++ - 6 files changed, 44 insertions(+), 15 deletions(-) - create mode 100644 utils/regexify_banner.py - -diff --git a/linux_os/guide/services/http/securing_httpd/httpd_secure_content/var_web_login_banner_text.var b/linux_os/guide/services/http/securing_httpd/httpd_secure_content/var_web_login_banner_text.var -index c98d2441cf..d3f72cbd97 100644 ---- a/linux_os/guide/services/http/securing_httpd/httpd_secure_content/var_web_login_banner_text.var -+++ b/linux_os/guide/services/http/securing_httpd/httpd_secure_content/var_web_login_banner_text.var -@@ -16,8 +16,8 @@ interactive: false - {{% set var_dod_short = "I've read & consent to terms in IS user agreem't." %}} - - options: -- dod_banners: {{{ banner_flexibler("^(" ~ var_dod_default ~ "|" ~ var_dod_short ~ ")$") }}} -- dod_default: {{{ banner_flexibler(var_dod_default) }}} -- dod_short: {{{ banner_flexibler(var_dod_short) }}} -- dss_odaa_default: {{{ banner_flexibler(banner_text="Use of this or any other DoD interest computer system constitutes consent to monitoring at all times. This is a DoD interest computer system. All DoD interest computer systems and related equipment are intended for the communication, transmission, processing, and storage of official U.S. Government or other authorized information only. All DoD interest computer systems are subject to monitoring at all times to ensure proper functioning of equipment and systems including security devices and systems, to prevent unauthorized use and violations of statutes and security regulations, to deter criminal activity, and for other similar purposes. Any user of a DoD interest computer system should be aware that any information placed in the system is subject to monitoring and is not subject to any expectation of privacy. If monitoring of this or any other DoD interest computer system reveals possible evidence of violation of criminal statutes, this evidence and any other related information, including identification information about the user, may be provided to law enforcement officials. If monitoring of this or any other DoD interest computer systems reveals violations of security regulations or unauthorized use, employees who violate security regulations or make unauthorized use of DoD interest computer systems are subject to appropriate disciplinary action. Use of this or any other DoD interest computer system constitutes consent to monitoring at all times.") }}} -- usgcb_default: {{{ banner_flexibler(banner_text="-- WARNING -- This system is for the use of authorized users only. Individuals using this computer system without authority or in excess of their authority are subject to having all their activities on this system monitored and recorded by system personnel. Anyone using this system expressly consents to such monitoring and is advised that if such monitoring reveals possible evidence of criminal activity system personal may provide the evidence of such monitoring to law enforcement officials.") }}} -+ dod_banners: {{{ banner_regexify("^(" ~ var_dod_default ~ "|" ~ var_dod_short ~ ")$") }}} -+ dod_default: {{{ banner_regexify(var_dod_default) }}} -+ dod_short: {{{ banner_regexify(var_dod_short) }}} -+ dss_odaa_default: {{{ banner_regexify("Use of this or any other DoD interest computer system constitutes consent to monitoring at all times. This is a DoD interest computer system. All DoD interest computer systems and related equipment are intended for the communication, transmission, processing, and storage of official U.S. Government or other authorized information only. All DoD interest computer systems are subject to monitoring at all times to ensure proper functioning of equipment and systems including security devices and systems, to prevent unauthorized use and violations of statutes and security regulations, to deter criminal activity, and for other similar purposes. Any user of a DoD interest computer system should be aware that any information placed in the system is subject to monitoring and is not subject to any expectation of privacy. If monitoring of this or any other DoD interest computer system reveals possible evidence of violation of criminal statutes, this evidence and any other related information, including identification information about the user, may be provided to law enforcement officials. If monitoring of this or any other DoD interest computer systems reveals violations of security regulations or unauthorized use, employees who violate security regulations or make unauthorized use of DoD interest computer systems are subject to appropriate disciplinary action. Use of this or any other DoD interest computer system constitutes consent to monitoring at all times.") }}} -+ usgcb_default: {{{ banner_regexify("-- WARNING -- This system is for the use of authorized users only. Individuals using this computer system without authority or in excess of their authority are subject to having all their activities on this system monitored and recorded by system personnel. Anyone using this system expressly consents to such monitoring and is advised that if such monitoring reveals possible evidence of criminal activity system personal may provide the evidence of such monitoring to law enforcement officials.") }}} -diff --git a/linux_os/guide/system/accounts/accounts-banners/login_banner_text.var b/linux_os/guide/system/accounts/accounts-banners/login_banner_text.var -index fc65772554..f6eab9bf33 100644 ---- a/linux_os/guide/system/accounts/accounts-banners/login_banner_text.var -+++ b/linux_os/guide/system/accounts/accounts-banners/login_banner_text.var -@@ -17,8 +17,8 @@ interactive: false - - options: - # First banner in 'dod_banners' must be the banner for desktop, laptop, and other devices which accomodate banners of 1300 characters -- dod_banners: {{{ banner_flexibler("^(" ~ var_dod_default ~ "|" ~ var_dod_short ~ ")$") }}} -- dod_default: {{{ banner_flexibler(var_dod_default) }}} -- dod_short: {{{ banner_flexibler(var_dod_short) }}} -- dss_odaa_default: {{{ banner_flexibler(banner_text="Use of this or any other DoD interest computer system constitutes consent to monitoring at all times. This is a DoD interest computer system. All DoD interest computer systems and related equipment are intended for the communication, transmission, processing, and storage of official U.S. Government or other authorized information only. All DoD interest computer systems are subject to monitoring at all times to ensure proper functioning of equipment and systems including security devices and systems, to prevent unauthorized use and violations of statutes and security regulations, to deter criminal activity, and for other similar purposes. Any user of a DoD interest computer system should be aware that any information placed in the system is subject to monitoring and is not subject to any expectation of privacy. If monitoring of this or any other DoD interest computer system reveals possible evidence of violation of criminal statutes, this evidence and any other related information, including identification information about the user, may be provided to law enforcement officials. If monitoring of this or any other DoD interest computer systems reveals violations of security regulations or unauthorized use, employees who violate security regulations or make unauthorized use of DoD interest computer systems are subject to appropriate disciplinary action. Use of this or any other DoD interest computer system constitutes consent to monitoring at all times.") }}} -- usgcb_default: {{{ banner_flexibler(banner_text="-- WARNING -- This system is for the use of authorized users only. Individuals using this computer system without authority or in excess of their authority are subject to having all their activities on this system monitored and recorded by system personnel. Anyone using this system expressly consents to such monitoring and is advised that if such monitoring reveals possible evidence of criminal activity system personal may provide the evidence of such monitoring to law enforcement officials.") }}} -+ dod_banners: {{{ banner_regexify("^(" ~ var_dod_default ~ "|" ~ var_dod_short ~ ")$") }}} -+ dod_default: {{{ banner_regexify(var_dod_default) }}} -+ dod_short: {{{ banner_regexify(var_dod_short) }}} -+ dss_odaa_default: {{{ banner_regexify("Use of this or any other DoD interest computer system constitutes consent to monitoring at all times. This is a DoD interest computer system. All DoD interest computer systems and related equipment are intended for the communication, transmission, processing, and storage of official U.S. Government or other authorized information only. All DoD interest computer systems are subject to monitoring at all times to ensure proper functioning of equipment and systems including security devices and systems, to prevent unauthorized use and violations of statutes and security regulations, to deter criminal activity, and for other similar purposes. Any user of a DoD interest computer system should be aware that any information placed in the system is subject to monitoring and is not subject to any expectation of privacy. If monitoring of this or any other DoD interest computer system reveals possible evidence of violation of criminal statutes, this evidence and any other related information, including identification information about the user, may be provided to law enforcement officials. If monitoring of this or any other DoD interest computer systems reveals violations of security regulations or unauthorized use, employees who violate security regulations or make unauthorized use of DoD interest computer systems are subject to appropriate disciplinary action. Use of this or any other DoD interest computer system constitutes consent to monitoring at all times.") }}} -+ usgcb_default: {{{ banner_regexify("-- WARNING -- This system is for the use of authorized users only. Individuals using this computer system without authority or in excess of their authority are subject to having all their activities on this system monitored and recorded by system personnel. Anyone using this system expressly consents to such monitoring and is advised that if such monitoring reveals possible evidence of criminal activity system personal may provide the evidence of such monitoring to law enforcement officials.") }}} -diff --git a/shared/macros.jinja b/shared/macros.jinja -index b178088f0c..8a25acc937 100644 ---- a/shared/macros.jinja -+++ b/shared/macros.jinja -@@ -657,7 +657,3 @@ openssl() - ) - - {{%- endmacro %}} -- --{{% macro banner_flexibler(banner_text) -%}} --{{{ banner_text|replace("\n", "BFLMPSVZ")|replace(" ", "[\s\\n]+")|replace("BFLMPSVZ", "(?:[\\n]+|(?:\\\\n)+)") }}} --{{% endmacro %}} -diff --git a/ssg/jinja.py b/ssg/jinja.py -index 700466b8c3..471fbf4140 100644 ---- a/ssg/jinja.py -+++ b/ssg/jinja.py -@@ -10,7 +10,7 @@ - JINJA_MACROS_BASH_DEFINITIONS, - JINJA_MACROS_OVAL_DEFINITIONS, - ) --from .utils import required_key, prodtype_to_name, name_to_platform, prodtype_to_platform -+from .utils import required_key, prodtype_to_name, name_to_platform, prodtype_to_platform, banner_regexify - - - class MacroError(RuntimeError): -@@ -112,6 +112,7 @@ def add_python_functions(substitutions_dict): - substitutions_dict['prodtype_to_name'] = prodtype_to_name - substitutions_dict['name_to_platform'] = name_to_platform - substitutions_dict['prodtype_to_platform'] = prodtype_to_platform -+ substitutions_dict['banner_regexify'] = banner_regexify - substitutions_dict['raise'] = raise_exception - - -diff --git a/ssg/utils.py b/ssg/utils.py -index 16b1aebe33..3823e02a2d 100644 ---- a/ssg/utils.py -+++ b/ssg/utils.py -@@ -248,3 +248,6 @@ def mkdir_p(path): - pass - else: - raise -+ -+def banner_regexify(banner_text): -+ return banner_text.replace("\n", "BFLMPSVZ").replace(" ", "[\s\\n]+").replace("BFLMPSVZ", "(?:[\\n]+|(?:\\\\n)+)") -diff --git a/utils/regexify_banner.py b/utils/regexify_banner.py -new file mode 100644 -index 0000000000..7bdf69b702 ---- /dev/null -+++ b/utils/regexify_banner.py -@@ -0,0 +1,29 @@ -+import argparse -+import ssg.utils -+ -+def parse_args(): -+ p = argparse.ArgumentParser() -+ p.add_argument("--output", help="Path to output regexified banner") -+ p.add_argument("input", help="Path to file with banner to regexify") -+ -+ return p.parse_args() -+ -+ -+def main(): -+ -+ args = parse_args() -+ with open(args.input, "r") as file_in: -+ # rstrip is used to remove newline at the end of file -+ banner_text = file_in.read().rstrip() -+ -+ banner_regex = ssg.utils.banner_regexify(banner_text) -+ -+ if args.output: -+ with open(args.output, "w") as file_out: -+ file_out.write(banner_regex) -+ else: -+ print(banner_regex) -+ -+ -+if __name__ == "__main__": -+ main() - -From 5c81e70d14ee90877630610bf0a2215199a3e491 Mon Sep 17 00:00:00 2001 -From: Watson Sato -Date: Sun, 8 Mar 2020 15:31:12 +0100 -Subject: [PATCH 19/27] Move the macro to be a Jinja2 filter - -This is done so that we can apply banner_regexify indvidually in each -banner of dod_banners. ---- - .../httpd_secure_content/var_web_login_banner_text.var | 10 +++++----- - .../accounts/accounts-banners/login_banner_text.var | 10 +++++----- - ssg/jinja.py | 2 +- - 3 files changed, 11 insertions(+), 11 deletions(-) - -diff --git a/linux_os/guide/services/http/securing_httpd/httpd_secure_content/var_web_login_banner_text.var b/linux_os/guide/services/http/securing_httpd/httpd_secure_content/var_web_login_banner_text.var -index d3f72cbd97..e990f0cb23 100644 ---- a/linux_os/guide/services/http/securing_httpd/httpd_secure_content/var_web_login_banner_text.var -+++ b/linux_os/guide/services/http/securing_httpd/httpd_secure_content/var_web_login_banner_text.var -@@ -16,8 +16,8 @@ interactive: false - {{% set var_dod_short = "I've read & consent to terms in IS user agreem't." %}} - - options: -- dod_banners: {{{ banner_regexify("^(" ~ var_dod_default ~ "|" ~ var_dod_short ~ ")$") }}} -- dod_default: {{{ banner_regexify(var_dod_default) }}} -- dod_short: {{{ banner_regexify(var_dod_short) }}} -- dss_odaa_default: {{{ banner_regexify("Use of this or any other DoD interest computer system constitutes consent to monitoring at all times. This is a DoD interest computer system. All DoD interest computer systems and related equipment are intended for the communication, transmission, processing, and storage of official U.S. Government or other authorized information only. All DoD interest computer systems are subject to monitoring at all times to ensure proper functioning of equipment and systems including security devices and systems, to prevent unauthorized use and violations of statutes and security regulations, to deter criminal activity, and for other similar purposes. Any user of a DoD interest computer system should be aware that any information placed in the system is subject to monitoring and is not subject to any expectation of privacy. If monitoring of this or any other DoD interest computer system reveals possible evidence of violation of criminal statutes, this evidence and any other related information, including identification information about the user, may be provided to law enforcement officials. If monitoring of this or any other DoD interest computer systems reveals violations of security regulations or unauthorized use, employees who violate security regulations or make unauthorized use of DoD interest computer systems are subject to appropriate disciplinary action. Use of this or any other DoD interest computer system constitutes consent to monitoring at all times.") }}} -- usgcb_default: {{{ banner_regexify("-- WARNING -- This system is for the use of authorized users only. Individuals using this computer system without authority or in excess of their authority are subject to having all their activities on this system monitored and recorded by system personnel. Anyone using this system expressly consents to such monitoring and is advised that if such monitoring reveals possible evidence of criminal activity system personal may provide the evidence of such monitoring to law enforcement officials.") }}} -+ dod_banners: {{{ "^(" ~ var_dod_default|banner_regexify ~ "|" ~ var_dod_short|banner_regexify ~ ")$" }}} -+ dod_default: {{{ var_dod_default|banner_regexify }}} -+ dod_short: {{{ var_dod_short|banner_regexify }}} -+ dss_odaa_default: {{{ "Use of this or any other DoD interest computer system constitutes consent to monitoring at all times. This is a DoD interest computer system. All DoD interest computer systems and related equipment are intended for the communication, transmission, processing, and storage of official U.S. Government or other authorized information only. All DoD interest computer systems are subject to monitoring at all times to ensure proper functioning of equipment and systems including security devices and systems, to prevent unauthorized use and violations of statutes and security regulations, to deter criminal activity, and for other similar purposes. Any user of a DoD interest computer system should be aware that any information placed in the system is subject to monitoring and is not subject to any expectation of privacy. If monitoring of this or any other DoD interest computer system reveals possible evidence of violation of criminal statutes, this evidence and any other related information, including identification information about the user, may be provided to law enforcement officials. If monitoring of this or any other DoD interest computer systems reveals violations of security regulations or unauthorized use, employees who violate security regulations or make unauthorized use of DoD interest computer systems are subject to appropriate disciplinary action. Use of this or any other DoD interest computer system constitutes consent to monitoring at all times."|banner_regexify }}} -+ usgcb_default: {{{ "-- WARNING -- This system is for the use of authorized users only. Individuals using this computer system without authority or in excess of their authority are subject to having all their activities on this system monitored and recorded by system personnel. Anyone using this system expressly consents to such monitoring and is advised that if such monitoring reveals possible evidence of criminal activity system personal may provide the evidence of such monitoring to law enforcement officials."|banner_regexify }}} -diff --git a/linux_os/guide/system/accounts/accounts-banners/login_banner_text.var b/linux_os/guide/system/accounts/accounts-banners/login_banner_text.var -index f6eab9bf33..e059174cb5 100644 ---- a/linux_os/guide/system/accounts/accounts-banners/login_banner_text.var -+++ b/linux_os/guide/system/accounts/accounts-banners/login_banner_text.var -@@ -17,8 +17,8 @@ interactive: false - - options: - # First banner in 'dod_banners' must be the banner for desktop, laptop, and other devices which accomodate banners of 1300 characters -- dod_banners: {{{ banner_regexify("^(" ~ var_dod_default ~ "|" ~ var_dod_short ~ ")$") }}} -- dod_default: {{{ banner_regexify(var_dod_default) }}} -- dod_short: {{{ banner_regexify(var_dod_short) }}} -- dss_odaa_default: {{{ banner_regexify("Use of this or any other DoD interest computer system constitutes consent to monitoring at all times. This is a DoD interest computer system. All DoD interest computer systems and related equipment are intended for the communication, transmission, processing, and storage of official U.S. Government or other authorized information only. All DoD interest computer systems are subject to monitoring at all times to ensure proper functioning of equipment and systems including security devices and systems, to prevent unauthorized use and violations of statutes and security regulations, to deter criminal activity, and for other similar purposes. Any user of a DoD interest computer system should be aware that any information placed in the system is subject to monitoring and is not subject to any expectation of privacy. If monitoring of this or any other DoD interest computer system reveals possible evidence of violation of criminal statutes, this evidence and any other related information, including identification information about the user, may be provided to law enforcement officials. If monitoring of this or any other DoD interest computer systems reveals violations of security regulations or unauthorized use, employees who violate security regulations or make unauthorized use of DoD interest computer systems are subject to appropriate disciplinary action. Use of this or any other DoD interest computer system constitutes consent to monitoring at all times.") }}} -- usgcb_default: {{{ banner_regexify("-- WARNING -- This system is for the use of authorized users only. Individuals using this computer system without authority or in excess of their authority are subject to having all their activities on this system monitored and recorded by system personnel. Anyone using this system expressly consents to such monitoring and is advised that if such monitoring reveals possible evidence of criminal activity system personal may provide the evidence of such monitoring to law enforcement officials.") }}} -+ dod_banners: {{{ "^(" ~ var_dod_default|banner_regexify ~ "|" ~ var_dod_short|banner_regexify ~ ")$" }}} -+ dod_default: {{{ var_dod_default|banner_regexify }}} -+ dod_short: {{{ var_dod_short|banner_regexify }}} -+ dss_odaa_default: {{{ "Use of this or any other DoD interest computer system constitutes consent to monitoring at all times. This is a DoD interest computer system. All DoD interest computer systems and related equipment are intended for the communication, transmission, processing, and storage of official U.S. Government or other authorized information only. All DoD interest computer systems are subject to monitoring at all times to ensure proper functioning of equipment and systems including security devices and systems, to prevent unauthorized use and violations of statutes and security regulations, to deter criminal activity, and for other similar purposes. Any user of a DoD interest computer system should be aware that any information placed in the system is subject to monitoring and is not subject to any expectation of privacy. If monitoring of this or any other DoD interest computer system reveals possible evidence of violation of criminal statutes, this evidence and any other related information, including identification information about the user, may be provided to law enforcement officials. If monitoring of this or any other DoD interest computer systems reveals violations of security regulations or unauthorized use, employees who violate security regulations or make unauthorized use of DoD interest computer systems are subject to appropriate disciplinary action. Use of this or any other DoD interest computer system constitutes consent to monitoring at all times."|banner_regexify }}} -+ usgcb_default: {{{ "-- WARNING -- This system is for the use of authorized users only. Individuals using this computer system without authority or in excess of their authority are subject to having all their activities on this system monitored and recorded by system personnel. Anyone using this system expressly consents to such monitoring and is advised that if such monitoring reveals possible evidence of criminal activity system personal may provide the evidence of such monitoring to law enforcement officials."|banner_regexify }}} -diff --git a/ssg/jinja.py b/ssg/jinja.py -index 471fbf4140..e779466838 100644 ---- a/ssg/jinja.py -+++ b/ssg/jinja.py -@@ -71,6 +71,7 @@ def _get_jinja_environment(substitutions_dict): - loader=AbsolutePathFileSystemLoader(), - bytecode_cache=bytecode_cache - ) -+ _get_jinja_environment.env.filters['banner_regexify'] = banner_regexify - - return _get_jinja_environment.env - -@@ -112,7 +113,6 @@ def add_python_functions(substitutions_dict): - substitutions_dict['prodtype_to_name'] = prodtype_to_name - substitutions_dict['name_to_platform'] = name_to_platform - substitutions_dict['prodtype_to_platform'] = prodtype_to_platform -- substitutions_dict['banner_regexify'] = banner_regexify - substitutions_dict['raise'] = raise_exception - - - -From d416cb9e78842767f08d9c38d9ea0b79b05f00dd Mon Sep 17 00:00:00 2001 -From: Watson Sato -Date: Sun, 8 Mar 2020 15:53:07 +0100 -Subject: [PATCH 20/27] Automatically escape regex unsafe chars in banner - -Let the banner_regexify filter escape regex unsafe chars, no need for -manual escaping. ---- - .../httpd_secure_content/var_web_login_banner_text.var | 2 +- - .../system/accounts/accounts-banners/login_banner_text.var | 2 +- - ssg/utils.py | 5 +++++ - 3 files changed, 7 insertions(+), 2 deletions(-) - -diff --git a/linux_os/guide/services/http/securing_httpd/httpd_secure_content/var_web_login_banner_text.var b/linux_os/guide/services/http/securing_httpd/httpd_secure_content/var_web_login_banner_text.var -index e990f0cb23..e59cdc0782 100644 ---- a/linux_os/guide/services/http/securing_httpd/httpd_secure_content/var_web_login_banner_text.var -+++ b/linux_os/guide/services/http/securing_httpd/httpd_secure_content/var_web_login_banner_text.var -@@ -12,7 +12,7 @@ operator: equals - - interactive: false - --{{% set var_dod_default = "You are accessing a U.S. Government \(USG\) Information System \(IS\) that is provided for USG-authorized use only. By using this IS \(which includes any device attached to this IS\), you consent to the following conditions\:\n-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct \(PM\), law enforcement \(LE\), and counterintelligence \(CI\) investigations.\n-At any time, the USG may inspect and seize data stored on this IS.\n-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.\n-This IS includes security measures \(e.g., authentication and access controls\) to protect USG interests--not for your personal benefit or privacy.\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details." %}} -+{{% set var_dod_default = "You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions:\n-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.\n-At any time, the USG may inspect and seize data stored on this IS.\n-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.\n-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details." %}} - {{% set var_dod_short = "I've read & consent to terms in IS user agreem't." %}} - - options: -diff --git a/linux_os/guide/system/accounts/accounts-banners/login_banner_text.var b/linux_os/guide/system/accounts/accounts-banners/login_banner_text.var -index e059174cb5..1c6a39f481 100644 ---- a/linux_os/guide/system/accounts/accounts-banners/login_banner_text.var -+++ b/linux_os/guide/system/accounts/accounts-banners/login_banner_text.var -@@ -12,7 +12,7 @@ operator: equals - - interactive: false - --{{% set var_dod_default="You are accessing a U.S. Government \(USG\) Information System \(IS\) that is provided for USG-authorized use only. By using this IS \(which includes any device attached to this IS\), you consent to the following conditions\:\n-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct \(PM\), law enforcement \(LE\), and counterintelligence \(CI\) investigations.\n-At any time, the USG may inspect and seize data stored on this IS.\n-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.\n-This IS includes security measures \(e.g., authentication and access controls\) to protect USG interests--not for your personal benefit or privacy.\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details." %}} -+{{% set var_dod_default="You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions:\n-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.\n-At any time, the USG may inspect and seize data stored on this IS.\n-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.\n-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details." %}} - {{% set var_dod_short = "I've read & consent to terms in IS user agreem't." %}} - - options: -diff --git a/ssg/utils.py b/ssg/utils.py -index 3823e02a2d..7584e38a16 100644 ---- a/ssg/utils.py -+++ b/ssg/utils.py -@@ -250,4 +250,9 @@ def mkdir_p(path): - raise - - def banner_regexify(banner_text): -+ # We could use re.escape(), but it escapes too many characters, including plain white space. -+ # In python 3.7 the set of charaters escaped by re.escape is reasonable, so lets mimic it. -+ # See https://docs.python.org/3/library/re.html#re.sub -+ # '!', '"', '%', "'", ',', '/', ':', ';', '<', '=', '>', '@', and "`" are not escaped. -+ banner_text = re.sub(r"([#$&*+-.^`|~:()])", r"\\\1", banner_text) - return banner_text.replace("\n", "BFLMPSVZ").replace(" ", "[\s\\n]+").replace("BFLMPSVZ", "(?:[\\n]+|(?:\\\\n)+)") - -From 35e962ce5c5c28d29d120723715d64dcbd567197 Mon Sep 17 00:00:00 2001 -From: Watson Sato -Date: Sun, 8 Mar 2020 17:00:26 +0100 -Subject: [PATCH 21/27] Document the new macros, filter and utility - ---- - docs/manual/developer_guide.adoc | 26 ++++++++++++++++++++++++++ - 1 file changed, 26 insertions(+) - -diff --git a/docs/manual/developer_guide.adoc b/docs/manual/developer_guide.adoc -index 76c1c10218..739a6a823c 100644 ---- a/docs/manual/developer_guide.adoc -+++ b/docs/manual/developer_guide.adoc -@@ -752,6 +752,14 @@ $ ./build-scripts/profile_tool.py sub --profile1 rhel7/profiles/ospp.profile --p - - This will result in a new YAML profile containing exclusive rules to the profile pointed by the --profile1 option. - -+=== Generating login banner regular expressions -+ -+Rules like `banner_etc_issue` and `dconf_gnome_login_banner_text` will check for configuration of login banners and remediate them. Both rules source the banner text from the same variable `login_banner_text`, and the banner texts need to be in the form of a regular expression. -+There are a few utilities you can use to transform your text into the appropriate regular expression: -+ -+When adding a new banner directly to the `login_banner_text`, use the custom Jinja filter `banner_regexify`. + -+If customizing content via SCAP Workbench, or directly writing your tailoring XML, use `utils/regexify_banner.py` to generate the appropriate regular expression. -+ - == Contributing with XCCDFs, OVALs and remediations - - There are three main types of content in the project, they are rules, defined using the XCCDF standard, checks, usually written in link:https://oval.mitre.org/language/about/[OVAL] format, and remediations, that can be executed on ansible, bash, anaconda installer, puppet and ignition. -@@ -1279,6 +1287,8 @@ Jinja macros for Ansible content are located in `/shared/macros-ansible.jinja`. - - `ansible_sshd_set` -- set a parameter in the sshd configuration - - `ansible_etc_profile_set` -- ensure a command gets executed or a variable gets set in /etc/profile or /etc/profile.d - - `ansible_tmux_set` -- set a command in tmux configuration -+- `ansible_deregexify_banner_etc_issue` -- Formats a banner regex for use in /etc/issue -+- `ansible_deregexify_banner_dconf_gnome` -- Formats a banner regex for use in dconf - - They also include several low-level macros: - -@@ -1289,6 +1299,14 @@ They also include several low-level macros: - - `ansible_set_config_file` -- for configuration files; set the given configuration value and ensure no conflicting values - - `ansible_set_config_file_dir` -- for configuration files and files in configuration directories; set the given configuration value and ensure no conflicting values - -+Low level macros to make login banner regular expressions usable in Ansible remediations -+ -+- `ansible_deregexify_multiple_banners` -- Strips multibanner regex and keeps only the first banner -+- `ansible_deregexify_banner_space` -- Strips whitespace or newline regex -+- `ansible_deregexify_banner_newline` -- Strips newline or newline escape sequence regex -+- `ansible_deregexify_banner_newline_token` -- Strips newline token for a newline escape sequence regex -+- `ansible_deregexify_banner_backslash` - Strips backslash regex -+ - When `msg` is absent from any of the above macros, rule title will be substituted instead. - - Whenever possible, please reuse the macros and form high-level simplifications. -@@ -1348,6 +1366,14 @@ Available low-level Jinja macros that can be used in Bash remediations: - - `die` - Function to terminate the remediation - - `set_config_file` - Add an entry to a text configuration file - -+Low level macros to make login banner regular expressions usable in Bash remediations -+ -+- `bash_deregexify_multiple_banners` - Strips multibanner regex and keeps only the first banner -+- `bash_deregexify_banner_space` - Strips whitespace or newline regex -+- `bash_deregexify_banner_newline` - Strips newline or newline escape sequence regex -+- `bash_deregexify_banner_newline_token` - Strips newline token for a newline escape sequence regex -+- `bash_deregexify_banner_backslash` - Strips backslash regex -+ - === Templating - - Writing OVAL checks, Bash, or any other content can be tedious work. For - -From ad5526d6704299cfd01c818fa8a79e3587b90cb5 Mon Sep 17 00:00:00 2001 -From: Watson Sato -Date: Sun, 8 Mar 2020 17:56:44 +0100 -Subject: [PATCH 22/27] Code style fixes - ---- - ssg/jinja.py | 7 ++++++- - ssg/utils.py | 5 ++++- - utils/regexify_banner.py | 1 + - 3 files changed, 11 insertions(+), 2 deletions(-) - -diff --git a/ssg/jinja.py b/ssg/jinja.py -index e779466838..e014768e2b 100644 ---- a/ssg/jinja.py -+++ b/ssg/jinja.py -@@ -10,7 +10,12 @@ - JINJA_MACROS_BASH_DEFINITIONS, - JINJA_MACROS_OVAL_DEFINITIONS, - ) --from .utils import required_key, prodtype_to_name, name_to_platform, prodtype_to_platform, banner_regexify -+from .utils import (required_key, -+ prodtype_to_name, -+ name_to_platform, -+ prodtype_to_platform, -+ banner_regexify -+ ) - - - class MacroError(RuntimeError): -diff --git a/ssg/utils.py b/ssg/utils.py -index 7584e38a16..472ac73b81 100644 ---- a/ssg/utils.py -+++ b/ssg/utils.py -@@ -249,10 +249,13 @@ def mkdir_p(path): - else: - raise - -+ - def banner_regexify(banner_text): - # We could use re.escape(), but it escapes too many characters, including plain white space. - # In python 3.7 the set of charaters escaped by re.escape is reasonable, so lets mimic it. - # See https://docs.python.org/3/library/re.html#re.sub - # '!', '"', '%', "'", ',', '/', ':', ';', '<', '=', '>', '@', and "`" are not escaped. - banner_text = re.sub(r"([#$&*+-.^`|~:()])", r"\\\1", banner_text) -- return banner_text.replace("\n", "BFLMPSVZ").replace(" ", "[\s\\n]+").replace("BFLMPSVZ", "(?:[\\n]+|(?:\\\\n)+)") -+ banner_text = banner_text.replace("\n", "BFLMPSVZ") -+ banner_text = banner_text.replace(" ", "[\\s\\n]+") -+ return banner_text.replace("BFLMPSVZ", "(?:[\\n]+|(?:\\\\n)+)") -diff --git a/utils/regexify_banner.py b/utils/regexify_banner.py -index 7bdf69b702..c794c02a37 100644 ---- a/utils/regexify_banner.py -+++ b/utils/regexify_banner.py -@@ -1,6 +1,7 @@ - import argparse - import ssg.utils - -+ - def parse_args(): - p = argparse.ArgumentParser() - p.add_argument("--output", help="Path to output regexified banner") - -From 86439fed8f2d431da76bd613c87b38c4eda6457b Mon Sep 17 00:00:00 2001 -From: Watson Sato -Date: Wed, 11 Mar 2020 13:44:02 +0100 -Subject: [PATCH 23/27] regexify_banner.py: Set x permission and shebang - ---- - utils/regexify_banner.py | 1 + - 1 file changed, 1 insertion(+) - mode change 100644 => 100755 utils/regexify_banner.py - -diff --git a/utils/regexify_banner.py b/utils/regexify_banner.py -old mode 100644 -new mode 100755 -index c794c02a37..15584693bf ---- a/utils/regexify_banner.py -+++ b/utils/regexify_banner.py -@@ -1,3 +1,4 @@ -+#!/usr/bin/env python - import argparse - import ssg.utils - - -From 556018017f7fbb2d7707aaf673ecd9d4edb53aae Mon Sep 17 00:00:00 2001 -From: Watson Sato -Date: Wed, 11 Mar 2020 14:16:03 +0100 -Subject: [PATCH 24/27] The whole /etc/issue file should be evaluated - -Added test scenario where the banner is followed by an -extraneous line. This caused the rule to pass unexpectedly. - -Updated OVAL check to consider the all lines of /etc/issue the object to -be evaluated and compared against a state. -Also updated Bash remediation to not add extra newline at the end, and -Asnbile remediation to remove any extraneous line in /etc/issue ---- - .../banner_etc_issue/ansible/shared.yml | 7 ++++- - .../banner_etc_issue/bash/shared.sh | 2 -- - .../banner_etc_issue/oval/shared.xml | 8 ++++- - ...ner_etc_issue_disa_with_extra_line.fail.sh | 30 +++++++++++++++++++ - 4 files changed, 43 insertions(+), 4 deletions(-) - create mode 100644 linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/tests/banner_etc_issue_disa_with_extra_line.fail.sh - -diff --git a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/ansible/shared.yml -index 42c19194e4..21f0925268 100644 ---- a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/ansible/shared.yml -+++ b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/ansible/shared.yml -@@ -5,7 +5,12 @@ - # disruption = medium - - (xccdf-var login_banner_text) - --- name: "{{{ rule_title }}}" -+- name: "{{{ rule_title }}} - remove incorrect banner" -+ file: -+ state: absent -+ path: /etc/issue -+ -+- name: "{{{ rule_title }}} - add correct banner" - lineinfile: - dest: /etc/issue - line: '{{{ ansible_deregexify_banner_etc_issue("login_banner_text") }}}' -diff --git a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/bash/shared.sh b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/bash/shared.sh -index 119413005e..1a0c11f569 100644 ---- a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/bash/shared.sh -+++ b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/bash/shared.sh -@@ -17,5 +17,3 @@ formatted=$(echo "$login_banner_text" | fold -sw 80) - cat </etc/issue - $formatted - EOF -- --printf "\n" >> /etc/issue -diff --git a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/oval/shared.xml b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/oval/shared.xml -index 3317251d41..032c65b340 100644 ---- a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/oval/shared.xml -+++ b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/oval/shared.xml -@@ -12,14 +12,20 @@ - - - -+ - - - -+ - /etc/issue -- -+ ^(.*)$ - 1 - - -+ -+ -+ -+ - - - -diff --git a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/tests/banner_etc_issue_disa_with_extra_line.fail.sh b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/tests/banner_etc_issue_disa_with_extra_line.fail.sh -new file mode 100644 -index 0000000000..dfa48bd61a ---- /dev/null -+++ b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/tests/banner_etc_issue_disa_with_extra_line.fail.sh -@@ -0,0 +1,30 @@ -+#!/bin/bash -+# -+# profiles = xccdf_org.ssgproject.content_profile_stig -+ -+# dod_default|dod_short banner -+echo "You are accessing a U.S. Government (USG) Information System (IS) that is -+provided for USG-authorized use only. By using this IS (which includes any -+device attached to this IS), you consent to the following conditions: -+ -+-The USG routinely intercepts and monitors communications on this IS for -+purposes including, but not limited to, penetration testing, COMSEC monitoring, -+network operations and defense, personnel misconduct (PM), law enforcement -+(LE), and counterintelligence (CI) investigations. -+ -+-At any time, the USG may inspect and seize data stored on this IS. -+ -+-Communications using, or data stored on, this IS are not private, are subject -+to routine monitoring, interception, and search, and may be disclosed or used -+for any USG-authorized purpose. -+ -+-This IS includes security measures (e.g., authentication and access controls) -+to protect USG interests--not for your personal benefit or privacy. -+ -+-Notwithstanding the above, using this IS does not constitute consent to PM, LE -+or CI investigative searching or monitoring of the content of privileged -+communications, or work product, related to personal representation or services -+by attorneys, psychotherapists, or clergy, and their assistants. Such -+communications and work product are private and confidential. See User -+Agreement for details. -+Extra line at end." > /etc/issue - -From 488c5259595032f25dd98d45c1b38a65ed248647 Mon Sep 17 00:00:00 2001 -From: Watson Sato -Date: Wed, 11 Mar 2020 18:52:37 +0100 -Subject: [PATCH 25/27] Wrap banner text with regex anchors - -We need to be sure that the whole banners matches the banner variable. -This commit includes a test scenario that reproduces the issue. - -All the harness around banners have been updated, regexify, deregexify -and utility. ---- - .../var_web_login_banner_text.var | 8 ++++---- - .../banner_etc_issue/bash/shared.sh | 10 ++++++---- - .../dconf_gnome_login_banner_text/bash/shared.sh | 12 +++++++----- - .../tests/wrapped_banner.fail.sh | 16 ++++++++++++++++ - .../accounts-banners/login_banner_text.var | 8 ++++---- - shared/macros-ansible.jinja | 10 ++++++++-- - shared/macros-bash.jinja | 7 ++++++- - ssg/jinja.py | 4 +++- - ssg/utils.py | 3 +++ - utils/regexify_banner.py | 1 + - 10 files changed, 58 insertions(+), 21 deletions(-) - create mode 100644 linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/wrapped_banner.fail.sh - -diff --git a/linux_os/guide/services/http/securing_httpd/httpd_secure_content/var_web_login_banner_text.var b/linux_os/guide/services/http/securing_httpd/httpd_secure_content/var_web_login_banner_text.var -index e59cdc0782..dc10e8c3cf 100644 ---- a/linux_os/guide/services/http/securing_httpd/httpd_secure_content/var_web_login_banner_text.var -+++ b/linux_os/guide/services/http/securing_httpd/httpd_secure_content/var_web_login_banner_text.var -@@ -17,7 +17,7 @@ interactive: false - - options: - dod_banners: {{{ "^(" ~ var_dod_default|banner_regexify ~ "|" ~ var_dod_short|banner_regexify ~ ")$" }}} -- dod_default: {{{ var_dod_default|banner_regexify }}} -- dod_short: {{{ var_dod_short|banner_regexify }}} -- dss_odaa_default: {{{ "Use of this or any other DoD interest computer system constitutes consent to monitoring at all times. This is a DoD interest computer system. All DoD interest computer systems and related equipment are intended for the communication, transmission, processing, and storage of official U.S. Government or other authorized information only. All DoD interest computer systems are subject to monitoring at all times to ensure proper functioning of equipment and systems including security devices and systems, to prevent unauthorized use and violations of statutes and security regulations, to deter criminal activity, and for other similar purposes. Any user of a DoD interest computer system should be aware that any information placed in the system is subject to monitoring and is not subject to any expectation of privacy. If monitoring of this or any other DoD interest computer system reveals possible evidence of violation of criminal statutes, this evidence and any other related information, including identification information about the user, may be provided to law enforcement officials. If monitoring of this or any other DoD interest computer systems reveals violations of security regulations or unauthorized use, employees who violate security regulations or make unauthorized use of DoD interest computer systems are subject to appropriate disciplinary action. Use of this or any other DoD interest computer system constitutes consent to monitoring at all times."|banner_regexify }}} -- usgcb_default: {{{ "-- WARNING -- This system is for the use of authorized users only. Individuals using this computer system without authority or in excess of their authority are subject to having all their activities on this system monitored and recorded by system personnel. Anyone using this system expressly consents to such monitoring and is advised that if such monitoring reveals possible evidence of criminal activity system personal may provide the evidence of such monitoring to law enforcement officials."|banner_regexify }}} -+ dod_default: {{{ var_dod_default|banner_regexify|banner_anchor_wrap }}} -+ dod_short: {{{ var_dod_short|banner_regexify|banner_anchor_wrap }}} -+ dss_odaa_default: {{{ "Use of this or any other DoD interest computer system constitutes consent to monitoring at all times. This is a DoD interest computer system. All DoD interest computer systems and related equipment are intended for the communication, transmission, processing, and storage of official U.S. Government or other authorized information only. All DoD interest computer systems are subject to monitoring at all times to ensure proper functioning of equipment and systems including security devices and systems, to prevent unauthorized use and violations of statutes and security regulations, to deter criminal activity, and for other similar purposes. Any user of a DoD interest computer system should be aware that any information placed in the system is subject to monitoring and is not subject to any expectation of privacy. If monitoring of this or any other DoD interest computer system reveals possible evidence of violation of criminal statutes, this evidence and any other related information, including identification information about the user, may be provided to law enforcement officials. If monitoring of this or any other DoD interest computer systems reveals violations of security regulations or unauthorized use, employees who violate security regulations or make unauthorized use of DoD interest computer systems are subject to appropriate disciplinary action. Use of this or any other DoD interest computer system constitutes consent to monitoring at all times."|banner_regexify|banner_anchor_wrap }}} -+ usgcb_default: {{{ "-- WARNING -- This system is for the use of authorized users only. Individuals using this computer system without authority or in excess of their authority are subject to having all their activities on this system monitored and recorded by system personnel. Anyone using this system expressly consents to such monitoring and is advised that if such monitoring reveals possible evidence of criminal activity system personal may provide the evidence of such monitoring to law enforcement officials."|banner_regexify|banner_anchor_wrap }}} -diff --git a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/bash/shared.sh b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/bash/shared.sh -index 1a0c11f569..30449d5e9d 100644 ---- a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/bash/shared.sh -+++ b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/bash/shared.sh -@@ -3,14 +3,16 @@ - populate login_banner_text - - # Multiple regexes transform the banner regex into a usable banner --# 1 - Keep only the first banners if there are multiple, and remove wrapping regex syntax. -+# 0 - Remove anchors around the banner text -+{{{ bash_deregexify_banner_anchors("login_banner_text") }}} -+# 1 - Keep only the first banners if there are multiple - # (dod_banners contains the long and short banner) - {{{ bash_deregexify_multiple_banners("login_banner_text") }}} --# 2- Add spaces ' '. (Transforms regex for "space or newline" into a " ") -+# 2 - Add spaces ' '. (Transforms regex for "space or newline" into a " ") - {{{ bash_deregexify_banner_space("login_banner_text") }}} --# 3- Adds newlines. (Transforms "(?:\[\\n\]+|(?:\\n)+)" into "\n") -+# 3 - Adds newlines. (Transforms "(?:\[\\n\]+|(?:\\n)+)" into "\n") - {{{ bash_deregexify_banner_newline("login_banner_text", "\\n") }}} --# 4- Remove any leftover backslash. (From any parethesis in the banner, for example). -+# 4 - Remove any leftover backslash. (From any parethesis in the banner, for example). - {{{ bash_deregexify_banner_backslash("login_banner_text") }}} - formatted=$(echo "$login_banner_text" | fold -sw 80) - -diff --git a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/bash/shared.sh b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/bash/shared.sh -index 4011932790..85ddd893c6 100644 ---- a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/bash/shared.sh -+++ b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/bash/shared.sh -@@ -3,16 +3,18 @@ - populate login_banner_text - - # Multiple regexes transform the banner regex into a usable banner --# 1 - Keep only the first banners if there are multiple, and remove wrapping regex syntax. -+# 0 - Remove anchors around the banner text -+{{{ bash_deregexify_banner_anchors("login_banner_text") }}} -+# 1 - Keep only the first banners if there are multiple - # (dod_banners contains the long and short banner) - {{{ bash_deregexify_multiple_banners("login_banner_text") }}} --# 2- Add spaces ' '. (Transforms regex for "space or newline" into a " ") -+# 2 - Add spaces ' '. (Transforms regex for "space or newline" into a " ") - {{{ bash_deregexify_banner_space("login_banner_text") }}} --# 3- Adds newline "tokens". (Transforms "(?:\[\\n\]+|(?:\\n)+)" into "(n)*") -+# 3 - Adds newline "tokens". (Transforms "(?:\[\\n\]+|(?:\\n)+)" into "(n)*") - {{{ bash_deregexify_banner_newline("login_banner_text", "(n)*") }}} --# 4- Remove any leftover backslash. (From any parethesis in the banner, for example). -+# 4 - Remove any leftover backslash. (From any parethesis in the banner, for example). - {{{ bash_deregexify_banner_backslash("login_banner_text") }}} --# 5- Removes the newline "token." (Transforms them into newline escape sequences "\n"). -+# 5 - Removes the newline "token." (Transforms them into newline escape sequences "\n"). - # ( Needs to be done after 4, otherwise the escapce sequence will become just "n". - {{{ bash_deregexify_banner_newline_token("login_banner_text")}}} - -diff --git a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/wrapped_banner.fail.sh b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/wrapped_banner.fail.sh -new file mode 100644 -index 0000000000..1c6b9a23af ---- /dev/null -+++ b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/wrapped_banner.fail.sh -@@ -0,0 +1,16 @@ -+#!/bin/bash -+# platform = Red Hat Enterprise Linux 7 -+# profiles = xccdf_org.ssgproject.content_profile_ncp -+ -+source $SHARED/dconf_test_functions.sh -+ -+install_dconf_and_gdm_if_needed -+ -+login_banner_text="Some text before --[\s\n]+WARNING[\s\n]+--[\s\n]*This[\s\n]+system[\s\n]+is[\s\n]+for[\s\n]+the[\s\n]+use[\s\n]+of[\s\n]+authorized[\s\n]+users[\s\n]+only.[\s\n]+Individuals[\s\n]*using[\s\n]+this[\s\n]+computer[\s\n]+system[\s\n]+without[\s\n]+authority[\s\n]+or[\s\n]+in[\s\n]+excess[\s\n]+of[\s\n]+their[\s\n]*authority[\s\n]+are[\s\n]+subject[\s\n]+to[\s\n]+having[\s\n]+all[\s\n]+their[\s\n]+activities[\s\n]+on[\s\n]+this[\s\n]+system[\s\n]*monitored[\s\n]+and[\s\n]+recorded[\s\n]+by[\s\n]+system[\s\n]+personnel.[\s\n]+Anyone[\s\n]+using[\s\n]+this[\s\n]*system[\s\n]+expressly[\s\n]+consents[\s\n]+to[\s\n]+such[\s\n]+monitoring[\s\n]+and[\s\n]+is[\s\n]+advised[\s\n]+that[\s\n]*if[\s\n]+such[\s\n]+monitoring[\s\n]+reveals[\s\n]+possible[\s\n]+evidence[\s\n]+of[\s\n]+criminal[\s\n]+activity[\s\n]*system[\s\n]+personal[\s\n]+may[\s\n]+provide[\s\n]+the[\s\n]+evidence[\s\n]+of[\s\n]+such[\s\n]+monitoring[\s\n]+to[\s\n]+law[\s\n]*enforcement[\s\n]+officials. And some after." -+expanded=$(echo "$login_banner_text" | sed 's/(\\\\\x27)\*/\\\x27/g;s/(\\\x27)\*//g;s/(\\\\\x27)/tamere/g;s/(\^\(.*\)\$|.*$/\1/g;s/\[\\s\\n\][+*]/ /g;s/\\//g;s/(n)\*/\\n/g;s/\x27/\\\x27/g;') -+ -+clean_dconf_settings -+add_dconf_setting "org/gnome/login-screen" "banner-message-text" "'${expanded}'" "gdm.d" "00-security-settings" -+add_dconf_lock "org/gnome/login-screen" "banner-message-text" "gdm.d" "00-security-settings-lock" -+ -+dconf update -diff --git a/linux_os/guide/system/accounts/accounts-banners/login_banner_text.var b/linux_os/guide/system/accounts/accounts-banners/login_banner_text.var -index 1c6a39f481..d00782f380 100644 ---- a/linux_os/guide/system/accounts/accounts-banners/login_banner_text.var -+++ b/linux_os/guide/system/accounts/accounts-banners/login_banner_text.var -@@ -18,7 +18,7 @@ interactive: false - options: - # First banner in 'dod_banners' must be the banner for desktop, laptop, and other devices which accomodate banners of 1300 characters - dod_banners: {{{ "^(" ~ var_dod_default|banner_regexify ~ "|" ~ var_dod_short|banner_regexify ~ ")$" }}} -- dod_default: {{{ var_dod_default|banner_regexify }}} -- dod_short: {{{ var_dod_short|banner_regexify }}} -- dss_odaa_default: {{{ "Use of this or any other DoD interest computer system constitutes consent to monitoring at all times. This is a DoD interest computer system. All DoD interest computer systems and related equipment are intended for the communication, transmission, processing, and storage of official U.S. Government or other authorized information only. All DoD interest computer systems are subject to monitoring at all times to ensure proper functioning of equipment and systems including security devices and systems, to prevent unauthorized use and violations of statutes and security regulations, to deter criminal activity, and for other similar purposes. Any user of a DoD interest computer system should be aware that any information placed in the system is subject to monitoring and is not subject to any expectation of privacy. If monitoring of this or any other DoD interest computer system reveals possible evidence of violation of criminal statutes, this evidence and any other related information, including identification information about the user, may be provided to law enforcement officials. If monitoring of this or any other DoD interest computer systems reveals violations of security regulations or unauthorized use, employees who violate security regulations or make unauthorized use of DoD interest computer systems are subject to appropriate disciplinary action. Use of this or any other DoD interest computer system constitutes consent to monitoring at all times."|banner_regexify }}} -- usgcb_default: {{{ "-- WARNING -- This system is for the use of authorized users only. Individuals using this computer system without authority or in excess of their authority are subject to having all their activities on this system monitored and recorded by system personnel. Anyone using this system expressly consents to such monitoring and is advised that if such monitoring reveals possible evidence of criminal activity system personal may provide the evidence of such monitoring to law enforcement officials."|banner_regexify }}} -+ dod_default: {{{ var_dod_default|banner_regexify|banner_anchor_wrap }}} -+ dod_short: {{{ var_dod_short|banner_regexify|banner_anchor_wrap }}} -+ dss_odaa_default: {{{ "Use of this or any other DoD interest computer system constitutes consent to monitoring at all times. This is a DoD interest computer system. All DoD interest computer systems and related equipment are intended for the communication, transmission, processing, and storage of official U.S. Government or other authorized information only. All DoD interest computer systems are subject to monitoring at all times to ensure proper functioning of equipment and systems including security devices and systems, to prevent unauthorized use and violations of statutes and security regulations, to deter criminal activity, and for other similar purposes. Any user of a DoD interest computer system should be aware that any information placed in the system is subject to monitoring and is not subject to any expectation of privacy. If monitoring of this or any other DoD interest computer system reveals possible evidence of violation of criminal statutes, this evidence and any other related information, including identification information about the user, may be provided to law enforcement officials. If monitoring of this or any other DoD interest computer systems reveals violations of security regulations or unauthorized use, employees who violate security regulations or make unauthorized use of DoD interest computer systems are subject to appropriate disciplinary action. Use of this or any other DoD interest computer system constitutes consent to monitoring at all times."|banner_regexify|banner_anchor_wrap }}} -+ usgcb_default: {{{ "-- WARNING -- This system is for the use of authorized users only. Individuals using this computer system without authority or in excess of their authority are subject to having all their activities on this system monitored and recorded by system personnel. Anyone using this system expressly consents to such monitoring and is advised that if such monitoring reveals possible evidence of criminal activity system personal may provide the evidence of such monitoring to law enforcement officials."|banner_regexify|banner_anchor_wrap }}} -diff --git a/shared/macros-ansible.jinja b/shared/macros-ansible.jinja -index 5deb7ceb80..11fb79a4d9 100644 ---- a/shared/macros-ansible.jinja -+++ b/shared/macros-ansible.jinja -@@ -225,6 +225,7 @@ - #}} - {{% macro ansible_deregexify_banner_etc_issue(banner_var_name) -%}} - {{ {{{ banner_var_name }}} | -+{{{ ansible_deregexify_banner_anchors() }}} | - {{{ ansible_deregexify_multiple_banners() }}} | - {{{ ansible_deregexify_banner_space() }}} | - {{{ ansible_deregexify_banner_newline("\\n") }}} | -@@ -239,6 +240,7 @@ wordwrap() }} - #}} - {{% macro ansible_deregexify_banner_dconf_gnome(banner_var_name) -%}} - ''{{ {{{ banner_var_name }}} | -+{{{ ansible_deregexify_banner_anchors() }}} | - {{{ ansible_deregexify_multiple_banners() }}} | - {{{ ansible_deregexify_banner_space() }}} | - {{{ ansible_deregexify_banner_newline("(n)*") }}} | -@@ -246,10 +248,14 @@ wordwrap() }} - {{{ ansible_deregexify_banner_newline_token()}}} }}'' - {{%- endmacro %}} - -- line: '{{ login_banner_text | | regex_replace("\\", "") | wordwrap() }}' -+{{# Strips anchors around the banner #}} -+{{% macro ansible_deregexify_banner_anchors() -%}} -+regex_replace("^\^(.*)\$$", "\1") -+{{%- endmacro %}} -+ - {{# Strips multibanner regex and keeps only the first banner #}} - {{% macro ansible_deregexify_multiple_banners() -%}} --regex_replace("\^\((.*)\|.*$", "\1") -+regex_replace("\((.*)\|.*$", "\1") - {{%- endmacro %}} - - {{# Strips whitespace or newline regex #}} -diff --git a/shared/macros-bash.jinja b/shared/macros-bash.jinja -index 6d72684c6d..03b381c3ca 100644 ---- a/shared/macros-bash.jinja -+++ b/shared/macros-bash.jinja -@@ -522,9 +522,14 @@ cat << 'EOF' > {{{ filepath }}} - EOF - {{%- endmacro %}} - -+{{# Strips anchors regex around the banner text #}} -+{{% macro bash_deregexify_banner_anchors(banner_var_name) -%}} -+{{{ banner_var_name }}}=$(echo "${{{ banner_var_name }}}" | sed 's/^\^\(.*\)\$$/\1/g') -+{{%- endmacro %}} -+ - {{# Strips multibanner regex and keeps only the first banner #}} - {{% macro bash_deregexify_multiple_banners(banner_var_name) -%}} --{{{ banner_var_name }}}=$(echo "${{{ banner_var_name }}}" | sed 's/\^(\(.*\)|.*$/\1/g') -+{{{ banner_var_name }}}=$(echo "${{{ banner_var_name }}}" | sed 's/(\(.*\)|.*$/\1/g') - {{%- endmacro %}} - - {{# Strips whitespace or newline regex #}} -diff --git a/ssg/jinja.py b/ssg/jinja.py -index e014768e2b..da3e403a1b 100644 ---- a/ssg/jinja.py -+++ b/ssg/jinja.py -@@ -14,7 +14,8 @@ - prodtype_to_name, - name_to_platform, - prodtype_to_platform, -- banner_regexify -+ banner_regexify, -+ banner_anchor_wrap - ) - - -@@ -77,6 +78,7 @@ def _get_jinja_environment(substitutions_dict): - bytecode_cache=bytecode_cache - ) - _get_jinja_environment.env.filters['banner_regexify'] = banner_regexify -+ _get_jinja_environment.env.filters['banner_anchor_wrap'] = banner_anchor_wrap - - return _get_jinja_environment.env - -diff --git a/ssg/utils.py b/ssg/utils.py -index 472ac73b81..9b437d5556 100644 ---- a/ssg/utils.py -+++ b/ssg/utils.py -@@ -259,3 +259,6 @@ def banner_regexify(banner_text): - banner_text = banner_text.replace("\n", "BFLMPSVZ") - banner_text = banner_text.replace(" ", "[\\s\\n]+") - return banner_text.replace("BFLMPSVZ", "(?:[\\n]+|(?:\\\\n)+)") -+ -+def banner_anchor_wrap(banner_text): -+ return "^" + banner_text + "$" -diff --git a/utils/regexify_banner.py b/utils/regexify_banner.py -index 15584693bf..c17213d66d 100755 ---- a/utils/regexify_banner.py -+++ b/utils/regexify_banner.py -@@ -19,6 +19,7 @@ def main(): - banner_text = file_in.read().rstrip() - - banner_regex = ssg.utils.banner_regexify(banner_text) -+ banner_regex = ssg.utils.banner_anchor_wrap(banner_text) - - if args.output: - with open(args.output, "w") as file_out: - -From d30eb89a68ae536707b8535c47eba4a422e2f252 Mon Sep 17 00:00:00 2001 -From: Watson Sato -Date: Thu, 12 Mar 2020 13:27:22 +0100 -Subject: [PATCH 26/27] Fix call of banner_anchor_wrap - ---- - utils/regexify_banner.py | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/utils/regexify_banner.py b/utils/regexify_banner.py -index c17213d66d..16ec4ba6ef 100755 ---- a/utils/regexify_banner.py -+++ b/utils/regexify_banner.py -@@ -19,7 +19,7 @@ def main(): - banner_text = file_in.read().rstrip() - - banner_regex = ssg.utils.banner_regexify(banner_text) -- banner_regex = ssg.utils.banner_anchor_wrap(banner_text) -+ banner_regex = ssg.utils.banner_anchor_wrap(banner_regex) - - if args.output: - with open(args.output, "w") as file_out: - -From 90280f39e8548f2a7a22d1e328de72bc1b756099 Mon Sep 17 00:00:00 2001 -From: Watson Sato -Date: Thu, 12 Mar 2020 16:09:25 +0100 -Subject: [PATCH 27/27] Fix multiple banner regex stripping - -Anchor the opening parenthesis to beginning of banner, and add anchord -closing parenthesis to pattern. ---- - shared/macros-ansible.jinja | 2 +- - shared/macros-bash.jinja | 2 +- - 2 files changed, 2 insertions(+), 2 deletions(-) - -diff --git a/shared/macros-ansible.jinja b/shared/macros-ansible.jinja -index 11fb79a4d9..b020246ef2 100644 ---- a/shared/macros-ansible.jinja -+++ b/shared/macros-ansible.jinja -@@ -255,7 +255,7 @@ regex_replace("^\^(.*)\$$", "\1") - - {{# Strips multibanner regex and keeps only the first banner #}} - {{% macro ansible_deregexify_multiple_banners() -%}} --regex_replace("\((.*)\|.*$", "\1") -+regex_replace("^\((.*)\|.*\)$", "\1") - {{%- endmacro %}} - - {{# Strips whitespace or newline regex #}} -diff --git a/shared/macros-bash.jinja b/shared/macros-bash.jinja -index 03b381c3ca..bc6c6f6486 100644 ---- a/shared/macros-bash.jinja -+++ b/shared/macros-bash.jinja -@@ -529,7 +529,7 @@ EOF - - {{# Strips multibanner regex and keeps only the first banner #}} - {{% macro bash_deregexify_multiple_banners(banner_var_name) -%}} --{{{ banner_var_name }}}=$(echo "${{{ banner_var_name }}}" | sed 's/(\(.*\)|.*$/\1/g') -+{{{ banner_var_name }}}=$(echo "${{{ banner_var_name }}}" | sed 's/^(\(.*\)|.*)$/\1/g') - {{%- endmacro %}} - - {{# Strips whitespace or newline regex #}} diff --git a/SOURCES/scap-security-guide-0.1.50-ssh_references_PR_5297.patch b/SOURCES/scap-security-guide-0.1.50-ssh_references_PR_5297.patch deleted file mode 100644 index c293cc4..0000000 --- a/SOURCES/scap-security-guide-0.1.50-ssh_references_PR_5297.patch +++ /dev/null @@ -1,324 +0,0 @@ -From 287fec018a738821ed62670fd202c3db40ed5300 Mon Sep 17 00:00:00 2001 -From: Watson Sato -Date: Mon, 16 Mar 2020 19:37:57 +0100 -Subject: [PATCH 1/4] Select rules for SSH and add references - ---- - .../rule.yml | 1 + - .../file_permissions_sshd_pub_key/rule.yml | 1 + - .../ssh/ssh_server/disable_host_auth/rule.yml | 3 +- - .../sshd_disable_empty_passwords/rule.yml | 3 +- - .../ssh_server/sshd_disable_rhosts/rule.yml | 3 +- - .../sshd_disable_root_login/rule.yml | 3 +- - .../sshd_do_not_permit_user_env/rule.yml | 3 +- - .../sshd_enable_warning_banner/rule.yml | 3 +- - .../sshd_enable_x11_forwarding/rule.yml | 3 +- - .../ssh_server/sshd_set_idle_timeout/rule.yml | 3 +- - .../ssh_server/sshd_set_keepalive/rule.yml | 3 +- - .../sshd_set_loglevel_info/rule.yml | 1 + - .../sshd_set_max_auth_tries/rule.yml | 1 + - .../configure_ssh_crypto_policy/rule.yml | 1 + - 15 files changed, 51 insertions(+), 22 deletions(-) - -diff --git a/linux_os/guide/services/ssh/file_permissions_sshd_private_key/rule.yml b/linux_os/guide/services/ssh/file_permissions_sshd_private_key/rule.yml -index b1b7ccabaa..108c9c5ce0 100644 ---- a/linux_os/guide/services/ssh/file_permissions_sshd_private_key/rule.yml -+++ b/linux_os/guide/services/ssh/file_permissions_sshd_private_key/rule.yml -@@ -33,6 +33,7 @@ references: - cobit5: APO01.06,DSS05.04,DSS05.07,DSS06.02 - iso27001-2013: A.10.1.1,A.11.1.4,A.11.1.5,A.11.2.1,A.13.1.1,A.13.1.3,A.13.2.1,A.13.2.3,A.13.2.4,A.14.1.2,A.14.1.3,A.6.1.2,A.7.1.1,A.7.1.2,A.7.3.1,A.8.2.2,A.8.2.3,A.9.1.1,A.9.1.2,A.9.2.3,A.9.4.1,A.9.4.4,A.9.4.5 - cis-csc: 12,13,14,15,16,18,3,5 -+ cis@rhel8: 5.2.3 - - ocil_clause: '{{{ ocil_clause_file_permissions(file="/etc/ssh/*_key", perms="-rw-r-----") }}}' - -diff --git a/linux_os/guide/services/ssh/file_permissions_sshd_pub_key/rule.yml b/linux_os/guide/services/ssh/file_permissions_sshd_pub_key/rule.yml -index da3dead155..714b507db1 100644 ---- a/linux_os/guide/services/ssh/file_permissions_sshd_pub_key/rule.yml -+++ b/linux_os/guide/services/ssh/file_permissions_sshd_pub_key/rule.yml -@@ -28,6 +28,7 @@ references: - cobit5: APO01.06,DSS05.04,DSS05.07,DSS06.02 - iso27001-2013: A.10.1.1,A.11.1.4,A.11.1.5,A.11.2.1,A.13.1.1,A.13.1.3,A.13.2.1,A.13.2.3,A.13.2.4,A.14.1.2,A.14.1.3,A.6.1.2,A.7.1.1,A.7.1.2,A.7.3.1,A.8.2.2,A.8.2.3,A.9.1.1,A.9.1.2,A.9.2.3,A.9.4.1,A.9.4.4,A.9.4.5 - cis-csc: 12,13,14,15,16,18,3,5 -+ cis@rhel8: 5.2.4 - - ocil_clause: '{{{ ocil_clause_file_permissions(file="/etc/ssh/*.pub", perms="-rw-r--r--") }}}' - -diff --git a/linux_os/guide/services/ssh/ssh_server/disable_host_auth/rule.yml b/linux_os/guide/services/ssh/ssh_server/disable_host_auth/rule.yml -index de5580b9f5..9db9fd7516 100644 ---- a/linux_os/guide/services/ssh/ssh_server/disable_host_auth/rule.yml -+++ b/linux_os/guide/services/ssh/ssh_server/disable_host_auth/rule.yml -@@ -27,7 +27,8 @@ references: - stigid@rhel6: "000236" - srg@rhel6: SRG-OS-000106 - disa@rhel6: 765,766 -- cis: 5.2.7 -+ cis@rhel8: 5.2.7 -+ cis@rhel8: 5.2.9 - cjis: 5.5.6 - cui: 3.1.12 - disa: "366" -diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_empty_passwords/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_disable_empty_passwords/rule.yml -index 25908a4e4d..b9bbe1e48e 100644 ---- a/linux_os/guide/services/ssh/ssh_server/sshd_disable_empty_passwords/rule.yml -+++ b/linux_os/guide/services/ssh/ssh_server/sshd_disable_empty_passwords/rule.yml -@@ -28,7 +28,8 @@ references: - stigid@rhel6: "000239" - srg@rhel6: SRG-OS-000106 - disa@rhel6: 765,766 -- cis: 5.2.9 -+ cis@rhel7: 5.2.9 -+ cis@rhel8: 5.2.11 - cjis: 5.5.6 - cui: 3.1.1,3.1.5 - disa: "366" -diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_rhosts/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_disable_rhosts/rule.yml -index fd960a55ae..3a5d16c052 100644 ---- a/linux_os/guide/services/ssh/ssh_server/sshd_disable_rhosts/rule.yml -+++ b/linux_os/guide/services/ssh/ssh_server/sshd_disable_rhosts/rule.yml -@@ -27,7 +27,8 @@ references: - stigid@rhel6: "000234" - srg@rhel6: SRG-OS-000106 - disa@rhel6: 765,766 -- cis: 5.2.6 -+ ci@rhel8s: 5.2.6 -+ ci@rhel8s: 5.2.8 - cjis: 5.5.6 - cui: 3.1.12 - disa: "366" -diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_root_login/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_disable_root_login/rule.yml -index 8b9cba960f..c6e7d7986c 100644 ---- a/linux_os/guide/services/ssh/ssh_server/sshd_disable_root_login/rule.yml -+++ b/linux_os/guide/services/ssh/ssh_server/sshd_disable_root_login/rule.yml -@@ -28,7 +28,8 @@ references: - stigid@rhel6: "000237" - srg@rhel6: SRG-OS-000109 - disa@rhel6: '770' -- cis: 5.2.8 -+ cis@rhel7: 5.2.8 -+ cis@rhel8: 5.2.10 - cjis: 5.5.6 - cui: '3.1.1,3.1.5' - disa: 366,770 -diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_do_not_permit_user_env/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_do_not_permit_user_env/rule.yml -index f25d2a690a..f1a09a1b8d 100644 ---- a/linux_os/guide/services/ssh/ssh_server/sshd_do_not_permit_user_env/rule.yml -+++ b/linux_os/guide/services/ssh/ssh_server/sshd_do_not_permit_user_env/rule.yml -@@ -23,7 +23,8 @@ references: - stigid@rhel6: "000241" - srg@rhel6: SRG-OS-000242 - disa@rhel6: '1414' -- cis: 5.2.10 -+ cis@rhel7: 5.2.10 -+ cis@rhel8: 5.2.12 - cjis: 5.5.6 - cui: 3.1.12 - disa: "366" -diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_enable_warning_banner/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_enable_warning_banner/rule.yml -index f32287ff7c..4aa26eeb90 100644 ---- a/linux_os/guide/services/ssh/ssh_server/sshd_enable_warning_banner/rule.yml -+++ b/linux_os/guide/services/ssh/ssh_server/sshd_enable_warning_banner/rule.yml -@@ -25,7 +25,8 @@ identifiers: - references: - stigid@rhel6: "000240" - srg@rhel6: SRG-OS-000023 -- cis: 5.2.16 -+ cis@rhel7: 5.2.15 -+ cis@rhel8: 5.2.15 - cjis: 5.5.6 - cui: 3.1.9 - disa: 48,50,1384,1385,1386,1387,1388 -diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_enable_x11_forwarding/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_enable_x11_forwarding/rule.yml -index 5d50c2ed07..5fdca265fa 100644 ---- a/linux_os/guide/services/ssh/ssh_server/sshd_enable_x11_forwarding/rule.yml -+++ b/linux_os/guide/services/ssh/ssh_server/sshd_enable_x11_forwarding/rule.yml -@@ -22,7 +22,8 @@ identifiers: - cce@rhel8: 82421-9 - - references: -- cis: 5.2.4 -+ cis@rhel7: 5.2.4 -+ cis@rhel8: 5.2.6 - cui: 3.1.13 - disa: "366" - nist: CM-6(a),AC-17(a),AC-17(2) -diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/rule.yml -index 7cf263bef4..347610cd6f 100644 ---- a/linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/rule.yml -+++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/rule.yml -@@ -34,7 +34,8 @@ references: - stigid@rhel6: "000230" - srg@rhel6: SRG-OS-000163 - disa@rhel6: '879' -- cis: 5.2.12 -+ cis@rhel7: 5.2.12 -+ cis@rhel8: 5.2.13 - cjis: 5.5.6 - cui: 3.1.11 - disa: 879,1133,2361 -diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/rule.yml -index cc9f62b0af..65aac90ace 100644 ---- a/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/rule.yml -+++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/rule.yml -@@ -23,7 +23,8 @@ references: - stigid@rhel6: "000231" - srg@rhel6: SRG-OS-000126 - disa@rhel6: '879' -- cis: 5.2.12 -+ cis@rhel7: 5.2.12 -+ cis@rhel8: 5.2.13 - cjis: 5.5.6 - cui: 3.1.11 - disa: 879,1133,2361 -diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_loglevel_info/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_set_loglevel_info/rule.yml -index 26eca336b2..e9e84cdf9b 100644 ---- a/linux_os/guide/services/ssh/ssh_server/sshd_set_loglevel_info/rule.yml -+++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_loglevel_info/rule.yml -@@ -26,6 +26,7 @@ references: - cis@debian8: 9.3.2 - cis@debian10: 9.3.2 - cis@rhel7: 5.2.3 -+ cis@rhel8: 5.2.5 - nist: AC-17(a),CM-6(a) - - ocil_clause: 'it is commented out or is not enabled' -diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/rule.yml -index 6fd7a4b6bd..1661b78773 100644 ---- a/linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/rule.yml -+++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/rule.yml -@@ -21,6 +21,7 @@ references: - cis@debian8: 9.3.5 - cis@debian9: 9.3.5 - cis@rhel7: 5.2.5 -+ cis@rhel8: 5.2.7 - - ocil_clause: 'it is commented out or not configured properly' - -diff --git a/linux_os/guide/system/software/integrity/crypto/configure_ssh_crypto_policy/rule.yml b/linux_os/guide/system/software/integrity/crypto/configure_ssh_crypto_policy/rule.yml -index b9d8b06028..db5ce07f0e 100644 ---- a/linux_os/guide/system/software/integrity/crypto/configure_ssh_crypto_policy/rule.yml -+++ b/linux_os/guide/system/software/integrity/crypto/configure_ssh_crypto_policy/rule.yml -@@ -23,6 +23,7 @@ identifiers: - - references: - nist: AC-17(a),AC-17(2),CM-6(a),MA-4(6),SC-13 -+ cis@rhel8: 5.2.20 - - ocil_clause: 'the CRYPTO_POLICY variable is not set or is commented in the /etc/sysconfig/sshd' - -From 74741eeab94571d881faf27221c75b2b3ea98c0f Mon Sep 17 00:00:00 2001 -From: Watson Sato -Date: Tue, 17 Mar 2020 15:08:50 +0100 -Subject: [PATCH 2/4] Fix typos in CIS references - ---- - .../guide/services/ssh/ssh_server/disable_host_auth/rule.yml | 2 +- - .../services/ssh/ssh_server/sshd_disable_rhosts/rule.yml | 4 ++-- - 2 files changed, 3 insertions(+), 3 deletions(-) - -diff --git a/linux_os/guide/services/ssh/ssh_server/disable_host_auth/rule.yml b/linux_os/guide/services/ssh/ssh_server/disable_host_auth/rule.yml -index 9db9fd7516..d19bfd4538 100644 ---- a/linux_os/guide/services/ssh/ssh_server/disable_host_auth/rule.yml -+++ b/linux_os/guide/services/ssh/ssh_server/disable_host_auth/rule.yml -@@ -27,7 +27,7 @@ references: - stigid@rhel6: "000236" - srg@rhel6: SRG-OS-000106 - disa@rhel6: 765,766 -- cis@rhel8: 5.2.7 -+ cis@rhel7: 5.2.7 - cis@rhel8: 5.2.9 - cjis: 5.5.6 - cui: 3.1.12 -diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_rhosts/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_disable_rhosts/rule.yml -index 3a5d16c052..5dafad7462 100644 ---- a/linux_os/guide/services/ssh/ssh_server/sshd_disable_rhosts/rule.yml -+++ b/linux_os/guide/services/ssh/ssh_server/sshd_disable_rhosts/rule.yml -@@ -27,8 +27,8 @@ references: - stigid@rhel6: "000234" - srg@rhel6: SRG-OS-000106 - disa@rhel6: 765,766 -- ci@rhel8s: 5.2.6 -- ci@rhel8s: 5.2.8 -+ cis@rhel7: 5.2.6 -+ cis@rhel8: 5.2.8 - cjis: 5.5.6 - cui: 3.1.12 - disa: "366" - -From 65f019d15c73a2d4f081a1506939d862bda946cf Mon Sep 17 00:00:00 2001 -From: Watson Sato -Date: Tue, 17 Mar 2020 19:43:16 +0100 -Subject: [PATCH 3/4] Update CIS references for sshd_config - ---- - .../guide/services/ssh/file_groupowner_sshd_config/rule.yml | 3 ++- - linux_os/guide/services/ssh/file_owner_sshd_config/rule.yml | 3 ++- - .../guide/services/ssh/file_permissions_sshd_config/rule.yml | 3 ++- - 3 files changed, 6 insertions(+), 3 deletions(-) - -diff --git a/linux_os/guide/services/ssh/file_groupowner_sshd_config/rule.yml b/linux_os/guide/services/ssh/file_groupowner_sshd_config/rule.yml -index a9c09765d0..e53ac9d6b9 100644 ---- a/linux_os/guide/services/ssh/file_groupowner_sshd_config/rule.yml -+++ b/linux_os/guide/services/ssh/file_groupowner_sshd_config/rule.yml -@@ -21,7 +21,8 @@ identifiers: - cce@rhel8: 82901-0 - - references: -- cis: 5.2.1 -+ cis@rhel7: 5.2.1 -+ cis@rhel8: 5.2.1 - nist: AC-17(a),CM-6(a),AC-6(1) - nist-csf: PR.AC-4,PR.DS-5 - srg: SRG-OS-000480-GPOS-00227 -diff --git a/linux_os/guide/services/ssh/file_owner_sshd_config/rule.yml b/linux_os/guide/services/ssh/file_owner_sshd_config/rule.yml -index 5a80d04763..ca1cc19eeb 100644 ---- a/linux_os/guide/services/ssh/file_owner_sshd_config/rule.yml -+++ b/linux_os/guide/services/ssh/file_owner_sshd_config/rule.yml -@@ -21,7 +21,8 @@ identifiers: - cce@rhel8: 82898-8 - - references: -- cis: 5.2.1 -+ cis@rhel7: 5.2.1 -+ cis@rhel8: 5.2.1 - nist: AC-17(a),CM-6(a),AC-6(1) - nist-csf: PR.AC-4,PR.DS-5 - srg: SRG-OS-000480-GPOS-00227 -diff --git a/linux_os/guide/services/ssh/file_permissions_sshd_config/rule.yml b/linux_os/guide/services/ssh/file_permissions_sshd_config/rule.yml -index 13bdab401e..e40868dac4 100644 ---- a/linux_os/guide/services/ssh/file_permissions_sshd_config/rule.yml -+++ b/linux_os/guide/services/ssh/file_permissions_sshd_config/rule.yml -@@ -21,7 +21,8 @@ identifiers: - cce@rhel8: 82894-7 - - references: -- cis: 5.2.1 -+ cis@rhel7: 5.2.1 -+ cis@rhel8: 5.2.1 - nist: AC-17(a),CM-6(a),AC-6(1) - nist-csf: PR.AC-4,PR.DS-5 - srg: SRG-OS-000480-GPOS-00227 - -From 9b9f7978409f23775f623d1c398f5b448ac73c94 Mon Sep 17 00:00:00 2001 -From: Watson Sato -Date: Thu, 19 Mar 2020 13:17:03 +0100 -Subject: [PATCH 4/4] Remove incorrect rule selection and its references - -Policy would like X11 forwarding disabled, not enabled. ---- - .../services/ssh/ssh_server/sshd_enable_x11_forwarding/rule.yml | 2 -- - 2 files changed, 1 insertion(+), 3 deletions(-) - -diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_enable_x11_forwarding/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_enable_x11_forwarding/rule.yml -index 5fdca265fa..4dedae6e8b 100644 ---- a/linux_os/guide/services/ssh/ssh_server/sshd_enable_x11_forwarding/rule.yml -+++ b/linux_os/guide/services/ssh/ssh_server/sshd_enable_x11_forwarding/rule.yml -@@ -22,8 +22,6 @@ identifiers: - cce@rhel8: 82421-9 - - references: -- cis@rhel7: 5.2.4 -- cis@rhel8: 5.2.6 - cui: 3.1.13 - disa: "366" - nist: CM-6(a),AC-17(a),AC-17(2) diff --git a/SOURCES/scap-security-guide-0.1.50-sshd_allow_p2.patch b/SOURCES/scap-security-guide-0.1.50-sshd_allow_p2.patch deleted file mode 100644 index f1061b2..0000000 --- a/SOURCES/scap-security-guide-0.1.50-sshd_allow_p2.patch +++ /dev/null @@ -1,137 +0,0 @@ -From 1d9a85c7b4e2f168d48884db10c7c71a534588d2 Mon Sep 17 00:00:00 2001 -From: Vojtech Polasek -Date: Tue, 14 Apr 2020 16:38:09 +0200 -Subject: [PATCH 1/2] sshd_allow_only_protocol2 revert from template to - individual check and remediations - ---- - .../ansible/shared.yml | 6 +++ - .../sshd_allow_only_protocol2/bash/shared.sh | 6 +++ - .../sshd_allow_only_protocol2/oval/shared.xml | 45 +++++++++++++++++++ - .../sshd_allow_only_protocol2/rule.yml | 8 ---- - 4 files changed, 57 insertions(+), 8 deletions(-) - create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_allow_only_protocol2/ansible/shared.yml - create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_allow_only_protocol2/bash/shared.sh - create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_allow_only_protocol2/oval/shared.xml - -diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_allow_only_protocol2/ansible/shared.yml b/linux_os/guide/services/ssh/ssh_server/sshd_allow_only_protocol2/ansible/shared.yml -new file mode 100644 -index 0000000000..39102e5d78 ---- /dev/null -+++ b/linux_os/guide/services/ssh/ssh_server/sshd_allow_only_protocol2/ansible/shared.yml -@@ -0,0 +1,6 @@ -+# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv -+# reboot = false -+# strategy = restrict -+# complexity = low -+# disruption = low -+{{{ ansible_sshd_set(parameter="Protocol", value="2") }}} -diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_allow_only_protocol2/bash/shared.sh b/linux_os/guide/services/ssh/ssh_server/sshd_allow_only_protocol2/bash/shared.sh -new file mode 100644 -index 0000000000..590e96d150 ---- /dev/null -+++ b/linux_os/guide/services/ssh/ssh_server/sshd_allow_only_protocol2/bash/shared.sh -@@ -0,0 +1,6 @@ -+# platform = multi_platform_rhel,multi_platform_ol,multi_platform_rhv -+ -+# Include source function library. -+. /usr/share/scap-security-guide/remediation_functions -+ -+replace_or_append '/etc/ssh/sshd_config' '^Protocol' '2' '@CCENUM@' '%s %s' -diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_allow_only_protocol2/oval/shared.xml b/linux_os/guide/services/ssh/ssh_server/sshd_allow_only_protocol2/oval/shared.xml -new file mode 100644 -index 0000000000..948c40561c ---- /dev/null -+++ b/linux_os/guide/services/ssh/ssh_server/sshd_allow_only_protocol2/oval/shared.xml -@@ -0,0 +1,45 @@ -+ -+ -+ -+ Ensure Only Protocol 2 Connections Allowed -+ -+ multi_platform_wrlinux -+ multi_platform_rhel -+ multi_platform_rhv -+ multi_platform_debian -+ multi_platform_ubuntu -+ multi_platform_ol -+ -+ The OpenSSH daemon should be running protocol 2. -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ /etc/ssh/sshd_config -+ ^[\s]*(?i)Protocol[\s]+2[\s]*(?:|(?:#.*))?$ -+ 1 -+ -+ -diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_allow_only_protocol2/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_allow_only_protocol2/rule.yml -index c0cb97c9e8..2c91fd0c36 100644 ---- a/linux_os/guide/services/ssh/ssh_server/sshd_allow_only_protocol2/rule.yml -+++ b/linux_os/guide/services/ssh/ssh_server/sshd_allow_only_protocol2/rule.yml -@@ -62,11 +62,3 @@ warnings: - As of openssh-server version 7.4 and above, the only protocol - supported is version 2, and line
Protocol 2
in - /etc/ssh/sshd_config is not necessary. -- --template: -- name: sshd_lineinfile -- vars: -- missing_parameter_pass: 'false' -- parameter: Protocol -- rule_id: sshd_allow_only_protocol2 -- value: '2' - -From 4993ccd288caa17aad8888b065cfbff605ff1c24 Mon Sep 17 00:00:00 2001 -From: Vojtech Polasek -Date: Wed, 15 Apr 2020 09:56:35 +0200 -Subject: [PATCH 2/2] add oval_affected jinja macro - ---- - .../ssh_server/sshd_allow_only_protocol2/oval/shared.xml | 9 +-------- - 1 file changed, 1 insertion(+), 8 deletions(-) - -diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_allow_only_protocol2/oval/shared.xml b/linux_os/guide/services/ssh/ssh_server/sshd_allow_only_protocol2/oval/shared.xml -index 948c40561c..e1a4ee4448 100644 ---- a/linux_os/guide/services/ssh/ssh_server/sshd_allow_only_protocol2/oval/shared.xml -+++ b/linux_os/guide/services/ssh/ssh_server/sshd_allow_only_protocol2/oval/shared.xml -@@ -2,14 +2,7 @@ - - - Ensure Only Protocol 2 Connections Allowed -- -- multi_platform_wrlinux -- multi_platform_rhel -- multi_platform_rhv -- multi_platform_debian -- multi_platform_ubuntu -- multi_platform_ol -- -+ {{{- oval_affected(products) }}} - The OpenSSH daemon should be running protocol 2. - - -Date: Tue, 17 Mar 2020 15:54:35 +0100 -Subject: [PATCH 1/2] Select rules for system file permissions - -And update references for these rules ---- - .../rule.yml | 3 +- - .../rule.yml | 3 +- - .../rule.yml | 3 +- - .../file_permissions_ungroupowned/rule.yml | 3 +- - .../files/no_files_unowned_by_user/rule.yml | 3 +- - .../file_groupowner_etc_group/rule.yml | 3 +- - .../file_groupowner_etc_gshadow/rule.yml | 3 +- - .../file_groupowner_etc_passwd/rule.yml | 3 +- - .../file_groupowner_etc_shadow/rule.yml | 3 +- - .../file_owner_etc_group/rule.yml | 3 +- - .../file_owner_etc_gshadow/rule.yml | 3 +- - .../file_owner_etc_passwd/rule.yml | 3 +- - .../file_owner_etc_shadow/rule.yml | 3 +- - .../file_permissions_etc_group/rule.yml | 3 +- - .../file_permissions_etc_gshadow/rule.yml | 3 +- - .../file_permissions_etc_passwd/rule.yml | 3 +- - .../file_permissions_etc_shadow/rule.yml | 3 +- - 18 files changed, 74 insertions(+), 18 deletions(-) - -diff --git a/linux_os/guide/system/permissions/files/file_permissions_unauthorized_sgid/rule.yml b/linux_os/guide/system/permissions/files/file_permissions_unauthorized_sgid/rule.yml -index 32c176d67f..fb00519f64 100644 ---- a/linux_os/guide/system/permissions/files/file_permissions_unauthorized_sgid/rule.yml -+++ b/linux_os/guide/system/permissions/files/file_permissions_unauthorized_sgid/rule.yml -@@ -31,7 +31,8 @@ identifiers: - - references: - anssi: NT28(R37),NT28(R38) -- cis: 6.1.14 -+ cis@rhel7: 6.1.14 -+ cis@rhel8: 6.1.14 - nist: CM-6(a),AC-6(1) - nist-csf: PR.AC-4,PR.DS-5 - isa-62443-2013: 'SR 2.1,SR 5.2' -diff --git a/linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/rule.yml b/linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/rule.yml -index ae5f1307ce..3c7898b912 100644 ---- a/linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/rule.yml -+++ b/linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/rule.yml -@@ -31,7 +31,8 @@ identifiers: - - references: - anssi: NT28(R37),NT28(R38) -- cis: 6.1.13 -+ cis@rhel7: 6.1.13 -+ cis@rhel8: 6.1.13 - nist: CM-6(a),AC-6(1) - nist-csf: PR.AC-4,PR.DS-5 - isa-62443-2013: 'SR 2.1,SR 5.2' -diff --git a/linux_os/guide/system/permissions/files/file_permissions_unauthorized_world_writable/rule.yml b/linux_os/guide/system/permissions/files/file_permissions_unauthorized_world_writable/rule.yml -index c70b7989c6..871da04b77 100644 ---- a/linux_os/guide/system/permissions/files/file_permissions_unauthorized_world_writable/rule.yml -+++ b/linux_os/guide/system/permissions/files/file_permissions_unauthorized_world_writable/rule.yml -@@ -28,7 +28,8 @@ identifiers: - references: - stigid@rhel6: "000282" - srg@rhel6: SRG-OS-999999 -- cis: 6.1.10 -+ cis@rhel7: 6.1.10 -+ cis@rhel8: 6.1.10 - nist: CM-6(a),AC-6(1) - nist-csf: PR.AC-4,PR.DS-5 - isa-62443-2013: 'SR 2.1,SR 5.2' -diff --git a/linux_os/guide/system/permissions/files/file_permissions_ungroupowned/rule.yml b/linux_os/guide/system/permissions/files/file_permissions_ungroupowned/rule.yml -index e51cd7e1ea..2fe8c27da3 100644 ---- a/linux_os/guide/system/permissions/files/file_permissions_ungroupowned/rule.yml -+++ b/linux_os/guide/system/permissions/files/file_permissions_ungroupowned/rule.yml -@@ -27,7 +27,8 @@ identifiers: - - references: - disa@rhel6: '224' -- cis: 6.1.12 -+ cis@rhel7: 6.1.12 -+ cis@rhel8: 6.1.12 - disa: "02165" - nist: CM-6(a),AC-6(1) - nist-csf: PR.AC-1,PR.AC-4,PR.AC-6,PR.AC-7,PR.DS-5,PR.PT-3 -diff --git a/linux_os/guide/system/permissions/files/no_files_unowned_by_user/rule.yml b/linux_os/guide/system/permissions/files/no_files_unowned_by_user/rule.yml -index f2fb1f2d20..a8bf12ff81 100644 ---- a/linux_os/guide/system/permissions/files/no_files_unowned_by_user/rule.yml -+++ b/linux_os/guide/system/permissions/files/no_files_unowned_by_user/rule.yml -@@ -27,7 +27,8 @@ identifiers: - - references: - disa@rhel6: '224' -- cis: 6.1.11 -+ cis@rhel7: 6.1.11 -+ cis@rhel8: 6.1.11 - disa: "002165" - nist: CM-6(a),AC-6(1) - nist-csf: PR.AC-4,PR.AC-6,PR.DS-5,PR.IP-1,PR.PT-3 -diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_etc_group/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_etc_group/rule.yml -index 5ffa26b0f2..53301cbbf5 100644 ---- a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_etc_group/rule.yml -+++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_etc_group/rule.yml -@@ -19,7 +19,8 @@ references: - stigid@rhel6: "000043" - srg@rhel6: SRG-OS-999999 - disa@rhel6: '225' -- cis: 6.1.4 -+ cis@rhel7: 6.1.4 -+ cis@rhel8: 6.1.4 - cjis: 5.5.2.2 - nist: CM-6(a),AC-6(1) - nist-csf: PR.AC-4,PR.DS-5 -diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_etc_gshadow/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_etc_gshadow/rule.yml -index 6c770216f1..c2e12377ef 100644 ---- a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_etc_gshadow/rule.yml -+++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_etc_gshadow/rule.yml -@@ -19,7 +19,8 @@ references: - stigid@rhel6: "000037" - srg@rhel6: SRG-OS-999999 - disa@rhel6: '225' -- cis: 6.1.5 -+ cis@rhel7: 6.1.5 -+ cis@rhel8: 6.1.5 - nist: CM-6(a),AC-6(1) - nist-csf: PR.AC-4,PR.DS-5 - isa-62443-2013: 'SR 2.1,SR 5.2' -diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_etc_passwd/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_etc_passwd/rule.yml -index ad9814e836..86e2e6c25c 100644 ---- a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_etc_passwd/rule.yml -+++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_etc_passwd/rule.yml -@@ -19,7 +19,8 @@ references: - stigid@rhel6: "000040" - srg@rhel6: SRG-OS-999999 - disa@rhel6: '225' -- cis: 6.1.2 -+ cis@rhel7: 6.1.2 -+ cis@rhel8: 6.1.2 - cjis: 5.5.2.2 - nist: CM-6(a),AC-6(1) - nist-csf: PR.AC-4,PR.DS-5 -diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_etc_shadow/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_etc_shadow/rule.yml -index 5147551c0f..d8a9d04142 100644 ---- a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_etc_shadow/rule.yml -+++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_etc_shadow/rule.yml -@@ -19,7 +19,8 @@ references: - stigid@rhel6: "000034" - srg@rhel6: SRG-OS-999999 - disa@rhel6: '225' -- cis: 6.1.3 -+ cis@rhel7: 6.1.3 -+ cis@rhel8: 6.1.3 - cjis: 5.5.2.2 - nist: CM-6(a),AC-6(1) - nist-csf: PR.AC-4,PR.DS-5 -diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_etc_group/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_etc_group/rule.yml -index 48cbe081be..ee0433c568 100644 ---- a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_etc_group/rule.yml -+++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_etc_group/rule.yml -@@ -18,7 +18,8 @@ identifiers: - references: - stigid@rhel6: "000042" - srg@rhel6: SRG-OS-999999 -- cis: 6.1.4 -+ cis@rhel7: 6.1.4 -+ cis@rhel8: 6.1.4 - cjis: 5.5.2.2 - nist: CM-6(a),AC-6(1) - nist-csf: PR.AC-4,PR.DS-5 -diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_etc_gshadow/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_etc_gshadow/rule.yml -index a1e65af70a..39f1b83381 100644 ---- a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_etc_gshadow/rule.yml -+++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_etc_gshadow/rule.yml -@@ -19,7 +19,8 @@ references: - stigid@rhel6: "000036" - srg@rhel6: SRG-OS-999999 - disa@rhel6: '366' -- cis: 6.1.5 -+ cis@rhel7: 6.1.5 -+ cis@rhel8: 6.1.5 - nist: CM-6(a),AC-6(1) - nist-csf: PR.AC-4,PR.DS-5 - isa-62443-2013: 'SR 2.1,SR 5.2' -diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_etc_passwd/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_etc_passwd/rule.yml -index 9b5048001e..e19de1bba2 100644 ---- a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_etc_passwd/rule.yml -+++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_etc_passwd/rule.yml -@@ -19,7 +19,8 @@ references: - stigid@rhel6: "000039" - srg@rhel6: SRG-OS-999999 - disa@rhel6: '225' -- cis: 6.1.2 -+ cis@rhel7: 6.1.2 -+ cis@rhel8: 6.1.2 - cjis: 5.5.2.2 - nist: CM-6(a),AC-6(1) - nist-csf: PR.AC-4,PR.DS-5 -diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_etc_shadow/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_etc_shadow/rule.yml -index cf8e6e4a3e..989cb11c62 100644 ---- a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_etc_shadow/rule.yml -+++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_etc_shadow/rule.yml -@@ -22,7 +22,8 @@ references: - stigid@rhel6: "000033" - srg@rhel6: SRG-OS-999999 - disa@rhel6: '225' -- cis: 6.1.3 -+ cis@rhel7: 6.1.3 -+ cis@rhel8: 6.1.3 - cjis: 5.5.2.2 - nist: CM-6(a),AC-6(1) - nist-csf: PR.AC-4,PR.DS-5 -diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_etc_group/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_etc_group/rule.yml -index 8e5f39a13e..38ff43d62c 100644 ---- a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_etc_group/rule.yml -+++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_etc_group/rule.yml -@@ -20,7 +20,8 @@ references: - stigid@rhel6: "000044" - srg@rhel6: SRG-OS-999999 - disa@rhel6: '225' -- cis: 6.1.4 -+ cis@rhel7: 6.1.4 -+ cis@rhel8: 6.1.4 - cjis: 5.5.2.2 - nist: CM-6(a),AC-6(1) - nist-csf: PR.AC-4,PR.DS-5 -diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_etc_gshadow/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_etc_gshadow/rule.yml -index c8d8c8a73c..d1ed4475fb 100644 ---- a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_etc_gshadow/rule.yml -+++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_etc_gshadow/rule.yml -@@ -21,7 +21,8 @@ references: - stigid@rhel6: "000038" - srg@rhel6: SRG-OS-999999 - disa@rhel6: '225' -- cis: 6.1.5 -+ cis@rhel7: 6.1.5 -+ cis@rhel8: 6.1.5 - nist: CM-6(a),AC-6(1) - nist-csf: PR.AC-4,PR.DS-5 - isa-62443-2013: 'SR 2.1,SR 5.2' -diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_etc_passwd/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_etc_passwd/rule.yml -index d72b5277f1..ac48885925 100644 ---- a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_etc_passwd/rule.yml -+++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_etc_passwd/rule.yml -@@ -22,7 +22,8 @@ references: - stigid@rhel6: "000041" - srg@rhel6: SRG-OS-999999 - disa@rhel6: '225' -- cis: 6.1.2 -+ cis@rhel7: 6.1.2 -+ cis@rhel8: 6.1.2 - cjis: 5.5.2.2 - nist: CM-6(a),AC-6(1) - nist-csf: PR.AC-4,PR.DS-5 -diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_etc_shadow/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_etc_shadow/rule.yml -index 7ec0b092f5..61f4fb6cce 100644 ---- a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_etc_shadow/rule.yml -+++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_etc_shadow/rule.yml -@@ -24,7 +24,8 @@ references: - stigid@rhel6: "000035" - srg@rhel6: SRG-OS-999999 - disa@rhel6: '225' -- cis: 6.1.3 -+ cis@rhel7: 6.1.3 -+ cis@rhel8: 6.1.3 - cjis: 5.5.2.2 - nist: CM-6(a),AC-6(1) - nist-csf: PR.AC-4,PR.DS-5 - -From b7f33f79e59d58cf6181e8fdb7879f40f54bb63a Mon Sep 17 00:00:00 2001 -From: Watson Sato -Date: Tue, 17 Mar 2020 15:56:17 +0100 -Subject: [PATCH 2/2] Update references for rpm_verification rules - -These rule checks whether permission and ownership of all installed -files are according to what the vendor (package provider) expects. - -These rules can contribute to the for specific permissions and -ownerships of specific files, granted the package is aligned with the -rules. ---- - .../rpm_verification/rpm_verify_ownership/rule.yml | 3 ++- - .../rpm_verification/rpm_verify_permissions/rule.yml | 4 +++- - 2 files changed, 5 insertions(+), 2 deletions(-) - -diff --git a/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_ownership/rule.yml b/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_ownership/rule.yml -index 6c3c857442..1503836f75 100644 ---- a/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_ownership/rule.yml -+++ b/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_ownership/rule.yml -@@ -35,7 +35,8 @@ references: - nist-csf@rhel6: PR.DS-6,PR.DS-8 - srg@rhel6: SRG-OS-000257,SRG-OS-000258 - stigid@rhel6: "000279" -- cis: 1.2.6,6.1.3,6.1.4,6.1.5,6.1.6,6.1.7,6.1.8,6.1.9,6.2.3 -+ cis@rhel7: 1.7.1.4,1.7.1.5,1.7.1.6,6.1.1,6.1.2,6.1.3,6.1.4,6.1.5,6.1.6,6.1.7,6.1.8,6.1.9 -+ cis@rhel8: 1.8.1.4,1.8.1.5,1.8.1.6,6.1.1,6.1.2,6.1.3,6.1.4,6.1.5,6.1.6,6.1.7,6.1.8,6.1.9 - cjis: 5.10.4.1 - cui: 3.3.8,3.4.1 - disa: 1494,1496 -diff --git a/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_permissions/rule.yml b/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_permissions/rule.yml -index d6cc546921..1b3dd500b3 100644 ---- a/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_permissions/rule.yml -+++ b/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_permissions/rule.yml -@@ -41,7 +41,9 @@ references: - nist-csf@rhel6: PR.DS-6,PR.IP-8 - srg@rhel6: SRG-OS-999999,SRG-OS-000256 - stigid@rhel6: "000518" -- cis: 1.2.6,6.1.3,6.1.4,6.1.5,6.1.6,6.1.7,6.1.8,6.1.9,6.2.3 -+ cis@rhel7: 1.7.1.4,1.7.1.5,1.7.1.6,6.1.1,6.1.2,6.1.3,6.1.4,6.1.5,6.1.6,6.1.7,6.1.8,6.1.9 -+ cis@rhel8: 1.8.1.4,1.8.1.5,1.8.1.6,6.1.1,6.1.2,6.1.3,6.1.4,6.1.5,6.1.6,6.1.7,6.1.8,6.1.9 -+ - cjis: 5.10.4.1 - cui: 3.3.8,3.4.1 - disa: 1494,1496 diff --git a/SOURCES/scap-security-guide-0.1.50-update_cis_profile_PR_5349.patch b/SOURCES/scap-security-guide-0.1.50-update_cis_profile_PR_5349.patch deleted file mode 100644 index d830eb0..0000000 --- a/SOURCES/scap-security-guide-0.1.50-update_cis_profile_PR_5349.patch +++ /dev/null @@ -1,94 +0,0 @@ -From c06a414187f3792413bfc86366e1578d2d22275d Mon Sep 17 00:00:00 2001 -From: Watson Sato -Date: Wed, 25 Mar 2020 09:48:24 +0100 -Subject: [PATCH 1/3] Select newly developed rules in rhel7 CIS - ---- - rhel7/profiles/cis.profile | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/rhel7/profiles/cis.profile b/rhel7/profiles/cis.profile -index affcf70ce2..06f0a8e3dd 100644 ---- a/rhel7/profiles/cis.profile -+++ b/rhel7/profiles/cis.profile -@@ -300,6 +300,7 @@ selections: - - package_telnet_removed - - ### 2.3.5 Ensure LDAP client is not installed (Scored) -+ - package_openldap-clients_removed - - # 3 Network Configuration - ## 3.1 Network Parameters (Host Only) - -From ec2add9b21d7555134d736a57d729ffa1a537cff Mon Sep 17 00:00:00 2001 -From: Watson Sato -Date: Wed, 25 Mar 2020 09:51:14 +0100 -Subject: [PATCH 2/3] Select rule to disable wireless interfaces - -Inspired by rhel8 benchmark. -Updated references as well. ---- - .../wireless_software/wireless_disable_interfaces/rule.yml | 1 + - rhel7/profiles/cis.profile | 1 + - 2 files changed, 2 insertions(+) - -diff --git a/linux_os/guide/system/network/network-wireless/wireless_software/wireless_disable_interfaces/rule.yml b/linux_os/guide/system/network/network-wireless/wireless_software/wireless_disable_interfaces/rule.yml -index 76d94fe8f1..f364fbdce6 100644 ---- a/linux_os/guide/system/network/network-wireless/wireless_software/wireless_disable_interfaces/rule.yml -+++ b/linux_os/guide/system/network/network-wireless/wireless_software/wireless_disable_interfaces/rule.yml -@@ -31,7 +31,8 @@ identifiers: - references: - stigid@rhel6: "000293" - stigid@rhel7: "041010" -- cis: 4.3.1 -+ cis@rhel7: "3.7" -+ cis@rhel8: "3.5" - cui: 3.1.16 - disa: 85,2418 - nist: AC-18(a),AC-18(3),CM-7(a),CM-7(b),CM-6(a),MP-7 -diff --git a/rhel7/profiles/cis.profile b/rhel7/profiles/cis.profile -index 06f0a8e3dd..d34d617579 100644 ---- a/rhel7/profiles/cis.profile -+++ b/rhel7/profiles/cis.profile -@@ -393,6 +393,7 @@ selections: - ### 3.6.4 Ensure outbound and established connections are configured (Not Scored) - ### 3.6.5 Ensure firewall rules exist for all open ports (Scored) - ## 3.7 Ensure wireless interfaces are disabled (Not Scored) -+ - wireless_disable_interfaces - - # 4 Logging and Auditing - ## 4.1 Configure System Accounting (auditd) - -From 76f98f39cf9f90009c30e09d9c995402a5b46847 Mon Sep 17 00:00:00 2001 -From: Watson Sato -Date: Wed, 25 Mar 2020 10:52:58 +0100 -Subject: [PATCH 3/3] Comment out not applicable requirements - ---- - rhel7/profiles/cis.profile | 6 ++++-- - 1 file changed, 4 insertions(+), 2 deletions(-) - -diff --git a/rhel7/profiles/cis.profile b/rhel7/profiles/cis.profile -index d34d617579..76506c9369 100644 ---- a/rhel7/profiles/cis.profile -+++ b/rhel7/profiles/cis.profile -@@ -216,8 +216,8 @@ selections: - - package_chrony_installed - - #### 2.2.1.2 Ensure ntp is configured (Scored) -- # restrict is not checkec by rules below -- - chronyd_or_ntpd_specify_remote_server -+ # This requirement is not applicable -+ # This profile opts to use chrony rather than ntp - - #### 2.2.1.3 Ensure chrony is configured (Scored) - - service_chronyd_enabled -@@ -517,6 +517,8 @@ selections: - #### 4.2.2.3 Ensure syslog-ng default file permissions configured (Scored) - #### 4.2.2.4 Ensure syslog-ng is configured to send logs to a remote log host (Not Scored) - #### 4.2.2.5 Ensure remote syslog-ng messages are only accepted on designated log hosts (Not Scored) -+ # Whole section 4.2.2.X is not applicable -+ # This profile opts to use rsyslog rather than syslog-ng - - ### 4.2.3 Ensure rsyslog or syslog-ng is installed (Scored) - - package_rsyslog_installed diff --git a/SOURCES/scap-security-guide-0.1.50-update_sshd_disable_x11_forwarding_PR_5610.patch b/SOURCES/scap-security-guide-0.1.50-update_sshd_disable_x11_forwarding_PR_5610.patch deleted file mode 100644 index 3027eaf..0000000 --- a/SOURCES/scap-security-guide-0.1.50-update_sshd_disable_x11_forwarding_PR_5610.patch +++ /dev/null @@ -1,60 +0,0 @@ -From 9931560aa3bca34cc1a5231b370dc86618ba6d9b Mon Sep 17 00:00:00 2001 -From: Gabriel Becker -Date: Thu, 16 Apr 2020 14:04:40 +0200 -Subject: [PATCH 1/2] Add CCE identifiers to sshd_disable_x11_forwarding. - ---- - .../ssh/ssh_server/sshd_disable_x11_forwarding/rule.yml | 3 +++ - shared/references/cce-redhat-avail.txt | 2 -- - 2 files changed, 3 insertions(+), 2 deletions(-) - -diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/rule.yml -index 09dd808e99..91297a03b9 100644 ---- a/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/rule.yml -+++ b/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/rule.yml -@@ -26,6 +26,9 @@ ocil_clause: "that the X11Forwarding option exists and is enabled" - ocil: |- - {{{ ocil_sshd_option(default="no", option="X11Forwarding", value="no") }}} - -+identifiers: -+ cce@rhel7: 83359-0 -+ cce@rhel8: 83360-8 - - references: - cis@rhel7: 5.2.5 -diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt -index c10448ff8d..cbba06db56 100644 ---- a/shared/references/cce-redhat-avail.txt -+++ b/shared/references/cce-redhat-avail.txt -@@ -50,8 +50,6 @@ CCE-83355-8 - CCE-83356-6 - CCE-83357-4 - CCE-83358-2 --CCE-83359-0 --CCE-83360-8 - CCE-83361-6 - CCE-83362-4 - CCE-83363-2 - -From 176d03b11b60c0ae41ace2e95e4bb2688f5ac429 Mon Sep 17 00:00:00 2001 -From: Gabriel Becker -Date: Thu, 16 Apr 2020 14:05:26 +0200 -Subject: [PATCH 2/2] Correct CIS reference number for RHEL7. - ---- - .../ssh/ssh_server/sshd_disable_x11_forwarding/rule.yml | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/rule.yml -index 91297a03b9..23cb0a07f8 100644 ---- a/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/rule.yml -+++ b/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/rule.yml -@@ -31,7 +31,7 @@ identifiers: - cce@rhel8: 83360-8 - - references: -- cis@rhel7: 5.2.5 -+ cis@rhel7: 5.2.4 - cis@rhel8: 5.2.6 - cis@sle12: 5.2.4 - cis@sle15: 5.2.6 diff --git a/SOURCES/scap-security-guide-0.1.50-warn_nonlocal_users_groups.patch b/SOURCES/scap-security-guide-0.1.50-warn_nonlocal_users_groups.patch deleted file mode 100644 index bb43508..0000000 --- a/SOURCES/scap-security-guide-0.1.50-warn_nonlocal_users_groups.patch +++ /dev/null @@ -1,37 +0,0 @@ -From 4fc0688db8f97d1ee10bfd5162764ffef57356c9 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= -Date: Wed, 22 Apr 2020 16:58:12 +0200 -Subject: [PATCH] Added a warning to rules about only local user backends being - considered. - ---- - .../permissions/files/file_permissions_ungroupowned/rule.yml | 5 +++++ - .../permissions/files/no_files_unowned_by_user/rule.yml | 5 +++++ - 2 files changed, 10 insertions(+) - -diff --git a/linux_os/guide/system/permissions/files/file_permissions_ungroupowned/rule.yml b/linux_os/guide/system/permissions/files/file_permissions_ungroupowned/rule.yml -index dba303d0ed..e99d035831 100644 ---- a/linux_os/guide/system/permissions/files/file_permissions_ungroupowned/rule.yml -+++ b/linux_os/guide/system/permissions/files/file_permissions_ungroupowned/rule.yml -@@ -53,3 +53,8 @@ ocil: |- - Either remove all files and directories from the system that do not have a valid group, - or assign a valid group with the chgrp command: -
$ sudo chgrp group file
-+ -+warnings: -+ - general: |- -+ This rule only considers local groups. -+ If you have your groups defined outside /etc/group, the rule won't consider those. -diff --git a/linux_os/guide/system/permissions/files/no_files_unowned_by_user/rule.yml b/linux_os/guide/system/permissions/files/no_files_unowned_by_user/rule.yml -index 7cd9b787a4..72bf327519 100644 ---- a/linux_os/guide/system/permissions/files/no_files_unowned_by_user/rule.yml -+++ b/linux_os/guide/system/permissions/files/no_files_unowned_by_user/rule.yml -@@ -54,3 +54,8 @@ ocil: |- - valid user, or assign a valid user to all unowned files and directories on - the system with the chown command: -
$ sudo chown user file
-+ -+warnings: -+ - general: |- -+ This rule only considers local users. -+ If you have your users defined outside /etc/passwd, the rule won't consider those. diff --git a/SOURCES/scap-security-guide-0.1.51-add_ansible_system_shutdown_PR_5761.patch b/SOURCES/scap-security-guide-0.1.51-add_ansible_system_shutdown_PR_5761.patch deleted file mode 100644 index ff529ca..0000000 --- a/SOURCES/scap-security-guide-0.1.51-add_ansible_system_shutdown_PR_5761.patch +++ /dev/null @@ -1,147 +0,0 @@ -From 2f6ceca58e64ab6c362afef629ac6ac235b0abe9 Mon Sep 17 00:00:00 2001 -From: Watson Sato -Date: Fri, 15 May 2020 11:52:35 +0200 -Subject: [PATCH 1/4] audit_rules_system_shutdown: Don't remove unrelated line - -Very likey a copy-pasta error from bash remediation for -audit_rules_immutable ---- - .../audit_rules_system_shutdown/bash/shared.sh | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/bash/shared.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/bash/shared.sh -index 1c9748ce9b..b56513cdcd 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/bash/shared.sh -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/bash/shared.sh -@@ -8,7 +8,7 @@ - # files to check if '-f .*' setting is present in that '*.rules' file already. - # If found, delete such occurrence since auditctl(8) manual page instructs the - # '-f 2' rule should be placed as the last rule in the configuration --find /etc/audit /etc/audit/rules.d -maxdepth 1 -type f -name '*.rules' -exec sed -i '/-e[[:space:]]\+.*/d' {} ';' -+find /etc/audit /etc/audit/rules.d -maxdepth 1 -type f -name '*.rules' -exec sed -i '/-f[[:space:]]\+.*/d' {} ';' - - # Append '-f 2' requirement at the end of both: - # * /etc/audit/audit.rules file (for auditctl case) - -From 189aed2c79620940438fc025a3cb9919cd8ee80a Mon Sep 17 00:00:00 2001 -From: Watson Sato -Date: Fri, 15 May 2020 12:12:21 +0200 -Subject: [PATCH 2/4] Add Ansible for audit_rules_system_shutdown - -Along with very basic test scenarios ---- - .../ansible/shared.yml | 28 +++++++++++++++++++ - .../tests/augen_correct.pass.sh | 4 +++ - .../tests/augen_e_2_immutable.fail.sh | 3 ++ - 3 files changed, 35 insertions(+) - create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/ansible/shared.yml - create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/tests/augen_correct.pass.sh - create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/tests/augen_e_2_immutable.fail.sh - -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/ansible/shared.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/ansible/shared.yml -new file mode 100644 -index 0000000000..b9e8fa87fa ---- /dev/null -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/ansible/shared.yml -@@ -0,0 +1,28 @@ -+# platform = multi_platform_all -+# reboot = true -+# strategy = restrict -+# complexity = low -+# disruption = low -+ -+- name: Collect all files from /etc/audit/rules.d with .rules extension -+ find: -+ paths: "/etc/audit/rules.d/" -+ patterns: "*.rules" -+ register: find_rules_d -+ -+- name: Remove the -f option from all Audit config files -+ lineinfile: -+ path: "{{ item }}" -+ regexp: '^\s*(?:-f)\s+.*$' -+ state: absent -+ loop: "{{ find_rules_d.files | map(attribute='path') | list + ['/etc/audit/audit.rules'] }}" -+ -+- name: Add Audit -f option into /etc/audit/rules.d/immutable.rules and /etc/audit/audit.rules -+ lineinfile: -+ path: "{{ item }}" -+ create: True -+ line: "-f 2" -+ loop: -+ - "/etc/audit/audit.rules" -+ - "/etc/audit/rules.d/immutable.rules" -+ -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/tests/augen_correct.pass.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/tests/augen_correct.pass.sh -new file mode 100644 -index 0000000000..0587b937e0 ---- /dev/null -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/tests/augen_correct.pass.sh -@@ -0,0 +1,4 @@ -+#!/bin/bash -+ -+echo "-e 2" > /etc/audit/rules.d/immutable.rules -+echo "-f 2" >> /etc/audit/rules.d/immutable.rules -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/tests/augen_e_2_immutable.fail.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/tests/augen_e_2_immutable.fail.sh -new file mode 100644 -index 0000000000..fa5b7231df ---- /dev/null -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/tests/augen_e_2_immutable.fail.sh -@@ -0,0 +1,3 @@ -+#!/bin/bash -+ -+echo "-e 2" > /etc/audit/rules.d/immutable.rules - -From d693af1e00521d85b5745001aa13860bdac16632 Mon Sep 17 00:00:00 2001 -From: Watson Sato -Date: Fri, 15 May 2020 14:06:08 +0200 -Subject: [PATCH 3/4] Clarify audit_rules_immutable Ansible task name - ---- - .../audit_rules_immutable/ansible/shared.yml | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_immutable/ansible/shared.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_immutable/ansible/shared.yml -index 5ac7b3dabb..1cafb744cc 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_immutable/ansible/shared.yml -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_immutable/ansible/shared.yml -@@ -17,7 +17,7 @@ - state: absent - loop: "{{ find_rules_d.files | map(attribute='path') | list + ['/etc/audit/audit.rules'] }}" - --- name: Insert configuration into /etc/audit/rules.d/immutable.rules and /etc/audit/audit.rules -+- name: Add Audit -e option into /etc/audit/rules.d/immutable.rules and /etc/audit/audit.rules - lineinfile: - path: "{{ item }}" - create: True - -From 92d38c1968059e53e3ab20f46f5ce0885a989aee Mon Sep 17 00:00:00 2001 -From: Watson Sato -Date: Tue, 19 May 2020 11:02:56 +0200 -Subject: [PATCH 4/4] Remove misleading comments in system shutdown fix - ---- - .../audit_rules_system_shutdown/bash/shared.sh | 8 -------- - 1 file changed, 8 deletions(-) - -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/bash/shared.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/bash/shared.sh -index b56513cdcd..a349bb1ca1 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/bash/shared.sh -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/bash/shared.sh -@@ -4,16 +4,8 @@ - # - # /etc/audit/audit.rules, (for auditctl case) - # /etc/audit/rules.d/*.rules (for augenrules case) --# --# files to check if '-f .*' setting is present in that '*.rules' file already. --# If found, delete such occurrence since auditctl(8) manual page instructs the --# '-f 2' rule should be placed as the last rule in the configuration - find /etc/audit /etc/audit/rules.d -maxdepth 1 -type f -name '*.rules' -exec sed -i '/-f[[:space:]]\+.*/d' {} ';' - --# Append '-f 2' requirement at the end of both: --# * /etc/audit/audit.rules file (for auditctl case) --# * /etc/audit/rules.d/immutable.rules (for augenrules case) -- - for AUDIT_FILE in "/etc/audit/audit.rules" "/etc/audit/rules.d/immutable.rules" - do - echo '' >> $AUDIT_FILE diff --git a/SOURCES/scap-security-guide-0.1.51-add_cis_attributions_PR_5779.patch b/SOURCES/scap-security-guide-0.1.51-add_cis_attributions_PR_5779.patch deleted file mode 100644 index ec364a5..0000000 --- a/SOURCES/scap-security-guide-0.1.51-add_cis_attributions_PR_5779.patch +++ /dev/null @@ -1,29 +0,0 @@ -From 0cf31f2a9741533b98cc143ca35f589a712bd6a6 Mon Sep 17 00:00:00 2001 -From: Watson Sato -Date: Thu, 21 May 2020 18:16:43 +0200 -Subject: [PATCH] Attribute content to CIS - -And update the description a bit. ---- - rhel7/profiles/cis.profile | 8 +++++--- - 2 files changed, 10 insertions(+), 6 deletions(-) - -diff --git a/rhel7/profiles/cis.profile b/rhel7/profiles/cis.profile -index 0826a49547..829c388133 100644 ---- a/rhel7/profiles/cis.profile -+++ b/rhel7/profiles/cis.profile -@@ -3,9 +3,11 @@ documentation_complete: true - title: 'CIS Red Hat Enterprise Linux 7 Benchmark' - - description: |- -- This baseline aligns to the Center for Internet Security -- Red Hat Enterprise Linux 7 Benchmark, v2.2.0, released -- 12-27-2017. -+ This profile defines a baseline that aligns to the Center for Internet Security® -+ Red Hat Enterprise Linux 7 Benchmark™, v2.2.0, released 12-27-2017. -+ -+ This profile includes Center for Internet Security® -+ Red Hat Enterprise Linux 7 CIS Benchmarks™ content. - - selections: - # Necessary for dconf rules diff --git a/SOURCES/scap-security-guide-0.1.51-add_hipaa_kickstarts_PR_5783.patch b/SOURCES/scap-security-guide-0.1.51-add_hipaa_kickstarts_PR_5783.patch deleted file mode 100644 index 620c19d..0000000 --- a/SOURCES/scap-security-guide-0.1.51-add_hipaa_kickstarts_PR_5783.patch +++ /dev/null @@ -1,141 +0,0 @@ -From b23fc7fe3244128940f7b1f79ad4cde13d7b62eb Mon Sep 17 00:00:00 2001 -From: Vojtech Polasek -Date: Mon, 25 May 2020 12:17:48 +0200 -Subject: [PATCH] add hipaa kickstarts for rhel7 and rhel8 - ---- - rhel7/kickstart/ssg-rhel7-hipaa-ks.cfg | 125 +++++++++++++++++++++++++ - 2 files changed, 250 insertions(+) - create mode 100644 rhel7/kickstart/ssg-rhel7-hipaa-ks.cfg - -diff --git a/rhel7/kickstart/ssg-rhel7-hipaa-ks.cfg b/rhel7/kickstart/ssg-rhel7-hipaa-ks.cfg -new file mode 100644 -index 0000000000..14c82c4231 ---- /dev/null -+++ b/rhel7/kickstart/ssg-rhel7-hipaa-ks.cfg -@@ -0,0 +1,125 @@ -+# SCAP Security Guide HIPAA profile kickstart for Red Hat Enterprise Linux 7 Server -+# Version: 0.0.1 -+# Date: 2020-05-25 -+# -+# Based on: -+# http://fedoraproject.org/wiki/Anaconda/Kickstart -+# https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Installation_Guide/sect-kickstart-syntax.html -+ -+# Install a fresh new system (optional) -+install -+ -+# Specify installation method to use for installation -+# To use a different one comment out the 'url' one below, update -+# the selected choice with proper options & un-comment it -+# -+# Install from an installation tree on a remote server via FTP or HTTP: -+# --url the URL to install from -+# -+# Example: -+# -+# url --url=http://192.168.122.1/image -+# -+# Modify concrete URL in the above example appropriately to reflect the actual -+# environment machine is to be installed in -+# -+# Other possible / supported installation methods: -+# * install from the first CD-ROM/DVD drive on the system: -+# -+# cdrom -+# -+# * install from a directory of ISO images on a local drive: -+# -+# harddrive --partition=hdb2 --dir=/tmp/install-tree -+# -+# * install from provided NFS server: -+# -+# nfs --server= --dir= [--opts=] -+# -+ -+# Set language to use during installation and the default language to use on the installed system (required) -+lang en_US.UTF-8 -+ -+# Set system keyboard type / layout (required) -+keyboard us -+ -+# Configure network information for target system and activate network devices in the installer environment (optional) -+# --onboot enable device at a boot time -+# --device device to be activated and / or configured with the network command -+# --bootproto method to obtain networking configuration for device (default dhcp) -+# --noipv6 disable IPv6 on this device -+# -+# NOTE: Usage of DHCP will fail CCE-27021-5 (DISA FSO RHEL-06-000292). To use static IP configuration, -+# "--bootproto=static" must be used. For example: -+# network --bootproto=static --ip=10.0.2.15 --netmask=255.255.255.0 --gateway=10.0.2.254 --nameserver 192.168.2.1,192.168.3.1 -+# -+network --onboot yes --device eth0 --bootproto dhcp --noipv6 -+ -+# Set the system's root password (required) -+# Plaintext password is: server -+# Refer to e.g. http://fedoraproject.org/wiki/Anaconda/Kickstart#rootpw to see how to create -+# encrypted password form for different plaintext password -+rootpw --iscrypted $6$rhel6usgcb$aS6oPGXcPKp3OtFArSrhRwu6sN8q2.yEGY7AIwDOQd23YCtiz9c5mXbid1BzX9bmXTEZi.hCzTEXFosVBI5ng0 -+ -+# The selected profile will restrict root login -+# Add a user that can login and escalate privileges -+# Plaintext password is: admin123 -+user --name=admin --groups=wheel --password=$6$Ga6ZnIlytrWpuCzO$q0LqT1USHpahzUafQM9jyHCY9BiE5/ahXLNWUMiVQnFGblu0WWGZ1e6icTaCGO4GNgZNtspp1Let/qpM7FMVB0 --iscrypted -+ -+# Configure firewall settings for the system (optional) -+# --enabled reject incoming connections that are not in response to outbound requests -+# --ssh allow sshd service through the firewall -+firewall --enabled --ssh -+ -+# Set up the authentication options for the system (required) -+# --enableshadow enable shadowed passwords by default -+# --passalgo hash / crypt algorithm for new passwords -+# See the manual page for authconfig for a complete list of possible options. -+authconfig --enableshadow --passalgo=sha512 -+ -+# State of SELinux on the installed system (optional) -+# Defaults to enforcing -+selinux --enforcing -+ -+# Set the system time zone (required) -+timezone --utc America/New_York -+ -+# Specify how the bootloader should be installed (required) -+# Plaintext password is: password -+# Refer to e.g. http://fedoraproject.org/wiki/Anaconda/Kickstart#rootpw to see how to create -+# encrypted password form for different plaintext password -+bootloader --location=mbr --append="crashkernel=auto rhgb quiet" --password=$6$rhel6usgcb$kOzIfC4zLbuo3ECp1er99NRYikN419wxYMmons8Vm/37Qtg0T8aB9dKxHwqapz8wWAFuVkuI/UJqQBU92bA5C0 -+ -+# Initialize (format) all disks (optional) -+zerombr -+ -+# The following partition layout scheme assumes disk of size 20GB or larger -+# Modify size of partitions appropriately to reflect actual machine's hardware -+# -+# Remove Linux partitions from the system prior to creating new ones (optional) -+# --linux erase all Linux partitions -+# --initlabel initialize the disk label to the default based on the underlying architecture -+clearpart --linux --initlabel -+ -+# Create primary system partitions (required for installs) -+autopart -+ -+# Harden installation with HIPAA profile -+# For more details and configuration options see command %addon org_fedora_oscap in -+# https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/installation_guide/sect-kickstart-syntax#sect-kickstart-commands -+%addon org_fedora_oscap -+ content-type = scap-security-guide -+ profile = xccdf_org.ssgproject.content_profile_hipaa -+%end -+ -+# Packages selection (%packages section is required) -+%packages -+ -+# Require @Base -+@Base -+ -+%end # End of %packages section -+ -+# Reboot after the installation is complete (optional) -+# --eject attempt to eject CD or DVD media before rebooting -+reboot --eject diff --git a/SOURCES/scap-security-guide-0.1.51-fix_ansible_template_mount_options_PR_5765.patch b/SOURCES/scap-security-guide-0.1.51-fix_ansible_template_mount_options_PR_5765.patch deleted file mode 100644 index 1e028b7..0000000 --- a/SOURCES/scap-security-guide-0.1.51-fix_ansible_template_mount_options_PR_5765.patch +++ /dev/null @@ -1,40 +0,0 @@ -From 254cb60e722539032c6ea73616d6ab51eb1d4edf Mon Sep 17 00:00:00 2001 -From: Watson Sato -Date: Fri, 15 May 2020 23:36:18 +0200 -Subject: [PATCH] Ansible mount_option: split mount and option task - -Separate task that adds mount options mounts the mountpoint into two tasks. -Conditioning the "mount" task on the absence of the target mount option -caused the task to always be skipped when mount option was alredy present, -and could result in the mount point not being mounted. ---- - shared/templates/template_ANSIBLE_mount_option | 11 ++++++++--- - 1 file changed, 8 insertions(+), 3 deletions(-) - -diff --git a/shared/templates/template_ANSIBLE_mount_option b/shared/templates/template_ANSIBLE_mount_option -index 95bede25f9..a0cf8d6b7a 100644 ---- a/shared/templates/template_ANSIBLE_mount_option -+++ b/shared/templates/template_ANSIBLE_mount_option -@@ -26,14 +26,19 @@ - - device_name.stdout is defined and device_name.stdout_lines is defined - - (device_name.stdout | length > 0) - --- name: Ensure permission {{{ MOUNTOPTION }}} are set on {{{ MOUNTPOINT }}} -+- name: Make sure {{{ MOUNTOPTION }}} option is part of the to {{{ MOUNTPOINT }}} options -+ set_fact: -+ mount_info: "{{ mount_info | combine( {'options':''~mount_info.options~',{{{ MOUNTOPTION }}}' }) }}" -+ when: -+ - mount_info is defined and "{{{ MOUNTOPTION }}}" not in mount_info.options -+ -+- name: Ensure {{{ MOUNTPOINT }}} is mounted with {{{ MOUNTOPTION }}} option - mount: - path: "{{{ MOUNTPOINT }}}" - src: "{{ mount_info.source }}" -- opts: "{{ mount_info.options }},{{{ MOUNTOPTION }}}" -+ opts: "{{ mount_info.options }}" - state: "mounted" - fstype: "{{ mount_info.fstype }}" - when: -- - mount_info is defined and "{{{ MOUNTOPTION }}}" not in mount_info.options - - device_name.stdout is defined - - (device_name.stdout | length > 0) diff --git a/SOURCES/scap-security-guide-0.1.51-fix_rpm_verify_permissions_conflict_PR_5770.patch b/SOURCES/scap-security-guide-0.1.51-fix_rpm_verify_permissions_conflict_PR_5770.patch deleted file mode 100644 index 47b9cdb..0000000 --- a/SOURCES/scap-security-guide-0.1.51-fix_rpm_verify_permissions_conflict_PR_5770.patch +++ /dev/null @@ -1,33 +0,0 @@ -From bb039a92b4286c9090c0f40c82aefb967be2f5ba Mon Sep 17 00:00:00 2001 -From: Vojtech Polasek -Date: Thu, 14 May 2020 16:46:07 +0200 -Subject: [PATCH] reorder groups because of permissions verification - ---- - ssg/build_yaml.py | 6 ++++++ - 1 file changed, 6 insertions(+) - -diff --git a/ssg/build_yaml.py b/ssg/build_yaml.py -index e3e138283c..c9f3179c08 100644 ---- a/ssg/build_yaml.py -+++ b/ssg/build_yaml.py -@@ -700,6 +700,11 @@ def to_xml_element(self): - # audit_rules_privileged_commands, othervise the rule - # does not catch newly installed screeen binary during remediation - # and report fail -+ # the software group should come before the -+ # bootloader-grub2 group because of conflict between -+ # rules rpm_verify_permissions and file_permissions_grub2_cfg -+ # specific rules concerning permissions should -+ # be applied after the general rpm_verify_permissions - # The FIPS group should come before Crypto - if we want to set a different (stricter) Crypto Policy than FIPS. - # the firewalld_activation must come before ruleset_modifications, othervise - # remediations for ruleset_modifications won't work -@@ -707,6 +712,7 @@ def to_xml_element(self): - # otherwise the remediation prints error although it is successful - priority_order = [ - "accounts", "auditing", -+ "software", "bootloader-grub2", - "fips", "crypto", - "firewalld_activation", "ruleset_modifications", - "disabling_ipv6", "configuring_ipv6" diff --git a/SOURCES/scap-security-guide-0.1.53-add_ocil_rsyslog_nolisten-PR_6074.patch b/SOURCES/scap-security-guide-0.1.53-add_ocil_rsyslog_nolisten-PR_6074.patch new file mode 100644 index 0000000..3b9e02a --- /dev/null +++ b/SOURCES/scap-security-guide-0.1.53-add_ocil_rsyslog_nolisten-PR_6074.patch @@ -0,0 +1,57 @@ +From b38f6629ee59b6531d8c4be1cb31e83b5dfde54c Mon Sep 17 00:00:00 2001 +From: Vojtech Polasek +Date: Fri, 11 Sep 2020 15:51:24 +0200 +Subject: [PATCH 1/2] add ocil + +--- + .../rsyslog_nolisten/rule.yml | 13 +++++++++++++ + 1 file changed, 13 insertions(+) + +diff --git a/linux_os/guide/system/logging/rsyslog_accepting_remote_messages/rsyslog_nolisten/rule.yml b/linux_os/guide/system/logging/rsyslog_accepting_remote_messages/rsyslog_nolisten/rule.yml +index 6785ebcc86..6a3495f80e 100644 +--- a/linux_os/guide/system/logging/rsyslog_accepting_remote_messages/rsyslog_nolisten/rule.yml ++++ b/linux_os/guide/system/logging/rsyslog_accepting_remote_messages/rsyslog_nolisten/rule.yml +@@ -41,3 +41,16 @@ references: + cis-csc: 1,11,12,13,14,15,16,18,3,4,5,6,8,9 + stigid@rhel7: RHEL-07-031010 + cis@rhel8: 4.2.1.6 ++ ++ocil_clause: "rsyslog accepts remote messages" ++ ++ocil: |- ++ Display the contents of the configuration file: ++
cat /etc/rsyslog.conf
++ Make sure that following lines are not present in the configuration: ++
$ModLoad imtcp
++    $InputTCPServerRun port
++    $ModLoad imudp
++    $UDPServerRun port
++    $ModLoad imrelp
++    $InputRELPServerRun port
+ +From 6959ddb2dbc12d4fa2ff7f6ee9e71820d5dde0f8 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= +Date: Wed, 16 Sep 2020 11:58:21 +0200 +Subject: [PATCH 2/2] Fix text according to review feedback +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Co-authored-by: Jan Černý +--- + .../rsyslog_accepting_remote_messages/rsyslog_nolisten/rule.yml | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/linux_os/guide/system/logging/rsyslog_accepting_remote_messages/rsyslog_nolisten/rule.yml b/linux_os/guide/system/logging/rsyslog_accepting_remote_messages/rsyslog_nolisten/rule.yml +index 6a3495f80e..f529cbca89 100644 +--- a/linux_os/guide/system/logging/rsyslog_accepting_remote_messages/rsyslog_nolisten/rule.yml ++++ b/linux_os/guide/system/logging/rsyslog_accepting_remote_messages/rsyslog_nolisten/rule.yml +@@ -47,7 +47,7 @@ ocil_clause: "rsyslog accepts remote messages" + ocil: |- + Display the contents of the configuration file: +
cat /etc/rsyslog.conf
+- Make sure that following lines are not present in the configuration: ++ Make sure that the following lines are not present in the output: +
$ModLoad imtcp
+     $InputTCPServerRun port
+     $ModLoad imudp
diff --git a/SOURCES/scap-security-guide-0.1.53-add_stig_RHEL_07_040190-PR_6044.patch b/SOURCES/scap-security-guide-0.1.53-add_stig_RHEL_07_040190-PR_6044.patch
new file mode 100644
index 0000000..d3453aa
--- /dev/null
+++ b/SOURCES/scap-security-guide-0.1.53-add_stig_RHEL_07_040190-PR_6044.patch
@@ -0,0 +1,276 @@
+From a89f73985d5d92acc75229004bafdc931f5ed750 Mon Sep 17 00:00:00 2001
+From: Gabriel Becker 
+Date: Thu, 3 Sep 2020 18:09:53 +0200
+Subject: [PATCH 1/2] Introduce new rule sssd_ldap_configure_tls_reqcert.
