diff --git a/.gitignore b/.gitignore
index 7a06ebd..6d68201 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1 @@
-SOURCES/scap-security-guide-0.1.33.tar.bz2
+SOURCES/scap-security-guide-0.1.36.tar.bz2
diff --git a/.scap-security-guide.metadata b/.scap-security-guide.metadata
index ec8edd4..8589e93 100644
--- a/.scap-security-guide.metadata
+++ b/.scap-security-guide.metadata
@@ -1 +1 @@
-165667e0ac14d568b3544e42170d16761b637b3b SOURCES/scap-security-guide-0.1.33.tar.bz2
+1c244d1053d58edb7e5020b7e906b9edc89db48c SOURCES/scap-security-guide-0.1.36.tar.bz2
diff --git a/SOURCES/scap-security-guide-0.1.33-drop_set_firewalld_default_zone_remediation.patch b/SOURCES/scap-security-guide-0.1.33-drop_set_firewalld_default_zone_remediation.patch
deleted file mode 100644
index a080fd1..0000000
--- a/SOURCES/scap-security-guide-0.1.33-drop_set_firewalld_default_zone_remediation.patch
+++ /dev/null
@@ -1,26 +0,0 @@ -From 8098e6e16c1b7a403c27744508c9892d482061fa Mon Sep 17 00:00:00 2001 -From: Watson Sato -Date: Thu, 14 Sep 2017 19:07:46 +0200 -Subject: [PATCH] Drop firewalld default zone and sshd port fixes - -Providing a fix for 'firewalld_sshd_port_enabled' can be very complicated -and will very likely not fit to everyone's use case. And because of that -we drop remediation for 'set_firewalld_sshd_port', which is causing the -remediated machine to refuse all connections. ---- - shared/templates/static/bash/set_firewalld_default_zone.sh | 10 ---- - 1 file changed, 10 deletions(-) - delete mode 100644 shared/templates/static/bash/set_firewalld_default_zone.sh - -diff --git a/shared/templates/static/bash/set_firewalld_default_zone.sh b/shared/templates/static/bash/set_firewalld_default_zone.sh -deleted file mode 100644 -index ada8b68a7..000000000 ---- a/shared/templates/static/bash/set_firewalld_default_zone.sh -+++ /dev/null -@@ -1,6 +0,0 @@ --# platform = Red Hat Enterprise Linux 7 --grep -q ^DefaultZone= /etc/firewalld/firewalld.conf && \ -- sed -i "s/DefaultZone=.*/DefaultZone=drop/g" /etc/firewalld/firewalld.conf --if ! [ $? -eq 0 ]; then -- echo "DefaultZone=drop" >> /etc/firewalld/firewalld.conf --fi diff --git a/SOURCES/scap-security-guide-0.1.33-fix-anaconda-remediation-template-add-remove-package.patch b/SOURCES/scap-security-guide-0.1.33-fix-anaconda-remediation-template-add-remove-package.patch deleted file mode 100644 index 15650cb..0000000 --- a/SOURCES/scap-security-guide-0.1.33-fix-anaconda-remediation-template-add-remove-package.patch +++ /dev/null 
@@ -1,31 +0,0 @@ -From 96e23141350598de62a0265b5a5007f107bb2525 Mon Sep 17 00:00:00 2001 -From: Martin Preisler -Date: Thu, 18 May 2017 11:23:35 -0400 -Subject: [PATCH] Use double dash instead of a single dash in ANACONDA - remediation templates - ---- - shared/templates/template_ANACONDA_package_installed | 2 +- - shared/templates/template_ANACONDA_package_removed | 2 +- - 2 files changed, 2 insertions(+), 2 deletions(-) - -diff --git a/shared/templates/template_ANACONDA_package_installed b/shared/templates/template_ANACONDA_package_installed -index 0fb9ba08d..9adffa7e6 100644 ---- a/shared/templates/template_ANACONDA_package_installed -+++ b/shared/templates/template_ANACONDA_package_installed -@@ -4,4 +4,4 @@ - # complexity = low - # disruption = low - --package -add=PKGNAME -+package --add=PKGNAME -diff --git a/shared/templates/template_ANACONDA_package_removed b/shared/templates/template_ANACONDA_package_removed -index 21d950692..1882c0deb 100644 ---- a/shared/templates/template_ANACONDA_package_removed -+++ b/shared/templates/template_ANACONDA_package_removed -@@ -4,4 +4,4 @@ - # complexity = low - # disruption = low - --package -remove=PKGNAME -+package --remove=PKGNAME diff --git a/SOURCES/scap-security-guide-0.1.33-fix-anaconda-remediation-template-partition-mountoptions.patch b/SOURCES/scap-security-guide-0.1.33-fix-anaconda-remediation-template-partition-mountoptions.patch deleted file mode 100644 index 5b682ad..0000000 --- a/SOURCES/scap-security-guide-0.1.33-fix-anaconda-remediation-template-partition-mountoptions.patch +++ /dev/null 
@@ -1,19 +0,0 @@ -From 1b25ec4ff54215a7668a8cfdcf83ec6c6bb0f4bf Mon Sep 17 00:00:00 2001 -From: Gabe -Date: Thu, 18 May 2017 09:31:43 -0600 -Subject: [PATCH] Fix typo in ANACONDA static templates - ---- - shared/templates/static/anaconda/mount_option_tmp_nodev.anaconda | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/shared/templates/static/anaconda/mount_option_tmp_nodev.anaconda b/shared/templates/static/anaconda/mount_option_tmp_nodev.anaconda -index 992562ebf..b10200ab1 100644 ---- a/shared/templates/static/anaconda/mount_option_tmp_nodev.anaconda -+++ b/shared/templates/static/anaconda/mount_option_tmp_nodev.anaconda -@@ -4,4 +4,4 @@ - # complexity = low - # disruption = high - --part /tmp -mountoptions="nodev" -+part /tmp --mountoptions="nodev" diff --git a/SOURCES/scap-security-guide-0.1.33-fix-anaconda-smart-card-remediation_1461330.patch b/SOURCES/scap-security-guide-0.1.33-fix-anaconda-smart-card-remediation_1461330.patch deleted file mode 100644 index e1006a1..0000000 --- a/SOURCES/scap-security-guide-0.1.33-fix-anaconda-smart-card-remediation_1461330.patch +++ /dev/null 
@@ -1,22 +0,0 @@ -From 620d6704401d8c9538d590c7e8bfdd18cb33034c Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= -Date: Wed, 14 Jun 2017 15:32:30 +0200 -Subject: [PATCH] RHBZ#1461330: Add Anaconda remediation for rule - "smartcard_auth" - -Packages pam_pkcs11 and esc weren't installed by Anaconda during -installing, which caused that users can't log in. ---- - shared/templates/static/anaconda/smartcard_auth.anaconda | 3 +++ - 1 file changed, 3 insertions(+) - create mode 100644 shared/templates/static/anaconda/smartcard_auth.anaconda - -diff --git a/shared/templates/static/anaconda/smartcard_auth.anaconda b/shared/templates/static/anaconda/smartcard_auth.anaconda -new file mode 100644 -index 000000000..fbe3aa984 ---- /dev/null -+++ b/shared/templates/static/anaconda/smartcard_auth.anaconda -@@ -0,0 +1,3 @@ -+# platform = multi_platform_rhel -+ -+package --add=pam_pkcs11 --add=esc diff --git a/SOURCES/scap-security-guide-0.1.33-fix-guide-role-install-dir.patch b/SOURCES/scap-security-guide-0.1.33-fix-guide-role-install-dir.patch deleted file mode 100644 index 65640f6..0000000 --- a/SOURCES/scap-security-guide-0.1.33-fix-guide-role-install-dir.patch +++ /dev/null 
@@ -1,56 +0,0 @@ -diff --git a/cmake/SSGCommon.cmake b/cmake/SSGCommon.cmake -index 45a841f..83a3ad0 100644 ---- a/cmake/SSGCommon.cmake -+++ b/cmake/SSGCommon.cmake -@@ -753,7 +753,7 @@ macro(ssg_build_product PRODUCT) - install( - CODE " - file(GLOB GUIDE_FILES \"${CMAKE_BINARY_DIR}/guides/ssg-${PRODUCT}-guide-*.html\") \n -- file(INSTALL DESTINATION \"\${CMAKE_INSTALL_PREFIX}/${SSG_GUIDE_INSTALL_DIR}\" -+ file(INSTALL DESTINATION \"${SSG_GUIDE_INSTALL_DIR}\" - TYPE FILE FILES \${GUIDE_FILES} - )" - COMPONENT doc -@@ -761,14 +761,14 @@ macro(ssg_build_product PRODUCT) - install( - CODE " - file(GLOB ROLE_FILES \"${CMAKE_BINARY_DIR}/roles/ssg-${PRODUCT}-role-*.yml\") \n -- file(INSTALL DESTINATION \"\${CMAKE_INSTALL_PREFIX}/${SSG_ROLE_INSTALL_DIR}\" -+ file(INSTALL DESTINATION \"${SSG_ROLE_INSTALL_DIR}\" - TYPE FILE FILES \${ROLE_FILES} - )" - ) - install( - CODE " - file(GLOB ROLE_FILES \"${CMAKE_BINARY_DIR}/roles/ssg-${PRODUCT}-role-*.sh\") \n -- file(INSTALL DESTINATION \"\${CMAKE_INSTALL_PREFIX}/${SSG_ROLE_INSTALL_DIR}\" -+ file(INSTALL DESTINATION \"${SSG_ROLE_INSTALL_DIR}\" - TYPE FILE FILES \${ROLE_FILES} - )" - ) -@@ -878,7 +878,7 @@ macro(ssg_build_derivative_product ORIGINAL SHORTNAME DERIVATIVE) - install( - CODE " - file(GLOB GUIDE_FILES \"${CMAKE_BINARY_DIR}/guides/ssg-${DERIVATIVE}-guide-*.html\") \n -- file(INSTALL DESTINATION \"\${CMAKE_INSTALL_PREFIX}/${SSG_GUIDE_INSTALL_DIR}\" -+ file(INSTALL DESTINATION \"${SSG_GUIDE_INSTALL_DIR}\" - TYPE FILE FILES \${GUIDE_FILES} - )" - COMPONENT doc -@@ -886,14 +886,14 @@ macro(ssg_build_derivative_product ORIGINAL SHORTNAME DERIVATIVE) - install( - CODE " - file(GLOB ROLE_FILES \"${CMAKE_BINARY_DIR}/roles/ssg-${DERIVATIVE}-role-*.yml\") \n -- file(INSTALL DESTINATION \"\${CMAKE_INSTALL_PREFIX}/${SSG_ROLE_INSTALL_DIR}\" -+ file(INSTALL DESTINATION \"${SSG_ROLE_INSTALL_DIR}\" - TYPE FILE FILES \${ROLE_FILES} - )" - ) - install( - CODE " - file(GLOB ROLE_FILES 
\"${CMAKE_BINARY_DIR}/roles/ssg-${DERIVATIVE}-role-*.sh\") \n -- file(INSTALL DESTINATION \"\${CMAKE_INSTALL_PREFIX}/${SSG_ROLE_INSTALL_DIR}\" -+ file(INSTALL DESTINATION \"${SSG_ROLE_INSTALL_DIR}\" - TYPE FILE FILES \${ROLE_FILES} - )" - ) diff --git a/SOURCES/scap-security-guide-0.1.33-fix-ospp-rhel7-table.patch b/SOURCES/scap-security-guide-0.1.33-fix-ospp-rhel7-table.patch deleted file mode 100644 index c2a1579..0000000 --- a/SOURCES/scap-security-guide-0.1.33-fix-ospp-rhel7-table.patch +++ /dev/null @@ -1,23 +0,0 @@ -From 17c80ede5d0e9d6253b2fa0c70714dd64e349eca Mon Sep 17 00:00:00 2001 -From: Watson Sato -Date: Mon, 15 May 2017 17:25:35 +0200 -Subject: [PATCH] Build table for ospp-rhel7, not ospp-rhel7-server - -The profile has been renamed from ospp-rhel7-server to ospp-rhel7. ---- - RHEL/7/CMakeLists.txt | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/RHEL/7/CMakeLists.txt b/RHEL/7/CMakeLists.txt -index b49f556e8..5253b3a9f 100644 ---- a/RHEL/7/CMakeLists.txt -+++ b/RHEL/7/CMakeLists.txt -@@ -10,7 +10,7 @@ ssg_build_html_table_by_ref(${PRODUCT} "cui") - ssg_build_html_table_by_ref(${PRODUCT} "pcidss") - - ssg_build_html_nistrefs_table(${PRODUCT} "common") --ssg_build_html_nistrefs_table(${PRODUCT} "ospp-${PRODUCT}-server") -+ssg_build_html_nistrefs_table(${PRODUCT} "ospp-${PRODUCT}") - ssg_build_html_nistrefs_table(${PRODUCT} "C2S") - ssg_build_html_nistrefs_table(${PRODUCT} "stig-${PRODUCT}-disa") - diff --git a/SOURCES/scap-security-guide-0.1.33-fix-profile_nist-800-171-cui-malformed-title.patch b/SOURCES/scap-security-guide-0.1.33-fix-profile_nist-800-171-cui-malformed-title.patch deleted file mode 100644 index f297c49..0000000 --- a/SOURCES/scap-security-guide-0.1.33-fix-profile_nist-800-171-cui-malformed-title.patch +++ /dev/null 
@@ -1,23 +0,0 @@ -From cca881e45751b0abd4f7044813079dc61d5a53ec Mon Sep 17 00:00:00 2001 -From: Martin Preisler -Date: Tue, 9 May 2017 15:51:55 -0400 -Subject: [PATCH] Use @override for NIST 800 171 CUI profile - -Otherwise the name of the profile gets concatenated with the name of the -profile it extends. ---- - RHEL/7/input/profiles/nist-800-171-cui.xml | 3 +-- - 1 file changed, 1 insertion(+), 2 deletions(-) - -diff --git a/RHEL/7/input/profiles/nist-800-171-cui.xml b/RHEL/7/input/profiles/nist-800-171-cui.xml -index 0a3ea2550..a021035f9 100644 ---- a/RHEL/7/input/profiles/nist-800-171-cui.xml -+++ b/RHEL/7/input/profiles/nist-800-171-cui.xml -@@ -1,6 +1,5 @@ - --Unclassified Information in Non-federal Information Systems and --Organizations (NIST 800-171) -+Unclassified Information in Non-federal Information Systems and Organizations (NIST 800-171) - From NIST 800-171, Section 2.2: - Security requirements for protecting the confidentiality of CUI in nonfederal - information systems and organizations have a well-defined structure that diff --git a/SOURCES/scap-security-guide-0.1.33-update-upstream-manual-page.patch b/SOURCES/scap-security-guide-0.1.33-update-upstream-manual-page.patch index aae4ece..f37821c 100644 --- a/SOURCES/scap-security-guide-0.1.33-update-upstream-manual-page.patch +++ b/SOURCES/scap-security-guide-0.1.33-update-upstream-manual-page.patch @@ -26,4 +26,4 @@ index 10b83bc..305957b 100644 - .SH EXAMPLES To scan your system utilizing the OpenSCAP utility against the - stig-rhel6-server-upstream profile: + ospp-rhel7 profile: diff --git a/SOURCES/scap-security-guide-0.1.37-Deprecate-RhostsRSAAuthentication.patch b/SOURCES/scap-security-guide-0.1.37-Deprecate-RhostsRSAAuthentication.patch new file mode 100644 index 0000000..928131d --- /dev/null +++ b/SOURCES/scap-security-guide-0.1.37-Deprecate-RhostsRSAAuthentication.patch 
@@ -0,0 +1,57 @@ +From 44d270133421722ac0dfa0af9756b73d582f4d56 Mon Sep 17 00:00:00 2001 +From: Gabe +Date: Fri, 8 Dec 2017 11:59:13 -0700 +Subject: [PATCH] Deprecate RhostsRSAAuthentication as it have been deprecated + in 7.4 + +- Fixes #2478 +--- + shared/checks/oval/sshd_disable_rhosts_rsa.xml | 7 +++++-- + shared/xccdf/services/ssh.xml | 9 +++++++++ + 2 files changed, 14 insertions(+), 2 deletions(-) + +diff --git a/shared/checks/oval/sshd_disable_rhosts_rsa.xml b/shared/checks/oval/sshd_disable_rhosts_rsa.xml +index d7e00fafc..2abf88c70 100644 +--- a/shared/checks/oval/sshd_disable_rhosts_rsa.xml ++++ b/shared/checks/oval/sshd_disable_rhosts_rsa.xml +@@ -15,8 +15,11 @@ + + +- ++ ++ ++ ++ + + + +diff --git a/shared/xccdf/services/ssh.xml b/shared/xccdf/services/ssh.xml +index 6edd47ab8..53c28faa9 100644 +--- a/shared/xccdf/services/ssh.xml ++++ b/shared/xccdf/services/ssh.xml +@@ -603,6 +603,11 @@ following line in /etc/ssh/sshd_config: +
RhostsRSAAuthentication no
+
+ ++To check which SSH protocol version is allowed, check version of ++openssh-server with following command: ++
$ rpm -qi openssh-server | grep Version
++Versions equal to or higher than 7.4 have deprecated the RhostsRSAAuthentication option. ++If version is lower than 7.4, run the following command to check configuration: + +
+ +@@ -610,6 +615,10 @@ Configuring this setting for the SSH daemon provides additional + assurance that remove login via SSH will require a password, even + in the event of misconfiguration elsewhere. + ++As of openssh-server version 7.4 and above, ++the RhostsRSAAuthentication option has been deprecated, and the line ++
RhostsRSAAuthentication no
in /etc/ssh/sshd_config is not ++necessary.
+ + + diff --git a/SOURCES/scap-security-guide-0.1.37-add-disa-stig-rule-id.patch b/SOURCES/scap-security-guide-0.1.37-add-disa-stig-rule-id.patch new file mode 100644 index 0000000..16e5eac --- /dev/null +++ b/SOURCES/scap-security-guide-0.1.37-add-disa-stig-rule-id.patch 
@@ -0,0 +1,95 @@ +From 4bfc0f1d9cfe21ec672fc806f5421272f1c0b41f Mon Sep 17 00:00:00 2001 +From: Wesley Ceraso Prudencio +Date: Wed, 1 Nov 2017 14:17:24 +0100 +Subject: [PATCH] Enables the STIG Rule ID to be output + +Signed-off-by: Wesley Ceraso Prudencio +--- + cmake/SSGCommon.cmake | 5 ++++ + shared/utils/add_stig_references.py | 57 +++++++++++++++++++++++++++++++++++++ + 2 files changed, 62 insertions(+) + create mode 100755 shared/utils/add_stig_references.py + +diff --git a/cmake/SSGCommon.cmake b/cmake/SSGCommon.cmake +index 8ac826ef6..786e07532 100644 +--- a/cmake/SSGCommon.cmake ++++ b/cmake/SSGCommon.cmake +@@ -130,10 +130,15 @@ macro(ssg_build_shorthand_xml PRODUCT) + endmacro() + + macro(ssg_build_xccdf_unlinked PRODUCT) ++ file(GLOB STIG_REFERENCE_FILE_LIST "${SSG_SHARED_REFS}/disa-stig-${PRODUCT}-*-xccdf-manual.xml") ++ list(APPEND STIG_REFERENCE_FILE_LIST "not-found") ++ list(GET STIG_REFERENCE_FILE_LIST 0 STIG_REFERENCE_FILE) ++ + add_custom_command( + OUTPUT "${CMAKE_CURRENT_BINARY_DIR}/xccdf-unlinked-resolved.xml" + COMMAND "${XSLTPROC_EXECUTABLE}" --stringparam ssg_version "${SSG_VERSION}" --output "${CMAKE_CURRENT_BINARY_DIR}/xccdf-unlinked-resolved.xml" "${CMAKE_CURRENT_SOURCE_DIR}/transforms/shorthand2xccdf.xslt" "${CMAKE_CURRENT_BINARY_DIR}/shorthand.xml" + COMMAND "${OPENSCAP_OSCAP_EXECUTABLE}" xccdf resolve -o "${CMAKE_CURRENT_BINARY_DIR}/xccdf-unlinked-resolved.xml" "${CMAKE_CURRENT_BINARY_DIR}/xccdf-unlinked-resolved.xml" ++ COMMAND "${SSG_SHARED_UTILS}/add_stig_references.py" --disa-stig "${STIG_REFERENCE_FILE}" --unlinked-xccdf "${CMAKE_CURRENT_BINARY_DIR}/xccdf-unlinked-resolved.xml" + DEPENDS generate-internal-${PRODUCT}-shorthand.xml + DEPENDS "${CMAKE_CURRENT_BINARY_DIR}/shorthand.xml" + DEPENDS "${CMAKE_CURRENT_SOURCE_DIR}/transforms/shorthand2xccdf.xslt" +diff --git a/shared/utils/add_stig_references.py b/shared/utils/add_stig_references.py +new file mode 100755 +index 000000000..0ab208793 +--- /dev/null ++++ 
b/shared/utils/add_stig_references.py +@@ -0,0 +1,57 @@ ++#!/usr/bin/env python2 ++ ++try: ++ from xml.etree import cElementTree as etree ++except ImportError: ++ import cElementTree as etree ++ ++import re ++import sys ++import argparse ++ ++parser = argparse.ArgumentParser( ++ description='Add STIG references to XCCDF files.') ++parser.add_argument( ++ "--disa-stig", help="DISA STIG Reference XCCDF file",dest="reference") ++parser.add_argument( ++ "--unlinked-xccdf", help="unlinked SSG XCCDF file", dest="destination") ++args = parser.parse_args() ++ ++reference = args.reference ++destination = args.destination ++ ++xccdf_namespace = "http://checklists.nist.gov/xccdf/1.1" ++stig_href = 'http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx' ++stig_references_beginning = 'http://iase.disa.mil/stigs/' ++ ++try: ++ reference_root = etree.parse(reference) ++except IOError as exception: ++ print 'INFO: DISA STIG Reference file not found for this platform' ++ sys.exit(0) ++ ++reference_rules = reference_root.findall('.//{%s}Rule' % xccdf_namespace) ++ ++dictionary = {} ++ ++for rule in reference_rules: ++ version = rule.find('.//{%s}version' % xccdf_namespace) ++ if version is not None and version.text: ++ dictionary[version.text] = rule.get('id') ++ ++target_root = etree.parse(destination) ++target_rules = target_root.findall('.//{%s}Rule' % xccdf_namespace) ++ ++for rule in target_rules: ++ refs = rule.findall('.//{%s}reference' % xccdf_namespace) ++ for ref in refs: ++ if (ref.get('href').startswith(stig_references_beginning) and ++ ref.text in dictionary): ++ index = rule.getchildren().index(ref) ++ new_ref = etree.Element( ++ '{%s}reference' % xccdf_namespace, {'href': stig_href}) ++ new_ref.text = dictionary[ref.text] ++ new_ref.tail = ref.tail ++ rule.insert(index + 1, new_ref) ++ ++target_root.write(destination) 
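Review bot: In add_stig_references.py the test `ref.get('href').startswith(stig_references_beginning)` raises AttributeError on any `<reference>` element that has no href attribute, which aborts the whole build step; use `ref.get('href', '').startswith(stig_references_beginning)`. In the SSGCommon.cmake hunk the new COMMAND runs the script and reads `${STIG_REFERENCE_FILE}`, but the script is not listed under DEPENDS, so editing it does not rebuild xccdf-unlinked-resolved.xml; add `DEPENDS "${SSG_SHARED_UTILS}/add_stig_references.py"` next to the existing DEPENDS lines (the reference file itself cannot be a dependency because the fallback value is the literal `not-found`). Two further things worth a comment in the script: `dictionary[version.text] = rule.get('id')` silently keeps the last Rule when two reference rules share a version, and `target_root.write(destination)` rewrites the input file in place, which with ElementTree can change namespace prefixes and drop the XML declaration unless the namespaces are registered first — presumably harmless for the later linking step, but worth confirming.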
diff --git a/SOURCES/scap-security-guide-0.1.37-disable-check-libexec_ownership.patch b/SOURCES/scap-security-guide-0.1.37-disable-check-libexec_ownership.patch new file mode 100644 index 0000000..6289dcb --- /dev/null +++ b/SOURCES/scap-security-guide-0.1.37-disable-check-libexec_ownership.patch @@ -0,0 +1,23 @@ +From 6f502074053282dd3afbb5ed1594fbbd524c9bc6 Mon Sep 17 00:00:00 2001 +From: Gabe +Date: Fri, 8 Dec 2017 11:34:50 -0700 +Subject: [PATCH] Do not check library ownership in libexec + +- Fixes #2473 +--- + shared/checks/oval/file_ownership_library_dirs.xml | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/shared/checks/oval/file_ownership_library_dirs.xml b/shared/checks/oval/file_ownership_library_dirs.xml +index 41394a01e..186c99012 100644 +--- a/shared/checks/oval/file_ownership_library_dirs.xml ++++ b/shared/checks/oval/file_ownership_library_dirs.xml +@@ -34,7 +34,7 @@ + + + +- ^\/lib(|64)|^\/usr\/lib(|64) ++ ^\/lib(|64)\/|^\/usr\/lib(|64)\/ + ^.*$ + state_owner_libraries_not_root + diff --git a/SOURCES/scap-security-guide-0.1.37-fix-missing-bash-remediation-include.patch b/SOURCES/scap-security-guide-0.1.37-fix-missing-bash-remediation-include.patch new file mode 100644 index 0000000..83822b8 --- /dev/null +++ b/SOURCES/scap-security-guide-0.1.37-fix-missing-bash-remediation-include.patch 
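Review bot: The new pattern `^\/lib(|64)\/|^\/usr\/lib(|64)\/` is a point of style: the empty-alternative group `(|64)` is an unusual way to spell an optional suffix, and the two anchored branches can be folded into one, `^\/(usr\/)?lib(64)?\/`, which matches the same four prefixes and is easier to verify. The trailing `\/` is what actually excludes /libexec and /usr/libexec, so a short XML comment stating that intent next to the pattern would keep the next editor from "simplifying" it away. Note also that the directory entries /lib and /usr/lib themselves no longer match, only paths beneath them, which looks intended for an ownership check but is worth confirming.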
@@ -0,0 +1,31 @@ +From 4f9987487d11001ef666408dc88abaf783fa7395 Mon Sep 17 00:00:00 2001 +From: Marek Haicman +Date: Tue, 12 Dec 2017 00:04:39 +0100 +Subject: [PATCH] Fixed few remediation errors caused by missing include. + +--- + ...el7_fedora_perform_audit_adjtimex_settimeofday_stime_remediation.sh | 2 ++ + shared/fixes/bash/disable_ctrlaltdel_burstaction.sh | 3 +++ + 2 files changed, 5 insertions(+) + +diff --git a/shared/bash_remediation_functions/rhel7_fedora_perform_audit_adjtimex_settimeofday_stime_remediation.sh b/shared/bash_remediation_functions/rhel7_fedora_perform_audit_adjtimex_settimeofday_stime_remediation.sh +index 26498471e..755d483ac 100644 +--- a/shared/bash_remediation_functions/rhel7_fedora_perform_audit_adjtimex_settimeofday_stime_remediation.sh ++++ b/shared/bash_remediation_functions/rhel7_fedora_perform_audit_adjtimex_settimeofday_stime_remediation.sh +@@ -1,3 +1,5 @@ ++source fix_audit_syscall_rule.sh ++ + # Perform the remediation for the 'adjtimex', 'settimeofday', and 'stime' audit + # system calls on Red Hat Enterprise Linux 7 or Fedora OSes + function rhel7_fedora_perform_audit_adjtimex_settimeofday_stime_remediation { +diff --git a/shared/fixes/bash/disable_ctrlaltdel_burstaction.sh b/shared/fixes/bash/disable_ctrlaltdel_burstaction.sh +index ab01748c8..5266cf255 100644 +--- a/shared/fixes/bash/disable_ctrlaltdel_burstaction.sh ++++ b/shared/fixes/bash/disable_ctrlaltdel_burstaction.sh +@@ -1,3 +1,6 @@ + # platform = Red Hat Enterprise Linux 7, multi_platform_fedora + ++# Include source function library. ++. /usr/share/scap-security-guide/remediation_functions ++ + replace_or_append '/etc/systemd/system.conf' '^CtrlAltDelBurstAction=' 'none' '@CCENUM@' '%s=%s' diff --git a/SOURCES/scap-security-guide-0.1.37-fix-srg-table-empty-column.path b/SOURCES/scap-security-guide-0.1.37-fix-srg-table-empty-column.path new file mode 100644 index 0000000..242934a --- /dev/null 
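Review bot: `source fix_audit_syscall_rule.sh` in rhel7_fedora_perform_audit_adjtimex_settimeofday_stime_remediation.sh names the file without any path, so bash resolves it through PATH (and, outside POSIX mode, the current directory) rather than relative to this file, and a remediation run from another working directory loads nothing or, with a writable directory on PATH, something else. The sibling hunk for disable_ctrlaltdel_burstaction.sh takes the safer route with an absolute path, `. /usr/share/scap-security-guide/remediation_functions`; if the bash_remediation_functions files are sourced at run time, the same absolute form (or `source "$(dirname "${BASH_SOURCE[0]}")/fix_audit_syscall_rule.sh"`) should be used here too. If instead they are concatenated into remediation_functions at build time, the line is redundant and a comment saying so would help; I cannot tell which from this hunk.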
+++ b/SOURCES/scap-security-guide-0.1.37-fix-srg-table-empty-column.path @@ -0,0 +1,51 @@ +From 8b43d43533cf4a00de60da71a8aaa6e87776766f Mon Sep 17 00:00:00 2001 +From: Gabe +Date: Fri, 3 Nov 2017 10:36:57 -0600 +Subject: [PATCH] Remove CCI formatting from shared table-srgmap XSLT + +- CCI formatting is now done in earlier XSLT transformations. +- Fixes #2447 +--- + shared/transforms/shared_table-srgmap.xslt | 14 ++++++-------- + 1 file changed, 6 insertions(+), 8 deletions(-) + +diff --git a/shared/transforms/shared_table-srgmap.xslt b/shared/transforms/shared_table-srgmap.xslt +index 4a50dea33..7179f560e 100644 +--- a/shared/transforms/shared_table-srgmap.xslt ++++ b/shared/transforms/shared_table-srgmap.xslt +@@ -46,7 +46,7 @@ + + + +- ++ + + + +@@ -77,10 +77,9 @@ + + + +- +- +- +- ++ ++ ++ + + + +@@ -100,10 +99,9 @@ + + + +- +- ++ + +- ++ + + + diff --git a/SOURCES/scap-security-guide-0.1.37-fix-sshd_required-unset.patch b/SOURCES/scap-security-guide-0.1.37-fix-sshd_required-unset.patch new file mode 100644 index 0000000..8aeb431 --- /dev/null +++ b/SOURCES/scap-security-guide-0.1.37-fix-sshd_required-unset.patch 
@@ -0,0 +1,822 @@ +From 939d1cfd84b980e3a96dd1d82dfddcabf4b2a34a Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Fri, 8 Dec 2017 15:14:26 +0100 +Subject: [PATCH 1/6] Drop check of package in sshd_required definitions + +This is not the best place to check if openssh-server is installed. + +We can check for openssh-server package when sshd is required and not +required. +But when sshd_required is not set, we don't check if openssh-server is +installed or not, because both are valid states. + +This gives the impression that when extending sshd_required_or_unset +and sshd_not_required_or_unset there is no need to check for +openssh-server package, which is not true. + +The only purpose of these definitions should be to check for state of +sshd_required value. +--- + shared/checks/oval/sshd_not_required_or_unset.xml | 6 +----- + shared/checks/oval/sshd_required_or_unset.xml | 6 +----- + 2 files changed, 2 insertions(+), 10 deletions(-) + +diff --git a/shared/checks/oval/sshd_not_required_or_unset.xml b/shared/checks/oval/sshd_not_required_or_unset.xml +index 76bf1b9b4..206b1b474 100644 +--- a/shared/checks/oval/sshd_not_required_or_unset.xml ++++ b/shared/checks/oval/sshd_not_required_or_unset.xml +@@ -9,11 +9,7 @@ + If SSHD is not required, we check it is not installed. If SSH requirement is unset, we are good. + + +- +- +- +- ++ + + +diff --git a/shared/checks/oval/sshd_required_or_unset.xml b/shared/checks/oval/sshd_required_or_unset.xml +index 04d6a687b..4518b181f 100644 +--- a/shared/checks/oval/sshd_required_or_unset.xml ++++ b/shared/checks/oval/sshd_required_or_unset.xml +@@ -9,11 +9,7 @@ + If SSHD is required, we check it is installed. If SSH requirement is unset, we are good. 
+ + +- +- +- +- ++ + + + +From 0b02493e535e9b529af9eb71bf97f5b02d04c89e Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Wed, 13 Dec 2017 18:09:47 +0100 +Subject: [PATCH 2/6] Also check state openssh-server package when + sshd_required is unset + +Explicitly check state of openssh-server package. +When openssh-server is installed, system should be configured, when not +installed, system is ok. +When sshd_required is set, either to required or not required, they act +as selector of openssh-server package state. If sshd_required is unset, +the state of openssh-server package selects whether system should be +configured or not. +--- + rhel7/checks/oval/sshd_disable_compression.xml | 14 ++++++++++---- + rhel7/checks/oval/sshd_disable_gssapi_auth.xml | 14 ++++++++++---- + rhel7/checks/oval/sshd_disable_kerb_auth.xml | 14 ++++++++++---- + rhel7/checks/oval/sshd_enable_strictmodes.xml | 14 ++++++++++---- + rhel7/checks/oval/sshd_use_approved_macs.xml | 14 ++++++++++---- + rhel7/checks/oval/sshd_use_priv_separation.xml | 14 ++++++++++---- + shared/checks/oval/disable_host_auth.xml | 15 +++++++++++---- + shared/checks/oval/sshd_allow_only_protocol2.xml | 15 +++++++++++---- + shared/checks/oval/sshd_disable_empty_passwords.xml | 14 ++++++++++---- + shared/checks/oval/sshd_disable_rhosts.xml | 14 ++++++++++---- + shared/checks/oval/sshd_disable_rhosts_rsa.xml | 14 ++++++++++---- + shared/checks/oval/sshd_disable_root_login.xml | 14 ++++++++++---- + shared/checks/oval/sshd_disable_user_known_hosts.xml | 15 +++++++++++---- + shared/checks/oval/sshd_do_not_permit_user_env.xml | 14 ++++++++++---- + shared/checks/oval/sshd_enable_warning_banner.xml | 14 ++++++++++---- + shared/checks/oval/sshd_enable_x11_forwarding.xml | 14 ++++++++++---- + shared/checks/oval/sshd_print_last_log.xml | 14 ++++++++++---- + shared/checks/oval/sshd_set_idle_timeout.xml | 18 ++++++++++++------ + shared/checks/oval/sshd_set_keepalive.xml | 14 ++++++++++---- + 
shared/checks/oval/sshd_use_approved_ciphers.xml | 18 ++++++++++++------ + shared/checks/oval/sshd_use_approved_macs.xml | 14 ++++++++++---- + 21 files changed, 217 insertions(+), 88 deletions(-) + +diff --git a/rhel7/checks/oval/sshd_disable_compression.xml b/rhel7/checks/oval/sshd_disable_compression.xml +index 8a4334f06..014741fe1 100644 +--- a/rhel7/checks/oval/sshd_disable_compression.xml ++++ b/rhel7/checks/oval/sshd_disable_compression.xml +@@ -7,13 +7,19 @@ + + SSH should either have compression disabled or set to delayed. + +- +- ++ ++ ++ ++ + +- ++ + + +diff --git a/rhel7/checks/oval/sshd_disable_gssapi_auth.xml b/rhel7/checks/oval/sshd_disable_gssapi_auth.xml +index ee184b8e8..5f32edc1e 100644 +--- a/rhel7/checks/oval/sshd_disable_gssapi_auth.xml ++++ b/rhel7/checks/oval/sshd_disable_gssapi_auth.xml +@@ -8,13 +8,19 @@ + Unless needed, disable the GSSAPI authentication option for + the SSH Server. + +- +- ++ ++ ++ ++ + +- ++ + + +diff --git a/rhel7/checks/oval/sshd_disable_kerb_auth.xml b/rhel7/checks/oval/sshd_disable_kerb_auth.xml +index c63cef03e..6f0e0babe 100644 +--- a/rhel7/checks/oval/sshd_disable_kerb_auth.xml ++++ b/rhel7/checks/oval/sshd_disable_kerb_auth.xml +@@ -8,13 +8,19 @@ + Unless needed, disable the Kerberos authentication option for + the SSH Server. + +- +- ++ ++ ++ ++ + +- ++ + + +diff --git a/rhel7/checks/oval/sshd_enable_strictmodes.xml b/rhel7/checks/oval/sshd_enable_strictmodes.xml +index 1346191d5..7728f6ae6 100644 +--- a/rhel7/checks/oval/sshd_enable_strictmodes.xml ++++ b/rhel7/checks/oval/sshd_enable_strictmodes.xml +@@ -8,13 +8,19 @@ + Enable StrictMode to check users home directory permissions + and configurations. 
+ +- +- ++ ++ ++ ++ + +- ++ + + +diff --git a/rhel7/checks/oval/sshd_use_approved_macs.xml b/rhel7/checks/oval/sshd_use_approved_macs.xml +index bd05a5152..20b57041b 100644 +--- a/rhel7/checks/oval/sshd_use_approved_macs.xml ++++ b/rhel7/checks/oval/sshd_use_approved_macs.xml +@@ -9,13 +9,19 @@ + + + +- +- ++ ++ ++ ++ + +- ++ + + +diff --git a/rhel7/checks/oval/sshd_use_priv_separation.xml b/rhel7/checks/oval/sshd_use_priv_separation.xml +index c5ae32c27..2ec883fea 100644 +--- a/rhel7/checks/oval/sshd_use_priv_separation.xml ++++ b/rhel7/checks/oval/sshd_use_priv_separation.xml +@@ -8,13 +8,19 @@ + Use priviledge separation to cause the SSH process to drop + root privileges when not needed. + +- +- ++ ++ ++ ++ + +- ++ + + +diff --git a/shared/checks/oval/disable_host_auth.xml b/shared/checks/oval/disable_host_auth.xml +index 3e4cc5aea..3a00964ab 100644 +--- a/shared/checks/oval/disable_host_auth.xml ++++ b/shared/checks/oval/disable_host_auth.xml +@@ -7,12 +7,19 @@ + + SSH host-based authentication should be disabled. + +- +- ++ ++ ++ ++ ++ + +- ++ + + +diff --git a/shared/checks/oval/sshd_allow_only_protocol2.xml b/shared/checks/oval/sshd_allow_only_protocol2.xml +index 0a7ace128..224010263 100644 +--- a/shared/checks/oval/sshd_allow_only_protocol2.xml ++++ b/shared/checks/oval/sshd_allow_only_protocol2.xml +@@ -9,12 +9,19 @@ + + The OpenSSH daemon should be running protocol 2. 
+ +- +- ++ ++ ++ ++ ++ + +- ++ + + + Remote connections from accounts with empty passwords should + be disabled (and dependencies are met) + +- +- ++ ++ ++ ++ + +- ++ + + +diff --git a/shared/checks/oval/sshd_disable_rhosts.xml b/shared/checks/oval/sshd_disable_rhosts.xml +index 86eb94a22..163ccfca5 100644 +--- a/shared/checks/oval/sshd_disable_rhosts.xml ++++ b/shared/checks/oval/sshd_disable_rhosts.xml +@@ -8,13 +8,19 @@ + Emulation of the rsh command through the ssh server should + be disabled (and dependencies are met) + +- +- ++ ++ ++ ++ + +- ++ + + +diff --git a/shared/checks/oval/sshd_disable_rhosts_rsa.xml b/shared/checks/oval/sshd_disable_rhosts_rsa.xml +index 2abf88c70..e949fb031 100644 +--- a/shared/checks/oval/sshd_disable_rhosts_rsa.xml ++++ b/shared/checks/oval/sshd_disable_rhosts_rsa.xml +@@ -8,13 +8,19 @@ + SSH can allow authentication through the obsolete rsh command + through the use of the authenticating user's SSH keys. This should be disabled. + +- +- ++ ++ ++ ++ + +- ++ + + + Root login via SSH should be disabled (and dependencies are + met) + +- +- ++ ++ ++ ++ + +- ++ + + +diff --git a/shared/checks/oval/sshd_disable_user_known_hosts.xml b/shared/checks/oval/sshd_disable_user_known_hosts.xml +index cc01ec6ca..0e121d496 100644 +--- a/shared/checks/oval/sshd_disable_user_known_hosts.xml ++++ b/shared/checks/oval/sshd_disable_user_known_hosts.xml +@@ -9,12 +9,19 @@ + to connect to systems if a cache of the remote systems public keys are available. + This should be disabled. 
+ +- +- ++ ++ ++ ++ ++ + +- ++ + + +diff --git a/shared/checks/oval/sshd_do_not_permit_user_env.xml b/shared/checks/oval/sshd_do_not_permit_user_env.xml +index ad8ecdf68..afb799e20 100644 +--- a/shared/checks/oval/sshd_do_not_permit_user_env.xml ++++ b/shared/checks/oval/sshd_do_not_permit_user_env.xml +@@ -7,13 +7,19 @@ + + PermitUserEnvironment should be disabled + +- +- ++ ++ ++ ++ + +- ++ + + +diff --git a/shared/checks/oval/sshd_enable_warning_banner.xml b/shared/checks/oval/sshd_enable_warning_banner.xml +index 933822eb6..cd14ec9e9 100644 +--- a/shared/checks/oval/sshd_enable_warning_banner.xml ++++ b/shared/checks/oval/sshd_enable_warning_banner.xml +@@ -8,13 +8,19 @@ + SSH warning banner should be enabled (and dependencies are + met) + +- +- ++ ++ ++ ++ + +- ++ + + +diff --git a/shared/checks/oval/sshd_enable_x11_forwarding.xml b/shared/checks/oval/sshd_enable_x11_forwarding.xml +index 3aa45e51b..0a0e1bafd 100644 +--- a/shared/checks/oval/sshd_enable_x11_forwarding.xml ++++ b/shared/checks/oval/sshd_enable_x11_forwarding.xml +@@ -7,13 +7,19 @@ + + Enable X11Forwarding to encrypt X11 remote connections over SSH. + +- +- ++ ++ ++ ++ + +- ++ + + +diff --git a/shared/checks/oval/sshd_print_last_log.xml b/shared/checks/oval/sshd_print_last_log.xml +index 29367969d..83bc0df79 100644 +--- a/shared/checks/oval/sshd_print_last_log.xml ++++ b/shared/checks/oval/sshd_print_last_log.xml +@@ -8,13 +8,19 @@ + Enable PrintLastLog to display user's last login time + and date. + +- +- ++ ++ ++ ++ + +- ++ + + +diff --git a/shared/checks/oval/sshd_set_idle_timeout.xml b/shared/checks/oval/sshd_set_idle_timeout.xml +index a414790a0..180e87d83 100644 +--- a/shared/checks/oval/sshd_set_idle_timeout.xml ++++ b/shared/checks/oval/sshd_set_idle_timeout.xml +@@ -8,14 +8,20 @@ + The SSH idle timeout interval should be set to an + appropriate value. 
+ +- +- ++ +- +- +- ++ ++ ++ ++ ++ + + +diff --git a/shared/checks/oval/sshd_set_keepalive.xml b/shared/checks/oval/sshd_set_keepalive.xml +index 5640638ae..8774e1d25 100644 +--- a/shared/checks/oval/sshd_set_keepalive.xml ++++ b/shared/checks/oval/sshd_set_keepalive.xml +@@ -8,13 +8,19 @@ + The SSH ClientAliveCountMax should be set to an appropriate + value (and dependencies are met) + +- +- ++ ++ ++ ++ + +- ++ + + +diff --git a/shared/checks/oval/sshd_use_approved_ciphers.xml b/shared/checks/oval/sshd_use_approved_ciphers.xml +index 84088aa5c..5a4e3a1f9 100644 +--- a/shared/checks/oval/sshd_use_approved_ciphers.xml ++++ b/shared/checks/oval/sshd_use_approved_ciphers.xml +@@ -9,13 +9,19 @@ + + + +- +- +- +- ++ ++ ++ ++ ++ ++ ++ + + +diff --git a/shared/checks/oval/sshd_use_approved_macs.xml b/shared/checks/oval/sshd_use_approved_macs.xml +index d2f622af1..b403d0449 100644 +--- a/shared/checks/oval/sshd_use_approved_macs.xml ++++ b/shared/checks/oval/sshd_use_approved_macs.xml +@@ -9,13 +9,19 @@ + + + +- +- ++ ++ ++ ++ + +- ++ + + + +From 441881052627a5b14be015d74d36d271f9268908 Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Wed, 13 Dec 2017 18:22:29 +0100 +Subject: [PATCH 3/6] Remove backslashes from echo command + +Echo command output is literal, there is no need for backslashes +--- + .../rule_sshd_use_approved_ciphers/correct_scrambled.pass.sh | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/tests/data/group_services/group_ssh/group_ssh_server/rule_sshd_use_approved_ciphers/correct_scrambled.pass.sh b/tests/data/group_services/group_ssh/group_ssh_server/rule_sshd_use_approved_ciphers/correct_scrambled.pass.sh +index 227611543..7172539c7 100644 +--- a/tests/data/group_services/group_ssh/group_ssh_server/rule_sshd_use_approved_ciphers/correct_scrambled.pass.sh ++++ b/tests/data/group_services/group_ssh/group_ssh_server/rule_sshd_use_approved_ciphers/correct_scrambled.pass.sh +@@ -5,5 +5,5 @@ + if grep -q "^Ciphers" /etc/ssh/sshd_config; 
then
+ sed -i "s/^Ciphers.*/Ciphers aes128-ctr,aes192-ctr,aes192-cbc,aes256-cbc,aes256-ctr,aes128-cbc,3des-cbc,rijndael-cbc@lysator\.liu\.se/" /etc/ssh/sshd_config
+ else
+- echo "Ciphers aes128-ctr,aes192-ctr,aes192-cbc,aes256-cbc,aes256-ctr,aes128-cbc,3des-cbc,rijndael-cbc@lysator\.liu\.se" >> /etc/ssh/sshd_config
++ echo "Ciphers aes128-ctr,aes192-ctr,aes192-cbc,aes256-cbc,aes256-ctr,aes128-cbc,3des-cbc,rijndael-cbc@lysator.liu.se" >> /etc/ssh/sshd_config
+ fi
+
+From 995a5e64eb841c73849571395cc985f94607c4cb Mon Sep 17 00:00:00 2001
+From: Watson Sato
+Date: Mon, 18 Dec 2017 11:12:13 +0100
+Subject: [PATCH 4/6] Fix test scenarios for sshd_use_priv_separation
+
+As of PR #2162 the Rule checks for "sandbox"
+---
+ .../rule_sshd_use_priv_separation/correct_value.pass.sh | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/tests/data/group_services/group_ssh/group_ssh_server/rule_sshd_use_priv_separation/correct_value.pass.sh b/tests/data/group_services/group_ssh/group_ssh_server/rule_sshd_use_priv_separation/correct_value.pass.sh
+index d63caa85b..36e8c1bba 100644
+--- a/tests/data/group_services/group_ssh/group_ssh_server/rule_sshd_use_priv_separation/correct_value.pass.sh
++++ b/tests/data/group_services/group_ssh/group_ssh_server/rule_sshd_use_priv_separation/correct_value.pass.sh
+@@ -3,7 +3,7 @@
+ # profiles = xccdf_org.ssgproject.content_profile_ospp-rhel7
+
+ if grep -q "^UsePrivilegeSeparation" /etc/ssh/sshd_config; then
+- sed -i "s/^UsePrivilegeSeparation.*/UsePrivilegeSeparation yes/" /etc/ssh/sshd_config
++ sed -i "s/^UsePrivilegeSeparation.*/UsePrivilegeSeparation sandbox/" /etc/ssh/sshd_config
+ else
+- echo "UsePrivilegeSeparation yes" >> /etc/ssh/sshd_config
++ echo "UsePrivilegeSeparation sandbox" >> /etc/ssh/sshd_config
+ fi
+
+From 877f3620d7462e2af6727a9feff16d6a7f08a239 Mon Sep 17 00:00:00 2001
+From: Watson Sato
+Date: Mon, 18 Dec 2017 11:40:07 +0100
+Subject: [PATCH 5/6] Fix test scenarios for sshd_disable_kerb_auth
+
+As of Pr #2463, the definition checks for ausence of
+"KerberosAuthentication yes", as default setting is not enabled.
+---
+ .../group_ssh_server/rule_sshd_disable_kerb_auth/comment.fail.sh | 9 ---------
+ .../group_ssh_server/rule_sshd_disable_kerb_auth/comment.pass.sh | 9 +++++++++
+ .../{line_not_there.fail.sh => line_not_there.pass.sh} | 0
+ 3 files changed, 9 insertions(+), 9 deletions(-)
+ delete mode 100644 tests/data/group_services/group_ssh/group_ssh_server/rule_sshd_disable_kerb_auth/comment.fail.sh
+ create mode 100644 tests/data/group_services/group_ssh/group_ssh_server/rule_sshd_disable_kerb_auth/comment.pass.sh
+ rename tests/data/group_services/group_ssh/group_ssh_server/rule_sshd_disable_kerb_auth/{line_not_there.fail.sh => line_not_there.pass.sh} (100%)
+
+diff --git a/tests/data/group_services/group_ssh/group_ssh_server/rule_sshd_disable_kerb_auth/comment.fail.sh b/tests/data/group_services/group_ssh/group_ssh_server/rule_sshd_disable_kerb_auth/comment.fail.sh
+deleted file mode 100644
+index 3ae082173..000000000
+--- a/tests/data/group_services/group_ssh/group_ssh_server/rule_sshd_disable_kerb_auth/comment.fail.sh
++++ /dev/null
+@@ -1,9 +0,0 @@
+-#!/bin/bash
+-#
+-# profiles = xccdf_org.ssgproject.content_profile_ospp-rhel7
+-
+-if grep -q "^KerberosAuthentication" /etc/ssh/sshd_config; then
+- sed -i "s/^KerberosAuthentication.*/# KerberosAuthentication no/" /etc/ssh/sshd_config
+-else
+- echo "# KerberosAuthentication no" >> /etc/ssh/sshd_config
+-fi
+diff --git a/tests/data/group_services/group_ssh/group_ssh_server/rule_sshd_disable_kerb_auth/comment.pass.sh b/tests/data/group_services/group_ssh/group_ssh_server/rule_sshd_disable_kerb_auth/comment.pass.sh
+new file mode 100644
+index 000000000..c7d58fbc6
+--- /dev/null
++++ b/tests/data/group_services/group_ssh/group_ssh_server/rule_sshd_disable_kerb_auth/comment.pass.sh
+@@ -0,0 +1,9 @@
++#!/bin/bash
++#
++# profiles = xccdf_org.ssgproject.content_profile_ospp-rhel7
++
++if grep -q
"^KerberosAuthentication" /etc/ssh/sshd_config; then
++ sed -i "s/^KerberosAuthentication.*/# KerberosAuthentication yes/" /etc/ssh/sshd_config
++else
++ echo "# KerberosAuthentication yes" >> /etc/ssh/sshd_config
++fi
+diff --git a/tests/data/group_services/group_ssh/group_ssh_server/rule_sshd_disable_kerb_auth/line_not_there.fail.sh b/tests/data/group_services/group_ssh/group_ssh_server/rule_sshd_disable_kerb_auth/line_not_there.pass.sh
+similarity index 100%
+rename from tests/data/group_services/group_ssh/group_ssh_server/rule_sshd_disable_kerb_auth/line_not_there.fail.sh
+rename to tests/data/group_services/group_ssh/group_ssh_server/rule_sshd_disable_kerb_auth/line_not_there.pass.sh
+
+From 4ebe165ede448c8998251257998cc94ea5cf3786 Mon Sep 17 00:00:00 2001
+From: Watson Sato
+Date: Mon, 18 Dec 2017 11:52:39 +0100
+Subject: [PATCH 6/6] Fix test scenarios for sshd_enable_strictmodes
+
+As of Pr #2463, the definition checks fo ausence of "StrictModes no", as
+default value is enabled already.
+---
+ .../rule_sshd_enable_strictmodes/{comment.fail.sh => comment.pass.sh} | 4 ++--
+ .../{line_not_there.fail.sh => line_not_there.pass.sh} | 0
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+ rename tests/data/group_services/group_ssh/group_ssh_server/rule_sshd_enable_strictmodes/{comment.fail.sh => comment.pass.sh} (53%)
+ rename tests/data/group_services/group_ssh/group_ssh_server/rule_sshd_enable_strictmodes/{line_not_there.fail.sh => line_not_there.pass.sh} (100%)
+
+diff --git a/tests/data/group_services/group_ssh/group_ssh_server/rule_sshd_enable_strictmodes/comment.fail.sh b/tests/data/group_services/group_ssh/group_ssh_server/rule_sshd_enable_strictmodes/comment.pass.sh
+similarity index 53%
+rename from tests/data/group_services/group_ssh/group_ssh_server/rule_sshd_enable_strictmodes/comment.fail.sh
+rename to tests/data/group_services/group_ssh/group_ssh_server/rule_sshd_enable_strictmodes/comment.pass.sh
+index 3d3b90875..bac02cb4f 100644
+--- a/tests/data/group_services/group_ssh/group_ssh_server/rule_sshd_enable_strictmodes/comment.fail.sh
++++ b/tests/data/group_services/group_ssh/group_ssh_server/rule_sshd_enable_strictmodes/comment.pass.sh
+@@ -3,7 +3,7 @@
+ # profiles = xccdf_org.ssgproject.content_profile_ospp-rhel7
+
+ if grep -q "^StrictModes" /etc/ssh/sshd_config; then
+- sed -i "s/^StrictModes.*/# StrictModes yes/" /etc/ssh/sshd_config
++ sed -i "s/^StrictModes.*/# StrictModes no/" /etc/ssh/sshd_config
+ else
+- echo "# StrictModes yes" >> /etc/ssh/sshd_config
++ echo "# StrictModes no" >> /etc/ssh/sshd_config
+ fi
+diff --git a/tests/data/group_services/group_ssh/group_ssh_server/rule_sshd_enable_strictmodes/line_not_there.fail.sh b/tests/data/group_services/group_ssh/group_ssh_server/rule_sshd_enable_strictmodes/line_not_there.pass.sh
+similarity index 100%
+rename from tests/data/group_services/group_ssh/group_ssh_server/rule_sshd_enable_strictmodes/line_not_there.fail.sh
+rename to
tests/data/group_services/group_ssh/group_ssh_server/rule_sshd_enable_strictmodes/line_not_there.pass.sh
diff --git a/SOURCES/scap-security-guide-0.1.37-fix-title.patch b/SOURCES/scap-security-guide-0.1.37-fix-title.patch
new file mode 100644
index 0000000..7d41a1b
--- /dev/null
+++ b/SOURCES/scap-security-guide-0.1.37-fix-title.patch
@@ -0,0 +1,20 @@
+From a29a5b25a537298144d43a1deba5f8fe14fd1472 Mon Sep 17 00:00:00 2001
+From: Marek Haicman
+Date: Sat, 9 Dec 2017 00:21:10 +0100
+Subject: [PATCH] Fix title of DISA STIG profile in RHEL6 DS.
+
+---
+ rhel6/profiles/stig-rhel6-disa.xml | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/rhel6/profiles/stig-rhel6-disa.xml b/rhel6/profiles/stig-rhel6-disa.xml
+index eec5e92e5..9694d6591 100644
+--- a/rhel6/profiles/stig-rhel6-disa.xml
++++ b/rhel6/profiles/stig-rhel6-disa.xml
+@@ -1,5 +1,5 @@
+
+-DISA STIG for Red Hat Enterprise Linux 6
++DISA STIG for Red Hat Enterprise Linux 6
+
+ This profile contains configuration checks that align to the
+ DISA STIG for Red Hat Enterprise Linux 6.
diff --git a/SOURCES/scap-security-guide-0.1.37-fix-umask_for_daemons.patch b/SOURCES/scap-security-guide-0.1.37-fix-umask_for_daemons.patch
new file mode 100644
index 0000000..06a0fa1
--- /dev/null
+++ b/SOURCES/scap-security-guide-0.1.37-fix-umask_for_daemons.patch
@@ -0,0 +1,39 @@
+From 810c6774166d8b591300322e269acd6a1d3554ef Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?=
+Date: Tue, 5 Dec 2017 16:15:46 +0100
+Subject: [PATCH] RHBZ #1520493: Fix umask_for_daemons
+
+OpenSCAP evaluated this rule as "error" because it tried to evauluate
+the variable 'var_umask_for_daemons_umask_as_number', which was defined
+as external, but in fact is created in other definition. OpenSCAP
+could not find its value. The fix is very similar to PR #1945.
+---
+ shared/checks/oval/umask_for_daemons.xml | 8 ++------
+ 1 file changed, 2 insertions(+), 6 deletions(-)
+
+diff --git a/shared/checks/oval/umask_for_daemons.xml b/shared/checks/oval/umask_for_daemons.xml
+index 7f54e4957..a8ce76275 100644
+--- a/shared/checks/oval/umask_for_daemons.xml
++++ b/shared/checks/oval/umask_for_daemons.xml
+@@ -61,12 +61,6 @@ + + + +- +- +- + +
+@@ -77,6 +71,8 @@ + var_etc_init_d_functions_umask_as_number + + ++ + + +
diff --git a/SOURCES/scap-security-guide-0.1.38-fix-reference-to-pam-config-manual.patch b/SOURCES/scap-security-guide-0.1.38-fix-reference-to-pam-config-manual.patch
new file mode 100644
index 0000000..9e484b4
--- /dev/null
+++ b/SOURCES/scap-security-guide-0.1.38-fix-reference-to-pam-config-manual.patch
@@ -0,0 +1,22 @@
+From b0b3bf1153e72f178400ef91b722d7fcdab94277 Mon Sep 17 00:00:00 2001
+From: Marek Haicman
+Date: Fri, 5 Jan 2018 22:54:11 +0100
+Subject: [PATCH] Fixing reference to outdated PAM configuration manual
+
+---
+ shared/xccdf/system/accounts/pam.xml | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/shared/xccdf/system/accounts/pam.xml b/shared/xccdf/system/accounts/pam.xml
+index 5ba904da1..572a1216c 100644
+--- a/shared/xccdf/system/accounts/pam.xml
++++ b/shared/xccdf/system/accounts/pam.xml
+@@ -39,7 +39,7 @@ most users.
+ files, destroying any manually made changes and replacing them with
+ a series of system defaults. One reference to the configuration
+ file syntax can be found at
+-
++
+ .
+ + = 1.2.5, python-lxml, cmake >= 2.8
@@ -50,43 +52,53 @@ been generated from XCCDF benchmarks present in %{name} package.
 %setup -q -n %{name}-%{version}
 # Update manual page to drop the part dedicated to Fedora content
 %patch1 -p1 -b .man_page_update
-%patch2 -p1 -b .guide_role_dir_fix
-%patch3 -p1 -b .ospp_rhel7_table_fix
-# Patches 4 and 5 fixes rhbz#1450731
-%patch4 -p1 -b .anaconda_template_add_remove_package_fix
-%patch5 -p1 -b .anaconda_template_partition_mountoptions_fix
-# Fix for rhbz#1449211
-%patch6 -p1 -b .profile_nist_800_171_cui_malformed_title_fix
-%patch7 -p1 -b .anaconda-smart-card-auth
-# Fix for rhbz#1478414, patch adapted from https://github.com/OpenSCAP/scap-security-guide/pull/2328
-%patch8 -p1 -b .drop_set_firewalld_default_zone_remediation
+%patch2 -p1 -b .add_disa_stig_rule_id
+# patch2 introduces a script that build system needs to execute
+chmod u+x shared/utils/add_stig_references.py
+mkdir build
+# Fixes https://bugzilla.redhat.com/show_bug.cgi?id=1523809
+# Taken from https://github.com/OpenSCAP/scap-security-guide/pull/2479
+%patch3 -p1 -b .libexec_ownership
+# Fixes https://bugzilla.redhat.com/show_bug.cgi?id=1521081
+# Taken from https://github.com/OpenSCAP/scap-security-guide/pull/2481
+%patch4 -p1 -b .title
+# Fixes https://bugzilla.redhat.com/show_bug.cgi?id=1523827
+# Taken from https://github.com/OpenSCAP/scap-security-guide/pull/2480
+%patch5 -p1 -b .RhostsRSAAuthentication
+# Fixes https://bugzilla.redhat.com/show_bug.cgi?id=1520493
+# Taken from https://github.com/OpenSCAP/scap-security-guide/pull/2476
+%patch6 -p1 -b .umask_for_daemons
+%patch7 -p1 -b .sshd_required_unset
+%patch8 -p1 -b .bash_remediation_include
+%patch9 -p1 -b .srg_table_column_empty
+%patch10 -p1 -b .reference_pam_config
 %build
+cd build
 %cmake -D CMAKE_INSTALL_DOCDIR=%{_pkgdocdir} \
 -DSSG_PRODUCT_CHROMIUM:BOOL=OFF \
 -DSSG_PRODUCT_DEBIAN8:BOOL=OFF \
 -DSSG_PRODUCT_FEDORA:BOOL=OFF \
--DSSG_PRODUCT_JBOSS_EAP5:BOOL=OFF \
+-DSSG_PRODUCT_JBOSS_EAP6:BOOL=OFF \
 -DSSG_PRODUCT_JBOSS_FUSE6:BOOL=OFF \
+-DSSG_PRODUCT_OCP3:BOOL=OFF \
 -DSSG_PRODUCT_OPENSUSE:BOOL=OFF \
 -DSSG_PRODUCT_OSP7:BOOL=OFF \
--DSSG_PRODUCT_RHEL5:BOOL=OFF \
 -DSSG_PRODUCT_RHEV3:BOOL=OFF \
 -DSSG_PRODUCT_SUSE11:BOOL=OFF \
 -DSSG_PRODUCT_SUSE12:BOOL=OFF \
--DSSG_PRODUCT_UBUNTU1404:BOOL=OFF \
--DSSG_PRODUCT_UBUNTU1604:BOOL=OFF \
+-DSSG_PRODUCT_UBUNTU14:BOOL=OFF \
+-DSSG_PRODUCT_UBUNTU16:BOOL=OFF \
 -DSSG_PRODUCT_WRLINUX:BOOL=OFF \
 -DSSG_PRODUCT_WEBMIN:BOOL=OFF \
--DSSG_CENTOS_DERIVATIVES_ENABLED:BOOL=ON \
--DSSG_SCIENTIFIC_LINUX_DERIVATIVES_ENABLED:BOOL=OFF .
+-DSSG_CENTOS_DERIVATIVES_ENABLED:BOOL=OFF \
+-DSSG_SCIENTIFIC_LINUX_DERIVATIVES_ENABLED:BOOL=OFF ../
 make %{?_smp_mflags}
 %install
+cd build
 %make_install
-sed 's/Red Hat Enterprise Linux/CentOS Linux/g' -i ssg-centos*.xml
-
 %files
 %defattr(-,root,root,-)
 %{_datadir}/xml/scap
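Review bot: The new `%patch7` through `%patch10` lines in `%prep` carry no provenance comment, while `%patch3`–`%patch6` directly above each get a `# Fixes <bugzilla URL>` / `# Taken from <upstream PR URL>` pair; the changelog hunk further down appears to tie those four to RHBZ#1522956, RHBZ#1524738, RHBZ#1531105 and RHBZ#1447760. For a downstream-carried patch set, the bug and upstream pull-request links are what a later reviewer uses to confirm that each patch is the accepted upstream change rather than a local divergence, so the same comment pair should precede each of them, e.g. `# Fixes https://bugzilla.redhat.com/show_bug.cgi?id=1522956` above `%patch7 -p1 -b .sshd_required_unset`, with the upstream pull-request URL added once known. Separately, `# patch2 introduces a script that build system needs to execute` reads better as `# patch2 introduces a script that the build system needs to execute`.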
@@ -95,17 +107,62 @@ sed 's/Red Hat Enterprise Linux/CentOS Linux/g' -i ssg-centos*.xml %doc LICENSE %doc Contributors.md %doc README.md -%doc RHEL/6/input/auxiliary/DISCLAIMER +%doc DISCLAIMER +# All files installed by cmake are automatically include in main package +# We exclude the guides to here add them in doc package +%exclude %{_pkgdocdir}/guides/ %files doc %defattr(-,root,root,-) -%doc roles/ssg-*-role*.yml -%doc roles/ssg-*-role*.sh -%doc guides/ssg-*-guide-*.html +%doc build/guides/ssg-*-guide-*.html %changelog -* Thu Oct 19 2017 Johnny Hughes 0.1.33-6 -- Manual CentOS debranding +* Mon Jan 08 2018 Watson Yuuma Sato - 0.1.36-7 +- Fix sshd_required unset (RHBZ#1522956) +- Fix missing bash remediation functions include (RHBZ#1524738) +- Fix empty columns in SRG HTML Table (RHBZ#1531105) +- Fix reference to oudated PAM config manual (RHBZ#1447760) + +* Tue Dec 12 2017 Watson Yuuma Sato - 0.1.36-6 +- Rebuild with OpenSCAP 1.2.16 + +* Mon Dec 11 2017 Matěj Týč - 0.1.36-5 +- Patched not to check library ownership in libexec. +- Patched to fix title of DISA STIG profile. +- Patched to deprecate RhostsRSAAuthentication. +- Patched to fix umask_for_daemons. 
+ +* Thu Nov 16 2017 Watson Yuuma Sato - 0.1.36-4 +- Rebuild with OpenSCAP 1.2.16 + +* Tue Nov 14 2017 Watson Yuuma Sato - 0.1.36-3 +- Add DISA STIG Rule IDs to XCCDF Rules with STIGID + +* Fri Nov 03 2017 Watson Yuuma Sato - 0.1.36-2 +- Fix configuration to not build new products introduced in upstream + +* Fri Nov 03 2017 Watson Yuuma Sato - 0.1.36-1 +- Update to upstream release 0.1.36 +- Introduction of SCAP Security Guide Test Suite +- Better alignment of RHEL6 and RHEL7 with DISA STIG +- Remove JBoss EAP5 content due to being End-of-Life +- New STIG Profile for JBOSS EAP 6 +- Updates in C2S Profile for RHEL 7 +- Variables can be directly tailored in Ansible roles +- Content presents less false positives in containers +- Changes in directory layout + +* Wed Sep 20 2017 Watson Yuuma Sato - 0.1.35-2 +- Do not build content for JBOSS EAP6 + +* Wed Sep 20 2017 Watson Yuuma Sato - 0.1.35-1 +- Update to upstream release 0.1.35 +- Remove Red Hat Enterprise Linux 5 content due to being End-of-Life March 31, 2017 +- Added several templates for OVAL checks +- Many optimizations in build process +- Different title for PCI-DSS Benchmark variants +- Remediation roles moved to /usr/share/scap-security +- Fix duplicated roles and guides (RHBZ#1465691) * Tue Sep 19 2017 Watson Sato 0.1.33-6 - Dropped remediation that makes system not accessible by SSH (RHBZ#1478414)