From 32caed89b5cf14f86e5d842569c4f73cdae6ed26 Mon Sep 17 00:00:00 2001 From: Shawn Wells Date: Wed, 3 Apr 2019 16:49:38 -0400 Subject: [PATCH 01/11] create PAM package CPE --- .../oval/installed_env_has_pam_package.xml | 25 +++++++++++++++++++ 1 file changed, 25 insertions(+) create mode 100644 shared/checks/oval/installed_env_has_pam_package.xml diff --git a/shared/checks/oval/installed_env_has_pam_package.xml b/shared/checks/oval/installed_env_has_pam_package.xml new file mode 100644 index 0000000000..b6376575b2 --- /dev/null +++ b/shared/checks/oval/installed_env_has_pam_package.xml @@ -0,0 +1,25 @@ + + + + + Package pam is installed + + multi_platform_all + + Checks if package pam is installed. + + + + + + + + + + + + pam + + + From 213a472a89b3b591a4fd441bcf0f0f3ba633afe3 Mon Sep 17 00:00:00 2001 From: Shawn Wells Date: Wed, 3 Apr 2019 16:49:53 -0400 Subject: [PATCH 02/11] add PAM CPE to constants --- ssg/constants.py | 1 + 1 file changed, 1 insertion(+) diff --git a/ssg/constants.py b/ssg/constants.py index f96fd51790..e87eb7f43c 100644 --- a/ssg/constants.py +++ b/ssg/constants.py @@ -376,6 +376,7 @@ XCCDF_PLATFORM_TO_CPE = { "machine": "cpe:/a:machine", "container": "cpe:/a:container", + "pam": "cpe:/a:pam", "shadow-utils": "cpe:/a:shadow-utils", } From 6afde50cf7a4a75829ed092c8e30116df7a99601 Mon Sep 17 00:00:00 2001 From: Watson Sato Date: Mon, 8 Apr 2019 15:43:04 +0200 Subject: [PATCH 03/11] Update rules for PAM CPE check --- .../accounts_password_pam_dcredit.rule | 2 ++ .../accounts_password_pam_difok.rule | 2 ++ .../accounts_password_pam_maxclassrepeat.rule | 2 ++ .../accounts_password_pam_minclass.rule | 2 ++ .../accounts_password_pam_minlen.rule | 2 ++ .../accounts_max_concurrent_login_sessions.rule | 2 ++ 6 files changed, 12 insertions(+) 
diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_dcredit.rule b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_dcredit.rule index 72fc5970ea..fe997d97c8 100644 --- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_dcredit.rule +++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_dcredit.rule @@ -52,3 +52,5 @@ ocil: |-
$ grep dcredit /etc/security/pwquality.conf
The dcredit parameter (as a negative number) will indicate how many digits are required. The DoD requires at least one digit in a password. This would appear as dcredit = -1. + +platform: pam diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_difok.rule b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_difok.rule index 931f0aa9e4..d1855a2cf4 100644 --- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_difok.rule +++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_difok.rule @@ -53,3 +53,5 @@ ocil: |- To check how many characters must differ during a password change, run the following command:
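Review bot: The `platform: pam` line appended to accounts_password_pam_dcredit.rule gates a check of /etc/security/pwquality.conf on the pam package, but as far as I can tell that file is shipped by libpwquality (pam_pwquality.so) rather than by pam itself — please confirm against the package owning the file. A host with pam installed but libpwquality absent would still be evaluated and fail (or be remediated by creating a file nothing reads), whereas a dedicated libpwquality CPE would make the rule not-applicable there. The same applies to the difok, maxclassrepeat, minclass and minlen hunks in this commit and to the lcredit, ocredit, retry and ucredit hunks in PATCH 06/11. The ocil block scalar this line follows starts outside the hunk.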
$ grep difok /etc/security/pwquality.conf
The difok parameter will indicate how many characters must differ. + +platform: pam diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_maxclassrepeat.rule b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_maxclassrepeat.rule index 35de1318d5..d964a5e3ea 100644 --- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_maxclassrepeat.rule +++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_maxclassrepeat.rule @@ -43,3 +43,5 @@ ocil: |- To check the value for maximum consecutive repeating characters, run the following command:
$ grep maxclassrepeat /etc/security/pwquality.conf
For DoD systems, the output should show maxclassrepeat=4. + +platform: pam diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_minclass.rule b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_minclass.rule index 7f99aba143..dc3377de0b 100644 --- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_minclass.rule +++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_minclass.rule @@ -60,3 +60,5 @@ ocil: |- The minclass parameter will indicate how many character classes must be used. If the requirement was for the password to contain characters from three different categories, then this would appear as minclass = 3. + +platform: pam diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_minlen.rule b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_minlen.rule index d6462579fe..0799aecf01 100644 --- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_minlen.rule +++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_minlen.rule @@ -49,3 +49,5 @@ ocil: |- To check how many characters are required in a password, run the following command:
$ grep minlen /etc/security/pwquality.conf
Your output should contain minlen = + +platform: pam diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_max_concurrent_login_sessions.rule b/linux_os/guide/system/accounts/accounts-session/accounts_max_concurrent_login_sessions.rule index bd53c19c08..f9d9a08706 100644 --- a/linux_os/guide/system/accounts/accounts-session/accounts_max_concurrent_login_sessions.rule +++ b/linux_os/guide/system/accounts/accounts-session/accounts_max_concurrent_login_sessions.rule @@ -45,3 +45,5 @@ ocil_clause: 'maxlogins is not equal to or less than the expected value' ocil: "Run the following command to ensure the maxlogins value is configured for all users\non the system:\n
# grep \"maxlogins\" /etc/security/limits.conf
\nYou should receive output similar to the following:\n
*\t\thard\tmaxlogins\t
" + +platform: pam From 351ee6945df37a28cc4f4589b17eb4c35066b00b Mon Sep 17 00:00:00 2001 From: Shawn Wells Date: Wed, 3 Apr 2019 17:17:40 -0400 Subject: [PATCH 04/11] add libuser CPE --- .../installed_env_has_libuser_package.xml | 24 +++++++++++++++++++ 1 file changed, 24 insertions(+) create mode 100644 shared/checks/oval/installed_env_has_libuser_package.xml diff --git a/shared/checks/oval/installed_env_has_libuser_package.xml b/shared/checks/oval/installed_env_has_libuser_package.xml new file mode 100644 index 0000000000..ee79b19f8a --- /dev/null +++ b/shared/checks/oval/installed_env_has_libuser_package.xml @@ -0,0 +1,24 @@ + + + + Package libuser is installed + + multi_platform_all + + Checks if package libuser is installed. + + + + + + + + + + + + libuser + + + From e0b2db79f718b2f64ec25c39f01b53d4e9a80b00 Mon Sep 17 00:00:00 2001 From: Shawn Wells Date: Wed, 3 Apr 2019 17:17:50 -0400 Subject: [PATCH 05/11] add systemd CPE --- .../installed_env_has_systemd_package.xml | 24 +++++++++++++++++++ 1 file changed, 24 insertions(+) create mode 100644 shared/checks/oval/installed_env_has_systemd_package.xml diff --git a/shared/checks/oval/installed_env_has_systemd_package.xml b/shared/checks/oval/installed_env_has_systemd_package.xml new file mode 100644 index 0000000000..99706ee1c6 --- /dev/null +++ b/shared/checks/oval/installed_env_has_systemd_package.xml @@ -0,0 +1,24 @@ + + + + Package systemd is installed + + multi_platform_all + + Checks if package systemd is installed. + + + + + + + + + + + + systemd + + + From 2ec6e5654ef63232c973d91cdee6f8eb9156eb9b Mon Sep 17 00:00:00 2001 
From: Watson Sato Date: Mon, 8 Apr 2019 15:45:01 +0200 Subject: [PATCH 06/11] Update rules with package CPEs --- .../accounts/accounts-pam/display_login_attempts.rule | 2 ++ .../accounts_password_pam_unix_remember.rule | 2 ++ .../accounts_passwords_pam_faillock_deny.rule | 2 ++ .../accounts_passwords_pam_faillock_deny_root.rule | 2 ++ .../accounts_passwords_pam_faillock_interval.rule | 2 ++ .../accounts_passwords_pam_faillock_unlock_time.rule | 2 ++ .../accounts_password_pam_lcredit.rule | 2 ++ .../accounts_password_pam_ocredit.rule | 2 ++ .../accounts_password_pam_retry.rule | 2 ++ .../accounts_password_pam_ucredit.rule | 2 ++ .../set_password_hashing_algorithm_libuserconf.rule | 2 ++ .../set_password_hashing_algorithm_logindefs.rule | 2 ++ .../set_password_hashing_algorithm_systemauth.rule | 2 ++ .../accounts-physical/disable_ctrlaltdel_burstaction.rule | 2 ++ .../user_umask/accounts_umask_etc_login_defs.rule | 2 ++ ssg/constants.py | 2 ++ 16 files changed, 32 insertions(+) diff --git a/linux_os/guide/system/accounts/accounts-pam/display_login_attempts.rule b/linux_os/guide/system/accounts/accounts-pam/display_login_attempts.rule index 5c2287a4d3..baeece4b59 100644 --- a/linux_os/guide/system/accounts/accounts-pam/display_login_attempts.rule +++ b/linux_os/guide/system/accounts/accounts-pam/display_login_attempts.rule @@ -47,3 +47,5 @@ ocil: |- the following command:
$ grep pam_lastlog.so /etc/pam.d/postlogin
The output should show output showfailed. + +platform: pam diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember.rule b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember.rule index dcde239e85..a63e0e6d1d 100644 --- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember.rule +++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember.rule @@ -56,3 +56,5 @@ ocil: |-
$ grep remember /etc/pam.d/system-auth
The output should show the following at the end of the line:
remember=
+ +platform: pam diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny.rule b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny.rule index c8147e7c17..e10b0a1b67 100644 --- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny.rule +++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny.rule @@ -56,3 +56,5 @@ ocil: |- To ensure the failed password attempt policy is configured correctly, run the following command:
$ grep pam_faillock /etc/pam.d/system-auth
The output should show deny=. + +platform: pam diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny_root.rule b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny_root.rule index b5283b052e..b4c4df7186 100644 --- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny_root.rule +++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny_root.rule @@ -50,3 +50,5 @@ ocil: |- attempts, run the following command:
$ grep even_deny_root /etc/pam.d/system-auth
The output should show even_deny_root. + +platform: pam diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval.rule b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval.rule index 485fb7970d..ac21fe4c81 100644 --- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval.rule +++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval.rule @@ -65,3 +65,5 @@ ocil_clause: 'fail_interval is less than the required value' ocil: "To ensure the failed password attempt policy is configured correctly, run the following command:\n
$ grep pam_faillock /etc/pam.d/system-auth /etc/pam.d/password-auth
\nFor each file, the output should show fail_interval=<interval-in-seconds> where interval-in-seconds is \n or greater. \nIf the fail_interval parameter is not set, the default setting of 900 seconds is acceptable." + +platform: pam diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time.rule b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time.rule index 9abd02feea..f4bfaec622 100644 --- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time.rule +++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time.rule @@ -59,3 +59,5 @@ ocil: |- To ensure the failed password attempt policy is configured correctly, run the following command:
$ grep pam_faillock /etc/pam.d/system-auth
The output should show unlock_time=<some-large-number> or never. + +platform: pam diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_lcredit.rule b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_lcredit.rule index ba0be4ebeb..21d86585ed 100644 --- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_lcredit.rule +++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_lcredit.rule @@ -51,3 +51,5 @@ ocil: |-
$ grep lcredit /etc/security/pwquality.conf
The lcredit parameter (as a negative number) will indicate how many special characters are required. The DoD and FISMA require at least one lowercase character in a password. This would appear as lcredit = -1. + +platform: pam diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_ocredit.rule b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_ocredit.rule index c39cc2a09b..d7f7083d27 100644 --- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_ocredit.rule +++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_ocredit.rule @@ -53,3 +53,5 @@ ocil: |- The ocredit parameter (as a negative number) will indicate how many special characters are required. The DoD and FISMA require at least one special character in a password. This would appear as ocredit = -1. + +platform: pam diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry.rule b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry.rule index c0f8ed8d6d..fea35e37a3 100644 --- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry.rule +++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry.rule @@ -46,3 +46,5 @@ ocil: |- The retry parameter will indicate how many attempts are permitted. The DoD required value is less than or equal to 3. This would appear as retry=3, or a lower value. + +platform: pam 
diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_ucredit.rule b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_ucredit.rule index 2222ac2297..a4ecdf969d 100644 --- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_ucredit.rule +++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_ucredit.rule @@ -50,3 +50,5 @@ ocil: |- The ucredit parameter (as a negative number) will indicate how many uppercase characters are required. The DoD and FISMA require at least one uppercase character in a password. This would appear as ucredit = -1. + +platform: pam diff --git a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_libuserconf.rule b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_libuserconf.rule index 0f6cf57e57..397bad4ea6 100644 --- a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_libuserconf.rule +++ b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_libuserconf.rule @@ -55,3 +55,5 @@ ocil: |- Inspect /etc/libuser.conf and ensure the following line appears in the [default] section:
crypt_style = sha512
+ +platform: libuser diff --git a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_logindefs.rule b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_logindefs.rule index a23a7863c9..84212c7648 100644 --- a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_logindefs.rule +++ b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_logindefs.rule @@ -47,3 +47,5 @@ ocil_clause: 'it does not' ocil: |- Inspect /etc/login.defs and ensure the following line appears:
ENCRYPT_METHOD SHA512
+ +platform: shadow-utils diff --git a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth.rule b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth.rule index 070e65fc3a..48e8ac427d 100644 --- a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth.rule +++ b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth.rule @@ -65,3 +65,5 @@ ocil: |- ensure that the pam_unix.so module includes the argument sha512:
$ grep sha512 /etc/pam.d/system-auth
+ +platform: pam diff --git a/linux_os/guide/system/accounts/accounts-physical/disable_ctrlaltdel_burstaction.rule b/linux_os/guide/system/accounts/accounts-physical/disable_ctrlaltdel_burstaction.rule index e215a41a91..d68bf2be38 100644 --- a/linux_os/guide/system/accounts/accounts-physical/disable_ctrlaltdel_burstaction.rule +++ b/linux_os/guide/system/accounts/accounts-physical/disable_ctrlaltdel_burstaction.rule @@ -53,3 +53,5 @@ warnings: key sequence if running in runlevel 6 (e.g. in GNOME, KDE, etc.)! The Ctrl-Alt-Del key sequence will only be disabled if running in the non-graphical runlevel 3. + +platform: systemd diff --git a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_login_defs.rule b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_login_defs.rule index e9e327352b..a087ca8f6a 100644 --- a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_login_defs.rule +++ b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_login_defs.rule @@ -41,3 +41,5 @@ ocil: |- All output must show the value of umask set as shown in the below:
# grep -i "UMASK" /etc/login.defs
     umask 
+ +platform: shadow-utils diff --git a/ssg/constants.py b/ssg/constants.py index e87eb7f43c..8b3a792f10 100644 --- a/ssg/constants.py +++ b/ssg/constants.py @@ -376,8 +376,10 @@ XCCDF_PLATFORM_TO_CPE = { "machine": "cpe:/a:machine", "container": "cpe:/a:container", + "libuser": "cpe:/a:libuser", "pam": "cpe:/a:pam", "shadow-utils": "cpe:/a:shadow-utils", + "systemd": "cpe:/a:systemd", } # Application constants From e884c6f090bf4a7963721b4948f18b05193cc0bb Mon Sep 17 00:00:00 2001 From: Shawn Wells Date: Wed, 3 Apr 2019 17:45:31 -0400 Subject: [PATCH 07/11] Update LDAP check to evaluate for nss-pam-ldapd CPE --- .../ldap_client_start_tls.rule | 2 ++ ...nstalled_env_has_nss-pam-ldapd_package.xml | 24 +++++++++++++++++++ ssg/constants.py | 1 + 3 files changed, 27 insertions(+) create mode 100644 shared/checks/oval/installed_env_has_nss-pam-ldapd_package.xml diff --git a/linux_os/guide/services/ldap/openldap_client/ldap_client_start_tls.rule b/linux_os/guide/services/ldap/openldap_client/ldap_client_start_tls.rule index c4839d7de5..22a9fd60d9 100644 --- a/linux_os/guide/services/ldap/openldap_client/ldap_client_start_tls.rule +++ b/linux_os/guide/services/ldap/openldap_client/ldap_client_start_tls.rule @@ -48,3 +48,5 @@ ocil: |-
$ grep start_tls /etc/pam_ldap.conf
The result should contain:
ssl start_tls
+ +platform: nss-pam-ldapd diff --git a/shared/checks/oval/installed_env_has_nss-pam-ldapd_package.xml b/shared/checks/oval/installed_env_has_nss-pam-ldapd_package.xml new file mode 100644 index 0000000000..0637e4a64e --- /dev/null +++ b/shared/checks/oval/installed_env_has_nss-pam-ldapd_package.xml @@ -0,0 +1,24 @@ + + + + Package nss-pam-ldapd is installed + + multi_platform_all + + Checks if package nss-pam-ldapd is installed. + + + + + + + + + + + + nss-pam-ldapd + + + diff --git a/ssg/constants.py b/ssg/constants.py index 8b3a792f10..8d7a4cc290 100644 --- a/ssg/constants.py +++ b/ssg/constants.py @@ -377,6 +377,7 @@ "machine": "cpe:/a:machine", "container": "cpe:/a:container", "libuser": "cpe:/a:libuser", + "nss-pam-ldapd": "cpe:/a:nss-pam-ldapd", "pam": "cpe:/a:pam", "shadow-utils": "cpe:/a:shadow-utils", "systemd": "cpe:/a:systemd", From 7cbbe94a051f3978592edb207b5fb178fd6d0e2f Mon Sep 17 00:00:00 2001 From: Watson Sato Date: Mon, 8 Apr 2019 15:55:08 +0200 Subject: [PATCH 08/11] Update FIPS checks to evaluate if in machine environment --- .../integrity/fips/grub_legacy_enable_fips_mode.rule | 2 ++ .../integrity/fips/package_dracut-fips_installed.rule | 2 ++ 3 files changed, 6 insertions(+) diff --git a/linux_os/guide/system/software/integrity/fips/grub_legacy_enable_fips_mode.rule b/linux_os/guide/system/software/integrity/fips/grub_legacy_enable_fips_mode.rule index f112bddacd..6761b8736d 100644 --- a/linux_os/guide/system/software/integrity/fips/grub_legacy_enable_fips_mode.rule +++ b/linux_os/guide/system/software/integrity/fips/grub_legacy_enable_fips_mode.rule @@ -50,3 +50,5 @@ warnings:
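Review bot: The `platform: nss-pam-ldapd` added to ldap_client_start_tls.rule ties the rule to that package while the OCIL text greps /etc/pam_ldap.conf; I am not certain that file is owned by nss-pam-ldapd rather than by a separate pam_ldap package, so please verify the file's owner on each target product before relying on this gate. If it is not, the platform check passes on systems where the file never exists and the rule fails for the wrong reason. The ocil block this line follows starts outside the hunk.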

See {{{ weblink(link="http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/1401vend.htm") }}} for a list of FIPS certified vendors. + +platform: machine diff --git a/linux_os/guide/system/software/integrity/fips/package_dracut-fips_installed.rule b/linux_os/guide/system/software/integrity/fips/package_dracut-fips_installed.rule index c1f6e515e6..055ec8f774 100644 --- a/linux_os/guide/system/software/integrity/fips/package_dracut-fips_installed.rule +++ b/linux_os/guide/system/software/integrity/fips/package_dracut-fips_installed.rule @@ -37,3 +37,5 @@ references: ocil_clause: 'the package is not installed' ocil: '{{{ ocil_package(package="dracut-fips") }}}' + +platform: machine From 86704595eb3500a8ef15f5fc0c1412d000c201d1 Mon Sep 17 00:00:00 2001 From: Watson Sato Date: Mon, 8 Apr 2019 16:15:45 +0200 Subject: [PATCH 09/11] Update CPE package check to handle deb packages --- .../oval/installed_env_has_libuser_package.xml | 15 ++++++++++++++- .../installed_env_has_nss-pam-ldapd_package.xml | 15 ++++++++++++++- .../checks/oval/installed_env_has_pam_package.xml | 15 ++++++++++++++- .../installed_env_has_shadow-utils_package.xml | 15 ++++++++++++++- .../oval/installed_env_has_systemd_package.xml | 15 ++++++++++++++- 5 files changed, 70 insertions(+), 5 deletions(-) diff --git a/shared/checks/oval/installed_env_has_libuser_package.xml b/shared/checks/oval/installed_env_has_libuser_package.xml index ee79b19f8a..b848337b0e 100644 --- a/shared/checks/oval/installed_env_has_libuser_package.xml +++ b/shared/checks/oval/installed_env_has_libuser_package.xml @@ -14,11 +14,24 @@ - +{{% if pkg_system == "rpm" %}} + libuser +{{% elif pkg_system == "dpkg" %}} + + + + + libuser + +{{% endif %}} diff --git a/shared/checks/oval/installed_env_has_nss-pam-ldapd_package.xml b/shared/checks/oval/installed_env_has_nss-pam-ldapd_package.xml index 0637e4a64e..748f68f60f 100644 --- a/shared/checks/oval/installed_env_has_nss-pam-ldapd_package.xml 
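Review bot: The new `{{% if pkg_system == "rpm" %}} … {{% elif pkg_system == "dpkg" %}} … {{% endif %}}` block in installed_env_has_libuser_package.xml emits no object at all when pkg_system is neither value, so the test that references it would be left dangling in the generated OVAL instead of failing loudly at build time; an `{{% else %}}` branch that raises a template error, or a comment stating that only rpm and dpkg are supported, would make that explicit. The dpkg branch also reuses the Red Hat package name verbatim, and the same pattern in the pam and shadow-utils hunks of this commit will likely never match on Debian-family systems, where PAM and shadow are packaged under other names (e.g. libpam-runtime, passwd) — worth confirming before the CPE is trusted to mean "installed". The nss-pam-ldapd and systemd hunks share the missing-else point. The element markup is not visible in this rendering, so the object and state ids could not be checked.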
+++ b/shared/checks/oval/installed_env_has_nss-pam-ldapd_package.xml @@ -14,11 +14,24 @@ - +{{% if pkg_system == "rpm" %}} + nss-pam-ldapd +{{% elif pkg_system == "dpkg" %}} + + + + + nss-pam-ldapd + +{{% endif %}} diff --git a/shared/checks/oval/installed_env_has_pam_package.xml b/shared/checks/oval/installed_env_has_pam_package.xml index b6376575b2..dee3bcd26f 100644 --- a/shared/checks/oval/installed_env_has_pam_package.xml +++ b/shared/checks/oval/installed_env_has_pam_package.xml @@ -15,11 +15,24 @@ - +{{% if pkg_system == "rpm" %}} + pam +{{% elif pkg_system == "dpkg" %}} + + + + + pam + +{{% endif %}} diff --git a/shared/checks/oval/installed_env_has_shadow-utils_package.xml b/shared/checks/oval/installed_env_has_shadow-utils_package.xml index 12dd5bd565..11f40a324f 100644 --- a/shared/checks/oval/installed_env_has_shadow-utils_package.xml +++ b/shared/checks/oval/installed_env_has_shadow-utils_package.xml @@ -14,11 +14,24 @@ - +{{% if pkg_system == "rpm" %}} + shadow-utils +{{% elif pkg_system == "dpkg" %}} + + + + + shadow-utils + +{{% endif %}} diff --git a/shared/checks/oval/installed_env_has_systemd_package.xml b/shared/checks/oval/installed_env_has_systemd_package.xml index 99706ee1c6..2dfdff10cc 100644 --- a/shared/checks/oval/installed_env_has_systemd_package.xml +++ b/shared/checks/oval/installed_env_has_systemd_package.xml @@ -14,11 +14,24 @@ - +{{% if pkg_system == "rpm" %}} + systemd +{{% elif pkg_system == "dpkg" %}} + + + + + systemd + +{{% endif %}} From d8dfd5c10412bc3ecd180325c4a1cc997e6e2b8f Mon Sep 17 00:00:00 2001 
From: Watson Sato Date: Mon, 8 Apr 2019 16:25:27 +0200 Subject: [PATCH 10/11] Add yum CPE and update rules plaforms --- .../clean_components_post_updating.rule | 2 + ....rule | 2 + .../ensure_gpgcheck_local_packages.rule | 2 + .../ensure_gpgcheck_repo_metadata.rule | 2 + .../oval/installed_env_has_yum_package.xml | 37 +++++++++++++++++++ ssg/constants.py | 1 + 6 files changed, 46 insertions(+) create mode 100644 shared/checks/oval/installed_env_has_yum_package.xml diff --git a/linux_os/guide/system/software/updating/clean_components_post_updating.rule b/linux_os/guide/system/software/updating/clean_components_post_updating.rule index d5f0756c2a..9bbcadea11 100644 --- a/linux_os/guide/system/software/updating/clean_components_post_updating.rule +++ b/linux_os/guide/system/software/updating/clean_components_post_updating.rule @@ -40,3 +40,5 @@ ocil: |-
$ grep clean_requirements_on_remove /etc/yum.conf
The output should return something similar to:
clean_requirements_on_remove=1
+ +platform: yum diff --git a/linux_os/guide/system/software/updating/ensure_gpgcheck_globally_activated.rule b/linux_os/guide/system/software/updating/ensure_gpgcheck_globally_activated.rule index 73e29ae1a5..b19e178026 100644 --- a/linux_os/guide/system/software/updating/ensure_gpgcheck_globally_activated.rule +++ b/linux_os/guide/system/software/updating/ensure_gpgcheck_globally_activated.rule @@ -67,3 +67,5 @@ ocil: |- A value of 1 indicates that gpgcheck is enabled. Absence of a gpgcheck line or a setting of 0 indicates that it is disabled. + +platform: yum diff --git a/linux_os/guide/system/software/updating/ensure_gpgcheck_local_packages.rule b/linux_os/guide/system/software/updating/ensure_gpgcheck_local_packages.rule index 7d94688af4..d1ffba4d4e 100644 --- a/linux_os/guide/system/software/updating/ensure_gpgcheck_local_packages.rule +++ b/linux_os/guide/system/software/updating/ensure_gpgcheck_local_packages.rule @@ -47,3 +47,5 @@ ocil: |-
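Review bot: `platform: yum` added to clean_components_post_updating.rule, and to the ensure_gpgcheck_globally_activated, ensure_gpgcheck_local_packages and ensure_gpgcheck_repo_metadata hunks in this commit, makes these rules not-applicable wherever the yum package is absent; on dnf-based products yum may be only a compatibility package, so the gpgcheck rules — the controls enforcing package signature verification — could silently drop out of the evaluation exactly where they matter. Please confirm the intended behaviour on dnf-based products, and consider whether a second CPE for dnf is needed alongside yum so the rules stay applicable. The ocil block each line follows starts outside the hunk.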
$ grep localpkg_gpgcheck /etc/yum.conf
The output should return something similar to:
localpkg_gpgcheck=1
+ +platform: yum diff --git a/linux_os/guide/system/software/updating/ensure_gpgcheck_repo_metadata.rule b/linux_os/guide/system/software/updating/ensure_gpgcheck_repo_metadata.rule index aa3aa83f70..4f8a76652c 100644 --- a/linux_os/guide/system/software/updating/ensure_gpgcheck_repo_metadata.rule +++ b/linux_os/guide/system/software/updating/ensure_gpgcheck_repo_metadata.rule @@ -55,3 +55,5 @@ ocil: |-
$ grep repo_gpgcheck /etc/yum.conf
The output should return something similar to:
repo_gpgcheck=1
+ +platform: yum diff --git a/shared/checks/oval/installed_env_has_yum_package.xml b/shared/checks/oval/installed_env_has_yum_package.xml new file mode 100644 index 0000000000..916d568062 --- /dev/null +++ b/shared/checks/oval/installed_env_has_yum_package.xml @@ -0,0 +1,37 @@ + + + + Package yum is installed + + multi_platform_all + + Checks if package yum is installed. + + + + + + + +{{% if pkg_system == "rpm" %}} + + + + + yum + +{{% elif pkg_system == "dpkg" %}} + + + + + yum + +{{% endif %}} + + diff --git a/ssg/constants.py b/ssg/constants.py index 8d7a4cc290..94d9d8c180 100644 --- a/ssg/constants.py +++ b/ssg/constants.py @@ -381,6 +381,7 @@ "pam": "cpe:/a:pam", "shadow-utils": "cpe:/a:shadow-utils", "systemd": "cpe:/a:systemd", + "yum": "cpe:/a:yum", } # Application constants From b7250b641c3d533d10a8e633094cf6421b0c34dc Mon Sep 17 00:00:00 2001 From: Watson Sato Date: Mon, 8 Apr 2019 18:00:19 +0200 Subject: [PATCH 11/11] Update rhel7 cpe-dictionary --- rhel7/cpe/rhel7-cpe-dictionary.xml | 25 +++++++++++++++++++++++++ 1 file changed, 25 insertions(+) diff --git a/rhel7/cpe/rhel7-cpe-dictionary.xml b/rhel7/cpe/rhel7-cpe-dictionary.xml index 44fe06f103..d64c18e846 100644 --- a/rhel7/cpe/rhel7-cpe-dictionary.xml +++ b/rhel7/cpe/rhel7-cpe-dictionary.xml @@ -47,9 +47,34 @@ installed_env_is_a_machine + + Package libuser is installed + + installed_env_has_libuser_package + + + Package nss-pam-ldapd is installed + + installed_env_has_nss-pam-ldapd_package + + + Package pam is installed + + installed_env_has_pam_package + Package shadow-utils is installed installed_env_has_shadow-utils_package + + Package systemd is installed + + installed_env_has_systemd_package + + + Package yum is installed + + installed_env_has_yum_package +
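Review bot: Only rhel7/cpe/rhel7-cpe-dictionary.xml receives the new libuser, nss-pam-ldapd, pam, systemd and yum cpe-items, while the rules given these platforms in the earlier commits live under linux_os/ and are shared across products; if the other products' dictionaries are not updated the same way, a rule carrying `platform: pam` would reference a CPE that product cannot resolve — please confirm how the build treats an unknown platform and whether the other dictionaries need matching entries. Within this series the platform lines (PATCH 03/11, 06/11, 07/11, 10/11) also land before the dictionary entries, so the intermediate commits may not build if platforms are validated against the dictionary; reordering or squashing would keep each commit self-consistent. The check markup is not visible in this rendering, so the cpe-item ids themselves could not be verified.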