+
+---
+ .../ansible/shared.yml                        |  6 +++
+ .../bash/shared.sh                            |  6 +++
+ .../oval/shared.xml                           | 24 ++++++++++++
+ .../sssd_ldap_configure_tls_reqcert/rule.yml  | 39 +++++++++++++++++++
+ ...rovider_and_reqcert_never.notapplicable.sh |  7 ++++
+ .../tests/correct_value.pass.sh               |  5 +++
+ .../id_provider_is_set_to_ad.notapplicable.sh |  6 +++
+ ...ldap_id_provider_and_reqcert_never.fail.sh |  6 +++
+ .../tests/ldap_tls_reqcert_not_there.fail.sh  |  6 +++
+ rhel7/profiles/stig.profile                   |  1 +
+ shared/references/cce-redhat-avail.txt        |  2 -
+ tests/shared/sssd.conf                        |  1 +
+ 12 files changed, 107 insertions(+), 2 deletions(-)
+ create mode 100644 linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_reqcert/ansible/shared.yml
+ create mode 100644 linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_reqcert/bash/shared.sh
+ create mode 100644 linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_reqcert/oval/shared.xml
+ create mode 100644 linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_reqcert/rule.yml
+ create mode 100644 linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_reqcert/tests/ad_id_provider_and_reqcert_never.notapplicable.sh
+ create mode 100644 linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_reqcert/tests/correct_value.pass.sh
+ create mode 100644 linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_reqcert/tests/id_provider_is_set_to_ad.notapplicable.sh
+ create mode 100644 linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_reqcert/tests/ldap_id_provider_and_reqcert_never.fail.sh
+ create mode 100644 linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_reqcert/tests/ldap_tls_reqcert_not_there.fail.sh
+
+diff --git a/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_reqcert/ansible/shared.yml b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_reqcert/ansible/shared.yml
+new file mode 100644
+index 0000000000..891b3e2f97
+--- /dev/null
++++ b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_reqcert/ansible/shared.yml
+@@ -0,0 +1,6 @@
++# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol
++# reboot = false
++# strategy = unknown
++# complexity = low
++# disruption = medium
++{{{ ansible_sssd_ldap_config(parameter="ldap_tls_reqcert", value="demand") }}}
+diff --git a/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_reqcert/bash/shared.sh b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_reqcert/bash/shared.sh
+new file mode 100644
+index 0000000000..62c2febc46
+--- /dev/null
++++ b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_reqcert/bash/shared.sh
+@@ -0,0 +1,6 @@
++# platform = multi_platform_wrlinux,multi_platform_rhel,multi_platform_fedora,multi_platform_ol
++
++# Include source function library.
++. /usr/share/scap-security-guide/remediation_functions
++
++{{{ bash_sssd_ldap_config(parameter="ldap_tls_reqcert", value="demand") }}}
+diff --git a/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_reqcert/oval/shared.xml b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_reqcert/oval/shared.xml
+new file mode 100644
+index 0000000000..9d3db0488f
+--- /dev/null
++++ b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_reqcert/oval/shared.xml
+@@ -0,0 +1,24 @@
++
++  
++    
++      Configure SSSD LDAP Backend Client to Demand a Valid Certificate from the Server
++      {{{- oval_affected(products) }}}
++      Configure SSSD to request a valid certificate from the server to protect LDAP remote access sessions.
++    
++    
++      
++    
++  
++
++  
++    
++  
++
++  
++    /etc/sssd/sssd.conf
++    ^[\s]*\[domain\/[^]]*]([^\n\[\]]*\n+)+?[\s]*ldap_tls_reqcert[ \t]*=[ \t]*((?i)demand)[ \t]*$
++    1
++  
++
+diff --git a/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_reqcert/rule.yml b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_reqcert/rule.yml
+new file mode 100644
+index 0000000000..4dee11bcfb
+--- /dev/null
++++ b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_reqcert/rule.yml
+@@ -0,0 +1,39 @@
++documentation_complete: true
++
++prodtype: ol7,ol8,rhel7,rhel8,wrlinux1019
++
++title: 'Configure SSSD LDAP Backend Client to Demand a Valid Certificate from the Server'
++
++description: |-
++    Configure SSSD to demand a valid certificate from the server to
++    protect the integrity of LDAP remote access sessions. By setting
++    the 
ldap_tls_reqcert
option in
/etc/sssd/sssd.conf
++ to demand. ++ ++rationale: |- ++ Without a valid certificate presented to the LDAP client backend, the identity of a ++ server can be forged compromising LDAP remote access sessions. ++ ++severity: medium ++ ++identifiers: ++ cce@rhel7: CCE-84061-1 ++ cce@rhel8: CCE-84062-9 ++ ++references: ++ stigid@ol7: OL07-00-040190 ++ disa: CCI-001453 ++ nist: SC-12(3),CM-6(a) ++ srg: SRG-OS-000250-GPOS-00093 ++ stigid@rhel7: RHEL-07-040190 ++ ++ocil_clause: 'the TLS reqcert is not set to demand' ++ ++ocil: |- ++ To verify the LDAP client backend demands a valid certificate from the server in ++ remote ldap access sessions, run the following command: ++
$ sudo grep ldap_tls_reqcert /etc/sssd/sssd.conf
++ The output should return the following: ++
ldap_tls_reqcert = demand
++ ++platform: sssd-ldap +diff --git a/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_reqcert/tests/ad_id_provider_and_reqcert_never.notapplicable.sh b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_reqcert/tests/ad_id_provider_and_reqcert_never.notapplicable.sh +new file mode 100644 +index 0000000000..3b82743f8d +--- /dev/null ++++ b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_reqcert/tests/ad_id_provider_and_reqcert_never.notapplicable.sh +@@ -0,0 +1,7 @@ ++#!/bin/bash ++# profiles = xccdf_org.ssgproject.content_profile_stig ++ ++. $SHARED/setup_config_files.sh ++setup_correct_sssd_config ++sed -i 's/ldap_tls_reqcert = demand/ldap_id_use_start_tls = never/' /etc/sssd/sssd.conf ++sed -i 's/id_provider = ldap/id_provider = ad/' /etc/sssd/sssd.conf +diff --git a/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_reqcert/tests/correct_value.pass.sh b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_reqcert/tests/correct_value.pass.sh +new file mode 100644 +index 0000000000..82bff74acf +--- /dev/null ++++ b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_reqcert/tests/correct_value.pass.sh +@@ -0,0 +1,5 @@ ++#!/bin/bash ++# profiles = xccdf_org.ssgproject.content_profile_stig ++ ++. $SHARED/setup_config_files.sh ++setup_correct_sssd_config +diff --git a/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_reqcert/tests/id_provider_is_set_to_ad.notapplicable.sh b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_reqcert/tests/id_provider_is_set_to_ad.notapplicable.sh +new file mode 100644 +index 0000000000..21f3af4c96 +--- /dev/null ++++ b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_reqcert/tests/id_provider_is_set_to_ad.notapplicable.sh +@@ -0,0 +1,6 @@ ++#!/bin/bash ++# profiles = xccdf_org.ssgproject.content_profile_stig ++ ++. $SHARED/setup_config_files.sh ++setup_correct_sssd_config ++sed -i 's/id_provider = ldap/id_provider = ad/' /etc/sssd/sssd.conf +diff --git a/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_reqcert/tests/ldap_id_provider_and_reqcert_never.fail.sh b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_reqcert/tests/ldap_id_provider_and_reqcert_never.fail.sh +new file mode 100644 +index 0000000000..0fe620475e +--- /dev/null ++++ b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_reqcert/tests/ldap_id_provider_and_reqcert_never.fail.sh +@@ -0,0 +1,6 @@ ++#!/bin/bash ++# profiles = xccdf_org.ssgproject.content_profile_stig ++ ++. $SHARED/setup_config_files.sh ++setup_correct_sssd_config ++sed -i 's/ldap_tls_reqcert = demand/ldap_id_use_start_tls = never/' /etc/sssd/sssd.conf +diff --git a/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_reqcert/tests/ldap_tls_reqcert_not_there.fail.sh b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_reqcert/tests/ldap_tls_reqcert_not_there.fail.sh +new file mode 100644 +index 0000000000..0e01fafb6f +--- /dev/null ++++ b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_reqcert/tests/ldap_tls_reqcert_not_there.fail.sh +@@ -0,0 +1,6 @@ ++#!/bin/bash ++# profiles = xccdf_org.ssgproject.content_profile_stig ++ ++. $SHARED/setup_config_files.sh ++setup_correct_sssd_config ++sed -i '/ldap_tls_reqcert/d' /etc/sssd/sssd.conf +diff --git a/rhel7/profiles/stig.profile b/rhel7/profiles/stig.profile +index b820d30608..1b41b85857 100644 +--- a/rhel7/profiles/stig.profile ++++ b/rhel7/profiles/stig.profile +@@ -236,6 +236,7 @@ selections: + - sssd_ldap_start_tls.severity=medium + - sssd_ldap_configure_tls_ca_dir + - sssd_ldap_configure_tls_ca ++ - sssd_ldap_configure_tls_reqcert + - sysctl_kernel_randomize_va_space + - package_openssh-server_installed + - sshd_required=yes +diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt +index 4609b82680..7ab5eb179e 100644 +--- a/shared/references/cce-redhat-avail.txt ++++ b/shared/references/cce-redhat-avail.txt +@@ -650,8 +650,6 @@ CCE-84057-9 + CCE-84058-7 + CCE-84059-5 + CCE-84060-3 +-CCE-84061-1 +-CCE-84062-9 + CCE-84063-7 + CCE-84064-5 + CCE-84065-2 +diff --git a/tests/shared/sssd.conf b/tests/shared/sssd.conf +index dc51456425..6903a25d37 100644 +--- a/tests/shared/sssd.conf ++++ b/tests/shared/sssd.conf +@@ -9,6 +9,7 @@ ldap_search_base = dc=com + ldap_tls_cacertdir = /etc/openldap/cacerts + cache_credentials = True + krb5_store_password_if_offline = True ++ldap_tls_reqcert = demand + + + [sssd] + +From daf742ec9dad984e17e8a99bd7793bc9f44a32c4 Mon Sep 17 00:00:00 2001 +From: Gabriel Becker +Date: Mon, 21 Sep 2020 17:24:08 +0200 +Subject: [PATCH 2/2] Use oval_metadata macro and update text of rule + sssd_ldap_configure_tls_reqcert. + +--- + .../sssd_ldap_configure_tls_reqcert/oval/shared.xml | 7 ++----- + .../sssd-ldap/sssd_ldap_configure_tls_reqcert/rule.yml | 4 ++-- + 2 files changed, 4 insertions(+), 7 deletions(-) + +diff --git a/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_reqcert/oval/shared.xml b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_reqcert/oval/shared.xml +index 9d3db0488f..688cf17abb 100644 +--- a/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_reqcert/oval/shared.xml ++++ b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_reqcert/oval/shared.xml +@@ -1,10 +1,7 @@ + + +- +- Configure SSSD LDAP Backend Client to Demand a Valid Certificate from the Server +- {{{- oval_affected(products) }}} +- Configure SSSD to request a valid certificate from the server to protect LDAP remote access sessions. +- ++ {{{ oval_metadata("Configure SSSD to request a valid certificate from the server to protect LDAP remote access sessions.", ++ title="Configure SSSD LDAP Backend Client to Demand a Valid Certificate from the Server") }}} + + + +diff --git a/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_reqcert/rule.yml b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_reqcert/rule.yml +index 4dee11bcfb..731b7c0846 100644 +--- a/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_reqcert/rule.yml ++++ b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_reqcert/rule.yml +@@ -6,7 +6,7 @@ title: 'Configure SSSD LDAP Backend Client to Demand a Valid Certificate from th + + description: |- + Configure SSSD to demand a valid certificate from the server to +- protect the integrity of LDAP remote access sessions. By setting ++ protect the integrity of LDAP remote access sessions by setting + the
ldap_tls_reqcert
option in
/etc/sssd/sssd.conf
+ to demand. + +@@ -31,7 +31,7 @@ ocil_clause: 'the TLS reqcert is not set to demand' + + ocil: |- + To verify the LDAP client backend demands a valid certificate from the server in +- remote ldap access sessions, run the following command: ++ remote LDAP access sessions, run the following command: +
$ sudo grep ldap_tls_reqcert /etc/sssd/sssd.conf
+ The output should return the following: +
ldap_tls_reqcert = demand
diff --git a/SOURCES/scap-security-guide-0.1.53-ansible_platforms-PR_6025.patch b/SOURCES/scap-security-guide-0.1.53-ansible_platforms-PR_6025.patch new file mode 100644 index 0000000..16d2f4e --- /dev/null +++ b/SOURCES/scap-security-guide-0.1.53-ansible_platforms-PR_6025.patch @@ -0,0 +1,278 @@ +From 844be904d8de624abe9bbe620d7a06417dfff842 Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Thu, 27 Aug 2020 13:19:01 +0200 +Subject: [PATCH 1/5] Align Ansible task applicability with CPE platform + +Adds a when clause to Ansible snippets of rules with Package CPE platform. + +If the when clause is added, a fact_packages Task needs to added as +well. +--- + ssg/build_remediations.py | 52 ++++++++++++++++++++++++++++++++++++--- + 1 file changed, 49 insertions(+), 3 deletions(-) + +diff --git a/ssg/build_remediations.py b/ssg/build_remediations.py +index a9ef3014ac..597aed5889 100644 +--- a/ssg/build_remediations.py ++++ b/ssg/build_remediations.py +@@ -6,8 +6,7 @@ + import os.path + import re + import codecs +-from collections import defaultdict, namedtuple +- ++from collections import defaultdict, namedtuple, OrderedDict + + import ssg.yaml + from . import build_yaml +@@ -343,10 +342,46 @@ def _get_rule_reference(self, ref_class): + else: + return [] + ++ def inject_package_facts_task(self, parsed_snippet): ++ """ Injects a package_facts task only if ++ the snippet has a task with a when clause with ansible_facts.packages, ++ and the snippet doesn't already have an package_facts task ++ """ ++ has_package_facts_task = False ++ has_ansible_facts_packages_clause = False ++ ++ for p_task in parsed_snippet: ++ # We are only interested in the OrderedDicts, which represent Ansible tasks ++ if not isinstance(p_task, dict): ++ continue ++ ++ if "package_facts" in p_task: ++ has_package_facts_task = True ++ ++ if "ansible_facts.packages" in p_task.get("when", ""): ++ has_ansible_facts_packages_clause = True ++ ++ if has_ansible_facts_packages_clause and not has_package_facts_task: ++ facts_task = OrderedDict({'name': 'Gather the package facts', ++ 'package_facts': {'manager': 'auto'}}) ++ parsed_snippet.insert(0, facts_task) ++ + def update_when_from_rule(self, to_update): + additional_when = "" +- if self.associated_rule.platform == "machine": ++ rule_platform = self.associated_rule.platform ++ if rule_platform == "machine": + additional_when = 'ansible_virtualization_type not in ["docker", "lxc", "openvz"]' ++ elif rule_platform is not None: ++ # Assume any other platform is a Package CPE ++ ++ # It doesn't make sense to add a conditional on the task that ++ # gathers data for the conditional ++ if "package_facts" in to_update: ++ return ++ ++ additional_when = '"' + rule_platform + '" in ansible_facts.packages' ++ # After adding the conditional, we need to make sure package_facts are collected. ++ # This is done via inject_package_facts_task() + to_update.setdefault("when", "") + new_when = ssg.yaml.update_yaml_list_or_string(to_update["when"], additional_when) + if not new_when: +@@ -355,10 +390,21 @@ def update_when_from_rule(self, to_update): + to_update["when"] = new_when + + def update(self, parsed, config): ++ # We split the remediation update in three steps ++ ++ # 1. Update the when clause + for p in parsed: + if not isinstance(p, dict): + continue + self.update_when_from_rule(p) ++ ++ # 2. Inject any extra task necessary ++ self.inject_package_facts_task(parsed) ++ ++ # 3. Add tags to all tasks, including the ones we have injected ++ for p in parsed: ++ if not isinstance(p, dict): ++ continue + self.update_tags_from_config(p, config) + self.update_tags_from_rule(p) + + +From 60e5723e0e35ec8d79bafdd113f04691e61738e7 Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Thu, 27 Aug 2020 17:09:06 +0200 +Subject: [PATCH 2/5] Add inherited_platform to Rule + +This field is exported to the rule when it is resolved. +--- + ssg/build_yaml.py | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/ssg/build_yaml.py b/ssg/build_yaml.py +index 4ba114eee4..fe290ffc05 100644 +--- a/ssg/build_yaml.py ++++ b/ssg/build_yaml.py +@@ -832,6 +832,7 @@ class Rule(object): + "conflicts": lambda: list(), + "requires": lambda: list(), + "platform": lambda: None, ++ "inherited_platforms": lambda: list(), + "template": lambda: None, + } + +@@ -851,6 +852,7 @@ def __init__(self, id_): + self.requires = [] + self.conflicts = [] + self.platform = None ++ self.inherited_platforms = [] # platforms inherited from the group + self.template = None + + @classmethod +@@ -1293,6 +1295,9 @@ def _process_rules(self): + continue + self.all_rules.add(rule) + self.loaded_group.add_rule(rule) ++ ++ rule.inherited_platforms.append(self.loaded_group.platform) ++ + if self.resolved_rules_dir: + output_for_rule = os.path.join( + self.resolved_rules_dir, "{id_}.yml".format(id_=rule.id_)) + +From 3a0bb0d2981670e90a8eaca53b28e1a6f7cc29d6 Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Thu, 27 Aug 2020 17:21:35 +0200 +Subject: [PATCH 3/5] Add when clauses for inherited platforms too + +Consider the Rule's Group platform while including 'when' clauses to +Ansible snippets. + +Some rules have two platforms, a machine platform and a package +platform. One of them is represented of the Rule, and the other is +represented in the Rule's Group. + +The platforms are organized like this to due limiation in XCCDF, +multiple platforms in a Rule are ORed, not ANDed. +--- + ssg/build_remediations.py | 44 ++++++++++++++++++++++++--------------- + 1 file changed, 27 insertions(+), 17 deletions(-) + +diff --git a/ssg/build_remediations.py b/ssg/build_remediations.py +index 597aed5889..a2a996d0af 100644 +--- a/ssg/build_remediations.py ++++ b/ssg/build_remediations.py +@@ -358,8 +358,13 @@ def inject_package_facts_task(self, parsed_snippet): + if "package_facts" in p_task: + has_package_facts_task = True + +- if "ansible_facts.packages" in p_task.get("when", ""): +- has_ansible_facts_packages_clause = True ++ # When clause of the task can be string or a list, lets normalize to list ++ task_when = p_task.get("when", "") ++ if type(task_when) is str: ++ task_when = [ task_when ] ++ for when in task_when: ++ if "ansible_facts.packages" in when: ++ has_ansible_facts_packages_clause = True + + if has_ansible_facts_packages_clause and not has_package_facts_task: + facts_task = OrderedDict({'name': 'Gather the package facts', +@@ -367,21 +372,26 @@ def inject_package_facts_task(self, parsed_snippet): + parsed_snippet.insert(0, facts_task) + + def update_when_from_rule(self, to_update): +- additional_when = "" +- rule_platform = self.associated_rule.platform +- if rule_platform == "machine": +- additional_when = 'ansible_virtualization_type not in ["docker", "lxc", "openvz"]' +- elif rule_platform is not None: +- # Assume any other platform is a Package CPE +- +- # It doesn't make sense to add a conditional on the task that +- # gathers data for the conditional +- if "package_facts" in to_update: +- return +- +- additional_when = '"' + rule_platform + '" in ansible_facts.packages' +- # After adding the conditional, we need to make sure package_facts are collected. +- # This is done via inject_package_facts_task() ++ additional_when = [] ++ ++ rule_platforms = set([self.associated_rule.platform] + ++ self.associated_rule.inherited_platforms) ++ ++ for platform in rule_platforms: ++ if platform == "machine": ++ additional_when.append('ansible_virtualization_type not in ["docker", "lxc", "openvz"]') ++ elif platform is not None: ++ # Assume any other platform is a Package CPE ++ ++ # It doesn't make sense to add a conditional on the task that ++ # gathers data for the conditional ++ if "package_facts" in to_update: ++ continue ++ ++ additional_when.append('"' + platform + '" in ansible_facts.packages') ++ # After adding the conditional, we need to make sure package_facts are collected. ++ # This is done via inject_package_facts_task() ++ + to_update.setdefault("when", "") + new_when = ssg.yaml.update_yaml_list_or_string(to_update["when"], additional_when) + if not new_when: + +From 99c92e39bccc3fcfadca41096e66ca146137b207 Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Mon, 31 Aug 2020 16:06:14 +0200 +Subject: [PATCH 4/5] Improve inherihted and rule's platforms handling + +Add a quick comment too. +--- + ssg/build_remediations.py | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/ssg/build_remediations.py b/ssg/build_remediations.py +index a2a996d0af..9e622ef740 100644 +--- a/ssg/build_remediations.py ++++ b/ssg/build_remediations.py +@@ -374,8 +374,9 @@ def inject_package_facts_task(self, parsed_snippet): + def update_when_from_rule(self, to_update): + additional_when = [] + +- rule_platforms = set([self.associated_rule.platform] + +- self.associated_rule.inherited_platforms) ++ # There can be repeated inherited platforms and rule platforms ++ rule_platforms = set(self.associated_rule.inherited_platforms) ++ rule_platforms.add(self.associated_rule.platform) + + for platform in rule_platforms: + if platform == "machine": + +From 596da9993edfbd244cbaa6d797abbd68b2e82185 Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Mon, 31 Aug 2020 16:10:53 +0200 +Subject: [PATCH 5/5] Code style and grammar changes + +--- + ssg/build_remediations.py | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/ssg/build_remediations.py b/ssg/build_remediations.py +index 9e622ef740..866450dd8c 100644 +--- a/ssg/build_remediations.py ++++ b/ssg/build_remediations.py +@@ -345,7 +345,7 @@ def _get_rule_reference(self, ref_class): + def inject_package_facts_task(self, parsed_snippet): + """ Injects a package_facts task only if + the snippet has a task with a when clause with ansible_facts.packages, +- and the snippet doesn't already have an package_facts task ++ and the snippet doesn't already have a package_facts task + """ + has_package_facts_task = False + has_ansible_facts_packages_clause = False +@@ -361,7 +361,7 @@ def inject_package_facts_task(self, parsed_snippet): + # When clause of the task can be string or a list, lets normalize to list + task_when = p_task.get("when", "") + if type(task_when) is str: +- task_when = [ task_when ] ++ task_when = [task_when] + for when in task_when: + if "ansible_facts.packages" in when: + has_ansible_facts_packages_clause = True diff --git a/SOURCES/scap-security-guide-0.1.53-bash_platforms-PR_6061.patch b/SOURCES/scap-security-guide-0.1.53-bash_platforms-PR_6061.patch new file mode 100644 index 0000000..f1510d8 --- /dev/null +++ b/SOURCES/scap-security-guide-0.1.53-bash_platforms-PR_6061.patch @@ -0,0 +1,241 @@ +From c05cce1a4a5eb95be857b07948fda0c95cdaa106 Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Tue, 8 Sep 2020 14:36:07 +0200 +Subject: [PATCH 1/5] Align Bash applicability with CPE platform + +Wraps the remediation of rules with Packager CPE Platform +with an if condition that checks for the respective +platforms's package. +--- + ssg/build_remediations.py | 45 +++++++++++++++++++++++++++++++++++++++ + 1 file changed, 45 insertions(+) + +diff --git a/ssg/build_remediations.py b/ssg/build_remediations.py +index ccbdf9fc1f..2d4a805e78 100644 +--- a/ssg/build_remediations.py ++++ b/ssg/build_remediations.py +@@ -27,6 +27,13 @@ + 'kubernetes': '.yml' + } + ++PKG_MANAGER_TO_PACKAGE_CHECK_COMMAND = { ++ 'apt_get': 'dpkg-query -s {} &>/dev/null', ++ 'dnf': 'rpm --quiet -q {}', ++ 'yum': 'rpm --quiet -q {}', ++ 'zypper': 'rpm --quiet -q {}', ++} ++ + FILE_GENERATED_HASH_COMMENT = '# THIS FILE IS GENERATED' + + REMEDIATION_CONFIG_KEYS = ['complexity', 'disruption', 'platform', 'reboot', +@@ -262,6 +269,44 @@ class BashRemediation(Remediation): + def __init__(self, file_path): + super(BashRemediation, self).__init__(file_path, "bash") + ++ def parse_from_file_with_jinja(self, env_yaml): ++ self.local_env_yaml.update(env_yaml) ++ result = super(BashRemediation, self).parse_from_file_with_jinja(self.local_env_yaml) ++ ++ # There can be repeated inherited platforms and rule platforms ++ rule_platforms = set(self.associated_rule.inherited_platforms) ++ rule_platforms.add(self.associated_rule.platform) ++ ++ platform_conditionals = [] ++ for platform in rule_platforms: ++ if platform == "machine": ++ # Based on check installed_env_is_a_container ++ platform_conditionals.append('[ ! -f /.dockerenv -a ! -f /run/.containerenv ]') ++ elif platform is not None: ++ # Assume any other platform is a Package CPE ++ ++ # Some package names are different from the platform names ++ if platform in self.local_env_yaml["platform_package_overrides"]: ++ platform = self.local_env_yaml["platform_package_overrides"].get(platform) ++ ++ # Adjust package check command according to the pkg_manager ++ pkg_manager = self.local_env_yaml["pkg_manager"] ++ pkg_check_command = PKG_MANAGER_TO_PACKAGE_CHECK_COMMAND[pkg_manager] ++ platform_conditionals.append(pkg_check_command.format(platform)) ++ ++ if platform_conditionals: ++ platform_fix_text = "# Remediation is applicable only in certain platforms\n" ++ ++ cond = platform_conditionals.pop(0) ++ platform_fix_text += "if {}".format(cond) ++ for cond in platform_conditionals: ++ platform_fix_text += " && {}".format(cond) ++ platform_fix_text += '; then\n{}\nelse\necho "Remediation is not applicable, nothing was done"\nfi'.format(result.contents) ++ ++ remediation = namedtuple('remediation', ['contents', 'config']) ++ result = remediation(contents=platform_fix_text, config=result.config) ++ ++ return result + + class AnsibleRemediation(Remediation): + def __init__(self, file_path): + +From 19e0c3b709e091159655d37b8ce5d693750f0a81 Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Tue, 8 Sep 2020 14:41:01 +0200 +Subject: [PATCH 2/5] Handle Bash platform wrapping in xccdf expansion + +Adjust expansion of subs and variables not to remove the whole beginning +of the fix test. This was removing the package conditional wrapping. +--- + ssg/build_remediations.py | 21 ++++++++++++--------- + 1 file changed, 12 insertions(+), 9 deletions(-) + +diff --git a/ssg/build_remediations.py b/ssg/build_remediations.py +index 2d4a805e78..49ec557000 100644 +--- a/ssg/build_remediations.py ++++ b/ssg/build_remediations.py +@@ -736,14 +736,16 @@ def expand_xccdf_subs(fix, remediation_type, remediation_functions): + patcomp = re.compile(pattern, re.DOTALL) + fixparts = re.split(patcomp, fix.text) + if fixparts[0] is not None: +- # Split the portion of fix.text from fix start to first call of +- # remediation function, keeping only the third part: +- # * tail to hold part of the fix.text after inclusion, +- # but before first call of remediation function ++ # Split the portion of fix.text at the string remediation_functions, ++ # and remove preceeding comment whenever it is there. ++ # * head holds part of the fix.text before ++ # remediation_functions string ++ # * tail holds part of the fix.text after the ++ # remediation_functions string + try: +- rfpattern = '(.*remediation_functions)(.*)' +- rfpatcomp = re.compile(rfpattern, re.DOTALL) +- _, _, tail, _ = re.split(rfpatcomp, fixparts[0], maxsplit=2) ++ rfpattern = r'((?:# Include source function library\.\n)?.*remediation_functions)' ++ rfpatcomp = re.compile(rfpattern) ++ head, _, tail = re.split(rfpatcomp, fixparts[0], maxsplit=1) + except ValueError: + sys.stderr.write("Processing fix.text for: %s rule\n" + % fix.get('rule')) +@@ -751,9 +753,10 @@ def expand_xccdf_subs(fix, remediation_type, remediation_functions): + "after inclusion of remediation functions." + " Aborting..\n") + sys.exit(1) +- # If the 'tail' is not empty, make it new fix.text. ++ # If the 'head' is not empty, make it new fix.text. + # Otherwise use '' +- fix.text = tail if tail is not None else '' ++ fix.text = head if head is not None else '' ++ fix.text += tail if tail is not None else '' + # Drop the first element of 'fixparts' since it has been processed + fixparts.pop(0) + # Perform sanity check on new 'fixparts' list content (to continue + +From 1292b93dc35a9a308464f1effb7f10f8de6db457 Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Tue, 8 Sep 2020 20:56:17 +0200 +Subject: [PATCH 3/5] Check if remediation has associated rule before use + +--- + ssg/build_remediations.py | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +diff --git a/ssg/build_remediations.py b/ssg/build_remediations.py +index 49ec557000..85f7139d8f 100644 +--- a/ssg/build_remediations.py ++++ b/ssg/build_remediations.py +@@ -273,9 +273,11 @@ def parse_from_file_with_jinja(self, env_yaml): + self.local_env_yaml.update(env_yaml) + result = super(BashRemediation, self).parse_from_file_with_jinja(self.local_env_yaml) + +- # There can be repeated inherited platforms and rule platforms +- rule_platforms = set(self.associated_rule.inherited_platforms) +- rule_platforms.add(self.associated_rule.platform) ++ rule_platforms = set() ++ if self.associated_rule: ++ # There can be repeated inherited platforms and rule platforms ++ rule_platforms.update(self.associated_rule.inherited_platforms) ++ rule_platforms.add(self.associated_rule.platform) + + platform_conditionals = [] + for platform in rule_platforms: + +From 7953a02e61bb56b501c56f46972247751292dcbb Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Thu, 10 Sep 2020 10:59:43 +0200 +Subject: [PATCH 4/5] Fix python2 compat and improve code readability + +--- + ssg/build_remediations.py | 29 ++++++++++++++++++----------- + 1 file changed, 18 insertions(+), 11 deletions(-) + +diff --git a/ssg/build_remediations.py b/ssg/build_remediations.py +index 85f7139d8f..673d6d0cc6 100644 +--- a/ssg/build_remediations.py ++++ b/ssg/build_remediations.py +@@ -28,10 +28,10 @@ + } + + PKG_MANAGER_TO_PACKAGE_CHECK_COMMAND = { +- 'apt_get': 'dpkg-query -s {} &>/dev/null', +- 'dnf': 'rpm --quiet -q {}', +- 'yum': 'rpm --quiet -q {}', +- 'zypper': 'rpm --quiet -q {}', ++ 'apt_get': 'dpkg-query -s {0} &>/dev/null', ++ 'dnf': 'rpm --quiet -q {0}', ++ 'yum': 'rpm --quiet -q {0}', ++ 'zypper': 'rpm --quiet -q {0}', + } + + FILE_GENERATED_HASH_COMMENT = '# THIS FILE IS GENERATED' +@@ -297,16 +297,23 @@ def parse_from_file_with_jinja(self, env_yaml): + platform_conditionals.append(pkg_check_command.format(platform)) + + if platform_conditionals: +- platform_fix_text = "# Remediation is applicable only in certain platforms\n" ++ wrapped_fix_text = ["# Remediation is applicable only in certain platforms"] + +- cond = platform_conditionals.pop(0) +- platform_fix_text += "if {}".format(cond) +- for cond in platform_conditionals: +- platform_fix_text += " && {}".format(cond) +- platform_fix_text += '; then\n{}\nelse\necho "Remediation is not applicable, nothing was done"\nfi'.format(result.contents) ++ all_conditions = " && ".join(platform_conditionals) ++ wrapped_fix_text.append("if {0}; then".format(all_conditions)) ++ ++ # Avoid adding extra blank line ++ if not result.contents.startswith("\n"): ++ wrapped_fix_text.append("") ++ ++ wrapped_fix_text.append("{0}".format(result.contents)) ++ wrapped_fix_text.append("") ++ wrapped_fix_text.append("else") ++ wrapped_fix_text.append(" >&2 echo 'Remediation is not applicable, nothing was done'") ++ wrapped_fix_text.append("fi") + + remediation = namedtuple('remediation', ['contents', 'config']) +- result = remediation(contents=platform_fix_text, config=result.config) ++ result = remediation(contents="\n".join(wrapped_fix_text), config=result.config) + + return result + + +From 0bd3912651367c64789bb3d67b44c3b8848708c0 Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Thu, 10 Sep 2020 17:25:27 +0200 +Subject: [PATCH 5/5] Document the perils of indenting wrapped Bash fixes + +--- + ssg/build_remediations.py | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/ssg/build_remediations.py b/ssg/build_remediations.py +index 673d6d0cc6..f269d4d2d6 100644 +--- a/ssg/build_remediations.py ++++ b/ssg/build_remediations.py +@@ -306,6 +306,9 @@ def parse_from_file_with_jinja(self, env_yaml): + if not result.contents.startswith("\n"): + wrapped_fix_text.append("") + ++ # It is possible to indent the original body of the remediation with textwrap.indent(), ++ # however, it is not supported by python2, and there is a risk of breaking remediations ++ # For example, remediations with a here-doc block could be affected. + wrapped_fix_text.append("{0}".format(result.contents)) + wrapped_fix_text.append("") + wrapped_fix_text.append("else") diff --git a/SOURCES/scap-security-guide-0.1.53-clean_boilerplate-PR_6042.patch b/SOURCES/scap-security-guide-0.1.53-clean_boilerplate-PR_6042.patch new file mode 100644 index 0000000..8ed22b3 --- /dev/null +++ b/SOURCES/scap-security-guide-0.1.53-clean_boilerplate-PR_6042.patch @@ -0,0 +1,7131 @@ +From 845ad1f66b3c92cf1293a421ec4b8d785077b29c Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= +Date: Thu, 3 Sep 2020 16:24:12 +0200 +Subject: [PATCH 1/6] Remove the OVAL boilerplate in favor of the oval_metadata + macro. + +--- + .../oval/shared.xml | 11 +----- + .../apt_sources_list_official/oval/shared.xml | 8 +--- + .../oval/shared.xml | 10 +---- + .../ftp_log_transactions/oval/shared.xml | 11 +----- + .../ftp_present_banner/oval/shared.xml | 12 +----- + .../dir_perms_etc_httpd_conf/oval/shared.xml | 8 +--- + .../dir_perms_var_log_httpd/oval/shared.xml | 8 +--- + .../oval/shared.xml | 8 +--- + .../oval/shared.xml | 8 +--- + .../oval/shared.xml | 8 +--- + .../oval/shared.xml | 8 +--- + .../dovecot_enable_ssl/oval/shared.xml | 8 +--- + .../oval/shared.xml | 11 +----- + .../enable_ldap_client/oval/shared.xml | 10 +---- + .../ldap_client_start_tls/oval/shared.xml | 9 +---- + .../oval/shared.xml | 8 +--- + .../oval/shared.xml | 9 +---- + .../oval/shared.xml | 9 +---- + .../postfix_server_banner/oval/shared.xml | 8 +--- + .../no_insecure_locks_exports/oval/shared.xml | 10 +---- + .../oval/shared.xml | 13 +------ + .../ntp/chronyd_client_only/oval/shared.xml | 8 +--- + .../oval/shared.xml | 8 +--- + .../oval/shared.xml | 8 +--- + .../oval/shared.xml | 6 +-- + .../oval/shared.xml | 6 +-- + .../oval/shared.xml | 8 +--- + .../oval/shared.xml | 6 +-- + .../ntp/ntpd_run_as_ntp_user/oval/shared.xml | 6 +-- + .../oval/shared.xml | 6 +-- + .../oval/shared.xml | 8 +--- + .../oval/shared.xml | 6 +-- + .../no_host_based_files/oval/shared.xml | 12 +----- + .../no_rsh_trust_files/oval/shared.xml | 10 +---- + .../no_user_host_based_files/oval/shared.xml | 12 +----- + .../tftpd_uses_secure_mode/oval/shared.xml | 11 +----- + .../cups_disable_browsing/oval/shared.xml | 10 +---- + .../cups_disable_printserver/oval/shared.xml | 10 +---- + .../oval/shared.xml | 11 +----- + .../oval/shared.xml | 10 +---- + .../oval/shared.xml | 8 +--- + .../snmpd_use_newer_protocol/oval/shared.xml | 8 +--- + .../firewalld_sshd_disabled/oval/shared.xml | 11 +----- + .../oval/shared.xml | 14 +------ + .../sshd_allow_only_protocol2/oval/shared.xml | 6 +-- + .../sshd_disable_compression/oval/shared.xml | 6 +-- + .../sshd_disable_rhosts_rsa/oval/shared.xml | 8 +--- + .../sshd_rekey_limit/oval/shared.xml | 6 +-- + .../sshd_set_idle_timeout/oval/shared.xml | 10 +---- + .../sshd_set_keepalive/oval/shared.xml | 10 +---- + .../sshd_set_max_auth_tries/oval/shared.xml | 10 +---- + .../sshd_set_max_sessions/oval/shared.xml | 10 +---- + .../sshd_use_approved_ciphers/oval/shared.xml | 11 +----- + .../sshd_use_approved_macs/oval/shared.xml | 12 +----- + .../sshd_use_priv_separation/oval/shared.xml | 8 +--- + .../oval/shared.xml | 10 +---- + .../sssd_ldap_start_tls/oval/shared.xml | 6 +-- + .../sssd_enable_pam_services/oval/shared.xml | 8 +--- + .../sssd_enable_smartcards/oval/shared.xml | 14 +------ + .../sssd_memcache_timeout/oval/shared.xml | 11 +----- + .../oval/shared.xml | 11 +----- + .../sssd_run_as_sssd_user/oval/shared.xml | 6 +-- + .../oval/shared.xml | 10 +---- + .../usbguard_allow_hid/oval/shared.xml | 10 +---- + .../oval/shared.xml | 6 +-- + .../usbguard_allow_hub/oval/shared.xml | 10 +---- + .../xwindows_runlevel_setting/oval/shared.xml | 13 +------ + .../xwindows_runlevel_target/oval/shared.xml | 6 +-- + .../banner_etc_issue/oval/shared.xml | 6 +-- + .../banner_etc_motd/oval/shared.xml | 12 +----- + .../oval/shared.xml | 11 +----- + .../oval/shared.xml | 11 +----- + .../display_login_attempts/oval/shared.xml | 12 +----- + .../oval/shared.xml | 12 +----- + .../oval/shared.xml | 8 +--- + .../oval/shared.xml | 15 +------- + .../oval/shared.xml | 11 +----- + .../oval/shared.xml | 11 +----- + .../oval/shared.xml | 12 +----- + .../oval/shared.xml | 12 +----- + .../oval/shared.xml | 12 +----- + .../oval/shared.xml | 12 +----- + .../oval/shared.xml | 8 +--- + .../disable_ctrlaltdel_reboot/oval/shared.xml | 8 +--- + .../oval/shared.xml | 8 +--- + .../oval/shared.xml | 14 +------ + .../require_singleuser_auth/oval/shared.xml | 8 +--- + .../oval/shared.xml | 10 +---- + .../oval/shared.xml | 10 +---- + .../oval/shared.xml | 10 +---- + .../no_tmux_in_shells/oval/shared.xml | 10 +---- + .../oval/shared.xml | 14 +------ + .../configure_opensc_nss_db/oval/shared.xml | 10 +---- + .../force_opensc_card_drivers/oval/shared.xml | 14 +------ + .../oval/shared.xml | 9 +---- + .../smartcard_auth/oval/shared.xml | 10 +---- + .../oval/shared.xml | 12 +----- + .../account_unique_name/oval/shared.xml | 8 +--- + .../oval/shared.xml | 8 +--- + .../oval/shared.xml | 8 +--- + .../oval/shared.xml | 8 +--- + .../oval/shared.xml | 8 +--- + .../oval/shared.xml | 8 +--- + .../gid_passwd_group_same/oval/shared.xml | 12 +----- + .../no_empty_passwords/oval/shared.xml | 6 +-- + .../oval/shared.xml | 6 +-- + .../oval/shared.xml | 6 +-- + .../oval/shared.xml | 6 +-- + .../no_netrc_files/oval/shared.xml | 6 +-- + .../oval/shared.xml | 6 +-- + .../no_direct_root_logins/oval/shared.xml | 8 +--- + .../oval/shared.xml | 8 +--- + .../oval/shared.xml | 10 +---- + .../oval/shared.xml | 10 +---- + .../oval/shared.xml | 6 +-- + .../accounts_logon_fail_delay/oval/shared.xml | 10 +---- + .../oval/shared.xml | 13 +------ + .../oval/shared.xml | 8 +--- + .../oval/shared.xml | 11 +----- + .../root_path_no_dot/oval/shared.xml | 13 +------ + .../accounts_umask_etc_bashrc/oval/shared.xml | 10 +---- + .../oval/shared.xml | 10 +---- + .../oval/shared.xml | 11 +----- + .../oval/shared.xml | 11 +----- + .../oval/shared.xml | 11 +----- + .../oval/shared.xml | 12 +----- + .../oval/shared.xml | 13 +------ + .../oval/shared.xml | 6 +-- + .../oval/shared.xml | 6 +-- + .../oval/shared.xml | 6 +-- + .../audit_rules_login_events/oval/shared.xml | 13 +------ + .../oval/shared.xml | 6 +-- + .../audit_rules_immutable/oval/shared.xml | 6 +-- + .../oval/shared.xml | 6 +-- + .../oval/shared.xml | 8 +--- + .../oval/shared.xml | 6 +-- + .../oval/shared.xml | 6 +-- + .../oval/shared.xml | 13 +------ + .../oval/shared.xml | 14 +------ + .../audit_rules_time_adjtimex/oval/shared.xml | 6 +-- + .../oval/shared.xml | 6 +-- + .../oval/shared.xml | 6 +-- + .../audit_rules_time_stime/oval/shared.xml | 8 +--- + .../oval/shared.xml | 6 +-- + .../oval/shared.xml | 6 +-- + .../oval/shared.xml | 6 +-- + .../oval/shared.xml | 6 +-- + .../oval/shared.xml | 6 +-- + .../oval/shared.xml | 6 +-- + .../oval/shared.xml | 12 +----- + .../oval/shared.xml | 12 +----- + .../oval/shared.xml | 6 +-- + .../oval/shared.xml | 6 +-- + .../oval/shared.xml | 6 +-- + .../oval/shared.xml | 6 +-- + .../oval/shared.xml | 6 +-- + .../oval/shared.xml | 6 +-- + .../oval/shared.xml | 6 +-- + .../oval/shared.xml | 6 +-- + .../oval/shared.xml | 6 +-- + .../oval/shared.xml | 6 +-- + .../audit_rules_for_ospp/oval/shared.xml | 10 +---- + .../oval/shared.xml | 8 +--- + .../file_groupowner_grub2_cfg/oval/shared.xml | 8 +--- + .../file_owner_efi_grub2_cfg/oval/shared.xml | 8 +--- + .../file_owner_grub2_cfg/oval/shared.xml | 8 +--- + .../oval/shared.xml | 11 +----- + .../oval/shared.xml | 8 +--- + .../grub2_admin_username/oval/shared.xml | 6 +-- + .../grub2_enable_iommu_force/oval/shared.xml | 8 +--- + .../grub2_password/oval/shared.xml | 6 +-- + .../grub2_uefi_admin_username/oval/shared.xml | 6 +-- + .../grub2_uefi_password/oval/shared.xml | 6 +-- + .../zipl_bls_entries_only/oval/shared.xml | 6 +-- + .../oval/shared.xml | 6 +-- + .../oval/shared.xml | 8 +--- + .../oval/shared.xml | 8 +--- + .../rsyslog_cron_logging/oval/shared.xml | 12 +----- + .../oval/shared.xml | 13 +------ + .../rsyslog_files_ownership/oval/shared.xml | 13 +------ + .../rsyslog_files_permissions/oval/shared.xml | 13 +------ + .../oval/shared.xml | 10 +---- + .../rsyslog_nolisten/oval/shared.xml | 12 +----- + .../rsyslog_remote_loghost/oval/shared.xml | 14 +------ + .../rsyslog_remote_tls/oval/shared.xml | 10 +---- + .../rsyslog_remote_tls_cacert/oval/shared.xml | 10 +---- + .../configure_firewalld_ports/oval/shared.xml | 14 +------ + .../oval/shared.xml | 13 +------ + .../oval/shared.xml | 12 +----- + .../oval/shared.xml | 9 +---- + .../oval/shared.xml | 11 +----- + .../oval/shared.xml | 9 +---- + .../oval/shared.xml | 8 +--- + .../network_ipv6_disable_rpc/oval/shared.xml | 9 +---- + .../oval/shared.xml | 6 +-- + .../oval/shared.xml | 14 +------ + .../oval/shared.xml | 11 +----- + .../network_disable_zeroconf/oval/shared.xml | 10 +---- + .../network_nmcli_permissions/oval/shared.xml | 6 +-- + .../network_sniffer_disabled/oval/shared.xml | 11 +----- + .../oval/shared.xml | 10 +---- + .../oval/shared.xml | 12 +----- + .../oval/shared.xml | 10 +---- + .../oval/shared.xml | 11 +----- + .../oval/shared.xml | 11 +----- + .../oval/shared.xml | 12 +----- + .../oval/shared.xml | 12 +----- + .../no_files_unowned_by_user/oval/shared.xml | 11 +----- + .../oval/shared.xml | 13 +------ + .../oval/shared.xml | 13 +------ + .../oval/shared.xml | 13 +------ + .../oval/shared.xml | 13 +------ + .../oval/shared.xml | 10 +---- + .../mount_option_var_tmp_bind/oval/shared.xml | 10 +---- + .../disable_users_coredumps/oval/shared.xml | 6 +-- + .../umask_for_daemons/oval/shared.xml | 8 +--- + .../sysctl_kernel_exec_shield/oval/shared.xml | 10 +---- + .../oval/shared.xml | 12 +----- + .../grub2_enable_selinux/oval/shared.xml | 8 +--- + .../oval/shared.xml | 6 +-- + .../oval/shared.xml | 6 +-- + .../selinux_policytype/oval/shared.xml | 6 +-- + .../selinux/selinux_state/oval/shared.xml | 6 +-- + .../gnome/dconf_db_up_to_date/oval/shared.xml | 11 +----- + .../enable_dconf_user_profile/oval/shared.xml | 11 +----- + .../oval/shared.xml | 11 +----- + .../oval/shared.xml | 11 +----- + .../oval/shared.xml | 11 +----- + .../dconf_gnome_login_retries/oval/shared.xml | 11 +----- + .../oval/shared.xml | 14 +------ + .../oval/shared.xml | 14 +------ + .../oval/shared.xml | 12 +----- + .../oval/shared.xml | 12 +----- + .../oval/shared.xml | 10 +---- + .../oval/shared.xml | 10 +---- + .../oval/shared.xml | 11 +----- + .../oval/shared.xml | 11 +----- + .../oval/shared.xml | 11 +----- + .../oval/shared.xml | 11 +----- + .../oval/shared.xml | 11 +----- + .../oval/shared.xml | 13 +------ + .../oval/shared.xml | 11 +----- + .../oval/shared.xml | 11 +----- + .../oval/shared.xml | 11 +----- + .../oval/shared.xml | 11 +----- + .../oval/shared.xml | 11 +----- + .../oval/shared.xml | 11 +----- + .../oval/shared.xml | 6 +-- + .../oval/shared.xml | 10 +---- + .../oval/shared.xml | 10 +---- + .../oval/shared.xml | 11 +----- + .../oval/shared.xml | 8 +--- + .../oval/shared.xml | 8 +--- + .../oval/shared.xml | 6 +-- + .../configure_crypto_policy/oval/shared.xml | 6 +-- + .../oval/shared.xml | 6 +-- + .../oval/shared.xml | 6 +-- + .../oval/shared.xml | 6 +-- + .../oval/shared.xml | 6 +-- + .../oval/shared.xml | 6 +-- + .../oval/shared.xml | 6 +-- + .../ssh_client_rekey_limit/oval/shared.xml | 6 +-- + .../integrity/disable_prelink/oval/shared.xml | 8 +--- + .../install_antivirus/oval/shared.xml | 8 +--- + .../install_hids/oval/shared.xml | 10 +---- + .../install_mcafee_antivirus/oval/shared.xml | 8 +--- + .../install_mcafee_cma_rt/oval/shared.xml | 8 +--- + .../oval/shared.xml | 8 +--- + .../install_mcafee_hbss_accm/oval/shared.xml | 8 +--- + .../install_mcafee_hbss_hips/oval/shared.xml | 10 +---- + .../install_mcafee_hbss_pa/oval/shared.xml | 8 +--- + .../enable_dracut_fips_module/oval/shared.xml | 6 +-- + .../fips/enable_fips_mode/oval/shared.xml | 6 +-- + .../etc_system_fips_exists/oval/shared.xml | 6 +-- + .../grub2_enable_fips_mode/oval/shared.xml | 6 +-- + .../oval/shared.xml | 6 +-- + .../oval/shared.xml | 6 +-- + .../oval/shared.xml | 6 +-- + .../aide/aide_build_database/oval/shared.xml | 11 +----- + .../oval/shared.xml | 14 +------ + .../aide_scan_notification/oval/shared.xml | 13 +------ + .../aide/aide_use_fips_hashes/oval/shared.xml | 12 +----- + .../aide/aide_verify_acls/oval/shared.xml | 10 +---- + .../oval/shared.xml | 10 +---- + .../rpm_verify_hashes/oval/shared.xml | 12 +----- + .../rpm_verify_ownership/oval/shared.xml | 13 +------ + .../rpm_verify_permissions/oval/shared.xml | 14 +------ + .../oval/shared.xml | 10 +---- + .../oval/shared.xml | 10 +---- + .../oval/shared.xml | 14 +------ + .../sudo/sudo_remove_nopasswd/oval/shared.xml | 14 +------ + .../oval/shared.xml | 13 +------ + .../sudo/sudo_vdsm_nopasswd/oval/shared.xml | 10 +---- + .../oval/shared.xml | 13 +------ + .../oval/shared.xml | 8 +--- + .../oval/shared.xml | 10 +---- + .../oval/shared.xml | 15 +------- + .../oval/shared.xml | 11 +----- + .../oval/shared.xml | 12 +----- + .../oval/shared.xml | 8 +--- + .../oval/shared.xml | 9 +---- + .../templates/template_OVAL_accounts_password | 6 +-- + ...template_OVAL_audit_rules_dac_modification | 6 +-- + ...late_OVAL_audit_rules_file_deletion_events | 6 +-- + .../template_OVAL_audit_rules_login_events | 6 +-- + .../template_OVAL_audit_rules_path_syscall | 6 +-- + ...plate_OVAL_audit_rules_privileged_commands | 6 +-- + ...audit_rules_unsuccessful_file_modification | 6 +-- + ...les_unsuccessful_file_modification_o_creat | 6 +-- + ...successful_file_modification_o_trunc_write | 6 +-- + ..._unsuccessful_file_modification_rule_order | 7 +--- + ...te_OVAL_audit_rules_usergroup_modification | 6 +-- + .../template_OVAL_bls_entries_option | 6 +-- + .../templates/template_OVAL_file_groupowner | 6 +-- + shared/templates/template_OVAL_file_owner | 6 +-- + .../templates/template_OVAL_file_permissions | 8 +--- + .../template_OVAL_grub2_bootloader_argument | 6 +-- + .../template_OVAL_kernel_module_disabled | 6 +-- + shared/templates/template_OVAL_mount | 8 +--- + shared/templates/template_OVAL_mount_option | 6 +-- + ...plate_OVAL_mount_option_remote_filesystems | 6 +-- + ...ate_OVAL_mount_option_removable_partitions | 6 +-- + .../templates/template_OVAL_package_installed | 8 +--- + .../templates/template_OVAL_package_removed | 8 +--- + shared/templates/template_OVAL_permissions | 6 +-- + shared/templates/template_OVAL_sebool | 6 +-- + .../templates/template_OVAL_service_disabled | 32 ++-------------- + .../templates/template_OVAL_service_enabled | 16 +------- + shared/templates/template_OVAL_sysctl | 38 ++----------------- + shared/templates/template_OVAL_timer_enabled | 14 +------ + shared/templates/template_OVAL_yamlfile_value | 9 +---- + .../template_OVAL_zipl_bls_entries_option | 6 +-- + 332 files changed, 419 insertions(+), 2659 deletions(-) + +diff --git a/linux_os/guide/services/apt/apt_conf_disallow_unauthenticated/oval/shared.xml b/linux_os/guide/services/apt/apt_conf_disallow_unauthenticated/oval/shared.xml +index 75cebc26f6..f106cf36e7 100644 +--- a/linux_os/guide/services/apt/apt_conf_disallow_unauthenticated/oval/shared.xml ++++ b/linux_os/guide/services/apt/apt_conf_disallow_unauthenticated/oval/shared.xml +@@ -1,14 +1,7 @@ + + +- +- Check that no unauthenticated repository is authorized by configuration +- +- multi_platform_debian +- multi_platform_ubuntu +- +- Accessing a repository should be +- allowed only when the repository is authenticated. +- ++ {{{ oval_metadata("Accessing a repository should be ++ allowed only when the repository is authenticated.") }}} + + + +- +- Only official, up-to-date distribution repositories should be used +- +- multi_platform_debian +- +- Official distribution repositories contain up-to-date distribution security and functional patches. +- ++ {{{ oval_metadata("Official distribution repositories contain up-to-date distribution security and functional patches.") }}} + + + +diff --git a/linux_os/guide/services/dhcp/disabling_dhcp_client/sysconfig_networking_bootproto_ifcfg/oval/shared.xml b/linux_os/guide/services/dhcp/disabling_dhcp_client/sysconfig_networking_bootproto_ifcfg/oval/shared.xml +index 0f0b0dafb0..0aa1c552b6 100644 +--- a/linux_os/guide/services/dhcp/disabling_dhcp_client/sysconfig_networking_bootproto_ifcfg/oval/shared.xml ++++ b/linux_os/guide/services/dhcp/disabling_dhcp_client/sysconfig_networking_bootproto_ifcfg/oval/shared.xml +@@ -1,14 +1,8 @@ + + +- +- Disable DHCP Client +- +- multi_platform_rhel +- +- DHCP configuration should be static for all +- interfaces. +- ++ {{{ oval_metadata("DHCP configuration should be static for all ++ interfaces.") }}} + + + +diff --git a/linux_os/guide/services/ftp/ftp_configure_vsftpd/ftp_log_transactions/oval/shared.xml b/linux_os/guide/services/ftp/ftp_configure_vsftpd/ftp_log_transactions/oval/shared.xml +index 2d0e17526c..f4e6dcf41c 100644 +--- a/linux_os/guide/services/ftp/ftp_configure_vsftpd/ftp_log_transactions/oval/shared.xml ++++ b/linux_os/guide/services/ftp/ftp_configure_vsftpd/ftp_log_transactions/oval/shared.xml +@@ -1,16 +1,9 @@ + + +- +- Banner for FTP Users +- +- multi_platform_fedora +- multi_platform_rhel +- +- To trace malicious activity facilitated by the FTP ++ {{{ oval_metadata("To trace malicious activity facilitated by the FTP + service, it must be configured to ensure that all commands sent to + the FTP server are logged using the verbose vsftpd log format. +- +- ++ ") }}} + + + +diff --git a/linux_os/guide/services/ftp/ftp_configure_vsftpd/ftp_present_banner/oval/shared.xml b/linux_os/guide/services/ftp/ftp_configure_vsftpd/ftp_present_banner/oval/shared.xml +index bf03738752..8fff18e6c8 100644 +--- a/linux_os/guide/services/ftp/ftp_configure_vsftpd/ftp_present_banner/oval/shared.xml ++++ b/linux_os/guide/services/ftp/ftp_configure_vsftpd/ftp_present_banner/oval/shared.xml +@@ -1,15 +1,7 @@ + + +- +- Banner for FTP Users +- +- multi_platform_fedora +- multi_platform_rhel +- multi_platform_sle +- +- This setting will cause the system greeting banner to be +- used for FTP connections as well. +- ++ {{{ oval_metadata("This setting will cause the system greeting banner to be ++ used for FTP connections as well.") }}} + + + +diff --git a/linux_os/guide/services/http/securing_httpd/httpd_configure_os_protect_web_server/httpd_restrict_file_dir_access/dir_perms_etc_httpd_conf/oval/shared.xml b/linux_os/guide/services/http/securing_httpd/httpd_configure_os_protect_web_server/httpd_restrict_file_dir_access/dir_perms_etc_httpd_conf/oval/shared.xml +index 81b4f1e8fe..a9c6dd196e 100644 +--- a/linux_os/guide/services/http/securing_httpd/httpd_configure_os_protect_web_server/httpd_restrict_file_dir_access/dir_perms_etc_httpd_conf/oval/shared.xml ++++ b/linux_os/guide/services/http/securing_httpd/httpd_configure_os_protect_web_server/httpd_restrict_file_dir_access/dir_perms_etc_httpd_conf/oval/shared.xml +@@ -1,12 +1,6 @@ + + +- +- Directory /etc/httpd/conf/ Permissions +- +- multi_platform_rhel +- +- Directory permissions for /etc/httpd/conf/ should be set to 0750 (or stronger). +- ++ {{{ oval_metadata("Directory permissions for /etc/httpd/conf/ should be set to 0750 (or stronger).") }}} + + +diff --git a/linux_os/guide/services/http/securing_httpd/httpd_configure_os_protect_web_server/httpd_restrict_file_dir_access/dir_perms_var_log_httpd/oval/shared.xml b/linux_os/guide/services/http/securing_httpd/httpd_configure_os_protect_web_server/httpd_restrict_file_dir_access/dir_perms_var_log_httpd/oval/shared.xml +index db638c6ba4..898aabfe88 100644 +--- a/linux_os/guide/services/http/securing_httpd/httpd_configure_os_protect_web_server/httpd_restrict_file_dir_access/dir_perms_var_log_httpd/oval/shared.xml ++++ b/linux_os/guide/services/http/securing_httpd/httpd_configure_os_protect_web_server/httpd_restrict_file_dir_access/dir_perms_var_log_httpd/oval/shared.xml +@@ -1,12 +1,6 @@ + + +- +- Directory /var/log/httpd/ Permissions +- +- multi_platform_rhel +- +- Directory permissions for /var/log/httpd should be set to 0700 (or stronger). +- ++ {{{ oval_metadata("Directory permissions for /var/log/httpd should be set to 0700 (or stronger).") }}} + + +diff --git a/linux_os/guide/services/http/securing_httpd/httpd_configure_os_protect_web_server/httpd_restrict_file_dir_access/file_permissions_httpd_server_conf_d_files/oval/shared.xml b/linux_os/guide/services/http/securing_httpd/httpd_configure_os_protect_web_server/httpd_restrict_file_dir_access/file_permissions_httpd_server_conf_d_files/oval/shared.xml +index f6fa344b55..96c028daf0 100644 +--- a/linux_os/guide/services/http/securing_httpd/httpd_configure_os_protect_web_server/httpd_restrict_file_dir_access/file_permissions_httpd_server_conf_d_files/oval/shared.xml ++++ b/linux_os/guide/services/http/securing_httpd/httpd_configure_os_protect_web_server/httpd_restrict_file_dir_access/file_permissions_httpd_server_conf_d_files/oval/shared.xml +@@ -1,13 +1,7 @@ + + +- +- Verify Permissions On Apache Web Server Configuration Files +- +- multi_platform_rhel +- +- The /etc/httpd/conf.d/* files should have the appropriate permissions (0640 or stronger). +- ++ {{{ oval_metadata("The /etc/httpd/conf.d/* files should have the appropriate permissions (0640 or stronger).") }}} + + +diff --git a/linux_os/guide/services/http/securing_httpd/httpd_configure_os_protect_web_server/httpd_restrict_file_dir_access/file_permissions_httpd_server_conf_files/oval/shared.xml b/linux_os/guide/services/http/securing_httpd/httpd_configure_os_protect_web_server/httpd_restrict_file_dir_access/file_permissions_httpd_server_conf_files/oval/shared.xml +index a549c187f1..577ae42def 100644 +--- a/linux_os/guide/services/http/securing_httpd/httpd_configure_os_protect_web_server/httpd_restrict_file_dir_access/file_permissions_httpd_server_conf_files/oval/shared.xml ++++ b/linux_os/guide/services/http/securing_httpd/httpd_configure_os_protect_web_server/httpd_restrict_file_dir_access/file_permissions_httpd_server_conf_files/oval/shared.xml +@@ -1,13 +1,7 @@ + + +- +- Verify Permissions On Apache Web Server Configuration Files +- +- multi_platform_rhel +- +- The /etc/httpd/conf/* files should have the appropriate permissions (0640 or stronger). +- ++ {{{ oval_metadata("The /etc/httpd/conf/* files should have the appropriate permissions (0640 or stronger).") }}} + + +diff --git a/linux_os/guide/services/http/securing_httpd/httpd_configure_os_protect_web_server/httpd_restrict_file_dir_access/file_permissions_httpd_server_modules_files/oval/shared.xml b/linux_os/guide/services/http/securing_httpd/httpd_configure_os_protect_web_server/httpd_restrict_file_dir_access/file_permissions_httpd_server_modules_files/oval/shared.xml +index c72889b14b..a2854f3bea 100644 +--- a/linux_os/guide/services/http/securing_httpd/httpd_configure_os_protect_web_server/httpd_restrict_file_dir_access/file_permissions_httpd_server_modules_files/oval/shared.xml ++++ b/linux_os/guide/services/http/securing_httpd/httpd_configure_os_protect_web_server/httpd_restrict_file_dir_access/file_permissions_httpd_server_modules_files/oval/shared.xml +@@ -1,13 +1,7 @@ + + +- +- Verify Permissions On Apache Web Server Configuration Files +- +- multi_platform_rhel +- +- The /etc/httpd/conf.modules.d/* files should have the appropriate permissions (0640 or stronger). +- ++ {{{ oval_metadata("The /etc/httpd/conf.modules.d/* files should have the appropriate permissions (0640 or stronger).") }}} + + +diff --git a/linux_os/guide/services/imap/configure_dovecot/dovecot_enabling_ssl/dovecot_disable_plaintext_auth/oval/shared.xml b/linux_os/guide/services/imap/configure_dovecot/dovecot_enabling_ssl/dovecot_disable_plaintext_auth/oval/shared.xml +index 2bae115d3e..030b4de700 100644 +--- a/linux_os/guide/services/imap/configure_dovecot/dovecot_enabling_ssl/dovecot_disable_plaintext_auth/oval/shared.xml ++++ b/linux_os/guide/services/imap/configure_dovecot/dovecot_enabling_ssl/dovecot_disable_plaintext_auth/oval/shared.xml +@@ -1,13 +1,7 @@ + + +- +- Disable Plaintext Authentication in Dovecot +- +- multi_platform_rhel +- +- Plaintext authentication of mail clients should be disabled. +- ++ {{{ oval_metadata("Plaintext authentication of mail clients should be disabled.") }}} + + + +diff --git a/linux_os/guide/services/imap/configure_dovecot/dovecot_enabling_ssl/dovecot_enable_ssl/oval/shared.xml b/linux_os/guide/services/imap/configure_dovecot/dovecot_enabling_ssl/dovecot_enable_ssl/oval/shared.xml +index 7d8e89758c..b4af606d62 100644 +--- a/linux_os/guide/services/imap/configure_dovecot/dovecot_enabling_ssl/dovecot_enable_ssl/oval/shared.xml ++++ b/linux_os/guide/services/imap/configure_dovecot/dovecot_enabling_ssl/dovecot_enable_ssl/oval/shared.xml +@@ -1,12 +1,6 @@ + + +- +- Enable SSL in Dovecot +- +- multi_platform_rhel +- +- SSL capabilities should be enabled for the mail server. +- ++ {{{ oval_metadata("SSL capabilities should be enabled for the mail server.") }}} + + + +diff --git a/linux_os/guide/services/kerberos/kerberos_disable_no_keytab/oval/shared.xml b/linux_os/guide/services/kerberos/kerberos_disable_no_keytab/oval/shared.xml +index f0634c2cf2..eeef72b1f4 100644 +--- a/linux_os/guide/services/kerberos/kerberos_disable_no_keytab/oval/shared.xml ++++ b/linux_os/guide/services/kerberos/kerberos_disable_no_keytab/oval/shared.xml +@@ -1,15 +1,6 @@ + + +- +- Restrict Kerberos operation by removing keytab files +- +- Oracle Linux 8 +- Red Hat Enterprise Linux 8 +- Red Hat Virtualization 4 +- multi_platform_fedora +- +- Check that there is no Kerberos keytab file present in /etc +- ++ {{{ oval_metadata("Check that there is no Kerberos keytab file present in /etc") }}} + + +diff --git a/linux_os/guide/services/ldap/openldap_client/enable_ldap_client/oval/shared.xml b/linux_os/guide/services/ldap/openldap_client/enable_ldap_client/oval/shared.xml +index bb78b92d1a..50cae9f066 100644 +--- a/linux_os/guide/services/ldap/openldap_client/enable_ldap_client/oval/shared.xml ++++ b/linux_os/guide/services/ldap/openldap_client/enable_ldap_client/oval/shared.xml +@@ -1,14 +1,6 @@ + + +- +- Enable the LDAP Client For Use in Authconfig +- +- Red Hat Enterprise Linux 7 +- Red Hat Enterprise Linux 8 +- multi_platform_rhv +- +- Enable LDAP in authconfig. +- ++ {{{ oval_metadata("Enable LDAP in authconfig.") }}} + + +diff --git a/linux_os/guide/services/ldap/openldap_client/ldap_client_start_tls/oval/shared.xml b/linux_os/guide/services/ldap/openldap_client/ldap_client_start_tls/oval/shared.xml +index ea8f6087bb..169c3e6b48 100644 +--- a/linux_os/guide/services/ldap/openldap_client/ldap_client_start_tls/oval/shared.xml ++++ b/linux_os/guide/services/ldap/openldap_client/ldap_client_start_tls/oval/shared.xml +@@ -1,13 +1,6 @@ + + +- +- Configure LDAP to Use TLS for All Transactions +- +- Red Hat Virtualization 4 +- multi_platform_rhel +- +- Require the use of TLS for ldap clients. +- ++ {{{ oval_metadata("Require the use of TLS for ldap clients.") }}} + {{%- if product == "rhel6" -%}} + + + +- +- Configure LDAP CA Certificate Path +- +- multi_platform_rhel +- +- Require the use of TLS for ldap clients. +- ++ {{{ oval_metadata("Require the use of TLS for ldap clients.") }}} + {{%- if product == "rhel6" -%}} + + + +- +- Ensure root has a mail alias +- +- Red Hat Virtualization 4 +- multi_platform_sle +- +- Check if root has the correct mail alias. +- ++ {{{ oval_metadata("Check if root has the correct mail alias.") }}} + + + +diff --git a/linux_os/guide/services/mail/postfix_client/postfix_network_listening_disabled/oval/shared.xml b/linux_os/guide/services/mail/postfix_client/postfix_network_listening_disabled/oval/shared.xml +index d61285a21b..d9d5a58e29 100644 +--- a/linux_os/guide/services/mail/postfix_client/postfix_network_listening_disabled/oval/shared.xml ++++ b/linux_os/guide/services/mail/postfix_client/postfix_network_listening_disabled/oval/shared.xml +@@ -1,13 +1,6 @@ + + +- +- Postfix network listening should be disabled +- +- multi_platform_rhel +- multi_platform_fedora +- +- Postfix network listening should be disabled +- ++ {{{ oval_metadata("Postfix network listening should be disabled") }}} + + + +diff --git a/linux_os/guide/services/mail/postfix_harden_os/postfix_server_cfg/postfix_server_banner/oval/shared.xml b/linux_os/guide/services/mail/postfix_harden_os/postfix_server_cfg/postfix_server_banner/oval/shared.xml +index a2ffff2e7f..57fd0b4918 100644 +--- a/linux_os/guide/services/mail/postfix_harden_os/postfix_server_cfg/postfix_server_banner/oval/shared.xml ++++ b/linux_os/guide/services/mail/postfix_harden_os/postfix_server_cfg/postfix_server_banner/oval/shared.xml +@@ -1,12 +1,6 @@ + + +- +- Configure Postfix Against Unnecessary Release of Information +- +- multi_platform_rhel +- +- Protect against unnecessary release of information. +- ++ {{{ oval_metadata("Protect against unnecessary release of information.") }}} + + + +diff --git a/linux_os/guide/services/nfs_and_rpc/nfs_configuring_servers/no_insecure_locks_exports/oval/shared.xml b/linux_os/guide/services/nfs_and_rpc/nfs_configuring_servers/no_insecure_locks_exports/oval/shared.xml +index d50d5d2529..f5d5946983 100644 +--- a/linux_os/guide/services/nfs_and_rpc/nfs_configuring_servers/no_insecure_locks_exports/oval/shared.xml ++++ b/linux_os/guide/services/nfs_and_rpc/nfs_configuring_servers/no_insecure_locks_exports/oval/shared.xml +@@ -1,13 +1,7 @@ + + +- +- Ensure insecure_locks is disabled +- +- multi_platform_all +- +- Allowing insecure file locking could allow for sensitive +- data to be viewed or edited by an unauthorized user. +- ++ {{{ oval_metadata("Allowing insecure file locking could allow for sensitive ++ data to be viewed or edited by an unauthorized user.") }}} + + +diff --git a/linux_os/guide/services/nfs_and_rpc/nfs_configuring_servers/use_kerberos_security_all_exports/oval/shared.xml b/linux_os/guide/services/nfs_and_rpc/nfs_configuring_servers/use_kerberos_security_all_exports/oval/shared.xml +index 5a83a5d778..21e1ea9db7 100644 +--- a/linux_os/guide/services/nfs_and_rpc/nfs_configuring_servers/use_kerberos_security_all_exports/oval/shared.xml ++++ b/linux_os/guide/services/nfs_and_rpc/nfs_configuring_servers/use_kerberos_security_all_exports/oval/shared.xml +@@ -1,16 +1,7 @@ + + +- +- Use Kerberos Security on All Exports +- +- Red Hat Enterprise Linux 7 +- Red Hat Enterprise Linux 8 +- Red Hat Virtualization 4 +- multi_platform_ol +- +- Using Kerberos Security allows to cryptography authenticate a +- valid user to an NFS share. +- ++ {{{ oval_metadata("Using Kerberos Security allows to cryptography authenticate a ++ valid user to an NFS share.") }}} + + +diff --git a/linux_os/guide/services/ntp/chronyd_client_only/oval/shared.xml b/linux_os/guide/services/ntp/chronyd_client_only/oval/shared.xml +index 809472f2a9..edac2e92d8 100644 +--- a/linux_os/guide/services/ntp/chronyd_client_only/oval/shared.xml ++++ b/linux_os/guide/services/ntp/chronyd_client_only/oval/shared.xml +@@ -1,11 +1,7 @@ + + +- +- Disable chrony daemon from acting as server +- {{{- oval_affected(products) }}} +- Configure the port setting in /etc/chrony.conf to disable +- server operation. +- ++ {{{ oval_metadata("Configure the port setting in /etc/chrony.conf to disable ++ server operation.") }}} + + + +diff --git a/linux_os/guide/services/ntp/chronyd_no_chronyc_network/oval/shared.xml b/linux_os/guide/services/ntp/chronyd_no_chronyc_network/oval/shared.xml +index dcf8d0e952..f5101c4734 100644 +--- a/linux_os/guide/services/ntp/chronyd_no_chronyc_network/oval/shared.xml ++++ b/linux_os/guide/services/ntp/chronyd_no_chronyc_network/oval/shared.xml +@@ -1,11 +1,7 @@ + + +- +- Disable network management of chrony daemon +- {{{- oval_affected(products) }}} +- Configure the cmdport setting in /etc/chrony.conf to disable +- chronyc management connections over network. +- ++ {{{ oval_metadata("Configure the cmdport setting in /etc/chrony.conf to disable ++ chronyc management connections over network.") }}} + + + +diff --git a/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/oval/shared.xml b/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/oval/shared.xml +index 303624a538..aa292392ac 100644 +--- a/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/oval/shared.xml ++++ b/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/oval/shared.xml +@@ -1,11 +1,7 @@ + + +- +- Configure Time Service Maxpoll Interval +- {{{- oval_affected(products) }}} +- Configure the maxpoll setting in /etc/ntp.conf or chrony.conf +- to continuously poll the time source servers. +- ++ {{{ oval_metadata("Configure the maxpoll setting in /etc/ntp.conf or chrony.conf ++ to continuously poll the time source servers.") }}} + + + +diff --git a/linux_os/guide/services/ntp/chronyd_or_ntpd_specify_multiple_servers/oval/shared.xml b/linux_os/guide/services/ntp/chronyd_or_ntpd_specify_multiple_servers/oval/shared.xml +index 0c9d589c5e..13de3f2bd5 100644 +--- a/linux_os/guide/services/ntp/chronyd_or_ntpd_specify_multiple_servers/oval/shared.xml ++++ b/linux_os/guide/services/ntp/chronyd_or_ntpd_specify_multiple_servers/oval/shared.xml +@@ -1,10 +1,6 @@ + + +- +- Specify Multiple Remote chronyd Or ntpd NTP Servers for Time Data +- {{{- oval_affected(products) }}} +- Multiple remote chronyd or ntpd NTP Servers for time synchronization should be specified (and dependencies are met) +- ++ {{{ oval_metadata("Multiple remote chronyd or ntpd NTP Servers for time synchronization should be specified (and dependencies are met)") }}} + + + +diff --git a/linux_os/guide/services/ntp/chronyd_or_ntpd_specify_remote_server/oval/shared.xml b/linux_os/guide/services/ntp/chronyd_or_ntpd_specify_remote_server/oval/shared.xml +index 8eb5bb8c11..d8aebe036c 100644 +--- a/linux_os/guide/services/ntp/chronyd_or_ntpd_specify_remote_server/oval/shared.xml ++++ b/linux_os/guide/services/ntp/chronyd_or_ntpd_specify_remote_server/oval/shared.xml +@@ -1,10 +1,6 @@ + + +- +- Specify Remote NTP chronyd Or ntpd Server for Time Data +- {{{- oval_affected(products) }}} +- A remote chronyd or ntpd NTP Server for time synchronization should be specified (and dependencies are met) +- ++ {{{ oval_metadata("A remote chronyd or ntpd NTP Server for time synchronization should be specified (and dependencies are met)") }}} + + + +diff --git a/linux_os/guide/services/ntp/chronyd_specify_remote_server/oval/shared.xml b/linux_os/guide/services/ntp/chronyd_specify_remote_server/oval/shared.xml +index 31cde36bc9..b243755bd5 100644 +--- a/linux_os/guide/services/ntp/chronyd_specify_remote_server/oval/shared.xml ++++ b/linux_os/guide/services/ntp/chronyd_specify_remote_server/oval/shared.xml +@@ -1,11 +1,7 @@ + + +- +- Specify a Remote NTP Server for Time Data +- {{{- oval_affected(products) }}} +- A remote NTP Server for time synchronization should be +- specified (and dependencies are met) +- ++ {{{ oval_metadata("A remote NTP Server for time synchronization should be ++ specified (and dependencies are met)") }}} + + + +diff --git a/linux_os/guide/services/ntp/ntpd_configure_restrictions/oval/shared.xml b/linux_os/guide/services/ntp/ntpd_configure_restrictions/oval/shared.xml +index 1c8bf51a25..d381f36bf2 100644 +--- a/linux_os/guide/services/ntp/ntpd_configure_restrictions/oval/shared.xml ++++ b/linux_os/guide/services/ntp/ntpd_configure_restrictions/oval/shared.xml +@@ -1,10 +1,6 @@ + + +- +- Specify server restrictions for ntpd +- {{{- oval_affected(products) }}} +- Certain restrictions are imposed on ntp servers configured to be used by ntpd +- ++ {{{ oval_metadata("Certain restrictions are imposed on ntp servers configured to be used by ntpd") }}} + + + +diff --git a/linux_os/guide/services/ntp/ntpd_run_as_ntp_user/oval/shared.xml b/linux_os/guide/services/ntp/ntpd_run_as_ntp_user/oval/shared.xml +index 9a232f5b93..b9506264fd 100644 +--- a/linux_os/guide/services/ntp/ntpd_run_as_ntp_user/oval/shared.xml ++++ b/linux_os/guide/services/ntp/ntpd_run_as_ntp_user/oval/shared.xml +@@ -1,10 +1,6 @@ + + +- +- Configure ntpd To Run As ntp User +- {{{- oval_affected(products) }}} +- Ensure ntpd is configured to run correctly under the ntp user. +- ++ {{{ oval_metadata("Ensure ntpd is configured to run correctly under the ntp user.") }}} + + + +diff --git a/linux_os/guide/services/ntp/ntpd_specify_multiple_servers/oval/shared.xml b/linux_os/guide/services/ntp/ntpd_specify_multiple_servers/oval/shared.xml +index 57bc1b51c7..44b33d0e63 100644 +--- a/linux_os/guide/services/ntp/ntpd_specify_multiple_servers/oval/shared.xml ++++ b/linux_os/guide/services/ntp/ntpd_specify_multiple_servers/oval/shared.xml +@@ -1,10 +1,6 @@ + + +- +- Specify Multiple Remote ntpd NTP Server for Time Data +- {{{- oval_affected(products) }}} +- Multiple ntpd NTP Servers for time synchronization should be specified. +- ++ {{{ oval_metadata("Multiple ntpd NTP Servers for time synchronization should be specified.") }}} + + + +diff --git a/linux_os/guide/services/ntp/ntpd_specify_remote_server/oval/shared.xml b/linux_os/guide/services/ntp/ntpd_specify_remote_server/oval/shared.xml +index 1b2826a530..74c63f17f9 100644 +--- a/linux_os/guide/services/ntp/ntpd_specify_remote_server/oval/shared.xml ++++ b/linux_os/guide/services/ntp/ntpd_specify_remote_server/oval/shared.xml +@@ -1,11 +1,7 @@ + + +- +- Specify a Remote ntpd NTP Server for Time Data +- {{{- oval_affected(products) }}} +- A remote ntpd NTP Server for time synchronization should be +- specified (and dependencies are met) +- ++ {{{ oval_metadata("A remote ntpd NTP Server for time synchronization should be ++ specified (and dependencies are met)") }}} + + + +diff --git a/linux_os/guide/services/ntp/service_chronyd_or_ntpd_enabled/oval/shared.xml b/linux_os/guide/services/ntp/service_chronyd_or_ntpd_enabled/oval/shared.xml +index 6ee887c924..b7929a547c 100644 +--- a/linux_os/guide/services/ntp/service_chronyd_or_ntpd_enabled/oval/shared.xml ++++ b/linux_os/guide/services/ntp/service_chronyd_or_ntpd_enabled/oval/shared.xml +@@ -1,10 +1,6 @@ + + +- +- Service chronyd Or Service ntpd Enabled +- {{{- oval_affected(products) }}} +- At least one of the chronyd or ntpd services should be enabled if possible. +- ++ {{{ oval_metadata("At least one of the chronyd or ntpd services should be enabled if possible.") }}} + + + +diff --git a/linux_os/guide/services/obsolete/r_services/no_host_based_files/oval/shared.xml b/linux_os/guide/services/obsolete/r_services/no_host_based_files/oval/shared.xml +index 8628848e01..0a4ba2387f 100644 +--- a/linux_os/guide/services/obsolete/r_services/no_host_based_files/oval/shared.xml ++++ b/linux_os/guide/services/obsolete/r_services/no_host_based_files/oval/shared.xml +@@ -1,16 +1,6 @@ + + +- +- No shosts.equiv file deployed on the system +- +- Red Hat Virtualization 4 +- multi_platform_rhel +- multi_platform_sle +- multi_platform_wrlinux +- multi_platform_ol +- +- There should not be any shosts.equiv files on the system. +- ++ {{{ oval_metadata("There should not be any shosts.equiv files on the system.") }}} + + + +diff --git a/linux_os/guide/services/obsolete/r_services/no_rsh_trust_files/oval/shared.xml b/linux_os/guide/services/obsolete/r_services/no_rsh_trust_files/oval/shared.xml +index 4c6fdf78ba..eb809631ec 100644 +--- a/linux_os/guide/services/obsolete/r_services/no_rsh_trust_files/oval/shared.xml ++++ b/linux_os/guide/services/obsolete/r_services/no_rsh_trust_files/oval/shared.xml +@@ -1,14 +1,6 @@ + + +- +- No Legacy .rhosts Or hosts.equiv Files +- +- Red Hat Virtualization 4 +- multi_platform_ol +- multi_platform_rhel +- +- There should not be any .rhosts or hosts.equiv files on the system. +- ++ {{{ oval_metadata("There should not be any .rhosts or hosts.equiv files on the system.") }}} + + + +diff --git a/linux_os/guide/services/obsolete/r_services/no_user_host_based_files/oval/shared.xml b/linux_os/guide/services/obsolete/r_services/no_user_host_based_files/oval/shared.xml +index 652f898d7f..4c2bf7ea40 100644 +--- a/linux_os/guide/services/obsolete/r_services/no_user_host_based_files/oval/shared.xml ++++ b/linux_os/guide/services/obsolete/r_services/no_user_host_based_files/oval/shared.xml +@@ -1,16 +1,6 @@ + + +- +- No .shosts file deployed on the system +- +- Red Hat Virtualization 4 +- multi_platform_rhel +- multi_platform_sle +- multi_platform_wrlinux +- multi_platform_ol +- +- There should not be any .shosts files on the system. +- ++ {{{ oval_metadata("There should not be any .shosts files on the system.") }}} + + + +diff --git a/linux_os/guide/services/obsolete/tftp/tftpd_uses_secure_mode/oval/shared.xml b/linux_os/guide/services/obsolete/tftp/tftpd_uses_secure_mode/oval/shared.xml +index 2268a49467..af7e511cd9 100644 +--- a/linux_os/guide/services/obsolete/tftp/tftpd_uses_secure_mode/oval/shared.xml ++++ b/linux_os/guide/services/obsolete/tftp/tftpd_uses_secure_mode/oval/shared.xml +@@ -1,15 +1,6 @@ + + +- +- TFTP Daemon Uses Secure Mode +- +- Red Hat Virtualization 4 +- multi_platform_rhel +- multi_platform_wrlinux +- multi_platform_ol +- +- The TFTP daemon should use secure mode. +- ++ {{{ oval_metadata("The TFTP daemon should use secure mode.") }}} + + + +diff --git a/linux_os/guide/services/printing/configure_printing/cups_disable_browsing/oval/shared.xml b/linux_os/guide/services/printing/configure_printing/cups_disable_browsing/oval/shared.xml +index 0756b3ae09..de2057aa62 100644 +--- a/linux_os/guide/services/printing/configure_printing/cups_disable_browsing/oval/shared.xml ++++ b/linux_os/guide/services/printing/configure_printing/cups_disable_browsing/oval/shared.xml +@@ -1,17 +1,11 @@ + + +- +- Disable Printer Browsing Entirely if Possible +- +- multi_platform_rhel +- +- The CUPS print service can be configured to broadcast a list ++ {{{ oval_metadata("The CUPS print service can be configured to broadcast a list + of available printers to the network. Other machines on the network, also + running the CUPS print service, can be configured to listen to these + broadcasts and add and configure these printers for immediate use. By + disabling this browsing capability, the machine will no longer generate +- or receive such broadcasts. +- ++ or receive such broadcasts.") }}} + + +diff --git a/linux_os/guide/services/printing/configure_printing/cups_disable_printserver/oval/shared.xml b/linux_os/guide/services/printing/configure_printing/cups_disable_printserver/oval/shared.xml +index cd4573070b..f2ecdda6ba 100644 +--- a/linux_os/guide/services/printing/configure_printing/cups_disable_printserver/oval/shared.xml ++++ b/linux_os/guide/services/printing/configure_printing/cups_disable_printserver/oval/shared.xml +@@ -1,18 +1,12 @@ + + +- +- Disable Printer Server if Possible +- +- multi_platform_rhel +- +- By default, locally configured printers will not be shared ++ {{{ oval_metadata("By default, locally configured printers will not be shared + over the network, but if this functionality has somehow been enabled, + these recommendations will disable it again. Be sure to disable outgoing + printer list broadcasts, or remote users will still be able to see the + locally configured printers, even if they cannot actually print to them. + To limit print serving to a particular set of users, use the Policy +- directive. +- ++ directive.") }}} + + + +diff --git a/linux_os/guide/services/smb/configuring_samba/mount_option_smb_client_signing/oval/shared.xml b/linux_os/guide/services/smb/configuring_samba/mount_option_smb_client_signing/oval/shared.xml +index dd4450b67f..390997b2b6 100644 +--- a/linux_os/guide/services/smb/configuring_samba/mount_option_smb_client_signing/oval/shared.xml ++++ b/linux_os/guide/services/smb/configuring_samba/mount_option_smb_client_signing/oval/shared.xml +@@ -1,18 +1,11 @@ + + +- +- Require Client SMB Packet Signing, if using +- mount.cifs +- +- multi_platform_all +- +- Require packet signing of clients who mount ++ {{{ oval_metadata("Require packet signing of clients who mount + Samba shares using the mount.cifs program (e.g., those who + specify shares in /etc/fstab). To do so, ensure that signing + options (either sec=krb5i or sec=ntlmv2i) are +- used. +- ++ used.") }}} + + + +diff --git a/linux_os/guide/services/smb/configuring_samba/require_smb_client_signing/oval/shared.xml b/linux_os/guide/services/smb/configuring_samba/require_smb_client_signing/oval/shared.xml +index dd5864187d..f3c1446c69 100644 +--- a/linux_os/guide/services/smb/configuring_samba/require_smb_client_signing/oval/shared.xml ++++ b/linux_os/guide/services/smb/configuring_samba/require_smb_client_signing/oval/shared.xml +@@ -1,14 +1,8 @@ + + +- +- Require Client SMB Packet Signing in smb.conf +- +- multi_platform_rhel +- +- Require samba clients which use smb.conf, such as smbclient, ++ {{{ oval_metadata("Require samba clients which use smb.conf, such as smbclient, + to use packet signing. A Samba client should only communicate with +- servers who can support SMB packet signing. +- ++ servers who can support SMB packet signing.") }}} + + +diff --git a/linux_os/guide/services/snmp/snmp_configure_server/snmpd_not_default_password/oval/shared.xml b/linux_os/guide/services/snmp/snmp_configure_server/snmpd_not_default_password/oval/shared.xml +index b617c7339d..370640e313 100644 +--- a/linux_os/guide/services/snmp/snmp_configure_server/snmpd_not_default_password/oval/shared.xml ++++ b/linux_os/guide/services/snmp/snmp_configure_server/snmpd_not_default_password/oval/shared.xml +@@ -1,12 +1,6 @@ + + +- +- SNMP default communities disabled +- +- multi_platform_all +- +- SNMP default communities must be removed. +- ++ {{{ oval_metadata("SNMP default communities must be removed.") }}} + + + +diff --git a/linux_os/guide/services/snmp/snmp_configure_server/snmpd_use_newer_protocol/oval/shared.xml b/linux_os/guide/services/snmp/snmp_configure_server/snmpd_use_newer_protocol/oval/shared.xml +index 7fa6b27548..e3b6f83528 100644 +--- a/linux_os/guide/services/snmp/snmp_configure_server/snmpd_use_newer_protocol/oval/shared.xml ++++ b/linux_os/guide/services/snmp/snmp_configure_server/snmpd_use_newer_protocol/oval/shared.xml +@@ -1,12 +1,6 @@ + + +- +- SNMP use newer protocols +- +- multi_platform_all +- +- SNMP version 1 and 2c must not be enabled. +- ++ {{{ oval_metadata("SNMP version 1 and 2c must not be enabled.") }}} + + + +diff --git a/linux_os/guide/services/ssh/firewalld_sshd_disabled/oval/shared.xml b/linux_os/guide/services/ssh/firewalld_sshd_disabled/oval/shared.xml +index 7c415c9997..a66bb7ffee 100644 +--- a/linux_os/guide/services/ssh/firewalld_sshd_disabled/oval/shared.xml ++++ b/linux_os/guide/services/ssh/firewalld_sshd_disabled/oval/shared.xml +@@ -1,14 +1,7 @@ + + +- +- Disallow inbound firewall access to the SSH Server port +- +- Red Hat Enterprise Linux 7 +- Red Hat Enterprise Linux 8 +- +- If inbound SSH access is not needed, the firewall should disallow or reject access to +- the SSH port (22). +- ++ {{{ oval_metadata("If inbound SSH access is not needed, the firewall should disallow or reject access to ++ the SSH port (22).") }}} + + + +diff --git a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/oval/shared.xml b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/oval/shared.xml +index 25f1d1e449..f5d46088cf 100644 +--- a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/oval/shared.xml ++++ b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/oval/shared.xml +@@ -1,17 +1,7 @@ + + +- +- Allow inbound firewall access to the SSH Server port +- +- Red Hat Enterprise Linux 7 +- Red Hat Enterprise Linux 8 +- Red Hat Virtualization 4 +- multi_platform_ol +- multi_platform_wrlinux +- +- If inbound SSH access is needed, the firewall should allow access to +- the SSH port (22). +- ++ {{{ oval_metadata("If inbound SSH access is needed, the firewall should allow access to ++ the SSH port (22).") }}} + + + +diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_allow_only_protocol2/oval/shared.xml b/linux_os/guide/services/ssh/ssh_server/sshd_allow_only_protocol2/oval/shared.xml +index e1a4ee4448..c118581718 100644 +--- a/linux_os/guide/services/ssh/ssh_server/sshd_allow_only_protocol2/oval/shared.xml ++++ b/linux_os/guide/services/ssh/ssh_server/sshd_allow_only_protocol2/oval/shared.xml +@@ -1,10 +1,6 @@ + + +- +- Ensure Only Protocol 2 Connections Allowed +- {{{- oval_affected(products) }}} +- The OpenSSH daemon should be running protocol 2. +- ++ {{{ oval_metadata("The OpenSSH daemon should be running protocol 2.") }}} + + +diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_compression/oval/shared.xml b/linux_os/guide/services/ssh/ssh_server/sshd_disable_compression/oval/shared.xml +index f0875a91aa..e4bb15b5e4 100644 +--- a/linux_os/guide/services/ssh/ssh_server/sshd_disable_compression/oval/shared.xml ++++ b/linux_os/guide/services/ssh/ssh_server/sshd_disable_compression/oval/shared.xml +@@ -1,10 +1,6 @@ + + +- +- Disable Compression Or Set Compression to delayed +- {{{- oval_affected(products) }}} +- SSH should either have compression disabled or set to delayed. +- ++ {{{ oval_metadata("SSH should either have compression disabled or set to delayed.") }}} + + +diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_rhosts_rsa/oval/shared.xml b/linux_os/guide/services/ssh/ssh_server/sshd_disable_rhosts_rsa/oval/shared.xml +index fa028e6bdd..3dc50bdb3e 100644 +--- a/linux_os/guide/services/ssh/ssh_server/sshd_disable_rhosts_rsa/oval/shared.xml ++++ b/linux_os/guide/services/ssh/ssh_server/sshd_disable_rhosts_rsa/oval/shared.xml +@@ -1,11 +1,7 @@ + + +- +- Disable SSH Support for Rhosts RSA Authentication +- {{{- oval_affected(products) }}} +- SSH can allow authentication through the obsolete rsh command +- through the use of the authenticating user's SSH keys. This should be disabled. +- ++ {{{ oval_metadata("SSH can allow authentication through the obsolete rsh command ++ through the use of the authenticating user's SSH keys. This should be disabled.") }}} + + +diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/oval/shared.xml b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/oval/shared.xml +index 47796e5332..f49d9ab527 100644 +--- a/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/oval/shared.xml ++++ b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/oval/shared.xml +@@ -3,11 +3,7 @@ + + + +- +- {{{ rule_title }}} +- {{{- oval_affected(products) }}} +- Ensure 'RekeyLimit' is configured with the correct value in '{{{ filepath }}}' +- ++ {{{ oval_metadata("Ensure 'RekeyLimit' is configured with the correct value in '" + filepath + "'") }}} + + {{{- application_not_required_or_requirement_unset() }}} + {{{- application_required_or_requirement_unset() }}} +diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/oval/shared.xml b/linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/oval/shared.xml +index 25b28e4e7b..6ee3e2fb36 100644 +--- a/linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/oval/shared.xml ++++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/oval/shared.xml +@@ -1,13 +1,7 @@ + + +- +- Set OpenSSH Idle Timeout Interval +- +- multi_platform_all +- +- The SSH idle timeout interval should be set to an +- appropriate value. +- ++ {{{ oval_metadata("The SSH idle timeout interval should be set to an ++ appropriate value.") }}} + + +diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/oval/shared.xml b/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/oval/shared.xml +index 26e8c4f1a5..15c4fd7ee2 100644 +--- a/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/oval/shared.xml ++++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/oval/shared.xml +@@ -1,13 +1,7 @@ + + +- +- Set ClientAliveCountMax for User Logins +- +- multi_platform_all +- +- The SSH ClientAliveCountMax should be set to an appropriate +- value (and dependencies are met) +- ++ {{{ oval_metadata("The SSH ClientAliveCountMax should be set to an appropriate ++ value (and dependencies are met)") }}} + + +diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/oval/shared.xml b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/oval/shared.xml +index a8eaabd87b..3eec8552e7 100644 +--- a/linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/oval/shared.xml ++++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/oval/shared.xml +@@ -1,13 +1,7 @@ + + +- +- Set OpenSSH authentication attempt limit (MaxAuthTries) +- +- multi_platform_all +- +- The SSH MaxAuthTries should be set to an +- appropriate value. +- ++ {{{ oval_metadata("The SSH MaxAuthTries should be set to an ++ appropriate value.") }}} + + +diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/oval/shared.xml b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/oval/shared.xml +index 3b2ae7c4b4..14b7a99523 100644 +--- a/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/oval/shared.xml ++++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/oval/shared.xml +@@ -1,13 +1,7 @@ + + +- +- Set OpenSSH MaxSessions +- +- multi_platform_all +- +- The SSH number of max sessions should be set to an +- appropriate value. +- ++ {{{ oval_metadata("The SSH number of max sessions should be set to an ++ appropriate value.") }}} + + +diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/oval/shared.xml b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/oval/shared.xml +index c3a6c7d1aa..33b492fdd3 100644 +--- a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/oval/shared.xml ++++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/oval/shared.xml +@@ -1,15 +1,6 @@ + + +- +- Use Only Approved Ciphers +- +- multi_platform_wrlinux +- Red Hat Enterprise Linux 6 +- Red Hat Enterprise Linux 7 +- Oracle Linux 7 +- +- Limit the ciphers to those which are FIPS-approved. +- ++ {{{ oval_metadata("Limit the ciphers to those which are FIPS-approved.") }}} + + + + +- +- Use Only FIPS MACs +- +- multi_platform_wrlinux +- Red Hat Enterprise Linux 6 +- Red Hat Enterprise Linux 7 +- multi_platform_sle12 +- Oracle Linux 7 +- +- Limit the Message Authentication Codes (MACs) to those which are FIPS-approved. +- ++ {{{ oval_metadata("Limit the Message Authentication Codes (MACs) to those which are FIPS-approved.") }}} + + + + +- +- Rule title of sshd_use_priv_separation +- +- multi_platform_all +- +- Ensure 'UsePrivilegeSeparation' is configured with value 'sandbox' in '/etc/ssh/sshd_config' +- ++ {{{ oval_metadata("Ensure 'UsePrivilegeSeparation' is configured with value 'sandbox' in '/etc/ssh/sshd_config'") }}} + + +diff --git a/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_ca_dir/oval/shared.xml b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_ca_dir/oval/shared.xml +index 0cb88868a3..4d29beab91 100644 +--- a/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_ca_dir/oval/shared.xml ++++ b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_ca_dir/oval/shared.xml +@@ -1,14 +1,6 @@ + + +- +- Configure SSSD LDAP Backend Client CA Certificate Location +- +- multi_platform_wrlinux +- multi_platform_rhel +- multi_platform_ol +- +- Configure SSSD to implement cryptography to protect the integrity of LDAP remote access sessions. +- ++ {{{ oval_metadata("Configure SSSD to implement cryptography to protect the integrity of LDAP remote access sessions.") }}} + + + +diff --git a/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_start_tls/oval/shared.xml b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_start_tls/oval/shared.xml +index ed502062e4..abd61fc01f 100644 +--- a/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_start_tls/oval/shared.xml ++++ b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_start_tls/oval/shared.xml +@@ -1,10 +1,6 @@ + + +- +- Configure SSSD LDAP Backend to Use TLS For All Transactions +- {{{- oval_affected(products) }}} +- LDAP should be used for authentication and use STARTTLS +- ++ {{{ oval_metadata("LDAP should be used for authentication and use STARTTLS") }}} + + + +diff --git a/linux_os/guide/services/sssd/sssd_enable_pam_services/oval/shared.xml b/linux_os/guide/services/sssd/sssd_enable_pam_services/oval/shared.xml +index 7af72709f2..79e73aa1b9 100644 +--- a/linux_os/guide/services/sssd/sssd_enable_pam_services/oval/shared.xml ++++ b/linux_os/guide/services/sssd/sssd_enable_pam_services/oval/shared.xml +@@ -1,11 +1,7 @@ + + +- +- Configure PAM in SSSD Services +- {{{- oval_affected(products) }}} +- SSSD should be configured to run SSSD PAM services. +- +- ++ {{{ oval_metadata("SSSD should be configured to run SSSD PAM services. ++ ") }}} + + +diff --git a/linux_os/guide/services/sssd/sssd_enable_smartcards/oval/shared.xml b/linux_os/guide/services/sssd/sssd_enable_smartcards/oval/shared.xml +index ed56989551..0484c805b9 100644 +--- a/linux_os/guide/services/sssd/sssd_enable_smartcards/oval/shared.xml ++++ b/linux_os/guide/services/sssd/sssd_enable_smartcards/oval/shared.xml +@@ -1,17 +1,7 @@ + + +- +- Enable Smartcards in SSSD +- +- Red Hat Enterprise Linux 7 +- Red Hat Enterprise Linux 8 +- multi_platform_fedora +- multi_platform_rhv +- multi_platform_ol +- +- SSSD should be configured to authenticate access to the system +- using smart cards. +- ++ {{{ oval_metadata("SSSD should be configured to authenticate access to the system ++ using smart cards.") }}} + + + +diff --git a/linux_os/guide/services/sssd/sssd_memcache_timeout/oval/shared.xml b/linux_os/guide/services/sssd/sssd_memcache_timeout/oval/shared.xml +index 16fa2e6121..30b13f2f14 100644 +--- a/linux_os/guide/services/sssd/sssd_memcache_timeout/oval/shared.xml ++++ b/linux_os/guide/services/sssd/sssd_memcache_timeout/oval/shared.xml +@@ -1,15 +1,6 @@ + + +- +- Configure SSSD's Memory Cache to Expire +- +- Red Hat Virtualization 4 +- multi_platform_fedora +- multi_platform_ol +- multi_platform_rhel +- +- SSSD's memory cache should be configured to set to expire records after 1 day. +- ++ {{{ oval_metadata("SSSD's memory cache should be configured to set to expire records after 1 day.") }}} + + + +diff --git a/linux_os/guide/services/sssd/sssd_offline_cred_expiration/oval/shared.xml b/linux_os/guide/services/sssd/sssd_offline_cred_expiration/oval/shared.xml +index 7aee37a031..e47ffff59d 100644 +--- a/linux_os/guide/services/sssd/sssd_offline_cred_expiration/oval/shared.xml ++++ b/linux_os/guide/services/sssd/sssd_offline_cred_expiration/oval/shared.xml +@@ -1,15 +1,6 @@ + + +- +- Configure SSSD to Expire Offline Credentials +- +- Red Hat Virtualization 4 +- multi_platform_fedora +- multi_platform_ol +- multi_platform_rhel +- +- SSSD should be configured to expire offline credentials after 1 day. +- ++ {{{ oval_metadata("SSSD should be configured to expire offline credentials after 1 day.") }}} + + + +diff --git a/linux_os/guide/services/sssd/sssd_run_as_sssd_user/oval/shared.xml b/linux_os/guide/services/sssd/sssd_run_as_sssd_user/oval/shared.xml +index 9b2b825c8f..2fb5937393 100644 +--- a/linux_os/guide/services/sssd/sssd_run_as_sssd_user/oval/shared.xml ++++ b/linux_os/guide/services/sssd/sssd_run_as_sssd_user/oval/shared.xml +@@ -1,10 +1,6 @@ + + +- +- Configure SSSD to run as user sssd +- {{{- oval_affected(products) }}} +- SSSD processes should be configured to run as user sssd, not root. +- ++ {{{ oval_metadata("SSSD processes should be configured to run as user sssd, not root.") }}} + + + +diff --git a/linux_os/guide/services/sssd/sssd_ssh_known_hosts_timeout/oval/shared.xml b/linux_os/guide/services/sssd/sssd_ssh_known_hosts_timeout/oval/shared.xml +index c7d6abbc18..fd24dfef0d 100644 +--- a/linux_os/guide/services/sssd/sssd_ssh_known_hosts_timeout/oval/shared.xml ++++ b/linux_os/guide/services/sssd/sssd_ssh_known_hosts_timeout/oval/shared.xml +@@ -1,14 +1,6 @@ + + +- +- Configure SSSD to Expire SSH Known Hosts +- +- Red Hat Virtualization 4 +- multi_platform_fedora +- multi_platform_rhel +- +- SSSD should be configured to expire keys from known SSH hosts after 1 day. +- ++ {{{ oval_metadata("SSSD should be configured to expire keys from known SSH hosts after 1 day.") }}} + + + +diff --git a/linux_os/guide/services/usbguard/usbguard_allow_hid/oval/shared.xml b/linux_os/guide/services/usbguard/usbguard_allow_hid/oval/shared.xml +index 53026a6cab..b805071180 100644 +--- a/linux_os/guide/services/usbguard/usbguard_allow_hid/oval/shared.xml ++++ b/linux_os/guide/services/usbguard/usbguard_allow_hid/oval/shared.xml +@@ -1,14 +1,6 @@ + + +- +- Check that USB Human Interface Devices are allowed by USBGuard rules +- +- multi_platform_fedora +- Red Hat Enterprise Linux 8 +- Oracle Linux 8 +- +- Check that /etc/usbguard/rules.conf contains at least one non white space character empty and exists. +- ++ {{{ oval_metadata("Check that /etc/usbguard/rules.conf contains at least one non white space character empty and exists.") }}} + + + +diff --git a/linux_os/guide/services/usbguard/usbguard_allow_hid_and_hub/oval/shared.xml b/linux_os/guide/services/usbguard/usbguard_allow_hid_and_hub/oval/shared.xml +index dc159491c2..a3af17c3ae 100644 +--- a/linux_os/guide/services/usbguard/usbguard_allow_hid_and_hub/oval/shared.xml ++++ b/linux_os/guide/services/usbguard/usbguard_allow_hid_and_hub/oval/shared.xml +@@ -1,10 +1,6 @@ + + +- +- Check that USB human interface devices and hubs are allowed by USBGuard rules +- {{{- oval_affected(products) }}} +- Check that /etc/usbguard/rules.conf contains at least one non whitespace character and exists. +- ++ {{{ oval_metadata("Check that /etc/usbguard/rules.conf contains at least one non whitespace character and exists.") }}} + + + +diff --git a/linux_os/guide/services/usbguard/usbguard_allow_hub/oval/shared.xml b/linux_os/guide/services/usbguard/usbguard_allow_hub/oval/shared.xml +index d251fdf1e9..fd0553a612 100644 +--- a/linux_os/guide/services/usbguard/usbguard_allow_hub/oval/shared.xml ++++ b/linux_os/guide/services/usbguard/usbguard_allow_hub/oval/shared.xml +@@ -1,14 +1,6 @@ + + +- +- Check that USB hubs are allowed by USBGuard rules +- +- multi_platform_fedora +- Red Hat Enterprise Linux 8 +- Oracle Linux 8 +- +- Check that /etc/usbguard/rules.conf contains at least one non whitespace character and exists. +- ++ {{{ oval_metadata("Check that /etc/usbguard/rules.conf contains at least one non whitespace character and exists.") }}} + + + +diff --git a/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_runlevel_setting/oval/shared.xml b/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_runlevel_setting/oval/shared.xml +index e905e0f358..7bebeba664 100644 +--- a/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_runlevel_setting/oval/shared.xml ++++ b/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_runlevel_setting/oval/shared.xml +@@ -3,18 +3,7 @@ + {{%- else -%}} + + +- +- Disable X Windows Startup By Setting Default SystemD Target +- +- multi_platform_rhel +- multi_platform_fedora +- +- {{%- if init_system == "systemd" %}} +- Checks /etc/systemd/system/default.target to ensure that the default runlevel target is set to multi-user.target. +- {{%- else %}} +- Checks /etc/inittab to ensure that default runlevel is set to 3. +- {{%- endif %}} +- ++ {{{ oval_metadata("Checks /etc/inittab to ensure that default runlevel is set to 3.") }}} + {{%- if init_system == "systemd" %}} + + +diff --git a/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_runlevel_target/oval/shared.xml b/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_runlevel_target/oval/shared.xml +index 97f51c3140..3b7ae2e0d3 100644 +--- a/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_runlevel_target/oval/shared.xml ++++ b/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_runlevel_target/oval/shared.xml +@@ -3,11 +3,7 @@ + {{%- else -%}} + + +- +- Disable X Windows Startup By Setting Default SystemD Target +- {{{- oval_affected(products) }}} +- Ensure that the default runlevel target is set to multi-user.target. +- ++ {{{ oval_metadata("Ensure that the default runlevel target is set to multi-user.target.") }}} + + + +diff --git a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/oval/shared.xml b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/oval/shared.xml +index 032c65b340..1c4bb5178e 100644 +--- a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/oval/shared.xml ++++ b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/oval/shared.xml +@@ -1,10 +1,6 @@ + +
+ +From bd3d3f90681f505ceff934e9d4c4d618bbc07474 Mon Sep 17 00:00:00 2001 +From: Vojtech Polasek +Date: Tue, 8 Sep 2020 13:26:06 +0200 +Subject: [PATCH 2/6] update oval + +--- + .../tftp/tftpd_uses_secure_mode/oval/shared.xml | 10 +++++++++- + 1 file changed, 9 insertions(+), 1 deletion(-) + +diff --git a/linux_os/guide/services/obsolete/tftp/tftpd_uses_secure_mode/oval/shared.xml b/linux_os/guide/services/obsolete/tftp/tftpd_uses_secure_mode/oval/shared.xml +index 363b499afa..9f42fcd043 100644 +--- a/linux_os/guide/services/obsolete/tftp/tftpd_uses_secure_mode/oval/shared.xml ++++ b/linux_os/guide/services/obsolete/tftp/tftpd_uses_secure_mode/oval/shared.xml +@@ -17,10 +17,18 @@ +
+ + ++ + + + /etc/xinetd.d/tftp +- ^[\s]*server_args[\s]+=.*[\s]+\-s[\s]+.+$ ++ ^[\s]*server_args[\s]+=[\s]+.*?-s[\s]+([/\.\w]+).*$ + 1 + ++ ++ ++ ++ ++ ++ + + +From 2a1e67365de4ea7b78ace2fb730b7192d9cb8a43 Mon Sep 17 00:00:00 2001 +From: Vojtech Polasek +Date: Tue, 8 Sep 2020 13:26:26 +0200 +Subject: [PATCH 3/6] update bash remediation + +--- + .../tftp/tftpd_uses_secure_mode/bash/shared.sh | 14 ++++++++++++++ + 1 file changed, 14 insertions(+) + create mode 100644 linux_os/guide/services/obsolete/tftp/tftpd_uses_secure_mode/bash/shared.sh + +diff --git a/linux_os/guide/services/obsolete/tftp/tftpd_uses_secure_mode/bash/shared.sh b/linux_os/guide/services/obsolete/tftp/tftpd_uses_secure_mode/bash/shared.sh +new file mode 100644 +index 0000000000..491d8e90d6 +--- /dev/null ++++ b/linux_os/guide/services/obsolete/tftp/tftpd_uses_secure_mode/bash/shared.sh +@@ -0,0 +1,14 @@ ++#!/bin/bash ++# platform = Oracle Linux 7,Oracle Linux 8,Red Hat Enterprise Linux 6,Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8,Red Hat Virtualization 4,WRLinux 1019 ++ ++. /usr/share/scap-security-guide/remediation_functions ++ ++{{{ bash_instantiate_variables ("tftpd_secure_directory") }}} ++ ++if grep -q 'server_args' /etc/xinetd.d/tftp; then ++ sed -i -E "s;^([[:blank:]]*server_args[[:blank:]]+=[[:blank:]]+.*?)(-s[[:blank:]]+[[:graph:]]+)*(.*)$;\1 -s $tftpd_secure_directory \3;" /etc/xinetd.d/tftp ++else ++ echo "server_args = -s $tftpd_secure_directory" >> /etc/xinetd.d/tftp ++fi ++ ++ + +From 649880f746bd80cb3e6a9ae3908ce422e03c1690 Mon Sep 17 00:00:00 2001 +From: Vojtech Polasek +Date: Tue, 8 Sep 2020 13:26:43 +0200 +Subject: [PATCH 4/6] add tests + +--- + .../tftp/tftpd_uses_secure_mode/tests/correct.pass.sh | 9 +++++++++ + .../tftpd_uses_secure_mode/tests/line_missing.fail.sh | 7 +++++++ + .../tftp/tftpd_uses_secure_mode/tests/wrong.fail.sh | 9 +++++++++ + 3 files changed, 25 insertions(+) + create mode 100644 linux_os/guide/services/obsolete/tftp/tftpd_uses_secure_mode/tests/correct.pass.sh + create mode 100644 linux_os/guide/services/obsolete/tftp/tftpd_uses_secure_mode/tests/line_missing.fail.sh + create mode 100644 linux_os/guide/services/obsolete/tftp/tftpd_uses_secure_mode/tests/wrong.fail.sh + +diff --git a/linux_os/guide/services/obsolete/tftp/tftpd_uses_secure_mode/tests/correct.pass.sh b/linux_os/guide/services/obsolete/tftp/tftpd_uses_secure_mode/tests/correct.pass.sh +new file mode 100644 +index 0000000000..392e68740f +--- /dev/null ++++ b/linux_os/guide/services/obsolete/tftp/tftpd_uses_secure_mode/tests/correct.pass.sh +@@ -0,0 +1,9 @@ ++#!/bin/bash ++ ++yum -y install tftp-server ++ ++if grep -q 'server_args' /etc/xinetd.d/tftp; then ++ sed -i 's/.*server_args.*/server_args = -s \/var\/lib\/tftpboot/' /etc/xinetd.d/tftp ++else ++ echo "server_args = -s /var/lib/tftpboot" >> /etc/xinetd.d/tftp ++fi +diff --git a/linux_os/guide/services/obsolete/tftp/tftpd_uses_secure_mode/tests/line_missing.fail.sh b/linux_os/guide/services/obsolete/tftp/tftpd_uses_secure_mode/tests/line_missing.fail.sh +new file mode 100644 +index 0000000000..a342248240 +--- /dev/null ++++ b/linux_os/guide/services/obsolete/tftp/tftpd_uses_secure_mode/tests/line_missing.fail.sh +@@ -0,0 +1,7 @@ ++#!/bin/bash ++ ++yum -y install tftp-server ++ ++if grep -q 'server_args' /etc/xinetd.d/tftp; then ++ sed -i '/.*server_args.*/d' /etc/xinetd.d/tftp ++fi +diff --git a/linux_os/guide/services/obsolete/tftp/tftpd_uses_secure_mode/tests/wrong.fail.sh b/linux_os/guide/services/obsolete/tftp/tftpd_uses_secure_mode/tests/wrong.fail.sh +new file mode 100644 +index 0000000000..d9a9b4b622 +--- /dev/null ++++ b/linux_os/guide/services/obsolete/tftp/tftpd_uses_secure_mode/tests/wrong.fail.sh +@@ -0,0 +1,9 @@ ++#!/bin/bash ++ ++yum -y install tftp-server ++ ++if grep -q 'server_args' /etc/xinetd.d/tftp; then ++ sed -i 's/.*server_args.*/server_args = --something/' /etc/xinetd.d/tftp ++else ++ echo "server_args = --something" >> /etc/xinetd.d/tftp ++fi + +From 57554f1ba9fb7464c808f00d4bd26475451243b9 Mon Sep 17 00:00:00 2001 +From: Vojtech Polasek +Date: Tue, 8 Sep 2020 13:27:03 +0200 +Subject: [PATCH 5/6] add ansible remediation + +--- + .../tftpd_uses_secure_mode/ansible/shared.yml | 31 +++++++++++++++++++ + 1 file changed, 31 insertions(+) + create mode 100644 linux_os/guide/services/obsolete/tftp/tftpd_uses_secure_mode/ansible/shared.yml + +diff --git a/linux_os/guide/services/obsolete/tftp/tftpd_uses_secure_mode/ansible/shared.yml b/linux_os/guide/services/obsolete/tftp/tftpd_uses_secure_mode/ansible/shared.yml +new file mode 100644 +index 0000000000..9f5bdea58e +--- /dev/null ++++ b/linux_os/guide/services/obsolete/tftp/tftpd_uses_secure_mode/ansible/shared.yml +@@ -0,0 +1,31 @@ ++# platform = Oracle Linux 7,Oracle Linux 8,Red Hat Enterprise Linux 6,Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8,Red Hat Virtualization 4,WRLinux 1019 ++# reboot = false ++# complexity = low ++# strategy = configure ++# disruption = low ++ ++{{{ ansible_instantiate_variables("tftpd_secure_directory") }}} ++ ++- name: "Find out if the file exists and contains the line configuring server arguments" ++ find: ++ path: "/etc/xinetd.d" ++ patterns: "tftp" ++ contains: '^[\s]+server_args.*$' ++ register: tftpd_secure_config_line ++ ++- name: "Ensure that TFTP server is configured to start with secure directory" ++ lineinfile: ++ path: "/etc/xinetd.d/tftp" ++ regexp: '^[\s]*(server_args[\s]+=[\s]+.*?)(-s[\s]+[/\.\w]+)*(.*)$' ++ line: '\1 -s {{ tftpd_secure_directory }} \3' ++ state: present ++ backrefs: true ++ when: tftpd_secure_config_line is defined and tftpd_secure_config_line.matched > 0 ++ ++- name: "Insert correct config line to start TFTP server with secure directory" ++ lineinfile: ++ path: "/etc/xinetd.d/tftp" ++ line: "server_args = -s {{ tftpd_secure_directory }}" ++ state: present ++ create: true ++ when: tftpd_secure_config_line is defined and tftpd_secure_config_line.matched == 0 + +From df97d24f0cfd1a182925d1ddf0d72a02caa943bf Mon Sep 17 00:00:00 2001 +From: Vojtech Polasek +Date: Wed, 9 Sep 2020 09:36:25 +0200 +Subject: [PATCH 6/6] rename variable + +--- + .../obsolete/tftp/tftpd_uses_secure_mode/ansible/shared.yml | 6 +++--- + .../obsolete/tftp/tftpd_uses_secure_mode/bash/shared.sh | 6 +++--- + .../obsolete/tftp/tftpd_uses_secure_mode/oval/shared.xml | 4 ++-- + .../services/obsolete/tftp/tftpd_uses_secure_mode/rule.yml | 4 ++-- + ..._secure_directory.var => var_tftpd_secure_directory.var} | 0 + 5 files changed, 10 insertions(+), 10 deletions(-) + rename linux_os/guide/services/obsolete/tftp/{tftpd_secure_directory.var => var_tftpd_secure_directory.var} (100%) + +diff --git a/linux_os/guide/services/obsolete/tftp/tftpd_uses_secure_mode/ansible/shared.yml b/linux_os/guide/services/obsolete/tftp/tftpd_uses_secure_mode/ansible/shared.yml +index 9f5bdea58e..604491357e 100644 +--- a/linux_os/guide/services/obsolete/tftp/tftpd_uses_secure_mode/ansible/shared.yml ++++ b/linux_os/guide/services/obsolete/tftp/tftpd_uses_secure_mode/ansible/shared.yml +@@ -4,7 +4,7 @@ + # strategy = configure + # disruption = low + +-{{{ ansible_instantiate_variables("tftpd_secure_directory") }}} ++{{{ ansible_instantiate_variables("var_tftpd_secure_directory") }}} + + - name: "Find out if the file exists and contains the line configuring server arguments" + find: +@@ -17,7 +17,7 @@ + lineinfile: + path: "/etc/xinetd.d/tftp" + regexp: '^[\s]*(server_args[\s]+=[\s]+.*?)(-s[\s]+[/\.\w]+)*(.*)$' +- line: '\1 -s {{ tftpd_secure_directory }} \3' ++ line: '\1 -s {{ var_tftpd_secure_directory }} \3' + state: present + backrefs: true + when: tftpd_secure_config_line is defined and tftpd_secure_config_line.matched > 0 +@@ -25,7 +25,7 @@ + - name: "Insert correct config line to start TFTP server with secure directory" + lineinfile: + path: "/etc/xinetd.d/tftp" +- line: "server_args = -s {{ tftpd_secure_directory }}" ++ line: "server_args = -s {{ var_tftpd_secure_directory }}" + state: present + create: true + when: tftpd_secure_config_line is defined and tftpd_secure_config_line.matched == 0 +diff --git a/linux_os/guide/services/obsolete/tftp/tftpd_uses_secure_mode/bash/shared.sh b/linux_os/guide/services/obsolete/tftp/tftpd_uses_secure_mode/bash/shared.sh +index 491d8e90d6..3f0881a320 100644 +--- a/linux_os/guide/services/obsolete/tftp/tftpd_uses_secure_mode/bash/shared.sh ++++ b/linux_os/guide/services/obsolete/tftp/tftpd_uses_secure_mode/bash/shared.sh +@@ -3,12 +3,12 @@ + + . /usr/share/scap-security-guide/remediation_functions + +-{{{ bash_instantiate_variables ("tftpd_secure_directory") }}} ++{{{ bash_instantiate_variables ("var_tftpd_secure_directory") }}} + + if grep -q 'server_args' /etc/xinetd.d/tftp; then +- sed -i -E "s;^([[:blank:]]*server_args[[:blank:]]+=[[:blank:]]+.*?)(-s[[:blank:]]+[[:graph:]]+)*(.*)$;\1 -s $tftpd_secure_directory \3;" /etc/xinetd.d/tftp ++ sed -i -E "s;^([[:blank:]]*server_args[[:blank:]]+=[[:blank:]]+.*?)(-s[[:blank:]]+[[:graph:]]+)*(.*)$;\1 -s $var_tftpd_secure_directory \3;" /etc/xinetd.d/tftp + else +- echo "server_args = -s $tftpd_secure_directory" >> /etc/xinetd.d/tftp ++ echo "server_args = -s $var_tftpd_secure_directory" >> /etc/xinetd.d/tftp + fi + + +diff --git a/linux_os/guide/services/obsolete/tftp/tftpd_uses_secure_mode/oval/shared.xml b/linux_os/guide/services/obsolete/tftp/tftpd_uses_secure_mode/oval/shared.xml +index 9f42fcd043..2268a49467 100644 +--- a/linux_os/guide/services/obsolete/tftp/tftpd_uses_secure_mode/oval/shared.xml ++++ b/linux_os/guide/services/obsolete/tftp/tftpd_uses_secure_mode/oval/shared.xml +@@ -27,8 +27,8 @@ + + + ++ var_ref="var_tftpd_secure_directory" /> + + +- ++ + +diff --git a/linux_os/guide/services/obsolete/tftp/tftpd_uses_secure_mode/rule.yml b/linux_os/guide/services/obsolete/tftp/tftpd_uses_secure_mode/rule.yml +index 10b8ab3a2b..002e78535e 100644 +--- a/linux_os/guide/services/obsolete/tftp/tftpd_uses_secure_mode/rule.yml ++++ b/linux_os/guide/services/obsolete/tftp/tftpd_uses_secure_mode/rule.yml +@@ -9,7 +9,7 @@ description: |- + to change its root directory at startup. To do so, ensure + /etc/xinetd.d/tftp includes -s as a command line argument, as shown in + the following example: +-
server_args = -s {{{ sub_var_value("tftpd_secure_directory") }}}
++
server_args = -s {{{ sub_var_value("var_tftpd_secure_directory") }}}
+ + rationale: |- + Using the -s option causes the TFTP service to only serve files from the +@@ -55,4 +55,4 @@ ocil: |- + The output should indicate the server_args variable is configured + with the -s flag, matching the example below: +
$ grep "server_args" /etc/xinetd.d/tftp
+-    server_args = -s {{{ sub_var_value("tftpd_secure_directory") }}}
++ server_args = -s {{{ sub_var_value("var_tftpd_secure_directory") }}} +diff --git a/linux_os/guide/services/obsolete/tftp/tftpd_secure_directory.var b/linux_os/guide/services/obsolete/tftp/var_tftpd_secure_directory.var +similarity index 100% +rename from linux_os/guide/services/obsolete/tftp/tftpd_secure_directory.var +rename to linux_os/guide/services/obsolete/tftp/var_tftpd_secure_directory.var diff --git a/SOURCES/scap-security-guide-0.1.53-value_macros-PR_6048.patch b/SOURCES/scap-security-guide-0.1.53-value_macros-PR_6048.patch new file mode 100644 index 0000000..560b25c --- /dev/null +++ b/SOURCES/scap-security-guide-0.1.53-value_macros-PR_6048.patch @@ -0,0 +1,3147 @@ +From da0a661b8a5754feecab58a577783faa918172bd Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= +Date: Fri, 4 Sep 2020 12:04:27 +0200 +Subject: [PATCH 1/3] Replace XCCDF value substitution code by a macro. + +The macro hides the actual implementation of the substitution, +it "just works", and it opens ways how to support variables +even outside of the SCAP content, where there is no scanner +to do the acutal substitution. + +Renamed the macro to xccdf_value, kept the old one for backward compatibility. +--- + .../rule.yml | 8 ++++---- + .../rule.yml | 2 +- + .../keystone/keystone_lockout_duration/rule.yml | 2 +- + .../keystone_lockout_failure_attempts/rule.yml | 2 +- + .../rule.yml | 2 +- + .../container_keystone_lockout_duration/rule.yml | 2 +- + .../rule.yml | 2 +- + .../rule.yml | 4 ++-- + .../httpd_enable_loglevel/rule.yml | 4 ++-- + .../postfix_client_configure_mail_alias/rule.yml | 2 +- + .../postfix_client_configure_relayhost/rule.yml | 4 ++-- + .../postfix_network_listening_disabled/rule.yml | 4 ++-- + .../ntp/chronyd_or_ntpd_set_maxpoll/rule.yml | 6 +++--- + .../ssh_server/sshd_disable_compression/rule.yml | 2 +- + .../ssh/ssh_server/sshd_rekey_limit/rule.yml | 4 ++-- + .../ssh_server/sshd_set_idle_timeout/rule.yml | 4 ++-- + .../ssh/ssh_server/sshd_set_keepalive/rule.yml | 4 ++-- + .../ssh_server/sshd_set_max_auth_tries/rule.yml | 4 ++-- + .../ssh_server/sshd_set_max_sessions/rule.yml | 4 ++-- + .../sshd_use_approved_ciphers/rule.yml | 2 +- + .../ssh_server/sshd_use_approved_macs/rule.yml | 2 +- + .../ssh_server/sshd_use_priv_separation/rule.yml | 4 ++-- + .../services/sssd/sssd_memcache_timeout/rule.yml | 8 ++++---- + .../sssd/sssd_ssh_known_hosts_timeout/rule.yml | 8 ++++---- + .../accounts_password_pam_unix_remember/rule.yml | 8 ++++---- + .../rule.yml | 6 +++--- + .../rule.yml | 4 ++-- + .../rule.yml | 6 +++--- + .../rule.yml | 4 ++-- + .../rule.yml | 2 +- + .../rule.yml | 6 +++--- + .../rule.yml | 4 ++-- + .../rule.yml | 4 ++-- + .../rule.yml | 2 +- + .../rule.yml | 2 +- + .../accounts_password_pam_difok/rule.yml | 2 +- + .../rule.yml | 4 ++-- + .../accounts_password_pam_maxrepeat/rule.yml | 4 ++-- + .../accounts_password_pam_minclass/rule.yml | 2 +- + .../accounts_password_pam_minlen/rule.yml | 4 ++-- + .../accounts_password_pam_ocredit/rule.yml | 2 +- + .../accounts_password_pam_retry/rule.yml | 2 +- + .../configure_opensc_card_drivers/rule.yml | 8 ++++---- + .../force_opensc_card_drivers/rule.yml | 8 ++++---- + .../account_disable_post_pw_expiration/rule.yml | 6 +++--- + .../accounts_maximum_age_login_defs/rule.yml | 4 ++-- + .../accounts_minimum_age_login_defs/rule.yml | 4 ++-- + .../accounts_password_minlen_login_defs/rule.yml | 4 ++-- + .../rule.yml | 4 ++-- + .../accounts_logon_fail_delay/rule.yml | 4 ++-- + .../rule.yml | 4 ++-- + .../accounts-session/accounts_tmout/rule.yml | 4 ++-- + .../accounts_umask_etc_bashrc/rule.yml | 6 +++--- + .../accounts_umask_etc_csh_cshrc/rule.yml | 4 ++-- + .../accounts_umask_etc_login_defs/rule.yml | 4 ++-- + .../accounts_umask_etc_profile/rule.yml | 4 ++-- + .../rule.yml | 4 ++-- + .../rule.yml | 4 ++-- + .../auditd_data_retention_flush/rule.yml | 2 +- + .../auditd_data_retention_max_log_file/rule.yml | 2 +- + .../auditd_data_retention_num_logs/rule.yml | 2 +- + .../rsyslog_files_groupownership/rule.yml | 8 ++++---- + .../rsyslog_files_ownership/rule.yml | 8 ++++---- + .../rsyslog_remote_loghost/rule.yml | 16 ++++++++-------- + .../rule.yml | 4 ++-- + .../daemon_umask/umask_for_daemons/rule.yml | 4 ++-- + .../system/selinux/selinux_policytype/rule.yml | 6 +++--- + .../guide/system/selinux/selinux_state/rule.yml | 6 +++--- + .../dconf_gnome_screensaver_idle_delay/rule.yml | 2 +- + .../dconf_gnome_screensaver_lock_delay/rule.yml | 6 +++--- + .../gconf_gnome_screensaver_idle_delay/rule.yml | 6 +++--- + .../rule.yml | 6 +++--- + .../crypto/configure_crypto_policy/rule.yml | 6 +++--- + .../crypto/ssh_client_rekey_limit/rule.yml | 6 +++--- + shared/macros.jinja | 7 ++++++- + 75 files changed, 168 insertions(+), 163 deletions(-) + +diff --git a/applications/openshift/kubelet/kubelet_enable_streaming_connections/rule.yml b/applications/openshift/kubelet/kubelet_enable_streaming_connections/rule.yml +index 74da1f4c8b..91bd3ab560 100644 +--- a/applications/openshift/kubelet/kubelet_enable_streaming_connections/rule.yml ++++ b/applications/openshift/kubelet/kubelet_enable_streaming_connections/rule.yml +@@ -11,13 +11,13 @@ description: |- + {{%- if product == "ocp4" %}} + file /etc/kubernetes/kubernetes.conf + on the kubelet node(s) and set the below parameter: +-
streamingConnectionIdleTimeout: 
++
streamingConnectionIdleTimeout: {{{ xccdf_value("var_streaming_connection_timeouts") }}}
+ {{% else %}} + file /etc/origin/node/node-config.yaml + on the kubelet node(s) and set the below parameter: +
kubeletArguments:
+       streaming-connection-idle-timeout:
+-      - ''
++ - '{{{ xccdf_value("var_streaming_connection_timeouts") }}}' + {{%- endif %}} + + rationale: |- +@@ -33,10 +33,10 @@ ocil: |- + Run the following command on the kubelet node(s): + {{%- if product == "ocp4" %}} +
$ sudo grep streamingConnectionIdleTimeout /etc/kubernetes/kubernetes.conf
+- The output should return . ++ The output should return {{{ xccdf_value("var_streaming_connection_timeouts") }}}. + {{% else %}} +
$ sudo grep -A1 streaming-connection-idle-timeout /etc/origin/node/node-config.yaml
+- The output should return . ++ The output should return {{{ xccdf_value("var_streaming_connection_timeouts") }}}. + {{%- endif %}} + + identifiers: +diff --git a/applications/openstack/keystone/keystone_disable_user_account_days_inactive/rule.yml b/applications/openstack/keystone/keystone_disable_user_account_days_inactive/rule.yml +index 6f8a7c9474..5a06f2984f 100644 +--- a/applications/openstack/keystone/keystone_disable_user_account_days_inactive/rule.yml ++++ b/applications/openstack/keystone/keystone_disable_user_account_days_inactive/rule.yml +@@ -32,4 +32,4 @@ ocil: |- +
$ grep disable_user_account_days_inactive /etc/keystone/keystone.conf
+
+ If properly configured, the output should be: +-
disable_user_account_days_inactive = 
++
disable_user_account_days_inactive = {{{ xccdf_value("var_keystone_disable_user_account_days_inactive") }}}
+diff --git a/applications/openstack/keystone/keystone_lockout_duration/rule.yml b/applications/openstack/keystone/keystone_lockout_duration/rule.yml +index 30a823e0fe..50057c14d1 100644 +--- a/applications/openstack/keystone/keystone_lockout_duration/rule.yml ++++ b/applications/openstack/keystone/keystone_lockout_duration/rule.yml +@@ -38,4 +38,4 @@ ocil: |- +
$ grep lockout_duration /etc/keystone/keystone.conf
+
+ If properly configured, the output should be: +-
lockout_duration=
++
lockout_duration={{{ xccdf_value("var_keystone_lockout_failure_duration") }}}
+diff --git a/applications/openstack/keystone/keystone_lockout_failure_attempts/rule.yml b/applications/openstack/keystone/keystone_lockout_failure_attempts/rule.yml +index e77fb2d0c1..4927fb0abe 100644 +--- a/applications/openstack/keystone/keystone_lockout_failure_attempts/rule.yml ++++ b/applications/openstack/keystone/keystone_lockout_failure_attempts/rule.yml +@@ -33,4 +33,4 @@ ocil: |- +
$ grep lockout_failure_attempts /etc/keystone/keystone.conf
+
+ If properly configured, the output should be: +-
lockout_failure_attempts=
++
lockout_failure_attempts={{{ xccdf_value("var_keystone_lockout_failure_attempts") }}}
+diff --git a/applications/openstack/keystone_container/container_keystone_disable_user_account_days_inactive/rule.yml b/applications/openstack/keystone_container/container_keystone_disable_user_account_days_inactive/rule.yml +index 9f98073edc..8bd564e66a 100644 +--- a/applications/openstack/keystone_container/container_keystone_disable_user_account_days_inactive/rule.yml ++++ b/applications/openstack/keystone_container/container_keystone_disable_user_account_days_inactive/rule.yml +@@ -31,4 +31,4 @@ ocil: |- +
$ grep disable_user_account_days_inactive /var/lib/config-data/puppet-generated/keystone/etc/keystone/keystone.conf
+
+ If properly configured, the output should be: +-
disable_user_account_days_inactive = 
++
disable_user_account_days_inactive = {{{ xccdf_value("var_keystone_disable_user_account_days_inactive") }}}
+diff --git a/applications/openstack/keystone_container/container_keystone_lockout_duration/rule.yml b/applications/openstack/keystone_container/container_keystone_lockout_duration/rule.yml +index 98f33106c0..1c469e3e4f 100644 +--- a/applications/openstack/keystone_container/container_keystone_lockout_duration/rule.yml ++++ b/applications/openstack/keystone_container/container_keystone_lockout_duration/rule.yml +@@ -37,4 +37,4 @@ ocil: |- +
$ grep lockout_duration /var/lib/config-data/puppet-generated/keystone/etc/keystone/keystone.conf
+
+ If properly configured, the output should be: +-
lockout_duration=
++
lockout_duration={{{ xccdf_value("var_keystone_lockout_failure_duration") }}}
+diff --git a/applications/openstack/keystone_container/container_keystone_lockout_failure_attempts/rule.yml b/applications/openstack/keystone_container/container_keystone_lockout_failure_attempts/rule.yml +index d9de1aebf6..8d48304685 100644 +--- a/applications/openstack/keystone_container/container_keystone_lockout_failure_attempts/rule.yml ++++ b/applications/openstack/keystone_container/container_keystone_lockout_failure_attempts/rule.yml +@@ -32,4 +32,4 @@ ocil: |- +
$ grep lockout_failure_attempts /var/lib/config-data/puppet-generated/keystone/etc/keystone/keystone.conf
+
+ If properly configured, the output should be: +-
lockout_failure_attempts=
++
lockout_failure_attempts={{{ xccdf_value("var_keystone_lockout_failure_attempts") }}}
+diff --git a/linux_os/guide/services/http/securing_httpd/httpd_configure_max_keepalive_requests/rule.yml b/linux_os/guide/services/http/securing_httpd/httpd_configure_max_keepalive_requests/rule.yml +index aaf7e21583..3a9b317b75 100644 +--- a/linux_os/guide/services/http/securing_httpd/httpd_configure_max_keepalive_requests/rule.yml ++++ b/linux_os/guide/services/http/securing_httpd/httpd_configure_max_keepalive_requests/rule.yml +@@ -6,9 +6,9 @@ title: 'Configure The Number of Allowed Simultaneous Requests' + + description: |- + The MaxKeepAliveRequests directive should be set and configured to +- or greater by setting the following ++ {{{ xccdf_value("var_max_keepalive_requests") }}} or greater by setting the following + in /etc/httpd/conf/httpd.conf: +-
MaxKeepAliveRequests 
++
MaxKeepAliveRequests {{{ xccdf_value("var_max_keepalive_requests") }}}
+ + rationale: |- + Resource exhaustion can occur when an unlimited number of concurrent requests +diff --git a/linux_os/guide/services/http/securing_httpd/httpd_enable_loglevel/rule.yml b/linux_os/guide/services/http/securing_httpd/httpd_enable_loglevel/rule.yml +index 112039a2d8..e8bb96b214 100644 +--- a/linux_os/guide/services/http/securing_httpd/httpd_enable_loglevel/rule.yml ++++ b/linux_os/guide/services/http/securing_httpd/httpd_enable_loglevel/rule.yml +@@ -5,9 +5,9 @@ prodtype: rhel7,rhel8 + title: 'Enable HTTPD LogLevel' + + description: |- +- LogLevel should be enabled and set to . ++ LogLevel should be enabled and set to {{{ xccdf_value("var_httpd_loglevel") }}}. + Add or edit the following in /etc/httpd/conf/httpd.conf: +-
LogLevel 
++
LogLevel {{{ xccdf_value("var_httpd_loglevel") }}}
+ + rationale: |- + The server error logs are invaluable because they can also be used to identify +diff --git a/linux_os/guide/services/mail/postfix_client/postfix_client_configure_mail_alias/rule.yml b/linux_os/guide/services/mail/postfix_client/postfix_client_configure_mail_alias/rule.yml +index 0650606bad..b86f6e7c98 100644 +--- a/linux_os/guide/services/mail/postfix_client/postfix_client_configure_mail_alias/rule.yml ++++ b/linux_os/guide/services/mail/postfix_client/postfix_client_configure_mail_alias/rule.yml +@@ -4,7 +4,7 @@ title: 'Configure System to Forward All Mail For The Root Account' + + description: |- + Set up an alias for root that forwards to a monitored email address: +-
$ sudo echo "root: " >> /etc/aliases
++    
$ sudo echo "root: {{{ xccdf_value("var_postfix_root_mail_alias") }}}" >> /etc/aliases
+     $ sudo newaliases
+ + rationale: |- +diff --git a/linux_os/guide/services/mail/postfix_client/postfix_client_configure_relayhost/rule.yml b/linux_os/guide/services/mail/postfix_client/postfix_client_configure_relayhost/rule.yml +index 0b4e2d2322..0faafeb0c2 100644 +--- a/linux_os/guide/services/mail/postfix_client/postfix_client_configure_relayhost/rule.yml ++++ b/linux_os/guide/services/mail/postfix_client/postfix_client_configure_relayhost/rule.yml +@@ -6,7 +6,7 @@ description: |- + Set up a relay host that will act as a gateway for all outbound email. + Edit the file /etc/postfix/main.cf to ensure that only the following + relayhost line appears: +-
relayhost = 
++
relayhost = {{{ xccdf_value("var_postfix_relayhost") }}}
+ + rationale: |- + A central outbound email location ensures messages sent from any network host +@@ -20,4 +20,4 @@ ocil_clause: 'it is not' + ocil: |- + Run the following command to ensure postfix routes mail to this system: +
$ grep relayhost /etc/postfix/main.cf
+- If properly configured, the output should show only . ++ If properly configured, the output should show only {{{ xccdf_value("var_postfix_relayhost") }}}. +diff --git a/linux_os/guide/services/mail/postfix_client/postfix_network_listening_disabled/rule.yml b/linux_os/guide/services/mail/postfix_client/postfix_network_listening_disabled/rule.yml +index 8deb83a2da..cba179b8d7 100644 +--- a/linux_os/guide/services/mail/postfix_client/postfix_network_listening_disabled/rule.yml ++++ b/linux_os/guide/services/mail/postfix_client/postfix_network_listening_disabled/rule.yml +@@ -7,7 +7,7 @@ title: 'Disable Postfix Network Listening' + description: |- + Edit the file /etc/postfix/main.cf to ensure that only the following + inet_interfaces line appears: +-
inet_interfaces = 
++
inet_interfaces = {{{ xccdf_value("var_postfix_inet_interfaces") }}}
+ + + rationale: |- +@@ -41,4 +41,4 @@ ocil_clause: 'it does not' + ocil: |- + Run the following command to ensure postfix accepts mail messages from only the local system: +
$ grep inet_interfaces /etc/postfix/main.cf
+- If properly configured, the output should show only . ++ If properly configured, the output should show only {{{ xccdf_value("var_postfix_inet_interfaces") }}}. +diff --git a/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/rule.yml b/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/rule.yml +index ba3772a5af..d5f8b9125e 100644 +--- a/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/rule.yml ++++ b/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/rule.yml +@@ -6,11 +6,11 @@ title: 'Configure Time Service Maxpoll Interval' + + description: |- + The maxpoll should be configured to +- in /etc/ntp.conf or ++ {{{ xccdf_value("var_time_service_set_maxpoll") }}} in /etc/ntp.conf or + /etc/chrony.conf to continuously poll time servers. To configure + maxpoll in /etc/ntp.conf or /etc/chrony.conf + add the following: +-
maxpoll 
++
maxpoll {{{ xccdf_value("var_time_service_set_maxpoll") }}}
+ + rationale: |- + Inaccurate time stamps make it more difficult to correlate +@@ -46,4 +46,4 @@ ocil: |- + To verify that maxpoll has been set properly, perform the following: +
$ sudo grep maxpoll /etc/ntp.conf /etc/chrony.conf
+ The output should return +-
maxpoll 
. ++
maxpoll {{{ xccdf_value("var_time_service_set_maxpoll") }}}
. +diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_compression/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_disable_compression/rule.yml +index e63866bb8b..fe7e67c1c2 100644 +--- a/linux_os/guide/services/ssh/ssh_server/sshd_disable_compression/rule.yml ++++ b/linux_os/guide/services/ssh/ssh_server/sshd_disable_compression/rule.yml +@@ -9,7 +9,7 @@ description: |- + it should be disabled. To disable compression or delay compression until after + a user has successfully authenticated, add or correct the following line in the + /etc/ssh/sshd_config file: +-
Compression 
++
Compression {{{ xccdf_value("var_sshd_disable_compression") }}}
+ + rationale: |- + If compression is allowed in an SSH connection prior to authentication, +diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/rule.yml +index ce191e48e7..d7941f9c0e 100644 +--- a/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/rule.yml ++++ b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/rule.yml +@@ -7,7 +7,7 @@ description: |- + the session key of the is renegotiated, both in terms of + amount of data that may be transmitted and the time + elapsed. To decrease the default limits, put line +- RekeyLimit {{{ sub_var_value("var_rekey_limit_size") }}} {{{ sub_var_value("var_rekey_limit_time") }}} to file /etc/ssh/sshd_config. ++ RekeyLimit {{{ xccdf_value("var_rekey_limit_size") }}} {{{ xccdf_value("var_rekey_limit_time") }}} to file /etc/ssh/sshd_config. + + rationale: |- + By decreasing the limit based on the amount of data and enabling +@@ -30,4 +30,4 @@ ocil: |- + following command: +
$ sudo grep RekeyLimit /etc/ssh/sshd_config
+ If configured properly, output should be +-
RekeyLimit {{{ sub_var_value("var_rekey_limit_size") }}} {{{ sub_var_value("var_rekey_limit_time") }}}
++
RekeyLimit {{{ xccdf_value("var_rekey_limit_size") }}} {{{ xccdf_value("var_rekey_limit_time") }}}
+diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/rule.yml +index 250addfe2f..5149de069d 100644 +--- a/linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/rule.yml ++++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/rule.yml +@@ -8,7 +8,7 @@ description: |- +

+ To set an idle timeout interval, edit the following line in /etc/ssh/sshd_config as + follows: +-
ClientAliveInterval 
++
ClientAliveInterval {{{ xccdf_value("sshd_idle_timeout_value") }}}
+

+ The timeout interval is given in seconds. For example, have a timeout + of 10 minutes, set interval to 600. +@@ -61,4 +61,4 @@ ocil: |- + Run the following command to see what the timeout interval is: +
$ sudo grep ClientAliveInterval /etc/ssh/sshd_config
+ If properly configured, the output should be: +-
ClientAliveInterval 
++
ClientAliveInterval {{{ xccdf_value("sshd_idle_timeout_value") }}}
+diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/rule.yml +index 95628aac85..5354ff5b0c 100644 +--- a/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/rule.yml ++++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/rule.yml +@@ -5,7 +5,7 @@ title: 'Set SSH Client Alive Max Count' + description: |- + To ensure the SSH idle timeout occurs precisely when the ClientAliveInterval is set, + edit /etc/ssh/sshd_config as follows: +-
ClientAliveCountMax 
++
ClientAliveCountMax {{{ xccdf_value("var_sshd_set_keepalive") }}}
+ + rationale: |- + This ensures a user login will be terminated as soon as the ClientAliveInterval +@@ -48,4 +48,4 @@ ocil: |- + To ensure the SSH idle timeout will occur when the ClientAliveInterval is set, run the following command: +
$ sudo grep ClientAliveCountMax /etc/ssh/sshd_config
+ If properly configured, output should be: +-
ClientAliveCountMax 
++
ClientAliveCountMax {{{ xccdf_value("var_sshd_set_keepalive") }}}
+diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/rule.yml +index 037bb1603d..d6e1f30b19 100644 +--- a/linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/rule.yml ++++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/rule.yml +@@ -6,7 +6,7 @@ description: |- + The MaxAuthTries parameter specifies the maximum number of authentication attempts + permitted per connection. Once the number of failures reaches half this value, additional failures are logged. + to set MaxAUthTries edit /etc/ssh/sshd_config as follows: +-
MaxAuthTries 
++
MaxAuthTries {{{ xccdf_value("sshd_max_auth_tries_value") }}}
+ + rationale: |- + Setting the MaxAuthTries parameter to a low number will minimize the risk of successful +@@ -31,4 +31,4 @@ ocil: |- + To ensure the MaxAuthTries parameter is set, run the following command: +
$ sudo grep MaxAuthTries /etc/ssh/sshd_config
+ If properly configured, output should be: +-
MaxAuthTries 
++
MaxAuthTries {{{ xccdf_value("sshd_max_auth_tries_value") }}}
+diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/rule.yml +index 3f74e662de..2782b71905 100644 +--- a/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/rule.yml ++++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/rule.yml +@@ -5,7 +5,7 @@ title: 'Set SSH MaxSessions limit' + description: |- + The MaxSessions parameter specifies the maximum number of open sessions permitted + from a given connection. To set MaxSessions edit +- /etc/ssh/sshd_config as follows:
MaxSessions 
++ /etc/ssh/sshd_config as follows:
MaxSessions {{{ xccdf_value("var_sshd_max_sessions") }}}
+ + rationale: |- + To protect a system from denial of service due to a large number of concurrent +@@ -27,4 +27,4 @@ ocil: |- + Run the following command to see what the max sessions number is: +
$ sudo grep MaxSessions /etc/ssh/sshd_config
+ If properly configured, the output should be: +-
MaxSessions 
++
MaxSessions {{{ xccdf_value("var_sshd_max_sessions") }}}
+diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/rule.yml +index 985bbd0b8b..c2204193dc 100644 +--- a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/rule.yml ++++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/rule.yml +@@ -31,7 +31,7 @@ description: |- + {{{ weblink(link="http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140sp/140sp2630.pdf") }}} + {{% endif %}} + {{% endif %}} +- The rule is parametrized to use the following ciphers: {{{ sub_var_value("sshd_approved_ciphers") }}}. ++ The rule is parametrized to use the following ciphers: {{{ xccdf_value("sshd_approved_ciphers") }}}. + + rationale: |- + Unapproved mechanisms that are used for authentication to the cryptographic module are not verified and therefore +diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs/rule.yml +index 4b563de550..b7adaca34b 100644 +--- a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs/rule.yml ++++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs/rule.yml +@@ -32,7 +32,7 @@ description: |- + {{{ weblink(link="http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140sp/140sp2630.pdf") }}} + {{% endif %}} + {{% endif %}} +- The rule is parametrized to use the following MACs: {{{ sub_var_value("sshd_approved_macs") }}}. ++ The rule is parametrized to use the following MACs: {{{ xccdf_value("sshd_approved_macs") }}}. + + rationale: |- + DoD Information Systems are required to use FIPS-approved cryptographic hash +diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_priv_separation/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_use_priv_separation/rule.yml +index 60813a75a2..14d1acfd22 100644 +--- a/linux_os/guide/services/ssh/ssh_server/sshd_use_priv_separation/rule.yml ++++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_priv_separation/rule.yml +@@ -6,7 +6,7 @@ description: |- + When enabled, SSH will create an unprivileged child process that + has the privilege of the authenticated user. To enable privilege separation in + SSH, add or correct the following line in the /etc/ssh/sshd_config file: +-
UsePrivilegeSeparation 
++
UsePrivilegeSeparation {{{ xccdf_value("var_sshd_priv_separation") }}}
+ + rationale: |- + SSH daemon privilege separation causes the SSH process to drop root privileges +@@ -41,4 +41,4 @@ ocil: |- + To check if UsePrivilegeSeparation is enabled or set correctly, run the + following command: +
$ sudo grep UsePrivilegeSeparation /etc/ssh/sshd_config
+- If configured properly, output should be . ++ If configured properly, output should be {{{ xccdf_value("var_sshd_priv_separation") }}}. +diff --git a/linux_os/guide/services/sssd/sssd_memcache_timeout/rule.yml b/linux_os/guide/services/sssd/sssd_memcache_timeout/rule.yml +index 00cda4f144..35ec8c497c 100644 +--- a/linux_os/guide/services/sssd/sssd_memcache_timeout/rule.yml ++++ b/linux_os/guide/services/sssd/sssd_memcache_timeout/rule.yml +@@ -6,14 +6,14 @@ title: 'Configure SSSD''s Memory Cache to Expire' + + description: |- + SSSD's memory cache should be configured to set to expire records after +- seconds. ++ {{{ xccdf_value("var_sssd_memcache_timeout") }}} seconds. + To configure SSSD to expire memory cache, set memcache_timeout to +- under the ++ {{{ xccdf_value("var_sssd_memcache_timeout") }}} under the + [nss] section in /etc/sssd/sssd.conf. + + For example: +
[nss]
+-    memcache_timeout = 
++    memcache_timeout = {{{ xccdf_value("var_sssd_memcache_timeout") }}}
+     
+ + rationale: |- +@@ -46,4 +46,4 @@ ocil_clause: 'it does not exist or is not configured properly' + ocil: |- + To verify that SSSD's in-memory cache expires after a day, run the following command: +
$ sudo grep memcache_timeout /etc/sssd/sssd.conf
+- If configured properly, output should be
memcache_timeout = 
. ++ If configured properly, output should be
memcache_timeout = {{{ xccdf_value("var_sssd_memcache_timeout") }}}
. +diff --git a/linux_os/guide/services/sssd/sssd_ssh_known_hosts_timeout/rule.yml b/linux_os/guide/services/sssd/sssd_ssh_known_hosts_timeout/rule.yml +index ce83991f57..00f1f3b485 100644 +--- a/linux_os/guide/services/sssd/sssd_ssh_known_hosts_timeout/rule.yml ++++ b/linux_os/guide/services/sssd/sssd_ssh_known_hosts_timeout/rule.yml +@@ -6,12 +6,12 @@ title: 'Configure SSSD to Expire SSH Known Hosts' + + description: |- + SSSD should be configured to expire keys from known SSH hosts after +- seconds. ++ {{{ xccdf_value("var_sssd_ssh_known_hosts_timeout") }}} seconds. + To configure SSSD to known SSH hosts, set ssh_known_hosts_timeout +- to under the ++ to {{{ xccdf_value("var_sssd_ssh_known_hosts_timeout") }}} under the + [ssh] section in /etc/sssd/sssd.conf. For example: +
[ssh]
+-    ssh_known_hosts_timeout = 
++    ssh_known_hosts_timeout = {{{ xccdf_value("var_sssd_ssh_known_hosts_timeout") }}}
+     
+ + rationale: |- +@@ -44,4 +44,4 @@ ocil: |- + To verify that SSSD expires known SSH host keys, run the following command: +
$ sudo grep ssh_known_hosts_timeout /etc/sssd/sssd.conf
+ If configured properly, output should be +-
ssh_known_hosts_timeout = 
++
ssh_known_hosts_timeout = {{{ xccdf_value("var_sssd_ssh_known_hosts_timeout") }}}
+diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/rule.yml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/rule.yml +index 7c7b14860c..f6857da463 100644 +--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/rule.yml ++++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/rule.yml +@@ -9,14 +9,14 @@ description: |- + accomplished by using the remember option for the pam_unix + or pam_pwhistory PAM modules. +

+- In the file /etc/pam.d/system-auth, append remember= ++ In the file /etc/pam.d/system-auth, append remember={{{ xccdf_value("var_password_pam_unix_remember") }}} + to the line which refers to the pam_unix.so or pam_pwhistory.somodule, as shown below: +
    +
  • for the pam_unix.so case: +-
    password sufficient pam_unix.so ...existing_options... remember=
    ++
    password sufficient pam_unix.so ...existing_options... remember={{{ xccdf_value("var_password_pam_unix_remember") }}}
    +
  • +
  • for the pam_pwhistory.so case: +-
    password requisite pam_pwhistory.so ...existing_options... remember=
    ++
    password requisite pam_pwhistory.so ...existing_options... remember={{{ xccdf_value("var_password_pam_unix_remember") }}}
    +
  • +
+ The DoD STIG requirement is 5 passwords. +@@ -56,6 +56,6 @@ ocil: |- + To verify the password reuse setting is compliant, run the following command: +
$ grep remember /etc/pam.d/system-auth
+ The output should show the following at the end of the line: +-
remember=
++
remember={{{ xccdf_value("var_password_pam_unix_remember") }}}
+ + platform: pam +diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/rule.yml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/rule.yml +index 8eeb24a9c5..15eba70d6a 100644 +--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/rule.yml ++++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/rule.yml +@@ -11,9 +11,9 @@ description: |- +

+
    +
  • add the following line immediately before the pam_unix.so statement in the AUTH section: +-
    auth required pam_faillock.so preauth silent deny= unlock_time= fail_interval=
  • ++
    auth required pam_faillock.so preauth silent deny={{{ xccdf_value("var_accounts_passwords_pam_faillock_deny") }}} unlock_time={{{ xccdf_value("var_accounts_passwords_pam_faillock_unlock_time") }}} fail_interval={{{ xccdf_value("var_accounts_passwords_pam_faillock_fail_interval") }}}
    +
  • add the following line immediately after the pam_unix.so statement in the AUTH section: +-
    auth [default=die] pam_faillock.so authfail deny= unlock_time= fail_interval=
  • ++
    auth [default=die] pam_faillock.so authfail deny={{{ xccdf_value("var_accounts_passwords_pam_faillock_deny") }}} unlock_time={{{ xccdf_value("var_accounts_passwords_pam_faillock_unlock_time") }}} fail_interval={{{ xccdf_value("var_accounts_passwords_pam_faillock_fail_interval") }}}
    +
  • add the following line immediately before the pam_unix.so statement in the ACCOUNT section: +
    account required pam_faillock.so
  • +
+@@ -56,6 +56,6 @@ ocil_clause: 'that is not the case' + ocil: |- + To ensure the failed password attempt policy is configured correctly, run the following command: +
$ grep pam_faillock /etc/pam.d/system-auth
+- The output should show deny=. ++ The output should show deny={{{ xccdf_value("var_accounts_passwords_pam_faillock_deny") }}}. + + platform: pam +diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny_root/rule.yml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny_root/rule.yml +index 6f49ea9850..1780a66251 100644 +--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny_root/rule.yml ++++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny_root/rule.yml +@@ -13,10 +13,10 @@ description: |- +
    +
  • Modify the following line in the AUTH section to add + even_deny_root: +-
    auth required pam_faillock.so preauth silent even_deny_root deny= unlock_time= fail_interval=
  • ++
    auth required pam_faillock.so preauth silent even_deny_root deny={{{ xccdf_value("var_accounts_passwords_pam_faillock_deny") }}} unlock_time={{{ xccdf_value("var_accounts_passwords_pam_faillock_unlock_time") }}} fail_interval={{{ xccdf_value("var_accounts_passwords_pam_faillock_fail_interval") }}}
    +
  • Modify the following line in the AUTH section to add + even_deny_root: +-
    auth [default=die] pam_faillock.so authfail even_deny_root deny= unlock_time= fail_interval=
    ++
    auth [default=die] pam_faillock.so authfail even_deny_root deny={{{ xccdf_value("var_accounts_passwords_pam_faillock_deny") }}} unlock_time={{{ xccdf_value("var_accounts_passwords_pam_faillock_unlock_time") }}} fail_interval={{{ xccdf_value("var_accounts_passwords_pam_faillock_fail_interval") }}}
    +
  • +
+ +diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/rule.yml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/rule.yml +index f891d8e600..708e98e7f3 100644 +--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/rule.yml ++++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/rule.yml +@@ -14,11 +14,11 @@ description: |- +
    +
  • Add the following line immediately before the + pam_unix.so statement in the AUTH section: +-
    auth required pam_faillock.so preauth silent deny= unlock_time= fail_interval=
    ++
    auth required pam_faillock.so preauth silent deny={{{ xccdf_value("var_accounts_passwords_pam_faillock_deny") }}} unlock_time={{{ xccdf_value("var_accounts_passwords_pam_faillock_unlock_time") }}} fail_interval={{{ xccdf_value("var_accounts_passwords_pam_faillock_fail_interval") }}}
    +
  • +
  • Add the following line immediately after the + pam_unix.so statement in the AUTH section: +-
    auth [default=die] pam_faillock.so authfail deny= unlock_time= fail_interval=
    ++    
    auth [default=die] pam_faillock.so authfail deny={{{ xccdf_value("var_accounts_passwords_pam_faillock_deny") }}} unlock_time={{{ xccdf_value("var_accounts_passwords_pam_faillock_unlock_time") }}} fail_interval={{{ xccdf_value("var_accounts_passwords_pam_faillock_fail_interval") }}}
    +     
    +
  • +
  • Add the following line immediately before the +@@ -63,7 +63,7 @@ ocil: |- + To ensure the failed password attempt policy is configured correctly, + run the following command: +
    $ grep pam_faillock /etc/pam.d/system-auth /etc/pam.d/password-auth
    +- For each file, the output should show fail_interval=<interval-in-seconds> where interval-in-seconds is or greater. ++ For each file, the output should show fail_interval=<interval-in-seconds> where interval-in-seconds is {{{ xccdf_value("var_accounts_passwords_pam_faillock_fail_interval") }}} or greater. + If the fail_interval parameter is not set, the default setting + of 900 seconds is acceptable. + +diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/rule.yml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/rule.yml +index c3c7fa1ccc..b992cf93bd 100644 +--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/rule.yml ++++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/rule.yml +@@ -11,9 +11,9 @@ description: |- +

    +
      +
    • add the following line immediately before the pam_unix.so statement in the AUTH section: +-
      auth required pam_faillock.so preauth silent deny= unlock_time= fail_interval=
    • ++
      auth required pam_faillock.so preauth silent deny={{{ xccdf_value("var_accounts_passwords_pam_faillock_deny") }}} unlock_time={{{ xccdf_value("var_accounts_passwords_pam_faillock_unlock_time") }}} fail_interval={{{ xccdf_value("var_accounts_passwords_pam_faillock_fail_interval") }}}
      +
    • add the following line immediately after the pam_unix.so statement in the AUTH section: +-
      auth [default=die] pam_faillock.so authfail deny= unlock_time= fail_interval=
    • ++
      auth [default=die] pam_faillock.so authfail deny={{{ xccdf_value("var_accounts_passwords_pam_faillock_deny") }}} unlock_time={{{ xccdf_value("var_accounts_passwords_pam_faillock_unlock_time") }}} fail_interval={{{ xccdf_value("var_accounts_passwords_pam_faillock_fail_interval") }}}
      +
    • add the following line immediately before the pam_unix.so statement in the ACCOUNT section: +
      account required pam_faillock.so
    • +
    +diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pamcracklib/cracklib_accounts_password_pam_difok/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pamcracklib/cracklib_accounts_password_pam_difok/rule.yml +index fde8c8a188..168960bd4e 100644 +--- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pamcracklib/cracklib_accounts_password_pam_difok/rule.yml ++++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pamcracklib/cracklib_accounts_password_pam_difok/rule.yml +@@ -7,7 +7,7 @@ title: 'Set Password Strength Minimum Different Characters' + description: |- + The pam_cracklib module's difok parameter controls requirements for + usage of different characters during a password change. +- Add difok= after pam_cracklib.so to require differing ++ Add difok={{{ xccdf_value("var_password_pam_difok") }}} after pam_cracklib.so to require differing + characters when changing passwords. The DoD requirement is 4. + + rationale: |- +diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pamcracklib/cracklib_accounts_password_pam_maxrepeat/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pamcracklib/cracklib_accounts_password_pam_maxrepeat/rule.yml +index 8171db26bd..8865b29f36 100644 +--- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pamcracklib/cracklib_accounts_password_pam_maxrepeat/rule.yml ++++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pamcracklib/cracklib_accounts_password_pam_maxrepeat/rule.yml +@@ -7,9 +7,9 @@ title: 'Set Password to Maximum of Three Consecutive Repeating Characters' + description: |- + The pam_cracklib module's maxrepeat parameter controls requirements for + consecutive repeating characters. When set to a positive number, it will reject passwords +- which contain more than that number of consecutive characters. Add maxrepeat= +- after pam_cracklib.so to prevent a run of ( + 1) or more identical characters:
    +-
    password required pam_cracklib.so maxrepeat=
    ++ which contain more than that number of consecutive characters. Add maxrepeat={{{ xccdf_value("var_password_pam_maxrepeat") }}} ++ after pam_cracklib.so to prevent a run of ({{{ xccdf_value("var_password_pam_maxrepeat") }}} + 1) or more identical characters:
    ++
    password required pam_cracklib.so maxrepeat={{{ xccdf_value("var_password_pam_maxrepeat") }}}
    + + rationale: 'Passwords with excessive repeating characters may be more vulnerable to password-guessing attacks.' + +diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pamcracklib/cracklib_accounts_password_pam_minclass/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pamcracklib/cracklib_accounts_password_pam_minclass/rule.yml +index 9723f28793..3c87a58cc6 100644 +--- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pamcracklib/cracklib_accounts_password_pam_minclass/rule.yml ++++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pamcracklib/cracklib_accounts_password_pam_minclass/rule.yml +@@ -17,8 +17,8 @@ description: |- + * Digits + * Special characters (for example, punctuation) +
+- Add minclass= after pam_cracklib.so entry into the +- /etc/pam.d/system-auth file in order to require differing categories of ++ Add minclass={{{ xccdf_value("var_password_pam_minclass") }}} after pam_cracklib.so entry into the ++ /etc/pam.d/system-auth file in order to require {{{ xccdf_value("var_password_pam_minclass") }}} differing categories of + characters when changing passwords. + For example to require at least three character classes to be used in password, use minclass=3. + +diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pamcracklib/cracklib_accounts_password_pam_minlen/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pamcracklib/cracklib_accounts_password_pam_minlen/rule.yml +index cb902bccd7..1088af68ee 100644 +--- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pamcracklib/cracklib_accounts_password_pam_minlen/rule.yml ++++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pamcracklib/cracklib_accounts_password_pam_minlen/rule.yml +@@ -6,7 +6,7 @@ title: 'Set Password Minimum Length' + + description: |- + The pam_cracklib module's minlen parameter controls requirements for +- minimum characters required in a password. Add minlen= ++ minimum characters required in a password. Add minlen={{{ xccdf_value("var_password_pam_minlen") }}} + after pam_pwquality to set minimum password length requirements. + + rationale: |- +@@ -38,4 +38,4 @@ ocil_clause: 'minlen is not found or not set to the required value (or higher)' + ocil: |- + To check how many characters are required in a password, run the following command: +
$ grep cracklib /etc/pam.d/system-auth
+- Your output should contain minlen= ++ Your output should contain minlen={{{ xccdf_value("var_password_pam_minlen") }}} +diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pamcracklib/cracklib_accounts_password_pam_ocredit/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pamcracklib/cracklib_accounts_password_pam_ocredit/rule.yml +index 9c6d8a5b31..f8cb083106 100644 +--- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pamcracklib/cracklib_accounts_password_pam_ocredit/rule.yml ++++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pamcracklib/cracklib_accounts_password_pam_ocredit/rule.yml +@@ -9,7 +9,7 @@ description: |- + usage of special (or ``other'') characters in a password. When set to a negative number, any password will be required to + contain that many special characters. When set to a positive number, pam_cracklib will grant +1 additional + length credit for each special character. +- Add ocredit= after pam_cracklib.so to require use of a special character in passwords. ++ Add ocredit={{{ xccdf_value("var_password_pam_ocredit") }}} after pam_cracklib.so to require use of a special character in passwords. + + rationale: |- + Requiring a minimum number of special characters makes password guessing attacks +diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pamcracklib/cracklib_accounts_password_pam_retry/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pamcracklib/cracklib_accounts_password_pam_retry/rule.yml +index e0555d7224..cc1a9f72c7 100644 +--- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pamcracklib/cracklib_accounts_password_pam_retry/rule.yml ++++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pamcracklib/cracklib_accounts_password_pam_retry/rule.yml +@@ -9,7 +9,7 @@ description: |- +

+ Edit the pam_cracklib.so statement in + /etc/pam.d/system-auth to show +- retry=, or a lower value ++ retry={{{ xccdf_value("var_password_pam_retry") }}}, or a lower value + if site policy is more restrictive. +

+ The DoD requirement is a maximum of 3 prompts per session. +diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_difok/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_difok/rule.yml +index 965b10a57a..fb64b61520 100644 +--- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_difok/rule.yml ++++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_difok/rule.yml +@@ -9,7 +9,7 @@ description: |- + in a password that must not be present in and old password during a password change. +

+ Modify the difok setting in /etc/security/pwquality.conf +- to equal to require differing characters ++ to equal {{{ xccdf_value("var_password_pam_difok") }}} to require differing characters + when changing passwords. + + rationale: |- +diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_maxclassrepeat/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_maxclassrepeat/rule.yml +index 0d59eefef9..d449c97950 100644 +--- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_maxclassrepeat/rule.yml ++++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_maxclassrepeat/rule.yml +@@ -8,8 +8,8 @@ description: |- + The pam_pwquality module's maxclassrepeat parameter controls requirements for + consecutive repeating characters from the same character class. When set to a positive number, it will reject passwords + which contain more than that number of consecutive characters from the same character class. Modify the +- maxclassrepeat setting in /etc/security/pwquality.conf to equal +- to prevent a run of ( + 1) or more identical characters. ++ maxclassrepeat setting in /etc/security/pwquality.conf to equal {{{ xccdf_value("var_password_pam_maxclassrepeat") }}} ++ to prevent a run of ({{{ xccdf_value("var_password_pam_maxclassrepeat") }}} + 1) or more identical characters. + + rationale: |- + Use of a complex password helps to increase the time and resources required to comrpomise the password. +diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_maxrepeat/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_maxrepeat/rule.yml +index 59637552ae..cb2755b255 100644 +--- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_maxrepeat/rule.yml ++++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_maxrepeat/rule.yml +@@ -8,8 +8,8 @@ description: |- + The pam_pwquality module's maxrepeat parameter controls requirements for + consecutive repeating characters. When set to a positive number, it will reject passwords + which contain more than that number of consecutive characters. Modify the maxrepeat setting +- in /etc/security/pwquality.conf to equal to prevent a +- run of ( + 1) or more identical characters. ++ in /etc/security/pwquality.conf to equal {{{ xccdf_value("var_password_pam_maxrepeat") }}} to prevent a ++ run of ({{{ xccdf_value("var_password_pam_maxrepeat") }}} + 1) or more identical characters. + + rationale: |- + Use of a complex password helps to increase the time and resources required to compromise the password. +diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_minclass/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_minclass/rule.yml +index 7dc06b20e9..c6ac4e654b 100644 +--- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_minclass/rule.yml ++++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_minclass/rule.yml +@@ -19,7 +19,7 @@ description: |- + * Special characters (for example, punctuation) + + Modify the minclass setting in /etc/security/pwquality.conf entry +- to require ++ to require {{{ xccdf_value("var_password_pam_minclass") }}} + differing categories of characters when changing passwords. + + rationale: |- +diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_minlen/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_minlen/rule.yml +index c507413b67..0c1066a550 100644 +--- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_minlen/rule.yml ++++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_minlen/rule.yml +@@ -6,7 +6,7 @@ title: 'Ensure PAM Enforces Password Requirements - Minimum Length' + + description: |- + The pam_pwquality module's minlen parameter controls requirements for +- minimum characters required in a password. Add minlen= ++ minimum characters required in a password. Add minlen={{{ xccdf_value("var_password_pam_minlen") }}} + after pam_pwquality to set minimum password length requirements. + + rationale: |- +@@ -49,7 +49,7 @@ ocil_clause: 'minlen is not found, or not equal to or greater than the required + ocil: |- + To check how many characters are required in a password, run the following command: +
$ grep minlen /etc/security/pwquality.conf
+- Your output should contain minlen = ++ Your output should contain minlen = {{{ xccdf_value("var_password_pam_minlen") }}} + + platform: pam + +diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_ocredit/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_ocredit/rule.yml +index b9b93d69b1..cbc1ca50ee 100644 +--- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_ocredit/rule.yml ++++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_ocredit/rule.yml +@@ -10,7 +10,7 @@ description: |- + any password will be required to contain that many special characters. + When set to a positive number, pam_pwquality will grant +1 + additional length credit for each special character. Modify the ocredit setting +- in /etc/security/pwquality.conf to equal ++ in /etc/security/pwquality.conf to equal {{{ xccdf_value("var_password_pam_ocredit") }}} + to require use of a special character in passwords. + + rationale: |- +diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/rule.yml +index a64ee575a1..6b1534adde 100644 +--- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/rule.yml ++++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/rule.yml +@@ -7,7 +7,7 @@ title: 'Ensure PAM Enforces Password Requirements - Authentication Retry Prompts + description: |- + To configure the number of retry prompts that are permitted per-session: + Edit the pam_pwquality.so statement in /etc/pam.d/system-auth to +- show retry=, or a lower value if ++ show retry={{{ xccdf_value("var_password_pam_retry") }}}, or a lower value if + site policy is more restrictive. + The DoD requirement is a maximum of 3 prompts per session. + +diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/configure_opensc_card_drivers/rule.yml b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/configure_opensc_card_drivers/rule.yml +index 57958bce13..476cffcd62 100644 +--- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/configure_opensc_card_drivers/rule.yml ++++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/configure_opensc_card_drivers/rule.yml +@@ -8,13 +8,13 @@ description: |- + The OpenSC smart card tool can auto-detect smart card drivers; however, + setting the smart card drivers in use by your organization helps to prevent + users from using unauthorized smart cards. The default smart card driver for this +- profile is . ++ profile is {{{ xccdf_value("var_smartcard_drivers") }}}. + To configure the OpenSC driver, edit the /etc/opensc-ARCH.conf (where + ARCH is the architecture of your operating system) file. Look for a + line similar to: +
# card_drivers = old, internal;
+ and change it to: +-
card_drivers = ;
++
card_drivers = {{{ xccdf_value("var_smartcard_drivers") }}};
+ + rationale: |- + Smart card login provides two-factor authentication stronger than +@@ -45,9 +45,9 @@ references: + ocil_clause: 'the smart card driver is not configured correctly' + + ocil: |- +- To verify that is configured ++ To verify that {{{ xccdf_value("var_smartcard_drivers") }}} is configured + as the smart card driver, run the following command changing ARCH for + the architecture of your operating system: +
$ grep card_drivers /etc/opensc-ARCH
+ The output should return something similar to: +-
card_drivers = ;
++
card_drivers = {{{ xccdf_value("var_smartcard_drivers") }}};
+diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/force_opensc_card_drivers/rule.yml b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/force_opensc_card_drivers/rule.yml +index ad65316007..261698320c 100644 +--- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/force_opensc_card_drivers/rule.yml ++++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/force_opensc_card_drivers/rule.yml +@@ -9,13 +9,13 @@ description: |- + forcing the smart card driver in use by your organization, opensc will no longer + autodetect or use other drivers unless specified. This helps to prevent + users from using unauthorized smart cards. The default smart card driver for this +- profile is . ++ profile is {{{ xccdf_value("var_smartcard_drivers") }}}. + To force the OpenSC driver, edit the /etc/opensc-ARCH.conf (where + ARCH is the architecture of your operating system) file. Look for a line + similar to: +
# force_card_driver = customcos;
+ and change it to: +-
force_card_driver = ;
++
force_card_driver = {{{ xccdf_value("var_smartcard_drivers") }}};
+ + rationale: |- + Smart card login provides two-factor authentication stronger than +@@ -46,9 +46,9 @@ references: + ocil_clause: 'the smart card driver is not configured correctly' + + ocil: |- +- To verify that is configured ++ To verify that {{{ xccdf_value("var_smartcard_drivers") }}} is configured + as the smart card driver, run the following command changing ARCH for + the architecture of your operating system: +
$ grep force_card_driver /etc/opensc-ARCH
+ The output should return something similar to: +-
force_card_drivers = ;
++
force_card_drivers = {{{ xccdf_value("var_smartcard_drivers") }}};
+diff --git a/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_disable_post_pw_expiration/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_disable_post_pw_expiration/rule.yml +index 45c199ad4a..cfa59edd38 100644 +--- a/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_disable_post_pw_expiration/rule.yml ++++ b/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_disable_post_pw_expiration/rule.yml +@@ -9,9 +9,9 @@ description: |- + signifies inactivity) until an account is permanently disabled, add or correct + the following lines in /etc/default/useradd, substituting + NUM_DAYS appropriately: +-
INACTIVE=
++
INACTIVE={{{ xccdf_value("var_account_disable_post_pw_expiration") }}}
+ A value of 35 is recommended; however, this profile expects that the value is set to +- . ++ {{{ xccdf_value("var_account_disable_post_pw_expiration") }}}. + If a password is currently on the + verge of expiration, then 35 days remain until the account is automatically + disabled. However, if the password will not expire for another 60 days, then 95 +@@ -63,6 +63,6 @@ ocil: |- + The output should indicate the INACTIVE configuration option is set + to an appropriate integer as shown in the example below: +
$ grep "INACTIVE" /etc/default/useradd
+-    INACTIVE=
++ INACTIVE={{{ xccdf_value("var_account_disable_post_pw_expiration") }}} + + platform: login_defs +diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/rule.yml +index 0619423d0c..ccf95260dc 100644 +--- a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/rule.yml ++++ b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/rule.yml +@@ -6,10 +6,10 @@ description: |- + To specify password maximum age for new accounts, + edit the file /etc/login.defs + and add or correct the following line: +-
PASS_MAX_DAYS 
++
PASS_MAX_DAYS {{{ xccdf_value("var_accounts_maximum_age_login_defs") }}}
+ A value of 180 days is sufficient for many environments. + The DoD requirement is 60. +- The profile requirement is . ++ The profile requirement is {{{ xccdf_value("var_accounts_maximum_age_login_defs") }}}. + + rationale: |- + Any password, no matter how complex, can eventually be cracked. Therefore, passwords +diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_minimum_age_login_defs/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_minimum_age_login_defs/rule.yml +index 543e88e822..ceca9550a7 100644 +--- a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_minimum_age_login_defs/rule.yml ++++ b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_minimum_age_login_defs/rule.yml +@@ -6,10 +6,10 @@ description: |- + To specify password minimum age for new accounts, + edit the file /etc/login.defs + and add or correct the following line: +-
PASS_MIN_DAYS 
++
PASS_MIN_DAYS {{{ xccdf_value("var_accounts_minimum_age_login_defs") }}}
+ A value of 1 day is considered sufficient for many + environments. The DoD requirement is 1. +- The profile requirement is . ++ The profile requirement is {{{ xccdf_value("var_accounts_minimum_age_login_defs") }}}. + + rationale: |- + Enforcing a minimum password lifetime helps to prevent repeated password +diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_minlen_login_defs/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_minlen_login_defs/rule.yml +index 2f18ce638a..39864bb79d 100644 +--- a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_minlen_login_defs/rule.yml ++++ b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_minlen_login_defs/rule.yml +@@ -5,12 +5,12 @@ title: 'Set Password Minimum Length in login.defs' + description: |- + To specify password length requirements for new accounts, edit the file + /etc/login.defs and add or correct the following line: +-
PASS_MIN_LEN 
++
PASS_MIN_LEN {{{ xccdf_value("var_accounts_password_minlen_login_defs") }}}
+

+ The DoD requirement is 15. + The FISMA requirement is 12. + The profile requirement is +- . ++ {{{ xccdf_value("var_accounts_password_minlen_login_defs") }}}. + If a program consults /etc/login.defs and also another PAM module + (such as pam_pwquality) during a password change operation, then + the most restrictive must be satisfied. See PAM section for more +diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_warn_age_login_defs/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_warn_age_login_defs/rule.yml +index 1048b7c143..3ba2a7049f 100644 +--- a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_warn_age_login_defs/rule.yml ++++ b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_warn_age_login_defs/rule.yml +@@ -7,9 +7,9 @@ description: |- + expiration that a warning will be issued to users, + edit the file /etc/login.defs and add or correct + the following line: +-
PASS_WARN_AGE 
++
PASS_WARN_AGE {{{ xccdf_value("var_accounts_password_warn_age_login_defs") }}}
+ The DoD requirement is 7. +- The profile requirement is . ++ The profile requirement is {{{ xccdf_value("var_accounts_password_warn_age_login_defs") }}}. + + rationale: |- + Setting the password warning age enables users to +diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_logon_fail_delay/rule.yml b/linux_os/guide/system/accounts/accounts-session/accounts_logon_fail_delay/rule.yml +index 9a359b22c5..08f81100f4 100644 +--- a/linux_os/guide/system/accounts/accounts-session/accounts_logon_fail_delay/rule.yml ++++ b/linux_os/guide/system/accounts/accounts-session/accounts_logon_fail_delay/rule.yml +@@ -5,7 +5,7 @@ title: 'Ensure the Logon Failure Delay is Set Correctly in login.defs' + description: |- + To ensure the logon failure delay controlled by /etc/login.defs is set properly, + add or correct the FAIL_DELAY setting in /etc/login.defs to read as follows: +-
FAIL_DELAY 
++
FAIL_DELAY {{{ xccdf_value("var_accounts_fail_delay") }}}
+ + rationale: |- + Increasing the time between a failed authentication attempt and re-prompting to +@@ -37,6 +37,6 @@ ocil: |- +
$ sudo grep -i "FAIL_DELAY" /etc/login.defs
+ All output must show the value of FAIL_DELAY set as shown in the below: +
$ sudo grep -i "FAIL_DELAY" /etc/login.defs
+-    FAIL_DELAY 
++ FAIL_DELAY {{{ xccdf_value("var_accounts_fail_delay") }}} + + platform: login_defs +diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_max_concurrent_login_sessions/rule.yml b/linux_os/guide/system/accounts/accounts-session/accounts_max_concurrent_login_sessions/rule.yml +index 3486578e66..2fc9427ce3 100644 +--- a/linux_os/guide/system/accounts/accounts-session/accounts_max_concurrent_login_sessions/rule.yml ++++ b/linux_os/guide/system/accounts/accounts-session/accounts_max_concurrent_login_sessions/rule.yml +@@ -8,7 +8,7 @@ description: |- + concurrent sessions by a single user via multiple accounts. To set the number of concurrent + sessions per user add the following line in /etc/security/limits.conf or + a file under /etc/security/limits.d/: +-
* hard maxlogins 
++
* hard maxlogins {{{ xccdf_value("var_accounts_max_concurrent_login_sessions") }}}
+ + rationale: |- + Limiting simultaneous user logins can insulate the system from denial of service +@@ -46,6 +46,6 @@ ocil: |- + configured for all users on the system: +
# grep "maxlogins" /etc/security/limits.conf
+ You should receive output similar to the following: +-
*\t\thard\tmaxlogins\t
++
*\t\thard\tmaxlogins\t{{{ xccdf_value("var_accounts_max_concurrent_login_sessions") }}}
+ + platform: pam +diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_tmout/rule.yml b/linux_os/guide/system/accounts/accounts-session/accounts_tmout/rule.yml +index 6e21f653c7..eb64b12e51 100644 +--- a/linux_os/guide/system/accounts/accounts-session/accounts_tmout/rule.yml ++++ b/linux_os/guide/system/accounts/accounts-session/accounts_tmout/rule.yml +@@ -8,7 +8,7 @@ description: |- + Setting the TMOUT option in /etc/profile ensures that + all user sessions will terminate based on inactivity. The TMOUT + setting in /etc/profile should read as follows: +-
TMOUT=
++
TMOUT={{{ xccdf_value("var_accounts_tmout") }}}
+ + rationale: |- + Terminating an idle session within a short time period reduces +@@ -48,4 +48,4 @@ ocil: |- + on the system: +
$ sudo grep TMOUT /etc/profile
+ The output should return the following: +-
TMOUT=
++
TMOUT={{{ xccdf_value("var_accounts_tmout") }}}
+diff --git a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_bashrc/rule.yml b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_bashrc/rule.yml +index 391a2bcc42..e9beb8f4bd 100644 +--- a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_bashrc/rule.yml ++++ b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_bashrc/rule.yml +@@ -8,7 +8,7 @@ description: |- + To ensure the default umask for users of the Bash shell is set properly, + add or correct the umask setting in /etc/bashrc to read + as follows: +-
umask 
++
umask {{{ xccdf_value("var_accounts_user_umask") }}}
+ + rationale: |- + The umask value influences the permissions assigned to files when they are created. +@@ -44,5 +44,5 @@ ocil: |- +
# grep "umask" /etc/bashrc
+ All output must show the value of umask set as shown below: +
# grep "umask" /etc/bashrc
+-    umask 
+-    umask 
++ umask {{{ xccdf_value("var_accounts_user_umask") }}} ++ umask {{{ xccdf_value("var_accounts_user_umask") }}} +diff --git a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_csh_cshrc/rule.yml b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_csh_cshrc/rule.yml +index 5b8bc81ab3..347e881d5e 100644 +--- a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_csh_cshrc/rule.yml ++++ b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_csh_cshrc/rule.yml +@@ -7,7 +7,7 @@ title: 'Ensure the Default C Shell Umask is Set Correctly' + description: |- + To ensure the default umask for users of the C shell is set properly, + add or correct the umask setting in /etc/csh.cshrc to read as follows: +-
umask 
++
umask {{{ xccdf_value("var_accounts_user_umask") }}}
+ + rationale: |- + The umask value influences the permissions assigned to files when they are created. +@@ -42,4 +42,4 @@ ocil: |- +
# grep "umask" /etc/csh.cshrc
+ All output must show the value of umask set as shown in the below: +
# grep "umask" /etc/csh.cshrc
+-    umask 
++ umask {{{ xccdf_value("var_accounts_user_umask") }}} +diff --git a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_login_defs/rule.yml b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_login_defs/rule.yml +index ecb2dfb1f1..088e9ce2a8 100644 +--- a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_login_defs/rule.yml ++++ b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_login_defs/rule.yml +@@ -5,7 +5,7 @@ title: 'Ensure the Default Umask is Set Correctly in login.defs' + description: |- + To ensure the default umask controlled by /etc/login.defs is set properly, + add or correct the UMASK setting in /etc/login.defs to read as follows: +-
UMASK 
++
UMASK {{{ xccdf_value("var_accounts_user_umask") }}}
+ + rationale: |- + The umask value influences the permissions assigned to files when they are created. +@@ -42,6 +42,6 @@ ocil: |- +
# grep -i "UMASK" /etc/login.defs
+ All output must show the value of umask set as shown in the below: +
# grep -i "UMASK" /etc/login.defs
+-    umask 
++ umask {{{ xccdf_value("var_accounts_user_umask") }}} + + platform: login_defs +diff --git a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_profile/rule.yml b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_profile/rule.yml +index bf48d81899..43ab898b5d 100644 +--- a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_profile/rule.yml ++++ b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_profile/rule.yml +@@ -5,7 +5,7 @@ title: 'Ensure the Default Umask is Set Correctly in /etc/profile' + description: |- + To ensure the default umask controlled by /etc/profile is set properly, + add or correct the umask setting in /etc/profile to read as follows: +-
umask 
++
umask {{{ xccdf_value("var_accounts_user_umask") }}}
+ + rationale: |- + The umask value influences the permissions assigned to files when they are created. +@@ -42,4 +42,4 @@ ocil: |- +
# grep "umask" /etc/profile
+ All output must show the value of umask set as shown in the below: +
# grep "umask" /etc/profile
+-    umask 
++ umask {{{ xccdf_value("var_accounts_user_umask") }}} +diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_configure_remote_server/rule.yml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_configure_remote_server/rule.yml +index c317700e71..c19af71bb5 100644 +--- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_configure_remote_server/rule.yml ++++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_configure_remote_server/rule.yml +@@ -16,7 +16,7 @@ description: |- + + with an IP address or hostname of the system that the audispd plugin should + send audit records to. For example +-
remote_server = 
++
remote_server = {{{ xccdf_value("var_audispd_remote_server") }}}
+ + rationale: |- + Information stored in one location is vulnerable to accidental or incidental +@@ -48,5 +48,5 @@ ocil: |- +
$ sudo grep -i remote_server /etc/audisp/audisp-remote.conf
+ {{% endif %}} + The output should return something similar to +-
remote_server = 
++
remote_server = {{{ xccdf_value("var_audispd_remote_server") }}}
+ +diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_action_mail_acct/rule.yml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_action_mail_acct/rule.yml +index a071e6dda5..66de6e73a5 100644 +--- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_action_mail_acct/rule.yml ++++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_action_mail_acct/rule.yml +@@ -7,7 +7,7 @@ description: |- + a designated account in certain situations. Add or correct the following line + in /etc/audit/auditd.conf to ensure that administrators are notified + via email for those situations: +-
action_mail_acct = 
++
action_mail_acct = {{{ xccdf_value("var_auditd_action_mail_acct") }}}
+ + rationale: |- + Email sent to the root account is typically aliased to the +@@ -49,5 +49,5 @@ ocil: |- + Inspect /etc/audit/auditd.conf and locate the following line to + determine if the system is configured to send email to an + account when it needs to notify an administrator: +-
action_mail_acct = 
++
action_mail_acct = {{{ xccdf_value("var_auditd_action_mail_acct") }}}
+ +diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_flush/rule.yml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_flush/rule.yml +index b4038d13bd..1db8b82dda 100644 +--- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_flush/rule.yml ++++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_flush/rule.yml +@@ -9,7 +9,7 @@ description: |- + synchronously write audit event data to disk. Add or correct the following + line in /etc/audit/auditd.conf to ensure that audit event data is + fully synchronized with the log files on the disk: +-
flush = 
++
flush = {{{ xccdf_value("var_auditd_flush") }}}
+ + rationale: |- + Audit data should be synchronously written to disk to ensure +diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_max_log_file/rule.yml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_max_log_file/rule.yml +index 73107df695..1bdafa9215 100644 +--- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_max_log_file/rule.yml ++++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_max_log_file/rule.yml +@@ -6,7 +6,7 @@ description: |- + Determine the amount of audit data (in megabytes) + which should be retained in each log file. Edit the file + /etc/audit/auditd.conf. Add or modify the following line, substituting +- the correct value of for STOREMB: ++ the correct value of {{{ xccdf_value("var_auditd_max_log_file") }}} for STOREMB: +
max_log_file = STOREMB
+ Set the value to 6 (MB) or higher for general-purpose systems. + Larger values, of course, +diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_num_logs/rule.yml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_num_logs/rule.yml +index 01bb0ad7a2..34e2a2b60f 100644 +--- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_num_logs/rule.yml ++++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_num_logs/rule.yml +@@ -6,7 +6,7 @@ description: |- + Determine how many log files + auditd should retain when it rotates logs. + Edit the file /etc/audit/auditd.conf. Add or modify the following +- line, substituting NUMLOGS with the correct value of : ++ line, substituting NUMLOGS with the correct value of {{{ xccdf_value("var_auditd_num_logs") }}}: +
num_logs = NUMLOGS
+ Set the value to 5 for general-purpose systems. + Note that values less than 2 result in no log rotation. +diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_groupownership/rule.yml b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_groupownership/rule.yml +index 3331f5188a..74a87bb659 100644 +--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_groupownership/rule.yml ++++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_groupownership/rule.yml +@@ -4,15 +4,15 @@ title: 'Ensure Log Files Are Owned By Appropriate Group' + + description: |- + The group-owner of all log files written by +- rsyslog should be . ++ rsyslog should be {{{ xccdf_value("file_groupowner_logfiles_value") }}}. + These log files are determined by the second part of each Rule line in + /etc/rsyslog.conf and typically all appear in /var/log. + For each log file LOGFILE referenced in /etc/rsyslog.conf, + run the following command to inspect the file's group owner: +
$ ls -l LOGFILE
+- If the owner is not , run the following command to ++ If the owner is not {{{ xccdf_value("file_groupowner_logfiles_value") }}}, run the following command to + correct this: +-
$ sudo chgrp  LOGFILE
++
$ sudo chgrp {{{ xccdf_value("file_groupowner_logfiles_value") }}} LOGFILE
+ + rationale: |- + The log files generated by rsyslog contain valuable information regarding system +@@ -43,7 +43,7 @@ references: + ocil_clause: 'the group-owner is not correct' + + ocil: |- +- The group-owner of all log files written by rsyslog should be . ++ The group-owner of all log files written by rsyslog should be {{{ xccdf_value("file_groupowner_logfiles_value") }}}. + These log files are determined by the second part of each Rule line in + /etc/rsyslog.conf and typically all appear in /var/log. + To see the group-owner of a given log file, run the following command: +diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_ownership/rule.yml b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_ownership/rule.yml +index a034c0a193..506b6457ca 100644 +--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_ownership/rule.yml ++++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_ownership/rule.yml +@@ -4,15 +4,15 @@ title: 'Ensure Log Files Are Owned By Appropriate User' + + description: |- + The owner of all log files written by +- rsyslog should be . ++ rsyslog should be {{{ xccdf_value("file_owner_logfiles_value") }}}. + These log files are determined by the second part of each Rule line in + /etc/rsyslog.conf and typically all appear in /var/log. + For each log file LOGFILE referenced in /etc/rsyslog.conf, + run the following command to inspect the file's owner: +
$ ls -l LOGFILE
+- If the owner is not , run the following command to ++ If the owner is not {{{ xccdf_value("file_owner_logfiles_value") }}}, run the following command to + correct this: +-
$ sudo chown  LOGFILE
++
$ sudo chown {{{ xccdf_value("file_owner_logfiles_value") }}} LOGFILE
+ + rationale: |- + The log files generated by rsyslog contain valuable information regarding system +@@ -43,7 +43,7 @@ references: + ocil_clause: 'the owner is not correct' + + ocil: |- +- The owner of all log files written by rsyslog should be . ++ The owner of all log files written by rsyslog should be {{{ xccdf_value("file_owner_logfiles_value") }}}. + These log files are determined by the second part of each Rule line in + /etc/rsyslog.conf and typically all appear in /var/log. + To see the owner of a given log file, run the following command: +diff --git a/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/rule.yml b/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/rule.yml +index 642bf1ee0e..c27707569f 100644 +--- a/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/rule.yml ++++ b/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/rule.yml +@@ -10,21 +10,21 @@ description: |- + Along with these other directives, the system can be configured + to forward its logs to a particular log server by + adding or correcting one of the following lines, +- substituting appropriately. ++ substituting {{{ xccdf_value("rsyslog_remote_loghost_address") }}} appropriately. + The choice of protocol depends on the environment of the system; + although TCP and RELP provide more reliable message delivery, + they may not be supported in all environments. +
+ To use UDP for log message delivery: +-
*.* @
++
*.* @{{{ xccdf_value("rsyslog_remote_loghost_address") }}}
+
+ To use TCP for log message delivery: +-
*.* @@
++
*.* @@{{{ xccdf_value("rsyslog_remote_loghost_address") }}}
+
+ To use RELP for log message delivery: +-
*.* :omrelp:
++
*.* :omrelp:{{{ xccdf_value("rsyslog_remote_loghost_address") }}}
+
+- There must be a resolvable DNS CNAME or Alias record set to "" for logs to be sent correctly to the centralized logging utility. ++ There must be a resolvable DNS CNAME or Alias record set to "{{{ xccdf_value("rsyslog_remote_loghost_address") }}}" for logs to be sent correctly to the centralized logging utility. + + rationale: |- + A log server (loghost) receives syslog messages from one or more +@@ -67,8 +67,8 @@ ocil: |- + To ensure logs are sent to a remote host, examine the file + /etc/rsyslog.conf. + If using UDP, a line similar to the following should be present: +-
 *.* @
++
 *.* @{{{ xccdf_value("rsyslog_remote_loghost_address") }}}
+ If using TCP, a line similar to the following should be present: +-
 *.* @@
++
 *.* @@{{{ xccdf_value("rsyslog_remote_loghost_address") }}}
+ If using RELP, a line similar to the following should be present: +-
 *.* :omrelp:
++
 *.* :omrelp:{{{ xccdf_value("rsyslog_remote_loghost_address") }}}
+diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_tcp_invalid_ratelimit/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_tcp_invalid_ratelimit/rule.yml +index 7e96bbd35d..e68faf00ca 100644 +--- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_tcp_invalid_ratelimit/rule.yml ++++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_tcp_invalid_ratelimit/rule.yml +@@ -15,7 +15,7 @@ description: |- + Set the system to implement rate-limiting measures by adding the following line to + /etc/sysctl.conf or a configuration file in the /etc/sysctl.d/ directory + (or modify the line to have the required value): +-
net.ipv4.tcp_invalid_ratelimit = 
++
net.ipv4.tcp_invalid_ratelimit = {{{ xccdf_value("sysctl_net_ipv4_tcp_invalid_ratelimit_value") }}}
+ Issue the following command to make the changes take effect: +
# sysctl --system
+ +@@ -51,7 +51,7 @@ ocil: |- + on impacted network interfaces, run the following command: +
# grep 'net.ipv4.tcp_invalid_ratelimit' /etc/sysctl.conf /etc/sysctl.d/*
+ The command should output the following line: +-
/etc/sysctl.conf:net.ipv4.tcp_invalid_ratelimit = 
++
/etc/sysctl.conf:net.ipv4.tcp_invalid_ratelimit = {{{ xccdf_value("sysctl_net_ipv4_tcp_invalid_ratelimit_value") }}}
+ The file where the line has been found can differ, but it must be either /etc/sysctl.conf + or a file located under the /etc/sysctl.d/ directory. + +diff --git a/linux_os/guide/system/permissions/restrictions/daemon_umask/umask_for_daemons/rule.yml b/linux_os/guide/system/permissions/restrictions/daemon_umask/umask_for_daemons/rule.yml +index a14fc555af..64c6c3668d 100644 +--- a/linux_os/guide/system/permissions/restrictions/daemon_umask/umask_for_daemons/rule.yml ++++ b/linux_os/guide/system/permissions/restrictions/daemon_umask/umask_for_daemons/rule.yml +@@ -11,7 +11,7 @@ description: |- + a umask of 077 in their own init scripts. By default, the umask of + 022 is set which prevents creation of group- or world-writable files. + To set the umask for daemons expected by the profile, edit the following line: +-
umask 
++
umask {{{ xccdf_value("var_umask_for_daemons") }}}
+ + rationale: |- + The umask influences the permissions assigned to files created by a +@@ -40,7 +40,7 @@ ocil_clause: 'it does not' + ocil: |- + To check the value of the umask, run the following command: +
$ grep umask /etc/init.d/functions
+- The output should show . ++ The output should show {{{ xccdf_value("var_umask_for_daemons") }}}. + + warnings: + - functionality: |- +diff --git a/linux_os/guide/system/selinux/selinux_policytype/rule.yml b/linux_os/guide/system/selinux/selinux_policytype/rule.yml +index bbc6b3a992..d861f5f9e2 100644 +--- a/linux_os/guide/system/selinux/selinux_policytype/rule.yml ++++ b/linux_os/guide/system/selinux/selinux_policytype/rule.yml +@@ -9,7 +9,7 @@ description: |- + general-purpose desktops and servers, as well as systems in many other roles. + To configure the system to use this policy, add or correct the following line + in /etc/selinux/config: +-
SELINUXTYPE=
++
SELINUXTYPE={{{ xccdf_value("var_selinux_policy_name") }}}
+ Other policies, such as mls, provide additional security labeling + and greater confinement but are not compatible with many general-purpose + use cases. +@@ -23,7 +23,7 @@ rationale: |- + temporarily place non-production systems in permissive mode. In such + temporary cases, SELinux policies should be developed, and once work + is completed, the system should be reconfigured to +- . ++ {{{ xccdf_value("var_selinux_policy_name") }}}. + + severity: high + +@@ -57,4 +57,4 @@ ocil_clause: 'it does not' + + ocil: |- + Check the file /etc/selinux/config and ensure the following line appears: +-
SELINUXTYPE=
++
SELINUXTYPE={{{ xccdf_value("var_selinux_policy_name") }}}
+diff --git a/linux_os/guide/system/selinux/selinux_state/rule.yml b/linux_os/guide/system/selinux/selinux_state/rule.yml +index 2c90aadbd1..66c5fd65f8 100644 +--- a/linux_os/guide/system/selinux/selinux_state/rule.yml ++++ b/linux_os/guide/system/selinux/selinux_state/rule.yml +@@ -5,10 +5,10 @@ prodtype: fedora,rhcos4,ol7,ol8,rhel6,rhel7,rhel8,rhv4,sle15,wrlinux1019 + title: 'Ensure SELinux State is Enforcing' + + description: |- +- The SELinux state should be set to at ++ The SELinux state should be set to {{{ xccdf_value("var_selinux_state") }}} at + system boot time. In the file /etc/selinux/config, add or correct the + following line to configure the system to boot into enforcing mode: +-
SELINUX=
++
SELINUX={{{ xccdf_value("var_selinux_state") }}}
+ + rationale: |- + Setting the SELinux state to enforcing ensures SELinux is able to confine +@@ -49,4 +49,4 @@ ocil_clause: 'SELINUX is not set to enforcing' + + ocil: |- + Check the file /etc/selinux/config and ensure the following line appears: +-
SELINUX=
++
SELINUX={{{ xccdf_value("var_selinux_state") }}}
+diff --git a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_idle_delay/rule.yml b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_idle_delay/rule.yml +index d2feba00b4..bec17bc68b 100644 +--- a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_idle_delay/rule.yml ++++ b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_idle_delay/rule.yml +@@ -54,7 +54,7 @@ ocil_clause: 'idle-delay is not equal to or less than the expected value' + ocil: |- + To check the current idle time-out value, run the following command: +
$ gsettings get org.gnome.desktop.session idle-delay
+- If properly configured, the output should be 'uint32 '. ++ If properly configured, the output should be 'uint32 {{{ xccdf_value("inactivity_timeout_value") }}}'. + To ensure that users cannot change the screensaver inactivity timeout setting, run the following: +
$ grep idle-delay /etc/dconf/db/local.d/locks/*
+ If properly configured, the output should be /org/gnome/desktop/session/idle-delay +diff --git a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_lock_delay/rule.yml b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_lock_delay/rule.yml +index c0a8de72c9..d8a596554c 100644 +--- a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_lock_delay/rule.yml ++++ b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_lock_delay/rule.yml +@@ -6,10 +6,10 @@ title: 'Set GNOME3 Screensaver Lock Delay After Activation Period' + + description: |- + To activate the locking delay of the screensaver in the GNOME3 desktop when +- the screensaver is activated, add or set lock-delay to uint32 in ++ the screensaver is activated, add or set lock-delay to uint32 {{{ xccdf_value("var_screensaver_lock_delay") }}} in + /etc/dconf/db/local.d/00-security-settings. For example: +
[org/gnome/desktop/screensaver]
+-    lock-delay=uint32 
++    lock-delay=uint32 {{{ xccdf_value("var_screensaver_lock_delay") }}}
+     
+ Once the setting has been added, add a lock to + /etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification. +@@ -48,7 +48,7 @@ ocil_clause: 'the screensaver lock delay is missing, or is set to a value greate + ocil: |- + To check that the screen locks immediately when activated, run the following command: +
$ gsettings get org.gnome.desktop.screensaver lock-delay
+- If properly configured, the output should be 'uint32 '. ++ If properly configured, the output should be 'uint32 {{{ xccdf_value("var_screensaver_lock_delay") }}}'. +

+ To ensure that users cannot change how long until the the screensaver locks, run the following: +
$ grep lock-delay /etc/dconf/db/local.d/locks/*
+diff --git a/linux_os/guide/system/software/gnome/gnome_screen_locking/gconf_gnome_screensaver_idle_delay/rule.yml b/linux_os/guide/system/software/gnome/gnome_screen_locking/gconf_gnome_screensaver_idle_delay/rule.yml +index 34eb02abf7..5525337fc6 100644 +--- a/linux_os/guide/system/software/gnome/gnome_screen_locking/gconf_gnome_screensaver_idle_delay/rule.yml ++++ b/linux_os/guide/system/software/gnome/gnome_screen_locking/gconf_gnome_screensaver_idle_delay/rule.yml +@@ -4,12 +4,12 @@ title: 'Set GNOME Login Inactivity Timeout' + + description: |- + Run the following command to set the idle time-out value for +- inactivity in the GNOME desktop to minutes: ++ inactivity in the GNOME desktop to {{{ xccdf_value("inactivity_timeout_value") }}} minutes: +
$ sudo gconftool-2 \
+       --direct \
+       --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \
+       --type int \
+-      --set /desktop/gnome/session/idle_delay 
++ --set /desktop/gnome/session/idle_delay {{{ xccdf_value("inactivity_timeout_value") }}} + + rationale: |- + Setting the idle delay controls when the +@@ -39,4 +39,4 @@ ocil_clause: 'it is not' + ocil: |- + To check the current idle time-out value, run the following command: +
$ gconftool-2 -g /desktop/gnome/session/idle_delay
+- If properly configured, the output should be . ++ If properly configured, the output should be {{{ xccdf_value("inactivity_timeout_value") }}}. +diff --git a/linux_os/guide/system/software/gnome/gnome_screen_locking/gconf_gnome_screensaver_max_idle_time/rule.yml b/linux_os/guide/system/software/gnome/gnome_screen_locking/gconf_gnome_screensaver_max_idle_time/rule.yml +index 99eaf236f7..17fffec0ed 100644 +--- a/linux_os/guide/system/software/gnome/gnome_screen_locking/gconf_gnome_screensaver_max_idle_time/rule.yml ++++ b/linux_os/guide/system/software/gnome/gnome_screen_locking/gconf_gnome_screensaver_max_idle_time/rule.yml +@@ -4,12 +4,12 @@ title: 'Set GNOME Login Maximum Allowed Inactivity' + + description: |- + Run the following command to set the maximum allowed period of inactivity for an +- inactive user in the GNOME desktop to minutes: ++ inactive user in the GNOME desktop to {{{ xccdf_value("inactivity_timeout_value") }}} minutes: +
$ sudo gconftool-2 \
+       --direct \
+       --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \
+       --type int \
+-      --set /desktop/gnome/session/max_idle_time 
++ --set /desktop/gnome/session/max_idle_time {{{ xccdf_value("inactivity_timeout_value") }}} + + rationale: |- + Terminating an idle session within a short time period reduces the window of +@@ -23,4 +23,4 @@ ocil_clause: 'it is not' + ocil: |- + To check the current idle time-out value, run the following command: +
$ gconftool-2 -g /desktop/gnome/session/max_idle_time
+- If properly configured, the output should be . ++ If properly configured, the output should be {{{ xccdf_value("idle_timeout_value") }}}. +diff --git a/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/rule.yml b/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/rule.yml +index 0f9a919b16..243f079cc3 100644 +--- a/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/rule.yml ++++ b/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/rule.yml +@@ -5,9 +5,9 @@ prodtype: fedora,rhcos4,ol8,rhel8,rhv4 + title: 'Configure System Cryptography Policy' + + description: |- +- To configure the system cryptography policy to use ciphers only from the ++ To configure the system cryptography policy to use ciphers only from the {{{ xccdf_value("var_system_crypto_policy") }}} + policy, run the following command: +-
$ sudo update-crypto-policies --set 
++
$ sudo update-crypto-policies --set {{{ xccdf_value("var_system_crypto_policy") }}}
+ The rule checks if settings for selected crypto policy are configured as expected. Configuration files in the /etc/crypto-policies/back-ends are either symlinks to correct files provided by Crypto-policies package or they are regular files in case crypto policy customizations are applied. + Crypto policies may be customized by crypto policy modules, in which case it is delimited from the base policy using a colon. + +@@ -34,7 +34,7 @@ ocil: |- + To verify that cryptography policy has been configured correctly, run the + following command: +
$ update-crypto-policies --show
+- The output should return
. ++ The output should return
{{{ xccdf_value("var_system_crypto_policy") }}}
. + Run the command to check if the policy is correctly applied: +
$ update-crypto-policies --is-applied
+ The output should be
The configured policy is applied
. +diff --git a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/rule.yml b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/rule.yml +index 89725a33c3..735a68b264 100644 +--- a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/rule.yml ++++ b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/rule.yml +@@ -9,7 +9,7 @@ description: |- + the session key is renegotiated, both in terms of + amount of data that may be transmitted and the time + elapsed. To decrease the default limits, put line +- RekeyLimit {{{ sub_var_value("var_ssh_client_rekey_limit_size") }}} {{{ sub_var_value("var_ssh_client_rekey_limit_time") }}} to file /etc/ssh/ssh_config.d/02-rekey-limit.conf. ++ RekeyLimit {{{ xccdf_value("var_ssh_client_rekey_limit_size") }}} {{{ xccdf_value("var_ssh_client_rekey_limit_time") }}} to file /etc/ssh/ssh_config.d/02-rekey-limit.conf. + Make sure that there is no other RekeyLimit configuration preceding + the include directive in the main config file + /etc/ssh/ssh_config. Check also other files in +@@ -37,8 +37,8 @@ ocil: |- + To check if RekeyLimit is set correctly, run the following command:
$
+     sudo grep RekeyLimit /etc/ssh/ssh_config.d/*.conf
If configured + properly, output should be
/etc/ssh/ssh_config.d/02-rekey-limit.conf:
+-    RekeyLimit {{{ sub_var_value("var_ssh_client_rekey_limit_size") }}} {{{
+-    sub_var_value("var_ssh_client_rekey_limit_time") }}}
Check also the ++ RekeyLimit {{{ xccdf_value("var_ssh_client_rekey_limit_size") }}} ++ {{{ xccdf_value("var_ssh_client_rekey_limit_time") }}} Check also the + main configuration file with the following command:
sudo grep
+     RekeyLimit /etc/ssh/ssh_config
The command should not return any + output. +diff --git a/shared/macros.jinja b/shared/macros.jinja +index c3bfcaff2f..e670423a9e 100644 +--- a/shared/macros.jinja ++++ b/shared/macros.jinja +@@ -5,7 +5,7 @@ ocil_clause: "the required value is not set" + + {{% macro openshift_cluster_setting(endpoint) -%}} + This rule's check operates on the cluster configuration dump. +-Therefore, you need to use a tool that can query the OCP API, retreive the {{{ endpoint }}} API endpoint to the local {{{ sub_var_value("ocp_data_root") }}}/{{{ endpoint.lstrip("/") }}} file. ++Therefore, you need to use a tool that can query the OCP API, retreive the {{{ endpoint }}} API endpoint to the local {{{ xccdf_value("ocp_data_root") }}}/{{{ endpoint.lstrip("/") }}} file. + {{%- endmacro %}} + + +@@ -42,6 +42,11 @@ ocil_clause: "the {{{ option }}} is not present in the output line, or there is + + + {{% macro sub_var_value(varname) -%}} ++{{{ xccdf_value(varname) }}} ++{{%- endmacro %}} ++ ++ ++{{% macro xccdf_value(varname) -%}} + + {{%- endmacro %}} + + +From b3d3c2619b44e391f96a1741ac3f116cf6e1b6c7 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= +Date: Fri, 4 Sep 2020 12:21:18 +0200 +Subject: [PATCH 2/3] Replaced XCCDF value instantiation in Bash by a macro + call. + +The former populate ... mechanism is not Bash, it is a special trick perforemd by our build system. +This trick is confusing, its support in the build system is implemented as a complex code, and +it doesnt support multiple values per remediation intuitively. + +This makes the build system involvement explicit, and it opens possibilities to perform implementation +changes without breaking backward compatibility. +--- + .../postfix_client_configure_mail_alias/bash/shared.sh | 2 +- + .../services/ntp/chronyd_or_ntpd_set_maxpoll/bash/shared.sh | 2 +- + .../ntp/chronyd_or_ntpd_specify_multiple_servers/bash/shared.sh | 2 +- + .../ntp/chronyd_or_ntpd_specify_remote_server/bash/shared.sh | 2 +- + .../services/ntp/chronyd_specify_remote_server/bash/shared.sh | 2 +- + .../ssh/ssh_server/sshd_disable_compression/bash/shared.sh | 2 +- + .../ssh/ssh_server/sshd_set_idle_timeout/bash/shared.sh | 2 +- + .../services/ssh/ssh_server/sshd_set_keepalive/bash/shared.sh | 2 +- + .../ssh/ssh_server/sshd_set_max_auth_tries/bash/shared.sh | 2 +- + .../ssh/ssh_server/sshd_set_max_sessions/bash/shared.sh | 2 +- + .../ssh/ssh_server/sshd_use_approved_ciphers/bash/shared.sh | 2 +- + .../ssh/ssh_server/sshd_use_approved_macs/bash/shared.sh | 2 +- + .../ssh/ssh_server/sshd_use_priv_separation/bash/shared.sh | 2 +- + .../sssd-ldap/sssd_ldap_configure_tls_ca_dir/bash/shared.sh | 1 - + .../guide/services/sssd/sssd_memcache_timeout/bash/shared.sh | 2 +- + .../services/sssd/sssd_ssh_known_hosts_timeout/bash/shared.sh | 2 +- + .../accounts/accounts-banners/banner_etc_issue/bash/shared.sh | 2 +- + .../accounts/accounts-banners/banner_etc_motd/bash/shared.sh | 2 +- + .../dconf_gnome_login_banner_text/bash/shared.sh | 2 +- + .../gconf_gdm_set_login_banner_text/bash/rhel6.sh | 2 +- + .../accounts_password_pam_unix_remember/bash/shared.sh | 2 +- + .../accounts_passwords_pam_faillock_deny/bash/shared.sh | 2 +- + .../accounts_passwords_pam_faillock_interval/bash/shared.sh | 2 +- + .../accounts_passwords_pam_faillock_unlock_time/bash/shared.sh | 2 +- + .../accounts_password_pam_retry/bash/shared.sh | 2 +- + .../configure_opensc_card_drivers/bash/shared.sh | 2 +- + .../smart_card_login/force_opensc_card_drivers/bash/shared.sh | 2 +- + .../account_disable_post_pw_expiration/bash/shared.sh | 2 +- + .../accounts_maximum_age_login_defs/bash/shared.sh | 2 +- + .../accounts_minimum_age_login_defs/bash/fedora.sh | 2 +- + .../accounts_minimum_age_login_defs/bash/rhel6.sh | 2 +- + .../accounts_minimum_age_login_defs/bash/shared.sh | 2 +- + .../accounts_password_minlen_login_defs/bash/shared.sh | 2 +- + .../accounts_password_warn_age_login_defs/bash/fedora.sh | 2 +- + .../accounts_password_warn_age_login_defs/bash/rhel6.sh | 2 +- + .../accounts_password_warn_age_login_defs/bash/shared.sh | 2 +- + .../accounts_password_warn_age_login_defs/bash/wrlinux.sh | 2 +- + .../accounts-session/accounts_logon_fail_delay/bash/shared.sh | 2 +- + .../accounts_max_concurrent_login_sessions/bash/shared.sh | 2 +- + .../accounts/accounts-session/accounts_tmout/bash/shared.sh | 2 +- + .../user_umask/accounts_umask_etc_bashrc/bash/shared.sh | 2 +- + .../user_umask/accounts_umask_etc_csh_cshrc/bash/shared.sh | 2 +- + .../user_umask/accounts_umask_etc_login_defs/bash/shared.sh | 2 +- + .../user_umask/accounts_umask_etc_profile/bash/shared.sh | 2 +- + .../auditd_audispd_configure_remote_server/bash/shared.sh | 2 +- + .../auditd_data_disk_error_action/bash/shared.sh | 2 +- + .../auditd_data_disk_full_action/bash/shared.sh | 2 +- + .../auditd_data_retention_action_mail_acct/bash/shared.sh | 2 +- + .../bash/shared.sh | 2 +- + .../auditd_data_retention_flush/bash/shared.sh | 2 +- + .../auditd_data_retention_max_log_file/bash/shared.sh | 2 +- + .../auditd_data_retention_max_log_file_action/bash/shared.sh | 2 +- + .../auditd_data_retention_num_logs/bash/shared.sh | 2 +- + .../auditd_data_retention_space_left/bash/shared.sh | 2 +- + .../auditd_data_retention_space_left_action/bash/shared.sh | 2 +- + .../rsyslog_remote_loghost/bash/shared.sh | 2 +- + .../configure_firewalld_ports/bash/shared.sh | 2 +- + .../restrictions/daemon_umask/umask_for_daemons/bash/rhel6.sh | 2 +- + .../restrictions/daemon_umask/umask_for_daemons/bash/shared.sh | 2 +- + linux_os/guide/system/selinux/selinux_policytype/bash/shared.sh | 2 +- + linux_os/guide/system/selinux/selinux_state/bash/shared.sh | 2 +- + .../dconf_gnome_screensaver_idle_delay/bash/shared.sh | 2 +- + .../dconf_gnome_screensaver_lock_delay/bash/shared.sh | 2 +- + .../gconf_gnome_screensaver_idle_delay/bash/rhel6.sh | 2 +- + .../integrity/crypto/configure_crypto_policy/bash/shared.sh | 2 +- + .../sap_host/accounts_authorized_local_users/bash/shared.sh | 2 +- + .../bash/shared.sh | 2 +- + shared/templates/template_BASH_accounts_password | 2 +- + .../templates/template_BASH_mount_option_removable_partitions | 2 +- + shared/templates/template_BASH_sebool | 2 +- + shared/templates/template_BASH_sysctl | 2 +- + 71 files changed, 70 insertions(+), 71 deletions(-) + +diff --git a/linux_os/guide/services/mail/postfix_client/postfix_client_configure_mail_alias/bash/shared.sh b/linux_os/guide/services/mail/postfix_client/postfix_client_configure_mail_alias/bash/shared.sh +index 12f7b5d693..5324e1c382 100644 +--- a/linux_os/guide/services/mail/postfix_client/postfix_client_configure_mail_alias/bash/shared.sh ++++ b/linux_os/guide/services/mail/postfix_client/postfix_client_configure_mail_alias/bash/shared.sh +@@ -1,6 +1,6 @@ + # platform = Red Hat Virtualization 4,multi_platform_sle + . /usr/share/scap-security-guide/remediation_functions +-populate var_postfix_root_mail_alias ++{{{ bash_instantiate_variables("var_postfix_root_mail_alias") }}} + + replace_or_append '/etc/aliases' '^root' "$var_postfix_root_mail_alias" '@CCENUM@' '%s: %s' + +diff --git a/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/bash/shared.sh b/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/bash/shared.sh +index 56db8f5d17..b23deffb09 100644 +--- a/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/bash/shared.sh ++++ b/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/bash/shared.sh +@@ -1,6 +1,6 @@ + # platform = Red Hat Virtualization 4,multi_platform_rhel,multi_platform_wrlinux,multi_platform_ol + . /usr/share/scap-security-guide/remediation_functions +-populate var_time_service_set_maxpoll ++{{{ bash_instantiate_variables("var_time_service_set_maxpoll") }}} + + + config_file="/etc/ntp.conf" +diff --git a/linux_os/guide/services/ntp/chronyd_or_ntpd_specify_multiple_servers/bash/shared.sh b/linux_os/guide/services/ntp/chronyd_or_ntpd_specify_multiple_servers/bash/shared.sh +index 2297f4fb5a..9add69d367 100644 +--- a/linux_os/guide/services/ntp/chronyd_or_ntpd_specify_multiple_servers/bash/shared.sh ++++ b/linux_os/guide/services/ntp/chronyd_or_ntpd_specify_multiple_servers/bash/shared.sh +@@ -1,6 +1,6 @@ + # platform = Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8,Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ol + . /usr/share/scap-security-guide/remediation_functions +-populate var_multiple_time_servers ++{{{ bash_instantiate_variables("var_multiple_time_servers") }}} + + config_file="/etc/ntp.conf" + /usr/sbin/pidof ntpd || config_file="/etc/chrony.conf" +diff --git a/linux_os/guide/services/ntp/chronyd_or_ntpd_specify_remote_server/bash/shared.sh b/linux_os/guide/services/ntp/chronyd_or_ntpd_specify_remote_server/bash/shared.sh +index c11c443785..0a3f63640c 100644 +--- a/linux_os/guide/services/ntp/chronyd_or_ntpd_specify_remote_server/bash/shared.sh ++++ b/linux_os/guide/services/ntp/chronyd_or_ntpd_specify_remote_server/bash/shared.sh +@@ -1,6 +1,6 @@ + # platform = Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8,Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ol + . /usr/share/scap-security-guide/remediation_functions +-populate var_multiple_time_servers ++{{{ bash_instantiate_variables("var_multiple_time_servers") }}} + + config_file="/etc/ntp.conf" + /usr/sbin/pidof ntpd || config_file="/etc/chrony.conf" +diff --git a/linux_os/guide/services/ntp/chronyd_specify_remote_server/bash/shared.sh b/linux_os/guide/services/ntp/chronyd_specify_remote_server/bash/shared.sh +index e566219788..571a339d48 100644 +--- a/linux_os/guide/services/ntp/chronyd_specify_remote_server/bash/shared.sh ++++ b/linux_os/guide/services/ntp/chronyd_specify_remote_server/bash/shared.sh +@@ -1,6 +1,6 @@ + # platform = multi_platform_all + . /usr/share/scap-security-guide/remediation_functions +-populate var_multiple_time_servers ++{{{ bash_instantiate_variables("var_multiple_time_servers") }}} + + config_file="/etc/chrony.conf" + +diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_compression/bash/shared.sh b/linux_os/guide/services/ssh/ssh_server/sshd_disable_compression/bash/shared.sh +index 396445b908..408c97d45a 100644 +--- a/linux_os/guide/services/ssh/ssh_server/sshd_disable_compression/bash/shared.sh ++++ b/linux_os/guide/services/ssh/ssh_server/sshd_disable_compression/bash/shared.sh +@@ -3,6 +3,6 @@ + # Include source function library. + . /usr/share/scap-security-guide/remediation_functions + +-populate var_sshd_disable_compression ++{{{ bash_instantiate_variables("var_sshd_disable_compression") }}} + + replace_or_append '/etc/ssh/sshd_config' '^Compression' "$var_sshd_disable_compression" '@CCENUM@' '%s %s' +diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/bash/shared.sh b/linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/bash/shared.sh +index 06dfd3492a..0ff698a54c 100644 +--- a/linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/bash/shared.sh ++++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/bash/shared.sh +@@ -1,5 +1,5 @@ + # platform = multi_platform_wrlinux,multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle + . /usr/share/scap-security-guide/remediation_functions +-populate sshd_idle_timeout_value ++{{{ bash_instantiate_variables("sshd_idle_timeout_value") }}} + + replace_or_append '/etc/ssh/sshd_config' '^ClientAliveInterval' $sshd_idle_timeout_value '@CCENUM@' '%s %s' +diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/bash/shared.sh b/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/bash/shared.sh +index cbfb0f367e..f0be6ea6ce 100644 +--- a/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/bash/shared.sh ++++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/bash/shared.sh +@@ -3,6 +3,6 @@ + # Include source function library. + . /usr/share/scap-security-guide/remediation_functions + +-populate var_sshd_set_keepalive ++{{{ bash_instantiate_variables("var_sshd_set_keepalive") }}} + + {{{ bash_sshd_config_set(parameter="ClientAliveCountMax", value="$var_sshd_set_keepalive") }}} +diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/bash/shared.sh b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/bash/shared.sh +index eebe07158c..2451c164cb 100644 +--- a/linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/bash/shared.sh ++++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/bash/shared.sh +@@ -3,6 +3,6 @@ + # Include source function library. + . /usr/share/scap-security-guide/remediation_functions + +-populate sshd_max_auth_tries_value ++{{{ bash_instantiate_variables("sshd_max_auth_tries_value") }}} + + {{{ bash_sshd_config_set(parameter="MaxAuthTries", value="$sshd_max_auth_tries_value") }}} +diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/bash/shared.sh b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/bash/shared.sh +index fc0a1d8b42..2fecde6a96 100644 +--- a/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/bash/shared.sh ++++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/bash/shared.sh +@@ -7,6 +7,6 @@ + # Include source function library. + . /usr/share/scap-security-guide/remediation_functions + +-populate var_sshd_max_sessions ++{{{ bash_instantiate_variables("var_sshd_max_sessions") }}} + + {{{ bash_sshd_config_set(parameter="MaxSessions", value="$var_sshd_max_sessions") }}} +diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/bash/shared.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/bash/shared.sh +index 6d3bb06047..5facd9aa14 100644 +--- a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/bash/shared.sh ++++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/bash/shared.sh +@@ -3,6 +3,6 @@ + # Include source function library. + . /usr/share/scap-security-guide/remediation_functions + +-populate sshd_approved_ciphers ++{{{ bash_instantiate_variables("sshd_approved_ciphers") }}} + + replace_or_append '/etc/ssh/sshd_config' '^Ciphers' "$sshd_approved_ciphers" '@CCENUM@' '%s %s' +diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs/bash/shared.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs/bash/shared.sh +index 2972022b52..ec475c186d 100644 +--- a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs/bash/shared.sh ++++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs/bash/shared.sh +@@ -3,6 +3,6 @@ + # Include source function library. + . /usr/share/scap-security-guide/remediation_functions + +-populate sshd_approved_macs ++{{{ bash_instantiate_variables("sshd_approved_macs") }}} + + replace_or_append '/etc/ssh/sshd_config' '^MACs' "$sshd_approved_macs" '@CCENUM@' '%s %s' +diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_priv_separation/bash/shared.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_priv_separation/bash/shared.sh +index bf702ac80c..62180a1f83 100644 +--- a/linux_os/guide/services/ssh/ssh_server/sshd_use_priv_separation/bash/shared.sh ++++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_priv_separation/bash/shared.sh +@@ -6,6 +6,6 @@ + + # Include source function library. + . /usr/share/scap-security-guide/remediation_functions +-populate var_sshd_priv_separation ++{{{ bash_instantiate_variables("var_sshd_priv_separation") }}} + + {{{ bash_sshd_config_set(parameter="UsePrivilegeSeparation", value="$var_sshd_priv_separation") }}} +diff --git a/linux_os/guide/services/sssd/sssd_memcache_timeout/bash/shared.sh b/linux_os/guide/services/sssd/sssd_memcache_timeout/bash/shared.sh +index f390b7be88..8bc689dae9 100644 +--- a/linux_os/guide/services/sssd/sssd_memcache_timeout/bash/shared.sh ++++ b/linux_os/guide/services/sssd/sssd_memcache_timeout/bash/shared.sh +@@ -3,7 +3,7 @@ + # Include source function library. + . /usr/share/scap-security-guide/remediation_functions + +-populate var_sssd_memcache_timeout ++{{{ bash_instantiate_variables("var_sssd_memcache_timeout") }}} + + SSSD_CONF="/etc/sssd/sssd.conf" + MEMCACHE_TIMEOUT_REGEX="[[:space:]]*\[nss]([^\n\[]*\n+)+?[[:space:]]*memcache_timeout" +diff --git a/linux_os/guide/services/sssd/sssd_ssh_known_hosts_timeout/bash/shared.sh b/linux_os/guide/services/sssd/sssd_ssh_known_hosts_timeout/bash/shared.sh +index 4d1a14efdf..e957d1c689 100644 +--- a/linux_os/guide/services/sssd/sssd_ssh_known_hosts_timeout/bash/shared.sh ++++ b/linux_os/guide/services/sssd/sssd_ssh_known_hosts_timeout/bash/shared.sh +@@ -3,7 +3,7 @@ + # Include source function library. + . /usr/share/scap-security-guide/remediation_functions + +-populate var_sssd_ssh_known_hosts_timeout ++{{{ bash_instantiate_variables("var_sssd_ssh_known_hosts_timeout") }}} + + SSSD_CONF="/etc/sssd/sssd.conf" + SSH_KNOWN_HOSTS_TIMEOUT_REGEX="[[:space:]]*\[ssh]([^\n\[]*\n+)+?[[:space:]]*ssh_known_hosts_timeout" +diff --git a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/bash/shared.sh b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/bash/shared.sh +index 30449d5e9d..f6d5f1603b 100644 +--- a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/bash/shared.sh ++++ b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/bash/shared.sh +@@ -1,6 +1,6 @@ + # platform = multi_platform_wrlinux,multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv + . /usr/share/scap-security-guide/remediation_functions +-populate login_banner_text ++{{{ bash_instantiate_variables("login_banner_text") }}} + + # Multiple regexes transform the banner regex into a usable banner + # 0 - Remove anchors around the banner text +diff --git a/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/bash/shared.sh b/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/bash/shared.sh +index d731063b5a..4a3844a7eb 100644 +--- a/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/bash/shared.sh ++++ b/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/bash/shared.sh +@@ -1,6 +1,6 @@ + # platform = multi_platform_wrlinux,multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv + . /usr/share/scap-security-guide/remediation_functions +-populate login_banner_text ++{{{ bash_instantiate_variables("login_banner_text") }}} + + # Multiple regexes transform the banner regex into a usable banner + # 0 - Remove anchors around the banner text +diff --git a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/bash/shared.sh b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/bash/shared.sh +index 85ddd893c6..0f60c14e36 100644 +--- a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/bash/shared.sh ++++ b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/bash/shared.sh +@@ -1,6 +1,6 @@ + # platform = Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8,multi_platform_fedora,multi_platform_ol + . /usr/share/scap-security-guide/remediation_functions +-populate login_banner_text ++{{{ bash_instantiate_variables("login_banner_text") }}} + + # Multiple regexes transform the banner regex into a usable banner + # 0 - Remove anchors around the banner text +diff --git a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/gconf_gdm_set_login_banner_text/bash/rhel6.sh b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/gconf_gdm_set_login_banner_text/bash/rhel6.sh +index d24dacb81c..15a5d79ebf 100644 +--- a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/gconf_gdm_set_login_banner_text/bash/rhel6.sh ++++ b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/gconf_gdm_set_login_banner_text/bash/rhel6.sh +@@ -1,6 +1,6 @@ + # platform = Red Hat Enterprise Linux 6 + . /usr/share/scap-security-guide/remediation_functions +-populate login_banner_text ++{{{ bash_instantiate_variables("login_banner_text") }}} + + # Install GConf2 package if not installed + if ! rpm -q GConf2; then +diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/bash/shared.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/bash/shared.sh +index 1456d0f371..e0dabe67e0 100644 +--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/bash/shared.sh ++++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/bash/shared.sh +@@ -1,6 +1,6 @@ + # platform = multi_platform_wrlinux,multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv + . /usr/share/scap-security-guide/remediation_functions +-populate var_password_pam_unix_remember ++{{{ bash_instantiate_variables("var_password_pam_unix_remember") }}} + + AUTH_FILES[0]="/etc/pam.d/system-auth" + AUTH_FILES[1]="/etc/pam.d/password-auth" +diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/bash/shared.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/bash/shared.sh +index 58ea0f37af..3157d341cb 100644 +--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/bash/shared.sh ++++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/bash/shared.sh +@@ -1,5 +1,5 @@ + # platform = multi_platform_wrlinux,multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv + . /usr/share/scap-security-guide/remediation_functions +-populate var_accounts_passwords_pam_faillock_deny ++{{{ bash_instantiate_variables("var_accounts_passwords_pam_faillock_deny") }}} + + {{{ bash_set_faillock_option("deny", "$var_accounts_passwords_pam_faillock_deny") }}} +diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/bash/shared.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/bash/shared.sh +index b03dd30d13..87310288c1 100644 +--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/bash/shared.sh ++++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/bash/shared.sh +@@ -3,6 +3,6 @@ + # include our remediation functions library + . /usr/share/scap-security-guide/remediation_functions + +-populate var_accounts_passwords_pam_faillock_fail_interval ++{{{ bash_instantiate_variables("var_accounts_passwords_pam_faillock_fail_interval") }}} + + {{{ bash_set_faillock_option("fail_interval", "$var_accounts_passwords_pam_faillock_fail_interval") }}} +diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/bash/shared.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/bash/shared.sh +index daaab487f6..7e36721d5f 100644 +--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/bash/shared.sh ++++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/bash/shared.sh +@@ -1,5 +1,5 @@ + # platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv + . /usr/share/scap-security-guide/remediation_functions +-populate var_accounts_passwords_pam_faillock_unlock_time ++{{{ bash_instantiate_variables("var_accounts_passwords_pam_faillock_unlock_time") }}} + + {{{ bash_set_faillock_option("unlock_time", "$var_accounts_passwords_pam_faillock_unlock_time") }}} +diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/bash/shared.sh b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/bash/shared.sh +index a4e1c47a89..f69152b225 100644 +--- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/bash/shared.sh ++++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/bash/shared.sh +@@ -1,6 +1,6 @@ + # platform = Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8,Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ol,multi_platform_wrlinux + . /usr/share/scap-security-guide/remediation_functions +-populate var_password_pam_retry ++{{{ bash_instantiate_variables("var_password_pam_retry") }}} + + if grep -q "retry=" /etc/pam.d/system-auth ; then + sed -i --follow-symlinks "s/\(retry *= *\).*/\1$var_password_pam_retry/" /etc/pam.d/system-auth +diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/configure_opensc_card_drivers/bash/shared.sh b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/configure_opensc_card_drivers/bash/shared.sh +index 5a63a4258d..4e80be4faf 100644 +--- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/configure_opensc_card_drivers/bash/shared.sh ++++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/configure_opensc_card_drivers/bash/shared.sh +@@ -5,7 +5,7 @@ + # disruption = low + + . /usr/share/scap-security-guide/remediation_functions +-populate var_smartcard_drivers ++{{{ bash_instantiate_variables("var_smartcard_drivers") }}} + + OPENSC_TOOL="/usr/bin/opensc-tool" + +diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/force_opensc_card_drivers/bash/shared.sh b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/force_opensc_card_drivers/bash/shared.sh +index 421ec55598..7c763a8778 100644 +--- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/force_opensc_card_drivers/bash/shared.sh ++++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/force_opensc_card_drivers/bash/shared.sh +@@ -5,7 +5,7 @@ + # disruption = low + + . /usr/share/scap-security-guide/remediation_functions +-populate var_smartcard_drivers ++{{{ bash_instantiate_variables("var_smartcard_drivers") }}} + + OPENSC_TOOL="/usr/bin/opensc-tool" + +diff --git a/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_disable_post_pw_expiration/bash/shared.sh b/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_disable_post_pw_expiration/bash/shared.sh +index 299a519e24..c8c2a90e4c 100644 +--- a/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_disable_post_pw_expiration/bash/shared.sh ++++ b/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_disable_post_pw_expiration/bash/shared.sh +@@ -1,5 +1,5 @@ + # platform = multi_platform_wrlinux,multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv + . /usr/share/scap-security-guide/remediation_functions +-populate var_account_disable_post_pw_expiration ++{{{ bash_instantiate_variables("var_account_disable_post_pw_expiration") }}} + + replace_or_append '/etc/default/useradd' '^INACTIVE' "$var_account_disable_post_pw_expiration" '@CCENUM@' '%s=%s' +diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/bash/shared.sh b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/bash/shared.sh +index 9c61548d3a..135eb49d78 100644 +--- a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/bash/shared.sh ++++ b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/bash/shared.sh +@@ -1,6 +1,6 @@ + # platform = multi_platform_wrlinux,multi_platform_rhel,multi_platform_ol,multi_platform_rhv,multi_platform_fedora + . /usr/share/scap-security-guide/remediation_functions +-populate var_accounts_maximum_age_login_defs ++{{{ bash_instantiate_variables("var_accounts_maximum_age_login_defs") }}} + + grep -q ^PASS_MAX_DAYS /etc/login.defs && \ + sed -i "s/PASS_MAX_DAYS.*/PASS_MAX_DAYS $var_accounts_maximum_age_login_defs/g" /etc/login.defs +diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_minimum_age_login_defs/bash/fedora.sh b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_minimum_age_login_defs/bash/fedora.sh +index ad2d515949..b9c6aade42 100644 +--- a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_minimum_age_login_defs/bash/fedora.sh ++++ b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_minimum_age_login_defs/bash/fedora.sh +@@ -1,7 +1,7 @@ + # platform = multi_platform_fedora + . /usr/share/scap-security-guide/remediation_functions + declare var_accounts_minimum_age_login_defs +-populate var_accounts_minimum_age_login_defs ++{{{ bash_instantiate_variables("var_accounts_minimum_age_login_defs") }}} + + grep -q ^PASS_MIN_DAYS /etc/login.defs && \ + sed -i "s/PASS_MIN_DAYS.*/PASS_MIN_DAYS\t$var_accounts_minimum_age_login_defs/g" /etc/login.defs +diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_minimum_age_login_defs/bash/rhel6.sh b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_minimum_age_login_defs/bash/rhel6.sh +index 4221a32e15..8e28c756bf 100644 +--- a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_minimum_age_login_defs/bash/rhel6.sh ++++ b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_minimum_age_login_defs/bash/rhel6.sh +@@ -1,6 +1,6 @@ + # platform = Red Hat Enterprise Linux 6 + . /usr/share/scap-security-guide/remediation_functions +-populate var_accounts_minimum_age_login_defs ++{{{ bash_instantiate_variables("var_accounts_minimum_age_login_defs") }}} + + grep -q ^PASS_MIN_DAYS /etc/login.defs && \ + sed -i "s/PASS_MIN_DAYS.*/PASS_MIN_DAYS $var_accounts_minimum_age_login_defs/g" /etc/login.defs +diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_minimum_age_login_defs/bash/shared.sh b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_minimum_age_login_defs/bash/shared.sh +index 403a40ccb2..870b5b1c7c 100644 +--- a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_minimum_age_login_defs/bash/shared.sh ++++ b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_minimum_age_login_defs/bash/shared.sh +@@ -1,6 +1,6 @@ + # platform = multi_platform_wrlinux,Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8,multi_platform_ol,multi_platform_rhv + . /usr/share/scap-security-guide/remediation_functions +-populate var_accounts_minimum_age_login_defs ++{{{ bash_instantiate_variables("var_accounts_minimum_age_login_defs") }}} + + grep -q ^PASS_MIN_DAYS /etc/login.defs && \ + sed -i "s/PASS_MIN_DAYS.*/PASS_MIN_DAYS $var_accounts_minimum_age_login_defs/g" /etc/login.defs +diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_minlen_login_defs/bash/shared.sh b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_minlen_login_defs/bash/shared.sh +index 688cf2d04f..eb4121394c 100644 +--- a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_minlen_login_defs/bash/shared.sh ++++ b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_minlen_login_defs/bash/shared.sh +@@ -1,7 +1,7 @@ + # platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ol,multi_platform_rhel + . /usr/share/scap-security-guide/remediation_functions + declare var_accounts_password_minlen_login_defs +-populate var_accounts_password_minlen_login_defs ++{{{ bash_instantiate_variables("var_accounts_password_minlen_login_defs") }}} + + grep -q ^PASS_MIN_LEN /etc/login.defs && \ + sed -i "s/PASS_MIN_LEN.*/PASS_MIN_LEN\t$var_accounts_password_minlen_login_defs/g" /etc/login.defs +diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_warn_age_login_defs/bash/fedora.sh b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_warn_age_login_defs/bash/fedora.sh +index 8289cbffd8..98a6381af4 100644 +--- a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_warn_age_login_defs/bash/fedora.sh ++++ b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_warn_age_login_defs/bash/fedora.sh +@@ -1,7 +1,7 @@ + # platform = multi_platform_fedora + . /usr/share/scap-security-guide/remediation_functions + declare var_accounts_password_warn_age_login_defs +-populate var_accounts_password_warn_age_login_defs ++{{{ bash_instantiate_variables("var_accounts_password_warn_age_login_defs") }}} + + grep -q ^PASS_WARN_AGE /etc/login.defs && \ + sed -i "s/PASS_WARN_AGE.*/PASS_WARN_AGE\t$var_accounts_password_warn_age_login_defs/g" /etc/login.defs +diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_warn_age_login_defs/bash/rhel6.sh b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_warn_age_login_defs/bash/rhel6.sh +index 155a12d534..922158064b 100644 +--- a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_warn_age_login_defs/bash/rhel6.sh ++++ b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_warn_age_login_defs/bash/rhel6.sh +@@ -1,6 +1,6 @@ + # platform = Red Hat Enterprise Linux 6 + . /usr/share/scap-security-guide/remediation_functions +-populate var_accounts_password_warn_age_login_defs ++{{{ bash_instantiate_variables("var_accounts_password_warn_age_login_defs") }}} + + grep -q ^PASS_WARN_AGE /etc/login.defs && \ + sed -i "s/PASS_WARN_AGE.*/PASS_WARN_AGE $var_accounts_password_warn_age_login_defs/g" /etc/login.defs +diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_warn_age_login_defs/bash/shared.sh b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_warn_age_login_defs/bash/shared.sh +index eaf461d0cd..800eecc802 100644 +--- a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_warn_age_login_defs/bash/shared.sh ++++ b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_warn_age_login_defs/bash/shared.sh +@@ -1,6 +1,6 @@ + # platform = Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8,Red Hat Virtualization 4 + . /usr/share/scap-security-guide/remediation_functions +-populate var_accounts_password_warn_age_login_defs ++{{{ bash_instantiate_variables("var_accounts_password_warn_age_login_defs") }}} + + grep -q ^PASS_WARN_AGE /etc/login.defs && \ + sed -i "s/PASS_WARN_AGE.*/PASS_WARN_AGE $var_accounts_password_warn_age_login_defs/g" /etc/login.defs +diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_warn_age_login_defs/bash/wrlinux.sh b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_warn_age_login_defs/bash/wrlinux.sh +index 8f3524312c..fed1c7bafa 100644 +--- a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_warn_age_login_defs/bash/wrlinux.sh ++++ b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_warn_age_login_defs/bash/wrlinux.sh +@@ -1,7 +1,7 @@ + # platform = multi_platform_wrlinux + . /usr/share/scap-security-guide/remediation_functions + declare var_accounts_password_warn_age_login_defs +-populate var_accounts_password_warn_age_login_defs ++{{{ bash_instantiate_variables("var_accounts_password_warn_age_login_defs") }}} + + grep -q ^PASS_WARN_AGE /etc/login.defs && \ + sed -i "s/PASS_WARN_AGE.*/PASS_WARN_AGE\t$var_accounts_password_warn_age_login_defs/g" /etc/login.defs +diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_logon_fail_delay/bash/shared.sh b/linux_os/guide/system/accounts/accounts-session/accounts_logon_fail_delay/bash/shared.sh +index 2a06038be4..a8a77c12b8 100644 +--- a/linux_os/guide/system/accounts/accounts-session/accounts_logon_fail_delay/bash/shared.sh ++++ b/linux_os/guide/system/accounts/accounts-session/accounts_logon_fail_delay/bash/shared.sh +@@ -4,6 +4,6 @@ + . /usr/share/scap-security-guide/remediation_functions + + # Set variables +-populate var_accounts_fail_delay ++{{{ bash_instantiate_variables("var_accounts_fail_delay") }}} + + replace_or_append '/etc/login.defs' '^FAIL_DELAY' "$var_accounts_fail_delay" '@CCENUM@' '%s %s' +diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_max_concurrent_login_sessions/bash/shared.sh b/linux_os/guide/system/accounts/accounts-session/accounts_max_concurrent_login_sessions/bash/shared.sh +index 0d2f103b31..65066e77ce 100644 +--- a/linux_os/guide/system/accounts/accounts-session/accounts_max_concurrent_login_sessions/bash/shared.sh ++++ b/linux_os/guide/system/accounts/accounts-session/accounts_max_concurrent_login_sessions/bash/shared.sh +@@ -1,6 +1,6 @@ + # platform = Red Hat Virtualization 4,multi_platform_ol,multi_platform_rhel,multi_platform_wrlinux + . /usr/share/scap-security-guide/remediation_functions +-populate var_accounts_max_concurrent_login_sessions ++{{{ bash_instantiate_variables("var_accounts_max_concurrent_login_sessions") }}} + + if grep -q '^[^#]*\' /etc/security/limits.d/*.conf; then + sed -i "/^[^#]*\/ s/maxlogins.*/maxlogins $var_accounts_max_concurrent_login_sessions/" /etc/security/limits.d/*.conf +diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_tmout/bash/shared.sh b/linux_os/guide/system/accounts/accounts-session/accounts_tmout/bash/shared.sh +index 93c34fb59f..31b2872628 100644 +--- a/linux_os/guide/system/accounts/accounts-session/accounts_tmout/bash/shared.sh ++++ b/linux_os/guide/system/accounts/accounts-session/accounts_tmout/bash/shared.sh +@@ -1,6 +1,6 @@ + # platform = Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8,Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ol,multi_platform_wrlinux + . /usr/share/scap-security-guide/remediation_functions +-populate var_accounts_tmout ++{{{ bash_instantiate_variables("var_accounts_tmout") }}} + + if grep --silent ^TMOUT /etc/profile ; then + sed -i "s/^TMOUT.*/TMOUT=$var_accounts_tmout/g" /etc/profile +diff --git a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_bashrc/bash/shared.sh b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_bashrc/bash/shared.sh +index c707ec31c7..a83016964e 100644 +--- a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_bashrc/bash/shared.sh ++++ b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_bashrc/bash/shared.sh +@@ -1,6 +1,6 @@ + # platform = Red Hat Virtualization 4,multi_platform_rhel,multi_platform_ol + . /usr/share/scap-security-guide/remediation_functions +-populate var_accounts_user_umask ++{{{ bash_instantiate_variables("var_accounts_user_umask") }}} + + grep -q umask /etc/bashrc && \ + sed -i "s/umask.*/umask $var_accounts_user_umask/g" /etc/bashrc +diff --git a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_csh_cshrc/bash/shared.sh b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_csh_cshrc/bash/shared.sh +index 0289a93c96..716dede405 100644 +--- a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_csh_cshrc/bash/shared.sh ++++ b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_csh_cshrc/bash/shared.sh +@@ -1,6 +1,6 @@ + # platform = Red Hat Virtualization 4,multi_platform_rhel,multi_platform_ol + . /usr/share/scap-security-guide/remediation_functions +-populate var_accounts_user_umask ++{{{ bash_instantiate_variables("var_accounts_user_umask") }}} + + grep -q umask /etc/csh.cshrc && \ + sed -i "s/umask.*/umask $var_accounts_user_umask/g" /etc/csh.cshrc +diff --git a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_login_defs/bash/shared.sh b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_login_defs/bash/shared.sh +index 0fcc273705..f74cbfe5af 100644 +--- a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_login_defs/bash/shared.sh ++++ b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_login_defs/bash/shared.sh +@@ -1,5 +1,5 @@ + # platform = Red Hat Virtualization 4,multi_platform_rhel,multi_platform_wrlinux,multi_platform_ol + . /usr/share/scap-security-guide/remediation_functions +-populate var_accounts_user_umask ++{{{ bash_instantiate_variables("var_accounts_user_umask") }}} + + replace_or_append '/etc/login.defs' '^UMASK' "$var_accounts_user_umask" '@CCENUM@' '%s %s' +diff --git a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_profile/bash/shared.sh b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_profile/bash/shared.sh +index 198cba5772..12acd6e90f 100644 +--- a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_profile/bash/shared.sh ++++ b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_profile/bash/shared.sh +@@ -1,6 +1,6 @@ + # platform = Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8,Red Hat Virtualization 4,multi_platform_wrlinux,multi_platform_ol + . /usr/share/scap-security-guide/remediation_functions +-populate var_accounts_user_umask ++{{{ bash_instantiate_variables("var_accounts_user_umask") }}} + + grep -q umask /etc/profile && \ + sed -i "s/umask.*/umask $var_accounts_user_umask/g" /etc/profile +diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_configure_remote_server/bash/shared.sh b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_configure_remote_server/bash/shared.sh +index 517f384f22..0e3d32fd36 100644 +--- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_configure_remote_server/bash/shared.sh ++++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_configure_remote_server/bash/shared.sh +@@ -1,6 +1,6 @@ + # platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_wrlinux + . /usr/share/scap-security-guide/remediation_functions +-populate var_audispd_remote_server ++{{{ bash_instantiate_variables("var_audispd_remote_server") }}} + + {{% if product in ["rhel8", "fedora", "ol8", "rhv4"] %}} + AUDITCONFIG=/etc/audit/audisp-remote.conf +diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_disk_error_action/bash/shared.sh b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_disk_error_action/bash/shared.sh +index 6b953f8d96..2b17ddd89b 100644 +--- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_disk_error_action/bash/shared.sh ++++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_disk_error_action/bash/shared.sh +@@ -1,6 +1,6 @@ + # platform = Red Hat Virtualization 4,multi_platform_rhel + . /usr/share/scap-security-guide/remediation_functions +-populate var_auditd_disk_error_action ++{{{ bash_instantiate_variables("var_auditd_disk_error_action") }}} + + # + # If disk_error_action present in /etc/audit/auditd.conf, change value +diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_disk_full_action/bash/shared.sh b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_disk_full_action/bash/shared.sh +index 3092d92076..adc4c21e5f 100644 +--- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_disk_full_action/bash/shared.sh ++++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_disk_full_action/bash/shared.sh +@@ -3,6 +3,6 @@ + # Include source function library. + . /usr/share/scap-security-guide/remediation_functions + +-populate var_auditd_disk_full_action ++{{{ bash_instantiate_variables("var_auditd_disk_full_action") }}} + + replace_or_append /etc/audit/auditd.conf '^disk_full_action' "$var_auditd_disk_full_action" "@CCENUM@" +diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_action_mail_acct/bash/shared.sh b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_action_mail_acct/bash/shared.sh +index b81a26fef3..ab056b0e54 100644 +--- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_action_mail_acct/bash/shared.sh ++++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_action_mail_acct/bash/shared.sh +@@ -1,6 +1,6 @@ + # platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_wrlinux + . /usr/share/scap-security-guide/remediation_functions +-populate var_auditd_action_mail_acct ++{{{ bash_instantiate_variables("var_auditd_action_mail_acct") }}} + + AUDITCONFIG=/etc/audit/auditd.conf + +diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_admin_space_left_action/bash/shared.sh b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_admin_space_left_action/bash/shared.sh +index c9435c91ec..0c23a906ea 100644 +--- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_admin_space_left_action/bash/shared.sh ++++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_admin_space_left_action/bash/shared.sh +@@ -1,7 +1,7 @@ + # platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_wrlinux + . /usr/share/scap-security-guide/remediation_functions + +-populate var_auditd_admin_space_left_action ++{{{ bash_instantiate_variables("var_auditd_admin_space_left_action") }}} + + AUDITCONFIG=/etc/audit/auditd.conf + +diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_flush/bash/shared.sh b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_flush/bash/shared.sh +index 17dea67b36..efe151c683 100644 +--- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_flush/bash/shared.sh ++++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_flush/bash/shared.sh +@@ -1,6 +1,6 @@ + # platform = Red Hat Virtualization 4,multi_platform_ol,multi_platform_rhel + . /usr/share/scap-security-guide/remediation_functions +-populate var_auditd_flush ++{{{ bash_instantiate_variables("var_auditd_flush") }}} + + AUDITCONFIG=/etc/audit/auditd.conf + +diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_max_log_file/bash/shared.sh b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_max_log_file/bash/shared.sh +index d1e044e5b6..9f40589027 100644 +--- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_max_log_file/bash/shared.sh ++++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_max_log_file/bash/shared.sh +@@ -1,6 +1,6 @@ + # platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ol,multi_platform_rhel + . /usr/share/scap-security-guide/remediation_functions +-populate var_auditd_max_log_file ++{{{ bash_instantiate_variables("var_auditd_max_log_file") }}} + + AUDITCONFIG=/etc/audit/auditd.conf + +diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_max_log_file_action/bash/shared.sh b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_max_log_file_action/bash/shared.sh +index 1b51d54b5d..42f987dde4 100644 +--- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_max_log_file_action/bash/shared.sh ++++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_max_log_file_action/bash/shared.sh +@@ -1,6 +1,6 @@ + # platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ol,multi_platform_rhel + . /usr/share/scap-security-guide/remediation_functions +-populate var_auditd_max_log_file_action ++{{{ bash_instantiate_variables("var_auditd_max_log_file_action") }}} + + AUDITCONFIG=/etc/audit/auditd.conf + +diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_num_logs/bash/shared.sh b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_num_logs/bash/shared.sh +index 6d671e1b8d..797c28a0f8 100644 +--- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_num_logs/bash/shared.sh ++++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_num_logs/bash/shared.sh +@@ -1,6 +1,6 @@ + # platform = multi_platform_all + . /usr/share/scap-security-guide/remediation_functions +-populate var_auditd_num_logs ++{{{ bash_instantiate_variables("var_auditd_num_logs") }}} + + AUDITCONFIG=/etc/audit/auditd.conf + +diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left/bash/shared.sh b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left/bash/shared.sh +index 8dc69e8313..77e622c1ac 100644 +--- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left/bash/shared.sh ++++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left/bash/shared.sh +@@ -1,6 +1,6 @@ + # platform = Red Hat Virtualization 4,multi_platform_rhel,multi_platform_wrlinux,multi_platform_ol + . /usr/share/scap-security-guide/remediation_functions +-populate var_auditd_space_left ++{{{ bash_instantiate_variables("var_auditd_space_left") }}} + + grep -q "^space_left[[:space:]]*=.*$" /etc/audit/auditd.conf && \ + sed -i "s/^space_left[[:space:]]*=.*$/space_left = $var_auditd_space_left/g" /etc/audit/auditd.conf || \ +diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left_action/bash/shared.sh b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left_action/bash/shared.sh +index e5f45efcf2..1d2b211cdf 100644 +--- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left_action/bash/shared.sh ++++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left_action/bash/shared.sh +@@ -1,6 +1,6 @@ + # platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ol,multi_platform_rhel + . /usr/share/scap-security-guide/remediation_functions +-populate var_auditd_space_left_action ++{{{ bash_instantiate_variables("var_auditd_space_left_action") }}} + + # + # If space_left_action present in /etc/audit/auditd.conf, change value +diff --git a/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/bash/shared.sh b/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/bash/shared.sh +index 2557815651..836f0af279 100644 +--- a/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/bash/shared.sh ++++ b/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/bash/shared.sh +@@ -2,6 +2,6 @@ + + . /usr/share/scap-security-guide/remediation_functions + +-populate rsyslog_remote_loghost_address ++{{{ bash_instantiate_variables("rsyslog_remote_loghost_address") }}} + + replace_or_append '/etc/rsyslog.conf' '^\*\.\*' "@@$rsyslog_remote_loghost_address" '@CCENUM@' '%s %s' +diff --git a/linux_os/guide/system/network/network-firewalld/ruleset_modifications/configure_firewalld_ports/bash/shared.sh b/linux_os/guide/system/network/network-firewalld/ruleset_modifications/configure_firewalld_ports/bash/shared.sh +index fcf387e592..0a698d3c9f 100644 +--- a/linux_os/guide/system/network/network-firewalld/ruleset_modifications/configure_firewalld_ports/bash/shared.sh ++++ b/linux_os/guide/system/network/network-firewalld/ruleset_modifications/configure_firewalld_ports/bash/shared.sh +@@ -8,7 +8,7 @@ + + {{{ bash_package_install("firewalld") }}} + +-populate firewalld_sshd_zone ++{{{ bash_instantiate_variables("firewalld_sshd_zone") }}} + + # This assumes that firewalld_sshd_zone is one of the pre-defined zones + if [ ! -f /etc/firewalld/zones/${firewalld_sshd_zone}.xml ]; then +diff --git a/linux_os/guide/system/permissions/restrictions/daemon_umask/umask_for_daemons/bash/rhel6.sh b/linux_os/guide/system/permissions/restrictions/daemon_umask/umask_for_daemons/bash/rhel6.sh +index 947872bb21..1a15167ab0 100644 +--- a/linux_os/guide/system/permissions/restrictions/daemon_umask/umask_for_daemons/bash/rhel6.sh ++++ b/linux_os/guide/system/permissions/restrictions/daemon_umask/umask_for_daemons/bash/rhel6.sh +@@ -1,6 +1,6 @@ + # platform = Red Hat Enterprise Linux 6 + . /usr/share/scap-security-guide/remediation_functions +-populate var_umask_for_daemons ++{{{ bash_instantiate_variables("var_umask_for_daemons") }}} + + grep -q ^umask /etc/init.d/functions && \ + sed -i "s/umask.*/umask $var_umask_for_daemons/g" /etc/init.d/functions +diff --git a/linux_os/guide/system/permissions/restrictions/daemon_umask/umask_for_daemons/bash/shared.sh b/linux_os/guide/system/permissions/restrictions/daemon_umask/umask_for_daemons/bash/shared.sh +index 175e10c24c..f689f4b2a1 100644 +--- a/linux_os/guide/system/permissions/restrictions/daemon_umask/umask_for_daemons/bash/shared.sh ++++ b/linux_os/guide/system/permissions/restrictions/daemon_umask/umask_for_daemons/bash/shared.sh +@@ -1,6 +1,6 @@ + # platform = Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8 + . /usr/share/scap-security-guide/remediation_functions +-populate var_umask_for_daemons ++{{{ bash_instantiate_variables("var_umask_for_daemons") }}} + + grep -q ^umask /etc/init.d/functions && \ + sed -i "s/umask.*/umask $var_umask_for_daemons/g" /etc/init.d/functions +diff --git a/linux_os/guide/system/selinux/selinux_policytype/bash/shared.sh b/linux_os/guide/system/selinux/selinux_policytype/bash/shared.sh +index b4f79c97f9..d84c8acc3f 100644 +--- a/linux_os/guide/system/selinux/selinux_policytype/bash/shared.sh ++++ b/linux_os/guide/system/selinux/selinux_policytype/bash/shared.sh +@@ -7,6 +7,6 @@ + # Include source function library. + . /usr/share/scap-security-guide/remediation_functions + +-populate var_selinux_policy_name ++{{{ bash_instantiate_variables("var_selinux_policy_name") }}} + + {{{ bash_selinux_config_set(parameter="SELINUXTYPE", value="$var_selinux_policy_name") }}} +diff --git a/linux_os/guide/system/selinux/selinux_state/bash/shared.sh b/linux_os/guide/system/selinux/selinux_state/bash/shared.sh +index 645a7acab4..ad53e52aac 100644 +--- a/linux_os/guide/system/selinux/selinux_state/bash/shared.sh ++++ b/linux_os/guide/system/selinux/selinux_state/bash/shared.sh +@@ -7,7 +7,7 @@ + # Include source function library. + . /usr/share/scap-security-guide/remediation_functions + +-populate var_selinux_state ++{{{ bash_instantiate_variables("var_selinux_state") }}} + + {{{ bash_selinux_config_set(parameter="SELINUX", value="$var_selinux_state") }}} + +diff --git a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_idle_delay/bash/shared.sh b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_idle_delay/bash/shared.sh +index ef8af07aa0..ab0462e53f 100644 +--- a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_idle_delay/bash/shared.sh ++++ b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_idle_delay/bash/shared.sh +@@ -1,6 +1,6 @@ + # platform = Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8,multi_platform_fedora,multi_platform_ol + . /usr/share/scap-security-guide/remediation_functions +-populate inactivity_timeout_value ++{{{ bash_instantiate_variables("inactivity_timeout_value") }}} + + {{{ bash_dconf_settings("org/gnome/desktop/session", "idle-delay", "uint32 ${inactivity_timeout_value}", "local.d", "00-security-settings") }}} + {{{ bash_dconf_lock("org/gnome/desktop/session", "idle-delay", "local.d", "00-security-settings-lock") }}} +diff --git a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_lock_delay/bash/shared.sh b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_lock_delay/bash/shared.sh +index 124c14737e..5c37b1d913 100644 +--- a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_lock_delay/bash/shared.sh ++++ b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_lock_delay/bash/shared.sh +@@ -1,6 +1,6 @@ + # platform = Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8,multi_platform_fedora,multi_platform_ol + . /usr/share/scap-security-guide/remediation_functions +-populate var_screensaver_lock_delay ++{{{ bash_instantiate_variables("var_screensaver_lock_delay") }}} + + {{{ bash_dconf_settings("org/gnome/desktop/screensaver", "lock-delay", "uint32 ${var_screensaver_lock_delay}", "local.d", "00-security-settings") }}} + {{{ bash_dconf_lock("org/gnome/desktop/screensaver", "lock-delay", "local.d", "00-security-settings-lock") }}} +diff --git a/linux_os/guide/system/software/gnome/gnome_screen_locking/gconf_gnome_screensaver_idle_delay/bash/rhel6.sh b/linux_os/guide/system/software/gnome/gnome_screen_locking/gconf_gnome_screensaver_idle_delay/bash/rhel6.sh +index e1947f3df0..77b8a647ca 100644 +--- a/linux_os/guide/system/software/gnome/gnome_screen_locking/gconf_gnome_screensaver_idle_delay/bash/rhel6.sh ++++ b/linux_os/guide/system/software/gnome/gnome_screen_locking/gconf_gnome_screensaver_idle_delay/bash/rhel6.sh +@@ -1,6 +1,6 @@ + # platform = Red Hat Enterprise Linux 6 + . /usr/share/scap-security-guide/remediation_functions +-populate inactivity_timeout_value ++{{{ bash_instantiate_variables("inactivity_timeout_value") }}} + + # Install GConf2 package if not installed + if ! rpm -q GConf2; then +diff --git a/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/bash/shared.sh b/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/bash/shared.sh +index fb3ed9fe76..d37f1263d2 100644 +--- a/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/bash/shared.sh ++++ b/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/bash/shared.sh +@@ -3,7 +3,7 @@ + # include remediation functions library + . /usr/share/scap-security-guide/remediation_functions + +-populate var_system_crypto_policy ++{{{ bash_instantiate_variables("var_system_crypto_policy") }}} + + stderr_of_call=$(update-crypto-policies --set ${var_system_crypto_policy} 2>&1 > /dev/null) + rc=$? +diff --git a/linux_os/guide/system/software/sap_host/accounts_authorized_local_users/bash/shared.sh b/linux_os/guide/system/software/sap_host/accounts_authorized_local_users/bash/shared.sh +index 80193ae1e5..c342acf36d 100644 +--- a/linux_os/guide/system/software/sap_host/accounts_authorized_local_users/bash/shared.sh ++++ b/linux_os/guide/system/software/sap_host/accounts_authorized_local_users/bash/shared.sh +@@ -1,6 +1,6 @@ + # platform = multi_platform_ol + . /usr/share/scap-security-guide/remediation_functions +-populate var_accounts_authorized_local_users_regex ++{{{ bash_instantiate_variables("var_accounts_authorized_local_users_regex") }}} + + # never delete the root user + default_os_user="root" +diff --git a/linux_os/guide/system/software/sap_host/accounts_authorized_local_users_sidadm_orasid/bash/shared.sh b/linux_os/guide/system/software/sap_host/accounts_authorized_local_users_sidadm_orasid/bash/shared.sh +index c361e4c766..9d444d297d 100644 +--- a/linux_os/guide/system/software/sap_host/accounts_authorized_local_users_sidadm_orasid/bash/shared.sh ++++ b/linux_os/guide/system/software/sap_host/accounts_authorized_local_users_sidadm_orasid/bash/shared.sh +@@ -1,6 +1,6 @@ + # platform = multi_platform_ol + . /usr/share/scap-security-guide/remediation_functions +-populate var_accounts_authorized_local_users_regex ++{{{ bash_instantiate_variables("var_accounts_authorized_local_users_regex") }}} + + # never delete the root user + default_os_user="root" +diff --git a/shared/templates/template_BASH_accounts_password b/shared/templates/template_BASH_accounts_password +index 688185365c..2de2652881 100644 +--- a/shared/templates/template_BASH_accounts_password ++++ b/shared/templates/template_BASH_accounts_password +@@ -4,7 +4,7 @@ + # complexity = low + # disruption = low + . /usr/share/scap-security-guide/remediation_functions +-populate var_password_pam_{{{ VARIABLE }}} ++{{{ bash_instantiate_variables("var_password_pam_" + VARIABLE) }}} + + {{% if product == "rhel6" %}} + {{# There is no package libpwquality for RHEL6 #}} +diff --git a/shared/templates/template_BASH_mount_option_removable_partitions b/shared/templates/template_BASH_mount_option_removable_partitions +index 5293bffc1a..5b0e8161c6 100644 +--- a/shared/templates/template_BASH_mount_option_removable_partitions ++++ b/shared/templates/template_BASH_mount_option_removable_partitions +@@ -4,7 +4,7 @@ + # Include source function library. + . /usr/share/scap-security-guide/remediation_functions + +-populate var_removable_partition ++{{{ bash_instantiate_variables("var_removable_partition") }}} + + device_regex="^\s*$var_removable_partition\s\+" + mount_option="{{{ MOUNTOPTION }}}" +diff --git a/shared/templates/template_BASH_sebool b/shared/templates/template_BASH_sebool +index 96b71ba726..e9aab9d981 100644 +--- a/shared/templates/template_BASH_sebool ++++ b/shared/templates/template_BASH_sebool +@@ -9,7 +9,7 @@ + {{% if SEBOOL_BOOL %}} + setsebool -P {{{ SEBOOLID }}} {{{ SEBOOL_BOOL }}} + {{% else %}} +-populate var_{{{ SEBOOLID }}} ++{{{ bash_instantiate_variables("var_" + SEBOOLID) }}} + + setsebool -P {{{ SEBOOLID }}} $var_{{{ SEBOOLID }}} + {{% endif %}} +diff --git a/shared/templates/template_BASH_sysctl b/shared/templates/template_BASH_sysctl +index 4ee57967dc..a87d63d038 100644 +--- a/shared/templates/template_BASH_sysctl ++++ b/shared/templates/template_BASH_sysctl +@@ -5,7 +5,7 @@ + # disruption = medium + . /usr/share/scap-security-guide/remediation_functions + {{%- if SYSCTLVAL == "" %}} +-populate sysctl_{{{ SYSCTLID }}}_value ++{{{ bash_instantiate_variables("sysctl_" + SYSCTLID + "_value") }}} + + # + # Set runtime for {{{ SYSCTLVAR }}} + +From 359c54f7b59ad70a9ce9a1053a28ee91ec4a6fa2 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= +Date: Fri, 4 Sep 2020 12:30:45 +0200 +Subject: [PATCH 3/3] Replaced XCCDF value instantiation in Ansible by a macro + call. + +The former - (xccdf-var ...) mechanism is not Ansible, and jinja is well-established +in our project as an interface between user input and final content. +--- + .../postfix_network_listening_disabled/ansible/shared.yml | 2 +- + .../ntp/chronyd_specify_remote_server/ansible/shared.yml | 2 +- + .../ssh_server/firewalld_sshd_port_enabled/ansible/shared.yml | 2 +- + .../ssh/ssh_server/sshd_set_idle_timeout/ansible/shared.yml | 2 +- + .../ssh/ssh_server/sshd_set_keepalive/ansible/shared.yml | 2 +- + .../ssh/ssh_server/sshd_set_max_auth_tries/ansible/shared.yml | 2 +- + .../ssh/ssh_server/sshd_set_max_sessions/ansible/shared.yml | 2 +- + .../ssh/ssh_server/sshd_use_approved_ciphers/ansible/shared.yml | 2 +- + .../ssh/ssh_server/sshd_use_approved_macs/ansible/shared.yml | 2 +- + .../services/sssd/sssd_memcache_timeout/ansible/shared.yml | 2 +- + .../sssd/sssd_ssh_known_hosts_timeout/ansible/shared.yml | 2 +- + .../accounts-banners/banner_etc_issue/ansible/shared.yml | 2 +- + .../accounts-banners/banner_etc_motd/ansible/shared.yml | 2 +- + .../dconf_gnome_login_banner_text/ansible/shared.yml | 2 +- + .../accounts_password_pam_unix_remember/ansible/shared.yml | 2 +- + .../accounts_passwords_pam_faillock_deny/ansible/shared.yml | 2 +- + .../accounts_passwords_pam_faillock_interval/ansible/shared.yml | 2 +- + .../ansible/shared.yml | 2 +- + .../accounts_password_pam_retry/ansible/shared.yml | 2 +- + .../configure_opensc_card_drivers/ansible/shared.yml | 2 +- + .../force_opensc_card_drivers/ansible/shared.yml | 2 +- + .../account_disable_post_pw_expiration/ansible/shared.yml | 2 +- + .../accounts_maximum_age_login_defs/ansible/shared.yml | 2 +- + .../accounts_minimum_age_login_defs/ansible/shared.yml | 2 +- + .../accounts_password_minlen_login_defs/ansible/shared.yml | 2 +- + .../accounts_password_warn_age_login_defs/ansible/shared.yml | 2 +- + .../accounts_logon_fail_delay/ansible/shared.yml | 2 +- + .../accounts/accounts-session/accounts_tmout/ansible/shared.yml | 2 +- + .../user_umask/accounts_umask_etc_bashrc/ansible/shared.yml | 2 +- + .../user_umask/accounts_umask_etc_csh_cshrc/ansible/shared.yml | 2 +- + .../user_umask/accounts_umask_etc_login_defs/ansible/shared.yml | 2 +- + .../user_umask/accounts_umask_etc_profile/ansible/shared.yml | 2 +- + .../auditd_audispd_configure_remote_server/ansible/shared.yml | 2 +- + .../auditd_data_disk_error_action/ansible/shared.yml | 2 +- + .../auditd_data_disk_full_action/ansible/shared.yml | 2 +- + .../auditd_data_retention_action_mail_acct/ansible/shared.yml | 2 +- + .../ansible/shared.yml | 2 +- + .../auditd_data_retention_flush/ansible/shared.yml | 2 +- + .../auditd_data_retention_max_log_file/ansible/shared.yml | 2 +- + .../ansible/shared.yml | 2 +- + .../auditd_data_retention_num_logs/ansible/shared.yml | 2 +- + .../auditd_data_retention_space_left/ansible/shared.yml | 2 +- + .../auditd_data_retention_space_left_action/ansible/shared.yml | 2 +- + .../rsyslog_remote_loghost/ansible/shared.yml | 2 +- + .../dconf_gnome_screensaver_idle_delay/ansible/shared.yml | 2 +- + .../integrity/crypto/configure_crypto_policy/ansible/shared.yml | 2 +- + .../template_ANSIBLE_mount_option_removable_partitions | 2 +- + 47 files changed, 47 insertions(+), 47 deletions(-) + +diff --git a/linux_os/guide/services/mail/postfix_client/postfix_network_listening_disabled/ansible/shared.yml b/linux_os/guide/services/mail/postfix_client/postfix_network_listening_disabled/ansible/shared.yml +index f3d2af7614..e1c9d00d20 100644 +--- a/linux_os/guide/services/mail/postfix_client/postfix_network_listening_disabled/ansible/shared.yml ++++ b/linux_os/guide/services/mail/postfix_client/postfix_network_listening_disabled/ansible/shared.yml +@@ -3,7 +3,7 @@ + # strategy = restrict + # complexity = low + # disruption = low +-- (xccdf-var var_postfix_inet_interfaces) ++{{{ ansible_instantiate_variables("var_postfix_inet_interfaces") }}} + + - name: "Gather list of packages" + package_facts: +diff --git a/linux_os/guide/services/ntp/chronyd_specify_remote_server/ansible/shared.yml b/linux_os/guide/services/ntp/chronyd_specify_remote_server/ansible/shared.yml +index 0c812bdc2a..37cc359263 100644 +--- a/linux_os/guide/services/ntp/chronyd_specify_remote_server/ansible/shared.yml ++++ b/linux_os/guide/services/ntp/chronyd_specify_remote_server/ansible/shared.yml +@@ -3,7 +3,7 @@ + # strategy = configure + # complexity = low + # disruption = low +-- (xccdf-var var_multiple_time_servers) ++{{{ ansible_instantiate_variables("var_multiple_time_servers") }}} + + - name: "Detect if chrony is already configured with pools or servers" + find: +diff --git a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/ansible/shared.yml b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/ansible/shared.yml +index 3985d03542..2553a4d2e5 100644 +--- a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/ansible/shared.yml ++++ b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/ansible/shared.yml +@@ -11,7 +11,7 @@ + with_items: + - firewalld + +-- (xccdf-var sshd_listening_port) ++{{{ ansible_instantiate_variables("sshd_listening_port") }}} + + - name: Enable SSHD in firewalld (custom port) + firewalld: +diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/ansible/shared.yml b/linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/ansible/shared.yml +index affc65e2f5..2fdc9a2f22 100644 +--- a/linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/ansible/shared.yml ++++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/ansible/shared.yml +@@ -3,6 +3,6 @@ + # strategy = restrict + # complexity = low + # disruption = low +-- (xccdf-var sshd_idle_timeout_value) ++{{{ ansible_instantiate_variables("sshd_idle_timeout_value") }}} + + {{{ ansible_sshd_set(parameter="ClientAliveInterval", value="{{ sshd_idle_timeout_value }}") }}} +diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/ansible/shared.yml b/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/ansible/shared.yml +index 52600fd46e..9ce28bafc7 100644 +--- a/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/ansible/shared.yml ++++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/ansible/shared.yml +@@ -3,6 +3,6 @@ + # strategy = restrict + # complexity = low + # disruption = low +-- (xccdf-var var_sshd_set_keepalive) ++{{{ ansible_instantiate_variables("var_sshd_set_keepalive") }}} + + {{{ ansible_sshd_set(parameter="ClientAliveCountMax", value="{{ var_sshd_set_keepalive }}") }}} +diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/ansible/shared.yml b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/ansible/shared.yml +index 28f3ef0cd2..16e3130240 100644 +--- a/linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/ansible/shared.yml ++++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/ansible/shared.yml +@@ -3,6 +3,6 @@ + # strategy = restrict + # complexity = low + # disruption = low +-- (xccdf-var sshd_max_auth_tries_value) ++{{{ ansible_instantiate_variables("sshd_max_auth_tries_value") }}} + + {{{ ansible_sshd_set(parameter="MaxAuthTries", value="{{ sshd_max_auth_tries_value }}") }}} +diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/ansible/shared.yml b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/ansible/shared.yml +index 6612c6a485..3f8b6f6013 100644 +--- a/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/ansible/shared.yml ++++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/ansible/shared.yml +@@ -3,6 +3,6 @@ + # strategy = configure + # complexity = low + # disruption = low +-- (xccdf-var var_sshd_max_sessions) ++{{{ ansible_instantiate_variables("var_sshd_max_sessions") }}} + + {{{ ansible_sshd_set(parameter="MaxSessions", value="{{ var_sshd_max_sessions }}") }}} +diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/ansible/shared.yml b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/ansible/shared.yml +index 1ec8f045e8..89ac2df9db 100644 +--- a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/ansible/shared.yml ++++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/ansible/shared.yml +@@ -3,6 +3,6 @@ + # strategy = restrict + # complexity = low + # disruption = low +-- (xccdf-var sshd_approved_ciphers) ++{{{ ansible_instantiate_variables("sshd_approved_ciphers") }}} + + {{{ ansible_sshd_set(parameter="Ciphers", value="{{ sshd_approved_ciphers }}") }}} +diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs/ansible/shared.yml b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs/ansible/shared.yml +index 1a09a3197c..1a9b6990e9 100644 +--- a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs/ansible/shared.yml ++++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs/ansible/shared.yml +@@ -3,6 +3,6 @@ + # strategy = restrict + # complexity = low + # disruption = low +-- (xccdf-var sshd_approved_macs) ++{{{ ansible_instantiate_variables("sshd_approved_macs") }}} + + {{{ ansible_sshd_set(parameter="MACs", value="{{ sshd_approved_macs }}") }}} +diff --git a/linux_os/guide/services/sssd/sssd_memcache_timeout/ansible/shared.yml b/linux_os/guide/services/sssd/sssd_memcache_timeout/ansible/shared.yml +index a2213508a1..dd89d1f443 100644 +--- a/linux_os/guide/services/sssd/sssd_memcache_timeout/ansible/shared.yml ++++ b/linux_os/guide/services/sssd/sssd_memcache_timeout/ansible/shared.yml +@@ -3,7 +3,7 @@ + # strategy = unknown + # complexity = low + # disruption = medium +-- (xccdf-var var_sssd_memcache_timeout) ++{{{ ansible_instantiate_variables("var_sssd_memcache_timeout") }}} + + - name: "Test for domain group" + command: grep '\s*\[domain\/[^]]*]' /etc/sssd/sssd.conf +diff --git a/linux_os/guide/services/sssd/sssd_ssh_known_hosts_timeout/ansible/shared.yml b/linux_os/guide/services/sssd/sssd_ssh_known_hosts_timeout/ansible/shared.yml +index ea487c60b3..5bbe0ecef8 100644 +--- a/linux_os/guide/services/sssd/sssd_ssh_known_hosts_timeout/ansible/shared.yml ++++ b/linux_os/guide/services/sssd/sssd_ssh_known_hosts_timeout/ansible/shared.yml +@@ -3,7 +3,7 @@ + # strategy = unknown + # complexity = low + # disruption = medium +-- (xccdf-var var_sssd_ssh_known_hosts_timeout) ++{{{ ansible_instantiate_variables("var_sssd_ssh_known_hosts_timeout") }}} + + - name: "Test for domain group" + command: grep '\s*\[domain\/[^]]*]' /etc/sssd/sssd.conf +diff --git a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/ansible/shared.yml +index 21f0925268..f3a0c85ea5 100644 +--- a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/ansible/shared.yml ++++ b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/ansible/shared.yml +@@ -3,7 +3,7 @@ + # strategy = unknown + # complexity = low + # disruption = medium +-- (xccdf-var login_banner_text) ++{{{ ansible_instantiate_variables("login_banner_text") }}} + + - name: "{{{ rule_title }}} - remove incorrect banner" + file: +diff --git a/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/ansible/shared.yml +index dfc1c519b7..15eb3cc1cb 100644 +--- a/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/ansible/shared.yml ++++ b/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/ansible/shared.yml +@@ -3,7 +3,7 @@ + # strategy = unknown + # complexity = low + # disruption = medium +-- (xccdf-var login_banner_text) ++{{{ ansible_instantiate_variables("login_banner_text") }}} + + - name: "{{{ rule_title }}} - remove incorrect banner" + file: +diff --git a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/ansible/shared.yml +index 40cce05fbc..993916287c 100644 +--- a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/ansible/shared.yml ++++ b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/ansible/shared.yml +@@ -3,7 +3,7 @@ + # strategy = unknown + # complexity = low + # disruption = medium +-- (xccdf-var login_banner_text) ++{{{ ansible_instantiate_variables("login_banner_text") }}} + + - name: "{{{ rule_title }}}" + file: +diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/ansible/shared.yml +index 4198e524e8..75787c429d 100644 +--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/ansible/shared.yml ++++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/ansible/shared.yml +@@ -3,7 +3,7 @@ + # strategy = configure + # complexity = low + # disruption = medium +-- (xccdf-var var_password_pam_unix_remember) ++{{{ ansible_instantiate_variables("var_password_pam_unix_remember") }}} + + - name: "Do not allow users to reuse recent passwords - system-auth (change)" + replace: +diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/ansible/shared.yml +index d2b08c0e14..0622ae769c 100644 +--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/ansible/shared.yml ++++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/ansible/shared.yml +@@ -3,7 +3,7 @@ + # strategy = restrict + # complexity = low + # disruption = low +-- (xccdf-var var_accounts_passwords_pam_faillock_deny) ++{{{ ansible_instantiate_variables("var_accounts_passwords_pam_faillock_deny") }}} + + - name: Add auth pam_faillock preauth deny before pam_unix.so + pamd: +diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/ansible/shared.yml +index 7961a9eb54..96adcef63d 100644 +--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/ansible/shared.yml ++++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/ansible/shared.yml +@@ -3,7 +3,7 @@ + # strategy = restrict + # complexity = low + # disruption = low +-- (xccdf-var var_accounts_passwords_pam_faillock_fail_interval) ++{{{ ansible_instantiate_variables("var_accounts_passwords_pam_faillock_fail_interval") }}} + + - name: Add auth pam_faillock preauth fail_interval before pam_unix.so + pamd: +diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/ansible/shared.yml +index 9b49e56ba8..db44ce4f63 100644 +--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/ansible/shared.yml ++++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/ansible/shared.yml +@@ -3,7 +3,7 @@ + # strategy = restrict + # complexity = low + # disruption = low +-- (xccdf-var var_accounts_passwords_pam_faillock_unlock_time) ++{{{ ansible_instantiate_variables("var_accounts_passwords_pam_faillock_unlock_time") }}} + + - name: Add auth pam_faillock preauth unlock_time before pam_unix.so + pamd: +diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/ansible/shared.yml +index 6795f08939..ab351a26e5 100644 +--- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/ansible/shared.yml ++++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/ansible/shared.yml +@@ -3,7 +3,7 @@ + # strategy = configure + # complexity = low + # disruption = medium +-- (xccdf-var var_password_pam_retry) ++{{{ ansible_instantiate_variables("var_password_pam_retry") }}} + + - name: "Set Password Retry Prompts Permitted Per-Session - system-auth (change)" + replace: +diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/configure_opensc_card_drivers/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/configure_opensc_card_drivers/ansible/shared.yml +index 904d62c517..376027543b 100644 +--- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/configure_opensc_card_drivers/ansible/shared.yml ++++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/configure_opensc_card_drivers/ansible/shared.yml +@@ -3,7 +3,7 @@ + # strategy = configure + # complexity = low + # disruption = low +-- (xccdf-var var_smartcard_drivers) ++{{{ ansible_instantiate_variables("var_smartcard_drivers") }}} + + - name: Check existence of opensc conf + stat: +diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/force_opensc_card_drivers/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/force_opensc_card_drivers/ansible/shared.yml +index 13058a7ad6..f05423c0cb 100644 +--- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/force_opensc_card_drivers/ansible/shared.yml ++++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/force_opensc_card_drivers/ansible/shared.yml +@@ -3,7 +3,7 @@ + # strategy = configure + # complexity = low + # disruption = low +-- (xccdf-var var_smartcard_drivers) ++{{{ ansible_instantiate_variables("var_smartcard_drivers") }}} + + - name: Check existence of opensc conf + stat: +diff --git a/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_disable_post_pw_expiration/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_disable_post_pw_expiration/ansible/shared.yml +index fe4826baed..11a6bc5467 100644 +--- a/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_disable_post_pw_expiration/ansible/shared.yml ++++ b/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_disable_post_pw_expiration/ansible/shared.yml +@@ -3,7 +3,7 @@ + # strategy = restrict + # complexity = low + # disruption = low +-- (xccdf-var var_account_disable_post_pw_expiration) ++{{{ ansible_instantiate_variables("var_account_disable_post_pw_expiration") }}} + + - name: Set Account Expiration Following Inactivity + lineinfile: +diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/ansible/shared.yml +index 452ff3bb41..a85f9fc6fa 100644 +--- a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/ansible/shared.yml ++++ b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/ansible/shared.yml +@@ -3,7 +3,7 @@ + # strategy = restrict + # complexity = low + # disruption = low +-- (xccdf-var var_accounts_maximum_age_login_defs) ++{{{ ansible_instantiate_variables("var_accounts_maximum_age_login_defs") }}} + + - name: Set Password Maximum Age + lineinfile: +diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_minimum_age_login_defs/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_minimum_age_login_defs/ansible/shared.yml +index 5c94bc8028..e394f26d7a 100644 +--- a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_minimum_age_login_defs/ansible/shared.yml ++++ b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_minimum_age_login_defs/ansible/shared.yml +@@ -3,7 +3,7 @@ + # strategy = restrict + # complexity = low + # disruption = low +-- (xccdf-var var_accounts_minimum_age_login_defs) ++{{{ ansible_instantiate_variables("var_accounts_minimum_age_login_defs") }}} + + - name: Set Password Minimum Age + lineinfile: +diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_minlen_login_defs/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_minlen_login_defs/ansible/shared.yml +index 247aee3bff..eee37bda68 100644 +--- a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_minlen_login_defs/ansible/shared.yml ++++ b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_minlen_login_defs/ansible/shared.yml +@@ -3,7 +3,7 @@ + # strategy = restrict + # complexity = low + # disruption = low +-- (xccdf-var var_accounts_password_minlen_login_defs) ++{{{ ansible_instantiate_variables("var_accounts_password_minlen_login_defs") }}} + + - name: "Set Password Minimum Length in login.defs" + lineinfile: +diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_warn_age_login_defs/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_warn_age_login_defs/ansible/shared.yml +index b5eb75ecf9..1091f8c854 100644 +--- a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_warn_age_login_defs/ansible/shared.yml ++++ b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_warn_age_login_defs/ansible/shared.yml +@@ -3,7 +3,7 @@ + # strategy = restrict + # complexity = low + # disruption = low +-- (xccdf-var var_accounts_password_warn_age_login_defs) ++{{{ ansible_instantiate_variables("var_accounts_password_warn_age_login_defs") }}} + + - name: "Set Password Warning Age" + lineinfile: +diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_logon_fail_delay/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-session/accounts_logon_fail_delay/ansible/shared.yml +index d3e4742c79..0b45abb25d 100644 +--- a/linux_os/guide/system/accounts/accounts-session/accounts_logon_fail_delay/ansible/shared.yml ++++ b/linux_os/guide/system/accounts/accounts-session/accounts_logon_fail_delay/ansible/shared.yml +@@ -3,7 +3,7 @@ + # strategy = restrict + # complexity = low + # reboot = true +-- (xccdf-var var_accounts_fail_delay) ++{{{ ansible_instantiate_variables("var_accounts_fail_delay") }}} + + - name: Set accounts logon fail delay + lineinfile: +diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_tmout/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-session/accounts_tmout/ansible/shared.yml +index d17154b57e..2c3049006d 100644 +--- a/linux_os/guide/system/accounts/accounts-session/accounts_tmout/ansible/shared.yml ++++ b/linux_os/guide/system/accounts/accounts-session/accounts_tmout/ansible/shared.yml +@@ -3,6 +3,6 @@ + # strategy = restrict + # complexity = low + # disruption = low +-- (xccdf-var var_accounts_tmout) ++{{{ ansible_instantiate_variables("var_accounts_tmout") }}} + + {{{ ansible_etc_profile_set(parameter='TMOUT', value='{{ var_accounts_tmout }}') }}} +diff --git a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_bashrc/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_bashrc/ansible/shared.yml +index 43e03834a4..0255963a14 100644 +--- a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_bashrc/ansible/shared.yml ++++ b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_bashrc/ansible/shared.yml +@@ -3,7 +3,7 @@ + # strategy = restrict + # complexity = low + # disruption = low +-- (xccdf-var var_accounts_user_umask) ++{{{ ansible_instantiate_variables("var_accounts_user_umask") }}} + + - name: Set user umask in /etc/bashrc + replace: +diff --git a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_csh_cshrc/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_csh_cshrc/ansible/shared.yml +index 7c6b465f83..fa956cff6a 100644 +--- a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_csh_cshrc/ansible/shared.yml ++++ b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_csh_cshrc/ansible/shared.yml +@@ -3,7 +3,7 @@ + # strategy = restrict + # complexity = low + # disruption = low +-- (xccdf-var var_accounts_user_umask) ++{{{ ansible_instantiate_variables("var_accounts_user_umask") }}} + + - name: Set user umask in /etc/csh.cshrc + replace: +diff --git a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_login_defs/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_login_defs/ansible/shared.yml +index 449364f304..309b68a58f 100644 +--- a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_login_defs/ansible/shared.yml ++++ b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_login_defs/ansible/shared.yml +@@ -3,7 +3,7 @@ + # strategy = restrict + # complexity = low + # disruption = low +-- (xccdf-var var_accounts_user_umask) ++{{{ ansible_instantiate_variables("var_accounts_user_umask") }}} + + - name: Ensure the Default UMASK is Set Correctly + lineinfile: +diff --git a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_profile/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_profile/ansible/shared.yml +index 1b7d188c9e..fe12edac8b 100644 +--- a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_profile/ansible/shared.yml ++++ b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_profile/ansible/shared.yml +@@ -3,7 +3,7 @@ + # strategy = restrict + # complexity = low + # disruption = low +-- (xccdf-var var_accounts_user_umask) ++{{{ ansible_instantiate_variables("var_accounts_user_umask") }}} + + - name: Set user umask in /etc/profile + replace: +diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_configure_remote_server/ansible/shared.yml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_configure_remote_server/ansible/shared.yml +index 3296b9deb2..b3f245c998 100644 +--- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_configure_remote_server/ansible/shared.yml ++++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_configure_remote_server/ansible/shared.yml +@@ -3,7 +3,7 @@ + # strategy = configure + # complexity = low + # disruption = low +-- (xccdf-var var_audispd_remote_server) ++{{{ ansible_instantiate_variables("var_audispd_remote_server") }}} + + {{% if product in ["rhel8", "fedora", "ol8", "rhv4"] %}} + {{% set audisp_config_file_path = "/etc/audit/audisp-remote.conf" %}} +diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_disk_error_action/ansible/shared.yml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_disk_error_action/ansible/shared.yml +index beba66af07..06f4a10c6f 100644 +--- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_disk_error_action/ansible/shared.yml ++++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_disk_error_action/ansible/shared.yml +@@ -3,7 +3,7 @@ + # strategy = restrict + # complexity = low + # disruption = low +-- (xccdf-var var_auditd_disk_error_action) ++{{{ ansible_instantiate_variables("var_auditd_disk_error_action") }}} + + - name: Configure auditd Disk Error Action on Disk Error + lineinfile: +diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_disk_full_action/ansible/shared.yml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_disk_full_action/ansible/shared.yml +index 2b72085912..60b1e912ce 100644 +--- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_disk_full_action/ansible/shared.yml ++++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_disk_full_action/ansible/shared.yml +@@ -3,7 +3,7 @@ + # strategy = restrict + # complexity = low + # disruption = low +-- (xccdf-var var_auditd_disk_full_action) ++{{{ ansible_instantiate_variables("var_auditd_disk_full_action") }}} + + - name: Configure auditd Disk Full Action when Disk Space Is Full + lineinfile: +diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_action_mail_acct/ansible/shared.yml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_action_mail_acct/ansible/shared.yml +index 6a6d0ce4a4..48fe7aced4 100644 +--- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_action_mail_acct/ansible/shared.yml ++++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_action_mail_acct/ansible/shared.yml +@@ -3,7 +3,7 @@ + # strategy = restrict + # complexity = low + # disruption = low +-- (xccdf-var var_auditd_action_mail_acct) ++{{{ ansible_instantiate_variables("var_auditd_action_mail_acct") }}} + + - name: Configure auditd mail_acct Action on Low Disk Space + lineinfile: +diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_admin_space_left_action/ansible/shared.yml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_admin_space_left_action/ansible/shared.yml +index ff63a15de8..93d076fa6f 100644 +--- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_admin_space_left_action/ansible/shared.yml ++++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_admin_space_left_action/ansible/shared.yml +@@ -3,7 +3,7 @@ + # strategy = restrict + # complexity = low + # disruption = low +-- (xccdf-var var_auditd_admin_space_left_action) ++{{{ ansible_instantiate_variables("var_auditd_admin_space_left_action") }}} + + - name: Configure auditd admin_space_left Action on Low Disk Space + lineinfile: +diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_flush/ansible/shared.yml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_flush/ansible/shared.yml +index 4a5f45c14b..f909e5ec22 100644 +--- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_flush/ansible/shared.yml ++++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_flush/ansible/shared.yml +@@ -3,7 +3,7 @@ + # strategy = restrict + # complexity = low + # disruption = low +-- (xccdf-var var_auditd_flush) ++{{{ ansible_instantiate_variables("var_auditd_flush") }}} + + - name: Configure auditd Flush Priority + lineinfile: +diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_max_log_file/ansible/shared.yml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_max_log_file/ansible/shared.yml +index d497d27e20..65c77aa3cd 100644 +--- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_max_log_file/ansible/shared.yml ++++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_max_log_file/ansible/shared.yml +@@ -3,7 +3,7 @@ + # strategy = restrict + # complexity = low + # disruption = low +-- (xccdf-var var_auditd_max_log_file) ++{{{ ansible_instantiate_variables("var_auditd_max_log_file") }}} + + - name: Configure auditd Max Log File Size + lineinfile: +diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_max_log_file_action/ansible/shared.yml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_max_log_file_action/ansible/shared.yml +index 48df854986..595959e029 100644 +--- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_max_log_file_action/ansible/shared.yml ++++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_max_log_file_action/ansible/shared.yml +@@ -3,7 +3,7 @@ + # strategy = restrict + # complexity = low + # disruption = low +-- (xccdf-var var_auditd_max_log_file_action) ++{{{ ansible_instantiate_variables("var_auditd_max_log_file_action") }}} + + - name: Configure auditd max_log_file_action Upon Reaching Maximum Log Size + lineinfile: +diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_num_logs/ansible/shared.yml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_num_logs/ansible/shared.yml +index 8dfa5ce0cd..6fe9e0145e 100644 +--- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_num_logs/ansible/shared.yml ++++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_num_logs/ansible/shared.yml +@@ -3,7 +3,7 @@ + # strategy = restrict + # complexity = low + # disruption = low +-- (xccdf-var var_auditd_num_logs) ++{{{ ansible_instantiate_variables("var_auditd_num_logs") }}} + + - name: Configure auditd Number of Logs Retained + lineinfile: +diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left/ansible/shared.yml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left/ansible/shared.yml +index f4af7a6aa9..6db7ffbd34 100644 +--- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left/ansible/shared.yml ++++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left/ansible/shared.yml +@@ -3,7 +3,7 @@ + # strategy = restrict + # complexity = low + # disruption = low +-- (xccdf-var var_auditd_space_left) ++{{{ ansible_instantiate_variables("var_auditd_space_left") }}} + + - name: Configure auditd space_left on Low Disk Space + lineinfile: +diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left_action/ansible/shared.yml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left_action/ansible/shared.yml +index 5b4a101a1c..04062e34a6 100644 +--- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left_action/ansible/shared.yml ++++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left_action/ansible/shared.yml +@@ -3,7 +3,7 @@ + # strategy = restrict + # complexity = low + # disruption = low +-- (xccdf-var var_auditd_space_left_action) ++{{{ ansible_instantiate_variables("var_auditd_space_left_action") }}} + + - name: Configure auditd space_left Action on Low Disk Space + lineinfile: +diff --git a/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/ansible/shared.yml b/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/ansible/shared.yml +index 316171df9b..407e1be3ab 100644 +--- a/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/ansible/shared.yml ++++ b/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/ansible/shared.yml +@@ -3,7 +3,7 @@ + # strategy = restrict + # complexity = low + # disruption = low +-- (xccdf-var rsyslog_remote_loghost_address) ++{{{ ansible_instantiate_variables("rsyslog_remote_loghost_address") }}} + + - name: "Set rsyslog remote loghost" + lineinfile: +diff --git a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_idle_delay/ansible/shared.yml b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_idle_delay/ansible/shared.yml +index e8a802d48c..81270d1adb 100644 +--- a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_idle_delay/ansible/shared.yml ++++ b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_idle_delay/ansible/shared.yml +@@ -3,7 +3,7 @@ + # strategy = unknown + # complexity = low + # disruption = medium +-- (xccdf-var inactivity_timeout_value) ++{{{ ansible_instantiate_variables("inactivity_timeout_value") }}} + + - name: "Set GNOME3 Screensaver Inactivity Timeout" + ini_file: +diff --git a/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/ansible/shared.yml b/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/ansible/shared.yml +index 9d3f9c0c65..09b6dbc855 100644 +--- a/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/ansible/shared.yml ++++ b/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/ansible/shared.yml +@@ -3,7 +3,7 @@ + # strategy = restrict + # complexity = low + # disruption = low +-- (xccdf-var var_system_crypto_policy) ++{{{ ansible_instantiate_variables("var_system_crypto_policy") }}} + + - name: "{{{ rule_title }}}" + lineinfile: +diff --git a/shared/templates/template_ANSIBLE_mount_option_removable_partitions b/shared/templates/template_ANSIBLE_mount_option_removable_partitions +index 374499261d..346f5fe3de 100644 +--- a/shared/templates/template_ANSIBLE_mount_option_removable_partitions ++++ b/shared/templates/template_ANSIBLE_mount_option_removable_partitions +@@ -3,7 +3,7 @@ + # strategy = configure + # complexity = low + # disruption = high +-- (xccdf-var var_removable_partition) ++{{{ ansible_instantiate_variables("var_removable_partition") }}} + + - name: Ensure permission {{{ MOUNTOPTION }}} are set on var_removable_partition + lineinfile: diff --git a/SOURCES/scap-security-guide-0.1.54-add_dir_perms_world_writable_system_owned_group-PR_6421.patch b/SOURCES/scap-security-guide-0.1.54-add_dir_perms_world_writable_system_owned_group-PR_6421.patch new file mode 100644 index 0000000..0ae8796 --- /dev/null +++ b/SOURCES/scap-security-guide-0.1.54-add_dir_perms_world_writable_system_owned_group-PR_6421.patch @@ -0,0 +1,182 @@ +From c11311736558613b13ae051a2908c31eee0b6a43 Mon Sep 17 00:00:00 2001 +From: Gabriel Becker +Date: Wed, 25 Nov 2020 16:52:14 +0100 +Subject: [PATCH] Add new rule dir_perms_world_writable_system_owned_group. + +Change old STIG reference ID from dir_perms_world_writable_system_owned +because this rule actually checks for UID and not the GID as it was +expected. +--- + .../oval/shared.xml | 10 ++--- + .../rule.yml | 8 ++-- + .../oval/shared.xml | 22 +++++++++ + .../rule.yml | 45 +++++++++++++++++++ + rhel7/profiles/stig.profile | 1 + + shared/references/cce-redhat-avail.txt | 1 - + 6 files changed, 77 insertions(+), 10 deletions(-) + create mode 100644 linux_os/guide/system/permissions/files/dir_perms_world_writable_system_owned_group/oval/shared.xml + create mode 100644 linux_os/guide/system/permissions/files/dir_perms_world_writable_system_owned_group/rule.yml + +diff --git a/linux_os/guide/system/permissions/files/dir_perms_world_writable_system_owned/oval/shared.xml b/linux_os/guide/system/permissions/files/dir_perms_world_writable_system_owned/oval/shared.xml +index eae7e654a2..8b03bfe0ec 100644 +--- a/linux_os/guide/system/permissions/files/dir_perms_world_writable_system_owned/oval/shared.xml ++++ b/linux_os/guide/system/permissions/files/dir_perms_world_writable_system_owned/oval/shared.xml +@@ -6,16 +6,16 @@ + + + +- +- ++ ++ + +- ++ + + / + +- state_gid_is_user_and_world_writable ++ state_uid_is_user_and_world_writable + +- ++ + {{{ auid }}} + true + +diff --git a/linux_os/guide/system/permissions/files/dir_perms_world_writable_system_owned/rule.yml b/linux_os/guide/system/permissions/files/dir_perms_world_writable_system_owned/rule.yml +index 100b22943..5271903fe 100644 +--- a/linux_os/guide/system/permissions/files/dir_perms_world_writable_system_owned/rule.yml ++++ b/linux_os/guide/system/permissions/files/dir_perms_world_writable_system_owned/rule.yml +@@ -7,10 +7,10 @@ title: 'Ensure All World-Writable Directories Are Owned by a System Account' + description: |- + All directories in local partitions which are + world-writable should be owned by root or another +- system account. If any world-writable directories are not ++ system account. If any world-writable directories are not + owned by a system account, this should be investigated. + Following this, the files should be deleted or assigned to an +- appropriate group. ++ appropriate owner. + + rationale: |- + Allowing a user account to own a world-writable directory is +@@ -25,14 +25,14 @@ identifiers: + cce@rhel7: CCE-80136-5 + + references: +- stigid@ol7: OL07-00-021030 ++ stigid@ol7: OL07-00-021031 + stigid@rhel6: RHEL-06-000337 + srg@rhel6: SRG-OS-999999 + disa: CCI-000366 + nist: CM-6(a),AC-6(1) + nist-csf: PR.AC-4,PR.DS-5 + srg: SRG-OS-000480-GPOS-00227 +- stigid@rhel7: RHEL-07-021030 ++ stigid@rhel7: RHEL-07-021031 + isa-62443-2013: 'SR 2.1,SR 5.2' + isa-62443-2009: 4.3.3.7.3 + cobit5: APO01.06,DSS05.04,DSS05.07,DSS06.02 +diff --git a/linux_os/guide/system/permissions/files/dir_perms_world_writable_system_owned_group/oval/shared.xml b/linux_os/guide/system/permissions/files/dir_perms_world_writable_system_owned_group/oval/shared.xml +new file mode 100644 +index 0000000000..3ac40ecb2d +--- /dev/null ++++ b/linux_os/guide/system/permissions/files/dir_perms_world_writable_system_owned_group/oval/shared.xml +@@ -0,0 +1,22 @@ ++ ++ ++ {{{ oval_metadata("All world writable directories should be group owned by a system user.") }}} ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ / ++ ++ state_gid_is_user_and_world_writable ++ ++ ++ {{{ auid }}} ++ true ++ ++ +diff --git a/linux_os/guide/system/permissions/files/dir_perms_world_writable_system_owned_group/rule.yml b/linux_os/guide/system/permissions/files/dir_perms_world_writable_system_owned_group/rule.yml +new file mode 100644 +index 0000000000..1e3c60b7e3 +--- /dev/null ++++ b/linux_os/guide/system/permissions/files/dir_perms_world_writable_system_owned_group/rule.yml +@@ -0,0 +1,45 @@ ++documentation_complete: true ++ ++prodtype: fedora,ol7,ol8,rhel7,rhel8,rhv4,wrlinux1019 ++ ++title: 'Ensure All World-Writable Directories Are Group Owned by a System Account' ++ ++description: |- ++ All directories in local partitions which are ++ world-writable should be group owned by root or another ++ system account. If any world-writable directories are not ++ group owned by a system account, this should be investigated. ++ Following this, the files should be deleted or assigned to an ++ appropriate group. ++ ++rationale: |- ++ Allowing a user account to group own a world-writable directory is ++ undesirable because it allows the owner of that directory to remove ++ or replace any files that may be placed in the directory by other ++ users. ++ ++severity: medium ++ ++identifiers: ++ cce@rhel7: CCE-83923-3 ++ ++references: ++ stigid@ol7: OL07-00-021030 ++ disa: CCI-000366 ++ nist: CM-6(a),AC-6(1) ++ nist-csf: PR.AC-4,PR.DS-5 ++ srg: SRG-OS-000480-GPOS-00227 ++ stigid@rhel7: RHEL-07-021030 ++ isa-62443-2013: 'SR 2.1,SR 5.2' ++ isa-62443-2009: 4.3.3.7.3 ++ cobit5: APO01.06,DSS05.04,DSS05.07,DSS06.02 ++ iso27001-2013: A.10.1.1,A.11.1.4,A.11.1.5,A.11.2.1,A.13.1.1,A.13.1.3,A.13.2.1,A.13.2.3,A.13.2.4,A.14.1.2,A.14.1.3,A.6.1.2,A.7.1.1,A.7.1.2,A.7.3.1,A.8.2.2,A.8.2.3,A.9.1.1,A.9.1.2,A.9.2.3,A.9.4.1,A.9.4.4,A.9.4.5 ++ cis-csc: 12,13,14,15,16,18,3,5 ++ ++ocil_clause: 'there is output' ++ ++ocil: |- ++ The following command will discover and print world-writable directories that ++ are not group owned by a system account, given the assumption that only system ++ accounts have a gid lower than 500. Run it once for each local partition PART: ++
$ sudo find PART -xdev -type d -perm -0002 -gid +499 -print
+diff --git a/rhel7/profiles/stig.profile b/rhel7/profiles/stig.profile +index 4698785a49..a16e990202 100644 +--- a/rhel7/profiles/stig.profile ++++ b/rhel7/profiles/stig.profile +@@ -155,6 +155,7 @@ selections: + - mount_option_nosuid_removable_partitions + - mount_option_nosuid_remote_filesystems + - dir_perms_world_writable_system_owned ++ - dir_perms_world_writable_system_owned_group + - accounts_umask_interactive_users + - rsyslog_cron_logging + - file_owner_cron_allow +diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt +index c38943b07c..c5d1ff963f 100644 +--- a/shared/references/cce-redhat-avail.txt ++++ b/shared/references/cce-redhat-avail.txt +@@ -473,7 +473,6 @@ CCE-83919-1 + CCE-83920-9 + CCE-83921-7 + CCE-83922-5 +-CCE-83923-3 + CCE-83924-1 + CCE-83925-8 + CCE-83926-6 diff --git a/SOURCES/scap-security-guide-0.1.54-fix-bash_dconf_settings-macro-PR_6364.patch b/SOURCES/scap-security-guide-0.1.54-fix-bash_dconf_settings-macro-PR_6364.patch new file mode 100644 index 0000000..9b52226 --- /dev/null +++ b/SOURCES/scap-security-guide-0.1.54-fix-bash_dconf_settings-macro-PR_6364.patch @@ -0,0 +1,34 @@ +From 1c0f141f863736b2c5c47d6d9f20b75c8cbf8318 Mon Sep 17 00:00:00 2001 +From: Gabriel Becker +Date: Tue, 10 Nov 2020 18:10:17 +0100 +Subject: [PATCH] Fix bash_dconf_settings to grep whole keyword alike. + +--- + .../dconf_gnome_disable_automount/tests/wrong_value.fail.sh | 3 +++ + shared/macros-bash.jinja | 2 +- + 2 files changed, 4 insertions(+), 1 deletion(-) + +diff --git a/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount/tests/wrong_value.fail.sh b/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount/tests/wrong_value.fail.sh +index 35c6e417ad..0272781515 100644 +--- a/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount/tests/wrong_value.fail.sh ++++ b/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount/tests/wrong_value.fail.sh +@@ -5,3 +5,6 @@ + + install_dconf_and_gdm_if_needed + clean_dconf_settings ++ ++add_dconf_setting "org/gnome/desktop/media-handling" "automount-open" "false" "local.d" "00-security-settings" ++add_dconf_lock "org/gnome/desktop/media-handling" "automount-open" "local.d" "00-security-settings" +diff --git a/shared/macros-bash.jinja b/shared/macros-bash.jinja +index ee48bec12d..0add877cbc 100644 +--- a/shared/macros-bash.jinja ++++ b/shared/macros-bash.jinja +@@ -181,7 +181,7 @@ then + printf '%s=%s\n' "{{{ key }}}" "{{{ value }}}" >> ${DCONFFILE} + else + escaped_value="$(sed -e 's/\\/\\\\/g' <<< "{{{ value }}}")" +- if grep -q "^\\s*{{{ key }}}" "${SETTINGSFILES[@]}" ++ if grep -q "^\\s*{{{ key }}}\\s*=" "${SETTINGSFILES[@]}" + then + sed -i "s/\\s*{{{ key }}}\\s*=\\s*.*/{{{ key }}}=${escaped_value}/g" "${SETTINGSFILES[@]}" + else diff --git a/SOURCES/scap-security-guide-0.1.54-select_xwindows_runlevel_target_stig-PR_6420.patch b/SOURCES/scap-security-guide-0.1.54-select_xwindows_runlevel_target_stig-PR_6420.patch new file mode 100644 index 0000000..8b2c416 --- /dev/null +++ b/SOURCES/scap-security-guide-0.1.54-select_xwindows_runlevel_target_stig-PR_6420.patch @@ -0,0 +1,21 @@ +From 3224a958477cda26e302bcc310ffac755938948a Mon Sep 17 00:00:00 2001 +From: Gabriel Becker +Date: Wed, 25 Nov 2020 12:29:04 +0100 +Subject: [PATCH] Add xwindows_runlevel_target to RHEL7 STIG profile. + +--- + rhel7/profiles/stig.profile | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/rhel7/profiles/stig.profile b/rhel7/profiles/stig.profile +index 0d723117a5..4698785a49 100644 +--- a/rhel7/profiles/stig.profile ++++ b/rhel7/profiles/stig.profile +@@ -287,6 +287,7 @@ selections: + - sshd_enable_x11_forwarding + - tftpd_uses_secure_mode + - package_xorg-x11-server-common_removed ++ - xwindows_runlevel_target + - sysctl_net_ipv4_ip_forward + - mount_option_krb_sec_remote_filesystems + - snmpd_not_default_password diff --git a/SOURCES/scap-security-guide-0.1.54-split-dconf-automount-rule-PR_5961.patch b/SOURCES/scap-security-guide-0.1.54-split-dconf-automount-rule-PR_5961.patch new file mode 100644 index 0000000..e6aa9a3 --- /dev/null +++ b/SOURCES/scap-security-guide-0.1.54-split-dconf-automount-rule-PR_5961.patch @@ -0,0 +1,1010 @@ +From bf1b010001f16a428a0e3401347df0a37ce52e90 Mon Sep 17 00:00:00 2001 +From: Gabriel Becker +Date: Thu, 6 Aug 2020 15:43:31 +0200 +Subject: [PATCH 1/8] Break dconf_gnome_disable_automount down into three + separate rules. + +--- + .../tests/empty.fail.sh | 9 +++ + .../ansible/shared.yml | 31 ---------- + .../bash/shared.sh | 4 -- + .../oval/shared.xml | 60 +------------------ + .../dconf_gnome_disable_automount/rule.yml | 25 +++----- + .../tests/correct_value.pass.sh | 11 ++++ + .../ansible/shared.yml | 19 ++++++ + .../bash/shared.sh | 5 ++ + .../oval/shared.xml | 50 ++++++++++++++++ + .../rule.yml | 57 ++++++++++++++++++ + .../tests/correct_value.pass.sh | 12 ++++ + .../tests/wrong_value.fail.sh | 7 +++ + .../ansible/shared.yml | 20 +++++++ + .../bash/shared.sh | 5 ++ + .../oval/shared.xml | 50 ++++++++++++++++ + .../dconf_gnome_disable_autorun/rule.yml | 57 ++++++++++++++++++ + .../tests/correct_value.pass.sh | 10 ++++ + .../tests/wrong_value.fail.sh | 7 +++ + shared/references/cce-redhat-avail.txt | 4 -- + 19 files changed, 328 insertions(+), 115 deletions(-) + create mode 100644 linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_banner_enabled/tests/empty.fail.sh + create mode 100644 linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount/tests/correct_value.pass.sh + create mode 100644 linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount_open/ansible/shared.yml + create mode 100644 linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount_open/bash/shared.sh + create mode 100644 linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount_open/oval/shared.xml + create mode 100644 linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount_open/rule.yml + create mode 100644 linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount_open/tests/correct_value.pass.sh + create mode 100644 linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount_open/tests/wrong_value.fail.sh + create mode 100644 linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_autorun/ansible/shared.yml + create mode 100644 linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_autorun/bash/shared.sh + create mode 100644 linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_autorun/oval/shared.xml + create mode 100644 linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_autorun/rule.yml + create mode 100644 linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_autorun/tests/correct_value.pass.sh + create mode 100644 linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_autorun/tests/wrong_value.fail.sh + +diff --git a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_banner_enabled/tests/empty.fail.sh b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_banner_enabled/tests/empty.fail.sh +new file mode 100644 +index 0000000000..cb84c5262b +--- /dev/null ++++ b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_banner_enabled/tests/empty.fail.sh +@@ -0,0 +1,9 @@ ++#!/bin/bash ++# profiles = xccdf_org.ssgproject.content_profile_ncp ++ ++source $SHARED/dconf_test_functions.sh ++ ++install_dconf_and_gdm_if_needed ++ ++clean_dconf_settings ++ +diff --git a/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount/ansible/shared.yml b/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount/ansible/shared.yml +index c13d706df3..eeb7b8f301 100644 +--- a/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount/ansible/shared.yml ++++ b/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount/ansible/shared.yml +@@ -17,34 +17,3 @@ + regexp: '^/org/gnome/desktop/media-handling/automount' + line: '/org/gnome/desktop/media-handling/automount' + create: yes +- +-- name: "Disable GNOME3 Automounting - automount-open" +- ini_file: +- dest: /etc/dconf/db/local.d/00-security-settings +- section: org/gnome/desktop/media-handling +- option: automount-open +- value: "false" +- create: yes +- +-- name: "Prevent user modification of GNOME3 Automounting - automount-open" +- lineinfile: +- path: /etc/dconf/db/local.d/locks/00-security-settings-lock +- regexp: '^/org/gnome/desktop/media-handling/automount-open' +- line: '/org/gnome/desktop/media-handling/automount-open' +- create: yes +- +-- name: "Disable GNOME3 Automounting - autorun-never" +- ini_file: +- dest: /etc/dconf/db/local.d/00-security-settings +- section: org/gnome/desktop/media-handling +- option: autorun-never +- value: "true" +- create: yes +- +-- name: "Prevent user modification of GNOME3 Automounting - autorun-never" +- lineinfile: +- path: /etc/dconf/db/local.d/locks/00-security-settings-lock +- regexp: '^/org/gnome/desktop/media-handling/autorun-never' +- line: '/org/gnome/desktop/media-handling/autorun-never' +- create: yes +- +diff --git a/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount/bash/shared.sh b/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount/bash/shared.sh +index aa7c692c87..5a52153613 100644 +--- a/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount/bash/shared.sh ++++ b/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount/bash/shared.sh +@@ -2,8 +2,4 @@ + + + {{{ bash_dconf_settings("org/gnome/desktop/media-handling", "automount", "false", "local.d", "00-security-settings") }}} +-{{{ bash_dconf_settings("org/gnome/desktop/media-handling", "automount-open", "false", "local.d", "00-security-settings") }}} +-{{{ bash_dconf_settings("org/gnome/desktop/media-handling", "autorun-never", "true", "local.d", "00-security-settings") }}} + {{{ bash_dconf_lock("org/gnome/desktop/media-handling", "automount", "local.d", "00-security-settings-lock") }}} +-{{{ bash_dconf_lock("org/gnome/desktop/media-handling", "automount-open", "local.d", "00-security-settings-lock") }}} +-{{{ bash_dconf_lock("org/gnome/desktop/media-handling", "autorun-never", "local.d", "00-security-settings-lock") }}} +diff --git a/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount/oval/shared.xml b/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount/oval/shared.xml +index fb359a2278..c05b1d8e1b 100644 +--- a/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount/oval/shared.xml ++++ b/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount/oval/shared.xml +@@ -1,19 +1,15 @@ + +- ++ + {{{ oval_metadata("The system's default desktop environment, GNOME3, will mount + devices and removable media (such as DVDs, CDs and USB flash drives) + whenever they are inserted into the system. Disable automount and autorun + within GNOME3.") }}} + + +- ++ + + +- +- + +- +- + + + +@@ -43,56 +39,4 @@ + ^/org/gnome/desktop/media-handling/automount$ + 1 +
+- +- +- +- +- +- /etc/dconf/db/local.d/ +- ^.*$ +- ^\[org/gnome/desktop/media-handling]([^\n]*\n+)+?automount-open=false$ +- 1 +- +- +- +- +- +- +- /etc/dconf/db/local.d/locks/ +- ^.*$ +- ^/org/gnome/desktop/media-handling/automount-open$ +- 1 +- +- +- +- +- +- +- /etc/dconf/db/local.d/ +- ^.*$ +- ^\[org/gnome/desktop/media-handling]([^\n]*\n+)+?autorun-never=true$ +- 1 +- +- +- +- +- +- +- /etc/dconf/db/local.d/locks/ +- ^.*$ +- ^/org/gnome/desktop/media-handling/autorun-never$ +- 1 +- + +diff --git a/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount/rule.yml b/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount/rule.yml +index 551f6cacdf..b7e7192bc0 100644 +--- a/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount/rule.yml ++++ b/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount/rule.yml +@@ -7,20 +7,15 @@ title: 'Disable GNOME3 Automounting' + description: |- + The system's default desktop environment, GNOME3, will mount + devices and removable media (such as DVDs, CDs and USB flash drives) whenever +- they are inserted into the system. To disable automount and autorun within GNOME3, add or set +- automount to false, automount-open to false, and +- autorun-never to true in /etc/dconf/db/local.d/00-security-settings. ++ they are inserted into the system. To disable automount within GNOME3, add or set ++ automount to false in /etc/dconf/db/local.d/00-security-settings. + For example: +
[org/gnome/desktop/media-handling]
+-    automount=false
+-    automount-open=false
+-    autorun-never=true
++ automount=false + Once the settings have been added, add a lock to + /etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification. + For example: +-
/org/gnome/desktop/media-handling/automount
+-    /org/gnome/desktop/media-handling/automount-open
+-    /org/gnome/desktop/media-handling/autorun-never
++
/org/gnome/desktop/media-handling/automount
+ After the settings have been set, run dconf update. + + rationale: |- +@@ -48,16 +43,10 @@ ocil_clause: 'GNOME automounting is not disabled' + + ocil: |- + These settings can be verified by running the following: +-
$ gsettings get org.gnome.desktop.media-handling automount
+-    $ gsettings get org.gnome.desktop.media-handling automount-open
+-    $ gsettings get org.gnome.desktop.media-handling autorun-never
++
$ gsettings get org.gnome.desktop.media-handling automount
+ If properly configured, the output for automount should be false. +- If properly configured, the output for automount-openshould be false. +- If properly configured, the output for autorun-never should be true. +- To ensure that users cannot enable automount and autorun in GNOME3, run the following: +-
$ grep 'automount\|autorun' /etc/dconf/db/local.d/locks/*
++ To ensure that users cannot enable automount in GNOME3, run the following: ++
$ grep 'automount' /etc/dconf/db/local.d/locks/*
+ If properly configured, the output for automount should be /org/gnome/desktop/media-handling/automount +- If properly configured, the output for automount-open should be /org/gnome/desktop/media-handling/auto-open +- If properly configured, the output for autorun-never should be /org/gnome/desktop/media-handling/autorun-never + + platform: machine +diff --git a/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount/tests/correct_value.pass.sh b/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount/tests/correct_value.pass.sh +new file mode 100644 +index 0000000000..685f5925c5 +--- /dev/null ++++ b/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount/tests/correct_value.pass.sh +@@ -0,0 +1,11 @@ ++#!/bin/bash ++# profiles = xccdf_org.ssgproject.content_profile_stig ++ ++. $SHARED/dconf_test_functions.sh ++ ++yum -y install dconf ++clean_dconf_settings ++ ++add_dconf_setting "org/gnome/desktop/media-handling" "automount" "false" "local.d" "00-security-settings" ++add_dconf_lock "org/gnome/desktop/media-handling" "automount" "local.d" "00-security-settings" ++ +diff --git a/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount_open/ansible/shared.yml b/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount_open/ansible/shared.yml +new file mode 100644 +index 0000000000..680d148347 +--- /dev/null ++++ b/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount_open/ansible/shared.yml +@@ -0,0 +1,19 @@ ++# platform = multi_platform_rhel,multi_platform_fedora ++# reboot = false ++# strategy = unknown ++# complexity = low ++# disruption = medium ++- name: "Disable GNOME3 Automounting - automount-open" ++ ini_file: ++ dest: /etc/dconf/db/local.d/00-security-settings ++ section: org/gnome/desktop/media-handling ++ option: automount-open ++ value: "false" ++ create: yes ++ ++- name: "Prevent user modification of GNOME3 Automounting - automount-open" ++ lineinfile: ++ path: /etc/dconf/db/local.d/locks/00-security-settings-lock ++ regexp: '^/org/gnome/desktop/media-handling/automount-open' ++ line: '/org/gnome/desktop/media-handling/automount-open' ++ create: yes +diff --git a/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount_open/bash/shared.sh b/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount_open/bash/shared.sh +new file mode 100644 +index 0000000000..7a1497507b +--- /dev/null ++++ b/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount_open/bash/shared.sh +@@ -0,0 +1,5 @@ ++# platform = Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8,multi_platform_fedora ++ ++ ++{{{ bash_dconf_settings("org/gnome/desktop/media-handling", "automount-open", "false", "local.d", "00-security-settings") }}} ++{{{ bash_dconf_lock("org/gnome/desktop/media-handling", "automount-open", "local.d", "00-security-settings-lock") }}} +diff --git a/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount_open/oval/shared.xml b/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount_open/oval/shared.xml +new file mode 100644 +index 0000000000..84264fa8f4 +--- /dev/null ++++ b/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount_open/oval/shared.xml +@@ -0,0 +1,50 @@ ++ ++ ++ ++ Disable GNOME3 automount-open ++ ++ Red Hat Enterprise Linux 7 ++ Red Hat Enterprise Linux 8 ++ multi_platform_fedora ++ ++ The system's default desktop environment, GNOME3, will mount ++ devices and removable media (such as DVDs, CDs and USB flash drives) ++ whenever they are inserted into the system. Disable automount-open ++ within GNOME3. ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ /etc/dconf/db/local.d/ ++ ^.*$ ++ ^\[org/gnome/desktop/media-handling]([^\n]*\n+)+?automount-open=false$ ++ 1 ++ ++ ++ ++ ++ ++ ++ /etc/dconf/db/local.d/locks/ ++ ^.*$ ++ ^/org/gnome/desktop/media-handling/automount-open$ ++ 1 ++ ++ +diff --git a/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount_open/rule.yml b/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount_open/rule.yml +new file mode 100644 +index 0000000000..07ce263102 +--- /dev/null ++++ b/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount_open/rule.yml +@@ -0,0 +1,57 @@ ++documentation_complete: true ++ ++prodtype: fedora,rhel7,rhel8 ++ ++title: 'Disable GNOME3 Automount Opening' ++ ++description: |- ++ The system's default desktop environment, GNOME3, will mount ++ devices and removable media (such as DVDs, CDs and USB flash drives) whenever ++ they are inserted into the system. To disable automount-open within GNOME3, add or set ++ automount-open to false in /etc/dconf/db/local.d/00-security-settings. ++ For example: ++
[org/gnome/desktop/media-handling]
++    automount-open=false
++ Once the settings have been added, add a lock to ++ /etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification. ++ For example: ++
/org/gnome/desktop/media-handling/automount-open
++ After the settings have been set, run dconf update. ++ ++rationale: |- ++ Disabling automatic mounting in GNOME3 can prevent ++ the introduction of malware via removable media. ++ It will, however, also prevent desktop users from legitimate use ++ of removable media. ++ ++severity: medium ++ ++identifiers: ++ cce@rhel7: CCE-83692-4 ++ cce@rhel8: CCE-83693-2 ++ ++references: ++ cui: 3.1.7 ++ nist: CM-7(a),CM-7(b),CM-6(a) ++ nist-csf: PR.AC-3,PR.AC-6 ++ isa-62443-2013: 'SR 1.1,SR 1.13,SR 1.2,SR 1.4,SR 1.5,SR 1.9,SR 2.1,SR 2.6' ++ isa-62443-2009: 4.3.3.2.2,4.3.3.5.2,4.3.3.6.6,4.3.3.7.2,4.3.3.7.4 ++ cobit5: APO13.01,DSS01.04,DSS05.03,DSS05.04,DSS05.05,DSS05.07,DSS06.03 ++ iso27001-2013: A.11.2.6,A.13.1.1,A.13.2.1,A.6.2.1,A.6.2.2,A.7.1.1,A.9.2.1 ++ cis-csc: 12,16 ++ stig@rhel7: RHEL-07-020111 ++ disa: CCI-001958 ++ srg: SRG-OS-000114-GPOS-00059,SRG-OS-000378-GPOS-00163,SRG-OS-000480-GPOS-00227 ++ ++ ++ocil_clause: 'GNOME automounting is not disabled' ++ ++ocil: |- ++ These settings can be verified by running the following: ++
$ gsettings get org.gnome.desktop.media-handling automount-open
++ If properly configured, the output for automount-openshould be false. ++ To ensure that users cannot enable automount opening in GNOME3, run the following: ++
$ grep 'automount-open' /etc/dconf/db/local.d/locks/*
++ If properly configured, the output for automount-open should be /org/gnome/desktop/media-handling/automount-open ++ ++platform: machine +diff --git a/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount_open/tests/correct_value.pass.sh b/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount_open/tests/correct_value.pass.sh +new file mode 100644 +index 0000000000..b9995bf679 +--- /dev/null ++++ b/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount_open/tests/correct_value.pass.sh +@@ -0,0 +1,12 @@ ++#!/bin/bash ++# profiles = xccdf_org.ssgproject.content_profile_stig ++ ++. $SHARED/dconf_test_functions.sh ++ ++yum -y install dconf ++clean_dconf_settings ++ ++add_dconf_setting "org/gnome/desktop/media-handling" "automount-open" "false" "local.d" "00-security-settings" ++add_dconf_lock "org/gnome/desktop/media-handling" "automount-open" "local.d" "00-security-settings" ++ ++ +diff --git a/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount_open/tests/wrong_value.fail.sh b/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount_open/tests/wrong_value.fail.sh +new file mode 100644 +index 0000000000..33a439cbb6 +--- /dev/null ++++ b/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount_open/tests/wrong_value.fail.sh +@@ -0,0 +1,7 @@ ++#!/bin/bash ++# profiles = xccdf_org.ssgproject.content_profile_stig ++ ++. $SHARED/dconf_test_functions.sh ++ ++yum -y install dconf ++clean_dconf_settings +diff --git a/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_autorun/ansible/shared.yml b/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_autorun/ansible/shared.yml +new file mode 100644 +index 0000000000..036246e3be +--- /dev/null ++++ b/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_autorun/ansible/shared.yml +@@ -0,0 +1,20 @@ ++# platform = multi_platform_rhel,multi_platform_fedora ++# reboot = false ++# strategy = unknown ++# complexity = low ++# disruption = medium ++- name: "Disable GNOME3 Automounting - autorun-never" ++ ini_file: ++ dest: /etc/dconf/db/local.d/00-security-settings ++ section: org/gnome/desktop/media-handling ++ option: autorun-never ++ value: "true" ++ create: yes ++ ++- name: "Prevent user modification of GNOME3 Automounting - autorun-never" ++ lineinfile: ++ path: /etc/dconf/db/local.d/locks/00-security-settings-lock ++ regexp: '^/org/gnome/desktop/media-handling/autorun-never' ++ line: '/org/gnome/desktop/media-handling/autorun-never' ++ create: yes ++ +diff --git a/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_autorun/bash/shared.sh b/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_autorun/bash/shared.sh +new file mode 100644 +index 0000000000..4c3bcb9547 +--- /dev/null ++++ b/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_autorun/bash/shared.sh +@@ -0,0 +1,5 @@ ++# platform = Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8,multi_platform_fedora ++ ++ ++{{{ bash_dconf_settings("org/gnome/desktop/media-handling", "autorun-never", "true", "local.d", "00-security-settings") }}} ++{{{ bash_dconf_lock("org/gnome/desktop/media-handling", "autorun-never", "local.d", "00-security-settings-lock") }}} +diff --git a/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_autorun/oval/shared.xml b/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_autorun/oval/shared.xml +new file mode 100644 +index 0000000000..4c9840c644 +--- /dev/null ++++ b/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_autorun/oval/shared.xml +@@ -0,0 +1,50 @@ ++ ++ ++ ++ Disable GNOME3 Automounting ++ ++ Red Hat Enterprise Linux 7 ++ Red Hat Enterprise Linux 8 ++ multi_platform_fedora ++ ++ The system's default desktop environment, GNOME3, will mount ++ devices and removable media (such as DVDs, CDs and USB flash drives) ++ whenever they are inserted into the system. Disable automount and autorun ++ within GNOME3. ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ /etc/dconf/db/local.d/ ++ ^.*$ ++ ^\[org/gnome/desktop/media-handling]([^\n]*\n+)+?autorun-never=true$ ++ 1 ++ ++ ++ ++ ++ ++ ++ /etc/dconf/db/local.d/locks/ ++ ^.*$ ++ ^/org/gnome/desktop/media-handling/autorun-never$ ++ 1 ++ ++ +diff --git a/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_autorun/rule.yml b/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_autorun/rule.yml +new file mode 100644 +index 0000000000..92fa209fb5 +--- /dev/null ++++ b/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_autorun/rule.yml +@@ -0,0 +1,57 @@ ++documentation_complete: true ++ ++prodtype: fedora,rhel7,rhel8 ++ ++title: 'Disable GNOME3 Automount running' ++ ++description: |- ++ The system's default desktop environment, GNOME3, will mount ++ devices and removable media (such as DVDs, CDs and USB flash drives) whenever ++ they are inserted into the system. To disable autorun-never within GNOME3, add or set ++ autorun-never to true in /etc/dconf/db/local.d/00-security-settings. ++ For example: ++
[org/gnome/desktop/media-handling]
++    autorun-never=true
++ Once the settings have been added, add a lock to ++ /etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification. ++ For example: ++
/org/gnome/desktop/media-handling/autorun-never
++ After the settings have been set, run dconf update. ++ ++rationale: |- ++ Disabling automatic mount running in GNOME3 can prevent ++ the introduction of malware via removable media. ++ It will, however, also prevent desktop users from legitimate use ++ of removable media. ++ ++severity: medium ++ ++identifiers: ++ cce@rhel7: CCE-83741-9 ++ cce@rhel8: CCE-83742-7 ++ ++references: ++ cui: 3.1.7 ++ nist: CM-7(a),CM-7(b),CM-6(a) ++ nist-csf: PR.AC-3,PR.AC-6 ++ isa-62443-2013: 'SR 1.1,SR 1.13,SR 1.2,SR 1.4,SR 1.5,SR 1.9,SR 2.1,SR 2.6' ++ isa-62443-2009: 4.3.3.2.2,4.3.3.5.2,4.3.3.6.6,4.3.3.7.2,4.3.3.7.4 ++ cobit5: APO13.01,DSS01.04,DSS05.03,DSS05.04,DSS05.05,DSS05.07,DSS06.03 ++ iso27001-2013: A.11.2.6,A.13.1.1,A.13.2.1,A.6.2.1,A.6.2.2,A.7.1.1,A.9.2.1 ++ cis-csc: 12,16 ++ stig@rhel7: RHEL-07-020111 ++ disa: CCI-001958 ++ srg: SRG-OS-000114-GPOS-00059,SRG-OS-000378-GPOS-00163,SRG-OS-000480-GPOS-00227 ++ ++ ++ocil_clause: 'GNOME autorun is not disabled' ++ ++ocil: |- ++ These settings can be verified by running the following: ++
$ gsettings get org.gnome.desktop.media-handling autorun-never
++ If properly configured, the output for autorun-nevershould be true. ++ To ensure that users cannot enable autorun in GNOME3, run the following: ++
$ grep 'autorun-never' /etc/dconf/db/local.d/locks/*
++ If properly configured, the output for autorun-never should be /org/gnome/desktop/media-handling/autorun-never ++ ++platform: machine +diff --git a/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_autorun/tests/correct_value.pass.sh b/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_autorun/tests/correct_value.pass.sh +new file mode 100644 +index 0000000000..8688fc864a +--- /dev/null ++++ b/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_autorun/tests/correct_value.pass.sh +@@ -0,0 +1,10 @@ ++#!/bin/bash ++# profiles = xccdf_org.ssgproject.content_profile_stig ++ ++. $SHARED/dconf_test_functions.sh ++ ++yum -y install dconf ++clean_dconf_settings ++ ++add_dconf_setting "org/gnome/desktop/media-handling" "autorun-never" "true" "local.d" "00-security-settings" ++add_dconf_lock "org/gnome/desktop/media-handling" "autorun-never" "local.d" "00-security-settings" +diff --git a/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_autorun/tests/wrong_value.fail.sh b/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_autorun/tests/wrong_value.fail.sh +new file mode 100644 +index 0000000000..33a439cbb6 +--- /dev/null ++++ b/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_autorun/tests/wrong_value.fail.sh +@@ -0,0 +1,7 @@ ++#!/bin/bash ++# profiles = xccdf_org.ssgproject.content_profile_stig ++ ++. $SHARED/dconf_test_functions.sh ++ ++yum -y install dconf ++clean_dconf_settings +diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt +index c012e605a9..6c0ea9893b 100644 +--- a/shared/references/cce-redhat-avail.txt ++++ b/shared/references/cce-redhat-avail.txt +@@ -293,8 +293,6 @@ CCE-83688-2 + CCE-83689-0 + CCE-83690-8 + CCE-83691-6 +-CCE-83692-4 +-CCE-83693-2 + CCE-83694-0 + CCE-83695-7 + CCE-83696-5 +@@ -333,8 +331,6 @@ CCE-83735-1 + CCE-83736-9 + CCE-83739-3 + CCE-83740-1 +-CCE-83741-9 +-CCE-83742-7 + CCE-83743-5 + CCE-83744-3 + CCE-83745-0 + +From cfdaf607bcc61551032a9b2a48d4ea68c15775a9 Mon Sep 17 00:00:00 2001 +From: Gabriel Becker +Date: Thu, 6 Aug 2020 15:54:22 +0200 +Subject: [PATCH 2/8] Update RHEL7 STIG profile with new rules. + +- dconf_gnome_disable_automount_open +- dconf_gnome_disable_autorun +--- + rhel7/profiles/stig.profile | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/rhel7/profiles/stig.profile b/rhel7/profiles/stig.profile +index f9f3e94e2a..0d723117a5 100644 +--- a/rhel7/profiles/stig.profile ++++ b/rhel7/profiles/stig.profile +@@ -77,6 +77,9 @@ selections: + - dconf_gnome_screensaver_idle_activation_locked + - dconf_gnome_screensaver_lock_delay + - dconf_gnome_disable_ctrlaltdel_reboot ++ - dconf_gnome_disable_automount ++ - dconf_gnome_disable_automount_open ++ - dconf_gnome_disable_autorun + - accounts_password_pam_ucredit + - accounts_password_pam_lcredit + - accounts_password_pam_dcredit + +From 52d1ac84f72e071a1de46a940d3a4e4cf52d807d Mon Sep 17 00:00:00 2001 +From: Gabriel Becker +Date: Thu, 6 Aug 2020 15:55:25 +0200 +Subject: [PATCH 3/8] Update RHEL7 NCP profile with new rules. + +- dconf_gnome_disable_automount_open +- dconf_gnome_disable_autorun +--- + rhel7/profiles/ncp.profile | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/rhel7/profiles/ncp.profile b/rhel7/profiles/ncp.profile +index 7de1c7bb42..cf1ccc4612 100644 +--- a/rhel7/profiles/ncp.profile ++++ b/rhel7/profiles/ncp.profile +@@ -317,6 +317,8 @@ selections: + - dconf_db_up_to_date + - dconf_gnome_banner_enabled + - dconf_gnome_disable_automount ++ - dconf_gnome_disable_automount_open ++ - dconf_gnome_disable_autorun + - dconf_gnome_disable_ctrlaltdel_reboot + - dconf_gnome_disable_geolocation + - dconf_gnome_disable_restart_shutdown + +From 929054cec387203c53c3e3df166b09e6aa02023b Mon Sep 17 00:00:00 2001 +From: Gabriel Becker +Date: Tue, 18 Aug 2020 16:44:29 +0200 +Subject: [PATCH 4/8] Use bash function to install required testing packages. + +dconf and gdm packages are required make checks applicable. +--- + .../tests/correct_value.pass.sh | 2 +- + .../tests/wrong_value.fail.sh | 7 +++++++ + .../tests/correct_value.pass.sh | 2 +- + .../tests/wrong_value.fail.sh | 2 +- + .../tests/correct_value.pass.sh | 2 +- + .../dconf_gnome_disable_autorun/tests/wrong_value.fail.sh | 2 +- + 6 files changed, 12 insertions(+), 5 deletions(-) + create mode 100644 linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount/tests/wrong_value.fail.sh + +diff --git a/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount/tests/correct_value.pass.sh b/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount/tests/correct_value.pass.sh +index 685f5925c5..6aeeeee8ee 100644 +--- a/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount/tests/correct_value.pass.sh ++++ b/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount/tests/correct_value.pass.sh +@@ -3,7 +3,7 @@ + + . $SHARED/dconf_test_functions.sh + +-yum -y install dconf ++install_dconf_and_gdm_if_needed + clean_dconf_settings + + add_dconf_setting "org/gnome/desktop/media-handling" "automount" "false" "local.d" "00-security-settings" +diff --git a/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount/tests/wrong_value.fail.sh b/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount/tests/wrong_value.fail.sh +new file mode 100644 +index 0000000000..35c6e417ad +--- /dev/null ++++ b/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount/tests/wrong_value.fail.sh +@@ -0,0 +1,7 @@ ++#!/bin/bash ++# profiles = xccdf_org.ssgproject.content_profile_stig ++ ++. $SHARED/dconf_test_functions.sh ++ ++install_dconf_and_gdm_if_needed ++clean_dconf_settings +diff --git a/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount_open/tests/correct_value.pass.sh b/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount_open/tests/correct_value.pass.sh +index b9995bf679..77c49a861b 100644 +--- a/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount_open/tests/correct_value.pass.sh ++++ b/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount_open/tests/correct_value.pass.sh +@@ -3,7 +3,7 @@ + + . $SHARED/dconf_test_functions.sh + +-yum -y install dconf ++install_dconf_and_gdm_if_needed + clean_dconf_settings + + add_dconf_setting "org/gnome/desktop/media-handling" "automount-open" "false" "local.d" "00-security-settings" +diff --git a/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount_open/tests/wrong_value.fail.sh b/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount_open/tests/wrong_value.fail.sh +index 33a439cbb6..35c6e417ad 100644 +--- a/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount_open/tests/wrong_value.fail.sh ++++ b/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount_open/tests/wrong_value.fail.sh +@@ -3,5 +3,5 @@ + + . $SHARED/dconf_test_functions.sh + +-yum -y install dconf ++install_dconf_and_gdm_if_needed + clean_dconf_settings +diff --git a/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_autorun/tests/correct_value.pass.sh b/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_autorun/tests/correct_value.pass.sh +index 8688fc864a..0c30c00a3d 100644 +--- a/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_autorun/tests/correct_value.pass.sh ++++ b/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_autorun/tests/correct_value.pass.sh +@@ -3,7 +3,7 @@ + + . $SHARED/dconf_test_functions.sh + +-yum -y install dconf ++install_dconf_and_gdm_if_needed + clean_dconf_settings + + add_dconf_setting "org/gnome/desktop/media-handling" "autorun-never" "true" "local.d" "00-security-settings" +diff --git a/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_autorun/tests/wrong_value.fail.sh b/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_autorun/tests/wrong_value.fail.sh +index 33a439cbb6..35c6e417ad 100644 +--- a/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_autorun/tests/wrong_value.fail.sh ++++ b/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_autorun/tests/wrong_value.fail.sh +@@ -3,5 +3,5 @@ + + . $SHARED/dconf_test_functions.sh + +-yum -y install dconf ++install_dconf_and_gdm_if_needed + clean_dconf_settings + +From 8eccb4a33a38043224e3ef7d6b591fcaa7c0a8c5 Mon Sep 17 00:00:00 2001 +From: Gabriel Becker +Date: Mon, 21 Sep 2020 16:25:41 +0200 +Subject: [PATCH 5/8] Escape bracket character in dconf automount rules + regexes. + +--- + .../dconf_gnome_disable_automount/oval/shared.xml | 2 +- + .../dconf_gnome_disable_automount_open/oval/shared.xml | 2 +- + .../dconf_gnome_disable_autorun/oval/shared.xml | 2 +- + 3 files changed, 3 insertions(+), 3 deletions(-) + +diff --git a/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount/oval/shared.xml b/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount/oval/shared.xml +index c05b1d8e1b..8024311b23 100644 +--- a/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount/oval/shared.xml ++++ b/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount/oval/shared.xml +@@ -23,7 +23,7 @@ + version="1"> + /etc/dconf/db/local.d/ + ^.*$ +- ^\[org/gnome/desktop/media-handling]([^\n]*\n+)+?automount=false$ ++ ^\[org/gnome/desktop/media-handling\]([^\n]*\n+)+?automount=false$ + 1 + + +diff --git a/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount_open/oval/shared.xml b/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount_open/oval/shared.xml +index 84264fa8f4..3230efca62 100644 +--- a/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount_open/oval/shared.xml ++++ b/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount_open/oval/shared.xml +@@ -31,7 +31,7 @@ + version="1"> + /etc/dconf/db/local.d/ + ^.*$ +- ^\[org/gnome/desktop/media-handling]([^\n]*\n+)+?automount-open=false$ ++ ^\[org/gnome/desktop/media-handling\]([^\n]*\n+)+?automount-open=false$ + 1 + + +diff --git a/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_autorun/oval/shared.xml b/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_autorun/oval/shared.xml +index 4c9840c644..a7f54a7f19 100644 +--- a/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_autorun/oval/shared.xml ++++ b/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_autorun/oval/shared.xml +@@ -31,7 +31,7 @@ + version="1"> + /etc/dconf/db/local.d/ + ^.*$ +- ^\[org/gnome/desktop/media-handling]([^\n]*\n+)+?autorun-never=true$ ++ ^\[org/gnome/desktop/media-handling\]([^\n]*\n+)+?autorun-never=true$ + 1 + + + +From ff380dc7ccab82d40b0c94a782901f439c76b89a Mon Sep 17 00:00:00 2001 +From: Gabriel Becker +Date: Mon, 21 Sep 2020 16:49:23 +0200 +Subject: [PATCH 6/8] Use oval_metadata macro in some dconf gnome rules. + +Reduce boilerplate code by using jinja macro. +--- + .../oval/shared.xml | 3 +-- + .../oval/shared.xml | 15 +++------------ + .../dconf_gnome_disable_autorun/oval/shared.xml | 17 ++++------------- + 3 files changed, 8 insertions(+), 27 deletions(-) + +diff --git a/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount/oval/shared.xml b/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount/oval/shared.xml +index 8024311b23..7cc031206c 100644 +--- a/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount/oval/shared.xml ++++ b/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount/oval/shared.xml +@@ -2,8 +2,7 @@ + + {{{ oval_metadata("The system's default desktop environment, GNOME3, will mount + devices and removable media (such as DVDs, CDs and USB flash drives) +- whenever they are inserted into the system. Disable automount and autorun +- within GNOME3.") }}} ++ whenever they are inserted into the system. Disable automount within GNOME3.", title="Disable GNOME3 automount") }}} + + + +diff --git a/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount_open/oval/shared.xml b/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount_open/oval/shared.xml +index 3230efca62..1d2cda88ba 100644 +--- a/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount_open/oval/shared.xml ++++ b/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount_open/oval/shared.xml +@@ -1,17 +1,8 @@ + + +- +- Disable GNOME3 automount-open +- +- Red Hat Enterprise Linux 7 +- Red Hat Enterprise Linux 8 +- multi_platform_fedora +- +- The system's default desktop environment, GNOME3, will mount +- devices and removable media (such as DVDs, CDs and USB flash drives) +- whenever they are inserted into the system. Disable automount-open +- within GNOME3. +- ++ {{{ oval_metadata("The system's default desktop environment, GNOME3, will mount ++ devices and removable media (such as DVDs, CDs and USB flash drives) ++ whenever they are inserted into the system. Disable automount-open within GNOME3.", title="Disable GNOME3 automount-open") }}} + + + +diff --git a/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_autorun/oval/shared.xml b/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_autorun/oval/shared.xml +index a7f54a7f19..6299881f45 100644 +--- a/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_autorun/oval/shared.xml ++++ b/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_autorun/oval/shared.xml +@@ -1,20 +1,11 @@ + + +- +- Disable GNOME3 Automounting +- +- Red Hat Enterprise Linux 7 +- Red Hat Enterprise Linux 8 +- multi_platform_fedora +- +- The system's default desktop environment, GNOME3, will mount +- devices and removable media (such as DVDs, CDs and USB flash drives) +- whenever they are inserted into the system. Disable automount and autorun +- within GNOME3. +- ++ {{{ oval_metadata("The system's default desktop environment, GNOME3, will mount ++ devices and removable media (such as DVDs, CDs and USB flash drives) ++ whenever they are inserted into the system. Disable autorun within GNOME3.", title="Disable GNOME3 autorun") }}} + + +- ++ + + + + +From 90c9b3d5e6796ec5c309af2a8b9e1d6fca1be263 Mon Sep 17 00:00:00 2001 +From: Gabriel Becker +Date: Mon, 21 Sep 2020 16:57:24 +0200 +Subject: [PATCH 7/8] Fix ansible remediation for dconf gnome disable mount + rules. + +--- + .../dconf_gnome_disable_automount/ansible/shared.yml | 1 + + .../dconf_gnome_disable_automount_open/ansible/shared.yml | 1 + + .../dconf_gnome_disable_autorun/ansible/shared.yml | 1 + + 3 files changed, 3 insertions(+) + +diff --git a/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount/ansible/shared.yml b/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount/ansible/shared.yml +index eeb7b8f301..964ba02a4f 100644 +--- a/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount/ansible/shared.yml ++++ b/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount/ansible/shared.yml +@@ -10,6 +10,7 @@ + option: automount + value: "false" + create: yes ++ no_extra_spaces: yes + + - name: "Prevent user modification of GNOME3 Automounting - automount" + lineinfile: +diff --git a/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount_open/ansible/shared.yml b/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount_open/ansible/shared.yml +index 680d148347..65a6a0784b 100644 +--- a/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount_open/ansible/shared.yml ++++ b/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount_open/ansible/shared.yml +@@ -10,6 +10,7 @@ + option: automount-open + value: "false" + create: yes ++ no_extra_spaces: yes + + - name: "Prevent user modification of GNOME3 Automounting - automount-open" + lineinfile: +diff --git a/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_autorun/ansible/shared.yml b/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_autorun/ansible/shared.yml +index 036246e3be..7f5394f13a 100644 +--- a/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_autorun/ansible/shared.yml ++++ b/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_autorun/ansible/shared.yml +@@ -10,6 +10,7 @@ + option: autorun-never + value: "true" + create: yes ++ no_extra_spaces: yes + + - name: "Prevent user modification of GNOME3 Automounting - autorun-never" + lineinfile: + +From ea3110c04b78c2d7bc3bae9977b4d4a19386e259 Mon Sep 17 00:00:00 2001 +From: Gabriel Becker +Date: Wed, 4 Nov 2020 09:52:08 +0100 +Subject: [PATCH 8/8] Deduplicate STIG ID in gnome automount rules. + +--- + .../dconf_gnome_disable_automount_open/rule.yml | 1 - + .../gnome_media_settings/dconf_gnome_disable_autorun/rule.yml | 1 - + 2 files changed, 2 deletions(-) + +diff --git a/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount_open/rule.yml b/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount_open/rule.yml +index 07ce263102..f76241a48d 100644 +--- a/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount_open/rule.yml ++++ b/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount_open/rule.yml +@@ -39,7 +39,6 @@ references: + cobit5: APO13.01,DSS01.04,DSS05.03,DSS05.04,DSS05.05,DSS05.07,DSS06.03 + iso27001-2013: A.11.2.6,A.13.1.1,A.13.2.1,A.6.2.1,A.6.2.2,A.7.1.1,A.9.2.1 + cis-csc: 12,16 +- stig@rhel7: RHEL-07-020111 + disa: CCI-001958 + srg: SRG-OS-000114-GPOS-00059,SRG-OS-000378-GPOS-00163,SRG-OS-000480-GPOS-00227 + +diff --git a/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_autorun/rule.yml b/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_autorun/rule.yml +index 92fa209fb5..943b444ceb 100644 +--- a/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_autorun/rule.yml ++++ b/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_autorun/rule.yml +@@ -39,7 +39,6 @@ references: + cobit5: APO13.01,DSS01.04,DSS05.03,DSS05.04,DSS05.05,DSS05.07,DSS06.03 + iso27001-2013: A.11.2.6,A.13.1.1,A.13.2.1,A.6.2.1,A.6.2.2,A.7.1.1,A.9.2.1 + cis-csc: 12,16 +- stig@rhel7: RHEL-07-020111 + disa: CCI-001958 + srg: SRG-OS-000114-GPOS-00059,SRG-OS-000378-GPOS-00163,SRG-OS-000480-GPOS-00227 + diff --git a/SOURCES/scap-security-guide-0.1.54-update_RHEL_07_910055-PR_6430.patch b/SOURCES/scap-security-guide-0.1.54-update_RHEL_07_910055-PR_6430.patch new file mode 100644 index 0000000..b2092d3 --- /dev/null +++ b/SOURCES/scap-security-guide-0.1.54-update_RHEL_07_910055-PR_6430.patch @@ -0,0 +1,90 @@ +From 25dcc59ebea297789ee89cfe0263ec8575455da7 Mon Sep 17 00:00:00 2001 +From: Gabriel Becker +Date: Thu, 26 Nov 2020 15:45:10 +0100 +Subject: [PATCH 1/2] Update RHEL7 STIG profile with /var/log/audit related + rules. + +Add file_permissions_var_log_audit and file_ownership_var_log_audit to +RHEL7 STIG profile. +--- + .../file_ownership_var_log_audit/rule.yml | 1 + + .../file_permissions_var_log_audit/oval/shared.xml | 2 +- + .../file_permissions_var_log_audit/rule.yml | 1 + + rhel7/profiles/stig.profile | 2 ++ + 4 files changed, 5 insertions(+), 1 deletion(-) + +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/file_ownership_var_log_audit/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/file_ownership_var_log_audit/rule.yml +index 248ff3598..8a8c71520 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/file_ownership_var_log_audit/rule.yml ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/file_ownership_var_log_audit/rule.yml +@@ -21,6 +21,7 @@ identifiers: + + references: + stigid@ol7: OL07-00-910055 ++ stigid@rhel7: RHEL-07-910055 + stigid@rhel6: RHEL-06-000384 + srg@rhel6: SRG-OS-000057 + disa@rhel6: CCI-000166 +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/file_permissions_var_log_audit/oval/shared.xml b/linux_os/guide/system/auditing/auditd_configure_rules/file_permissions_var_log_audit/oval/shared.xml +index 5941ea660f..1bb7dd453c 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/file_permissions_var_log_audit/oval/shared.xml ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/file_permissions_var_log_audit/oval/shared.xml +@@ -34,7 +34,7 @@ + + + +- ++ + true + true + true +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/file_permissions_var_log_audit/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/file_permissions_var_log_audit/rule.yml +index 6c265d68b..d6b36b647 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/file_permissions_var_log_audit/rule.yml ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/file_permissions_var_log_audit/rule.yml +@@ -24,6 +24,7 @@ identifiers: + + references: + stigid@ol7: OL07-00-910055 ++ stigid@rhel7: RHEL-07-910055 + disa: CCI-000162,CCI-000163,CCI-000164,CCI-001314 + srg: SRG-OS-000057-GPOS-00027,SRG-OS-000058-GPOS-00028,SRG-OS-000059-GPOS-00029,SRG-OS-000206-GPOS-00084 + stigid@rhel6: RHEL-06-000383 +diff --git a/rhel7/profiles/stig.profile b/rhel7/profiles/stig.profile +index 4698785a49..1d94e79964 100644 +--- a/rhel7/profiles/stig.profile ++++ b/rhel7/profiles/stig.profile +@@ -313,3 +313,5 @@ selections: + - mount_option_dev_shm_nosuid + - audit_rules_privileged_commands_mount + - package_MFEhiplsm_installed ++ - file_ownership_var_log_audit ++ - file_permissions_var_log_audit + +From e83eaf0ff5a3e3a4cb7a3caac0410c4ad4813312 Mon Sep 17 00:00:00 2001 +From: Gabriel Becker +Date: Thu, 26 Nov 2020 15:57:29 +0100 +Subject: [PATCH 2/2] Remove unrelated fix content from + file_permissions_var_log_audit bash. + +--- + .../file_permissions_var_log_audit/bash/shared.sh | 5 ----- + 1 file changed, 5 deletions(-) + +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/file_permissions_var_log_audit/bash/shared.sh b/linux_os/guide/system/auditing/auditd_configure_rules/file_permissions_var_log_audit/bash/shared.sh +index 3175a18a23..d6c45867e5 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/file_permissions_var_log_audit/bash/shared.sh ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/file_permissions_var_log_audit/bash/shared.sh +@@ -9,12 +9,7 @@ if LC_ALL=C grep -m 1 -q ^log_group /etc/audit/auditd.conf; then + chmod 0600 /var/log/audit/audit.log + chmod 0400 /var/log/audit/audit.log.* + fi +- +- chmod 0640 /etc/audit/audit* +- chmod 0640 /etc/audit/rules.d/* + else + chmod 0600 /var/log/audit/audit.log + chmod 0400 /var/log/audit/audit.log.* +- chmod 0640 /etc/audit/audit* +- chmod 0640 /etc/audit/rules.d/* + fi diff --git a/SOURCES/scap-security-guide-0.1.54-update_grub2_enable_fips_mode-PR_6418.patch b/SOURCES/scap-security-guide-0.1.54-update_grub2_enable_fips_mode-PR_6418.patch new file mode 100644 index 0000000..24052bc --- /dev/null +++ b/SOURCES/scap-security-guide-0.1.54-update_grub2_enable_fips_mode-PR_6418.patch @@ -0,0 +1,35 @@ +From 48e3c05ea2bdf769700aa1059293e61122cc3798 Mon Sep 17 00:00:00 2001 +From: Gabriel Becker +Date: Wed, 25 Nov 2020 12:27:50 +0100 +Subject: [PATCH] Add test to grub2_enable_fips_mode to check if + /etc/system-fips exists. + +--- + .../software/integrity/fips/etc_system_fips_exists/rule.yml | 2 +- + .../integrity/fips/grub2_enable_fips_mode/oval/shared.xml | 1 + + 2 files changed, 2 insertions(+), 1 deletion(-) + +diff --git a/linux_os/guide/system/software/integrity/fips/etc_system_fips_exists/rule.yml b/linux_os/guide/system/software/integrity/fips/etc_system_fips_exists/rule.yml +index 2bc0abb631..7b2076df40 100644 +--- a/linux_os/guide/system/software/integrity/fips/etc_system_fips_exists/rule.yml ++++ b/linux_os/guide/system/software/integrity/fips/etc_system_fips_exists/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: fedora,rhcos4,ol8,rhel8,rhv4 ++prodtype: fedora,rhcos4,ol7,ol8,rhel7,rhel8,rhv4,wrlinux1019 + + title: Ensure '/etc/system-fips' exists + +diff --git a/linux_os/guide/system/software/integrity/fips/grub2_enable_fips_mode/oval/shared.xml b/linux_os/guide/system/software/integrity/fips/grub2_enable_fips_mode/oval/shared.xml +index dcd668d97c..31997d844e 100644 +--- a/linux_os/guide/system/software/integrity/fips/grub2_enable_fips_mode/oval/shared.xml ++++ b/linux_os/guide/system/software/integrity/fips/grub2_enable_fips_mode/oval/shared.xml +@@ -6,6 +6,7 @@ + + + ++ + + + diff --git a/SOURCES/scap-security-guide-0.1.54-update_stig_reference-PR_6422.patch b/SOURCES/scap-security-guide-0.1.54-update_stig_reference-PR_6422.patch new file mode 100644 index 0000000..c730a7d --- /dev/null +++ b/SOURCES/scap-security-guide-0.1.54-update_stig_reference-PR_6422.patch @@ -0,0 +1,10052 @@ +From e32e21b9e2577b047d8dc12d27dda0f1fd7359b4 Mon Sep 17 00:00:00 2001 +From: Gabriel Becker +Date: Wed, 25 Nov 2020 17:03:34 +0100 +Subject: [PATCH] Update RHEL7 STIG benchmark reference from v2r8 to v3r1. + +--- + .../disa-stig-rhel7-v2r8-xccdf-manual.xml | 4989 ---------------- + .../disa-stig-rhel7-v3r1-xccdf-manual.xml | 5037 +++++++++++++++++ + 2 files changed, 5037 insertions(+), 4989 deletions(-) + delete mode 100644 shared/references/disa-stig-rhel7-v2r8-xccdf-manual.xml + create mode 100644 shared/references/disa-stig-rhel7-v3r1-xccdf-manual.xml + +diff --git a/shared/references/disa-stig-rhel7-v2r8-xccdf-manual.xml b/shared/references/disa-stig-rhel7-v2r8-xccdf-manual.xml +deleted file mode 100644 +index 01fb97e10d..0000000000 +--- a/shared/references/disa-stig-rhel7-v2r8-xccdf-manual.xml ++++ /dev/null +@@ -1,4989 +0,0 @@ +-acceptedRed Hat Enterprise Linux 7 Security Technical Implementation GuideThis Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.DISASTIG.DOD.MILRelease: 8 Benchmark Date: 24 Jul 20202I - Mission Critical Classified<ProfileDescription></ProfileDescription>I - Mission Critical Sensitive<ProfileDescription></ProfileDescription>II - Mission Support Public<ProfileDescription></ProfileDescription>III - Administrative Classified<ProfileDescription></ProfileDescription>III - Administrative Sensitive<ProfileDescription></ProfileDescription>I - Mission Critical Public<ProfileDescription></ProfileDescription>II - Mission Support Classified<ProfileDescription></ProfileDescription>II - Mission Support Sensitive<ProfileDescription></ProfileDescription>III - Administrative Public<ProfileDescription></ProfileDescription>SRG-OS-000257-GPOS-00098<GroupDescription></GroupDescription>RHEL-07-010010The Red Hat Enterprise Linux operating system must be configured so that the file permissions, ownership, and group membership of system files and commands match the vendor values.<VulnDiscussion>Discretionary access control is weakened if a user or group has access permissions to system files and directories greater than the default. ++ ++Satisfies: SRG-OS-000257-GPOS-00098, SRG-OS-000278-GPOS-00108</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-71849SV-86473CCI-001494CCI-001496CCI-002165CCI-002235Run the following command to determine which package owns the file: ++ ++# rpm -qf <filename> ++ ++Reset the user and group ownership of files within a package with the following command: ++ ++#rpm --setugids <packagename> ++ ++ ++Reset the permissions of files within a package with the following command: ++ ++#rpm --setperms <packagename>Verify the file permissions, ownership, and group membership of system files and commands match the vendor values. ++ ++Check the default file permissions, ownership, and group membership of system files and commands with the following command: ++ ++# for i in `rpm -Va | egrep -i '^\.[M|U|G|.]{8}' | cut -d " " -f 4,5`;do for j in `rpm -qf $i`;do rpm -ql $j --dump | cut -d " " -f 1,5,6,7 | grep $i;done;done ++ ++/var/log/gdm 040755 root root ++/etc/audisp/audisp-remote.conf 0100640 root root ++/usr/bin/passwd 0104755 root root ++ ++For each file returned, verify the current permissions, ownership, and group membership: ++# ls -la <filename> ++ ++-rw-------. 1 root root 133 Jan 11 13:25 /etc/audisp/audisp-remote.conf ++ ++If the file is more permissive than the default permissions, this is a finding. ++ ++If the file is not owned by the default owner and is not documented with the Information System Security Officer (ISSO), this is a finding. ++ ++If the file is not a member of the default group and is not documented with the Information System Security Officer (ISSO), this is a finding.SRG-OS-000023-GPOS-00006<GroupDescription></GroupDescription>RHEL-07-010030The Red Hat Enterprise Linux operating system must display the Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via a graphical user logon.<VulnDiscussion>Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. ++ ++System use notifications are required only for access via logon interfaces with human users and are not required when such human interfaces do not exist. ++ ++The banner must be formatted in accordance with applicable DoD policy. Use the following verbiage for operating systems that can accommodate banners of 1300 characters: ++ ++"You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. ++ ++By using this IS (which includes any device attached to this IS), you consent to the following conditions: ++ ++-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. ++ ++-At any time, the USG may inspect and seize data stored on this IS. ++ ++-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. ++ ++-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. ++ ++-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details." ++ ++ ++Satisfies: SRG-OS-000023-GPOS-00006, SRG-OS-000024-GPOS-00007, SRG-OS-000228-GPOS-00088</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86483V-71859CCI-000048Configure the operating system to display the Standard Mandatory DoD Notice and Consent Banner before granting access to the system. ++ ++Note: If the system does not have GNOME installed, this requirement is Not Applicable. ++ ++Create a database to contain the system-wide graphical user logon settings (if it does not already exist) with the following command: ++ ++# touch /etc/dconf/db/local.d/01-banner-message ++ ++Add the following line to the [org/gnome/login-screen] section of the "/etc/dconf/db/local.d/01-banner-message": ++ ++[org/gnome/login-screen] ++banner-message-enable=true ++ ++Update the system databases: ++ ++# dconf update ++ ++Users must log out and back in again before the system-wide settings take effect.Verify the operating system displays the Standard Mandatory DoD Notice and Consent Banner before granting access to the operating system via a graphical user logon. ++ ++Note: If the system does not have GNOME installed, this requirement is Not Applicable. ++ ++Check to see if the operating system displays a banner at the logon screen with the following command: ++ ++# grep banner-message-enable /etc/dconf/db/local.d/* ++banner-message-enable=true ++ ++If "banner-message-enable" is set to "false" or is missing, this is a finding.SRG-OS-000023-GPOS-00006<GroupDescription></GroupDescription>RHEL-07-010040The Red Hat Enterprise Linux operating system must display the approved Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via a graphical user logon.<VulnDiscussion>Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. ++ ++System use notifications are required only for access via logon interfaces with human users and are not required when such human interfaces do not exist. ++ ++The banner must be formatted in accordance with applicable DoD policy. ++ ++"You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. ++ ++By using this IS (which includes any device attached to this IS), you consent to the following conditions: ++ ++-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. ++ ++-At any time, the USG may inspect and seize data stored on this IS. ++ ++-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. ++ ++-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. ++ ++-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details." ++ ++Satisfies: SRG-OS-000023-GPOS-00006, SRG-OS-000024-GPOS-00007, SRG-OS-000228-GPOS-00088</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86485V-71861CCI-000048Configure the operating system to display the approved Standard Mandatory DoD Notice and Consent Banner before granting access to the system. ++ ++Note: If the system does not have a Graphical User Interface installed, this requirement is Not Applicable. ++ ++Create a database to contain the system-wide graphical user logon settings (if it does not already exist) with the following command: ++ ++# touch /etc/dconf/db/local.d/01-banner-message ++ ++Add the following line to the [org/gnome/login-screen] section of the "/etc/dconf/db/local.d/01-banner-message": ++ ++[org/gnome/login-screen] ++ ++banner-message-enable=true ++ ++banner-message-text='You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only.\nBy using this IS (which includes any device attached to this IS), you consent to the following conditions:\n-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.\n-At any time, the USG may inspect and seize data stored on this IS.\n-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.\n-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details. ' ++ ++Note: The "\n " characters are for formatting only. They will not be displayed on the Graphical User Interface. ++ ++Run the following command to update the database: ++# dconf updateVerify the operating system displays the approved Standard Mandatory DoD Notice and Consent Banner before granting access to the operating system via a graphical user logon. ++ ++Note: If the system does not have a Graphical User Interface installed, this requirement is Not Applicable. ++ ++Check that the operating system displays the exact approved Standard Mandatory DoD Notice and Consent Banner text with the command: ++ ++# grep banner-message-text /etc/dconf/db/local.d/* ++banner-message-text= ++'You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only.\nBy using this IS (which includes any device attached to this IS), you consent to the following conditions:\n-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.\n-At any time, the USG may inspect and seize data stored on this IS.\n-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.\n-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details. ' ++ ++Note: The "\n " characters are for formatting only. They will not be displayed on the Graphical User Interface. ++ ++If the banner does not match the approved Standard Mandatory DoD Notice and Consent Banner, this is a finding.SRG-OS-000023-GPOS-00006<GroupDescription></GroupDescription>RHEL-07-010050The Red Hat Enterprise Linux operating system must display the Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via a command line user logon.<VulnDiscussion>Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. ++ ++System use notifications are required only for access via logon interfaces with human users and are not required when such human interfaces do not exist. ++ ++The banner must be formatted in accordance with applicable DoD policy. Use the following verbiage for operating systems that can accommodate banners of 1300 characters: ++ ++"You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. ++ ++By using this IS (which includes any device attached to this IS), you consent to the following conditions: ++ ++-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. ++ ++-At any time, the USG may inspect and seize data stored on this IS. ++ ++-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. ++ ++-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. ++ ++-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details." ++ ++Satisfies: SRG-OS-000023-GPOS-00006, SRG-OS-000024-GPOS-00007</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86487V-71863CCI-000048Configure the operating system to display the Standard Mandatory DoD Notice and Consent Banner before granting access to the system via the command line by editing the "/etc/issue" file. ++ ++Replace the default text with the Standard Mandatory DoD Notice and Consent Banner. The DoD required text is: ++"You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. ++ ++By using this IS (which includes any device attached to this IS), you consent to the following conditions: ++ ++-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. ++ ++-At any time, the USG may inspect and seize data stored on this IS. ++ ++-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. ++ ++-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. ++ ++-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details."Verify the operating system displays the Standard Mandatory DoD Notice and Consent Banner before granting access to the operating system via a command line user logon. ++ ++Check to see if the operating system displays a banner at the command line logon screen with the following command: ++ ++# more /etc/issue ++ ++The command should return the following text: ++"You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. ++ ++By using this IS (which includes any device attached to this IS), you consent to the following conditions: ++ ++-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. ++ ++-At any time, the USG may inspect and seize data stored on this IS. ++ ++-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. ++ ++-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. ++ ++-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details." ++ ++If the operating system does not display a graphical logon banner or the banner does not match the Standard Mandatory DoD Notice and Consent Banner, this is a finding. ++ ++If the text in the "/etc/issue" file does not match the Standard Mandatory DoD Notice and Consent Banner, this is a finding.SRG-OS-000028-GPOS-00009<GroupDescription></GroupDescription>RHEL-07-010060The Red Hat Enterprise Linux operating system must enable a user session lock until that user re-establishes access using established identification and authentication procedures.<VulnDiscussion>A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not want to log out because of the temporary nature of the absence. ++ ++The session lock is implemented at the point where session activity can be determined. ++ ++Regardless of where the session lock is determined and implemented, once invoked, the session lock must remain in place until the user reauthenticates. No other activity aside from reauthentication must unlock the system. ++ ++Satisfies: SRG-OS-000028-GPOS-00009, SRG-OS-000030-GPOS-00011</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86515V-71891CCI-000056Configure the operating system to enable a user's session lock until that user re-establishes access using established identification and authentication procedures. ++ ++Create a database to contain the system-wide screensaver settings (if it does not already exist) with the following example: ++ ++# touch /etc/dconf/db/local.d/00-screensaver ++ ++Edit the "[org/gnome/desktop/screensaver]" section of the database file and add or update the following lines: ++ ++# Set this to true to lock the screen when the screensaver activates ++lock-enabled=true ++ ++Update the system databases: ++ ++# dconf update ++ ++Users must log out and back in again before the system-wide settings take effect. Verify the operating system enables a user's session lock until that user re-establishes access using established identification and authentication procedures. The screen program must be installed to lock sessions on the console. ++ ++Note: If the system does not have GNOME installed, this requirement is Not Applicable. ++ ++Check to see if the screen lock is enabled with the following command: ++ ++# grep -i lock-enabled /etc/dconf/db/local.d/* ++lock-enabled=true ++ ++If the "lock-enabled" setting is missing or is not set to "true", this is a finding.SRG-OS-000375-GPOS-00160<GroupDescription></GroupDescription>RHEL-07-010061The Red Hat Enterprise Linux operating system must uniquely identify and must authenticate users using multifactor authentication via a graphical user logon.<VulnDiscussion>To assure accountability and prevent unauthenticated access, users must be identified and authenticated to prevent potential misuse and compromise of the system. ++ ++Multifactor solutions that require devices separate from information systems gaining access include, for example, hardware tokens providing time-based or challenge-response authenticators and smart cards such as the U.S. Government Personal Identity Verification card and the DoD Common Access Card. ++ ++Satisfies: SRG-OS-000375-GPOS-00161,SRG-OS-000375-GPOS-00162</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-77819SV-92515CCI-001948CCI-001953CCI-001954Configure the operating system to uniquely identify and authenticate users using multifactor authentication via a graphical user logon. ++ ++Note: If the system does not have GNOME installed, this requirement is Not Applicable. ++ ++Create a database to contain the system-wide screensaver settings (if it does not already exist) with the following command: ++ ++Note: The example is using the database local for the system, so if the system is using another database in "/etc/dconf/profile/user", the file should be created under the appropriate subdirectory. ++ ++# touch /etc/dconf/db/local.d/00-defaults ++ ++Edit "[org/gnome/login-screen]" and add or update the following line: ++enable-smartcard-authentication=true ++ ++Update the system databases: ++# dconf updateVerify the operating system uniquely identifies and authenticates users using multifactor authentication via a graphical user logon. ++ ++Note: If the system does not have GNOME installed, this requirement is Not Applicable. ++ ++Determine which profile the system database is using with the following command: ++ ++# grep system-db /etc/dconf/profile/user ++ ++system-db:local ++ ++Note: The example is using the database local for the system, so the path is "/etc/dconf/db/local.d". This path must be modified if a database other than local is being used. ++ ++# grep enable-smartcard-authentication /etc/dconf/db/local.d/* ++ ++enable-smartcard-authentication=true ++ ++If "enable-smartcard-authentication" is set to "false" or the keyword is missing, this is a finding.SRG-OS-000029-GPOS-00010<GroupDescription></GroupDescription>RHEL-07-010070The Red Hat Enterprise Linux operating system must initiate a screensaver after a 15-minute period of inactivity for graphical user interfaces.<VulnDiscussion>A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not log out because of the temporary nature of the absence. Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity, operating systems need to be able to identify when a user's session has idled and take action to initiate the session lock. ++ ++The session lock is implemented at the point where session activity can be determined and/or controlled.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86517V-71893CCI-000057Configure the operating system to initiate a screensaver after a 15-minute period of inactivity for graphical user interfaces. ++ ++Create a database to contain the system-wide screensaver settings (if it does not already exist) with the following command: ++ ++# touch /etc/dconf/db/local.d/00-screensaver ++ ++Edit /etc/dconf/db/local.d/00-screensaver and add or update the following lines: ++ ++[org/gnome/desktop/session] ++# Set the lock time out to 900 seconds before the session is considered idle ++idle-delay=uint32 900 ++ ++You must include the "uint32" along with the integer key values as shown. ++ ++Update the system databases: ++ ++# dconf update ++ ++Users must log out and back in again before the system-wide settings take effect.Verify the operating system initiates a screensaver after a 15-minute period of inactivity for graphical user interfaces. The screen program must be installed to lock sessions on the console. ++ ++Note: If the system does not have GNOME installed, this requirement is Not Applicable. ++ ++Check to see if GNOME is configured to display a screensaver after a 15 minute delay with the following command: ++ ++# grep -i idle-delay /etc/dconf/db/local.d/* ++idle-delay=uint32 900 ++ ++If the "idle-delay" setting is missing or is not set to "900" or less, this is a finding.SRG-OS-000029-GPOS-00010<GroupDescription></GroupDescription>RHEL-07-010081The Red Hat Enterprise Linux operating system must prevent a user from overriding the screensaver lock-delay setting for the graphical user interface.<VulnDiscussion>A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not log out because of the temporary nature of the absence. Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity, operating systems need to be able to identify when a user's session has idled and take action to initiate the session lock. ++ ++The session lock is implemented at the point where session activity can be determined and/or controlled.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-87807V-73155CCI-000057Configure the operating system to prevent a user from overriding a screensaver lock after a 15-minute period of inactivity for graphical user interfaces. ++ ++Create a database to contain the system-wide screensaver settings (if it does not already exist) with the following command: ++ ++Note: The example below is using the database "local" for the system, so if the system is using another database in "/etc/dconf/profile/user", the file should be created under the appropriate subdirectory. ++ ++# touch /etc/dconf/db/local.d/locks/session ++ ++Add the setting to lock the screensaver lock delay: ++ ++/org/gnome/desktop/screensaver/lock-delayVerify the operating system prevents a user from overriding a screensaver lock after a 15-minute period of inactivity for graphical user interfaces. ++ ++Note: If the system does not have GNOME installed, this requirement is Not Applicable. The screen program must be installed to lock sessions on the console. ++ ++Determine which profile the system database is using with the following command: ++# grep system-db /etc/dconf/profile/user ++ ++system-db:local ++ ++Check for the lock delay setting with the following command: ++ ++Note: The example below is using the database "local" for the system, so the path is "/etc/dconf/db/local.d". This path must be modified if a database other than "local" is being used. ++ ++# grep -i lock-delay /etc/dconf/db/local.d/locks/* ++ ++/org/gnome/desktop/screensaver/lock-delay ++ ++If the command does not return a result, this is a finding.SRG-OS-000029-GPOS-00010<GroupDescription></GroupDescription>RHEL-07-010082The Red Hat Enterprise Linux operating system must prevent a user from overriding the session idle-delay setting for the graphical user interface.<VulnDiscussion>A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not log out because of the temporary nature of the absence. Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity, operating systems need to be able to identify when a user's session has idled and take action to initiate the session lock. ++ ++The session lock is implemented at the point where session activity can be determined and/or controlled.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-87809V-73157CCI-000057Configure the operating system to prevent a user from overriding a session lock after a 15-minute period of inactivity for graphical user interfaces. ++ ++Create a database to contain the system-wide screensaver settings (if it does not already exist) with the following command: ++ ++Note: The example below is using the database "local" for the system, so if the system is using another database in /etc/dconf/profile/user, the file should be created under the appropriate subdirectory. ++ ++# touch /etc/dconf/db/local.d/locks/session ++ ++Add the setting to lock the session idle delay: ++ ++/org/gnome/desktop/session/idle-delayVerify the operating system prevents a user from overriding session idle delay after a 15-minute period of inactivity for graphical user interfaces. ++ ++Note: If the system does not have GNOME installed, this requirement is Not Applicable. The screen program must be installed to lock sessions on the console. ++ ++Determine which profile the system database is using with the following command: ++# grep system-db /etc/dconf/profile/user ++ ++system-db:local ++ ++Check for the session idle delay setting with the following command: ++ ++Note: The example below is using the database "local" for the system, so the path is "/etc/dconf/db/local.d". This path must be modified if a database other than "local" is being used. ++ ++# grep -i idle-delay /etc/dconf/db/local.d/locks/* ++ ++/org/gnome/desktop/session/idle-delay ++ ++If the command does not return a result, this is a finding.SRG-OS-000029-GPOS-00010<GroupDescription></GroupDescription>RHEL-07-010100The Red Hat Enterprise Linux operating system must initiate a session lock for the screensaver after a period of inactivity for graphical user interfaces.<VulnDiscussion>A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not log out because of the temporary nature of the absence. Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity, operating systems need to be able to identify when a user's session has idled and take action to initiate the session lock. ++ ++The session lock is implemented at the point where session activity can be determined and/or controlled.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86523V-71899CCI-000057Configure the operating system to initiate a session lock after a 15-minute period of inactivity for graphical user interfaces. ++ ++Create a database to contain the system-wide screensaver settings (if it does not already exist) with the following command: ++ ++# touch /etc/dconf/db/local.d/00-screensaver ++ ++Add the setting to enable screensaver locking after 15 minutes of inactivity: ++ ++[org/gnome/desktop/screensaver] ++ ++idle-activation-enabled=true ++ ++Update the system databases: ++ ++# dconf update ++ ++Users must log out and back in again before the system-wide settings take effect.Verify the operating system initiates a session lock after a 15-minute period of inactivity for graphical user interfaces. The screen program must be installed to lock sessions on the console. ++ ++Note: If the system does not have a Graphical User Interface installed, this requirement is Not Applicable. ++ ++Check for the session lock settings with the following commands: ++ ++# grep -i idle-activation-enabled /etc/dconf/db/local.d/* ++ ++idle-activation-enabled=true ++ ++If "idle-activation-enabled" is not set to "true", this is a finding.SRG-OS-000029-GPOS-00010<GroupDescription></GroupDescription>RHEL-07-010101The Red Hat Enterprise Linux operating system must prevent a user from overriding the screensaver idle-activation-enabled setting for the graphical user interface.<VulnDiscussion>A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not want to log out because of the temporary nature of the absence. ++ ++The session lock is implemented at the point where session activity can be determined. ++ ++The ability to enable/disable a session lock is given to the user by default. Disabling the user's ability to disengage the graphical user interface session lock provides the assurance that all sessions will lock after the specified period of time.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-78997SV-93703CCI-000057Configure the operating system to prevent a user from overriding a screensaver lock after a 15-minute period of inactivity for graphical user interfaces. ++ ++Create a database to contain the system-wide screensaver settings (if it does not already exist) with the following command: ++ ++Note: The example below is using the database "local" for the system, so if the system is using another database in "/etc/dconf/profile/user", the file should be created under the appropriate subdirectory. ++ ++# touch /etc/dconf/db/local.d/locks/session ++ ++Add the setting to lock the screensaver idle-activation-enabled setting: ++ ++/org/gnome/desktop/screensaver/idle-activation-enabledVerify the operating system prevents a user from overriding the screensaver idle-activation-enabled setting for the graphical user interface. ++ ++Note: If the system does not have GNOME installed, this requirement is Not Applicable. The screen program must be installed to lock sessions on the console. ++ ++Determine which profile the system database is using with the following command: ++# grep system-db /etc/dconf/profile/user ++ ++system-db:local ++ ++Check for the idle-activation-enabled setting with the following command: ++ ++Note: The example below is using the database "local" for the system, so the path is "/etc/dconf/db/local.d". This path must be modified if a database other than "local" is being used. ++ ++# grep -i idle-activation-enabled /etc/dconf/db/local.d/locks/* ++ ++/org/gnome/desktop/screensaver/idle-activation-enabled ++ ++If the command does not return a result, this is a finding.SRG-OS-000029-GPOS-00010<GroupDescription></GroupDescription>RHEL-07-010110The Red Hat Enterprise Linux operating system must initiate a session lock for graphical user interfaces when the screensaver is activated.<VulnDiscussion>A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not log out because of the temporary nature of the absence. Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity, operating systems need to be able to identify when a user's session has idled and take action to initiate the session lock. ++ ++The session lock is implemented at the point where session activity can be determined and/or controlled.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86525V-71901CCI-000057Configure the operating system to initiate a session lock for graphical user interfaces when a screensaver is activated. ++ ++Create a database to contain the system-wide screensaver settings (if it does not already exist) with the following command: ++ ++# touch /etc/dconf/db/local.d/00-screensaver ++ ++Add the setting to enable session locking when a screensaver is activated: ++ ++[org/gnome/desktop/screensaver] ++lock-delay=uint32 5 ++ ++The "uint32" must be included along with the integer key values as shown. ++ ++Update the system databases: ++ ++# dconf update ++ ++Users must log out and back in again before the system-wide settings take effect.Verify the operating system initiates a session lock a for graphical user interfaces when the screensaver is activated. ++ ++Note: If the system does not have GNOME installed, this requirement is Not Applicable. The screen program must be installed to lock sessions on the console. ++ ++If GNOME is installed, check to see a session lock occurs when the screensaver is activated with the following command: ++ ++# grep -i lock-delay /etc/dconf/db/local.d/* ++lock-delay=uint32 5 ++ ++If the "lock-delay" setting is missing, or is not set to "5" or less, this is a finding.SRG-OS-000069-GPOS-00037<GroupDescription></GroupDescription>RHEL-07-010118The Red Hat Enterprise Linux operating system must be configured so that /etc/pam.d/passwd implements /etc/pam.d/system-auth when changing passwords.<VulnDiscussion>Pluggable authentication modules (PAM) allow for a modular approach to integrating authentication methods. PAM operates in a top-down processing model and if the modules are not listed in the correct order, an important security function could be bypassed if stack entries are not centralized.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-95715V-81003CCI-000192Configure PAM to utilize /etc/pam.d/system-auth when changing passwords. ++ ++Add the following line to "/etc/pam.d/passwd" (or modify the line to have the required value): ++ ++password substack system-authVerify that /etc/pam.d/passwd is configured to use /etc/pam.d/system-auth when changing passwords: ++ ++# cat /etc/pam.d/passwd | grep -i substack | grep -i system-auth ++password substack system-auth ++ ++If no results are returned, the line is commented out, this is a finding.SRG-OS-000069-GPOS-00037<GroupDescription></GroupDescription>RHEL-07-010119The Red Hat Enterprise Linux operating system must be configured so that when passwords are changed or new passwords are established, pwquality must be used.<VulnDiscussion>Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. "pwquality" enforces complex password construction configuration and has the ability to limit brute-force attacks on the system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-87811V-73159CCI-000192Configure the operating system to use "pwquality" to enforce password complexity rules. ++ ++Add the following line to "/etc/pam.d/system-auth" (or modify the line to have the required value): ++ ++password required pam_pwquality.so retry=3 ++ ++Note: The value of "retry" should be between "1" and "3".Verify the operating system uses "pwquality" to enforce the password complexity rules. ++ ++Check for the use of "pwquality" with the following command: ++ ++# cat /etc/pam.d/system-auth | grep pam_pwquality ++ ++password required pam_pwquality.so retry=3 ++ ++If the command does not return an uncommented line containing the value "pam_pwquality.so", this is a finding. ++ ++If the value of "retry" is set to "0" or greater than "3", this is a finding.SRG-OS-000069-GPOS-00037<GroupDescription></GroupDescription>RHEL-07-010120The Red Hat Enterprise Linux operating system must be configured so that when passwords are changed or new passwords are established, the new password must contain at least one upper-case character.<VulnDiscussion>Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. ++ ++Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86527V-71903CCI-000192Configure the operating system to enforce password complexity by requiring that at least one upper-case character be used by setting the "ucredit" option. ++ ++Add the following line to "/etc/security/pwquality.conf" (or modify the line to have the required value): ++ ++ucredit = -1Note: The value to require a number of upper-case characters to be set is expressed as a negative number in "/etc/security/pwquality.conf". ++ ++Check the value for "ucredit" in "/etc/security/pwquality.conf" with the following command: ++ ++# grep ucredit /etc/security/pwquality.conf ++ucredit = -1 ++ ++If the value of "ucredit" is not set to a negative value, this is a finding.SRG-OS-000070-GPOS-00038<GroupDescription></GroupDescription>RHEL-07-010130The Red Hat Enterprise Linux operating system must be configured so that when passwords are changed or new passwords are established, the new password must contain at least one lower-case character.<VulnDiscussion>Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. ++ ++Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-71905SV-86529CCI-000193Configure the system to require at least one lower-case character when creating or changing a password. ++ ++Add or modify the following line ++in "/etc/security/pwquality.conf": ++ ++lcredit = -1Note: The value to require a number of lower-case characters to be set is expressed as a negative number in "/etc/security/pwquality.conf". ++ ++Check the value for "lcredit" in "/etc/security/pwquality.conf" with the following command: ++ ++# grep lcredit /etc/security/pwquality.conf ++lcredit = -1 ++ ++If the value of "lcredit" is not set to a negative value, this is a finding.SRG-OS-000071-GPOS-00039<GroupDescription></GroupDescription>RHEL-07-010140The Red Hat Enterprise Linux operating system must be configured so that when passwords are changed or new passwords are assigned, the new password must contain at least one numeric character.<VulnDiscussion>Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. ++ ++Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-71907SV-86531CCI-000194Configure the operating system to enforce password complexity by requiring that at least one numeric character be used by setting the "dcredit" option. ++ ++Add the following line to /etc/security/pwquality.conf (or modify the line to have the required value): ++ ++dcredit = -1Note: The value to require a number of numeric characters to be set is expressed as a negative number in "/etc/security/pwquality.conf". ++ ++Check the value for "dcredit" in "/etc/security/pwquality.conf" with the following command: ++ ++# grep dcredit /etc/security/pwquality.conf ++dcredit = -1 ++ ++If the value of "dcredit" is not set to a negative value, this is a finding.SRG-OS-000266-GPOS-00101<GroupDescription></GroupDescription>RHEL-07-010150The Red Hat Enterprise Linux operating system must be configured so that when passwords are changed or new passwords are established, the new password must contain at least one special character.<VulnDiscussion>Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. ++ ++Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86533V-71909CCI-001619Configure the operating system to enforce password complexity by requiring that at least one special character be used by setting the "ocredit" option. ++ ++Add the following line to "/etc/security/pwquality.conf" (or modify the line to have the required value): ++ ++ocredit = -1Verify the operating system enforces password complexity by requiring that at least one special character be used. ++ ++Note: The value to require a number of special characters to be set is expressed as a negative number in "/etc/security/pwquality.conf". ++ ++Check the value for "ocredit" in "/etc/security/pwquality.conf" with the following command: ++ ++# grep ocredit /etc/security/pwquality.conf ++ocredit=-1 ++ ++If the value of "ocredit" is not set to a negative value, this is a finding.SRG-OS-000072-GPOS-00040<GroupDescription></GroupDescription>RHEL-07-010160The Red Hat Enterprise Linux operating system must be configured so that when passwords are changed a minimum of eight of the total number of characters must be changed.<VulnDiscussion>Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. ++ ++Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-71911SV-86535CCI-000195Configure the operating system to require the change of at least eight of the total number of characters when passwords are changed by setting the "difok" option. ++ ++Add the following line to "/etc/security/pwquality.conf" (or modify the line to have the required value): ++ ++difok = 8The "difok" option sets the number of characters in a password that must not be present in the old password. ++ ++Check for the value of the "difok" option in "/etc/security/pwquality.conf" with the following command: ++ ++# grep difok /etc/security/pwquality.conf ++difok = 8 ++ ++If the value of "difok" is set to less than "8", this is a finding.SRG-OS-000072-GPOS-00040<GroupDescription></GroupDescription>RHEL-07-010170The Red Hat Enterprise Linux operating system must be configured so that when passwords are changed a minimum of four character classes must be changed.<VulnDiscussion>Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. ++ ++Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-71913SV-86537CCI-000195Configure the operating system to require the change of at least four character classes when passwords are changed by setting the "minclass" option. ++ ++Add the following line to "/etc/security/pwquality.conf conf" (or modify the line to have the required value): ++ ++minclass = 4The "minclass" option sets the minimum number of required classes of characters for the new password (digits, upper-case, lower-case, others). ++ ++Check for the value of the "minclass" option in "/etc/security/pwquality.conf" with the following command: ++ ++# grep minclass /etc/security/pwquality.conf ++minclass = 4 ++ ++If the value of "minclass" is set to less than "4", this is a finding.SRG-OS-000072-GPOS-00040<GroupDescription></GroupDescription>RHEL-07-010180The Red Hat Enterprise Linux operating system must be configured so that when passwords are changed the number of repeating consecutive characters must not be more than three characters.<VulnDiscussion>Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. ++ ++Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-71915SV-86539CCI-000195Configure the operating system to require the change of the number of repeating consecutive characters when passwords are changed by setting the "maxrepeat" option. ++ ++Add the following line to "/etc/security/pwquality.conf conf" (or modify the line to have the required value): ++ ++maxrepeat = 3The "maxrepeat" option sets the maximum number of allowed same consecutive characters in a new password. ++ ++Check for the value of the "maxrepeat" option in "/etc/security/pwquality.conf" with the following command: ++ ++# grep maxrepeat /etc/security/pwquality.conf ++maxrepeat = 3 ++ ++If the value of "maxrepeat" is set to more than "3", this is a finding.SRG-OS-000072-GPOS-00040<GroupDescription></GroupDescription>RHEL-07-010190The Red Hat Enterprise Linux operating system must be configured so that when passwords are changed the number of repeating characters of the same character class must not be more than four characters.<VulnDiscussion>Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. ++ ++Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-71917SV-86541CCI-000195Configure the operating system to require the change of the number of repeating characters of the same character class when passwords are changed by setting the "maxclassrepeat" option. ++ ++Add the following line to "/etc/security/pwquality.conf" conf (or modify the line to have the required value): ++ ++maxclassrepeat = 4The "maxclassrepeat" option sets the maximum number of allowed same consecutive characters in the same class in the new password. ++ ++Check for the value of the "maxclassrepeat" option in "/etc/security/pwquality.conf" with the following command: ++ ++# grep maxclassrepeat /etc/security/pwquality.conf ++maxclassrepeat = 4 ++ ++If the value of "maxclassrepeat" is set to more than "4", this is a finding.SRG-OS-000073-GPOS-00041<GroupDescription></GroupDescription>RHEL-07-010200The Red Hat Enterprise Linux operating system must be configured so that the PAM system service is configured to store only encrypted representations of passwords.<VulnDiscussion>Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised. Passwords encrypted with a weak algorithm are no more protected than if they are kept in plain text.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-71919SV-86543CCI-000196Configure the operating system to store only SHA512 encrypted representations of passwords. ++ ++Add the following line in "/etc/pam.d/system-auth": ++pam_unix.so sha512 shadow try_first_pass use_authtok ++ ++Add the following line in "/etc/pam.d/password-auth": ++pam_unix.so sha512 shadow try_first_pass use_authtok ++ ++Note: Manual changes to the listed files may be overwritten by the "authconfig" program. The "authconfig" program should not be used to update the configurations listed in this requirement.Verify the PAM system service is configured to store only encrypted representations of passwords. The strength of encryption that must be used to hash passwords for all accounts is SHA512. ++ ++Check that the system is configured to create SHA512 hashed passwords with the following command: ++ ++# grep password /etc/pam.d/system-auth /etc/pam.d/password-auth ++ ++Outcome should look like following: ++/etc/pam.d/system-auth-ac:password sufficient pam_unix.so sha512 shadow try_first_pass use_authtok ++/etc/pam.d/password-auth:password sufficient pam_unix.so sha512 shadow try_first_pass use_authtok ++ ++If the "/etc/pam.d/system-auth" and "/etc/pam.d/password-auth" configuration files allow for password hashes other than SHA512 to be used, this is a finding.SRG-OS-000073-GPOS-00041<GroupDescription></GroupDescription>RHEL-07-010210The Red Hat Enterprise Linux operating system must be configured to use the shadow file to store only encrypted representations of passwords.<VulnDiscussion>Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised. Passwords encrypted with a weak algorithm are no more protected than if they are kept in plain text.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-71921SV-86545CCI-000196Configure the operating system to store only SHA512 encrypted representations of passwords. ++ ++Add or update the following line in "/etc/login.defs": ++ ++ENCRYPT_METHOD SHA512Verify the system's shadow file is configured to store only encrypted representations of passwords. The strength of encryption that must be used to hash passwords for all accounts is SHA512. ++ ++Check that the system is configured to create SHA512 hashed passwords with the following command: ++ ++# grep -i encrypt /etc/login.defs ++ENCRYPT_METHOD SHA512 ++ ++If the "/etc/login.defs" configuration file does not exist or allows for password hashes other than SHA512 to be used, this is a finding.SRG-OS-000073-GPOS-00041<GroupDescription></GroupDescription>RHEL-07-010220The Red Hat Enterprise Linux operating system must be configured so that user and group account administration utilities are configured to store only encrypted representations of passwords.<VulnDiscussion>Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised. Passwords encrypted with a weak algorithm are no more protected than if they are kept in plain text.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-71923SV-86547CCI-000196Configure the operating system to store only SHA512 encrypted representations of passwords. ++ ++Add or update the following line in "/etc/libuser.conf" in the [defaults] section: ++ ++crypt_style = sha512Verify the user and group account administration utilities are configured to store only encrypted representations of passwords. The strength of encryption that must be used to hash passwords for all accounts is "SHA512". ++ ++Check that the system is configured to create "SHA512" hashed passwords with the following command: ++ ++# grep -i sha512 /etc/libuser.conf ++ ++crypt_style = sha512 ++ ++If the "crypt_style" variable is not set to "sha512", is not in the defaults section, is commented out, or does not exist, this is a finding.SRG-OS-000075-GPOS-00043<GroupDescription></GroupDescription>RHEL-07-010230The Red Hat Enterprise Linux operating system must be configured so that passwords for new users are restricted to a 24 hours/1 day minimum lifetime.<VulnDiscussion>Enforcing a minimum password lifetime helps to prevent repeated password changes to defeat the password reuse or history enforcement requirement. If users are allowed to immediately and continually change their password, the password could be repeatedly changed in a short period of time to defeat the organization's policy regarding password reuse.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-71925SV-86549CCI-000198Configure the operating system to enforce 24 hours/1 day as the minimum password lifetime. ++ ++Add the following line in "/etc/login.defs" (or modify the line to have the required value): ++ ++PASS_MIN_DAYS 1Verify the operating system enforces 24 hours/1 day as the minimum password lifetime for new user accounts. ++ ++Check for the value of "PASS_MIN_DAYS" in "/etc/login.defs" with the following command: ++ ++# grep -i pass_min_days /etc/login.defs ++PASS_MIN_DAYS 1 ++ ++If the "PASS_MIN_DAYS" parameter value is not "1" or greater, or is commented out, this is a finding.SRG-OS-000075-GPOS-00043<GroupDescription></GroupDescription>RHEL-07-010240The Red Hat Enterprise Linux operating system must be configured so that passwords are restricted to a 24 hours/1 day minimum lifetime.<VulnDiscussion>Enforcing a minimum password lifetime helps to prevent repeated password changes to defeat the password reuse or history enforcement requirement. If users are allowed to immediately and continually change their password, the password could be repeatedly changed in a short period of time to defeat the organization's policy regarding password reuse.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-71927SV-86551CCI-000198Configure non-compliant accounts to enforce a 24 hours/1 day minimum password lifetime: ++ ++# chage -m 1 [user]Check whether the minimum time period between password changes for each user account is one day or greater. ++ ++# awk -F: '$4 < 1 {print $1 " " $4}' /etc/shadow ++ ++If any results are returned that are not associated with a system account, this is a finding.SRG-OS-000076-GPOS-00044<GroupDescription></GroupDescription>RHEL-07-010250The Red Hat Enterprise Linux operating system must be configured so that passwords for new users are restricted to a 60-day maximum lifetime.<VulnDiscussion>Any password, no matter how complex, can eventually be cracked. Therefore, passwords need to be changed periodically. If the operating system does not limit the lifetime of passwords and force users to change their passwords, there is the risk that the operating system passwords could be compromised.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86553V-71929CCI-000199Configure the operating system to enforce a 60-day maximum password lifetime restriction. ++ ++Add the following line in "/etc/login.defs" (or modify the line to have the required value): ++ ++PASS_MAX_DAYS 60If passwords are not being used for authentication, this is Not Applicable. ++ ++Verify the operating system enforces a 60-day maximum password lifetime restriction for new user accounts. ++ ++Check for the value of "PASS_MAX_DAYS" in "/etc/login.defs" with the following command: ++ ++# grep -i pass_max_days /etc/login.defs ++PASS_MAX_DAYS 60 ++ ++If the "PASS_MAX_DAYS" parameter value is not 60 or less, or is commented out, this is a finding.SRG-OS-000076-GPOS-00044<GroupDescription></GroupDescription>RHEL-07-010260The Red Hat Enterprise Linux operating system must be configured so that existing passwords are restricted to a 60-day maximum lifetime.<VulnDiscussion>Any password, no matter how complex, can eventually be cracked. Therefore, passwords need to be changed periodically. If the operating system does not limit the lifetime of passwords and force users to change their passwords, there is the risk that the operating system passwords could be compromised.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86555V-71931CCI-000199Configure non-compliant accounts to enforce a 60-day maximum password lifetime restriction. ++ ++# chage -M 60 [user]Check whether the maximum time period for existing passwords is restricted to 60 days. ++ ++# awk -F: '$5 > 60 {print $1 " " $5}' /etc/shadow ++ ++If any results are returned that are not associated with a system account, this is a finding. ++SRG-OS-000077-GPOS-00045<GroupDescription></GroupDescription>RHEL-07-010270The Red Hat Enterprise Linux operating system must be configured so that passwords are prohibited from reuse for a minimum of five generations.<VulnDiscussion>Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. If the information system or application allows the user to consecutively reuse their password when that password has exceeded its defined lifetime, the end result is a password that is not changed per policy requirements.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86557V-71933CCI-000200Configure the operating system to prohibit password reuse for a minimum of five generations. ++ ++Add the following line in "/etc/pam.d/system-auth" and "/etc/pam.d/password-auth" (or modify the line to have the required value): ++ ++password requisite pam_pwhistory.so use_authtok remember=5 retry=3 ++ ++Note: Manual changes to the listed files may be overwritten by the "authconfig" program. The "authconfig" program should not be used to update the configurations listed in this requirement.Verify the operating system prohibits password reuse for a minimum of five generations. ++ ++Check for the value of the "remember" argument in "/etc/pam.d/system-auth" and "/etc/pam.d/password-auth" with the following command: ++ ++# grep -i remember /etc/pam.d/system-auth /etc/pam.d/password-auth ++ ++password requisite pam_pwhistory.so use_authtok remember=5 retry=3 ++ ++If the line containing the "pam_pwhistory.so" line does not have the "remember" module argument set, is commented out, or the value of the "remember" module argument is set to less than "5", this is a finding.SRG-OS-000078-GPOS-00046<GroupDescription></GroupDescription>RHEL-07-010280The Red Hat Enterprise Linux operating system must be configured so that passwords are a minimum of 15 characters in length.<VulnDiscussion>The shorter the password, the lower the number of possible combinations that need to be tested before the password is compromised. ++ ++Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password length is one factor of several that helps to determine strength and how long it takes to crack a password. Use of more characters in a password helps to exponentially increase the time and/or resources required to compromise the password.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86559V-71935CCI-000205Configure operating system to enforce a minimum 15-character password length. ++ ++Add the following line to "/etc/security/pwquality.conf" (or modify the line to have the required value): ++ ++minlen = 15Verify the operating system enforces a minimum 15-character password length. The "minlen" option sets the minimum number of characters in a new password. ++ ++Check for the value of the "minlen" option in "/etc/security/pwquality.conf" with the following command: ++ ++# grep minlen /etc/security/pwquality.conf ++minlen = 15 ++ ++If the command does not return a "minlen" value of 15 or greater, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-010290The Red Hat Enterprise Linux operating system must not have accounts configured with blank or null passwords.<VulnDiscussion>If an account has an empty password, anyone could log on and run commands with the privileges of that account. Accounts with empty passwords should never be used in operational environments.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-71937SV-86561CCI-000366If an account is configured for password authentication but does not have an assigned password, it may be possible to log on to the account without authenticating. ++ ++Remove any instances of the "nullok" option in "/etc/pam.d/system-auth" and "/etc/pam.d/password-auth" to prevent logons with empty passwords. ++ ++Note: Manual changes to the listed files may be overwritten by the "authconfig" program. The "authconfig" program should not be used to update the configurations listed in this requirement.To verify that null passwords cannot be used, run the following command: ++ ++# grep nullok /etc/pam.d/system-auth /etc/pam.d/password-auth ++ ++If this produces any output, it may be possible to log on with accounts with empty passwords. ++ ++If null passwords can be used, this is a finding.SRG-OS-000106-GPOS-00053<GroupDescription></GroupDescription>RHEL-07-010300The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon does not allow authentication using an empty password.<VulnDiscussion>Configuring this setting for the SSH daemon provides additional assurance that remote logon via SSH will require a password, even in the event of misconfiguration elsewhere.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86563V-71939CCI-000766To explicitly disallow remote logon from accounts with empty passwords, add or correct the following line in "/etc/ssh/sshd_config": ++ ++PermitEmptyPasswords no ++ ++The SSH service must be restarted for changes to take effect. Any accounts with empty passwords should be disabled immediately, and PAM configuration should prevent users from being able to assign themselves empty passwords.To determine how the SSH daemon's "PermitEmptyPasswords" option is set, run the following command: ++ ++# grep -i PermitEmptyPasswords /etc/ssh/sshd_config ++PermitEmptyPasswords no ++ ++If no line, a commented line, or a line indicating the value "no" is returned, the required value is set. ++ ++If the required value is not set, this is a finding.SRG-OS-000118-GPOS-00060<GroupDescription></GroupDescription>RHEL-07-010310The Red Hat Enterprise Linux operating system must disable account identifiers (individuals, groups, roles, and devices) if the password expires.<VulnDiscussion>Inactive identifiers pose a risk to systems and applications because attackers may exploit an inactive identifier and potentially obtain undetected access to the system. Owners of inactive accounts will not notice if unauthorized access to their user account has been obtained. ++ ++Operating systems need to track periods of inactivity and disable application identifiers after zero days of inactivity.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86565V-71941CCI-000795Configure the operating system to disable account identifiers (individuals, groups, roles, and devices) after the password expires. ++ ++Add the following line to "/etc/default/useradd" (or modify the line to have the required value): ++ ++INACTIVE=0If passwords are not being used for authentication, this is Not Applicable. ++ ++Verify the operating system disables account identifiers (individuals, groups, roles, and devices) after the password expires with the following command: ++ ++# grep -i inactive /etc/default/useradd ++INACTIVE=0 ++ ++If the value is not set to "0", is commented out, or is not defined, this is a finding.SRG-OS-000329-GPOS-00128<GroupDescription></GroupDescription>RHEL-07-010320The Red Hat Enterprise Linux operating system must be configured to lock accounts for a minimum of 15 minutes after three unsuccessful logon attempts within a 15-minute timeframe.<VulnDiscussion>By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-forcing, is reduced. Limits are imposed by locking the account. ++ ++Satisfies: SRG-OS-000329-GPOS-00128, SRG-OS-000021-GPOS-00005</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-71943SV-86567CCI-000044CCI-002236CCI-002237CCI-002238Configure the operating system to lock an account for the maximum period when three unsuccessful logon attempts in 15 minutes are made. ++ ++Modify the first three lines of the auth section and the first line of the account section of the "/etc/pam.d/system-auth" and "/etc/pam.d/password-auth" files to match the following lines: ++ ++auth required pam_faillock.so preauth silent audit deny=3 even_deny_root fail_interval=900 unlock_time=900 ++auth sufficient pam_unix.so try_first_pass ++auth [default=die] pam_faillock.so authfail audit deny=3 even_deny_root fail_interval=900 unlock_time=900 ++account required pam_faillock.so ++ ++Note: Manual changes to the listed files may be overwritten by the "authconfig" program. The "authconfig" program should not be used to update the configurations listed in this requirement.Check that the system locks an account for a minimum of 15 minutes after three unsuccessful logon attempts within a period of 15 minutes with the following command: ++ ++# grep pam_faillock.so /etc/pam.d/password-auth ++ ++auth required pam_faillock.so preauth silent audit deny=3 even_deny_root fail_interval=900 unlock_time=900 ++auth [default=die] pam_faillock.so authfail audit deny=3 even_deny_root fail_interval=900 unlock_time=900 ++account required pam_faillock.so ++ ++If the "deny" parameter is set to "0" or a value greater than "3" on both "auth" lines with the "pam_faillock.so" module, or is missing from these lines, this is a finding. ++ ++If the "even_deny_root" parameter is not set on both "auth" lines with the "pam_faillock.so" module, or is missing from these lines, this is a finding. ++ ++If the "fail_interval" parameter is set to "0" or is set to a value less than "900" on both "auth" lines with the "pam_faillock.so" module, or is missing from these lines, this is a finding. ++ ++If the "unlock_time" parameter is not set to "0", "never", or is set to a value less than "900" on both "auth" lines with the "pam_faillock.so" module, or is missing from these lines, this is a finding. ++ ++Note: The maximum configurable value for "unlock_time" is "604800". ++ ++If any line referencing the "pam_faillock.so" module is commented out, this is a finding. ++ ++# grep pam_faillock.so /etc/pam.d/system-auth ++ ++auth required pam_faillock.so preauth silent audit deny=3 even_deny_root fail_interval=900 unlock_time=900 ++auth [default=die] pam_faillock.so authfail audit deny=3 even_deny_root fail_interval=900 unlock_time=900 ++account required pam_faillock.so ++ ++If the "deny" parameter is set to "0" or a value greater than "3" on both "auth" lines with the "pam_faillock.so" module, or is missing from these lines, this is a finding. ++ ++If the "even_deny_root" parameter is not set on both "auth" lines with the "pam_faillock.so" module, or is missing from these lines, this is a finding. ++ ++If the "fail_interval" parameter is set to "0" or is set to a value less than "900" on both "auth" lines with the "pam_faillock.so" module, or is missing from these lines, this is a finding. ++ ++If the "unlock_time" parameter is not set to "0", "never", or is set to a value less than "900" on both "auth" lines with the "pam_faillock.so" module or is missing from these lines, this is a finding. ++ ++Note: The maximum configurable value for "unlock_time" is "604800". ++ ++If any line referencing the "pam_faillock.so" module is commented out, this is a finding.SRG-OS-000329-GPOS-00128<GroupDescription></GroupDescription>RHEL-07-010330The Red Hat Enterprise Linux operating system must lock the associated account after three unsuccessful root logon attempts are made within a 15-minute period.<VulnDiscussion>By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute forcing, is reduced. Limits are imposed by locking the account. ++ ++Satisfies: SRG-OS-000329-GPOS-00128, SRG-OS-000021-GPOS-00005</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-71945SV-86569CCI-002238Configure the operating system to lock automatically the root account until the locked account is released by an administrator when three unsuccessful logon attempts in 15 minutes are made. ++ ++Modify the first three lines of the auth section and the first line of the account section of the "/etc/pam.d/system-auth" and "/etc/pam.d/password-auth" files to match the following lines: ++ ++auth required pam_faillock.so preauth silent audit deny=3 even_deny_root fail_interval=900 unlock_time=900 ++auth sufficient pam_unix.so try_first_pass ++auth [default=die] pam_faillock.so authfail audit deny=3 even_deny_root fail_interval=900 unlock_time=900 ++account required pam_faillock.so ++ ++Note: Manual changes to the listed files may be overwritten by the "authconfig" program. The "authconfig" program should not be used to update the configurations listed in this requirement.Verify the operating system automatically locks the root account until it is released by an administrator when three unsuccessful logon attempts in 15 minutes are made. ++ ++# grep pam_faillock.so /etc/pam.d/password-auth ++auth required pam_faillock.so preauth silent audit deny=3 even_deny_root fail_interval=900 unlock_time=900 ++auth [default=die] pam_faillock.so authfail audit deny=3 even_deny_root fail_interval=900 unlock_time=900 ++account required pam_faillock.so ++ ++If the "even_deny_root" setting is not defined on both lines with the "pam_faillock.so" module, is commented out, or is missing from a line, this is a finding. ++ ++# grep pam_faillock.so /etc/pam.d/system-auth ++auth required pam_faillock.so preauth silent audit deny=3 even_deny_root fail_interval=900 unlock_time=900 ++auth [default=die] pam_faillock.so authfail audit deny=3 even_deny_root fail_interval=900 unlock_time=900 ++account required pam_faillock.so ++ ++If the "even_deny_root" setting is not defined on both lines with the "pam_faillock.so" module, is commented out, or is missing from a line, this is a finding.SRG-OS-000373-GPOS-00156<GroupDescription></GroupDescription>RHEL-07-010340The Red Hat Enterprise Linux operating system must be configured so that users must provide a password for privilege escalation.<VulnDiscussion>Without re-authentication, users may access resources or perform tasks for which they do not have authorization. ++ ++When operating systems provide the capability to escalate a functional capability, it is critical the user re-authenticate. ++ ++Satisfies: SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-71947SV-86571CCI-002038Configure the operating system to require users to supply a password for privilege escalation. ++ ++Check the configuration of the "/etc/sudoers" file with the following command: ++# visudo ++ ++Remove any occurrences of "NOPASSWD" tags in the file. ++ ++Check the configuration of the /etc/sudoers.d/* files with the following command: ++# grep -i nopasswd /etc/sudoers.d/* ++ ++Remove any occurrences of "NOPASSWD" tags in the file.Verify the operating system requires users to supply a password for privilege escalation. ++ ++Check the configuration of the "/etc/sudoers" and "/etc/sudoers.d/*" files with the following command: ++ ++# grep -i nopasswd /etc/sudoers /etc/sudoers.d/* ++ ++If any occurrences of "NOPASSWD" are returned from the command and have not been documented with the Information System Security Officer (ISSO) as an organizationally defined administrative group utilizing MFA, this is a finding.SRG-OS-000373-GPOS-00156<GroupDescription></GroupDescription>RHEL-07-010350The Red Hat Enterprise Linux operating system must be configured so that users must re-authenticate for privilege escalation.<VulnDiscussion>Without re-authentication, users may access resources or perform tasks for which they do not have authorization. ++ ++When operating systems provide the capability to escalate a functional capability, it is critical the user reauthenticate. ++ ++Satisfies: SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-71949SV-86573CCI-002038Configure the operating system to require users to reauthenticate for privilege escalation. ++ ++Check the configuration of the "/etc/sudoers" file with the following command: ++ ++# visudo ++Remove any occurrences of "!authenticate" tags in the file. ++ ++Check the configuration of the "/etc/sudoers.d/*" files with the following command: ++ ++# grep -i authenticate /etc/sudoers /etc/sudoers.d/* ++Remove any occurrences of "!authenticate" tags in the file(s).Verify the operating system requires users to reauthenticate for privilege escalation. ++ ++Check the configuration of the "/etc/sudoers" and "/etc/sudoers.d/*" files with the following command: ++ ++# grep -i authenticate /etc/sudoers /etc/sudoers.d/* ++ ++If any uncommented line is found with a "!authenticate" tag, this is a finding.SRG-OS-000480-GPOS-00226<GroupDescription></GroupDescription>RHEL-07-010430The Red Hat Enterprise Linux operating system must be configured so that the delay between logon prompts following a failed console logon attempt is at least four seconds.<VulnDiscussion>Configuring the operating system to implement organization-wide security implementation guides and security checklists verifies compliance with federal standards and establishes a common security baseline across DoD that reflects the most restrictive security posture consistent with operational requirements. ++ ++Configuration settings are the set of parameters that can be changed in hardware, software, or firmware components of the system that affect the security posture and/or functionality of the system. Security-related parameters are those parameters impacting the security state of the system, including the parameters required to satisfy other security control requirements. Security-related parameters include, for example, registry settings; account, file, and directory permission settings; and settings for functions, ports, protocols, services, and remote connections.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86575V-71951CCI-000366Configure the operating system to enforce a delay of at least four seconds between logon prompts following a failed console logon attempt. ++ ++Modify the "/etc/login.defs" file to set the "FAIL_DELAY" parameter to "4" or greater: ++ ++FAIL_DELAY 4Verify the operating system enforces a delay of at least four seconds between console logon prompts following a failed logon attempt. ++ ++Check the value of the "fail_delay" parameter in the "/etc/login.defs" file with the following command: ++ ++# grep -i fail_delay /etc/login.defs ++FAIL_DELAY 4 ++ ++If the value of "FAIL_DELAY" is not set to "4" or greater, or the line is commented out, this is a finding.SRG-OS-000480-GPOS-00229<GroupDescription></GroupDescription>RHEL-07-010440The Red Hat Enterprise Linux operating system must not allow an unattended or automatic logon to the system via a graphical user interface.<VulnDiscussion>Failure to restrict system access to authenticated users negatively impacts operating system security.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-71953SV-86577CCI-000366Configure the operating system to not allow an unattended or automatic logon to the system via a graphical user interface. ++ ++Note: If the system does not have GNOME installed, this requirement is Not Applicable. ++ ++Add or edit the line for the "AutomaticLoginEnable" parameter in the [daemon] section of the "/etc/gdm/custom.conf" file to "false": ++ ++[daemon] ++AutomaticLoginEnable=falseVerify the operating system does not allow an unattended or automatic logon to the system via a graphical user interface. ++ ++Note: If the system does not have GNOME installed, this requirement is Not Applicable. ++ ++Check for the value of the "AutomaticLoginEnable" in the "/etc/gdm/custom.conf" file with the following command: ++ ++# grep -i automaticloginenable /etc/gdm/custom.conf ++AutomaticLoginEnable=false ++ ++If the value of "AutomaticLoginEnable" is not set to "false", this is a finding.SRG-OS-000480-GPOS-00229<GroupDescription></GroupDescription>RHEL-07-010450The Red Hat Enterprise Linux operating system must not allow an unrestricted logon to the system.<VulnDiscussion>Failure to restrict system access to authenticated users negatively impacts operating system security.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-71955SV-86579CCI-000366Configure the operating system to not allow an unrestricted account to log on to the system via a graphical user interface. ++ ++Note: If the system does not have GNOME installed, this requirement is Not Applicable. ++ ++Add or edit the line for the "TimedLoginEnable" parameter in the [daemon] section of the "/etc/gdm/custom.conf" file to "false": ++ ++[daemon] ++TimedLoginEnable=falseVerify the operating system does not allow an unrestricted logon to the system via a graphical user interface. ++ ++Note: If the system does not have GNOME installed, this requirement is Not Applicable. ++ ++Check for the value of the "TimedLoginEnable" parameter in "/etc/gdm/custom.conf" file with the following command: ++ ++# grep -i timedloginenable /etc/gdm/custom.conf ++TimedLoginEnable=false ++ ++If the value of "TimedLoginEnable" is not set to "false", this is a finding.SRG-OS-000480-GPOS-00229<GroupDescription></GroupDescription>RHEL-07-010460The Red Hat Enterprise Linux operating system must not allow users to override SSH environment variables.<VulnDiscussion>Failure to restrict system access to authenticated users negatively impacts operating system security.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86581V-71957CCI-000366Configure the operating system to not allow users to override environment variables to the SSH daemon. ++ ++Edit the "/etc/ssh/sshd_config" file to uncomment or add the line for "PermitUserEnvironment" keyword and set the value to "no": ++ ++PermitUserEnvironment no ++ ++The SSH service must be restarted for changes to take effect.Verify the operating system does not allow users to override environment variables to the SSH daemon. ++ ++Check for the value of the "PermitUserEnvironment" keyword with the following command: ++ ++# grep -i permituserenvironment /etc/ssh/sshd_config ++PermitUserEnvironment no ++ ++If the "PermitUserEnvironment" keyword is not set to "no", is missing, or is commented out, this is a finding.SRG-OS-000480-GPOS-00229<GroupDescription></GroupDescription>RHEL-07-010470The Red Hat Enterprise Linux operating system must not allow a non-certificate trusted host SSH logon to the system.<VulnDiscussion>Failure to restrict system access to authenticated users negatively impacts operating system security.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86583V-71959CCI-000366Configure the operating system to not allow a non-certificate trusted host SSH logon to the system. ++ ++Edit the "/etc/ssh/sshd_config" file to uncomment or add the line for "HostbasedAuthentication" keyword and set the value to "no": ++ ++HostbasedAuthentication no ++ ++The SSH service must be restarted for changes to take effect.Verify the operating system does not allow a non-certificate trusted host SSH logon to the system. ++ ++Check for the value of the "HostbasedAuthentication" keyword with the following command: ++ ++# grep -i hostbasedauthentication /etc/ssh/sshd_config ++HostbasedAuthentication no ++ ++If the "HostbasedAuthentication" keyword is not set to "no", is missing, or is commented out, this is a finding.SRG-OS-000080-GPOS-00048<GroupDescription></GroupDescription>RHEL-07-010480Red Hat Enterprise Linux operating systems prior to version 7.2 with a Basic Input/Output System (BIOS) must require authentication upon booting into single-user and maintenance modes.<VulnDiscussion>If the system does not require valid root authentication before it boots into single-user or maintenance mode, anyone who invokes single-user or maintenance mode is granted privileged access to all files on the system. GRUB 2 is the default boot loader for RHEL 7 and is designed to require a password to boot into single-user mode or make modifications to the boot menu.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86585V-71961CCI-000213Configure the system to encrypt the boot password for root. ++ ++Generate an encrypted grub2 password for root with the following command: ++ ++Note: The hash generated is an example. ++ ++# grub2-mkpasswd-pbkdf2 ++ ++Enter Password: ++Reenter Password: ++PBKDF2 hash of your password is grub.pbkdf2.sha512.10000.F3A7CFAA5A51EED123BE8238C23B25B2A6909AFC9812F0D45 ++ ++Edit "/etc/grub.d/40_custom" and add the following lines below the comments: ++ ++# vi /etc/grub.d/40_custom ++ ++set superusers="root" ++ ++password_pbkdf2 root {hash from grub2-mkpasswd-pbkdf2 command} ++ ++Generate a new "grub.conf" file with the new password with the following commands: ++ ++# grub2-mkconfig --output=/tmp/grub2.cfg ++# mv /tmp/grub2.cfg /boot/grub2/grub.cfgFor systems that use UEFI, this is Not Applicable. ++For systems that are running RHEL 7.2 or newer, this is Not Applicable. ++ ++Check to see if an encrypted root password is set. On systems that use a BIOS, use the following command: ++ ++# grep -i password_pbkdf2 /boot/grub2/grub.cfg ++ ++password_pbkdf2 [superusers-account] [password-hash] ++ ++If the root password entry does not begin with "password_pbkdf2", this is a finding. ++ ++If the "superusers-account" is not set to "root", this is a finding.SRG-OS-000080-GPOS-00048<GroupDescription></GroupDescription>RHEL-07-010481The Red Hat Enterprise Linux operating system must require authentication upon booting into single-user and maintenance modes.<VulnDiscussion>If the system does not require valid root authentication before it boots into single-user or maintenance mode, anyone who invokes single-user or maintenance mode is granted privileged access to all files on the system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-92519V-77823CCI-000213Configure the operating system to require authentication upon booting into single-user and maintenance modes. ++ ++Add or modify the "ExecStart" line in "/usr/lib/systemd/system/rescue.service" to include "/usr/sbin/sulogin": ++ ++ExecStart=-/bin/sh -c "/usr/sbin/sulogin; /usr/bin/systemctl --fail --no-block default"Verify the operating system must require authentication upon booting into single-user and maintenance modes. ++ ++Check that the operating system requires authentication upon booting into single-user mode with the following command: ++ ++# grep -i execstart /usr/lib/systemd/system/rescue.service | grep -i sulogin ++ ++ExecStart=-/bin/sh -c "/usr/sbin/sulogin; /usr/bin/systemctl --fail --no-block default" ++ ++If "ExecStart" does not have "/usr/sbin/sulogin" as an option, this is a finding.SRG-OS-000080-GPOS-00048<GroupDescription></GroupDescription>RHEL-07-010482Red Hat Enterprise Linux operating systems version 7.2 or newer with a Basic Input/Output System (BIOS) must require authentication upon booting into single-user and maintenance modes.<VulnDiscussion>If the system does not require valid root authentication before it boots into single-user or maintenance mode, anyone who invokes single-user or maintenance mode is granted privileged access to all files on the system. GRUB 2 is the default boot loader for RHEL 7 and is designed to require a password to boot into single-user mode or make modifications to the boot menu.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-81005SV-95717CCI-000213Configure the system to encrypt the boot password for root. ++ ++Generate an encrypted grub2 password for root with the following command: ++ ++Note: The hash generated is an example. ++ ++# grub2-setpassword ++Enter password: ++Confirm password: ++ ++Edit the /boot/grub2/grub.cfg file and add or modify the following lines in the "### BEGIN /etc/grub.d/01_users ###" section: ++ ++set superusers="root" ++export superusersFor systems that use UEFI, this is Not Applicable. ++ ++For systems that are running a version of RHEL prior to 7.2, this is Not Applicable. ++ ++Check to see if an encrypted root password is set. On systems that use a BIOS, use the following command: ++ ++# grep -iw grub2_password /boot/grub2/user.cfg ++GRUB2_PASSWORD=grub.pbkdf2.sha512.[password_hash] ++ ++If the root password does not begin with "grub.pbkdf2.sha512", this is a finding. ++ ++Verify that the "root" account is set as the "superusers": ++ ++# grep -iw "superusers" /boot/grub2/grub.cfg ++ set superusers="root" ++ export superusers ++ ++If "superusers" is not set to "root", this is a finding.SRG-OS-000080-GPOS-00048<GroupDescription></GroupDescription>RHEL-07-010490Red Hat Enterprise Linux operating systems prior to version 7.2 using Unified Extensible Firmware Interface (UEFI) must require authentication upon booting into single-user and maintenance modes.<VulnDiscussion>If the system does not require valid root authentication before it boots into single-user or maintenance mode, anyone who invokes single-user or maintenance mode is granted privileged access to all files on the system. GRUB 2 is the default boot loader for RHEL 7 and is designed to require a password to boot into single-user mode or make modifications to the boot menu.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86587V-71963CCI-000213Configure the system to encrypt the boot password for root. ++ ++Generate an encrypted grub2 password for root with the following command: ++ ++Note: The hash generated is an example. ++ ++# grub2-mkpasswd-pbkdf2 ++ ++Enter Password: ++Reenter Password: ++PBKDF2 hash of your password is grub.pbkdf2.sha512.10000.F3A7CFAA5A51EED123BE8238C23B25B2A6909AFC9812F0D45 ++ ++Edit "/etc/grub.d/40_custom" and add the following lines below the comments: ++ ++# vi /etc/grub.d/40_custom ++ ++set superusers="root" ++ ++password_pbkdf2 root {hash from grub2-mkpasswd-pbkdf2 command} ++ ++Generate a new "grub.conf" file with the new password with the following commands: ++ ++# grub2-mkconfig --output=/tmp/grub2.cfg ++# mv /tmp/grub2.cfg /boot/efi/EFI/redhat/grub.cfgFor systems that use BIOS, this is Not Applicable. ++For systems that are running RHEL 7.2 or newer, this is Not Applicable. ++ ++Check to see if an encrypted root password is set. On systems that use UEFI, use the following command: ++ ++# grep -i password /boot/efi/EFI/redhat/grub.cfg ++ ++password_pbkdf2 [superusers-account] [password-hash] ++ ++If the root password entry does not begin with "password_pbkdf2", this is a finding. ++ ++If the "superusers-account" is not set to "root", this is a finding.SRG-OS-000080-GPOS-00048<GroupDescription></GroupDescription>RHEL-07-010491Red Hat Enterprise Linux operating systems version 7.2 or newer using Unified Extensible Firmware Interface (UEFI) must require authentication upon booting into single-user and maintenance modes.<VulnDiscussion>If the system does not require valid root authentication before it boots into single-user or maintenance mode, anyone who invokes single-user or maintenance mode is granted privileged access to all files on the system. GRUB 2 is the default boot loader for RHEL 7 and is designed to require a password to boot into single-user mode or make modifications to the boot menu.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-95719V-81007CCI-000213Configure the system to encrypt the boot password for root. ++ ++Generate an encrypted grub2 password for root with the following command: ++ ++Note: The hash generated is an example. ++ ++# grub2-setpassword ++Enter password: ++Confirm password: ++ ++Edit the /boot/efi/EFI/redhat/grub.cfg file and add or modify the following lines in the "### BEGIN /etc/grub.d/01_users ###" section: ++ ++set superusers="root" ++export superusersFor systems that use BIOS, this is Not Applicable. ++ ++For systems that are running a version of RHEL prior to 7.2, this is Not Applicable. ++ ++Check to see if an encrypted root password is set. On systems that use UEFI, use the following command: ++ ++# grep -iw grub2_password /boot/efi/EFI/redhat/user.cfg ++GRUB2_PASSWORD=grub.pbkdf2.sha512.[password_hash] ++ ++If the root password does not begin with "grub.pbkdf2.sha512", this is a finding. ++ ++Verify that the "root" account is set as the "superusers": ++ ++# grep -iw "superusers" /boot/efi/EFI/redhat/grub.cfg ++ set superusers="root" ++ export superusers ++ ++If "superusers" is not set to "root", this is a finding.SRG-OS-000104-GPOS-00051<GroupDescription></GroupDescription>RHEL-07-010500The Red Hat Enterprise Linux operating system must uniquely identify and must authenticate organizational users (or processes acting on behalf of organizational users) using multifactor authentication.<VulnDiscussion>To assure accountability and prevent unauthenticated access, organizational users must be identified and authenticated to prevent potential misuse and compromise of the system. ++ ++Organizational users include organizational employees or individuals the organization deems to have equivalent status of employees (e.g., contractors). Organizational users (and processes acting on behalf of users) must be uniquely identified and authenticated to all accesses, except for the following: ++ ++1) Accesses explicitly identified and documented by the organization. Organizations document specific user actions that can be performed on the information system without identification or authentication; ++ ++and ++ ++2) Accesses that occur through authorized use of group authenticators without individual authentication. Organizations may require unique identification of individuals in group accounts (e.g., shared privilege accounts) or for detailed accountability of individual activity. ++ ++Satisfies: SRG-OS-000104-GPOS-00051, SRG-OS-000106-GPOS-00053, SRG-OS-000107-GPOS-00054, SRG-OS-000109-GPOS-00056, SRG-OS-000108-GPOS-00055, SRG-OS-000108-GPOS-00057, SRG-OS-000108-GPOS-00058</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86589V-71965CCI-000766Configure the operating system to require individuals to be authenticated with a multifactor authenticator. ++ ++Enable smartcard logons with the following commands: ++ ++# authconfig --enablesmartcard --smartcardaction=0 --update ++# authconfig --enablerequiresmartcard -update ++ ++Modify the "/etc/pam_pkcs11/pkcs11_eventmgr.conf" file to uncomment the following line: ++ ++#/usr/X11R6/bin/xscreensaver-command -lock ++ ++Modify the "/etc/pam_pkcs11/pam_pkcs11.conf" file to use the cackey module if required.Verify the operating system requires multifactor authentication to uniquely identify organizational users using multifactor authentication. ++ ++Check to see if smartcard authentication is enforced on the system: ++ ++# authconfig --test | grep "pam_pkcs11 is enabled" ++ ++If no results are returned, this is a finding. ++ ++# authconfig --test | grep "smartcard removal action" ++ ++If "smartcard removal action" is blank, this is a finding. ++ ++# authconfig --test | grep "smartcard module" ++ ++If "smartcard module" is blank, this is a finding.SRG-OS-000095-GPOS-00049<GroupDescription></GroupDescription>RHEL-07-020000The Red Hat Enterprise Linux operating system must not have the rsh-server package installed.<VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. ++ ++Operating systems are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions). ++ ++The rsh-server service provides an unencrypted remote access service that does not provide for the confidentiality and integrity of user passwords or the remote session and has very weak authentication. ++ ++If a privileged user were to log on using this service, the privileged user password could be compromised.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86591V-71967CCI-000381Configure the operating system to disable non-essential capabilities by removing the rsh-server package from the system with the following command: ++ ++# yum remove rsh-serverCheck to see if the rsh-server package is installed with the following command: ++ ++# yum list installed rsh-server ++ ++If the rsh-server package is installed, this is a finding.SRG-OS-000095-GPOS-00049<GroupDescription></GroupDescription>RHEL-07-020010The Red Hat Enterprise Linux operating system must not have the ypserv package installed.<VulnDiscussion>Removing the "ypserv" package decreases the risk of the accidental (or intentional) activation of NIS or NIS+ services.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86593V-71969CCI-000381Configure the operating system to disable non-essential capabilities by removing the "ypserv" package from the system with the following command: ++ ++# yum remove ypservThe NIS service provides an unencrypted authentication service that does not provide for the confidentiality and integrity of user passwords or the remote session. ++ ++Check to see if the "ypserve" package is installed with the following command: ++ ++# yum list installed ypserv ++ ++If the "ypserv" package is installed, this is a finding.SRG-OS-000324-GPOS-00125<GroupDescription></GroupDescription>RHEL-07-020020The Red Hat Enterprise Linux operating system must prevent non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures.<VulnDiscussion>Preventing non-privileged users from executing privileged functions mitigates the risk that unauthorized individuals or processes may gain unnecessary access to information or privileges. ++ ++Privileged functions include, for example, establishing accounts, performing system integrity checks, or administering cryptographic key management activities. Non-privileged users are individuals who do not possess appropriate authorizations. Circumventing intrusion detection and prevention mechanisms or malicious code protection mechanisms are examples of privileged functions that require protection from non-privileged users.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86595V-71971CCI-002165CCI-002235Configure the operating system to prevent non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures. ++ ++Use the following command to map a new user to the "sysadm_u" role: ++ ++#semanage login -a -s sysadm_u <username> ++ ++Use the following command to map an existing user to the "sysadm_u" role: ++ ++#semanage login -m -s sysadm_u <username> ++ ++Use the following command to map a new user to the "staff_u" role: ++ ++#semanage login -a -s staff_u <username> ++ ++Use the following command to map an existing user to the "staff_u" role: ++ ++#semanage login -m -s staff_u <username> ++ ++Use the following command to map a new user to the "user_u" role: ++ ++# semanage login -a -s user_u <username> ++ ++Use the following command to map an existing user to the "user_u" role: ++ ++# semanage login -m -s user_u <username>Note: Per OPORD 16-0080, the preferred intrusion detection system is McAfee Host Intrusion Prevention System (HIPS) in conjunction with SELinux. McAfee Endpoint Security for Linux (ENSL) is an approved alternative to McAfee Virus Scan Enterprise (VSE) and HIPS. For RHEL 7 systems, SELinux is an approved alternative to McAfee HIPS. Regardless of whether or not McAfee HIPS or ENSL is installed, SELinux is interoperable with both McAfee products and SELinux is still required. ++ ++Verify the operating system prevents non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures. ++ ++Get a list of authorized users (other than System Administrator and guest accounts) for the system. ++ ++Check the list against the system by using the following command: ++ ++# semanage login -l | more ++ ++Login Name SELinux User MLS/MCS Range Service ++__default__ user_u s0-s0:c0.c1023 * ++root unconfined_u s0-s0:c0.c1023 * ++system_u system_u s0-s0:c0.c1023 * ++joe staff_u s0-s0:c0.c1023 * ++ ++All administrators must be mapped to the "sysadm_u", "staff_u", or an appropriately tailored confined role as defined by the organization. ++ ++All authorized non-administrative users must be mapped to the "user_u" role. ++ ++If they are not mapped in this way, this is a finding.SRG-OS-000363-GPOS-00150<GroupDescription></GroupDescription>RHEL-07-020030The Red Hat Enterprise Linux operating system must be configured so that a file integrity tool verifies the baseline operating system configuration at least weekly.<VulnDiscussion>Unauthorized changes to the baseline configuration could make the system vulnerable to various attacks or allow unauthorized access to the operating system. Changes to operating system configurations can have unintended side effects, some of which may be relevant to security. ++ ++Detecting such changes and providing an automated response can help avoid unintended, negative consequences that could ultimately affect the security state of the operating system. The operating system's Information Management Officer (IMO)/Information System Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or monitoring system trap when there is an unauthorized modification of a configuration item.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86597V-71973CCI-001744Configure the file integrity tool to run automatically on the system at least weekly. The following example output is generic. It will set cron to run AIDE daily, but other file integrity tools may be used: ++ ++# more /etc/cron.daily/aide ++#!/bin/bash ++ ++/usr/sbin/aide --check | /bin/mail -s "$HOSTNAME - Daily aide integrity check run" root@sysname.milVerify the operating system routinely checks the baseline configuration for unauthorized changes. ++ ++Note: A file integrity tool other than Advanced Intrusion Detection Environment (AIDE) may be used, but the tool must be executed at least once per week. ++ ++Check to see if AIDE is installed on the system with the following command: ++ ++# yum list installed aide ++ ++If AIDE is not installed, ask the SA how file integrity checks are performed on the system. ++ ++Check for the presence of a cron job running daily or weekly on the system that executes AIDE daily to scan for changes to the system baseline. The command used in the example will use a daily occurrence. ++ ++Check the cron directories for a script file controlling the execution of the file integrity application. For example, if AIDE is installed on the system, use the following command: ++ ++# ls -al /etc/cron.* | grep aide ++-rwxr-xr-x 1 root root 29 Nov 22 2015 aide ++ ++# grep aide /etc/crontab /var/spool/cron/root ++/etc/crontab: 30 04 * * * root /usr/sbin/aide --check ++/var/spool/cron/root: 30 04 * * * /usr/sbin/aide --check ++ ++If the file integrity application does not exist, or a script file controlling the execution of the file integrity application does not exist, this is a finding.SRG-OS-000363-GPOS-00150<GroupDescription></GroupDescription>RHEL-07-020040The Red Hat Enterprise Linux operating system must be configured so that designated personnel are notified if baseline configurations are changed in an unauthorized manner.<VulnDiscussion>Unauthorized changes to the baseline configuration could make the system vulnerable to various attacks or allow unauthorized access to the operating system. Changes to operating system configurations can have unintended side effects, some of which may be relevant to security. ++ ++Detecting such changes and providing an automated response can help avoid unintended, negative consequences that could ultimately affect the security state of the operating system. The operating system's Information Management Officer (IMO)/Information System Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or monitoring system trap when there is an unauthorized modification of a configuration item.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-71975SV-86599CCI-001744Configure the operating system to notify designated personnel if baseline configurations are changed in an unauthorized manner. The AIDE tool can be configured to email designated personnel with the use of the cron system. ++ ++The following example output is generic. It will set cron to run AIDE daily and to send email at the completion of the analysis. ++ ++# more /etc/cron.daily/aide ++ ++/usr/sbin/aide --check | /bin/mail -s "$HOSTNAME - Daily aide integrity check run" root@sysname.milVerify the operating system notifies designated personnel if baseline configurations are changed in an unauthorized manner. ++ ++Note: A file integrity tool other than Advanced Intrusion Detection Environment (AIDE) may be used, but the tool must be executed and notify specified individuals via email or an alert. ++ ++Check to see if AIDE is installed on the system with the following command: ++ ++# yum list installed aide ++ ++If AIDE is not installed, ask the SA how file integrity checks are performed on the system. ++ ++Check for the presence of a cron job running routinely on the system that executes AIDE to scan for changes to the system baseline. The commands used in the example will use a daily occurrence. ++ ++Check the cron directories for a "crontab" script file controlling the execution of the file integrity application. For example, if AIDE is installed on the system, use the following command: ++ ++# ls -al /etc/cron.* | grep aide ++-rwxr-xr-x 1 root root 32 Jul 1 2011 aide ++ ++# grep aide /etc/crontab /var/spool/cron/root ++/etc/crontab: 30 04 * * * root /usr/sbin/aide --check ++/var/spool/cron/root: 30 04 * * * /usr/sbin/aide --check ++ ++AIDE does not have a configuration that will send a notification, so the cron job uses the mail application on the system to email the results of the file integrity run as in the following example: ++ ++# more /etc/cron.daily/aide ++#!/bin/bash ++ ++/usr/sbin/aide --check | /bin/mail -s "$HOSTNAME - Daily aide integrity check run" root@sysname.mil ++ ++If the file integrity application does not notify designated personnel of changes, this is a finding.SRG-OS-000366-GPOS-00153<GroupDescription></GroupDescription>RHEL-07-020050The Red Hat Enterprise Linux operating system must prevent the installation of software, patches, service packs, device drivers, or operating system components from a repository without verification they have been digitally signed using a certificate that is issued by a Certificate Authority (CA) that is recognized and approved by the organization.<VulnDiscussion>Changes to any software components can have significant effects on the overall security of the operating system. This requirement ensures the software has not been tampered with and that it has been provided by a trusted vendor. ++ ++Accordingly, patches, service packs, device drivers, or operating system components must be signed with a certificate recognized and approved by the organization. ++ ++Verifying the authenticity of the software prior to installation validates the integrity of the patch or upgrade received from a vendor. This verifies the software has not been tampered with and that it has been provided by a trusted vendor. Self-signed certificates are disallowed by this requirement. The operating system should not have to verify the software again. This requirement does not mandate DoD certificates for this purpose; however, the certificate used to verify the software must be from an approved CA.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-71977SV-86601CCI-001749Configure the operating system to verify the signature of packages from a repository prior to install by setting the following option in the "/etc/yum.conf" file: ++ ++gpgcheck=1Verify the operating system prevents the installation of patches, service packs, device drivers, or operating system components from a repository without verification that they have been digitally signed using a certificate that is recognized and approved by the organization. ++ ++Check that yum verifies the signature of packages from a repository prior to install with the following command: ++ ++# grep gpgcheck /etc/yum.conf ++gpgcheck=1 ++ ++If "gpgcheck" is not set to "1", or if options are missing or commented out, ask the System Administrator how the certificates for patches and other operating system components are verified. ++ ++If there is no process to validate certificates that is approved by the organization, this is a finding.SRG-OS-000366-GPOS-00153<GroupDescription></GroupDescription>RHEL-07-020060The Red Hat Enterprise Linux operating system must prevent the installation of software, patches, service packs, device drivers, or operating system components of local packages without verification they have been digitally signed using a certificate that is issued by a Certificate Authority (CA) that is recognized and approved by the organization.<VulnDiscussion>Changes to any software components can have significant effects on the overall security of the operating system. This requirement ensures the software has not been tampered with and that it has been provided by a trusted vendor. ++ ++Accordingly, patches, service packs, device drivers, or operating system components must be signed with a certificate recognized and approved by the organization. ++ ++Verifying the authenticity of the software prior to installation validates the integrity of the patch or upgrade received from a vendor. This verifies the software has not been tampered with and that it has been provided by a trusted vendor. Self-signed certificates are disallowed by this requirement. The operating system should not have to verify the software again. This requirement does not mandate DoD certificates for this purpose; however, the certificate used to verify the software must be from an approved CA.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-71979SV-86603CCI-001749Configure the operating system to verify the signature of local packages prior to install by setting the following option in the "/etc/yum.conf" file: ++ ++localpkg_gpgcheck=1Verify the operating system prevents the installation of patches, service packs, device drivers, or operating system components of local packages without verification that they have been digitally signed using a certificate that is recognized and approved by the organization. ++ ++Check that yum verifies the signature of local packages prior to install with the following command: ++ ++# grep localpkg_gpgcheck /etc/yum.conf ++localpkg_gpgcheck=1 ++ ++If "localpkg_gpgcheck" is not set to "1", or if options are missing or commented out, ask the System Administrator how the signatures of local packages and other operating system components are verified. ++ ++If there is no process to validate the signatures of local packages that is approved by the organization, this is a finding.SRG-OS-000114-GPOS-00059<GroupDescription></GroupDescription>RHEL-07-020100The Red Hat Enterprise Linux operating system must be configured to disable USB mass storage.<VulnDiscussion>USB mass storage permits easy introduction of unknown devices, thereby facilitating malicious activity. ++ ++Satisfies: SRG-OS-000114-GPOS-00059, SRG-OS-000378-GPOS-00163, SRG-OS-000480-GPOS-00227</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-71983SV-86607CCI-000778CCI-000366CCI-001958Configure the operating system to disable the ability to use the USB Storage kernel module. ++ ++Create a file under "/etc/modprobe.d" with the following command: ++ ++# touch /etc/modprobe.d/usb-storage.conf ++ ++Add the following line to the created file: ++ ++install usb-storage /bin/true ++ ++Configure the operating system to disable the ability to use USB mass storage devices. ++ ++# vi /etc/modprobe.d/blacklist.conf ++ ++Add or update the line: ++ ++blacklist usb-storageVerify the operating system disables the ability to load the USB Storage kernel module. ++ ++# grep -r usb-storage /etc/modprobe.d/* | grep -i "/bin/true" | grep -v "^#" ++ ++install usb-storage /bin/true ++ ++If the command does not return any output, or the line is commented out, and use of USB Storage is not documented with the Information System Security Officer (ISSO) as an operational requirement, this is a finding. ++ ++Verify the operating system disables the ability to use USB mass storage devices. ++ ++Check to see if USB mass storage is disabled with the following command: ++ ++# grep usb-storage /etc/modprobe.d/* | grep -i "blacklist" | grep -v "^#" ++blacklist usb-storage ++ ++If the command does not return any output or the output is not "blacklist usb-storage", and use of USB storage devices is not documented with the Information System Security Officer (ISSO) as an operational requirement, this is a finding.SRG-OS-000378-GPOS-00163<GroupDescription></GroupDescription>RHEL-07-020101The Red Hat Enterprise Linux operating system must be configured so that the Datagram Congestion Control Protocol (DCCP) kernel module is disabled unless required.<VulnDiscussion>Disabling DCCP protects the system against exploitation of any flaws in the protocol implementation.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-77821SV-92517CCI-001958Configure the operating system to disable the ability to use the DCCP kernel module. ++ ++Create a file under "/etc/modprobe.d" with the following command: ++ ++# touch /etc/modprobe.d/dccp.conf ++ ++Add the following line to the created file: ++ ++install dccp /bin/true ++ ++Ensure that the DCCP module is blacklisted: ++ ++# vi /etc/modprobe.d/blacklist.conf ++ ++Add or update the line: ++ ++blacklist dccpVerify the operating system disables the ability to load the DCCP kernel module. ++ ++# grep -r dccp /etc/modprobe.d/* | grep -i "/bin/true" | grep -v "^#" ++ ++install dccp /bin/true ++ ++If the command does not return any output, or the line is commented out, and use of DCCP is not documented with the Information System Security Officer (ISSO) as an operational requirement, this is a finding. ++ ++Verify the operating system disables the ability to use the DCCP kernel module. ++ ++Check to see if the DCCP kernel module is disabled with the following command: ++ ++# grep -i dccp /etc/modprobe.d/* | grep -i "blacklist" | grep -v "^#" ++ ++blacklist dccp ++ ++If the command does not return any output or the output is not "blacklist dccp", and use of the dccp kernel module is not documented with the Information System Security Officer (ISSO) as an operational requirement, this is a finding.SRG-OS-000114-GPOS-00059<GroupDescription></GroupDescription>RHEL-07-020110The Red Hat Enterprise Linux operating system must disable the file system automounter unless required.<VulnDiscussion>Automatically mounting file systems permits easy introduction of unknown devices, thereby facilitating malicious activity. ++ ++Satisfies: SRG-OS-000114-GPOS-00059, SRG-OS-000378-GPOS-00163, SRG-OS-000480-GPOS-00227</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-71985SV-86609CCI-000366CCI-000778CCI-001958Configure the operating system to disable the ability to automount devices. ++ ++Turn off the automount service with the following commands: ++ ++# systemctl stop autofs ++# systemctl disable autofs ++ ++If "autofs" is required for Network File System (NFS), it must be documented with the ISSO.Verify the operating system disables the ability to automount devices. ++ ++Check to see if automounter service is active with the following command: ++ ++# systemctl status autofs ++autofs.service - Automounts filesystems on demand ++ Loaded: loaded (/usr/lib/systemd/system/autofs.service; disabled) ++ Active: inactive (dead) ++ ++If the "autofs" status is set to "active" and is not documented with the Information System Security Officer (ISSO) as an operational requirement, this is a finding.SRG-OS-000437-GPOS-00194<GroupDescription></GroupDescription>RHEL-07-020200The Red Hat Enterprise Linux operating system must remove all software components after updated versions have been installed.<VulnDiscussion>Previous versions of software components that are not removed from the information system after updates have been installed may be exploited by adversaries. Some information technology products may remove older versions of software automatically from the information system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-71987SV-86611CCI-002617Configure the operating system to remove all software components after updated versions have been installed. ++ ++Set the "clean_requirements_on_remove" option to "1" in the "/etc/yum.conf" file: ++ ++clean_requirements_on_remove=1Verify the operating system removes all software components after updated versions have been installed. ++ ++Check if yum is configured to remove unneeded packages with the following command: ++ ++# grep -i clean_requirements_on_remove /etc/yum.conf ++clean_requirements_on_remove=1 ++ ++If "clean_requirements_on_remove" is not set to "1", "True", or "yes", or is not set in "/etc/yum.conf", this is a finding.SRG-OS-000445-GPOS-00199<GroupDescription></GroupDescription>RHEL-07-020210The Red Hat Enterprise Linux operating system must enable SELinux.<VulnDiscussion>Without verification of the security functions, security functions may not operate correctly and the failure may go unnoticed. Security function is defined as the hardware, software, and/or firmware of the information system responsible for enforcing the system security policy and supporting the isolation of code and data on which the protection is based. Security functionality includes, but is not limited to, establishing system accounts, configuring access authorizations (i.e., permissions, privileges), setting events to be audited, and setting intrusion detection parameters. ++ ++This requirement applies to operating systems performing security function verification/testing and/or systems and environments that require this functionality.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-71989SV-86613CCI-002696CCI-002165Configure the operating system to verify correct operation of all security functions. ++ ++Set the "SELinux" status and the "Enforcing" mode by modifying the "/etc/selinux/config" file to have the following line: ++ ++SELINUX=enforcing ++ ++A reboot is required for the changes to take effect.Per OPORD 16-0080, the preferred intrusion detection system is McAfee Host Intrusion Prevention System (HIPS) in conjunction with SELinux. McAfee Endpoint Security for Linux (ENSL) is an approved alternative to McAfee Virus Scan Enterprise (VSE) and HIPS. For RHEL 7 systems, SELinux is an approved alternative to McAfee HIPS. Regardless of whether or not McAfee HIPS or ENSL is installed, SELinux is interoperable with both McAfee products and SELinux is still required. ++ ++Verify the operating system verifies correct operation of all security functions. ++ ++Check if "SELinux" is active and in "Enforcing" mode with the following command: ++ ++# getenforce ++Enforcing ++ ++If "SELinux" is not active and not in "Enforcing" mode, this is a finding.SRG-OS-000445-GPOS-00199<GroupDescription></GroupDescription>RHEL-07-020220The Red Hat Enterprise Linux operating system must enable the SELinux targeted policy.<VulnDiscussion>Without verification of the security functions, security functions may not operate correctly and the failure may go unnoticed. Security function is defined as the hardware, software, and/or firmware of the information system responsible for enforcing the system security policy and supporting the isolation of code and data on which the protection is based. Security functionality includes, but is not limited to, establishing system accounts, configuring access authorizations (i.e., permissions, privileges), setting events to be audited, and setting intrusion detection parameters. ++ ++This requirement applies to operating systems performing security function verification/testing and/or systems and environments that require this functionality.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-71991SV-86615CCI-002696CCI-002165Configure the operating system to verify correct operation of all security functions. ++ ++Set the "SELinuxtype" to the "targeted" policy by modifying the "/etc/selinux/config" file to have the following line: ++ ++SELINUXTYPE=targeted ++ ++A reboot is required for the changes to take effect.Per OPORD 16-0080, the preferred intrusion detection system is McAfee Host Intrusion Prevention System (HIPS) in conjunction with SELinux. McAfee Endpoint Security for Linux (ENSL) is an approved alternative to McAfee Virus Scan Enterprise (VSE) and HIPS. For RHEL 7 systems, SELinux is an approved alternative to McAfee HIPS. Regardless of whether or not McAfee HIPS or ENSL is installed, SELinux is interoperable with both McAfee products and SELinux is still required. ++ ++Verify the operating system verifies correct operation of all security functions. ++ ++Check if "SELinux" is active and is enforcing the targeted policy with the following command: ++ ++# sestatus ++ ++SELinux status: enabled ++ ++SELinuxfs mount: /selinux ++ ++SELinux root directory: /etc/selinux ++ ++Loaded policy name: targeted ++ ++Current mode: enforcing ++ ++Mode from config file: enforcing ++ ++Policy MLS status: enabled ++ ++Policy deny_unknown status: allowed ++ ++Max kernel policy version: 28 ++ ++If the "Loaded policy name" is not set to "targeted", this is a finding. ++ ++Verify that the /etc/selinux/config file is configured to the "SELINUXTYPE" to "targeted": ++ ++# grep -i "selinuxtype" /etc/selinux/config | grep -v '^#' ++ ++SELINUXTYPE = targeted ++ ++If no results are returned or "SELINUXTYPE" is not set to "targeted", this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-020230The Red Hat Enterprise Linux operating system must be configured so that the x86 Ctrl-Alt-Delete key sequence is disabled on the command line.<VulnDiscussion>A locally logged-on user who presses Ctrl-Alt-Delete, when at the console, can reboot the system. If accidentally pressed, as could happen in the case of a mixed OS environment, this can create the risk of short-term loss of availability of systems due to unintentional reboot. In the GNOME graphical environment, risk of unintentional reboot from the Ctrl-Alt-Delete sequence is reduced because the user will be prompted before any action is taken.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86617V-71993CCI-000366Configure the system to disable the Ctrl-Alt-Delete sequence for the command line with the following command: ++ ++# systemctl mask ctrl-alt-del.targetVerify the operating system is not configured to reboot the system when Ctrl-Alt-Delete is pressed. ++ ++Check that the ctrl-alt-del.target is masked and not active with the following command: ++ ++# systemctl status ctrl-alt-del.target ++ ++ctrl-alt-del.target ++Loaded: masked (/dev/null; bad) ++Active: inactive (dead) ++ ++If the ctrl-alt-del.target is not masked, this is a finding. ++ ++If the ctrl-alt-del.target is active, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-020231The Red Hat Enterprise Linux operating system must be configured so that the x86 Ctrl-Alt-Delete key sequence is disabled in the Graphical User Interface.<VulnDiscussion>A locally logged-on user who presses Ctrl-Alt-Delete, when at the console, can reboot the system. If accidentally pressed, as could happen in the case of a mixed OS environment, this can create the risk of short-term loss of availability of systems due to unintentional reboot. In the graphical environment, risk of unintentional reboot from the Ctrl-Alt-Delete sequence is reduced because the user will be prompted before any action is taken.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-94843SV-104673CCI-000366Configure the system to disable the Ctrl-Alt-Delete sequence for the graphical user interface with the following command: ++ ++# touch /etc/dconf/db/local.d/00-disable-CAD ++ ++Add the setting to disable the Ctrl-Alt-Delete sequence for the graphical user interface: ++ ++[org/gnome/settings-daemon/plugins/media-keys] ++logout=''Note: If the operating system does not have a graphical user interface installed, this requirement is Not Applicable. ++ ++Verify the operating system is not configured to reboot the system when Ctrl-Alt-Delete is pressed. ++ ++Check that the ctrl-alt-del.target is masked and not active in the graphical user interface with the following command: ++ ++# grep logout /etc/dconf/db/local.d/* ++ ++logout='' ++ ++If "logout" is not set to use two single quotations, or is missing, this is a finding.SRG-OS-000480-GPOS-00228<GroupDescription></GroupDescription>RHEL-07-020240The Red Hat Enterprise Linux operating system must define default permissions for all authenticated users in such a way that the user can only read and modify their own files.<VulnDiscussion>Setting the most restrictive default permissions ensures that when new accounts are created, they do not have unnecessary access.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86619V-71995CCI-000366Configure the operating system to define default permissions for all authenticated users in such a way that the user can only read and modify their own files. ++ ++Add or edit the line for the "UMASK" parameter in "/etc/login.defs" file to "077": ++ ++UMASK 077Verify the operating system defines default permissions for all authenticated users in such a way that the user can only read and modify their own files. ++ ++Check for the value of the "UMASK" parameter in "/etc/login.defs" file with the following command: ++ ++Note: If the value of the "UMASK" parameter is set to "000" in "/etc/login.defs" file, the Severity is raised to a CAT I. ++ ++# grep -i umask /etc/login.defs ++UMASK 077 ++ ++If the value for the "UMASK" parameter is not "077", or the "UMASK" parameter is missing or is commented out, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-020250The Red Hat Enterprise Linux operating system must be a vendor supported release.<VulnDiscussion>An operating system release is considered "supported" if the vendor continues to provide security patches for the product. With an unsupported release, it will not be possible to resolve security issues discovered in the system software. ++ ++Red Hat offers the Extended Update Support (EUS) Add-On to a Red Hat Enterprise Linux subscription, for a fee, for those customers who wish to standardize on a specific minor release for an extended period. RHEL 7.7 marks the final minor release that EUS will be available.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86621V-71997CCI-000366Upgrade to a supported version of the operating system.Verify the version of the operating system is vendor supported. ++ ++Check the version of the operating system with the following command: ++ ++# cat /etc/redhat-release ++ ++Red Hat Enterprise Linux Server release 7.4 (Maipo) ++ ++Current End of Extended Update Support for RHEL 7.6 is 31 October 2020. ++ ++Current End of Extended Update Support for RHEL 7.7 is 31 August 2021. ++ ++Current End of Maintenance Support for RHEL 7.8 is 31 October 2020. ++ ++Current End of Maintenance Support for RHEL 7.9 is 30 April 2021. ++ ++If the release is not supported by the vendor, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-020260The Red Hat Enterprise Linux operating system security patches and updates must be installed and up to date.<VulnDiscussion>Timely patching is critical for maintaining the operational availability, confidentiality, and integrity of information technology (IT) systems. However, failure to keep operating system and application software patched is a common mistake made by IT professionals. New patches are released daily, and it is often difficult for even experienced System Administrators to keep abreast of all the new patches. When new weaknesses in an operating system exist, patches are usually made available by the vendor to resolve the problems. If the most recent security patches and updates are not installed, unauthorized users may take advantage of weaknesses in the unpatched software. The lack of prompt attention to patching could result in a system compromise.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86623V-71999CCI-000366Install the operating system patches or updated packages available from Red Hat within 30 days or sooner as local policy dictates.Verify the operating system security patches and updates are installed and up to date. Updates are required to be applied with a frequency determined by the site or Program Management Office (PMO). ++ ++Obtain the list of available package security updates from Red Hat. The URL for updates is https://rhn.redhat.com/errata/. It is important to note that updates provided by Red Hat may not be present on the system if the underlying packages are not installed. ++ ++Check that the available package security updates have been installed on the system with the following command: ++ ++# yum history list | more ++Loaded plugins: langpacks, product-id, subscription-manager ++ID | Command line | Date and time | Action(s) | Altered ++------------------------------------------------------------------------------- ++ 70 | install aide | 2016-05-05 10:58 | Install | 1 ++ 69 | update -y | 2016-05-04 14:34 | Update | 18 EE ++ 68 | install vlc | 2016-04-21 17:12 | Install | 21 ++ 67 | update -y | 2016-04-21 17:04 | Update | 7 EE ++ 66 | update -y | 2016-04-15 16:47 | E, I, U | 84 EE ++ ++If package updates have not been performed on the system within the timeframe that the site/program documentation requires, this is a finding. ++ ++Typical update frequency may be overridden by Information Assurance Vulnerability Alert (IAVA) notifications from CYBERCOM. ++ ++If the operating system is in non-compliance with the Information Assurance Vulnerability Management (IAVM) process, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-020270The Red Hat Enterprise Linux operating system must not have unnecessary accounts.<VulnDiscussion>Accounts providing no operational purpose provide additional opportunities for system compromise. Unnecessary accounts include user accounts for individuals not requiring access to the system and application accounts for applications not installed on the system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86625V-72001CCI-000366Configure the system so all accounts on the system are assigned to an active system, application, or user account. ++ ++Remove accounts that do not support approved system activities or that allow for a normal user to perform administrative-level actions. ++ ++Document all authorized accounts on the system.Verify all accounts on the system are assigned to an active system, application, or user account. ++ ++Obtain the list of authorized system accounts from the Information System Security Officer (ISSO). ++ ++Check the system accounts on the system with the following command: ++ ++# more /etc/passwd ++root:x:0:0:root:/root:/bin/bash ++bin:x:1:1:bin:/bin:/sbin/nologin ++daemon:x:2:2:daemon:/sbin:/sbin/nologin ++sync:x:5:0:sync:/sbin:/bin/sync ++shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown ++halt:x:7:0:halt:/sbin:/sbin/halt ++games:x:12:100:games:/usr/games:/sbin/nologin ++gopher:x:13:30:gopher:/var/gopher:/sbin/nologin ++ ++Accounts such as "games" and "gopher" are not authorized accounts as they do not support authorized system functions. ++ ++If the accounts on the system do not match the provided documentation, or accounts that do not support an authorized system function are present, this is a finding.SRG-OS-000104-GPOS-00051<GroupDescription></GroupDescription>RHEL-07-020300The Red Hat Enterprise Linux operating system must be configured so that all Group Identifiers (GIDs) referenced in the /etc/passwd file are defined in the /etc/group file.<VulnDiscussion>If a user is assigned the GID of a group not existing on the system, and a group with the GID is subsequently created, the user may have unintended rights to any files associated with the group.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86627V-72003CCI-000764Configure the system to define all GIDs found in the "/etc/passwd" file by modifying the "/etc/group" file to add any non-existent group referenced in the "/etc/passwd" file, or change the GIDs referenced in the "/etc/passwd" file to a group that exists in "/etc/group".Verify all GIDs referenced in the "/etc/passwd" file are defined in the "/etc/group" file. ++ ++Check that all referenced GIDs exist with the following command: ++ ++# pwck -r ++ ++If GIDs referenced in "/etc/passwd" file are returned as not defined in "/etc/group" file, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-020310The Red Hat Enterprise Linux operating system must be configured so that the root account must be the only account having unrestricted access to the system.<VulnDiscussion>If an account other than root also has a User Identifier (UID) of "0", it has root authority, giving that account unrestricted access to the entire operating system. Multiple accounts with a UID of "0" afford an opportunity for potential intruders to guess a password for a privileged account.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86629V-72005CCI-000366Change the UID of any account on the system, other than root, that has a UID of "0". ++ ++If the account is associated with system commands or applications, the UID should be changed to one greater than "0" but less than "1000". Otherwise, assign a UID of greater than "1000" that has not already been assigned.Check the system for duplicate UID "0" assignments with the following command: ++ ++# awk -F: '$3 == 0 {print $1}' /etc/passwd ++ ++If any accounts other than root have a UID of "0", this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-020320The Red Hat Enterprise Linux operating system must be configured so that all files and directories have a valid owner.<VulnDiscussion>Unowned files and directories may be unintentionally inherited if a user is assigned the same User Identifier "UID" as the UID of the un-owned files.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86631V-72007CCI-002165Either remove all files and directories from the system that do not have a valid user, or assign a valid user to all unowned files and directories on the system with the "chown" command: ++ ++# chown <user> <file>Verify all files and directories on the system have a valid owner. ++ ++Check the owner of all files and directories with the following command: ++ ++Note: The value after -fstype must be replaced with the filesystem type. XFS is used as an example. ++ ++# find / -fstype xfs -nouser ++ ++If any files on the system do not have an assigned owner, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-020330The Red Hat Enterprise Linux operating system must be configured so that all files and directories have a valid group owner.<VulnDiscussion>Files without a valid group owner may be unintentionally inherited if a group is assigned the same Group Identifier (GID) as the GID of the files without a valid group owner.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72009SV-86633CCI-002165Either remove all files and directories from the system that do not have a valid group, or assign a valid group to all files and directories on the system with the "chgrp" command: ++ ++# chgrp <group> <file>Verify all files and directories on the system have a valid group. ++ ++Check the owner of all files and directories with the following command: ++ ++Note: The value after -fstype must be replaced with the filesystem type. XFS is used as an example. ++ ++# find / -fstype xfs -nogroup ++ ++If any files on the system do not have an assigned group, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-020610The Red Hat Enterprise Linux operating system must be configured so that all local interactive user accounts, upon creation, are assigned a home directory.<VulnDiscussion>If local interactive users are not assigned a valid home directory, there is no place for the storage and control of files they should own.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72013SV-86637CCI-000366Configure the operating system to assign home directories to all new local interactive users by setting the "CREATE_HOME" parameter in "/etc/login.defs" to "yes" as follows. ++ ++CREATE_HOME yesVerify all local interactive users on the system are assigned a home directory upon creation. ++ ++Check to see if the system is configured to create home directories for local interactive users with the following command: ++ ++# grep -i create_home /etc/login.defs ++CREATE_HOME yes ++ ++If the value for "CREATE_HOME" parameter is not set to "yes", the line is missing, or the line is commented out, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-020620The Red Hat Enterprise Linux operating system must be configured so that all local interactive users have a home directory assigned and defined in the /etc/passwd file.<VulnDiscussion>If local interactive users are not assigned a valid home directory, there is no place for the storage and control of files they should own. ++ ++In addition, if a local interactive user has a home directory defined that does not exist, the user may be given access to the / directory as the current working directory upon logon. This could create a Denial of Service because the user would not be able to access their logon configuration files, and it may give them visibility to system files they normally would not be able to access.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72015SV-86639CCI-000366Create home directories to all local interactive users that currently do not have a home directory assigned. Use the following commands to create the user home directory assigned in "/etc/ passwd": ++ ++Note: The example will be for the user smithj, who has a home directory of "/home/smithj", a UID of "smithj", and a Group Identifier (GID) of "users" assigned in "/etc/passwd". ++ ++# mkdir /home/smithj ++# chown smithj /home/smithj ++# chgrp users /home/smithj ++# chmod 0750 /home/smithjVerify local interactive users on the system have a home directory assigned and the directory exists. ++ ++Check the home directory assignment for all local interactive non-privileged users on the system with the following command: ++ ++# cut -d: -f 1,3,6 /etc/passwd | egrep ":[1-9][0-9]{3}" ++ ++smithj:1001:/home/smithj ++ ++Note: This may miss interactive users that have been assigned a privileged UID. Evidence of interactive use may be obtained from a number of log files containing system logon information. ++ ++Check that all referenced home directories exist with the following command: ++ ++# pwck -r ++user 'smithj': directory '/home/smithj' does not exist ++ ++If any home directories referenced in "/etc/passwd" are returned as not defined, or if any interactive users do not have a home directory assigned, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-020630The Red Hat Enterprise Linux operating system must be configured so that all local interactive user home directories have mode 0750 or less permissive.<VulnDiscussion>Excessive permissions on local interactive user home directories may allow unauthorized access to user files by other users.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72017SV-86641CCI-000366Change the mode of interactive user's home directories to "0750". To change the mode of a local interactive user's home directory, use the following command: ++ ++Note: The example will be for the user "smithj". ++ ++# chmod 0750 /home/smithjVerify the assigned home directory of all local interactive users has a mode of "0750" or less permissive. ++ ++Check the home directory assignment for all non-privileged users on the system with the following command: ++ ++Note: This may miss interactive users that have been assigned a privileged User Identifier (UID). Evidence of interactive use may be obtained from a number of log files containing system logon information. ++ ++# ls -ld $(egrep ':[0-9]{4}' /etc/passwd | cut -d: -f6) ++-rwxr-x--- 1 smithj users 18 Mar 5 17:06 /home/smithj ++ ++If home directories referenced in "/etc/passwd" do not have a mode of "0750" or less permissive, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-020640The Red Hat Enterprise Linux operating system must be configured so that all local interactive user home directories are owned by their respective users.<VulnDiscussion>If a local interactive user does not own their home directory, unauthorized users could access or modify the user's files, and the users may not be able to access their own files.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72019SV-86643CCI-000366Change the owner of a local interactive user's home directories to that owner. To change the owner of a local interactive user's home directory, use the following command: ++ ++Note: The example will be for the user smithj, who has a home directory of "/home/smithj". ++ ++# chown smithj /home/smithjVerify the assigned home directory of all local interactive users on the system exists. ++ ++Check the home directory assignment for all local interactive users on the system with the following command: ++ ++# ls -ld $(egrep ':[0-9]{4}' /etc/passwd | cut -d: -f6) ++ ++-rwxr-x--- 1 smithj users 18 Mar 5 17:06 /home/smithj ++ ++If any home directories referenced in "/etc/passwd" are not owned by the interactive user, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-020650The Red Hat Enterprise Linux operating system must be configured so that all local interactive user home directories are group-owned by the home directory owners primary group.<VulnDiscussion>If the Group Identifier (GID) of a local interactive user's home directory is not the same as the primary GID of the user, this would allow unauthorized access to the user's files, and users that share the same group may not be able to access files that they legitimately should.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86645V-72021CCI-000366Change the group owner of a local interactive user's home directory to the group found in "/etc/passwd". To change the group owner of a local interactive user's home directory, use the following command: ++ ++Note: The example will be for the user "smithj", who has a home directory of "/home/smithj", and has a primary group of users. ++ ++# chgrp users /home/smithjVerify the assigned home directory of all local interactive users is group-owned by that user's primary GID. ++ ++Check the home directory assignment for all local interactive users on the system with the following command: ++ ++# ls -ld $(egrep ':[0-9]{4}' /etc/passwd | cut -d: -f6) ++ ++-rwxr-x--- 1 smithj users 18 Mar 5 17:06 /home/smithj ++ ++Check the user's primary group with the following command: ++ ++# grep users /etc/group ++ ++users:x:250:smithj,jonesj,jacksons ++ ++If the user home directory referenced in "/etc/passwd" is not group-owned by that user's primary GID, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-020660The Red Hat Enterprise Linux operating system must be configured so that all files and directories contained in local interactive user home directories are owned by the owner of the home directory.<VulnDiscussion>If local interactive users do not own the files in their directories, unauthorized users may be able to access them. Additionally, if files are not owned by the user, this could be an indication of system compromise.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86647V-72023CCI-000366Change the owner of a local interactive user's files and directories to that owner. To change the owner of a local interactive user's files and directories, use the following command: ++ ++Note: The example will be for the user smithj, who has a home directory of "/home/smithj". ++ ++# chown smithj /home/smithj/<file or directory>Verify all files and directories in a local interactive user's home directory are owned by the user. ++ ++Check the owner of all files and directories in a local interactive user's home directory with the following command: ++ ++Note: The example will be for the user "smithj", who has a home directory of "/home/smithj". ++ ++# ls -lLR /home/smithj ++-rw-r--r-- 1 smithj smithj 18 Mar 5 17:06 file1 ++-rw-r--r-- 1 smithj smithj 193 Mar 5 17:06 file2 ++-rw-r--r-- 1 smithj smithj 231 Mar 5 17:06 file3 ++ ++If any files are found with an owner different than the home directory user, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-020670The Red Hat Enterprise Linux operating system must be configured so that all files and directories contained in local interactive user home directories are group-owned by a group of which the home directory owner is a member.<VulnDiscussion>If a local interactive user's files are group-owned by a group of which the user is not a member, unintended users may be able to access them.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72025SV-86649CCI-000366Change the group of a local interactive user's files and directories to a group that the interactive user is a member of. To change the group owner of a local interactive user's files and directories, use the following command: ++ ++Note: The example will be for the user smithj, who has a home directory of "/home/smithj" and is a member of the users group. ++ ++# chgrp users /home/smithj/<file>Verify all files and directories in a local interactive user home directory are group-owned by a group the user is a member of. ++ ++Check the group owner of all files and directories in a local interactive user's home directory with the following command: ++ ++Note: The example will be for the user "smithj", who has a home directory of "/home/smithj". ++ ++# ls -lLR /<home directory>/<users home directory>/ ++-rw-r--r-- 1 smithj smithj 18 Mar 5 17:06 file1 ++-rw-r--r-- 1 smithj smithj 193 Mar 5 17:06 file2 ++-rw-r--r-- 1 smithj sa 231 Mar 5 17:06 file3 ++ ++If any files are found with an owner different than the group home directory user, check to see if the user is a member of that group with the following command: ++ ++# grep smithj /etc/group ++sa:x:100:juan,shelley,bob,smithj ++smithj:x:521:smithj ++ ++If the user is not a member of a group that group owns file(s) in a local interactive user's home directory, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-020680The Red Hat Enterprise Linux operating system must be configured so that all files and directories contained in local interactive user home directories have a mode of 0750 or less permissive.<VulnDiscussion>If a local interactive user files have excessive permissions, unintended users may be able to access or modify them.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72027SV-86651CCI-000366Set the mode on files and directories in the local interactive user home directory with the following command: ++ ++Note: The example will be for the user smithj, who has a home directory of "/home/smithj" and is a member of the users group. ++ ++# chmod 0750 /home/smithj/<file>Verify all files and directories contained in a local interactive user home directory, excluding local initialization files, have a mode of "0750". ++ ++Check the mode of all non-initialization files in a local interactive user home directory with the following command: ++ ++Files that begin with a "." are excluded from this requirement. ++ ++Note: The example will be for the user "smithj", who has a home directory of "/home/smithj". ++ ++# ls -lLR /home/smithj ++-rwxr-x--- 1 smithj smithj 18 Mar 5 17:06 file1 ++-rwxr----- 1 smithj smithj 193 Mar 5 17:06 file2 ++-rw-r-x--- 1 smithj smithj 231 Mar 5 17:06 file3 ++ ++If any files are found with a mode more permissive than "0750", this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-020690The Red Hat Enterprise Linux operating system must be configured so that all local initialization files for interactive users are owned by the home directory user or root.<VulnDiscussion>Local initialization files are used to configure the user's shell environment upon logon. Malicious modification of these files could compromise accounts upon logon.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86653V-72029CCI-000366Set the owner of the local initialization files for interactive users to either the directory owner or root with the following command: ++ ++Note: The example will be for the smithj user, who has a home directory of "/home/smithj". ++ ++# chown smithj /home/smithj/.[^.]*Verify the local initialization files of all local interactive users are owned by that user. ++ ++Check the home directory assignment for all non-privileged users on the system with the following command: ++ ++Note: The example will be for the smithj user, who has a home directory of "/home/smithj". ++ ++# cut -d: -f 1,3,6 /etc/passwd | egrep ":[1-4][0-9]{3}" ++smithj:1000:/home/smithj ++ ++Note: This may miss interactive users that have been assigned a privileged User Identifier (UID). Evidence of interactive use may be obtained from a number of log files containing system logon information. ++ ++Check the owner of all local interactive user's initialization files with the following command: ++ ++# ls -al /home/smithj/.[^.]* | more ++ ++-rwxr-xr-x 1 smithj users 896 Mar 10 2011 .profile ++-rwxr-xr-x 1 smithj users 497 Jan 6 2007 .login ++-rwxr-xr-x 1 smithj users 886 Jan 6 2007 .something ++ ++If all local interactive user's initialization files are not owned by that user or root, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-020700The Red Hat Enterprise Linux operating system must be configured so that all local initialization files for local interactive users are be group-owned by the users primary group or root.<VulnDiscussion>Local initialization files for interactive users are used to configure the user's shell environment upon logon. Malicious modification of these files could compromise accounts upon logon.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86655V-72031CCI-000366Change the group owner of a local interactive user's files to the group found in "/etc/passwd" for the user. To change the group owner of a local interactive user's home directory, use the following command: ++ ++Note: The example will be for the user smithj, who has a home directory of "/home/smithj", and has a primary group of users. ++ ++# chgrp users /home/smithj/.[^.]*Verify the local initialization files of all local interactive users are group-owned by that user's primary Group Identifier (GID). ++ ++Check the home directory assignment for all non-privileged users on the system with the following command: ++ ++Note: The example will be for the smithj user, who has a home directory of "/home/smithj" and a primary group of "users". ++ ++# cut -d: -f 1,4,6 /etc/passwd | egrep ":[1-4][0-9]{3}" ++smithj:1000:/home/smithj ++ ++# grep 1000 /etc/group ++users:x:1000:smithj,jonesj,jacksons ++ ++Note: This may miss interactive users that have been assigned a privileged User Identifier (UID). Evidence of interactive use may be obtained from a number of log files containing system logon information. ++ ++Check the group owner of all local interactive user's initialization files with the following command: ++ ++# ls -al /home/smithj/.[^.]* | more ++ ++-rwxr-xr-x 1 smithj users 896 Mar 10 2011 .profile ++-rwxr-xr-x 1 smithj users 497 Jan 6 2007 .login ++-rwxr-xr-x 1 smithj users 886 Jan 6 2007 .something ++ ++If all local interactive user's initialization files are not group-owned by that user's primary GID, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-020710The Red Hat Enterprise Linux operating system must be configured so that all local initialization files have mode 0740 or less permissive.<VulnDiscussion>Local initialization files are used to configure the user's shell environment upon logon. Malicious modification of these files could compromise accounts upon logon.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86657V-72033CCI-000366Set the mode of the local initialization files to "0740" with the following command: ++ ++Note: The example will be for the "smithj" user, who has a home directory of "/home/smithj". ++ ++# chmod 0740 /home/smithj/.[^.]*Verify that all local initialization files have a mode of "0740" or less permissive. ++ ++Check the mode on all local initialization files with the following command: ++ ++Note: The example will be for the "smithj" user, who has a home directory of "/home/smithj". ++ ++# ls -al /home/smithj/.[^.]* | more ++ ++-rwxr----- 1 smithj users 896 Mar 10 2011 .profile ++-rwxr----- 1 smithj users 497 Jan 6 2007 .login ++-rwxr----- 1 smithj users 886 Jan 6 2007 .something ++ ++If any local initialization files have a mode more permissive than "0740", this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-020720The Red Hat Enterprise Linux operating system must be configured so that all local interactive user initialization files executable search paths contain only paths that resolve to the users home directory.<VulnDiscussion>The executable search path (typically the PATH environment variable) contains a list of directories for the shell to search to find executables. If this path includes the current working directory (other than the user's home directory), executables in these directories may be executed instead of system commands. This variable is formatted as a colon-separated list of directories. If there is an empty entry, such as a leading or trailing colon or two consecutive colons, this is interpreted as the current working directory. If deviations from the default system search path for the local interactive user are required, they must be documented with the Information System Security Officer (ISSO).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72035SV-86659CCI-000366Edit the local interactive user initialization files to change any PATH variable statements that reference directories other than their home directory. ++ ++If a local interactive user requires path variables to reference a directory owned by the application, it must be documented with the ISSO.Verify that all local interactive user initialization files' executable search path statements do not contain statements that will reference a working directory other than the users' home directory. ++ ++Check the executable search path statement for all local interactive user initialization files in the users' home directory with the following commands: ++ ++Note: The example will be for the smithj user, which has a home directory of "/home/smithj". ++ ++# grep -i path /home/smithj/.* ++/home/smithj/.bash_profile:PATH=$PATH:$HOME/.local/bin:$HOME/bin ++/home/smithj/.bash_profile:export PATH ++ ++If any local interactive user initialization files have executable search path statements that include directories outside of their home directory, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-020730The Red Hat Enterprise Linux operating system must be configured so that local initialization files do not execute world-writable programs.<VulnDiscussion>If user start-up files execute world-writable programs, especially in unprotected directories, they could be maliciously modified to destroy user files or otherwise compromise the system at the user level. If the system is compromised at the user level, it is easier to elevate privileges to eventually compromise the system at the root and network level.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86661V-72037CCI-000366Set the mode on files being executed by the local initialization files with the following command: ++ ++# chmod 0755 <file>Verify that local initialization files do not execute world-writable programs. ++ ++Check the system for world-writable files with the following command: ++ ++# find / -xdev -perm -002 -type f -exec ls -ld {} \; | more ++ ++For all files listed, check for their presence in the local initialization files with the following commands: ++ ++Note: The example will be for a system that is configured to create users' home directories in the "/home" directory. ++ ++# grep <file> /home/*/.* ++ ++If any local initialization files are found to reference world-writable files, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-020900The Red Hat Enterprise Linux operating system must be configured so that all system device files are correctly labeled to prevent unauthorized modification.<VulnDiscussion>If an unauthorized or modified device is allowed to exist on the system, there is the possibility the system may perform unintended or unauthorized operations.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86663V-72039CCI-000318CCI-001814CCI-001813CCI-000368CCI-001812Run the following command to determine which package owns the device file: ++ ++# rpm -qf <filename> ++ ++The package can be reinstalled from a yum repository using the command: ++ ++# sudo yum reinstall <packagename> ++ ++Alternatively, the package can be reinstalled from trusted media using the command: ++ ++# sudo rpm -Uvh <packagename>Verify that all system device files are correctly labeled to prevent unauthorized modification. ++ ++List all device files on the system that are incorrectly labeled with the following commands: ++ ++Note: Device files are normally found under "/dev", but applications may place device files in other directories and may necessitate a search of the entire system. ++ ++#find /dev -context *:device_t:* \( -type c -o -type b \) -printf "%p %Z\n" ++ ++#find /dev -context *:unlabeled_t:* \( -type c -o -type b \) -printf "%p %Z\n" ++ ++Note: There are device files, such as "/dev/vmci", that are used when the operating system is a host virtual machine. They will not be owned by a user on the system and require the "device_t" label to operate. These device files are not a finding. ++ ++If there is output from either of these commands, other than already noted, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-021000The Red Hat Enterprise Linux operating system must be configured so that file systems containing user home directories are mounted to prevent files with the setuid and setgid bit set from being executed.<VulnDiscussion>The "nosuid" mount option causes the system to not execute setuid and setgid files with owner privileges. This option must be used for mounting any file system not containing approved setuid and setguid files. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86665V-72041CCI-000366Configure the "/etc/fstab" to use the "nosuid" option on file systems that contain user home directories.Verify file systems that contain user home directories are mounted with the "nosuid" option. ++ ++Find the file system(s) that contain the user home directories with the following command: ++ ++Note: If a separate file system has not been created for the user home directories (user home directories are mounted under "/"), this is not a finding as the "nosuid" option cannot be used on the "/" system. ++ ++# cut -d: -f 1,3,6 /etc/passwd | egrep ":[1-4][0-9]{3}" ++smithj:1001:/home/smithj ++thomasr:1002:/home/thomasr ++ ++Check the file systems that are mounted at boot time with the following command: ++ ++# more /etc/fstab ++ ++UUID=a411dc99-f2a1-4c87-9e05-184977be8539 /home ext4 rw,relatime,discard,data=ordered,nosuid 0 2 ++ ++If a file system found in "/etc/fstab" refers to the user home directory file system and it does not have the "nosuid" option set, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-021010The Red Hat Enterprise Linux operating system must prevent files with the setuid and setgid bit set from being executed on file systems that are used with removable media.<VulnDiscussion>The "nosuid" mount option causes the system to not execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting any file system not containing approved "setuid" and "setguid" files. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86667V-72043CCI-000366Configure the "/etc/fstab" to use the "nosuid" option on file systems that are associated with removable media.Verify file systems that are used for removable media are mounted with the "nosuid" option. ++ ++Check the file systems that are mounted at boot time with the following command: ++ ++# more /etc/fstab ++ ++UUID=2bc871e4-e2a3-4f29-9ece-3be60c835222 /mnt/usbflash vfat noauto,owner,ro,nosuid 0 0 ++ ++If a file system found in "/etc/fstab" refers to removable media and it does not have the "nosuid" option set, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-021020The Red Hat Enterprise Linux operating system must prevent files with the setuid and setgid bit set from being executed on file systems that are being imported via Network File System (NFS).<VulnDiscussion>The "nosuid" mount option causes the system to not execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting any file system not containing approved "setuid" and "setguid" files. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86669V-72045CCI-000366Configure the "/etc/fstab" to use the "nosuid" option on file systems that are being imported via NFS.Verify file systems that are being NFS imported are configured with the "nosuid" option. ++ ++Find the file system(s) that contain the directories being exported with the following command: ++ ++# more /etc/fstab | grep nfs ++ ++UUID=e06097bb-cfcd-437b-9e4d-a691f5662a7d /store nfs rw,nosuid 0 0 ++ ++If a file system found in "/etc/fstab" refers to NFS and it does not have the "nosuid" option set, this is a finding. ++ ++Verify the NFS is mounted with the "nosuid" option: ++ ++# mount | grep nfs | grep nosuid ++If no results are returned, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-021021The Red Hat Enterprise Linux operating system must prevent binary files from being executed on file systems that are being imported via Network File System (NFS).<VulnDiscussion>The "noexec" mount option causes the system to not execute binary files. This option must be used for mounting any file system not containing approved binary files as they may be incompatible. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-87813V-73161CCI-000366Configure the "/etc/fstab" to use the "noexec" option on file systems that are being imported via NFS.Verify file systems that are being NFS imported are configured with the "noexec" option. ++ ++Find the file system(s) that contain the directories being imported with the following command: ++ ++# more /etc/fstab | grep nfs ++ ++UUID=e06097bb-cfcd-437b-9e4d-a691f5662a7d /store nfs rw,noexec 0 0 ++ ++If a file system found in "/etc/fstab" refers to NFS and it does not have the "noexec" option set, and use of NFS imported binaries is not documented with the Information System Security Officer (ISSO) as an operational requirement, this is a finding. ++ ++Verify the NFS is mounted with the "noexec"option: ++ ++# mount | grep nfs | grep noexec ++If no results are returned and use of NFS imported binaries is not documented with the Information System Security Officer (ISSO) as an operational requirement, this is a finding.SRG-OS-000368-GPOS-00154<GroupDescription></GroupDescription>RHEL-07-021024The Red Hat Enterprise Linux operating system must mount /dev/shm with secure options.<VulnDiscussion>The "noexec" mount option causes the system to not execute binary files. This option must be used for mounting any file system not containing approved binary files as they may be incompatible. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. ++ ++The "nodev" mount option causes the system to not interpret character or block special devices. Executing character or block special devices from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. ++ ++The "nosuid" mount option causes the system to not execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting any file system not containing approved "setuid" and "setguid" files. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-95725V-81013CCI-001764Configure the system so that /dev/shm is mounted with the "nodev", "nosuid", and "noexec" options by adding /modifying the /etc/fstab with the following line: ++ ++tmpfs /dev/shm tmpfs defaults,nodev,nosuid,noexec 0 0Verify that the "nodev","nosuid", and "noexec" options are configured for /dev/shm: ++ ++# cat /etc/fstab | grep /dev/shm ++ ++tmpfs /dev/shm tmpfs defaults,nodev,nosuid,noexec 0 0 ++ ++If results are returned and the "nodev", "nosuid", or "noexec" options are missing, this is a finding. ++ ++Verify "/dev/shm" is mounted with the "nodev", "nosuid", and "noexec" options: ++ ++# mount | grep /dev/shm ++ ++tmpfs on /dev/shm type tmpfs (rw,nodev,nosuid,noexec,seclabel) ++ ++If /dev/shm is mounted without secure options "nodev", "nosuid", and "noexec", this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-021030The Red Hat Enterprise Linux operating system must be configured so that all world-writable directories are group-owned by root, sys, bin, or an application group.<VulnDiscussion>If a world-writable directory has the sticky bit set and is not group-owned by root, sys, bin, or an application Group Identifier (GID), unauthorized users may be able to modify files created by others. ++ ++The only authorized public directories are those temporary directories supplied with the system or those designed to be temporary file repositories. The setting is normally reserved for directories used by the system and by users for temporary file storage, (e.g., /tmp), and for directories requiring global read/write access.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72047SV-86671CCI-000366All directories in local partitions which are world-writable should be group-owned by root or another system account. If any world-writable directories are not group-owned by a system account, this should be investigated. Following this, the directories should be deleted or assigned to an appropriate group.The following command will discover and print world-writable directories that are not group-owned by a system account, assuming only system accounts have a GID lower than 1000. Run it once for each local partition [PART]: ++ ++# find [PART] -xdev -type d -perm -0002 -gid +999 -print ++ ++If there is output, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-021040The Red Hat Enterprise Linux operating system must set the umask value to 077 for all local interactive user accounts.<VulnDiscussion>The umask controls the default access mode assigned to newly created files. A umask of 077 limits new files to mode 700 or less permissive. Although umask can be represented as a four-digit number, the first digit representing special access modes is typically ignored or required to be "0". This requirement applies to the globally configured system defaults and the local interactive user defaults for each account on the system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72049SV-86673CCI-000318CCI-000368CCI-001813CCI-001812CCI-001814Remove the umask statement from all local interactive user's initialization files. ++ ++If the account is for an application, the requirement for a umask less restrictive than "077" can be documented with the Information System Security Officer, but the user agreement for access to the account must specify that the local interactive user must log on to their account first and then switch the user to the application account with the correct option to gain the account's environment variables.Verify that the default umask for all local interactive users is "077". ++ ++Identify the locations of all local interactive user home directories by looking at the "/etc/passwd" file. ++ ++Check all local interactive user initialization files for interactive users with the following command: ++ ++Note: The example is for a system that is configured to create users home directories in the "/home" directory. ++ ++# grep -i umask /home/*/.* ++ ++If any local interactive user initialization files are found to have a umask statement that has a value less restrictive than "077", this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-021100The Red Hat Enterprise Linux operating system must have cron logging implemented.<VulnDiscussion>Cron logging can be used to trace the successful or unsuccessful execution of cron jobs. It can also be used to spot intrusions into the use of the cron facility by unauthorized and malicious users.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72051SV-86675CCI-000366Configure "rsyslog" to log all cron messages by adding or updating the following line to "/etc/rsyslog.conf" or a configuration file in the /etc/rsyslog.d/ directory: ++ ++cron.* /var/log/cron.logVerify that "rsyslog" is configured to log cron events. ++ ++Check the configuration of "/etc/rsyslog.conf" or "/etc/rsyslog.d/*.conf" files for the cron facility with the following command: ++ ++Note: If another logging package is used, substitute the utility configuration file for "/etc/rsyslog.conf" or "/etc/rsyslog.d/*.conf" files. ++ ++# grep cron /etc/rsyslog.conf /etc/rsyslog.d/*.conf ++cron.* /var/log/cron.log ++ ++If the command does not return a response, check for cron logging all facilities by inspecting the "/etc/rsyslog.conf" or "/etc/rsyslog.d/*.conf" files. ++ ++Look for the following entry: ++ ++*.* /var/log/messages ++ ++If "rsyslog" is not logging messages for the cron facility or all facilities, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-021110The Red Hat Enterprise Linux operating system must be configured so that the cron.allow file, if it exists, is owned by root.<VulnDiscussion>If the owner of the "cron.allow" file is not set to root, the possibility exists for an unauthorized user to view or to edit sensitive information.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72053SV-86677CCI-000366Set the owner on the "/etc/cron.allow" file to root with the following command: ++ ++# chown root /etc/cron.allowVerify that the "cron.allow" file is owned by root. ++ ++Check the owner of the "cron.allow" file with the following command: ++ ++# ls -al /etc/cron.allow ++-rw------- 1 root root 6 Mar 5 2011 /etc/cron.allow ++ ++If the "cron.allow" file exists and has an owner other than root, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-021120The Red Hat Enterprise Linux operating system must be configured so that the cron.allow file, if it exists, is group-owned by root.<VulnDiscussion>If the group owner of the "cron.allow" file is not set to root, sensitive information could be viewed or edited by unauthorized users.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86679V-72055CCI-000366Set the group owner on the "/etc/cron.allow" file to root with the following command: ++ ++# chgrp root /etc/cron.allowVerify that the "cron.allow" file is group-owned by root. ++ ++Check the group owner of the "cron.allow" file with the following command: ++ ++# ls -al /etc/cron.allow ++-rw------- 1 root root 6 Mar 5 2011 /etc/cron.allow ++ ++If the "cron.allow" file exists and has a group owner other than root, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-021300The Red Hat Enterprise Linux operating system must disable Kernel core dumps unless needed.<VulnDiscussion>Kernel core dumps may contain the full contents of system memory at the time of the crash. Kernel core dumps may consume a considerable amount of disk space and may result in denial of service by exhausting the available space on the target file system partition.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86681V-72057CCI-000366If kernel core dumps are not required, disable the "kdump" service with the following command: ++ ++# systemctl disable kdump.service ++ ++If kernel core dumps are required, document the need with the ISSO.Verify that kernel core dumps are disabled unless needed. ++ ++Check the status of the "kdump" service with the following command: ++ ++# systemctl status kdump.service ++kdump.service - Crash recovery kernel arming ++ Loaded: loaded (/usr/lib/systemd/system/kdump.service; enabled) ++ Active: active (exited) since Wed 2015-08-26 13:08:09 EDT; 43min ago ++ Main PID: 1130 (code=exited, status=0/SUCCESS) ++kernel arming. ++ ++If the "kdump" service is active, ask the System Administrator if the use of the service is required and documented with the Information System Security Officer (ISSO). ++ ++If the service is active and is not documented, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-021310The Red Hat Enterprise Linux operating system must be configured so that a separate file system is used for user home directories (such as /home or an equivalent).<VulnDiscussion>The use of separate file systems for different paths can protect the system from failures resulting from a file system becoming full or failing.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72059SV-86683CCI-000366Migrate the "/home" directory onto a separate file system/partition.Verify that a separate file system/partition has been created for non-privileged local interactive user home directories. ++ ++Check the home directory assignment for all non-privileged users (those with a UID greater than 1000) on the system with the following command: ++ ++#cut -d: -f 1,3,6,7 /etc/passwd | egrep ":[1-4][0-9]{3}" | tr ":" "\t" ++ ++adamsj /home/adamsj /bin/bash ++jacksonm /home/jacksonm /bin/bash ++smithj /home/smithj /bin/bash ++ ++The output of the command will give the directory/partition that contains the home directories for the non-privileged users on the system (in this example, /home) and users' shell. All accounts with a valid shell (such as /bin/bash) are considered interactive users. ++ ++Check that a file system/partition has been created for the non-privileged interactive users with the following command: ++ ++Note: The partition of /home is used in the example. ++ ++# grep /home /etc/fstab ++UUID=333ada18 /home ext4 noatime,nobarrier,nodev 1 2 ++ ++If a separate entry for the file system/partition that contains the non-privileged interactive users' home directories does not exist, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-021320The Red Hat Enterprise Linux operating system must use a separate file system for /var.<VulnDiscussion>The use of separate file systems for different paths can protect the system from failures resulting from a file system becoming full or failing.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72061SV-86685CCI-000366Migrate the "/var" path onto a separate file system.Verify that a separate file system/partition has been created for "/var". ++ ++Check that a file system/partition has been created for "/var" with the following command: ++ ++# grep /var /etc/fstab ++UUID=c274f65f /var ext4 noatime,nobarrier 1 2 ++ ++If a separate entry for "/var" is not in use, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-021330The Red Hat Enterprise Linux operating system must use a separate file system for the system audit data path.<VulnDiscussion>The use of separate file systems for different paths can protect the system from failures resulting from a file system becoming full or failing.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86687V-72063CCI-000366Migrate the system audit data path onto a separate file system.Determine if the operating system is configured to have the "/var/log/audit" path is on a separate file system. ++ ++# grep /var/log/audit /etc/fstab ++ ++If no result is returned, or the operating system is not configured to have "/var/log/audit" on a separate file system, this is a finding. ++ ++Verify that "/var/log/audit" is mounted on a separate file system: ++ ++# mount | grep "/var/log/audit" ++ ++If no result is returned, or "/var/log/audit" is not on a separate file system, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-021340The Red Hat Enterprise Linux operating system must use a separate file system for /tmp (or equivalent).<VulnDiscussion>The use of separate file systems for different paths can protect the system from failures resulting from a file system becoming full or failing.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86689V-72065CCI-000366Start the "tmp.mount" service with the following command: ++ ++# systemctl enable tmp.mount ++ ++OR ++ ++Edit the "/etc/fstab" file and ensure the "/tmp" directory is defined in the fstab with a device and mount point.Verify that a separate file system/partition has been created for "/tmp". ++ ++Check that a file system/partition has been created for "/tmp" with the following command: ++ ++# systemctl is-enabled tmp.mount ++enabled ++ ++If the "tmp.mount" service is not enabled, check to see if "/tmp" is defined in the fstab with a device and mount point: ++ ++# grep -i /tmp /etc/fstab ++UUID=a411dc99-f2a1-4c87-9e05-184977be8539 /tmp ext4 rw,relatime,discard,data=ordered,nosuid,noexec, 0 0 ++ ++If "tmp.mount" service is not enabled or the "/tmp" directory is not defined in the fstab with a device and mount point, this is a finding. SRG-OS-000033-GPOS-00014<GroupDescription></GroupDescription>RHEL-07-021350The Red Hat Enterprise Linux operating system must implement NIST FIPS-validated cryptography for the following: to provision digital signatures, to generate cryptographic hashes, and to protect data requiring data-at-rest protections in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards.<VulnDiscussion>Use of weak or untested encryption algorithms undermines the purposes of using encryption to protect data. The operating system must implement cryptographic modules adhering to the higher standards approved by the federal government since this provides assurance they have been tested and validated. ++ ++Satisfies: SRG-OS-000033-GPOS-00014, SRG-OS-000185-GPOS-00079, SRG-OS-000396-GPOS-00176, SRG-OS-000405-GPOS-00184, SRG-OS-000478-GPOS-00223</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86691V-72067CCI-001199CCI-000068CCI-002450CCI-002476Configure the operating system to implement DoD-approved encryption by installing the dracut-fips package. ++ ++To enable strict FIPS compliance, the fips=1 kernel option needs to be added to the kernel command line during system installation so key generation is done with FIPS-approved algorithms and continuous monitoring tests in place. ++ ++Configure the operating system to implement DoD-approved encryption by following the steps below: ++ ++The fips=1 kernel option needs to be added to the kernel command line during system installation so that key generation is done with FIPS-approved algorithms and continuous monitoring tests in place. Users should also ensure that the system has plenty of entropy during the installation process by moving the mouse around, or if no mouse is available, ensuring that many keystrokes are typed. The recommended amount of keystrokes is 256 and more. Less than 256 keystrokes may generate a non-unique key. ++ ++Install the dracut-fips package with the following command: ++ ++# yum install dracut-fips ++ ++Recreate the "initramfs" file with the following command: ++ ++Note: This command will overwrite the existing "initramfs" file. ++ ++# dracut -f ++ ++Modify the kernel command line of the current kernel in the "grub.cfg" file by adding the following option to the GRUB_CMDLINE_LINUX key in the "/etc/default/grub" file and then rebuild the "grub.cfg" file: ++ ++fips=1 ++ ++Changes to "/etc/default/grub" require rebuilding the "grub.cfg" file as follows: ++ ++On BIOS-based machines, use the following command: ++ ++# grub2-mkconfig -o /boot/grub2/grub.cfg ++ ++On UEFI-based machines, use the following command: ++ ++# grub2-mkconfig -o /boot/efi/EFI/redhat/grub.cfg ++ ++If /boot or /boot/efi reside on separate partitions, the kernel parameter boot=<partition of /boot or /boot/efi> must be added to the kernel command line. You can identify a partition by running the df /boot or df /boot/efi command: ++ ++# df /boot ++Filesystem 1K-blocks Used Available Use% Mounted on ++/dev/sda1 495844 53780 416464 12% /boot ++ ++To ensure the "boot=" configuration option will work even if device naming changes occur between boots, identify the universally unique identifier (UUID) of the partition with the following command: ++ ++# blkid /dev/sda1 ++/dev/sda1: UUID="05c000f1-a213-759e-c7a2-f11b7424c797" TYPE="ext4" ++ ++For the example above, append the following string to the kernel command line: ++ ++boot=UUID=05c000f1-a213-759e-c7a2-f11b7424c797 ++ ++If the file /etc/system-fips does not exists, recreate it: ++ ++# touch /etc/ system-fips ++ ++Reboot the system for the changes to take effect.Verify the operating system implements DoD-approved encryption to protect the confidentiality of remote access sessions. ++ ++Check to see if the "dracut-fips" package is installed with the following command: ++ ++# yum list installed dracut-fips ++ ++dracut-fips-033-360.el7_2.x86_64.rpm ++ ++If a "dracut-fips" package is installed, check to see if the kernel command line is configured to use FIPS mode with the following command: ++ ++Note: GRUB 2 reads its configuration from the "/boot/grub2/grub.cfg" file on traditional BIOS-based machines and from the "/boot/efi/EFI/redhat/grub.cfg" file on UEFI machines. ++ ++# grep fips /boot/grub2/grub.cfg ++/vmlinuz-3.8.0-0.40.el7.x86_64 root=/dev/mapper/rhel-root ro rd.md=0 rd.dm=0 rd.lvm.lv=rhel/swap crashkernel=auto rd.luks=0 vconsole.keymap=us rd.lvm.lv=rhel/root rhgb fips=1 quiet ++ ++If the kernel command line is configured to use FIPS mode, check to see if the system is in FIPS mode with the following command: ++ ++# cat /proc/sys/crypto/fips_enabled ++1 ++ ++If a "dracut-fips" package is not installed, the kernel command line does not have a fips entry, or the system has a value of "0" for "fips_enabled" in "/proc/sys/crypto", this is a finding. ++ ++Verify the file /etc/system-fips exists. ++ ++# ls -l /etc/system-fips ++ ++If this file does not exist, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-021600The Red Hat Enterprise Linux operating system must be configured so that the file integrity tool is configured to verify Access Control Lists (ACLs).<VulnDiscussion>ACLs can provide permissions beyond those permitted through the file mode and must be verified by file integrity tools.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86693V-72069CCI-000366Configure the file integrity tool to check file and directory ACLs. ++ ++If AIDE is installed, ensure the "acl" rule is present on all uncommented file and directory selection lists.Verify the file integrity tool is configured to verify ACLs. ++ ++Check to see if Advanced Intrusion Detection Environment (AIDE) is installed on the system with the following command: ++ ++# yum list installed aide ++ ++If AIDE is not installed, ask the System Administrator how file integrity checks are performed on the system. ++ ++If there is no application installed to perform file integrity checks, this is a finding. ++ ++Note: AIDE is highly configurable at install time. These commands assume the "aide.conf" file is under the "/etc" directory. ++ ++Use the following command to determine if the file is in another location: ++ ++# find / -name aide.conf ++ ++Check the "aide.conf" file to determine if the "acl" rule has been added to the rule list being applied to the files and directories selection lists. ++ ++An example rule that includes the "acl" rule is below: ++ ++All= p+i+n+u+g+s+m+S+sha512+acl+xattrs+selinux ++/bin All # apply the custom rule to the files in bin ++/sbin All # apply the same custom rule to the files in sbin ++ ++If the "acl" rule is not being used on all uncommented selection lines in the "/etc/aide.conf" file, or ACLs are not being checked by another file integrity tool, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-021610The Red Hat Enterprise Linux operating system must be configured so that the file integrity tool is configured to verify extended attributes.<VulnDiscussion>Extended attributes in file systems are used to contain arbitrary data and file metadata with security implications.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86695V-72071CCI-000366Configure the file integrity tool to check file and directory extended attributes. ++ ++If AIDE is installed, ensure the "xattrs" rule is present on all uncommented file and directory selection lists.Verify the file integrity tool is configured to verify extended attributes. ++ ++Check to see if Advanced Intrusion Detection Environment (AIDE) is installed on the system with the following command: ++ ++# yum list installed aide ++ ++If AIDE is not installed, ask the System Administrator how file integrity checks are performed on the system. ++ ++If there is no application installed to perform file integrity checks, this is a finding. ++ ++Note: AIDE is highly configurable at install time. These commands assume the "aide.conf" file is under the "/etc" directory. ++ ++Use the following command to determine if the file is in another location: ++ ++# find / -name aide.conf ++ ++Check the "aide.conf" file to determine if the "xattrs" rule has been added to the rule list being applied to the files and directories selection lists. ++ ++An example rule that includes the "xattrs" rule follows: ++ ++All= p+i+n+u+g+s+m+S+sha512+acl+xattrs+selinux ++/bin All # apply the custom rule to the files in bin ++/sbin All # apply the same custom rule to the files in sbin ++ ++If the "xattrs" rule is not being used on all uncommented selection lines in the "/etc/aide.conf" file, or extended attributes are not being checked by another file integrity tool, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-021620The Red Hat Enterprise Linux operating system must use a file integrity tool that is configured to use FIPS 140-2 approved cryptographic hashes for validating file contents and directories.<VulnDiscussion>File integrity tools use cryptographic hashes for verifying file contents and directories have not been altered. These hashes must be FIPS 140-2 approved cryptographic hashes. ++ ++Red Hat Enterprise Linux operating system installation media ships with an optional file integrity tool called Advanced Intrusion Detection Environment (AIDE). AIDE is highly configurable at install time. This requirement assumes the "aide.conf" file is under the "/etc" directory.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86697V-72073CCI-000366Configure the file integrity tool to use FIPS 140-2 cryptographic hashes for validating file and directory contents. ++ ++If AIDE is installed, ensure the "sha512" rule is present on all uncommented file and directory selection lists.Verify the file integrity tool is configured to use FIPS 140-2 approved cryptographic hashes for validating file contents and directories. ++ ++Check to see if AIDE is installed on the system with the following command: ++ ++# yum list installed aide ++ ++If AIDE is not installed, ask the System Administrator how file integrity checks are performed on the system. ++ ++If there is no application installed to perform file integrity checks, this is a finding. ++ ++Note: AIDE is highly configurable at install time. These commands assume the "aide.conf" file is under the "/etc" directory. ++ ++Use the following command to determine if the file is in another location: ++ ++# find / -name aide.conf ++ ++Check the "aide.conf" file to determine if the "sha512" rule has been added to the rule list being applied to the files and directories selection lists. ++ ++An example rule that includes the "sha512" rule follows: ++ ++All=p+i+n+u+g+s+m+S+sha512+acl+xattrs+selinux ++/bin All # apply the custom rule to the files in bin ++/sbin All # apply the same custom rule to the files in sbin ++ ++If the "sha512" rule is not being used on all uncommented selection lines in the "/etc/aide.conf" file, or another file integrity tool is not using FIPS 140-2 approved cryptographic hashes for validating file contents and directories, this is a finding.SRG-OS-000364-GPOS-00151<GroupDescription></GroupDescription>RHEL-07-021700The Red Hat Enterprise Linux operating system must not allow removable media to be used as the boot loader unless approved.<VulnDiscussion>Malicious users with removable boot media can gain access to a system configured to use removable media as the boot loader. If removable media is designed to be used as the boot loader, the requirement must be documented with the Information System Security Officer (ISSO).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86699V-72075CCI-000368CCI-000318CCI-001813CCI-001814CCI-001812Remove alternate methods of booting the system from removable media or document the configuration to boot from removable media with the ISSO.Verify the system is not configured to use a boot loader on removable media. ++ ++Note: GRUB 2 reads its configuration from the "/boot/grub2/grub.cfg" file on traditional BIOS-based machines and from the "/boot/efi/EFI/redhat/grub.cfg" file on UEFI machines. ++ ++Check for the existence of alternate boot loader configuration files with the following command: ++ ++# find / -name grub.cfg ++/boot/grub2/grub.cfg ++ ++If a "grub.cfg" is found in any subdirectories other than "/boot/grub2" and "/boot/efi/EFI/redhat", ask the System Administrator if there is documentation signed by the ISSO to approve the use of removable media as a boot loader. ++ ++Check that the grub configuration file has the set root command in each menu entry with the following commands: ++ ++# grep -c menuentry /boot/grub2/grub.cfg ++1 ++# grep 'set root' /boot/grub2/grub.cfg ++set root=(hd0,1) ++ ++If the system is using an alternate boot loader on removable media, and documentation does not exist approving the alternate configuration, this is a finding.SRG-OS-000095-GPOS-00049<GroupDescription></GroupDescription>RHEL-07-021710The Red Hat Enterprise Linux operating system must not have the telnet-server package installed.<VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. ++ ++Operating systems are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions). ++ ++Examples of non-essential capabilities include, but are not limited to, games, software packages, tools, and demonstration software not related to requirements or providing a wide array of functionality not required for every mission, but which cannot be disabled.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86701V-72077CCI-000381Configure the operating system to disable non-essential capabilities by removing the telnet-server package from the system with the following command: ++ ++# yum remove telnet-serverVerify the operating system is configured to disable non-essential capabilities. The most secure way of ensuring a non-essential capability is disabled is to not have the capability installed. ++ ++The telnet service provides an unencrypted remote access service that does not provide for the confidentiality and integrity of user passwords or the remote session. ++ ++If a privileged user were to log on using this service, the privileged user password could be compromised. ++ ++Check to see if the telnet-server package is installed with the following command: ++ ++# yum list installed telnet-server ++ ++If the telnet-server package is installed, this is a finding.SRG-OS-000038-GPOS-00016<GroupDescription></GroupDescription>RHEL-07-030000The Red Hat Enterprise Linux operating system must be configured so that auditing is configured to produce records containing information to establish what type of events occurred, where the events occurred, the source of the events, and the outcome of the events. These audit records must also identify individual identities of group account users.<VulnDiscussion>Without establishing what type of events occurred, it would be difficult to establish, correlate, and investigate the events leading up to an outage or attack. ++ ++Audit record content that may be necessary to satisfy this requirement includes, for example, time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, filenames involved, and access control or flow control rules invoked. ++ ++Associating event types with detected events in the operating system audit logs provides a means of investigating an attack; recognizing resource utilization or capacity thresholds; or identifying an improperly configured operating system. ++ ++Satisfies: SRG-OS-000038-GPOS-00016, SRG-OS-000039-GPOS-00017, SRG-OS-000042-GPOS-00021, SRG-OS-000254-GPOS-00095, SRG-OS-000255-GPOS-00096</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86703V-72079CCI-000131CCI-000126Configure the operating system to produce audit records containing information to establish when (date and time) the events occurred. ++ ++Enable the auditd service with the following command: ++ ++# systemctl start auditd.serviceVerify the operating system produces audit records containing information to establish when (date and time) the events occurred. ++ ++Check to see if auditing is active by issuing the following command: ++ ++# systemctl is-active auditd.service ++active ++ ++If the "auditd" status is not active, this is a finding.SRG-OS-000046-GPOS-00022<GroupDescription></GroupDescription>RHEL-07-030010The Red Hat Enterprise Linux operating system must shut down upon audit processing failure, unless availability is an overriding concern. If availability is a concern, the system must alert the designated staff (System Administrator [SA] and Information System Security Officer [ISSO] at a minimum) in the event of an audit processing failure.<VulnDiscussion>It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Without this notification, the security personnel may be unaware of an impending failure of the audit capability, and system operation may be adversely affected. ++ ++Audit processing failures include software/hardware errors, failures in the audit capturing mechanisms, and audit storage capacity being reached or exceeded. ++ ++This requirement applies to each audit data storage repository (i.e., distinct information system component where audit records are stored), the centralized audit storage capacity of organizations (i.e., all audit data storage repositories combined), or both. ++ ++Satisfies: SRG-OS-000046-GPOS-00022, SRG-OS-000047-GPOS-00023</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86705V-72081CCI-000139Configure the operating system to shut down in the event of an audit processing failure. ++ ++Add or correct the option to shut down the operating system with the following command: ++ ++# auditctl -f 2 ++ ++Edit the "/etc/audit/rules.d/audit.rules" file and add the following line: ++ ++-f 2 ++ ++If availability has been determined to be more important, and this decision is documented with the ISSO, configure the operating system to notify system administration staff and ISSO staff in the event of an audit processing failure with the following command: ++ ++# auditctl -f 1 ++ ++Edit the "/etc/audit/rules.d/audit.rules" file and add the following line: ++ ++-f 1 ++ ++Kernel log monitoring must also be configured to properly alert designated staff. ++ ++The audit daemon must be restarted for the changes to take effect.Confirm the audit configuration regarding how auditing processing failures are handled. ++ ++Check to see what level "auditctl" is set to with following command: ++ ++# auditctl -s | grep -i "fail" ++ ++failure 2 ++ ++Note: If the value of "failure" is set to "2", the system is configured to panic (shut down) in the event of an auditing failure. If the value of "failure" is set to "1", the system is configured to only send information to the kernel log regarding the failure. ++ ++If the "failure" setting is set to any value other than "1" or "2", this is a finding. ++ ++If the "failure" setting is not set, this should be upgraded to a CAT I finding. ++ ++If the "failure" setting is set to "1" but the availability concern is not documented or there is no monitoring of the kernel log, this should be downgraded to a CAT III finding.SRG-OS-000342-GPOS-00133<GroupDescription></GroupDescription>RHEL-07-030201The Red Hat Enterprise Linux operating system must be configured to off-load audit logs onto a different system or storage media from the system being audited.<VulnDiscussion>Information stored in one location is vulnerable to accidental or incidental deletion or alteration. ++ ++Off-loading is a common process in information systems with limited audit storage capacity. ++ ++One method of off-loading audit logs in Red Hat Enterprise Linux is with the use of the audisp-remote dameon. Without the configuration of the "au-remote" plugin, the audisp-remote daemon will not off load the logs from the system being audited. ++ ++Satisfies: SRG-OS-000342-GPOS-00133, SRG-OS-000479-GPOS-00224</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-95729V-81017CCI-001851Edit the /etc/audisp/plugins.d/au-remote.conf file and add or update the following values: ++ ++direction = out ++path = /sbin/audisp-remote ++type = always ++ ++The audit daemon must be restarted for changes to take effect: ++ ++# service auditd restartVerify the "au-remote" plugin is configured to always off-load audit logs using the audisp-remote daemon: ++ ++# cat /etc/audisp/plugins.d/au-remote.conf | grep -v "^#" ++ ++active = yes ++direction = out ++path = /sbin/audisp-remote ++type = always ++format = string ++ ++If "active" is not set to "yes", "direction" is not set to "out", "path" is not set to "/sbin/audisp-remote", "type" is not set to "always", or any of the lines are commented out, ask the System Administrator to indicate how the audit logs are off-loaded to a different system or storage media. ++ ++If there is no evidence that the system is configured to off-load audit logs to a different system or storage media, this is a finding.SRG-OS-000342-GPOS-00133<GroupDescription></GroupDescription>RHEL-07-030210The Red Hat Enterprise Linux operating system must take appropriate action when the remote logging buffer is full.<VulnDiscussion>Information stored in one location is vulnerable to accidental or incidental deletion or alteration. ++ ++Off-loading is a common process in information systems with limited audit storage capacity. ++ ++One method of off-loading audit logs in Red Hat Enterprise Linux is with the use of the audisp-remote dameon. When the remote buffer is full, audit logs will not be collected and sent to the central log server. ++ ++Satisfies: SRG-OS-000342-GPOS-00133, SRG-OS-000479-GPOS-00224</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-81019SV-95731CCI-001851Edit the /etc/audisp/audispd.conf file and add or update the "overflow_action" option: ++ ++overflow_action = syslog ++ ++The audit daemon must be restarted for changes to take effect: ++ ++# service auditd restartVerify the audisp daemon is configured to take an appropriate action when the internal queue is full: ++ ++# grep "overflow_action" /etc/audisp/audispd.conf ++ ++overflow_action = syslog ++ ++If the "overflow_action" option is not "syslog", "single", or "halt", or the line is commented out, ask the System Administrator to indicate how the audit logs are off-loaded to a different system or storage media, and to indicate what action that system takes when the internal queue is full. ++ ++If there is no evidence the system is configured to off-load audit logs to a different system or storage media or, if the configuration does not take appropriate action when the internal queue is full, this is a finding.SRG-OS-000342-GPOS-00133<GroupDescription></GroupDescription>RHEL-07-030211The Red Hat Enterprise Linux operating system must label all off-loaded audit logs before sending them to the central log server.<VulnDiscussion>Information stored in one location is vulnerable to accidental or incidental deletion or alteration. ++ ++Off-loading is a common process in information systems with limited audit storage capacity. ++ ++One method of off-loading audit logs in Red Hat Enterprise Linux is with the use of the audisp-remote dameon. When audit logs are not labeled before they are sent to a central log server, the audit data will not be able to be analyzed and tied back to the correct system. ++ ++Satisfies: SRG-OS-000342-GPOS-00133, SRG-OS-000479-GPOS-00224</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-95733V-81021CCI-001851Edit the /etc/audisp/audispd.conf file and add or update the "name_format" option: ++ ++name_format = hostname ++ ++The audit daemon must be restarted for changes to take effect: ++ ++# service auditd restartVerify the audisp daemon is configured to label all off-loaded audit logs: ++ ++# grep "name_format" /etc/audisp/audispd.conf ++ ++name_format = hostname ++ ++If the "name_format" option is not "hostname", "fqd", or "numeric", or the line is commented out, ask the System Administrator to indicate how the audit logs are off-loaded to a different system or storage media, and to indicate if the logs are labeled appropriately. ++ ++If there is no evidence that the system is configured to off-load audit logs to a different system or storage media, or if the configuration does not appropriately label logs before they are off-loaded, this is a finding.SRG-OS-000342-GPOS-00133<GroupDescription></GroupDescription>RHEL-07-030300The Red Hat Enterprise Linux operating system must off-load audit records onto a different system or media from the system being audited.<VulnDiscussion>Information stored in one location is vulnerable to accidental or incidental deletion or alteration. ++ ++Off-loading is a common process in information systems with limited audit storage capacity. ++ ++Satisfies: SRG-OS-000342-GPOS-00133, SRG-OS-000479-GPOS-00224</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72083SV-86707CCI-001851Configure the operating system to off-load audit records onto a different system or media from the system being audited. ++ ++Set the remote server option in "/etc/audisp/audisp-remote.conf" with the IP address of the log aggregation server.Verify the operating system off-loads audit records onto a different system or media from the system being audited. ++ ++To determine the remote server that the records are being sent to, use the following command: ++ ++# grep -i remote_server /etc/audisp/audisp-remote.conf ++remote_server = 10.0.21.1 ++ ++If a remote server is not configured, or the line is commented out, ask the System Administrator to indicate how the audit logs are off-loaded to a different system or media. ++ ++If there is no evidence that the audit logs are being off-loaded to another system or media, this is a finding.SRG-OS-000342-GPOS-00133<GroupDescription></GroupDescription>RHEL-07-030310The Red Hat Enterprise Linux operating system must encrypt the transfer of audit records off-loaded onto a different system or media from the system being audited.<VulnDiscussion>Information stored in one location is vulnerable to accidental or incidental deletion or alteration. ++ ++Off-loading is a common process in information systems with limited audit storage capacity. ++ ++Satisfies: SRG-OS-000342-GPOS-00133, SRG-OS-000479-GPOS-00224</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72085SV-86709CCI-001851Configure the operating system to encrypt the transfer of off-loaded audit records onto a different system or media from the system being audited. ++ ++Uncomment the "enable_krb5" option in "/etc/audisp/audisp-remote.conf" and set it with the following line: ++ ++enable_krb5 = yesVerify the operating system encrypts audit records off-loaded onto a different system or media from the system being audited. ++ ++To determine if the transfer is encrypted, use the following command: ++ ++# grep -i enable_krb5 /etc/audisp/audisp-remote.conf ++enable_krb5 = yes ++ ++If the value of the "enable_krb5" option is not set to "yes" or the line is commented out, ask the System Administrator to indicate how the audit logs are off-loaded to a different system or media. ++ ++If there is no evidence that the transfer of the audit logs being off-loaded to another system or media is encrypted, this is a finding.SRG-OS-000342-GPOS-00133<GroupDescription></GroupDescription>RHEL-07-030320The Red Hat Enterprise Linux operating system must be configured so that the audit system takes appropriate action when the audit storage volume is full.<VulnDiscussion>Taking appropriate action in case of a filled audit storage volume will minimize the possibility of losing audit records. ++One method of off-loading audit logs in Red Hat Enterprise Linux is with the use of the audisp-remote dameon.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72087SV-86711CCI-001851Configure the action the operating system takes if the disk the audit records are written to becomes full. ++ ++Uncomment or edit the "disk_full_action" option in "/etc/audisp/audisp-remote.conf" and set it to "syslog", "single", or "halt", such as the following line: ++ ++disk_full_action = singleVerify the action the operating system takes if the disk the audit records are written to becomes full. ++ ++To determine the action that takes place if the disk is full on the remote server, use the following command: ++ ++# grep -i disk_full_action /etc/audisp/audisp-remote.conf ++disk_full_action = single ++ ++If the value of the "disk_full_action" option is not "syslog", "single", or "halt", or the line is commented out, ask the System Administrator to indicate how the audit logs are off-loaded to a different system or storage media, and to indicate the action taken when the disk is full on the remote server. ++ ++If there is no evidence that the system is configured to off-load audit logs to a different system or storage media, or if the configuration does not take appropriate action when the disk is full on the remote server, this is a finding.SRG-OS-000342-GPOS-00133<GroupDescription></GroupDescription>RHEL-07-030321The Red Hat Enterprise Linux operating system must be configured so that the audit system takes appropriate action when there is an error sending audit records to a remote system.<VulnDiscussion>Taking appropriate action when there is an error sending audit records to a remote system will minimize the possibility of losing audit records. ++One method of off-loading audit logs in Red Hat Enterprise Linux is with the use of the audisp-remote dameon.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-73163SV-87815CCI-001851Configure the action the operating system takes if there is an error sending audit records to a remote system. ++ ++Uncomment the "network_failure_action" option in "/etc/audisp/audisp-remote.conf" and set it to "syslog", "single", or "halt". ++ ++network_failure_action = syslogVerify the action the operating system takes if there is an error sending audit records to a remote system. ++ ++Check the action that takes place if there is an error sending audit records to a remote system with the following command: ++ ++# grep -i network_failure_action /etc/audisp/audisp-remote.conf ++network_failure_action = syslog ++ ++If the value of the "network_failure_action" option is not "syslog", "single", or "halt", or the line is commented out, ask the System Administrator to indicate how the audit logs are off-loaded to a different system or storage media, and to indicate the action taken if there is an error sending audit records to the remote system. ++ ++If there is no evidence that the system is configured to off-load audit logs to a different system or storage media, or if the configuration does not take appropriate action if there is an error sending audit records to the remote system, this is a finding.SRG-OS-000343-GPOS-00134<GroupDescription></GroupDescription>RHEL-07-030330The Red Hat Enterprise Linux operating system must initiate an action to notify the System Administrator (SA) and Information System Security Officer ISSO, at a minimum, when allocated audit record storage volume reaches 75% of the repository maximum audit record storage capacity.<VulnDiscussion>If security personnel are not notified immediately when storage volume reaches 75 percent utilization, they are unable to plan for audit record storage capacity expansion.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72089SV-86713CCI-001855Configure the operating system to initiate an action to notify the SA and ISSO (at a minimum) when allocated audit record storage volume reaches 75 percent of the repository maximum audit record storage capacity. ++ ++Check the system configuration to determine the partition the audit records are being written to: ++ ++# grep -iw log_file /etc/audit/auditd.conf ++ ++Determine the size of the partition that audit records are written to (with the example being "/var/log/audit/"): ++ ++# df -h /var/log/audit/ ++ ++Set the value of the "space_left" keyword in "/etc/audit/auditd.conf" to 25 percent of the partition size.Verify the operating system initiates an action to notify the SA and ISSO (at a minimum) when allocated audit record storage volume reaches 75 percent of the repository maximum audit record storage capacity. ++ ++Check the system configuration to determine the partition the audit records are being written to with the following command: ++ ++# grep -iw log_file /etc/audit/auditd.conf ++log_file = /var/log/audit/audit.log ++ ++Check the size of the partition that audit records are written to (with the example being "/var/log/audit/"): ++ ++# df -h /var/log/audit/ ++0.9G /var/log/audit ++ ++If the audit records are not being written to a partition specifically created for audit records (in this example "/var/log/audit" is a separate partition), determine the amount of space other files in the partition are currently occupying with the following command: ++ ++# du -sh <partition> ++1.8G /var ++ ++Determine what the threshold is for the system to take action when 75 percent of the repository maximum audit record storage capacity is reached: ++ ++# grep -iw space_left /etc/audit/auditd.conf ++space_left = 225 ++ ++If the value of the "space_left" keyword is not set to 25 percent of the total partition size, this is a finding.SRG-OS-000343-GPOS-00134<GroupDescription></GroupDescription>RHEL-07-030340The Red Hat Enterprise Linux operating system must immediately notify the System Administrator (SA) and Information System Security Officer (ISSO) (at a minimum) via email when the threshold for the repository maximum audit record storage capacity is reached.<VulnDiscussion>If security personnel are not notified immediately when the threshold for the repository maximum audit record storage capacity is reached, they are unable to expand the audit record storage capacity before records are lost.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72091SV-86715CCI-001855Configure the operating system to immediately notify the SA and ISSO (at a minimum) when the threshold for the repository maximum audit record storage capacity is reached. ++ ++Uncomment or edit the "space_left_action" keyword in "/etc/audit/auditd.conf" and set it to "email". ++ ++space_left_action = emailVerify the operating system immediately notifies the SA and ISSO (at a minimum) via email when the allocated audit record storage volume reaches 75 percent of the repository maximum audit record storage capacity. ++ ++Check what action the operating system takes when the threshold for the repository maximum audit record storage capacity is reached with the following command: ++ ++# grep -i space_left_action /etc/audit/auditd.conf ++space_left_action = email ++ ++If the value of the "space_left_action" keyword is not set to "email", this is a finding.SRG-OS-000343-GPOS-00134<GroupDescription></GroupDescription>RHEL-07-030350The Red Hat Enterprise Linux operating system must immediately notify the System Administrator (SA) and Information System Security Officer (ISSO) (at a minimum) when the threshold for the repository maximum audit record storage capacity is reached.<VulnDiscussion>If security personnel are not notified immediately when the threshold for the repository maximum audit record storage capacity is reached, they are unable to expand the audit record storage capacity before records are lost.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72093SV-86717CCI-001855Configure the operating system to immediately notify the SA and ISSO (at a minimum) when the threshold for the repository maximum audit record storage capacity is reached. ++ ++Uncomment or edit the "action_mail_acct" keyword in "/etc/audit/auditd.conf" and set it to root and any other accounts associated with security personnel. ++ ++action_mail_acct = rootVerify the operating system immediately notifies the SA and ISSO (at a minimum) via email when the threshold for the repository maximum audit record storage capacity is reached. ++ ++Check what account the operating system emails when the threshold for the repository maximum audit record storage capacity is reached with the following command: ++ ++# grep -i action_mail_acct /etc/audit/auditd.conf ++action_mail_acct = root ++ ++If the value of the "action_mail_acct" keyword is not set to "root" and other accounts for security personnel, this is a finding.SRG-OS-000327-GPOS-00127<GroupDescription></GroupDescription>RHEL-07-030360The Red Hat Enterprise Linux operating system must audit all executions of privileged functions.<VulnDiscussion>Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised information system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider threats and the advanced persistent threat.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72095SV-86719CCI-002234Configure the operating system to audit the execution of privileged functions. ++ ++Add or update the following rules in "/etc/audit/rules.d/audit.rules": ++ ++-a always,exit -F arch=b32 -S execve -C uid!=euid -F euid=0 -k setuid ++-a always,exit -F arch=b64 -S execve -C uid!=euid -F euid=0 -k setuid ++-a always,exit -F arch=b32 -S execve -C gid!=egid -F egid=0 -k setgid ++-a always,exit -F arch=b64 -S execve -C gid!=egid -F egid=0 -k setgid ++ ++The audit daemon must be restarted for the changes to take effect.Verify the operating system audits the execution of privileged functions using the following command: ++ ++# grep -iw execve /etc/audit/audit.rules ++ ++-a always,exit -F arch=b32 -S execve -C uid!=euid -F euid=0 -k setuid ++-a always,exit -F arch=b64 -S execve -C uid!=euid -F euid=0 -k setuid ++-a always,exit -F arch=b32 -S execve -C gid!=egid -F egid=0 -k setgid ++-a always,exit -F arch=b64 -S execve -C gid!=egid -F egid=0 -k setgid ++ ++ ++If both the "b32" and "b64" audit rules for "SUID" files are not defined, this is a finding. ++ ++If both the "b32" and "b64" audit rules for "SGID" files are not defined, this is a finding.SRG-OS-000064-GPOS-00033<GroupDescription></GroupDescription>RHEL-07-030370The Red Hat Enterprise Linux operating system must audit all uses of the chown syscall.<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. ++ ++Audit records can be generated from various components within the information system (e.g., module or policy filter). ++ ++When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way. ++ ++Satisfies: SRG-OS-000064-GPOS-00033, SRG-OS-000392-GPOS-00172, SRG-OS-000458-GPOS-00203, SRG-OS-000474-GPOS-00219</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72097SV-86721CCI-000172CCI-000126Add or update the following rule in "/etc/audit/rules.d/audit.rules": ++ ++-a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=unset -k perm_mod ++ ++-a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=unset -k perm_mod ++ ++The audit daemon must be restarted for the changes to take effect.Verify the operating system generates audit records when successful/unsuccessful attempts to use the "chown" syscall occur. ++ ++Check the file system rules in "/etc/audit/audit.rules" with the following commands: ++ ++# grep -iw chown /etc/audit/audit.rules ++ ++-a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=unset -k perm_mod ++ ++-a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=unset -k perm_mod ++ ++If both the "b32" and "b64" audit rules are not defined for the "chown" syscall, this is a finding.SRG-OS-000064-GPOS-00033<GroupDescription></GroupDescription>RHEL-07-030380The Red Hat Enterprise Linux operating system must audit all uses of the fchown syscall.<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. ++ ++Audit records can be generated from various components within the information system (e.g., module or policy filter). ++ ++When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way. ++ ++Satisfies: SRG-OS-000064-GPOS-00033, SRG-OS-000392-GPOS-00172, SRG-OS-000458-GPOS-00203, SRG-OS-000474-GPOS-00219</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72099SV-86723CCI-000126CCI-000172Add or update the following rules in "/etc/audit/rules.d/audit.rules": ++ ++-a always,exit -F arch=b32 -S fchown -F auid>=1000 -F auid!=unset -k perm_mod ++ ++-a always,exit -F arch=b64 -S fchown -F auid>=1000 -F auid!=unset -k perm_mod ++ ++The audit daemon must be restarted for the changes to take effect.Verify the operating system generates audit records when successful/unsuccessful attempts to use the "fchown" syscall occur. ++ ++Check the file system rules in "/etc/audit/audit.rules" with the following commands: ++ ++# grep -iw fchown /etc/audit/audit.rules ++ ++-a always,exit -F arch=b32 -S fchown -F auid>=1000 -F auid!=unset -k perm_mod ++ ++-a always,exit -F arch=b64 -S fchown -F auid>=1000 -F auid!=unset -k perm_mod ++ ++If both the "b32" and "b64" audit rules are not defined for the "fchown" syscall, this is a finding.SRG-OS-000064-GPOS-00033<GroupDescription></GroupDescription>RHEL-07-030390The Red Hat Enterprise Linux operating system must audit all uses of the lchown syscall.<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. ++ ++Audit records can be generated from various components within the information system (e.g., module or policy filter). ++ ++When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way. ++ ++Satisfies: SRG-OS-000064-GPOS-00033, SRG-OS-000392-GPOS-00172, SRG-OS-000458-GPOS-00203, SRG-OS-000474-GPOS-00219</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72101SV-86725CCI-000172CCI-000126Add or update the following rules in "/etc/audit/rules.d/audit.rules": ++ ++-a always,exit -F arch=b32 -S lchown -F auid>=1000 -F auid!=unset -k perm_mod ++ ++-a always,exit -F arch=b64 -S lchown -F auid>=1000 -F auid!=unset -k perm_mod ++ ++The audit daemon must be restarted for the changes to take effect.Verify the operating system generates audit records when successful/unsuccessful attempts to use the "lchown" syscall occur. ++ ++Check the file system rules in "/etc/audit/audit.rules" with the following commands: ++ ++# grep -iw lchown /etc/audit/audit.rules ++ ++-a always,exit -F arch=b32 -S lchown -F auid>=1000 -F auid!=unset -k perm_mod ++ ++-a always,exit -F arch=b64 -S lchown -F auid>=1000 -F auid!=unset -k perm_mod ++ ++If both the "b32" and "b64" audit rules are not defined for the "lchown" syscall, this is a finding.SRG-OS-000064-GPOS-00033<GroupDescription></GroupDescription>RHEL-07-030400The Red Hat Enterprise Linux operating system must audit all uses of the fchownat syscall.<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. ++ ++Audit records can be generated from various components within the information system (e.g., module or policy filter). ++ ++When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way. ++ ++Satisfies: SRG-OS-000064-GPOS-00033, SRG-OS-000392-GPOS-00172, SRG-OS-000458-GPOS-00203, SRG-OS-000474-GPOS-00219</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72103SV-86727CCI-000126CCI-000172Add or update the following rules in "/etc/audit/rules.d/audit.rules": ++ ++-a always,exit -F arch=b32 -S fchownat -F auid>=1000 -F auid!=unset -k perm_mod ++ ++-a always,exit -F arch=b64 -S fchownat -F auid>=1000 -F auid!=unset -k perm_mod ++ ++The audit daemon must be restarted for the changes to take effect.Verify the operating system generates audit records when successful/unsuccessful attempts to use the "fchownat" syscall occur. ++ ++Check the file system rules in "/etc/audit/audit.rules" with the following commands: ++ ++# grep -iw fchownat /etc/audit/audit.rules ++ ++-a always,exit -F arch=b32 -S fchownat -F auid>=1000 -F auid!=unset -k perm_mod ++ ++-a always,exit -F arch=b64 -S fchownat -F auid>=1000 -F auid!=unset -k perm_mod ++ ++If both the "b32" and "b64" audit rules are not defined for the "fchownat" syscall, this is a finding.SRG-OS-000458-GPOS-00203<GroupDescription></GroupDescription>RHEL-07-030410The Red Hat Enterprise Linux operating system must audit all uses of the chmod syscall.<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. ++ ++Audit records can be generated from various components within the information system (e.g., module or policy filter). ++ ++When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way. ++ ++Satisfies: SRG-OS-000458-GPOS-00203, SRG-OS-000392-GPOS-00172, SRG-OS-000064-GPOS-00033</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86729V-72105CCI-000172Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "chmod" syscall occur. ++ ++Add or update the following rules in "/etc/audit/rules.d/audit.rules": ++ ++-a always,exit -F arch=b32 -S chmod -F auid>=1000 -F auid!=unset -k perm_mod ++ ++-a always,exit -F arch=b64 -S chmod -F auid>=1000 -F auid!=unset -k perm_mod ++ ++The audit daemon must be restarted for the changes to take effect.Verify the operating system generates audit records when successful/unsuccessful attempts to use the "chmod" syscall occur. ++ ++Check the file system rules in "/etc/audit/audit.rules" with the following command: ++ ++# grep -iw chmod /etc/audit/audit.rules ++ ++-a always,exit -F arch=b32 -S chmod -F auid>=1000 -F auid!=unset -k perm_mod ++ ++-a always,exit -F arch=b64 -S chmod -F auid>=1000 -F auid!=unset -k perm_mod ++ ++If both the "b32" and "b64" audit rules are not defined for the "chmod" syscall, this is a finding.SRG-OS-000458-GPOS-00203<GroupDescription></GroupDescription>RHEL-07-030420The Red Hat Enterprise Linux operating system must audit all uses of the fchmod syscall.<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. ++ ++Audit records can be generated from various components within the information system (e.g., module or policy filter). ++ ++When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way. ++ ++Satisfies: SRG-OS-000458-GPOS-00203, SRG-OS-000392-GPOS-00172, SRG-OS-000064-GPOS-00033</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86731V-72107CCI-000172Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "fchmod" syscall occur. ++ ++Add or update the following rules in "/etc/audit/rules.d/audit.rules": ++ ++-a always,exit -F arch=b32 -S fchmod -F auid>=1000 -F auid!=unset -k perm_mod ++ ++-a always,exit -F arch=b64 -S fchmod -F auid>=1000 -F auid!=unset -k perm_mod ++ ++The audit daemon must be restarted for the changes to take effect.Verify the operating system generates audit records when successful/unsuccessful attempts to use the "fchmod" syscall occur. ++ ++Check the file system rules in "/etc/audit/audit.rules" with the following command: ++ ++# grep -iw fchmod /etc/audit/audit.rules ++ ++-a always,exit -F arch=b32 -S fchmod -F auid>=1000 -F auid!=unset -k perm_mod ++ ++-a always,exit -F arch=b64 -S fchmod -F auid>=1000 -F auid!=unset -k perm_mod ++ ++If both the "b32" and "b64" audit rules are not defined for the "fchmod" syscall, this is a finding.SRG-OS-000458-GPOS-00203<GroupDescription></GroupDescription>RHEL-07-030430The Red Hat Enterprise Linux operating system must audit all uses of the fchmodat syscall.<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. ++ ++Audit records can be generated from various components within the information system (e.g., module or policy filter). ++ ++When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way. ++ ++Satisfies: SRG-OS-000458-GPOS-00203, SRG-OS-000392-GPOS-00172, SRG-OS-000064-GPOS-00033</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86733V-72109CCI-000172Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "fchmodat" syscall occur. ++ ++Add or update the following rules in "/etc/audit/rules.d/audit.rules": ++ ++-a always,exit -F arch=b32 -S fchmodat -F auid>=1000 -F auid!=unset -k perm_mod ++ ++-a always,exit -F arch=b64 -S fchmodat -F auid>=1000 -F auid!=unset -k perm_mod ++ ++The audit daemon must be restarted for the changes to take effect.Verify the operating system generates audit records when successful/unsuccessful attempts to use the "fchmodat" syscall occur. ++ ++Check the file system rules in "/etc/audit/audit.rules" with the following command: ++ ++# grep -iw fchmodat /etc/audit/audit.rules ++ ++-a always,exit -F arch=b32 -S fchmodat -F auid>=1000 -F auid!=unset -k perm_mod ++ ++-a always,exit -F arch=b64 -S fchmodat -F auid>=1000 -F auid!=unset -k perm_mod ++ ++If both the "b32" and "b64" audit rules are not defined for the "fchmodat" syscall, this is a finding.SRG-OS-000458-GPOS-00203<GroupDescription></GroupDescription>RHEL-07-030440The Red Hat Enterprise Linux operating system must audit all uses of the setxattr syscall.<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. ++ ++Audit records can be generated from various components within the information system (e.g., module or policy filter). ++ ++When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way. ++ ++Satisfies: SRG-OS-000458-GPOS-00203, SRG-OS-000392-GPOS-00172, SRG-OS-000064-GPOS-00033</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86735V-72111CCI-000172Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "setxattr" syscall occur. ++ ++Add or update the following rules in "/etc/audit/rules.d/audit.rules": ++ ++-a always,exit -F arch=b32 -S setxattr -F auid>=1000 -F auid!=unset -k perm_mod ++ ++-a always,exit -F arch=b64 -S setxattr -F auid>=1000 -F auid!=unset -k perm_mod ++ ++The audit daemon must be restarted for the changes to take effect.Verify the operating system generates audit records when successful/unsuccessful attempts to use the "setxattr" syscall occur. ++ ++Check the file system rules in "/etc/audit/audit.rules" with the following commands: ++ ++# grep -iw setxattr /etc/audit/audit.rules ++ ++-a always,exit -F arch=b32 -S setxattr -F auid>=1000 -F auid!=unset -k perm_mod ++ ++-a always,exit -F arch=b64 -S setxattr -F auid>=1000 -F auid!=unset -k perm_mod ++ ++If both the "b32" and "b64" audit rules are not defined for the "setxattr" syscall, this is a finding.SRG-OS-000458-GPOS-00203<GroupDescription></GroupDescription>RHEL-07-030450The Red Hat Enterprise Linux operating system must audit all uses of the fsetxattr syscall.<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. ++ ++Audit records can be generated from various components within the information system (e.g., module or policy filter). ++ ++When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way. ++ ++Satisfies: SRG-OS-000458-GPOS-00203, SRG-OS-000392-GPOS-00172, SRG-OS-000064-GPOS-00033</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86737V-72113CCI-000172Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "fsetxattr" syscall occur. ++ ++Add or update the following rules in "/etc/audit/rules.d/audit.rules": ++ ++-a always,exit -F arch=b32 -S fsetxattr -F auid>=1000 -F auid!=unset -k perm_mod ++ ++-a always,exit -F arch=b64 -S fsetxattr -F auid>=1000 -F auid!=unset -k perm_mod ++ ++The audit daemon must be restarted for the changes to take effect.Verify the operating system generates audit records when successful/unsuccessful attempts to use the "fsetxattr" syscall occur. ++ ++Check the file system rules in "/etc/audit/audit.rules" with the following commands: ++ ++# grep -iw fsetxattr /etc/audit/audit.rules ++ ++-a always,exit -F arch=b32 -S fsetxattr -F auid>=1000 -F auid!=unset -k perm_mod ++ ++-a always,exit -F arch=b64 -S fsetxattr -F auid>=1000 -F auid!=unset -k perm_mod ++ ++If both the "b32" and "b64" audit rules are not defined for the "fsetxattr" syscall, this is a finding.SRG-OS-000458-GPOS-00203<GroupDescription></GroupDescription>RHEL-07-030460The Red Hat Enterprise Linux operating system must audit all uses of the lsetxattr syscall.<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. ++ ++Audit records can be generated from various components within the information system (e.g., module or policy filter). ++ ++When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way. ++ ++Satisfies: SRG-OS-000458-GPOS-00203, SRG-OS-000392-GPOS-00172, SRG-OS-000064-GPOS-00033</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72115SV-86739CCI-000172Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "lsetxattr" syscall occur. ++ ++Add or update the following rules in "/etc/audit/rules.d/audit.rules": ++ ++-a always,exit -F arch=b32 -S lsetxattr -F auid>=1000 -F auid!=unset -k perm_mod ++ ++-a always,exit -F arch=b64 -S lsetxattr -F auid>=1000 -F auid!=unset -k perm_mod ++ ++The audit daemon must be restarted for the changes to take effect.Verify the operating system generates audit records when successful/unsuccessful attempts to use the "lsetxattr" syscall occur. ++ ++Check the file system rules in "/etc/audit/audit.rules" with the following commands: ++ ++# grep -iw lsetxattr /etc/audit/audit.rules ++ ++-a always,exit -F arch=b32 -S lsetxattr -F auid>=1000 -F auid!=unset -k perm_mod ++ ++-a always,exit -F arch=b64 -S lsetxattr -F auid>=1000 -F auid!=unset -k perm_mod ++ ++If both the "b32" and "b64" audit rules are not defined for the "lsetxattr" syscall, this is a finding.SRG-OS-000458-GPOS-00203<GroupDescription></GroupDescription>RHEL-07-030470The Red Hat Enterprise Linux operating system must audit all uses of the removexattr syscall.<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. ++ ++Audit records can be generated from various components within the information system (e.g., module or policy filter). ++ ++When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way. ++ ++Satisfies: SRG-OS-000458-GPOS-00203, SRG-OS-000392-GPOS-00172, SRG-OS-000064-GPOS-00033</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72117SV-86741CCI-000172Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "removexattr" syscall occur. ++ ++Add or update the following rules in "/etc/audit/rules.d/audit.rules": ++ ++-a always,exit -F arch=b32 -S removexattr -F auid>=1000 -F auid!=unset -k perm_mod ++ ++-a always,exit -F arch=b64 -S removexattr -F auid>=1000 -F auid!=unset -k perm_mod ++ ++The audit daemon must be restarted for the changes to take effect.Verify the operating system generates audit records when successful/unsuccessful attempts to use the "removexattr" syscall occur. ++ ++Check the file system rules in "/etc/audit/audit.rules" with the following commands: ++ ++# grep -iw removexattr /etc/audit/audit.rules ++ ++-a always,exit -F arch=b32 -S removexattr -F auid>=1000 -F auid!=unset -k perm_mod ++ ++-a always,exit -F arch=b64 -S removexattr -F auid>=1000 -F auid!=unset -k perm_mod ++ ++If both the "b32" and "b64" audit rules are not defined for the "removexattr" syscall, this is a finding.SRG-OS-000458-GPOS-00203<GroupDescription></GroupDescription>RHEL-07-030480The Red Hat Enterprise Linux operating system must audit all uses of the fremovexattr syscall.<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. ++ ++Audit records can be generated from various components within the information system (e.g., module or policy filter). ++ ++When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way. ++ ++Satisfies: SRG-OS-000458-GPOS-00203, SRG-OS-000392-GPOS-00172, SRG-OS-000064-GPOS-00033</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86743V-72119CCI-000172Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "fremovexattr" syscall occur. ++ ++Add or update the following rules in "/etc/audit/rules.d/audit.rules": ++ ++-a always,exit -F arch=b32 -S fremovexattr -F auid>=1000 -F auid!=unset -k perm_mod ++ ++-a always,exit -F arch=b64 -S fremovexattr -F auid>=1000 -F auid!=unset -k perm_mod ++ ++The audit daemon must be restarted for the changes to take effect.Verify the operating system generates audit records when successful/unsuccessful attempts to use the "fremovexattr" syscall occur. ++ ++Check the file system rules in "/etc/audit/audit.rules" with the following commands: ++ ++# grep -iw fremovexattr /etc/audit/audit.rules ++ ++-a always,exit -F arch=b32 -S fremovexattr -F auid>=1000 -F auid!=unset -k perm_mod ++ ++-a always,exit -F arch=b64 -S fremovexattr -F auid>=1000 -F auid!=unset -k perm_mod ++ ++If both the "b32" and "b64" audit rules are not defined for the "fremovexattr" syscall, this is a finding.SRG-OS-000458-GPOS-00203<GroupDescription></GroupDescription>RHEL-07-030490The Red Hat Enterprise Linux operating system must audit all uses of the lremovexattr syscall.<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. ++ ++Audit records can be generated from various components within the information system (e.g., module or policy filter). ++ ++When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way. ++ ++Satisfies: SRG-OS-000458-GPOS-00203, SRG-OS-000392-GPOS-00172, SRG-OS-000064-GPOS-00033</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72121SV-86745CCI-000172Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "lremovexattr" syscall occur. ++ ++Add or update the following rules in "/etc/audit/rules.d/audit.rules": ++ ++-a always,exit -F arch=b32 -S lremovexattr -F auid>=1000 -F auid!=unset -k perm_mod ++ ++-a always,exit -F arch=b64 -S lremovexattr -F auid>=1000 -F auid!=unset -k perm_mod ++ ++The audit daemon must be restarted for the changes to take effect.Verify the operating system generates audit records when successful/unsuccessful attempts to use the "lremovexattr" syscall occur. ++ ++Check the file system rules in "/etc/audit/audit.rules" with the following commands: ++ ++# grep -iw lremovexattr /etc/audit/audit.rules ++ ++-a always,exit -F arch=b32 -S lremovexattr -F auid>=1000 -F auid!=unset -k perm_mod ++ ++-a always,exit -F arch=b64 -S lremovexattr -F auid>=1000 -F auid!=unset -k perm_mod ++ ++If both the "b32" and "b64" audit rules are not defined for the "lremovexattr" syscall, this is a finding.SRG-OS-000064-GPOS-00033<GroupDescription></GroupDescription>RHEL-07-030500The Red Hat Enterprise Linux operating system must audit all uses of the creat syscall.<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. ++ ++Audit records can be generated from various components within the information system (e.g., module or policy filter). ++ ++When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way. ++ ++Satisfies: SRG-OS-000064-GPOS-00033, SRG-OS-000458-GPOS-00203, SRG-OS-000461-GPOS-00205, SRG-OS-000392-GPOS-00172</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86747V-72123CCI-000172CCI-002884Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "creat" syscall occur. ++ ++Add or update the following rules in "/etc/audit/rules.d/audit.rules: ++ ++-a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access ++ ++-a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access ++ ++-a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access ++ ++-a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access ++ ++The audit daemon must be restarted for the changes to take effect.Verify the operating system generates audit records when successful/unsuccessful attempts to use the "creat" syscall occur. ++ ++Check the file system rules in "/etc/audit/audit.rules" with the following commands: ++ ++# grep -iw creat /etc/audit/audit.rules ++ ++-a always,exit -F arch=b32 -S creat F exit=-EPERM -F auid>=1000 -F auid!=unset -k access ++ ++-a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access ++ ++-a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access ++ ++-a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access ++ ++If both the "b32" and "b64" audit rules are not defined for the "creat" syscall, this is a finding. ++ ++If the output does not produce rules containing "-F exit=-EPERM", this is a finding. ++ ++If the output does not produce rules containing "-F exit=-EACCES", this is a finding.SRG-OS-000064-GPOS-00033<GroupDescription></GroupDescription>RHEL-07-030510The Red Hat Enterprise Linux operating system must audit all uses of the open syscall.<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. ++ ++Audit records can be generated from various components within the information system (e.g., module or policy filter). ++ ++When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way. ++ ++Satisfies: SRG-OS-000064-GPOS-00033, SRG-OS-000458-GPOS-00203, SRG-OS-000461-GPOS-00205, SRG-OS-000392-GPOS-00172</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86749V-72125CCI-000172CCI-002884Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "open" syscall occur. ++ ++Add or update the following rules in "/etc/audit/rules.d/audit.rules": ++ ++-a always,exit -F arch=b32 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access ++ ++-a always,exit -F arch=b32 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access ++ ++-a always,exit -F arch=b64 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access ++ ++-a always,exit -F arch=b64 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access ++ ++The audit daemon must be restarted for the changes to take effect.Verify the operating system generates audit records when successful/unsuccessful attempts to use the "open" syscall occur. ++ ++Check the file system rules in "/etc/audit/audit.rules" with the following commands: ++ ++# grep -iw open /etc/audit/audit.rules ++ ++-a always,exit -F arch=b32 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access ++ ++-a always,exit -F arch=b32 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access ++ ++-a always,exit -F arch=b64 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access ++ ++-a always,exit -F arch=b64 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access ++ ++If both the "b32" and "b64" audit rules are not defined for the "open" syscall, this is a finding. ++ ++If the output does not produce rules containing "-F exit=-EPERM", this is a finding. ++ ++If the output does not produce rules containing "-F exit=-EACCES", this is a finding.SRG-OS-000064-GPOS-00033<GroupDescription></GroupDescription>RHEL-07-030520The Red Hat Enterprise Linux operating system must audit all uses of the openat syscall.<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. ++ ++Audit records can be generated from various components within the information system (e.g., module or policy filter). ++ ++When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way. ++ ++Satisfies: SRG-OS-000064-GPOS-00033, SRG-OS-000458-GPOS-00203, SRG-OS-000461-GPOS-00205, SRG-OS-000392-GPOS-00172</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72127SV-86751CCI-000172CCI-002884Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "openat" syscall occur. ++ ++Add or update the following rules in "/etc/audit/rules.d/audit.rules": ++ ++-a always,exit -F arch=b32 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access ++ ++-a always,exit -F arch=b32 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access ++ ++-a always,exit -F arch=b64 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access ++ ++-a always,exit -F arch=b64 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access ++ ++The audit daemon must be restarted for the changes to take effect.Verify the operating system generates audit records when successful/unsuccessful attempts to use the "openat" syscall occur. ++ ++Check the file system rules in "/etc/audit/audit.rules" with the following commands: ++ ++# grep -iw openat /etc/audit/audit.rules ++ ++-a always,exit -F arch=b32 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access ++ ++-a always,exit -F arch=b32 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access ++ ++-a always,exit -F arch=b64 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access ++ ++-a always,exit -F arch=b64 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access ++ ++If both the "b32" and "b64" audit rules are not defined for the "openat" syscall, this is a finding. ++ ++If the output does not produce rules containing "-F exit=-EPERM", this is a finding. ++ ++If the output does not produce rules containing "-F exit=-EACCES", this is a finding.SRG-OS-000064-GPOS-00033<GroupDescription></GroupDescription>RHEL-07-030530The Red Hat Enterprise Linux operating system must audit all uses of the open_by_handle_at syscall.<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. ++ ++Audit records can be generated from various components within the information system (e.g., module or policy filter). ++ ++When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way. ++ ++Satisfies: SRG-OS-000064-GPOS-00033, SRG-OS-000458-GPOS-00203, SRG-OS-000461-GPOS-00205, SRG-OS-000392-GPOS-00172</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72129SV-86753CCI-000172CCI-002884Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "open_by_handle_at" syscall occur. ++ ++Add or update the following rules in "/etc/audit/rules.d/audit.rules": ++ ++-a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access ++ ++-a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access ++ ++-a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access ++ ++-a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access ++ ++The audit daemon must be restarted for the changes to take effect.Verify the operating system generates audit records when successful/unsuccessful attempts to use the "open_by_handle_at" syscall occur. ++ ++Check the file system rules in "/etc/audit/audit.rules" with the following commands: ++ ++# grep -iw open_by_handle_at /etc/audit/audit.rules ++ ++-a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access ++ ++-a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access ++ ++-a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access ++ ++-a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access ++ ++If both the "b32" and "b64" audit rules are not defined for the "open_by_handle_at" syscall, this is a finding. ++ ++If the output does not produce rules containing "-F exit=-EPERM", this is a finding. ++ ++If the output does not produce rules containing "-F exit=-EACCES", this is a finding.SRG-OS-000064-GPOS-00033<GroupDescription></GroupDescription>RHEL-07-030540The Red Hat Enterprise Linux operating system must audit all uses of the truncate syscall.<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. ++ ++Audit records can be generated from various components within the information system (e.g., module or policy filter). ++ ++When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way. ++ ++Satisfies: SRG-OS-000064-GPOS-00033, SRG-OS-000458-GPOS-00203, SRG-OS-000461-GPOS-00205, SRG-OS-000392-GPOS-00172</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72131SV-86755CCI-000172CCI-002884Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "truncate" syscall occur. ++ ++Add or update the following rules in "/etc/audit/rules.d/audit.rules": ++ ++-a always,exit -F arch=b32 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access ++ ++-a always,exit -F arch=b32 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access ++ ++-a always,exit -F arch=b64 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access ++ ++-a always,exit -F arch=b64 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access ++ ++The audit daemon must be restarted for the changes to take effect.Verify the operating system generates audit records when successful/unsuccessful attempts to use the "truncate" syscall occur. ++ ++Check the file system rules in "/etc/audit/audit.rules" with the following commands: ++ ++# grep -iw truncate /etc/audit/audit.rules ++ ++-a always,exit -F arch=b32 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access ++ ++-a always,exit -F arch=b32 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access ++ ++-a always,exit -F arch=b64 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access ++ ++-a always,exit -F arch=b64 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access ++ ++If both the "b32" and "b64" audit rules are not defined for the "truncate" syscall, this is a finding. ++ ++If the output does not produce rules containing "-F exit=-EPERM", this is a finding. ++ ++If the output does not produce rules containing "-F exit=-EACCES", this is a finding.SRG-OS-000064-GPOS-00033<GroupDescription></GroupDescription>RHEL-07-030550The Red Hat Enterprise Linux operating system must audit all uses of the ftruncate syscall.<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. ++ ++Audit records can be generated from various components within the information system (e.g., module or policy filter). ++ ++When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way. ++ ++Satisfies: SRG-OS-000064-GPOS-00033, SRG-OS-000458-GPOS-00203, SRG-OS-000461-GPOS-00205, SRG-OS-000392-GPOS-00172</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72133SV-86757CCI-000172CCI-002884Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "ftruncate" syscall occur. ++ ++Add or update the following rules in "/etc/audit/rules.d/audit.rules": ++ ++-a always,exit -F arch=b32 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access ++ ++-a always,exit -F arch=b32 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access ++ ++-a always,exit -F arch=b64 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access ++ ++-a always,exit -F arch=b64 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access ++ ++The audit daemon must be restarted for the changes to take effect.Verify the operating system generates audit records when successful/unsuccessful attempts to use the "ftruncate" syscall occur. ++ ++Check the file system rules in "/etc/audit/audit.rules" with the following commands: ++ ++# grep -iw ftruncate /etc/audit/audit.rules ++ ++-a always,exit -F arch=b32 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access ++ ++-a always,exit -F arch=b32 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access ++ ++-a always,exit -F arch=b64 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access ++ ++-a always,exit -F arch=b64 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access ++ ++If both the "b32" and "b64" audit rules are not defined for the "ftruncate" syscall, this is a finding. ++ ++If the output does not produce rules containing "-F exit=-EPERM", this is a finding. ++ ++If the output does not produce rules containing "-F exit=-EACCES", this is a finding.SRG-OS-000392-GPOS-00172<GroupDescription></GroupDescription>RHEL-07-030560The Red Hat Enterprise Linux operating system must audit all uses of the semanage command.<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. ++ ++Audit records can be generated from various components within the information system (e.g., module or policy filter). ++ ++When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way. ++ ++Satisfies: SRG-OS-000392-GPOS-00172, SRG-OS-000463-GPOS-00207, SRG-OS-000465-GPOS-00209</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86759V-72135CCI-000172CCI-002884Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "semanage" command occur. ++ ++Add or update the following rule in "/etc/audit/rules.d/audit.rules": ++ ++-a always,exit -F path=/usr/sbin/semanage -F auid>=1000 -F auid!=unset -k privileged-priv_change ++ ++The audit daemon must be restarted for the changes to take effect.Verify the operating system generates audit records when successful/unsuccessful attempts to use the "semanage" command occur. ++ ++Check the file system rule in "/etc/audit/audit.rules" with the following command: ++ ++# grep -i /usr/sbin/semanage /etc/audit/audit.rules ++ ++-a always,exit -F path=/usr/sbin/semanage -F auid>=1000 -F auid!=unset -k privileged-priv_change ++ ++If the command does not return any output, this is a finding.SRG-OS-000392-GPOS-00172<GroupDescription></GroupDescription>RHEL-07-030570The Red Hat Enterprise Linux operating system must audit all uses of the setsebool command.<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. ++ ++Audit records can be generated from various components within the information system (e.g., module or policy filter). ++ ++When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way. ++ ++Satisfies: SRG-OS-000392-GPOS-00172, SRG-OS-000463-GPOS-00207, SRG-OS-000465-GPOS-00209</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72137SV-86761CCI-000172CCI-002884Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "setsebool" command occur. ++ ++Add or update the following rule in "/etc/audit/rules.d/audit.rules": ++ ++-a always,exit -F path=/usr/sbin/setsebool -F auid>=1000 -F auid!=unset -k privileged-priv_change ++ ++The audit daemon must be restarted for the changes to take effect.Verify the operating system generates audit records when successful/unsuccessful attempts to use the "setsebool" command occur. ++ ++Check the file system rule in "/etc/audit/audit.rules" with the following command: ++ ++# grep -i /usr/sbin/setsebool /etc/audit/audit.rules ++ ++-a always,exit -F path=/usr/sbin/setsebool -F auid>=1000 -F auid!=unset -k privileged-priv_change ++ ++If the command does not return any output, this is a finding.SRG-OS-000392-GPOS-00172<GroupDescription></GroupDescription>RHEL-07-030580The Red Hat Enterprise Linux operating system must audit all uses of the chcon command.<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. ++ ++Audit records can be generated from various components within the information system (e.g., module or policy filter). ++ ++When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way. ++ ++Satisfies: SRG-OS-000392-GPOS-00172, SRG-OS-000463-GPOS-00207, SRG-OS-000465-GPOS-00209</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72139SV-86763CCI-000172CCI-002884Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "chcon" command occur. ++ ++Add or update the following rule in "/etc/audit/rules.d/audit.rules": ++ ++-a always,exit -F path=/usr/bin/chcon -F auid>=1000 -F auid!=unset -k privileged-priv_change ++ ++The audit daemon must be restarted for the changes to take effect.Verify the operating system generates audit records when successful/unsuccessful attempts to use the "chcon" command occur. ++ ++Check the file system rule in "/etc/audit/audit.rules" with the following command: ++ ++# grep -i /usr/bin/chcon /etc/audit/audit.rules ++ ++-a always,exit -F path=/usr/bin/chcon -F auid>=1000 -F auid!=unset -k privileged-priv_change ++ ++If the command does not return any output, this is a finding.SRG-OS-000392-GPOS-00172<GroupDescription></GroupDescription>RHEL-07-030590The Red Hat Enterprise Linux operating system must audit all uses of the setfiles command.<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. ++ ++Audit records can be generated from various components within the information system (e.g., module or policy filter). ++ ++When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way. ++ ++Satisfies: SRG-OS-000392-GPOS-00172, SRG-OS-000463-GPOS-00207, SRG-OS-000465-GPOS-00209</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72141SV-86765CCI-000172CCI-002884Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "setfiles" command occur. ++ ++Add or update the following rule in "/etc/audit/rules.d/audit.rules": ++ ++-a always,exit -F path=/usr/sbin/setfiles -F auid>=1000 -F auid!=unset -k privileged-priv_change ++ ++The audit daemon must be restarted for the changes to take effect.Verify the operating system generates audit records when successful/unsuccessful attempts to use the "setfiles" command occur. ++ ++Check the file system rule in "/etc/audit/audit.rules" with the following command: ++ ++# grep -iw /usr/sbin/setfiles /etc/audit/audit.rules ++ ++-a always,exit -F path=/usr/sbin/setfiles -F auid>=1000 -F auid!=unset -k privileged-priv_change ++ ++If the command does not return any output, this is a finding.SRG-OS-000392-GPOS-00172<GroupDescription></GroupDescription>RHEL-07-030610The Red Hat Enterprise Linux operating system must generate audit records for all unsuccessful account access events.<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. ++ ++Audit records can be generated from various components within the information system (e.g., module or policy filter). ++ ++Satisfies: SRG-OS-000392-GPOS-00172, SRG-OS-000470-GPOS-00214, SRG-OS-000473-GPOS-00218</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72145SV-86769CCI-000126CCI-000172CCI-002884Configure the operating system to generate audit records when unsuccessful account access events occur. ++ ++Add or update the following rule in "/etc/audit/rules.d/audit.rules": ++ ++-w /var/run/faillock -p wa -k logins ++ ++The audit daemon must be restarted for the changes to take effect.Verify the operating system generates audit records when unsuccessful account access events occur. ++ ++Check the file system rule in "/etc/audit/audit.rules" with the following commands: ++ ++# grep -i /var/run/faillock /etc/audit/audit.rules ++ ++-w /var/run/faillock -p wa -k logins ++ ++If the command does not return any output, this is a finding.SRG-OS-000392-GPOS-00172<GroupDescription></GroupDescription>RHEL-07-030620The Red Hat Enterprise Linux operating system must generate audit records for all successful account access events.<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. ++ ++Audit records can be generated from various components within the information system (e.g., module or policy filter). ++ ++Satisfies: SRG-OS-000392-GPOS-00172, SRG-OS-000470-GPOS-00214, SRG-OS-000473-GPOS-00218</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72147SV-86771CCI-000126CCI-000172CCI-002884Configure the operating system to generate audit records when successful account access events occur. ++ ++Add or update the following rule in "/etc/audit/rules.d/audit.rules": ++ ++-w /var/log/lastlog -p wa -k logins ++ ++The audit daemon must be restarted for the changes to take effect.Verify the operating system generates audit records when successful account access events occur. ++ ++Check the file system rules in "/etc/audit/audit.rules" with the following commands: ++ ++# grep -i /var/log/lastlog /etc/audit/audit.rules ++ ++-w /var/log/lastlog -p wa -k logins ++ ++If the command does not return any output, this is a finding.SRG-OS-000042-GPOS-00020<GroupDescription></GroupDescription>RHEL-07-030630The Red Hat Enterprise Linux operating system must audit all uses of the passwd command.<VulnDiscussion>Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. ++ ++At a minimum, the organization must audit the full-text recording of privileged password commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise. ++ ++When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way. ++ ++Satisfies: SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000471-GPOS-00215</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72149SV-86773CCI-000172CCI-000135CCI-002884Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "passwd" command occur. ++ ++Add or update the following rule in "/etc/audit/rules.d/audit.rules": ++ ++-a always,exit -F path=/usr/bin/passwd -F auid>=1000 -F auid!=unset -k privileged-passwd ++ ++The audit daemon must be restarted for the changes to take effect.Verify the operating system generates audit records when successful/unsuccessful attempts to use the "passwd" command occur. ++ ++Check the file system rule in "/etc/audit/audit.rules" with the following command: ++ ++# grep -i /usr/bin/passwd /etc/audit/audit.rules ++ ++-a always,exit -F path=/usr/bin/passwd -F auid>=1000 -F auid!=unset -k privileged-passwd ++ ++If the command does not return any output, this is a finding.SRG-OS-000042-GPOS-00020<GroupDescription></GroupDescription>RHEL-07-030640The Red Hat Enterprise Linux operating system must audit all uses of the unix_chkpwd command.<VulnDiscussion>Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. ++ ++At a minimum, the organization must audit the full-text recording of privileged password commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise. ++ ++When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way. ++ ++Satisfies: SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000471-GPOS-00215</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72151SV-86775CCI-000135CCI-000172CCI-002884Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "unix_chkpwd" command occur. ++ ++Add or update the following rule in "/etc/audit/rules.d/audit.rules": ++ ++-a always,exit -F path=/usr/sbin/unix_chkpwd -F auid>=1000 -F auid!=unset -k privileged-passwd ++ ++The audit daemon must be restarted for the changes to take effect.Verify the operating system generates audit records when successful/unsuccessful attempts to use the "unix_chkpwd" command occur. ++ ++Check the file system rule in "/etc/audit/audit.rules" with the following command: ++ ++# grep -iw /usr/sbin/unix_chkpwd /etc/audit/audit.rules ++ ++-a always,exit -F path=/usr/sbin/unix_chkpwd -F auid>=1000 -F auid!=unset -k privileged-passwd ++ ++If the command does not return any output, this is a finding.SRG-OS-000042-GPOS-00020<GroupDescription></GroupDescription>RHEL-07-030650The Red Hat Enterprise Linux operating system must audit all uses of the gpasswd command.<VulnDiscussion>Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. ++ ++At a minimum, the organization must audit the full-text recording of privileged password commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise. ++ ++When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way. ++ ++Satisfies: SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000471-GPOS-00215</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72153SV-86777CCI-000135CCI-000172CCI-002884Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "gpasswd" command occur. ++ ++Add or update the following rule in "/etc/audit/rules.d/audit.rules": ++ ++-a always,exit -F path=/usr/bin/gpasswd -F auid>=1000 -F auid!=unset -k privileged-passwd ++ ++The audit daemon must be restarted for the changes to take effect. Verify the operating system generates audit records when successful/unsuccessful attempts to use the "gpasswd" command occur. ++ ++Check the file system rule in "/etc/audit/audit.rules" with the following command: ++ ++# grep -i /usr/bin/gpasswd /etc/audit/audit.rules ++ ++-a always,exit -F path=/usr/bin/gpasswd -F auid>=1000 -F auid!=unset -k privileged-passwd ++ ++If the command does not return any output, this is a finding.SRG-OS-000042-GPOS-00020<GroupDescription></GroupDescription>RHEL-07-030660The Red Hat Enterprise Linux operating system must audit all uses of the chage command.<VulnDiscussion>Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. ++ ++At a minimum, the organization must audit the full-text recording of privileged password commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise. ++ ++When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way. ++ ++Satisfies: SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000471-GPOS-00215</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86779V-72155CCI-000172CCI-000135CCI-002884Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "chage" command occur. ++ ++Add or update the following rule in "/etc/audit/rules.d/audit.rules": ++ ++-a always,exit -F path=/usr/bin/chage -F auid>=1000 -F auid!=unset -k privileged-passwd ++ ++The audit daemon must be restarted for the changes to take effect.Verify the operating system generates audit records when successful/unsuccessful attempts to use the "chage" command occur. ++ ++Check the file system rule in "/etc/audit/audit.rules" with the following command: ++ ++# grep -i /usr/bin/chage /etc/audit/audit.rules ++ ++-a always,exit -F path=/usr/bin/chage -F auid>=1000 -F auid!=unset -k privileged-passwd ++ ++If the command does not return any output, this is a finding.SRG-OS-000042-GPOS-00020<GroupDescription></GroupDescription>RHEL-07-030670The Red Hat Enterprise Linux operating system must audit all uses of the userhelper command.<VulnDiscussion>Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. ++ ++At a minimum, the organization must audit the full-text recording of privileged password commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise. ++ ++When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way. ++ ++Satisfies: SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000471-GPOS-00215</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86781V-72157CCI-000135CCI-000172CCI-002884Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "userhelper" command occur. ++ ++Add or update the following rule in "/etc/audit/rules.d/audit.rules": ++ ++-a always,exit -F path=/usr/sbin/userhelper -F auid>=1000 -F auid!=unset -k privileged-passwd ++ ++The audit daemon must be restarted for the changes to take effect.Verify the operating system generates audit records when successful/unsuccessful attempts to use the "userhelper" command occur. ++ ++Check the file system rule in "/etc/audit/audit.rules" with the following command: ++ ++# grep -i /usr/sbin/userhelper /etc/audit/audit.rules ++ ++-a always,exit -F path=/usr/sbin/userhelper -F auid>=1000 -F auid!=unset -k privileged-passwd ++ ++If the command does not return any output, this is a finding.SRG-OS-000037-GPOS-00015<GroupDescription></GroupDescription>RHEL-07-030680The Red Hat Enterprise Linux operating system must audit all uses of the su command.<VulnDiscussion>Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. ++ ++At a minimum, the organization must audit the full-text recording of privileged access commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise. ++ ++When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way. ++ ++Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72159SV-86783CCI-000172CCI-000135CCI-000130CCI-002884Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "su" command occur. ++ ++Add or update the following rule in "/etc/audit/rules.d/audit.rules": ++ ++-a always,exit -F path=/usr/bin/su -F auid>=1000 -F auid!=unset -k privileged-priv_change ++ ++The audit daemon must be restarted for the changes to take effect.Verify the operating system generates audit records when successful/unsuccessful attempts to use the "su" command occur. ++ ++Check that the following system call is being audited by performing the following command to check the file system rules in "/etc/audit/audit.rules": ++ ++# grep -iw /usr/bin/su /etc/audit/audit.rules ++ ++-a always,exit -F path=/usr/bin/su -F auid>=1000 -F auid!=unset -k privileged-priv_change ++ ++If the command does not return any output, this is a finding.SRG-OS-000037-GPOS-00015<GroupDescription></GroupDescription>RHEL-07-030690The Red Hat Enterprise Linux operating system must audit all uses of the sudo command.<VulnDiscussion>Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. ++ ++At a minimum, the organization must audit the full-text recording of privileged access commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise. ++ ++When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way. ++ ++Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86785V-72161CCI-000130CCI-000135CCI-000172CCI-002884Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "sudo" command occur. ++ ++Add or update the following rule in "/etc/audit/rules.d/audit.rules": ++ ++-a always,exit -F path=/usr/bin/sudo -F auid>=1000 -F auid!=unset -k privileged-priv_change ++ ++The audit daemon must be restarted for the changes to take effect.Verify the operating system generates audit records when successful/unsuccessful attempts to use the "sudo" command occur. ++ ++Check that the following system call is being audited by performing the following command to check the file system rules in "/etc/audit/audit.rules": ++ ++# grep -iw /usr/bin/sudo /etc/audit/audit.rules ++ ++-a always,exit -F path=/usr/bin/sudo -F auid>=1000 -F auid!=unset -k privileged-priv_change ++ ++If the command does not return any output, this is a finding.SRG-OS-000037-GPOS-00015<GroupDescription></GroupDescription>RHEL-07-030700The Red Hat Enterprise Linux operating system must audit all uses of the sudoers file and all files in the /etc/sudoers.d/ directory.<VulnDiscussion>Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. ++ ++At a minimum, the organization must audit the full-text recording of privileged access commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise. ++ ++Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86787V-72163CCI-000172CCI-000135CCI-000130CCI-002884Configure the operating system to generate audit records when successful/unsuccessful attempts to access the "/etc/sudoers" file and files in the "/etc/sudoers.d/" directory. ++ ++Add or update the following rule in "/etc/audit/rules.d/audit.rules": ++ ++-w /etc/sudoers -p wa -k privileged-actions ++ ++-w /etc/sudoers.d/ -p wa -k privileged-actions ++ ++The audit daemon must be restarted for the changes to take effect.Verify the operating system generates audit records when successful/unsuccessful attempts to access the "/etc/sudoers" file and files in the "/etc/sudoers.d/" directory. ++ ++Check for modification of the following files being audited by performing the following commands to check the file system rules in "/etc/audit/audit.rules": ++ ++# grep -i "/etc/sudoers" /etc/audit/audit.rules ++ ++-w /etc/sudoers -p wa -k privileged-actions ++ ++# grep -i "/etc/sudoers.d/" /etc/audit/audit.rules ++ ++-w /etc/sudoers.d/ -p wa -k privileged-actions ++ ++If the commands do not return output that match the examples, this is a finding.SRG-OS-000037-GPOS-00015<GroupDescription></GroupDescription>RHEL-07-030710The Red Hat Enterprise Linux operating system must audit all uses of the newgrp command.<VulnDiscussion>Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. ++ ++At a minimum, the organization must audit the full-text recording of privileged access commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise. ++ ++When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way. ++ ++Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86789V-72165CCI-000130CCI-000135CCI-000172CCI-002884Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "newgrp" command occur. ++ ++Add or update the following rule in "/etc/audit/rules.d/audit.rules": ++ ++-a always,exit -F path=/usr/bin/newgrp -F auid>=1000 -F auid!=unset -k privileged-priv_change ++ ++The audit daemon must be restarted for the changes to take effect.Verify the operating system generates audit records when successful/unsuccessful attempts to use the "newgrp" command occur. ++ ++Check that the following system call is being audited by performing the following command to check the file system rules in "/etc/audit/audit.rules": ++ ++# grep -i /usr/bin/newgrp /etc/audit/audit.rules ++ ++-a always,exit -F path=/usr/bin/newgrp -F auid>=1000 -F auid!=unset -k privileged-priv_change ++ ++If the command does not return any output, this is a finding.SRG-OS-000037-GPOS-00015<GroupDescription></GroupDescription>RHEL-07-030720The Red Hat Enterprise Linux operating system must audit all uses of the chsh command.<VulnDiscussion>Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. ++ ++At a minimum, the organization must audit the full-text recording of privileged access commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise. ++ ++When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way. ++ ++Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86791V-72167CCI-000172CCI-000130CCI-000135CCI-002884Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "chsh" command occur. ++ ++Add or update the following rule in "/etc/audit/rules.d/audit.rules": ++ ++-a always,exit -F path=/usr/bin/chsh -F auid>=1000 -F auid!=unset -k privileged-priv_change ++ ++The audit daemon must be restarted for the changes to take effect.Verify the operating system generates audit records when successful/unsuccessful attempts to use the "chsh" command occur. ++ ++Check that the following system call is being audited by performing the following command to check the file system rules in "/etc/audit/audit.rules": ++ ++# grep -i /usr/bin/chsh /etc/audit/audit.rules ++ ++-a always,exit -F path=/usr/bin/chsh -F auid>=1000 -F auid!=unset -k privileged-priv_change ++ ++If the command does not return any output, this is a finding.SRG-OS-000042-GPOS-00020<GroupDescription></GroupDescription>RHEL-07-030740The Red Hat Enterprise Linux operating system must audit all uses of the mount command and syscall.<VulnDiscussion>Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. ++ ++At a minimum, the organization must audit the full-text recording of privileged mount commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise. ++ ++When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way. ++ ++Satisfies: SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86795V-72171CCI-000135CCI-002884Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "mount" command and syscall occur. ++ ++Add or update the following rules in "/etc/audit/rules.d/audit.rules": ++ ++-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=unset -k privileged-mount ++-a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=unset -k privileged-mount ++-a always,exit -F path=/usr/bin/mount -F auid>=1000 -F auid!=unset -k privileged-mount ++ ++The audit daemon must be restarted for the changes to take effect.Verify the operating system generates audit records when successful/unsuccessful attempts to use the "mount" command and syscall occur. ++ ++Check that the following system call is being audited by performing the following series of commands to check the file system rules in "/etc/audit/audit.rules": ++ ++# grep -iw "mount" /etc/audit/audit.rules ++ ++-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=unset -k privileged-mount ++-a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=unset -k privileged-mount ++-a always,exit -F path=/usr/bin/mount -F auid>=1000 -F auid!=unset -k privileged-mount ++ ++If both the "b32" and "b64" audit rules are not defined for the "mount" syscall, this is a finding. ++ ++If all uses of the "mount" command are not being audited, this is a finding.SRG-OS-000042-GPOS-00020<GroupDescription></GroupDescription>RHEL-07-030750The Red Hat Enterprise Linux operating system must audit all uses of the umount command.<VulnDiscussion>Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. ++ ++At a minimum, the organization must audit the full-text recording of privileged mount commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise. ++ ++When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way. ++ ++Satisfies: SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72173SV-86797CCI-000135CCI-002884Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "umount" command occur. ++ ++Add or update the following rule in "/etc/audit/rules.d/audit.rules": ++ ++-a always,exit -F path=/usr/bin/umount -F auid>=1000 -F auid!=unset -k privileged-mount ++ ++The audit daemon must be restarted for the changes to take effect.Verify the operating system generates audit records when successful/unsuccessful attempts to use the "umount" command occur. ++ ++Check that the following system call is being audited by performing the following series of commands to check the file system rules in "/etc/audit/audit.rules": ++ ++# grep -iw "/usr/bin/umount" /etc/audit/audit.rules ++ ++-a always,exit -F path=/usr/bin/umount -F auid>=1000 -F auid!=unset -k privileged-mount ++ ++If the command does not return any output, this is a finding.SRG-OS-000042-GPOS-00020<GroupDescription></GroupDescription>RHEL-07-030760The Red Hat Enterprise Linux operating system must audit all uses of the postdrop command.<VulnDiscussion>Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. ++ ++At a minimum, the organization must audit the full-text recording of privileged postfix commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise. ++ ++When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way. ++ ++Satisfies: SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72175SV-86799CCI-000135CCI-002884Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "postdrop" command occur. ++ ++Add or update the following rule in "/etc/audit/rules.d/audit.rules": ++ ++-a always,exit -F path=/usr/sbin/postdrop -F auid>=1000 -F auid!=unset -k privileged-postfix ++ ++The audit daemon must be restarted for the changes to take effect.Verify the operating system generates audit records when successful/unsuccessful attempts to use the "postdrop" command occur. ++ ++Check that the following system call is being audited by performing the following command to check the file system rules in "/etc/audit/audit.rules": ++ ++# grep -iw /usr/sbin/postdrop /etc/audit/audit.rules ++ ++-a always,exit -F path=/usr/sbin/postdrop -F auid>=1000 -F auid!=unset -k privileged-postfix ++ ++If the command does not return any output, this is a finding.SRG-OS-000042-GPOS-00020<GroupDescription></GroupDescription>RHEL-07-030770The Red Hat Enterprise Linux operating system must audit all uses of the postqueue command.<VulnDiscussion>Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. ++ ++At a minimum, the organization must audit the full-text recording of privileged postfix commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise. ++ ++When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way. ++ ++Satisfies: SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72177SV-86801CCI-000135CCI-002884Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "postqueue" command occur. ++ ++Add or update the following rule in "/etc/audit/rules.d/audit.rules": ++ ++-a always,exit -F path=/usr/sbin/postqueue -F auid>=1000 -F auid!=unset -k privileged-postfix ++ ++The audit daemon must be restarted for the changes to take effect.Verify the operating system generates audit records when successful/unsuccessful attempts to use the "postqueue" command occur. ++ ++Check that the following system call is being audited by performing the following command to check the file system rules in "/etc/audit/audit.rules": ++ ++# grep -iw /usr/sbin/postqueue /etc/audit/audit.rules ++ ++-a always,exit -F path=/usr/sbin/postqueue -F auid>=1000 -F auid!=unset -k privileged-postfix ++ ++If the command does not return any output, this is a finding.SRG-OS-000042-GPOS-00020<GroupDescription></GroupDescription>RHEL-07-030780The Red Hat Enterprise Linux operating system must audit all uses of the ssh-keysign command.<VulnDiscussion>Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. ++ ++At a minimum, the organization must audit the full-text recording of privileged ssh commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise. ++ ++When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way. ++ ++Satisfies: SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000471-GPOS-00215</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72179SV-86803CCI-000135CCI-000172CCI-002884Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "ssh-keysign" command occur. ++ ++Add or update the following rule in "/etc/audit/rules.d/audit.rules": ++ ++-a always,exit -F path=/usr/libexec/openssh/ssh-keysign -F auid>=1000 -F auid!=unset -k privileged-ssh ++ ++The audit daemon must be restarted for the changes to take effect.Verify the operating system generates audit records when successful/unsuccessful attempts to use the "ssh-keysign" command occur. ++ ++Check that the following system call is being audited by performing the following command to check the file system rules in "/etc/audit/audit.rules": ++ ++# grep -iw /usr/libexec/openssh/ssh-keysign /etc/audit/audit.rules ++ ++-a always,exit -F path=/usr/libexec/openssh/ssh-keysign -F auid>=1000 -F auid!=unset -k privileged-ssh ++ ++If the command does not return any output, this is a finding.SRG-OS-000042-GPOS-00020<GroupDescription></GroupDescription>RHEL-07-030800The Red Hat Enterprise Linux operating system must audit all uses of the crontab command.<VulnDiscussion>Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. ++ ++At a minimum, the organization must audit the full-text recording of privileged commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise. ++ ++When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way. ++ ++Satisfies: SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000471-GPOS-00215</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72183SV-86807CCI-000172CCI-000135CCI-002884Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "crontab" command occur. ++ ++Add or update the following rule in "/etc/audit/rules.d/audit.rules": ++ ++-a always,exit -F path=/usr/bin/crontab -F auid>=1000 -F auid!=unset -k privileged-cron ++ ++The audit daemon must be restarted for the changes to take effect.Verify the operating system generates audit records when successful/unsuccessful attempts to use the "crontab" command occur. ++ ++Check that the following system call is being audited by performing the following command to check the file system rules in "/etc/audit/audit.rules": ++ ++# grep -iw /usr/bin/crontab /etc/audit/audit.rules ++ ++-a always,exit -F path=/usr/bin/crontab -F auid>=1000 -F auid!=unset -k privileged-cron ++ ++If the command does not return any output, this is a finding.SRG-OS-000471-GPOS-00215<GroupDescription></GroupDescription>RHEL-07-030810The Red Hat Enterprise Linux operating system must audit all uses of the pam_timestamp_check command.<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. ++ ++When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72185SV-86809CCI-000172Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "pam_timestamp_check" command occur. ++ ++Add or update the following rule in "/etc/audit/rules.d/audit.rules": ++ ++-a always,exit -F path=/usr/sbin/pam_timestamp_check -F auid>=1000 -F auid!=unset -k privileged-pam ++ ++The audit daemon must be restarted for the changes to take effect.Verify the operating system generates audit records when successful/unsuccessful attempts to use the "pam_timestamp_check" command occur. ++ ++Check the auditing rules in "/etc/audit/audit.rules" with the following command: ++ ++# grep -iw "/usr/sbin/pam_timestamp_check" /etc/audit/audit.rules ++ ++-a always,exit -F path=/usr/sbin/pam_timestamp_check -F auid>=1000 -F auid!=unset -k privileged-pam ++ ++If the command does not return any output, this is a finding.SRG-OS-000471-GPOS-00216<GroupDescription></GroupDescription>RHEL-07-030819The Red Hat Enterprise Linux operating system must audit all uses of the create_module syscall.<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. ++ ++Audit records can be generated from various components within the information system (e.g., module or policy filter). ++ ++Satisfies: SRG-OS-000471-GPOS-00216, SRG-OS-000477-GPOS-00222</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-78999SV-93705CCI-000172Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "create_module" syscall occur. ++ ++Add or update the following rules in "/etc/audit/rules.d/audit.rules": ++ ++-a always,exit -F arch=b32 -S create_module -k module-change ++ ++-a always,exit -F arch=b64 -S create_module -k module-change ++ ++The audit daemon must be restarted for the changes to take effect.Verify the operating system generates audit records when successful/unsuccessful attempts to use the "create_module" syscall occur. ++ ++Check the auditing rules in "/etc/audit/audit.rules" with the following command: ++ ++# grep -iw create_module /etc/audit/audit.rules ++ ++-a always,exit -F arch=b32 -S create_module -k module-change ++ ++-a always,exit -F arch=b64 -S create_module -k module-change ++ ++If both the "b32" and "b64" audit rules are not defined for the "create_module" syscall, this is a finding.SRG-OS-000471-GPOS-00216<GroupDescription></GroupDescription>RHEL-07-030820The Red Hat Enterprise Linux operating system must audit all uses of the init_module syscall.<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. ++ ++Audit records can be generated from various components within the information system (e.g., module or policy filter). ++ ++Satisfies: SRG-OS-000471-GPOS-00216, SRG-OS-000477-GPOS-00222</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72187SV-86811CCI-000172Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "init_module" syscall occur. ++ ++Add or update the following rules in "/etc/audit/rules.d/audit.rules": ++ ++-a always,exit -F arch=b32 -S init_module -k module-change ++ ++-a always,exit -F arch=b64 -S init_module -k module-change ++ ++The audit daemon must be restarted for the changes to take effect.Verify the operating system generates audit records when successful/unsuccessful attempts to use the "init_module" syscall occur. ++ ++Check the auditing rules in "/etc/audit/audit.rules" with the following command: ++ ++# grep -iw init_module /etc/audit/audit.rules ++ ++-a always,exit -F arch=b32 -S init_module -k module-change ++ ++-a always,exit -F arch=b64 -S init_module -k module-change ++ ++If both the "b32" and "b64" audit rules are not defined for the "init_module" syscall, this is a finding.SRG-OS-000471-GPOS-00216<GroupDescription></GroupDescription>RHEL-07-030821The Red Hat Enterprise Linux operating system must audit all uses of the finit_module syscall.<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. ++ ++Audit records can be generated from various components within the information system (e.g., module or policy filter). ++ ++Satisfies: SRG-OS-000471-GPOS-00216, SRG-OS-000477-GPOS-00222</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-79001SV-93707CCI-000172Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "finit_module" syscall occur. ++ ++Add or update the following rules in "/etc/audit/rules.d/audit.rules": ++ ++-a always,exit -F arch=b32 -S finit_module -k module-change ++ ++-a always,exit -F arch=b64 -S finit_module -k module-change ++ ++The audit daemon must be restarted for the changes to take effect.Verify the operating system generates audit records when successful/unsuccessful attempts to use the "finit_module" syscall occur. ++ ++Check the auditing rules in "/etc/audit/audit.rules" with the following command: ++ ++# grep -iw finit_module /etc/audit/audit.rules ++ ++-a always,exit -F arch=b32 -S finit_module -k module-change ++ ++-a always,exit -F arch=b64 -S finit_module -k module-change ++ ++If both the "b32" and "b64" audit rules are not defined for the "finit_module" syscall, this is a finding.SRG-OS-000471-GPOS-00216<GroupDescription></GroupDescription>RHEL-07-030830The Red Hat Enterprise Linux operating system must audit all uses of the delete_module syscall.<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. ++ ++Audit records can be generated from various components within the information system (e.g., module or policy filter). ++ ++Satisfies: SRG-OS-000471-GPOS-00216, SRG-OS-000477-GPOS-00222</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72189SV-86813CCI-000172Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "delete_module" syscall occur. ++ ++Add or update the following rules in "/etc/audit/rules.d/audit.rules": ++ ++-a always,exit -F arch=b32 -S delete_module -k module-change ++ ++-a always,exit -F arch=b64 -S delete_module -k module-change ++ ++The audit daemon must be restarted for the changes to take effect.Verify the operating system generates audit records when successful/unsuccessful attempts to use the "delete_module" syscall occur. ++ ++Check the auditing rules in "/etc/audit/audit.rules" with the following command: ++ ++# grep -iw delete_module /etc/audit/audit.rules ++ ++-a always,exit -F arch=b32 -S delete_module -k module-change ++ ++-a always,exit -F arch=b64 -S delete_module -k module-change ++ ++If both the "b32" and "b64" audit rules are not defined for the "delete_module" syscall, this is a finding.SRG-OS-000471-GPOS-00216<GroupDescription></GroupDescription>RHEL-07-030840The Red Hat Enterprise Linux operating system must audit all uses of the kmod command.<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. ++ ++Audit records can be generated from various components within the information system (e.g., module or policy filter). ++ ++When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way. ++ ++Satisfies: SRG-OS-000471-GPOS-00216, SRG-OS-000477-GPOS-00222</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86815V-72191CCI-000172Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "kmod" command occur. ++ ++Add or update the following rule in "/etc/audit/rules.d/audit.rules": ++ ++-w /usr/bin/kmod -p x -F auid!=unset -k module-change ++ ++The audit daemon must be restarted for the changes to take effect.Verify the operating system generates audit records when successful/unsuccessful attempts to use the "kmod" command occur. ++ ++Check the auditing rules in "/etc/audit/audit.rules" with the following command: ++ ++# grep -iw kmod /etc/audit/audit.rules ++ ++-w /usr/bin/kmod -p x -F auid!=unset -k module-change ++ ++If the command does not return any output, this is a finding.SRG-OS-000004-GPOS-00004<GroupDescription></GroupDescription>RHEL-07-030870The Red Hat Enterprise Linux operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/passwd.<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. ++ ++Audit records can be generated from various components within the information system (e.g., module or policy filter). ++ ++Satisfies: SRG-OS-000004-GPOS-00004, SRG-OS-000239-GPOS-00089, SRG-OS-000240-GPOS-00090, SRG-OS-000241-GPOS-00091, SRG-OS-000303-GPOS-00120, SRG-OS-000476-GPOS-00221</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86821V-72197CCI-000172CCI-000018CCI-002130CCI-001403Configure the operating system to generate audit records for all account creations, modifications, disabling, and termination events that affect "/etc/passwd". ++ ++Add or update the following rule "/etc/audit/rules.d/audit.rules": ++ ++-w /etc/passwd -p wa -k identity ++ ++The audit daemon must be restarted for the changes to take effect.Verify the operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect "/etc/passwd". ++ ++Check the auditing rules in "/etc/audit/audit.rules" with the following command: ++ ++# grep /etc/passwd /etc/audit/audit.rules ++ ++-w /etc/passwd -p wa -k identity ++ ++If the command does not return a line, or the line is commented out, this is a finding.SRG-OS-000004-GPOS-00004<GroupDescription></GroupDescription>RHEL-07-030871The Red Hat Enterprise Linux operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/group.<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. ++ ++Audit records can be generated from various components within the information system (e.g., module or policy filter).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-87817V-73165CCI-000018CCI-000172CCI-001403CCI-002130Configure the operating system to generate audit records for all account creations, modifications, disabling, and termination events that affect "/etc/group". ++ ++Add or update the following rule in "/etc/audit/rules.d/audit.rules": ++ ++-w /etc/group -p wa -k identity ++ ++The audit daemon must be restarted for the changes to take effect.Verify the operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect "/etc/group". ++ ++Check the auditing rules in "/etc/audit/audit.rules" with the following command: ++ ++# grep /etc/group /etc/audit/audit.rules ++ ++-w /etc/group -p wa -k identity ++ ++If the command does not return a line, or the line is commented out, this is a finding.SRG-OS-000004-GPOS-00004<GroupDescription></GroupDescription>RHEL-07-030872The Red Hat Enterprise Linux operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/gshadow.<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. ++ ++Audit records can be generated from various components within the information system (e.g., module or policy filter).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-87819V-73167CCI-000172CCI-000018CCI-002130CCI-001403Configure the operating system to generate audit records for all account creations, modifications, disabling, and termination events that affect "/etc/gshadow". ++ ++Add or update the following rule in "/etc/audit/rules.d/audit.rules": ++ ++-w /etc/gshadow -p wa -k identity ++ ++The audit daemon must be restarted for the changes to take effect.Verify the operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect "/etc/gshadow". ++ ++Check the auditing rules in "/etc/audit/audit.rules" with the following command: ++ ++# grep /etc/gshadow /etc/audit/audit.rules ++ ++-w /etc/gshadow -p wa -k identity ++ ++If the command does not return a line, or the line is commented out, this is a finding.SRG-OS-000004-GPOS-00004<GroupDescription></GroupDescription>RHEL-07-030873The Red Hat Enterprise Linux operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/shadow.<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. ++ ++Audit records can be generated from various components within the information system (e.g., module or policy filter).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-87823V-73171CCI-000018CCI-000172CCI-001403CCI-002130Configure the operating system to generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/shadow. ++ ++Add or update the following file system rule in "/etc/audit/rules.d/audit.rules": ++ ++-w /etc/shadow -p wa -k identity ++ ++The audit daemon must be restarted for the changes to take effect.Verify the operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/shadow. ++ ++Check the auditing rules in "/etc/audit/audit.rules" with the following command: ++ ++# grep /etc/shadow /etc/audit/audit.rules ++ ++-w /etc/shadow -p wa -k identity ++ ++If the command does not return a line, or the line is commented out, this is a finding.SRG-OS-000004-GPOS-00004<GroupDescription></GroupDescription>RHEL-07-030874The Red Hat Enterprise Linux operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/opasswd.<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. ++ ++Audit records can be generated from various components within the information system (e.g., module or policy filter).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-87825V-73173CCI-000018CCI-000172CCI-002130CCI-001403Configure the operating system to generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/opasswd. ++ ++Add or update the following file system rule in "/etc/audit/rules.d/audit.rules": ++ ++-w /etc/security/opasswd -p wa -k identity ++ ++The audit daemon must be restarted for the changes to take effect: ++# systemctl restart auditdVerify the operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/opasswd. ++ ++Check the auditing rules in "/etc/audit/audit.rules" with the following command: ++ ++# grep /etc/security/opasswd /etc/audit/audit.rules ++ ++-w /etc/security/opasswd -p wa -k identity ++ ++If the command does not return a line, or the line is commented out, this is a finding.SRG-OS-000466-GPOS-00210<GroupDescription></GroupDescription>RHEL-07-030880The Red Hat Enterprise Linux operating system must audit all uses of the rename syscall.<VulnDiscussion>If the system is not configured to audit certain activities and write them to an audit log, it is more difficult to detect and track system compromises and damages incurred during a system compromise. ++ ++When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way. ++ ++Satisfies: SRG-OS-000466-GPOS-00210, SRG-OS-000467-GPOS-00211, SRG-OS-000468-GPOS-00212, SRG-OS-000392-GPOS-00172</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86823V-72199CCI-000172CCI-002884Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "rename" syscall occur. ++ ++Add the following rules in "/etc/audit/rules.d/audit.rules": ++ ++-a always,exit -F arch=b32 -S rename -F auid>=1000 -F auid!=unset -k delete ++ ++-a always,exit -F arch=b64 -S rename -F auid>=1000 -F auid!=unset -k delete ++ ++The audit daemon must be restarted for the changes to take effect.Verify the operating system generates audit records when successful/unsuccessful attempts to use the "rename" syscall occur. ++ ++Check the file system rules in "/etc/audit/audit.rules" with the following commands: ++ ++# grep -iw rename /etc/audit/audit.rules ++ ++-a always,exit -F arch=b32 -S rename -F auid>=1000 -F auid!=unset -k delete ++ ++-a always,exit -F arch=b64 -S rename -F auid>=1000 -F auid!=unset -k delete ++ ++If both the "b32" and "b64" audit rules are not defined for the "rename" syscall, this is a finding.SRG-OS-000466-GPOS-00210<GroupDescription></GroupDescription>RHEL-07-030890The Red Hat Enterprise Linux operating system must audit all uses of the renameat syscall.<VulnDiscussion>If the system is not configured to audit certain activities and write them to an audit log, it is more difficult to detect and track system compromises and damages incurred during a system compromise. ++ ++When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way. ++ ++Satisfies: SRG-OS-000466-GPOS-00210, SRG-OS-000467-GPOS-00211, SRG-OS-000468-GPOS-00212, SRG-OS-000392-GPOS-00172</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86825V-72201CCI-000172CCI-002884Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "renameat" syscall occur. ++ ++Add the following rules in "/etc/audit/rules.d/audit.rules": ++ ++-a always,exit -F arch=b32 -S renameat -F auid>=1000 -F auid!=unset -k delete ++ ++-a always,exit -F arch=b64 -S renameat -F auid>=1000 -F auid!=unset -k delete ++ ++The audit daemon must be restarted for the changes to take effect.Verify the operating system generates audit records when successful/unsuccessful attempts to use the "renameat" syscall occur. ++ ++Check the file system rules in "/etc/audit/audit.rules" with the following commands: ++ ++# grep -iw renameat /etc/audit/audit.rules ++ ++-a always,exit -F arch=b32 -S renameat -F auid>=1000 -F auid!=unset -k delete ++ ++-a always,exit -F arch=b64 -S renameat -F auid>=1000 -F auid!=unset -k delete ++ ++If both the "b32" and "b64" audit rules are not defined for the "renameat" syscall, this is a finding.SRG-OS-000466-GPOS-00210<GroupDescription></GroupDescription>RHEL-07-030900The Red Hat Enterprise Linux operating system must audit all uses of the rmdir syscall.<VulnDiscussion>If the system is not configured to audit certain activities and write them to an audit log, it is more difficult to detect and track system compromises and damages incurred during a system compromise. ++ ++When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way. ++ ++Satisfies: SRG-OS-000466-GPOS-00210, SRG-OS-000467-GPOS-00211, SRG-OS-000468-GPOS-00212, SRG-OS-000392-GPOS-00172</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72203SV-86827CCI-000172CCI-002884Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "rmdir" syscall occur. ++ ++Add the following rules in "/etc/audit/rules.d/audit.rules": ++ ++-a always,exit -F arch=b32 -S rmdir -F auid>=1000 -F auid!=unset -k delete ++ ++-a always,exit -F arch=b64 -S rmdir -F auid>=1000 -F auid!=unset -k delete ++ ++The audit daemon must be restarted for the changes to take effect.Verify the operating system generates audit records when successful/unsuccessful attempts to use the "rmdir" syscall occur. ++ ++Check the file system rules in "/etc/audit/audit.rules" with the following commands: ++ ++# grep -iw rmdir /etc/audit/audit.rules ++ ++-a always,exit -F arch=b32 -S rmdir -F auid>=1000 -F auid!=unset -k delete ++ ++-a always,exit -F arch=b64 -S rmdir -F auid>=1000 -F auid!=unset -k delete ++ ++If both the "b32" and "b64" audit rules are not defined for the "rmdir" syscall, this is a finding.SRG-OS-000466-GPOS-00210<GroupDescription></GroupDescription>RHEL-07-030910The Red Hat Enterprise Linux operating system must audit all uses of the unlink syscall.<VulnDiscussion>If the system is not configured to audit certain activities and write them to an audit log, it is more difficult to detect and track system compromises and damages incurred during a system compromise. ++ ++When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way. ++ ++Satisfies: SRG-OS-000466-GPOS-00210, SRG-OS-000467-GPOS-00211, SRG-OS-000468-GPOS-00212, SRG-OS-000392-GPOS-00172</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72205SV-86829CCI-000172CCI-002884Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "unlink" syscall occur. ++ ++Add the following rules in "/etc/audit/rules.d/audit.rules": ++ ++-a always,exit -F arch=b32 -S unlink -F auid>=1000 -F auid!=unset -k delete ++ ++-a always,exit -F arch=b64 -S unlink -F auid>=1000 -F auid!=unset -k delete ++ ++The audit daemon must be restarted for the changes to take effect.Verify the operating system generates audit records when successful/unsuccessful attempts to use the "unlink" syscall occur. ++ ++Check the file system rules in "/etc/audit/audit.rules" with the following commands: ++ ++# grep -iw unlink /etc/audit/audit.rules ++ ++-a always,exit -F arch=b32 -S unlink -F auid>=1000 -F auid!=unset -k delete ++ ++-a always,exit -F arch=b64 -S unlink -F auid>=1000 -F auid!=unset -k delete ++ ++If both the "b32" and "b64" audit rules are not defined for the "unlink" syscall, this is a finding.SRG-OS-000466-GPOS-00210<GroupDescription></GroupDescription>RHEL-07-030920The Red Hat Enterprise Linux operating system must audit all uses of the unlinkat syscall.<VulnDiscussion>If the system is not configured to audit certain activities and write them to an audit log, it is more difficult to detect and track system compromises and damages incurred during a system compromise. ++ ++When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way. ++ ++Satisfies: SRG-OS-000466-GPOS-00210, SRG-OS-000467-GPOS-00211, SRG-OS-000468-GPOS-00212, SRG-OS-000392-GPOS-00172</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72207SV-86831CCI-000172CCI-002884Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "unlinkat" syscall occur. ++ ++Add the following rules in "/etc/audit/rules.d/audit.rules": ++ ++-a always,exit -F arch=b32 -S unlinkat -F auid>=1000 -F auid!=unset -k delete ++ ++-a always,exit -F arch=b64 -S unlinkat -F auid>=1000 -F auid!=unset -k delete ++ ++The audit daemon must be restarted for the changes to take effect.Verify the operating system generates audit records when successful/unsuccessful attempts to use the "unlinkat" syscall occur. ++ ++Check the file system rules in "/etc/audit/audit.rules" with the following commands: ++ ++# grep -iw unlinkat /etc/audit/audit.rules ++ ++-a always,exit -F arch=b32 -S unlinkat -F auid>=1000 -F auid!=unset -k delete ++ ++-a always,exit -F arch=b64 -S unlinkat -F auid>=1000 -F auid!=unset -k delete ++ ++If both the "b32" and "b64" audit rules are not defined for the "unlinkat" syscall, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-031000The Red Hat Enterprise Linux operating system must send rsyslog output to a log aggregation server.<VulnDiscussion>Sending rsyslog output to another system ensures that the logs cannot be removed or modified in the event that the system is compromised or has a hardware failure.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86833V-72209CCI-000366Modify the "/etc/rsyslog.conf" or an "/etc/rsyslog.d/*.conf" file to contain a configuration line to send all "rsyslog" output to a log aggregation system: ++*.* @@<log aggregation system name>Verify "rsyslog" is configured to send all messages to a log aggregation server. ++ ++Check the configuration of "rsyslog" with the following command: ++ ++Note: If another logging package is used, substitute the utility configuration file for "/etc/rsyslog.conf". ++ ++# grep @ /etc/rsyslog.conf /etc/rsyslog.d/*.conf ++*.* @@logagg.site.mil ++ ++If there are no lines in the "/etc/rsyslog.conf" or "/etc/rsyslog.d/*.conf" files that contain the "@" or "@@" symbol(s), and the lines with the correct symbol(s) to send output to another system do not cover all "rsyslog" output, ask the System Administrator to indicate how the audit logs are off-loaded to a different system or media. ++ ++If the lines are commented out or there is no evidence that the audit logs are being sent to another system, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-031010The Red Hat Enterprise Linux operating system must be configured so that the rsyslog daemon does not accept log messages from other servers unless the server is being used for log aggregation.<VulnDiscussion>Unintentionally running a rsyslog server accepting remote messages puts the system at increased risk. Malicious rsyslog messages sent to the server could exploit vulnerabilities in the server software itself, could introduce misleading information in to the system's logs, or could fill the system's storage leading to a Denial of Service. ++ ++If the system is intended to be a log aggregation server its use must be documented with the ISSO.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86835V-72211CCI-000318CCI-001812CCI-001813CCI-001814CCI-000368Modify the "/etc/rsyslog.conf" file to remove the "ModLoad imtcp", "ModLoad imudp", and "ModLoad imrelp" configuration lines, or document the system as being used for log aggregation.Verify that the system is not accepting "rsyslog" messages from other systems unless it is documented as a log aggregation server. ++ ++Check the configuration of "rsyslog" with the following command: ++ ++# grep imtcp /etc/rsyslog.conf ++$ModLoad imtcp ++# grep imudp /etc/rsyslog.conf ++$ModLoad imudp ++# grep imrelp /etc/rsyslog.conf ++$ModLoad imrelp ++ ++If any of the above modules are being loaded in the "/etc/rsyslog.conf" file, ask to see the documentation for the system being used for log aggregation. ++ ++If the documentation does not exist, or does not specify the server as a log aggregation system, this is a finding.SRG-OS-000027-GPOS-00008<GroupDescription></GroupDescription>RHEL-07-040000The Red Hat Enterprise Linux operating system must limit the number of concurrent sessions to 10 for all accounts and/or account types.<VulnDiscussion>Operating system management includes the ability to control the number of users and user sessions that utilize an operating system. Limiting the number of allowed users and sessions per user is helpful in reducing the risks related to DoS attacks. ++ ++This requirement addresses concurrent sessions for information system accounts and does not address concurrent sessions by single users via multiple system accounts. The maximum number of concurrent sessions should be defined based on mission needs and the operational environment for each system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72217SV-86841CCI-000054Configure the operating system to limit the number of concurrent sessions to "10" for all accounts and/or account types. ++ ++Add the following line to the top of the /etc/security/limits.conf or in a ".conf" file defined in /etc/security/limits.d/ : ++ ++* hard maxlogins 10Verify the operating system limits the number of concurrent sessions to "10" for all accounts and/or account types by issuing the following command: ++ ++# grep "maxlogins" /etc/security/limits.conf /etc/security/limits.d/*.conf ++ ++* hard maxlogins 10 ++ ++This can be set as a global domain (with the * wildcard) but may be set differently for multiple domains. ++ ++If the "maxlogins" item is missing, commented out, or the value is not set to "10" or less for all domains that have the "maxlogins" item assigned, this is a finding.SRG-OS-000096-GPOS-00050<GroupDescription></GroupDescription>RHEL-07-040100The Red Hat Enterprise Linux operating system must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the Ports, Protocols, and Services Management Component Local Service Assessment (PPSM CLSA) and vulnerability assessments.<VulnDiscussion>In order to prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling (i.e., embedding of data types within data types), organizations must disable or restrict unused or unnecessary physical and logical ports/protocols on information systems. ++ ++Operating systems are capable of providing a wide variety of functions and services. Some of the functions and services provided by default may not be necessary to support essential organizational operations. Additionally, it is sometimes convenient to provide multiple services from a single component (e.g., VPN and IPS); however, doing so increases risk over limiting the services provided by any one component. ++ ++To support the requirements and principles of least functionality, the operating system must support the organizational requirements, providing only essential capabilities and limiting the use of ports, protocols, and/or services to only those required, authorized, and approved to conduct official business or to address authorized quality of life issues. ++ ++Satisfies: SRG-OS-000096-GPOS-00050, SRG-OS-000297-GPOS-00115</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72219SV-86843CCI-000382CCI-002314Update the host's firewall settings and/or running services to comply with the PPSM CLSA for the site or program and the PPSM CAL.Inspect the firewall configuration and running services to verify that it is configured to prohibit or restrict the use of functions, ports, protocols, and/or services that are unnecessary or prohibited. ++ ++Check which services are currently active with the following command: ++ ++# firewall-cmd --list-all ++public (default, active) ++ interfaces: enp0s3 ++ sources: ++ services: dhcpv6-client dns http https ldaps rpc-bind ssh ++ ports: ++ masquerade: no ++ forward-ports: ++ icmp-blocks: ++ rich rules: ++ ++Ask the System Administrator for the site or program PPSM CLSA. Verify the services allowed by the firewall match the PPSM CLSA. ++ ++If there are additional ports, protocols, or services that are not in the PPSM CLSA, or there are ports, protocols, or services that are prohibited by the PPSM Category Assurance List (CAL), this is a finding.SRG-OS-000033-GPOS-00014<GroupDescription></GroupDescription>RHEL-07-040110The Red Hat Enterprise Linux operating system must use a FIPS 140-2 approved cryptographic algorithm for SSH communications.<VulnDiscussion>Unapproved mechanisms that are used for authentication to the cryptographic module are not verified and therefore cannot be relied upon to provide confidentiality or integrity, and DoD data may be compromised. ++ ++Operating systems utilizing encryption are required to use FIPS-compliant mechanisms for authenticating to cryptographic modules. ++ ++FIPS 140-2 is the current standard for validating that mechanisms used to access cryptographic modules utilize authentication that meets DoD requirements. This allows for Security Levels 1, 2, 3, or 4 for use on a general purpose computing system. ++ ++Satisfies: SRG-OS-000033-GPOS-00014, SRG-OS-000120-GPOS-00061, SRG-OS-000125-GPOS-00065, SRG-OS-000250-GPOS-00093, SRG-OS-000393-GPOS-00173</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86845V-72221CCI-000366CCI-000803CCI-000068Configure SSH to use FIPS 140-2 approved cryptographic algorithms. ++ ++Add the following line (or modify the line to have the required value) to the "/etc/ssh/sshd_config" file (this file may be named differently or be in a different location if using a version of SSH that is provided by a third-party vendor). ++ ++Ciphers aes128-ctr,aes192-ctr,aes256-ctr ++ ++The SSH service must be restarted for changes to take effect.Verify the operating system uses mechanisms meeting the requirements of applicable federal laws, Executive orders, directives, policies, regulations, standards, and guidance for authentication to a cryptographic module. ++ ++Note: If RHEL-07-021350 is a finding, this is automatically a finding as the system cannot implement FIPS 140-2-approved cryptographic algorithms and hashes. ++ ++The location of the "sshd_config" file may vary if a different daemon is in use. ++ ++Inspect the "Ciphers" configuration with the following command: ++ ++# grep -i ciphers /etc/ssh/sshd_config ++Ciphers aes128-ctr,aes192-ctr,aes256-ctr ++ ++If any ciphers other than "aes128-ctr", "aes192-ctr", or "aes256-ctr" are listed, the "Ciphers" keyword is missing, or the returned line is commented out, this is a finding.SRG-OS-000163-GPOS-00072<GroupDescription></GroupDescription>RHEL-07-040160The Red Hat Enterprise Linux operating system must be configured so that all network connections associated with a communication session are terminated at the end of the session or after 15 minutes of inactivity from the user at a command prompt, except to fulfill documented and validated mission requirements.<VulnDiscussion>Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. In addition, quickly terminating an idle session will also free up resources committed by the managed network element. ++ ++Terminating network connections associated with communications sessions includes, for example, de-allocating associated TCP/IP address/port pairs at the operating system level and de-allocating networking assignments at the application level if multiple application sessions are using a single operating system-level network connection. This does not mean that the operating system terminates all sessions or network access; it only ends the inactive session and releases the resources associated with that session. ++ ++Satisfies: SRG-OS-000029-GPOS-00010, SRG-OS-000163-GPOS-00072</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72223SV-86847CCI-001133CCI-002361Configure the operating system to terminate all network connections associated with a communications session at the end of the session or after a period of inactivity. ++ ++Create a script to enforce the inactivity timeout (for example /etc/profile.d/tmout.sh) such as: ++ ++#!/bin/bash ++ ++TMOUT=900 ++readonly TMOUT ++export TMOUTVerify the operating system terminates all network connections associated with a communications session at the end of the session or based on inactivity. ++ ++Check the value of the system inactivity timeout with the following command: ++ ++# grep -i tmout /etc/profile.d/* ++ ++etc/profile.d/tmout.sh:TMOUT=900 ++ ++/etc/profile.d/tmout.sh:readonly TMOUT ++ ++/etc/profile.d/tmout.sh:export TMOUT ++ ++If "TMOUT" is not set to "900" or less in a script located in the /etc/profile.d/ directory to enforce session termination after inactivity, this is a finding.SRG-OS-000023-GPOS-00006<GroupDescription></GroupDescription>RHEL-07-040170The Red Hat Enterprise Linux operating system must display the Standard Mandatory DoD Notice and Consent Banner immediately prior to, or as part of, remote access logon prompts.<VulnDiscussion>Display of a standardized and approved use notification before granting access to the publicly accessible operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. ++ ++System use notifications are required only for access via logon interfaces with human users and are not required when such human interfaces do not exist. ++ ++The banner must be formatted in accordance with applicable DoD policy. Use the following verbiage for operating systems that can accommodate banners of 1300 characters: ++ ++"You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. ++ ++By using this IS (which includes any device attached to this IS), you consent to the following conditions: ++ ++-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. ++ ++-At any time, the USG may inspect and seize data stored on this IS. ++ ++-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. ++ ++-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. ++ ++-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details." ++ ++Satisfies: SRG-OS-000023-GPOS-00006, SRG-OS-000024-GPOS-00007 , SRG-OS-000228-GPOS-00088</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86849V-72225CCI-000048CCI-000050CCI-001384CCI-001385CCI-001386CCI-001387CCI-001388Configure the operating system to display the Standard Mandatory DoD Notice and Consent Banner before granting access to the system via the ssh. ++ ++Edit the "/etc/ssh/sshd_config" file to uncomment the banner keyword and configure it to point to a file that will contain the logon banner (this file may be named differently or be in a different location if using a version of SSH that is provided by a third-party vendor). An example configuration line is: ++ ++banner /etc/issue ++ ++Either create the file containing the banner or replace the text in the file with the Standard Mandatory DoD Notice and Consent Banner. The DoD required text is: ++ ++"You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. ++ ++By using this IS (which includes any device attached to this IS), you consent to the following conditions: ++ ++-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. ++ ++-At any time, the USG may inspect and seize data stored on this IS. ++ ++-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. ++ ++-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. ++ ++-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details." ++ ++The SSH service must be restarted for changes to take effect.Verify any publicly accessible connection to the operating system displays the Standard Mandatory DoD Notice and Consent Banner before granting access to the system. ++ ++Check for the location of the banner file being used with the following command: ++ ++# grep -i banner /etc/ssh/sshd_config ++ ++banner /etc/issue ++ ++This command will return the banner keyword and the name of the file that contains the ssh banner (in this case "/etc/issue"). ++ ++If the line is commented out, this is a finding. ++ ++View the file specified by the banner keyword to check that it matches the text of the Standard Mandatory DoD Notice and Consent Banner: ++ ++"You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. ++ ++By using this IS (which includes any device attached to this IS), you consent to the following conditions: ++ ++-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. ++ ++-At any time, the USG may inspect and seize data stored on this IS. ++ ++-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. ++ ++-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. ++ ++-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details." ++ ++If the system does not display a graphical logon banner or the banner does not match the Standard Mandatory DoD Notice and Consent Banner, this is a finding. ++ ++If the text in the file does not match the Standard Mandatory DoD Notice and Consent Banner, this is a finding.SRG-OS-000250-GPOS-00093<GroupDescription></GroupDescription>RHEL-07-040180The Red Hat Enterprise Linux operating system must implement cryptography to protect the integrity of Lightweight Directory Access Protocol (LDAP) authentication communications.<VulnDiscussion>Without cryptographic integrity protections, information can be altered by unauthorized users without detection. ++ ++Cryptographic mechanisms used for protecting the integrity of information include, for example, signed hash functions using asymmetric cryptography enabling distribution of the public key to verify the hash information while maintaining the confidentiality of the key used to generate the hash.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72227SV-86851CCI-001453Configure the operating system to implement cryptography to protect the integrity of LDAP authentication sessions. ++ ++Add or modify the following line in "/etc/sssd/sssd.conf": ++ ++ldap_id_use_start_tls = trueIf LDAP is not being utilized, this requirement is Not Applicable. ++ ++Verify the operating system implements cryptography to protect the integrity of remote LDAP authentication sessions. ++ ++To determine if LDAP is being used for authentication, use the following command: ++ ++# systemctl status sssd.service ++sssd.service - System Security Services Daemon ++Loaded: loaded (/usr/lib/systemd/system/sssd.service; enabled; vendor preset: disabled) ++Active: active (running) since Wed 2018-06-27 10:58:11 EST; 1h 50min ago ++ ++If the "sssd.service" is "active", then LDAP is being used. ++ ++Determine the "id_provider" the LDAP is currently using: ++ ++# grep -i "id_provider" /etc/sssd/sssd.conf ++ ++id_provider = ad ++ ++If "id_provider" is set to "ad", this is Not Applicable. ++ ++Ensure that LDAP is configured to use TLS by using the following command: ++ ++# grep -i "start_tls" /etc/sssd/sssd.conf ++ldap_id_use_start_tls = true ++ ++If the "ldap_id_use_start_tls" option is not "true", this is a finding.SRG-OS-000250-GPOS-00093<GroupDescription></GroupDescription>RHEL-07-040190The Red Hat Enterprise Linux operating system must implement cryptography to protect the integrity of Lightweight Directory Access Protocol (LDAP) communications.<VulnDiscussion>Without cryptographic integrity protections, information can be altered by unauthorized users without detection. ++ ++Cryptographic mechanisms used for protecting the integrity of information include, for example, signed hash functions using asymmetric cryptography enabling distribution of the public key to verify the hash information while maintaining the confidentiality of the key used to generate the hash.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72229SV-86853CCI-001453Configure the operating system to implement cryptography to protect the integrity of LDAP remote access sessions. ++ ++Add or modify the following line in "/etc/sssd/sssd.conf": ++ ++ldap_tls_reqcert = demandIf LDAP is not being utilized, this requirement is Not Applicable. ++ ++Verify the operating system implements cryptography to protect the integrity of remote LDAP access sessions. ++ ++To determine if LDAP is being used for authentication, use the following command: ++ ++# systemctl status sssd.service ++sssd.service - System Security Services Daemon ++Loaded: loaded (/usr/lib/systemd/system/sssd.service; enabled; vendor preset: disabled) ++Active: active (running) since Wed 2018-06-27 10:58:11 EST; 1h 50min ago ++ ++If the "sssd.service" is "active", then LDAP is being used. ++ ++Determine the "id_provider" the LDAP is currently using: ++ ++# grep -i "id_provider" /etc/sssd/sssd.conf ++ ++id_provider = ad ++ ++If "id_provider" is set to "ad", this is Not Applicable. ++ ++Verify the sssd service is configured to require the use of certificates: ++ ++# grep -i tls_reqcert /etc/sssd/sssd.conf ++ldap_tls_reqcert = demand ++ ++If the "ldap_tls_reqcert" setting is missing, commented out, or does not exist, this is a finding. ++ ++If the "ldap_tls_reqcert" setting is not set to "demand" or "hard", this is a finding.SRG-OS-000250-GPOS-00093<GroupDescription></GroupDescription>RHEL-07-040200The Red Hat Enterprise Linux operating system must implement cryptography to protect the integrity of Lightweight Directory Access Protocol (LDAP) communications.<VulnDiscussion>Without cryptographic integrity protections, information can be altered by unauthorized users without detection. ++ ++Cryptographic mechanisms used for protecting the integrity of information include, for example, signed hash functions using asymmetric cryptography enabling distribution of the public key to verify the hash information while maintaining the confidentiality of the key used to generate the hash.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86855V-72231CCI-001453Configure the operating system to implement cryptography to protect the integrity of LDAP remote access sessions. ++ ++Add or modify the following line in "/etc/sssd/sssd.conf": ++ ++ldap_tls_cacert = /etc/pki/tls/certs/ca-bundle.crtIf LDAP is not being utilized, this requirement is Not Applicable. ++ ++Verify the operating system implements cryptography to protect the integrity of remote LDAP access sessions. ++ ++To determine if LDAP is being used for authentication, use the following command: ++ ++# systemctl status sssd.service ++sssd.service - System Security Services Daemon ++Loaded: loaded (/usr/lib/systemd/system/sssd.service; enabled; vendor preset: disabled) ++Active: active (running) since Wed 2018-06-27 10:58:11 EST; 1h 50min ago ++ ++If the "sssd.service" is "active", then LDAP is being used. ++ ++Determine the "id_provider" that the LDAP is currently using: ++ ++# grep -i "id_provider" /etc/sssd/sssd.conf ++ ++id_provider = ad ++ ++If "id_provider" is set to "ad", this is Not Applicable. ++ ++Check the path to the X.509 certificate for peer authentication with the following command: ++ ++# grep -i tls_cacert /etc/sssd/sssd.conf ++ ++ldap_tls_cacert = /etc/pki/tls/certs/ca-bundle.crt ++ ++Verify the "ldap_tls_cacert" option points to a file that contains the trusted CA certificate. ++ ++If this file does not exist, or the option is commented out or missing, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-040201The Red Hat Enterprise Linux operating system must implement virtual address space randomization.<VulnDiscussion>Address space layout randomization (ASLR) makes it more difficult for an attacker to predict the location of attack code he or she has introduced into a process's address space during an attempt at exploitation. Additionally, ASLR also makes it more difficult for an attacker to know the location of existing code in order to repurpose it using return-oriented programming (ROP) techniques.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-92521V-77825CCI-000366Configure the operating system implement virtual address space randomization. ++ ++Set the system to the required kernel parameter by adding the following line to "/etc/sysctl.conf" or a config file in the /etc/sysctl.d/ directory (or modify the line to have the required value): ++ ++kernel.randomize_va_space = 2 ++ ++Issue the following command to make the changes take effect: ++ ++# sysctl --systemVerify the operating system implements virtual address space randomization. ++ ++# grep kernel.randomize_va_space /etc/sysctl.conf /etc/sysctl.d/* ++ ++kernel.randomize_va_space = 2 ++ ++If "kernel.randomize_va_space" is not configured in the /etc/sysctl.conf file or in the /etc/sysctl.d/ directory, is commented out or does not have a value of "2", this is a finding. ++ ++Check that the operating system implements virtual address space randomization with the following command: ++ ++# /sbin/sysctl -a | grep kernel.randomize_va_space ++ ++kernel.randomize_va_space = 2 ++ ++If "kernel.randomize_va_space" does not have a value of "2", this is a finding.SRG-OS-000423-GPOS-00187<GroupDescription></GroupDescription>RHEL-07-040300The Red Hat Enterprise Linux operating system must be configured so that all networked systems have SSH installed.<VulnDiscussion>Without protection of the transmitted information, confidentiality and integrity may be compromised because unprotected communications can be intercepted and either read or altered. ++ ++This requirement applies to both internal and external networks and all types of information system components from which information can be transmitted (e.g., servers, mobile devices, notebook computers, printers, copiers, scanners, and facsimile machines). Communication paths outside the physical protection of a controlled boundary are exposed to the possibility of interception and modification. ++ ++Protecting the confidentiality and integrity of organizational information can be accomplished by physical means (e.g., employing physical distribution systems) or by logical means (e.g., employing cryptographic techniques). If physical means of protection are employed, logical means (cryptography) do not have to be employed, and vice versa. ++ ++Satisfies: SRG-OS-000423-GPOS-00187, SRG-OS-000424-GPOS-00188, SRG-OS-000425-GPOS-00189, SRG-OS-000426-GPOS-00190</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86857V-72233CCI-002418CCI-002420CCI-002421CCI-002422Install SSH packages onto the host with the following commands: ++ ++# yum install openssh-server.x86_64Check to see if sshd is installed with the following command: ++ ++# yum list installed \*ssh\* ++libssh2.x86_64 1.4.3-8.el7 @anaconda/7.1 ++openssh.x86_64 6.6.1p1-11.el7 @anaconda/7.1 ++openssh-server.x86_64 6.6.1p1-11.el7 @anaconda/7.1 ++ ++If the "SSH server" package is not installed, this is a finding.SRG-OS-000423-GPOS-00187<GroupDescription></GroupDescription>RHEL-07-040310The Red Hat Enterprise Linux operating system must be configured so that all networked systems use SSH for confidentiality and integrity of transmitted and received information as well as information during preparation for transmission.<VulnDiscussion>Without protection of the transmitted information, confidentiality and integrity may be compromised because unprotected communications can be intercepted and either read or altered. ++ ++This requirement applies to both internal and external networks and all types of information system components from which information can be transmitted (e.g., servers, mobile devices, notebook computers, printers, copiers, scanners, and facsimile machines). Communication paths outside the physical protection of a controlled boundary are exposed to the possibility of interception and modification. ++ ++Protecting the confidentiality and integrity of organizational information can be accomplished by physical means (e.g., employing physical distribution systems) or by logical means (e.g., employing cryptographic techniques). If physical means of protection are employed, then logical means (cryptography) do not have to be employed, and vice versa. ++ ++Satisfies: SRG-OS-000423-GPOS-00187, SRG-OS-000423-GPOS-00188, SRG-OS-000423-GPOS-00189, SRG-OS-000423-GPOS-00190</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86859V-72235CCI-002421CCI-002422CCI-002418CCI-002420Configure the SSH service to automatically start after reboot with the following command: ++ ++# systemctl enable sshd.serviceVerify SSH is loaded and active with the following command: ++ ++# systemctl status sshd ++sshd.service - OpenSSH server daemon ++Loaded: loaded (/usr/lib/systemd/system/sshd.service; enabled) ++Active: active (running) since Tue 2015-11-17 15:17:22 EST; 4 weeks 0 days ago ++Main PID: 1348 (sshd) ++CGroup: /system.slice/sshd.service ++1053 /usr/sbin/sshd -D ++ ++If "sshd" does not show a status of "active" and "running", this is a finding.SRG-OS-000163-GPOS-00072<GroupDescription></GroupDescription>RHEL-07-040320The Red Hat Enterprise Linux operating system must be configured so that all network connections associated with SSH traffic are terminated at the end of the session or after 10 minutes of inactivity, except to fulfill documented and validated mission requirements.<VulnDiscussion>Terminating an idle SSH session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. In addition, quickly terminating an idle SSH session will also free up resources committed by the managed network element. ++ ++Terminating network connections associated with communications sessions includes, for example, de-allocating associated TCP/IP address/port pairs at the operating system level and de-allocating networking assignments at the application level if multiple application sessions are using a single operating system-level network connection. This does not mean that the operating system terminates all sessions or network access; it only ends the inactive session and releases the resources associated with that session. ++ ++Satisfies: SRG-OS-000163-GPOS-00072, SRG-OS-000279-GPOS-00109</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86861V-72237CCI-001133CCI-002361Configure the operating system to automatically terminate a user session after inactivity time-outs have expired or at shutdown. ++ ++Add the following line (or modify the line to have the required value) to the "/etc/ssh/sshd_config" file (this file may be named differently or be in a different location if using a version of SSH that is provided by a third-party vendor): ++ ++ClientAliveInterval 600 ++ ++The SSH service must be restarted for changes to take effect.Verify the operating system automatically terminates a user session after inactivity time-outs have expired. ++ ++Check for the value of the "ClientAliveInterval" keyword with the following command: ++ ++# grep -iw clientaliveinterval /etc/ssh/sshd_config ++ ++ClientAliveInterval 600 ++ ++If "ClientAliveInterval" is not configured, commented out, or has a value of "0", this is a finding. ++ ++If "ClientAliveInterval" has a value that is greater than "600" and is not documented with the Information System Security Officer (ISSO) as an operational requirement, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-040330The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon does not allow authentication using RSA rhosts authentication.<VulnDiscussion>Configuring this setting for the SSH daemon provides additional assurance that remote logon via SSH will require a password, even in the event of misconfiguration elsewhere.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72239SV-86863CCI-000366Configure the SSH daemon to not allow authentication using RSA rhosts authentication. ++ ++Add the following line in "/etc/ssh/sshd_config", or uncomment the line and set the value to "no": ++ ++RhostsRSAAuthentication no ++ ++The SSH service must be restarted for changes to take effect.Check the version of the operating system with the following command: ++ ++# cat /etc/redhat-release ++ ++If the release is 7.4 or newer this requirement is Not Applicable. ++ ++Verify the SSH daemon does not allow authentication using RSA rhosts authentication. ++ ++To determine how the SSH daemon's "RhostsRSAAuthentication" option is set, run the following command: ++ ++# grep RhostsRSAAuthentication /etc/ssh/sshd_config ++RhostsRSAAuthentication no ++ ++If the value is returned as "yes", the returned line is commented out, or no output is returned, this is a finding.SRG-OS-000163-GPOS-00072<GroupDescription></GroupDescription>RHEL-07-040340The Red Hat Enterprise Linux operating system must be configured so that all network connections associated with SSH traffic terminate after a period of inactivity.<VulnDiscussion>Terminating an idle SSH session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. In addition, quickly terminating an idle SSH session will also free up resources committed by the managed network element. ++ ++Terminating network connections associated with communications sessions includes, for example, de-allocating associated TCP/IP address/port pairs at the operating system level and de-allocating networking assignments at the application level if multiple application sessions are using a single operating system-level network connection. This does not mean that the operating system terminates all sessions or network access; it only ends the inactive session and releases the resources associated with that session. ++ ++Satisfies: SRG-OS-000163-GPOS-00072, SRG-OS-000279-GPOS-00109</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86865V-72241CCI-001133CCI-002361Configure the operating system to terminate automatically a user session after inactivity time-outs have expired or at shutdown. ++ ++Add the following line (or modify the line to have the required value) to the "/etc/ssh/sshd_config" file (this file may be named differently or be in a different location if using a version of SSH that is provided by a third-party vendor): ++ ++ClientAliveCountMax 0 ++ ++The SSH service must be restarted for changes to take effect.Verify the operating system automatically terminates a user session after inactivity time-outs have expired. ++ ++Check for the value of the "ClientAliveCountMax" keyword with the following command: ++ ++# grep -i clientalivecount /etc/ssh/sshd_config ++ClientAliveCountMax 0 ++ ++If "ClientAliveCountMax" is not set to "0", this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-040350The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon does not allow authentication using rhosts authentication.<VulnDiscussion>Configuring this setting for the SSH daemon provides additional assurance that remote logon via SSH will require a password, even in the event of misconfiguration elsewhere.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72243SV-86867CCI-000366Configure the SSH daemon to not allow authentication using known hosts authentication. ++ ++Add the following line in "/etc/ssh/sshd_config", or uncomment the line and set the value to "yes": ++ ++IgnoreRhosts yesVerify the SSH daemon does not allow authentication using known hosts authentication. ++ ++To determine how the SSH daemon's "IgnoreRhosts" option is set, run the following command: ++ ++# grep -i IgnoreRhosts /etc/ssh/sshd_config ++ ++IgnoreRhosts yes ++ ++If the value is returned as "no", the returned line is commented out, or no output is returned, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-040360The Red Hat Enterprise Linux operating system must display the date and time of the last successful account logon upon an SSH logon.<VulnDiscussion>Providing users with feedback on when account accesses via SSH last occurred facilitates user recognition and reporting of unauthorized account use.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72245SV-86869CCI-000366Configure SSH to provide users with feedback on when account accesses last occurred by setting the required configuration options in "/etc/pam.d/sshd" or in the "sshd_config" file used by the system ("/etc/ssh/sshd_config" will be used in the example) (this file may be named differently or be in a different location if using a version of SSH that is provided by a third-party vendor). ++ ++Modify the "PrintLastLog" line in "/etc/ssh/sshd_config" to match the following: ++ ++PrintLastLog yes ++ ++The SSH service must be restarted for changes to "sshd_config" to take effect.Verify SSH provides users with feedback on when account accesses last occurred. ++ ++Check that "PrintLastLog" keyword in the sshd daemon configuration file is used and set to "yes" with the following command: ++ ++# grep -i printlastlog /etc/ssh/sshd_config ++PrintLastLog yes ++ ++If the "PrintLastLog" keyword is set to "no", is missing, or is commented out, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-040370The Red Hat Enterprise Linux operating system must not permit direct logons to the root account using remote access via SSH.<VulnDiscussion>Even though the communications channel may be encrypted, an additional layer of security is gained by extending the policy of not logging on directly as root. In addition, logging on with a user-specific account provides individual accountability of actions performed on the system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72247SV-86871CCI-000366Configure SSH to stop users from logging on remotely as the root user. ++ ++Edit the appropriate "/etc/ssh/sshd_config" file to uncomment or add the line for the "PermitRootLogin" keyword and set its value to "no" (this file may be named differently or be in a different location if using a version of SSH that is provided by a third-party vendor): ++ ++PermitRootLogin no ++ ++The SSH service must be restarted for changes to take effect.Verify remote access using SSH prevents users from logging on directly as root. ++ ++Check that SSH prevents users from logging on directly as root with the following command: ++ ++# grep -i permitrootlogin /etc/ssh/sshd_config ++PermitRootLogin no ++ ++If the "PermitRootLogin" keyword is set to "yes", is missing, or is commented out, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-040380The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon does not allow authentication using known hosts authentication.<VulnDiscussion>Configuring this setting for the SSH daemon provides additional assurance that remote logon via SSH will require a password, even in the event of misconfiguration elsewhere.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72249SV-86873CCI-000366Configure the SSH daemon to not allow authentication using known hosts authentication. ++ ++Add the following line in "/etc/ssh/sshd_config", or uncomment the line and set the value to "yes": ++ ++IgnoreUserKnownHosts yes ++ ++The SSH service must be restarted for changes to take effect.Verify the SSH daemon does not allow authentication using known hosts authentication. ++ ++To determine how the SSH daemon's "IgnoreUserKnownHosts" option is set, run the following command: ++ ++# grep -i IgnoreUserKnownHosts /etc/ssh/sshd_config ++ ++IgnoreUserKnownHosts yes ++ ++If the value is returned as "no", the returned line is commented out, or no output is returned, this is a finding.SRG-OS-000074-GPOS-00042<GroupDescription></GroupDescription>RHEL-07-040390The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon is configured to only use the SSHv2 protocol.<VulnDiscussion>SSHv1 is an insecure implementation of the SSH protocol and has many well-known vulnerability exploits. Exploits of the SSH daemon could provide immediate root access to the system. ++ ++Satisfies: SRG-OS-000074-GPOS-00042, SRG-OS-000480-GPOS-00227</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72251SV-86875CCI-000197CCI-000366Remove all Protocol lines that reference version "1" in "/etc/ssh/sshd_config" (this file may be named differently or be in a different location if using a version of SSH that is provided by a third-party vendor). The "Protocol" line must be as follows: ++ ++Protocol 2 ++ ++The SSH service must be restarted for changes to take effect.Check the version of the operating system with the following command: ++ ++# cat /etc/redhat-release ++ ++If the release is 7.4 or newer this requirement is Not Applicable. ++ ++Verify the SSH daemon is configured to only use the SSHv2 protocol. ++ ++Check that the SSH daemon is configured to only use the SSHv2 protocol with the following command: ++ ++# grep -i protocol /etc/ssh/sshd_config ++Protocol 2 ++#Protocol 1,2 ++ ++If any protocol line other than "Protocol 2" is uncommented, this is a finding.SRG-OS-000250-GPOS-00093<GroupDescription></GroupDescription>RHEL-07-040400The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon is configured to only use Message Authentication Codes (MACs) employing FIPS 140-2 approved cryptographic hash algorithms.<VulnDiscussion>DoD information systems are required to use FIPS 140-2 approved cryptographic hash functions. The only SSHv2 hash algorithm meeting this requirement is SHA.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86877V-72253CCI-001453Edit the "/etc/ssh/sshd_config" file to uncomment or add the line for the "MACs" keyword and set its value to "hmac-sha2-256" and/or "hmac-sha2-512" (this file may be named differently or be in a different location if using a version of SSH that is provided by a third-party vendor): ++ ++MACs hmac-sha2-256,hmac-sha2-512 ++ ++The SSH service must be restarted for changes to take effect.Verify the SSH daemon is configured to only use MACs employing FIPS 140-2-approved ciphers. ++ ++Note: If RHEL-07-021350 is a finding, this is automatically a finding as the system cannot implement FIPS 140-2-approved cryptographic algorithms and hashes. ++ ++Check that the SSH daemon is configured to only use MACs employing FIPS 140-2-approved ciphers with the following command: ++ ++# grep -i macs /etc/ssh/sshd_config ++MACs hmac-sha2-256,hmac-sha2-512 ++ ++If any ciphers other than "hmac-sha2-256" or "hmac-sha2-512" are listed or the returned line is commented out, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-040410The Red Hat Enterprise Linux operating system must be configured so that the SSH public host key files have mode 0644 or less permissive.<VulnDiscussion>If a public host key file is modified by an unauthorized user, the SSH service may be compromised.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72255SV-86879CCI-000366Note: SSH public key files may be found in other directories on the system depending on the installation. ++ ++Change the mode of public host key files under "/etc/ssh" to "0644" with the following command: ++ ++# chmod 0644 /etc/ssh/*.key.pubVerify the SSH public host key files have mode "0644" or less permissive. ++ ++Note: SSH public key files may be found in other directories on the system depending on the installation. ++ ++The following command will find all SSH public key files on the system: ++ ++# find /etc/ssh -name '*.pub' -exec ls -lL {} \; ++ ++-rw-r--r-- 1 root root 618 Nov 28 06:43 ssh_host_dsa_key.pub ++-rw-r--r-- 1 root root 347 Nov 28 06:43 ssh_host_key.pub ++-rw-r--r-- 1 root root 238 Nov 28 06:43 ssh_host_rsa_key.pub ++ ++If any file has a mode more permissive than "0644", this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-040420The Red Hat Enterprise Linux operating system must be configured so that the SSH private host key files have mode 0640 or less permissive.<VulnDiscussion>If an unauthorized user obtains the private SSH host key file, the host could be impersonated.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72257SV-86881CCI-000366Configure the mode of SSH private host key files under "/etc/ssh" to "0640" with the following command: ++ ++# chmod 0640 /path/to/file/ssh_host*key ++Verify the SSH private host key files have mode "0640" or less permissive. ++ ++The following command will find all SSH private key files on the system and list their modes: ++ ++# find / -name '*ssh_host*key' | xargs ls -lL ++ ++-rw-r----- 1 root ssh_keys 668 Nov 28 06:43 ssh_host_dsa_key ++-rw-r----- 1 root ssh_keys 582 Nov 28 06:43 ssh_host_key ++-rw-r----- 1 root ssh_keys 887 Nov 28 06:43 ssh_host_rsa_key ++ ++If any file has a mode more permissive than "0640", this is a finding.SRG-OS-000364-GPOS-00151<GroupDescription></GroupDescription>RHEL-07-040430The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon does not permit Generic Security Service Application Program Interface (GSSAPI) authentication unless needed.<VulnDiscussion>GSSAPI authentication is used to provide additional authentication mechanisms to applications. Allowing GSSAPI authentication through SSH exposes the system's GSSAPI to remote hosts, increasing the attack surface of the system. GSSAPI authentication must be disabled unless needed.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72259SV-86883CCI-000318CCI-000368CCI-001812CCI-001814CCI-001813Uncomment the "GSSAPIAuthentication" keyword in "/etc/ssh/sshd_config" (this file may be named differently or be in a different location if using a version of SSH that is provided by a third-party vendor) and set the value to "no": ++ ++GSSAPIAuthentication no ++ ++The SSH service must be restarted for changes to take effect. ++ ++If GSSAPI authentication is required, it must be documented, to include the location of the configuration file, with the ISSO.Verify the SSH daemon does not permit GSSAPI authentication unless approved. ++ ++Check that the SSH daemon does not permit GSSAPI authentication with the following command: ++ ++# grep -i gssapiauth /etc/ssh/sshd_config ++GSSAPIAuthentication no ++ ++If the "GSSAPIAuthentication" keyword is missing, is set to "yes" and is not documented with the Information System Security Officer (ISSO), or the returned line is commented out, this is a finding.SRG-OS-000364-GPOS-00151<GroupDescription></GroupDescription>RHEL-07-040440The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon does not permit Kerberos authentication unless needed.<VulnDiscussion>Kerberos authentication for SSH is often implemented using Generic Security Service Application Program Interface (GSSAPI). If Kerberos is enabled through SSH, the SSH daemon provides a means of access to the system's Kerberos implementation. Vulnerabilities in the system's Kerberos implementation may then be subject to exploitation. To reduce the attack surface of the system, the Kerberos authentication mechanism within SSH must be disabled for systems not using this capability.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72261SV-86885CCI-000368CCI-000318CCI-001814CCI-001813CCI-001812Uncomment the "KerberosAuthentication" keyword in "/etc/ssh/sshd_config" (this file may be named differently or be in a different location if using a version of SSH that is provided by a third-party vendor) and set the value to "no": ++ ++KerberosAuthentication no ++ ++The SSH service must be restarted for changes to take effect. ++ ++If Kerberos authentication is required, it must be documented, to include the location of the configuration file, with the ISSO.Verify the SSH daemon does not permit Kerberos to authenticate passwords unless approved. ++ ++Check that the SSH daemon does not permit Kerberos to authenticate passwords with the following command: ++ ++# grep -i kerberosauth /etc/ssh/sshd_config ++KerberosAuthentication no ++ ++If the "KerberosAuthentication" keyword is missing, or is set to "yes" and is not documented with the Information System Security Officer (ISSO), or the returned line is commented out, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-040450The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon performs strict mode checking of home directory configuration files.<VulnDiscussion>If other users have access to modify user-specific SSH configuration files, they may be able to log on to the system as another user.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86887V-72263CCI-000366Uncomment the "StrictModes" keyword in "/etc/ssh/sshd_config" (this file may be named differently or be in a different location if using a version of SSH that is provided by a third-party vendor) and set the value to "yes": ++ ++StrictModes yes ++ ++The SSH service must be restarted for changes to take effect.Verify the SSH daemon performs strict mode checking of home directory configuration files. ++ ++The location of the "sshd_config" file may vary if a different daemon is in use. ++ ++Inspect the "sshd_config" file with the following command: ++ ++# grep -i strictmodes /etc/ssh/sshd_config ++ ++StrictModes yes ++ ++If "StrictModes" is set to "no", is missing, or the returned line is commented out, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-040460The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon uses privilege separation.<VulnDiscussion>SSH daemon privilege separation causes the SSH process to drop root privileges when not needed, which would decrease the impact of software vulnerabilities in the unprivileged section.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86889V-72265CCI-000366Uncomment the "UsePrivilegeSeparation" keyword in "/etc/ssh/sshd_config" (this file may be named differently or be in a different location if using a version of SSH that is provided by a third-party vendor) and set the value to "sandbox" or "yes": ++ ++UsePrivilegeSeparation sandbox ++ ++The SSH service must be restarted for changes to take effect.Verify the SSH daemon performs privilege separation. ++ ++Check that the SSH daemon performs privilege separation with the following command: ++ ++# grep -i usepriv /etc/ssh/sshd_config ++ ++UsePrivilegeSeparation sandbox ++ ++If the "UsePrivilegeSeparation" keyword is set to "no", is missing, or the returned line is commented out, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-040470The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon does not allow compression or only allows compression after successful authentication.<VulnDiscussion>If compression is allowed in an SSH connection prior to authentication, vulnerabilities in the compression software could result in compromise of the system from an unauthenticated connection, potentially with root privileges.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86891V-72267CCI-000366Uncomment the "Compression" keyword in "/etc/ssh/sshd_config" (this file may be named differently or be in a different location if using a version of SSH that is provided by a third-party vendor) on the system and set the value to "delayed" or "no": ++ ++Compression no ++ ++The SSH service must be restarted for changes to take effect.Verify the SSH daemon performs compression after a user successfully authenticates. ++ ++Check that the SSH daemon performs compression after a user successfully authenticates with the following command: ++ ++# grep -i compression /etc/ssh/sshd_config ++Compression delayed ++ ++If the "Compression" keyword is set to "yes", is missing, or the returned line is commented out, this is a finding.SRG-OS-000355-GPOS-00143<GroupDescription></GroupDescription>RHEL-07-040500The Red Hat Enterprise Linux operating system must, for networked systems, synchronize clocks with a server that is synchronized to one of the redundant United States Naval Observatory (USNO) time servers, a time server designated for the appropriate DoD network (NIPRNet/SIPRNet), and/or the Global Positioning System (GPS).<VulnDiscussion>Inaccurate time stamps make it more difficult to correlate events and can lead to an inaccurate analysis. Determining the correct time a particular event occurred on a system is critical when conducting forensic analysis and investigating system events. Sources outside the configured acceptable allowance (drift) may be inaccurate. ++ ++Synchronizing internal information system clocks provides uniformity of time stamps for information systems with multiple system clocks and systems connected over a network. ++ ++Organizations should consider endpoints that may not have regular access to the authoritative time server (e.g., mobile, teleworking, and tactical endpoints). ++ ++Satisfies: SRG-OS-000355-GPOS-00143, SRG-OS-000356-GPOS-00144</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72269SV-86893CCI-002046CCI-001891Edit the "/etc/ntp.conf" or "/etc/chrony.conf" file and add or update an entry to define "maxpoll" to "10" as follows: ++ ++server 0.rhel.pool.ntp.org iburst maxpoll 10 ++ ++If NTP was running and "maxpoll" was updated, the NTP service must be restarted: ++ ++# systemctl restart ntpd ++ ++If NTP was not running, it must be started: ++ ++# systemctl start ntpd ++ ++If "chronyd" was running and "maxpoll" was updated, the service must be restarted: ++ ++# systemctl restart chronyd.service ++ ++If "chronyd" was not running, it must be started: ++ ++# systemctl start chronyd.serviceCheck to see if NTP is running in continuous mode: ++ ++# ps -ef | grep ntp ++ ++If NTP is not running, check to see if "chronyd" is running in continuous mode: ++ ++# ps -ef | grep chronyd ++ ++If NTP or "chronyd" is not running, this is a finding. ++ ++If the NTP process is found, then check the "ntp.conf" file for the "maxpoll" option setting: ++ ++# grep maxpoll /etc/ntp.conf ++ ++server 0.rhel.pool.ntp.org iburst maxpoll 10 ++ ++If the option is set to "17" or is not set, this is a finding. ++ ++If the file does not exist, check the "/etc/cron.daily" subdirectory for a crontab file controlling the execution of the "ntpd -q" command. ++ ++# grep -i "ntpd -q" /etc/cron.daily/* ++# ls -al /etc/cron.* | grep ntp ++ ++ntp ++ ++If a crontab file does not exist in the "/etc/cron.daily" that executes the "ntpd -q" command, this is a finding. ++ ++If the "chronyd" process is found, then check the "chrony.conf" file for the "maxpoll" option setting: ++ ++# grep maxpoll /etc/chrony.conf ++ ++server 0.rhel.pool.ntp.org iburst maxpoll 10 ++ ++If the option is not set or the line is commented out, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-040520The Red Hat Enterprise Linux operating system must enable an application firewall, if available.<VulnDiscussion>Firewalls protect computers from network attacks by blocking or limiting access to open network ports. Application firewalls limit which applications are allowed to communicate over the network. ++ ++Satisfies: SRG-OS-000480-GPOS-00227, SRG-OS-000480-GPOS-00231, SRG-OS-000480-GPOS-00232</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86897V-72273CCI-000366Ensure the operating system's application firewall is enabled. ++ ++Install the "firewalld" package, if it is not on the system, with the following command: ++ ++# yum install firewalld ++ ++Start the firewall via "systemctl" with the following command: ++ ++# systemctl start firewalldVerify the operating system enabled an application firewall. ++ ++Check to see if "firewalld" is installed with the following command: ++ ++# yum list installed firewalld ++firewalld-0.3.9-11.el7.noarch.rpm ++ ++If the "firewalld" package is not installed, ask the System Administrator if another firewall application (such as iptables) is installed. ++ ++If an application firewall is not installed, this is a finding. ++ ++Check to see if the firewall is loaded and active with the following command: ++ ++# systemctl status firewalld ++firewalld.service - firewalld - dynamic firewall daemon ++ ++ Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled) ++ Active: active (running) since Tue 2014-06-17 11:14:49 CEST; 5 days ago ++ ++If "firewalld" does not show a status of "loaded" and "active", this is a finding. ++ ++Check the state of the firewall: ++ ++# firewall-cmd --state ++running ++ ++If "firewalld" does not show a state of "running", this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-040530The Red Hat Enterprise Linux operating system must display the date and time of the last successful account logon upon logon.<VulnDiscussion>Providing users with feedback on when account accesses last occurred facilitates user recognition and reporting of unauthorized account use.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86899V-72275CCI-000366Configure the operating system to provide users with feedback on when account accesses last occurred by setting the required configuration options in "/etc/pam.d/postlogin". ++ ++Add the following line to the top of "/etc/pam.d/postlogin": ++ ++session required pam_lastlog.so showfailedVerify users are provided with feedback on when account accesses last occurred. ++ ++Check that "pam_lastlog" is used and not silent with the following command: ++ ++# grep pam_lastlog /etc/pam.d/postlogin ++session required pam_lastlog.so showfailed ++ ++If "pam_lastlog" is missing from "/etc/pam.d/postlogin" file, or the silent option is present, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-040540The Red Hat Enterprise Linux operating system must not contain .shosts files.<VulnDiscussion>The .shosts files are used to configure host-based authentication for individual users or the system via SSH. Host-based authentication is not sufficient for preventing unauthorized access to the system, as it does not require interactive identification and authentication of a connection request, or for the use of two-factor authentication.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86901V-72277CCI-000366Remove any found ".shosts" files from the system. ++ ++# rm /[path]/[to]/[file]/.shostsVerify there are no ".shosts" files on the system. ++ ++Check the system for the existence of these files with the following command: ++ ++# find / -name '*.shosts' ++ ++If any ".shosts" files are found on the system, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-040550The Red Hat Enterprise Linux operating system must not contain shosts.equiv files.<VulnDiscussion>The shosts.equiv files are used to configure host-based authentication for the system via SSH. Host-based authentication is not sufficient for preventing unauthorized access to the system, as it does not require interactive identification and authentication of a connection request, or for the use of two-factor authentication.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86903V-72279CCI-000366Remove any found "shosts.equiv" files from the system. ++ ++# rm /[path]/[to]/[file]/shosts.equivVerify there are no "shosts.equiv" files on the system. ++ ++Check the system for the existence of these files with the following command: ++ ++# find / -name shosts.equiv ++ ++If any "shosts.equiv" files are found on the system, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-040600For Red Hat Enterprise Linux operating systems using DNS resolution, at least two name servers must be configured.<VulnDiscussion>To provide availability for name resolution services, multiple redundant name servers are mandated. A failure in name resolution could lead to the failure of security functions requiring name resolution, which may include time synchronization, centralized authentication, and remote system logging.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86905V-72281CCI-000366Configure the operating system to use two or more name servers for DNS resolution. ++ ++Edit the "/etc/resolv.conf" file to uncomment or add the two or more "nameserver" option lines with the IP address of local authoritative name servers. If local host resolution is being performed, the "/etc/resolv.conf" file must be empty. An empty "/etc/resolv.conf" file can be created as follows: ++ ++# echo -n > /etc/resolv.conf ++ ++And then make the file immutable with the following command: ++ ++# chattr +i /etc/resolv.conf ++ ++If the "/etc/resolv.conf" file must be mutable, the required configuration must be documented with the Information System Security Officer (ISSO) and the file must be verified by the system file integrity tool.Determine whether the system is using local or DNS name resolution with the following command: ++ ++# grep hosts /etc/nsswitch.conf ++hosts: files dns ++ ++If the DNS entry is missing from the host's line in the "/etc/nsswitch.conf" file, the "/etc/resolv.conf" file must be empty. ++ ++Verify the "/etc/resolv.conf" file is empty with the following command: ++ ++# ls -al /etc/resolv.conf ++-rw-r--r-- 1 root root 0 Aug 19 08:31 resolv.conf ++ ++If local host authentication is being used and the "/etc/resolv.conf" file is not empty, this is a finding. ++ ++If the DNS entry is found on the host's line of the "/etc/nsswitch.conf" file, verify the operating system is configured to use two or more name servers for DNS resolution. ++ ++Determine the name servers used by the system with the following command: ++ ++# grep nameserver /etc/resolv.conf ++nameserver 192.168.1.2 ++nameserver 192.168.1.3 ++ ++If less than two lines are returned that are not commented out, this is a finding. ++ ++Verify that the "/etc/resolv.conf" file is immutable with the following command: ++ ++# sudo lsattr /etc/resolv.conf ++ ++----i----------- /etc/resolv.conf ++ ++If the file is mutable and has not been documented with the Information System Security Officer (ISSO), this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-040610The Red Hat Enterprise Linux operating system must not forward Internet Protocol version 4 (IPv4) source-routed packets.<VulnDiscussion>Source-routed packets allow the source of the packet to suggest that routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routed traffic, such as when IPv4 forwarding is enabled and the system is functioning as a router.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72283SV-86907CCI-000366Set the system to the required kernel parameter by adding the following line to "/etc/sysctl.conf" or a configuration file in the /etc/sysctl.d/ directory (or modify the line to have the required value): ++ ++net.ipv4.conf.all.accept_source_route = 0 ++ ++Issue the following command to make the changes take effect: ++ ++# sysctl -systemVerify the system does not accept IPv4 source-routed packets. ++ ++# grep net.ipv4.conf.all.accept_source_route /etc/sysctl.conf /etc/sysctl.d/* ++ ++net.ipv4.conf.all.accept_source_route = 0 ++ ++If " net.ipv4.conf.all.accept_source_route " is not configured in the /etc/sysctl.conf file or in the /etc/sysctl.d/ directory, is commented out, or does not have a value of "0", this is a finding. ++ ++Check that the operating system implements the accept source route variable with the following command: ++ ++# /sbin/sysctl -a | grep net.ipv4.conf.all.accept_source_route ++net.ipv4.conf.all.accept_source_route = 0 ++ ++If the returned line does not have a value of "0", this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-040611The Red Hat Enterprise Linux operating system must use a reverse-path filter for IPv4 network traffic when possible on all interfaces.<VulnDiscussion>Enabling reverse path filtering drops packets with source addresses that should not have been able to be received on the interface they were received on. It should not be used on systems which are routers for complicated networks, but is helpful for end hosts and routers serving small networks.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-92251SV-102353CCI-000366Set the system to the required kernel parameter by adding the following line to "/etc/sysctl.conf" or a configuration file in the /etc/sysctl.d/ directory (or modify the line to have the required value): ++ ++net.ipv4.conf.all.rp_filter = 1 ++ ++Issue the following command to make the changes take effect: ++ ++# sysctl --systemVerify the system uses a reverse-path filter for IPv4: ++ ++# grep net.ipv4.conf.all.rp_filter /etc/sysctl.conf /etc/sysctl.d/* ++net.ipv4.conf.all.rp_filter = 1 ++ ++If "net.ipv4.conf.all.rp_filter" is not configured in the /etc/sysctl.conf file or in the /etc/sysctl.d/ directory, is commented out, or does not have a value of "1", this is a finding. ++ ++Check that the operating system implements the accept source route variable with the following command: ++ ++# /sbin/sysctl -a | grep net.ipv4.conf.all.rp_filter ++net.ipv4.conf.all.rp_filter = 1 ++ ++If the returned line does not have a value of "1", this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-040612The Red Hat Enterprise Linux operating system must use a reverse-path filter for IPv4 network traffic when possible by default.<VulnDiscussion>Enabling reverse path filtering drops packets with source addresses that should not have been able to be received on the interface they were received on. It should not be used on systems which are routers for complicated networks, but is helpful for end hosts and routers serving small networks.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-92253SV-102355CCI-000366Set the system to the required kernel parameter by adding the following line to "/etc/sysctl.conf" or a configuration file in the /etc/sysctl.d/ directory (or modify the line to have the required value): ++ ++net.ipv4.conf.default.rp_filter = 1 ++ ++Issue the following command to make the changes take effect: ++ ++# sysctl --systemVerify the system uses a reverse-path filter for IPv4: ++ ++# grep net.ipv4.conf.default.rp_filter /etc/sysctl.conf /etc/sysctl.d/* ++net.ipv4.conf.default.rp_filter = 1 ++ ++If "net.ipv4.conf.default.rp_filter" is not configured in the /etc/sysctl.conf file or in the /etc/sysctl.d/ directory, is commented out, or does not have a value of "1", this is a finding. ++ ++Check that the operating system implements the accept source route variable with the following command: ++ ++# /sbin/sysctl -a | grep net.ipv4.conf.default.rp_filter ++net.ipv4.conf.default.rp_filter = 1 ++ ++If the returned line does not have a value of "1", this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-040620The Red Hat Enterprise Linux operating system must not forward Internet Protocol version 4 (IPv4) source-routed packets by default.<VulnDiscussion>Source-routed packets allow the source of the packet to suggest that routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routed traffic, such as when IPv4 forwarding is enabled and the system is functioning as a router.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72285SV-86909CCI-000366Set the system to the required kernel parameter by adding the following line to "/etc/sysctl.conf" or a configuration file in the /etc/sysctl.d/ directory (or modify the line to have the required value): ++ ++net.ipv4.conf.default.accept_source_route = 0 ++ ++Issue the following command to make the changes take effect: ++ ++# sysctl --systemVerify the system does not accept IPv4 source-routed packets by default. ++ ++# grep net.ipv4.conf.default.accept_source_route /etc/sysctl.conf /etc/sysctl.d/* ++net.ipv4.conf.default.accept_source_route = 0 ++ ++If " net.ipv4.conf.default.accept_source_route " is not configured in the /etc/sysctl.conf file or in the /etc/sysctl.d/ directory, is commented out, or does not have a value of "0", this is a finding. ++ ++Check that the operating system implements the accept source route variable with the following command: ++ ++# /sbin/sysctl -a | grep net.ipv4.conf.default.accept_source_route ++net.ipv4.conf.default.accept_source_route = 0 ++ ++If the returned line does not have a value of "0", this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-040630The Red Hat Enterprise Linux operating system must not respond to Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) echoes sent to a broadcast address.<VulnDiscussion>Responding to broadcast (ICMP) echoes facilitates network mapping and provides a vector for amplification attacks.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72287SV-86911CCI-000366Set the system to the required kernel parameter by adding the following line to "/etc/sysctl.conf" or a configuration file in the /etc/sysctl.d/ directory (or modify the line to have the required value): ++ ++net.ipv4.icmp_echo_ignore_broadcasts = 1 ++ ++Issue the following command to make the changes take effect: ++ ++# sysctl --systemVerify the system does not respond to IPv4 ICMP echoes sent to a broadcast address. ++ ++# grep net.ipv4.icmp_echo_ignore_broadcasts /etc/sysctl.conf /etc/sysctl.d/* ++ ++If " net.ipv4.icmp_echo_ignore_broadcasts" is not configured in the /etc/sysctl.conf file or in the /etc/sysctl.d/ directory, is commented out, or does not have a value of "1", this is a finding. ++ ++Check that the operating system implements the "icmp_echo_ignore_broadcasts" variable with the following command: ++ ++# /sbin/sysctl -a | grep net.ipv4.icmp_echo_ignore_broadcasts ++net.ipv4.icmp_echo_ignore_broadcasts = 1 ++ ++If the returned line does not have a value of "1", this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-040640The Red Hat Enterprise Linux operating system must prevent Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirect messages from being accepted.<VulnDiscussion>ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. An illicit ICMP redirect message could result in a man-in-the-middle attack.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86913V-72289CCI-000366Set the system to not accept IPv4 ICMP redirect messages by adding the following line to "/etc/sysctl.conf" or a configuration file in the /etc/sysctl.d/ directory (or modify the line to have the required value): ++ ++net.ipv4.conf.default.accept_redirects = 0 ++ ++Issue the following command to make the changes take effect: ++ ++# sysctl --systemVerify the system will not accept IPv4 ICMP redirect messages. ++ ++# grep 'net.ipv4.conf.default.accept_redirects' /etc/sysctl.conf /etc/sysctl.d/* ++ ++If " net.ipv4.conf.default.accept_redirects " is not configured in the /etc/sysctl.conf file or in the /etc/sysctl.d/ directory, is commented out, or does not have a value of "0", this is a finding. ++ ++Check that the operating system implements the value of the "accept_redirects" variables with the following command: ++ ++# /sbin/sysctl -a | grep 'net.ipv4.conf.default.accept_redirects' ++net.ipv4.conf.default.accept_redirects = 0 ++ ++If the returned line does not have a value of "0", this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-040641The Red Hat Enterprise Linux operating system must ignore Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirect messages.<VulnDiscussion>ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. An illicit ICMP redirect message could result in a man-in-the-middle attack.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-87827V-73175CCI-000366Set the system to ignore IPv4 ICMP redirect messages by adding the following line to "/etc/sysctl.conf" or a configuration file in the /etc/sysctl.d/ directory (or modify the line to have the required value): ++ ++net.ipv4.conf.all.accept_redirects = 0 ++ ++Issue the following command to make the changes take effect: ++ ++# sysctl --systemVerify the system ignores IPv4 ICMP redirect messages. ++ ++# grep 'net.ipv4.conf.all.accept_redirects' /etc/sysctl.conf /etc/sysctl.d/* ++ ++If " net.ipv4.conf.all.accept_redirects " is not configured in the /etc/sysctl.conf file or in the /etc/sysctl.d/ directory, is commented out, or does not have a value of "0", this is a finding. ++ ++Check that the operating system implements the "accept_redirects" variables with the following command: ++ ++# /sbin/sysctl -a | grep 'net.ipv4.conf.all.accept_redirects' ++ ++net.ipv4.conf.all.accept_redirects = 0 ++ ++If the returned line does not have a value of "0", this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-040650The Red Hat Enterprise Linux operating system must not allow interfaces to perform Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirects by default.<VulnDiscussion>ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages contain information from the system's route table, possibly revealing portions of the network topology.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72291SV-86915CCI-000366Configure the system to not allow interfaces to perform IPv4 ICMP redirects by default. ++ ++Set the system to the required kernel parameter by adding the following line to "/etc/sysctl.conf" or a configuration file in the /etc/sysctl.d/ directory (or modify the line to have the required value): ++ ++net.ipv4.conf.default.send_redirects = 0 ++ ++Issue the following command to make the changes take effect: ++ ++# sysctl --systemVerify the system does not allow interfaces to perform IPv4 ICMP redirects by default. ++ ++# grep 'net.ipv4.conf.default.send_redirects' /etc/sysctl.conf /etc/sysctl.d/* ++ ++If "net.ipv4.conf.default.send_redirects" is not configured in the "/etc/sysctl.conf" file or in the /etc/sysctl.d/ directory, is commented out or does not have a value of "0", this is a finding. ++ ++Check that the operating system implements the "default send_redirects" variables with the following command: ++ ++# /sbin/sysctl -a | grep 'net.ipv4.conf.default.send_redirects' ++ ++net.ipv4.conf.default.send_redirects = 0 ++ ++If the returned line does not have a value of "0", this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-040660The Red Hat Enterprise Linux operating system must not send Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirects.<VulnDiscussion>ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages contain information from the system's route table, possibly revealing portions of the network topology.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72293SV-86917CCI-000366Configure the system to not allow interfaces to perform IPv4 ICMP redirects. ++ ++Set the system to the required kernel parameter by adding the following line to "/etc/sysctl.conf" or a configuration file in the /etc/sysctl.d/ directory (or modify the line to have the required value): ++ ++net.ipv4.conf.all.send_redirects = 0 ++ ++Issue the following command to make the changes take effect: ++ ++# sysctl --systemVerify the system does not send IPv4 ICMP redirect messages. ++ ++# grep 'net.ipv4.conf.all.send_redirects' /etc/sysctl.conf /etc/sysctl.d/* ++ ++If "net.ipv4.conf.all.send_redirects" is not configured in the /etc/sysctl.conf file or in the /etc/sysctl.d/ directory, is commented out or does not have a value of "0", this is a finding. ++ ++Check that the operating system implements the "all send_redirects" variables with the following command: ++ ++# /sbin/sysctl -a | grep 'net.ipv4.conf.all.send_redirects' ++ ++net.ipv4.conf.all.send_redirects = 0 ++ ++If the returned line does not have a value of "0", this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-040670Network interfaces configured on the Red Hat Enterprise Linux operating system must not be in promiscuous mode.<VulnDiscussion>Network interfaces in promiscuous mode allow for the capture of all network traffic visible to the system. If unauthorized individuals can access these applications, it may allow then to collect information such as logon IDs, passwords, and key exchanges between systems. ++ ++If the system is being used to perform a network troubleshooting function, the use of these tools must be documented with the Information System Security Officer (ISSO) and restricted to only authorized personnel.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72295SV-86919CCI-000366Configure network interfaces to turn off promiscuous mode unless approved by the ISSO and documented. ++ ++Set the promiscuous mode of an interface to off with the following command: ++ ++#ip link set dev <devicename> multicast off promisc offVerify network interfaces are not in promiscuous mode unless approved by the ISSO and documented. ++ ++Check for the status with the following command: ++ ++# ip link | grep -i promisc ++ ++If network interfaces are found on the system in promiscuous mode and their use has not been approved by the ISSO and documented, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-040680The Red Hat Enterprise Linux operating system must be configured to prevent unrestricted mail relaying.<VulnDiscussion>If unrestricted mail relaying is permitted, unauthorized senders could use this host as a mail relay for the purpose of sending spam or other unauthorized activity.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86921V-72297CCI-000366If "postfix" is installed, modify the "/etc/postfix/main.cf" file to restrict client connections to the local network with the following command: ++ ++# postconf -e 'smtpd_client_restrictions = permit_mynetworks,reject'Verify the system is configured to prevent unrestricted mail relaying. ++ ++Determine if "postfix" is installed with the following commands: ++ ++# yum list installed postfix ++postfix-2.6.6-6.el7.x86_64.rpm ++ ++If postfix is not installed, this is Not Applicable. ++ ++If postfix is installed, determine if it is configured to reject connections from unknown or untrusted networks with the following command: ++ ++# postconf -n smtpd_client_restrictions ++smtpd_client_restrictions = permit_mynetworks, reject ++ ++If the "smtpd_client_restrictions" parameter contains any entries other than "permit_mynetworks" and "reject", this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-040690The Red Hat Enterprise Linux operating system must not have a File Transfer Protocol (FTP) server package installed unless needed.<VulnDiscussion>The FTP service provides an unencrypted remote access that does not provide for the confidentiality and integrity of user passwords or the remote session. If a privileged user were to log on using this service, the privileged user password could be compromised. SSH or other encrypted file transfer methods must be used in place of this service.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86923V-72299CCI-000366Document the "vsftpd" package with the ISSO as an operational requirement or remove it from the system with the following command: ++ ++# yum remove vsftpdVerify an FTP server has not been installed on the system. ++ ++Check to see if an FTP server has been installed with the following commands: ++ ++# yum list installed vsftpd ++ ++ vsftpd-3.0.2.el7.x86_64.rpm ++ ++If "vsftpd" is installed and is not documented with the Information System Security Officer (ISSO) as an operational requirement, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-040700The Red Hat Enterprise Linux operating system must not have the Trivial File Transfer Protocol (TFTP) server package installed if not required for operational support.<VulnDiscussion>If TFTP is required for operational support (such as the transmission of router configurations) its use must be documented with the Information System Security Officer (ISSO), restricted to only authorized personnel, and have access control rules established.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86925V-72301CCI-000318CCI-001812CCI-001813CCI-001814CCI-000368Remove the TFTP package from the system with the following command: ++ ++# yum remove tftp-serverVerify a TFTP server has not been installed on the system. ++ ++Check to see if a TFTP server has been installed with the following command: ++ ++# yum list installed tftp-server ++tftp-server-0.49-9.el7.x86_64.rpm ++ ++If TFTP is installed and the requirement for TFTP is not documented with the ISSO, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-040710The Red Hat Enterprise Linux operating system must be configured so that remote X connections for interactive users are encrypted.<VulnDiscussion>Open X displays allow an attacker to capture keystrokes and execute commands remotely.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86927V-72303CCI-000366Configure SSH to encrypt connections for interactive users. ++ ++Edit the "/etc/ssh/sshd_config" file to uncomment or add the line for the "X11Forwarding" keyword and set its value to "yes" (this file may be named differently or be in a different location if using a version of SSH that is provided by a third-party vendor): ++ ++X11Forwarding yes ++ ++The SSH service must be restarted for changes to take effect: ++ ++# systemctl restart sshdVerify remote X connections for interactive users are encrypted. ++ ++Check that remote X connections are encrypted with the following command: ++ ++# grep -i x11forwarding /etc/ssh/sshd_config | grep -v "^#" ++ ++X11Forwarding yes ++ ++If the "X11Forwarding" keyword is set to "no" or is missing, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-040720The Red Hat Enterprise Linux operating system must be configured so that if the Trivial File Transfer Protocol (TFTP) server is required, the TFTP daemon is configured to operate in secure mode.<VulnDiscussion>Restricting TFTP to a specific directory prevents remote users from copying, transferring, or overwriting system files.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86929V-72305CCI-000366Configure the TFTP daemon to operate in secure mode by adding the following line to "/etc/xinetd.d/tftp" (or modify the line to have the required value): ++ ++server_args = -s /var/lib/tftpbootVerify the TFTP daemon is configured to operate in secure mode. ++ ++Check to see if a TFTP server has been installed with the following commands: ++ ++# yum list installed tftp-server ++tftp-server.x86_64 x.x-x.el7 rhel-7-server-rpms ++ ++If a TFTP server is not installed, this is Not Applicable. ++ ++If a TFTP server is installed, check for the server arguments with the following command: ++ ++# grep server_args /etc/xinetd.d/tftp ++server_args = -s /var/lib/tftpboot ++ ++If the "server_args" line does not have a "-s" option and a subdirectory is not assigned, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-040730The Red Hat Enterprise Linux operating system must not have a graphical display manager installed unless approved.<VulnDiscussion>Internet services that are not required for system or application processes must not be active to decrease the attack surface of the system. Graphical display managers have a long history of security vulnerabilities and must not be used unless approved and documented.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86931V-72307CCI-000366Document the requirement for a graphical user interface with the ISSO or remove the related packages with the following commands: ++ ++# rpm -e xorg-x11-server-common ++ ++# systemctl set-default multi-user.targetVerify the system is configured to boot to the command line: ++ ++# systemctl get-default ++multi-user.target ++ ++If the system default target is not set to "multi-user.target" and the Information System Security Officer (ISSO) lacks a documented requirement for a graphical user interface, this is a finding. ++ ++Verify a graphical user interface is not installed: ++ ++# rpm -qa | grep xorg | grep server ++ ++Ask the System Administrator if use of a graphical user interface is an operational requirement. ++ ++If the use of a graphical user interface on the system is not documented with the ISSO, this is a finding. ++SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-040740The Red Hat Enterprise Linux operating system must not be performing packet forwarding unless the system is a router.<VulnDiscussion>Routing protocol daemons are typically used on routers to exchange network topology information with other routers. If this software is used when not required, system network information may be unnecessarily transmitted across the network.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86933V-72309CCI-000366Set the system to the required kernel parameter by adding the following line to "/etc/sysctl.conf" or a configuration file in the /etc/sysctl.d/ directory (or modify the line to have the required value): ++ ++net.ipv4.ip_forward = 0 ++ ++Issue the following command to make the changes take effect: ++ ++# sysctl --systemVerify the system is not performing packet forwarding, unless the system is a router. ++ ++# grep net.ipv4.ip_forward /etc/sysctl.conf /etc/sysctl.d/* ++ ++net.ipv4.ip_forward = 0 ++ ++If "net.ipv4.ip_forward" is not configured in the /etc/sysctl.conf file or in the /etc/sysctl.d/ directory, is commented out, or does not have a value of "0", this is a finding. ++ ++Check that the operating system does not implement IP forwarding using the following command: ++ ++# /sbin/sysctl -a | grep net.ipv4.ip_forward ++net.ipv4.ip_forward = 0 ++ ++If IP forwarding value is "1" and the system is hosting any application, database, or web servers, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-040750The Red Hat Enterprise Linux operating system must be configured so that the Network File System (NFS) is configured to use RPCSEC_GSS.<VulnDiscussion>When an NFS server is configured to use RPCSEC_SYS, a selected userid and groupid are used to handle requests from the remote user. The userid and groupid could mistakenly or maliciously be set incorrectly. The RPCSEC_GSS method of authentication uses certificates on the server and client systems to more securely authenticate the remote mount request.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86935V-72311CCI-000366Update the "/etc/fstab" file so the option "sec" is defined for each NFS mounted file system and the "sec" option does not have the "sys" setting. ++ ++Ensure the "sec" option is defined as "krb5:krb5i:krb5p".Verify "AUTH_GSS" is being used to authenticate NFS mounts. ++ ++To check if the system is importing an NFS file system, look for any entries in the "/etc/fstab" file that have a file system type of "nfs" with the following command: ++ ++# cat /etc/fstab | grep nfs ++192.168.21.5:/mnt/export /data1 nfs4 rw,sync ,soft,sec=krb5:krb5i:krb5p ++ ++If the system is mounting file systems via NFS and has the sec option without the "krb5:krb5i:krb5p" settings, the "sec" option has the "sys" setting, or the "sec" option is missing, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-040800SNMP community strings on the Red Hat Enterprise Linux operating system must be changed from the default.<VulnDiscussion>Whether active or not, default Simple Network Management Protocol (SNMP) community strings must be changed to maintain security. If the service is running with the default authenticators, anyone can gather data about the system and the network and use the information to potentially compromise the integrity of the system or network(s). It is highly recommended that SNMP version 3 user authentication and message encryption be used in place of the version 2 community strings.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86937V-72313CCI-000366If the "/etc/snmp/snmpd.conf" file exists, modify any lines that contain a community string value of "public" or "private" to another string value.Verify that a system using SNMP is not using default community strings. ++ ++Check to see if the "/etc/snmp/snmpd.conf" file exists with the following command: ++ ++# ls -al /etc/snmp/snmpd.conf ++ -rw------- 1 root root 52640 Mar 12 11:08 snmpd.conf ++ ++If the file does not exist, this is Not Applicable. ++ ++If the file does exist, check for the default community strings with the following commands: ++ ++# grep public /etc/snmp/snmpd.conf ++# grep private /etc/snmp/snmpd.conf ++ ++If either of these commands returns any output, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-040810The Red Hat Enterprise Linux operating system access control program must be configured to grant or deny system access to specific hosts and services.<VulnDiscussion>If the systems access control program is not configured with appropriate rules for allowing and denying access to system network resources, services may be accessible to unauthorized hosts.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86939V-72315CCI-000366If "firewalld" is installed and active on the system, configure rules for allowing specific services and hosts. ++ ++If "firewalld" is not "active", enable "tcpwrappers" by configuring "/etc/hosts.allow" and "/etc/hosts.deny" to allow or deny access to specific hosts.If the "firewalld" package is not installed, ask the System Administrator (SA) if another firewall application (such as iptables) is installed. If an application firewall is not installed, this is a finding. ++ ++Verify the system's access control program is configured to grant or deny system access to specific hosts. ++ ++Check to see if "firewalld" is active with the following command: ++ ++# systemctl status firewalld ++firewalld.service - firewalld - dynamic firewall daemon ++Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled) ++Active: active (running) since Sun 2014-04-20 14:06:46 BST; 30s ago ++ ++If "firewalld" is active, check to see if it is configured to grant or deny access to specific hosts or services with the following commands: ++ ++# firewall-cmd --get-default-zone ++public ++ ++# firewall-cmd --list-all --zone=public ++public (active) ++target: default ++icmp-block-inversion: no ++interfaces: eth0 ++sources: ++services: mdns ssh ++ports: ++protocols: ++masquerade: no ++forward-ports: ++icmp-blocks: ++ ++If "firewalld" is not active, determine whether "tcpwrappers" is being used by checking whether the "hosts.allow" and "hosts.deny" files are empty with the following commands: ++ ++# ls -al /etc/hosts.allow ++rw-r----- 1 root root 9 Aug 2 23:13 /etc/hosts.allow ++ ++# ls -al /etc/hosts.deny ++-rw-r----- 1 root root 9 Apr 9 2007 /etc/hosts.deny ++ ++If "firewalld" and "tcpwrappers" are not installed, configured, and active, ask the SA if another access control program (such as iptables) is installed and active. Ask the SA to show that the running configuration grants or denies access to specific hosts or services. ++ ++If "firewalld" is active and is not configured to grant access to specific hosts or "tcpwrappers" is not configured to grant or deny access to specific hosts, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-040820The Red Hat Enterprise Linux operating system must not have unauthorized IP tunnels configured.<VulnDiscussion>IP tunneling mechanisms can be used to bypass network filtering. If tunneling is required, it must be documented with the Information System Security Officer (ISSO).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72317SV-86941CCI-000366Remove all unapproved tunnels from the system, or document them with the ISSO.Verify the system does not have unauthorized IP tunnels configured. ++ ++Check to see if "libreswan" is installed with the following command: ++ ++# yum list installed libreswan ++libreswan.x86-64 3.20-5.el7_4 ++ ++If "libreswan" is installed, check to see if the "IPsec" service is active with the following command: ++ ++# systemctl status ipsec ++ipsec.service - Internet Key Exchange (IKE) Protocol Daemon for IPsec ++Loaded: loaded (/usr/lib/systemd/system/ipsec.service; disabled) ++Active: inactive (dead) ++ ++If the "IPsec" service is active, check to see if any tunnels are configured in "/etc/ipsec.conf" and "/etc/ipsec.d/" with the following commands: ++ ++# grep -iw conn /etc/ipsec.conf /etc/ipsec.d/*.conf ++ ++If there are indications that a "conn" parameter is configured for a tunnel, ask the System Administrator if the tunnel is documented with the ISSO. ++ ++If "libreswan" is installed, "IPsec" is active, and an undocumented tunnel is active, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-040830The Red Hat Enterprise Linux operating system must not forward IPv6 source-routed packets.<VulnDiscussion>Source-routed packets allow the source of the packet to suggest that routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routed traffic, such as when IPv6 forwarding is enabled and the system is functioning as a router.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72319SV-86943CCI-000366Set the system to the required kernel parameter, if IPv6 is enabled, by adding the following line to "/etc/sysctl.conf" or a configuration file in the /etc/sysctl.d/ directory (or modify the line to have the required value): ++ ++net.ipv6.conf.all.accept_source_route = 0 ++ ++Issue the following command to make the changes take effect: ++ ++# sysctl --systemIf IPv6 is not enabled, the key will not exist, and this is Not Applicable. ++ ++Verify the system does not accept IPv6 source-routed packets. ++ ++# grep net.ipv6.conf.all.accept_source_route /etc/sysctl.conf /etc/sysctl.d/* ++ ++net.ipv6.conf.all.accept_source_route = 0 ++ ++If "net.ipv6.conf.all.accept_source_route" is not configured in the /etc/sysctl.conf file or in the /etc/sysctl.d/ directory, is commented out or does not have a value of "0", this is a finding. ++ ++Check that the operating system implements the accept source route variable with the following command: ++ ++# /sbin/sysctl -a | grep net.ipv6.conf.all.accept_source_route ++net.ipv6.conf.all.accept_source_route = 0 ++ ++If the returned lines do not have a value of "0", this is a finding.SRG-OS-000375-GPOS-00160<GroupDescription></GroupDescription>RHEL-07-041001The Red Hat Enterprise Linux operating system must have the required packages for multifactor authentication installed.<VulnDiscussion>Using an authentication device, such as a CAC or token that is separate from the information system, ensures that even if the information system is compromised, that compromise will not affect credentials stored on the authentication device. ++ ++Multifactor solutions that require devices separate from information systems gaining access include, for example, hardware tokens providing time-based or challenge-response authenticators and smart cards such as the U.S. Government Personal Identity Verification card and the DoD Common Access Card. ++ ++A privileged account is defined as an information system account with authorizations of a privileged user. ++ ++Remote access is access to DoD nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless. ++ ++This requirement only applies to components where this is specific to the function of the device or has the concept of an organizational user (e.g., VPN, proxy capability). This does not apply to authentication for the purpose of configuring the device itself (management). ++ ++Satisfies: SRG-OS-000375-GPOS-00160, SRG-OS-000375-GPOS-00161, SRG-OS-000375-GPOS-00162</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-87041V-72417CCI-001948CCI-001953CCI-001954Configure the operating system to implement multifactor authentication by installing the required packages. ++ ++Install the pam_pkcs11 package with the following command: ++ ++# yum install pam_pkcs11Verify the operating system has the packages required for multifactor authentication installed. ++ ++Check for the presence of the packages required to support multifactor authentication with the following commands: ++ ++# yum list installed pam_pkcs11 ++pam_pkcs11-0.6.2-14.el7.noarch.rpm ++ ++If the "pam_pkcs11" package is not installed, this is a finding.SRG-OS-000375-GPOS-00160<GroupDescription></GroupDescription>RHEL-07-041002The Red Hat Enterprise Linux operating system must implement multifactor authentication for access to privileged accounts via pluggable authentication modules (PAM).<VulnDiscussion>Using an authentication device, such as a CAC or token that is separate from the information system, ensures that even if the information system is compromised, that compromise will not affect credentials stored on the authentication device. ++ ++Multifactor solutions that require devices separate from information systems gaining access include, for example, hardware tokens providing time-based or challenge-response authenticators and smart cards such as the U.S. Government Personal Identity Verification card and the DoD Common Access Card. ++ ++A privileged account is defined as an information system account with authorizations of a privileged user. ++ ++Remote access is access to DoD nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless. ++ ++This requirement only applies to components where this is specific to the function of the device or has the concept of an organizational user (e.g., VPN, proxy capability). This does not apply to authentication for the purpose of configuring the device itself (management). ++ ++Satisfies: SRG-OS-000375-GPOS-00160, SRG-OS-000375-GPOS-00161, SRG-OS-000375-GPOS-00162</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72427SV-87051CCI-001953CCI-001948CCI-001954Configure the operating system to implement multifactor authentication for remote access to privileged accounts via pluggable authentication modules (PAM). ++ ++Modify all of the services lines in "/etc/sssd/sssd.conf" or in configuration files found under "/etc/sssd/conf.d" to include pam.Verify the operating system implements multifactor authentication for remote access to privileged accounts via pluggable authentication modules (PAM). ++ ++Check the "/etc/sssd/sssd.conf" file for the authentication services that are being used with the following command: ++ ++# grep services /etc/sssd/sssd.conf /etc/sssd/conf.d/*.conf ++ ++services = nss, pam ++ ++If the "pam" service is not present on all "services" lines, this is a finding.SRG-OS-000375-GPOS-00160<GroupDescription></GroupDescription>RHEL-07-041003The Red Hat Enterprise Linux operating system must implement certificate status checking for PKI authentication.<VulnDiscussion>Using an authentication device, such as a CAC or token that is separate from the information system, ensures that even if the information system is compromised, that compromise will not affect credentials stored on the authentication device. ++ ++Multifactor solutions that require devices separate from information systems gaining access include, for example, hardware tokens providing time-based or challenge-response authenticators and smart cards such as the U.S. Government Personal Identity Verification card and the DoD Common Access Card. ++ ++A privileged account is defined as an information system account with authorizations of a privileged user. ++ ++Remote access is access to DoD nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless. ++ ++This requirement only applies to components where this is specific to the function of the device or has the concept of an organizational user (e.g., VPN, proxy capability). This does not apply to authentication for the purpose of configuring the device itself (management). ++ ++Satisfies: SRG-OS-000375-GPOS-00160, SRG-OS-000375-GPOS-00161, SRG-OS-000375-GPOS-00162</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72433SV-87057CCI-001954CCI-001948CCI-001953Configure the operating system to do certificate status checking for PKI authentication. ++ ++Modify all of the "cert_policy" lines in "/etc/pam_pkcs11/pam_pkcs11.conf" to include "ocsp_on".Verify the operating system implements certificate status checking for PKI authentication. ++ ++Check to see if Online Certificate Status Protocol (OCSP) is enabled on the system with the following command: ++ ++# grep cert_policy /etc/pam_pkcs11/pam_pkcs11.conf | grep -v "^#" ++ ++cert_policy = ca, ocsp_on, signature; ++cert_policy = ca, ocsp_on, signature; ++cert_policy = ca, ocsp_on, signature; ++ ++There should be at least three lines returned. ++ ++If "ocsp_on" is not present in all uncommented "cert_policy" lines in "/etc/pam_pkcs11/pam_pkcs11.conf", this is a finding.SRG-OS-000424-GPOS-00188<GroupDescription></GroupDescription>RHEL-07-041010The Red Hat Enterprise Linux operating system must be configured so that all wireless network adapters are disabled.<VulnDiscussion>The use of wireless networking can introduce many different attack vectors into the organization's network. Common attack vectors such as malicious association and ad hoc networks will allow an attacker to spoof a wireless access point (AP), allowing validated systems to connect to the malicious AP and enabling the attacker to monitor and record network traffic. These malicious APs can also serve to create a man-in-the-middle attack or be used to create a denial of service to valid network resources.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-73177SV-87829CCI-001443CCI-001444CCI-002418Configure the system to disable all wireless network interfaces with the following command: ++ ++#nmcli radio wifi offVerify that there are no wireless interfaces configured on the system. ++ ++This is N/A for systems that do not have wireless network adapters. ++ ++Check for the presence of active wireless interfaces with the following command: ++ ++# nmcli device ++DEVICE TYPE STATE ++eth0 ethernet connected ++wlp3s0 wifi disconnected ++lo loopback unmanaged ++ ++If a wireless interface is configured and its use on the system is not documented with the Information System Security Officer (ISSO), this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-010020The Red Hat Enterprise Linux operating system must be configured so that the cryptographic hash of system files and commands matches vendor values.<VulnDiscussion>Without cryptographic integrity protections, system command and files can be altered by unauthorized users without detection. ++ ++Cryptographic mechanisms used for protecting the integrity of information include, for example, signed hash functions using asymmetric cryptography enabling distribution of the public key to verify the hash information while maintaining the confidentiality of the key used to generate the hash.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86479V-71855CCI-001749Run the following command to determine which package owns the file: ++ ++# rpm -qf <filename> ++ ++The package can be reinstalled from a yum repository using the command: ++ ++# sudo yum reinstall <packagename> ++ ++Alternatively, the package can be reinstalled from trusted media using the command: ++ ++# sudo rpm -Uvh <packagename>Verify the cryptographic hash of system files and commands match the vendor values. ++ ++Check the cryptographic hash of system files and commands with the following command: ++ ++Note: System configuration files (indicated by a "c" in the second column) are expected to change over time. Unusual modifications should be investigated through the system audit log. ++ ++# rpm -Va --noconfig | grep '^..5' ++ ++If there is any output from the command for system files or binaries, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-020019The Red Hat Enterprise Linux operating system must have a host-based intrusion detection tool installed.<VulnDiscussion>Adding host-based intrusion detection tools can provide the capability to automatically take actions in response to malicious behavior, which can provide additional agility in reacting to network threats. These tools also often include a reporting capability to provide network awareness of the system, which may not otherwise exist in an organization's systems management regime.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-92255SV-102357CCI-001263Install and enable the latest McAfee HIPS package or McAfee ENSL.Per OPORD 16-0080, the preferred intrusion detection system is McAfee Host Intrusion Prevention System (HIPS) in conjunction with SELinux. McAfee Endpoint Security for Linux (ENSL) is an approved alternative to McAfee Virus Scan Enterprise (VSE) and HIPS. For RHEL 7 systems, SELinux is an approved alternative to McAfee HIPS. ++ ++Procedure: ++Examine the system to determine if the Host Intrusion Prevention System (HIPS) is installed: ++ ++# rpm -qa | grep MFEhiplsm ++ ++Verify that the McAfee HIPS module is active on the system: ++ ++# ps -ef | grep -i “hipclient” ++ ++If the MFEhiplsm package is not installed, check for another intrusion detection system: ++ ++# find / -name <daemon name> ++ ++Where <daemon name> is the name of the primary application daemon to determine if the application is loaded on the system. ++ ++Determine if the application is active on the system: ++ ++# ps -ef | grep -i <daemon name> ++ ++If the MFEhiplsm package is not installed and an alternate host-based intrusion detection application has not been documented for use, this is a finding. ++ ++If no host-based intrusion detection system is installed and running on the system, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-032000The Red Hat Enterprise Linux operating system must use a virus scan program.<VulnDiscussion>Virus scanning software can be used to protect a system from penetration from computer viruses and to limit their spread through intermediate systems. ++ ++The virus scanning software should be configured to perform scans dynamically on accessed files. If this capability is not available, the system must be configured to scan, at a minimum, all altered files on the system on a daily basis. ++ ++If the system processes inbound SMTP mail, the virus scanner must be configured to scan all received mail.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72213SV-86837CCI-001668Install an antivirus solution on the system.Verify an anti-virus solution is installed on the system. The anti-virus solution may be bundled with an approved host-based security solution. ++ ++If there is no anti-virus solution installed on the system, this is a finding.SRG-OS-000029-GPOS-00010<GroupDescription></GroupDescription>RHEL-07-010062The Red Hat Enterprise Linux operating system must prevent a user from overriding the screensaver lock-enabled setting for the graphical user interface.<VulnDiscussion>A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not want to log out because of the temporary nature of the absence. ++ ++The session lock is implemented at the point where session activity can be determined. ++ ++The ability to enable/disable a session lock is given to the user by default. Disabling the user’s ability to disengage the graphical user interface session lock provides the assurance that all sessions will lock after the specified period of time. </VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-78995SV-93701CCI-000057Configure the operating system to prevent a user from overriding a screensaver lock after a 15-minute period of inactivity for graphical user interfaces. ++ ++Create a database to contain the system-wide screensaver settings (if it does not already exist) with the following command: ++ ++Note: The example below is using the database "local" for the system, so if the system is using another database in "/etc/dconf/profile/user", the file should be created under the appropriate subdirectory. ++ ++# touch /etc/dconf/db/local.d/locks/session ++ ++Add the setting to lock the screensaver lock-enabled setting: ++ ++/org/gnome/desktop/screensaver/lock-enabled ++Verify the operating system prevents a user from overriding the screensaver lock-enabled setting for the graphical user interface. ++ ++Note: If the system does not have GNOME installed, this requirement is Not Applicable. The screen program must be installed to lock sessions on the console. ++ ++Determine which profile the system database is using with the following command: ++# grep system-db /etc/dconf/profile/user ++ ++system-db:local ++ ++Check for the lock-enabled setting with the following command: ++ ++Note: The example below is using the database "local" for the system, so the path is "/etc/dconf/db/local.d". This path must be modified if a database other than "local" is being used. ++ ++# grep -i lock-enabled /etc/dconf/db/local.d/locks/* ++ ++/org/gnome/desktop/screensaver/lock-enabled ++ ++If the command does not return a result, this is a finding. ++SRG-OS-000114-GPOS-00059<GroupDescription></GroupDescription>RHEL-07-020111The Red Hat Enterprise Linux operating system must disable the graphical user interface automounter unless required.<VulnDiscussion>Automatically mounting file systems permits easy introduction of unknown devices, thereby facilitating malicious activity. ++ ++Satisfies: SRG-OS-000114-GPOS-00059, SRG-OS-000378-GPOS-00163, SRG-OS-000480-GPOS-00227</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-100023SV-109127CCI-000778CCI-000366CCI-001958Configure the graphical user interface to disable the ability to automount devices. ++ ++Note: The example below is using the database "local" for the system, so the path is "/etc/dconf/db/local.d". This path must be modified if a database other than "local" is being used. ++ ++Create or edit the /etc/dconf/db/local.d/00-No-Automount file and add the following: ++ ++[org/gnome/desktop/media-handling] ++ ++automount=false ++ ++automount-open=false ++ ++autorun-never=true ++ ++Create or edit the /etc/dconf/db/local.d/locks/00-No-Automount file and add the following: ++/org/gnome/desktop/media-handling/automount ++ ++/org/gnome/desktop/media-handling/automount-open ++ ++/org/gnome/desktop/media-handling/autorun-never ++ ++Run the following command to update the database: ++ ++# dconf updateNote: If the operating system does not have a graphical user interface installed, this requirement is Not Applicable. ++ ++Verify the operating system disables the ability to automount devices in a graphical user interface. ++ ++Note: The example below is using the database "local" for the system, so the path is "/etc/dconf/db/local.d". This path must be modified if a database other than "local" is being used. ++ ++Check to see if automounter service is disabled with the following commands: ++# cat /etc/dconf/db/local.d/00-No-Automount ++ ++[org/gnome/desktop/media-handling] ++ ++automount=false ++ ++automount-open=false ++ ++autorun-never=true ++ ++If the output does not match the example above, this is a finding. ++ ++# cat /etc/dconf/db/local.d/locks/00-No-Automount ++ ++/org/gnome/desktop/media-handling/automount ++ ++/org/gnome/desktop/media-handling/automount-open ++ ++/org/gnome/desktop/media-handling/autorun-never ++ ++If the output does not match the example, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-021031The Red Hat Enterprise Linux operating system must be configured so that all world-writable directories are owned by root, sys, bin, or an application user.<VulnDiscussion>If a world-writable directory has the sticky bit set and is not owned by root, sys, bin, or an application User Identifier (UID), unauthorized users may be able to modify files created by others. ++ ++The only authorized public directories are those temporary directories supplied with the system or those designed to be temporary file repositories. The setting is normally reserved for directories used by the system and by users for temporary file storage, (e.g., /tmp), and for directories requiring global read/write access.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899CCI-000366All directories in local partitions which are world-writable should be owned by root or another system account. If any world-writable directories are not owned by a system account, this should be investigated. Following this, the files should be deleted or assigned to an appropriate group.The following command will discover and print world-writable directories that are not owned by a system account, assuming only system accounts have a UID lower than 1000. Run it once for each local partition [PART]: ++ ++# find [PART] -xdev -type d -perm -0002 -uid +999 -print ++ ++If there is output, this is a finding.SRG-OS-000057-GPOS-00027<GroupDescription></GroupDescription>RHEL-07-910055The Red Hat Enterprise Linux operating system must protect audit information from unauthorized read, modification, or deletion.<VulnDiscussion>If audit information were to become compromised, then forensic analysis and discovery of the true source of potentially malicious system activity is impossible to achieve. ++ ++To ensure the veracity of audit information, the operating system must protect audit information from unauthorized modification. ++ ++Audit information includes all information (e.g., audit records, audit settings, audit reports) needed to successfully audit information system activity. ++ ++Satisfies: SRG-OS-000057-GPOS-00027, SRG-OS-000058-GPOS-00028, SRG-OS-000059-GPOS-00029, SRG-OS-000206-GPOS-00084</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899CCI-000162CCI-000163CCI-000164CCI-001314Change the mode of the audit log files with the following command: ++ ++# chmod 0600 [audit_file] ++ ++Change the owner and group owner of the audit log files with the following command: ++ ++# chown root:root [audit_file]Verify the operating system audit records have proper permissions and ownership. ++ ++List the full permissions and ownership of the audit log files with the following command. ++ ++# ls -la /var/log/audit ++total 4512 ++drwx------. 2 root root 23 Apr 25 16:53 . ++drwxr-xr-x. 17 root root 4096 Aug 9 13:09 .. ++-rw-------. 1 root root 8675309 Aug 9 12:54 audit.log ++ ++Audit logs must be mode 0600 or less permissive. ++If any are more permissive, this is a finding. ++ ++The owner and group owner of all audit log files must both be "root". If any other owner or group owner is listed, this is a finding. +\ No newline at end of file diff --git a/SOURCES/scap-security-guide-0.1.54-update_stig_severity-PR_6417.patch b/SOURCES/scap-security-guide-0.1.54-update_stig_severity-PR_6417.patch new file mode 100644 index 0000000..b24a15b --- /dev/null +++ b/SOURCES/scap-security-guide-0.1.54-update_stig_severity-PR_6417.patch @@ -0,0 +1,39 @@ +diff --git a/linux_os/guide/system/auditing/service_auditd_enabled/rule.yml b/linux_os/guide/system/auditing/service_auditd_enabled/rule.yml +index bab42044b..547bd002d 100644 +--- a/linux_os/guide/system/auditing/service_auditd_enabled/rule.yml ++++ b/linux_os/guide/system/auditing/service_auditd_enabled/rule.yml +@@ -18,7 +18,7 @@ rationale: |- + individual system users can be uniquely traced to those users so they + can be held accountable for their actions. + +-severity: high ++severity: medium + + requires: + - package_audit_installed +diff --git a/linux_os/guide/system/selinux/selinux_policytype/rule.yml b/linux_os/guide/system/selinux/selinux_policytype/rule.yml +index d861f5f9e..b57012df9 100644 +--- a/linux_os/guide/system/selinux/selinux_policytype/rule.yml ++++ b/linux_os/guide/system/selinux/selinux_policytype/rule.yml +@@ -25,7 +25,7 @@ rationale: |- + is completed, the system should be reconfigured to + {{{ xccdf_value("var_selinux_policy_name") }}}. + +-severity: high ++severity: medium + + identifiers: + cce@rhel6: CCE-26875-5 +diff --git a/linux_os/guide/system/selinux/selinux_state/rule.yml b/linux_os/guide/system/selinux/selinux_state/rule.yml +index 94ef78d57..d971c1d03 100644 +--- a/linux_os/guide/system/selinux/selinux_state/rule.yml ++++ b/linux_os/guide/system/selinux/selinux_state/rule.yml +@@ -16,7 +16,7 @@ rationale: |- + prevent them from causing damage to the system or further elevating their + privileges. + +-severity: high ++severity: medium + + identifiers: + cce@rhel6: CCE-26969-6 diff --git a/SOURCES/scap-security-guide-0.1.54-update_stig_v3r1-PR_6438.patch b/SOURCES/scap-security-guide-0.1.54-update_stig_v3r1-PR_6438.patch new file mode 100644 index 0000000..fc27eab --- /dev/null +++ b/SOURCES/scap-security-guide-0.1.54-update_stig_v3r1-PR_6438.patch @@ -0,0 +1,1284 @@ +From 19b8891116537d668a82c2ddaec83d05bece7126 Mon Sep 17 00:00:00 2001 +From: Gabriel Becker +Date: Fri, 27 Nov 2020 17:05:22 +0100 +Subject: [PATCH] Bump RHEL7 STIG version to V3R1 and update stig_overlay.xml. + +--- + rhel7/overlays/stig_overlay.xml | 554 ++++++++++++++++---------------- + rhel7/profiles/stig.profile | 4 +- + 2 files changed, 283 insertions(+), 275 deletions(-) + +diff --git a/rhel7/overlays/stig_overlay.xml b/rhel7/overlays/stig_overlay.xml +index 7cd955c977..66ca2bd0d0 100644 +--- a/rhel7/overlays/stig_overlay.xml ++++ b/rhel7/overlays/stig_overlay.xml +@@ -1,975 +1,983 @@ +- ++ + +- +- ++ ++ + + </overlay> + <overlay owner="disastig" ruleid="rpm_verify_hashes" ownerid="RHEL-07-010020" disa="1749" severity="high"> +- <VMSinfo VKey="71855" SVKey="86479" VRelease="4"/> ++ <VMSinfo VKey="214799" SVKey="214799r5059" VRelease="r505924"/> + <title text="The Red Hat Enterprise Linux operating system must be configured so that the cryptographic hash of system files and commands matches vendor values."/> + </overlay> + <overlay owner="disastig" ruleid="dconf_gnome_banner_enabled" ownerid="RHEL-07-010030" disa="48" severity="medium"> +- <VMSinfo VKey="71859" SVKey="86483" VRelease="4"/> ++ <VMSinfo VKey="204393" SVKey="204393r5059" VRelease="r505924"/> + <title text="The Red Hat Enterprise Linux operating system must display the Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via a graphical user logon."/> + </overlay> + <overlay owner="disastig" ruleid="dconf_gnome_login_banner_text" ownerid="RHEL-07-010040" disa="48" severity="medium"> +- <VMSinfo VKey="71861" SVKey="86485" VRelease="5"/> ++ <VMSinfo VKey="204394" SVKey="204394r5059" VRelease="r505924"/> + <title text="The Red Hat Enterprise Linux operating system must display the approved Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via a graphical user logon."/> + </overlay> + <overlay owner="disastig" ruleid="banner_etc_issue" ownerid="RHEL-07-010050" disa="48" severity="medium"> +- <VMSinfo VKey="71863" SVKey="86487" VRelease="3"/> ++ <VMSinfo VKey="204395" SVKey="204395r5059" VRelease="r505924"/> + <title text="The Red Hat Enterprise Linux operating system must display the Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via a command line user logon."/> + </overlay> + <overlay owner="disastig" ruleid="dconf_gnome_screensaver_lock_enabled" ownerid="RHEL-07-010060" disa="56" severity="medium"> +- <VMSinfo VKey="71891" SVKey="86515" VRelease="6"/> ++ <VMSinfo VKey="204396" SVKey="204396r5059" VRelease="r505924"/> + <title text="The Red Hat Enterprise Linux operating system must enable a user session lock until that user re-establishes access using established identification and authentication procedures."/> + </overlay> + <overlay owner="disastig" ruleid="dconf_gnome_enable_smartcard_auth" ownerid="RHEL-07-010061" disa="1954" severity="medium"> +- <VMSinfo VKey="77819" SVKey="92515" VRelease="2"/> ++ <VMSinfo VKey="204397" SVKey="204397r5059" VRelease="r505924"/> + <title text="The Red Hat Enterprise Linux operating system must uniquely identify and must authenticate users using multifactor authentication via a graphical user logon."/> + </overlay> + <overlay owner="disastig" ruleid="dconf_gnome_screensaver_lock_locked" ownerid="RHEL-07-010062" disa="57" severity="medium"> +- <VMSinfo VKey="78995" SVKey="93701" VRelease="3"/> ++ <VMSinfo VKey="214937" SVKey="214937r5059" VRelease="r505924"/> + <title text="The Red Hat Enterprise Linux operating system must prevent a user from overriding the screensaver lock-enabled setting for the graphical user interface."/> + </overlay> + <overlay owner="disastig" ruleid="dconf_gnome_screensaver_idle_delay" ownerid="RHEL-07-010070" disa="57" severity="medium"> +- <VMSinfo VKey="71893" SVKey="86517" VRelease="5"/> ++ <VMSinfo VKey="204398" SVKey="204398r5059" VRelease="r505924"/> + <title text="The Red Hat Enterprise Linux operating system must initiate a screensaver after a 15-minute period of inactivity for graphical user interfaces."/> + </overlay> + <overlay owner="disastig" ruleid="dconf_gnome_screensaver_user_locks" ownerid="RHEL-07-010081" disa="57" severity="medium"> +- <VMSinfo VKey="73155" SVKey="87807" VRelease="4"/> ++ <VMSinfo VKey="204399" SVKey="204399r5059" VRelease="r505924"/> + <title text="The Red Hat Enterprise Linux operating system must prevent a user from overriding the screensaver lock-delay setting for the graphical user interface."/> + </overlay> + <overlay owner="disastig" ruleid="dconf_gnome_session_idle_user_locks" ownerid="RHEL-07-010082" disa="57" severity="medium"> +- <VMSinfo VKey="73157" SVKey="87809" VRelease="4"/> ++ <VMSinfo VKey="204400" SVKey="204400r5059" VRelease="r505924"/> + <title text="The Red Hat Enterprise Linux operating system must prevent a user from overriding the session idle-delay setting for the graphical user interface."/> + </overlay> + <overlay owner="disastig" ruleid="dconf_gnome_screensaver_idle_activation_enabled" ownerid="RHEL-07-010100" disa="57" severity="medium"> +- <VMSinfo VKey="71899" SVKey="86523" VRelease="5"/> ++ <VMSinfo VKey="204402" SVKey="204402r5059" VRelease="r505924"/> + <title text="The Red Hat Enterprise Linux operating system must initiate a session lock for the screensaver after a period of inactivity for graphical user interfaces."/> + </overlay> + <overlay owner="disastig" ruleid="dconf_gnome_screensaver_idle_activation_locked" ownerid="RHEL-07-010101" disa="57" severity="medium"> +- <VMSinfo VKey="78997" SVKey="93703" VRelease="2"/> ++ <VMSinfo VKey="204403" SVKey="204403r5059" VRelease="r505924"/> + <title text="The Red Hat Enterprise Linux operating system must prevent a user from overriding the screensaver idle-activation-enabled setting for the graphical user interface."/> + </overlay> + <overlay owner="disastig" ruleid="dconf_gnome_screensaver_lock_delay" ownerid="RHEL-07-010110" disa="57" severity="medium"> +- <VMSinfo VKey="71901" SVKey="86525" VRelease="3"/> ++ <VMSinfo VKey="204404" SVKey="204404r5059" VRelease="r505924"/> + <title text="The Red Hat Enterprise Linux operating system must initiate a session lock for graphical user interfaces when the screensaver is activated."/> + </overlay> + <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-07-010118" disa="192" severity="medium"> +- <VMSinfo VKey="81003" SVKey="95715" VRelease="1"/> ++ <VMSinfo VKey="204405" SVKey="204405r5059" VRelease="r505924"/> + <title text="The Red Hat Enterprise Linux operating system must be configured so that /etc/pam.d/passwd implements /etc/pam.d/system-auth when changing passwords."/> + </overlay> + <overlay owner="disastig" ruleid="accounts_password_pam_retry" ownerid="RHEL-07-010119" disa="192" severity="medium"> +- <VMSinfo VKey="73159" SVKey="87811" VRelease="4"/> ++ <VMSinfo VKey="204406" SVKey="204406r5059" VRelease="r505924"/> + <title text="The Red Hat Enterprise Linux operating system must be configured so that when passwords are changed or new passwords are established, pwquality must be used."/> + </overlay> + <overlay owner="disastig" ruleid="accounts_password_pam_ucredit" ownerid="RHEL-07-010120" disa="192" severity="medium"> +- <VMSinfo VKey="71903" SVKey="86527" VRelease="3"/> ++ <VMSinfo VKey="204407" SVKey="204407r5059" VRelease="r505924"/> + <title text="The Red Hat Enterprise Linux operating system must be configured so that when passwords are changed or new passwords are established, the new password must contain at least one upper-case character."/> + </overlay> + <overlay owner="disastig" ruleid="accounts_password_pam_lcredit" ownerid="RHEL-07-010130" disa="193" severity="medium"> +- <VMSinfo VKey="71905" SVKey="86529" VRelease="5"/> ++ <VMSinfo VKey="204408" SVKey="204408r5059" VRelease="r505924"/> + <title text="The Red Hat Enterprise Linux operating system must be configured so that when passwords are changed or new passwords are established, the new password must contain at least one lower-case character."/> + </overlay> + <overlay owner="disastig" ruleid="accounts_password_pam_dcredit" ownerid="RHEL-07-010140" disa="194" severity="medium"> +- <VMSinfo VKey="71907" SVKey="86531" VRelease="3"/> ++ <VMSinfo VKey="204409" SVKey="204409r5059" VRelease="r505924"/> + <title text="The Red Hat Enterprise Linux operating system must be configured so that when passwords are changed or new passwords are assigned, the new password must contain at least one numeric character."/> + </overlay> + <overlay owner="disastig" ruleid="accounts_password_pam_ocredit" ownerid="RHEL-07-010150" disa="1619" severity="medium"> +- <VMSinfo VKey="71909" SVKey="86533" VRelease="2"/> ++ <VMSinfo VKey="204410" SVKey="204410r5059" VRelease="r505924"/> + <title text="The Red Hat Enterprise Linux operating system must be configured so that when passwords are changed or new passwords are established, the new password must contain at least one special character."/> + </overlay> + <overlay owner="disastig" ruleid="accounts_password_pam_difok" ownerid="RHEL-07-010160" disa="195" severity="medium"> +- <VMSinfo VKey="71911" SVKey="86535" VRelease="2"/> ++ <VMSinfo VKey="204411" SVKey="204411r5059" VRelease="r505924"/> + <title text="The Red Hat Enterprise Linux operating system must be configured so that when passwords are changed a minimum of eight of the total number of characters must be changed."/> + </overlay> + <overlay owner="disastig" ruleid="accounts_password_pam_minclass" ownerid="RHEL-07-010170" disa="195" severity="medium"> +- <VMSinfo VKey="71913" SVKey="86537" VRelease="2"/> ++ <VMSinfo VKey="204412" SVKey="204412r5059" VRelease="r505924"/> + <title text="The Red Hat Enterprise Linux operating system must be configured so that when passwords are changed a minimum of four character classes must be changed."/> + </overlay> + <overlay owner="disastig" ruleid="accounts_password_pam_maxrepeat" ownerid="RHEL-07-010180" disa="195" severity="medium"> +- <VMSinfo VKey="71915" SVKey="86539" VRelease="3"/> ++ <VMSinfo VKey="204413" SVKey="204413r5059" VRelease="r505924"/> + <title text="The Red Hat Enterprise Linux operating system must be configured so that when passwords are changed the number of repeating consecutive characters must not be more than three characters."/> + </overlay> + <overlay owner="disastig" ruleid="accounts_password_pam_maxclassrepeat" ownerid="RHEL-07-010190" disa="195" severity="medium"> +- <VMSinfo VKey="71917" SVKey="86541" VRelease="2"/> ++ <VMSinfo VKey="204414" SVKey="204414r5059" VRelease="r505924"/> + <title text="The Red Hat Enterprise Linux operating system must be configured so that when passwords are changed the number of repeating characters of the same character class must not be more than four characters."/> + </overlay> + <overlay owner="disastig" ruleid="set_password_hashing_algorithm_systemauth" ownerid="RHEL-07-010200" disa="196" severity="medium"> +- <VMSinfo VKey="71919" SVKey="86543" VRelease="3"/> ++ <VMSinfo VKey="204415" SVKey="204415r5059" VRelease="r505924"/> + <title text="The Red Hat Enterprise Linux operating system must be configured so that the PAM system service is configured to store only encrypted representations of passwords."/> + </overlay> + <overlay owner="disastig" ruleid="set_password_hashing_algorithm_logindefs" ownerid="RHEL-07-010210" disa="196" severity="medium"> +- <VMSinfo VKey="71921" SVKey="86545" VRelease="2"/> ++ <VMSinfo VKey="204416" SVKey="204416r5059" VRelease="r505924"/> + <title text="The Red Hat Enterprise Linux operating system must be configured to use the shadow file to store only encrypted representations of passwords."/> + </overlay> + <overlay owner="disastig" ruleid="set_password_hashing_algorithm_libuserconf" ownerid="RHEL-07-010220" disa="196" severity="medium"> +- <VMSinfo VKey="71923" SVKey="86547" VRelease="3"/> ++ <VMSinfo VKey="204417" SVKey="204417r5059" VRelease="r505924"/> + <title text="The Red Hat Enterprise Linux operating system must be configured so that user and group account administration utilities are configured to store only encrypted representations of passwords."/> + </overlay> + <overlay owner="disastig" ruleid="accounts_minimum_age_login_defs" ownerid="RHEL-07-010230" disa="198" severity="medium"> +- <VMSinfo VKey="71925" SVKey="86549" VRelease="2"/> ++ <VMSinfo VKey="204418" SVKey="204418r5059" VRelease="r505924"/> + <title text="The Red Hat Enterprise Linux operating system must be configured so that passwords for new users are restricted to a 24 hours/1 day minimum lifetime."/> + </overlay> + <overlay owner="disastig" ruleid="accounts_password_set_min_life_existing" ownerid="RHEL-07-010240" disa="198" severity="medium"> +- <VMSinfo VKey="71927" SVKey="86551" VRelease="2"/> ++ <VMSinfo VKey="204419" SVKey="204419r5059" VRelease="r505924"/> + <title text="The Red Hat Enterprise Linux operating system must be configured so that passwords are restricted to a 24 hours/1 day minimum lifetime."/> + </overlay> + <overlay owner="disastig" ruleid="accounts_maximum_age_login_defs" ownerid="RHEL-07-010250" disa="199" severity="medium"> +- <VMSinfo VKey="71929" SVKey="86553" VRelease="2"/> ++ <VMSinfo VKey="204420" SVKey="204420r5059" VRelease="r505924"/> + <title text="The Red Hat Enterprise Linux operating system must be configured so that passwords for new users are restricted to a 60-day maximum lifetime."/> + </overlay> + <overlay owner="disastig" ruleid="accounts_password_set_max_life_existing" ownerid="RHEL-07-010260" disa="199" severity="medium"> +- <VMSinfo VKey="71931" SVKey="86555" VRelease="3"/> ++ <VMSinfo VKey="204421" SVKey="204421r5059" VRelease="r505924"/> + <title text="The Red Hat Enterprise Linux operating system must be configured so that existing passwords are restricted to a 60-day maximum lifetime."/> + </overlay> + <overlay owner="disastig" ruleid="accounts_password_pam_unix_remember" ownerid="RHEL-07-010270" disa="200" severity="medium"> +- <VMSinfo VKey="71933" SVKey="86557" VRelease="3"/> ++ <VMSinfo VKey="204422" SVKey="204422r5059" VRelease="r505924"/> + <title text="The Red Hat Enterprise Linux operating system must be configured so that passwords are prohibited from reuse for a minimum of five generations."/> + </overlay> + <overlay owner="disastig" ruleid="accounts_password_pam_minlen" ownerid="RHEL-07-010280" disa="205" severity="medium"> +- <VMSinfo VKey="71935" SVKey="86559" VRelease="2"/> ++ <VMSinfo VKey="204423" SVKey="204423r5059" VRelease="r505924"/> + <title text="The Red Hat Enterprise Linux operating system must be configured so that passwords are a minimum of 15 characters in length."/> + </overlay> + <overlay owner="disastig" ruleid="no_empty_passwords" ownerid="RHEL-07-010290" disa="366" severity="high"> +- <VMSinfo VKey="71937" SVKey="86561" VRelease="3"/> ++ <VMSinfo VKey="204424" SVKey="204424r5059" VRelease="r505924"/> + <title text="The Red Hat Enterprise Linux operating system must not have accounts configured with blank or null passwords."/> + </overlay> + <overlay owner="disastig" ruleid="sshd_disable_empty_passwords" ownerid="RHEL-07-010300" disa="766" severity="high"> +- <VMSinfo VKey="71939" SVKey="86563" VRelease="3"/> ++ <VMSinfo VKey="204425" SVKey="204425r5059" VRelease="r505924"/> + <title text="The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon does not allow authentication using an empty password."/> + </overlay> + <overlay owner="disastig" ruleid="account_disable_post_pw_expiration" ownerid="RHEL-07-010310" disa="795" severity="medium"> +- <VMSinfo VKey="71941" SVKey="86565" VRelease="2"/> ++ <VMSinfo VKey="204426" SVKey="204426r5059" VRelease="r505924"/> + <title text="The Red Hat Enterprise Linux operating system must disable account identifiers (individuals, groups, roles, and devices) if the password expires."/> + </overlay> +- <overlay owner="disastig" ruleid="accounts_passwords_pam_faillock_interval" ownerid="RHEL-07-010320" disa="2238" severity="medium"> +- <VMSinfo VKey="71943" SVKey="86567" VRelease="6"/> ++ <overlay owner="disastig" ruleid="accounts_passwords_pam_faillock_unlock_time" ownerid="RHEL-07-010320" disa="2238" severity="medium"> ++ <VMSinfo VKey="204427" SVKey="204427r5059" VRelease="r505924"/> + <title text="The Red Hat Enterprise Linux operating system must be configured to lock accounts for a minimum of 15 minutes after three unsuccessful logon attempts within a 15-minute timeframe."/> + </overlay> + <overlay owner="disastig" ruleid="accounts_passwords_pam_faillock_deny_root" ownerid="RHEL-07-010330" disa="2238" severity="medium"> +- <VMSinfo VKey="71945" SVKey="86569" VRelease="4"/> ++ <VMSinfo VKey="204428" SVKey="204428r5059" VRelease="r505924"/> + <title text="The Red Hat Enterprise Linux operating system must lock the associated account after three unsuccessful root logon attempts are made within a 15-minute period."/> + </overlay> + <overlay owner="disastig" ruleid="sudo_remove_nopasswd" ownerid="RHEL-07-010340" disa="2038" severity="medium"> +- <VMSinfo VKey="71947" SVKey="86571" VRelease="3"/> ++ <VMSinfo VKey="204429" SVKey="204429r5059" VRelease="r505924"/> + <title text="The Red Hat Enterprise Linux operating system must be configured so that users must provide a password for privilege escalation."/> + </overlay> + <overlay owner="disastig" ruleid="sudo_remove_no_authenticate" ownerid="RHEL-07-010350" disa="2038" severity="medium"> +- <VMSinfo VKey="71949" SVKey="86573" VRelease="3"/> ++ <VMSinfo VKey="204430" SVKey="204430r5059" VRelease="r505924"/> + <title text="The Red Hat Enterprise Linux operating system must be configured so that users must re-authenticate for privilege escalation."/> + </overlay> + <overlay owner="disastig" ruleid="accounts_logon_fail_delay" ownerid="RHEL-07-010430" disa="366" severity="medium"> +- <VMSinfo VKey="71951" SVKey="86575" VRelease="2"/> ++ <VMSinfo VKey="204431" SVKey="204431r5059" VRelease="r505924"/> + <title text="The Red Hat Enterprise Linux operating system must be configured so that the delay between logon prompts following a failed console logon attempt is at least four seconds."/> + </overlay> + <overlay owner="disastig" ruleid="gnome_gdm_disable_automatic_login" ownerid="RHEL-07-010440" disa="366" severity="high"> +- <VMSinfo VKey="71953" SVKey="86577" VRelease="2"/> ++ <VMSinfo VKey="204432" SVKey="204432r5059" VRelease="r505924"/> + <title text="The Red Hat Enterprise Linux operating system must not allow an unattended or automatic logon to the system via a graphical user interface."/> + </overlay> + <overlay owner="disastig" ruleid="gnome_gdm_disable_guest_login" ownerid="RHEL-07-010450" disa="366" severity="high"> +- <VMSinfo VKey="71955" SVKey="86579" VRelease="3"/> ++ <VMSinfo VKey="204433" SVKey="204433r5059" VRelease="r505924"/> + <title text="The Red Hat Enterprise Linux operating system must not allow an unrestricted logon to the system."/> + </overlay> + <overlay owner="disastig" ruleid="sshd_do_not_permit_user_env" ownerid="RHEL-07-010460" disa="366" severity="medium"> +- <VMSinfo VKey="71957" SVKey="86581" VRelease="3"/> ++ <VMSinfo VKey="204434" SVKey="204434r5059" VRelease="r505924"/> + <title text="The Red Hat Enterprise Linux operating system must not allow users to override SSH environment variables."/> + </overlay> + <overlay owner="disastig" ruleid="disable_host_auth" ownerid="RHEL-07-010470" disa="366" severity="medium"> +- <VMSinfo VKey="71959" SVKey="86583" VRelease="3"/> ++ <VMSinfo VKey="204435" SVKey="204435r5059" VRelease="r505924"/> + <title text="The Red Hat Enterprise Linux operating system must not allow a non-certificate trusted host SSH logon to the system."/> + </overlay> + <overlay owner="disastig" ruleid="grub2_admin_username" ownerid="RHEL-07-010480" disa="213" severity="high"> +- <VMSinfo VKey="71961" SVKey="86585" VRelease="6"/> ++ <VMSinfo VKey="204436" SVKey="204436r5059" VRelease="r505924"/> + <title text="Red Hat Enterprise Linux operating systems prior to version 7.2 with a Basic Input/Output System (BIOS) must require authentication upon booting into single-user and maintenance modes."/> + </overlay> +- <overlay owner="disastig" ruleid="require_singleuser_auth" ownerid="RHEL-07-010481" disa="213" severity="medium"> +- <VMSinfo VKey="77823" SVKey="92519" VRelease="2"/> ++ <overlay owner="disastig" ruleid="require_emergency_target_auth" ownerid="RHEL-07-010481" disa="213" severity="medium"> ++ <VMSinfo VKey="204437" SVKey="204437r5059" VRelease="r505924"/> + <title text="The Red Hat Enterprise Linux operating system must require authentication upon booting into single-user and maintenance modes."/> + </overlay> + <overlay owner="disastig" ruleid="grub2_password" ownerid="RHEL-07-010482" disa="213" severity="high"> +- <VMSinfo VKey="81005" SVKey="95717" VRelease="1"/> ++ <VMSinfo VKey="204438" SVKey="204438r5059" VRelease="r505924"/> + <title text="Red Hat Enterprise Linux operating systems version 7.2 or newer with a Basic Input/Output System (BIOS) must require authentication upon booting into single-user and maintenance modes."/> + </overlay> + <overlay owner="disastig" ruleid="grub2_uefi_admin_username" ownerid="RHEL-07-010490" disa="213" severity="high"> +- <VMSinfo VKey="71963" SVKey="86587" VRelease="4"/> ++ <VMSinfo VKey="204439" SVKey="204439r5059" VRelease="r505924"/> + <title text="Red Hat Enterprise Linux operating systems prior to version 7.2 using Unified Extensible Firmware Interface (UEFI) must require authentication upon booting into single-user and maintenance modes."/> + </overlay> + <overlay owner="disastig" ruleid="grub2_uefi_password" ownerid="RHEL-07-010491" disa="213" severity="high"> +- <VMSinfo VKey="81007" SVKey="95719" VRelease="1"/> ++ <VMSinfo VKey="204440" SVKey="204440r5059" VRelease="r505924"/> + <title text="Red Hat Enterprise Linux operating systems version 7.2 or newer using Unified Extensible Firmware Interface (UEFI) must require authentication upon booting into single-user and maintenance modes."/> + </overlay> + <overlay owner="disastig" ruleid="smartcard_auth" ownerid="RHEL-07-010500" disa="766" severity="medium"> +- <VMSinfo VKey="71965" SVKey="86589" VRelease="2"/> ++ <VMSinfo VKey="204441" SVKey="204441r5059" VRelease="r505924"/> + <title text="The Red Hat Enterprise Linux operating system must uniquely identify and must authenticate organizational users (or processes acting on behalf of organizational users) using multifactor authentication."/> + </overlay> + <overlay owner="disastig" ruleid="package_rsh-server_removed" ownerid="RHEL-07-020000" disa="381" severity="high"> +- <VMSinfo VKey="71967" SVKey="86591" VRelease="2"/> ++ <VMSinfo VKey="204442" SVKey="204442r5059" VRelease="r505924"/> + <title text="The Red Hat Enterprise Linux operating system must not have the rsh-server package installed."/> + </overlay> + <overlay owner="disastig" ruleid="package_ypserv_removed" ownerid="RHEL-07-020010" disa="381" severity="high"> +- <VMSinfo VKey="71969" SVKey="86593" VRelease="2"/> ++ <VMSinfo VKey="204443" SVKey="204443r5059" VRelease="r505924"/> + <title text="The Red Hat Enterprise Linux operating system must not have the ypserv package installed."/> + </overlay> +- <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-07-020019" disa="1263" severity="medium"> +- <VMSinfo VKey="92255" SVKey="102357" VRelease="r2"/> ++ <overlay owner="disastig" ruleid="package_MFEhiplsm_installed" ownerid="RHEL-07-020019" disa="1263" severity="medium"> ++ <VMSinfo VKey="214800" SVKey="214800r5059" VRelease="r505924"/> + <title text="The Red Hat Enterprise Linux operating system must have a host-based intrusion detection tool installed."/> + </overlay> + <overlay owner="disastig" ruleid="selinux_user_login_roles" ownerid="RHEL-07-020020" disa="2235" severity="medium"> +- <VMSinfo VKey="71971" SVKey="86595" VRelease="4"/> ++ <VMSinfo VKey="204444" SVKey="204444r5059" VRelease="r505924"/> + <title text="The Red Hat Enterprise Linux operating system must prevent non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures."/> + </overlay> + <overlay owner="disastig" ruleid="aide_periodic_cron_checking" ownerid="RHEL-07-020030" disa="1744" severity="medium"> +- <VMSinfo VKey="71973" SVKey="86597" VRelease="2"/> ++ <VMSinfo VKey="204445" SVKey="204445r5059" VRelease="r505924"/> + <title text="The Red Hat Enterprise Linux operating system must be configured so that a file integrity tool verifies the baseline operating system configuration at least weekly."/> + </overlay> + <overlay owner="disastig" ruleid="aide_scan_notification" ownerid="RHEL-07-020040" disa="1744" severity="medium"> +- <VMSinfo VKey="71975" SVKey="86599" VRelease="2"/> ++ <VMSinfo VKey="204446" SVKey="204446r5059" VRelease="r505924"/> + <title text="The Red Hat Enterprise Linux operating system must be configured so that designated personnel are notified if baseline configurations are changed in an unauthorized manner."/> + </overlay> + <overlay owner="disastig" ruleid="ensure_gpgcheck_globally_activated" ownerid="RHEL-07-020050" disa="1749" severity="high"> +- <VMSinfo VKey="71977" SVKey="86601" VRelease="2"/> ++ <VMSinfo VKey="204447" SVKey="204447r5059" VRelease="r505924"/> + <title text="The Red Hat Enterprise Linux operating system must prevent the installation of software, patches, service packs, device drivers, or operating system components from a repository without verification they have been digitally signed using a certificate that is issued by a Certificate Authority (CA) that is recognized and approved by the organization."/> + </overlay> + <overlay owner="disastig" ruleid="ensure_gpgcheck_local_packages" ownerid="RHEL-07-020060" disa="1749" severity="high"> +- <VMSinfo VKey="71979" SVKey="86603" VRelease="2"/> ++ <VMSinfo VKey="204448" SVKey="204448r5059" VRelease="r505924"/> + <title text="The Red Hat Enterprise Linux operating system must prevent the installation of software, patches, service packs, device drivers, or operating system components of local packages without verification they have been digitally signed using a certificate that is issued by a Certificate Authority (CA) that is recognized and approved by the organization."/> + </overlay> + <overlay owner="disastig" ruleid="kernel_module_usb-storage_disabled" ownerid="RHEL-07-020100" disa="1958" severity="medium"> +- <VMSinfo VKey="71983" SVKey="86607" VRelease="5"/> ++ <VMSinfo VKey="204449" SVKey="204449r5059" VRelease="r505924"/> + <title text="The Red Hat Enterprise Linux operating system must be configured to disable USB mass storage."/> + </overlay> + <overlay owner="disastig" ruleid="kernel_module_dccp_disabled" ownerid="RHEL-07-020101" disa="1958" severity="medium"> +- <VMSinfo VKey="77821" SVKey="92517" VRelease="3"/> ++ <VMSinfo VKey="204450" SVKey="204450r5059" VRelease="r505924"/> + <title text="The Red Hat Enterprise Linux operating system must be configured so that the Datagram Congestion Control Protocol (DCCP) kernel module is disabled unless required."/> + </overlay> + <overlay owner="disastig" ruleid="service_autofs_disabled" ownerid="RHEL-07-020110" disa="1958" severity="medium"> +- <VMSinfo VKey="71985" SVKey="86609" VRelease="2"/> ++ <VMSinfo VKey="204451" SVKey="204451r5059" VRelease="r505924"/> + <title text="The Red Hat Enterprise Linux operating system must disable the file system automounter unless required."/> + </overlay> + <overlay owner="disastig" ruleid="kernel_module_usb-storage_disabled" ownerid="RHEL-07-020111" disa="1958" severity="medium"> +- <VMSinfo VKey="100023" SVKey="109127" VRelease="r1"/> ++ <VMSinfo VKey="219059" SVKey="219059r5059" VRelease="r505924"/> + <title text="The Red Hat Enterprise Linux operating system must disable the graphical user interface automounter unless required."/> + </overlay> + <overlay owner="disastig" ruleid="clean_components_post_updating" ownerid="RHEL-07-020200" disa="2617" severity="low"> +- <VMSinfo VKey="71987" SVKey="86611" VRelease="2"/> ++ <VMSinfo VKey="204452" SVKey="204452r5059" VRelease="r505924"/> + <title text="The Red Hat Enterprise Linux operating system must remove all software components after updated versions have been installed."/> + </overlay> +- <overlay owner="disastig" ruleid="selinux_state" ownerid="RHEL-07-020210" disa="2696" severity="high"> +- <VMSinfo VKey="71989" SVKey="86613" VRelease="4"/> ++ <overlay owner="disastig" ruleid="selinux_state" ownerid="RHEL-07-020210" disa="2165" severity="medium"> ++ <VMSinfo VKey="204453" SVKey="204453r5059" VRelease="r505924"/> + <title text="The Red Hat Enterprise Linux operating system must enable SELinux."/> + </overlay> +- <overlay owner="disastig" ruleid="selinux_policytype" ownerid="RHEL-07-020220" disa="2696" severity="high"> +- <VMSinfo VKey="71991" SVKey="86615" VRelease="6"/> ++ <overlay owner="disastig" ruleid="selinux_policytype" ownerid="RHEL-07-020220" disa="2165" severity="medium"> ++ <VMSinfo VKey="204454" SVKey="204454r5059" VRelease="r505924"/> + <title text="The Red Hat Enterprise Linux operating system must enable the SELinux targeted policy."/> + </overlay> + <overlay owner="disastig" ruleid="disable_ctrlaltdel_reboot" ownerid="RHEL-07-020230" disa="366" severity="high"> +- <VMSinfo VKey="71993" SVKey="86617" VRelease="5"/> ++ <VMSinfo VKey="204455" SVKey="204455r5059" VRelease="r505924"/> + <title text="The Red Hat Enterprise Linux operating system must be configured so that the x86 Ctrl-Alt-Delete key sequence is disabled on the command line."/> + </overlay> + <overlay owner="disastig" ruleid="dconf_gnome_disable_ctrlaltdel_reboot" ownerid="RHEL-07-020231" disa="366" severity="high"> +- <VMSinfo VKey="94843" SVKey="104673" VRelease="r2"/> ++ <VMSinfo VKey="204456" SVKey="204456r5059" VRelease="r505924"/> + <title text="The Red Hat Enterprise Linux operating system must be configured so that the x86 Ctrl-Alt-Delete key sequence is disabled in the Graphical User Interface."/> + </overlay> + <overlay owner="disastig" ruleid="accounts_umask_etc_login_defs" ownerid="RHEL-07-020240" disa="366" severity="medium"> +- <VMSinfo VKey="71995" SVKey="86619" VRelease="2"/> ++ <VMSinfo VKey="204457" SVKey="204457r5059" VRelease="r505924"/> + <title text="The Red Hat Enterprise Linux operating system must define default permissions for all authenticated users in such a way that the user can only read and modify their own files."/> + </overlay> + <overlay owner="disastig" ruleid="installed_OS_is_vendor_supported" ownerid="RHEL-07-020250" disa="366" severity="high"> +- <VMSinfo VKey="71997" SVKey="86621" VRelease="6"/> ++ <VMSinfo VKey="204458" SVKey="204458r5059" VRelease="r505924"/> + <title text="The Red Hat Enterprise Linux operating system must be a vendor supported release."/> + </overlay> + <overlay owner="disastig" ruleid="security_patches_up_to_date" ownerid="RHEL-07-020260" disa="366" severity="medium"> +- <VMSinfo VKey="71999" SVKey="86623" VRelease="4"/> ++ <VMSinfo VKey="204459" SVKey="204459r5059" VRelease="r505924"/> + <title text="The Red Hat Enterprise Linux operating system security patches and updates must be installed and up to date."/> + </overlay> + <overlay owner="disastig" ruleid="sshd_disable_root_login" ownerid="RHEL-07-020270" disa="366" severity="medium"> +- <VMSinfo VKey="72001" SVKey="86625" VRelease="2"/> ++ <VMSinfo VKey="204460" SVKey="204460r5059" VRelease="r505924"/> + <title text="The Red Hat Enterprise Linux operating system must not have unnecessary accounts."/> + </overlay> + <overlay owner="disastig" ruleid="gid_passwd_group_same" ownerid="RHEL-07-020300" disa="764" severity="low"> +- <VMSinfo VKey="72003" SVKey="86627" VRelease="2"/> ++ <VMSinfo VKey="204461" SVKey="204461r5059" VRelease="r505924"/> + <title text="The Red Hat Enterprise Linux operating system must be configured so that all Group Identifiers (GIDs) referenced in the /etc/passwd file are defined in the /etc/group file."/> + </overlay> + <overlay owner="disastig" ruleid="accounts_no_uid_except_zero" ownerid="RHEL-07-020310" disa="366" severity="high"> +- <VMSinfo VKey="72005" SVKey="86629" VRelease="2"/> ++ <VMSinfo VKey="204462" SVKey="204462r5059" VRelease="r505924"/> + <title text="The Red Hat Enterprise Linux operating system must be configured so that the root account must be the only account having unrestricted access to the system."/> + </overlay> + <overlay owner="disastig" ruleid="no_files_unowned_by_user" ownerid="RHEL-07-020320" disa="2165" severity="medium"> +- <VMSinfo VKey="72007" SVKey="86631" VRelease="3"/> ++ <VMSinfo VKey="204463" SVKey="204463r5059" VRelease="r505924"/> + <title text="The Red Hat Enterprise Linux operating system must be configured so that all files and directories have a valid owner."/> + </overlay> + <overlay owner="disastig" ruleid="file_permissions_ungroupowned" ownerid="RHEL-07-020330" disa="2165" severity="medium"> +- <VMSinfo VKey="72009" SVKey="86633" VRelease="3"/> ++ <VMSinfo VKey="204464" SVKey="204464r5059" VRelease="r505924"/> + <title text="The Red Hat Enterprise Linux operating system must be configured so that all files and directories have a valid group owner."/> + </overlay> + <overlay owner="disastig" ruleid="accounts_have_homedir_login_defs" ownerid="RHEL-07-020610" disa="366" severity="medium"> +- <VMSinfo VKey="72013" SVKey="86637" VRelease="2"/> ++ <VMSinfo VKey="204466" SVKey="204466r5059" VRelease="r505924"/> + <title text="The Red Hat Enterprise Linux operating system must be configured so that all local interactive user accounts, upon creation, are assigned a home directory."/> + </overlay> + <overlay owner="disastig" ruleid="accounts_user_interactive_home_directory_exists" ownerid="RHEL-07-020620" disa="366" severity="medium"> +- <VMSinfo VKey="72015" SVKey="86639" VRelease="3"/> ++ <VMSinfo VKey="204467" SVKey="204467r5059" VRelease="r505924"/> + <title text="The Red Hat Enterprise Linux operating system must be configured so that all local interactive users have a home directory assigned and defined in the /etc/passwd file."/> + </overlay> + <overlay owner="disastig" ruleid="file_permissions_home_directories" ownerid="RHEL-07-020630" disa="366" severity="medium"> +- <VMSinfo VKey="72017" SVKey="86641" VRelease="3"/> ++ <VMSinfo VKey="204468" SVKey="204468r5059" VRelease="r505924"/> + <title text="The Red Hat Enterprise Linux operating system must be configured so that all local interactive user home directories have mode 0750 or less permissive."/> + </overlay> + <overlay owner="disastig" ruleid="file_ownership_home_directories" ownerid="RHEL-07-020640" disa="366" severity="medium"> +- <VMSinfo VKey="72019" SVKey="86643" VRelease="5"/> ++ <VMSinfo VKey="204469" SVKey="204469r5059" VRelease="r505924"/> + <title text="The Red Hat Enterprise Linux operating system must be configured so that all local interactive user home directories are owned by their respective users."/> + </overlay> + <overlay owner="disastig" ruleid="file_groupownership_home_directories" ownerid="RHEL-07-020650" disa="366" severity="medium"> +- <VMSinfo VKey="72021" SVKey="86645" VRelease="5"/> ++ <VMSinfo VKey="204470" SVKey="204470r5059" VRelease="r505924"/> + <title text="The Red Hat Enterprise Linux operating system must be configured so that all local interactive user home directories are group-owned by the home directory owners primary group."/> + </overlay> + <overlay owner="disastig" ruleid="accounts_users_home_files_ownership" ownerid="RHEL-07-020660" disa="366" severity="medium"> +- <VMSinfo VKey="72023" SVKey="86647" VRelease="2"/> ++ <VMSinfo VKey="204471" SVKey="204471r5059" VRelease="r505924"/> + <title text="The Red Hat Enterprise Linux operating system must be configured so that all files and directories contained in local interactive user home directories are owned by the owner of the home directory."/> + </overlay> + <overlay owner="disastig" ruleid="accounts_users_home_files_groupownership" ownerid="RHEL-07-020670" disa="366" severity="medium"> +- <VMSinfo VKey="72025" SVKey="86649" VRelease="2"/> ++ <VMSinfo VKey="204472" SVKey="204472r5059" VRelease="r505924"/> + <title text="The Red Hat Enterprise Linux operating system must be configured so that all files and directories contained in local interactive user home directories are group-owned by a group of which the home directory owner is a member."/> + </overlay> + <overlay owner="disastig" ruleid="accounts_users_home_files_permissions" ownerid="RHEL-07-020680" disa="366" severity="medium"> +- <VMSinfo VKey="72027" SVKey="86651" VRelease="2"/> ++ <VMSinfo VKey="204473" SVKey="204473r5059" VRelease="r505924"/> + <title text="The Red Hat Enterprise Linux operating system must be configured so that all files and directories contained in local interactive user home directories have a mode of 0750 or less permissive."/> + </overlay> + <overlay owner="disastig" ruleid="accounts_user_dot_user_ownership" ownerid="RHEL-07-020690" disa="366" severity="medium"> +- <VMSinfo VKey="72029" SVKey="86653" VRelease="4"/> ++ <VMSinfo VKey="204474" SVKey="204474r5059" VRelease="r505924"/> + <title text="The Red Hat Enterprise Linux operating system must be configured so that all local initialization files for interactive users are owned by the home directory user or root."/> + </overlay> + <overlay owner="disastig" ruleid="accounts_user_dot_group_ownership" ownerid="RHEL-07-020700" disa="366" severity="medium"> +- <VMSinfo VKey="72031" SVKey="86655" VRelease="4"/> ++ <VMSinfo VKey="204475" SVKey="204475r5059" VRelease="r505924"/> + <title text="The Red Hat Enterprise Linux operating system must be configured so that all local initialization files for local interactive users are be group-owned by the users primary group or root."/> + </overlay> + <overlay owner="disastig" ruleid="file_permission_user_init_files" ownerid="RHEL-07-020710" disa="366" severity="medium"> +- <VMSinfo VKey="72033" SVKey="86657" VRelease="3"/> ++ <VMSinfo VKey="204476" SVKey="204476r5059" VRelease="r505924"/> + <title text="The Red Hat Enterprise Linux operating system must be configured so that all local initialization files have mode 0740 or less permissive."/> + </overlay> + <overlay owner="disastig" ruleid="accounts_user_home_paths_only" ownerid="RHEL-07-020720" disa="366" severity="medium"> +- <VMSinfo VKey="72035" SVKey="86659" VRelease="4"/> ++ <VMSinfo VKey="204477" SVKey="204477r5059" VRelease="r505924"/> + <title text="The Red Hat Enterprise Linux operating system must be configured so that all local interactive user initialization files executable search paths contain only paths that resolve to the users home directory."/> + </overlay> + <overlay owner="disastig" ruleid="accounts_user_dot_no_world_writable_programs" ownerid="RHEL-07-020730" disa="366" severity="medium"> +- <VMSinfo VKey="72037" SVKey="86661" VRelease="2"/> ++ <VMSinfo VKey="204478" SVKey="204478r5059" VRelease="r505924"/> + <title text="The Red Hat Enterprise Linux operating system must be configured so that local initialization files do not execute world-writable programs."/> + </overlay> +- <overlay owner="disastig" ruleid="selinux_all_devicefiles_labeled" ownerid="RHEL-07-020900" disa="1814" severity="medium"> +- <VMSinfo VKey="72039" SVKey="86663" VRelease="2"/> ++ <overlay owner="disastig" ruleid="selinux_all_devicefiles_labeled" ownerid="RHEL-07-020900" disa="1812" severity="medium"> ++ <VMSinfo VKey="204479" SVKey="204479r5059" VRelease="r505924"/> + <title text="The Red Hat Enterprise Linux operating system must be configured so that all system device files are correctly labeled to prevent unauthorized modification."/> + </overlay> + <overlay owner="disastig" ruleid="mount_option_home_nosuid" ownerid="RHEL-07-021000" disa="366" severity="medium"> +- <VMSinfo VKey="72041" SVKey="86665" VRelease="4"/> ++ <VMSinfo VKey="204480" SVKey="204480r5059" VRelease="r505924"/> + <title text="The Red Hat Enterprise Linux operating system must be configured so that file systems containing user home directories are mounted to prevent files with the setuid and setgid bit set from being executed."/> + </overlay> + <overlay owner="disastig" ruleid="mount_option_nosuid_removable_partitions" ownerid="RHEL-07-021010" disa="366" severity="medium"> +- <VMSinfo VKey="72043" SVKey="86667" VRelease="2"/> ++ <VMSinfo VKey="204481" SVKey="204481r5059" VRelease="r505924"/> + <title text="The Red Hat Enterprise Linux operating system must prevent files with the setuid and setgid bit set from being executed on file systems that are used with removable media."/> + </overlay> + <overlay owner="disastig" ruleid="mount_option_nosuid_remote_filesystems" ownerid="RHEL-07-021020" disa="366" severity="medium"> +- <VMSinfo VKey="72045" SVKey="86669" VRelease="2"/> ++ <VMSinfo VKey="204482" SVKey="204482r5059" VRelease="r505924"/> + <title text="The Red Hat Enterprise Linux operating system must prevent files with the setuid and setgid bit set from being executed on file systems that are being imported via Network File System (NFS)."/> + </overlay> + <overlay owner="disastig" ruleid="mount_option_noexec_remote_filesystems" ownerid="RHEL-07-021021" disa="366" severity="medium"> +- <VMSinfo VKey="73161" SVKey="87813" VRelease="2"/> ++ <VMSinfo VKey="204483" SVKey="204483r5059" VRelease="r505924"/> + <title text="The Red Hat Enterprise Linux operating system must prevent binary files from being executed on file systems that are being imported via Network File System (NFS)."/> + </overlay> + <overlay owner="disastig" ruleid="mount_option_dev_shm_noexec" ownerid="RHEL-07-021024" disa="1764" severity="low"> +- <VMSinfo VKey="81013" SVKey="95725" VRelease="3"/> ++ <VMSinfo VKey="204486" SVKey="204486r5059" VRelease="r505924"/> + <title text="The Red Hat Enterprise Linux operating system must mount /dev/shm with secure options."/> + </overlay> +- <overlay owner="disastig" ruleid="dir_perms_world_writable_system_owned" ownerid="RHEL-07-021030" disa="366" severity="medium"> +- <VMSinfo VKey="72047" SVKey="86671" VRelease="4"/> ++ <overlay owner="disastig" ruleid="dir_perms_world_writable_system_owned_group" ownerid="RHEL-07-021030" disa="366" severity="medium"> ++ <VMSinfo VKey="204487" SVKey="204487r5059" VRelease="r505924"/> + <title text="The Red Hat Enterprise Linux operating system must be configured so that all world-writable directories are group-owned by root, sys, bin, or an application group."/> + </overlay> ++ <overlay owner="disastig" ruleid="dir_perms_world_writable_system_owned" ownerid="RHEL-07-021031" disa="366" severity="medium"> ++ <VMSinfo VKey="228563" SVKey="228563r5059" VRelease="r505924"/> ++ <title text="The Red Hat Enterprise Linux operating system must be configured so that all world-writable directories are owned by root, sys, bin, or an application user."/> ++ </overlay> + <overlay owner="disastig" ruleid="accounts_umask_interactive_users" ownerid="RHEL-07-021040" disa="1814" severity="medium"> +- <VMSinfo VKey="72049" SVKey="86673" VRelease="2"/> ++ <VMSinfo VKey="204488" SVKey="204488r5059" VRelease="r505924"/> + <title text="The Red Hat Enterprise Linux operating system must set the umask value to 077 for all local interactive user accounts."/> + </overlay> + <overlay owner="disastig" ruleid="rsyslog_cron_logging" ownerid="RHEL-07-021100" disa="366" severity="medium"> +- <VMSinfo VKey="72051" SVKey="86675" VRelease="2"/> ++ <VMSinfo VKey="204489" SVKey="204489r5059" VRelease="r505924"/> + <title text="The Red Hat Enterprise Linux operating system must have cron logging implemented."/> + </overlay> + <overlay owner="disastig" ruleid="file_owner_cron_allow" ownerid="RHEL-07-021110" disa="366" severity="medium"> +- <VMSinfo VKey="72053" SVKey="86677" VRelease="3"/> ++ <VMSinfo VKey="204490" SVKey="204490r5059" VRelease="r505924"/> + <title text="The Red Hat Enterprise Linux operating system must be configured so that the cron.allow file, if it exists, is owned by root."/> + </overlay> + <overlay owner="disastig" ruleid="file_groupowner_cron_allow" ownerid="RHEL-07-021120" disa="366" severity="medium"> +- <VMSinfo VKey="72055" SVKey="86679" VRelease="2"/> ++ <VMSinfo VKey="204491" SVKey="204491r5059" VRelease="r505924"/> + <title text="The Red Hat Enterprise Linux operating system must be configured so that the cron.allow file, if it exists, is group-owned by root."/> + </overlay> + <overlay owner="disastig" ruleid="service_kdump_disabled" ownerid="RHEL-07-021300" disa="366" severity="medium"> +- <VMSinfo VKey="72057" SVKey="86681" VRelease="2"/> ++ <VMSinfo VKey="204492" SVKey="204492r5059" VRelease="r505924"/> + <title text="The Red Hat Enterprise Linux operating system must disable Kernel core dumps unless needed."/> + </overlay> + <overlay owner="disastig" ruleid="partition_for_home" ownerid="RHEL-07-021310" disa="366" severity="low"> +- <VMSinfo VKey="72059" SVKey="86683" VRelease="2"/> ++ <VMSinfo VKey="204493" SVKey="204493r5059" VRelease="r505924"/> + <title text="The Red Hat Enterprise Linux operating system must be configured so that a separate file system is used for user home directories (such as /home or an equivalent)."/> + </overlay> + <overlay owner="disastig" ruleid="partition_for_var" ownerid="RHEL-07-021320" disa="366" severity="low"> +- <VMSinfo VKey="72061" SVKey="86685" VRelease="2"/> ++ <VMSinfo VKey="204494" SVKey="204494r5059" VRelease="r505924"/> + <title text="The Red Hat Enterprise Linux operating system must use a separate file system for /var."/> + </overlay> + <overlay owner="disastig" ruleid="partition_for_var_log_audit" ownerid="RHEL-07-021330" disa="366" severity="low"> +- <VMSinfo VKey="72063" SVKey="86687" VRelease="6"/> ++ <VMSinfo VKey="204495" SVKey="204495r5059" VRelease="r505924"/> + <title text="The Red Hat Enterprise Linux operating system must use a separate file system for the system audit data path."/> + </overlay> + <overlay owner="disastig" ruleid="partition_for_tmp" ownerid="RHEL-07-021340" disa="366" severity="low"> +- <VMSinfo VKey="72065" SVKey="86689" VRelease="3"/> ++ <VMSinfo VKey="204496" SVKey="204496r5059" VRelease="r505924"/> + <title text="The Red Hat Enterprise Linux operating system must use a separate file system for /tmp (or equivalent)."/> + </overlay> + <overlay owner="disastig" ruleid="grub2_enable_fips_mode" ownerid="RHEL-07-021350" disa="2476" severity="high"> +- <VMSinfo VKey="72067" SVKey="86691" VRelease="4"/> ++ <VMSinfo VKey="204497" SVKey="204497r5059" VRelease="r505924"/> + <title text="The Red Hat Enterprise Linux operating system must implement NIST FIPS-validated cryptography for the following: to provision digital signatures, to generate cryptographic hashes, and to protect data requiring data-at-rest protections in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards."/> + </overlay> + <overlay owner="disastig" ruleid="aide_verify_acls" ownerid="RHEL-07-021600" disa="366" severity="low"> +- <VMSinfo VKey="72069" SVKey="86693" VRelease="3"/> ++ <VMSinfo VKey="204498" SVKey="204498r5059" VRelease="r505924"/> + <title text="The Red Hat Enterprise Linux operating system must be configured so that the file integrity tool is configured to verify Access Control Lists (ACLs)."/> + </overlay> + <overlay owner="disastig" ruleid="aide_verify_ext_attributes" ownerid="RHEL-07-021610" disa="366" severity="low"> +- <VMSinfo VKey="72071" SVKey="86695" VRelease="3"/> ++ <VMSinfo VKey="204499" SVKey="204499r5059" VRelease="r505924"/> + <title text="The Red Hat Enterprise Linux operating system must be configured so that the file integrity tool is configured to verify extended attributes."/> + </overlay> + <overlay owner="disastig" ruleid="aide_use_fips_hashes" ownerid="RHEL-07-021620" disa="366" severity="medium"> +- <VMSinfo VKey="72073" SVKey="86697" VRelease="4"/> ++ <VMSinfo VKey="204500" SVKey="204500r5059" VRelease="r505924"/> + <title text="The Red Hat Enterprise Linux operating system must use a file integrity tool that is configured to use FIPS 140-2 approved cryptographic hashes for validating file contents and directories."/> + </overlay> +- <overlay owner="disastig" ruleid="uefi_no_removeable_media" ownerid="RHEL-07-021700" disa="1814" severity="medium"> +- <VMSinfo VKey="72075" SVKey="86699" VRelease="2"/> ++ <overlay owner="disastig" ruleid="uefi_no_removeable_media" ownerid="RHEL-07-021700" disa="1812" severity="medium"> ++ <VMSinfo VKey="204501" SVKey="204501r5059" VRelease="r505924"/> + <title text="The Red Hat Enterprise Linux operating system must not allow removable media to be used as the boot loader unless approved."/> + </overlay> + <overlay owner="disastig" ruleid="package_telnet-server_removed" ownerid="RHEL-07-021710" disa="381" severity="high"> +- <VMSinfo VKey="72077" SVKey="86701" VRelease="2"/> ++ <VMSinfo VKey="204502" SVKey="204502r5059" VRelease="r505924"/> + <title text="The Red Hat Enterprise Linux operating system must not have the telnet-server package installed."/> + </overlay> +- <overlay owner="disastig" ruleid="service_auditd_enabled" ownerid="RHEL-07-030000" disa="131" severity="high"> +- <VMSinfo VKey="72079" SVKey="86703" VRelease="3"/> ++ <overlay owner="disastig" ruleid="service_auditd_enabled" ownerid="RHEL-07-030000" disa="126" severity="medium"> ++ <VMSinfo VKey="204503" SVKey="204503r5059" VRelease="r505924"/> + <title text="The Red Hat Enterprise Linux operating system must be configured so that auditing is configured to produce records containing information to establish what type of events occurred, where the events occurred, the source of the events, and the outcome of the events. These audit records must also identify individual identities of group account users."/> + </overlay> + <overlay owner="disastig" ruleid="audit_rules_system_shutdown" ownerid="RHEL-07-030010" disa="139" severity="medium"> +- <VMSinfo VKey="72081" SVKey="86705" VRelease="5"/> ++ <VMSinfo VKey="204504" SVKey="204504r5059" VRelease="r505924"/> + <title text="The Red Hat Enterprise Linux operating system must shut down upon audit processing failure, unless availability is an overriding concern. If availability is a concern, the system must alert the designated staff (System Administrator [SA] and Information System Security Officer [ISSO] at a minimum) in the event of an audit processing failure."/> + </overlay> +- <overlay owner="disastig" ruleid="auditd_audispd_configure_remote_server" ownerid="RHEL-07-030201" disa="1851" severity="medium"> +- <VMSinfo VKey="81017" SVKey="95729" VRelease="2"/> ++ <overlay owner="disastig" ruleid="auditd_audispd_encrypt_sent_records" ownerid="RHEL-07-030201" disa="1851" severity="medium"> ++ <VMSinfo VKey="204506" SVKey="204506r5059" VRelease="r505924"/> + <title text="The Red Hat Enterprise Linux operating system must be configured to off-load audit logs onto a different system or storage media from the system being audited."/> + </overlay> +- <overlay owner="disastig" ruleid="auditd_audispd_configure_remote_server" ownerid="RHEL-07-030210" disa="1851" severity="medium"> +- <VMSinfo VKey="81019" SVKey="95731" VRelease="1"/> +- <title text="The Red Hat Enterprise Linux operating system must take appropriate action when the audisp-remote buffer is full."/> ++ <overlay owner="disastig" ruleid="auditd_audispd_encrypt_sent_records" ownerid="RHEL-07-030210" disa="1851" severity="medium"> ++ <VMSinfo VKey="204507" SVKey="204507r5059" VRelease="r505924"/> ++ <title text="The Red Hat Enterprise Linux operating system must take appropriate action when the remote logging buffer is full."/> + </overlay> +- <overlay owner="disastig" ruleid="auditd_audispd_configure_remote_server" ownerid="RHEL-07-030211" disa="1851" severity="medium"> +- <VMSinfo VKey="81021" SVKey="95733" VRelease="1"/> ++ <overlay owner="disastig" ruleid="auditd_audispd_encrypt_sent_records" ownerid="RHEL-07-030211" disa="1851" severity="medium"> ++ <VMSinfo VKey="204508" SVKey="204508r5059" VRelease="r505924"/> + <title text="The Red Hat Enterprise Linux operating system must label all off-loaded audit logs before sending them to the central log server."/> + </overlay> + <overlay owner="disastig" ruleid="auditd_audispd_configure_remote_server" ownerid="RHEL-07-030300" disa="1851" severity="medium"> +- <VMSinfo VKey="72083" SVKey="86707" VRelease="2"/> ++ <VMSinfo VKey="204509" SVKey="204509r5059" VRelease="r505924"/> + <title text="The Red Hat Enterprise Linux operating system must off-load audit records onto a different system or media from the system being audited."/> + </overlay> + <overlay owner="disastig" ruleid="auditd_audispd_encrypt_sent_records" ownerid="RHEL-07-030310" disa="1851" severity="medium"> +- <VMSinfo VKey="72085" SVKey="86709" VRelease="2"/> ++ <VMSinfo VKey="204510" SVKey="204510r5059" VRelease="r505924"/> + <title text="The Red Hat Enterprise Linux operating system must encrypt the transfer of audit records off-loaded onto a different system or media from the system being audited."/> + </overlay> + <overlay owner="disastig" ruleid="auditd_audispd_disk_full_action" ownerid="RHEL-07-030320" disa="1851" severity="medium"> +- <VMSinfo VKey="72087" SVKey="86711" VRelease="3"/> ++ <VMSinfo VKey="204511" SVKey="204511r5059" VRelease="r505924"/> + <title text="The Red Hat Enterprise Linux operating system must be configured so that the audit system takes appropriate action when the audit storage volume is full."/> + </overlay> + <overlay owner="disastig" ruleid="auditd_audispd_network_failure_action" ownerid="RHEL-07-030321" disa="1851" severity="medium"> +- <VMSinfo VKey="73163" SVKey="87815" VRelease="3"/> ++ <VMSinfo VKey="204512" SVKey="204512r5059" VRelease="r505924"/> + <title text="The Red Hat Enterprise Linux operating system must be configured so that the audit system takes appropriate action when there is an error sending audit records to a remote system."/> + </overlay> + <overlay owner="disastig" ruleid="auditd_data_retention_space_left" ownerid="RHEL-07-030330" disa="1855" severity="medium"> +- <VMSinfo VKey="72089" SVKey="86713" VRelease="4"/> ++ <VMSinfo VKey="204513" SVKey="204513r5059" VRelease="r505924"/> + <title text="The Red Hat Enterprise Linux operating system must initiate an action to notify the System Administrator (SA) and Information System Security Officer ISSO, at a minimum, when allocated audit record storage volume reaches 75% of the repository maximum audit record storage capacity."/> + </overlay> + <overlay owner="disastig" ruleid="auditd_data_retention_space_left_action" ownerid="RHEL-07-030340" disa="1855" severity="medium"> +- <VMSinfo VKey="72091" SVKey="86715" VRelease="2"/> ++ <VMSinfo VKey="204514" SVKey="204514r5059" VRelease="r505924"/> + <title text="The Red Hat Enterprise Linux operating system must immediately notify the System Administrator (SA) and Information System Security Officer (ISSO) (at a minimum) via email when the threshold for the repository maximum audit record storage capacity is reached."/> + </overlay> + <overlay owner="disastig" ruleid="auditd_data_retention_action_mail_acct" ownerid="RHEL-07-030350" disa="1855" severity="medium"> +- <VMSinfo VKey="72093" SVKey="86717" VRelease="3"/> ++ <VMSinfo VKey="204515" SVKey="204515r5059" VRelease="r505924"/> + <title text="The Red Hat Enterprise Linux operating system must immediately notify the System Administrator (SA) and Information System Security Officer (ISSO) (at a minimum) when the threshold for the repository maximum audit record storage capacity is reached."/> + </overlay> + <overlay owner="disastig" ruleid="audit_rules_privileged_commands" ownerid="RHEL-07-030360" disa="2234" severity="medium"> +- <VMSinfo VKey="72095" SVKey="86719" VRelease="7"/> ++ <VMSinfo VKey="204516" SVKey="204516r5059" VRelease="r505924"/> + <title text="The Red Hat Enterprise Linux operating system must audit all executions of privileged functions."/> + </overlay> +- <overlay owner="disastig" ruleid="audit_rules_dac_modification_chown" ownerid="RHEL-07-030370" disa="172" severity="medium"> +- <VMSinfo VKey="72097" SVKey="86721" VRelease="6"/> ++ <overlay owner="disastig" ruleid="audit_rules_dac_modification_chown" ownerid="RHEL-07-030370" disa="126" severity="medium"> ++ <VMSinfo VKey="204517" SVKey="204517r5059" VRelease="r505924"/> + <title text="The Red Hat Enterprise Linux operating system must audit all uses of the chown syscall."/> + </overlay> + <overlay owner="disastig" ruleid="audit_rules_dac_modification_fchown" ownerid="RHEL-07-030380" disa="172" severity="medium"> +- <VMSinfo VKey="72099" SVKey="86723" VRelease="6"/> ++ <VMSinfo VKey="204518" SVKey="204518r5059" VRelease="r505924"/> + <title text="The Red Hat Enterprise Linux operating system must audit all uses of the fchown syscall."/> + </overlay> +- <overlay owner="disastig" ruleid="audit_rules_dac_modification_lchown" ownerid="RHEL-07-030390" disa="172" severity="medium"> +- <VMSinfo VKey="72101" SVKey="86725" VRelease="6"/> ++ <overlay owner="disastig" ruleid="audit_rules_dac_modification_lchown" ownerid="RHEL-07-030390" disa="126" severity="medium"> ++ <VMSinfo VKey="204519" SVKey="204519r5059" VRelease="r505924"/> + <title text="The Red Hat Enterprise Linux operating system must audit all uses of the lchown syscall."/> + </overlay> + <overlay owner="disastig" ruleid="audit_rules_dac_modification_fchownat" ownerid="RHEL-07-030400" disa="172" severity="medium"> +- <VMSinfo VKey="72103" SVKey="86727" VRelease="6"/> ++ <VMSinfo VKey="204520" SVKey="204520r5059" VRelease="r505924"/> + <title text="The Red Hat Enterprise Linux operating system must audit all uses of the fchownat syscall."/> + </overlay> + <overlay owner="disastig" ruleid="audit_rules_dac_modification_chmod" ownerid="RHEL-07-030410" disa="172" severity="medium"> +- <VMSinfo VKey="72105" SVKey="86729" VRelease="6"/> ++ <VMSinfo VKey="204521" SVKey="204521r5059" VRelease="r505924"/> + <title text="The Red Hat Enterprise Linux operating system must audit all uses of the chmod syscall."/> + </overlay> + <overlay owner="disastig" ruleid="audit_rules_dac_modification_fchmod" ownerid="RHEL-07-030420" disa="172" severity="medium"> +- <VMSinfo VKey="72107" SVKey="86731" VRelease="6"/> ++ <VMSinfo VKey="204522" SVKey="204522r5059" VRelease="r505924"/> + <title text="The Red Hat Enterprise Linux operating system must audit all uses of the fchmod syscall."/> + </overlay> + <overlay owner="disastig" ruleid="audit_rules_dac_modification_fchmodat" ownerid="RHEL-07-030430" disa="172" severity="medium"> +- <VMSinfo VKey="72109" SVKey="86733" VRelease="6"/> ++ <VMSinfo VKey="204523" SVKey="204523r5059" VRelease="r505924"/> + <title text="The Red Hat Enterprise Linux operating system must audit all uses of the fchmodat syscall."/> + </overlay> + <overlay owner="disastig" ruleid="audit_rules_dac_modification_setxattr" ownerid="RHEL-07-030440" disa="172" severity="medium"> +- <VMSinfo VKey="72111" SVKey="86735" VRelease="6"/> ++ <VMSinfo VKey="204524" SVKey="204524r5059" VRelease="r505924"/> + <title text="The Red Hat Enterprise Linux operating system must audit all uses of the setxattr syscall."/> + </overlay> + <overlay owner="disastig" ruleid="audit_rules_dac_modification_fsetxattr" ownerid="RHEL-07-030450" disa="172" severity="medium"> +- <VMSinfo VKey="72113" SVKey="86737" VRelease="6"/> ++ <VMSinfo VKey="204525" SVKey="204525r5059" VRelease="r505924"/> + <title text="The Red Hat Enterprise Linux operating system must audit all uses of the fsetxattr syscall."/> + </overlay> + <overlay owner="disastig" ruleid="audit_rules_dac_modification_lsetxattr" ownerid="RHEL-07-030460" disa="172" severity="medium"> +- <VMSinfo VKey="72115" SVKey="86739" VRelease="6"/> ++ <VMSinfo VKey="204526" SVKey="204526r5059" VRelease="r505924"/> + <title text="The Red Hat Enterprise Linux operating system must audit all uses of the lsetxattr syscall."/> + </overlay> + <overlay owner="disastig" ruleid="audit_rules_dac_modification_removexattr" ownerid="RHEL-07-030470" disa="172" severity="medium"> +- <VMSinfo VKey="72117" SVKey="86741" VRelease="6"/> ++ <VMSinfo VKey="204527" SVKey="204527r5059" VRelease="r505924"/> + <title text="The Red Hat Enterprise Linux operating system must audit all uses of the removexattr syscall."/> + </overlay> + <overlay owner="disastig" ruleid="audit_rules_dac_modification_fremovexattr" ownerid="RHEL-07-030480" disa="172" severity="medium"> +- <VMSinfo VKey="72119" SVKey="86743" VRelease="6"/> ++ <VMSinfo VKey="204528" SVKey="204528r5059" VRelease="r505924"/> + <title text="The Red Hat Enterprise Linux operating system must audit all uses of the fremovexattr syscall."/> + </overlay> + <overlay owner="disastig" ruleid="audit_rules_dac_modification_lremovexattr" ownerid="RHEL-07-030490" disa="172" severity="medium"> +- <VMSinfo VKey="72121" SVKey="86745" VRelease="6"/> ++ <VMSinfo VKey="204529" SVKey="204529r5059" VRelease="r505924"/> + <title text="The Red Hat Enterprise Linux operating system must audit all uses of the lremovexattr syscall."/> + </overlay> + <overlay owner="disastig" ruleid="audit_rules_unsuccessful_file_modification_creat" ownerid="RHEL-07-030500" disa="2884" severity="medium"> +- <VMSinfo VKey="72123" SVKey="86747" VRelease="6"/> ++ <VMSinfo VKey="204530" SVKey="204530r5059" VRelease="r505924"/> + <title text="The Red Hat Enterprise Linux operating system must audit all uses of the creat syscall."/> + </overlay> + <overlay owner="disastig" ruleid="audit_rules_unsuccessful_file_modification_open" ownerid="RHEL-07-030510" disa="2884" severity="medium"> +- <VMSinfo VKey="72125" SVKey="86749" VRelease="6"/> ++ <VMSinfo VKey="204531" SVKey="204531r5059" VRelease="r505924"/> + <title text="The Red Hat Enterprise Linux operating system must audit all uses of the open syscall."/> + </overlay> + <overlay owner="disastig" ruleid="audit_rules_unsuccessful_file_modification_openat" ownerid="RHEL-07-030520" disa="2884" severity="medium"> +- <VMSinfo VKey="72127" SVKey="86751" VRelease="6"/> ++ <VMSinfo VKey="204532" SVKey="204532r5059" VRelease="r505924"/> + <title text="The Red Hat Enterprise Linux operating system must audit all uses of the openat syscall."/> + </overlay> + <overlay owner="disastig" ruleid="audit_rules_unsuccessful_file_modification_open_by_handle_at" ownerid="RHEL-07-030530" disa="2884" severity="medium"> +- <VMSinfo VKey="72129" SVKey="86753" VRelease="6"/> ++ <VMSinfo VKey="204533" SVKey="204533r5059" VRelease="r505924"/> + <title text="The Red Hat Enterprise Linux operating system must audit all uses of the open_by_handle_at syscall."/> + </overlay> + <overlay owner="disastig" ruleid="audit_rules_unsuccessful_file_modification_truncate" ownerid="RHEL-07-030540" disa="2884" severity="medium"> +- <VMSinfo VKey="72131" SVKey="86755" VRelease="6"/> ++ <VMSinfo VKey="204534" SVKey="204534r5059" VRelease="r505924"/> + <title text="The Red Hat Enterprise Linux operating system must audit all uses of the truncate syscall."/> + </overlay> + <overlay owner="disastig" ruleid="audit_rules_unsuccessful_file_modification_ftruncate" ownerid="RHEL-07-030550" disa="2884" severity="medium"> +- <VMSinfo VKey="72133" SVKey="86757" VRelease="6"/> ++ <VMSinfo VKey="204535" SVKey="204535r5059" VRelease="r505924"/> + <title text="The Red Hat Enterprise Linux operating system must audit all uses of the ftruncate syscall."/> + </overlay> + <overlay owner="disastig" ruleid="audit_rules_execution_semanage" ownerid="RHEL-07-030560" disa="2884" severity="medium"> +- <VMSinfo VKey="72135" SVKey="86759" VRelease="5"/> ++ <VMSinfo VKey="204536" SVKey="204536r5059" VRelease="r505924"/> + <title text="The Red Hat Enterprise Linux operating system must audit all uses of the semanage command."/> + </overlay> + <overlay owner="disastig" ruleid="audit_rules_execution_setsebool" ownerid="RHEL-07-030570" disa="2884" severity="medium"> +- <VMSinfo VKey="72137" SVKey="86761" VRelease="5"/> ++ <VMSinfo VKey="204537" SVKey="204537r5059" VRelease="r505924"/> + <title text="The Red Hat Enterprise Linux operating system must audit all uses of the setsebool command."/> + </overlay> + <overlay owner="disastig" ruleid="audit_rules_execution_chcon" ownerid="RHEL-07-030580" disa="2884" severity="medium"> +- <VMSinfo VKey="72139" SVKey="86763" VRelease="5"/> ++ <VMSinfo VKey="204538" SVKey="204538r5059" VRelease="r505924"/> + <title text="The Red Hat Enterprise Linux operating system must audit all uses of the chcon command."/> + </overlay> + <overlay owner="disastig" ruleid="audit_rules_execution_setfiles" ownerid="RHEL-07-030590" disa="2884" severity="medium"> +- <VMSinfo VKey="72141" SVKey="86765" VRelease="6"/> ++ <VMSinfo VKey="204539" SVKey="204539r5059" VRelease="r505924"/> + <title text="The Red Hat Enterprise Linux operating system must audit all uses of the setfiles command."/> + </overlay> + <overlay owner="disastig" ruleid="audit_rules_login_events_faillock" ownerid="RHEL-07-030610" disa="2884" severity="medium"> +- <VMSinfo VKey="72145" SVKey="86769" VRelease="4"/> ++ <VMSinfo VKey="204540" SVKey="204540r5059" VRelease="r505924"/> + <title text="The Red Hat Enterprise Linux operating system must generate audit records for all unsuccessful account access events."/> + </overlay> + <overlay owner="disastig" ruleid="audit_rules_login_events_lastlog" ownerid="RHEL-07-030620" disa="2884" severity="medium"> +- <VMSinfo VKey="72147" SVKey="86771" VRelease="3"/> ++ <VMSinfo VKey="204541" SVKey="204541r5059" VRelease="r505924"/> + <title text="The Red Hat Enterprise Linux operating system must generate audit records for all successful account access events."/> + </overlay> + <overlay owner="disastig" ruleid="audit_rules_privileged_commands_passwd" ownerid="RHEL-07-030630" disa="2884" severity="medium"> +- <VMSinfo VKey="72149" SVKey="86773" VRelease="6"/> ++ <VMSinfo VKey="204542" SVKey="204542r5059" VRelease="r505924"/> + <title text="The Red Hat Enterprise Linux operating system must audit all uses of the passwd command."/> + </overlay> + <overlay owner="disastig" ruleid="audit_rules_privileged_commands_unix_chkpwd" ownerid="RHEL-07-030640" disa="2884" severity="medium"> +- <VMSinfo VKey="72151" SVKey="86775" VRelease="6"/> ++ <VMSinfo VKey="204543" SVKey="204543r5059" VRelease="r505924"/> + <title text="The Red Hat Enterprise Linux operating system must audit all uses of the unix_chkpwd command."/> + </overlay> + <overlay owner="disastig" ruleid="audit_rules_privileged_commands_gpasswd" ownerid="RHEL-07-030650" disa="2884" severity="medium"> +- <VMSinfo VKey="72153" SVKey="86777" VRelease="6"/> ++ <VMSinfo VKey="204544" SVKey="204544r5059" VRelease="r505924"/> + <title text="The Red Hat Enterprise Linux operating system must audit all uses of the gpasswd command."/> + </overlay> + <overlay owner="disastig" ruleid="audit_rules_privileged_commands_chage" ownerid="RHEL-07-030660" disa="2884" severity="medium"> +- <VMSinfo VKey="72155" SVKey="86779" VRelease="6"/> ++ <VMSinfo VKey="204545" SVKey="204545r5059" VRelease="r505924"/> + <title text="The Red Hat Enterprise Linux operating system must audit all uses of the chage command."/> + </overlay> + <overlay owner="disastig" ruleid="audit_rules_privileged_commands_userhelper" ownerid="RHEL-07-030670" disa="2884" severity="medium"> +- <VMSinfo VKey="72157" SVKey="86781" VRelease="6"/> ++ <VMSinfo VKey="204546" SVKey="204546r5059" VRelease="r505924"/> + <title text="The Red Hat Enterprise Linux operating system must audit all uses of the userhelper command."/> + </overlay> + <overlay owner="disastig" ruleid="audit_rules_privileged_commands_su" ownerid="RHEL-07-030680" disa="2884" severity="medium"> +- <VMSinfo VKey="72159" SVKey="86783" VRelease="6"/> ++ <VMSinfo VKey="204547" SVKey="204547r5059" VRelease="r505924"/> + <title text="The Red Hat Enterprise Linux operating system must audit all uses of the su command."/> + </overlay> + <overlay owner="disastig" ruleid="audit_rules_privileged_commands_sudo" ownerid="RHEL-07-030690" disa="2884" severity="medium"> +- <VMSinfo VKey="72161" SVKey="86785" VRelease="5"/> ++ <VMSinfo VKey="204548" SVKey="204548r5059" VRelease="r505924"/> + <title text="The Red Hat Enterprise Linux operating system must audit all uses of the sudo command."/> + </overlay> + <overlay owner="disastig" ruleid="audit_rules_sysadmin_actions" ownerid="RHEL-07-030700" disa="2884" severity="medium"> +- <VMSinfo VKey="72163" SVKey="86787" VRelease="5"/> ++ <VMSinfo VKey="204549" SVKey="204549r5059" VRelease="r505924"/> + <title text="The Red Hat Enterprise Linux operating system must audit all uses of the sudoers file and all files in the /etc/sudoers.d/ directory."/> + </overlay> + <overlay owner="disastig" ruleid="audit_rules_privileged_commands_newgrp" ownerid="RHEL-07-030710" disa="2884" severity="medium"> +- <VMSinfo VKey="72165" SVKey="86789" VRelease="5"/> ++ <VMSinfo VKey="204550" SVKey="204550r5059" VRelease="r505924"/> + <title text="The Red Hat Enterprise Linux operating system must audit all uses of the newgrp command."/> + </overlay> + <overlay owner="disastig" ruleid="audit_rules_privileged_commands_chsh" ownerid="RHEL-07-030720" disa="2884" severity="medium"> +- <VMSinfo VKey="72167" SVKey="86791" VRelease="5"/> ++ <VMSinfo VKey="204551" SVKey="204551r5059" VRelease="r505924"/> + <title text="The Red Hat Enterprise Linux operating system must audit all uses of the chsh command."/> + </overlay> + <overlay owner="disastig" ruleid="audit_rules_privileged_commands_mount" ownerid="RHEL-07-030740" disa="2884" severity="medium"> +- <VMSinfo VKey="72171" SVKey="86795" VRelease="8"/> ++ <VMSinfo VKey="204552" SVKey="204552r5059" VRelease="r505924"/> + <title text="The Red Hat Enterprise Linux operating system must audit all uses of the mount command and syscall."/> + </overlay> + <overlay owner="disastig" ruleid="audit_rules_privileged_commands_umount" ownerid="RHEL-07-030750" disa="2884" severity="medium"> +- <VMSinfo VKey="72173" SVKey="86797" VRelease="6"/> ++ <VMSinfo VKey="204553" SVKey="204553r5059" VRelease="r505924"/> + <title text="The Red Hat Enterprise Linux operating system must audit all uses of the umount command."/> + </overlay> + <overlay owner="disastig" ruleid="audit_rules_privileged_commands_postdrop" ownerid="RHEL-07-030760" disa="2884" severity="medium"> +- <VMSinfo VKey="72175" SVKey="86799" VRelease="5"/> ++ <VMSinfo VKey="204554" SVKey="204554r5059" VRelease="r505924"/> + <title text="The Red Hat Enterprise Linux operating system must audit all uses of the postdrop command."/> + </overlay> + <overlay owner="disastig" ruleid="audit_rules_privileged_commands_postqueue" ownerid="RHEL-07-030770" disa="2884" severity="medium"> +- <VMSinfo VKey="72177" SVKey="86801" VRelease="4"/> ++ <VMSinfo VKey="204555" SVKey="204555r5059" VRelease="r505924"/> + <title text="The Red Hat Enterprise Linux operating system must audit all uses of the postqueue command."/> + </overlay> + <overlay owner="disastig" ruleid="audit_rules_privileged_commands_ssh_keysign" ownerid="RHEL-07-030780" disa="2884" severity="medium"> +- <VMSinfo VKey="72179" SVKey="86803" VRelease="4"/> ++ <VMSinfo VKey="204556" SVKey="204556r5059" VRelease="r505924"/> + <title text="The Red Hat Enterprise Linux operating system must audit all uses of the ssh-keysign command."/> + </overlay> + <overlay owner="disastig" ruleid="audit_rules_privileged_commands_crontab" ownerid="RHEL-07-030800" disa="2884" severity="medium"> +- <VMSinfo VKey="72183" SVKey="86807" VRelease="4"/> ++ <VMSinfo VKey="204557" SVKey="204557r5059" VRelease="r505924"/> + <title text="The Red Hat Enterprise Linux operating system must audit all uses of the crontab command."/> + </overlay> + <overlay owner="disastig" ruleid="audit_rules_privileged_commands_pam_timestamp_check" ownerid="RHEL-07-030810" disa="172" severity="medium"> +- <VMSinfo VKey="72185" SVKey="86809" VRelease="5"/> ++ <VMSinfo VKey="204558" SVKey="204558r5059" VRelease="r505924"/> + <title text="The Red Hat Enterprise Linux operating system must audit all uses of the pam_timestamp_check command."/> + </overlay> + <overlay owner="disastig" ruleid="audit_rules_kernel_module_loading_delete" ownerid="RHEL-07-030819" disa="172" severity="medium"> +- <VMSinfo VKey="78999" SVKey="93705" VRelease="3"/> ++ <VMSinfo VKey="204559" SVKey="204559r5059" VRelease="r505924"/> + <title text="The Red Hat Enterprise Linux operating system must audit all uses of the create_module syscall."/> + </overlay> + <overlay owner="disastig" ruleid="audit_rules_kernel_module_loading_init" ownerid="RHEL-07-030820" disa="172" severity="medium"> +- <VMSinfo VKey="72187" SVKey="86811" VRelease="5"/> ++ <VMSinfo VKey="204560" SVKey="204560r5059" VRelease="r505924"/> + <title text="The Red Hat Enterprise Linux operating system must audit all uses of the init_module syscall."/> + </overlay> + <overlay owner="disastig" ruleid="audit_rules_kernel_module_loading_finit" ownerid="RHEL-07-030821" disa="172" severity="medium"> +- <VMSinfo VKey="79001" SVKey="93707" VRelease="3"/> ++ <VMSinfo VKey="204561" SVKey="204561r5059" VRelease="r505924"/> + <title text="The Red Hat Enterprise Linux operating system must audit all uses of the finit_module syscall."/> + </overlay> + <overlay owner="disastig" ruleid="audit_rules_kernel_module_loading_delete" ownerid="RHEL-07-030830" disa="172" severity="medium"> +- <VMSinfo VKey="72189" SVKey="86813" VRelease="5"/> ++ <VMSinfo VKey="204562" SVKey="204562r5059" VRelease="r505924"/> + <title text="The Red Hat Enterprise Linux operating system must audit all uses of the delete_module syscall."/> + </overlay> + <overlay owner="disastig" ruleid="audit_rules_kernel_module_loading_delete" ownerid="RHEL-07-030840" disa="172" severity="medium"> +- <VMSinfo VKey="72191" SVKey="86815" VRelease="6"/> ++ <VMSinfo VKey="204563" SVKey="204563r5059" VRelease="r505924"/> + <title text="The Red Hat Enterprise Linux operating system must audit all uses of the kmod command."/> + </overlay> +- <overlay owner="disastig" ruleid="audit_rules_usergroup_modification_passwd" ownerid="RHEL-07-030870" disa="2130" severity="medium"> +- <VMSinfo VKey="72197" SVKey="86821" VRelease="5"/> ++ <overlay owner="disastig" ruleid="audit_rules_usergroup_modification_passwd" ownerid="RHEL-07-030870" disa="1403" severity="medium"> ++ <VMSinfo VKey="204564" SVKey="204564r5059" VRelease="r505924"/> + <title text="The Red Hat Enterprise Linux operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/passwd."/> + </overlay> + <overlay owner="disastig" ruleid="audit_rules_usergroup_modification_group" ownerid="RHEL-07-030871" disa="2130" severity="medium"> +- <VMSinfo VKey="73165" SVKey="87817" VRelease="3"/> ++ <VMSinfo VKey="204565" SVKey="204565r5059" VRelease="r505924"/> + <title text="The Red Hat Enterprise Linux operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/group."/> + </overlay> +- <overlay owner="disastig" ruleid="audit_rules_usergroup_modification_gshadow" ownerid="RHEL-07-030872" disa="2130" severity="medium"> +- <VMSinfo VKey="73167" SVKey="87819" VRelease="4"/> ++ <overlay owner="disastig" ruleid="audit_rules_usergroup_modification_gshadow" ownerid="RHEL-07-030872" disa="1403" severity="medium"> ++ <VMSinfo VKey="204566" SVKey="204566r5059" VRelease="r505924"/> + <title text="The Red Hat Enterprise Linux operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/gshadow."/> + </overlay> + <overlay owner="disastig" ruleid="audit_rules_usergroup_modification_shadow" ownerid="RHEL-07-030873" disa="2130" severity="medium"> +- <VMSinfo VKey="73171" SVKey="87823" VRelease="4"/> ++ <VMSinfo VKey="204567" SVKey="204567r5059" VRelease="r505924"/> + <title text="The Red Hat Enterprise Linux operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/shadow."/> + </overlay> +- <overlay owner="disastig" ruleid="audit_rules_usergroup_modification_opasswd" ownerid="RHEL-07-030874" disa="2130" severity="medium"> +- <VMSinfo VKey="73173" SVKey="87825" VRelease="5"/> ++ <overlay owner="disastig" ruleid="audit_rules_usergroup_modification_opasswd" ownerid="RHEL-07-030874" disa="1403" severity="medium"> ++ <VMSinfo VKey="204568" SVKey="204568r5059" VRelease="r505924"/> + <title text="The Red Hat Enterprise Linux operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/opasswd."/> + </overlay> + <overlay owner="disastig" ruleid="audit_rules_file_deletion_events_rename" ownerid="RHEL-07-030880" disa="2884" severity="medium"> +- <VMSinfo VKey="72199" SVKey="86823" VRelease="6"/> ++ <VMSinfo VKey="204569" SVKey="204569r5059" VRelease="r505924"/> + <title text="The Red Hat Enterprise Linux operating system must audit all uses of the rename syscall."/> + </overlay> + <overlay owner="disastig" ruleid="audit_rules_file_deletion_events_renameat" ownerid="RHEL-07-030890" disa="2884" severity="medium"> +- <VMSinfo VKey="72201" SVKey="86825" VRelease="6"/> ++ <VMSinfo VKey="204570" SVKey="204570r5059" VRelease="r505924"/> + <title text="The Red Hat Enterprise Linux operating system must audit all uses of the renameat syscall."/> + </overlay> + <overlay owner="disastig" ruleid="audit_rules_file_deletion_events_rmdir" ownerid="RHEL-07-030900" disa="2884" severity="medium"> +- <VMSinfo VKey="72203" SVKey="86827" VRelease="6"/> ++ <VMSinfo VKey="204571" SVKey="204571r5059" VRelease="r505924"/> + <title text="The Red Hat Enterprise Linux operating system must audit all uses of the rmdir syscall."/> + </overlay> + <overlay owner="disastig" ruleid="audit_rules_file_deletion_events_unlink" ownerid="RHEL-07-030910" disa="2884" severity="medium"> +- <VMSinfo VKey="72205" SVKey="86829" VRelease="6"/> ++ <VMSinfo VKey="204572" SVKey="204572r5059" VRelease="r505924"/> + <title text="The Red Hat Enterprise Linux operating system must audit all uses of the unlink syscall."/> + </overlay> + <overlay owner="disastig" ruleid="audit_rules_file_deletion_events_unlinkat" ownerid="RHEL-07-030920" disa="2884" severity="medium"> +- <VMSinfo VKey="72207" SVKey="86831" VRelease="6"/> ++ <VMSinfo VKey="204573" SVKey="204573r5059" VRelease="r505924"/> + <title text="The Red Hat Enterprise Linux operating system must audit all uses of the unlinkat syscall."/> + </overlay> + <overlay owner="disastig" ruleid="rsyslog_remote_loghost" ownerid="RHEL-07-031000" disa="366" severity="medium"> +- <VMSinfo VKey="72209" SVKey="86833" VRelease="2"/> ++ <VMSinfo VKey="204574" SVKey="204574r5059" VRelease="r505924"/> + <title text="The Red Hat Enterprise Linux operating system must send rsyslog output to a log aggregation server."/> + </overlay> +- <overlay owner="disastig" ruleid="rsyslog_nolisten" ownerid="RHEL-07-031010" disa="1814" severity="medium"> +- <VMSinfo VKey="72211" SVKey="86835" VRelease="2"/> ++ <overlay owner="disastig" ruleid="rsyslog_nolisten" ownerid="RHEL-07-031010" disa="368" severity="medium"> ++ <VMSinfo VKey="204575" SVKey="204575r5059" VRelease="r505924"/> + <title text="The Red Hat Enterprise Linux operating system must be configured so that the rsyslog daemon does not accept log messages from other servers unless the server is being used for log aggregation."/> + </overlay> + <overlay owner="disastig" ruleid="install_mcafee_antivirus" ownerid="RHEL-07-032000" disa="1668" severity="high"> +- <VMSinfo VKey="72213" SVKey="86837" VRelease="3"/> ++ <VMSinfo VKey="214801" SVKey="214801r5059" VRelease="r505924"/> + <title text="The Red Hat Enterprise Linux operating system must use a virus scan program."/> + </overlay> + <overlay owner="disastig" ruleid="accounts_max_concurrent_login_sessions" ownerid="RHEL-07-040000" disa="54" severity="low"> +- <VMSinfo VKey="72217" SVKey="86841" VRelease="3"/> ++ <VMSinfo VKey="204576" SVKey="204576r5059" VRelease="r505924"/> + <title text="The Red Hat Enterprise Linux operating system must limit the number of concurrent sessions to 10 for all accounts and/or account types."/> + </overlay> + <overlay owner="disastig" ruleid="configure_firewalld_ports" ownerid="RHEL-07-040100" disa="2314" severity="medium"> +- <VMSinfo VKey="72219" SVKey="86843" VRelease="2"/> ++ <VMSinfo VKey="204577" SVKey="204577r5059" VRelease="r505924"/> + <title text="The Red Hat Enterprise Linux operating system must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the Ports, Protocols, and Services Management Component Local Service Assessment (PPSM CLSA) and vulnerability assessments."/> + </overlay> +- <overlay owner="disastig" ruleid="sshd_use_approved_ciphers" ownerid="RHEL-07-040110" disa="803" severity="medium"> +- <VMSinfo VKey="72221" SVKey="86845" VRelease="3"/> ++ <overlay owner="disastig" ruleid="sshd_use_approved_ciphers" ownerid="RHEL-07-040110" disa="68" severity="medium"> ++ <VMSinfo VKey="204578" SVKey="204578r5059" VRelease="r505924"/> + <title text="The Red Hat Enterprise Linux operating system must use a FIPS 140-2 approved cryptographic algorithm for SSH communications."/> + </overlay> + <overlay owner="disastig" ruleid="accounts_tmout" ownerid="RHEL-07-040160" disa="2361" severity="medium"> +- <VMSinfo VKey="72223" SVKey="86847" VRelease="5"/> ++ <VMSinfo VKey="204579" SVKey="204579r5059" VRelease="r505924"/> + <title text="The Red Hat Enterprise Linux operating system must be configured so that all network connections associated with a communication session are terminated at the end of the session or after 15 minutes of inactivity from the user at a command prompt, except to fulfill documented and validated mission requirements."/> + </overlay> + <overlay owner="disastig" ruleid="sshd_enable_warning_banner" ownerid="RHEL-07-040170" disa="1388" severity="medium"> +- <VMSinfo VKey="72225" SVKey="86849" VRelease="5"/> ++ <VMSinfo VKey="204580" SVKey="204580r5059" VRelease="r505924"/> + <title text="The Red Hat Enterprise Linux operating system must display the Standard Mandatory DoD Notice and Consent Banner immediately prior to, or as part of, remote access logon prompts."/> + </overlay> + <overlay owner="disastig" ruleid="sssd_ldap_start_tls" ownerid="RHEL-07-040180" disa="1453" severity="medium"> +- <VMSinfo VKey="72227" SVKey="86851" VRelease="4"/> ++ <VMSinfo VKey="204581" SVKey="204581r5059" VRelease="r505924"/> + <title text="The Red Hat Enterprise Linux operating system must implement cryptography to protect the integrity of Lightweight Directory Access Protocol (LDAP) authentication communications."/> + </overlay> +- <overlay owner="disastig" ruleid="sshd_use_approved_macs" ownerid="RHEL-07-040190" disa="1453" severity="medium"> +- <VMSinfo VKey="72229" SVKey="86853" VRelease="4"/> ++ <overlay owner="disastig" ruleid="sssd_ldap_configure_tls_reqcert" ownerid="RHEL-07-040190" disa="1453" severity="medium"> ++ <VMSinfo VKey="204582" SVKey="204582r5059" VRelease="r505924"/> + <title text="The Red Hat Enterprise Linux operating system must implement cryptography to protect the integrity of Lightweight Directory Access Protocol (LDAP) communications."/> + </overlay> + <overlay owner="disastig" ruleid="sssd_ldap_configure_tls_ca_dir" ownerid="RHEL-07-040200" disa="1453" severity="medium"> +- <VMSinfo VKey="72231" SVKey="86855" VRelease="4"/> ++ <VMSinfo VKey="204583" SVKey="204583r5059" VRelease="r505924"/> + <title text="The Red Hat Enterprise Linux operating system must implement cryptography to protect the integrity of Lightweight Directory Access Protocol (LDAP) communications."/> + </overlay> + <overlay owner="disastig" ruleid="sysctl_kernel_randomize_va_space" ownerid="RHEL-07-040201" disa="366" severity="medium"> +- <VMSinfo VKey="77825" SVKey="92521" VRelease="2"/> ++ <VMSinfo VKey="204584" SVKey="204584r5059" VRelease="r505924"/> + <title text="The Red Hat Enterprise Linux operating system must implement virtual address space randomization."/> + </overlay> + <overlay owner="disastig" ruleid="package_openssh-server_installed" ownerid="RHEL-07-040300" disa="2422" severity="medium"> +- <VMSinfo VKey="72233" SVKey="86857" VRelease="3"/> ++ <VMSinfo VKey="204585" SVKey="204585r5059" VRelease="r505924"/> + <title text="The Red Hat Enterprise Linux operating system must be configured so that all networked systems have SSH installed."/> + </overlay> +- <overlay owner="disastig" ruleid="service_sshd_enabled" ownerid="RHEL-07-040310" disa="2422" severity="medium"> +- <VMSinfo VKey="72235" SVKey="86859" VRelease="3"/> ++ <overlay owner="disastig" ruleid="service_sshd_enabled" ownerid="RHEL-07-040310" disa="2420" severity="medium"> ++ <VMSinfo VKey="204586" SVKey="204586r5059" VRelease="r505924"/> + <title text="The Red Hat Enterprise Linux operating system must be configured so that all networked systems use SSH for confidentiality and integrity of transmitted and received information as well as information during preparation for transmission."/> + </overlay> + <overlay owner="disastig" ruleid="sshd_set_idle_timeout" ownerid="RHEL-07-040320" disa="2361" severity="medium"> +- <VMSinfo VKey="72237" SVKey="86861" VRelease="4"/> ++ <VMSinfo VKey="204587" SVKey="204587r5059" VRelease="r505924"/> + <title text="The Red Hat Enterprise Linux operating system must be configured so that all network connections associated with SSH traffic are terminated at the end of the session or after 10 minutes of inactivity, except to fulfill documented and validated mission requirements."/> + </overlay> + <overlay owner="disastig" ruleid="sshd_disable_rhosts_rsa" ownerid="RHEL-07-040330" disa="366" severity="medium"> +- <VMSinfo VKey="72239" SVKey="86863" VRelease="4"/> ++ <VMSinfo VKey="204588" SVKey="204588r5059" VRelease="r505924"/> + <title text="The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon does not allow authentication using RSA rhosts authentication."/> + </overlay> + <overlay owner="disastig" ruleid="sshd_set_keepalive" ownerid="RHEL-07-040340" disa="2361" severity="medium"> +- <VMSinfo VKey="72241" SVKey="86865" VRelease="4"/> ++ <VMSinfo VKey="204589" SVKey="204589r5059" VRelease="r505924"/> + <title text="The Red Hat Enterprise Linux operating system must be configured so that all network connections associated with SSH traffic terminate after a period of inactivity."/> + </overlay> + <overlay owner="disastig" ruleid="sshd_disable_rhosts" ownerid="RHEL-07-040350" disa="366" severity="medium"> +- <VMSinfo VKey="72243" SVKey="86867" VRelease="3"/> ++ <VMSinfo VKey="204590" SVKey="204590r5059" VRelease="r505924"/> + <title text="The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon does not allow authentication using rhosts authentication."/> + </overlay> + <overlay owner="disastig" ruleid="sshd_print_last_log" ownerid="RHEL-07-040360" disa="366" severity="medium"> +- <VMSinfo VKey="72245" SVKey="86869" VRelease="3"/> ++ <VMSinfo VKey="204591" SVKey="204591r5059" VRelease="r505924"/> + <title text="The Red Hat Enterprise Linux operating system must display the date and time of the last successful account logon upon an SSH logon."/> + </overlay> + <overlay owner="disastig" ruleid="sshd_disable_root_login" ownerid="RHEL-07-040370" disa="366" severity="medium"> +- <VMSinfo VKey="72247" SVKey="86871" VRelease="3"/> ++ <VMSinfo VKey="204592" SVKey="204592r5059" VRelease="r505924"/> + <title text="The Red Hat Enterprise Linux operating system must not permit direct logons to the root account using remote access via SSH."/> + </overlay> + <overlay owner="disastig" ruleid="sshd_disable_user_known_hosts" ownerid="RHEL-07-040380" disa="366" severity="medium"> +- <VMSinfo VKey="72249" SVKey="86873" VRelease="3"/> ++ <VMSinfo VKey="204593" SVKey="204593r5059" VRelease="r505924"/> + <title text="The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon does not allow authentication using known hosts authentication."/> + </overlay> + <overlay owner="disastig" ruleid="sshd_allow_only_protocol2" ownerid="RHEL-07-040390" disa="366" severity="high"> +- <VMSinfo VKey="72251" SVKey="86875" VRelease="4"/> ++ <VMSinfo VKey="204594" SVKey="204594r5059" VRelease="r505924"/> + <title text="The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon is configured to only use the SSHv2 protocol."/> + </overlay> + <overlay owner="disastig" ruleid="sshd_use_approved_macs" ownerid="RHEL-07-040400" disa="1453" severity="medium"> +- <VMSinfo VKey="72253" SVKey="86877" VRelease="3"/> ++ <VMSinfo VKey="204595" SVKey="204595r5059" VRelease="r505924"/> + <title text="The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon is configured to only use Message Authentication Codes (MACs) employing FIPS 140-2 approved cryptographic hash algorithms."/> + </overlay> + <overlay owner="disastig" ruleid="file_permissions_sshd_pub_key" ownerid="RHEL-07-040410" disa="366" severity="medium"> +- <VMSinfo VKey="72255" SVKey="86879" VRelease="2"/> ++ <VMSinfo VKey="204596" SVKey="204596r5059" VRelease="r505924"/> + <title text="The Red Hat Enterprise Linux operating system must be configured so that the SSH public host key files have mode 0644 or less permissive."/> + </overlay> + <overlay owner="disastig" ruleid="file_permissions_sshd_private_key" ownerid="RHEL-07-040420" disa="366" severity="medium"> +- <VMSinfo VKey="72257" SVKey="86881" VRelease="3"/> ++ <VMSinfo VKey="204597" SVKey="204597r5059" VRelease="r505924"/> + <title text="The Red Hat Enterprise Linux operating system must be configured so that the SSH private host key files have mode 0640 or less permissive."/> + </overlay> +- <overlay owner="disastig" ruleid="sshd_disable_gssapi_auth" ownerid="RHEL-07-040430" disa="1814" severity="medium"> +- <VMSinfo VKey="72259" SVKey="86883" VRelease="3"/> ++ <overlay owner="disastig" ruleid="sshd_disable_gssapi_auth" ownerid="RHEL-07-040430" disa="1813" severity="medium"> ++ <VMSinfo VKey="204598" SVKey="204598r5059" VRelease="r505924"/> + <title text="The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon does not permit Generic Security Service Application Program Interface (GSSAPI) authentication unless needed."/> + </overlay> +- <overlay owner="disastig" ruleid="sshd_disable_kerb_auth" ownerid="RHEL-07-040440" disa="1814" severity="medium"> +- <VMSinfo VKey="72261" SVKey="86885" VRelease="3"/> ++ <overlay owner="disastig" ruleid="sshd_disable_kerb_auth" ownerid="RHEL-07-040440" disa="1812" severity="medium"> ++ <VMSinfo VKey="204599" SVKey="204599r5059" VRelease="r505924"/> + <title text="The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon does not permit Kerberos authentication unless needed."/> + </overlay> + <overlay owner="disastig" ruleid="sshd_enable_strictmodes" ownerid="RHEL-07-040450" disa="366" severity="medium"> +- <VMSinfo VKey="72263" SVKey="86887" VRelease="3"/> ++ <VMSinfo VKey="204600" SVKey="204600r5059" VRelease="r505924"/> + <title text="The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon performs strict mode checking of home directory configuration files."/> + </overlay> + <overlay owner="disastig" ruleid="sshd_use_priv_separation" ownerid="RHEL-07-040460" disa="366" severity="medium"> +- <VMSinfo VKey="72265" SVKey="86889" VRelease="3"/> ++ <VMSinfo VKey="204601" SVKey="204601r5059" VRelease="r505924"/> + <title text="The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon uses privilege separation."/> + </overlay> + <overlay owner="disastig" ruleid="sshd_disable_compression" ownerid="RHEL-07-040470" disa="366" severity="medium"> +- <VMSinfo VKey="72267" SVKey="86891" VRelease="3"/> ++ <VMSinfo VKey="204602" SVKey="204602r5059" VRelease="r505924"/> + <title text="The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon does not allow compression or only allows compression after successful authentication."/> + </overlay> +- <overlay owner="disastig" ruleid="chronyd_or_ntpd_set_maxpoll" ownerid="RHEL-07-040500" disa="2046" severity="medium"> +- <VMSinfo VKey="72269" SVKey="86893" VRelease="5"/> ++ <overlay owner="disastig" ruleid="chronyd_or_ntpd_set_maxpoll" ownerid="RHEL-07-040500" disa="1891" severity="medium"> ++ <VMSinfo VKey="204603" SVKey="204603r5059" VRelease="r505924"/> + <title text="The Red Hat Enterprise Linux operating system must, for networked systems, synchronize clocks with a server that is synchronized to one of the redundant United States Naval Observatory (USNO) time servers, a time server designated for the appropriate DoD network (NIPRNet/SIPRNet), and/or the Global Positioning System (GPS)."/> + </overlay> + <overlay owner="disastig" ruleid="service_firewalld_enabled" ownerid="RHEL-07-040520" disa="366" severity="medium"> +- <VMSinfo VKey="72273" SVKey="86897" VRelease="2"/> ++ <VMSinfo VKey="204604" SVKey="204604r5059" VRelease="r505924"/> + <title text="The Red Hat Enterprise Linux operating system must enable an application firewall, if available."/> + </overlay> + <overlay owner="disastig" ruleid="display_login_attempts" ownerid="RHEL-07-040530" disa="366" severity="low"> +- <VMSinfo VKey="72275" SVKey="86899" VRelease="4"/> ++ <VMSinfo VKey="204605" SVKey="204605r5059" VRelease="r505924"/> + <title text="The Red Hat Enterprise Linux operating system must display the date and time of the last successful account logon upon logon."/> + </overlay> + <overlay owner="disastig" ruleid="no_user_host_based_files" ownerid="RHEL-07-040540" disa="366" severity="high"> +- <VMSinfo VKey="72277" SVKey="86901" VRelease="2"/> ++ <VMSinfo VKey="204606" SVKey="204606r5059" VRelease="r505924"/> + <title text="The Red Hat Enterprise Linux operating system must not contain .shosts files."/> + </overlay> + <overlay owner="disastig" ruleid="no_host_based_files" ownerid="RHEL-07-040550" disa="366" severity="high"> +- <VMSinfo VKey="72279" SVKey="86903" VRelease="2"/> ++ <VMSinfo VKey="204607" SVKey="204607r5059" VRelease="r505924"/> + <title text="The Red Hat Enterprise Linux operating system must not contain shosts.equiv files."/> + </overlay> + <overlay owner="disastig" ruleid="network_configure_name_resolution" ownerid="RHEL-07-040600" disa="366" severity="low"> +- <VMSinfo VKey="72281" SVKey="86905" VRelease="3"/> ++ <VMSinfo VKey="204608" SVKey="204608r5059" VRelease="r505924"/> + <title text="For Red Hat Enterprise Linux operating systems using DNS resolution, at least two name servers must be configured."/> + </overlay> + <overlay owner="disastig" ruleid="sysctl_net_ipv4_conf_all_accept_source_route" ownerid="RHEL-07-040610" disa="366" severity="medium"> +- <VMSinfo VKey="72283" SVKey="86907" VRelease="2"/> ++ <VMSinfo VKey="204609" SVKey="204609r5059" VRelease="r505924"/> + <title text="The Red Hat Enterprise Linux operating system must not forward Internet Protocol version 4 (IPv4) source-routed packets."/> + </overlay> + <overlay owner="disastig" ruleid="sysctl_net_ipv4_conf_all_rp_filter" ownerid="RHEL-07-040611" disa="366" severity="medium"> +- <VMSinfo VKey="92251" SVKey="102353" VRelease="r1"/> ++ <VMSinfo VKey="204610" SVKey="204610r5059" VRelease="r505924"/> + <title text="The Red Hat Enterprise Linux operating system must use a reverse-path filter for IPv4 network traffic when possible on all interfaces."/> + </overlay> + <overlay owner="disastig" ruleid="sysctl_net_ipv4_conf_default_rp_filter" ownerid="RHEL-07-040612" disa="366" severity="medium"> +- <VMSinfo VKey="92253" SVKey="102355" VRelease="r1"/> ++ <VMSinfo VKey="204611" SVKey="204611r5059" VRelease="r505924"/> + <title text="The Red Hat Enterprise Linux operating system must use a reverse-path filter for IPv4 network traffic when possible by default."/> + </overlay> + <overlay owner="disastig" ruleid="sysctl_net_ipv4_conf_default_accept_source_route" ownerid="RHEL-07-040620" disa="366" severity="medium"> +- <VMSinfo VKey="72285" SVKey="86909" VRelease="2"/> ++ <VMSinfo VKey="204612" SVKey="204612r5059" VRelease="r505924"/> + <title text="The Red Hat Enterprise Linux operating system must not forward Internet Protocol version 4 (IPv4) source-routed packets by default."/> + </overlay> + <overlay owner="disastig" ruleid="sysctl_net_ipv4_icmp_echo_ignore_broadcasts" ownerid="RHEL-07-040630" disa="366" severity="medium"> +- <VMSinfo VKey="72287" SVKey="86911" VRelease="2"/> ++ <VMSinfo VKey="204613" SVKey="204613r5059" VRelease="r505924"/> + <title text="The Red Hat Enterprise Linux operating system must not respond to Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) echoes sent to a broadcast address."/> + </overlay> + <overlay owner="disastig" ruleid="sysctl_net_ipv4_conf_default_accept_redirects" ownerid="RHEL-07-040640" disa="366" severity="medium"> +- <VMSinfo VKey="72289" SVKey="86913" VRelease="3"/> ++ <VMSinfo VKey="204614" SVKey="204614r5059" VRelease="r505924"/> + <title text="The Red Hat Enterprise Linux operating system must prevent Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirect messages from being accepted."/> + </overlay> + <overlay owner="disastig" ruleid="sysctl_net_ipv4_conf_all_accept_redirects" ownerid="RHEL-07-040641" disa="366" severity="medium"> +- <VMSinfo VKey="73175" SVKey="87827" VRelease="4"/> ++ <VMSinfo VKey="204615" SVKey="204615r5059" VRelease="r505924"/> + <title text="The Red Hat Enterprise Linux operating system must ignore Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirect messages."/> + </overlay> + <overlay owner="disastig" ruleid="sysctl_net_ipv4_conf_default_send_redirects" ownerid="RHEL-07-040650" disa="366" severity="medium"> +- <VMSinfo VKey="72291" SVKey="86915" VRelease="4"/> ++ <VMSinfo VKey="204616" SVKey="204616r5059" VRelease="r505924"/> + <title text="The Red Hat Enterprise Linux operating system must not allow interfaces to perform Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirects by default."/> + </overlay> + <overlay owner="disastig" ruleid="sysctl_net_ipv4_conf_all_send_redirects" ownerid="RHEL-07-040660" disa="366" severity="medium"> +- <VMSinfo VKey="72293" SVKey="86917" VRelease="3"/> ++ <VMSinfo VKey="204617" SVKey="204617r5059" VRelease="r505924"/> + <title text="The Red Hat Enterprise Linux operating system must not send Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirects."/> + </overlay> + <overlay owner="disastig" ruleid="network_sniffer_disabled" ownerid="RHEL-07-040670" disa="366" severity="medium"> +- <VMSinfo VKey="72295" SVKey="86919" VRelease="2"/> ++ <VMSinfo VKey="204618" SVKey="204618r5059" VRelease="r505924"/> + <title text="Network interfaces configured on the Red Hat Enterprise Linux operating system must not be in promiscuous mode."/> + </overlay> + <overlay owner="disastig" ruleid="postfix_prevent_unrestricted_relay" ownerid="RHEL-07-040680" disa="366" severity="medium"> +- <VMSinfo VKey="72297" SVKey="86921" VRelease="3"/> ++ <VMSinfo VKey="204619" SVKey="204619r5059" VRelease="r505924"/> + <title text="The Red Hat Enterprise Linux operating system must be configured to prevent unrestricted mail relaying."/> + </overlay> + <overlay owner="disastig" ruleid="package_vsftpd_removed" ownerid="RHEL-07-040690" disa="366" severity="high"> +- <VMSinfo VKey="72299" SVKey="86923" VRelease="3"/> ++ <VMSinfo VKey="204620" SVKey="204620r5059" VRelease="r505924"/> + <title text="The Red Hat Enterprise Linux operating system must not have a File Transfer Protocol (FTP) server package installed unless needed."/> + </overlay> +- <overlay owner="disastig" ruleid="package_tftp-server_removed" ownerid="RHEL-07-040700" disa="1814" severity="high"> +- <VMSinfo VKey="72301" SVKey="86925" VRelease="2"/> ++ <overlay owner="disastig" ruleid="package_tftp-server_removed" ownerid="RHEL-07-040700" disa="368" severity="high"> ++ <VMSinfo VKey="204621" SVKey="204621r5059" VRelease="r505924"/> + <title text="The Red Hat Enterprise Linux operating system must not have the Trivial File Transfer Protocol (TFTP) server package installed if not required for operational support."/> + </overlay> + <overlay owner="disastig" ruleid="sshd_enable_x11_forwarding" ownerid="RHEL-07-040710" disa="366" severity="high"> +- <VMSinfo VKey="72303" SVKey="86927" VRelease="4"/> ++ <VMSinfo VKey="204622" SVKey="204622r5059" VRelease="r505924"/> + <title text="The Red Hat Enterprise Linux operating system must be configured so that remote X connections for interactive users are encrypted."/> + </overlay> + <overlay owner="disastig" ruleid="tftpd_uses_secure_mode" ownerid="RHEL-07-040720" disa="366" severity="medium"> +- <VMSinfo VKey="72305" SVKey="86929" VRelease="3"/> ++ <VMSinfo VKey="204623" SVKey="204623r5059" VRelease="r505924"/> + <title text="The Red Hat Enterprise Linux operating system must be configured so that if the Trivial File Transfer Protocol (TFTP) server is required, the TFTP daemon is configured to operate in secure mode."/> + </overlay> + <overlay owner="disastig" ruleid="package_xorg-x11-server-common_removed" ownerid="RHEL-07-040730" disa="366" severity="medium"> +- <VMSinfo VKey="72307" SVKey="86931" VRelease="4"/> +- <title text="The Red Hat Enterprise Linux operating system must not have an X Windows display manager installed unless approved."/> ++ <VMSinfo VKey="204624" SVKey="204624r5059" VRelease="r505924"/> ++ <title text="The Red Hat Enterprise Linux operating system must not have a graphical display manager installed unless approved."/> + </overlay> + <overlay owner="disastig" ruleid="sysctl_net_ipv4_ip_forward" ownerid="RHEL-07-040740" disa="366" severity="medium"> +- <VMSinfo VKey="72309" SVKey="86933" VRelease="2"/> ++ <VMSinfo VKey="204625" SVKey="204625r5059" VRelease="r505924"/> + <title text="The Red Hat Enterprise Linux operating system must not be performing packet forwarding unless the system is a router."/> + </overlay> + <overlay owner="disastig" ruleid="mount_option_krb_sec_remote_filesystems" ownerid="RHEL-07-040750" disa="366" severity="medium"> +- <VMSinfo VKey="72311" SVKey="86935" VRelease="4"/> ++ <VMSinfo VKey="204626" SVKey="204626r5059" VRelease="r505924"/> + <title text="The Red Hat Enterprise Linux operating system must be configured so that the Network File System (NFS) is configured to use RPCSEC_GSS."/> + </overlay> + <overlay owner="disastig" ruleid="snmpd_not_default_password" ownerid="RHEL-07-040800" disa="366" severity="high"> +- <VMSinfo VKey="72313" SVKey="86937" VRelease="2"/> ++ <VMSinfo VKey="204627" SVKey="204627r5059" VRelease="r505924"/> + <title text="SNMP community strings on the Red Hat Enterprise Linux operating system must be changed from the default."/> + </overlay> + <overlay owner="disastig" ruleid="set_firewalld_default_zone" ownerid="RHEL-07-040810" disa="366" severity="medium"> +- <VMSinfo VKey="72315" SVKey="86939" VRelease="3"/> ++ <VMSinfo VKey="204628" SVKey="204628r5059" VRelease="r505924"/> + <title text="The Red Hat Enterprise Linux operating system access control program must be configured to grant or deny system access to specific hosts and services."/> + </overlay> + <overlay owner="disastig" ruleid="libreswan_approved_tunnels" ownerid="RHEL-07-040820" disa="366" severity="medium"> +- <VMSinfo VKey="72317" SVKey="86941" VRelease="2"/> ++ <VMSinfo VKey="204629" SVKey="204629r5059" VRelease="r505924"/> + <title text="The Red Hat Enterprise Linux operating system must not have unauthorized IP tunnels configured."/> + </overlay> + <overlay owner="disastig" ruleid="sysctl_net_ipv6_conf_all_accept_source_route" ownerid="RHEL-07-040830" disa="366" severity="medium"> +- <VMSinfo VKey="72319" SVKey="86943" VRelease="2"/> ++ <VMSinfo VKey="204630" SVKey="204630r5059" VRelease="r505924"/> + <title text="The Red Hat Enterprise Linux operating system must not forward IPv6 source-routed packets."/> + </overlay> + <overlay owner="disastig" ruleid="install_smartcard_packages" ownerid="RHEL-07-041001" disa="1954" severity="medium"> +- <VMSinfo VKey="72417" SVKey="87041" VRelease="5"/> ++ <VMSinfo VKey="204631" SVKey="204631r5059" VRelease="r505924"/> + <title text="The Red Hat Enterprise Linux operating system must have the required packages for multifactor authentication installed."/> + </overlay> + <overlay owner="disastig" ruleid="sssd_enable_pam_services" ownerid="RHEL-07-041002" disa="1954" severity="medium"> +- <VMSinfo VKey="72427" SVKey="87051" VRelease="4"/> ++ <VMSinfo VKey="204632" SVKey="204632r5059" VRelease="r505924"/> + <title text="The Red Hat Enterprise Linux operating system must implement multifactor authentication for access to privileged accounts via pluggable authentication modules (PAM)."/> + </overlay> +- <overlay owner="disastig" ruleid="smartcard_configure_cert_checking" ownerid="RHEL-07-041003" disa="1954" severity="medium"> +- <VMSinfo VKey="72433" SVKey="87057" VRelease="5"/> ++ <overlay owner="disastig" ruleid="smartcard_configure_cert_checking" ownerid="RHEL-07-041003" disa="1953" severity="medium"> ++ <VMSinfo VKey="204633" SVKey="204633r5059" VRelease="r505924"/> + <title text="The Red Hat Enterprise Linux operating system must implement certificate status checking for PKI authentication."/> + </overlay> + <overlay owner="disastig" ruleid="wireless_disable_interfaces" ownerid="RHEL-07-041010" disa="2418" severity="medium"> +- <VMSinfo VKey="73177" SVKey="87829" VRelease="2"/> ++ <VMSinfo VKey="204634" SVKey="204634r5059" VRelease="r505924"/> + <title text="The Red Hat Enterprise Linux operating system must be configured so that all wireless network adapters are disabled."/> + </overlay> ++ <overlay owner="disastig" ruleid="file_ownership_var_log_audit" ownerid="RHEL-07-910055" disa="1314" severity="medium"> ++ <VMSinfo VKey="228564" SVKey="228564r5059" VRelease="r505924"/> ++ <title text="The Red Hat Enterprise Linux operating system must protect audit information from unauthorized read, modification, or deletion."/> ++ </overlay> + </overlays> +diff --git a/rhel7/profiles/stig.profile b/rhel7/profiles/stig.profile +index 1d94e79964..1841024572 100644 +--- a/rhel7/profiles/stig.profile ++++ b/rhel7/profiles/stig.profile +@@ -11,7 +11,7 @@ title: 'DISA STIG for Red Hat Enterprise Linux 7' + + description: |- + This profile contains configuration checks that align to the +- DISA STIG for Red Hat Enterprise Linux V2R8. ++ DISA STIG for Red Hat Enterprise Linux V3R1. + + In addition to being applicable to Red Hat Enterprise Linux 7, DISA recognizes this + configuration baseline as applicable to the operating system tier of diff --git a/SPECS/scap-security-guide.spec b/SPECS/scap-security-guide.spec index 29f5aaf..cf486d7 100644 --- a/SPECS/scap-security-guide.spec +++ b/SPECS/scap-security-guide.spec @@ -3,8 +3,8 @@ %global _pkgdocdir %{_docdir}/%{name}-%{version} Name: scap-security-guide -Version: 0.1.49 -Release: 13%{?dist} +Version: 0.1.52 +Release: 2%{?dist} Summary: Security guidance and baselines in SCAP formats Group: System Environment/Base @@ -12,81 +12,61 @@ License: BSD-3-Clause URL: https://github.com/ComplianceAsCode/content Source0: %{name}-%{version}.tar.bz2 Patch0: disable-not-in-good-shape-profiles.patch -Patch1: scap-security-guide-0.1.50-simplify_login_banner.patch -Patch2: scap-security-guide-0.1.50-fix_sysctl_rules_description.patch -Patch3: scap-security-guide-0.1.50-parametrize_sshd_approved_ciphers.patch -Patch4: scap-security-guide-0.1.50-ansible_audit_sysadmin_actions_PR_5288.patch -Patch5: scap-security-guide-0.1.50-add_ntp_and_chrony_cpes_PR_5299.patch -Patch6: scap-security-guide-0.1.50-add_chrony_rules_PR_5273.patch -# Changes present in 5299 removed from 5298 -Patch7: scap-security-guide-0.1.50-run_chronyd_as_chrony_user_PR_5298.patch -Patch8: scap-security-guide-0.1.50-ssh_references_PR_5297.patch -Patch9: scap-security-guide-0.1.50-system_file_permissions_references_PR_5301.patch -Patch10: scap-security-guide-0.1.50-add_rhel7_cis_profile_PR_5306.patch -Patch11: scap-security-guide-0.1.50-add_service_rsyncd_disabled_PR_5318.patch -Patch12: scap-security-guide-0.1.50-fix_chronyd_rule_title_PR_5309.patch -Patch13: scap-security-guide-0.1.50-audit_data_retention_reference_PR_5294.patch -Patch14: scap-security-guide-0.1.50-audit_installed_reference_PR_5292.patch -Patch15: scap-security-guide-0.1.50-audit_login_events_references_PR_5296.patch -Patch16: scap-security-guide-0.1.50-banner_permissions_and_owners_PR_5302.patch -Patch17: scap-security-guide-0.1.50-add_package_libselinux_installed_PR_5312.patch -Patch18: scap-security-guide-0.1.50-add_package_openldap-clients_installed_PR_5316.patch -Patch19: scap-security-guide-0.1.50-chrony_references_PR_5331.patch -Patch20: scap-security-guide-0.1.50-add_configure_etc_hosts_deny_PR_5332.patch -Patch21: scap-security-guide-0.1.50-check_banner_owners_and_groupowners_PR_5335.patch -Patch22: scap-security-guide-0.1.50-add_rules_etc_hosts_file_permissions_PR_5323.patch -Patch23: scap-security-guide-0.1.50-add_rules_accounts_backup_files_PR_5317.patch -Patch24: scap-security-guide-0.1.50-fix_typo_in_cce_assignment_PR_5340.patch -Patch25: scap-security-guide-0.1.50-fix_banner_etc_motd_PR_5319.patch -Patch26: scap-security-guide-0.1.50-fix_typo_in_ocil_clause_PR_5342.patch -Patch27: scap-security-guide-0.1.50-add_grub2_disable_ipv6_PR_5324.patch -Patch28: scap-security-guide-0.1.50-fix_ipv6_disable_rule_PR_5547.patch -Patch29: scap-security-guide-0.1.50-add_rules_legacy_plus_in_passwd_PR_5339.patch -Patch30: scap-security-guide-0.1.50-add_missing_cces_PR_5546.patch -Patch31: scap-security-guide-0.1.50-add_etc_hosts_deny_to_unselect_list_PR_5348.patch -Patch32: scap-security-guide-0.1.50-add_rhel7_cis_kickstart_PR_5545.patch -Patch33: scap-security-guide-0.1.50-update_cis_profile_PR_5349.patch -Patch35: scap-security-guide-0.1.50-removable_media_PR_5278.patch -Patch36: scap-security-guide-0.1.50-warn_nonlocal_users_groups.patch -Patch37: scap-security-guide-0.1.50-sshd_allow_p2.patch -Patch38: scap-security-guide-0.1.50-fix_audit_rules_privileged_commands.patch -Patch39: scap-security-guide-0.1.50-fix_ansible_postfix_listening_PR_5353.patch -Patch40: scap-security-guide-0.1.50-add_rule_sshd_disable_x11_forwarding_PR_5554.patch -Patch41: scap-security-guide-0.1.50-fix_rule_rsyslog_nolisten_regex_PR_5557.patch -Patch42: scap-security-guide-0.1.50-change_disable_ipv6_rule_PR_5574.patch -Patch43: scap-security-guide-0.1.50-add_ansible_audit_rules_media_export_PR_5590.patch -Patch44: scap-security-guide-0.1.50-add_ansible_audit_rules_kernel_module_loading_PR_5594.patch -Patch45: scap-security-guide-0.1.50-add_ansible_sshd_set_max_auth_tries_PR_5597.patch -Patch46: scap-security-guide-0.1.50-fix_service_chronyd_enabled_PR_5325.patch -Patch47: scap-security-guide-0.1.50-fix_permissions_backup_etc_passwd_PR_5619.patch -Patch48: scap-security-guide-0.1.50-update_sshd_disable_x11_forwarding_PR_5610.patch -Patch49: scap-security-guide-0.1.50-drop_configure_etc_hosts_deny_remediation_PR_5652.patch -Patch50: scap-security-guide-0.1.50-ansible_audit_avoid_duplicates_PR_5650.patch -Patch51: scap-security-guide-0.1.50-add_ansible_audit_rules_mac_modification_PR_5638.patch -Patch52: scap-security-guide-0.1.50-add_ansible_macro_watch_rule_PR_5658.patch -Patch53: scap-security-guide-0.1.50-add_ansible_macro_syscall_rule_PR_5709.patch -Patch54: scap-security-guide-0.1.50-fix_ansible_macro_watch_rule_PR_5716.patch -Patch55: scap-security-guide-0.1.50-add_ansible_audit_rules_session_events_PR_5721.patch -Patch56: scap-security-guide-0.1.50-add_arch_support_macro_syscall_PR_5723.patch -Patch57: scap-security-guide-0.1.50-add_ansible_audit_time_rules_PR_5720.patch -Patch58: scap-security-guide-0.1.50-add_field_support_macro_syscall_PR_5724.patch -Patch59: scap-security-guide-0.1.50-add_ansible_audit_networkconfig_mod_PR_5719.patch -Patch60: scap-security-guide-0.1.50-add_missing_cces_for_cis_PR_5329.patch -Patch61: scap-security-guide-0.1.50-fix_audit_privileged_commands_test_metadata_PR_5739.patch -Patch62: scap-security-guide-0.1.50-add_ansible_ipv6_option_disabled_PR_5737.patch -Patch63: scap-security-guide-0.1.50-add_audit_rules_immutable_PR_5609.patch -Patch64: scap-security-guide-0.1.50-add_missing_cces_kernel_modules_PR_5236.patch -Patch65: scap-security-guide-0.1.50-add_ansible_ensure_logrotate_activated_PR_5753.patch -Patch66: scap-security-guide-0.1.50-fix_ansible_template_mount_options_PR_5752.patch -Patch67: scap-security-guide-0.1.50-add_rpm_verify_warnings_PR_5755.patch -Patch68: scap-security-guide-0.1.51-fix_ansible_template_mount_options_PR_5765.patch -Patch69: scap-security-guide-0.1.51-fix_rpm_verify_permissions_conflict_PR_5770.patch -Patch70: scap-security-guide-0.1.51-add_ansible_system_shutdown_PR_5761.patch -Patch71: scap-security-guide-0.1.50-fix_boot_target_after_xorg_removed_PR_5625.patch -Patch72: scap-security-guide-0.1.51-add_cis_attributions_PR_5779.patch -Patch73: scap-security-guide-0.1.51-add_hipaa_kickstarts_PR_5783.patch -Patch74: scap-security-guide-0.1.50-fix_test_suite_on_python3_PR_5711.patch -Patch999: centos-debranding.patch +Patch1: scap-security-guide-0.1.53-update_rule_max_pass_life-PR_6027.patch +Patch2: scap-security-guide-0.1.53-update_rule_disable_ctrlaltdel_reboot-PR_6043.patch +Patch3: scap-security-guide-0.1.53-remove_srg_accounts_pam_retry-PR_6045.patch +Patch4: scap-security-guide-0.1.53-update_severity_fail_delay-PR_6040.patch +Patch5: scap-security-guide-0.1.53-update_stig_RHEL_07_040180-PR_6032.diff +Patch6: scap-security-guide-0.1.53-fix_srg_mapping_2-PR_6068.patch +Patch7: scap-security-guide-0.1.53-update_tftpd_uses_secure_mode-PR_6051.patch +Patch8: scap-security-guide-0.1.53-update_stig_RHEL_07_010320_2-PR_6067.patch +Patch9: scap-security-guide-0.1.53-update_stig_RHEL_07_040000-PR_6063.patch +Patch10: scap-security-guide-0.1.53-update_stig_RHEL_07_010340-PR_6049.patch +Patch11: scap-security-guide-0.1.53-value_macros-PR_6048.patch +Patch12: scap-security-guide-0.1.53-update_stig_RHEL_07_020310-PR_6060.patch +Patch13: scap-security-guide-0.1.53-update_srgs_smartcart_cert_checking-PR_6073.patch +Patch14: scap-security-guide-0.1.53-remove_screen_from_stig-PR_6072.patch +Patch15: scap-security-guide-0.1.53-tftpd_fix_variable_type-PR_6077.patch +Patch16: scap-security-guide-0.1.53-update_stig_RHEL_07_010310-PR_6084.patch +Patch17: scap-security-guide-0.1.53-remove_stig_rule-PR_6086.patch +Patch18: scap-security-guide-0.1.53-clean_boilerplate-PR_6042.patch +Patch19: scap-security-guide-0.1.53-update_stig_RHEL_07_040160-PR_6085.patch +Patch20: scap-security-guide-0.1.53-add_ocil_rsyslog_nolisten-PR_6074.patch +Patch21: scap-security-guide-0.1.53-update_stig_references-PR_6104.patch +Patch22: scap-security-guide-0.1.53-update_snmpd_no_default_password-PR_6050.patch +Patch23: scap-security-guide-0.1.53-update_stig_RHEL_07_041001-PR_6083.diff +Patch24: scap-security-guide-0.1.53-add_stig_RHEL_07_040190-PR_6044.patch +Patch25: scap-security-guide-0.1.53-update_audisp_network_failure_action-PR_6071.patch +Patch26: scap-security-guide-0.1.53-ansible_platforms-PR_6025.patch +Patch27: scap-security-guide-0.1.53-introduce_package_platform_name_overrides-PR_6047.patch +Patch28: scap-security-guide-0.1.53-remove_eap6-PR_6119.patch +Patch29: scap-security-guide-0.1.53-fix_ansible_remediation-PR_6116.patch +Patch30: scap-security-guide-0.1.53-fix_severity_stig-PR_6110.patch +Patch31: scap-security-guide-0.1.53-update_rule_install_hips-PR_6039.diff +Patch32: scap-security-guide-0.1.53-fix_aide_rules-PR_6152.patch +Patch33: scap-security-guide-0.1.53-fix_scap_val-PR_6166.patch +Patch34: scap-security-guide-0.1.53-remove_ub1404-PR_6154.patch +Patch35: scap-security-guide-0.1.53-correct_templates-PR_6162.patch +Patch36: scap-security-guide-0.1.53-fix_efi_grub_rule-PR_6276.patch +Patch37: scap-security-guide-0.1.53-fix_audit_rules_privileged_commands_duplicate_rules-PR_6279.patch +Patch38: scap-security-guide-0.1.53-bash_platforms-PR_6061.patch +Patch39: scap-security-guide-0.1.53-fix_emtpy_wrapping-PR_6173.patch +Patch40: scap-security-guide-0.1.53-fix_platform_bash_shellcheck_warning-PR_6184.patch +Patch41: scap-security-guide-0.1.53-fix_zipl_package_mapping-PR_6130.patch +Patch42: scap-security-guide-0.1.53-handle_non_package_cpes-PR_6292.patch +# make other profiles than STIG stable in regards to the rule set. +# The z-stream for STIG update is not supposed to touch any other RHEL7 profiles than the STIG itself. +Patch43: remove_package_rear_installed_from_e8_profile.patch +Patch44: scap-security-guide-0.1.54-split-dconf-automount-rule-PR_5961.patch +Patch45: scap-security-guide-0.1.54-fix-bash_dconf_settings-macro-PR_6364.patch +Patch46: scap-security-guide-0.1.53-fix-extended-definition-PR_6186.patch +Patch47: scap-security-guide-0.1.54-update_stig_reference-PR_6422.patch +Patch48: scap-security-guide-0.1.54-select_xwindows_runlevel_target_stig-PR_6420.patch +Patch49: scap-security-guide-0.1.54-update_stig_severity-PR_6417.patch +Patch50: scap-security-guide-0.1.54-update_RHEL_07_910055-PR_6430.patch +Patch51: scap-security-guide-0.1.54-update_grub2_enable_fips_mode-PR_6418.patch +Patch52: scap-security-guide-0.1.54-add_dir_perms_world_writable_system_owned_group-PR_6421.patch +Patch53: scap-security-guide-0.1.54-update_stig_v3r1-PR_6438.patch BuildArch: noarch @@ -149,6 +129,7 @@ been generated from XCCDF benchmarks present in %{name} package. %patch31 -p1 %patch32 -p1 %patch33 -p1 +%patch34 -p1 %patch35 -p1 %patch36 -p1 %patch37 -p1 @@ -168,28 +149,6 @@ been generated from XCCDF benchmarks present in %{name} package. %patch51 -p1 %patch52 -p1 %patch53 -p1 -%patch54 -p1 -%patch55 -p1 -%patch56 -p1 -%patch57 -p1 -%patch58 -p1 -%patch59 -p1 -%patch60 -p1 -%patch61 -p1 -%patch62 -p1 -%patch63 -p1 -%patch64 -p1 -%patch65 -p1 -%patch66 -p1 -%patch67 -p1 -%patch68 -p1 -%patch69 -p1 -%patch70 -p1 -%patch71 -p1 -%patch72 -p1 -%patch73 -p1 -%patch74 -p1 -%patch999 -p1 # Workaround to remove Python byte cache files from the upstream sources # See https://github.com/ComplianceAsCode/content/issues/4042 @@ -232,6 +191,13 @@ cd build %doc build/guides/ssg-*-guide-*.html %changelog +* Fri Nov 27 2020 Gabriel Becker <ggasparb@redhat.com> - 0.1.52-2 +- Update RHEL7 DISA STIG to V3R1 (RHBZ#1665233) + +* Thu Oct 08 2020 Gabriel Becker <ggasparb@redhat.com> - 0.1.52-1 +- Update to the latest upstream release (RHBZ#1665233) +- Update RHEL7 DISA STIG to V2R8 (RHBZ#1665233) + * Tue May 26 2020 Watson Sato <wsato@redhat.com> - 0.1.49-13 - Add example kickstart for RHEL7 HIPAA (RHBZ#1513087) - Fix Test Suite to run on Python3