diff --git a/.gitignore b/.gitignore
index 2d690d4..1c1c8af 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1 @@
-SOURCES/scap-security-guide-0.1.40.tar.bz2
+SOURCES/scap-security-guide-0.1.43.tar.bz2
diff --git a/.scap-security-guide.metadata b/.scap-security-guide.metadata
index 38b0eff..fd5976d 100644
--- a/.scap-security-guide.metadata
+++ b/.scap-security-guide.metadata
@@ -1 +1 @@
-0e2850b70814bb080516ed6344d145d834ca12bc SOURCES/scap-security-guide-0.1.40.tar.bz2
+9ccdd4a8e5f34af380aaef4348b206803f4ca075 SOURCES/scap-security-guide-0.1.43.tar.bz2
diff --git a/SOURCES/add-missing-tags-and-platforms.patch b/SOURCES/add-missing-tags-and-platforms.patch
new file mode 100644
index 0000000..21f1aa6
--- /dev/null
+++ b/SOURCES/add-missing-tags-and-platforms.patch
@@ -0,0 +1,768 @@ +From a732c5c1d77f96438f866928839639f92df9f36f Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= +Date: Mon, 20 May 2019 15:36:17 +0200 +Subject: [PATCH] Add missing tags and platform assertions + +Some tasks were missing tags, but they were dependencies of +other tasks. When user run the generated playbook with --tags, +those dependent tasks weren't evaluated and then the whole +playbook failed. For example rhbz#1685950. +--- + .../sssd_enable_smartcards/ansible/shared.yml | 7 ++++++- + .../sssd_memcache_timeout/ansible/shared.yml | 7 ++++++- + .../ansible/shared.yml | 7 ++++++- + .../ansible/shared.yml | 7 ++++++- + .../ansible/shared.yml | 6 ++++-- + .../configure_opensc_nss_db/ansible/shared.yml | 11 +++++++---- + .../ansible/shared.yml | 6 ++++-- + .../no_direct_root_logins/ansible/shared.yml | 3 +++ + .../ansible/shared.yml | 14 ++++++++++++-- + .../ansible/shared.yml | 17 +++++++++++++++-- + .../ansible/shared.yml | 14 ++++++++++++-- + .../ansible/shared.yml | 14 ++++++++++++-- + .../ansible/shared.yml | 3 +++ + .../configure_crypto_policy/ansible/shared.yml | 3 +++ + .../ansible/shared.yml | 4 +++- + .../ansible/shared.yml | 4 +++- + .../ansible/shared.yml | 3 +++ + ...emplate_ANSIBLE_audit_rules_dac_modification | 14 ++++++++++++-- + ...ate_ANSIBLE_audit_rules_file_deletion_events | 14 ++++++++++++-- + .../template_ANSIBLE_audit_rules_login_events | 14 ++++++++++++-- + ...late_ANSIBLE_audit_rules_privileged_commands | 11 +++++++++-- + ...E_audit_rules_unsuccessful_file_modification | 14 ++++++++++++-- + ...e_ANSIBLE_audit_rules_usergroup_modification | 14 ++++++++++++-- + .../templates/template_ANSIBLE_file_groupowner | 3 +++ + shared/templates/template_ANSIBLE_file_owner | 3 +++ + .../templates/template_ANSIBLE_file_permissions | 5 ++++- + .../template_ANSIBLE_file_regex_permissions | 1 + + shared/templates/template_ANSIBLE_sebool_var | 2 ++ + 28 files changed, 190 insertions(+), 35 deletions(-) + +diff --git 
a/linux_os/guide/services/sssd/sssd_enable_smartcards/ansible/shared.yml b/linux_os/guide/services/sssd/sssd_enable_smartcards/ansible/shared.yml +index f6dbdf4..2232b83 100644 +--- a/linux_os/guide/services/sssd/sssd_enable_smartcards/ansible/shared.yml ++++ b/linux_os/guide/services/sssd/sssd_enable_smartcards/ansible/shared.yml +@@ -8,6 +8,9 @@ + register: test_grep_domain + ignore_errors: yes + changed_when: False ++ tags: ++ @ANSIBLE_TAGS@ ++ @ANSIBLE_ENSURE_PLATFORM@ + + - name: "Add default domain group (if no domain there)" + ini_file: +@@ -20,7 +23,9 @@ + with_items: + - { section: sssd, option: domains, value: default} + - { section: domain/default, option: id_provider, value: files } +- when: test_grep_domain.stdout == "" ++ when: test_grep_domain.stdout == "" and @ANSIBLE_PLATFORM_CONDITION@ ++ tags: ++ @ANSIBLE_TAGS@ + - name: "Enable Smartcards in SSSD" + ini_file: + dest: /etc/sssd/sssd.conf +diff --git a/linux_os/guide/services/sssd/sssd_memcache_timeout/ansible/shared.yml b/linux_os/guide/services/sssd/sssd_memcache_timeout/ansible/shared.yml +index 3cf2af4..a5f7658 100644 +--- a/linux_os/guide/services/sssd/sssd_memcache_timeout/ansible/shared.yml ++++ b/linux_os/guide/services/sssd/sssd_memcache_timeout/ansible/shared.yml +@@ -10,6 +10,9 @@ + register: test_grep_domain + ignore_errors: yes + changed_when: False ++ tags: ++ @ANSIBLE_TAGS@ ++ @ANSIBLE_ENSURE_PLATFORM@ + + - name: "Add default domain group (if no domain there)" + ini_file: +@@ -22,7 +25,9 @@ + with_items: + - { section: sssd, option: domains, value: default} + - { section: domain/default, option: id_provider, value: files } +- when: test_grep_domain.stdout == "" ++ when: test_grep_domain.stdout == "" and @ANSIBLE_PLATFORM_CONDITION@ ++ tags: ++ @ANSIBLE_TAGS@ + + - name: "Configure SSSD's Memory Cache to Expire" + ini_file: +diff --git a/linux_os/guide/services/sssd/sssd_offline_cred_expiration/ansible/shared.yml 
b/linux_os/guide/services/sssd/sssd_offline_cred_expiration/ansible/shared.yml +index f2cddfd..f8d0b00 100644 +--- a/linux_os/guide/services/sssd/sssd_offline_cred_expiration/ansible/shared.yml ++++ b/linux_os/guide/services/sssd/sssd_offline_cred_expiration/ansible/shared.yml +@@ -8,6 +8,9 @@ + register: test_grep_domain + ignore_errors: yes + changed_when: False ++ tags: ++ @ANSIBLE_TAGS@ ++ @ANSIBLE_ENSURE_PLATFORM@ + + - name: "Add default domain group (if no domain there)" + ini_file: +@@ -20,7 +23,9 @@ + with_items: + - { section: sssd, option: domains, value: default} + - { section: domain/default, option: id_provider, value: files } +- when: test_grep_domain.stdout == "" ++ when: test_grep_domain.stdout == "" and @ANSIBLE_PLATFORM_CONDITION@ ++ tags: ++ @ANSIBLE_TAGS@ + + - name: "Configure SSD to Expire Offline Credentials" + ini_file: +diff --git a/linux_os/guide/services/sssd/sssd_ssh_known_hosts_timeout/ansible/shared.yml b/linux_os/guide/services/sssd/sssd_ssh_known_hosts_timeout/ansible/shared.yml +index 61bd798..d7f246e 100644 +--- a/linux_os/guide/services/sssd/sssd_ssh_known_hosts_timeout/ansible/shared.yml ++++ b/linux_os/guide/services/sssd/sssd_ssh_known_hosts_timeout/ansible/shared.yml +@@ -10,6 +10,9 @@ + register: test_grep_domain + ignore_errors: yes + changed_when: False ++ tags: ++ @ANSIBLE_TAGS@ ++ @ANSIBLE_ENSURE_PLATFORM@ + + - name: "Add default domain group (if no domain there)" + ini_file: +@@ -22,7 +25,9 @@ + with_items: + - { section: sssd, option: domains, value: default} + - { section: domain/default, option: id_provider, value: files } +- when: test_grep_domain.stdout == "" ++ when: test_grep_domain.stdout == "" and @ANSIBLE_PLATFORM_CONDITION@ ++ tags: ++ @ANSIBLE_TAGS@ + + - name: "Configure SSSD to Expire SSH Known Hosts" + ini_file: +diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/configure_opensc_card_drivers/ansible/shared.yml 
b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/configure_opensc_card_drivers/ansible/shared.yml +index f4617b1..69f488a 100644 +--- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/configure_opensc_card_drivers/ansible/shared.yml ++++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/configure_opensc_card_drivers/ansible/shared.yml +@@ -9,6 +9,9 @@ + stat: + path: /etc/opensc-{{ ansible_architecture }}.conf + register: opensc_conf_cd ++ tags: ++ @ANSIBLE_TAGS@ ++ @ANSIBLE_ENSURE_PLATFORM@ + + - name: "@RULE_TITLE@" + lineinfile: +@@ -16,7 +19,6 @@ + line: ' card_drivers = {{ var_smartcard_drivers }}' + regexp: '(^\s+#|^)\s+card_drivers\s+=\s+.*' + state: present +- when: opensc_conf_cd.stat.exists ++ when: opensc_conf_cd.stat.exists and @ANSIBLE_PLATFORM_CONDITION@ + tags: + @ANSIBLE_TAGS@ +- @ANSIBLE_ENSURE_PLATFORM@ +diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/configure_opensc_nss_db/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/configure_opensc_nss_db/ansible/shared.yml +index 1e1dee5..dcef0b6 100644 +--- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/configure_opensc_nss_db/ansible/shared.yml ++++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/configure_opensc_nss_db/ansible/shared.yml +@@ -3,10 +3,13 @@ + # strategy = configure + # complexity = low + # disruption = low +-- name: Check existence of pkcs11-switch +- stat: +- path: /usr/bin/pkcs11-switch +- register: pkcs11switch ++- name: Check existence of pkcs11-switch ++ stat: ++ path: /usr/bin/pkcs11-switch ++ register: pkcs11switch ++ tags: ++ @ANSIBLE_TAGS@ ++ @ANSIBLE_ENSURE_PLATFORM@ + + - name: Get NSS database smart card configuration + command: /usr/bin/pkcs11-switch +diff --git 
a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/force_opensc_card_drivers/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/force_opensc_card_drivers/ansible/shared.yml +index 30452e8..a5da032 100644 +--- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/force_opensc_card_drivers/ansible/shared.yml ++++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/force_opensc_card_drivers/ansible/shared.yml +@@ -9,6 +9,9 @@ + stat: + path: /etc/opensc-{{ ansible_architecture }}.conf + register: opensc_conf_fcd ++ tags: ++ @ANSIBLE_TAGS@ ++ @ANSIBLE_ENSURE_PLATFORM@ + + - name: "@RULE_TITLE@" + lineinfile: +@@ -16,7 +19,6 @@ + line: ' force_card_driver = {{ var_smartcard_drivers }}' + regexp: '(^\s+#|^)\s+force_card_driver\s+=\s+.*' + state: present +- when: opensc_conf_fcd.stat.exists ++ when: opensc_conf_fcd.stat.exists and @ANSIBLE_PLATFORM_CONDITION@ + tags: + @ANSIBLE_TAGS@ +- @ANSIBLE_ENSURE_PLATFORM@ +diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/ansible/shared.yml +index 7b20eed..e4e5e0f 100644 +--- a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/ansible/shared.yml ++++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/ansible/shared.yml +@@ -7,6 +7,9 @@ + stat: + path: /etc/securetty + register: securetty_empty ++ tags: ++ @ANSIBLE_TAGS@ ++ @ANSIBLE_ENSURE_PLATFORM@ + + - name: "Direct root Logins Not Allowed" + shell: echo > /etc/securetty +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_create/ansible/shared.yml 
b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_create/ansible/shared.yml +index bd42214..39f35f0 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_create/ansible/shared.yml ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_create/ansible/shared.yml +@@ -7,6 +7,9 @@ + - name: Set architecture for audit create_module tasks + set_fact: + audit_arch: "b{{ ansible_architecture | regex_replace('.*(\\d\\d$)','\\1') }}" ++ tags: ++ @ANSIBLE_TAGS@ ++ @ANSIBLE_ENSURE_PLATFORM@ + + # Inserts/replaces the rule in /etc/audit/rules.d + +@@ -17,16 +20,23 @@ + contains: ^.*create_module.*$ + patterns: '*.rules' + register: find_create_module ++ tags: ++ @ANSIBLE_TAGS@ ++ @ANSIBLE_ENSURE_PLATFORM@ + - name: Use /etc/audit/rules.d/privileged.rules as the recipient for the rule + set_fact: + all_files: + - /etc/audit/rules.d/privileged.rules +- when: find_create_module.matched == 0 ++ when: find_create_module.matched == 0 and @ANSIBLE_PLATFORM_CONDITION@ ++ tags: ++ @ANSIBLE_TAGS@ + - name: Use matched file as the recipient for the rule + set_fact: + all_files: + - '{{ find_create_module.files | map(attribute=''path'') | list | first }}' +- when: find_create_module.matched > 0 ++ when: find_create_module.matched > 0 and @ANSIBLE_PLATFORM_CONDITION@ ++ tags: ++ @ANSIBLE_TAGS@ + - name: Inserts/replaces the create_module rule in rules.d + lineinfile: + path: '{{ all_files[0] }}' +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_delete/ansible/shared.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_delete/ansible/shared.yml +index 59df796..0f2b57f 100644 +--- 
a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_delete/ansible/shared.yml ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_delete/ansible/shared.yml +@@ -7,6 +7,9 @@ + - name: Set architecture for audit delete_module tasks + set_fact: + audit_arch: "b{{ ansible_architecture | regex_replace('.*(\\d\\d$)','\\1') }}" ++ tags: ++ @ANSIBLE_TAGS@ ++ @ANSIBLE_ENSURE_PLATFORM@ + + # Inserts/replaces the rule in /etc/audit/rules.d + +@@ -17,16 +20,26 @@ + contains: ^.*delete_module.*$ + patterns: '*.rules' + register: find_delete_module ++ tags: ++ @ANSIBLE_TAGS@ ++ @ANSIBLE_ENSURE_PLATFORM@ ++ + - name: Use /etc/audit/rules.d/privileged.rules as the recipient for the rule + set_fact: + all_files: + - /etc/audit/rules.d/privileged.rules +- when: find_delete_module.matched == 0 ++ when: find_delete_module.matched == 0 and @ANSIBLE_PLATFORM_CONDITION@ ++ tags: ++ @ANSIBLE_TAGS@ ++ + - name: Use matched file as the recipient for the rule + set_fact: + all_files: + - '{{ find_delete_module.files | map(attribute=''path'') | list | first }}' +- when: find_delete_module.matched > 0 ++ when: find_delete_module.matched > 0 and @ANSIBLE_PLATFORM_CONDITION@ ++ tags: ++ @ANSIBLE_TAGS@ ++ + - name: Inserts/replaces the delete_module rule in rules.d + lineinfile: + path: '{{ all_files[0] }}' +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_finit/ansible/shared.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_finit/ansible/shared.yml +index dbd6a8b..be89110 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_finit/ansible/shared.yml ++++ 
b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_finit/ansible/shared.yml +@@ -7,6 +7,9 @@ + - name: Set architecture for audit finit_module tasks + set_fact: + audit_arch: "b{{ ansible_architecture | regex_replace('.*(\\d\\d$)','\\1') }}" ++ tags: ++ @ANSIBLE_TAGS@ ++ @ANSIBLE_ENSURE_PLATFORM@ + + # Inserts/replaces the rule in /etc/audit/rules.d + +@@ -17,16 +20,23 @@ + contains: ^.*finit_module.*$ + patterns: '*.rules' + register: find_finit_module ++ tags: ++ @ANSIBLE_TAGS@ ++ @ANSIBLE_ENSURE_PLATFORM@ + - name: Use /etc/audit/rules.d/privileged.rules as the recipient for the rule + set_fact: + all_files: + - /etc/audit/rules.d/privileged.rules +- when: find_finit_module.matched == 0 ++ when: find_finit_module.matched == 0 and @ANSIBLE_PLATFORM_CONDITION@ ++ tags: ++ @ANSIBLE_TAGS@ + - name: Use matched file as the recipient for the rule + set_fact: + all_files: + - '{{ find_finit_module.files | map(attribute=''path'') | list | first }}' +- when: find_finit_module.matched > 0 ++ when: find_finit_module.matched > 0 and @ANSIBLE_PLATFORM_CONDITION@ ++ tags: ++ @ANSIBLE_TAGS@ + - name: Inserts/replaces the finit_module rule in rules.d + lineinfile: + path: '{{ all_files[0] }}' +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_init/ansible/shared.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_init/ansible/shared.yml +index 7514401..dd41927 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_init/ansible/shared.yml ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_init/ansible/shared.yml +@@ -7,6 +7,9 @@ + - name: Set architecture for audit init_module tasks + set_fact: + audit_arch: "b{{ 
ansible_architecture | regex_replace('.*(\\d\\d$)','\\1') }}" ++ tags: ++ @ANSIBLE_TAGS@ ++ @ANSIBLE_ENSURE_PLATFORM@ + + # Inserts/replaces the rule in /etc/audit/rules.d + +@@ -17,16 +20,23 @@ + contains: ^.*init_module.*$ + patterns: '*.rules' + register: find_init_module ++ tags: ++ @ANSIBLE_TAGS@ ++ @ANSIBLE_ENSURE_PLATFORM@ + - name: Use /etc/audit/rules.d/privileged.rules as the recipient for the rule + set_fact: + all_files: + - /etc/audit/rules.d/privileged.rules +- when: find_init_module.matched == 0 ++ when: find_init_module.matched == 0 and @ANSIBLE_PLATFORM_CONDITION@ ++ tags: ++ @ANSIBLE_TAGS@ + - name: Use matched file as the recipient for the rule + set_fact: + all_files: + - '{{ find_init_module.files | map(attribute=''path'') | list | first }}' +- when: find_init_module.matched > 0 ++ when: find_init_module.matched > 0 and @ANSIBLE_PLATFORM_CONDITION@ ++ tags: ++ @ANSIBLE_TAGS@ + - name: Inserts/replaces the init_module rule in rules.d + lineinfile: + path: '{{ all_files[0] }}' +diff --git a/linux_os/guide/system/software/gnome/gnome_system_settings/dconf_gnome_disable_geolocation/ansible/shared.yml b/linux_os/guide/system/software/gnome/gnome_system_settings/dconf_gnome_disable_geolocation/ansible/shared.yml +index b0de57f..19f5a14 100644 +--- a/linux_os/guide/system/software/gnome/gnome_system_settings/dconf_gnome_disable_geolocation/ansible/shared.yml ++++ b/linux_os/guide/system/software/gnome/gnome_system_settings/dconf_gnome_disable_geolocation/ansible/shared.yml +@@ -21,6 +21,9 @@ + option: gelocation + value: "false" + create: yes ++ tags: ++ @ANSIBLE_TAGS@ ++ @ANSIBLE_ENSURE_PLATFORM@ + + - name: "Prevent user modification of GNOME geolocation - location tracking" + lineinfile: +diff --git a/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/ansible/shared.yml b/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/ansible/shared.yml +index 2254249..c50753c 100644 +--- 
a/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/ansible/shared.yml ++++ b/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/ansible/shared.yml +@@ -17,3 +17,6 @@ + + - name: Verify that Crypto Policy is Set (runtime) + shell: /usr/bin/update-crypto-policies --set {{ var_system_crypto_policy }} ++ tags: ++ @ANSIBLE_TAGS@ ++ @ANSIBLE_ENSURE_PLATFORM@ +diff --git a/linux_os/guide/system/software/updating/ensure_gpgcheck_globally_activated/ansible/shared.yml b/linux_os/guide/system/software/updating/ensure_gpgcheck_globally_activated/ansible/shared.yml +index 551087e..8589950 100644 +--- a/linux_os/guide/system/software/updating/ensure_gpgcheck_globally_activated/ansible/shared.yml ++++ b/linux_os/guide/system/software/updating/ensure_gpgcheck_globally_activated/ansible/shared.yml +@@ -8,7 +8,9 @@ + path: /etc/yum.conf + register: yum_config_file + check_mode: no +- when: ansible_distribution == "Fedora" ++ when: ansible_distribution == "Fedora" and @ANSIBLE_PLATFORM_CONDITION@ ++ tags: ++ @ANSIBLE_TAGS@ + + # Old versions of Fedora use yum + +diff --git a/linux_os/guide/system/software/updating/ensure_gpgcheck_local_packages/ansible/shared.yml b/linux_os/guide/system/software/updating/ensure_gpgcheck_local_packages/ansible/shared.yml +index cc61f4f..1313dc0 100644 +--- a/linux_os/guide/system/software/updating/ensure_gpgcheck_local_packages/ansible/shared.yml ++++ b/linux_os/guide/system/software/updating/ensure_gpgcheck_local_packages/ansible/shared.yml +@@ -8,7 +8,9 @@ + path: /etc/yum.conf + register: yum_config_file + check_mode: no +- when: ansible_distribution == "Fedora" ++ when: ansible_distribution == "Fedora" and @ANSIBLE_PLATFORM_CONDITION@ ++ tags: ++ @ANSIBLE_TAGS@ + + # Old versions of Fedora use yum + +diff --git a/linux_os/guide/system/software/updating/ensure_gpgcheck_never_disabled/ansible/shared.yml b/linux_os/guide/system/software/updating/ensure_gpgcheck_never_disabled/ansible/shared.yml +index 
56050ef..500459f 100644 +--- a/linux_os/guide/system/software/updating/ensure_gpgcheck_never_disabled/ansible/shared.yml ++++ b/linux_os/guide/system/software/updating/ensure_gpgcheck_never_disabled/ansible/shared.yml +@@ -10,6 +10,9 @@ + patterns: "*.repo" + contains: ^\[.+]$ + register: yum_find ++ tags: ++ @ANSIBLE_TAGS@ ++ @ANSIBLE_ENSURE_PLATFORM@ + + - name: Ensure gpgcheck Enabled For All {{{ pkg_manager }}} Package Repositories + with_items: "{{ yum_find.files }}" +diff --git a/shared/templates/template_ANSIBLE_audit_rules_dac_modification b/shared/templates/template_ANSIBLE_audit_rules_dac_modification +index 0f43d05..eb69f49 100644 +--- a/shared/templates/template_ANSIBLE_audit_rules_dac_modification ++++ b/shared/templates/template_ANSIBLE_audit_rules_dac_modification +@@ -10,6 +10,9 @@ + - name: Set architecture for audit {{{ ATTR }}} tasks + set_fact: + audit_arch: "b{{ ansible_architecture | regex_replace('.*(\\d\\d$)','\\1') }}" ++ tags: ++ @ANSIBLE_TAGS@ ++ @ANSIBLE_ENSURE_PLATFORM@ + + # + # Inserts/replaces the rule in /etc/audit/rules.d +@@ -21,18 +24,25 @@ + contains: "-F key=perm_mod$" + patterns: "*.rules" + register: find_{{{ ATTR }}} ++ tags: ++ @ANSIBLE_TAGS@ ++ @ANSIBLE_ENSURE_PLATFORM@ + + - name: If existing DAC ruleset not found, use /etc/audit/rules.d/privileged.rules as the recipient for the rule + set_fact: + all_files: + - /etc/audit/rules.d/privileged.rules +- when: find_{{{ ATTR }}}.matched == 0 ++ when: find_{{{ ATTR }}}.matched == 0 and @ANSIBLE_PLATFORM_CONDITION@ ++ tags: ++ @ANSIBLE_TAGS@ + + - name: Use matched file as the recipient for the rule + set_fact: + all_files: + - "{{ find_{{{ ATTR }}}.files | map(attribute='path') | list | first }}" +- when: find_{{{ ATTR }}}.matched > 0 ++ when: find_{{{ ATTR }}}.matched > 0 and @ANSIBLE_PLATFORM_CONDITION@ ++ tags: ++ @ANSIBLE_TAGS@ + + - name: Inserts/replaces the {{{ ATTR }}} rule in rules.d when on x86 + lineinfile: +diff --git 
a/shared/templates/template_ANSIBLE_audit_rules_file_deletion_events b/shared/templates/template_ANSIBLE_audit_rules_file_deletion_events +index 1ccef80..c15c2cd 100644 +--- a/shared/templates/template_ANSIBLE_audit_rules_file_deletion_events ++++ b/shared/templates/template_ANSIBLE_audit_rules_file_deletion_events +@@ -10,6 +10,9 @@ + - name: Set architecture for audit {{{ NAME }}} tasks + set_fact: + audit_arch: "b{{ ansible_architecture | regex_replace('.*(\\d\\d$)','\\1') }}" ++ tags: ++ @ANSIBLE_TAGS@ ++ @ANSIBLE_ENSURE_PLATFORM@ + + # + # Inserts/replaces the rule in /etc/audit/rules.d +@@ -21,18 +24,25 @@ + contains: "-F key=delete$" + patterns: "*.rules" + register: find_{{{ NAME }}} ++ tags: ++ @ANSIBLE_TAGS@ ++ @ANSIBLE_ENSURE_PLATFORM@ + + - name: If existing DAC ruleset not found, use /etc/audit/rules.d/delete.rules as the recipient for the rule + set_fact: + all_files: + - /etc/audit/rules.d/delete.rules +- when: find_{{{ NAME }}}.matched == 0 ++ when: find_{{{ NAME }}}.matched == 0 and @ANSIBLE_PLATFORM_CONDITION@ ++ tags: ++ @ANSIBLE_TAGS@ + + - name: Use matched file as the recipient for the rule + set_fact: + all_files: + - "{{ find_{{{ NAME }}}.files | map(attribute='path') | list | first }}" +- when: find_{{{ NAME }}}.matched > 0 ++ when: find_{{{ NAME }}}.matched > 0 and @ANSIBLE_PLATFORM_CONDITION@ ++ tags: ++ @ANSIBLE_TAGS@ + + - name: Inserts/replaces the {{{ NAME }}} rule in rules.d when on x86 + lineinfile: +diff --git a/shared/templates/template_ANSIBLE_audit_rules_login_events b/shared/templates/template_ANSIBLE_audit_rules_login_events +index 835bf3a..cb319eb 100644 +--- a/shared/templates/template_ANSIBLE_audit_rules_login_events ++++ b/shared/templates/template_ANSIBLE_audit_rules_login_events +@@ -10,6 +10,9 @@ + - name: Set architecture for audit {{{ NAME }}} tasks + set_fact: + audit_arch: "b{{ ansible_architecture | regex_replace('.*(\\d\\d$)','\\1') }}" ++ tags: ++ @ANSIBLE_TAGS@ ++ @ANSIBLE_ENSURE_PLATFORM@ + + # + # 
Inserts/replaces the rule in /etc/audit/rules.d +@@ -21,18 +24,25 @@ + contains: "-k logins$" + patterns: "*.rules" + register: find_{{{ NAME }}} ++ tags: ++ @ANSIBLE_TAGS@ ++ @ANSIBLE_ENSURE_PLATFORM@ + + - name: If existing user/group modification ruleset not found, use /etc/audit/rules.d/logins.rules as the recipient for the rule + set_fact: + all_files: + - /etc/audit/rules.d/logins.rules +- when: find_{{{ NAME }}}.matched == 0 ++ when: find_{{{ NAME }}}.matched == 0 and @ANSIBLE_PLATFORM_CONDITION@ ++ tags: ++ @ANSIBLE_TAGS@ + + - name: Use matched file as the recipient for the rule + set_fact: + all_files: + - "{{ find_{{{ NAME }}}.files | map(attribute='path') | list | first }}" +- when: find_{{{ NAME }}}.matched > 0 ++ when: find_{{{ NAME }}}.matched > 0 and @ANSIBLE_PLATFORM_CONDITION@ ++ tags: ++ @ANSIBLE_TAGS@ + + - name: Inserts/replaces the {{{ NAME }}} rule in rules.d when on x86 + lineinfile: +diff --git a/shared/templates/template_ANSIBLE_audit_rules_privileged_commands b/shared/templates/template_ANSIBLE_audit_rules_privileged_commands +index a8bbc66..63a14d2 100644 +--- a/shared/templates/template_ANSIBLE_audit_rules_privileged_commands ++++ b/shared/templates/template_ANSIBLE_audit_rules_privileged_commands +@@ -13,18 +13,25 @@ + contains: "^.*path={{{ PATH }}}.*$" + patterns: "*.rules" + register: find_{{{ NAME }}} ++ tags: ++ @ANSIBLE_TAGS@ ++ @ANSIBLE_ENSURE_PLATFORM@ + + - name: Use /etc/audit/rules.d/privileged.rules as the recipient for the rule + set_fact: + all_files: + - /etc/audit/rules.d/privileged.rules +- when: find_{{{ NAME }}}.matched == 0 ++ when: find_{{{ NAME }}}.matched == 0 and @ANSIBLE_PLATFORM_CONDITION@ ++ tags: ++ @ANSIBLE_TAGS@ + + - name: Use matched file as the recipient for the rule + set_fact: + all_files: + - "{{ find_{{{ NAME }}}.files | map(attribute='path') | list | first }}" +- when: find_{{{ NAME }}}.matched > 0 ++ when: find_{{{ NAME }}}.matched > 0 and @ANSIBLE_PLATFORM_CONDITION@ ++ tags: ++ @ANSIBLE_TAGS@ + 
+ - name: Inserts/replaces the {{{ NAME }}} rule in rules.d + lineinfile: +diff --git a/shared/templates/template_ANSIBLE_audit_rules_unsuccessful_file_modification b/shared/templates/template_ANSIBLE_audit_rules_unsuccessful_file_modification +index 015a29b..99b7bdd 100644 +--- a/shared/templates/template_ANSIBLE_audit_rules_unsuccessful_file_modification ++++ b/shared/templates/template_ANSIBLE_audit_rules_unsuccessful_file_modification +@@ -10,6 +10,9 @@ + - name: Set architecture for audit {{{ NAME }}} tasks + set_fact: + audit_arch: "b{{ ansible_architecture | regex_replace('.*(\\d\\d$)','\\1') }}" ++ tags: ++ @ANSIBLE_TAGS@ ++ @ANSIBLE_ENSURE_PLATFORM@ + + # + # Inserts/replaces the rule in /etc/audit/rules.d +@@ -21,18 +24,25 @@ + contains: "-F key=perm_mod$" + patterns: "*.rules" + register: find_{{{ NAME }}} ++ tags: ++ @ANSIBLE_TAGS@ ++ @ANSIBLE_ENSURE_PLATFORM@ + + - name: If existing DAC ruleset not found, use /etc/audit/rules.d/access.rules as the recipient for the rule + set_fact: + all_files: + - /etc/audit/rules.d/access.rules +- when: find_{{{ NAME }}}.matched == 0 ++ when: find_{{{ NAME }}}.matched == 0 and @ANSIBLE_PLATFORM_CONDITION@ ++ tags: ++ @ANSIBLE_TAGS@ + + - name: Use matched file as the recipient for the rule + set_fact: + all_files: + - "{{ find_{{{ NAME }}}.files | map(attribute='path') | list | first }}" +- when: find_{{{ NAME }}}.matched > 0 ++ when: find_{{{ NAME }}}.matched > 0 and @ANSIBLE_PLATFORM_CONDITION@ ++ tags: ++ @ANSIBLE_TAGS@ + + - name: Inserts/replaces the {{{ NAME }}} rule in rules.d when on x86 + lineinfile: +diff --git a/shared/templates/template_ANSIBLE_audit_rules_usergroup_modification b/shared/templates/template_ANSIBLE_audit_rules_usergroup_modification +index a4b3a0a..df71891 100644 +--- a/shared/templates/template_ANSIBLE_audit_rules_usergroup_modification ++++ b/shared/templates/template_ANSIBLE_audit_rules_usergroup_modification +@@ -10,6 +10,9 @@ + - name: Set architecture for audit {{{ NAME }}} tasks + 
set_fact: + audit_arch: "b{{ ansible_architecture | regex_replace('.*(\\d\\d$)','\\1') }}" ++ tags: ++ @ANSIBLE_TAGS@ ++ @ANSIBLE_ENSURE_PLATFORM@ + + # + # Inserts/replaces the rule in /etc/audit/rules.d +@@ -21,18 +24,25 @@ + contains: "-k audit_rules_usergroup_modification$" + patterns: "*.rules" + register: find_{{{ NAME }}} ++ tags: ++ @ANSIBLE_TAGS@ ++ @ANSIBLE_ENSURE_PLATFORM@ + + - name: If existing user/group modification ruleset not found, use /etc/audit/rules.d/privileged.rules as the recipient for the rule + set_fact: + all_files: + - /etc/audit/rules.d/privileged.rules +- when: find_{{{ NAME }}}.matched == 0 ++ when: find_{{{ NAME }}}.matched == 0 and @ANSIBLE_PLATFORM_CONDITION@ ++ tags: ++ @ANSIBLE_TAGS@ + + - name: Use matched file as the recipient for the rule + set_fact: + all_files: + - "{{ find_{{{ NAME }}}.files | map(attribute='path') | list | first }}" +- when: find_{{{ NAME }}}.matched > 0 ++ when: find_{{{ NAME }}}.matched > 0 and @ANSIBLE_PLATFORM_CONDITION@ ++ tags: ++ @ANSIBLE_TAGS@ + + - name: Inserts/replaces the {{{ NAME }}} rule in rules.d when on x86 + lineinfile: +diff --git a/shared/templates/template_ANSIBLE_file_groupowner b/shared/templates/template_ANSIBLE_file_groupowner +index 3c7335a..f9c7a9c 100644 +--- a/shared/templates/template_ANSIBLE_file_groupowner ++++ b/shared/templates/template_ANSIBLE_file_groupowner +@@ -7,6 +7,9 @@ + stat: + path: {{{ FILEPATH }}} + register: file_exists ++ tags: ++ @ANSIBLE_TAGS@ ++ @ANSIBLE_ENSURE_PLATFORM@ + + - name: Ensure group owner {{{ FILEGID }}} on {{{ FILEPATH }}} + file: +diff --git a/shared/templates/template_ANSIBLE_file_owner b/shared/templates/template_ANSIBLE_file_owner +index 13fd7dd..6eb0cff 100644 +--- a/shared/templates/template_ANSIBLE_file_owner ++++ b/shared/templates/template_ANSIBLE_file_owner +@@ -7,6 +7,9 @@ + stat: + path: {{{ FILEPATH }}} + register: file_exists ++ tags: ++ @ANSIBLE_TAGS@ ++ @ANSIBLE_ENSURE_PLATFORM@ + + - name: Ensure owner {{{ FILEUID }}} on {{{ 
FILEPATH }}} + file: +diff --git a/shared/templates/template_ANSIBLE_file_permissions b/shared/templates/template_ANSIBLE_file_permissions +index 57c8394..8d226a5 100644 +--- a/shared/templates/template_ANSIBLE_file_permissions ++++ b/shared/templates/template_ANSIBLE_file_permissions +@@ -7,7 +7,10 @@ + stat: + path: {{{ FILEPATH }}} + register: file_exists +- ++ tags: ++ @ANSIBLE_TAGS@ ++ @ANSIBLE_ENSURE_PLATFORM@ ++ + - name: Ensure permission {{{ FILEMODE }}} on {{{ FILEPATH }}} + file: + path: {{{ FILEPATH }}} +diff --git a/shared/templates/template_ANSIBLE_file_regex_permissions b/shared/templates/template_ANSIBLE_file_regex_permissions +index 01e36e7..478d29b 100644 +--- a/shared/templates/template_ANSIBLE_file_regex_permissions ++++ b/shared/templates/template_ANSIBLE_file_regex_permissions +@@ -11,6 +11,7 @@ + register: files_found + tags: + @ANSIBLE_TAGS@ ++ @ANSIBLE_ENSURE_PLATFORM@ + + - name: Set permissions for {{{ FILEPATH }}} file(s) + file: +diff --git a/shared/templates/template_ANSIBLE_sebool_var b/shared/templates/template_ANSIBLE_sebool_var +index ae6bee4..d48d1cf 100644 +--- a/shared/templates/template_ANSIBLE_sebool_var ++++ b/shared/templates/template_ANSIBLE_sebool_var +@@ -11,6 +11,8 @@ + state: latest + tags: + - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice ++ @ANSIBLE_TAGS@ ++ @ANSIBLE_ENSURE_PLATFORM@ + + - name: Set SELinux boolean {{{ SEBOOLID }}} accordingly + seboolean: +-- +2.20.1 + diff --git a/SOURCES/centos-debranding.patch b/SOURCES/centos-debranding.patch deleted file mode 100644 index 5e10621..0000000 --- a/SOURCES/centos-debranding.patch +++ /dev/null 
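Review bot: The new patch tags the prerequisite `Check existence of pkcs11-switch` task (configure_opensc_nss_db) and the `/etc/securetty` `stat` task (no_direct_root_logins), but the tasks that consume `pkcs11switch` and `securetty_empty` sit outside those hunks, so whether they carry `@ANSIBLE_TAGS@` and a platform guard — the same tag mismatch this patch exists to fix — cannot be confirmed from this diff and should be checked before the patch ships. In configure_crypto_policy the task `shell: /usr/bin/update-crypto-policies --set {{ var_system_crypto_policy }}` is now also selected under `--tags`, and the profile variable is interpolated into the shell line unquoted; `shell: /usr/bin/update-crypto-policies --set {{ var_system_crypto_policy | quote }}` would keep an unexpected variable value from being parsed as extra shell words. In the sebool_var template the new `@ANSIBLE_TAGS@` placeholder is appended under a `tags:` key that already holds the list item `- skip_ansible_lint`, so the expansion must produce list items at that indentation; the other templates in the patch only place it under an otherwise empty `tags:`. The spec file that has to reference this new patch and drop the deleted centos-debranding.patch is not part of this diff, so its `Patch`/`%patch` entries need to be verified alongside.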
@@ -1,134 +0,0 @@ -diff -uNrp scap-security-guide-0.1.40.orig/rhel7/profiles/C2S.profile scap-security-guide-0.1.40/rhel7/profiles/C2S.profile ---- scap-security-guide-0.1.40.orig/rhel7/profiles/C2S.profile 2018-07-25 12:50:14.000000000 +0000 -+++ scap-security-guide-0.1.40/rhel7/profiles/C2S.profile 2018-11-25 15:17:23.769888627 +0000 -@@ -3,6 +3,8 @@ documentation_complete: true - title: 'C2S for Red Hat Enterprise Linux 7' - - description: |- -+ **Not applicable to CentOS Linux, included for reference only** -+ - This profile demonstrates compliance against the - U.S. Government Commercial Cloud Services (C2S) baseline. - -diff -uNrp scap-security-guide-0.1.40.orig/rhel7/profiles/cjis.profile scap-security-guide-0.1.40/rhel7/profiles/cjis.profile ---- scap-security-guide-0.1.40.orig/rhel7/profiles/cjis.profile 2018-07-25 12:50:14.000000000 +0000 -+++ scap-security-guide-0.1.40/rhel7/profiles/cjis.profile 2018-11-25 15:29:55.671294215 +0000 -@@ -3,6 +3,8 @@ documentation_complete: true - title: 'Criminal Justice Information Services (CJIS) Security Policy' - - description: |- -+ **Not applicable to CentOS Linux, included for reference only** -+ - This profile is derived from FBI's CJIS v5.4 - Security Policy. A copy of this policy can be found at the CJIS Security - Policy Resource Center: -diff -uNrp scap-security-guide-0.1.40.orig/rhel7/profiles/hipaa.profile scap-security-guide-0.1.40/rhel7/profiles/hipaa.profile ---- scap-security-guide-0.1.40.orig/rhel7/profiles/hipaa.profile 2018-07-25 12:50:14.000000000 +0000 -+++ scap-security-guide-0.1.40/rhel7/profiles/hipaa.profile 2018-11-25 15:30:15.463278958 +0000 -@@ -3,6 +3,8 @@ documentation_complete: True - title: 'Health Insurance Portability and Accountability Act (HIPAA)' - - description: |- -+ **Not applicable to CentOS Linux, included for reference only** -+ - The HIPAA Security Rule establishes U.S. 
national standards to protect individuals’ - electronic personal health information that is created, received, used, or - maintained by a covered entity. The Security Rule requires appropriate -diff -uNrp scap-security-guide-0.1.40.orig/rhel7/profiles/nist-800-171-cui.profile scap-security-guide-0.1.40/rhel7/profiles/nist-800-171-cui.profile ---- scap-security-guide-0.1.40.orig/rhel7/profiles/nist-800-171-cui.profile 2018-07-25 12:50:14.000000000 +0000 -+++ scap-security-guide-0.1.40/rhel7/profiles/nist-800-171-cui.profile 2018-11-25 15:24:33.985542271 +0000 -@@ -2,7 +2,9 @@ documentation_complete: true - - title: 'Unclassified Information in Non-federal Information Systems and Organizations (NIST 800-171)' - --description: "From NIST 800-171, Section 2.2:\nSecurity requirements for protecting the confidentiality of CUI in nonfederal\ -+description: "**Not applicable to CentOS Linux, included for reference only** \n -+ \ \n -+ \ From NIST 800-171, Section 2.2:\nSecurity requirements for protecting the confidentiality of CUI in nonfederal\ - \ \ninformation systems and organizations have a well-defined structure that \nconsists of:\n\n(i) a basic security requirements\ - \ section;\n(ii) a derived security requirements section.\n\nThe basic security requirements are obtained from FIPS Publication\ - \ 200, which\nprovides the high-level and fundamental security requirements for federal\ninformation and information systems.\ -diff -uNrp scap-security-guide-0.1.40.orig/rhel7/profiles/ospp42.profile scap-security-guide-0.1.40/rhel7/profiles/ospp42.profile ---- scap-security-guide-0.1.40.orig/rhel7/profiles/ospp42.profile 2018-11-25 12:23:46.255295645 +0000 -+++ scap-security-guide-0.1.40/rhel7/profiles/ospp42.profile 2018-11-25 15:19:26.088789033 +0000 -@@ -3,6 +3,8 @@ documentation_complete: true - title: 'OSPP - Protection Profile for General Purpose Operating Systems v. 
4.2' - - description: |- -+ **Not applicable to CentOS Linux, included for reference only** -+ - This profile reflects mandatory configuration controls identified in the - NIAP Configuration Annex to the Protection Profile for General Purpose - Operating Systems (Protection Profile Version 4.2). -diff -uNrp scap-security-guide-0.1.40.orig/rhel7/profiles/ospp.profile scap-security-guide-0.1.40/rhel7/profiles/ospp.profile ---- scap-security-guide-0.1.40.orig/rhel7/profiles/ospp.profile 2018-11-25 12:23:46.255295645 +0000 -+++ scap-security-guide-0.1.40/rhel7/profiles/ospp.profile 2018-11-25 15:21:23.225693654 +0000 -@@ -3,6 +3,8 @@ documentation_complete: true - title: 'United States Government Configuration Baseline' - - description: |- -+ **Not applicable to CentOS Linux, included for reference only** -+ - This compliance profile reflects the core set of security - related configuration settings for deployment of Red Hat Enterprise - Linux 7.x into U.S. Defense, Intelligence, and Civilian agencies. -diff -uNrp scap-security-guide-0.1.40.orig/rhel7/profiles/pci-dss.profile scap-security-guide-0.1.40/rhel7/profiles/pci-dss.profile ---- scap-security-guide-0.1.40.orig/rhel7/profiles/pci-dss.profile 2018-07-25 12:50:14.000000000 +0000 -+++ scap-security-guide-0.1.40/rhel7/profiles/pci-dss.profile 2018-11-25 15:13:32.587076868 +0000 -@@ -2,8 +2,10 @@ documentation_complete: true - - title: 'PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7' - --description: 'Ensures PCI-DSS v3 related security configuration settings \n -- \ are applied.' -+description: "**Not applicable to CentOS Linux, included for reference only** \n -+ \ \n -+ \ Ensures PCI-DSS v3 related security configuration settings \n -+ \ are applied." 
- - selections: - - var_password_pam_unix_remember=4 -diff -uNrp scap-security-guide-0.1.40.orig/rhel7/profiles/rht-ccp.profile scap-security-guide-0.1.40/rhel7/profiles/rht-ccp.profile ---- scap-security-guide-0.1.40.orig/rhel7/profiles/rht-ccp.profile 2018-07-25 12:50:14.000000000 +0000 -+++ scap-security-guide-0.1.40/rhel7/profiles/rht-ccp.profile 2018-11-25 15:04:16.105536090 +0000 -@@ -2,10 +2,12 @@ documentation_complete: true - - title: 'Red Hat Corporate Profile for Certified Cloud Providers (RH CCP)' - --description: 'This profile contains the minimum security relevant \n -+description: "**Not applicable to CentOS Linux, included for reference only** \n -+ \ \n -+ \ This profile contains the minimum security relevant \n - \ configuration settings recommended by Red Hat, Inc for \n - \ Red Hat Enterprise Linux 7 instances deployed by Red Hat Certified \n -- \ Cloud Providers.' -+ \ Cloud Providers." - - selections: - - var_selinux_state=enforcing -diff -uNrp scap-security-guide-0.1.40.orig/rhel7/profiles/standard.profile scap-security-guide-0.1.40/rhel7/profiles/standard.profile ---- scap-security-guide-0.1.40.orig/rhel7/profiles/standard.profile 2018-07-25 12:50:14.000000000 +0000 -+++ scap-security-guide-0.1.40/rhel7/profiles/standard.profile 2018-11-25 15:18:14.952846958 +0000 -@@ -3,6 +3,8 @@ documentation_complete: true - title: 'Standard System Security Profile for Red Hat Enterprise Linux 7' - - description: |- -+ **Not applicable to CentOS Linux, included for reference only** -+ - This profile contains rules to ensure standard security baseline - of a Red Hat Enterprise Linux 7 system. Regardless of your system's workload - all of these checks should pass. 
-diff -uNrp scap-security-guide-0.1.40.orig/rhel7/profiles/stig-rhel7-disa.profile scap-security-guide-0.1.40/rhel7/profiles/stig-rhel7-disa.profile ---- scap-security-guide-0.1.40.orig/rhel7/profiles/stig-rhel7-disa.profile 2018-07-25 12:50:14.000000000 +0000 -+++ scap-security-guide-0.1.40/rhel7/profiles/stig-rhel7-disa.profile 2018-11-25 15:06:41.962411218 +0000 -@@ -2,7 +2,9 @@ documentation_complete: true - - title: 'DISA STIG for Red Hat Enterprise Linux 7' - --description: "This profile contains configuration checks that align to the \n -+description: "**Not applicable to CentOS Linux, included for reference only** \n -+ \ \n -+ \ This profile contains configuration checks that align to the \n - \ DISA STIG for Red Hat Enterprise Linux V1R4. \n - \ \n - \ In addition to being applicable to RHEL7, DISA recognizes this \n diff --git a/SOURCES/evaluate_new_package_cpes_to_true.patch b/SOURCES/evaluate_new_package_cpes_to_true.patch new file mode 100644 index 0000000..8915893 --- /dev/null +++ b/SOURCES/evaluate_new_package_cpes_to_true.patch @@ -0,0 +1,57 @@ +From 40ced7704f5e6f8166cd4e7b0fa273854c7c53ba Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Fri, 10 May 2019 14:27:51 +0200 +Subject: [PATCH] Evaluate Ansible platform macro True package CPE + +Other platforms were introduced, like yum, pam, shadow-utils... +Let's handle the case when platform is machine normally, and evaluate +the other platforms to True. +--- + shared/transforms/xccdf-addremediations.xslt | 24 ++++++++++++++++++++ + 1 file changed, 24 insertions(+) + +diff --git a/shared/transforms/xccdf-addremediations.xslt b/shared/transforms/xccdf-addremediations.xslt +index 360877b2f..6339c020e 100644 +--- a/shared/transforms/xccdf-addremediations.xslt ++++ b/shared/transforms/xccdf-addremediations.xslt +@@ -127,6 +127,9 @@ + + + ++ ++ ++ + + + +@@ -149,6 +152,27 @@ + + + ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ + + + +-- +2.20.1 + 
diff --git a/SOURCES/remove_dconf_use_text_backend_rule_from_profiles.patch b/SOURCES/remove_dconf_use_text_backend_rule_from_profiles.patch new file mode 100644 index 0000000..4bbb4a7 --- /dev/null +++ b/SOURCES/remove_dconf_use_text_backend_rule_from_profiles.patch 
@@ -0,0 +1,572 @@ +commit 23e988daddbaec48ad565eef28c45d858587a45c +Author: Gabriel Becker +Date: Fri May 24 13:56:54 2019 +0200 + + Remove dconf_use_text_backend rule from profiles. + + Rule is faulty and does not fix properly the dconf bugs. + +diff --git a/fedora/profiles/ospp.profile b/fedora/profiles/ospp.profile +index f13f97a..f33d348 100644 +--- a/fedora/profiles/ospp.profile ++++ b/fedora/profiles/ospp.profile +@@ -43,7 +43,6 @@ selections: + - sysctl_kernel_kptr_restrict + - sysctl_kernel_kexec_load_disabled + - sysctl_kernel_dmesg_restrict +- - dconf_use_text_backend + - dconf_gnome_screensaver_idle_activation_enabled + - dconf_gnome_screensaver_idle_delay + - dconf_gnome_screensaver_lock_delay +diff --git a/fedora/profiles/pci-dss.profile b/fedora/profiles/pci-dss.profile +index 0e6f543..5e47534 100644 +--- a/fedora/profiles/pci-dss.profile ++++ b/fedora/profiles/pci-dss.profile +@@ -98,7 +98,6 @@ selections: + - account_disable_post_pw_expiration + - accounts_passwords_pam_faillock_deny + - accounts_passwords_pam_faillock_unlock_time +- - dconf_use_text_backend + - dconf_gnome_screensaver_idle_delay + - dconf_gnome_screensaver_idle_activation_enabled + - dconf_gnome_screensaver_lock_enabled +diff --git a/linux_os/guide/system/software/gnome/gnome_login_screen/dconf_gnome_disable_restart_shutdown/rule.yml b/linux_os/guide/system/software/gnome/gnome_login_screen/dconf_gnome_disable_restart_shutdown/rule.yml +index c418384..28a39e8 100644 +--- a/linux_os/guide/system/software/gnome/gnome_login_screen/dconf_gnome_disable_restart_shutdown/rule.yml ++++ b/linux_os/guide/system/software/gnome/gnome_login_screen/dconf_gnome_disable_restart_shutdown/rule.yml +@@ -28,10 +28,6 @@ rationale: |- + + severity: high + +-warnings: +- - dependency: |- +- {{{ body_of_dconf_warning_about_dependent_rule() }}} +- + identifiers: + cce@rhel7: 80107-6 + +diff --git a/linux_os/guide/system/software/gnome/gnome_login_screen/dconf_gnome_disable_user_list/rule.yml 
b/linux_os/guide/system/software/gnome/gnome_login_screen/dconf_gnome_disable_user_list/rule.yml +index 1b3a0d3..bc15a48 100644 +--- a/linux_os/guide/system/software/gnome/gnome_login_screen/dconf_gnome_disable_user_list/rule.yml ++++ b/linux_os/guide/system/software/gnome/gnome_login_screen/dconf_gnome_disable_user_list/rule.yml +@@ -27,10 +27,6 @@ rationale: |- + + severity: medium + +-warnings: +- - dependency: |- +- {{{ body_of_dconf_warning_about_dependent_rule() }}} +- + identifiers: + cce@rhel7: 80106-8 + +diff --git a/linux_os/guide/system/software/gnome/gnome_login_screen/dconf_gnome_enable_smartcard_auth/rule.yml b/linux_os/guide/system/software/gnome/gnome_login_screen/dconf_gnome_enable_smartcard_auth/rule.yml +index a9d157d..e3f5e79 100644 +--- a/linux_os/guide/system/software/gnome/gnome_login_screen/dconf_gnome_enable_smartcard_auth/rule.yml ++++ b/linux_os/guide/system/software/gnome/gnome_login_screen/dconf_gnome_enable_smartcard_auth/rule.yml +@@ -26,10 +26,6 @@ rationale: |- + + severity: medium + +-warnings: +- - dependency: |- +- {{{ body_of_dconf_warning_about_dependent_rule() }}} +- + identifiers: + cce@rhel7: 80108-4 + +diff --git a/linux_os/guide/system/software/gnome/gnome_login_screen/dconf_gnome_login_retries/rule.yml b/linux_os/guide/system/software/gnome/gnome_login_screen/dconf_gnome_login_retries/rule.yml +index f4eed0d..7b02bc1 100644 +--- a/linux_os/guide/system/software/gnome/gnome_login_screen/dconf_gnome_login_retries/rule.yml ++++ b/linux_os/guide/system/software/gnome/gnome_login_screen/dconf_gnome_login_retries/rule.yml +@@ -27,10 +27,6 @@ rationale: |- + + severity: medium + +-warnings: +- - dependency: |- +- {{{ body_of_dconf_warning_about_dependent_rule() }}} +- + identifiers: + cce@rhel7: 80109-2 + cce@rhel8: 80771-9 +diff --git a/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount/rule.yml 
b/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount/rule.yml +index 7caf212..fbf9578 100644 +--- a/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount/rule.yml ++++ b/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount/rule.yml +@@ -31,10 +31,6 @@ rationale: |- + + severity: unknown + +-warnings: +- - dependency: |- +- {{{ body_of_dconf_warning_about_dependent_rule() }}} +- + identifiers: + cce@rhel7: 80122-5 + +diff --git a/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_thumbnailers/rule.yml b/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_thumbnailers/rule.yml +index 6081267..e239b46 100644 +--- a/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_thumbnailers/rule.yml ++++ b/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_thumbnailers/rule.yml +@@ -30,10 +30,6 @@ rationale: |- + + severity: unknown + +-warnings: +- - dependency: |- +- {{{ body_of_dconf_warning_about_dependent_rule() }}} +- + identifiers: + cce@rhel7: 80123-3 + +diff --git a/linux_os/guide/system/software/gnome/gnome_network_settings/dconf_gnome_disable_wifi_create/rule.yml b/linux_os/guide/system/software/gnome/gnome_network_settings/dconf_gnome_disable_wifi_create/rule.yml +index cbfaec0..9b1963b 100644 +--- a/linux_os/guide/system/software/gnome/gnome_network_settings/dconf_gnome_disable_wifi_create/rule.yml ++++ b/linux_os/guide/system/software/gnome/gnome_network_settings/dconf_gnome_disable_wifi_create/rule.yml +@@ -24,10 +24,6 @@ rationale: |- + + severity: medium + +-warnings: +- - dependency: |- +- {{{ body_of_dconf_warning_about_dependent_rule() }}} +- + identifiers: + cce@rhel7: 80118-3 + +diff --git a/linux_os/guide/system/software/gnome/gnome_network_settings/dconf_gnome_disable_wifi_notification/rule.yml 
b/linux_os/guide/system/software/gnome/gnome_network_settings/dconf_gnome_disable_wifi_notification/rule.yml +index 51f29ef..09f50e0 100644 +--- a/linux_os/guide/system/software/gnome/gnome_network_settings/dconf_gnome_disable_wifi_notification/rule.yml ++++ b/linux_os/guide/system/software/gnome/gnome_network_settings/dconf_gnome_disable_wifi_notification/rule.yml +@@ -24,10 +24,6 @@ rationale: |- + Wireless network connections should not be allowed to be configured by general + users on a given system as it could open the system to backdoor attacks. + +-warnings: +- - dependency: |- +- {{{ body_of_dconf_warning_about_dependent_rule() }}} +- + severity: medium + + identifiers: +diff --git a/linux_os/guide/system/software/gnome/gnome_remote_access_settings/dconf_gnome_remote_access_credential_prompt/rule.yml b/linux_os/guide/system/software/gnome/gnome_remote_access_settings/dconf_gnome_remote_access_credential_prompt/rule.yml +index a5927e7..872514b 100644 +--- a/linux_os/guide/system/software/gnome/gnome_remote_access_settings/dconf_gnome_remote_access_credential_prompt/rule.yml ++++ b/linux_os/guide/system/software/gnome/gnome_remote_access_settings/dconf_gnome_remote_access_credential_prompt/rule.yml +@@ -22,10 +22,6 @@ rationale: |- + Username and password prompting is required for remote access. Otherwise, non-authorized + and nefarious users can access the system freely. 
+ +-warnings: +- - dependency: |- +- {{{ body_of_dconf_warning_about_dependent_rule() }}} +- + severity: medium + + identifiers: +diff --git a/linux_os/guide/system/software/gnome/gnome_remote_access_settings/dconf_gnome_remote_access_encryption/rule.yml b/linux_os/guide/system/software/gnome/gnome_remote_access_settings/dconf_gnome_remote_access_encryption/rule.yml +index 825348f..101b148 100644 +--- a/linux_os/guide/system/software/gnome/gnome_remote_access_settings/dconf_gnome_remote_access_encryption/rule.yml ++++ b/linux_os/guide/system/software/gnome/gnome_remote_access_settings/dconf_gnome_remote_access_encryption/rule.yml +@@ -22,10 +22,6 @@ rationale: |- + Open X displays allow an attacker to capture keystrokes and to execute commands + remotely. + +-warnings: +- - dependency: |- +- {{{ body_of_dconf_warning_about_dependent_rule() }}} +- + severity: medium + + identifiers: +diff --git a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_idle_activation_enabled/rule.yml b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_idle_activation_enabled/rule.yml +index 730844f..82a88d7 100644 +--- a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_idle_activation_enabled/rule.yml ++++ b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_idle_activation_enabled/rule.yml +@@ -29,10 +29,6 @@ rationale: |- + login session does not have administrator rights and the display station is located in a + controlled-access area. 
+ +-warnings: +- - dependency: |- +- {{{ body_of_dconf_warning_about_dependent_rule() }}} +- + severity: medium + + identifiers: +diff --git a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_idle_activation_locked/rule.yml b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_idle_activation_locked/rule.yml +index da3f041..d2980f0 100644 +--- a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_idle_activation_locked/rule.yml ++++ b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_idle_activation_locked/rule.yml +@@ -16,10 +16,6 @@ rationale: |- + A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity + of the information system but does not want to logout because of the temporary nature of the absense. + +-warnings: +- - dependency: |- +- {{{ body_of_dconf_warning_about_dependent_rule() }}} +- + severity: medium + + identifiers: +diff --git a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_idle_delay/rule.yml b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_idle_delay/rule.yml +index ac6c968..db8dcbb 100644 +--- a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_idle_delay/rule.yml ++++ b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_idle_delay/rule.yml +@@ -26,10 +26,6 @@ rationale: |- + system session prior to vacating the vicinity, GNOME3 can be configured to identify when + a user's session has idled and take action to initiate a session lock. 
+ +-warnings: +- - dependency: |- +- {{{ body_of_dconf_warning_about_dependent_rule() }}} +- + severity: medium + + identifiers: +diff --git a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_lock_delay/rule.yml b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_lock_delay/rule.yml +index 42f0d11..a66c458 100644 +--- a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_lock_delay/rule.yml ++++ b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_lock_delay/rule.yml +@@ -21,10 +21,6 @@ rationale: |- + A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity + of the information system but does not want to logout because of the temporary nature of the absense. + +-warnings: +- - dependency: |- +- {{{ body_of_dconf_warning_about_dependent_rule() }}} +- + severity: medium + + identifiers: +diff --git a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_lock_enabled/rule.yml b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_lock_enabled/rule.yml +index 842bcf4..bf007d3 100644 +--- a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_lock_enabled/rule.yml ++++ b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_lock_enabled/rule.yml +@@ -21,10 +21,6 @@ rationale: |- + A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity + of the information system but does not want to logout because of the temporary nature of the absense. 
+ +-warnings: +- - dependency: |- +- {{{ body_of_dconf_warning_about_dependent_rule() }}} +- + severity: medium + + identifiers: +diff --git a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_lock_locked/rule.yml b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_lock_locked/rule.yml +index da8cbe7..e6b459a 100644 +--- a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_lock_locked/rule.yml ++++ b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_lock_locked/rule.yml +@@ -16,10 +16,6 @@ rationale: |- + A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity + of the information system but does not want to logout because of the temporary nature of the absense. + +-warnings: +- - dependency: |- +- {{{ body_of_dconf_warning_about_dependent_rule() }}} +- + severity: medium + + identifiers: +diff --git a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_mode_blank/rule.yml b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_mode_blank/rule.yml +index e792620..c81ee8e 100644 +--- a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_mode_blank/rule.yml ++++ b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_mode_blank/rule.yml +@@ -21,10 +21,6 @@ rationale: |- + Setting the screensaver mode to blank-only conceals the + contents of the display from passersby. 
+ +-warnings: +- - dependency: |- +- {{{ body_of_dconf_warning_about_dependent_rule() }}} +- + severity: medium + + identifiers: +diff --git a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_user_info/rule.yml b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_user_info/rule.yml +index 3640d34..6ecf953 100644 +--- a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_user_info/rule.yml ++++ b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_user_info/rule.yml +@@ -23,10 +23,6 @@ rationale: |- + Setting the splash screen to not reveal the logged in user's name + conceals who has access to the system from passersby. + +-warnings: +- - dependency: |- +- {{{ body_of_dconf_warning_about_dependent_rule() }}} +- + severity: medium + + identifiers: +diff --git a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_user_locks/rule.yml b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_user_locks/rule.yml +index 30a29ea..87f690b 100644 +--- a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_user_locks/rule.yml ++++ b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_user_locks/rule.yml +@@ -19,10 +19,6 @@ rationale: |- + GNOME desktops can be configured to identify when a user's session has idled and take action to initiate the + session lock. As such, users should not be allowed to change session settings. 
+ +-warnings: +- - dependency: |- +- {{{ body_of_dconf_warning_about_dependent_rule() }}} +- + severity: medium + + identifiers: +diff --git a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_session_idle_user_locks/rule.yml b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_session_idle_user_locks/rule.yml +index 9ca213d..0d094ca 100644 +--- a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_session_idle_user_locks/rule.yml ++++ b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_session_idle_user_locks/rule.yml +@@ -19,10 +19,6 @@ rationale: |- + GNOME desktops can be configured to identify when a user's session has idled and take action to initiate the + session lock. As such, users should not be allowed to change session settings. + +-warnings: +- - dependency: |- +- {{{ body_of_dconf_warning_about_dependent_rule() }}} +- + severity: medium + + identifiers: +diff --git a/linux_os/guide/system/software/gnome/gnome_system_settings/dconf_gnome_disable_ctrlaltdel_reboot/rule.yml b/linux_os/guide/system/software/gnome/gnome_system_settings/dconf_gnome_disable_ctrlaltdel_reboot/rule.yml +index e7c5054..e1f3a95 100644 +--- a/linux_os/guide/system/software/gnome/gnome_system_settings/dconf_gnome_disable_ctrlaltdel_reboot/rule.yml ++++ b/linux_os/guide/system/software/gnome/gnome_system_settings/dconf_gnome_disable_ctrlaltdel_reboot/rule.yml +@@ -26,10 +26,6 @@ rationale: |- + the case of mixed OS environment, this can create the risk of short-term + loss of availability of systems due to unintentional reboot. 
+ +-warnings: +- - dependency: |- +- {{{ body_of_dconf_warning_about_dependent_rule() }}} +- + severity: high + + identifiers: +diff --git a/linux_os/guide/system/software/gnome/gnome_system_settings/dconf_gnome_disable_geolocation/rule.yml b/linux_os/guide/system/software/gnome/gnome_system_settings/dconf_gnome_disable_geolocation/rule.yml +index 647d024..083d81b 100644 +--- a/linux_os/guide/system/software/gnome/gnome_system_settings/dconf_gnome_disable_geolocation/rule.yml ++++ b/linux_os/guide/system/software/gnome/gnome_system_settings/dconf_gnome_disable_geolocation/rule.yml +@@ -29,10 +29,6 @@ rationale: |- + Enabling power settings on non-mobile devices could have unintended processing + consequences on standard systems. + +-warnings: +- - dependency: |- +- {{{ body_of_dconf_warning_about_dependent_rule() }}} +- + severity: medium + + identifiers: +diff --git a/linux_os/guide/system/software/gnome/gnome_system_settings/dconf_gnome_disable_power_settings/rule.yml b/linux_os/guide/system/software/gnome/gnome_system_settings/dconf_gnome_disable_power_settings/rule.yml +index 5a62042..c983409 100644 +--- a/linux_os/guide/system/software/gnome/gnome_system_settings/dconf_gnome_disable_power_settings/rule.yml ++++ b/linux_os/guide/system/software/gnome/gnome_system_settings/dconf_gnome_disable_power_settings/rule.yml +@@ -24,10 +24,6 @@ rationale: |- + Enabling power settings on non-mobile devices could have unintended processing + consequences on standard systems. 
+ +-warnings: +- - dependency: |- +- {{{ body_of_dconf_warning_about_dependent_rule() }}} +- + severity: medium + + identifiers: +diff --git a/linux_os/guide/system/software/gnome/gnome_system_settings/dconf_gnome_disable_user_admin/rule.yml b/linux_os/guide/system/software/gnome/gnome_system_settings/dconf_gnome_disable_user_admin/rule.yml +index e521d91..28265ac 100644 +--- a/linux_os/guide/system/software/gnome/gnome_system_settings/dconf_gnome_disable_user_admin/rule.yml ++++ b/linux_os/guide/system/software/gnome/gnome_system_settings/dconf_gnome_disable_user_admin/rule.yml +@@ -26,10 +26,6 @@ rationale: |- + unintended configuration changes as well as a nefarious user the capability to make system + changes such as adding new accounts, etc. + +-warnings: +- - dependency: |- +- {{{ body_of_dconf_warning_about_dependent_rule() }}} +- + severity: high + + identifiers: +diff --git a/ol7/profiles/pci-dss.profile b/ol7/profiles/pci-dss.profile +index 8f2a5cc..acfe1be 100644 +--- a/ol7/profiles/pci-dss.profile ++++ b/ol7/profiles/pci-dss.profile +@@ -108,7 +108,6 @@ selections: + - accounts_passwords_pam_faillock_deny + - accounts_passwords_pam_faillock_unlock_time + - account_unique_name +- - dconf_use_text_backend + - dconf_gnome_screensaver_idle_activation_enabled + - dconf_gnome_screensaver_idle_delay + - dconf_gnome_screensaver_lock_enabled +diff --git a/ol7/profiles/stig-ol7-disa.profile b/ol7/profiles/stig-ol7-disa.profile +index 0c9cd56..f9d2f4c 100644 +--- a/ol7/profiles/stig-ol7-disa.profile ++++ b/ol7/profiles/stig-ol7-disa.profile +@@ -109,7 +109,6 @@ selections: + - audit_rules_usergroup_modification_opasswd + - audit_rules_usergroup_modification_passwd + - audit_rules_usergroup_modification_shadow +- - dconf_use_text_backend + - dconf_gnome_screensaver_idle_activation_enabled + - dconf_gnome_screensaver_idle_activation_locked + - dconf_gnome_screensaver_idle_delay +diff --git a/ol8/profiles/ospp.profile b/ol8/profiles/ospp.profile +index 
9309177..9e5b245 100644 +--- a/ol8/profiles/ospp.profile ++++ b/ol8/profiles/ospp.profile +@@ -42,7 +42,6 @@ selections: + - sysctl_kernel_kptr_restrict + - sysctl_kernel_kexec_load_disabled + - sysctl_kernel_dmesg_restrict +- - dconf_use_text_backend + - dconf_gnome_screensaver_idle_activation_enabled + - dconf_gnome_screensaver_idle_delay + - dconf_gnome_screensaver_lock_delay +diff --git a/ol8/profiles/pci-dss.profile b/ol8/profiles/pci-dss.profile +index d7d5909..ef6c60f 100644 +--- a/ol8/profiles/pci-dss.profile ++++ b/ol8/profiles/pci-dss.profile +@@ -122,7 +122,6 @@ selections: + - accounts_passwords_pam_faillock_deny + - accounts_passwords_pam_faillock_unlock_time + - account_unique_name +- - dconf_use_text_backend + - dconf_gnome_screensaver_idle_activation_enabled + - dconf_gnome_screensaver_idle_delay + - dconf_gnome_screensaver_lock_enabled +diff --git a/rhel7/profiles/C2S.profile b/rhel7/profiles/C2S.profile +index 3d6b4f3..6580595 100644 +--- a/rhel7/profiles/C2S.profile ++++ b/rhel7/profiles/C2S.profile +@@ -70,7 +70,6 @@ selections: + - selinux_confinement_of_daemons + - banner_etc_issue + - login_banner_text=usgcb_default +- - dconf_use_text_backend + - dconf_gnome_login_banner_text + - dconf_gnome_banner_enabled + - security_patches_up_to_date +diff --git a/rhel7/profiles/cjis.profile b/rhel7/profiles/cjis.profile +index 1bf4006..a7f8c0b 100644 +--- a/rhel7/profiles/cjis.profile ++++ b/rhel7/profiles/cjis.profile +@@ -86,7 +86,6 @@ selections: + - var_password_pam_retry=5 + - var_accounts_passwords_pam_faillock_deny=5 + - var_accounts_passwords_pam_faillock_unlock_time=600 +- - dconf_use_text_backend + - dconf_gnome_screensaver_idle_delay + - dconf_gnome_screensaver_idle_activation_enabled + - dconf_gnome_screensaver_lock_enabled +diff --git a/rhel7/profiles/hipaa.profile b/rhel7/profiles/hipaa.profile +index 719093b..76fb4a8 100644 +--- a/rhel7/profiles/hipaa.profile ++++ b/rhel7/profiles/hipaa.profile +@@ -28,7 +28,6 @@ selections: + - 
service_debug-shell_disabled + - disable_ctrlaltdel_reboot + - disable_ctrlaltdel_burstaction +- - dconf_use_text_backend + - dconf_gnome_remote_access_credential_prompt + - dconf_gnome_remote_access_encryption + - sshd_disable_empty_passwords +diff --git a/rhel7/profiles/ospp.profile b/rhel7/profiles/ospp.profile +index a4357a6..36e5d7e 100644 +--- a/rhel7/profiles/ospp.profile ++++ b/rhel7/profiles/ospp.profile +@@ -401,7 +401,6 @@ selections: + - network_sniffer_disabled + - network_ipv6_disable_rpc + - network_ipv6_privacy_extensions +- - dconf_use_text_backend + - dconf_gnome_banner_enabled + - dconf_gnome_disable_automount + - dconf_gnome_disable_ctrlaltdel_reboot +diff --git a/rhel7/profiles/ospp42.profile b/rhel7/profiles/ospp42.profile +index e2173c9..dbd1935 100644 +--- a/rhel7/profiles/ospp42.profile ++++ b/rhel7/profiles/ospp42.profile +@@ -42,7 +42,6 @@ selections: + - sysctl_kernel_kptr_restrict + - sysctl_kernel_kexec_load_disabled + - sysctl_kernel_dmesg_restrict +- - dconf_use_text_backend + - dconf_gnome_screensaver_idle_activation_enabled + - dconf_gnome_screensaver_idle_delay + - dconf_gnome_screensaver_lock_delay +diff --git a/rhel7/profiles/pci-dss.profile b/rhel7/profiles/pci-dss.profile +index 7ba7873..da56ff1 100644 +--- a/rhel7/profiles/pci-dss.profile ++++ b/rhel7/profiles/pci-dss.profile +@@ -79,7 +79,6 @@ selections: + - account_disable_post_pw_expiration + - accounts_passwords_pam_faillock_deny + - accounts_passwords_pam_faillock_unlock_time +- - dconf_use_text_backend + - dconf_gnome_screensaver_idle_delay + - dconf_gnome_screensaver_idle_activation_enabled + - dconf_gnome_screensaver_lock_enabled +diff --git a/rhel7/profiles/stig-rhel7-disa.profile b/rhel7/profiles/stig-rhel7-disa.profile +index 9f8e9ab..245efd7 100644 +--- a/rhel7/profiles/stig-rhel7-disa.profile ++++ b/rhel7/profiles/stig-rhel7-disa.profile +@@ -56,7 +56,6 @@ selections: + - rpm_verify_permissions + - rpm_verify_ownership + - rpm_verify_hashes +- - 
dconf_use_text_backend + - dconf_gnome_banner_enabled + - dconf_gnome_login_banner_text + - banner_etc_issue +diff --git a/rhel8/profiles/cjis.profile b/rhel8/profiles/cjis.profile +index 288fbf0..ec225d8 100644 +--- a/rhel8/profiles/cjis.profile ++++ b/rhel8/profiles/cjis.profile +@@ -86,7 +86,6 @@ selections: + - var_password_pam_retry=5 + - var_accounts_passwords_pam_faillock_deny=5 + - var_accounts_passwords_pam_faillock_unlock_time=600 +- - dconf_use_text_backend + - dconf_gnome_screensaver_idle_delay + - dconf_gnome_screensaver_idle_activation_enabled + - dconf_gnome_screensaver_lock_enabled +diff --git a/rhel8/profiles/hipaa.profile b/rhel8/profiles/hipaa.profile +index f5533f1..d44960d 100644 +--- a/rhel8/profiles/hipaa.profile ++++ b/rhel8/profiles/hipaa.profile +@@ -28,7 +28,6 @@ selections: + - service_debug-shell_disabled + - disable_ctrlaltdel_reboot + - disable_ctrlaltdel_burstaction +- - dconf_use_text_backend + - dconf_gnome_remote_access_credential_prompt + - dconf_gnome_remote_access_encryption + - sshd_disable_empty_passwords +diff --git a/rhel8/profiles/ospp.profile b/rhel8/profiles/ospp.profile +index 3c6e193..31b4be5 100644 +--- a/rhel8/profiles/ospp.profile ++++ b/rhel8/profiles/ospp.profile +@@ -219,7 +219,6 @@ selections: + ### FMT_MOF_EXT.1 / AC-11(a) + ### Enable Screen Lock + - package_tmux_installed +- - dconf_use_text_backend + - dconf_gnome_screensaver_idle_activation_enabled + - dconf_gnome_screensaver_idle_delay + - dconf_gnome_screensaver_lock_delay +diff --git a/rhel8/profiles/pci-dss.profile b/rhel8/profiles/pci-dss.profile +index 6b73cd8..3894da0 100644 +--- a/rhel8/profiles/pci-dss.profile ++++ b/rhel8/profiles/pci-dss.profile +@@ -98,7 +98,6 @@ selections: + - account_disable_post_pw_expiration + - accounts_passwords_pam_faillock_deny + - accounts_passwords_pam_faillock_unlock_time +- - dconf_use_text_backend + - dconf_gnome_screensaver_idle_delay + - dconf_gnome_screensaver_idle_activation_enabled + - 
dconf_gnome_screensaver_lock_enabled diff --git a/SOURCES/scap-security-guide-0.1.33-update-upstream-manual-page.patch b/SOURCES/scap-security-guide-0.1.33-update-upstream-manual-page.patch deleted file mode 100644 index 6a437b2..0000000 --- a/SOURCES/scap-security-guide-0.1.33-update-upstream-manual-page.patch +++ /dev/null @@ -1,29 +0,0 @@ -diff --git a/docs/scap-security-guide.8 b/docs/scap-security-guide.8 -index 10b83bc..305957b 100644 ---- a/docs/scap-security-guide.8 -+++ b/docs/scap-security-guide.8 -@@ -301,24 +301,6 @@ This profile configures Red Hat Enterprise Linux 7 to the NIST Special Publicati - for securing Controlled Unclassified Information (CUI). - - --.SH Fedora PROFILES --The Fedora SSG content is broken into 'profiles,' groupings of security settings that --correlate to a known policy. Currently available profile: -- --.I common --.RS --The common profile is intended to be used as a base, universal profile for --scanning of general-purpose Fedora systems. --.RE -- --.I standard --.RS --The Standard System Security Profile contains rules to ensure standard security --baseline of a Fedora system. --Regardless of your system's workload all of these checks should pass. --.RE -- -- - .SH EXAMPLES - To scan your system utilizing the OpenSCAP utility against the - ospp profile: diff --git a/SOURCES/scap-security-guide-0.1.41-audit_file_deletion.patch b/SOURCES/scap-security-guide-0.1.41-audit_file_deletion.patch deleted file mode 100644 index 9ec4614..0000000 --- a/SOURCES/scap-security-guide-0.1.41-audit_file_deletion.patch +++ /dev/null 
@@ -1,275 +0,0 @@ -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_rename.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_rename.rule -new file mode 100644 -index 0000000000..3fdcb3e89d ---- /dev/null -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_rename.rule -@@ -0,0 +1,46 @@ -+documentation_complete: true -+ -+prodtype: rhel7,fedora -+ -+title: 'Record Unsuccessul Delete Attempts to Files - rename' -+ -+description: |- -+ The audit system should collect unsuccessful file deletion -+ attempts for all users and root. If the auditd daemon is configured -+ to use the augenrules program to read audit rules during daemon -+ startup (the default), add the following lines to a file with suffix -+ .rules in the directory /etc/audit/rules.d. -+ If the auditd daemon is configured to use the auditctl -+ utility to read audit rules during daemon startup, add the following lines to -+ /etc/audit/audit.rules file. -+
-a always,exit -F arch=b32 -S rename -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
-+    -a always,exit -F arch=b32 -S rename -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
-+ If the system is 64 bit then also add the following lines: -+
-+    -a always,exit -F arch=b64 -S rename -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
-+    -a always,exit -F arch=b64 -S rename -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
-+ -+rationale: |- -+ Unsuccessful attempts to delete files could be an indicator of malicious activity on a system. Auditing -+ these events could serve as evidence of potential system compromise. -+ -+severity: medium -+ -+references: -+ cis: 5.2.10 -+ cui: 3.1.7 -+ disa: 172,2884 -+ hipaa: 164.308(a)(1)(ii)(D),164.308(a)(3)(ii)(A),164.308(a)(5)(ii)(C),164.312(a)(2)(i),164.312(b),164.312(d),164.312(e) -+ nist: AC-17(7),AU-1(b),AU-2(a),AU-2(c),AU-2(d),AU-12(a),AU-12(c),IR-5 -+ ospp@rhel7: FAU_GEN.1.1.c -+ pcidss: Req-10.2.4,Req-10.2.1 -+ srg: SRG-OS-000064-GPOS-00033,SRG-OS-000458-GPOS-00203,SRG-OS-000461-GPOS-00205,SRG-OS-000392-GPOS-00172 -+ -+{{{ complete_ocil_entry_audit_syscall(syscall="rename") }}} -+ -+warnings: -+ - general: |- -+ Note that these rules can be configured in a -+ number of ways while still achieving the desired effect. Here the system calls -+ have been placed independent of other system calls. Grouping these system -+ calls with others as identifying earlier in this guide is more efficient. -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_renameat.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_renameat.rule -new file mode 100644 -index 0000000000..848ea3256e ---- /dev/null -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_renameat.rule -@@ -0,0 +1,46 @@ -+documentation_complete: true -+ -+prodtype: rhel7,fedora -+ -+title: 'Record Unsuccessul Delete Attempts to Files - renameat' -+ -+description: |- -+ The audit system should collect unsuccessful file deletion -+ attempts for all users and root. 
If the auditd daemon is configured -+ to use the augenrules program to read audit rules during daemon -+ startup (the default), add the following lines to a file with suffix -+ .rules in the directory /etc/audit/rules.d. -+ If the auditd daemon is configured to use the auditctl -+ utility to read audit rules during daemon startup, add the following lines to -+ /etc/audit/audit.rules file. -+
-a always,exit -F arch=b32 -S renameat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
-+    -a always,exit -F arch=b32 -S renameat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
-+ If the system is 64 bit then also add the following lines: -+
-+    -a always,exit -F arch=b64 -S renameat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
-+    -a always,exit -F arch=b64 -S renameat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
-+ -+rationale: |- -+ Unsuccessful attempts to delete files could be an indicator of malicious activity on a system. Auditing -+ these events could serve as evidence of potential system compromise. -+ -+severity: medium -+ -+references: -+ cis: 5.2.10 -+ cui: 3.1.7 -+ disa: 172,2884 -+ hipaa: 164.308(a)(1)(ii)(D),164.308(a)(3)(ii)(A),164.308(a)(5)(ii)(C),164.312(a)(2)(i),164.312(b),164.312(d),164.312(e) -+ nist: AC-17(7),AU-1(b),AU-2(a),AU-2(c),AU-2(d),AU-12(a),AU-12(c),IR-5 -+ ospp@rhel7: FAU_GEN.1.1.c -+ pcidss: Req-10.2.4,Req-10.2.1 -+ srg: SRG-OS-000064-GPOS-00033,SRG-OS-000458-GPOS-00203,SRG-OS-000461-GPOS-00205,SRG-OS-000392-GPOS-00172 -+ -+{{{ complete_ocil_entry_audit_syscall(syscall="renameat") }}} -+ -+warnings: -+ - general: |- -+ Note that these rules can be configured in a -+ number of ways while still achieving the desired effect. Here the system calls -+ have been placed independent of other system calls. Grouping these system -+ calls with others as identifying earlier in this guide is more efficient. -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_unlink.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_unlink.rule -new file mode 100644 -index 0000000000..8a64a965ea ---- /dev/null -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_unlink.rule -@@ -0,0 +1,46 @@ -+documentation_complete: true -+ -+prodtype: rhel7,fedora -+ -+title: 'Record Unsuccessul Delete Attempts to Files - unlink' -+ -+description: |- -+ The audit system should collect unsuccessful file deletion -+ attempts for all users and root. 
If the auditd daemon is configured -+ to use the augenrules program to read audit rules during daemon -+ startup (the default), add the following lines to a file with suffix -+ .rules in the directory /etc/audit/rules.d. -+ If the auditd daemon is configured to use the auditctl -+ utility to read audit rules during daemon startup, add the following lines to -+ /etc/audit/audit.rules file. -+
-a always,exit -F arch=b32 -S unlink -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
-+    -a always,exit -F arch=b32 -S unlink -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
-+ If the system is 64 bit then also add the following lines: -+
-+    -a always,exit -F arch=b64 -S unlink -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
-+    -a always,exit -F arch=b64 -S unlink -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
-+ -+rationale: |- -+ Unsuccessful attempts to delete files could be an indicator of malicious activity on a system. Auditing -+ these events could serve as evidence of potential system compromise. -+ -+severity: medium -+ -+references: -+ cis: 5.2.10 -+ cui: 3.1.7 -+ disa: 172,2884 -+ hipaa: 164.308(a)(1)(ii)(D),164.308(a)(3)(ii)(A),164.308(a)(5)(ii)(C),164.312(a)(2)(i),164.312(b),164.312(d),164.312(e) -+ nist: AC-17(7),AU-1(b),AU-2(a),AU-2(c),AU-2(d),AU-12(a),AU-12(c),IR-5 -+ ospp@rhel7: FAU_GEN.1.1.c -+ pcidss: Req-10.2.4,Req-10.2.1 -+ srg: SRG-OS-000064-GPOS-00033,SRG-OS-000458-GPOS-00203,SRG-OS-000461-GPOS-00205,SRG-OS-000392-GPOS-00172 -+ -+{{{ complete_ocil_entry_audit_syscall(syscall="unlink") }}} -+ -+warnings: -+ - general: |- -+ Note that these rules can be configured in a -+ number of ways while still achieving the desired effect. Here the system calls -+ have been placed independent of other system calls. Grouping these system -+ calls with others as identifying earlier in this guide is more efficient. -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_unlinkat.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_unlinkat.rule -new file mode 100644 -index 0000000000..c89d7d880b ---- /dev/null -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_unlinkat.rule -@@ -0,0 +1,46 @@ -+documentation_complete: true -+ -+prodtype: rhel7,fedora -+ -+title: 'Record Unsuccessul Delete Attempts to Files - unlinkat' -+ -+description: |- -+ The audit system should collect unsuccessful file deletion -+ attempts for all users and root. 
If the auditd daemon is configured -+ to use the augenrules program to read audit rules during daemon -+ startup (the default), add the following lines to a file with suffix -+ .rules in the directory /etc/audit/rules.d. -+ If the auditd daemon is configured to use the auditctl -+ utility to read audit rules during daemon startup, add the following lines to -+ /etc/audit/audit.rules file. -+
-a always,exit -F arch=b32 -S unlinkat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
-+    -a always,exit -F arch=b32 -S unlinkat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
-+ If the system is 64 bit then also add the following lines: -+
-+    -a always,exit -F arch=b64 -S unlinkat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
-+    -a always,exit -F arch=b64 -S unlinkat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
-+ -+rationale: |- -+ Unsuccessful attempts to delete files could be an indicator of malicious activity on a system. Auditing -+ these events could serve as evidence of potential system compromise. -+ -+severity: medium -+ -+references: -+ cis: 5.2.10 -+ cui: 3.1.7 -+ disa: 172,2884 -+ hipaa: 164.308(a)(1)(ii)(D),164.308(a)(3)(ii)(A),164.308(a)(5)(ii)(C),164.312(a)(2)(i),164.312(b),164.312(d),164.312(e) -+ nist: AC-17(7),AU-1(b),AU-2(a),AU-2(c),AU-2(d),AU-12(a),AU-12(c),IR-5 -+ ospp@rhel7: FAU_GEN.1.1.c -+ pcidss: Req-10.2.4,Req-10.2.1 -+ srg: SRG-OS-000064-GPOS-00033,SRG-OS-000458-GPOS-00203,SRG-OS-000461-GPOS-00205,SRG-OS-000392-GPOS-00172 -+ -+{{{ complete_ocil_entry_audit_syscall(syscall="unlinkat") }}} -+ -+warnings: -+ - general: |- -+ Note that these rules can be configured in a -+ number of ways while still achieving the desired effect. Here the system calls -+ have been placed independent of other system calls. Grouping these system -+ calls with others as identifying earlier in this guide is more efficient. 
-diff --git a/rhel7/profiles/ospp42-draft.profile b/rhel7/profiles/ospp42-draft.profile -index 6ca2b4b58f..1f5e45a436 100644 ---- a/rhel7/profiles/ospp42-draft.profile -+++ b/rhel7/profiles/ospp42-draft.profile -@@ -90,6 +90,10 @@ selections: - - audit_rules_unsuccessful_file_modification_open - - audit_rules_unsuccessful_file_modification_ftruncate - - audit_rules_unsuccessful_file_modification_truncate -+ - audit_rules_unsuccessful_file_modification_unlink -+ - audit_rules_unsuccessful_file_modification_unlinkat -+ - audit_rules_unsuccessful_file_modification_rename -+ - audit_rules_unsuccessful_file_modification_renameat - - audit_rules_file_deletion_events_renameat - - audit_rules_file_deletion_events_rename - - audit_rules_file_deletion_events_rmdir -diff --git a/shared/templates/csv/audit_rules_unsuccessful_file_modification.csv b/shared/templates/csv/audit_rules_unsuccessful_file_modification.csv -index 632bd19a68..3246204984 100644 ---- a/shared/templates/csv/audit_rules_unsuccessful_file_modification.csv -+++ b/shared/templates/csv/audit_rules_unsuccessful_file_modification.csv -@@ -3,4 +3,8 @@ ftruncate - open - openat - open_by_handle_at -+rename -+renameat - truncate -+unlink -+unlinkat -diff --git a/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_unsuccessful_file_modification/rule_audit_rules_unsuccessful_file_modification_unlink/default.pass.sh b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_unsuccessful_file_modification/rule_audit_rules_unsuccessful_file_modification_unlink/default.pass.sh -new file mode 100644 -index 0000000000..a6b47565ea ---- /dev/null -+++ b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_unsuccessful_file_modification/rule_audit_rules_unsuccessful_file_modification_unlink/default.pass.sh -@@ -0,0 +1,8 @@ -+#!/bin/bash -+ -+# profiles = xccdf_org.ssgproject.content_profile_ospp -+ -+echo "-a always,exit -F arch=b32 -S unlink -F 
exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-delete" >> /etc/audit/rules.d/unsuccessful-delete.rules -+echo "-a always,exit -F arch=b64 -S unlink -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-delete" >> /etc/audit/rules.d/unsuccessful-delete.rules -+echo "-a always,exit -F arch=b32 -S unlink -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-delete" >> /etc/audit/rules.d/unsuccessful-delete.rules -+echo "-a always,exit -F arch=b64 -S unlink -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-delete" >> /etc/audit/rules.d/unsuccessful-delete.rules -diff --git a/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_unsuccessful_file_modification/rule_audit_rules_unsuccessful_file_modification_unlink/empty.fail.sh b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_unsuccessful_file_modification/rule_audit_rules_unsuccessful_file_modification_unlink/empty.fail.sh -new file mode 100644 -index 0000000000..d703da5cf8 ---- /dev/null -+++ b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_unsuccessful_file_modification/rule_audit_rules_unsuccessful_file_modification_unlink/empty.fail.sh -@@ -0,0 +1,7 @@ -+#!/bin/bash -+ -+# profiles = xccdf_org.ssgproject.content_profile_ospp -+ -+rm -f /etc/audit/rules.d/* -+> /etc/audit/audit.rules -+true -diff --git a/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_unsuccessful_file_modification/rule_audit_rules_unsuccessful_file_modification_unlink/only_eacces.fail.sh b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_unsuccessful_file_modification/rule_audit_rules_unsuccessful_file_modification_unlink/only_eacces.fail.sh -new file mode 100644 -index 0000000000..07d6e6b22b ---- /dev/null -+++ 
b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_unsuccessful_file_modification/rule_audit_rules_unsuccessful_file_modification_unlink/only_eacces.fail.sh -@@ -0,0 +1,6 @@ -+#!/bin/bash -+ -+# profiles = xccdf_org.ssgproject.content_profile_ospp -+ -+echo "-a always,exit -F arch=b32 -S unlink -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-delete" >> /etc/audit/rules.d/unsuccessful-delete.rules -+echo "-a always,exit -F arch=b64 -S unlink -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-delete" >> /etc/audit/rules.d/unsuccessful-delete.rules diff --git a/SOURCES/scap-security-guide-0.1.41-audit_file_open.patch b/SOURCES/scap-security-guide-0.1.41-audit_file_open.patch deleted file mode 100644 index 90741fd..0000000 --- a/SOURCES/scap-security-guide-0.1.41-audit_file_open.patch +++ /dev/null 
@@ -1,1157 +0,0 @@ -diff --git a/shared/checks/oval/audit_rules_unsuccessful_file_modification_open_o_creat.xml b/shared/checks/oval/audit_rules_unsuccessful_file_modification_open_o_creat.xml -new file mode 100644 -index 0000000000..3eb97c1234 ---- /dev/null -+++ b/shared/checks/oval/audit_rules_unsuccessful_file_modification_open_o_creat.xml -@@ -0,0 +1,200 @@ -+ -+ -+ -+ Ensure auditd Collects Information on Unsuccesful Creation Attempts to Files - open o_creat -+ -+ Red Hat Enterprise Linux 7 -+ multi_platform_fedora -+ -+ Audit rules about the information on the unsuccessful use of open O_CREAT is enabled. -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S(?:[\s]+open[\s]+|(?:[\s]+|[,])open(?:[\s]+|[,])))[\S]*[\s]* -+ -+ -+ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S(?:[\s]+open[\s]+|(?:[\s]+|[,])open(?:[\s]+|[,])))[\S]*[\s]* -+ -+ -+ [\s]+(?:-F\s+auid>={{{ auid }}}[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ -+ -+ -+ -+ -+ (?:[^.]|\.\s)* -+ -+ -+ -+ -+ -+ -+ (?:-F\s+a2&0100)[\s]+(?:-F\s+exit=-EACCES) -+ -+ -+ -+ -+ -+ -+ -+ -+ (?:-F\s+a2&0100)[\s]+(?:-F\s+exit=-EPERM) -+ -+ -+ -+ -+ -+ -+ -+ -+ (?:-F\s+a2&0100)[\s]+(?:-F\s+exit=-EACCES) -+ -+ -+ -+ -+ -+ -+ -+ -+ (?:-F\s+a2&0100)[\s]+(?:-F\s+exit=-EPERM) -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ /etc/audit/rules\.d/.*\.rules -+ -+ 1 -+ -+ -+ -+ -+ -+ -+ -+ -+ /etc/audit/rules\.d/.*\.rules -+ -+ 1 -+ -+ -+ -+ -+ -+ -+ -+ -+ /etc/audit/rules\.d/.*\.rules -+ -+ 1 -+ -+ -+ -+ -+ -+ -+ -+ -+ /etc/audit/rules\.d/.*\.rules -+ -+ 1 -+ -+ -+ -+ -+ -+ -+ -+ -+ /etc/audit/rules\.d/.*\.rules -+ -+ 1 -+ -+ -+ -+ -+ -+ -+ -+ -+ /etc/audit/rules\.d/.*\.rules -+ -+ 1 -+ -+ -+ -+ -+ -+ -+ -+ -+ /etc/audit/rules\.d/.*\.rules -+ -+ 1 -+ -+ -+ -+ -+ -+ -+ -+ -+ /etc/audit/rules\.d/.*\.rules -+ -+ 1 -+ -+ -+ -diff --git 
a/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_open_o_creat.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_open_o_creat.rule -new file mode 100644 -index 0000000000..c879183de2 ---- /dev/null -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_open_o_creat.rule -@@ -0,0 +1,54 @@ -+documentation_complete: true -+ -+prodtype: rhel7,fedora -+ -+title: 'Record Unauthorized Creation Attempts to Files (unsuccessful) - open O_CREAT' -+ -+ -+description: |- -+ The audit system should collect unauthorized file accesses for -+ all users and root. The open syscall can be used to create new files -+ when O_CREAT flag is specified. -+ The following auidt rules will asure that unsuccessful attempts to create a -+ file via open syscall are collected. -+ If the auditd daemon is configured to use the augenrules -+ program to read audit rules during daemon startup (the default), add the -+ rules below to a file with suffix .rules in the directory -+ /etc/audit/rules.d. -+ If the auditd daemon is configured to use the auditctl -+ utility to read audit rules during daemon startup, add the rules below to -+ /etc/audit/audit.rules file. -+
-+    -a always,exit -F arch=b32 -S open -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
-+    -a always,exit -F arch=b32 -S open -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
-+    
-+ If the system is 64 bit then also add the following lines: -+
-+    -a always,exit -F arch=b64 -S open -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
-+    -a always,exit -F arch=b64 -S open -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
-+    
-+ -+rationale: |- -+ Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing -+ these events could serve as evidence of potential system compromise. -+ -+severity: medium -+ -+references: -+ cis: 5.2.10 -+ cui: 3.1.7 -+ disa: 172,2884 -+ hipaa: 164.308(a)(1)(ii)(D),164.308(a)(3)(ii)(A),164.308(a)(5)(ii)(C),164.312(a)(2)(i),164.312(b),164.312(d),164.312(e) -+ nist: AC-17(7),AU-1(b),AU-2(a),AU-2(c),AU-2(d),AU-12(a),AU-12(c),IR-5 -+ ospp@rhel7: FAU_GEN.1.1.c -+ pcidss: Req-10.2.4,Req-10.2.1 -+ srg: SRG-OS-000064-GPOS-00033,SRG-OS-000458-GPOS-00203,SRG-OS-000461-GPOS-00205,SRG-OS-000392-GPOS-00172 -+ -+{{{ complete_ocil_entry_audit_syscall(syscall="open") }}} -+ -+warnings: -+ - general: |- -+ Note that these rules can be configured in a -+ number of ways while still achieving the desired effect. Here the system calls -+ have been placed independent of other system calls. Grouping these system -+ calls with others as identifying earlier in this guide is more efficient. -diff --git a/shared/checks/oval/audit_rules_unsuccessful_file_modification_open_o_trunc_write.xml b/shared/checks/oval/audit_rules_unsuccessful_file_modification_open_o_trunc_write.xml -new file mode 100644 -index 0000000000..49540d8d4c ---- /dev/null -+++ b/shared/checks/oval/audit_rules_unsuccessful_file_modification_open_o_trunc_write.xml -@@ -0,0 +1,200 @@ -+ -+ -+ -+ Ensure auditd Collects Information on Unsuccesful Creation Attempts to Files - open o_trunc -+ -+ Red Hat Enterprise Linux 7 -+ multi_platform_fedora -+ -+ Audit rules about the information on the unsuccessful use of open O_TRUNC is enabled. 
-+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S(?:[\s]+open[\s]+|(?:[\s]+|[,])open(?:[\s]+|[,])))[\S]*[\s]* -+ -+ -+ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S(?:[\s]+open[\s]+|(?:[\s]+|[,])open(?:[\s]+|[,])))[\S]*[\s]* -+ -+ -+ [\s]+(?:-F\s+auid>={{{ auid }}}[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ -+ -+ -+ -+ -+ (?:[^.]|\.\s)* -+ -+ -+ -+ -+ -+ -+ (?:-F\s+a2&01003)[\s]+(?:-F\s+exit=-EACCES) -+ -+ -+ -+ -+ -+ -+ -+ -+ (?:-F\s+a2&01003)[\s]+(?:-F\s+exit=-EPERM) -+ -+ -+ -+ -+ -+ -+ -+ -+ (?:-F\s+a2&01003)[\s]+(?:-F\s+exit=-EACCES) -+ -+ -+ -+ -+ -+ -+ -+ -+ (?:-F\s+a2&01003)[\s]+(?:-F\s+exit=-EPERM) -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ /etc/audit/rules\.d/.*\.rules -+ -+ 1 -+ -+ -+ -+ -+ -+ -+ -+ -+ /etc/audit/rules\.d/.*\.rules -+ -+ 1 -+ -+ -+ -+ -+ -+ -+ -+ -+ /etc/audit/rules\.d/.*\.rules -+ -+ 1 -+ -+ -+ -+ -+ -+ -+ -+ -+ /etc/audit/rules\.d/.*\.rules -+ -+ 1 -+ -+ -+ -+ -+ -+ -+ -+ -+ /etc/audit/rules\.d/.*\.rules -+ -+ 1 -+ -+ -+ -+ -+ -+ -+ -+ -+ /etc/audit/rules\.d/.*\.rules -+ -+ 1 -+ -+ -+ -+ -+ -+ -+ -+ -+ /etc/audit/rules\.d/.*\.rules -+ -+ 1 -+ -+ -+ -+ -+ -+ -+ -+ -+ /etc/audit/rules\.d/.*\.rules -+ -+ 1 -+ -+ -+ -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_open_o_trunc_write.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_open_o_trunc_write.rule -new file mode 100644 -index 0000000000..8525b31bb1 ---- /dev/null -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_open_o_trunc_write.rule -@@ -0,0 +1,53 @@ -+documentation_complete: true -+ -+prodtype: rhel7,fedora -+ -+title: 
'Record Unauthorized Modification Attempts to Files (unsuccessful) - open O_TRUNC' -+ -+description: |- -+ The audit system should collect detailed unauthorized file accesses for -+ all users and root. The open syscall can be used to modify files -+ if called for write operation of with O_TRUNC flag. -+ The following auidt rules will asure that unsuccessful attempts to modify a -+ file via open syscall are collected. -+ If the auditd daemon is configured to use the augenrules -+ program to read audit rules during daemon startup (the default), add the -+ rules below to a file with suffix .rules in the directory -+ /etc/audit/rules.d. -+ If the auditd daemon is configured to use the auditctl -+ utility to read audit rules during daemon startup, add the rules below to -+ /etc/audit/audit.rules file. -+
-+    -a always,exit -F arch=b32 -S open -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
-+    -a always,exit -F arch=b32 -S open -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
-+    
-+ If the system is 64 bit then also add the following lines: -+
-+    -a always,exit -F arch=b64 -S open -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
-+    -a always,exit -F arch=b64 -S open -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
-+    
-+ -+rationale: |- -+ Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing -+ these events could serve as evidence of potential system compromise. -+ -+severity: medium -+ -+references: -+ cis: 5.2.10 -+ cui: 3.1.7 -+ disa: 172,2884 -+ hipaa: 164.308(a)(1)(ii)(D),164.308(a)(3)(ii)(A),164.308(a)(5)(ii)(C),164.312(a)(2)(i),164.312(b),164.312(d),164.312(e) -+ nist: AC-17(7),AU-1(b),AU-2(a),AU-2(c),AU-2(d),AU-12(a),AU-12(c),IR-5 -+ ospp@rhel7: FAU_GEN.1.1.c -+ pcidss: Req-10.2.4,Req-10.2.1 -+ srg: SRG-OS-000064-GPOS-00033,SRG-OS-000458-GPOS-00203,SRG-OS-000461-GPOS-00205,SRG-OS-000392-GPOS-00172 -+ -+{{{ complete_ocil_entry_audit_syscall(syscall="open") }}} -+ -+warnings: -+ - general: |- -+ Note that these rules can be configured in a -+ number of ways while still achieving the desired effect. Here the system calls -+ have been placed independent of other system calls. Grouping these system -+ calls with others as identifying earlier in this guide is more efficient. -diff --git a/shared/checks/oval/audit_rules_unsuccessful_file_modification_open_rule_order.xml b/shared/checks/oval/audit_rules_unsuccessful_file_modification_open_rule_order.xml -new file mode 100644 -index 0000000000..780fdf60d4 ---- /dev/null -+++ b/shared/checks/oval/audit_rules_unsuccessful_file_modification_open_rule_order.xml -@@ -0,0 +1,474 @@ -+ -+ -+ -+ Ensure auditd Rules For Unauthorized Attempts To open Are Ordered Correctly -+ -+ Red Hat Enterprise Linux 7 -+ multi_platform_fedora -+ -+ Audit rules about the information on the unsuccessful use of open is configured in the proper rule order. 
-+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S(?:[\s]+open[\s]+|(?:[\s]+|[,])open(?:[\s]+|[,])))[\S]*[\s]* -+ -+ -+ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S(?:[\s]+open[\s]+|(?:[\s]+|[,])open(?:[\s]+|[,])))[\S]*[\s]* -+ -+ -+ [\s]+(?:-F\s+auid>={{{ auid }}}[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ -+ -+ -+ -+ -+ (?:[^.]|\.\s)* -+ -+ -+ -+ -+ -+ -+ (?:-F\s+a2&0100)[\s]+(?:-F\s+exit=-EACCES) -+ -+ -+ -+ -+ -+ -+ (?:-F\s+a2&01003)[\s]+(?:-F\s+exit=-EACCES) -+ -+ -+ -+ -+ -+ -+ (?!.*-F\s+a2&)[\s]+(?:-F\s+exit=-EACCES) -+ -+ -+ -+ -+ -+ -+ -+ -+ (?:-F\s+a2&0100)[\s]+(?:-F\s+exit=-EPERM) -+ -+ -+ -+ -+ -+ -+ (?:-F\s+a2&01003)[\s]+(?:-F\s+exit=-EPERM) -+ -+ -+ -+ -+ -+ -+ (?!.*-F\s+a2&)[\s]+(?:-F\s+exit=-EPERM) -+ -+ -+ -+ -+ -+ -+ -+ -+ (?:-F\s+a2&0100)[\s]+(?:-F\s+exit=-EACCES) -+ -+ -+ -+ -+ -+ -+ (?:-F\s+a2&01003)[\s]+(?:-F\s+exit=-EACCES) -+ -+ -+ -+ -+ -+ -+ (?!.*-F\s+a2&)[\s]+(?:-F\s+exit=-EACCES) -+ -+ -+ -+ -+ -+ -+ -+ -+ (?:-F\s+a2&0100)[\s]+(?:-F\s+exit=-EPERM) -+ -+ -+ -+ -+ -+ -+ (?:-F\s+a2&01003)[\s]+(?:-F\s+exit=-EPERM) -+ -+ -+ -+ -+ -+ -+ (?!.*-F\s+a2&)[\s]+(?:-F\s+exit=-EPERM) -+ -+ -+ -+ -+ -+ -+ -+ /etc/audit/rules\.d/.*\.rules -+ -+ 1 -+ -+ -+ -+ /etc/audit/rules\.d/.*\.rules -+ -+ 1 -+ -+ -+ -+ /etc/audit/rules\.d/.*\.rules -+ -+ 1 -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ /etc/audit/rules\.d/.*\.rules -+ -+ 1 -+ -+ -+ -+ -+ -+ /etc/audit/rules\.d/.*\.rules -+ -+ 1 -+ -+ -+ -+ /etc/audit/rules\.d/.*\.rules -+ -+ 1 -+ -+ -+ -+ /etc/audit/rules\.d/.*\.rules -+ -+ 1 -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ /etc/audit/rules\.d/.*\.rules -+ -+ 1 -+ -+ -+ -+ -+ -+ /etc/audit/rules\.d/.*\.rules -+ -+ 1 -+ -+ -+ -+ /etc/audit/rules\.d/.*\.rules -+ -+ 1 -+ -+ -+ -+ /etc/audit/rules\.d/.*\.rules -+ -+ 1 -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ 
-+ -+ /etc/audit/rules\.d/.*\.rules -+ -+ 1 -+ -+ -+ -+ -+ -+ /etc/audit/rules\.d/.*\.rules -+ -+ 1 -+ -+ -+ -+ /etc/audit/rules\.d/.*\.rules -+ -+ 1 -+ -+ -+ -+ /etc/audit/rules\.d/.*\.rules -+ -+ 1 -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ /etc/audit/rules\.d/.*\.rules -+ -+ 1 -+ -+ -+ -+ -+ -+ /etc/audit/rules\.d/.*\.rules -+ -+ 1 -+ -+ -+ -+ /etc/audit/rules\.d/.*\.rules -+ -+ 1 -+ -+ -+ -+ /etc/audit/rules\.d/.*\.rules -+ -+ 1 -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ /etc/audit/rules\.d/.*\.rules -+ -+ 1 -+ -+ -+ -+ -+ -+ /etc/audit/rules\.d/.*\.rules -+ -+ 1 -+ -+ -+ -+ /etc/audit/rules\.d/.*\.rules -+ -+ 1 -+ -+ -+ -+ /etc/audit/rules\.d/.*\.rules -+ -+ 1 -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ /etc/audit/rules\.d/.*\.rules -+ -+ 1 -+ -+ -+ -+ -+ -+ /etc/audit/rules\.d/.*\.rules -+ -+ 1 -+ -+ -+ -+ /etc/audit/rules\.d/.*\.rules -+ -+ 1 -+ -+ -+ -+ /etc/audit/rules\.d/.*\.rules -+ -+ 1 -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ /etc/audit/rules\.d/.*\.rules -+ -+ 1 -+ -+ -+ -+ -+ -+ /etc/audit/rules\.d/.*\.rules -+ -+ 1 -+ -+ -+ -+ /etc/audit/rules\.d/.*\.rules -+ -+ 1 -+ -+ -+ -+ /etc/audit/rules\.d/.*\.rules -+ -+ 1 -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ /etc/audit/rules\.d/.*\.rules -+ -+ 1 -+ -+ -+ -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_open_rule_order.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_open_rule_order.rule -new file mode 100644 -index 0000000000..60a1b9de12 ---- /dev/null -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_open_rule_order.rule -@@ -0,0 +1,64 @@ -+documentation_complete: true -+ -+prodtype: rhel7,fedora -+ -+title: 'Ensure auditd Rules For Unauthorized Attempts To open Are Ordered Correctly' -+ 
-+description: |-
-+ The audit system should collect detailed unauthorized file
-+ accesses for all users and root.
-+ To correctly identify unsuccessful creation, unsuccessful modification and unsuccessful access
-+ of files via open syscall the audit rules collecting these events need to be in certain order.
-+ The more specific rules need to come before the less specific rules. The reason for that is that more
-+ specific rules cover a subset of events covered in the less specific rules, thus, they need to come
-+ before to not be overshadowed by less specific rules, which match a bigger set of events.
-+ Make sure that rules for unsuccessful calls of open syscall are in the order shown below.
-+ If the auditd daemon is configured to use the augenrules
-+ program to read audit rules during daemon startup (the default), check the order of
-+ rules below in a file with suffix .rules in the directory
-+ /etc/audit/rules.d.
-+ If the auditd daemon is configured to use the auditctl
-+ utility to read audit rules during daemon startup, check the order of rules below in
-+ /etc/audit/audit.rules file.
-+
-+    -a always,exit -F arch=b32 -S open -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
-+    -a always,exit -F arch=b32 -S open -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
-+    -a always,exit -F arch=b32 -S open -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
-+    -a always,exit -F arch=b32 -S open -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
-+    -a always,exit -F arch=b32 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-access
-+    -a always,exit -F arch=b32 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-access
-+    
-+ If the system is 64 bit then also add the following lines:
-+
-+    -a always,exit -F arch=b64 -S open -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
-+    -a always,exit -F arch=b64 -S open -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
-+    -a always,exit -F arch=b64 -S open -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
-+    -a always,exit -F arch=b64 -S open -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
-+    -a always,exit -F arch=b64 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-access
-+    -a always,exit -F arch=b64 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-access
-+    
-+
-+rationale: |-
-+ Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing
-+ these events could serve as evidence of potential system compromise.
-+
-+severity: medium
-+
-+references:
-+ cis: 5.2.10
-+ cui: 3.1.7
-+ disa: 172,2884
-+ hipaa: 164.308(a)(1)(ii)(D),164.308(a)(3)(ii)(A),164.308(a)(5)(ii)(C),164.312(a)(2)(i),164.312(b),164.312(d),164.312(e)
-+ nist: AC-17(7),AU-1(b),AU-2(a),AU-2(c),AU-2(d),AU-12(a),AU-12(c),IR-5
-+ ospp@rhel7: FAU_GEN.1.1.c
-+ pcidss: Req-10.2.4,Req-10.2.1
-+ srg: SRG-OS-000064-GPOS-00033,SRG-OS-000458-GPOS-00203,SRG-OS-000461-GPOS-00205,SRG-OS-000392-GPOS-00172
-+
-+{{{ complete_ocil_entry_audit_syscall(syscall="open") }}}
-+
-+warnings:
-+ - general: |-
-+ Note that these rules can be configured in a
-+ number of ways while still achieving the desired effect. Here the system calls
-+ have been placed independent of other system calls. Grouping these system
-+ calls with others as identifying earlier in this guide is more efficient.
-diff --git a/shared/templates/template_OVAL_audit_rules_unsuccessful_file_modification b/shared/templates/template_OVAL_audit_rules_unsuccessful_file_modification -index 555375c757..36e255c28a 100644 ---- a/shared/templates/template_OVAL_audit_rules_unsuccessful_file_modification -+++ b/shared/templates/template_OVAL_audit_rules_unsuccessful_file_modification -@@ -51,7 +51,7 @@ - - - /etc/audit/rules\.d/.*\.rules -- ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+{{{ NAME }}}[\s]+|([\s]+|[,]){{{ NAME }}}([\s]+|[,])))(?:.*-F\s+exit=\-EACCES[\s]+)(?:.*-F\s+auid>={{{ auid }}}[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ -+ ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+{{{ NAME }}}[\s]+|([\s]+|[,]){{{ NAME }}}([\s]+|[,])))[\S]*[\s]*(?!.*-F\s+a2&)[\s]+(?:.*-F\s+exit=\-EACCES[\s]+)(?:.*-F\s+auid>={{{ auid }}}[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ - 1 - - -@@ -60,7 +60,7 @@ - - - /etc/audit/rules\.d/.*\.rules -- ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+{{{ NAME }}}[\s]+|([\s]+|[,]){{{ NAME }}}([\s]+|[,])))(?:.*-F\s+exit=\-EPERM[\s]+)(?:.*-F\s+auid>={{{ auid }}}[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ -+ ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+{{{ NAME }}}[\s]+|([\s]+|[,]){{{ NAME }}}([\s]+|[,])))[\S]*[\s]*(?!.*-F\s+a2&)[\s]+(?:.*-F\s+exit=\-EPERM[\s]+)(?:.*-F\s+auid>={{{ auid }}}[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ - 1 - - -@@ -69,7 +69,7 @@ - - - /etc/audit/rules\.d/.*\.rules -- ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+{{{ NAME }}}[\s]+|([\s]+|[,]){{{ NAME }}}([\s]+|[,])))(?:.*-F\s+exit=\-EACCES[\s]+)(?:.*-F\s+auid>={{{ auid }}}[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ -+ ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+{{{ 
NAME }}}[\s]+|([\s]+|[,]){{{ NAME }}}([\s]+|[,])))[\S]*[\s]*(?!.*-F\s+a2&)[\s]+(?:.*-F\s+exit=\-EACCES[\s]+)(?:.*-F\s+auid>={{{ auid }}}[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ - 1 - - -@@ -78,7 +78,7 @@ - - - /etc/audit/rules\.d/.*\.rules -- ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+{{{ NAME }}}[\s]+|([\s]+|[,]){{{ NAME }}}([\s]+|[,])))(?:.*-F\s+exit=\-EPERM[\s]+)(?:.*-F\s+auid>={{{ auid }}}[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ -+ ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+{{{ NAME }}}[\s]+|([\s]+|[,]){{{ NAME }}}([\s]+|[,])))[\S]*[\s]*(?!.*-F\s+a2&)[\s]+(?:.*-F\s+exit=\-EPERM[\s]+)(?:.*-F\s+auid>={{{ auid }}}[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ - 1 - - -@@ -87,7 +87,7 @@ - - - /etc/audit/audit.rules -- ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+{{{ NAME }}}[\s]+|([\s]+|[,]){{{ NAME }}}([\s]+|[,])))(?:.*-F\s+exit=\-EACCES[\s]+)(?:.*-F\s+auid>={{{ auid }}}[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ -+ ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+{{{ NAME }}}[\s]+|([\s]+|[,]){{{ NAME }}}([\s]+|[,])))[\S]*[\s]*(?!.*-F\s+a2&)[\s]+(?:.*-F\s+exit=\-EACCES[\s]+)(?:.*-F\s+auid>={{{ auid }}}[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ - 1 - - -@@ -96,7 +96,7 @@ - - - /etc/audit/audit.rules -- ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+{{{ NAME }}}[\s]+|([\s]+|[,]){{{ NAME }}}([\s]+|[,])))(?:.*-F\s+exit=\-EPERM[\s]+)(?:.*-F\s+auid>={{{ auid }}}[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ -+ ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+{{{ NAME }}}[\s]+|([\s]+|[,]){{{ NAME }}}([\s]+|[,])))[\S]*[\s]*(?!.*-F\s+a2&)[\s]+(?:.*-F\s+exit=\-EPERM[\s]+)(?:.*-F\s+auid>={{{ auid 
}}}[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ - 1 - - -@@ -105,7 +105,7 @@ - - - /etc/audit/audit.rules -- ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+{{{ NAME }}}[\s]+|([\s]+|[,]){{{ NAME }}}([\s]+|[,])))(?:.*-F\s+exit=\-EACCES[\s]+)(?:.*-F\s+auid>={{{ auid }}}[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ -+ ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+{{{ NAME }}}[\s]+|([\s]+|[,]){{{ NAME }}}([\s]+|[,])))[\S]*[\s]*(?!.*-F\s+a2&)[\s]+(?:.*-F\s+exit=\-EACCES[\s]+)(?:.*-F\s+auid>={{{ auid }}}[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ - 1 - - -@@ -114,7 +114,7 @@ - - - /etc/audit/audit.rules -- ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+{{{ NAME }}}[\s]+|([\s]+|[,]){{{ NAME }}}([\s]+|[,])))(?:.*-F\s+exit=\-EPERM[\s]+)(?:.*-F\s+auid>={{{ auid }}}[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ -+ ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+{{{ NAME }}}[\s]+|([\s]+|[,]){{{ NAME }}}([\s]+|[,])))[\S]*[\s]*(?!.*-F\s+a2&)[\s]+(?:.*-F\s+exit=\-EPERM[\s]+)(?:.*-F\s+auid>={{{ auid }}}[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ - 1 - - diff --git a/SOURCES/scap-security-guide-0.1.41-audit_file_open_ospp.patch b/SOURCES/scap-security-guide-0.1.41-audit_file_open_ospp.patch deleted file mode 100644 index 4cb77a1..0000000 --- a/SOURCES/scap-security-guide-0.1.41-audit_file_open_ospp.patch +++ /dev/null 
@@ -1,14 +0,0 @@
-diff --git a/rhel7/profiles/ospp42-draft.profile b/rhel7/profiles/ospp42-draft.profile
-index 6ca2b4b58f..2d39437948 100644
---- a/rhel7/profiles/ospp42-draft.profile
-+++ b/rhel7/profiles/ospp42-draft.profile
-@@ -87,6 +87,9 @@
- - audit_rules_unsuccessful_file_modification_creat
- - audit_rules_unsuccessful_file_modification_openat
- - audit_rules_unsuccessful_file_modification_open_by_handle_at
-+ - audit_rules_unsuccessful_file_modification_open_o_creat
-+ - audit_rules_unsuccessful_file_modification_open_o_trunc_write
-+ - audit_rules_unsuccessful_file_modification_open_rule_order
- - audit_rules_unsuccessful_file_modification_open
- - audit_rules_unsuccessful_file_modification_ftruncate
- - audit_rules_unsuccessful_file_modification_truncate
diff --git a/SOURCES/scap-security-guide-0.1.41-audit_file_ownership.patch b/SOURCES/scap-security-guide-0.1.41-audit_file_ownership.patch
deleted file mode 100644
index dc2d16d..0000000
--- a/SOURCES/scap-security-guide-0.1.41-audit_file_ownership.patch
+++ /dev/null
@@ -1,248 +0,0 @@
-diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_chown.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_chown.rule
-new file mode 100644
-index 0000000000..2d64245ec8
---- /dev/null
-+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_chown.rule
-@@ -0,0 +1,38 @@
-+documentation_complete: true
-+
-+prodtype: rhel7,fedora
-+
-+title: 'Record Unsuccessul Ownership Changes to Files - chown'
-+
-+description: |-
-+ The audit system should collect unsuccessful file ownership change
-+ attempts for all users and root.
-+ If the auditd daemon is configured
-+ to use the augenrules program to read audit rules during daemon
-+ startup (the default), add the following lines to a file with suffix
-+ .rules in the directory /etc/audit/rules.d.
-+ If the auditd daemon is configured to use the auditctl
-+ utility to read audit rules during daemon startup, add the following lines to
-+ /etc/audit/audit.rules file.
-+
-a always,exit -F arch=b32 -S chown -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
-+    -a always,exit -F arch=b32 -S chown -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
-+ If the system is 64 bit then also add the following lines:
-+
-a always,exit -F arch=b64 -S chown -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
-+    -a always,exit -F arch=b64 -S chown -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
-+
-+
-+rationale: |-
-+ Unsuccessful attempts to change ownership of files could be an indicator of malicious activity on a system. Auditing
-+ these events could serve as evidence of potential system compromise.
-+
-+severity: medium
-+
-+{{{ complete_ocil_entry_audit_syscall(syscall="chown") }}}
-+
-+warnings:
-+ - general: |-
-+ Note that these rules can be configured in a
-+ number of ways while still achieving the desired effect. Here the audit rule checks a
-+ system call independently of other system calls. Grouping system calls related
-+ to the same event is more efficient. See the following example:
-+
-a always,exit -F arch=b32 -S lchown,fchown,chown,fchownat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
-diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_fchown.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_fchown.rule
-new file mode 100644
-index 0000000000..8835dd2d5f
---- /dev/null
-+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_fchown.rule
-@@ -0,0 +1,38 @@
-+documentation_complete: true
-+
-+prodtype: rhel7,fedora
-+
-+title: 'Record Unsuccessul Ownership Changes to Files - fchown'
-+
-+description: |-
-+ The audit system should collect unsuccessful file ownership change
-+ attempts for all users and root.
-+ If the auditd daemon is configured
-+ to use the augenrules program to read audit rules during daemon
-+ startup (the default), add the following lines to a file with suffix
-+ .rules in the directory /etc/audit/rules.d.
-+ If the auditd daemon is configured to use the auditctl
-+ utility to read audit rules during daemon startup, add the following lines to
-+ /etc/audit/audit.rules file.
-+
-a always,exit -F arch=b32 -S fchown -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
-+    -a always,exit -F arch=b32 -S fchown -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
-+ If the system is 64 bit then also add the following lines:
-+
-a always,exit -F arch=b64 -S fchown -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
-+    -a always,exit -F arch=b64 -S fchown -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
-+
-+
-+rationale: |-
-+ Unsuccessful attempts to change ownership of files could be an indicator of malicious activity on a system. Auditing
-+ these events could serve as evidence of potential system compromise.
-+
-+severity: medium
-+
-+{{{ complete_ocil_entry_audit_syscall(syscall="fchown") }}}
-+
-+warnings:
-+ - general: |-
-+ Note that these rules can be configured in a
-+ number of ways while still achieving the desired effect. Here the audit rule checks a
-+ system call independently of other system calls. Grouping system calls related
-+ to the same event is more efficient. See the following example:
-+
-a always,exit -F arch=b32 -S lchown,fchown,chown,fchownat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
-diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_fchownat.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_fchownat.rule
-new file mode 100644
-index 0000000000..c40152d7b0
---- /dev/null
-+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_fchownat.rule
-@@ -0,0 +1,38 @@
-+documentation_complete: true
-+
-+prodtype: rhel7,fedora
-+
-+title: 'Record Unsuccessul Ownership Changes to Files - fchownat'
-+
-+description: |-
-+ The audit system should collect unsuccessful file ownership change
-+ attempts for all users and root.
-+ If the auditd daemon is configured
-+ to use the augenrules program to read audit rules during daemon
-+ startup (the default), add the following lines to a file with suffix
-+ .rules in the directory /etc/audit/rules.d.
-+ If the auditd daemon is configured to use the auditctl
-+ utility to read audit rules during daemon startup, add the following lines to
-+ /etc/audit/audit.rules file.
-+
-a always,exit -F arch=b32 -S fchownat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
-+    -a always,exit -F arch=b32 -S fchownat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
-+ If the system is 64 bit then also add the following lines:
-+
-a always,exit -F arch=b64 -S fchownat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
-+    -a always,exit -F arch=b64 -S fchownat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
-+
-+
-+rationale: |-
-+ Unsuccessful attempts to change ownership of files could be an indicator of malicious activity on a system. Auditing
-+ these events could serve as evidence of potential system compromise.
-+
-+severity: medium
-+
-+{{{ complete_ocil_entry_audit_syscall(syscall="fchownat") }}}
-+
-+warnings:
-+ - general: |-
-+ Note that these rules can be configured in a
-+ number of ways while still achieving the desired effect. Here the audit rule checks a
-+ system call independently of other system calls. Grouping system calls related
-+ to the same event is more efficient. See the following example:
-+
-a always,exit -F arch=b32 -S lchown,fchown,chown,fchownat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
-diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_lchown.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_lchown.rule
-new file mode 100644
-index 0000000000..2293c4afdd
---- /dev/null
-+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_lchown.rule
-@@ -0,0 +1,38 @@
-+documentation_complete: true
-+
-+prodtype: rhel7,fedora
-+
-+title: 'Record Unsuccessul Ownership Changes to Files - lchown'
-+
-+description: |-
-+ The audit system should collect unsuccessful file ownership change
-+ attempts for all users and root.
-+ If the auditd daemon is configured
-+ to use the augenrules program to read audit rules during daemon
-+ startup (the default), add the following lines to a file with suffix
-+ .rules in the directory /etc/audit/rules.d.
-+ If the auditd daemon is configured to use the auditctl
-+ utility to read audit rules during daemon startup, add the following lines to
-+ /etc/audit/audit.rules file.
-+
-a always,exit -F arch=b32 -S lchown -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
-+    -a always,exit -F arch=b32 -S lchown -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
-+ If the system is 64 bit then also add the following lines:
-+
-a always,exit -F arch=b64 -S lchown -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
-+    -a always,exit -F arch=b64 -S lchown -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
-+
-+
-+rationale: |-
-+ Unsuccessful attempts to change ownership of files could be an indicator of malicious activity on a system. Auditing
-+ these events could serve as evidence of potential system compromise.
-+
-+severity: medium
-+
-+{{{ complete_ocil_entry_audit_syscall(syscall="lchown") }}}
-+
-+warnings:
-+ - general: |-
-+ Note that these rules can be configured in a
-+ number of ways while still achieving the desired effect. Here the audit rule checks a
-+ system call independently of other system calls. Grouping system calls related
-+ to the same event is more efficient. See the following example:
-+
-a always,exit -F arch=b32 -S lchown,fchown,chown,fchownat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
-diff --git a/rhel7/profiles/ospp42-draft.profile b/rhel7/profiles/ospp42-draft.profile
-index 6ca2b4b58f..5398114123 100644
---- a/rhel7/profiles/ospp42-draft.profile
-+++ b/rhel7/profiles/ospp42-draft.profile
-@@ -110,9 +110,13 @@ selections:
- - audit_rules_execution_setsebool
- - audit_rules_mac_modification
- - audit_rules_dac_modification_chown
-+ - audit_rules_unsuccessful_file_modification_chown
- - audit_rules_dac_modification_fchownat
-+ - audit_rules_unsuccessful_file_modification_fchownat
- - audit_rules_dac_modification_fchown
-+ - audit_rules_unsuccessful_file_modification_fchown
- - audit_rules_dac_modification_lchown
-+ - audit_rules_unsuccessful_file_modification_lchown
- - audit_rules_privileged_commands_passwd
- - audit_rules_privileged_commands_unix_chkpwd
- - audit_rules_privileged_commands_userhelper
-diff --git a/shared/templates/csv/audit_rules_unsuccessful_file_modification.csv b/shared/templates/csv/audit_rules_unsuccessful_file_modification.csv
-index 632bd19a68..15cf44c0f4 100644
---- a/shared/templates/csv/audit_rules_unsuccessful_file_modification.csv
-+++ b/shared/templates/csv/audit_rules_unsuccessful_file_modification.csv
-@@ -1,5 +1,9 @@
- creat
-+chown
-+fchown
-+fchownat
- ftruncate
-+lchown
- open
- openat
- open_by_handle_at
-diff --git a/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_unsuccessful_file_modification/rule_audit_rules_unsuccessful_file_modification_chown/default.pass.sh b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_unsuccessful_file_modification/rule_audit_rules_unsuccessful_file_modification_chown/default.pass.sh
-new file mode 100644
-index 0000000000..4e1e71b717
---- /dev/null
-+++ b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_unsuccessful_file_modification/rule_audit_rules_unsuccessful_file_modification_chown/default.pass.sh
-@@ -0,0 +1,8 @@
-+#!/bin/bash
-+
-+# profiles = 
xccdf_org.ssgproject.content_profile_ospp
-+
-+echo "-a always,exit -F arch=b32 -S lchown,fchown,chown,fchownat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change" >> /etc/audit/rules.d/unsuccessful-perm-change.rules
-+echo "-a always,exit -F arch=b64 -S lchown,fchown,chown,fchownat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change" >> /etc/audit/rules.d/unsuccessful-perm-change.rules
-+echo "-a always,exit -F arch=b32 -S lchown,fchown,chown,fchownat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change" >> /etc/audit/rules.d/unsuccessful-perm-change.rules
-+echo "-a always,exit -F arch=b64 -S lchown,fchown,chown,fchownat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change" >> /etc/audit/rules.d/unsuccessful-perm-change.rules
-diff --git a/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_unsuccessful_file_modification/rule_audit_rules_unsuccessful_file_modification_chown/empty.fail.sh b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_unsuccessful_file_modification/rule_audit_rules_unsuccessful_file_modification_chown/empty.fail.sh
-new file mode 100644
-index 0000000000..d8e8e0b1dd
---- /dev/null
-+++ b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_unsuccessful_file_modification/rule_audit_rules_unsuccessful_file_modification_chown/empty.fail.sh
-@@ -0,0 +1,6 @@
-+#!/bin/bash
-+
-+# profiles = xccdf_org.ssgproject.content_profile_ospp
-+
-+rm -f /etc/audit/rules.d/*
-+> /etc/audit/audit.rules
-diff --git a/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_unsuccessful_file_modification/rule_audit_rules_unsuccessful_file_modification_chown/one_filter.fail.sh b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_unsuccessful_file_modification/rule_audit_rules_unsuccessful_file_modification_chown/one_filter.fail.sh
-new 
file mode 100644
-index 0000000000..e8691611dc
---- /dev/null
-+++ b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_unsuccessful_file_modification/rule_audit_rules_unsuccessful_file_modification_chown/one_filter.fail.sh
-@@ -0,0 +1,8 @@
-+#!/bin/bash
-+
-+# profiles = xccdf_org.ssgproject.content_profile_ospp
-+
-+echo "-a always,exit -F arch=b32 -S lchown,fchown,chown,fchownat -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change" >> /etc/audit/rules.d/unsuccessful-perm-change.rules
-+echo "-a always,exit -F arch=b64 -S lchown,fchown,chown,fchownat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change" >> /etc/audit/rules.d/unsuccessful-perm-change.rules
-+echo "-a always,exit -F arch=b32 -S lchown,fchown,chown,fchownat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change" >> /etc/audit/rules.d/unsuccessful-perm-change.rules
-+echo "-a always,exit -F arch=b64 -S lchown,fchown,chown,fchownat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change" >> /etc/audit/rules.d/unsuccessful-perm-change.rules
diff --git a/SOURCES/scap-security-guide-0.1.41-audit_file_permission.patch b/SOURCES/scap-security-guide-0.1.41-audit_file_permission.patch
deleted file mode 100644
index ebfcc8e..0000000
--- a/SOURCES/scap-security-guide-0.1.41-audit_file_permission.patch
+++ /dev/null
@@ -1,444 +0,0 @@
-diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_chmod.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_chmod.rule
-new file mode 100644
-index 0000000000..fc5d1c0b92
---- /dev/null
-+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_chmod.rule
-@@ -0,0 +1,38 @@
-+documentation_complete: true
-+
-+prodtype: rhel7,fedora
-+
-+title: 'Record Unsuccessul Permission Changes to Files - chmod'
-+
-+description: |-
-+ The audit system should collect unsuccessful file permission change
-+ attempts for all users and root.
-+ If the auditd daemon is configured
-+ to use the augenrules program to read audit rules during daemon
-+ startup (the default), add the following lines to a file with suffix
-+ .rules in the directory /etc/audit/rules.d.
-+ If the auditd daemon is configured to use the auditctl
-+ utility to read audit rules during daemon startup, add the following lines to
-+ /etc/audit/audit.rules file.
-+
-a always,exit -F arch=b32 -S chmod -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
-+    -a always,exit -F arch=b32 -S chmod -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
-+ If the system is 64 bit then also add the following lines:
-+
-a always,exit -F arch=b64 -S chmod -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
-+    -a always,exit -F arch=b64 -S chmod -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
-+
-+
-+rationale: |-
-+ Unsuccessful attempts to change permissions of files could be an indicator of malicious activity on a system. Auditing
-+ these events could serve as evidence of potential system compromise.
-+
-+severity: medium
-+
-+{{{ complete_ocil_entry_audit_syscall(syscall="chmod") }}}
-+
-+warnings:
-+ - general: |-
-+ Note that these rules can be configured in a
-+ number of ways while still achieving the desired effect. Here the audit rule checks a
-+ system call independently of other system calls. Grouping system calls related
-+ to the same event is more efficient. See the following example:
-+
-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
-diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_fchmod.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_fchmod.rule
-new file mode 100644
-index 0000000000..0b86c9b6b9
---- /dev/null
-+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_fchmod.rule
-@@ -0,0 +1,38 @@
-+documentation_complete: true
-+
-+prodtype: rhel7,fedora
-+
-+title: 'Record Unsuccessul Permission Changes to Files - fchmod'
-+
-+description: |-
-+ The audit system should collect unsuccessful file permission change
-+ attempts for all users and root.
-+ If the auditd daemon is configured
-+ to use the augenrules program to read audit rules during daemon
-+ startup (the default), add the following lines to a file with suffix
-+ .rules in the directory /etc/audit/rules.d.
-+ If the auditd daemon is configured to use the auditctl
-+ utility to read audit rules during daemon startup, add the following lines to
-+ /etc/audit/audit.rules file.
-+
-a always,exit -F arch=b32 -S fchmod -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
-+    -a always,exit -F arch=b32 -S fchmod -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
-+ If the system is 64 bit then also add the following lines:
-+
-a always,exit -F arch=b64 -S fchmod -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
-+    -a always,exit -F arch=b64 -S fchmod -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
-+
-+
-+rationale: |-
-+ Unsuccessful attempts to change permissions of files could be an indicator of malicious activity on a system. Auditing
-+ these events could serve as evidence of potential system compromise.
-+
-+severity: medium
-+
-+{{{ complete_ocil_entry_audit_syscall(syscall="fchmod") }}}
-+
-+warnings:
-+ - general: |-
-+ Note that these rules can be configured in a
-+ number of ways while still achieving the desired effect. Here the audit rule checks a
-+ system call independently of other system calls. Grouping system calls related
-+ to the same event is more efficient. See the following example:
-+
-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
-diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_fchmodat.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_fchmodat.rule
-new file mode 100644
-index 0000000000..6b9a4796ca
---- /dev/null
-+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_fchmodat.rule
-@@ -0,0 +1,38 @@
-+documentation_complete: true
-+
-+prodtype: rhel7,fedora
-+
-+title: 'Record Unsuccessul Permission Changes to Files - fchmodat'
-+
-+description: |-
-+ The audit system should collect unsuccessful file permission change
-+ attempts for all users and root.
-+ If the auditd daemon is configured
-+ to use the augenrules program to read audit rules during daemon
-+ startup (the default), add the following lines to a file with suffix
-+ .rules in the directory /etc/audit/rules.d.
-+ If the auditd daemon is configured to use the auditctl
-+ utility to read audit rules during daemon startup, add the following lines to
-+ /etc/audit/audit.rules file.
-+
-a always,exit -F arch=b32 -S fchmodat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
-+    -a always,exit -F arch=b32 -S fchmodat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
-+ If the system is 64 bit then also add the following lines:
-+
-a always,exit -F arch=b64 -S fchmodat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
-+    -a always,exit -F arch=b64 -S fchmodat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
-+
-+
-+rationale: |-
-+ Unsuccessful attempts to change permissions of files could be an indicator of malicious activity on a system. Auditing
-+ these events could serve as evidence of potential system compromise.
-+
-+severity: medium
-+
-+{{{ complete_ocil_entry_audit_syscall(syscall="fchmodat") }}}
-+
-+warnings:
-+ - general: |-
-+ Note that these rules can be configured in a
-+ number of ways while still achieving the desired effect. Here the audit rule checks a
-+ system call independently of other system calls. Grouping system calls related
-+ to the same event is more efficient. See the following example:
-+
-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
-diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_fremovexattr.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_fremovexattr.rule
-new file mode 100644
-index 0000000000..7a20898b00
---- /dev/null
-+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_fremovexattr.rule
-@@ -0,0 +1,38 @@
-+documentation_complete: true
-+
-+prodtype: rhel7,fedora
-+
-+title: 'Record Unsuccessul Permission Changes to Files - fremovexattr'
-+
-+description: |-
-+ The audit system should collect unsuccessful file permission change
-+ attempts for all users and root.
-+ If the auditd daemon is configured
-+ to use the augenrules program to read audit rules during daemon
-+ startup (the default), add the following lines to a file with suffix
-+ .rules in the directory /etc/audit/rules.d.
-+ If the auditd daemon is configured to use the auditctl
-+ utility to read audit rules during daemon startup, add the following lines to
-+ /etc/audit/audit.rules file.
-+
-a always,exit -F arch=b32 -S fremovexattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
-+    -a always,exit -F arch=b32 -S fremovexattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
-+ If the system is 64 bit then also add the following lines:
-+
-a always,exit -F arch=b64 -S fremovexattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
-+    -a always,exit -F arch=b64 -S fremovexattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
-+
-+
-+rationale: |-
-+ Unsuccessful attempts to change permissions of files could be an indicator of malicious activity on a system. Auditing
-+ these events could serve as evidence of potential system compromise.
-+
-+severity: medium
-+
-+{{{ complete_ocil_entry_audit_syscall(syscall="fremovexattr") }}}
-+
-+warnings:
-+ - general: |-
-+ Note that these rules can be configured in a
-+ number of ways while still achieving the desired effect. Here the audit rule checks a
-+ system call independently of other system calls. Grouping system calls related
-+ to the same event is more efficient. See the following example:
-+
-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
-diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_fsetxattr.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_fsetxattr.rule
-new file mode 100644
-index 0000000000..aa2d8fddf1
---- /dev/null
-+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_fsetxattr.rule
-@@ -0,0 +1,38 @@
-+documentation_complete: true
-+
-+prodtype: rhel7,fedora
-+
-+title: 'Record Unsuccessul Permission Changes to Files - fsetxattr'
-+
-+description: |-
-+ The audit system should collect unsuccessful file permission change
-+ attempts for all users and root.
-+ If the auditd daemon is configured
-+ to use the augenrules program to read audit rules during daemon
-+ startup (the default), add the following lines to a file with suffix
-+ .rules in the directory /etc/audit/rules.d.
-+ If the auditd daemon is configured to use the auditctl
-+ utility to read audit rules during daemon startup, add the following lines to
-+ /etc/audit/audit.rules file.
-+
-a always,exit -F arch=b32 -S fsetxattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
-+    -a always,exit -F arch=b32 -S fsetxattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
-+ If the system is 64 bit then also add the following lines:
-+
-a always,exit -F arch=b64 -S fsetxattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
-+    -a always,exit -F arch=b64 -S fsetxattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
-+
-+
-+rationale: |-
-+ Unsuccessful attempts to change permissions of files could be an indicator of malicious activity on a system. Auditing
-+ these events could serve as evidence of potential system compromise.
-+
-+severity: medium
-+
-+{{{ complete_ocil_entry_audit_syscall(syscall="fsetxattr") }}}
-+
-+warnings:
-+ - general: |-
-+ Note that these rules can be configured in a
-+ number of ways while still achieving the desired effect. Here the audit rule checks a
-+ system call independently of other system calls. Grouping system calls related
-+ to the same event is more efficient. See the following example:
-+
-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
-diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_lremovexattr.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_lremovexattr.rule
-new file mode 100644
-index 0000000000..ceac04e986
---- /dev/null
-+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_lremovexattr.rule
-@@ -0,0 +1,38 @@
-+documentation_complete: true
-+
-+prodtype: rhel7,fedora
-+
-+title: 'Record Unsuccessul Permission Changes to Files - lremovexattr'
-+
-+description: |-
-+ The audit system should collect unsuccessful file permission change
-+ attempts for all users and root.
-+ If the auditd daemon is configured
-+ to use the augenrules program to read audit rules during daemon
-+ startup (the default), add the following lines to a file with suffix
-+ .rules in the directory /etc/audit/rules.d.
-+ If the auditd daemon is configured to use the auditctl
-+ utility to read audit rules during daemon startup, add the following lines to
-+ /etc/audit/audit.rules file.
-+
-a always,exit -F arch=b32 -S lremovexattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
-+    -a always,exit -F arch=b32 -S lremovexattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
-+ If the system is 64 bit then also add the following lines:
-+
-a always,exit -F arch=b64 -S lremovexattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
-+    -a always,exit -F arch=b64 -S lremovexattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
-+
-+
-+rationale: |-
-+ Unsuccessful attempts to change permissions of files could be an indicator of malicious activity on a system. Auditing
-+ these events could serve as evidence of potential system compromise.
-+
-+severity: medium
-+
-+{{{ complete_ocil_entry_audit_syscall(syscall="lremovexattr") }}}
-+
-+warnings:
-+ - general: |-
-+ Note that these rules can be configured in a
-+ number of ways while still achieving the desired effect. Here the audit rule checks a
-+ system call independently of other system calls. Grouping system calls related
-+ to the same event is more efficient. See the following example:
-+
-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
-diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_lsetxattr.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_lsetxattr.rule
-new file mode 100644
-index 0000000000..6ff2f59d03
---- /dev/null
-+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_lsetxattr.rule
-@@ -0,0 +1,38 @@
-+documentation_complete: true
-+
-+prodtype: rhel7,fedora
-+
-+title: 'Record Unsuccessul Permission Changes to Files - lsetxattr'
-+
-+description: |-
-+ The audit system should collect unsuccessful file permission change
-+ attempts for all users and root.
-+ If the auditd daemon is configured
-+ to use the augenrules program to read audit rules during daemon
-+ startup (the default), add the following lines to a file with suffix
-+ .rules in the directory /etc/audit/rules.d.
-+ If the auditd daemon is configured to use the auditctl
-+ utility to read audit rules during daemon startup, add the following lines to
-+ /etc/audit/audit.rules file.
-+
-a always,exit -F arch=b32 -S lsetxattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
-+    -a always,exit -F arch=b32 -S lsetxattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
-+ If the system is 64 bit then also add the following lines:
-+
-a always,exit -F arch=b64 -S lsetxattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
-+    -a always,exit -F arch=b64 -S lsetxattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
-+
-+
-+rationale: |-
-+ Unsuccessful attempts to change permissions of files could be an indicator of malicious activity on a system. Auditing
-+ these events could serve as evidence of potential system compromise.
-+
-+severity: medium
-+
-+{{{ complete_ocil_entry_audit_syscall(syscall="lsetxattr") }}}
-+
-+warnings:
-+ - general: |-
-+ Note that these rules can be configured in a
-+ number of ways while still achieving the desired effect. Here the audit rule checks a
-+ system call independently of other system calls. Grouping system calls related
-+ to the same event is more efficient. See the following example:
-+
-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
-diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_removexattr.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_removexattr.rule
-new file mode 100644
-index 0000000000..b8946872d7
---- /dev/null
-+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_removexattr.rule
-@@ -0,0 +1,38 @@
-+documentation_complete: true
-+
-+prodtype: rhel7,fedora
-+
-+title: 'Record Unsuccessul Permission Changes to Files - removexattr'
-+
-+description: |-
-+ The audit system should collect unsuccessful file permission change
-+ attempts for all users and root.
-+ If the auditd daemon is configured
-+ to use the augenrules program to read audit rules during daemon
-+ startup (the default), add the following lines to a file with suffix
-+ .rules in the directory /etc/audit/rules.d.
-+ If the auditd daemon is configured to use the auditctl
-+ utility to read audit rules during daemon startup, add the following lines to
-+ /etc/audit/audit.rules file.
-+
-a always,exit -F arch=b32 -S removexattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
-+    -a always,exit -F arch=b32 -S removexattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
-+ If the system is 64 bit then also add the following lines:
-+
-a always,exit -F arch=b64 -S removexattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
-+    -a always,exit -F arch=b64 -S removexattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
-+
-+
-+rationale: |-
-+ Unsuccessful attempts to change permissions of files could be an indicator of malicious activity on a system. Auditing
-+ these events could serve as evidence of potential system compromise.
-+
-+severity: medium
-+
-+{{{ complete_ocil_entry_audit_syscall(syscall="removexattr") }}}
-+
-+warnings:
-+ - general: |-
-+ Note that these rules can be configured in a
-+ number of ways while still achieving the desired effect. Here the audit rule checks a
-+ system call independently of other system calls. Grouping system calls related
-+ to the same event is more efficient. See the following example:
-+
-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
-diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_setxattr.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_setxattr.rule
-new file mode 100644
-index 0000000000..a14cc93628
---- /dev/null
-+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_setxattr.rule
-@@ -0,0 +1,38 @@
-+documentation_complete: true
-+
-+prodtype: rhel7,fedora
-+
-+title: 'Record Unsuccessul Permission Changes to Files - setxattr'
-+
-+description: |-
-+ The audit system should collect unsuccessful file permission change
-+ attempts for all users and root.
-+ If the auditd daemon is configured
-+ to use the augenrules program to read audit rules during daemon
-+ startup (the default), add the following lines to a file with suffix
-+ .rules in the directory /etc/audit/rules.d.
-+ If the auditd daemon is configured to use the auditctl
-+ utility to read audit rules during daemon startup, add the following lines to
-+ /etc/audit/audit.rules file.
-+
-a always,exit -F arch=b32 -S setxattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
-+    -a always,exit -F arch=b32 -S setxattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
-+ If the system is 64 bit then also add the following lines:
-+
-a always,exit -F arch=b64 -S setxattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
-+    -a always,exit -F arch=b64 -S setxattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
-+
-+
-+rationale: |-
-+ Unsuccessful attempts to change permissions of files could be an indicator of malicious activity on a system. Auditing
-+ these events could serve as evidence of potential system compromise.
-+
-+severity: medium
-+
-+{{{ complete_ocil_entry_audit_syscall(syscall="setxattr") }}}
-+
-+warnings:
-+ - general: |-
-+ Note that these rules can be configured in a
-+ number of ways while still achieving the desired effect. Here the audit rule checks a
-+ system call independently of other system calls. Grouping system calls related
-+ to the same event is more efficient. See the following example:
-+
-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
-diff --git a/rhel7/profiles/ospp42-draft.profile b/rhel7/profiles/ospp42-draft.profile
-index 42c1e98e39..9802576814 100644
---- a/rhel7/profiles/ospp42-draft.profile
-+++ b/rhel7/profiles/ospp42-draft.profile
-@@ -108,6 +108,15 @@ selections:
- - audit_rules_dac_modification_lsetxattr
- - audit_rules_dac_modification_removexattr
- - audit_rules_dac_modification_setxattr
-+ - audit_rules_unsuccessful_file_modification_chmod
-+ - audit_rules_unsuccessful_file_modification_fchmodat
-+ - audit_rules_unsuccessful_file_modification_fchmod
-+ - audit_rules_unsuccessful_file_modification_fremovexattr
-+ - audit_rules_unsuccessful_file_modification_fsetxattr
-+ - audit_rules_unsuccessful_file_modification_lremovexattr
-+ - audit_rules_unsuccessful_file_modification_lsetxattr
-+ - audit_rules_unsuccessful_file_modification_removexattr
-+ - audit_rules_unsuccessful_file_modification_setxattr
- - audit_rules_execution_chcon
- - audit_rules_execution_restorecon
- - audit_rules_execution_semanage
-diff --git a/shared/templates/csv/audit_rules_unsuccessful_file_modification.csv b/shared/templates/csv/audit_rules_unsuccessful_file_modification.csv
-index 61b81a2ae0..5cc029eb92 100644
---- a/shared/templates/csv/audit_rules_unsuccessful_file_modification.csv
-+++ b/shared/templates/csv/audit_rules_unsuccessful_file_modification.csv
-@@ -1,14 +1,23 @@
- creat
-+chmod
- chown
-+fchmod
-+fchmodat
- fchown
- fchownat
-+fremovexattr
-+fsetxattr
- ftruncate
- lchown
-+lremovexattr
-+lsetxattr
- open
- openat
- open_by_handle_at
-+removexattr
- rename
- renameat
-+setxattr
- truncate
- unlink
- unlinkat
diff --git a/SOURCES/scap-security-guide-0.1.41-audit_log_access.patch b/SOURCES/scap-security-guide-0.1.41-audit_log_access.patch
deleted file mode 100644
index 587c4d8..0000000
--- a/SOURCES/scap-security-guide-0.1.41-audit_log_access.patch
+++ /dev/null
@@ -1,180 +0,0 @@
-diff --git a/shared/checks/oval/directory_access_var_log_audit.xml b/shared/checks/oval/directory_access_var_log_audit.xml
-new file mode 100644
-index 0000000000..8edc5970d3
---- /dev/null
-+++ b/shared/checks/oval/directory_access_var_log_audit.xml
-@@ -0,0 +1,57 @@
-+
-+
-+
-+ Ensure auditd Collects Information Read Access to /var/log/audit
-+
-+ Red Hat Enterprise Linux 7
-+ multi_platform_fedora
-+
-+ Audit rules about the read events to /var/log/audit
-+
-+
-+
-+
-+
-+
-+
-+
-+
-+
-+
-+
-+
-+
-+
-+
-+
-+
-+
-+
-+
-+ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+dir=/var/log/audit/)[\s]+(?:-F[\s]+perm=r)[\s]+(?:-F\s+auid>={{{ auid }}}[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
-+
-+
-+
-+
-+
-+
-+
-+ /etc/audit/rules\.d/.*\.rules
-+
-+ 1
-+
-+
-+
-+
-+
-+
-+
-+
-+ /etc/audit/audit.rules
-+
-+ 1
-+
-+
-+
-diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/directory_access_var_log_audit.rule b/linux_os/guide/system/auditing/auditd_configure_rules/directory_access_var_log_audit.rule
-new file mode 100644
-index 0000000000..acf6fc6a0e
---- /dev/null
-+++ b/linux_os/guide/system/auditing/auditd_configure_rules/directory_access_var_log_audit.rule
-@@ -0,0 +1,33 @@
-+documentation_complete: true
-+
-+title: 'Record Access Events to Audit Log directory'
-+
-+description: |-
-+ The audit system should collect access events to read audit log directory.
-+ The following audit rule will assure that access to audit log directory are
-+ collected.
-+
-a always,exit -F dir=/var/log/audit/ -F perm=r -F auid>=1000 -F auid!=unset -F key=access-audit-trail
-+ If the auditd daemon is configured to use the augenrules
-+ program to read audit rules during daemon startup (the default), add the
-+ rule to a file with suffix .rules in the directory
-+ /etc/audit/rules.d.
-+ If the auditd daemon is configured to use the auditctl
-+ utility to read audit rules during daemon startup, add the rule to
-+ /etc/audit/audit.rules file.
-+
-+rationale: |-
-+ Attempts to read the logs should be recorded, suspicious access to audit log files could be an indicator of malicious activity on a system.
-+ Auditing these events could serve as evidence of potential system compromise.'
-+
-+references:
-+ ospp@rhel7: FAU_GEN.1.1.c
-+
-+severity: unknown
-+
-+ocil_clause: "no line is returned"
-+
-+ocil: |-
-+ To determine if the system is configured to audit accesses to
-+ /var/log/audit directory, run the following command:
-+
$ sudo grep "dir=/var/log/audit" /etc/audit/audit.rules
-+ If the system is configured to audit this activity, it will return a line.
-diff --git a/rhel7/profiles/ospp42-draft.profile b/rhel7/profiles/ospp42-draft.profile
-index 42c1e98e39..0a71eb16f6 100644
---- a/rhel7/profiles/ospp42-draft.profile
-+++ b/rhel7/profiles/ospp42-draft.profile
-@@ -139,6 +139,7 @@ selections:
- - audit_rules_privileged_commands_sudo
- - audit_rules_privileged_commands_su
- - audit_rules_session_events
-+ - directory_access_var_log_audit
- - ensure_redhat_gpgkey_installed
- - ensure_gpgcheck_globally_activated
- - ensure_gpgcheck_never_disabled
-diff --git a/tests/data/group_system/group_auditing/group_auditd_configure_rules/rule_directory_access_var_log_audit/auditctl_correct_rule.pass.sh b/tests/data/group_system/group_auditing/group_auditd_configure_rules/rule_directory_access_var_log_audit/auditctl_correct_rule.pass.sh
-new file mode 100644
-index 0000000000..e9b1d56af3
---- /dev/null
-+++ b/tests/data/group_system/group_auditing/group_auditd_configure_rules/rule_directory_access_var_log_audit/auditctl_correct_rule.pass.sh
-@@ -0,0 +1,9 @@
-+#!/bin/bash
-+
-+# profiles = xccdf_org.ssgproject.content_profile_ospp
-+# remediation = none
-+
-+# Use auditctl in RHEL7
-+sed -i "s%^ExecStartPost=.*%ExecStartPost=-/sbin/auditctl%" /usr/lib/systemd/system/auditd.service
-+
-+echo "-a always,exit -F dir=/var/log/audit/ -F perm=r -F auid>=1000 -F auid!=unset -F key=access-audit-trail" >> /etc/audit/audit.rules
-diff --git a/tests/data/group_system/group_auditing/group_auditd_configure_rules/rule_directory_access_var_log_audit/auditctl_wrong_dir.fail.sh b/tests/data/group_system/group_auditing/group_auditd_configure_rules/rule_directory_access_var_log_audit/auditctl_wrong_dir.fail.sh
-new file mode 100644
-index 0000000000..1c68a3229b
---- /dev/null
-+++ b/tests/data/group_system/group_auditing/group_auditd_configure_rules/rule_directory_access_var_log_audit/auditctl_wrong_dir.fail.sh
-@@ -0,0 +1,9 @@
-+#!/bin/bash
-+
-+# profiles = 
xccdf_org.ssgproject.content_profile_ospp
-+# remediation = none
-+
-+# Use auditctl in RHEL7
-+sed -i "s%^ExecStartPost=.*%ExecStartPost=-/sbin/auditctl%" /usr/lib/systemd/system/auditd.service
-+
-+echo "-a always,exit -F dir=/var/log/auditd/ -F perm=r -F auid>=1000 -F auid!=unset -F key=access-audit-trail" >> /etc/audit/audit.rules
-diff --git a/tests/data/group_system/group_auditing/group_auditd_configure_rules/rule_directory_access_var_log_audit/augenrules_correct_rule.pass.sh b/tests/data/group_system/group_auditing/group_auditd_configure_rules/rule_directory_access_var_log_audit/augenrules_correct_rule.pass.sh
-new file mode 100644
-index 0000000000..58ef8bc15f
---- /dev/null
-+++ b/tests/data/group_system/group_auditing/group_auditd_configure_rules/rule_directory_access_var_log_audit/augenrules_correct_rule.pass.sh
-@@ -0,0 +1,6 @@
-+#!/bin/bash
-+
-+# profiles = xccdf_org.ssgproject.content_profile_ospp
-+# remediation = none
-+
-+echo "-a always,exit -F dir=/var/log/audit/ -F perm=r -F auid>=1000 -F auid!=unset -F key=access-audit-trail" >> /etc/audit/rules.d/var_log_audit.rules
-diff --git a/tests/data/group_system/group_auditing/group_auditd_configure_rules/rule_directory_access_var_log_audit/augenrules_wrong_dir.fail.sh b/tests/data/group_system/group_auditing/group_auditd_configure_rules/rule_directory_access_var_log_audit/augenrules_wrong_dir.fail.sh
-new file mode 100644
-index 0000000000..29f0f2d38e
---- /dev/null
-+++ b/tests/data/group_system/group_auditing/group_auditd_configure_rules/rule_directory_access_var_log_audit/augenrules_wrong_dir.fail.sh
-@@ -0,0 +1,6 @@
-+#!/bin/bash
-+
-+# profiles = xccdf_org.ssgproject.content_profile_ospp
-+# remediation = none
-+
-+echo "-a always,exit -F dir=/var/log/auditd/ -F perm=r -F auid>=1000 -F auid!=unset -F key=access-audit-trail" >> /etc/audit/rules.d/var_log_audit.rules
-diff --git 
a/tests/data/group_system/group_auditing/group_auditd_configure_rules/rule_directory_access_var_log_audit/augenrules_wrong_perm.fail.sh b/tests/data/group_system/group_auditing/group_auditd_configure_rules/rule_directory_access_var_log_audit/augenrules_wrong_perm.fail.sh
-new file mode 100644
-index 0000000000..82eae1895d
---- /dev/null
-+++ b/tests/data/group_system/group_auditing/group_auditd_configure_rules/rule_directory_access_var_log_audit/augenrules_wrong_perm.fail.sh
-@@ -0,0 +1,6 @@
-+#!/bin/bash
-+
-+# profiles = xccdf_org.ssgproject.content_profile_ospp
-+# remediation = none
-+
-+echo "-a always,exit -F dir=/var/log/audit/ -F perm=w -F auid>=1000 -F auid!=unset -F key=access-audit-trail" >> /etc/audit/rules.d/var_log_audit.rules
diff --git a/SOURCES/scap-security-guide-0.1.41-audit_misc_improvements.patch b/SOURCES/scap-security-guide-0.1.41-audit_misc_improvements.patch
deleted file mode 100644
index 63cf9fe..0000000
--- a/SOURCES/scap-security-guide-0.1.41-audit_misc_improvements.patch
+++ /dev/null
@@ -1,52 +0,0 @@
-diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_rename.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_rename.rule
-index 3fdcb3e89d..33b8371e91 100644
---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_rename.rule
-+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_rename.rule
-@@ -42,5 +42,6 @@ warnings:
- - general: |-
- Note that these rules can be configured in a
- number of ways while still achieving the desired effect. Here the system calls
-- have been placed independent of other system calls. Grouping these system
-- calls with others as identifying earlier in this guide is more efficient.
-+ have been placed independent of other system calls. Grouping system calls related
-+ to the same event is more efficient. See the following example:
-+
-a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-delete
-diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_renameat.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_renameat.rule
-index 848ea3256e..7f9093fcd2 100644
---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_renameat.rule
-+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_renameat.rule
-@@ -42,5 +42,6 @@ warnings:
- - general: |-
- Note that these rules can be configured in a
- number of ways while still achieving the desired effect. Here the system calls
-- have been placed independent of other system calls. Grouping these system
-- calls with others as identifying earlier in this guide is more efficient.
-+ have been placed independent of other system calls. Grouping system calls related
-+ to the same event is more efficient. See the following example:
-+
-a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-delete
-diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_unlink.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_unlink.rule
-index 8a64a965ea..f898cc5686 100644
---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_unlink.rule
-+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_unlink.rule
-@@ -42,5 +42,6 @@ warnings:
- - general: |-
- Note that these rules can be configured in a
- number of ways while still achieving the desired effect. Here the system calls
-- have been placed independent of other system calls. Grouping these system
-- calls with others as identifying earlier in this guide is more efficient.
-+ have been placed independent of other system calls. Grouping system calls related
-+ to the same event is more efficient. See the following example:
-+
-a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-delete
-diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_unlinkat.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_unlinkat.rule
-index c89d7d880b..7c5403361c 100644
---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_unlinkat.rule
-+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_unlinkat.rule
-@@ -42,5 +42,6 @@ warnings:
- - general: |-
- Note that these rules can be configured in a
- number of ways while still achieving the desired effect. Here the system calls
-- have been placed independent of other system calls. Grouping these system
-- calls with others as identifying earlier in this guide is more efficient.
-+ have been placed independent of other system calls. Grouping system calls related
-+ to the same event is more efficient. See the following example:
-+
-a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-delete
diff --git a/SOURCES/scap-security-guide-0.1.41-audit_passwd_log_writes.patch b/SOURCES/scap-security-guide-0.1.41-audit_passwd_log_writes.patch
deleted file mode 100644
index 8c1c30e..0000000
--- a/SOURCES/scap-security-guide-0.1.41-audit_passwd_log_writes.patch
+++ /dev/null
@@ -1,153 +0,0 @@ -diff --git a/shared/checks/oval/audit_rules_etc_passwd_open.xml b/shared/checks/oval/audit_rules_etc_passwd_open.xml -new file mode 100644 -index 0000000000..fd5c3efb28 ---- /dev/null -+++ b/shared/checks/oval/audit_rules_etc_passwd_open.xml -@@ -0,0 +1,96 @@ -+ -+ -+ -+ Ensure auditd Collects Write Events to /etc/passwd -+ -+ Red Hat Enterprise Linux 7 -+ multi_platform_fedora -+ -+ Audit rules about the write events to /etc/passwd -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S(?:[\s]+open[\s]+|(?:[\s]+|[,])open(?:[\s]+|[,])))[\S]*[\s]*(?:-F[\s]+a2&03)[\s]+(?:-F[\s]+path=/etc/passwd)[\s]+(?:-F\s+auid>={{{ auid }}}[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ -+ -+ -+ -+ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S(?:[\s]+open[\s]+|(?:[\s]+|[,])open(?:[\s]+|[,])))[\S]*[\s]*(?:-F[\s]+a2&03)[\s]+(?:-F[\s]+path=/etc/passwd)[\s]+(?:-F\s+auid>={{{ auid }}}[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ -+ -+ -+ -+ -+ -+ -+ -+ /etc/audit/rules\.d/.*\.rules -+ -+ 1 -+ -+ -+ -+ -+ -+ -+ /etc/audit/rules\.d/.*\.rules -+ -+ 1 -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ /etc/audit/audit.rules -+ -+ 1 -+ -+ -+ -+ -+ -+ -+ /etc/audit/audit.rules -+ -+ 1 -+ -+ -+ -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_passwd_open.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_passwd_open.rule -new file mode 100644 -index 0000000000..6e4aabcbe8 ---- /dev/null -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_passwd_open.rule -@@ -0,0 +1,36 @@ -+documentation_complete: true -+ -+prodtype: rhel7,fedora -+ -+title: 'Record Events that Modify User/Group Information via open syscall - /etc/passwd' -+ -+description: |- -+ The audit system should collect write events to /etc/passwd file for all users and 
root. -+ If the auditd daemon is configured -+ to use the augenrules program to read audit rules during daemon -+ startup (the default), add the following lines to a file with suffix -+ .rules in the directory /etc/audit/rules.d: -+
-a always,exit -F arch=b32 -S open -F a2&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=user-modify
-+ If the auditd daemon is configured to use the auditctl -+ utility to read audit rules during daemon startup, add the following lines to -+ /etc/audit/audit.rules file: -+
-a always,exit -F arch=b64 -S open -F a2&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=user-modify
-+ -+rationale: |- -+ Creation of users through direct edition of /etc/passwd could be an indicator of malicious activity on a system. -+ Auditing these events could serve as evidence of potential system compromise. -+ -+severity: medium -+ -+references: -+ ospp@rhel7: FAU_GEN.1.1.c -+ -+{{{ complete_ocil_entry_audit_syscall(syscall="open") }}} -+ -+warnings: -+ - general: |- -+ Note that these rules can be configured in a -+ number of ways while still achieving the desired effect. Here the system calls -+ have been placed independent of other system calls. Grouping system calls related -+ to the same event is more efficient. See the following example: -+
-a always,exit -F arch=b32 -S open,openat,open_by_handle_at -F a2&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=user-modify
-diff --git a/rhel7/profiles/ospp42-draft.profile b/rhel7/profiles/ospp42-draft.profile -index 63b7223731..86fb0ff2fb 100644 ---- a/rhel7/profiles/ospp42-draft.profile -+++ b/rhel7/profiles/ospp42-draft.profile -@@ -161,3 +161,4 @@ selections: - - audit_rules_kernel_module_loading_modprobe - - audit_rules_kernel_module_loading_rmmod - - security_patches_up_to_date -+ - audit_rules_etc_passwd_open diff --git a/SOURCES/scap-security-guide-0.1.41-audit_privileged_commands.patch b/SOURCES/scap-security-guide-0.1.41-audit_privileged_commands.patch deleted file mode 100644 index 09154b8..0000000 --- a/SOURCES/scap-security-guide-0.1.41-audit_privileged_commands.patch +++ /dev/null @@ -1,568 +0,0 @@ -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_seunshare.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_seunshare.rule -new file mode 100644 -index 0000000000..ce7a936545 ---- /dev/null -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_seunshare.rule -@@ -0,0 +1,40 @@ -+documentation_complete: true -+ -+prodtype: rhel7,fedora -+ -+title: 'Record Any Attempts to Run seunshare' -+ -+description: |- -+ At a minimum, the audit system should collect any execution attempt -+ of the seunshare command for all users and root. If the auditd -+ daemon is configured to use the augenrules program to read audit rules -+ during daemon startup (the default), add the following lines to a file with suffix -+ .rules in the directory /etc/audit/rules.d: -+
-a always,exit -F path=/usr/sbin/seunshare -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged-priv_change
-+ If the auditd daemon is configured to use the auditctl -+ utility to read audit rules during daemon startup, add the following lines to -+ /etc/audit/audit.rules file: -+
-a always,exit -F path=/usr/sbin/seunshare -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged-priv_change
-+ -+rationale: |- -+ Misuse of privileged functions, either intentionally or unintentionally by -+ authorized users, or by unauthorized external entities that have compromised system accounts, -+ is a serious and ongoing concern and can have significant adverse impacts on organizations. -+ Auditing the use of privileged functions is one way to detect such misuse and identify -+ the risk from insider and advanced persistent threast. -+

-+ Privileged programs are subject to escalation-of-privilege attacks, -+ which attempt to subvert their normal role of providing some necessary but -+ limited capability. As such, motivation exists to monitor these programs for -+ unusual activity. -+ -+severity: medium -+ -+references: -+ ospp@rhel7: FAU_GEN.1.1.c -+ -+ocil: |- -+ To verify that execution of the command is being audited, run the following command: -+
$ sudo grep "path=/usr/sbin/seunshare" /etc/audit/audit.rules /etc/audit/rules.d/*
-+ The output should return something similar to: -+
-a always,exit -F path=/usr/sbin/seunshare -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged-priv_change
-diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_at.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_at.rule -new file mode 100644 -index 0000000000..6d1a5c909b ---- /dev/null -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_at.rule -@@ -0,0 +1,42 @@ -+documentation_complete: true -+ -+prodtype: rhel7,fedora -+ -+title: 'Ensure auditd Collects Information on the Use of Privileged Commands - at' -+ -+description: |- -+ At a minimum, the audit system should collect the execution of -+ privileged commands for all users and root. If the auditd daemon is -+ configured to use the augenrules program to read audit rules during -+ daemon startup (the default), add a line of the following form to a file with -+ suffix .rules in the directory /etc/audit/rules.d: -+
-a always,exit -F path=/usr/bin/at -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
-+ If the auditd daemon is configured to use the auditctl -+ utility to read audit rules during daemon startup, add a line of the following -+ form to /etc/audit/audit.rules: -+
-a always,exit -F path=/usr/bin/at -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
-+ -+rationale: |- -+ Misuse of privileged functions, either intentionally or unintentionally by -+ authorized users, or by unauthorized external entities that have compromised system accounts, -+ is a serious and ongoing concern and can have significant adverse impacts on organizations. -+ Auditing the use of privileged functions is one way to detect such misuse and identify -+ the risk from insider and advanced persistent threast. -+

-+ Privileged programs are subject to escalation-of-privilege attacks, -+ which attempt to subvert their normal role of providing some necessary but -+ limited capability. As such, motivation exists to monitor these programs for -+ unusual activity. -+ -+severity: medium -+ -+references: -+ ospp@rhel7: FAU_GEN.1.1.c -+ -+ocil_clause: 'it is not the case' -+ -+ocil: |- -+ To verify that auditing of privileged command use is configured, run the -+ following command: -+
$ sudo grep '\bat\b' /etc/audit/audit.rules /etc/audit/rules.d/*
-+ It should return a relevant line in the audit rules. -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_mount.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_mount.rule -new file mode 100644 -index 0000000000..8eb3f39f01 ---- /dev/null -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_mount.rule -@@ -0,0 +1,42 @@ -+documentation_complete: true -+ -+prodtype: rhel7,fedora -+ -+title: 'Ensure auditd Collects Information on the Use of Privileged Commands - mount' -+ -+description: |- -+ At a minimum, the audit system should collect the execution of -+ privileged commands for all users and root. If the auditd daemon is -+ configured to use the augenrules program to read audit rules during -+ daemon startup (the default), add a line of the following form to a file with -+ suffix .rules in the directory /etc/audit/rules.d: -+
-a always,exit -F path=/usr/bin/mount -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
-+ If the auditd daemon is configured to use the auditctl -+ utility to read audit rules during daemon startup, add a line of the following -+ form to /etc/audit/audit.rules: -+
-a always,exit -F path=/usr/bin/mount -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
-+ -+rationale: |- -+ Misuse of privileged functions, either intentionally or unintentionally by -+ authorized users, or by unauthorized external entities that have compromised system accounts, -+ is a serious and ongoing concern and can have significant adverse impacts on organizations. -+ Auditing the use of privileged functions is one way to detect such misuse and identify -+ the risk from insider and advanced persistent threast. -+

-+ Privileged programs are subject to escalation-of-privilege attacks, -+ which attempt to subvert their normal role of providing some necessary but -+ limited capability. As such, motivation exists to monitor these programs for -+ unusual activity. -+ -+severity: medium -+ -+references: -+ ospp@rhel7: FAU_GEN.1.1.c -+ -+ocil_clause: 'it is not the case' -+ -+ocil: |- -+ To verify that auditing of privileged command use is configured, run the -+ following command: -+
$ sudo grep mount /etc/audit/audit.rules /etc/audit/rules.d/*
-+ It should return a relevant line in the audit rules. -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_newgidmap.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_newgidmap.rule -new file mode 100644 -index 0000000000..bd8dbcf1bd ---- /dev/null -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_newgidmap.rule -@@ -0,0 +1,42 @@ -+documentation_complete: true -+ -+prodtype: rhel7,fedora -+ -+title: 'Ensure auditd Collects Information on the Use of Privileged Commands - newgidmap' -+ -+description: |- -+ At a minimum, the audit system should collect the execution of -+ privileged commands for all users and root. If the auditd daemon is -+ configured to use the augenrules program to read audit rules during -+ daemon startup (the default), add a line of the following form to a file with -+ suffix .rules in the directory /etc/audit/rules.d: -+
-a always,exit -F path=/usr/bin/newgidmap -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
-+ If the auditd daemon is configured to use the auditctl -+ utility to read audit rules during daemon startup, add a line of the following -+ form to /etc/audit/audit.rules: -+
-a always,exit -F path=/usr/bin/newgidmap -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
-+ -+rationale: |- -+ Misuse of privileged functions, either intentionally or unintentionally by -+ authorized users, or by unauthorized external entities that have compromised system accounts, -+ is a serious and ongoing concern and can have significant adverse impacts on organizations. -+ Auditing the use of privileged functions is one way to detect such misuse and identify -+ the risk from insider and advanced persistent threast. -+

-+ Privileged programs are subject to escalation-of-privilege attacks, -+ which attempt to subvert their normal role of providing some necessary but -+ limited capability. As such, motivation exists to monitor these programs for -+ unusual activity. -+ -+severity: medium -+ -+references: -+ ospp@rhel7: FAU_GEN.1.1.c -+ -+ocil_clause: 'it is not the case' -+ -+ocil: |- -+ To verify that auditing of privileged command use is configured, run the -+ following command: -+
$ sudo grep newgidmap /etc/audit/audit.rules /etc/audit/rules.d/*
-+ It should return a relevant line in the audit rules. -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_newuidmap.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_newuidmap.rule -new file mode 100644 -index 0000000000..199dc381a1 ---- /dev/null -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_newuidmap.rule -@@ -0,0 +1,42 @@ -+documentation_complete: true -+ -+prodtype: rhel7,fedora -+ -+title: 'Ensure auditd Collects Information on the Use of Privileged Commands - newuidmap' -+ -+description: |- -+ At a minimum, the audit system should collect the execution of -+ privileged commands for all users and root. If the auditd daemon is -+ configured to use the augenrules program to read audit rules during -+ daemon startup (the default), add a line of the following form to a file with -+ suffix .rules in the directory /etc/audit/rules.d: -+
-a always,exit -F path=/usr/bin/newuidmap -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
-+ If the auditd daemon is configured to use the auditctl -+ utility to read audit rules during daemon startup, add a line of the following -+ form to /etc/audit/audit.rules: -+
-a always,exit -F path=/usr/bin/newuidmap -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
-+ -+rationale: |- -+ Misuse of privileged functions, either intentionally or unintentionally by -+ authorized users, or by unauthorized external entities that have compromised system accounts, -+ is a serious and ongoing concern and can have significant adverse impacts on organizations. -+ Auditing the use of privileged functions is one way to detect such misuse and identify -+ the risk from insider and advanced persistent threast. -+

-+ Privileged programs are subject to escalation-of-privilege attacks, -+ which attempt to subvert their normal role of providing some necessary but -+ limited capability. As such, motivation exists to monitor these programs for -+ unusual activity. -+ -+severity: medium -+ -+references: -+ ospp@rhel7: FAU_GEN.1.1.c -+ -+ocil_clause: 'it is not the case' -+ -+ocil: |- -+ To verify that auditing of privileged command use is configured, run the -+ following command: -+
$ sudo grep newuidmap /etc/audit/audit.rules /etc/audit/rules.d/*
-+ It should return a relevant line in the audit rules. -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_usernetctl.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_usernetctl.rule -new file mode 100644 -index 0000000000..c574f82d25 ---- /dev/null -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_usernetctl.rule -@@ -0,0 +1,42 @@ -+documentation_complete: true -+ -+prodtype: rhel7,fedora -+ -+title: 'Ensure auditd Collects Information on the Use of Privileged Commands - usernetctl' -+ -+description: |- -+ At a minimum, the audit system should collect the execution of -+ privileged commands for all users and root. If the auditd daemon is -+ configured to use the augenrules program to read audit rules during -+ daemon startup (the default), add a line of the following form to a file with -+ suffix .rules in the directory /etc/audit/rules.d: -+
-a always,exit -F path=/usr/sbin/usernetctl -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
-+ If the auditd daemon is configured to use the auditctl -+ utility to read audit rules during daemon startup, add a line of the following -+ form to /etc/audit/audit.rules: -+
-a always,exit -F path=/usr/sbin/usernetctl -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
-+ -+rationale: |- -+ Misuse of privileged functions, either intentionally or unintentionally by -+ authorized users, or by unauthorized external entities that have compromised system accounts, -+ is a serious and ongoing concern and can have significant adverse impacts on organizations. -+ Auditing the use of privileged functions is one way to detect such misuse and identify -+ the risk from insider and advanced persistent threast. -+

-+ Privileged programs are subject to escalation-of-privilege attacks, -+ which attempt to subvert their normal role of providing some necessary but -+ limited capability. As such, motivation exists to monitor these programs for -+ unusual activity. -+ -+severity: medium -+ -+references: -+ ospp@rhel7: FAU_GEN.1.1.c -+ -+ocil_clause: 'it is not the case' -+ -+ocil: |- -+ To verify that auditing of privileged command use is configured, run the -+ following command: -+
$ sudo grep usernetctl /etc/audit/audit.rules /etc/audit/rules.d/*
-+ It should return a relevant line in the audit rules. -diff --git a/rhel7/profiles/ospp42-draft.profile b/rhel7/profiles/ospp42-draft.profile -index 9802576814..270a94f85f 100644 ---- a/rhel7/profiles/ospp42-draft.profile -+++ b/rhel7/profiles/ospp42-draft.profile -@@ -121,6 +121,7 @@ selections: - - audit_rules_execution_restorecon - - audit_rules_execution_semanage - - audit_rules_execution_setsebool -+ - audit_rules_execution_seunshare - - audit_rules_mac_modification - - audit_rules_dac_modification_chown - - audit_rules_unsuccessful_file_modification_chown -@@ -130,15 +131,20 @@ selections: - - audit_rules_unsuccessful_file_modification_fchown - - audit_rules_dac_modification_lchown - - audit_rules_unsuccessful_file_modification_lchown -+ - audit_rules_privileged_commands_at -+ - audit_rules_privileged_commands_mount - - audit_rules_privileged_commands_passwd - - audit_rules_privileged_commands_unix_chkpwd - - audit_rules_privileged_commands_userhelper -+ - audit_rules_privileged_commands_usernetctl - - audit_rules_privileged_commands_chage - - audit_rules_privileged_commands_chsh - - audit_rules_privileged_commands_pt_chown - - audit_rules_sysadmin_actions - - audit_rules_privileged_commands_gpasswd -+ - audit_rules_privileged_commands_newgidmap - - audit_rules_privileged_commands_newgrp -+ - audit_rules_privileged_commands_newuidmap - - audit_rules_usergroup_modification_group - - audit_rules_usergroup_modification_gshadow - - audit_rules_usergroup_modification_opasswd -diff --git a/shared/bash_remediation_functions/perform_audit_rules_privileged_commands_remediation.sh b/shared/bash_remediation_functions/perform_audit_rules_privileged_commands_remediation.sh -index 73a08dd98a..3fd55c84d4 100644 ---- a/shared/bash_remediation_functions/perform_audit_rules_privileged_commands_remediation.sh -+++ b/shared/bash_remediation_functions/perform_audit_rules_privileged_commands_remediation.sh -@@ -79,7 +79,7 @@ do - local count_of_inspected_files=0 - - # Define 
expected rule form for this binary -- expected_rule="-a always,exit -F path=${sbinary} -F perm=x -F auid>=${min_auid} -F auid!=4294967295 -k privileged" -+ expected_rule="-a always,exit -F path=${sbinary} -F perm=x -F auid>=${min_auid} -F auid!=unset -k privileged" - - # If list of audit rules files to be inspected is empty, just add new rule and move on to next binary - if [[ ${#files_to_inspect[@]} -eq 0 ]]; then -@@ -100,9 +100,9 @@ do - # * existing rule contains all arguments from expected rule form (though can contain - # them in arbitrary order) - -- base_search=$(sed -e '/-a always,exit/!d' -e '/-F path='"${sbinary_esc}"'/!d' \ -- -e '/-F path=[^[:space:]]\+/!d' -e '/-F perm=.*/!d' \ -- -e '/-F auid>='"${min_auid}"'/!d' -e '/-F auid!=4294967295/!d' \ -+ base_search=$(sed -e '/-a always,exit/!d' -e '/-F path='"${sbinary_esc}"'/!d' \ -+ -e '/-F path=[^[:space:]]\+/!d' -e '/-F perm=.*/!d' \ -+ -e '/-F auid>='"${min_auid}"'/!d' -e '/-F auid!=\(?:4294967295\|unset\)/!d' \ - -e '/-k privileged/!d' "$afile") - - # Increase the count of inspected files for this sbinary -diff --git a/shared/templates/csv/audit_rules_execution.csv b/shared/templates/csv/audit_rules_execution.csv -index 8a78a4323c..45aa7493f3 100644 ---- a/shared/templates/csv/audit_rules_execution.csv -+++ b/shared/templates/csv/audit_rules_execution.csv -@@ -3,3 +3,4 @@ - /usr/sbin/semanage - /usr/sbin/setfiles - /usr/sbin/setsebool -+/usr/sbin/seunshare -diff --git a/shared/templates/csv/audit_rules_privileged_commands.csv b/shared/templates/csv/audit_rules_privileged_commands.csv -index 2d45332344..7fa26ffe2d 100644 ---- a/shared/templates/csv/audit_rules_privileged_commands.csv -+++ b/shared/templates/csv/audit_rules_privileged_commands.csv -@@ -1,8 +1,12 @@ -+/usr/bin/at - /usr/bin/chage - /usr/bin/chsh - /usr/bin/crontab - /usr/bin/gpasswd -+/usr/bin/mount -+/usr/bin/newgidmap - /usr/bin/newgrp -+/usr/bin/newuidmap - /usr/sbin/pam_timestamp_check - /usr/bin/passwd - /usr/sbin/postdrop -@@ -15,3 
+19,4 @@ - /usr/bin/umount - /usr/sbin/unix_chkpwd - /usr/sbin/userhelper -+/usr/sbin/usernetctl -diff --git a/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_privileged_commands/rule_audit_rules_privileged_commands/generate_privileged_commands_rule.sh b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_privileged_commands/rule_audit_rules_privileged_commands/generate_privileged_commands_rule.sh -new file mode 100755 -index 0000000000..9dc0cd1ce2 ---- /dev/null -+++ b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_privileged_commands/rule_audit_rules_privileged_commands/generate_privileged_commands_rule.sh -@@ -0,0 +1,8 @@ -+#!/bin/bash -+ -+AUID=$1 -+KEY=$2 -+RULEPATH=$3 -+for file in $(find / -xdev -type f -perm -4000 -o -type f -perm -2000 2>/dev/null); do -+ echo "-a always,exit -F path=$file -F perm=x -F auid>=$AUID -F auid!=unset -k $KEY" >> $RULEPATH -+done -diff --git a/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_privileged_commands/rule_audit_rules_privileged_commands/rhel6_audit.rules b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_privileged_commands/rule_audit_rules_privileged_commands/rhel6_audit.rules -deleted file mode 100644 -index 703bbafe10..0000000000 ---- a/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_privileged_commands/rule_audit_rules_privileged_commands/rhel6_audit.rules -+++ /dev/null -@@ -1,37 +0,0 @@ ---a always,exit -F path=/usr/sbin/postdrop -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged ---a always,exit -F path=/usr/sbin/usernetctl -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged ---a always,exit -F path=/usr/sbin/postqueue -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged ---a always,exit -F path=/usr/sbin/userhelper -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged ---a always,exit -F path=/usr/bin/at -F 
perm=x -F auid>=500 -F auid!=4294967295 -k privileged ---a always,exit -F path=/usr/bin/wall -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged ---a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged ---a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged ---a always,exit -F path=/usr/bin/write -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged ---a always,exit -F path=/usr/bin/staprun -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged ---a always,exit -F path=/usr/bin/ksu -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged ---a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged ---a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged ---a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged ---a always,exit -F path=/usr/bin/locate -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged ---a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged ---a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged ---a always,exit -F path=/usr/bin/ssh-agent -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged ---a always,exit -F path=/usr/bin/chfn -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged ---a always,exit -F path=/usr/bin/pkexec -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged ---a always,exit -F path=/usr/libexec/polkit-1/polkit-agent-helper-1 -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged ---a always,exit -F path=/usr/libexec/pt_chown -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged ---a always,exit -F path=/usr/libexec/utempter/utempter -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged ---a always,exit -F path=/usr/libexec/openssh/ssh-keysign -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged ---a always,exit -F 
path=/usr/libexec/abrt-action-install-debuginfo-to-abrt-cache -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged ---a always,exit -F path=/sbin/netreport -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged ---a always,exit -F path=/sbin/pam_timestamp_check -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged ---a always,exit -F path=/sbin/unix_chkpwd -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged ---a always,exit -F path=/sbin/mount.nfs -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged ---a always,exit -F path=/lib64/dbus-1/dbus-daemon-launch-helper -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged ---a always,exit -F path=/bin/mount -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged ---a always,exit -F path=/bin/su -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged ---a always,exit -F path=/bin/umount -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged ---a always,exit -F path=/bin/cgclassify -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged ---a always,exit -F path=/bin/cgexec -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged ---a always,exit -F path=/bin/ping -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged ---a always,exit -F path=/bin/ping6 -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged -diff --git a/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_privileged_commands/rule_audit_rules_privileged_commands/rhel6_auditctl_rules_configured.pass.sh b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_privileged_commands/rule_audit_rules_privileged_commands/rhel6_auditctl_rules_configured.pass.sh -index 60b9eb0c45..a8a25ebdb3 100644 ---- a/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_privileged_commands/rule_audit_rules_privileged_commands/rhel6_auditctl_rules_configured.pass.sh -+++ 
b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_privileged_commands/rule_audit_rules_privileged_commands/rhel6_auditctl_rules_configured.pass.sh
-@@ -2,7 +2,6 @@
- # profiles = xccdf_org.ssgproject.content_profile_pci-dss
- # remediation = bash
-
--cp rhel6_audit.rules /etc/audit/rules.d/privileged.rules
--cp rhel6_audit.rules /etc/audit/audit.rules
-+./generate_privileged_commands_rule.sh 500 privileged /etc/audit/audit.rules
- # This is a trick to fail setup of this test in rhel7 systems
- ls /etc/sysconfig/auditd
-diff --git a/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_privileged_commands/rule_audit_rules_privileged_commands/rhel6_augenrules_rules_configured.pass.sh b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_privileged_commands/rule_audit_rules_privileged_commands/rhel6_augenrules_rules_configured.pass.sh
-index 1b628be506..5594d7566a 100644
---- a/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_privileged_commands/rule_audit_rules_privileged_commands/rhel6_augenrules_rules_configured.pass.sh
-+++ b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_privileged_commands/rule_audit_rules_privileged_commands/rhel6_augenrules_rules_configured.pass.sh
-@@ -2,6 +2,5 @@
- # profiles = xccdf_org.ssgproject.content_profile_pci-dss
- # remediation = bash
-
--cp rhel6_audit.rules /etc/audit/rules.d/privileged.rules
--cp rhel6_audit.rules /etc/audit/audit.rules
-+./generate_privileged_commands_rule.sh 500 privileged /etc/audit/rules.d/privileged.rules
- sed -i "s/USE_AUGENRULES=.*/USE_AUGENRULES=\"yes\"/" /etc/sysconfig/auditd
-diff --git a/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_privileged_commands/rule_audit_rules_privileged_commands/rhel7_auditctl_rules_configured.pass.sh b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_privileged_commands/rule_audit_rules_privileged_commands/rhel7_auditctl_rules_configured.pass.sh
-index ee95d13d5d..3f891eed60 100644
---- a/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_privileged_commands/rule_audit_rules_privileged_commands/rhel7_auditctl_rules_configured.pass.sh
-+++ b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_privileged_commands/rule_audit_rules_privileged_commands/rhel7_auditctl_rules_configured.pass.sh
-@@ -2,6 +2,5 @@
- # profiles = xccdf_org.ssgproject.content_profile_pci-dss
- # remediation = bash
-
--cp rhel7_privileged.rules /etc/audit/rules.d/privileged.rules
--cp rhel7_privileged.rules /etc/audit/audit.rules
-+./generate_privileged_commands_rule.sh 1000 privileged /etc/audit/audit.rules
- sed -i "s%^ExecStartPost=.*%ExecStartPost=-/sbin/auditctl%" /usr/lib/systemd/system/auditd.service
-diff --git a/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_privileged_commands/rule_audit_rules_privileged_commands/rhel7_augenrules_rules_configured.pass.sh b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_privileged_commands/rule_audit_rules_privileged_commands/rhel7_augenrules_rules_configured.pass.sh
-index 77f9549418..74583bf989 100644
---- a/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_privileged_commands/rule_audit_rules_privileged_commands/rhel7_augenrules_rules_configured.pass.sh
-+++ b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_privileged_commands/rule_audit_rules_privileged_commands/rhel7_augenrules_rules_configured.pass.sh
-@@ -2,7 +2,6 @@
- # profiles = xccdf_org.ssgproject.content_profile_pci-dss
- # remediation = bash
-
--cp rhel7_privileged.rules /etc/audit/rules.d/privileged.rules
--cp rhel7_privileged.rules /etc/audit/audit.rules
-+./generate_privileged_commands_rule.sh 1000 privileged /etc/audit/rules.d/privileged.rules
- # This is a trick to fail setup of this test in rhel6 systems
- ls /usr/lib/systemd/system/auditd.service
-diff --git a/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_privileged_commands/rule_audit_rules_privileged_commands/rhel7_own_key.rules b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_privileged_commands/rule_audit_rules_privileged_commands/rhel7_own_key.rules
-deleted file mode 100644
-index 4df6d4ec8b..0000000000
---- a/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_privileged_commands/rule_audit_rules_privileged_commands/rhel7_own_key.rules
-+++ /dev/null
-@@ -1,30 +0,0 @@
---a always,exit -F path=/usr/bin/wall -F perm=x -F auid>=1000 -F auid!=4294967295 -k own_key
---a always,exit -F path=/usr/bin/chfn -F perm=x -F auid>=1000 -F auid!=4294967295 -k own_key
---a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=4294967295 -k own_key
---a always,exit -F path=/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=4294967295 -k own_key
---a always,exit -F path=/usr/bin/write -F perm=x -F auid>=1000 -F auid!=4294967295 -k own_key
---a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=4294967295 -k own_key
---a always,exit -F path=/usr/bin/su -F perm=x -F auid>=1000 -F auid!=4294967295 -k own_key
---a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=4294967295 -k own_key
---a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=4294967295 -k own_key
---a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=4294967295 -k own_key
---a always,exit -F path=/usr/bin/mount -F perm=x -F auid>=1000 -F auid!=4294967295 -k own_key
---a always,exit -F path=/usr/bin/pkexec -F perm=x -F auid>=1000 -F auid!=4294967295 -k own_key
---a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=4294967295 -k own_key
---a always,exit -F path=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F auid!=4294967295 -k own_key
---a always,exit -F path=/usr/bin/at -F perm=x -F auid>=1000 -F auid!=4294967295 -k own_key
---a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=4294967295 -k own_key
---a always,exit -F path=/usr/bin/staprun -F perm=x -F auid>=1000 -F auid!=4294967295 -k own_key
---a always,exit -F path=/usr/bin/locate -F perm=x -F auid>=1000 -F auid!=4294967295 -k own_key
---a always,exit -F path=/usr/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=4294967295 -k own_key
---a always,exit -F path=/usr/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=4294967295 -k own_key
---a always,exit -F path=/usr/sbin/netreport -F perm=x -F auid>=1000 -F auid!=4294967295 -k own_key
---a always,exit -F path=/usr/sbin/usernetctl -F perm=x -F auid>=1000 -F auid!=4294967295 -k own_key
---a always,exit -F path=/usr/sbin/userhelper -F perm=x -F auid>=1000 -F auid!=4294967295 -k own_key
---a always,exit -F path=/usr/sbin/postdrop -F perm=x -F auid>=1000 -F auid!=4294967295 -k own_key
---a always,exit -F path=/usr/sbin/postqueue -F perm=x -F auid>=1000 -F auid!=4294967295 -k own_key
---a always,exit -F path=/usr/lib/polkit-1/polkit-agent-helper-1 -F perm=x -F auid>=1000 -F auid!=4294967295 -k own_key
---a always,exit -F path=/usr/libexec/utempter/utempter -F perm=x -F auid>=1000 -F auid!=4294967295 -k own_key
---a always,exit -F path=/usr/libexec/dbus-1/dbus-daemon-launch-helper -F perm=x -F auid>=1000 -F auid!=4294967295 -k own_key
---a always,exit -F path=/usr/libexec/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=4294967295 -k own_key
---a always,exit -F path=/usr/libexec/abrt-action-install-debuginfo-to-abrt-cache -F perm=x -F auid>=1000 -F auid!=4294967295 -k own_key
-diff --git a/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_privileged_commands/rule_audit_rules_privileged_commands/rhel7_privileged.rules b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_privileged_commands/rule_audit_rules_privileged_commands/rhel7_privileged.rules
-deleted file mode 100644
-index 4eb644acbc..0000000000
---- a/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_privileged_commands/rule_audit_rules_privileged_commands/rhel7_privileged.rules
-+++ /dev/null
-@@ -1,30 +0,0 @@
---a always,exit -F path=/usr/bin/wall -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
---a always,exit -F path=/usr/bin/chfn -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
---a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
---a always,exit -F path=/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
---a always,exit -F path=/usr/bin/write -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
---a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
---a always,exit -F path=/usr/bin/su -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
---a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
---a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
---a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
---a always,exit -F path=/usr/bin/mount -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
---a always,exit -F path=/usr/bin/pkexec -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
---a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
---a always,exit -F path=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
---a always,exit -F path=/usr/bin/at -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
---a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
---a always,exit -F path=/usr/bin/staprun -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
---a always,exit -F path=/usr/bin/locate -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
---a always,exit -F path=/usr/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
---a always,exit -F path=/usr/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
---a always,exit -F path=/usr/sbin/netreport -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
---a always,exit -F path=/usr/sbin/usernetctl -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
---a always,exit -F path=/usr/sbin/userhelper -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
---a always,exit -F path=/usr/sbin/postdrop -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
---a always,exit -F path=/usr/sbin/postqueue -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
---a always,exit -F path=/usr/lib/polkit-1/polkit-agent-helper-1 -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
---a always,exit -F path=/usr/libexec/utempter/utempter -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
---a always,exit -F path=/usr/libexec/dbus-1/dbus-daemon-launch-helper -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
---a always,exit -F path=/usr/libexec/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
---a always,exit -F path=/usr/libexec/abrt-action-install-debuginfo-to-abrt-cache -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-diff --git a/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_privileged_commands/rule_audit_rules_privileged_commands/rhel7_rules_with_own_key.pass.sh b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_privileged_commands/rule_audit_rules_privileged_commands/rhel7_rules_with_own_key.pass.sh
-index ac5ef2ddd9..35a5fde2c6 100644
---- a/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_privileged_commands/rule_audit_rules_privileged_commands/rhel7_rules_with_own_key.pass.sh
-+++ b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_privileged_commands/rule_audit_rules_privileged_commands/rhel7_rules_with_own_key.pass.sh
-@@ -2,7 +2,6 @@
- # profiles = xccdf_org.ssgproject.content_profile_pci-dss
- # remediation = bash
-
--cp rhel7_own_key.rules /etc/audit/rules.d/privileged.rules
--cp rhel7_own_key.rules /etc/audit/audit.rules
-+./generate_privileged_commands_rule.sh 1000 own_key /etc/audit/rules.d/privileged.rules
- # This is a trick to fail setup of this test in rhel6 systems
- ls /usr/lib/systemd/system/auditd.service
diff --git a/SOURCES/scap-security-guide-0.1.41-audit_unset_4294967295.patch b/SOURCES/scap-security-guide-0.1.41-audit_unset_4294967295.patch
deleted file mode 100644
index af6d07e..0000000
--- a/SOURCES/scap-security-guide-0.1.41-audit_unset_4294967295.patch
+++ /dev/null
@@ -1,240 +0,0 @@ -diff --git a/shared/checks/oval/audit_rules_privileged_commands.xml b/shared/checks/oval/audit_rules_privileged_commands.xml -index 0131c69f5f..227be65330 100644 ---- a/shared/checks/oval/audit_rules_privileged_commands.xml -+++ b/shared/checks/oval/audit_rules_privileged_commands.xml -@@ -75,7 +75,7 @@ - - - ^/etc/audit/rules\.d/.*\.rules -- ^[\s]*-a always,exit (?:-F path=([\S]+) )+-F perm=[r|w]?x -F auid>={{{ auid }}} -F auid!=4294967295[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ -+ ^[\s]*-a always,exit (?:-F path=([\S]+) )+-F perm=[r|w]?x -F auid>={{{ auid }}} -F auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ - 1 - state_proper_audit_rule_but_for_unprivileged_command - -@@ -99,7 +99,7 @@ - - - /etc/audit/audit.rules -- ^[\s]*-a always,exit (?:-F path=([\S]+) )+-F perm=[r|w]?x -F auid>={{{ auid }}} -F auid!=4294967295[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ -+ ^[\s]*-a always,exit (?:-F path=([\S]+) )+-F perm=[r|w]?x -F auid>={{{ auid }}} -F auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ - 1 - state_proper_audit_rule_but_for_unprivileged_command - -diff --git a/shared/checks/oval/audit_rules_media_export.xml b/shared/checks/oval/audit_rules_media_export.xml -index 3db93755c0..e6ad472745 100644 ---- a/shared/checks/oval/audit_rules_media_export.xml -+++ b/shared/checks/oval/audit_rules_media_export.xml -@@ -37,7 +37,7 @@ - - - ^/etc/audit/rules\.d/.*\.rules -- ^\-a\s+always,exit\s+(\-F\s+arch=b32\s+)(?:.*(-S[\s]+mount[\s]+|([\s]+|[,])mount([\s]+|[,])))(?:.*-F\s+auid>={{{ auid }}}\s+\-F\s+auid!=4294967295\s+)(-k[\s]+|-F[\s]+key=)[-\w]+\s*$ -+ ^\-a\s+always,exit\s+(\-F\s+arch=b32\s+)(?:.*(-S[\s]+mount[\s]+|([\s]+|[,])mount([\s]+|[,])))(?:.*-F\s+auid>={{{ auid }}}\s+\-F\s+auid!=(?:4294967295|unset)\s+)(-k[\s]+|-F[\s]+key=)[-\w]+\s*$ - 1 - - -@@ -46,7 +46,7 @@ - - - ^/etc/audit/rules\.d/.*\.rules -- ^\-a\s+always,exit\s+(\-F\s+arch=b64\s+)(?:.*(-S[\s]+mount[\s]+|([\s]+|[,])mount([\s]+|[,])))(?:.*-F\s+auid>={{{ auid 
}}}\s+\-F\s+auid!=4294967295\s+)(-k[\s]+|-F[\s]+key=)[-\w]+\s*$ -+ ^\-a\s+always,exit\s+(\-F\s+arch=b64\s+)(?:.*(-S[\s]+mount[\s]+|([\s]+|[,])mount([\s]+|[,])))(?:.*-F\s+auid>={{{ auid }}}\s+\-F\s+auid!=(?:4294967295|unset)\s+)(-k[\s]+|-F[\s]+key=)[-\w]+\s*$ - 1 - - -@@ -55,7 +55,7 @@ - - - /etc/audit/audit.rules -- ^\-a\s+always,exit\s+(\-F\s+arch=b32\s+)(?:.*(-S[\s]+mount[\s]+|([\s]+|[,])mount([\s]+|[,])))(?:.*-F\s+auid>={{{ auid }}}\s+\-F\s+auid!=4294967295\s+)(-k[\s]+|-F[\s]+key=)[-\w]+\s*$ -+ ^\-a\s+always,exit\s+(\-F\s+arch=b32\s+)(?:.*(-S[\s]+mount[\s]+|([\s]+|[,])mount([\s]+|[,])))(?:.*-F\s+auid>={{{ auid }}}\s+\-F\s+auid!=(?:4294967295|unset)\s+)(-k[\s]+|-F[\s]+key=)[-\w]+\s*$ - 1 - - -@@ -64,7 +64,7 @@ - - - /etc/audit/audit.rules -- ^\-a\s+always,exit\s+(\-F\s+arch=b64\s+)(?:.*(-S[\s]+mount[\s]+|([\s]+|[,])mount([\s]+|[,])))(?:.*-F\s+auid>={{{ auid }}}\s+\-F\s+auid!=4294967295\s+)(-k[\s]+|-F[\s]+key=)[-\w]+\s*$ -+ ^\-a\s+always,exit\s+(\-F\s+arch=b64\s+)(?:.*(-S[\s]+mount[\s]+|([\s]+|[,])mount([\s]+|[,])))(?:.*-F\s+auid>={{{ auid }}}\s+\-F\s+auid!=(?:4294967295|unset)\s+)(-k[\s]+|-F[\s]+key=)[-\w]+\s*$ - 1 - - -diff --git a/shared/templates/template_OVAL_audit_rules_dac_modification b/shared/templates/template_OVAL_audit_rules_dac_modification -index 9d59ce6736..f7491bc3f2 100644 ---- a/shared/templates/template_OVAL_audit_rules_dac_modification -+++ b/shared/templates/template_OVAL_audit_rules_dac_modification -@@ -43,7 +43,7 @@ - - - /etc/audit/rules\.d/.*\.rules -- ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+{{{ ATTR }}}[\s]+|([\s]+|[,]){{{ ATTR }}}([\s]+|[,])))(?:.*-F\s+auid>={{{ auid }}}[\s]+)(?:.*-F\s+auid!=4294967295[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ -+ ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+{{{ ATTR }}}[\s]+|([\s]+|[,]){{{ ATTR }}}([\s]+|[,])))(?:.*-F\s+auid>={{{ auid }}}[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ - 1 - - -@@ -52,7 +52,7 @@ - - - 
/etc/audit/rules\.d/.*\.rules -- ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+{{{ ATTR }}}[\s]+|([\s]+|[,]){{{ ATTR }}}([\s]+|[,])))(?:.*-F\s+auid>={{{ auid }}}[\s]+)(?:.*-F\s+auid!=4294967295[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ -+ ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+{{{ ATTR }}}[\s]+|([\s]+|[,]){{{ ATTR }}}([\s]+|[,])))(?:.*-F\s+auid>={{{ auid }}}[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ - 1 - - -@@ -61,7 +61,7 @@ - - - /etc/audit/audit.rules -- ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+{{{ ATTR }}}[\s]+|([\s]+|[,]){{{ ATTR }}}([\s]+|[,])))(?:.*-F\s+auid>={{{ auid }}}[\s]+)(?:.*-F\s+auid!=4294967295[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ -+ ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+{{{ ATTR }}}[\s]+|([\s]+|[,]){{{ ATTR }}}([\s]+|[,])))(?:.*-F\s+auid>={{{ auid }}}[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ - 1 - - -@@ -70,7 +70,7 @@ - - - /etc/audit/audit.rules -- ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+{{{ ATTR }}}[\s]+|([\s]+|[,]){{{ ATTR }}}([\s]+|[,])))(?:.*-F\s+auid>={{{ auid }}}[\s]+)(?:.*-F\s+auid!=4294967295[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ -+ ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+{{{ ATTR }}}[\s]+|([\s]+|[,]){{{ ATTR }}}([\s]+|[,])))(?:.*-F\s+auid>={{{ auid }}}[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ - 1 - - -diff --git a/shared/templates/template_OVAL_audit_rules_file_deletion_events b/shared/templates/template_OVAL_audit_rules_file_deletion_events -index 4d8e8f8cec..74f37f385c 100644 ---- a/shared/templates/template_OVAL_audit_rules_file_deletion_events -+++ b/shared/templates/template_OVAL_audit_rules_file_deletion_events -@@ -43,7 +43,7 @@ - - - /etc/audit/rules\.d/.*\.rules -- ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+{{{ NAME 
}}}[\s]+|([\s]+|[,]){{{ NAME }}}([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=4294967295[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ -+ ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+{{{ NAME }}}[\s]+|([\s]+|[,]){{{ NAME }}}([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ - 1 - - -@@ -52,7 +52,7 @@ - - - /etc/audit/rules\.d/.*\.rules -- ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+{{{ NAME }}}[\s]+|([\s]+|[,]){{{ NAME }}}([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=4294967295[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ -+ ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+{{{ NAME }}}[\s]+|([\s]+|[,]){{{ NAME }}}([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ - 1 - - -@@ -61,7 +61,7 @@ - - - /etc/audit/audit.rules -- ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+{{{ NAME }}}[\s]+|([\s]+|[,]){{{ NAME }}}([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=4294967295[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ -+ ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+{{{ NAME }}}[\s]+|([\s]+|[,]){{{ NAME }}}([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ - 1 - - -@@ -70,7 +70,7 @@ - - - /etc/audit/audit.rules -- ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+{{{ NAME }}}[\s]+|([\s]+|[,]){{{ NAME }}}([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=4294967295[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ -+ ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+{{{ NAME }}}[\s]+|([\s]+|[,]){{{ NAME }}}([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ - 1 - - -diff --git a/shared/templates/template_OVAL_audit_rules_privileged_commands 
b/shared/templates/template_OVAL_audit_rules_privileged_commands -index 1c0975ed36..f518a55e0d 100644 ---- a/shared/templates/template_OVAL_audit_rules_privileged_commands -+++ b/shared/templates/template_OVAL_audit_rules_privileged_commands -@@ -30,7 +30,7 @@ - - - /etc/audit/rules\.d/.*\.rules -- ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path={{{ PATH }}}[\s]+-F[\s]+perm=x[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=4294967295[\s]+(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ -+ ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path={{{ PATH }}}[\s]+-F[\s]+perm=x[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ - 1 - - -@@ -39,7 +39,7 @@ - - - /etc/audit/audit.rules -- ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path={{{ PATH }}}[\s]+-F[\s]+perm=x[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=4294967295[\s]+(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ -+ ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path={{{ PATH }}}[\s]+-F[\s]+perm=x[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ - 1 - - -diff --git a/shared/templates/template_OVAL_audit_rules_unsuccessful_file_modification b/shared/templates/template_OVAL_audit_rules_unsuccessful_file_modification -index fc3dc3306c..555375c757 100644 ---- a/shared/templates/template_OVAL_audit_rules_unsuccessful_file_modification -+++ b/shared/templates/template_OVAL_audit_rules_unsuccessful_file_modification -@@ -51,7 +51,7 @@ - - - /etc/audit/rules\.d/.*\.rules -- ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+{{{ NAME }}}[\s]+|([\s]+|[,]){{{ NAME }}}([\s]+|[,])))(?:.*-F\s+exit=\-EACCES[\s]+)(?:.*-F\s+auid>={{{ auid }}}[\s]+)(?:.*-F\s+auid!=4294967295[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ -+ ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+{{{ NAME }}}[\s]+|([\s]+|[,]){{{ NAME }}}([\s]+|[,])))(?:.*-F\s+exit=\-EACCES[\s]+)(?:.*-F\s+auid>={{{ auid }}}[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ - 1 - - -@@ -60,7 +60,7 @@ - - - 
/etc/audit/rules\.d/.*\.rules -- ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+{{{ NAME }}}[\s]+|([\s]+|[,]){{{ NAME }}}([\s]+|[,])))(?:.*-F\s+exit=\-EPERM[\s]+)(?:.*-F\s+auid>={{{ auid }}}[\s]+)(?:.*-F\s+auid!=4294967295[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ -+ ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+{{{ NAME }}}[\s]+|([\s]+|[,]){{{ NAME }}}([\s]+|[,])))(?:.*-F\s+exit=\-EPERM[\s]+)(?:.*-F\s+auid>={{{ auid }}}[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ - 1 - - -@@ -69,7 +69,7 @@ - - - /etc/audit/rules\.d/.*\.rules -- ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+{{{ NAME }}}[\s]+|([\s]+|[,]){{{ NAME }}}([\s]+|[,])))(?:.*-F\s+exit=\-EACCES[\s]+)(?:.*-F\s+auid>={{{ auid }}}[\s]+)(?:.*-F\s+auid!=4294967295[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ -+ ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+{{{ NAME }}}[\s]+|([\s]+|[,]){{{ NAME }}}([\s]+|[,])))(?:.*-F\s+exit=\-EACCES[\s]+)(?:.*-F\s+auid>={{{ auid }}}[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ - 1 - - -@@ -78,7 +78,7 @@ - - - /etc/audit/rules\.d/.*\.rules -- ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+{{{ NAME }}}[\s]+|([\s]+|[,]){{{ NAME }}}([\s]+|[,])))(?:.*-F\s+exit=\-EPERM[\s]+)(?:.*-F\s+auid>={{{ auid }}}[\s]+)(?:.*-F\s+auid!=4294967295[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ -+ ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+{{{ NAME }}}[\s]+|([\s]+|[,]){{{ NAME }}}([\s]+|[,])))(?:.*-F\s+exit=\-EPERM[\s]+)(?:.*-F\s+auid>={{{ auid }}}[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ - 1 - - -@@ -87,7 +87,7 @@ - - - /etc/audit/audit.rules -- ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+{{{ NAME }}}[\s]+|([\s]+|[,]){{{ NAME }}}([\s]+|[,])))(?:.*-F\s+exit=\-EACCES[\s]+)(?:.*-F\s+auid>={{{ auid 
}}}[\s]+)(?:.*-F\s+auid!=4294967295[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ -+ ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+{{{ NAME }}}[\s]+|([\s]+|[,]){{{ NAME }}}([\s]+|[,])))(?:.*-F\s+exit=\-EACCES[\s]+)(?:.*-F\s+auid>={{{ auid }}}[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ - 1 - - -@@ -96,7 +96,7 @@ - - - /etc/audit/audit.rules -- ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+{{{ NAME }}}[\s]+|([\s]+|[,]){{{ NAME }}}([\s]+|[,])))(?:.*-F\s+exit=\-EPERM[\s]+)(?:.*-F\s+auid>={{{ auid }}}[\s]+)(?:.*-F\s+auid!=4294967295[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ -+ ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+{{{ NAME }}}[\s]+|([\s]+|[,]){{{ NAME }}}([\s]+|[,])))(?:.*-F\s+exit=\-EPERM[\s]+)(?:.*-F\s+auid>={{{ auid }}}[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ - 1 - - -@@ -105,7 +105,7 @@ - - - /etc/audit/audit.rules -- ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+{{{ NAME }}}[\s]+|([\s]+|[,]){{{ NAME }}}([\s]+|[,])))(?:.*-F\s+exit=\-EACCES[\s]+)(?:.*-F\s+auid>={{{ auid }}}[\s]+)(?:.*-F\s+auid!=4294967295[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ -+ ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+{{{ NAME }}}[\s]+|([\s]+|[,]){{{ NAME }}}([\s]+|[,])))(?:.*-F\s+exit=\-EACCES[\s]+)(?:.*-F\s+auid>={{{ auid }}}[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ - 1 - - -@@ -114,7 +114,7 @@ - - - /etc/audit/audit.rules -- ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+{{{ NAME }}}[\s]+|([\s]+|[,]){{{ NAME }}}([\s]+|[,])))(?:.*-F\s+exit=\-EPERM[\s]+)(?:.*-F\s+auid>={{{ auid }}}[\s]+)(?:.*-F\s+auid!=4294967295[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ -+ ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+{{{ NAME }}}[\s]+|([\s]+|[,]){{{ NAME }}}([\s]+|[,])))(?:.*-F\s+exit=\-EPERM[\s]+)(?:.*-F\s+auid>={{{ auid 
}}}[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ - 1 - - diff --git a/SOURCES/scap-security-guide-0.1.41-bash_and_tests_for_grub2_audit_argument.patch b/SOURCES/scap-security-guide-0.1.41-bash_and_tests_for_grub2_audit_argument.patch deleted file mode 100644 index 1d2cbdb..0000000 --- a/SOURCES/scap-security-guide-0.1.41-bash_and_tests_for_grub2_audit_argument.patch +++ /dev/null 
@@ -1,131 +0,0 @@
-From fde8c630799aee5339076355be0812b64f89c733 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?=
-Date: Tue, 11 Sep 2018 10:27:48 +0200
-Subject: [PATCH 1/3] Add bash for rule grub2_audit_argument
-
----
- .../auditing/grub2_audit_argument/bash/shared.sh | 13 +++++++++++++
- 1 file changed, 13 insertions(+)
- create mode 100644 shared/fixes/bash/grub2_audit_argument.sh
-
-diff --git a/shared/fixes/bash/grub2_audit_argument.sh b/shared/fixes/bash/grub2_audit_argument.sh
-new file mode 100644
-index 0000000000..913ebd6788
---- /dev/null
-+++ b/shared/fixes/bash/grub2_audit_argument.sh
-@@ -0,0 +1,13 @@
-+# platform = Red Hat Enterprise Linux 7, multi_platform_fedora
-+
-+# Correct the form of default kernel command line in GRUB
-+if grep -q '^GRUB_CMDLINE_LINUX=.*audit=.*"' '/etc/default/grub' ; then
-+ # modify the GRUB command-line if an audit= arg already exists
-+ sed -i 's/\(^GRUB_CMDLINE_LINUX=".*\)audit=[^[:space:]]*\(.*"\)/\1 audit=1 \2/' '/etc/default/grub'
-+else
-+ # no audit=arg is present, append it
-+ sed -i 's/\(^GRUB_CMDLINE_LINUX=".*\)"/\1 audit=1"/' '/etc/default/grub'
-+fi
-+
-+# Correct the form of kernel command line for each installed kernel in the bootloader
-+grubby --update-kernel=ALL --args="audit=1"
-
-From 3cb4d82b850c6b8a29a449a68ce30254508a6fd6 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?=
-Date: Tue, 11 Sep 2018 10:28:15 +0200
-Subject: [PATCH 2/3] Add tests for grub2_audit_argument
-
----
- .../rule_grub2_audit_argument/arg_not_there.fail.sh | 9 +++++++++
- .../rule_grub2_audit_argument/correct_value.pass.sh | 11 +++++++++++
- .../rule_grub2_audit_argument/wrong_value.fail.sh | 11 +++++++++++
- 3 files changed, 31 insertions(+)
- create mode 100644 tests/data/group_system/group_auditing/rule_grub2_audit_argument/arg_not_there.fail.sh
- create mode 100644 tests/data/group_system/group_auditing/rule_grub2_audit_argument/correct_value.pass.sh
- create mode 100644 tests/data/group_system/group_auditing/rule_grub2_audit_argument/wrong_value.fail.sh
-
-diff --git a/tests/data/group_system/group_auditing/rule_grub2_audit_argument/arg_not_there.fail.sh b/tests/data/group_system/group_auditing/rule_grub2_audit_argument/arg_not_there.fail.sh
-new file mode 100644
-index 0000000000..04f07457b0
---- /dev/null
-+++ b/tests/data/group_system/group_auditing/rule_grub2_audit_argument/arg_not_there.fail.sh
-@@ -0,0 +1,9 @@
-+#!/bin/bash
-+
-+# profiles = xccdf_org.ssgproject.content_profile_ospp
-+
-+# Correct the form of default kernel command line in GRUB
-+if grep -q '^GRUB_CMDLINE_LINUX=.*audit=.*"' '/etc/default/grub' ; then
-+ # Remove the audit arg from the GRUB command-line if an audit arg already exists
-+ sed -i 's/\(^GRUB_CMDLINE_LINUX=".*\)audit=[^[:space:]]*\(.*"\)/\1 \2/' '/etc/default/grub'
-+fi
-diff --git a/tests/data/group_system/group_auditing/rule_grub2_audit_argument/correct_value.pass.sh b/tests/data/group_system/group_auditing/rule_grub2_audit_argument/correct_value.pass.sh
-new file mode 100644
-index 0000000000..320d979a9b
---- /dev/null
-+++ b/tests/data/group_system/group_auditing/rule_grub2_audit_argument/correct_value.pass.sh
-@@ -0,0 +1,11 @@
-+#!/bin/bash
-+# profiles = xccdf_org.ssgproject.content_profile_ospp
-+
-+# Correct the form of default kernel command line in GRUB
-+if grep -q '^GRUB_CMDLINE_LINUX=.*audit=.*"' '/etc/default/grub' ; then
-+ # modify the GRUB command-line if an audit= arg already exists
-+ sed -i 's/\(^GRUB_CMDLINE_LINUX=".*\)audit=[^[:space:]]*\(.*"\)/\1 audit=1 \2/' '/etc/default/grub'
-+else
-+ # no audit=arg is present, append it
-+ sed -i 's/\(^GRUB_CMDLINE_LINUX=".*\)"/\1 audit=1"/' '/etc/default/grub'
-+fi
-diff --git a/tests/data/group_system/group_auditing/rule_grub2_audit_argument/wrong_value.fail.sh b/tests/data/group_system/group_auditing/rule_grub2_audit_argument/wrong_value.fail.sh
-new file mode 100644
-index 0000000000..4c3ce2c723
---- /dev/null
-+++ b/tests/data/group_system/group_auditing/rule_grub2_audit_argument/wrong_value.fail.sh
-@@ -0,0 +1,11 @@
-+#!/bin/bash
-+# profiles = xccdf_org.ssgproject.content_profile_ospp
-+
-+# Correct the form of default kernel command line in GRUB
-+if grep -q '^GRUB_CMDLINE_LINUX=.*audit=.*"' '/etc/default/grub' ; then
-+ # modify the GRUB command-line if an audit= arg already exists
-+ sed -i 's/\(^GRUB_CMDLINE_LINUX=".*\)audit=[^[:space:]]*\(.*"\)/\1 audit=0 \2/' '/etc/default/grub'
-+else
-+ # no audit=arg is present, append it
-+ sed -i 's/\(^GRUB_CMDLINE_LINUX=".*\)"/\1 audit=0"/' '/etc/default/grub'
-+fi
-
-From b0cf50b476bd626b7cbf60e18726e02a6282f977 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?=
-Date: Tue, 11 Sep 2018 13:10:16 +0200
-Subject: [PATCH 3/3] Improve comments
-
----
- .../rule_grub2_audit_argument/arg_not_there.fail.sh | 3 +--
- .../rule_grub2_audit_argument/wrong_value.fail.sh | 2 +-
- 2 files changed, 2 insertions(+), 3 deletions(-)
-
-diff --git a/tests/data/group_system/group_auditing/rule_grub2_audit_argument/arg_not_there.fail.sh b/tests/data/group_system/group_auditing/rule_grub2_audit_argument/arg_not_there.fail.sh
-index 04f07457b0..0230da8045 100644
---- a/tests/data/group_system/group_auditing/rule_grub2_audit_argument/arg_not_there.fail.sh
-+++ b/tests/data/group_system/group_auditing/rule_grub2_audit_argument/arg_not_there.fail.sh
-@@ -2,8 +2,7 @@
-
- # profiles = xccdf_org.ssgproject.content_profile_ospp
-
--# Correct the form of default kernel command line in GRUB
-+# Removes audit argument from kernel command line
- if grep -q '^GRUB_CMDLINE_LINUX=.*audit=.*"' '/etc/default/grub' ; then
-- # Remove the audit arg from the GRUB command-line if an audit arg already exists
- sed -i 's/\(^GRUB_CMDLINE_LINUX=".*\)audit=[^[:space:]]*\(.*"\)/\1 \2/' '/etc/default/grub'
- fi
-diff --git a/tests/data/group_system/group_auditing/rule_grub2_audit_argument/wrong_value.fail.sh b/tests/data/group_system/group_auditing/rule_grub2_audit_argument/wrong_value.fail.sh
-index 4c3ce2c723..21dc897d4a 100644
---- a/tests/data/group_system/group_auditing/rule_grub2_audit_argument/wrong_value.fail.sh
-+++ b/tests/data/group_system/group_auditing/rule_grub2_audit_argument/wrong_value.fail.sh
-@@ -1,7 +1,7 @@
- #!/bin/bash
- # profiles = xccdf_org.ssgproject.content_profile_ospp
-
--# Correct the form of default kernel command line in GRUB
-+# Break the audit argument in kernel command line
- if grep -q '^GRUB_CMDLINE_LINUX=.*audit=.*"' '/etc/default/grub' ; then
- # modify the GRUB command-line if an audit= arg already exists
- sed -i 's/\(^GRUB_CMDLINE_LINUX=".*\)audit=[^[:space:]]*\(.*"\)/\1 audit=0 \2/' '/etc/default/grub'
diff --git a/SOURCES/scap-security-guide-0.1.41-dev_shm_mount_option.patch b/SOURCES/scap-security-guide-0.1.41-dev_shm_mount_option.patch
deleted file mode 100644
index 24c036e..0000000
--- a/SOURCES/scap-security-guide-0.1.41-dev_shm_mount_option.patch
+++ /dev/null
@@ -1,11 +0,0 @@
-diff --git a/rhel7/profiles/ospp42.profile b/rhel7/profiles/ospp42.profile
-index d6068ea7f7..440de8b7f8 100644
---- a/rhel7/profiles/ospp42.profile
-+++ b/rhel7/profiles/ospp42.profile
-@@ -186,3 +186,6 @@ selections:
- - audit_rules_etc_group_open_by_handle_at
- - package_abrt_removed
- - package_sendmail_removed
-+ - mount_option_dev_shm_nodev
-+ - mount_option_dev_shm_noexec
-+ - mount_option_dev_shm_nosuid
diff --git a/SOURCES/scap-security-guide-0.1.41-drop-dev-cdrom-fix.patch b/SOURCES/scap-security-guide-0.1.41-drop-dev-cdrom-fix.patch
deleted file mode 100644
index 1da4906..0000000
--- a/SOURCES/scap-security-guide-0.1.41-drop-dev-cdrom-fix.patch
+++ /dev/null
@@ -1,17 +0,0 @@
-diff --git a/shared/templates/csv/mount_options.csv b/shared/templates/csv/mount_options.csv
-index 7e3263decf..23ea936f52 100644
---- a/shared/templates/csv/mount_options.csv
-+++ b/shared/templates/csv/mount_options.csv
-@@ -7,9 +7,9 @@
- # If the remediation can create (i.e. not just modify) an /etc/fstab line,
- # add the 'create_fstab_entry_if_needed' literal string as the third argument.
-
--var_removable_partition,nodev,create_fstab_entry_if_needed
--var_removable_partition,nosuid,create_fstab_entry_if_needed
--var_removable_partition,noexec,create_fstab_entry_if_needed
-+var_removable_partition,nodev,create_fstab_entry_if_needed #except-for:anaconda
-+var_removable_partition,nosuid,create_fstab_entry_if_needed #except-for:anaconda
-+var_removable_partition,noexec,create_fstab_entry_if_needed #except-for:anaconda
- remote_filesystems,nodev,create_fstab_entry_if_needed
- remote_filesystems,nosuid,create_fstab_entry_if_needed
- remote_filesystems,noexec,create_fstab_entry_if_needed
diff --git a/SOURCES/scap-security-guide-0.1.41-fix_audit_rules_unsuccessful_file_modification_regex.patch b/SOURCES/scap-security-guide-0.1.41-fix_audit_rules_unsuccessful_file_modification_regex.patch
deleted file mode 100644
index aec83eb..0000000
--- a/SOURCES/scap-security-guide-0.1.41-fix_audit_rules_unsuccessful_file_modification_regex.patch
+++ /dev/null
@@ -1,76 +0,0 @@ -diff --git a/shared/templates/template_OVAL_audit_rules_unsuccessful_file_modification b/shared/templates/template_OVAL_audit_rules_unsuccessful_file_modification -index 36e255c28a..bc88220dac 100644 ---- a/shared/templates/template_OVAL_audit_rules_unsuccessful_file_modification -+++ b/shared/templates/template_OVAL_audit_rules_unsuccessful_file_modification -@@ -51,7 +51,7 @@ - - - /etc/audit/rules\.d/.*\.rules -- ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+{{{ NAME }}}[\s]+|([\s]+|[,]){{{ NAME }}}([\s]+|[,])))[\S]*[\s]*(?!.*-F\s+a2&)[\s]+(?:.*-F\s+exit=\-EACCES[\s]+)(?:.*-F\s+auid>={{{ auid }}}[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ -+ ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+{{{ NAME }}}[\s]+|([\s]+|[,]){{{ NAME }}}([\s]+|[,])))[\S]*[\s]*(?!.*-F\s+a2&)[\s]*(?:.*-F\s+exit=\-EACCES[\s]+)(?:.*-F\s+auid>={{{ auid }}}[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ - 1 - - -@@ -60,7 +60,7 @@ - - - /etc/audit/rules\.d/.*\.rules -- ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+{{{ NAME }}}[\s]+|([\s]+|[,]){{{ NAME }}}([\s]+|[,])))[\S]*[\s]*(?!.*-F\s+a2&)[\s]+(?:.*-F\s+exit=\-EPERM[\s]+)(?:.*-F\s+auid>={{{ auid }}}[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ -+ ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+{{{ NAME }}}[\s]+|([\s]+|[,]){{{ NAME }}}([\s]+|[,])))[\S]*[\s]*(?!.*-F\s+a2&)[\s]*(?:.*-F\s+exit=\-EPERM[\s]+)(?:.*-F\s+auid>={{{ auid }}}[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ - 1 - - -@@ -69,7 +69,7 @@ - - - /etc/audit/rules\.d/.*\.rules -- ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+{{{ NAME }}}[\s]+|([\s]+|[,]){{{ NAME }}}([\s]+|[,])))[\S]*[\s]*(?!.*-F\s+a2&)[\s]+(?:.*-F\s+exit=\-EACCES[\s]+)(?:.*-F\s+auid>={{{ auid 
}}}[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ -+ ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+{{{ NAME }}}[\s]+|([\s]+|[,]){{{ NAME }}}([\s]+|[,])))[\S]*[\s]*(?!.*-F\s+a2&)[\s]*(?:.*-F\s+exit=\-EACCES[\s]+)(?:.*-F\s+auid>={{{ auid }}}[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ - 1 - - -@@ -78,7 +78,7 @@ - - - /etc/audit/rules\.d/.*\.rules -- ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+{{{ NAME }}}[\s]+|([\s]+|[,]){{{ NAME }}}([\s]+|[,])))[\S]*[\s]*(?!.*-F\s+a2&)[\s]+(?:.*-F\s+exit=\-EPERM[\s]+)(?:.*-F\s+auid>={{{ auid }}}[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ -+ ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+{{{ NAME }}}[\s]+|([\s]+|[,]){{{ NAME }}}([\s]+|[,])))[\S]*[\s]*(?!.*-F\s+a2&)[\s]*(?:.*-F\s+exit=\-EPERM[\s]+)(?:.*-F\s+auid>={{{ auid }}}[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ - 1 - - -@@ -87,7 +87,7 @@ - - - /etc/audit/audit.rules -- ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+{{{ NAME }}}[\s]+|([\s]+|[,]){{{ NAME }}}([\s]+|[,])))[\S]*[\s]*(?!.*-F\s+a2&)[\s]+(?:.*-F\s+exit=\-EACCES[\s]+)(?:.*-F\s+auid>={{{ auid }}}[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ -+ ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+{{{ NAME }}}[\s]+|([\s]+|[,]){{{ NAME }}}([\s]+|[,])))[\S]*[\s]*(?!.*-F\s+a2&)[\s]*(?:.*-F\s+exit=\-EACCES[\s]+)(?:.*-F\s+auid>={{{ auid }}}[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ - 1 - - -@@ -96,7 +96,7 @@ - - - /etc/audit/audit.rules -- ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+{{{ NAME }}}[\s]+|([\s]+|[,]){{{ NAME }}}([\s]+|[,])))[\S]*[\s]*(?!.*-F\s+a2&)[\s]+(?:.*-F\s+exit=\-EPERM[\s]+)(?:.*-F\s+auid>={{{ auid 
}}}[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ -+ ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+{{{ NAME }}}[\s]+|([\s]+|[,]){{{ NAME }}}([\s]+|[,])))[\S]*[\s]*(?!.*-F\s+a2&)[\s]*(?:.*-F\s+exit=\-EPERM[\s]+)(?:.*-F\s+auid>={{{ auid }}}[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ - 1 - - -@@ -105,7 +105,7 @@ - - - /etc/audit/audit.rules -- ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+{{{ NAME }}}[\s]+|([\s]+|[,]){{{ NAME }}}([\s]+|[,])))[\S]*[\s]*(?!.*-F\s+a2&)[\s]+(?:.*-F\s+exit=\-EACCES[\s]+)(?:.*-F\s+auid>={{{ auid }}}[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ -+ ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+{{{ NAME }}}[\s]+|([\s]+|[,]){{{ NAME }}}([\s]+|[,])))[\S]*[\s]*(?!.*-F\s+a2&)[\s]*(?:.*-F\s+exit=\-EACCES[\s]+)(?:.*-F\s+auid>={{{ auid }}}[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ - 1 - - -@@ -114,7 +114,7 @@ - - - /etc/audit/audit.rules -- ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+{{{ NAME }}}[\s]+|([\s]+|[,]){{{ NAME }}}([\s]+|[,])))[\S]*[\s]*(?!.*-F\s+a2&)[\s]+(?:.*-F\s+exit=\-EPERM[\s]+)(?:.*-F\s+auid>={{{ auid }}}[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ -+ ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+{{{ NAME }}}[\s]+|([\s]+|[,]){{{ NAME }}}([\s]+|[,])))[\S]*[\s]*(?!.*-F\s+a2&)[\s]*(?:.*-F\s+exit=\-EPERM[\s]+)(?:.*-F\s+auid>={{{ auid }}}[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ - 1 - - diff --git a/SOURCES/scap-security-guide-0.1.41-fix_dconf_gnome_screensaver_lock_enabled.patch b/SOURCES/scap-security-guide-0.1.41-fix_dconf_gnome_screensaver_lock_enabled.patch deleted file mode 100644 index 4fdf075..0000000 
--- a/SOURCES/scap-security-guide-0.1.41-fix_dconf_gnome_screensaver_lock_enabled.patch +++ /dev/null @@ -1,12 +0,0 @@ -diff --git a/shared/checks/oval/dconf_gnome_screensaver_lock_enabled.xml -index a8dd00b23a..0f72f6a56e 100644 ---- a/shared/checks/oval/dconf_gnome_screensaver_lock_enabled.xml -+++ b/shared/checks/oval/dconf_gnome_screensaver_lock_enabled.xml -@@ -12,7 +12,6 @@ - - - -- - - - diff --git a/SOURCES/scap-security-guide-0.1.41-fix_owners_groups.patch b/SOURCES/scap-security-guide-0.1.41-fix_owners_groups.patch deleted file mode 100644 index 1884459..0000000 --- a/SOURCES/scap-security-guide-0.1.41-fix_owners_groups.patch +++ /dev/null @@ -1,26 +0,0 @@ -diff --git a/shared/templates/template_OVAL_file_groupowner b/shared/templates/template_OVAL_file_groupowner -index da1364e..e1bfdd5 100644 ---- a/shared/templates/template_OVAL_file_groupowner -+++ b/shared/templates/template_OVAL_file_groupowner -@@ -19,7 +19,7 @@ - {{{ FILEGID }}} - - -- {{{ FILEDIR }}} -+ {{{ UNIX_DIR }}} - {{{ UNIX_FILENAME }}} - - -diff --git a/shared/templates/template_OVAL_file_owner b/shared/templates/template_OVAL_file_owner -index 758b6c3..8b716b6 100644 ---- a/shared/templates/template_OVAL_file_owner -+++ b/shared/templates/template_OVAL_file_owner -@@ -19,7 +19,7 @@ - {{{ FILEUID }}} - - -- {{{ FILEDIR }}} -+ {{{ UNIX_DIR }}} - {{{ UNIX_FILENAME }}} - - diff --git a/SOURCES/scap-security-guide-0.1.41-fix_syscall_in_last_position.patch b/SOURCES/scap-security-guide-0.1.41-fix_syscall_in_last_position.patch deleted file mode 100644 index a303839..0000000 --- a/SOURCES/scap-security-guide-0.1.41-fix_syscall_in_last_position.patch +++ /dev/null 
@@ -1,289 +0,0 @@ -diff --git a/shared/templates/template_OVAL_audit_rules_path_syscall b/shared/templates/template_OVAL_audit_rules_path_syscall -index dcc1d7b0a2..2544099b8d 100644 ---- a/shared/templates/template_OVAL_audit_rules_path_syscall -+++ b/shared/templates/template_OVAL_audit_rules_path_syscall -@@ -40,13 +40,14 @@ - - - -+ - - -- ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S(?:[\s]+{{{ SYSCALL }}}[\s]+|(?:[\s]+|[,]){{{ SYSCALL }}}(?:[\s]+|[,])))[\S]*[\s]*(?:-F[\s]+a2&03)[\s]+(?:-F[\s]+path={{{ PATH }}})[\s]+(?:-F\s+auid>={{{ auid }}}[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ -+ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:|(?:[\S]+,)+)({{{ SYSCALL }}})(?:|(?:,[\S]+)+))[\s]+(?:-F[\s]+a2&03)[\s]+(?:-F[\s]+path={{{ PATH }}})[\s]+(?:-F\s+auid>={{{ auid }}}[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ - - - -- ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S(?:[\s]+{{{ SYSCALL }}}[\s]+|(?:[\s]+|[,]){{{ SYSCALL }}}(?:[\s]+|[,])))[\S]*[\s]*(?:-F[\s]+a2&03)[\s]+(?:-F[\s]+path={{{ PATH }}})[\s]+(?:-F\s+auid>={{{ auid }}}[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ -+ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:|(?:[\S]+,)+)({{{ SYSCALL }}})(?:|(?:,[\S]+)+))[\s]+(?:-F[\s]+a2&03)[\s]+(?:-F[\s]+path={{{ PATH }}})[\s]+(?:-F\s+auid>={{{ auid }}}[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ - - - -diff --git a/shared/templates/template_OVAL_audit_rules_unsuccessful_file_modification b/shared/templates/template_OVAL_audit_rules_unsuccessful_file_modification -index 804c0d50b8..cbed460f00 100644 ---- a/shared/templates/template_OVAL_audit_rules_unsuccessful_file_modification -+++ b/shared/templates/template_OVAL_audit_rules_unsuccessful_file_modification -@@ -46,12 +46,60 @@ - - - -+ -+ -+ 
^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:|(?:[\S]+,)+)({{{ NAME }}})(?:|(?:,[\S]+)+))[\s]+ -+ -+ -+ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:|(?:[\S]+,)+)({{{ NAME }}})(?:|(?:,[\S]+)+))[\s]+ -+ -+ -+ [\s]+(?:-F\s+auid>={{{ auid }}}[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ -+ -+ -+ -+ -+ -+ -+ (?:-F\s+exit=-EACCES) -+ -+ -+ -+ -+ -+ -+ -+ -+ (?:-F\s+exit=-EPERM) -+ -+ -+ -+ -+ -+ -+ -+ -+ (?:-F\s+exit=-EACCES) -+ -+ -+ -+ -+ -+ -+ -+ -+ (?:-F\s+exit=-EPERM) -+ -+ -+ -+ -+ - - - - - /etc/audit/rules\.d/.*\.rules -- ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+{{{ NAME }}}[\s]+|([\s]+|[,]){{{ NAME }}}([\s]+|[,])))(?!.*-F\s+a2&)(?:.*-F\s+exit=\-EACCES[\s]+)(?:.*-F\s+auid>={{{ auid }}}[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ -+ - 1 - - -@@ -60,7 +108,7 @@ - - - /etc/audit/rules\.d/.*\.rules -- ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+{{{ NAME }}}[\s]+|([\s]+|[,]){{{ NAME }}}([\s]+|[,])))(?!.*-F\s+a2&)(?:.*-F\s+exit=\-EPERM[\s]+)(?:.*-F\s+auid>={{{ auid }}}[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ -+ - 1 - - -@@ -69,7 +117,7 @@ - - - /etc/audit/rules\.d/.*\.rules -- ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+{{{ NAME }}}[\s]+|([\s]+|[,]){{{ NAME }}}([\s]+|[,])))(?!.*-F\s+a2&)(?:.*-F\s+exit=\-EACCES[\s]+)(?:.*-F\s+auid>={{{ auid }}}[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ -+ - 1 - - -@@ -78,7 +126,7 @@ - - - /etc/audit/rules\.d/.*\.rules -- ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+{{{ NAME }}}[\s]+|([\s]+|[,]){{{ NAME }}}([\s]+|[,])))(?!.*-F\s+a2&)(?:.*-F\s+exit=\-EPERM[\s]+)(?:.*-F\s+auid>={{{ auid }}}[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ -+ - 1 - - -@@ -87,7 +135,7 @@ - - - /etc/audit/audit.rules -- 
^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+{{{ NAME }}}[\s]+|([\s]+|[,]){{{ NAME }}}([\s]+|[,])))(?!.*-F\s+a2&)(?:.*-F\s+exit=\-EACCES[\s]+)(?:.*-F\s+auid>={{{ auid }}}[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ -+ - 1 - - -@@ -96,7 +144,7 @@ - - - /etc/audit/audit.rules -- ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+{{{ NAME }}}[\s]+|([\s]+|[,]){{{ NAME }}}([\s]+|[,])))(?!.*-F\s+a2&)(?:.*-F\s+exit=\-EPERM[\s]+)(?:.*-F\s+auid>={{{ auid }}}[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ -+ - 1 - - -@@ -105,7 +153,7 @@ - - - /etc/audit/audit.rules -- ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+{{{ NAME }}}[\s]+|([\s]+|[,]){{{ NAME }}}([\s]+|[,])))(?!.*-F\s+a2&)(?:.*-F\s+exit=\-EACCES[\s]+)(?:.*-F\s+auid>={{{ auid }}}[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ -+ - 1 - - -@@ -114,7 +162,7 @@ - - - /etc/audit/audit.rules -- ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+{{{ NAME }}}[\s]+|([\s]+|[,]){{{ NAME }}}([\s]+|[,])))(?!.*-F\s+a2&)(?:.*-F\s+exit=\-EPERM[\s]+)(?:.*-F\s+auid>={{{ auid }}}[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ -+ - 1 - - -diff --git a/shared/templates/template_OVAL_audit_rules_unsuccessful_file_modification_o_creat b/shared/templates/template_OVAL_audit_rules_unsuccessful_file_modification_o_creat -index 7f1bf6f68f..01e155f016 100644 ---- a/shared/templates/template_OVAL_audit_rules_unsuccessful_file_modification_o_creat -+++ b/shared/templates/template_OVAL_audit_rules_unsuccessful_file_modification_o_creat -@@ -51,10 +51,10 @@ - - - -- ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S(?:[\s]+{{{ SYSCALL }}}[\s]+|(?:[\s]+|[,]){{{ SYSCALL }}}(?:[\s]+|[,])))[\S]*[\s]* -+ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:|(?:[\S]+,)+)({{{ SYSCALL }}})(?:|(?:,[\S]+)+))[\s]+ - - -- 
^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S(?:[\s]+{{{ SYSCALL }}}[\s]+|(?:[\s]+|[,]){{{ SYSCALL }}}(?:[\s]+|[,])))[\S]*[\s]* -+ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:|(?:[\S]+,)+)({{{ SYSCALL }}})(?:|(?:,[\S]+)+))[\s]+ - - - [\s]+(?:-F\s+auid>={{{ auid }}}[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ -diff --git a/shared/templates/template_OVAL_audit_rules_unsuccessful_file_modification_o_trunc_write b/shared/templates/template_OVAL_audit_rules_unsuccessful_file_modification_o_trunc_write -index ce7d3c44c7..64f7277a60 100644 ---- a/shared/templates/template_OVAL_audit_rules_unsuccessful_file_modification_o_trunc_write -+++ b/shared/templates/template_OVAL_audit_rules_unsuccessful_file_modification_o_trunc_write -@@ -51,10 +51,10 @@ - - - -- ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S(?:[\s]+{{{ SYSCALL }}}[\s]+|(?:[\s]+|[,]){{{ SYSCALL }}}(?:[\s]+|[,])))[\S]*[\s]* -+ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:|(?:[\S]+,)+)({{{ SYSCALL }}})(?:|(?:,[\S]+)+))[\s]+ - - -- ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S(?:[\s]+{{{ SYSCALL }}}[\s]+|(?:[\s]+|[,]){{{ SYSCALL }}}(?:[\s]+|[,])))[\S]*[\s]* -+ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:|(?:[\S]+,)+)({{{ SYSCALL }}})(?:|(?:,[\S]+)+))[\s]+ - - - [\s]+(?:-F\s+auid>={{{ auid }}}[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ -diff --git a/shared/templates/template_OVAL_audit_rules_unsuccessful_file_modification_rule_order b/shared/templates/template_OVAL_audit_rules_unsuccessful_file_modification_rule_order -index 66a8ecf249..12da792d51 100644 ---- a/shared/templates/template_OVAL_audit_rules_unsuccessful_file_modification_rule_order -+++ b/shared/templates/template_OVAL_audit_rules_unsuccessful_file_modification_rule_order -@@ -52,10 +52,10 @@ - - - -- ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S(?:[\s]+{{{ SYSCALL 
}}}[\s]+|(?:[\s]+|[,]){{{ SYSCALL }}}(?:[\s]+|[,])))[\S]*[\s]* -+ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:|(?:[\S]+,)+)({{{ SYSCALL }}})(?:|(?:,[\S]+)+))[\s]+ - - -- ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S(?:[\s]+{{{ SYSCALL }}}[\s]+|(?:[\s]+|[,]){{{ SYSCALL }}}(?:[\s]+|[,])))[\S]*[\s]* -+ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:|(?:[\S]+,)+)({{{ SYSCALL }}})(?:|(?:,[\S]+)+))[\s]+ - - - [\s]+(?:-F\s+auid>={{{ auid }}}[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ -@@ -84,7 +84,7 @@ - - - -- (?!.*-F\s+a2&)[\s]+(?:-F\s+exit=-EACCES) -+ (?:-F\s+exit=-EACCES) - - - -@@ -107,7 +107,7 @@ - - - -- (?!.*-F\s+a2&)[\s]+(?:-F\s+exit=-EPERM) -+ (?:-F\s+exit=-EPERM) - - - -@@ -130,7 +130,7 @@ - - - -- (?!.*-F\s+a2&)[\s]+(?:-F\s+exit=-EACCES) -+ (?:-F\s+exit=-EACCES) - - - -@@ -153,7 +153,7 @@ - - - -- (?!.*-F\s+a2&)[\s]+(?:-F\s+exit=-EPERM) -+ (?:-F\s+exit=-EPERM) - - - -diff --git a/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_unsuccessful_file_modification/rule_audit_rules_unsuccessful_file_modification_open/open_before_last.pass.sh b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_unsuccessful_file_modification/rule_audit_rules_unsuccessful_file_modification_open/open_before_last.pass.sh -new file mode 100644 -index 0000000000..1f30447324 ---- /dev/null -+++ b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_unsuccessful_file_modification/rule_audit_rules_unsuccessful_file_modification_open/open_before_last.pass.sh -@@ -0,0 +1,7 @@ -+#!/bin/bash -+ -+# profiles = xccdf_org.ssgproject.content_profile_ospp -+# remediation = none -+ -+sed 's/openat,open_by_handle_at/open,open_by_handle_at/' ../audit_open.rules > /etc/audit/rules.d/open_o_creat.rules -+sed -i 's/ open,/ openat,/' /etc/audit/rules.d/open_o_creat.rules -diff --git 
a/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_unsuccessful_file_modification/rule_audit_rules_unsuccessful_file_modification_open/open_last.pass.sh b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_unsuccessful_file_modification/rule_audit_rules_unsuccessful_file_modification_open/open_last.pass.sh
-new file mode 100644
-index 0000000000..d3fdcf71a5
---- /dev/null
-+++ b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_unsuccessful_file_modification/rule_audit_rules_unsuccessful_file_modification_open/open_last.pass.sh
-@@ -0,0 +1,7 @@
-+#!/bin/bash
-+
-+# profiles = xccdf_org.ssgproject.content_profile_ospp
-+# remediation = none
-+
-+sed 's/_by_handle_at//' ../audit_open.rules > /etc/audit/rules.d/open_o_creat.rules
-+sed -i 's/open,/open_by_handle_at,/' /etc/audit/rules.d/open_o_creat.rules
-diff --git a/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_unsuccessful_file_modification/rule_audit_rules_unsuccessful_file_modification_open_o_creat/o_creat_before_last.pass.sh b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_unsuccessful_file_modification/rule_audit_rules_unsuccessful_file_modification_open_o_creat/o_creat_before_last.pass.sh
-new file mode 100644
-index 0000000000..acdec877ef
---- /dev/null
-+++ b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_unsuccessful_file_modification/rule_audit_rules_unsuccessful_file_modification_open_o_creat/o_creat_before_last.pass.sh
-@@ -0,0 +1,7 @@
-+#!/bin/bash
-+
-+# profiles = xccdf_org.ssgproject.content_profile_ospp
-+# remediation = none
-+
-+sed 's/openat,open_by_handle_at/open,open_by_handle_at/' ../audit_open_o_creat.rules > /etc/audit/rules.d/open_o_creat.rules
-+sed -i 's/ open,/ openat,/' /etc/audit/rules.d/open_o_creat.rules
-diff --git 
a/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_unsuccessful_file_modification/rule_audit_rules_unsuccessful_file_modification_open_o_creat/o_creat_last.pass.sh b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_unsuccessful_file_modification/rule_audit_rules_unsuccessful_file_modification_open_o_creat/o_creat_last.pass.sh
-new file mode 100644
-index 0000000000..33a3ad88bf
---- /dev/null
-+++ b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_unsuccessful_file_modification/rule_audit_rules_unsuccessful_file_modification_open_o_creat/o_creat_last.pass.sh
-@@ -0,0 +1,7 @@
-+#!/bin/bash
-+
-+# profiles = xccdf_org.ssgproject.content_profile_ospp
-+# remediation = none
-+
-+sed 's/_by_handle_at//' ../audit_open_o_creat.rules > /etc/audit/rules.d/open_o_creat.rules
-+sed -i 's/open,/open_by_handle_at,/' /etc/audit/rules.d/open_o_creat.rules
diff --git a/SOURCES/scap-security-guide-0.1.41-fix_unauthorized_syscall_regex.patch b/SOURCES/scap-security-guide-0.1.41-fix_unauthorized_syscall_regex.patch
deleted file mode 100644
index 629fec7..0000000
--- a/SOURCES/scap-security-guide-0.1.41-fix_unauthorized_syscall_regex.patch
+++ /dev/null
@@ -1,104 +0,0 @@ -diff --git a/shared/templates/template_OVAL_audit_rules_unsuccessful_file_modification b/shared/templates/template_OVAL_audit_rules_unsuccessful_file_modification -index bc88220dac..804c0d50b8 100644 ---- a/shared/templates/template_OVAL_audit_rules_unsuccessful_file_modification -+++ b/shared/templates/template_OVAL_audit_rules_unsuccessful_file_modification -@@ -51,7 +51,7 @@ - - - /etc/audit/rules\.d/.*\.rules -- ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+{{{ NAME }}}[\s]+|([\s]+|[,]){{{ NAME }}}([\s]+|[,])))[\S]*[\s]*(?!.*-F\s+a2&)[\s]*(?:.*-F\s+exit=\-EACCES[\s]+)(?:.*-F\s+auid>={{{ auid }}}[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ -+ ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+{{{ NAME }}}[\s]+|([\s]+|[,]){{{ NAME }}}([\s]+|[,])))(?!.*-F\s+a2&)(?:.*-F\s+exit=\-EACCES[\s]+)(?:.*-F\s+auid>={{{ auid }}}[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ - 1 - - -@@ -60,7 +60,7 @@ - - - /etc/audit/rules\.d/.*\.rules -- ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+{{{ NAME }}}[\s]+|([\s]+|[,]){{{ NAME }}}([\s]+|[,])))[\S]*[\s]*(?!.*-F\s+a2&)[\s]*(?:.*-F\s+exit=\-EPERM[\s]+)(?:.*-F\s+auid>={{{ auid }}}[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ -+ ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+{{{ NAME }}}[\s]+|([\s]+|[,]){{{ NAME }}}([\s]+|[,])))(?!.*-F\s+a2&)(?:.*-F\s+exit=\-EPERM[\s]+)(?:.*-F\s+auid>={{{ auid }}}[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ - 1 - - -@@ -69,7 +69,7 @@ - - - /etc/audit/rules\.d/.*\.rules -- ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+{{{ NAME }}}[\s]+|([\s]+|[,]){{{ NAME }}}([\s]+|[,])))[\S]*[\s]*(?!.*-F\s+a2&)[\s]*(?:.*-F\s+exit=\-EACCES[\s]+)(?:.*-F\s+auid>={{{ auid }}}[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 
-+ ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+{{{ NAME }}}[\s]+|([\s]+|[,]){{{ NAME }}}([\s]+|[,])))(?!.*-F\s+a2&)(?:.*-F\s+exit=\-EACCES[\s]+)(?:.*-F\s+auid>={{{ auid }}}[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ - 1 - - -@@ -78,7 +78,7 @@ - - - /etc/audit/rules\.d/.*\.rules -- ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+{{{ NAME }}}[\s]+|([\s]+|[,]){{{ NAME }}}([\s]+|[,])))[\S]*[\s]*(?!.*-F\s+a2&)[\s]*(?:.*-F\s+exit=\-EPERM[\s]+)(?:.*-F\s+auid>={{{ auid }}}[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ -+ ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+{{{ NAME }}}[\s]+|([\s]+|[,]){{{ NAME }}}([\s]+|[,])))(?!.*-F\s+a2&)(?:.*-F\s+exit=\-EPERM[\s]+)(?:.*-F\s+auid>={{{ auid }}}[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ - 1 - - -@@ -87,7 +87,7 @@ - - - /etc/audit/audit.rules -- ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+{{{ NAME }}}[\s]+|([\s]+|[,]){{{ NAME }}}([\s]+|[,])))[\S]*[\s]*(?!.*-F\s+a2&)[\s]*(?:.*-F\s+exit=\-EACCES[\s]+)(?:.*-F\s+auid>={{{ auid }}}[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ -+ ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+{{{ NAME }}}[\s]+|([\s]+|[,]){{{ NAME }}}([\s]+|[,])))(?!.*-F\s+a2&)(?:.*-F\s+exit=\-EACCES[\s]+)(?:.*-F\s+auid>={{{ auid }}}[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ - 1 - - -@@ -96,7 +96,7 @@ - - - /etc/audit/audit.rules -- ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+{{{ NAME }}}[\s]+|([\s]+|[,]){{{ NAME }}}([\s]+|[,])))[\S]*[\s]*(?!.*-F\s+a2&)[\s]*(?:.*-F\s+exit=\-EPERM[\s]+)(?:.*-F\s+auid>={{{ auid }}}[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ -+ ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+{{{ NAME }}}[\s]+|([\s]+|[,]){{{ NAME 
}}}([\s]+|[,])))(?!.*-F\s+a2&)(?:.*-F\s+exit=\-EPERM[\s]+)(?:.*-F\s+auid>={{{ auid }}}[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ - 1 - - -@@ -105,7 +105,7 @@ - - - /etc/audit/audit.rules -- ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+{{{ NAME }}}[\s]+|([\s]+|[,]){{{ NAME }}}([\s]+|[,])))[\S]*[\s]*(?!.*-F\s+a2&)[\s]*(?:.*-F\s+exit=\-EACCES[\s]+)(?:.*-F\s+auid>={{{ auid }}}[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ -+ ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+{{{ NAME }}}[\s]+|([\s]+|[,]){{{ NAME }}}([\s]+|[,])))(?!.*-F\s+a2&)(?:.*-F\s+exit=\-EACCES[\s]+)(?:.*-F\s+auid>={{{ auid }}}[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ - 1 - - -@@ -114,7 +114,7 @@ - - - /etc/audit/audit.rules -- ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+{{{ NAME }}}[\s]+|([\s]+|[,]){{{ NAME }}}([\s]+|[,])))[\S]*[\s]*(?!.*-F\s+a2&)[\s]*(?:.*-F\s+exit=\-EPERM[\s]+)(?:.*-F\s+auid>={{{ auid }}}[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ -+ ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+{{{ NAME }}}[\s]+|([\s]+|[,]){{{ NAME }}}([\s]+|[,])))(?!.*-F\s+a2&)(?:.*-F\s+exit=\-EPERM[\s]+)(?:.*-F\s+auid>={{{ auid }}}[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ - 1 - - -diff --git a/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_unsuccessful_file_modification/rule_audit_rules_unsuccessful_file_modification_unlink/one_sys_with_filter.fail.sh b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_unsuccessful_file_modification/rule_audit_rules_unsuccessful_file_modification_unlink/one_sys_with_filter.fail.sh -new file mode 100644 -index 0000000000..a76abb7901 ---- /dev/null -+++ 
b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_unsuccessful_file_modification/rule_audit_rules_unsuccessful_file_modification_unlink/one_sys_with_filter.fail.sh
-@@ -0,0 +1,8 @@
-+#!/bin/bash
-+
-+# profiles = xccdf_org.ssgproject.content_profile_ospp
-+
-+echo "-a always,exit -F arch=b32 -S unlink -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-delete" >> /etc/audit/rules.d/unsuccessful-delete.rules
-+echo "-a always,exit -F arch=b64 -S unlink -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-delete" >> /etc/audit/rules.d/unsuccessful-delete.rules
-+echo "-a always,exit -F arch=b32 -S unlink -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-delete" >> /etc/audit/rules.d/unsuccessful-delete.rules
-+echo "-a always,exit -F arch=b64 -S unlink -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-delete" >> /etc/audit/rules.d/unsuccessful-delete.rules
-diff --git a/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_unsuccessful_file_modification/rule_audit_rules_unsuccessful_file_modification_unlink/two_sys_with_filter.fail.sh b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_unsuccessful_file_modification/rule_audit_rules_unsuccessful_file_modification_unlink/two_sys_with_filter.fail.sh
-new file mode 100644
-index 0000000000..85270468b5
---- /dev/null
-+++ b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_unsuccessful_file_modification/rule_audit_rules_unsuccessful_file_modification_unlink/two_sys_with_filter.fail.sh
-@@ -0,0 +1,8 @@
-+#!/bin/bash
-+
-+# profiles = xccdf_org.ssgproject.content_profile_ospp
-+
-+echo "-a always,exit -F arch=b32 -S unlink,unlinkat -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-delete" >> /etc/audit/rules.d/unsuccessful-delete.rules
-+echo "-a always,exit -F arch=b64 -S unlink,unlinkat -F 
a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-delete" >> /etc/audit/rules.d/unsuccessful-delete.rules
-+echo "-a always,exit -F arch=b32 -S unlink,unlinkat -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-delete" >> /etc/audit/rules.d/unsuccessful-delete.rules
-+echo "-a always,exit -F arch=b64 -S unlink,unlinkat -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-delete" >> /etc/audit/rules.d/unsuccessful-delete.rules
diff --git a/SOURCES/scap-security-guide-0.1.41-grub2_bootloader_arguments.patch b/SOURCES/scap-security-guide-0.1.41-grub2_bootloader_arguments.patch
deleted file mode 100644
index add8de0..0000000
--- a/SOURCES/scap-security-guide-0.1.41-grub2_bootloader_arguments.patch
+++ /dev/null
@@ -1,506 +0,0 @@
-diff --git a/shared/fixes/bash/grub2_audit_argument.sh
-deleted file mode 100644
-index 913ebd6788..0000000000
---- a/shared/fixes/bash/grub2_audit_argument.sh
-+++ /dev/null
-@@ -1,13 +0,0 @@
--# platform = Red Hat Enterprise Linux 7, multi_platform_fedora
--
--# Correct the form of default kernel command line in GRUB
--if grep -q '^GRUB_CMDLINE_LINUX=.*audit=.*"' '/etc/default/grub' ; then
-- # modify the GRUB command-line if an audit= arg already exists
-- sed -i 's/\(^GRUB_CMDLINE_LINUX=".*\)audit=[^[:space:]]*\(.*"\)/\1 audit=1 \2/' '/etc/default/grub'
--else
-- # no audit=arg is present, append it
-- sed -i 's/\(^GRUB_CMDLINE_LINUX=".*\)"/\1 audit=1"/' '/etc/default/grub'
--fi
--
--# Correct the form of kernel command line for each installed kernel in the bootloader
--grubby --update-kernel=ALL --args="audit=1"
-diff --git a/shared/checks/oval/grub2_audit_argument.xml
-deleted file mode 100644
-index 0a943fd97a..0000000000
---- a/shared/checks/oval/grub2_audit_argument.xml
-+++ /dev/null
-@@ -1,55 +0,0 @@
--
--
--
-- Enable Auditing for Processes Which Start Prior to the Audit Daemon
--
-- Red Hat Enterprise Linux 7
-- multi_platform_fedora
--
-- Look for argument audit=1 in the kernel line in /etc/default/grub.
-- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- /etc/default/grub -- ^\s*GRUB_CMDLINE_LINUX="(.*)"$ -- 1 -- -- -- -- -- -- -- -- -- /etc/default/grub -- ^\s*GRUB_CMDLINE_LINUX_DEFAULT="(.*)"$ -- 1 -- -- -- -- ^.*audit=1.*$ -- -- -- -diff --git a/linux_os/guide/system/auditing/grub2_audit_backlog_limit_argument.rule b/linux_os/guide/system/auditing/grub2_audit_backlog_limit_argument.rule -new file mode 100644 -index 0000000000..361a6b9853 ---- /dev/null -+++ b/linux_os/guide/system/auditing/grub2_audit_backlog_limit_argument.rule -@@ -0,0 +1,51 @@ -+documentation_complete: true -+ -+prodtype: rhel7,fedora -+ -+title: 'Extend Audit Backlog Limit for the Audit Daemon' -+ -+description: |- -+ To improve the kernel capacity to queue all log events, even those which occurred -+ prior to the audit daemon, add the argument audit_backlog_limit=8192 to the default -+ GRUB 2 command line for the Linux operating system in -+ /etc/default/grub, in the manner below: -+
GRUB_CMDLINE_LINUX="crashkernel=auto rd.lvm.lv=VolGroup/LogVol06 rd.lvm.lv=VolGroup/lv_swap rhgb quiet rd.shell=0 audit=1 audit_backlog_limit=8192"
-+ -+rationale: |- -+ audit_backlog_limit sets the queue length for audit events awaiting transfer -+ to the audit daemon. Until the audit daemon is up and running, all log messages -+ are stored in this queue. If the queue is overrun during boot process, the action -+ defined by audit failure flag is taken. -+ -+severity: unknown -+ -+ocil_clause: 'audit backlog limit is not configured' -+ -+ocil: |- -+ Inspect the form of default GRUB 2 command line for the Linux operating system -+ in /etc/default/grub. If they include audit_backlog_limit=1, then auditing -+ is enabled at boot time. -+

-+ To ensure audit_backlog_limit=1 is configured on all installed kernels, the -+ following command may be used: -+
-+
$ sudo /sbin/grubby --update-kernel=ALL --args="audit_backlog_limit=1"
-+
-+ -+warnings: -+ - management: |- -+ The GRUB 2 configuration file, grub.cfg, -+ is automatically updated each time a new kernel is installed. Note that any -+ changes to /etc/default/grub require rebuilding the grub.cfg -+ file. To update the GRUB 2 configuration file manually, use the -+
grub2-mkconfig -o
command as follows: -+
    -+
  • On BIOS-based machines, issue the following command as root: -+
    ~]# grub2-mkconfig -o /boot/grub2/grub.cfg
  • -+
  • On UEFI-based machines, issue the following command as root: -+{{% if product == "rhel7" %}} -+
    ~]# grub2-mkconfig -o /boot/efi/EFI/redhat/grub.cfg
  • -+{{% else %}} -+
    ~]# grub2-mkconfig -o /boot/efi/EFI/fedora/grub.cfg
    -+{{% endif %}} -+
-diff --git a/linux_os/guide/system/permissions/restrictions/grub2_vsyscall_argument.rule b/linux_os/guide/system/permissions/restrictions/grub2_vsyscall_argument.rule -new file mode 100644 -index 0000000000..8773f2407f ---- /dev/null -+++ b/linux_os/guide/system/permissions/restrictions/grub2_vsyscall_argument.rule -@@ -0,0 +1,49 @@ -+documentation_complete: true -+ -+prodtype: rhel7,fedora -+ -+title: 'Disable vsyscalls' -+ -+description: |- -+ To disable use of virtual syscalls, -+ add the argument vsyscall=none to the default -+ GRUB 2 command line for the Linux operating system in -+ /etc/default/grub, in the manner below: -+
GRUB_CMDLINE_LINUX="vsyscall=none"
-+ -+rationale: |- -+ Virtual Syscalls provide an opportunity of attack for a user who has control -+ of the return instruction pointer. -+ -+severity: unknown -+ -+ocil_clause: 'vsyscalls are enabled' -+ -+ocil: |- -+ Inspect the form of default GRUB 2 command line for the Linux operating system -+ in /etc/default/grub. If they include vsyscall=none, -+ then virtyal syscalls are not enabled at boot time. -+

-+ To ensure vsyscall=none is configured on all installed kernels, the -+ following command may be used: -+
-+
$ sudo /sbin/grubby --update-kernel=ALL --args="vsyscall=none
-+
-+ -+warnings: -+ - management: |- -+ The GRUB 2 configuration file, grub.cfg, -+ is automatically updated each time a new kernel is installed. Note that any -+ changes to /etc/default/grub require rebuilding the grub.cfg -+ file. To update the GRUB 2 configuration file manually, use the -+
grub2-mkconfig -o
command as follows: -+
    -+
  • On BIOS-based machines, issue the following command as root: -+
    ~]# grub2-mkconfig -o /boot/grub2/grub.cfg
  • -+
  • On UEFI-based machines, issue the following command as root: -+{{% if product == "rhel7" %}} -+
    ~]# grub2-mkconfig -o /boot/efi/EFI/redhat/grub.cfg
  • -+{{% else %}} -+
    ~]# grub2-mkconfig -o /boot/efi/EFI/fedora/grub.cfg
    -+{{% endif %}} -+
-diff --git a/linux_os/guide/system/permissions/restrictions/poisoning/group.yml b/linux_os/guide/system/permissions/restrictions/poisoning/group.yml -new file mode 100644 -index 0000000000..6a7a370f2b ---- /dev/null -+++ b/linux_os/guide/system/permissions/restrictions/poisoning/group.yml -@@ -0,0 +1,8 @@ -+documentation_complete: true -+ -+title: 'Memory Poisoning' -+ -+description: |- -+ Memory Poisoning consists of writing a special value to uninitialized or freed memory. -+ Poisoning can be used as a mechanism to prevent leak of information and detection of -+ corrupted memory. -diff --git a/linux_os/guide/system/permissions/restrictions/poisoning/grub2_page_poison_argument.rule b/linux_os/guide/system/permissions/restrictions/poisoning/grub2_page_poison_argument.rule -new file mode 100644 -index 0000000000..9056613b0d ---- /dev/null -+++ b/linux_os/guide/system/permissions/restrictions/poisoning/grub2_page_poison_argument.rule -@@ -0,0 +1,52 @@ -+documentation_complete: true -+ -+prodtype: rhel7,fedora -+ -+title: 'Enable page allocator poisoning' -+ -+description: |- -+ To enable poisoning of free pages, -+ add the argument page_poison=1 to the default -+ GRUB 2 command line for the Linux operating system in -+ /etc/default/grub, in the manner below: -+
GRUB_CMDLINE_LINUX="page_poison=1"
-+ -+rationale: |- -+ Poisoning writes an arbitrary value to freed pages, so any modification or -+ reference to that page after being freed or before being initialized will be -+ detected and prevented. -+ This prevents many types of use-after-free vulnerabilities at little performance cost. -+ Also prevents leak of data and detection of corrupted memory. -+ -+severity: unknown -+ -+ocil_clause: 'page allocator poisoning is not enabled' -+ -+ocil: |- -+ Inspect the form of default GRUB 2 command line for the Linux operating system -+ in /etc/default/grub. If they include page_poison=1, -+ then page poisoning is enabled at boot time. -+

-+ To ensure page_poison=1 is configured on all installed kernels, the -+ following command may be used: -+
-+
$ sudo /sbin/grubby --update-kernel=ALL --args="page_poison=1
-+
-+ -+warnings: -+ - management: |- -+ The GRUB 2 configuration file, grub.cfg, -+ is automatically updated each time a new kernel is installed. Note that any -+ changes to /etc/default/grub require rebuilding the grub.cfg -+ file. To update the GRUB 2 configuration file manually, use the -+
grub2-mkconfig -o
command as follows: -+
    -+
  • On BIOS-based machines, issue the following command as root: -+
    ~]# grub2-mkconfig -o /boot/grub2/grub.cfg
  • -+
  • On UEFI-based machines, issue the following command as root: -+{{% if product == "rhel7" %}} -+
    ~]# grub2-mkconfig -o /boot/efi/EFI/redhat/grub.cfg
  • -+{{% else %}} -+
    ~]# grub2-mkconfig -o /boot/efi/EFI/fedora/grub.cfg
    -+{{% endif %}} -+
-diff --git a/linux_os/guide/system/permissions/restrictions/poisoning/grub2_slub_debug_argument.rule b/linux_os/guide/system/permissions/restrictions/poisoning/grub2_slub_debug_argument.rule -new file mode 100644 -index 0000000000..ea982ee216 ---- /dev/null -+++ b/linux_os/guide/system/permissions/restrictions/poisoning/grub2_slub_debug_argument.rule -@@ -0,0 +1,52 @@ -+documentation_complete: true -+ -+prodtype: rhel7,fedora -+ -+title: 'Enable SLUB/SLAB allocator poisoning' -+ -+description: |- -+ To enable poisoning of SLUB/SLAB objects, -+ add the argument slub_debug=P to the default -+ GRUB 2 command line for the Linux operating system in -+ /etc/default/grub, in the manner below: -+
GRUB_CMDLINE_LINUX="slub_debug=P"
-+ -+rationale: |- -+ Poisoning writes an arbitrary value to freed objects, so any modification or -+ reference to that object after being freed or before being initialized will be -+ detected and prevented. -+ This prevents many types of use-after-free vulnerabilities at little performance cost. -+ Also prevents leak of data and detection of corrupted memory. -+ -+severity: unknown -+ -+ocil_clause: 'SLUB/SLAB poisoning is not enabled' -+ -+ocil: |- -+ Inspect the form of default GRUB 2 command line for the Linux operating system -+ in /etc/default/grub. If they include slub_debug=P, -+ then SLUB/SLAB poisoning is enabled at boot time. -+

-+ To ensure slub_debug=P is configured on all installed kernels, the -+ following command may be used: -+
-+
$ sudo /sbin/grubby --update-kernel=ALL --args="slub_debug=P
-+
-+ -+warnings: -+ - management: |- -+ The GRUB 2 configuration file, grub.cfg, -+ is automatically updated each time a new kernel is installed. Note that any -+ changes to /etc/default/grub require rebuilding the grub.cfg -+ file. To update the GRUB 2 configuration file manually, use the -+
grub2-mkconfig -o
command as follows: -+
    -+
  • On BIOS-based machines, issue the following command as root: -+
    ~]# grub2-mkconfig -o /boot/grub2/grub.cfg
  • -+
  • On UEFI-based machines, issue the following command as root: -+{{% if product == "rhel7" %}} -+
    ~]# grub2-mkconfig -o /boot/efi/EFI/redhat/grub.cfg
  • -+{{% else %}} -+
    ~]# grub2-mkconfig -o /boot/efi/EFI/fedora/grub.cfg
    -+{{% endif %}} -+
-diff --git a/rhel7/profiles/ospp42.profile b/rhel7/profiles/ospp42.profile -index bfdc68de8b..dd157a6e5b 100644 ---- a/rhel7/profiles/ospp42.profile -+++ b/rhel7/profiles/ospp42.profile -@@ -15,6 +15,7 @@ description: |- - selections: - - installed_OS_is_certified - - grub2_audit_argument -+ - grub2_audit_backlog_limit_argument - - service_auditd_enabled - - grub2_enable_fips_mode - - rpm_verify_hashes -@@ -53,6 +54,9 @@ selections: - - grub2_password - - grub2_uefi_password - - grub2_disable_interactive_boot -+ - grub2_slub_debug_argument -+ - grub2_page_poison_argument -+ - grub2_vsyscall_argument - - no_empty_passwords - - require_singleuser_auth - - service_debug-shell_disabled -diff --git a/shared/templates/create_grub2_bootloader_argument.py b/shared/templates/create_grub2_bootloader_argument.py -new file mode 100644 -index 0000000000..bbd6e46a82 ---- /dev/null -+++ b/shared/templates/create_grub2_bootloader_argument.py -@@ -0,0 +1,40 @@ -+#!/usr/bin/python2 -+ -+# -+# create_grub2_bootloader_argument.py -+# generate template-based checks for unsuccessful file modifications detailed -+ -+ -+from template_common import FilesGenerator, UnknownTargetError -+ -+import re -+ -+class GRUB2BootloaderArgumentGenerator(FilesGenerator): -+ def generate(self, target, args): -+ arg_name, arg_value = args[0:2] -+ arg_name_value = arg_name + '=' + arg_value -+ -+ if target == "bash": -+ self.file_from_template( -+ "./template_BASH_grub2_bootloader_argument", -+ { -+ "ARG_NAME": arg_name, -+ "ARG_NAME_VALUE": arg_name_value -+ }, -+ "./bash/grub2_{0}_argument.sh", arg_name -+ ) -+ elif target == "oval": -+ self.file_from_template( -+ "./template_OVAL_grub2_bootloader_argument", -+ { -+ "ARG_NAME": arg_name, -+ "ARG_NAME_VALUE": arg_name_value -+ }, -+ "./oval/grub2_{0}_argument.xml", arg_name -+ ) -+ else: -+ raise UnknownTargetError(target) -+ -+ def csv_format(self): -+ return("CSV should contains lines of the format: " + -+ "SYSCALL") -diff --git 
a/shared/templates/csv/grub2_bootloader_argument.csv b/shared/templates/csv/grub2_bootloader_argument.csv -new file mode 100644 -index 0000000000..8610111715 ---- /dev/null -+++ b/shared/templates/csv/grub2_bootloader_argument.csv -@@ -0,0 +1,10 @@ -+# format: -+# , -+# - argument_name is the name of argument for the bootloader -+# - value is the value for the argument -+ -+audit,1 -+audit_backlog_limit,8192 -+slub_debug,P -+page_poison,1 -+vsyscall,none -diff --git a/shared/templates/template_BASH_grub2_bootloader_argument b/shared/templates/template_BASH_grub2_bootloader_argument -new file mode 100644 -index 0000000000..9f48517415 ---- /dev/null -+++ b/shared/templates/template_BASH_grub2_bootloader_argument -@@ -0,0 +1,13 @@ -+# platform = Red Hat Enterprise Linux 7, multi_platform_fedora -+ -+# Correct the form of default kernel command line in GRUB -+if grep -q '^GRUB_CMDLINE_LINUX=.*{{{ ARG_NAME }}}=.*"' '/etc/default/grub' ; then -+ # modify the GRUB command-line if an {{{ ARG_NAME }}}= arg already exists -+ sed -i 's/\(^GRUB_CMDLINE_LINUX=".*\){{{ ARG_NAME }}}=[^[:space:]]*\(.*"\)/\1 {{{ ARG_NAME_VALUE }}} \2/' '/etc/default/grub' -+else -+ # no {{{ ARG_NAME }}}=arg is present, append it -+ sed -i 's/\(^GRUB_CMDLINE_LINUX=".*\)"/\1 {{{ ARG_NAME_VALUE }}}"/' '/etc/default/grub' -+fi -+ -+# Correct the form of kernel command line for each installed kernel in the bootloader -+grubby --update-kernel=ALL --args="{{{ ARG_NAME_VALUE }}}" -diff --git a/shared/templates/template_OVAL_grub2_bootloader_argument b/shared/templates/template_OVAL_grub2_bootloader_argument -new file mode 100644 -index 0000000000..b6f4b1397a ---- /dev/null -+++ b/shared/templates/template_OVAL_grub2_bootloader_argument -@@ -0,0 +1,55 @@ -+ -+ -+ -+ Ensure GRUB 2 is configured to run Linux operating system with argument {{{ ARG_NAME_VALUE }}} -+ -+ Red Hat Enterprise Linux 7 -+ multi_platform_fedora -+ -+ Look for argument {{{ ARG_NAME_VALUE }}} in the kernel line in /etc/default/grub. 
-+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ /etc/default/grub -+ ^\s*GRUB_CMDLINE_LINUX="(.*)"$ -+ 1 -+ -+ -+ -+ -+ -+ -+ -+ -+ /etc/default/grub -+ ^\s*GRUB_CMDLINE_LINUX_DEFAULT="(.*)"$ -+ 1 -+ -+ -+ -+ ^.*{{{ ARG_NAME_VALUE }}}.*$ -+ -+ -+ -diff --git a/ssg/build_templates.py b/ssg/build_templates.py -index f4373553b2..c36bbbacc4 100644 ---- a/ssg/build_templates.py -+++ b/ssg/build_templates.py -@@ -28,6 +28,7 @@ - from create_audit_rules_usergroup_modification import AuditRulesUserGroupModificationGenerator - from create_audit_rules_execution import AuditRulesExecutionGenerator - from create_audit_rules_path_syscall import AuditRulesPathSyscallGenerator -+from create_grub2_bootloader_argument import GRUB2BootloaderArgumentGenerator - - - class Builder(object): -@@ -74,6 +75,7 @@ def __init__(self, env_yaml): - "audit_rules_usergroup_modification.csv": AuditRulesUserGroupModificationGenerator(), - "audit_rules_execution.csv": AuditRulesExecutionGenerator(), - "audit_rules_path_syscall.csv": AuditRulesPathSyscallGenerator(), -+ "grub2_bootloader_argument.csv": GRUB2BootloaderArgumentGenerator(), - } - self.langs = TEMPLATED_LANGUAGES - utils_dir = os.path.dirname(os.path.realpath(__file__)) diff --git a/SOURCES/scap-security-guide-0.1.41-install-dracut-fips.patch b/SOURCES/scap-security-guide-0.1.41-install-dracut-fips.patch deleted file mode 100644 index 76a96d6..0000000 --- a/SOURCES/scap-security-guide-0.1.41-install-dracut-fips.patch +++ /dev/null 
@@ -1,151 +0,0 @@ -diff --git a/rhel7/fixes/anaconda/grub2_enable_fips_mode.anaconda b/rhel7/fixes/anaconda/grub2_enable_fips_mode.anaconda -new file mode 100644 -index 0000000..99693f6 ---- /dev/null -+++ b/rhel7/fixes/anaconda/grub2_enable_fips_mode.anaconda -@@ -0,0 +1,3 @@ -+# platform = Red Hat Enterprise Linux 7 -+ -+package --add=dracut-fips -diff --git a/linux_os/guide/system/software/integrity/fips/grub2_enable_fips_mode.rule b/linux_os/guide/system/software/integrity/fips/grub2_enable_fips_mode.rule -index ac89c4e8ac..4f70107829 100644 ---- a/linux_os/guide/system/software/integrity/fips/grub2_enable_fips_mode.rule -+++ b/linux_os/guide/system/software/integrity/fips/grub2_enable_fips_mode.rule -@@ -5,8 +5,9 @@ prodtype: rhel7 - title: 'Enable FIPS Mode in GRUB2' - - description: |- -- To ensure FIPS mode is enabled, rebuild initramfs by running the following command: --
dracut -f
-+ To ensure FIPS mode is enabled, install package dracut-fips, and rebuild initramfs by running the following commands: -+
{{{ package_install("dracut-fips") }}}
-+    dracut -f
- After the dracut command has been run, add the argument fips=1 to the default - GRUB 2 command line for the Linux operating system in - /etc/default/grub, in the manner below: -diff --git a/shared/macros-highlevel.jinja b/shared/macros-highlevel.jinja -index 722f15fd2a..d1dba54154 100644 ---- a/shared/macros-highlevel.jinja -+++ b/shared/macros-highlevel.jinja -@@ -19,31 +19,39 @@ - {{%- endif -%}} - {{%- endmacro %}} - -- - {{%- macro describe_package_install(package) -%}} -+ The {{{ package }}} package can be installed with the following command: -+
{{{ package_install(package) }}}
-+{{%- endmacro %}} -+ -+{{%- macro package_install(package) -%}} - {{%- if pkg_manager == "apt_get" -%}} -- {{{ apt_get_describe_package_install(package) }}} -+ {{{ apt_get_package_install(package) }}} - {{%- elif pkg_manager == "zypper" -%}} -- {{{ zypper_describe_package_install(package) }}} -+ {{{ zypper_package_install(package) }}} - {{%- elif pkg_manager == "yum" -%}} -- {{{ yum_describe_package_install(package) }}} -+ {{{ yum_package_install(package) }}} - {{%- elif pkg_manager == "dnf" -%}} -- {{{ dnf_describe_package_install(package) }}} -+ {{{ dnf_package_install(package) }}} - {{%- else %}} - JINJA MACRO ERROR: Unknown package manager '{{{ pkg_manager }}}'. - {{%- endif -%}} - {{%- endmacro %}} - -- - {{%- macro describe_package_remove(package) -%}} -+ The {{{ package }}} package can be removed with the following command: -+
{{{ package_remove(package) }}}
-+{{%- endmacro %}} -+ -+{{%- macro package_remove(package) -%}} - {{%- if pkg_manager == "apt_get" -%}} -- {{{ apt_get_describe_package_remove(package) }}} -+ {{{ apt_get_package_remove(package) }}} - {{%- elif pkg_manager == "zypper" -%}} -- {{{ zypper_describe_package_remove(package) }}} -+ {{{ zypper_package_remove(package) }}} - {{%- elif pkg_manager == "yum" -%}} -- {{{ yum_describe_package_remove(package) }}} -+ {{{ yum_package_remove(package) }}} - {{%- elif pkg_manager == "dnf" -%}} -- {{{ dnf_describe_package_remove(package) }}} -+ {{{ dnf_package_remove(package) }}} - {{%- else %}} - JINJA MACRO ERROR: Unknown package manager '{{{ pkg_manager }}}'. - {{%- endif -%}} -diff --git a/shared/macros.jinja b/shared/macros.jinja -index 2d93808ed2..e2b46e9a44 100644 ---- a/shared/macros.jinja -+++ b/shared/macros.jinja -@@ -395,51 +395,43 @@ ocil_clause: "{{{ sebool }}} is not enabled" - {{%- endmacro %}} - - --{{%- macro apt_get_describe_package_install(package) %}} -- The {{{ package }}} package can be installed with the following command: --
$ apt-get install {{{ package }}}
-+{{%- macro apt_get_package_install(package) %}} -+ $ apt-get install {{{ package }}} - {{%- endmacro %}} - - --{{%- macro apt_get_describe_package_remove(package) %}} -- The {{{ package }}} package can be removed with the following command: --
$ apt-get remove {{{ package }}}
-+{{%- macro apt_get_package_remove(package) %}} -+ $ apt-get remove {{{ package }}} - {{%- endmacro %}} - - --{{%- macro dnf_describe_package_install(package) %}} -- The {{{ package }}} package can be installed with the following command: --
$ sudo dnf install {{{ package }}}
-+{{%- macro dnf_package_install(package) %}} -+ $ sudo dnf install {{{ package }}} - {{%- endmacro %}} - - --{{%- macro dnf_describe_package_remove(package) %}} -- The {{{ package }}} package can be removed with the following command: --
$ sudo dnf erase {{{ package }}}
-+{{%- macro dnf_package_remove(package) %}} -+ $ sudo dnf erase {{{ package }}} - {{%- endmacro %}} - - --{{%- macro yum_describe_package_install(package) %}} -- The {{{ package }}} package can be installed with the following command: --
$ sudo yum install {{{ package }}}
-+{{%- macro yum_package_install(package) %}} -+ $ sudo yum install {{{ package }}} - {{%- endmacro %}} - - --{{%- macro yum_describe_package_remove(package) %}} -- The {{{ package }}} package can be removed with the following command: --
$ sudo yum erase {{{ package }}}
-+{{%- macro yum_package_remove(package) %}} -+ $ sudo yum erase {{{ package }}} - {{%- endmacro %}} - - --{{%- macro zypper_describe_package_install(package) %}} -- The {{{ package }}} package can be installed with the following command: --
$ sudo zypper install {{{ package }}}
-+{{%- macro zypper_package_install(package) %}} -+ $ sudo zypper install {{{ package }}} - {{%- endmacro %}} - - --{{%- macro zypper_describe_package_remove(package) %}} -- The {{{ package }}} package can be removed with the following command: --
$ sudo zypper remove {{{ package }}}
-+{{%- macro zypper_package_remove(package) %}} -+ $ sudo zypper remove {{{ package }}} - {{%- endmacro %}} - - diff --git a/SOURCES/scap-security-guide-0.1.41-kptr_restrict.patch b/SOURCES/scap-security-guide-0.1.41-kptr_restrict.patch deleted file mode 100644 index 24687d8..0000000 --- a/SOURCES/scap-security-guide-0.1.41-kptr_restrict.patch +++ /dev/null @@ -1,22 +0,0 @@ ---- /dev/null 2018-09-24 12:07:02.352998857 +0200 -+++ b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict.rule 2018-08-20 22:58:34.441789550 +0200 -@@ -0,0 +1,19 @@ -+documentation_complete: true -+ -+title: 'Restrict exposed kernel pointers addresses access' -+ -+description: '{{{ describe_sysctl_option_value(sysctl="kernel.kptr_restrict", value="1") }}}' -+ -+rationale: |- -+ Exposing kernel pointers (through procfs or seq_printf()) exposes -+ kernel writeable structures that can contain functions pointers. If a write vulnereability occurs -+ in the kernel allowing a write access to any of this structure, the kernel can be compromise. This -+ option disallow any program withtout the CAP_SYSLOG capability from getting the kernel pointers addresses, -+ replacing them with 0. -+ -+severity: low -+ -+references: -+ anssi: NT28(R23) -+ -+{{{ complete_ocil_entry_sysctl_option_value(sysctl="kernel.kptr_restrict", value="1") }}} diff --git a/SOURCES/scap-security-guide-0.1.41-ospp_enable.patch b/SOURCES/scap-security-guide-0.1.41-ospp_enable.patch deleted file mode 100644 index c694fff..0000000 --- a/SOURCES/scap-security-guide-0.1.41-ospp_enable.patch +++ /dev/null 
@@ -1,20 +0,0 @@
-diff --git a/rhel7/profiles/ospp42-draft.profile b/rhel7/profiles/ospp42.profile
-similarity index 97%
-rename from rhel7/profiles/ospp42-draft.profile
-rename to rhel7/profiles/ospp42.profile
-index 63b7223731..7610768980 100644
---- a/rhel7/profiles/ospp42-draft.profile
-+++ b/rhel7/profiles/ospp42.profile
-@@ -1,9 +1,9 @@
--documentation_complete: false
-+documentation_complete: true
-
--title: 'DRAFT - Protection Profile for General Purpose Operating Systems'
-+title: 'Protection Profile for General Purpose Operating Systems v. 4.2'
-
--description: "This profile reflects mandatory configuration controls identified\nin the NIAP Configuration Annex to the Protection\
-- \ Profile for General Purpose Operating\nSystems (Protection Profile Version 4.2 draft). \n\nThis Annex is consistent\
-+ \ Profile for General Purpose Operating\nSystems (Protection Profile Version 4.2). \n\nThis Annex is consistent\
- \ with CNSSI-1253, which requires US National Security\nSystems to adhere to certain configuration parameters. Accordingly,\
- \ configuration\nguidance produced according to the requirements of this Annex is suitable for use\nin US National Security\
- \ Systems."
diff --git a/SOURCES/scap-security-guide-0.1.41-packages_abrt_sendmail_removed.patch b/SOURCES/scap-security-guide-0.1.41-packages_abrt_sendmail_removed.patch
deleted file mode 100644
index 13c3db3..0000000
--- a/SOURCES/scap-security-guide-0.1.41-packages_abrt_sendmail_removed.patch
+++ /dev/null
@@ -1,47 +0,0 @@
-diff --git a/linux_os/guide/services/base/package_abrt_removed.rule b/linux_os/guide/services/base/package_abrt_removed.rule
-new file mode 100644
-index 0000000000..6cdca812c8
---- /dev/null
-+++ b/linux_os/guide/services/base/package_abrt_removed.rule
-@@ -0,0 +1,22 @@
-+documentation_complete: true
-+
-+prodtype: rhel6,rhel7,fedora
-+
-+title: 'Uninstall Automatic Bug Reporting Tool (abrt)'
-+
-+description: |-
-+ The Automatic Bug Reporting Tool (abrt) collects
-+ and reports crash data when an application crash is detected. Using a variety
-+ of plugins, abrt can email crash reports to system administrators, log crash
-+ reports to files, or forward crash reports to a centralized issue tracking
-+ system such as RHTSupport.
-+ {{{ describe_package_remove(package="abrt") }}}
-+
-+rationale: |-
-+ Mishandling crash data could expose sensitive information about
-+ vulnerabilities in software executing on the system, as well as sensitive
-+ information from within a process's address space or registers.
-+
-+severity: unknown
-+
-+{{{ complete_ocil_entry_package(package="abrt") }}}
-diff --git a/rhel7/profiles/ospp42.profile b/rhel7/profiles/ospp42.profile
-index 8550434ffa..376aebba51 100644
---- a/rhel7/profiles/ospp42.profile
-+++ b/rhel7/profiles/ospp42.profile
-@@ -184,3 +184,4 @@ selections:
- - audit_rules_etc_group_open
- - audit_rules_etc_group_openat
- - audit_rules_etc_group_open_by_handle_at
-+ - package_abrt_removed
-
-diff --git a/rhel7/profiles/ospp42.profile b/rhel7/profiles/ospp42.profile
-index 376aebba51..d6068ea7f7 100644
---- a/rhel7/profiles/ospp42.profile
-+++ b/rhel7/profiles/ospp42.profile
-@@ -185,3 +185,4 @@ selections:
- - audit_rules_etc_group_openat
- - audit_rules_etc_group_open_by_handle_at
- - package_abrt_removed
-+ - package_sendmail_removed
diff --git a/SOURCES/scap-security-guide-0.1.41-profile_title_rename_etc.patch b/SOURCES/scap-security-guide-0.1.41-profile_title_rename_etc.patch
deleted file mode 100644
index f86fdc0..0000000
--- a/SOURCES/scap-security-guide-0.1.41-profile_title_rename_etc.patch
+++ /dev/null
@@ -1,95 +0,0 @@ -diff --git a/rhel7/profiles/ospp.profile b/rhel7/profiles/ospp.profile -index 09136fb5ce..e0d9b02c38 100644 ---- a/rhel7/profiles/ospp.profile -+++ b/rhel7/profiles/ospp.profile -@@ -2,34 +2,35 @@ documentation_complete: true - - title: 'United States Government Configuration Baseline' - --description: "This compliance profile reflects the core set of security \n -- \ related configuration settings for deployment of Red Hat Enterprise \n -- \ Linux 7.x into U.S. Defense, Intelligence, and Civilian agencies. \n -- \ Development partners and sponsors include the U.S. National Institute \n -- \ of Standards and Technology (NIST), U.S. Department of Defense, \n -- \ the National Security Agency, and Red Hat. \n -- \ \n -- \ This baseline implements configuration requirements from the following \n -- \ sources: \n -- \ \n -- \ - Committee on National Security Systems Instruction No. 1253 (CNSSI 1253) \n -- \ - NIST Controlled Unclassified Information (NIST 800-171) \n -- \ - NIST 800-53 control selections for MODERATE impact systems (NIST 800-53) \n -- \ - U.S. Government Configuration Baseline (USGCB) \n -- \ - NIAP Protection Profile for General Purpose Operating Systems v4.0 (OSPP v4.0) \n -- \ - DISA Operating System Security Requirements Guide (OS SRG) \n -- \ \n -- \ For any differing configuration requirements, e.g. password lengths, the stricter \n -- \ security setting was chosen. Security Requirement Traceability Guides (RTMs) and \n -- \ sample System Security Configuration Guides are provided via the \n -- \ scap-security-guide-docs package. \n -- \ \n -- \ This profile reflects U.S. Government consensus content and is developed through \n -- \ the OpenSCAP/SCAP Security Guide initiative, championed by the National \n -- \ Security Agency. 
Except for differences in formatting to accommodate \n -- \ publishing processes, this profile mirrors OpenSCAP/SCAP Security Guide \n -- \ content as minor divergences, such as bugfixes, work through the \n -- \ consensus and release processes." -+description: |- -+ This compliance profile reflects the core set of security -+ related configuration settings for deployment of Red Hat Enterprise -+ Linux 7.x into U.S. Defense, Intelligence, and Civilian agencies. -+ Development partners and sponsors include the U.S. National Institute -+ of Standards and Technology (NIST), U.S. Department of Defense, -+ the National Security Agency, and Red Hat. -+ -+ This baseline implements configuration requirements from the following -+ sources: -+ -+ - Committee on National Security Systems Instruction No. 1253 (CNSSI 1253) -+ - NIST Controlled Unclassified Information (NIST 800-171) -+ - NIST 800-53 control selections for MODERATE impact systems (NIST 800-53) -+ - U.S. Government Configuration Baseline (USGCB) -+ - NIAP Protection Profile for General Purpose Operating Systems v4.0 (OSPP v4.0) -+ - DISA Operating System Security Requirements Guide (OS SRG) -+ -+ For any differing configuration requirements, e.g. password lengths, the stricter -+ security setting was chosen. Security Requirement Traceability Guides (RTMs) and -+ sample System Security Configuration Guides are provided via the -+ scap-security-guide-docs package. -+ -+ This profile reflects U.S. Government consensus content and is developed through -+ the OpenSCAP/SCAP Security Guide initiative, championed by the National -+ Security Agency. Except for differences in formatting to accommodate -+ publishing processes, this profile mirrors OpenSCAP/SCAP Security Guide -+ content as minor divergences, such as bugfixes, work through the -+ consensus and release processes. 
- - selections: - - installed_OS_is_certified -diff --git a/rhel7/profiles/ospp42.profile b/rhel7/profiles/ospp42.profile -index 8550434ffa..e4a5e9892c 100644 ---- a/rhel7/profiles/ospp42.profile -+++ b/rhel7/profiles/ospp42.profile -@@ -1,12 +1,16 @@ - documentation_complete: true - --title: 'Protection Profile for General Purpose Operating Systems v. 4.2' -+title: 'OSPP - Protection Profile for General Purpose Operating Systems v. 4.2' - --description: "This profile reflects mandatory configuration controls identified\nin the NIAP Configuration Annex to the Protection\ -- \ Profile for General Purpose Operating\nSystems (Protection Profile Version 4.2). \n\nThis Annex is consistent\ -- \ with CNSSI-1253, which requires US National Security\nSystems to adhere to certain configuration parameters. Accordingly,\ -- \ configuration\nguidance produced according to the requirements of this Annex is suitable for use\nin US National Security\ -- \ Systems." -+description: |- -+ This profile reflects mandatory configuration controls identified in the -+ NIAP Configuration Annex to the Protection Profile for General Purpose -+ Operating Systems (Protection Profile Version 4.2). -+ -+ This Annex is consistent with CNSSI-1253, which requires US National Security -+ Systems to adhere to certain configuration parameters. Accordingly, configuration -+ guidance produced according to the requirements of this Annex is suitable for use -+ in US National Security Systems. - - selections: - - installed_OS_is_certified diff --git a/SOURCES/scap-security-guide-0.1.41-restrict-remediation-for-dev-shm.patch b/SOURCES/scap-security-guide-0.1.41-restrict-remediation-for-dev-shm.patch deleted file mode 100644 index 6269fa2..0000000 --- a/SOURCES/scap-security-guide-0.1.41-restrict-remediation-for-dev-shm.patch +++ /dev/null 
@@ -1,134 +0,0 @@
-From 3cba3a59a004582c787cba725fee033c104bfe43 Mon Sep 17 00:00:00 2001
-From: Watson Sato
-Date: Wed, 25 Jul 2018 18:02:01 +0200
-Subject: [PATCH 1/4] Drop restrictions to build remediations for some sysctl
- rules
-
-Templated generation of remediations for these rules were restricted.
-I don't see the motivation to restrict them, besides to easy comparison
-of generated datastream in 9aa2184d8d0f866df3fb6f1ea1beeafb076b3be5.
-
-RHEL7 content build the OVAL just fine.
----
- rhel6/templates/csv/sysctl_values.csv | 10 +++++-----
- 1 file changed, 5 insertions(+), 5 deletions(-)
-
-diff --git a/rhel6/templates/csv/sysctl_values.csv b/rhel6/templates/csv/sysctl_values.csv
-index ad0507a2f4..af321acde0 100644
---- a/rhel6/templates/csv/sysctl_values.csv
-+++ b/rhel6/templates/csv/sysctl_values.csv
-@@ -21,8 +21,8 @@ net.ipv4.ip_forward,0
- net.ipv4.tcp_syncookies,
- net.ipv6.conf.default.accept_ra,
- net.ipv6.conf.default.accept_redirects,
--net.ipv6.conf.all.accept_ra,#only-for:oval
--net.ipv6.conf.all.accept_redirects,#only-for:oval
--net.ipv6.conf.default.accept_source_route,#only-for:oval
--net.ipv6.conf.all.accept_source_route,#only-for:oval
--net.ipv6.conf.all.forwarding,#only-for:oval
-+net.ipv6.conf.all.accept_ra,
-+net.ipv6.conf.all.accept_redirects,
-+net.ipv6.conf.default.accept_source_route,
-+net.ipv6.conf.all.accept_source_route,
-+net.ipv6.conf.all.forwarding,
-
-From 574defca3e1559bb5b954e65763b5df542bfeb99 Mon Sep 17 00:00:00 2001
-From: Watson Sato
-Date: Wed, 25 Jul 2018 18:08:12 +0200
-Subject: [PATCH 2/4] Drop generation of kernel_dmesg_restrict
-
-Rule kernel_dmest_restrict is not selected by any sle12 Profile.
-And currently the rule is applicable for rhel6, rhel7 and fedora.
-I see this as a copy pasta legacy.
----
- sle12/templates/csv/sysctl_values.csv | 1 -
- 1 file changed, 1 deletion(-)
-
-diff --git a/sle12/templates/csv/sysctl_values.csv b/sle12/templates/csv/sysctl_values.csv
-index 9428bc8a9f..d9b34c9aad 100644
---- a/sle12/templates/csv/sysctl_values.csv
-+++ b/sle12/templates/csv/sysctl_values.csv
-@@ -1,7 +1,6 @@
- # Add to generate hard-coded OVAL and remediation content.
- # Add to generate OVAL and remediation content that use the XCCDF value.
- fs.suid_dumpable,0
--kernel.dmesg_restrict,1#only-for:bash,ansible
- #kernel.exec-shield,1
- kernel.randomize_va_space,2
- net.ipv4.conf.all.accept_redirects,
-
-From 79166dab27c8f23e6918b675e126f473395bc70b Mon Sep 17 00:00:00 2001
-From: Watson Sato
-Date: Wed, 25 Jul 2018 18:27:08 +0200
-Subject: [PATCH 3/4] Flip template restriction to exclude target languages
-
-It is more likely and easier that we want to generate content for
-all supported languages, and filter out the exceptions.
----
- shared/templates/template_common.py | 14 +++++++-------
- 1 file changed, 7 insertions(+), 7 deletions(-)
-
-diff --git a/shared/templates/template_common.py b/shared/templates/template_common.py
-index da746e0323..b0fdf5fcc9 100644
---- a/shared/templates/template_common.py
-+++ b/shared/templates/template_common.py
-@@ -36,7 +36,7 @@ def __init__(self, template, paths):
-
-
- TEMPLATED_LANGUAGES = ["bash", "ansible", "oval", "anaconda", "puppet"]
--TARGET_REGEX = re.compile(r"#\s*only-for:([\s\w,]*)")
-+TARGET_EXCLUDE_REGEX = re.compile(r"#\s*except-for:([\s\w,]*)")
-
-
- class FilesGenerator(object):
-@@ -113,13 +113,13 @@ def process_csv_line(self, line, target):
- """
-
- if target is not None:
-- match = TARGET_REGEX.search(line)
-+ exclude_match = TARGET_EXCLUDE_REGEX.search(line)
-
-- if match:
-- # if line contains restriction to target, check it
-- supported_targets = \
-- [x.strip() for x in match.group(1).split(",")]
-- if target not in supported_targets:
-+ if exclude_match:
-+ # Check if line contains restriction to target
-+ unsupported_targets = \
-+ [x.strip() for x in exclude_match.group(1).split(",")]
-+ if target in unsupported_targets:
- return None
-
- # get part before comment
-
-From 89a059d096641d8f971c9f2d9af903742d251083 Mon Sep 17 00:00:00 2001
-From: Watson Sato
-Date: Wed, 25 Jul 2018 18:44:11 +0200
-Subject: [PATCH 4/4] Dont generate fix for unavailable mount points
-
-Do not generate anaconda remediation for mount options of /dev/shm.
-These mount points are not there at install time.
----
- rhel7/templates/csv/mount_options.csv | 8 +++++---
- 1 file changed, 5 insertions(+), 3 deletions(-)
-
-diff --git a/rhel7/templates/csv/mount_options.csv b/rhel7/templates/csv/mount_options.csv
-index 759e51b0fe..f5d9ed8cea 100644
---- a/rhel7/templates/csv/mount_options.csv
-+++ b/rhel7/templates/csv/mount_options.csv
-@@ -6,9 +6,11 @@
- # '$' to reference a variable, e.g. var_removable_partition,nodev)
- # If the remediation can create (i.e. not just modify) an /etc/fstab line,
- # add the 'create_fstab_entry_if_needed' literal string as the third argument.
--/dev/shm,nodev
--/dev/shm,noexec
--/dev/shm,nosuid
-+
-+# /dev/shm is created by systemd and is not available at install time
-+/dev/shm,nodev #except-for:anaconda
-+/dev/shm,noexec #except-for:anaconda
-+/dev/shm,nosuid #except-for:anaconda
- /home,nosuid
- /home,nodev
- /tmp,nodev
diff --git a/SOURCES/scap-security-guide-0.1.41-select_missing_arpc_for_OSPP42.patch b/SOURCES/scap-security-guide-0.1.41-select_missing_arpc_for_OSPP42.patch
deleted file mode 100644
index 465d641..0000000
--- a/SOURCES/scap-security-guide-0.1.41-select_missing_arpc_for_OSPP42.patch
+++ /dev/null
@@ -1,25 +0,0 @@
-From ed1f049c0c1e1f6c0aaa63b78e88229d2d25a5b6 Mon Sep 17 00:00:00 2001
-From: Watson Sato
-Date: Thu, 20 Sep 2018 22:23:10 +0200
-Subject: [PATCH 1/2] Select rules for audit privileged commands
-- crontab
-- umount
----
- rhel7/profiles/ospp42.profile | 2 ++
- 2 files changed, 4 insertions(+)
-
-diff --git a/rhel7/profiles/ospp42.profile b/rhel7/profiles/ospp42.profile
-index 58ad10b1be..8550434ffa 100644
---- a/rhel7/profiles/ospp42.profile
-+++ b/rhel7/profiles/ospp42.profile
-@@ -141,7 +141,9 @@ selections:
- - audit_rules_dac_modification_lchown
- - audit_rules_unsuccessful_file_modification_lchown
- - audit_rules_privileged_commands_at
-+ - audit_rules_privileged_commands_crontab
- - audit_rules_privileged_commands_mount
-+ - audit_rules_privileged_commands_umount
- - audit_rules_privileged_commands_passwd
- - audit_rules_privileged_commands_unix_chkpwd
- - audit_rules_privileged_commands_userhelper
diff --git a/SOURCES/scap-security-guide-0.1.41-small_bash_fix_for_gnome_screensaver_lock_delay.patch b/SOURCES/scap-security-guide-0.1.41-small_bash_fix_for_gnome_screensaver_lock_delay.patch
deleted file mode 100644
index b045772..0000000
--- a/SOURCES/scap-security-guide-0.1.41-small_bash_fix_for_gnome_screensaver_lock_delay.patch
+++ /dev/null
@@ -1,388 +0,0 @@
-From 0286990e3776fa2d3ecbff101eba824bd2addfc7 Mon Sep 17 00:00:00 2001
-From: Watson Sato
-Date: Thu, 20 Sep 2018 15:59:52 +0200
-Subject: [PATCH 1/5] Add tests for dconf_gnome_screensaver_lock_enabled
-
----
- .../comment.fail.sh | 14 ++++++++++++++
- .../correct_value.pass.sh | 19 +++++++++++++++++++
- .../correct_value_unlocked.fail.sh | 13 +++++++++++++
- .../line_not_there.fail.sh | 10 ++++++++++
- .../wrong_value.fail.sh | 13 +++++++++++++
- 5 files changed, 69 insertions(+)
- create mode 100644 tests/data/group_system/group_software/group_gnome/group_gnome_screen_locking/rule_dconf_gnome_screensaver_lock_enabled/comment.fail.sh
- create mode 100644 tests/data/group_system/group_software/group_gnome/group_gnome_screen_locking/rule_dconf_gnome_screensaver_lock_enabled/correct_value.pass.sh
- create mode 100644 tests/data/group_system/group_software/group_gnome/group_gnome_screen_locking/rule_dconf_gnome_screensaver_lock_enabled/correct_value_unlocked.fail.sh
- create mode 100644 tests/data/group_system/group_software/group_gnome/group_gnome_screen_locking/rule_dconf_gnome_screensaver_lock_enabled/line_not_there.fail.sh
- create mode 100644 tests/data/group_system/group_software/group_gnome/group_gnome_screen_locking/rule_dconf_gnome_screensaver_lock_enabled/wrong_value.fail.sh
-
-diff --git a/tests/data/group_system/group_software/group_gnome/group_gnome_screen_locking/rule_dconf_gnome_screensaver_lock_enabled/comment.fail.sh b/tests/data/group_system/group_software/group_gnome/group_gnome_screen_locking/rule_dconf_gnome_screensaver_lock_enabled/comment.fail.sh
-new file mode 100644
-index 0000000000..e7598e6496
---- /dev/null
-+++ b/tests/data/group_system/group_software/group_gnome/group_gnome_screen_locking/rule_dconf_gnome_screensaver_lock_enabled/comment.fail.sh
-@@ -0,0 +1,14 @@
-+#!/bin/bash
-+# profiles = xccdf_org.ssgproject.content_profile_ospp
-+
-+yum -y install dconf
-+
-+# It is ok if string is not found in any file
-+file=$(grep -R "lock-enabled" /etc/dconf/db/local.d) || true
-+
-+if [ -n "$file" ] ; then
-+ sed -i "s/^lock-enabled=.*/#lock-enabled=true/g" $file
-+else
-+ echo "[org/gnome/desktop/screensaver]" > /etc/dconf/db/local.d/00-security-settings
-+ echo "#lock-enabled=true" >> /etc/dconf/db/local.d/00-security-settings
-+fi
-diff --git a/tests/data/group_system/group_software/group_gnome/group_gnome_screen_locking/rule_dconf_gnome_screensaver_lock_enabled/correct_value.pass.sh b/tests/data/group_system/group_software/group_gnome/group_gnome_screen_locking/rule_dconf_gnome_screensaver_lock_enabled/correct_value.pass.sh
-new file mode 100644
-index 0000000000..0997842791
---- /dev/null
-+++ b/tests/data/group_system/group_software/group_gnome/group_gnome_screen_locking/rule_dconf_gnome_screensaver_lock_enabled/correct_value.pass.sh
-@@ -0,0 +1,19 @@
-+#!/bin/bash
-+# profiles = xccdf_org.ssgproject.content_profile_ospp
-+
-+yum -y install dconf
-+
-+# It is ok if string is not found in any file
-+file=$(grep -R "lock-enabled" /etc/dconf/db/local.d) || true
-+if [ -n "$file" ] ; then
-+ sed -i "s/^lock-enabled=.*/lock-enabled=true/g" $file
-+else
-+ echo "[org/gnome/desktop/screensaver]" > /etc/dconf/db/local.d/00-security-settings
-+ echo "lock-enabled=true" >> /etc/dconf/db/local.d/00-security-settings
-+fi
-+
-+lockfile=$(grep -R "lock-enabled" /etc/dconf/db/local.d/locks) || true
-+if [ -z "$file" ] ; then
-+ mkdir -p /etc/dconf/db/local.d/locks
-+ echo "/org/gnome/desktop/screensaver/lock-enabled" >> /etc/dconf/db/local.d/locks/00-security-settings-lock
-+fi
-diff --git a/tests/data/group_system/group_software/group_gnome/group_gnome_screen_locking/rule_dconf_gnome_screensaver_lock_enabled/correct_value_unlocked.fail.sh b/tests/data/group_system/group_software/group_gnome/group_gnome_screen_locking/rule_dconf_gnome_screensaver_lock_enabled/correct_value_unlocked.fail.sh
-new file mode 100644
-index 0000000000..0fd465d43b
---- /dev/null
-+++ b/tests/data/group_system/group_software/group_gnome/group_gnome_screen_locking/rule_dconf_gnome_screensaver_lock_enabled/correct_value_unlocked.fail.sh
-@@ -0,0 +1,13 @@
-+#!/bin/bash
-+# profiles = xccdf_org.ssgproject.content_profile_ospp
-+
-+yum -y install dconf
-+
-+# It is ok if string is not found in any file
-+file=$(grep -R "lock-enabled" /etc/dconf/db/local.d) || true
-+if [ -n "$file" ] ; then
-+ sed -i "s/^lock-enabled=.*/lock-enabled=true/g" $file
-+else
-+ echo "[org/gnome/desktop/screensaver]" > /etc/dconf/db/local.d/00-security-settings
-+ echo "lock-enabled=true" >> /etc/dconf/db/local.d/00-security-settings
-+fi
-diff --git a/tests/data/group_system/group_software/group_gnome/group_gnome_screen_locking/rule_dconf_gnome_screensaver_lock_enabled/line_not_there.fail.sh b/tests/data/group_system/group_software/group_gnome/group_gnome_screen_locking/rule_dconf_gnome_screensaver_lock_enabled/line_not_there.fail.sh
-new file mode 100644
-index 0000000000..fe09c8bf59
---- /dev/null
-+++ b/tests/data/group_system/group_software/group_gnome/group_gnome_screen_locking/rule_dconf_gnome_screensaver_lock_enabled/line_not_there.fail.sh
-@@ -0,0 +1,10 @@
-+#!/bin/bash
-+# profiles = xccdf_org.ssgproject.content_profile_ospp
-+
-+yum -y install dconf
-+
-+# It is ok if string is not found in any file
-+file=$(grep -R "lock-enabled" /etc/dconf/db/local.d) || true
-+if [ -n "$file" ] ; then
-+ sed -i "/^lock-enabled=.*/d" $file
-+fi
-diff --git a/tests/data/group_system/group_software/group_gnome/group_gnome_screen_locking/rule_dconf_gnome_screensaver_lock_enabled/wrong_value.fail.sh b/tests/data/group_system/group_software/group_gnome/group_gnome_screen_locking/rule_dconf_gnome_screensaver_lock_enabled/wrong_value.fail.sh
-new file mode 100644
-index 0000000000..eb9e91c595
---- /dev/null
-+++ b/tests/data/group_system/group_software/group_gnome/group_gnome_screen_locking/rule_dconf_gnome_screensaver_lock_enabled/wrong_value.fail.sh
-@@ -0,0 +1,13 @@
-+#!/bin/bash
-+# profiles = xccdf_org.ssgproject.content_profile_ospp
-+
-+yum -y install dconf
-+
-+# It is ok if string is not found in any file
-+file=$(grep -R "lock-enabled" /etc/dconf/db/local.d) || true
-+if [ -n "$file" ] ; then
-+ sed -i "s/^lock-enabled=.*/lock-enabled=false/g" $file
-+else
-+ echo "[org/gnome/desktop/screensaver]" > /etc/dconf/db/local.d/00-security-settings
-+ echo "lock-enabled=false" >> /etc/dconf/db/local.d/00-security-settings
-+fi
-
-From d935d096b769223b40cf8fb08be93b317e9f7076 Mon Sep 17 00:00:00 2001
-From: Watson Sato
-Date: Thu, 20 Sep 2018 16:01:12 +0200
-Subject: [PATCH 2/5] Do not accept commented keys as correct
-
----
- shared/bash_remediation_functions/include_dconf_settings.sh | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/shared/bash_remediation_functions/include_dconf_settings.sh b/shared/bash_remediation_functions/include_dconf_settings.sh
-index 9752698f34..ac79fe0653 100644
---- a/shared/bash_remediation_functions/include_dconf_settings.sh
-+++ b/shared/bash_remediation_functions/include_dconf_settings.sh
-@@ -32,7 +32,7 @@ function dconf_settings {
- echo "[${_path}]" >> ${DCONFFILE}
- echo "${_key}=${_value}" >> ${DCONFFILE}
- else
-- if grep -q "${_key}" ${SETTINGSFILES[@]}
-+ if grep -q "^(?!#)${_key}" ${SETTINGSFILES[@]}
- then
- sed -i "s/${_key}\s*=\s*.*/${_key}=${_value}/g" ${SETTINGSFILES[@]}
- else
-
-From e8e8b1e8b55dfa67affa07eecf8054d5ca77108c Mon Sep 17 00:00:00 2001
-From: Watson Sato
-Date: Thu, 20 Sep 2018 16:10:24 +0200
-Subject: [PATCH 3/5] Update dconf database after changing dconf setting
-
----
- shared/bash_remediation_functions/include_dconf_settings.sh | 2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/shared/bash_remediation_functions/include_dconf_settings.sh b/shared/bash_remediation_functions/include_dconf_settings.sh
-index ac79fe0653..02f9877e97 100644
---- a/shared/bash_remediation_functions/include_dconf_settings.sh
-+++ b/shared/bash_remediation_functions/include_dconf_settings.sh
-@@ -39,6 +39,8 @@ function dconf_settings {
- sed -i "\|\[${_path}]|a\\${_key}=${_value}" ${SETTINGSFILES[@]}
- fi
- fi
-+
-+ dconf update
- }
-
- # Function to configure DConf locks for RHEL and Fedora systems.
-
-From 61bc573ca262c711c93304106c92ff423f186aa7 Mon Sep 17 00:00:00 2001
-From: Watson Sato
-Date: Thu, 20 Sep 2018 21:18:46 +0200
-Subject: [PATCH 4/5] Add common functions for testing
-
-Functions added:
-- Clean up all dconf settings
-- Add a dconf entry
-- Add a dconf lock
----
- .../group_gnome/dconf_test_functions.sh | 29 +++++++++++++++++++
- .../comment.fail.sh | 15 ++++------
- .../correct_value.pass.sh | 20 ++++---------
- .../correct_value_unlocked.fail.sh | 13 +++------
- .../line_not_there.fail.sh | 10 -------
- .../setting_not_there.fail.sh | 7 +++++
- .../wrong_value.fail.sh | 14 ++++-----
- 7 files changed, 55 insertions(+), 53 deletions(-)
- create mode 100644 tests/data/group_system/group_software/group_gnome/dconf_test_functions.sh
- delete mode 100644 tests/data/group_system/group_software/group_gnome/group_gnome_screen_locking/rule_dconf_gnome_screensaver_lock_enabled/line_not_there.fail.sh
- create mode 100644 tests/data/group_system/group_software/group_gnome/group_gnome_screen_locking/rule_dconf_gnome_screensaver_lock_enabled/setting_not_there.fail.sh
-
-diff --git a/tests/data/group_system/group_software/group_gnome/dconf_test_functions.sh b/tests/data/group_system/group_software/group_gnome/dconf_test_functions.sh
-new file mode 100644
-index 0000000000..f76d68e523
---- /dev/null
-+++ b/tests/data/group_system/group_software/group_gnome/dconf_test_functions.sh
-@@ -0,0 +1,29 @@
-+
-+# Wipes out dconf db settings directory
-+clean_dconf_settings(){
-+ rm -rf /etc/dconf/db/*
-+}
-+
-+# Adds a new dconf setting
-+# $1 _path
-+# $2 _setting
-+# $3 _value
-+# $4 _db
-+# $5 _settingFile
-+add_dconf_setting() {
-+ local _path=$1 _setting=$2 _value=$3 _db=$4 _settingFile=$5
-+ mkdir /etc/dconf/db/${_db}
-+ echo "[${_path}]" > /etc/dconf/db/${_db}/${_settingFile}
-+ echo "${_setting}=${_value}" >> /etc/dconf/db/${_db}/${_settingFile}
-+}
-+
-+# Adds a lock to a dconf setting
-+# $1 _path
-+# $2 _setting
-+# $3 _db
-+# $4 _settingFile
-+add_dconf_lock(){
-+ local _path=$1 _setting=$2 _db=$3 _settingFile=$4
-+ mkdir -p /etc/dconf/db/${_db}/locks
-+ echo "/${_path}/${_setting}" >> /etc/dconf/db/${_db}/locks/${_settingFile}
-+}
-diff --git a/tests/data/group_system/group_software/group_gnome/group_gnome_screen_locking/rule_dconf_gnome_screensaver_lock_enabled/comment.fail.sh b/tests/data/group_system/group_software/group_gnome/group_gnome_screen_locking/rule_dconf_gnome_screensaver_lock_enabled/comment.fail.sh
-index e7598e6496..b76dee4f33 100644
---- a/tests/data/group_system/group_software/group_gnome/group_gnome_screen_locking/rule_dconf_gnome_screensaver_lock_enabled/comment.fail.sh
-+++ b/tests/data/group_system/group_software/group_gnome/group_gnome_screen_locking/rule_dconf_gnome_screensaver_lock_enabled/comment.fail.sh
-@@ -1,14 +1,9 @@
- #!/bin/bash
- # profiles = xccdf_org.ssgproject.content_profile_ospp
-
--yum -y install dconf
--
--# It is ok if string is not found in any file
--file=$(grep -R "lock-enabled" /etc/dconf/db/local.d) || true
-+. ../../dconf_test_functions.sh
-
--if [ -n "$file" ] ; then
-- sed -i "s/^lock-enabled=.*/#lock-enabled=true/g" $file
--else
-- echo "[org/gnome/desktop/screensaver]" > /etc/dconf/db/local.d/00-security-settings
-- echo "#lock-enabled=true" >> /etc/dconf/db/local.d/00-security-settings
--fi
-+yum -y install dconf
-+clean_dconf_settings
-+add_dconf_setting "org/gnome/desktop/screensaver" "#lock-enabled" "true" "local.d" "00-security-settings"
-+add_dconf_lock "org/gnome/desktop/screensaver" "lock-enabled" "local.d" "00-security-settings"
-diff --git a/tests/data/group_system/group_software/group_gnome/group_gnome_screen_locking/rule_dconf_gnome_screensaver_lock_enabled/correct_value.pass.sh b/tests/data/group_system/group_software/group_gnome/group_gnome_screen_locking/rule_dconf_gnome_screensaver_lock_enabled/correct_value.pass.sh
-index 0997842791..a0e39c4409 100644
---- a/tests/data/group_system/group_software/group_gnome/group_gnome_screen_locking/rule_dconf_gnome_screensaver_lock_enabled/correct_value.pass.sh
-+++ b/tests/data/group_system/group_software/group_gnome/group_gnome_screen_locking/rule_dconf_gnome_screensaver_lock_enabled/correct_value.pass.sh
-@@ -1,19 +1,9 @@
- #!/bin/bash
- # profiles = xccdf_org.ssgproject.content_profile_ospp
-
--yum -y install dconf
--
--# It is ok if string is not found in any file
--file=$(grep -R "lock-enabled" /etc/dconf/db/local.d) || true
--if [ -n "$file" ] ; then
-- sed -i "s/^lock-enabled=.*/lock-enabled=true/g" $file
--else
-- echo "[org/gnome/desktop/screensaver]" > /etc/dconf/db/local.d/00-security-settings
-- echo "lock-enabled=true" >> /etc/dconf/db/local.d/00-security-settings
--fi
-+. ../../dconf_test_functions.sh
-
--lockfile=$(grep -R "lock-enabled" /etc/dconf/db/local.d/locks) || true
--if [ -z "$file" ] ; then
-- mkdir -p /etc/dconf/db/local.d/locks
-- echo "/org/gnome/desktop/screensaver/lock-enabled" >> /etc/dconf/db/local.d/locks/00-security-settings-lock
--fi
-+yum -y install dconf
-+clean_dconf_settings
-+add_dconf_setting "org/gnome/desktop/screensaver" "lock-enabled" "true" "local.d" "00-security-settings"
-+add_dconf_lock "org/gnome/desktop/screensaver" "lock-enabled" "local.d" "00-security-settings"
-diff --git a/tests/data/group_system/group_software/group_gnome/group_gnome_screen_locking/rule_dconf_gnome_screensaver_lock_enabled/correct_value_unlocked.fail.sh b/tests/data/group_system/group_software/group_gnome/group_gnome_screen_locking/rule_dconf_gnome_screensaver_lock_enabled/correct_value_unlocked.fail.sh
-index 0fd465d43b..53dea6c471 100644
---- a/tests/data/group_system/group_software/group_gnome/group_gnome_screen_locking/rule_dconf_gnome_screensaver_lock_enabled/correct_value_unlocked.fail.sh
-+++ b/tests/data/group_system/group_software/group_gnome/group_gnome_screen_locking/rule_dconf_gnome_screensaver_lock_enabled/correct_value_unlocked.fail.sh
-@@ -1,13 +1,8 @@
- #!/bin/bash
- # profiles = xccdf_org.ssgproject.content_profile_ospp
-
--yum -y install dconf
-+. ../../dconf_test_functions.sh
-
--# It is ok if string is not found in any file
--file=$(grep -R "lock-enabled" /etc/dconf/db/local.d) || true
--if [ -n "$file" ] ; then
-- sed -i "s/^lock-enabled=.*/lock-enabled=true/g" $file
--else
-- echo "[org/gnome/desktop/screensaver]" > /etc/dconf/db/local.d/00-security-settings
-- echo "lock-enabled=true" >> /etc/dconf/db/local.d/00-security-settings
--fi
-+yum -y install dconf
-+clean_dconf_settings
-+add_dconf_setting "org/gnome/desktop/screensaver" "lock-enabled" "true" "local.d" "00-security-settings"
-diff --git a/tests/data/group_system/group_software/group_gnome/group_gnome_screen_locking/rule_dconf_gnome_screensaver_lock_enabled/line_not_there.fail.sh b/tests/data/group_system/group_software/group_gnome/group_gnome_screen_locking/rule_dconf_gnome_screensaver_lock_enabled/line_not_there.fail.sh
-deleted file mode 100644
-index fe09c8bf59..0000000000
---- a/tests/data/group_system/group_software/group_gnome/group_gnome_screen_locking/rule_dconf_gnome_screensaver_lock_enabled/line_not_there.fail.sh
-+++ /dev/null
-@@ -1,10 +0,0 @@
--#!/bin/bash
--# profiles = xccdf_org.ssgproject.content_profile_ospp
--
--yum -y install dconf
--
--# It is ok if string is not found in any file
--file=$(grep -R "lock-enabled" /etc/dconf/db/local.d) || true
--if [ -n "$file" ] ; then
-- sed -i "/^lock-enabled=.*/d" $file
--fi
-diff --git a/tests/data/group_system/group_software/group_gnome/group_gnome_screen_locking/rule_dconf_gnome_screensaver_lock_enabled/setting_not_there.fail.sh b/tests/data/group_system/group_software/group_gnome/group_gnome_screen_locking/rule_dconf_gnome_screensaver_lock_enabled/setting_not_there.fail.sh
-new file mode 100644
-index 0000000000..38789f575d
---- /dev/null
-+++ b/tests/data/group_system/group_software/group_gnome/group_gnome_screen_locking/rule_dconf_gnome_screensaver_lock_enabled/setting_not_there.fail.sh
-@@ -0,0 +1,7 @@
-+#!/bin/bash
-+# profiles = xccdf_org.ssgproject.content_profile_ospp
-+
-+. ../../dconf_test_functions.sh
-+
-+yum -y install dconf
-+clean_dconf_settings
-diff --git a/tests/data/group_system/group_software/group_gnome/group_gnome_screen_locking/rule_dconf_gnome_screensaver_lock_enabled/wrong_value.fail.sh b/tests/data/group_system/group_software/group_gnome/group_gnome_screen_locking/rule_dconf_gnome_screensaver_lock_enabled/wrong_value.fail.sh
-index eb9e91c595..19536910b2 100644
---- a/tests/data/group_system/group_software/group_gnome/group_gnome_screen_locking/rule_dconf_gnome_screensaver_lock_enabled/wrong_value.fail.sh
-+++ b/tests/data/group_system/group_software/group_gnome/group_gnome_screen_locking/rule_dconf_gnome_screensaver_lock_enabled/wrong_value.fail.sh
-@@ -1,13 +1,9 @@
- #!/bin/bash
- # profiles = xccdf_org.ssgproject.content_profile_ospp
-
--yum -y install dconf
-+. ../../dconf_test_functions.sh
-
--# It is ok if string is not found in any file
--file=$(grep -R "lock-enabled" /etc/dconf/db/local.d) || true
--if [ -n "$file" ] ; then
-- sed -i "s/^lock-enabled=.*/lock-enabled=false/g" $file
--else
-- echo "[org/gnome/desktop/screensaver]" > /etc/dconf/db/local.d/00-security-settings
-- echo "lock-enabled=false" >> /etc/dconf/db/local.d/00-security-settings
--fi
-+yum -y install dconf
-+clean_dconf_settings
-+add_dconf_setting "org/gnome/desktop/screensaver" "lock-enabled" "false" "local.d" "00-security-settings"
-+add_dconf_lock "org/gnome/desktop/screensaver" "lock-enabled" "local.d" "00-security-settings"
-
-From cb2ca84970c783660c03464a55295243841baaa1 Mon Sep 17 00:00:00 2001
-From: Watson Sato
-Date: Thu, 20 Sep 2018 21:34:58 +0200
-Subject: [PATCH 5/5] Fix indents in dconf_test_functions.sh
-
----
- .../group_software/group_gnome/dconf_test_functions.sh | 6 +++---
- 1 file changed, 3 insertions(+), 3 deletions(-)
-
-diff --git a/tests/data/group_system/group_software/group_gnome/dconf_test_functions.sh b/tests/data/group_system/group_software/group_gnome/dconf_test_functions.sh
-index f76d68e523..07940ea272 100644
---- a/tests/data/group_system/group_software/group_gnome/dconf_test_functions.sh
-+++ b/tests/data/group_system/group_software/group_gnome/dconf_test_functions.sh
-@@ -1,7 +1,7 @@
-
- # Wipes out dconf db settings directory
- clean_dconf_settings(){
-- rm -rf /etc/dconf/db/*
-+ rm -rf /etc/dconf/db/*
- }
-
- # Adds a new dconf setting
-@@ -12,7 +12,7 @@ clean_dconf_settings(){
- # $5 _settingFile
- add_dconf_setting() {
- local _path=$1 _setting=$2 _value=$3 _db=$4 _settingFile=$5
-- mkdir /etc/dconf/db/${_db}
-+ mkdir /etc/dconf/db/${_db}
- echo "[${_path}]" > /etc/dconf/db/${_db}/${_settingFile}
- echo "${_setting}=${_value}" >> /etc/dconf/db/${_db}/${_settingFile}
- }
-@@ -24,6 +24,6 @@ add_dconf_setting() {
- # $4 _settingFile
- add_dconf_lock(){
- local _path=$1 _setting=$2 _db=$3 _settingFile=$4
-- mkdir -p /etc/dconf/db/${_db}/locks
-+ mkdir -p /etc/dconf/db/${_db}/locks
- echo "/${_path}/${_setting}" >> /etc/dconf/db/${_db}/locks/${_settingFile}
- }
diff --git a/SOURCES/scap-security-guide-0.1.41-sysctl_kernel.patch b/SOURCES/scap-security-guide-0.1.41-sysctl_kernel.patch
deleted file mode 100644
index b743138..0000000
--- a/SOURCES/scap-security-guide-0.1.41-sysctl_kernel.patch
+++ /dev/null
@@ -1,150 +0,0 @@
-diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_kexec_load_disabled.rule b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_kexec_load_disabled.rule
-new file mode 100644
-index 0000000000..a8fc8715e1
---- /dev/null
-+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_kexec_load_disabled.rule
-@@ -0,0 +1,17 @@
-+documentation_complete: true
-+
-+prodtype: rhel6,rhel7,fedora
-+
-+title: 'Disable kernel image loading'
-+
-+description: '{{{ describe_sysctl_option_value(sysctl="kernel.kexec_load_disabled", value="1") }}}'
-+
-+rationale: |
-+ Disabling kexec_load allows greater control of the kernel memory.
-+ It makes it impossible to load another kernel image after it has been disabled.
-+
-+severity: unknown
-+
-+
-+{{{ complete_ocil_entry_sysctl_option_value(sysctl="kernel.kexec_load_disabled", value="1") }}}
-+
-diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_yama_ptrace_scope.rule b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_yama_ptrace_scope.rule
-new file mode 100644
-index 0000000000..67b7ff8056
---- /dev/null
-+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_yama_ptrace_scope.rule
-@@ -0,0 +1,19 @@
-+documentation_complete: true
-+
-+prodtype: rhel6,rhel7,fedora
-+
-+title: 'Restrict usage of ptrace to descendant processes'
-+
-+description: '{{{ describe_sysctl_option_value(sysctl="kernel.yama.ptrace_scope", value="1") }}}'
-+
-+rationale: |
-+ Unrestricted usage of ptrace allows compromised binaries to run ptrace
-+ on another processes of the user. Like this, the attacker can steal
-+ sensitive information from the target processes (e.g. SSH sessions, web browser, ...)
-+ without any additional assistance from the user (i.e. without resorting to phishing).
-+
-+severity: unknown
-+
-+
-+{{{ complete_ocil_entry_sysctl_option_value(sysctl="kernel.yama.ptrace_scope", value="1") }}}
-+
-diff --git a/rhel7/profiles/ospp42.profile b/rhel7/profiles/ospp42.profile
-index 8550434ffa..a29e282b6e 100644
---- a/rhel7/profiles/ospp42.profile
-+++ b/rhel7/profiles/ospp42.profile
-@@ -33,6 +33,10 @@ selections:
- - var_password_pam_lcredit=1
- - accounts_password_pam_lcredit
- - package_screen_installed
-+ - sysctl_kernel_yama_ptrace_scope
-+ - sysctl_kernel_kptr_restrict
-+ - sysctl_kernel_kexec_load_disabled
-+ - sysctl_kernel_dmesg_restrict
- - dconf_gnome_screensaver_idle_activation_enabled
- - dconf_gnome_screensaver_idle_delay
- - dconf_gnome_screensaver_lock_delay
-diff --git a/rhel7/templates/csv/sysctl_values.csv b/rhel7/templates/csv/sysctl_values.csv
-index 12f0232760..3090159aa5 100644
---- a/rhel7/templates/csv/sysctl_values.csv
-+++ b/rhel7/templates/csv/sysctl_values.csv
-@@ -1,7 +1,10 @@
- # Add to generate hard-coded OVAL and remediation content.
- # Add to generate OVAL and remediation content that use the XCCDF value.
- fs.suid_dumpable,0
-+kernel.yama.ptrace_scope,1
-+kernel.kptr_restrict,1
- kernel.dmesg_restrict,1
-+kernel.kexec_load_disabled,1
- #kernel.exec-shield,1
- kernel.randomize_va_space,2
- net.ipv4.conf.all.accept_redirects,
-diff --git a/tests/data/group_system/group_permissions/group_restrictions/rule_sysctl_kernel_dmesg_restrict/disabled.fail.sh b/tests/data/group_system/group_permissions/group_restrictions/rule_sysctl_kernel_dmesg_restrict/disabled.fail.sh
-new file mode 100644
-index 0000000000..715f0b81dc
---- /dev/null
-+++ b/tests/data/group_system/group_permissions/group_restrictions/rule_sysctl_kernel_dmesg_restrict/disabled.fail.sh
-@@ -0,0 +1,7 @@
-+#!/bin/bash
-+#
-+# profiles = xccdf_org.ssgproject.content_profile_ospp42
-+
-+. ../sysctl.sh
-+
-+sysctl_set_kernel_setting_to dmsg_restrict 0
-diff --git a/tests/data/group_system/group_permissions/group_restrictions/rule_sysctl_kernel_kexec_load_disabled/disabled.fail.sh b/tests/data/group_system/group_permissions/group_restrictions/rule_sysctl_kernel_kexec_load_disabled/disabled.fail.sh
-new file mode 100644
-index 0000000000..05cd772b7f
---- /dev/null
-+++ b/tests/data/group_system/group_permissions/group_restrictions/rule_sysctl_kernel_kexec_load_disabled/disabled.fail.sh
-@@ -0,0 +1,7 @@
-+#!/bin/bash
-+#
-+# profiles = xccdf_org.ssgproject.content_profile_ospp42
-+
-+. ../sysctl.sh
-+
-+sysctl_set_kernel_setting_to kexec_load_disabled 0
-diff --git a/tests/data/group_system/group_permissions/group_restrictions/rule_sysctl_kernel_kptr_restrict/disabled.fail.sh b/tests/data/group_system/group_permissions/group_restrictions/rule_sysctl_kernel_kptr_restrict/disabled.fail.sh
-new file mode 100644
-index 0000000000..ac7922d927
---- /dev/null
-+++ b/tests/data/group_system/group_permissions/group_restrictions/rule_sysctl_kernel_kptr_restrict/disabled.fail.sh
-@@ -0,0 +1,7 @@
-+#!/bin/bash
-+#
-+# profiles = xccdf_org.ssgproject.content_profile_ospp42
-+
-+. ../sysctl.sh
-+
-+sysctl_set_kernel_setting_to kptr_restrict 0
-diff --git a/tests/data/group_system/group_permissions/group_restrictions/rule_sysctl_kernel_yama_ptrace_scope/disabled.fail.sh b/tests/data/group_system/group_permissions/group_restrictions/rule_sysctl_kernel_yama_ptrace_scope/disabled.fail.sh
-new file mode 100644
-index 0000000000..6e0892c4d8
---- /dev/null
-+++ b/tests/data/group_system/group_permissions/group_restrictions/rule_sysctl_kernel_yama_ptrace_scope/disabled.fail.sh
-@@ -0,0 +1,7 @@
-+#!/bin/bash
-+#
-+# profiles = xccdf_org.ssgproject.content_profile_ospp42
-+
-+. ../sysctl.sh
-+
-+sysctl_set_kernel_setting_to yama.ptrace_scope 0
-diff --git a/tests/data/group_system/group_permissions/group_restrictions/sysctl.sh b/tests/data/group_system/group_permissions/group_restrictions/sysctl.sh
-new file mode 100644
-index 0000000000..6a424a3641
---- /dev/null
-+++ b/tests/data/group_system/group_permissions/group_restrictions/sysctl.sh
-@@ -0,0 +1,14 @@
-+#!/bin/bash
-+
-+# Sets the kernel setting using sysctl exec as well as in sysctl config file.
-+# $1: The setting name without the leading 'kernel.'
-+# $2: The value to set the setting to
-+function sysctl_set_kernel_setting_to {
-+ local setting_name="kernel.$1" setting_value="$2"
-+ sysctl -w "$setting_name=$setting_value"
-+ if grep -q "^$setting_name" /etc/sysctl.conf; then
-+ sed -i "s/^$setting_name.*/$setting_name = $setting_value/" /etc/sysctl.conf
-+ else
-+ echo "$setting_name = $setting_value" >> /etc/sysctl.conf
-+ fi
-+}
diff --git a/SOURCES/scap-security-guide-0.1.41-template_syscall_rules.patch b/SOURCES/scap-security-guide-0.1.41-template_syscall_rules.patch
deleted file mode 100644
index 1bc0d7f..0000000
--- a/SOURCES/scap-security-guide-0.1.41-template_syscall_rules.patch
+++ /dev/null
@@ -1,2314 +0,0 @@ -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_open_by_handle_at_o_creat.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_open_by_handle_at_o_creat.rule -new file mode 100644 -index 0000000000..91fcecd155 ---- /dev/null -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_open_by_handle_at_o_creat.rule -@@ -0,0 +1,55 @@ -+documentation_complete: true -+ -+prodtype: rhel7,fedora -+ -+title: 'Record Unauthorized Creation Attempts to Files - open_by_handle_at O_CREAT' -+ -+ -+description: |- -+ The audit system should collect unauthorized file accesses for -+ all users and root. The open_by_handle_at syscall can be used to create new files -+ when O_CREAT flag is specified. -+ The following auidt rules will asure that unsuccessful attempts to create a -+ file via open_by_handle_at syscall are collected. -+ If the auditd daemon is configured to use the augenrules -+ program to read audit rules during daemon startup (the default), add the -+ rules below to a file with suffix .rules in the directory -+ /etc/audit/rules.d. -+ If the auditd daemon is configured to use the auditctl -+ utility to read audit rules during daemon startup, add the rules below to -+ /etc/audit/audit.rules file. -+
-+    -a always,exit -F arch=b32 -S open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
-+    -a always,exit -F arch=b32 -S open_by_handle_at -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
-+    
-+ If the system is 64 bit then also add the following lines: -+
-+    -a always,exit -F arch=b64 -S open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
-+    -a always,exit -F arch=b64 -S open_by_handle_at -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
-+    
-+ -+rationale: |- -+ Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing -+ these events could serve as evidence of potential system compromise. -+ -+severity: medium -+ -+references: -+ cis: 5.2.10 -+ cui: 3.1.7 -+ disa: 172,2884 -+ hipaa: 164.308(a)(1)(ii)(D),164.308(a)(3)(ii)(A),164.308(a)(5)(ii)(C),164.312(a)(2)(i),164.312(b),164.312(d),164.312(e) -+ nist: AC-17(7),AU-1(b),AU-2(a),AU-2(c),AU-2(d),AU-12(a),AU-12(c),IR-5 -+ ospp@rhel7: FAU_GEN.1.1.c -+ pcidss: Req-10.2.4,Req-10.2.1 -+ srg: SRG-OS-000064-GPOS-00033,SRG-OS-000458-GPOS-00203,SRG-OS-000461-GPOS-00205,SRG-OS-000392-GPOS-00172 -+ -+{{{ complete_ocil_entry_audit_syscall(syscall="open_by_handle_at") }}} -+ -+warnings: -+ - general: |- -+ Note that these rules can be configured in a -+ number of ways while still achieving the desired effect. Here the system calls -+ have been placed independent of other system calls. Grouping system calls related -+ to the same event is more efficient. See the following example: -+
-a always,exit -F arch=b32 -S open,openat,open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
-diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_open_by_handle_at_o_trunc_write.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_open_by_handle_at_o_trunc_write.rule -new file mode 100644 -index 0000000000..06e96678f2 ---- /dev/null -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_open_by_handle_at_o_trunc_write.rule -@@ -0,0 +1,54 @@ -+documentation_complete: true -+ -+prodtype: rhel7,fedora -+ -+title: 'Record Unauthorized Modification Attempts to Files - open_by_handle_at O_TRUNC' -+ -+description: |- -+ The audit system should collect detailed unauthorized file accesses for -+ all users and root. The open_by_handle_at syscall can be used to modify files -+ if called for write operation of with O_TRUNC flag. -+ The following auidt rules will asure that unsuccessful attempts to modify a -+ file via open_by_handle_at syscall are collected. -+ If the auditd daemon is configured to use the augenrules -+ program to read audit rules during daemon startup (the default), add the -+ rules below to a file with suffix .rules in the directory -+ /etc/audit/rules.d. -+ If the auditd daemon is configured to use the auditctl -+ utility to read audit rules during daemon startup, add the rules below to -+ /etc/audit/audit.rules file. -+
-+    -a always,exit -F arch=b32 -S open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
-+    -a always,exit -F arch=b32 -S open_by_handle_at -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
-+    
-+ If the system is 64 bit then also add the following lines: -+
-+    -a always,exit -F arch=b64 -S open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
-+    -a always,exit -F arch=b64 -S open_by_handle_at -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
-+    
-+ -+rationale: |- -+ Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing -+ these events could serve as evidence of potential system compromise. -+ -+severity: medium -+ -+references: -+ cis: 5.2.10 -+ cui: 3.1.7 -+ disa: 172,2884 -+ hipaa: 164.308(a)(1)(ii)(D),164.308(a)(3)(ii)(A),164.308(a)(5)(ii)(C),164.312(a)(2)(i),164.312(b),164.312(d),164.312(e) -+ nist: AC-17(7),AU-1(b),AU-2(a),AU-2(c),AU-2(d),AU-12(a),AU-12(c),IR-5 -+ ospp@rhel7: FAU_GEN.1.1.c -+ pcidss: Req-10.2.4,Req-10.2.1 -+ srg: SRG-OS-000064-GPOS-00033,SRG-OS-000458-GPOS-00203,SRG-OS-000461-GPOS-00205,SRG-OS-000392-GPOS-00172 -+ -+{{{ complete_ocil_entry_audit_syscall(syscall="open_by_handle_at") }}} -+ -+warnings: -+ - general: |- -+ Note that these rules can be configured in a -+ number of ways while still achieving the desired effect. Here the system calls -+ have been placed independent of other system calls. Grouping system calls related -+ to the same event is more efficient. See the following example: -+
-a always,exit -F arch=b32 -S open,openat,open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
-diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_open_by_handle_at_rule_order.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_open_by_handle_at_rule_order.rule -new file mode 100644 -index 0000000000..0ecd5fff2f ---- /dev/null -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_open_by_handle_at_rule_order.rule -@@ -0,0 +1,58 @@ -+documentation_complete: true -+ -+prodtype: rhel7,fedora -+ -+title: 'Ensure auditd Unauthorized Access Attempts To open_by_handle_at Are Ordered Correctly' -+ -+description: |- -+ The audit system should collect detailed unauthorized file -+ accesses for all users and root. -+ To correctly identify unsuccessful creation, unsuccessful modification and unsuccessful access -+ of files via open_by_handle_at syscall the audit rules collecting these events need to be in certain order. -+ The more specific rules need to come before the less specific rules. The reason for that is that more -+ specific rules cover a subset of events covered in the less specific rules, thus, they need to come -+ before to not be overshadowed by less specific rules, which match a bigger set of events. -+ Make sure that rules for unsuccessful calls of open_by_handle_at syscall are in the order shown below. -+ If the auditd daemon is configured to use the augenrules -+ program to read audit rules during daemon startup (the default), check the order of -+ rules below in a file with suffix .rules in the directory -+ /etc/audit/rules.d. -+ If the auditd daemon is configured to use the auditctl -+ utility to read audit rules during daemon startup, check the order of rules below in -+ /etc/audit/audit.rules file. -+
-+    -a always,exit -F arch=b32 -S open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
-+    -a always,exit -F arch=b32 -S open_by_handle_at -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
-+    -a always,exit -F arch=b32 -S open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
-+    -a always,exit -F arch=b32 -S open_by_handle_at -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
-+    -a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-access
-+    -a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-access
-+    
-+ If the system is 64 bit then also add the following lines: -+
-+    -a always,exit -F arch=b64 -S open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
-+    -a always,exit -F arch=b64 -S open_by_handle_at -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
-+    -a always,exit -F arch=b64 -S open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
-+    -a always,exit -F arch=b64 -S open_by_handle_at -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
-+    -a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-access
-+    -a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-access
-+    
-+ -+rationale: |- -+ The more specific rules cover a subset of events covered by the less specific rules. -+ By ordering them from more specific to less specific, it is assured that the less specific -+ rule will not catch events better recorded by the more specific rule. -+ -+severity: medium -+ -+references: -+ cis: 5.2.10 -+ cui: 3.1.7 -+ disa: 172,2884 -+ hipaa: 164.308(a)(1)(ii)(D),164.308(a)(3)(ii)(A),164.308(a)(5)(ii)(C),164.312(a)(2)(i),164.312(b),164.312(d),164.312(e) -+ nist: AC-17(7),AU-1(b),AU-2(a),AU-2(c),AU-2(d),AU-12(a),AU-12(c),IR-5 -+ ospp@rhel7: FAU_GEN.1.1.c -+ pcidss: Req-10.2.4,Req-10.2.1 -+ srg: SRG-OS-000064-GPOS-00033,SRG-OS-000458-GPOS-00203,SRG-OS-000461-GPOS-00205,SRG-OS-000392-GPOS-00172 -+ -+{{{ complete_ocil_entry_audit_syscall(syscall="open_by_handle_at") }}} -diff --git a/shared/checks/oval/audit_rules_unsuccessful_file_modification_open_o_creat.xml -deleted file mode 100644 -index 3eb97c1234..0000000000 ---- a/shared/checks/oval/audit_rules_unsuccessful_file_modification_open_o_creat.xml -+++ /dev/null -@@ -1,200 +0,0 @@ -- -- -- -- Ensure auditd Collects Information on Unsuccesful Creation Attempts to Files - open o_creat -- -- Red Hat Enterprise Linux 7 -- multi_platform_fedora -- -- Audit rules about the information on the unsuccessful use of open O_CREAT is enabled. 
-- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S(?:[\s]+open[\s]+|(?:[\s]+|[,])open(?:[\s]+|[,])))[\S]*[\s]* -- -- -- ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S(?:[\s]+open[\s]+|(?:[\s]+|[,])open(?:[\s]+|[,])))[\S]*[\s]* -- -- -- [\s]+(?:-F\s+auid>={{{ auid }}}[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ -- -- -- -- -- (?:[^.]|\.\s)* -- -- -- -- -- -- -- (?:-F\s+a2&0100)[\s]+(?:-F\s+exit=-EACCES) -- -- -- -- -- -- -- -- -- (?:-F\s+a2&0100)[\s]+(?:-F\s+exit=-EPERM) -- -- -- -- -- -- -- -- -- (?:-F\s+a2&0100)[\s]+(?:-F\s+exit=-EACCES) -- -- -- -- -- -- -- -- -- (?:-F\s+a2&0100)[\s]+(?:-F\s+exit=-EPERM) -- -- -- -- -- -- -- -- -- -- -- /etc/audit/rules\.d/.*\.rules -- -- 1 -- -- -- -- -- -- -- -- -- /etc/audit/rules\.d/.*\.rules -- -- 1 -- -- -- -- -- -- -- -- -- /etc/audit/rules\.d/.*\.rules -- -- 1 -- -- -- -- -- -- -- -- -- /etc/audit/rules\.d/.*\.rules -- -- 1 -- -- -- -- -- -- -- -- -- /etc/audit/rules\.d/.*\.rules -- -- 1 -- -- -- -- -- -- -- -- -- /etc/audit/rules\.d/.*\.rules -- -- 1 -- -- -- -- -- -- -- -- -- /etc/audit/rules\.d/.*\.rules -- -- 1 -- -- -- -- -- -- -- -- -- /etc/audit/rules\.d/.*\.rules -- -- 1 -- -- -- -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_open_o_creat.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_open_o_creat.rule -index c879183de2..a78f614c8f 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_open_o_creat.rule -+++ 
b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_open_o_creat.rule -@@ -2,7 +2,7 @@ documentation_complete: true - - prodtype: rhel7,fedora - --title: 'Record Unauthorized Creation Attempts to Files (unsuccessful) - open O_CREAT' -+title: 'Record Unauthorized Creation Attempts to Files - open O_CREAT' - - - description: |- -@@ -50,5 +50,6 @@ warnings: - - general: |- - Note that these rules can be configured in a - number of ways while still achieving the desired effect. Here the system calls -- have been placed independent of other system calls. Grouping these system -- calls with others as identifying earlier in this guide is more efficient. -+ have been placed independent of other system calls. Grouping system calls related -+ to the same event is more efficient. See the following example: -+
-a always,exit -F arch=b32 -S open,openat,open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
-diff --git a/shared/checks/oval/audit_rules_unsuccessful_file_modification_open_o_trunc_write.xml -deleted file mode 100644 -index 49540d8d4c..0000000000 ---- a/shared/checks/oval/audit_rules_unsuccessful_file_modification_open_o_trunc_write.xml -+++ /dev/null -@@ -1,200 +0,0 @@ -- -- -- -- Ensure auditd Collects Information on Unsuccesful Creation Attempts to Files - open o_trunc -- -- Red Hat Enterprise Linux 7 -- multi_platform_fedora -- -- Audit rules about the information on the unsuccessful use of open O_TRUNC is enabled. -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S(?:[\s]+open[\s]+|(?:[\s]+|[,])open(?:[\s]+|[,])))[\S]*[\s]* -- -- -- ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S(?:[\s]+open[\s]+|(?:[\s]+|[,])open(?:[\s]+|[,])))[\S]*[\s]* -- -- -- [\s]+(?:-F\s+auid>={{{ auid }}}[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ -- -- -- -- -- (?:[^.]|\.\s)* -- -- -- -- -- -- -- (?:-F\s+a2&01003)[\s]+(?:-F\s+exit=-EACCES) -- -- -- -- -- -- -- -- -- (?:-F\s+a2&01003)[\s]+(?:-F\s+exit=-EPERM) -- -- -- -- -- -- -- -- -- (?:-F\s+a2&01003)[\s]+(?:-F\s+exit=-EACCES) -- -- -- -- -- -- -- -- -- (?:-F\s+a2&01003)[\s]+(?:-F\s+exit=-EPERM) -- -- -- -- -- -- -- -- -- -- -- /etc/audit/rules\.d/.*\.rules -- -- 1 -- -- -- -- -- -- -- -- -- /etc/audit/rules\.d/.*\.rules -- -- 1 -- -- -- -- -- -- -- -- -- /etc/audit/rules\.d/.*\.rules -- -- 1 -- -- -- -- -- -- -- -- -- /etc/audit/rules\.d/.*\.rules -- -- 1 -- -- -- -- -- -- -- -- -- /etc/audit/rules\.d/.*\.rules -- -- 1 -- -- -- -- -- -- -- -- -- /etc/audit/rules\.d/.*\.rules -- -- 1 -- -- -- -- -- -- -- -- -- /etc/audit/rules\.d/.*\.rules -- -- 1 -- -- -- -- -- -- -- -- -- /etc/audit/rules\.d/.*\.rules -- -- 1 -- -- -- -diff --git 
a/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_open_o_trunc_write.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_open_o_trunc_write.rule -index 8525b31bb1..bf5bae97c5 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_open_o_trunc_write.rule -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_open_o_trunc_write.rule -@@ -2,7 +2,7 @@ documentation_complete: true - - prodtype: rhel7,fedora - --title: 'Record Unauthorized Modification Attempts to Files (unsuccessful) - open O_TRUNC' -+title: 'Record Unauthorized Modification Attempts to Files - open O_TRUNC' - - description: |- - The audit system should collect detailed unauthorized file accesses for -@@ -49,5 +49,6 @@ warnings: - - general: |- - Note that these rules can be configured in a - number of ways while still achieving the desired effect. Here the system calls -- have been placed independent of other system calls. Grouping these system -- calls with others as identifying earlier in this guide is more efficient. -+ have been placed independent of other system calls. Grouping system calls related -+ to the same event is more efficient. See the following example: -+
-a always,exit -F arch=b32 -S open,openat,open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
-diff --git a/shared/checks/oval/audit_rules_unsuccessful_file_modification_open_rule_order.xml -deleted file mode 100644 -index 780fdf60d4..0000000000 ---- a/shared/checks/oval/audit_rules_unsuccessful_file_modification_open_rule_order.xml -+++ /dev/null -@@ -1,474 +0,0 @@ -- -- -- -- Ensure auditd Rules For Unauthorized Attempts To open Are Ordered Correctly -- -- Red Hat Enterprise Linux 7 -- multi_platform_fedora -- -- Audit rules about the information on the unsuccessful use of open is configured in the proper rule order. -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S(?:[\s]+open[\s]+|(?:[\s]+|[,])open(?:[\s]+|[,])))[\S]*[\s]* -- -- -- ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S(?:[\s]+open[\s]+|(?:[\s]+|[,])open(?:[\s]+|[,])))[\S]*[\s]* -- -- -- [\s]+(?:-F\s+auid>={{{ auid }}}[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ -- -- -- -- -- (?:[^.]|\.\s)* -- -- -- -- -- -- -- (?:-F\s+a2&0100)[\s]+(?:-F\s+exit=-EACCES) -- -- -- -- -- -- -- (?:-F\s+a2&01003)[\s]+(?:-F\s+exit=-EACCES) -- -- -- -- -- -- -- (?!.*-F\s+a2&)[\s]+(?:-F\s+exit=-EACCES) -- -- -- -- -- -- -- -- -- (?:-F\s+a2&0100)[\s]+(?:-F\s+exit=-EPERM) -- -- -- -- -- -- -- (?:-F\s+a2&01003)[\s]+(?:-F\s+exit=-EPERM) -- -- -- -- -- -- -- (?!.*-F\s+a2&)[\s]+(?:-F\s+exit=-EPERM) -- -- -- -- -- -- -- -- -- (?:-F\s+a2&0100)[\s]+(?:-F\s+exit=-EACCES) -- -- -- -- -- -- -- (?:-F\s+a2&01003)[\s]+(?:-F\s+exit=-EACCES) -- -- -- -- -- -- -- (?!.*-F\s+a2&)[\s]+(?:-F\s+exit=-EACCES) -- -- -- -- -- -- -- -- -- (?:-F\s+a2&0100)[\s]+(?:-F\s+exit=-EPERM) -- -- -- -- -- -- -- (?:-F\s+a2&01003)[\s]+(?:-F\s+exit=-EPERM) -- -- -- -- -- -- -- (?!.*-F\s+a2&)[\s]+(?:-F\s+exit=-EPERM) -- -- -- -- -- -- -- -- /etc/audit/rules\.d/.*\.rules -- -- 1 -- -- -- -- /etc/audit/rules\.d/.*\.rules -- -- 1 -- -- -- -- /etc/audit/rules\.d/.*\.rules 
-- -- 1 -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- /etc/audit/rules\.d/.*\.rules -- -- 1 -- -- -- -- -- -- /etc/audit/rules\.d/.*\.rules -- -- 1 -- -- -- -- /etc/audit/rules\.d/.*\.rules -- -- 1 -- -- -- -- /etc/audit/rules\.d/.*\.rules -- -- 1 -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- /etc/audit/rules\.d/.*\.rules -- -- 1 -- -- -- -- -- -- /etc/audit/rules\.d/.*\.rules -- -- 1 -- -- -- -- /etc/audit/rules\.d/.*\.rules -- -- 1 -- -- -- -- /etc/audit/rules\.d/.*\.rules -- -- 1 -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- /etc/audit/rules\.d/.*\.rules -- -- 1 -- -- -- -- -- -- /etc/audit/rules\.d/.*\.rules -- -- 1 -- -- -- -- /etc/audit/rules\.d/.*\.rules -- -- 1 -- -- -- -- /etc/audit/rules\.d/.*\.rules -- -- 1 -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- /etc/audit/rules\.d/.*\.rules -- -- 1 -- -- -- -- -- -- /etc/audit/rules\.d/.*\.rules -- -- 1 -- -- -- -- /etc/audit/rules\.d/.*\.rules -- -- 1 -- -- -- -- /etc/audit/rules\.d/.*\.rules -- -- 1 -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- /etc/audit/rules\.d/.*\.rules -- -- 1 -- -- -- -- -- -- /etc/audit/rules\.d/.*\.rules -- -- 1 -- -- -- -- /etc/audit/rules\.d/.*\.rules -- -- 1 -- -- -- -- /etc/audit/rules\.d/.*\.rules -- -- 1 -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- /etc/audit/rules\.d/.*\.rules -- -- 1 -- -- -- -- -- -- /etc/audit/rules\.d/.*\.rules -- -- 1 -- -- -- -- /etc/audit/rules\.d/.*\.rules -- -- 1 -- -- -- -- /etc/audit/rules\.d/.*\.rules -- -- 1 -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- /etc/audit/rules\.d/.*\.rules -- -- 1 -- -- -- -- -- -- /etc/audit/rules\.d/.*\.rules -- -- 1 -- -- -- -- /etc/audit/rules\.d/.*\.rules -- -- 1 -- -- -- -- /etc/audit/rules\.d/.*\.rules -- -- 1 -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- /etc/audit/rules\.d/.*\.rules -- -- 1 -- -- -- -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_open_rule_order.rule 
b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_open_rule_order.rule -index 60a1b9de12..0c6949e27d 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_open_rule_order.rule -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_open_rule_order.rule -@@ -39,8 +39,9 @@ description: |- - - - rationale: |- -- Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing -- these events could serve as evidence of potential system compromise. -+ The more specific rules cover a subset of events covered by the less specific rules. -+ By ordering them from more specific to less specific, it is assured that the less specific -+ rule will not catch events better recorded by the more specific rule. - - severity: medium - -@@ -55,10 +56,3 @@ references: - srg: SRG-OS-000064-GPOS-00033,SRG-OS-000458-GPOS-00203,SRG-OS-000461-GPOS-00205,SRG-OS-000392-GPOS-00172 - - {{{ complete_ocil_entry_audit_syscall(syscall="open") }}} -- --warnings: -- - general: |- -- Note that these rules can be configured in a -- number of ways while still achieving the desired effect. Here the system calls -- have been placed independent of other system calls. Grouping these system -- calls with others as identifying earlier in this guide is more efficient. 
-diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_openat_o_creat.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_openat_o_creat.rule -new file mode 100644 -index 0000000000..7470e2f80d ---- /dev/null -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_openat_o_creat.rule -@@ -0,0 +1,55 @@ -+documentation_complete: true -+ -+prodtype: rhel7,fedora -+ -+title: 'Record Unauthorized Creation Attempts to Files - openat O_CREAT' -+ -+ -+description: |- -+ The audit system should collect unauthorized file accesses for -+ all users and root. The openat syscall can be used to create new files -+ when O_CREAT flag is specified. -+ The following auidt rules will asure that unsuccessful attempts to create a -+ file via openat syscall are collected. -+ If the auditd daemon is configured to use the augenrules -+ program to read audit rules during daemon startup (the default), add the -+ rules below to a file with suffix .rules in the directory -+ /etc/audit/rules.d. -+ If the auditd daemon is configured to use the auditctl -+ utility to read audit rules during daemon startup, add the rules below to -+ /etc/audit/audit.rules file. -+
-+    -a always,exit -F arch=b32 -S openat -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
-+    -a always,exit -F arch=b32 -S openat -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
-+    
-+ If the system is 64 bit then also add the following lines: -+
-+    -a always,exit -F arch=b64 -S openat -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
-+    -a always,exit -F arch=b64 -S openat -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
-+    
-+ -+rationale: |- -+ Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing -+ these events could serve as evidence of potential system compromise. -+ -+severity: medium -+ -+references: -+ cis: 5.2.10 -+ cui: 3.1.7 -+ disa: 172,2884 -+ hipaa: 164.308(a)(1)(ii)(D),164.308(a)(3)(ii)(A),164.308(a)(5)(ii)(C),164.312(a)(2)(i),164.312(b),164.312(d),164.312(e) -+ nist: AC-17(7),AU-1(b),AU-2(a),AU-2(c),AU-2(d),AU-12(a),AU-12(c),IR-5 -+ ospp@rhel7: FAU_GEN.1.1.c -+ pcidss: Req-10.2.4,Req-10.2.1 -+ srg: SRG-OS-000064-GPOS-00033,SRG-OS-000458-GPOS-00203,SRG-OS-000461-GPOS-00205,SRG-OS-000392-GPOS-00172 -+ -+{{{ complete_ocil_entry_audit_syscall(syscall="openat") }}} -+ -+warnings: -+ - general: |- -+ Note that these rules can be configured in a -+ number of ways while still achieving the desired effect. Here the system calls -+ have been placed independent of other system calls. Grouping system calls related -+ to the same event is more efficient. See the following example: -+
-a always,exit -F arch=b32 -S open,openat,open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
-diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_openat_o_trunc_write.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_openat_o_trunc_write.rule -new file mode 100644 -index 0000000000..8ee69927d8 ---- /dev/null -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_openat_o_trunc_write.rule -@@ -0,0 +1,54 @@ -+documentation_complete: true -+ -+prodtype: rhel7,fedora -+ -+title: 'Record Unauthorized Modification Attempts to Files - openat O_TRUNC' -+ -+description: |- -+ The audit system should collect detailed unauthorized file accesses for -+ all users and root. The openat syscall can be used to modify files -+ if called for write operation of with O_TRUNC flag. -+ The following auidt rules will asure that unsuccessful attempts to modify a -+ file via openat syscall are collected. -+ If the auditd daemon is configured to use the augenrules -+ program to read audit rules during daemon startup (the default), add the -+ rules below to a file with suffix .rules in the directory -+ /etc/audit/rules.d. -+ If the auditd daemon is configured to use the auditctl -+ utility to read audit rules during daemon startup, add the rules below to -+ /etc/audit/audit.rules file. -+
-+    -a always,exit -F arch=b32 -S openat -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
-+    -a always,exit -F arch=b32 -S openat -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
-+    
-+ If the system is 64 bit then also add the following lines: -+
-+    -a always,exit -F arch=b64 -S openat -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
-+    -a always,exit -F arch=b64 -S openat -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
-+    
-+ -+rationale: |- -+ Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing -+ these events could serve as evidence of potential system compromise. -+ -+severity: medium -+ -+references: -+ cis: 5.2.10 -+ cui: 3.1.7 -+ disa: 172,2884 -+ hipaa: 164.308(a)(1)(ii)(D),164.308(a)(3)(ii)(A),164.308(a)(5)(ii)(C),164.312(a)(2)(i),164.312(b),164.312(d),164.312(e) -+ nist: AC-17(7),AU-1(b),AU-2(a),AU-2(c),AU-2(d),AU-12(a),AU-12(c),IR-5 -+ ospp@rhel7: FAU_GEN.1.1.c -+ pcidss: Req-10.2.4,Req-10.2.1 -+ srg: SRG-OS-000064-GPOS-00033,SRG-OS-000458-GPOS-00203,SRG-OS-000461-GPOS-00205,SRG-OS-000392-GPOS-00172 -+ -+{{{ complete_ocil_entry_audit_syscall(syscall="openat") }}} -+ -+warnings: -+ - general: |- -+ Note that these rules can be configured in a -+ number of ways while still achieving the desired effect. Here the system calls -+ have been placed independent of other system calls. Grouping system calls related -+ to the same event is more efficient. See the following example: -+
-a always,exit -F arch=b32 -S open,openat,open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
-diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_openat_rule_order.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_openat_rule_order.rule -new file mode 100644 -index 0000000000..d5849a46bf ---- /dev/null -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_openat_rule_order.rule -@@ -0,0 +1,58 @@ -+documentation_complete: true -+ -+prodtype: rhel7,fedora -+ -+title: 'Ensure auditd Rules For Unauthorized Attempts To openat Are Ordered Correctly' -+ -+description: |- -+ The audit system should collect detailed unauthorized file -+ accesses for all users and root. -+ To correctly identify unsuccessful creation, unsuccessful modification and unsuccessful access -+ of files via openat syscall the audit rules collecting these events need to be in certain order. -+ The more specific rules need to come before the less specific rules. The reason for that is that more -+ specific rules cover a subset of events covered in the less specific rules, thus, they need to come -+ before to not be overshadowed by less specific rules, which match a bigger set of events. -+ Make sure that rules for unsuccessful calls of openat syscall are in the order shown below. -+ If the auditd daemon is configured to use the augenrules -+ program to read audit rules during daemon startup (the default), check the order of -+ rules below in a file with suffix .rules in the directory -+ /etc/audit/rules.d. -+ If the auditd daemon is configured to use the auditctl -+ utility to read audit rules during daemon startup, check the order of rules below in -+ /etc/audit/audit.rules file. -+
-+    -a always,exit -F arch=b32 -S openat -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
-+    -a always,exit -F arch=b32 -S openat -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
-+    -a always,exit -F arch=b32 -S openat -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
-+    -a always,exit -F arch=b32 -S openat -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
-+    -a always,exit -F arch=b32 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-access
-+    -a always,exit -F arch=b32 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-access
-+    
-+ If the system is 64 bit then also add the following lines: -+
-+    -a always,exit -F arch=b64 -S openat -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
-+    -a always,exit -F arch=b64 -S openat -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
-+    -a always,exit -F arch=b64 -S openat -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
-+    -a always,exit -F arch=b64 -S openat -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
-+    -a always,exit -F arch=b64 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-access
-+    -a always,exit -F arch=b64 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-access
-+    
-+
-+rationale: |-
-+ The more specific rules cover a subset of events covered by the less specific rules.
-+ By ordering them from more specific to less specific, it is assured that the less specific
-+ rule will not catch events better recorded by the more specific rule.
-+
-+severity: medium
-+
-+references:
-+ cis: 5.2.10
-+ cui: 3.1.7
-+ disa: 172,2884
-+ hipaa: 164.308(a)(1)(ii)(D),164.308(a)(3)(ii)(A),164.308(a)(5)(ii)(C),164.312(a)(2)(i),164.312(b),164.312(d),164.312(e)
-+ nist: AC-17(7),AU-1(b),AU-2(a),AU-2(c),AU-2(d),AU-12(a),AU-12(c),IR-5
-+ ospp@rhel7: FAU_GEN.1.1.c
-+ pcidss: Req-10.2.4,Req-10.2.1
-+ srg: SRG-OS-000064-GPOS-00033,SRG-OS-000458-GPOS-00203,SRG-OS-000461-GPOS-00205,SRG-OS-000392-GPOS-00172
-+
-+{{{ complete_ocil_entry_audit_syscall(syscall="openat") }}}
-diff --git a/shared/templates/create_audit_rules_unsuccessful_file_modification_detailed.py b/shared/templates/create_audit_rules_unsuccessful_file_modification_detailed.py
-new file mode 100644
-index 0000000000..c14c35a381
---- /dev/null
-+++ b/shared/templates/create_audit_rules_unsuccessful_file_modification_detailed.py
-@@ -0,0 +1,45 @@
-+#!/usr/bin/python2
-+
-+#
-+# create_audit_rules_unsuccessful_file_modification_detailed.py
-+# generate template-based checks for unsuccessful file modifications detailed
-+# - audit_rules_unsuccessful_file_modification_syscall_o_creat
-+# - audit_rules_unsuccessful_file_modification_syscall_o_trunc_write
-+# - audit_rules_unsuccessful_file_modification_syscall_rule_order
-+
-+
-+from template_common import FilesGenerator, UnknownTargetError
-+
-+import re
-+
-+class ARUFMDetailedGenerator(FilesGenerator):
-+ def generate(self, target, args):
-+ syscall = re.sub('[-\./]', '_', args[0])
-+ if target == "oval":
-+ self.file_from_template(
-+ "./template_OVAL_audit_rules_unsuccessful_file_modification_o_creat",
-+ {
-+ "SYSCALL": syscall
-+ },
-+ "./oval/audit_rules_unsuccessful_file_modification_{0}_o_creat.xml", syscall
-+ )
-+ 
 self.file_from_template(
-+ "./template_OVAL_audit_rules_unsuccessful_file_modification_o_trunc_write",
-+ {
-+ "SYSCALL": syscall
-+ },
-+ "./oval/audit_rules_unsuccessful_file_modification_{0}_o_trunc_write.xml", syscall
-+ )
-+ self.file_from_template(
-+ "./template_OVAL_audit_rules_unsuccessful_file_modification_rule_order",
-+ {
-+ "SYSCALL": syscall
-+ },
-+ "./oval/audit_rules_unsuccessful_file_modification_{0}_rule_order.xml", syscall
-+ )
-+ else:
-+ raise UnknownTargetError(target)
-+
-+ def csv_format(self):
-+ return("CSV should contains lines of the format: " +
-+ "SYSCALL")
-diff --git a/shared/templates/csv/audit_rules_unsuccessful_file_modification_detailed.csv b/shared/templates/csv/audit_rules_unsuccessful_file_modification_detailed.csv
-new file mode 100644
-index 0000000000..97d5c04e14
---- /dev/null
-+++ b/shared/templates/csv/audit_rules_unsuccessful_file_modification_detailed.csv
-@@ -0,0 +1,7 @@
-+# format:
-+#
-+# - syscall is the syscall to generate detailed rules for
-+
-+open
-+openat
-+open_by_handle_at
-diff --git a/shared/templates/template_OVAL_audit_rules_unsuccessful_file_modification_o_creat b/shared/templates/template_OVAL_audit_rules_unsuccessful_file_modification_o_creat
-new file mode 100644
-index 0000000000..7f1bf6f68f
---- /dev/null
-+++ b/shared/templates/template_OVAL_audit_rules_unsuccessful_file_modification_o_creat
-@@ -0,0 +1,200 @@
-+
-+
-+
-+ Ensure auditd Collects Information on Unsuccesful Creation Attempts to Files - {{{ SYSCALL }}} o_creat
-+
-+ Red Hat Enterprise Linux 7
-+ multi_platform_fedora
-+
-+ Audit rules about the information on the unsuccessful use of {{{ SYSCALL }}} O_CREAT is enabled. 
-+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S(?:[\s]+{{{ SYSCALL }}}[\s]+|(?:[\s]+|[,]){{{ SYSCALL }}}(?:[\s]+|[,])))[\S]*[\s]* -+ -+ -+ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S(?:[\s]+{{{ SYSCALL }}}[\s]+|(?:[\s]+|[,]){{{ SYSCALL }}}(?:[\s]+|[,])))[\S]*[\s]* -+ -+ -+ [\s]+(?:-F\s+auid>={{{ auid }}}[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ -+ -+ -+ -+ -+ (?:[^.]|\.\s)* -+ -+ -+ -+ -+ -+ -+ (?:-F\s+a2&0100)[\s]+(?:-F\s+exit=-EACCES) -+ -+ -+ -+ -+ -+ -+ -+ -+ (?:-F\s+a2&0100)[\s]+(?:-F\s+exit=-EPERM) -+ -+ -+ -+ -+ -+ -+ -+ -+ (?:-F\s+a2&0100)[\s]+(?:-F\s+exit=-EACCES) -+ -+ -+ -+ -+ -+ -+ -+ -+ (?:-F\s+a2&0100)[\s]+(?:-F\s+exit=-EPERM) -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ /etc/audit/rules\.d/.*\.rules -+ -+ 1 -+ -+ -+ -+ -+ -+ -+ -+ -+ /etc/audit/rules\.d/.*\.rules -+ -+ 1 -+ -+ -+ -+ -+ -+ -+ -+ -+ /etc/audit/rules\.d/.*\.rules -+ -+ 1 -+ -+ -+ -+ -+ -+ -+ -+ -+ /etc/audit/rules\.d/.*\.rules -+ -+ 1 -+ -+ -+ -+ -+ -+ -+ -+ -+ /etc/audit/rules\.d/.*\.rules -+ -+ 1 -+ -+ -+ -+ -+ -+ -+ -+ -+ /etc/audit/rules\.d/.*\.rules -+ -+ 1 -+ -+ -+ -+ -+ -+ -+ -+ -+ /etc/audit/rules\.d/.*\.rules -+ -+ 1 -+ -+ -+ -+ -+ -+ -+ -+ -+ /etc/audit/rules\.d/.*\.rules -+ -+ 1 -+ -+ -+ -diff --git a/shared/templates/template_OVAL_audit_rules_unsuccessful_file_modification_o_trunc_write b/shared/templates/template_OVAL_audit_rules_unsuccessful_file_modification_o_trunc_write -new file mode 100644 -index 0000000000..ce7d3c44c7 ---- /dev/null -+++ b/shared/templates/template_OVAL_audit_rules_unsuccessful_file_modification_o_trunc_write -@@ -0,0 +1,200 @@ -+ -+ -+ -+ Ensure auditd Collects Information on Unsuccesful Creation Attempts to Files - {{{ SYSCALL }}} o_trunc -+ -+ Red Hat Enterprise Linux 7 -+ multi_platform_fedora -+ -+ Audit rules about the information on the unsuccessful use of {{{ 
SYSCALL }}} O_TRUNC is enabled. -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S(?:[\s]+{{{ SYSCALL }}}[\s]+|(?:[\s]+|[,]){{{ SYSCALL }}}(?:[\s]+|[,])))[\S]*[\s]* -+ -+ -+ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S(?:[\s]+{{{ SYSCALL }}}[\s]+|(?:[\s]+|[,]){{{ SYSCALL }}}(?:[\s]+|[,])))[\S]*[\s]* -+ -+ -+ [\s]+(?:-F\s+auid>={{{ auid }}}[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ -+ -+ -+ -+ -+ (?:[^.]|\.\s)* -+ -+ -+ -+ -+ -+ -+ (?:-F\s+a2&01003)[\s]+(?:-F\s+exit=-EACCES) -+ -+ -+ -+ -+ -+ -+ -+ -+ (?:-F\s+a2&01003)[\s]+(?:-F\s+exit=-EPERM) -+ -+ -+ -+ -+ -+ -+ -+ -+ (?:-F\s+a2&01003)[\s]+(?:-F\s+exit=-EACCES) -+ -+ -+ -+ -+ -+ -+ -+ -+ (?:-F\s+a2&01003)[\s]+(?:-F\s+exit=-EPERM) -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ /etc/audit/rules\.d/.*\.rules -+ -+ 1 -+ -+ -+ -+ -+ -+ -+ -+ -+ /etc/audit/rules\.d/.*\.rules -+ -+ 1 -+ -+ -+ -+ -+ -+ -+ -+ -+ /etc/audit/rules\.d/.*\.rules -+ -+ 1 -+ -+ -+ -+ -+ -+ -+ -+ -+ /etc/audit/rules\.d/.*\.rules -+ -+ 1 -+ -+ -+ -+ -+ -+ -+ -+ -+ /etc/audit/rules\.d/.*\.rules -+ -+ 1 -+ -+ -+ -+ -+ -+ -+ -+ -+ /etc/audit/rules\.d/.*\.rules -+ -+ 1 -+ -+ -+ -+ -+ -+ -+ -+ -+ /etc/audit/rules\.d/.*\.rules -+ -+ 1 -+ -+ -+ -+ -+ -+ -+ -+ -+ /etc/audit/rules\.d/.*\.rules -+ -+ 1 -+ -+ -+ -diff --git a/shared/templates/template_OVAL_audit_rules_unsuccessful_file_modification_rule_order b/shared/templates/template_OVAL_audit_rules_unsuccessful_file_modification_rule_order -new file mode 100644 -index 0000000000..66a8ecf249 ---- /dev/null -+++ b/shared/templates/template_OVAL_audit_rules_unsuccessful_file_modification_rule_order -@@ -0,0 +1,474 @@ -+ -+ -+ -+ Ensure auditd Rules For Unauthorized Attempts To {{{ SYSCALL }}} Are Ordered Correctly -+ -+ Red Hat Enterprise Linux 7 -+ multi_platform_fedora -+ -+ Audit rules about the information on the unsuccessful 
use of {{{ SYSCALL }}} is configured in the proper rule order. -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S(?:[\s]+{{{ SYSCALL }}}[\s]+|(?:[\s]+|[,]){{{ SYSCALL }}}(?:[\s]+|[,])))[\S]*[\s]* -+ -+ -+ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S(?:[\s]+{{{ SYSCALL }}}[\s]+|(?:[\s]+|[,]){{{ SYSCALL }}}(?:[\s]+|[,])))[\S]*[\s]* -+ -+ -+ [\s]+(?:-F\s+auid>={{{ auid }}}[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ -+ -+ -+ -+ -+ (?:[^.]|\.\s)* -+ -+ -+ -+ -+ -+ -+ (?:-F\s+a2&0100)[\s]+(?:-F\s+exit=-EACCES) -+ -+ -+ -+ -+ -+ -+ (?:-F\s+a2&01003)[\s]+(?:-F\s+exit=-EACCES) -+ -+ -+ -+ -+ -+ -+ (?!.*-F\s+a2&)[\s]+(?:-F\s+exit=-EACCES) -+ -+ -+ -+ -+ -+ -+ -+ -+ (?:-F\s+a2&0100)[\s]+(?:-F\s+exit=-EPERM) -+ -+ -+ -+ -+ -+ -+ (?:-F\s+a2&01003)[\s]+(?:-F\s+exit=-EPERM) -+ -+ -+ -+ -+ -+ -+ (?!.*-F\s+a2&)[\s]+(?:-F\s+exit=-EPERM) -+ -+ -+ -+ -+ -+ -+ -+ -+ (?:-F\s+a2&0100)[\s]+(?:-F\s+exit=-EACCES) -+ -+ -+ -+ -+ -+ -+ (?:-F\s+a2&01003)[\s]+(?:-F\s+exit=-EACCES) -+ -+ -+ -+ -+ -+ -+ (?!.*-F\s+a2&)[\s]+(?:-F\s+exit=-EACCES) -+ -+ -+ -+ -+ -+ -+ -+ -+ (?:-F\s+a2&0100)[\s]+(?:-F\s+exit=-EPERM) -+ -+ -+ -+ -+ -+ -+ (?:-F\s+a2&01003)[\s]+(?:-F\s+exit=-EPERM) -+ -+ -+ -+ -+ -+ -+ (?!.*-F\s+a2&)[\s]+(?:-F\s+exit=-EPERM) -+ -+ -+ -+ -+ -+ -+ -+ /etc/audit/rules\.d/.*\.rules -+ -+ 1 -+ -+ -+ -+ /etc/audit/rules\.d/.*\.rules -+ -+ 1 -+ -+ -+ -+ /etc/audit/rules\.d/.*\.rules -+ -+ 1 -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ /etc/audit/rules\.d/.*\.rules -+ -+ 1 -+ -+ -+ -+ -+ -+ /etc/audit/rules\.d/.*\.rules -+ -+ 1 -+ -+ -+ -+ /etc/audit/rules\.d/.*\.rules -+ -+ 1 -+ -+ -+ -+ /etc/audit/rules\.d/.*\.rules -+ -+ 1 -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ /etc/audit/rules\.d/.*\.rules -+ -+ 1 -+ -+ -+ -+ -+ -+ /etc/audit/rules\.d/.*\.rules -+ -+ 1 -+ -+ -+ -+ 
/etc/audit/rules\.d/.*\.rules -+ -+ 1 -+ -+ -+ -+ /etc/audit/rules\.d/.*\.rules -+ -+ 1 -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ /etc/audit/rules\.d/.*\.rules -+ -+ 1 -+ -+ -+ -+ -+ -+ /etc/audit/rules\.d/.*\.rules -+ -+ 1 -+ -+ -+ -+ /etc/audit/rules\.d/.*\.rules -+ -+ 1 -+ -+ -+ -+ /etc/audit/rules\.d/.*\.rules -+ -+ 1 -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ /etc/audit/rules\.d/.*\.rules -+ -+ 1 -+ -+ -+ -+ -+ -+ /etc/audit/rules\.d/.*\.rules -+ -+ 1 -+ -+ -+ -+ /etc/audit/rules\.d/.*\.rules -+ -+ 1 -+ -+ -+ -+ /etc/audit/rules\.d/.*\.rules -+ -+ 1 -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ /etc/audit/rules\.d/.*\.rules -+ -+ 1 -+ -+ -+ -+ -+ -+ /etc/audit/rules\.d/.*\.rules -+ -+ 1 -+ -+ -+ -+ /etc/audit/rules\.d/.*\.rules -+ -+ 1 -+ -+ -+ -+ /etc/audit/rules\.d/.*\.rules -+ -+ 1 -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ /etc/audit/rules\.d/.*\.rules -+ -+ 1 -+ -+ -+ -+ -+ -+ /etc/audit/rules\.d/.*\.rules -+ -+ 1 -+ -+ -+ -+ /etc/audit/rules\.d/.*\.rules -+ -+ 1 -+ -+ -+ -+ /etc/audit/rules\.d/.*\.rules -+ -+ 1 -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ /etc/audit/rules\.d/.*\.rules -+ -+ 1 -+ -+ -+ -+ -+ -+ /etc/audit/rules\.d/.*\.rules -+ -+ 1 -+ -+ -+ -+ /etc/audit/rules\.d/.*\.rules -+ -+ 1 -+ -+ -+ -+ /etc/audit/rules\.d/.*\.rules -+ -+ 1 -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ /etc/audit/rules\.d/.*\.rules -+ -+ 1 -+ -+ -+ -diff --git a/ssg/build_templates.py b/ssg/build_templates.py -index 8c6a18843e..964f6802e3 100644 ---- a/ssg/build_templates.py -+++ b/ssg/build_templates.py -@@ -21,6 +21,7 @@ - from create_sysctl import SysctlGenerator - from create_audit_rules_dac_modification import AuditRulesDacModificationGenerator - from create_audit_rules_unsuccessful_file_modification import AuditRulesUnsuccessfulFileModificationGenerator -+from create_audit_rules_unsuccessful_file_modification_detailed import ARUFMDetailedGenerator - from create_audit_rules_file_deletion_events import 
AuditRulesFileDeletionEventsGenerator
- from create_audit_rules_login_events import AuditRulesLoginEventsGenerator
- from create_audit_rules_privileged_commands import AuditRulesPrivilegedCommandsGenerator
-@@ -64,10 +65,12 @@ def __init__(self, env_yaml):
- "selinux_booleans.csv": SEBoolGenerator(),
- "audit_rules_dac_modification.csv": AuditRulesDacModificationGenerator(),
- "audit_rules_unsuccessful_file_modification.csv": AuditRulesUnsuccessfulFileModificationGenerator(),
-+ "audit_rules_unsuccessful_file_modification_detailed.csv": ARUFMDetailedGenerator(),
- "audit_rules_file_deletion_events.csv": AuditRulesFileDeletionEventsGenerator(),
- "audit_rules_login_events.csv": AuditRulesLoginEventsGenerator(),
- "audit_rules_privileged_commands.csv": AuditRulesPrivilegedCommandsGenerator(),
- "audit_rules_usergroup_modification.csv": AuditRulesUserGroupModificationGenerator(),
-+ "audit_rules_usergroup_modification.csv": AuditRulesUserGroupModificationGenerator(),
- "audit_rules_execution.csv": AuditRulesExecutionGenerator(),
- }
- self.langs = TEMPLATED_LANGUAGES
diff --git a/SOURCES/scap-security-guide-0.1.41-template_syscall_rules_ospp.patch
deleted file mode 100644
index 3238b4f..0000000
--- a/SOURCES/scap-security-guide-0.1.41-template_syscall_rules_ospp.patch
+++ /dev/null
@@ -1,17 +0,0 @@
---- a/rhel7/profiles/ospp42.profile
-+++ b/rhel7/profiles/ospp42.profile
-@@ -85,8 +85,14 @@
- - audit_rules_login_events_lastlog
- - audit_rules_login_events_tallylog
- - audit_rules_unsuccessful_file_modification_creat
-+ - audit_rules_unsuccessful_file_modification_openat_o_creat
-+ - audit_rules_unsuccessful_file_modification_openat_o_trunc_write
- - audit_rules_unsuccessful_file_modification_openat
-+ - audit_rules_unsuccessful_file_modification_openat_rule_order
-+ - audit_rules_unsuccessful_file_modification_open_by_handle_at_o_creat
-+ - audit_rules_unsuccessful_file_modification_open_by_handle_at_o_trunc_write
- - audit_rules_unsuccessful_file_modification_open_by_handle_at
-+ - audit_rules_unsuccessful_file_modification_open_by_handle_at_rule_order
- - audit_rules_unsuccessful_file_modification_open_o_creat
- - audit_rules_unsuccessful_file_modification_open_o_trunc_write
- - audit_rules_unsuccessful_file_modification_open_rule_order
diff --git a/SOURCES/scap-security-guide-0.1.41-template_watch_path.patch
deleted file mode 100644
index 8263b89..0000000
--- a/SOURCES/scap-security-guide-0.1.41-template_watch_path.patch
+++ /dev/null
@@ -1,433 +0,0 @@ -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_group_open.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_group_open.rule -new file mode 100644 -index 0000000000..c69567f1c7 ---- /dev/null -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_group_open.rule -@@ -0,0 +1,36 @@ -+documentation_complete: true -+ -+prodtype: rhel7,fedora -+ -+title: 'Record Events that Modify User/Group Information via open syscall - /etc/group' -+ -+description: |- -+ The audit system should collect write events to /etc/group file for all users and root. -+ If the auditd daemon is configured -+ to use the augenrules program to read audit rules during daemon -+ startup (the default), add the following lines to a file with suffix -+ .rules in the directory /etc/audit/rules.d: -+
-a always,exit -F arch=b32 -S open -F a2&03 -F path=/etc/group -F auid>=1000 -F auid!=unset -F key=group-modify
-+ If the auditd daemon is configured to use the auditctl -+ utility to read audit rules during daemon startup, add the following lines to -+ /etc/audit/audit.rules file: -+
-a always,exit -F arch=b64 -S open -F a2&03 -F path=/etc/group -F auid>=1000 -F auid!=unset -F key=group-modify
-+ -+rationale: |- -+ Creation of groups through direct edition of /etc/group could be an indicator of malicious activity on a system. -+ Auditing these events could serve as evidence of potential system compromise. -+ -+severity: medium -+ -+references: -+ ospp@rhel7: FAU_GEN.1.1.c -+ -+{{{ complete_ocil_entry_audit_syscall(syscall="open") }}} -+ -+warnings: -+ - general: |- -+ Note that these rules can be configured in a -+ number of ways while still achieving the desired effect. Here the system calls -+ have been placed independent of other system calls. Grouping system calls related -+ to the same event is more efficient. See the following example: -+
-a always,exit -F arch=b32 -S open,openat,open_by_handle_at -F a2&03 -F path=/etc/group -F auid>=1000 -F auid!=unset -F key=group-modify
-diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_group_open_by_handle_at.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_group_open_by_handle_at.rule -new file mode 100644 -index 0000000000..c33354b287 ---- /dev/null -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_group_open_by_handle_at.rule -@@ -0,0 +1,36 @@ -+documentation_complete: true -+ -+prodtype: rhel7,fedora -+ -+title: 'Record Events that Modify User/Group Information via open_by_handle_at syscall - /etc/group' -+ -+description: |- -+ The audit system should collect write events to /etc/group file for all group and root. -+ If the auditd daemon is configured -+ to use the augenrules program to read audit rules during daemon -+ startup (the default), add the following lines to a file with suffix -+ .rules in the directory /etc/audit/rules.d: -+
-a always,exit -F arch=b32 -S open_by_handle_at -F a2&03 -F path=/etc/group -F auid>=1000 -F auid!=unset -F key=group-modify
-+ If the auditd daemon is configured to use the auditctl -+ utility to read audit rules during daemon startup, add the following lines to -+ /etc/audit/audit.rules file: -+
-a always,exit -F arch=b64 -S open_by_handle_at -F a2&03 -F path=/etc/group -F auid>=1000 -F auid!=unset -F key=group-modify
-+ -+rationale: |- -+ Creation of groups through direct edition of /etc/group could be an indicator of malicious activity on a system. -+ Auditing these events could serve as evidence of potential system compromise. -+ -+severity: medium -+ -+references: -+ ospp@rhel7: FAU_GEN.1.1.c -+ -+{{{ complete_ocil_entry_audit_syscall(syscall="open_by_handle_at") }}} -+ -+warnings: -+ - general: |- -+ Note that these rules can be configured in a -+ number of ways while still achieving the desired effect. Here the system calls -+ have been placed independent of other system calls. Grouping system calls related -+ to the same event is more efficient. See the following example: -+
-a always,exit -F arch=b32 -S open,openat,open_by_handle_at -F a2&03 -F path=/etc/group -F auid>=1000 -F auid!=unset -F key=group-modify
-diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_group_openat.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_group_openat.rule -new file mode 100644 -index 0000000000..61bde4d6e9 ---- /dev/null -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_group_openat.rule -@@ -0,0 +1,36 @@ -+documentation_complete: true -+ -+prodtype: rhel7,fedora -+ -+title: 'Record Events that Modify User/Group Information via openat syscall - /etc/group' -+ -+description: |- -+ The audit system should collect write events to /etc/group file for all users and root. -+ If the auditd daemon is configured -+ to use the augenrules program to read audit rules during daemon -+ startup (the default), add the following lines to a file with suffix -+ .rules in the directory /etc/audit/rules.d: -+
-a always,exit -F arch=b32 -S openat -F a2&03 -F path=/etc/group -F auid>=1000 -F auid!=unset -F key=group-modify
-+ If the auditd daemon is configured to use the auditctl -+ utility to read audit rules during daemon startup, add the following lines to -+ /etc/audit/audit.rules file: -+
-a always,exit -F arch=b64 -S openat -F a2&03 -F path=/etc/group -F auid>=1000 -F auid!=unset -F key=group-modify
-+ -+rationale: |- -+ Creation of groups through direct edition of /etc/group could be an indicator of malicious activity on a system. -+ Auditing these events could serve as evidence of potential system compromise. -+ -+severity: medium -+ -+references: -+ ospp@rhel7: FAU_GEN.1.1.c -+ -+{{{ complete_ocil_entry_audit_syscall(syscall="openat") }}} -+ -+warnings: -+ - general: |- -+ Note that these rules can be configured in a -+ number of ways while still achieving the desired effect. Here the system calls -+ have been placed independent of other system calls. Grouping system calls related -+ to the same event is more efficient. See the following example: -+
-a always,exit -F arch=b32 -S open,openat,open_by_handle_at -F a2&03 -F path=/etc/group -F auid>=1000 -F auid!=unset -F key=group-modify
-diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_passwd_open_by_handle_at.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_passwd_open_by_handle_at.rule -new file mode 100644 -index 0000000000..0f91bb7d58 ---- /dev/null -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_passwd_open_by_handle_at.rule -@@ -0,0 +1,36 @@ -+documentation_complete: true -+ -+prodtype: rhel7,fedora -+ -+title: 'Record Events that Modify User/Group Information via open_by_handle_at syscall - /etc/passwd' -+ -+description: |- -+ The audit system should collect write events to /etc/passwd file for all users and root. -+ If the auditd daemon is configured -+ to use the augenrules program to read audit rules during daemon -+ startup (the default), add the following lines to a file with suffix -+ .rules in the directory /etc/audit/rules.d: -+
-a always,exit -F arch=b32 -S open_by_handle_at -F a2&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=user-modify
-+ If the auditd daemon is configured to use the auditctl -+ utility to read audit rules during daemon startup, add the following lines to -+ /etc/audit/audit.rules file: -+
-a always,exit -F arch=b64 -S open_by_handle_at -F a2&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=user-modify
-+ -+rationale: |- -+ Creation of users through direct edition of /etc/passwd could be an indicator of malicious activity on a system. -+ Auditing these events could serve as evidence of potential system compromise. -+ -+severity: medium -+ -+references: -+ ospp@rhel7: FAU_GEN.1.1.c -+ -+{{{ complete_ocil_entry_audit_syscall(syscall="open_by_handle_at") }}} -+ -+warnings: -+ - general: |- -+ Note that these rules can be configured in a -+ number of ways while still achieving the desired effect. Here the system calls -+ have been placed independent of other system calls. Grouping system calls related -+ to the same event is more efficient. See the following example: -+
-a always,exit -F arch=b32 -S open,openat,open_by_handle_at -F a2&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=user-modify
-diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_passwd_openat.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_passwd_openat.rule -new file mode 100644 -index 0000000000..f1fab2b945 ---- /dev/null -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_passwd_openat.rule -@@ -0,0 +1,36 @@ -+documentation_complete: true -+ -+prodtype: rhel7,fedora -+ -+title: 'Record Events that Modify User/Group Information via openat syscall - /etc/passwd' -+ -+description: |- -+ The audit system should collect write events to /etc/passwd file for all users and root. -+ If the auditd daemon is configured -+ to use the augenrules program to read audit rules during daemon -+ startup (the default), add the following lines to a file with suffix -+ .rules in the directory /etc/audit/rules.d: -+
-a always,exit -F arch=b32 -S openat -F a2&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=user-modify
-+ If the auditd daemon is configured to use the auditctl -+ utility to read audit rules during daemon startup, add the following lines to -+ /etc/audit/audit.rules file: -+
-a always,exit -F arch=b64 -S openat -F a2&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=user-modify
-+ -+rationale: |- -+ Creation of users through direct edition of /etc/passwd could be an indicator of malicious activity on a system. -+ Auditing these events could serve as evidence of potential system compromise. -+ -+severity: medium -+ -+references: -+ ospp@rhel7: FAU_GEN.1.1.c -+ -+{{{ complete_ocil_entry_audit_syscall(syscall="openat") }}} -+ -+warnings: -+ - general: |- -+ Note that these rules can be configured in a -+ number of ways while still achieving the desired effect. Here the system calls -+ have been placed independent of other system calls. Grouping system calls related -+ to the same event is more efficient. See the following example: -+
-a always,exit -F arch=b32 -S open,openat,open_by_handle_at -F a2&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=user-modify
-diff --git a/rhel7/profiles/ospp42.profile b/rhel7/profiles/ospp42.profile -index 343ac9eb3c..68f4e38bc8 100644 ---- a/rhel7/profiles/ospp42.profile -+++ b/rhel7/profiles/ospp42.profile -@@ -171,3 +171,8 @@ selections: - - audit_rules_kernel_module_loading_rmmod - - security_patches_up_to_date - - audit_rules_etc_passwd_open -+ - audit_rules_etc_passwd_openat -+ - audit_rules_etc_passwd_open_by_handle_at -+ - audit_rules_etc_group_open -+ - audit_rules_etc_group_openat -+ - audit_rules_etc_group_open_by_handle_at -diff --git a/shared/templates/create_audit_rules_path_syscall.py b/shared/templates/create_audit_rules_path_syscall.py -new file mode 100644 -index 0000000000..0283bf439c ---- /dev/null -+++ b/shared/templates/create_audit_rules_path_syscall.py -@@ -0,0 +1,33 @@ -+#!/usr/bin/python2 -+ -+# -+# create_audit_rules_path_syscall_detailed.py -+# generate template-based checks for changes to a path via syscalls -+ -+ -+from template_common import FilesGenerator, UnknownTargetError -+ -+import re -+ -+class AuditRulesPathSyscallGenerator(FilesGenerator): -+ def generate(self, target, args): -+ path,syscall = args[0:2] -+ pathid = re.sub('[-\./]', '_', path) -+ # remove root slash made into '_' -+ pathid = pathid[1:] -+ if target == "oval": -+ self.file_from_template( -+ "./template_OVAL_audit_rules_path_syscall", -+ { -+ "PATH": path, -+ "PATHID": pathid, -+ "SYSCALL": syscall -+ }, -+ "./oval/audit_rules_{0}_{1}.xml", pathid, syscall -+ ) -+ else: -+ raise UnknownTargetError(target) -+ -+ def csv_format(self): -+ return("CSV should contains lines of the format: " + -+ "PATH,SYSCALL") -diff --git a/shared/templates/csv/audit_rules_path_syscall.csv b/shared/templates/csv/audit_rules_path_syscall.csv -new file mode 100644 -index 0000000000..015f02f58d ---- /dev/null -+++ b/shared/templates/csv/audit_rules_path_syscall.csv -@@ -0,0 +1,11 @@ -+# format: -+# , -+# - path is the absolute path to watch -+# - syscall is the syscall to wath the path for -+ 
-+/etc/passwd,open -+/etc/passwd,openat -+/etc/passwd,open_by_handle_at -+/etc/group,open -+/etc/group,openat -+/etc/group,open_by_handle_at -diff --git a/shared/checks/oval/audit_rules_etc_passwd_open.xml b/shared/templates/template_OVAL_audit_rules_path_syscall -similarity index 52% -rename from shared/checks/oval/audit_rules_etc_passwd_open.xml -rename to shared/templates/template_OVAL_audit_rules_path_syscall -index fd5c3efb28..dcc1d7b0a2 100644 ---- a/shared/checks/oval/audit_rules_etc_passwd_open.xml -+++ b/shared/templates/template_OVAL_audit_rules_path_syscall -@@ -1,12 +1,12 @@ - -- -+ - -- Ensure auditd Collects Write Events to /etc/passwd -+ Ensure auditd Collects Write Events to {{{ PATH }}} - - Red Hat Enterprise Linux 7 - multi_platform_fedora - -- Audit rules about the write events to /etc/passwd -+ Audit rules about the write events to {{{ PATH }}} - - - -@@ -14,26 +14,26 @@ - - - -- -+ - - - - - -- -+ - - - - - - -- -+ - - - - - -- -+ - - - -@@ -41,55 +41,55 @@ - - - -- -- ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S(?:[\s]+open[\s]+|(?:[\s]+|[,])open(?:[\s]+|[,])))[\S]*[\s]*(?:-F[\s]+a2&03)[\s]+(?:-F[\s]+path=/etc/passwd)[\s]+(?:-F\s+auid>={{{ auid }}}[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ -+ -+ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S(?:[\s]+{{{ SYSCALL }}}[\s]+|(?:[\s]+|[,]){{{ SYSCALL }}}(?:[\s]+|[,])))[\S]*[\s]*(?:-F[\s]+a2&03)[\s]+(?:-F[\s]+path={{{ PATH }}})[\s]+(?:-F\s+auid>={{{ auid }}}[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ - - -- -- ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S(?:[\s]+open[\s]+|(?:[\s]+|[,])open(?:[\s]+|[,])))[\S]*[\s]*(?:-F[\s]+a2&03)[\s]+(?:-F[\s]+path=/etc/passwd)[\s]+(?:-F\s+auid>={{{ auid }}}[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ -+ -+ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S(?:[\s]+{{{ SYSCALL }}}[\s]+|(?:[\s]+|[,]){{{ SYSCALL 
}}}(?:[\s]+|[,])))[\S]*[\s]*(?:-F[\s]+a2&03)[\s]+(?:-F[\s]+path={{{ PATH }}})[\s]+(?:-F\s+auid>={{{ auid }}}[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ - - -- -+ - -- -+ comment="defined audit rule must exist" id="test_audit_rules_{{{ PATHID }}}_{{{ SYSCALL }}}_32bit_augenrules" version="1"> -+ - -- -+ - /etc/audit/rules\.d/.*\.rules -- -+ - 1 - - - -- -+ comment="defined audit rule must exist" id="test_audit_rules_{{{ PATHID }}}_{{{ SYSCALL }}}_64bit_augenrules" version="1"> -+ - -- -+ - /etc/audit/rules\.d/.*\.rules -- -+ - 1 - - - - -- -+ - -- -+ comment="defined audit rule must exist" id="test_audit_rules_{{{ PATHID }}}_{{{ SYSCALL }}}_32bit_auditctl" version="1"> -+ - -- -+ - /etc/audit/audit.rules -- -+ - 1 - - - -- -+ comment="defined audit rule must exist" id="test_audit_rules_{{{ PATHID }}}_{{{ SYSCALL }}}_64bit_auditctl" version="1"> -+ - -- -+ - /etc/audit/audit.rules -- -+ - 1 - - -diff --git a/shared/templates/template_common.py b/shared/templates/template_common.py -index b0fdf5fcc9..c8930ee05c 100644 ---- a/shared/templates/template_common.py -+++ b/shared/templates/template_common.py -@@ -78,14 +78,15 @@ def get_template_filename(self, filename): - raise TemplateNotFoundError(filename, paths) - - def file_from_template(self, template_filename, constants, -- filename_format, filename_value): -+ filename_format, filename_value, *extra_filename_args): - """ - Load template, fill constant and create new file - """ - - template_filepath = self.get_template_filename(template_filename) -+ format_args = (filename_value,) + extra_filename_args - output_filepath = os.path.join( -- self.output_dir, filename_format.format(filename_value) -+ self.output_dir, filename_format.format(*format_args) - ) - - if self.action == ActionType.INPUT: 
diff --git a/SOURCES/scap-security-guide-0.1.41-template_watch_path_build_templates.patch
deleted file mode 100644
index 1d60774..0000000
--- a/SOURCES/scap-security-guide-0.1.41-template_watch_path_build_templates.patch
+++ /dev/null
@@ -1,20 +0,0 @@
-diff --git a/ssg/build_templates.py b/ssg/build_templates.py
-index 8c6a18843e..34114b263a 100644
---- a/ssg/build_templates.py
-+++ b/ssg/build_templates.py
-@@ -27,6 +27,7 @@
- from create_audit_rules_privileged_commands import AuditRulesPrivilegedCommandsGenerator
- from create_audit_rules_usergroup_modification import AuditRulesUserGroupModificationGenerator
- from create_audit_rules_execution import AuditRulesExecutionGenerator
-+from create_audit_rules_path_syscall import AuditRulesPathSyscallGenerator
-
-
- class Builder(object):
-@@ -59,6 +60,7 @@
- "audit_rules_usergroup_modification.csv": AuditRulesUserGroupModificationGenerator(),
- "audit_rules_usergroup_modification.csv": AuditRulesUserGroupModificationGenerator(),
- "audit_rules_execution.csv": AuditRulesExecutionGenerator(),
-+ "audit_rules_path_syscall.csv": AuditRulesPathSyscallGenerator(),
- }
- self.langs = TEMPLATED_LANGUAGES
- utils_dir = os.path.dirname(os.path.realpath(__file__))
diff --git a/SOURCES/scap-security-guide-0.1.41-untemplate_var_tmp.patch
deleted file mode 100644
index 52965b7..0000000
--- a/SOURCES/scap-security-guide-0.1.41-untemplate_var_tmp.patch
+++ /dev/null
@@ -1,413 +0,0 @@ -diff --git a/debian8/templates/csv/mount_options.csv b/debian8/templates/csv/mount_options.csv -index 6e00a922cc..c85df506af 100644 ---- a/debian8/templates/csv/mount_options.csv -+++ b/debian8/templates/csv/mount_options.csv -@@ -19,4 +19,3 @@ - /tmp,nodev - /tmp,nosuid - /usr,nodev --/var/tmp,bind -diff --git a/fedora/templates/csv/mount_options.csv b/fedora/templates/csv/mount_options.csv -index 6bbdea38f9..9f4361a7f4 100644 ---- a/fedora/templates/csv/mount_options.csv -+++ b/fedora/templates/csv/mount_options.csv -@@ -12,5 +12,4 @@ - /tmp,nodev - /tmp,noexec - /tmp,nosuid --/var/tmp,bind - -diff --git a/shared/fixes/bash/mount_option_var_tmp_bind.sh -new file mode 100644 -index 0000000000..1466eff5f5 ---- /dev/null -+++ b/shared/fixes/bash/mount_option_var_tmp_bind.sh -@@ -0,0 +1,17 @@ -+# platform = multi_platform_rhel,multi_platform_fedora -+ -+. /usr/share/scap-security-guide/remediation_functions -+ -+# Delete particular /etc/fstab's row if /var/tmp is already configured to -+# represent a mount point (for some device or filesystem other than /tmp) -+if grep -q -P '.*\/var\/tmp.*' /etc/fstab -+then -+ sed -i '/.*\/var\/tmp.*/d' /etc/fstab -+fi -+umount /var/tmp -+ -+# Bind-mount /var/tmp to /tmp via /etc/fstab (preserving the /etc/fstab form) -+printf "%-24s%-24s%-8s%-32s%-3s\n" "/tmp" "/var/tmp" "none" "rw,nodev,noexec,nosuid,bind" "0 0" >> /etc/fstab -+ -+mkdir -p /var/tmp -+mount -B /tmp /var/tmp -diff --git a/shared/checks/oval/mount_option_var_tmp_bind.xml -new file mode 100644 -index 0000000000..7280364cfa ---- /dev/null -+++ b/shared/checks/oval/mount_option_var_tmp_bind.xml -@@ -0,0 +1,85 @@ -+ -+ -+ -+ Bind Mount /var/tmp To /tmp -+ -+ multi_platform_all -+ -+ The /var/tmp directory should be bind mounted to /tmp in -+ order to consolidate temporary storage into one location protected by the -+ same techniques as /tmp. 
-+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ /etc/fstab -+ ^[\s]*/tmp[\s]+/var/tmp[\s]+.*bind.*$ -+ 1 -+ -+ -+ -+ -+ -+ -+ /var/tmp -+ -+ -+ -+ -+ -+ -+ -+ -+ /etc/mtab -+ ^[\s]*/tmp[\s]+/var/tmp[\s]+.*bind.*$ -+ 1 -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ /tmp -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -diff --git a/ol7/templates/csv/mount_options.csv b/ol7/templates/csv/mount_options.csv -index 2f0aa49f0d..122198b57a 100644 ---- a/ol7/templates/csv/mount_options.csv -+++ b/ol7/templates/csv/mount_options.csv -@@ -1,3 +1,2 @@ - /dev/shm,nodev - /dev/shm,nosuid --/var/tmp,bind -diff --git a/opensuse/templates/csv/mount_options.csv b/opensuse/templates/csv/mount_options.csv -deleted file mode 100644 -index e024d02571..0000000000 ---- a/opensuse/templates/csv/mount_options.csv -+++ /dev/null -@@ -1,9 +0,0 @@ --# format: --# ,[,create_fstab_entry_if_needed] --# - mount point mounted with specified option. for more than --# one option, use multiple lines with the same , use the --# variable name (i.e. name beginning with var_, without the leading --# '$' to reference a variable, e.g. var_removable_partition,nodev) --# If the remediation can create (i.e. not just modify) an /etc/fstab line, --# add the 'create_fstab_entry_if_needed' literal string as the third argument. --/var/tmp,bind -diff --git a/rhel-osp7/templates/csv/mount_options.csv b/rhel-osp7/templates/csv/mount_options.csv -deleted file mode 100644 -index e024d02571..0000000000 ---- a/rhel-osp7/templates/csv/mount_options.csv -+++ /dev/null -@@ -1,9 +0,0 @@ --# format: --# ,[,create_fstab_entry_if_needed] --# - mount point mounted with specified option. for more than --# one option, use multiple lines with the same , use the --# variable name (i.e. name beginning with var_, without the leading --# '$' to reference a variable, e.g. var_removable_partition,nodev) --# If the remediation can create (i.e. not just modify) an /etc/fstab line, --# add the 'create_fstab_entry_if_needed' literal string as the third argument. 
--/var/tmp,bind -diff --git a/rhel6/templates/csv/mount_options.csv b/rhel6/templates/csv/mount_options.csv -index ebf6bba9df..de0056e08c 100644 ---- a/rhel6/templates/csv/mount_options.csv -+++ b/rhel6/templates/csv/mount_options.csv -@@ -12,4 +12,3 @@ - /tmp,nodev - /tmp,noexec - /tmp,nosuid --/var/tmp,bind -diff --git a/rhel7/templates/csv/mount_options.csv b/rhel7/templates/csv/mount_options.csv -index f5d9ed8cea..f9a3bc73dd 100644 ---- a/rhel7/templates/csv/mount_options.csv -+++ b/rhel7/templates/csv/mount_options.csv -@@ -19,4 +19,3 @@ - /var/tmp,nodev - /var/tmp,noexec - /var/tmp,nosuid --/var/tmp,bind -diff --git a/sle11/templates/csv/mount_options.csv b/sle11/templates/csv/mount_options.csv -deleted file mode 100644 -index e024d02571..0000000000 ---- a/sle11/templates/csv/mount_options.csv -+++ /dev/null -@@ -1,9 +0,0 @@ --# format: --# ,[,create_fstab_entry_if_needed] --# - mount point mounted with specified option. for more than --# one option, use multiple lines with the same , use the --# variable name (i.e. name beginning with var_, without the leading --# '$' to reference a variable, e.g. var_removable_partition,nodev) --# If the remediation can create (i.e. not just modify) an /etc/fstab line, --# add the 'create_fstab_entry_if_needed' literal string as the third argument. 
--/var/tmp,bind -diff --git a/sle12/templates/csv/mount_options.csv b/sle12/templates/csv/mount_options.csv -index 759e51b0fe..b2df6c9f08 100644 ---- a/sle12/templates/csv/mount_options.csv -+++ b/sle12/templates/csv/mount_options.csv -@@ -17,4 +17,3 @@ - /var/tmp,nodev - /var/tmp,noexec - /var/tmp,nosuid --/var/tmp,bind -diff --git a/tests/data/group_system/group_permissions/group_partitions/partition.sh b/tests/data/group_system/group_permissions/group_partitions/partition.sh -index 333a574f5e..f74a98b5b3 100644 ---- a/tests/data/group_system/group_permissions/group_partitions/partition.sh -+++ b/tests/data/group_system/group_permissions/group_partitions/partition.sh -@@ -8,16 +8,21 @@ create_partition() { - } - - # $1: The mount point --# $2: The additional mount options -+# $2: The type of file system -+# $3: The additional mount options - make_fstab_given_partition_line() { -- local _mount_point="$1" _additional_mount_options="$2" -+ local _mount_point="$1" _type="$2" _additional_mount_options="$3" - test -z "$_additional_mount_options" || _additional_mount_options=",$_additional_mount_options" -- printf "%s %s ext2 rw%s 0 0\n" "$PARTITION" "$_mount_point" "$_additional_mount_options" > /etc/fstab -+ printf "%s %s %s rw%s 0 0\n" "$PARTITION" "$_mount_point" "$_type" "$_additional_mount_options" >> /etc/fstab - } - - # $1: The mount point - make_fstab_correct_partition_line() { -- make_fstab_given_partition_line "$1" "nodev,noexec,nosuid" -+ make_fstab_given_partition_line "$1" "ext2" "nodev,noexec,nosuid" -+} -+ -+make_fstab_bind_partition_line() { -+ make_fstab_given_partition_line "$1" "none" "nodev,noexec,nosuid,bind" - } - - # $1: The mount point -@@ -28,5 +33,13 @@ mount_partition() { - - mount_bind_partition() { - mkdir -p "$1" -- mount --target -B "$1" -+ mount -B "$PARTITION" "$1" -+} -+ -+# $1: The path to umount and remove from /etc/fstab -+clean_up_partition() { -+ path="$1" -+ escaped_path=${path//$'/'/$'\/'} -+ sed -i "/${escaped_path}/d" 
/etc/fstab -+ umount ${path} || true # no problem if not mounted - } -diff --git a/tests/data/group_system/group_permissions/group_partitions/rule_mount_option_home_nosuid/fstab.fail.sh b/tests/data/group_system/group_permissions/group_partitions/rule_mount_option_home_nosuid/fstab.fail.sh -index 498f44911f..0cc19818d9 100644 ---- a/tests/data/group_system/group_permissions/group_partitions/rule_mount_option_home_nosuid/fstab.fail.sh -+++ b/tests/data/group_system/group_permissions/group_partitions/rule_mount_option_home_nosuid/fstab.fail.sh -@@ -7,6 +7,6 @@ umount /home || true # no problem if not mounted - - create_partition - --make_fstab_given_partition_line /home nodev -+make_fstab_given_partition_line /home ext2 nodev - - mount_partition /home -diff --git a/tests/data/group_system/group_permissions/group_partitions/rule_mount_option_tmp_noexec/fstab.fail.sh b/tests/data/group_system/group_permissions/group_partitions/rule_mount_option_tmp_noexec/fstab.fail.sh -index 3128ad2aee..62d36b718a 100644 ---- a/tests/data/group_system/group_permissions/group_partitions/rule_mount_option_tmp_noexec/fstab.fail.sh -+++ b/tests/data/group_system/group_permissions/group_partitions/rule_mount_option_tmp_noexec/fstab.fail.sh -@@ -5,6 +5,6 @@ - - create_partition - --make_fstab_given_partition_line /tmp nodev -+make_fstab_given_partition_line /tmp ext2 nodev - - mount_partition /tmp -diff --git a/tests/data/group_system/group_permissions/group_partitions/rule_mount_option_var_tmp_bind/configured_and_mounted.pass.sh b/tests/data/group_system/group_permissions/group_partitions/rule_mount_option_var_tmp_bind/configured_and_mounted.pass.sh -new file mode 100644 -index 0000000000..ad3c5d4f50 ---- /dev/null -+++ b/tests/data/group_system/group_permissions/group_partitions/rule_mount_option_var_tmp_bind/configured_and_mounted.pass.sh -@@ -0,0 +1,13 @@ -+#!/bin/bash -+# profiles = xccdf_org.ssgproject.content_profile_C2S -+ -+. 
../partition.sh -+ -+# Make sure scenario preparation starts from a clean state -+clean_up_partition /var/tmp -+ -+# Redefine PARTITION variable defined in partition.sh -+PARTITION="/tmp" -+make_fstab_bind_partition_line /var/tmp -+ -+mount_bind_partition /var/tmp -diff --git a/tests/data/group_system/group_permissions/group_partitions/rule_mount_option_var_tmp_bind/just_configured.fail.sh b/tests/data/group_system/group_permissions/group_partitions/rule_mount_option_var_tmp_bind/just_configured.fail.sh -new file mode 100644 -index 0000000000..87e7fc9726 ---- /dev/null -+++ b/tests/data/group_system/group_permissions/group_partitions/rule_mount_option_var_tmp_bind/just_configured.fail.sh -@@ -0,0 +1,11 @@ -+#!/bin/bash -+# profiles = xccdf_org.ssgproject.content_profile_C2S -+ -+. ../partition.sh -+ -+# Make sure scenario preparation starts from a clean state -+clean_up_partition /var/tmp -+ -+# Redefine PARTITION variable defined in partition.sh -+PARTITION="/tmp" -+make_fstab_bind_partition_line /var/tmp -diff --git a/tests/data/group_system/group_permissions/group_partitions/rule_mount_option_var_tmp_bind/just_mounted.fail.sh b/tests/data/group_system/group_permissions/group_partitions/rule_mount_option_var_tmp_bind/just_mounted.fail.sh -new file mode 100644 -index 0000000000..d1bcb5a220 ---- /dev/null -+++ b/tests/data/group_system/group_permissions/group_partitions/rule_mount_option_var_tmp_bind/just_mounted.fail.sh -@@ -0,0 +1,10 @@ -+#!/bin/bash -+# profiles = xccdf_org.ssgproject.content_profile_C2S -+ -+. 
../partition.sh -+ -+# Make sure scenario preparation starts from a clean state -+clean_up_partition /var/tmp -+ -+# just mount the partition -+mount -B /tmp /var/tmp -diff --git a/tests/data/group_system/group_permissions/group_partitions/rule_mount_option_var_tmp_bind/separated_and_mounted.fail.sh b/tests/data/group_system/group_permissions/group_partitions/rule_mount_option_var_tmp_bind/separated_and_mounted.fail.sh -new file mode 100644 -index 0000000000..e315c54293 ---- /dev/null -+++ b/tests/data/group_system/group_permissions/group_partitions/rule_mount_option_var_tmp_bind/separated_and_mounted.fail.sh -@@ -0,0 +1,14 @@ -+#!/bin/bash -+# profiles = xccdf_org.ssgproject.content_profile_C2S -+ -+. ../partition.sh -+ -+# Make sure scenario preparation starts from a clean state -+clean_up_partition /var/tmp -+ -+# by default /tmp is already configured and mounted -+ -+# Redefine PARTITION -+mkdir -p "$PARTITION" -+make_fstab_bind_partition_line /var/tmp -+mount_bind_partition /var/tmp -diff --git a/tests/data/group_system/group_permissions/group_partitions/rule_mount_option_var_tmp_bind/wrong_bind.fail.sh b/tests/data/group_system/group_permissions/group_partitions/rule_mount_option_var_tmp_bind/wrong_bind.fail.sh -new file mode 100644 -index 0000000000..6ec7d6cdea ---- /dev/null -+++ b/tests/data/group_system/group_permissions/group_partitions/rule_mount_option_var_tmp_bind/wrong_bind.fail.sh -@@ -0,0 +1,13 @@ -+#!/bin/bash -+# profiles = xccdf_org.ssgproject.content_profile_C2S -+ -+. 
../partition.sh -+ -+# Make sure scenario preparation starts from a clean state -+clean_up_partition /var/tmp -+ -+# PARTITION is defined in partition.sh -+mkdir -p "$PARTITION" -+make_fstab_bind_partition_line /var/tmp -+ -+mount_bind_partition /var/tmp -diff --git a/tests/data/group_system/group_permissions/group_partitions/rule_mount_option_var_tmp_noexec/fstab.fail.sh b/tests/data/group_system/group_permissions/group_partitions/rule_mount_option_var_tmp_noexec/fstab.fail.sh -index 37bc6e9881..431636bd13 100644 ---- a/tests/data/group_system/group_permissions/group_partitions/rule_mount_option_var_tmp_noexec/fstab.fail.sh -+++ b/tests/data/group_system/group_permissions/group_partitions/rule_mount_option_var_tmp_noexec/fstab.fail.sh -@@ -5,6 +5,6 @@ - - create_partition - --make_fstab_given_partition_line /var/tmp nodev -+make_fstab_given_partition_line /var/tmp ext2 nodev - - mount_partition /var/tmp -diff --git a/ubuntu1404/templates/csv/mount_options.csv b/ubuntu1404/templates/csv/mount_options.csv -index 6e00a922cc..c85df506af 100644 ---- a/ubuntu1404/templates/csv/mount_options.csv -+++ b/ubuntu1404/templates/csv/mount_options.csv -@@ -19,4 +19,3 @@ - /tmp,nodev - /tmp,nosuid - /usr,nodev --/var/tmp,bind -diff --git a/ubuntu1604/templates/csv/mount_options.csv b/ubuntu1604/templates/csv/mount_options.csv -index 6e00a922cc..c85df506af 100644 ---- a/ubuntu1604/templates/csv/mount_options.csv -+++ b/ubuntu1604/templates/csv/mount_options.csv -@@ -19,4 +19,3 @@ - /tmp,nodev - /tmp,nosuid - /usr,nodev --/var/tmp,bind -diff --git a/wrlinux/templates/csv/mount_options.csv b/wrlinux/templates/csv/mount_options.csv -index 6bbdea38f9..9f4361a7f4 100644 ---- a/wrlinux/templates/csv/mount_options.csv -+++ b/wrlinux/templates/csv/mount_options.csv -@@ -12,5 +12,4 @@ - /tmp,nodev - /tmp,noexec - /tmp,nosuid --/var/tmp,bind - 
diff --git a/SOURCES/scap-security-guide-0.1.42-mark_rules_as_machine_only.patch b/SOURCES/scap-security-guide-0.1.42-mark_rules_as_machine_only.patch deleted file mode 100644 index beb54c7..0000000 --- a/SOURCES/scap-security-guide-0.1.42-mark_rules_as_machine_only.patch +++ /dev/null 
@@ -1,2196 +0,0 @@ -commit 724676573314ec7537015db800ea9edc08bdeafe -Author: Gabriel Becker -Date: Fri Apr 5 14:49:41 2019 +0200 - - Mark rules that are not applicable in containers. Backport of 8a858d0c and 313b634c. - -diff --git a/linux_os/guide/services/base/service_irqbalance_enabled.rule b/linux_os/guide/services/base/service_irqbalance_enabled.rule -index a94a60d..d74e543 100644 ---- a/linux_os/guide/services/base/service_irqbalance_enabled.rule -+++ b/linux_os/guide/services/base/service_irqbalance_enabled.rule -@@ -24,3 +24,5 @@ references: - nist: CM-7 - - ocil: '{{{ ocil_service_disabled(service="irqbalance") }}}' -+ -+platform: machine -diff --git a/linux_os/guide/services/cron_and_at/group.yml b/linux_os/guide/services/cron_and_at/group.yml -index 30f07e0..745ed46 100644 ---- a/linux_os/guide/services/cron_and_at/group.yml -+++ b/linux_os/guide/services/cron_and_at/group.yml -@@ -8,3 +8,5 @@ description: |- - all systems to perform necessary maintenance tasks, while at may or - may not be required on a given system. Both daemons should be - configured defensively. 
-+ -+platform: machine -diff --git a/linux_os/guide/services/docker/docker_storage_configured.rule b/linux_os/guide/services/docker/docker_storage_configured.rule -index c675292..a1c90e6 100644 ---- a/linux_os/guide/services/docker/docker_storage_configured.rule -+++ b/linux_os/guide/services/docker/docker_storage_configured.rule -@@ -20,3 +20,5 @@ severity: low - - identifiers: - cce@rhel7: 80441-9 -+ -+platform: machine -diff --git a/linux_os/guide/services/docker/service_docker_enabled.rule b/linux_os/guide/services/docker/service_docker_enabled.rule -index 6cd9df4..309771b 100644 ---- a/linux_os/guide/services/docker/service_docker_enabled.rule -+++ b/linux_os/guide/services/docker/service_docker_enabled.rule -@@ -20,3 +20,5 @@ identifiers: - cce@rhel7: 80440-1 - - ocil: '{{{ ocil_service_enabled(service="docker") }}}' -+ -+platform: machine -diff --git a/linux_os/guide/services/mail/group.yml b/linux_os/guide/services/mail/group.yml -index 97ddf50..13f9730 100644 ---- a/linux_os/guide/services/mail/group.yml -+++ b/linux_os/guide/services/mail/group.yml -@@ -23,3 +23,5 @@ description: |- - Postfix was coded with security in mind and can also be more effectively contained by - SELinux as its modular design has resulted in separate processes performing specific actions. - More information is available on its website, {{{ weblink(link="http://www.postfix.org") }}}. -+ -+platform: machine -diff --git a/linux_os/guide/services/ntp/group.yml b/linux_os/guide/services/ntp/group.yml -index c85ac8c..737b7f4 100644 ---- a/linux_os/guide/services/ntp/group.yml -+++ b/linux_os/guide/services/ntp/group.yml -@@ -55,3 +55,5 @@ description: |- - The upstream manual pages at {{{ weblink(link="http://chrony.tuxfamily.org/manual.html") }}} for - chronyd and {{{ weblink(link="http://www.ntp.org") }}} for ntpd provide additional - information on the capabilities and configuration of each of the NTP daemons. 
-+ -+platform: machine -diff --git a/linux_os/guide/services/ssh/group.yml b/linux_os/guide/services/ssh/group.yml -index 8919c8c..feb65ee 100644 ---- a/linux_os/guide/services/ssh/group.yml -+++ b/linux_os/guide/services/ssh/group.yml -@@ -12,3 +12,5 @@ description: |- - {{{ weblink(link="http://www.openssh.org") }}}. Its server program - is called sshd and provided by the RPM package - openssh-server. -+ -+platform: machine -diff --git a/linux_os/guide/services/sssd/group.yml b/linux_os/guide/services/sssd/group.yml -index 49bfab9..ce74b3a 100644 ---- a/linux_os/guide/services/sssd/group.yml -+++ b/linux_os/guide/services/sssd/group.yml -@@ -17,3 +17,5 @@ description: |- - {{%- elif product == "rhel6" -%}} - {{{ weblink(link="https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Deployment_Guide/SSSD-Introduction.html") }}} - {{%- endif %}} -+ -+platform: machine -diff --git a/linux_os/guide/services/sssd/sssd-ldap/group.yml b/linux_os/guide/services/sssd/sssd-ldap/group.yml -index a7c4c7d..0428dd1 100644 ---- a/linux_os/guide/services/sssd/sssd-ldap/group.yml -+++ b/linux_os/guide/services/sssd/sssd-ldap/group.yml -@@ -13,3 +13,5 @@ description: |- -

- SSSD can support many backends including LDAP. The sssd-ldap backend - allows SSSD to fetch identity information from an LDAP server. -+ -+platform: machine -diff --git a/linux_os/guide/system/accounts/accounts-physical/disable_ctrlaltdel_reboot.rule b/linux_os/guide/system/accounts/accounts-physical/disable_ctrlaltdel_reboot.rule -index beb9a4d..52e6a26 100644 ---- a/linux_os/guide/system/accounts/accounts-physical/disable_ctrlaltdel_reboot.rule -+++ b/linux_os/guide/system/accounts/accounts-physical/disable_ctrlaltdel_reboot.rule -@@ -82,3 +82,5 @@ warnings: - key sequence if running in runlevel 6 (e.g. in GNOME, KDE, etc.)! The - Ctrl-Alt-Del key sequence will only be disabled if running in - the non-graphical runlevel 3. -+ -+platform: machine -diff --git a/linux_os/guide/system/accounts/accounts-physical/grub2_disable_interactive_boot.rule b/linux_os/guide/system/accounts/accounts-physical/grub2_disable_interactive_boot.rule -index 165bf92..d8d9116 100644 ---- a/linux_os/guide/system/accounts/accounts-physical/grub2_disable_interactive_boot.rule -+++ b/linux_os/guide/system/accounts/accounts-physical/grub2_disable_interactive_boot.rule -@@ -36,3 +36,5 @@ ocil: |- - systemd.confirm_spawn=(1|yes|true|on) in the kernel boot arguments. - Presence of a systemd.confirm_spawn=(1|yes|true|on) indicates - that interactive boot is enabled at boot time. -+ -+platform: machine -diff --git a/linux_os/guide/system/accounts/accounts-physical/require_singleuser_auth.rule b/linux_os/guide/system/accounts/accounts-physical/require_singleuser_auth.rule -index 3d752e2..12d547d 100644 ---- a/linux_os/guide/system/accounts/accounts-physical/require_singleuser_auth.rule -+++ b/linux_os/guide/system/accounts/accounts-physical/require_singleuser_auth.rule -@@ -66,3 +66,5 @@ ocil: |- - ExecStart and /sbin/sulogin: -
ExecStart=-/sbin/sulogin
- {{% endif %}} -+ -+platform: machine -diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/package_screen_installed.rule b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/package_screen_installed.rule -index 56c2464..d721694 100644 ---- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/package_screen_installed.rule -+++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/package_screen_installed.rule -@@ -41,3 +41,5 @@ references: - ocil_clause: 'the package is not installed' - - ocil: '{{{ ocil_package(package="screen") }}}' -+ -+platform: machine -diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/install_smartcard_packages.rule b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/install_smartcard_packages.rule -index 815097b..5c58455 100644 ---- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/install_smartcard_packages.rule -+++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/install_smartcard_packages.rule -@@ -37,3 +37,5 @@ ocil: |- - To verify the operating system has the packages required for multifactor - authentication installed, run the following command: -
$ sudo yum list installed esc pam_pkcs11 authconfig-gtk
-+ -+platform: machine -diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/smartcard_auth.rule b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/smartcard_auth.rule -index 5b01b62..e4c0870 100644 ---- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/smartcard_auth.rule -+++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/smartcard_auth.rule -@@ -41,3 +41,5 @@ references: - ocil_clause: 'non-exempt accounts are not using CAC authentication' - - ocil: "Interview the SA to determine if all accounts not exempted by policy are\nusing CAC authentication.\nFor DoD systems, the following systems and accounts are exempt from using\nsmart card (CAC) authentication:\n
    \n
  • SIPRNET systems
  • \n
  • Standalone systems
  • \n
  • Application accounts
  • \n
  • Temporary employee accounts, such as students or interns, who cannot easily receive a CAC or PIV
  • \n
  • Operational tactical locations that are not collocated with RAPIDS workstations to issue CAC or ALT
  • \n
  • Test systems, such as those with an Interim Approval to Test (IATT) and use a separate VPN, firewall, or security measure preventing access to network and system components from outside the protection boundary documented in the IATT.
  • \n
" -+ -+platform: machine -diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/smartcard_configure_cert_checking.rule b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/smartcard_configure_cert_checking.rule -index 9af1126..c68db6d 100644 ---- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/smartcard_configure_cert_checking.rule -+++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/smartcard_configure_cert_checking.rule -@@ -42,3 +42,5 @@ ocil: |- -
cert_policy = ca, ocsp_on, signature;
-     cert_policy = ca, ocsp_on, signature;
-     cert_policy = ca, ocsp_on, signature;
-+ -+platform: machine -diff --git a/linux_os/guide/system/accounts/accounts-physical/service_debug-shell_disabled.rule b/linux_os/guide/system/accounts/accounts-physical/service_debug-shell_disabled.rule -index a2be942..184571c 100644 ---- a/linux_os/guide/system/accounts/accounts-physical/service_debug-shell_disabled.rule -+++ b/linux_os/guide/system/accounts/accounts-physical/service_debug-shell_disabled.rule -@@ -31,3 +31,5 @@ references: - ospp@rhel7: FIA_AFL.1 - - ocil: '{{{ ocil_service_disabled(service="debug-shell") }}}' -+ -+platform: machine -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_chmod.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_chmod.rule -index f1cd259..98fb3f8 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_chmod.rule -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_chmod.rule -@@ -57,3 +57,5 @@ warnings: - number of ways while still achieving the desired effect. Here the system calls - have been placed independent of other system calls. Grouping these system - calls with others as identifying earlier in this guide is more efficient. -+ -+platform: machine -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_chown.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_chown.rule -index bc765d3..77be3c4 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_chown.rule -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_chown.rule -@@ -55,3 +55,5 @@ warnings: - number of ways while still achieving the desired effect. 
Here the system calls - have been placed independent of other system calls. Grouping these system - calls with others as identifying earlier in this guide is more efficient. -+ -+platform: machine -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchmod.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchmod.rule -index 62f9d31..e530ea9 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchmod.rule -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchmod.rule -@@ -55,3 +55,5 @@ warnings: - number of ways while still achieving the desired effect. Here the system calls - have been placed independent of other system calls. Grouping these system - calls with others as identifying earlier in this guide is more efficient. -+ -+platform: machine -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchmodat.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchmodat.rule -index 6a3db98..2410fc9 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchmodat.rule -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchmodat.rule -@@ -55,3 +55,5 @@ warnings: - number of ways while still achieving the desired effect. Here the system calls - have been placed independent of other system calls. Grouping these system - calls with others as identifying earlier in this guide is more efficient. 
-+ -+platform: machine -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchown.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchown.rule -index b4ffe52..4f0c7e7 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchown.rule -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchown.rule -@@ -55,3 +55,5 @@ warnings: - number of ways while still achieving the desired effect. Here the system calls - have been placed independent of other system calls. Grouping these system - calls with others as identifying earlier in this guide is more efficient. -+ -+platform: machine -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchownat.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchownat.rule -index 5a3435d..12d51f8 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchownat.rule -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchownat.rule -@@ -55,3 +55,5 @@ warnings: - number of ways while still achieving the desired effect. Here the system calls - have been placed independent of other system calls. Grouping these system - calls with others as identifying earlier in this guide is more efficient. 
-+ -+platform: machine -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fremovexattr.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fremovexattr.rule -index ad029f1..b0ff227 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fremovexattr.rule -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fremovexattr.rule -@@ -61,3 +61,5 @@ warnings: - number of ways while still achieving the desired effect. Here the system calls - have been placed independent of other system calls. Grouping these system - calls with others as identifying earlier in this guide is more efficient. -+ -+platform: machine -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fsetxattr.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fsetxattr.rule -index e9cd1f9..4e19015 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fsetxattr.rule -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fsetxattr.rule -@@ -55,3 +55,5 @@ warnings: - number of ways while still achieving the desired effect. Here the system calls - have been placed independent of other system calls. Grouping these system - calls with others as identifying earlier in this guide is more efficient. 
-+ -+platform: machine -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lchown.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lchown.rule -index 5cfd606..39fb8bd 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lchown.rule -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lchown.rule -@@ -55,3 +55,5 @@ warnings: - number of ways while still achieving the desired effect. Here the system calls - have been placed independent of other system calls. Grouping these system - calls with others as identifying earlier in this guide is more efficient. -+ -+platform: machine -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lremovexattr.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lremovexattr.rule -index 72311d8..52d0c85 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lremovexattr.rule -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lremovexattr.rule -@@ -61,3 +61,5 @@ warnings: - number of ways while still achieving the desired effect. Here the system calls - have been placed independent of other system calls. Grouping these system - calls with others as identifying earlier in this guide is more efficient. 
-+ -+platform: machine -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lsetxattr.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lsetxattr.rule -index f84b153..f7ffae4 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lsetxattr.rule -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lsetxattr.rule -@@ -55,3 +55,5 @@ warnings: - number of ways while still achieving the desired effect. Here the system calls - have been placed independent of other system calls. Grouping these system - calls with others as identifying earlier in this guide is more efficient. -+ -+platform: machine -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_removexattr.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_removexattr.rule -index 6bd3dfc..3ff38cf 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_removexattr.rule -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_removexattr.rule -@@ -60,3 +60,5 @@ warnings: - number of ways while still achieving the desired effect. Here the system calls - have been placed independent of other system calls. Grouping these system - calls with others as identifying earlier in this guide is more efficient. 
-+ -+platform: machine -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_setxattr.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_setxattr.rule -index eaec4c5..da633bd 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_setxattr.rule -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_setxattr.rule -@@ -55,3 +55,5 @@ warnings: - number of ways while still achieving the desired effect. Here the system calls - have been placed independent of other system calls. Grouping these system - calls with others as identifying earlier in this guide is more efficient. -+ -+platform: machine -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/group.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/group.yml -index 0de3ac0..0be694d 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/group.yml -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/group.yml -@@ -19,3 +19,5 @@ description: |- -
-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=4294967295 -F key=perm_mod
-         -a always,exit -F arch=b64 -S chown,fchown,fchownat,lchown -F auid>=1000 -F auid!=4294967295 -F key=perm_mod
-         -a always,exit -F arch=b64 -S setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod
-+ -+platform: machine -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_chcon.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_chcon.rule -index 8e40014..f2c7891 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_chcon.rule -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_chcon.rule -@@ -47,3 +47,5 @@ ocil: |- -
$ sudo grep "path=/usr/bin/chcon" /etc/audit/audit.rules /etc/audit/rules.d/*
- The output should return something similar to: -
-a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged-priv_change
-+ -+platform: machine -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_restorecon.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_restorecon.rule -index 2a97b84..ea42555 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_restorecon.rule -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_restorecon.rule -@@ -46,3 +46,5 @@ ocil: |- -
$ sudo grep "path=/usr/sbin/restorecon" /etc/audit/audit.rules /etc/audit/rules.d/*
- The output should return something similar to: -
-a always,exit -F path=/usr/sbin/restorecon -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged-priv_change
-+ -+platform: machine -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_semanage.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_semanage.rule -index c2aedce..dd62afa 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_semanage.rule -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_semanage.rule -@@ -47,3 +47,5 @@ ocil: |- -
$ sudo grep "path=/usr/sbin/semanage" /etc/audit/audit.rules /etc/audit/rules.d/*
- The output should return something similar to: -
-a always,exit -F path=/usr/sbin/semanage -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged-priv_change
-+ -+platform: machine -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_setsebool.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_setsebool.rule -index 247453e..2804b8d 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_setsebool.rule -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_setsebool.rule -@@ -47,3 +47,5 @@ ocil: |- -
$ sudo grep "path=/usr/sbin/setsebool" /etc/audit/audit.rules /etc/audit/rules.d/*
- The output should return something similar to: -
-a always,exit -F path=/usr/sbin/setsebool -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged-priv_change
-+ -+platform: machine -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events.rule -index 346cd5a..d110f8a 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events.rule -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events.rule -@@ -65,3 +65,5 @@ warnings: -
  • audit_rules_file_deletion_events_unlink
  • -
  • audit_rules_file_deletion_events_unlinkat
  • - -+ -+platform: machine -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_rename.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_rename.rule -index e9948eb..51b1d54 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_rename.rule -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_rename.rule -@@ -40,3 +40,5 @@ references: - stigid@rhel7: "030880" - - {{{ complete_ocil_entry_audit_syscall(syscall="rename") }}} -+ -+platform: machine -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_renameat.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_renameat.rule -index 82c93a2..96133fc 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_renameat.rule -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_renameat.rule -@@ -40,3 +40,5 @@ references: - stigid@rhel7: "030890" - - {{{ complete_ocil_entry_audit_syscall(syscall="renameat") }}} -+ -+platform: machine -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_rmdir.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_rmdir.rule -index 419cb05..21abd3a 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_rmdir.rule -+++ 
b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_rmdir.rule -@@ -40,3 +40,5 @@ references: - stigid@rhel7: "030900" - - {{{ complete_ocil_entry_audit_syscall(syscall="rmdir") }}} -+ -+platform: machine -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_unlink.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_unlink.rule -index cfd3553..25c2ec2 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_unlink.rule -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_unlink.rule -@@ -40,3 +40,5 @@ references: - stigid@rhel7: "030910" - - {{{ complete_ocil_entry_audit_syscall(syscall="unlink") }}} -+ -+platform: machine -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_unlinkat.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_unlinkat.rule -index 217a3cb..390a4e5 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_unlinkat.rule -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_unlinkat.rule -@@ -40,3 +40,5 @@ references: - stigid@rhel7: "030920" - - {{{ complete_ocil_entry_audit_syscall(syscall="unlinkat") }}} -+ -+platform: machine -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_delete.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_delete.rule -index f6a5e3e..370fbab 100644 
---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_delete.rule -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_delete.rule -@@ -38,3 +38,5 @@ references: - stigid@rhel7: "030830" - - {{{ complete_ocil_entry_audit_syscall(syscall="delete_module") }}} -+ -+platform: machine -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_finit.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_finit.rule -index 4ce4f24..d86680d 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_finit.rule -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_finit.rule -@@ -36,3 +36,5 @@ references: - stigid@rhel7: "030821" - - {{{ complete_ocil_entry_audit_syscall(syscall="finit_module") }}} -+ -+platform: machine -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_init.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_init.rule -index 8b73da7..01de6c8 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_init.rule -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_init.rule -@@ -37,3 +37,5 @@ references: - stigid@rhel7: "030820" - - {{{ complete_ocil_entry_audit_syscall(syscall="init_module") }}} -+ -+platform: machine -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_insmod.rule 
b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_insmod.rule -index 3c4e05f..9610d30 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_insmod.rule -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_insmod.rule -@@ -41,3 +41,5 @@ ocil_clause: 'there is not output' - ocil: |- - To verify that auditing is configured for system administrator actions, run the following command: -
    $ sudo auditctl -l | grep "watch=/usr/sbin/insmod"
    -+ -+platform: machine -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_modprobe.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_modprobe.rule -index 8ce37aa..bd266b8 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_modprobe.rule -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_modprobe.rule -@@ -41,3 +41,5 @@ ocil_clause: 'there is not output' - ocil: |- - To verify that auditing is configured for system administrator actions, run the following command: -
    $ sudo auditctl -l | grep "watch=/usr/sbin/modprobe"
    -+ -+platform: machine -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_rmmod.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_rmmod.rule -index 7ab7824..b913129 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_rmmod.rule -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_rmmod.rule -@@ -41,3 +41,5 @@ ocil_clause: 'there is not output' - ocil: |- - To verify that auditing is configured for system administrator actions, run the following command: -
    $ sudo auditctl -l | grep "watch=/usr/sbin/rmmod"
    -+ -+platform: machine -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events.rule -index a2bd65f..11d187d 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events.rule -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events.rule -@@ -53,3 +53,5 @@ warnings: -
  • audit_rules_login_events_faillock
  • -
  • audit_rules_login_events_lastlog
  • - -+ -+platform: machine -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_faillock.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_faillock.rule -index 78f9d91..b730fdd 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_faillock.rule -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_faillock.rule -@@ -43,3 +43,5 @@ ocil_clause: 'there is not output' - ocil: |- - To verify that auditing is configured for system administrator actions, run the following command: -
    $ sudo auditctl -l | grep "watch=/var/log/faillock"
    -+ -+platform: machine -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_lastlog.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_lastlog.rule -index 6c1919d..83c5cb7 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_lastlog.rule -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_lastlog.rule -@@ -43,3 +43,5 @@ ocil_clause: 'there is not output' - ocil: |- - To verify that auditing is configured for system administrator actions, run the following command: -
    $ sudo auditctl -l | grep "watch=/var/log/lastlog"
    -+ -+platform: machine -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_tallylog.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_tallylog.rule -index b0eed40..9a9770a 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_tallylog.rule -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_tallylog.rule -@@ -43,3 +43,5 @@ ocil_clause: 'there is not output' - ocil: |- - To verify that auditing is configured for system administrator actions, run the following command: -
    $ sudo auditctl -l | grep "watch=/var/log/tallylog"
    -+ -+platform: machine -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands.rule -index a1408e9..3815429 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands.rule -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands.rule -@@ -81,3 +81,5 @@ warnings: -
  • audit_rules_privileged_commands_umount
  • -
  • audit_rules_privileged_commands_passwd
  • - -+ -+platform: machine -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_chage.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_chage.rule -index c2d56b1..9d6c828 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_chage.rule -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_chage.rule -@@ -48,3 +48,5 @@ ocil: |- - following command: -
    $ sudo grep chage /etc/audit/audit.rules /etc/audit/rules.d/*
    - It should return a relevant line in the audit rules. -+ -+platform: machine -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_chsh.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_chsh.rule -index 4c81432..ac5c38a 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_chsh.rule -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_chsh.rule -@@ -48,3 +48,5 @@ ocil: |- - following command: -
    $ sudo grep chsh /etc/audit/audit.rules /etc/audit/rules.d/*
    - It should return a relevant line in the audit rules. -+ -+platform: machine -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_crontab.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_crontab.rule -index 5baa248..03bcb6c 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_crontab.rule -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_crontab.rule -@@ -48,3 +48,5 @@ ocil: |- - following command: -
    $ sudo grep crontab /etc/audit/audit.rules /etc/audit/rules.d/*
    - It should return a relevant line in the audit rules. -+ -+platform: machine -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_gpasswd.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_gpasswd.rule -index cb856fa..5c8c407 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_gpasswd.rule -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_gpasswd.rule -@@ -49,3 +49,5 @@ ocil: |- - following command: -
    $ sudo grep gpasswd /etc/audit/audit.rules /etc/audit/rules.d/*
    - It should return a relevant line in the audit rules. -+ -+platform: machine -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_newgrp.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_newgrp.rule -index 32f0182..b8f8e5c 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_newgrp.rule -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_newgrp.rule -@@ -49,3 +49,5 @@ ocil: |- - following command: -
    $ sudo grep newgrp /etc/audit/audit.rules /etc/audit/rules.d/*
    - It should return a relevant line in the audit rules. -+ -+platform: machine -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_pam_timestamp_check.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_pam_timestamp_check.rule -index 7219c00..fda2e0c 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_pam_timestamp_check.rule -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_pam_timestamp_check.rule -@@ -48,3 +48,5 @@ ocil: |- - following command: -
    $ sudo grep pam_timestamp_check /etc/audit/audit.rules /etc/audit/rules.d/*
    - It should return a relevant line in the audit rules. -+ -+platform: machine -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_passwd.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_passwd.rule -index 8466855..cb41772 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_passwd.rule -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_passwd.rule -@@ -49,3 +49,5 @@ ocil: |- - following command: -
    $ sudo grep passwd /etc/audit/audit.rules /etc/audit/rules.d/*
    - It should return a relevant line in the audit rules. -+ -+platform: machine -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_postdrop.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_postdrop.rule -index b648c05..6f3f787 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_postdrop.rule -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_postdrop.rule -@@ -48,3 +48,5 @@ ocil: |- - following command: -
    $ sudo grep postdrop /etc/audit/audit.rules /etc/audit/rules.d/*
    - It should return a relevant line in the audit rules. -+ -+platform: machine -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_postqueue.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_postqueue.rule -index eadb5f9..d6f4eeb 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_postqueue.rule -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_postqueue.rule -@@ -48,3 +48,5 @@ ocil: |- - following command: -
    $ sudo grep postqueue /etc/audit/audit.rules /etc/audit/rules.d/*
    - It should return a relevant line in the audit rules. -+ -+platform: machine -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_pt_chown.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_pt_chown.rule -index 600608b..21e0a11 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_pt_chown.rule -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_pt_chown.rule -@@ -46,3 +46,5 @@ ocil: |- - following command: -
    $ sudo grep pt_chown /etc/audit/audit.rules /etc/audit/rules.d/*
    - It should return a relevant line in the audit rules. -+ -+platform: machine -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_ssh_keysign.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_ssh_keysign.rule -index 07b6ecc..fa7ff2b 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_ssh_keysign.rule -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_ssh_keysign.rule -@@ -49,3 +49,5 @@ ocil: |- - following command: -
    $ sudo grep ssh-keysign /etc/audit/audit.rules /etc/audit/rules.d/*
    - It should return a relevant line in the audit rules. -+ -+platform: machine -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_su.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_su.rule -index 5e7c3fc..d791805 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_su.rule -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_su.rule -@@ -49,3 +49,5 @@ ocil: |- - following command: -
    $ sudo grep su /etc/audit/audit.rules /etc/audit/rules.d/*
    - It should return a relevant line in the audit rules. -+ -+platform: machine -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_sudo.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_sudo.rule -index b9c1c7a..e8b3585 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_sudo.rule -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_sudo.rule -@@ -49,3 +49,5 @@ ocil: |- - following command: -
    $ sudo grep sudo /etc/audit/audit.rules /etc/audit/rules.d/*
    - It should return a relevant line in the audit rules. -+ -+platform: machine -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_sudoedit.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_sudoedit.rule -index 176de59..8984a84 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_sudoedit.rule -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_sudoedit.rule -@@ -49,3 +49,5 @@ ocil: |- - following command: -
    $ sudo grep sudoedit /etc/audit/audit.rules /etc/audit/rules.d/*
    - It should return a relevant line in the audit rules. -+ -+platform: machine -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_umount.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_umount.rule -index d0fe096..5b636ea 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_umount.rule -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_umount.rule -@@ -48,3 +48,5 @@ ocil: |- - following command: -
    $ sudo grep umount /etc/audit/audit.rules /etc/audit/rules.d/*
    - It should return a relevant line in the audit rules. -+ -+platform: machine -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_unix_chkpwd.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_unix_chkpwd.rule -index 61e6cc6..205bf97 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_unix_chkpwd.rule -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_unix_chkpwd.rule -@@ -49,3 +49,5 @@ ocil: |- - following command: -
    $ sudo grep unix_chkpwd /etc/audit/audit.rules /etc/audit/rules.d/*
    - It should return a relevant line in the audit rules. -+ -+platform: machine -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_userhelper.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_userhelper.rule -index 83bec28..91f31f3 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_userhelper.rule -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_userhelper.rule -@@ -49,3 +49,5 @@ ocil: |- - following command: -
    $ sudo grep userhelper /etc/audit/audit.rules /etc/audit/rules.d/*
    - It should return a relevant line in the audit rules. -+ -+platform: machine -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_immutable.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_immutable.rule -index 991abcf..2c42c74 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_immutable.rule -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_immutable.rule -@@ -37,3 +37,5 @@ references: - hipaa: 164.308(a)(1)(ii)(D),164.308(a)(3)(ii)(A),164.308(a)(5)(ii)(C),164.312(a)(2)(i),164.310(a)(2)(iv),164.312(d),164.310(d)(2)(iii),164.312(b),164.312(e) - nist: AC-6,AU-1(b),AU-2(a),AU-2(c),AU-2(d),IR-5 - pcidss: Req-10.5.2 -+ -+platform: machine -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_mac_modification.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_mac_modification.rule -index 7c4018b..5952dbb 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_mac_modification.rule -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_mac_modification.rule -@@ -47,3 +47,5 @@ ocil: |- - If the system is configured to watch for changes to its SELinux - configuration, a line should be returned (including - perm=wa indicating permissions that are watched). -+ -+platform: machine -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_media_export.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_media_export.rule -index f1d9d6c..28c64ca 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_media_export.rule -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_media_export.rule -@@ -50,3 +50,5 @@ ocil_clause: 'there is not output' - ocil: |- - To verify that auditing is configured for all media exportation events, run the following command: -
    $ sudo auditctl -l | grep syscall | grep mount
    -+ -+platform: machine -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_networkconfig_modification.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_networkconfig_modification.rule -index 3bda57f..55e1893 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_networkconfig_modification.rule -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_networkconfig_modification.rule -@@ -55,3 +55,5 @@ ocil: |- -
    auditctl -l | egrep '(/etc/issue|/etc/issue.net|/etc/hosts|/etc/sysconfig/network)'
    - If the system is configured to watch for network configuration changes, a line should be returned for - each file specified (and perm=wa should be indicated for each). -+ -+platform: machine -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_session_events.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_session_events.rule -index e63f61a..017a053 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_session_events.rule -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_session_events.rule -@@ -41,3 +41,5 @@ references: - nist: AC-17(7),AU-1(b),AU-2(a),AU-2(c),AU-2(d),AU-12(a),AU-12(c),IR-5 - ospp@rhel7: FAU_GEN.1.1.c - pcidss: Req-10.2.3 -+ -+platform: machine -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sysadmin_actions.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sysadmin_actions.rule -index 15c33a2..3be1932 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sysadmin_actions.rule -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sysadmin_actions.rule -@@ -47,3 +47,5 @@ ocil_clause: 'there is not output' - ocil: |- - To verify that auditing is configured for system administrator actions, run the following command: -
    $ sudo auditctl -l | grep "watch=/etc/sudoers\|watch=/etc/sudoers.d"
    -+ -+platform: machine -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown.rule -index a01adea..d40c9df 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown.rule -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown.rule -@@ -46,3 +46,5 @@ ocil: |- -
    $ sudo grep "\-f 2" /etc/audit/audit.rules
    - The output should contain: -
    -f 2
    -+ -+platform: machine -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification.rule -index b8716ef..2838470 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification.rule -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification.rule -@@ -68,3 +68,5 @@ warnings: -
  • audit_rules_usergroup_modification_gshadow
  • -
  • audit_rules_usergroup_modification_passwd
  • - -+ -+platform: machine -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_group.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_group.rule -index f161b14..143e63b 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_group.rule -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_group.rule -@@ -52,3 +52,5 @@ ocil: |- -

    - If the system is configured to watch for account changes, lines should be returned for - each file specified (and with perm=wa for each). -+ -+platform: machine -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_gshadow.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_gshadow.rule -index f9ae466..5e14989 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_gshadow.rule -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_gshadow.rule -@@ -52,3 +52,5 @@ ocil: |- -

    - If the system is configured to watch for account changes, lines should be returned for - each file specified (and with perm=wa for each). -+ -+platform: machine -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_opasswd.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_opasswd.rule -index 4b02de3..9e7ce3d 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_opasswd.rule -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_opasswd.rule -@@ -52,3 +52,5 @@ ocil: |- -

    - If the system is configured to watch for account changes, lines should be returned for - each file specified (and with perm=wa for each). -+ -+platform: machine -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_passwd.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_passwd.rule -index 2940549..76bce57 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_passwd.rule -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_passwd.rule -@@ -52,3 +52,5 @@ ocil: |- -

    - If the system is configured to watch for account changes, lines should be returned for - each file specified (and with perm=wa for each). -+ -+platform: machine -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_shadow.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_shadow.rule -index 0925d21..74819f5 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_shadow.rule -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_shadow.rule -@@ -52,3 +52,5 @@ ocil: |- -

    - If the system is configured to watch for account changes, lines should be returned for - each file specified (and with perm=wa for each). -+ -+platform: machine -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_adjtimex.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_adjtimex.rule -index 67ce61f..9dc2ceb 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_adjtimex.rule -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_adjtimex.rule -@@ -51,3 +51,5 @@ references: - ocil_clause: 'the system is not configured to audit time changes' - - {{{ complete_ocil_entry_audit_syscall(syscall="adjtimex") }}} -+ -+platform: machine -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_clock_settime.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_clock_settime.rule -index 136c6ef..436f5f0 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_clock_settime.rule -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_clock_settime.rule -@@ -51,3 +51,5 @@ references: - ocil_clause: 'the system is not configured to audit time changes' - - {{{ complete_ocil_entry_audit_syscall(syscall="clock_settime") }}} -+ -+platform: machine -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_settimeofday.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_settimeofday.rule -index 4003f25..22ec976 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_settimeofday.rule -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_settimeofday.rule -@@ 
-51,3 +51,5 @@ references: - ocil_clause: 'the system is not configured to audit time changes' - - {{{ complete_ocil_entry_audit_syscall(syscall="settimeofday") }}} -+ -+platform: machine -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_stime.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_stime.rule -index d55c9a4..0572156 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_stime.rule -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_stime.rule -@@ -57,3 +57,5 @@ ocil: |- - If the system is not configured to audit time changes, this is a finding. - If the system is 64-bit only, this is not applicable
    - {{{ complete_ocil_entry_audit_syscall(syscall="stime") }}} -+ -+platform: machine -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_watch_localtime.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_watch_localtime.rule -index 70ce059..2fb8f7d 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_watch_localtime.rule -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_watch_localtime.rule -@@ -50,3 +50,5 @@ ocil: |- - command: -
    $ sudo auditctl -l | grep "watch=/etc/localtime"
    - If the system is configured to audit this activity, it will return a line. -+ -+platform: machine -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification.rule -index 0151c6e..ea42793 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification.rule -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification.rule -@@ -69,3 +69,5 @@ warnings: -
  • audit_rules_unsuccessful_file_modification_ftruncate
  • -
  • audit_rules_unsuccessful_file_modification_creat
  • - -+ -+platform: machine -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_creat.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_creat.rule -index f04df40..a328ff9 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_creat.rule -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_creat.rule -@@ -54,3 +54,5 @@ warnings: - number of ways while still achieving the desired effect. Here the system calls - have been placed independent of other system calls. Grouping these system - calls with others as identifying earlier in this guide is more efficient. -+ -+platform: machine -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_ftruncate.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_ftruncate.rule -index ba75654..6229398 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_ftruncate.rule -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_ftruncate.rule -@@ -54,3 +54,5 @@ warnings: - number of ways while still achieving the desired effect. Here the system calls - have been placed independent of other system calls. Grouping these system - calls with others as identifying earlier in this guide is more efficient. 
-+ -+platform: machine -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_open.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_open.rule -index 6f07e27..13f12fe 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_open.rule -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_open.rule -@@ -54,3 +54,5 @@ warnings: - number of ways while still achieving the desired effect. Here the system calls - have been placed independent of other system calls. Grouping these system - calls with others as identifying earlier in this guide is more efficient. -+ -+platform: machine -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_open_by_handle_at.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_open_by_handle_at.rule -index c5adccc..ce4193a 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_open_by_handle_at.rule -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_open_by_handle_at.rule -@@ -54,3 +54,5 @@ warnings: - number of ways while still achieving the desired effect. Here the system calls - have been placed independent of other system calls. Grouping these system - calls with others as identifying earlier in this guide is more efficient. 
-+ -+platform: machine -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_openat.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_openat.rule -index 4281e37..6f3c38a 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_openat.rule -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_openat.rule -@@ -54,3 +54,5 @@ warnings: - number of ways while still achieving the desired effect. Here the system calls - have been placed independent of other system calls. Grouping these system - calls with others as identifying earlier in this guide is more efficient. -+ -+platform: machine -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_truncate.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_truncate.rule -index 97d81f5..f6e0263 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_truncate.rule -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_truncate.rule -@@ -54,3 +54,5 @@ warnings: - number of ways while still achieving the desired effect. Here the system calls - have been placed independent of other system calls. Grouping these system - calls with others as identifying earlier in this guide is more efficient. 
-+ -+platform: machine -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/file_ownership_var_log_audit.rule b/linux_os/guide/system/auditing/auditd_configure_rules/file_ownership_var_log_audit.rule -index c3f6674..14d41d0 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/file_ownership_var_log_audit.rule -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/file_ownership_var_log_audit.rule -@@ -33,3 +33,5 @@ references: - ocil: |- - {{{ describe_file_owner(file="/var/log/audit", owner="root") }}} - {{{ describe_file_owner(file="/var/log/audit/*", owner="root") }}} -+ -+platform: machine -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/file_permissions_var_log_audit.rule b/linux_os/guide/system/auditing/auditd_configure_rules/file_permissions_var_log_audit.rule -index f9dc5f1..319b1bb 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/file_permissions_var_log_audit.rule -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/file_permissions_var_log_audit.rule -@@ -35,3 +35,5 @@ ocil: |- - Run the following command to check the mode of the system audit logs: -
    $ sudo ls -l /var/log/audit
    - Audit logs must be mode 0640 or less permissive. -+ -+platform: machine -diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_configure_remote_server.rule b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_configure_remote_server.rule -index a2c1e28..94af473 100644 ---- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_configure_remote_server.rule -+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_configure_remote_server.rule -@@ -37,3 +37,5 @@ ocil: |- - The output should return something similar to where REMOTE_SYSTEM - is an IP address or hostname: -
    remote_server = REMOTE_SYSTEM
    -+ -+platform: machine -diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_disk_full_action.rule b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_disk_full_action.rule -index fafa442..502843d 100644 ---- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_disk_full_action.rule -+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_disk_full_action.rule -@@ -40,3 +40,5 @@ ocil: |- -
    disk_full_action = single
    - Acceptable values also include syslog and - halt. -+ -+platform: machine -diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_encrypt_sent_records.rule b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_encrypt_sent_records.rule -index 94292ff..07d36df 100644 ---- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_encrypt_sent_records.rule -+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_encrypt_sent_records.rule -@@ -34,3 +34,5 @@ ocil: |- -
    $ sudo grep -i enable_krb5 /etc/audisp/audisp-remote.conf
    - The output should return the following: -
    enable_krb5 = yes
    -+ -+platform: machine -diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_network_failure_action.rule b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_network_failure_action.rule -index 65cb5c2..7fc5566 100644 ---- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_network_failure_action.rule -+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_network_failure_action.rule -@@ -40,3 +40,5 @@ ocil: |- -
    network_failure_action = single
    - Acceptable values also include syslog and - halt. -+ -+platform: machine -diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_syslog_plugin_activated.rule b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_syslog_plugin_activated.rule -index 75edf6a..c2891ab 100644 ---- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_syslog_plugin_activated.rule -+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_syslog_plugin_activated.rule -@@ -40,3 +40,5 @@ ocil: |- - To verify the audispd's syslog plugin is active, run the following command: -
    $ sudo grep active /etc/audisp/plugins.d/syslog.conf
    - If the plugin is active, the output will show yes. -+ -+platform: machine -diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_action_mail_acct.rule b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_action_mail_acct.rule -index 692f804..cabdc03 100644 ---- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_action_mail_acct.rule -+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_action_mail_acct.rule -@@ -43,3 +43,5 @@ ocil: |- - determine if the system is configured to send email to an - account when it needs to notify an administrator: -
    action_mail_acct = root
    -+ -+platform: machine -diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_admin_space_left_action.rule b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_admin_space_left_action.rule -index bf07cff..7bad632 100644 ---- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_admin_space_left_action.rule -+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_admin_space_left_action.rule -@@ -48,3 +48,5 @@ ocil: |- - determine if the system is configured to either suspend, switch to single user mode, - or halt when disk space has run low: -
    admin_space_left_action single
    -+ -+platform: machine -diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_flush.rule b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_flush.rule -index 3a5b3ce..5475a85 100644 ---- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_flush.rule -+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_flush.rule -@@ -37,3 +37,5 @@ ocil: |- -
    flush = DATA
    - Acceptable values are DATA, and SYNC. The setting is - case-insensitive. -+ -+platform: machine -diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_max_log_file.rule b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_max_log_file.rule -index faa46bf..06ec11d 100644 ---- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_max_log_file.rule -+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_max_log_file.rule -@@ -40,3 +40,5 @@ ocil: |- - determine how much data the system will retain in each audit log file: - $ sudo grep max_log_file /etc/audit/auditd.conf -
    max_log_file = 6
    -+ -+platform: machine -diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_max_log_file_action.rule b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_max_log_file_action.rule -index a6b6277..609ca46 100644 ---- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_max_log_file_action.rule -+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_max_log_file_action.rule -@@ -51,3 +51,5 @@ ocil: |- - maximum size: - $ sudo grep max_log_file_action /etc/audit/auditd.conf -
    max_log_file_action rotate
    -+ -+platform: machine -diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_num_logs.rule b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_num_logs.rule -index bf61ee0..5b1debc 100644 ---- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_num_logs.rule -+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_num_logs.rule -@@ -39,3 +39,5 @@ ocil: |- - determine how many logs the system is configured to retain after rotation: - $ sudo grep num_logs /etc/audit/auditd.conf -
    num_logs = 5
    -+ -+platform: machine -diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left.rule b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left.rule -index ac6bed0..d86ae02 100644 ---- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left.rule -+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left.rule -@@ -39,3 +39,5 @@ ocil: |- - Inspect /etc/audit/auditd.conf and locate the following line to - determine if the system is configured correctly: -
    space_left SIZE_in_MB
    -+ -+platform: machine -diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left_action.rule b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left_action.rule -index eb70dd0..7b4360f 100644 ---- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left_action.rule -+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left_action.rule -@@ -57,3 +57,5 @@ ocil: |- - $ sudo grep space_left_action /etc/audit/auditd.conf -
    space_left_action
    - Acceptable values are email, suspend, single, and halt. -+ -+platform: machine -diff --git a/linux_os/guide/system/auditing/grub2_audit_argument.rule b/linux_os/guide/system/auditing/grub2_audit_argument.rule -index 68d4f49..29c451c 100644 ---- a/linux_os/guide/system/auditing/grub2_audit_argument.rule -+++ b/linux_os/guide/system/auditing/grub2_audit_argument.rule -@@ -57,3 +57,5 @@ warnings: -
  • On UEFI-based machines, issue the following command as root: -
    ~]# grub2-mkconfig -o /boot/efi/EFI/redhat/grub.cfg
  • - -+ -+platform: machine -diff --git a/linux_os/guide/system/auditing/service_auditd_enabled.rule b/linux_os/guide/system/auditing/service_auditd_enabled.rule -index b2dd85f..ce32390 100644 ---- a/linux_os/guide/system/auditing/service_auditd_enabled.rule -+++ b/linux_os/guide/system/auditing/service_auditd_enabled.rule -@@ -41,3 +41,5 @@ references: - stigid@rhel7: "030000" - - ocil: '{{{ ocil_service_enabled(service="auditd") }}}' -+ -+platform: machine -diff --git a/linux_os/guide/system/bootloader-grub2/file_permissions_efi_grub2_cfg.rule b/linux_os/guide/system/bootloader-grub2/file_permissions_efi_grub2_cfg.rule -index 95c4589..02ee38d 100644 ---- a/linux_os/guide/system/bootloader-grub2/file_permissions_efi_grub2_cfg.rule -+++ b/linux_os/guide/system/bootloader-grub2/file_permissions_efi_grub2_cfg.rule -@@ -27,3 +27,5 @@ ocil: |- -
    $ sudo ls -lL /boot/efi/EFI/redhat/grub.cfg
    - If properly configured, the output should indicate the following - permissions: -rwx------ -+ -+platform: machine -diff --git a/linux_os/guide/system/bootloader-grub2/file_permissions_grub2_cfg.rule b/linux_os/guide/system/bootloader-grub2/file_permissions_grub2_cfg.rule -index 306a6c5..02e2515 100644 ---- a/linux_os/guide/system/bootloader-grub2/file_permissions_grub2_cfg.rule -+++ b/linux_os/guide/system/bootloader-grub2/file_permissions_grub2_cfg.rule -@@ -31,3 +31,5 @@ ocil: |- -
    $ sudo ls -lL /boot/grub2/grub.cfg
    - If properly configured, the output should indicate the following - permissions: -rw-------
-+
-+platform: machine
-diff --git a/linux_os/guide/system/bootloader-grub2/group.yml b/linux_os/guide/system/bootloader-grub2/group.yml
-index 81807fc..fe35833 100644
---- a/linux_os/guide/system/bootloader-grub2/group.yml
-+++ b/linux_os/guide/system/bootloader-grub2/group.yml
-@@ -14,3 +14,5 @@ description: |-
- parameters and endangering security, protect the boot loader configuration
- with a password and ensure its configuration file's permissions
- are set properly.
-+
-+platform: machine
-diff --git a/linux_os/guide/system/logging/group.yml b/linux_os/guide/system/logging/group.yml
-index f089e86..345043e 100644
---- a/linux_os/guide/system/logging/group.yml
-+++ b/linux_os/guide/system/logging/group.yml
-@@ -19,3 +19,5 @@ description: |-
- This section discusses how to configure rsyslog for
- best effect, and how to use tools provided with the system to maintain and
- monitor logs.
-+
-+platform: machine
-diff --git a/linux_os/guide/system/network/network-firewalld/group.yml b/linux_os/guide/system/network/network-firewalld/group.yml
-index 9512aa9..78bd398 100644
---- a/linux_os/guide/system/network/network-firewalld/group.yml
-+++ b/linux_os/guide/system/network/network-firewalld/group.yml
-@@ -20,3 +20,5 @@ description: |-
- immediately implemented. There is no need to save or apply the changes. No
- unintended disruption of existing network connections occurs as no part of
- the firewall has to be reloaded.
-+
-+platform: machine
-diff --git a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/disabling_ipv6_autoconfig/sysctl_net_ipv6_conf_all_accept_ra.rule b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/disabling_ipv6_autoconfig/sysctl_net_ipv6_conf_all_accept_ra.rule
-index b49d841..eed98e2 100644
---- a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/disabling_ipv6_autoconfig/sysctl_net_ipv6_conf_all_accept_ra.rule
-+++ b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/disabling_ipv6_autoconfig/sysctl_net_ipv6_conf_all_accept_ra.rule
-@@ -20,3 +20,5 @@ references:
- nist: CM-7
- 
- {{{ complete_ocil_entry_sysctl_option_value(sysctl="net.ipv6.conf.all.accept_ra", value="0") }}}
-+
-+platform: machine
-diff --git a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/disabling_ipv6_autoconfig/sysctl_net_ipv6_conf_all_accept_redirects.rule b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/disabling_ipv6_autoconfig/sysctl_net_ipv6_conf_all_accept_redirects.rule
-index 03e5540..fd66ec6 100644
---- a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/disabling_ipv6_autoconfig/sysctl_net_ipv6_conf_all_accept_redirects.rule
-+++ b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/disabling_ipv6_autoconfig/sysctl_net_ipv6_conf_all_accept_redirects.rule
-@@ -21,3 +21,5 @@ references:
- nist: CM-7
- 
- {{{ complete_ocil_entry_sysctl_option_value(sysctl="net.ipv6.conf.all.accept_redirects", value="0") }}}
-+
-+platform: machine
-diff --git a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/disabling_ipv6_autoconfig/sysctl_net_ipv6_conf_all_accept_source_route.rule b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/disabling_ipv6_autoconfig/sysctl_net_ipv6_conf_all_accept_source_route.rule
-index 23cc26a..e643932 100644
---- a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/disabling_ipv6_autoconfig/sysctl_net_ipv6_conf_all_accept_source_route.rule
-+++ b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/disabling_ipv6_autoconfig/sysctl_net_ipv6_conf_all_accept_source_route.rule
-@@ -29,3 +29,5 @@ references:
- stigid@rhel7: "040830"
- 
- {{{ complete_ocil_entry_sysctl_option_value(sysctl="net.ipv6.conf.all.accept_source_route", value="0") }}}
-+
-+platform: machine
-diff --git a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/disabling_ipv6_autoconfig/sysctl_net_ipv6_conf_all_forwarding.rule b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/disabling_ipv6_autoconfig/sysctl_net_ipv6_conf_all_forwarding.rule
-index a3a7e91..48c7ba3 100644
---- a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/disabling_ipv6_autoconfig/sysctl_net_ipv6_conf_all_forwarding.rule
-+++ b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/disabling_ipv6_autoconfig/sysctl_net_ipv6_conf_all_forwarding.rule
-@@ -24,3 +24,5 @@ references:
- ocil: |-
- {{{ ocil_sysctl_option_value(sysctl="net.ipv6.conf.all.forwarding", value="0") }}}
- The ability to forward packets is only appropriate for routers.
-+
-+platform: machine
-diff --git a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/disabling_ipv6_autoconfig/sysctl_net_ipv6_conf_default_accept_ra.rule b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/disabling_ipv6_autoconfig/sysctl_net_ipv6_conf_default_accept_ra.rule
-index 449519d..58305d9 100644
---- a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/disabling_ipv6_autoconfig/sysctl_net_ipv6_conf_default_accept_ra.rule
-+++ b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/disabling_ipv6_autoconfig/sysctl_net_ipv6_conf_default_accept_ra.rule
-@@ -21,3 +21,5 @@ references:
- nist: CM-7
- 
- {{{ complete_ocil_entry_sysctl_option_value(sysctl="net.ipv6.conf.default.accept_ra", value="0") }}}
-+
-+platform: machine
-diff --git a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/disabling_ipv6_autoconfig/sysctl_net_ipv6_conf_default_accept_redirects.rule b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/disabling_ipv6_autoconfig/sysctl_net_ipv6_conf_default_accept_redirects.rule
-index 706f8c1..294fe2a 100644
---- a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/disabling_ipv6_autoconfig/sysctl_net_ipv6_conf_default_accept_redirects.rule
-+++ b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/disabling_ipv6_autoconfig/sysctl_net_ipv6_conf_default_accept_redirects.rule
-@@ -24,3 +24,5 @@ references:
- nist: CM-7
- 
- {{{ complete_ocil_entry_sysctl_option_value(sysctl="net.ipv6.conf.default.accept_redirects", value="0") }}}
-+
-+platform: machine
-diff --git a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/disabling_ipv6_autoconfig/sysctl_net_ipv6_conf_default_accept_source_route.rule b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/disabling_ipv6_autoconfig/sysctl_net_ipv6_conf_default_accept_source_route.rule
-index b2dc1b8..7942d50 100644
---- a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/disabling_ipv6_autoconfig/sysctl_net_ipv6_conf_default_accept_source_route.rule
-+++ b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/disabling_ipv6_autoconfig/sysctl_net_ipv6_conf_default_accept_source_route.rule
-@@ -27,3 +27,5 @@ references:
- nist: AC-4
- 
- {{{ complete_ocil_entry_sysctl_option_value(sysctl="net.ipv6.conf.default.accept_source_route", value="0") }}}
-+
-+platform: machine
-diff --git a/linux_os/guide/system/network/network-ipv6/disabling_ipv6/sysctl_net_ipv6_conf_all_disable_ipv6.rule b/linux_os/guide/system/network/network-ipv6/disabling_ipv6/sysctl_net_ipv6_conf_all_disable_ipv6.rule
-index 9c46fae..9d86019 100644
---- a/linux_os/guide/system/network/network-ipv6/disabling_ipv6/sysctl_net_ipv6_conf_all_disable_ipv6.rule
-+++ b/linux_os/guide/system/network/network-ipv6/disabling_ipv6/sysctl_net_ipv6_conf_all_disable_ipv6.rule
-@@ -30,3 +30,5 @@ references:
- ocil_clause: 'the ipv6 support is disabled on network interfaces'
- 
- ocil: "If the system uses IPv6, this is not applicable.\n

    \nIf the system is configured to prevent the usage of the\nipv6 on network interfaces, it will contain a line\nof the form:\n
    net.ipv6.conf.all.disable_ipv6 = 1
    \nSuch lines may be inside any file in the /etc/sysctl.d directory. \nThis permits insertion of the IPv6 kernel module (which other parts of \nthe system expect to be present), but otherwise keeps all network interfaces\nfrom using IPv6.\nRun the following command to search for such\nlines in all files in /etc/sysctl.d:\n
    $ grep -r ipv6 /etc/sysctl.d
    "
-+
-+platform: machine
-diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_accept_redirects.rule b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_accept_redirects.rule
-index 7287608..89e9074 100644
---- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_accept_redirects.rule
-+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_accept_redirects.rule
-@@ -26,3 +26,5 @@ references:
- stigid@rhel7: "040641"
- 
- {{{ complete_ocil_entry_sysctl_option_value(sysctl="net.ipv4.conf.all.accept_redirects", value="0") }}}
-+
-+platform: machine
-diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_accept_source_route.rule b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_accept_source_route.rule
-index 5b66202..30aa26e 100644
---- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_accept_source_route.rule
-+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_accept_source_route.rule
-@@ -26,3 +26,5 @@ references:
- stigid@rhel7: "040610"
- 
- {{{ complete_ocil_entry_sysctl_option_value(sysctl="net.ipv4.conf.all.accept_source_route", value="0") }}}
-+
-+platform: machine
-diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_log_martians.rule b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_log_martians.rule
-index 4b08783..44b2eda 100644
---- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_log_martians.rule
-+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_log_martians.rule
-@@ -28,3 +28,5 @@ references:
- nist: AC-17(7),CM-7,SC-5(3)
- 
- {{{ complete_ocil_entry_sysctl_option_value(sysctl="net.ipv4.conf.all.log_martians", value="1") }}}
-+
-+platform: machine
-diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter.rule b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter.rule
-index 296f675..f71cd86 100644
---- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter.rule
-+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter.rule
-@@ -28,3 +28,5 @@ references:
- nist: AC-4,SC-5,SC-7
- 
- {{{ complete_ocil_entry_sysctl_option_value(sysctl="net.ipv4.conf.all.rp_filter", value="1") }}}
-+
-+platform: machine
-diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_secure_redirects.rule b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_secure_redirects.rule
-index f23a5a9..7163301 100644
---- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_secure_redirects.rule
-+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_secure_redirects.rule
-@@ -26,3 +26,5 @@ references:
- nist: AC-4,CM-7,SC-5
- 
- {{{ complete_ocil_entry_sysctl_option_value(sysctl="net.ipv4.conf.all.secure_redirects", value="0") }}}
-+
-+platform: machine
-diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_redirects.rule b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_redirects.rule
-index f12a39b..c61122b 100644
---- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_redirects.rule
-+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_redirects.rule
-@@ -26,3 +26,5 @@ references:
- stigid@rhel7: "040640"
- 
- {{{ complete_ocil_entry_sysctl_option_value(sysctl="net.ipv4.conf.default.accept_redirects", value="0") }}}
-+
-+platform: machine
-diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_source_route.rule b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_source_route.rule
-index 8d1ea9e..ca97a79 100644
---- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_source_route.rule
-+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_source_route.rule
-@@ -26,3 +26,5 @@ references:
- stigid@rhel7: "040620"
- 
- {{{ complete_ocil_entry_sysctl_option_value(sysctl="net.ipv4.conf.default.accept_source_route", value="0") }}}
-+
-+platform: machine
-diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_log_martians.rule b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_log_martians.rule
-index b52b71f..6fc91a5 100644
---- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_log_martians.rule
-+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_log_martians.rule
-@@ -24,3 +24,5 @@ references:
- nist: AC-17(7),CM-7,SC-5(3)
- 
- {{{ complete_ocil_entry_sysctl_option_value(sysctl="net.ipv4.conf.default.log_martians", value="1") }}}
-+
-+platform: machine
-diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_rp_filter.rule b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_rp_filter.rule
-index 536963b..146d1e9 100644
---- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_rp_filter.rule
-+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_rp_filter.rule
-@@ -27,3 +27,5 @@ references:
- nist: AC-4,SC-5,SC-7
- 
- {{{ complete_ocil_entry_sysctl_option_value(sysctl="net.ipv4.conf.default.rp_filter", value="1") }}}
-+
-+platform: machine
-diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_secure_redirects.rule b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_secure_redirects.rule
-index 3f5d6ff..ef394a0 100644
---- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_secure_redirects.rule
-+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_secure_redirects.rule
-@@ -26,3 +26,5 @@ references:
- nist: AC-4,CM-7,SC-5,SC-7
- 
- {{{ complete_ocil_entry_sysctl_option_value(sysctl="net.ipv4.conf.default.secure_redirects", value="0") }}}
-+
-+platform: machine
-diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_icmp_echo_ignore_broadcasts.rule b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_icmp_echo_ignore_broadcasts.rule
-index 33b55da..9cd2206 100644
---- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_icmp_echo_ignore_broadcasts.rule
-+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_icmp_echo_ignore_broadcasts.rule
-@@ -32,3 +32,5 @@ references:
- stigid@rhel7: "040630"
- 
- {{{ complete_ocil_entry_sysctl_option_value(sysctl="net.ipv4.icmp_echo_ignore_broadcasts", value="1") }}}
-+
-+platform: machine
-diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_icmp_ignore_bogus_error_responses.rule b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_icmp_ignore_bogus_error_responses.rule
-index 6a19f10..d1b6671 100644
---- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_icmp_ignore_bogus_error_responses.rule
-+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_icmp_ignore_bogus_error_responses.rule
-@@ -24,3 +24,5 @@ references:
- nist: CM-7,SC-5
- 
- {{{ complete_ocil_entry_sysctl_option_value(sysctl="net.ipv4.icmp_ignore_bogus_error_responses", value="1") }}}
-+
-+platform: machine
-diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_tcp_syncookies.rule b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_tcp_syncookies.rule
-index 68dfe68..bce344d 100644
---- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_tcp_syncookies.rule
-+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_tcp_syncookies.rule
-@@ -32,3 +32,5 @@ references:
- srg: SRG-OS-000480-GPOS-00227
- 
- {{{ complete_ocil_entry_sysctl_option_value(sysctl="net.ipv4.tcp_syncookies", value="1") }}}
-+
-+platform: machine
-diff --git a/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_conf_all_send_redirects.rule b/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_conf_all_send_redirects.rule
-index fcd4e0a..1b75c45 100644
---- a/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_conf_all_send_redirects.rule
-+++ b/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_conf_all_send_redirects.rule
-@@ -32,3 +32,5 @@ references:
- stigid@rhel7: "040660"
- 
- {{{ complete_ocil_entry_sysctl_option_value(sysctl="net.ipv4.conf.all.send_redirects", value="0") }}}
-+
-+platform: machine
-diff --git a/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_conf_default_send_redirects.rule b/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_conf_default_send_redirects.rule
-index 76752ad..98a2df7 100644
---- a/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_conf_default_send_redirects.rule
-+++ b/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_conf_default_send_redirects.rule
-@@ -32,3 +32,5 @@ references:
- stigid@rhel7: "040650"
- 
- {{{ complete_ocil_entry_sysctl_option_value(sysctl="net.ipv4.conf.default.send_redirects", value="0") }}}
-+
-+platform: machine
-diff --git a/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_ip_forward.rule b/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_ip_forward.rule
-index 068c595..1935645 100644
---- a/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_ip_forward.rule
-+++ b/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_ip_forward.rule
-@@ -31,3 +31,5 @@ references:
- ocil: |-
- {{{ ocil_sysctl_option_value(sysctl="net.ipv4.ip_forward", value="0") }}}
- The ability to forward packets is only appropriate for routers.
-+
-+platform: machine
-diff --git a/linux_os/guide/system/network/network-uncommon/kernel_module_dccp_disabled.rule b/linux_os/guide/system/network/network-uncommon/kernel_module_dccp_disabled.rule
-index 5fa9b2b..7c8f938 100644
---- a/linux_os/guide/system/network/network-uncommon/kernel_module_dccp_disabled.rule
-+++ b/linux_os/guide/system/network/network-uncommon/kernel_module_dccp_disabled.rule
-@@ -32,3 +32,5 @@ references:
- stigid: "020101"
- 
- {{{ complete_ocil_entry_module_disable(module="dccp") }}}
-+
-+platform: machine
-diff --git a/linux_os/guide/system/network/network-uncommon/kernel_module_sctp_disabled.rule b/linux_os/guide/system/network/network-uncommon/kernel_module_sctp_disabled.rule
-index 07452ee..e739b7c 100644
---- a/linux_os/guide/system/network/network-uncommon/kernel_module_sctp_disabled.rule
-+++ b/linux_os/guide/system/network/network-uncommon/kernel_module_sctp_disabled.rule
-@@ -31,3 +31,5 @@ references:
- nist: CM-7
- 
- {{{ complete_ocil_entry_module_disable(module="sctp") }}}
-+
-+platform: machine
-diff --git a/linux_os/guide/system/network/network-wireless/wireless_software/kernel_module_bluetooth_disabled.rule b/linux_os/guide/system/network/network-wireless/wireless_software/kernel_module_bluetooth_disabled.rule
-index fc3a8cb..2b25185 100644
---- a/linux_os/guide/system/network/network-wireless/wireless_software/kernel_module_bluetooth_disabled.rule
-+++ b/linux_os/guide/system/network/network-wireless/wireless_software/kernel_module_bluetooth_disabled.rule
-@@ -31,3 +31,5 @@ references:
- nist: AC-17(8),AC-18(a),AC-18(d),AC-18(3),CM-7
- 
- {{{ complete_ocil_entry_module_disable(module="bluetooth") }}}
-+
-+platform: machine
-diff --git a/linux_os/guide/system/network/network-wireless/wireless_software/wireless_disable_in_bios.rule b/linux_os/guide/system/network/network-wireless/wireless_software/wireless_disable_in_bios.rule
-index 302b329..4080993 100644
---- a/linux_os/guide/system/network/network-wireless/wireless_software/wireless_disable_in_bios.rule
-+++ b/linux_os/guide/system/network/network-wireless/wireless_software/wireless_disable_in_bios.rule
-@@ -24,3 +24,5 @@ identifiers:
- references:
- disa: "85"
- nist: AC-17(8),AC-18(a),AC-18(d),AC-18(3),CM-7
-+
-+platform: machine
-diff --git a/linux_os/guide/system/permissions/mounting/bios_assign_password.rule b/linux_os/guide/system/permissions/mounting/bios_assign_password.rule
-index 4d226ba..e0d0137 100644
---- a/linux_os/guide/system/permissions/mounting/bios_assign_password.rule
-+++ b/linux_os/guide/system/permissions/mounting/bios_assign_password.rule
-@@ -22,3 +22,5 @@ severity: unknown
- identifiers:
- cce@rhel6: 27131-2
- cce@rhel7: 27194-0
-+
-+platform: machine
-diff --git a/linux_os/guide/system/permissions/mounting/bios_disable_usb_boot.rule b/linux_os/guide/system/permissions/mounting/bios_disable_usb_boot.rule
-index 6f67dc5..7dcf2b7 100644
---- a/linux_os/guide/system/permissions/mounting/bios_disable_usb_boot.rule
-+++ b/linux_os/guide/system/permissions/mounting/bios_disable_usb_boot.rule
-@@ -22,3 +22,5 @@ identifiers:
- references:
- disa: "1250"
- nist: AC-19(a),AC-19(d),AC-19(e)
-+
-+platform: machine
-diff --git a/linux_os/guide/system/permissions/mounting/kernel_module_cramfs_disabled.rule b/linux_os/guide/system/permissions/mounting/kernel_module_cramfs_disabled.rule
-index 25d6507..bb9c4ba 100644
---- a/linux_os/guide/system/permissions/mounting/kernel_module_cramfs_disabled.rule
-+++ b/linux_os/guide/system/permissions/mounting/kernel_module_cramfs_disabled.rule
-@@ -22,3 +22,5 @@ references:
- cis: 1.1.1.1
- cui: 3.4.6
- nist: CM-7
-+
-+platform: machine
-diff --git a/linux_os/guide/system/permissions/mounting/kernel_module_freevxfs_disabled.rule b/linux_os/guide/system/permissions/mounting/kernel_module_freevxfs_disabled.rule
-index 2b6718e..b4bbe6a 100644
---- a/linux_os/guide/system/permissions/mounting/kernel_module_freevxfs_disabled.rule
-+++ b/linux_os/guide/system/permissions/mounting/kernel_module_freevxfs_disabled.rule
-@@ -22,3 +22,5 @@ references:
- cis: 1.1.1.2
- cui: 3.4.6
- nist: CM-7
-+
-+platform: machine
-diff --git a/linux_os/guide/system/permissions/mounting/kernel_module_hfs_disabled.rule b/linux_os/guide/system/permissions/mounting/kernel_module_hfs_disabled.rule
-index 7bd3047..39cd1f9 100644
---- a/linux_os/guide/system/permissions/mounting/kernel_module_hfs_disabled.rule
-+++ b/linux_os/guide/system/permissions/mounting/kernel_module_hfs_disabled.rule
-@@ -22,3 +22,5 @@ references:
- cis: 1.1.1.4
- cui: 3.4.6
- nist: CM-7
-+
-+platform: machine
-diff --git a/linux_os/guide/system/permissions/mounting/kernel_module_hfsplus_disabled.rule b/linux_os/guide/system/permissions/mounting/kernel_module_hfsplus_disabled.rule
-index 313e5f9..a22bb32 100644
---- a/linux_os/guide/system/permissions/mounting/kernel_module_hfsplus_disabled.rule
-+++ b/linux_os/guide/system/permissions/mounting/kernel_module_hfsplus_disabled.rule
-@@ -22,3 +22,5 @@ references:
- cis: 1.1.1.5
- cui: 3.4.6
- nist: CM-7
-+
-+platform: machine
-diff --git a/linux_os/guide/system/permissions/mounting/kernel_module_jffs2_disabled.rule b/linux_os/guide/system/permissions/mounting/kernel_module_jffs2_disabled.rule
-index fdf7fb0..591acf1 100644
---- a/linux_os/guide/system/permissions/mounting/kernel_module_jffs2_disabled.rule
-+++ b/linux_os/guide/system/permissions/mounting/kernel_module_jffs2_disabled.rule
-@@ -22,3 +22,5 @@ references:
- cis: 1.1.1.3
- cui: 3.4.6
- nist: CM-7
-+
-+platform: machine
-diff --git a/linux_os/guide/system/permissions/mounting/kernel_module_squashfs_disabled.rule b/linux_os/guide/system/permissions/mounting/kernel_module_squashfs_disabled.rule
-index e9ddc44..6d83e36 100644
---- a/linux_os/guide/system/permissions/mounting/kernel_module_squashfs_disabled.rule
-+++ b/linux_os/guide/system/permissions/mounting/kernel_module_squashfs_disabled.rule
-@@ -22,3 +22,5 @@ references:
- cis: 1.1.1.6
- cui: 3.4.6
- nist: CM-7
-+
-+platform: machine
-diff --git a/linux_os/guide/system/permissions/mounting/kernel_module_udf_disabled.rule b/linux_os/guide/system/permissions/mounting/kernel_module_udf_disabled.rule
-index 6eb0d21..11c15e6 100644
---- a/linux_os/guide/system/permissions/mounting/kernel_module_udf_disabled.rule
-+++ b/linux_os/guide/system/permissions/mounting/kernel_module_udf_disabled.rule
-@@ -22,3 +22,5 @@ references:
- cis: 1.1.1.7
- cui: 3.4.6
- nist: CM-7
-+
-+platform: machine
-diff --git a/linux_os/guide/system/permissions/mounting/kernel_module_usb-storage_disabled.rule b/linux_os/guide/system/permissions/mounting/kernel_module_usb-storage_disabled.rule
-index 9a8431a..6db6855 100644
---- a/linux_os/guide/system/permissions/mounting/kernel_module_usb-storage_disabled.rule
-+++ b/linux_os/guide/system/permissions/mounting/kernel_module_usb-storage_disabled.rule
-@@ -34,3 +34,5 @@ references:
- stigid@rhel7: "020100"
- 
- {{{ complete_ocil_entry_module_disable(module="usb-storage") }}}
-+
-+platform: machine
-diff --git a/linux_os/guide/system/permissions/partitions/mount_option_dev_shm_nodev.rule b/linux_os/guide/system/permissions/partitions/mount_option_dev_shm_nodev.rule
-index 154c678..3094251 100644
---- a/linux_os/guide/system/permissions/partitions/mount_option_dev_shm_nodev.rule
-+++ b/linux_os/guide/system/permissions/partitions/mount_option_dev_shm_nodev.rule
-@@ -19,3 +19,5 @@ identifiers:
- references:
- cis: 1.1.15
- nist: CM-7,MP-2
-+
-+platform: machine
-diff --git a/linux_os/guide/system/permissions/partitions/mount_option_dev_shm_noexec.rule b/linux_os/guide/system/permissions/partitions/mount_option_dev_shm_noexec.rule
-index 4b2cde4..9cfa2cd 100644
---- a/linux_os/guide/system/permissions/partitions/mount_option_dev_shm_noexec.rule
-+++ b/linux_os/guide/system/permissions/partitions/mount_option_dev_shm_noexec.rule
-@@ -24,3 +24,5 @@ identifiers:
- references:
- cis: 1.1.17
- nist: CM-7,MP-2
-+
-+platform: machine
-diff --git a/linux_os/guide/system/permissions/partitions/mount_option_dev_shm_nosuid.rule b/linux_os/guide/system/permissions/partitions/mount_option_dev_shm_nosuid.rule
-index 91e10cb..9becb14 100644
---- a/linux_os/guide/system/permissions/partitions/mount_option_dev_shm_nosuid.rule
-+++ b/linux_os/guide/system/permissions/partitions/mount_option_dev_shm_nosuid.rule
-@@ -23,3 +23,5 @@ identifiers:
- references:
- cis: 1.1.16
- nist: CM-7,MP-2
-+
-+platform: machine
-diff --git a/linux_os/guide/system/permissions/partitions/mount_option_home_nodev.rule b/linux_os/guide/system/permissions/partitions/mount_option_home_nodev.rule
-index 6af13e5..055d5bc 100644
---- a/linux_os/guide/system/permissions/partitions/mount_option_home_nodev.rule
-+++ b/linux_os/guide/system/permissions/partitions/mount_option_home_nodev.rule
-@@ -20,3 +20,5 @@ severity: unknown
- 
- references:
- cis: 1.1.14
-+
-+platform: machine
-diff --git a/linux_os/guide/system/permissions/partitions/mount_option_home_nosuid.rule b/linux_os/guide/system/permissions/partitions/mount_option_home_nosuid.rule
-index 120f8c5..ee858ee 100644
---- a/linux_os/guide/system/permissions/partitions/mount_option_home_nosuid.rule
-+++ b/linux_os/guide/system/permissions/partitions/mount_option_home_nosuid.rule
-@@ -23,3 +23,5 @@ references:
- cis: 1.1.3
- nist: CM-7,MP-2
- stigid@rhel7: "021000"
-+
-+platform: machine
-diff --git a/linux_os/guide/system/permissions/partitions/mount_option_nodev_nonroot_local_partitions.rule b/linux_os/guide/system/permissions/partitions/mount_option_nodev_nonroot_local_partitions.rule
-index 1766fce..b7f9c2b 100644
---- a/linux_os/guide/system/permissions/partitions/mount_option_nodev_nonroot_local_partitions.rule
-+++ b/linux_os/guide/system/permissions/partitions/mount_option_nodev_nonroot_local_partitions.rule
-@@ -22,3 +22,5 @@ identifiers:
- references:
- cis: 1.1.11
- nist: CM-7
-+
-+platform: machine
-diff --git a/linux_os/guide/system/permissions/partitions/mount_option_nodev_removable_partitions.rule b/linux_os/guide/system/permissions/partitions/mount_option_nodev_removable_partitions.rule
-index f7ebfdb..71569a2 100644
---- a/linux_os/guide/system/permissions/partitions/mount_option_nodev_removable_partitions.rule
-+++ b/linux_os/guide/system/permissions/partitions/mount_option_nodev_removable_partitions.rule
-@@ -27,3 +27,5 @@ identifiers:
- references:
- cis: 1.1.18
- nist: AC-19(a),AC-19(d),AC-19(e),CM-7,MP-2
-+
-+platform: machine
-diff --git a/linux_os/guide/system/permissions/partitions/mount_option_noexec_removable_partitions.rule b/linux_os/guide/system/permissions/partitions/mount_option_noexec_removable_partitions.rule
-index 81724d0..0a8bcaf 100644
---- a/linux_os/guide/system/permissions/partitions/mount_option_noexec_removable_partitions.rule
-+++ b/linux_os/guide/system/permissions/partitions/mount_option_noexec_removable_partitions.rule
-@@ -30,3 +30,5 @@ ocil: |- -
    $ grep -v noexec /etc/fstab
    - The resulting output will show partitions which do not have the noexec flag. Verify all partitions
- in the output are not removable media.
-+
-+platform: machine
-diff --git a/linux_os/guide/system/permissions/partitions/mount_option_nosuid_removable_partitions.rule b/linux_os/guide/system/permissions/partitions/mount_option_nosuid_removable_partitions.rule
-index 9b1a00b..72e2091 100644
---- a/linux_os/guide/system/permissions/partitions/mount_option_nosuid_removable_partitions.rule
-+++ b/linux_os/guide/system/permissions/partitions/mount_option_nosuid_removable_partitions.rule
-@@ -29,3 +29,5 @@ references:
- nist: AC-6,AC-19(a),AC-19(d),AC-19(e),CM-7,MP-2
- srg: SRG-OS-000480-GPOS-00227
- stigid@rhel7: "021010"
-+
-+platform: machine
-diff --git a/linux_os/guide/system/permissions/partitions/mount_option_tmp_nodev.rule b/linux_os/guide/system/permissions/partitions/mount_option_tmp_nodev.rule
-index 783756f..8c84d15 100644
---- a/linux_os/guide/system/permissions/partitions/mount_option_tmp_nodev.rule
-+++ b/linux_os/guide/system/permissions/partitions/mount_option_tmp_nodev.rule
-@@ -19,3 +19,5 @@ identifiers:
- references:
- cis: 1.1.3
- nist: CM-7,MP-2
-+
-+platform: machine
-diff --git a/linux_os/guide/system/permissions/partitions/mount_option_tmp_noexec.rule b/linux_os/guide/system/permissions/partitions/mount_option_tmp_noexec.rule
-index 2a55a62..28160a9 100644
---- a/linux_os/guide/system/permissions/partitions/mount_option_tmp_noexec.rule
-+++ b/linux_os/guide/system/permissions/partitions/mount_option_tmp_noexec.rule
-@@ -26,3 +26,5 @@ references:
- disa@rhel6: '381'
- cis: 1.1.5
- nist: CM-7,MP-2
-+
-+platform: machine
-diff --git a/linux_os/guide/system/permissions/partitions/mount_option_tmp_nosuid.rule b/linux_os/guide/system/permissions/partitions/mount_option_tmp_nosuid.rule
-index c01746c..44248fa 100644
---- a/linux_os/guide/system/permissions/partitions/mount_option_tmp_nosuid.rule
-+++ b/linux_os/guide/system/permissions/partitions/mount_option_tmp_nosuid.rule
-@@ -23,3 +23,5 @@ identifiers:
- references:
- cis: 1.1.4
- nist: CM-7,MP-2
-+
-+platform: machine
-diff --git a/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_bind.rule b/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_bind.rule
-index 3281e0d..5d33657 100644
---- a/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_bind.rule
-+++ b/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_bind.rule
-@@ -20,3 +20,5 @@ identifiers:
- references:
- cis: 1.1.6
- nist: CM-7
-+
-+platform: machine
-diff --git a/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_nodev.rule b/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_nodev.rule
-index 4900ca1..33f6ffe 100644
---- a/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_nodev.rule
-+++ b/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_nodev.rule
-@@ -14,3 +14,5 @@ severity: unknown
- 
- references:
- cis: 1.1.8
-+
-+platform: machine
-diff --git a/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_noexec.rule b/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_noexec.rule
-index 2653ab6..c5a1fef 100644
---- a/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_noexec.rule
-+++ b/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_noexec.rule
-@@ -18,3 +18,5 @@ severity: unknown
- 
- references:
- cis: 1.1.10
-+
-+platform: machine
-diff --git a/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_nosuid.rule b/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_nosuid.rule
-index 72d59c4..8ec2761 100644
---- a/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_nosuid.rule
-+++ b/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_nosuid.rule
-@@ -18,3 +18,5 @@ severity: unknown
- 
- references:
- cis: 1.1.9
-+
-+platform: machine
-diff --git a/linux_os/guide/system/permissions/restrictions/coredumps/sysctl_fs_suid_dumpable.rule b/linux_os/guide/system/permissions/restrictions/coredumps/sysctl_fs_suid_dumpable.rule
-index 0454e0d..ed99f96 100644
---- a/linux_os/guide/system/permissions/restrictions/coredumps/sysctl_fs_suid_dumpable.rule
-+++ b/linux_os/guide/system/permissions/restrictions/coredumps/sysctl_fs_suid_dumpable.rule
-@@ -25,3 +25,5 @@ references:
- nist: SI-11
- 
- {{{ complete_ocil_entry_sysctl_option_value(sysctl="fs.suid_dumpable", value="0") }}}
-+
-+platform: machine
-diff --git a/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_exec_shield.rule b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_exec_shield.rule
-index 3d3b169..9632025 100644
---- a/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_exec_shield.rule
-+++ b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_exec_shield.rule
-@@ -38,3 +38,5 @@ ocil: |- -
    $ sysctl kernel.exec-shield
    - The output should be: - {{{ describe_sysctl_option_value(sysctl="kernel.exec-shield", value="1") }}} -+ -+platform: machine -diff --git a/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_randomize_va_space.rule b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_randomize_va_space.rule -index 6aba5c9..94ef5df 100644 ---- a/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_randomize_va_space.rule -+++ b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_randomize_va_space.rule -@@ -26,3 +26,5 @@ references: - stigid: "040201" - - {{{ complete_ocil_entry_sysctl_option_value(sysctl="kernel.randomize_va_space", value="2") }}} -+ -+platform: machine -diff --git a/linux_os/guide/system/permissions/restrictions/enable_nx/bios_enable_execution_restrictions.rule b/linux_os/guide/system/permissions/restrictions/enable_nx/bios_enable_execution_restrictions.rule -index 318f6b3..778d455 100644 ---- a/linux_os/guide/system/permissions/restrictions/enable_nx/bios_enable_execution_restrictions.rule -+++ b/linux_os/guide/system/permissions/restrictions/enable_nx/bios_enable_execution_restrictions.rule -@@ -23,3 +23,5 @@ identifiers: - references: - cui: 3.1.7 - nist: CM-6(b) -+ -+platform: machine -diff --git a/linux_os/guide/system/permissions/restrictions/enable_nx/install_PAE_kernel_on_x86-32.rule b/linux_os/guide/system/permissions/restrictions/enable_nx/install_PAE_kernel_on_x86-32.rule -index 938b0c8..773f66f 100644 ---- a/linux_os/guide/system/permissions/restrictions/enable_nx/install_PAE_kernel_on_x86-32.rule -+++ b/linux_os/guide/system/permissions/restrictions/enable_nx/install_PAE_kernel_on_x86-32.rule -@@ -39,3 +39,5 @@ warnings: - The kernel-PAE package should not be - installed on older systems that do not support the XD or NX bit, as - 8this may prevent them from booting.8 -+ -+platform: machine -diff --git 
a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_dmesg_restrict.rule b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_dmesg_restrict.rule -index eab021a..1574cc4 100644 ---- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_dmesg_restrict.rule -+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_dmesg_restrict.rule -@@ -21,3 +21,5 @@ references: - nist: SI-11 - - {{{ complete_ocil_entry_sysctl_option_value(sysctl="kernel.dmesg_restrict", value="1") }}} -+ -+platform: machine -diff --git a/linux_os/guide/system/selinux/docker_selinux_enabled.rule b/linux_os/guide/system/selinux/docker_selinux_enabled.rule -index 400d66c..4cf537b 100644 ---- a/linux_os/guide/system/selinux/docker_selinux_enabled.rule -+++ b/linux_os/guide/system/selinux/docker_selinux_enabled.rule -@@ -23,3 +23,5 @@ severity: high - - identifiers: - cce@rhel7: 80442-7 -+ -+platform: machine -diff --git a/linux_os/guide/system/selinux/selinux_confinement_of_daemons.rule b/linux_os/guide/system/selinux/selinux_confinement_of_daemons.rule -index 179955d..226d4bf 100644 ---- a/linux_os/guide/system/selinux/selinux_confinement_of_daemons.rule -+++ b/linux_os/guide/system/selinux/selinux_confinement_of_daemons.rule -@@ -29,3 +29,5 @@ references: - cui: 3.1.2,3.1.5,3.7.2 - hipaa: 164.308(a)(1)(ii)(D),164.308(a)(3),164.308(a)(4),164.310(b),164.310(c),164.312(a),164.312(e) - nist: AC-6,AU-9,CM-7 -+ -+platform: machine -diff --git a/linux_os/guide/system/selinux/selinux_policytype.rule b/linux_os/guide/system/selinux/selinux_policytype.rule -index 08b0fe0..c5048b5 100644 ---- a/linux_os/guide/system/selinux/selinux_policytype.rule -+++ b/linux_os/guide/system/selinux/selinux_policytype.rule -@@ -48,3 +48,5 @@ ocil_clause: 'it does not' - ocil: |- - Check the file /etc/selinux/config and ensure the following line appears: -
    SELINUXTYPE=
    -+ -+platform: machine -diff --git a/linux_os/guide/system/selinux/selinux_state.rule b/linux_os/guide/system/selinux/selinux_state.rule -index 2f4f1c5..3612c21 100644 ---- a/linux_os/guide/system/selinux/selinux_state.rule -+++ b/linux_os/guide/system/selinux/selinux_state.rule -@@ -39,3 +39,5 @@ ocil_clause: 'SELINUX is not set to enforcing' - ocil: |- - Check the file /etc/selinux/config and ensure the following line appears: -
    SELINUX=
    -+ -+platform: machine -diff --git a/linux_os/guide/system/software/disk_partitioning/encrypt_partitions.rule b/linux_os/guide/system/software/disk_partitioning/encrypt_partitions.rule -index 1caa1e2..f4c47f6 100644 ---- a/linux_os/guide/system/software/disk_partitioning/encrypt_partitions.rule -+++ b/linux_os/guide/system/software/disk_partitioning/encrypt_partitions.rule -@@ -67,3 +67,5 @@ ocil: |- - " TYPE="crypto_LUKS" -

    - Pseudo-file systems, such as /proc, /sys, and tmpfs, are not required to use disk encryption and are not a finding. -+ -+platform: machine -diff --git a/linux_os/guide/system/software/disk_partitioning/partition_for_home.rule b/linux_os/guide/system/software/disk_partitioning/partition_for_home.rule -index d3c01f1..77d204a 100644 ---- a/linux_os/guide/system/software/disk_partitioning/partition_for_home.rule -+++ b/linux_os/guide/system/software/disk_partitioning/partition_for_home.rule -@@ -33,3 +33,5 @@ references: - stigid@rhel7: "021310" - - {{{ complete_ocil_entry_separate_partition(part="/home") }}} -+ -+platform: machine -diff --git a/linux_os/guide/system/software/disk_partitioning/partition_for_tmp.rule b/linux_os/guide/system/software/disk_partitioning/partition_for_tmp.rule -index 0c2c3d4..0297192 100644 ---- a/linux_os/guide/system/software/disk_partitioning/partition_for_tmp.rule -+++ b/linux_os/guide/system/software/disk_partitioning/partition_for_tmp.rule -@@ -32,3 +32,5 @@ references: - stigid@rhel7: "021340" - - {{{ complete_ocil_entry_separate_partition(part="/tmp") }}} -+ -+platform: machine -diff --git a/linux_os/guide/system/software/disk_partitioning/partition_for_var.rule b/linux_os/guide/system/software/disk_partitioning/partition_for_var.rule -index 5b57cec..234d08a 100644 ---- a/linux_os/guide/system/software/disk_partitioning/partition_for_var.rule -+++ b/linux_os/guide/system/software/disk_partitioning/partition_for_var.rule -@@ -34,3 +34,5 @@ references: - stigid@rhel7: "021320" - - {{{ complete_ocil_entry_separate_partition(part="/var") }}} -+ -+platform: machine -diff --git a/linux_os/guide/system/software/disk_partitioning/partition_for_var_log.rule b/linux_os/guide/system/software/disk_partitioning/partition_for_var_log.rule -index 451daa6..70ced03 100644 ---- a/linux_os/guide/system/software/disk_partitioning/partition_for_var_log.rule -+++ b/linux_os/guide/system/software/disk_partitioning/partition_for_var_log.rule -@@ 
-28,3 +28,5 @@ references: - nist: AU-9,SC-32 - - {{{ complete_ocil_entry_separate_partition(part="/var/log") }}} -+ -+platform: machine -diff --git a/linux_os/guide/system/software/disk_partitioning/partition_for_var_log_audit.rule b/linux_os/guide/system/software/disk_partitioning/partition_for_var_log_audit.rule -index e3b9238..632b1ff 100644 ---- a/linux_os/guide/system/software/disk_partitioning/partition_for_var_log_audit.rule -+++ b/linux_os/guide/system/software/disk_partitioning/partition_for_var_log_audit.rule -@@ -37,3 +37,5 @@ references: - stigid@rhel7: "021330" - - {{{ complete_ocil_entry_separate_partition(part="/var/log/audit") }}} -+ -+platform: machine -diff --git a/linux_os/guide/system/software/disk_partitioning/partition_for_var_tmp.rule b/linux_os/guide/system/software/disk_partitioning/partition_for_var_tmp.rule -index 1beb3ff..ec180e2 100644 ---- a/linux_os/guide/system/software/disk_partitioning/partition_for_var_tmp.rule -+++ b/linux_os/guide/system/software/disk_partitioning/partition_for_var_tmp.rule -@@ -20,3 +20,5 @@ references: - cis: 1.1.7 - - {{{ complete_ocil_entry_separate_partition(part="/var/tmp") }}} -+ -+platform: machine -diff --git a/linux_os/guide/system/software/gnome/enable_dconf_user_profile.rule b/linux_os/guide/system/software/gnome/enable_dconf_user_profile.rule -index 9bd6a0b..604a8c6 100644 ---- a/linux_os/guide/system/software/gnome/enable_dconf_user_profile.rule -+++ b/linux_os/guide/system/software/gnome/enable_dconf_user_profile.rule -@@ -26,3 +26,5 @@ ocil: |- - system-db:local - system-db:site - system-db:distro -+ -+platform: machine -diff --git a/linux_os/guide/system/software/gnome/gnome_login_screen/dconf_gnome_disable_restart_shutdown.rule b/linux_os/guide/system/software/gnome/gnome_login_screen/dconf_gnome_disable_restart_shutdown.rule -index 860a2c9..4bea499 100644 ---- a/linux_os/guide/system/software/gnome/gnome_login_screen/dconf_gnome_disable_restart_shutdown.rule -+++ 
b/linux_os/guide/system/software/gnome/gnome_login_screen/dconf_gnome_disable_restart_shutdown.rule -@@ -32,3 +32,5 @@ ocil: |- - To ensure that users cannot enable disable and restart on the login screen, run the following: -
    $ grep disable-restart-buttons /etc/dconf/db/gdm.d/locks/*
    - If properly configured, the output should be /org/gnome/login-screen/disable-restart-buttons -+ -+platform: machine -diff --git a/linux_os/guide/system/software/gnome/gnome_login_screen/dconf_gnome_disable_user_list.rule b/linux_os/guide/system/software/gnome/gnome_login_screen/dconf_gnome_disable_user_list.rule -index 504c187..450c9b5 100644 ---- a/linux_os/guide/system/software/gnome/gnome_login_screen/dconf_gnome_disable_user_list.rule -+++ b/linux_os/guide/system/software/gnome/gnome_login_screen/dconf_gnome_disable_user_list.rule -@@ -28,3 +28,5 @@ ocil: |- - To ensure that users cannot enable displaying the user list, run the following: -
    $ grep disable-user-list /etc/dconf/db/gdm.d/locks/*
    - If properly configured, the output should be /org/gnome/login-screen/disable-user-list -+ -+platform: machine -diff --git a/linux_os/guide/system/software/gnome/gnome_login_screen/dconf_gnome_enable_smartcard_auth.rule b/linux_os/guide/system/software/gnome/gnome_login_screen/dconf_gnome_enable_smartcard_auth.rule -index 176b811..690f330 100644 ---- a/linux_os/guide/system/software/gnome/gnome_login_screen/dconf_gnome_enable_smartcard_auth.rule -+++ b/linux_os/guide/system/software/gnome/gnome_login_screen/dconf_gnome_enable_smartcard_auth.rule -@@ -44,3 +44,5 @@ ocil: |- - To ensure that users cannot disable smart card authentication on the login screen, run the following: -
    $ grep enable-smartcard-authentication /etc/dconf/db/gdm.d/locks/*
    - If properly configured, the output should be /org/gnome/login-screen/enable-smartcard-authentication -+ -+platform: machine -diff --git a/linux_os/guide/system/software/gnome/gnome_login_screen/dconf_gnome_login_retries.rule b/linux_os/guide/system/software/gnome/gnome_login_screen/dconf_gnome_login_retries.rule -index 8297e04..4631a4e 100644 ---- a/linux_os/guide/system/software/gnome/gnome_login_screen/dconf_gnome_login_retries.rule -+++ b/linux_os/guide/system/software/gnome/gnome_login_screen/dconf_gnome_login_retries.rule -@@ -31,3 +31,5 @@ ocil: |- - number of failures on the login screen, run the following: -
    $ grep allowed-failures /etc/dconf/db/gdm.d/locks/*
    - If properly configured, the output should be /org/gnome/login-screen/allowed-failures -+ -+platform: machine -diff --git a/linux_os/guide/system/software/gnome/gnome_login_screen/gnome_gdm_disable_automatic_login.rule b/linux_os/guide/system/software/gnome/gnome_login_screen/gnome_gdm_disable_automatic_login.rule -index 7170686..62e6d7e 100644 ---- a/linux_os/guide/system/software/gnome/gnome_login_screen/gnome_gdm_disable_automatic_login.rule -+++ b/linux_os/guide/system/software/gnome/gnome_login_screen/gnome_gdm_disable_automatic_login.rule -@@ -38,3 +38,5 @@ ocil: |- - The output should show the following: -
    [daemon]
    -     AutomaticLoginEnable=false
    -+ -+platform: machine -diff --git a/linux_os/guide/system/software/gnome/gnome_login_screen/gnome_gdm_disable_guest_login.rule b/linux_os/guide/system/software/gnome/gnome_login_screen/gnome_gdm_disable_guest_login.rule -index 6390e10..dd13252 100644 ---- a/linux_os/guide/system/software/gnome/gnome_login_screen/gnome_gdm_disable_guest_login.rule -+++ b/linux_os/guide/system/software/gnome/gnome_login_screen/gnome_gdm_disable_guest_login.rule -@@ -38,3 +38,5 @@ ocil: |- - The output should show the following: -
    [daemon]
    -     TimedLoginEnable=false
    -+ -+platform: machine -diff --git a/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount.rule b/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount.rule -index b3cfbcd..75422b0 100644 ---- a/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount.rule -+++ b/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount.rule -@@ -53,3 +53,5 @@ ocil: |- - If properly configured, the output for automount should be /org/gnome/desktop/media-handling/automount - If properly configured, the output for automount-open should be /org/gnome/desktop/media-handling/auto-open - If properly configured, the output for autorun-never should be /org/gnome/desktop/media-handling/autorun-never -+ -+platform: machine -diff --git a/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_thumbnailers.rule b/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_thumbnailers.rule -index 6b1fd19..bfbfe01 100644 ---- a/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_thumbnailers.rule -+++ b/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_thumbnailers.rule -@@ -45,3 +45,5 @@ ocil: |- - To ensure that users cannot how long until the the screensaver locks, run the following: -
    $ grep disable-all /etc/dconf/db/local.d/locks/*
    - If properly configured, the output should be /org/gnome/desktop/thumbnailers/disable-all -+ -+platform: machine -diff --git a/linux_os/guide/system/software/gnome/gnome_network_settings/dconf_gnome_disable_wifi_create.rule b/linux_os/guide/system/software/gnome/gnome_network_settings/dconf_gnome_disable_wifi_create.rule -index 0478e57..37ed712 100644 ---- a/linux_os/guide/system/software/gnome/gnome_network_settings/dconf_gnome_disable_wifi_create.rule -+++ b/linux_os/guide/system/software/gnome/gnome_network_settings/dconf_gnome_disable_wifi_create.rule -@@ -40,3 +40,5 @@ ocil: |- -
    $ grep wifi-create /etc/dconf/db/local.d/locks/*
    - If properly configured, the output should be - /org/gnome/nm-applet/disable-wifi-create -+ -+platform: machine -diff --git a/linux_os/guide/system/software/gnome/gnome_network_settings/dconf_gnome_disable_wifi_notification.rule b/linux_os/guide/system/software/gnome/gnome_network_settings/dconf_gnome_disable_wifi_notification.rule -index 04867c8..e704c6e 100644 ---- a/linux_os/guide/system/software/gnome/gnome_network_settings/dconf_gnome_disable_wifi_notification.rule -+++ b/linux_os/guide/system/software/gnome/gnome_network_settings/dconf_gnome_disable_wifi_notification.rule -@@ -42,3 +42,5 @@ ocil: |- -
    $ grep wireless-networks-available /etc/dconf/db/local.d/locks/*
    - If properly configured, the output should be - /org/gnome/nm-applet/suppress-wireless-networks-available -+ -+platform: machine -diff --git a/linux_os/guide/system/software/gnome/gnome_remote_access_settings/dconf_gnome_remote_access_credential_prompt.rule b/linux_os/guide/system/software/gnome/gnome_remote_access_settings/dconf_gnome_remote_access_credential_prompt.rule -index f2603b6..9891ea5 100644 ---- a/linux_os/guide/system/software/gnome/gnome_remote_access_settings/dconf_gnome_remote_access_credential_prompt.rule -+++ b/linux_os/guide/system/software/gnome/gnome_remote_access_settings/dconf_gnome_remote_access_credential_prompt.rule -@@ -41,3 +41,5 @@ ocil: |- -
    $ grep authentication-methods /etc/dconf/db/local.d/locks/*
    - If properly configured, the output should be - /org/gnome/Vino/authentication-methods -+ -+platform: machine -diff --git a/linux_os/guide/system/software/gnome/gnome_remote_access_settings/dconf_gnome_remote_access_encryption.rule b/linux_os/guide/system/software/gnome/gnome_remote_access_settings/dconf_gnome_remote_access_encryption.rule -index e9a8b35..bda2f5c 100644 ---- a/linux_os/guide/system/software/gnome/gnome_remote_access_settings/dconf_gnome_remote_access_encryption.rule -+++ b/linux_os/guide/system/software/gnome/gnome_remote_access_settings/dconf_gnome_remote_access_encryption.rule -@@ -45,3 +45,5 @@ ocil: |- -
    $ grep require-encryption /etc/dconf/db/local.d/locks/*
    - If properly configured, the output should be - /org/gnome/Vino/require-encryption -+ -+platform: machine -diff --git a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_idle_activation_enabled.rule b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_idle_activation_enabled.rule -index 736bca4..ac5a8cb 100644 ---- a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_idle_activation_enabled.rule -+++ b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_idle_activation_enabled.rule -@@ -43,3 +43,5 @@ ocil: |- - To ensure that users cannot disable the screensaver idle inactivity setting, run the following: -
    $ grep idle-activation-enabled /etc/dconf/db/local.d/locks/*
    - If properly configured, the output should be /org/gnome/desktop/screensaver/idle-activation-enabled -+ -+platform: machine -diff --git a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_idle_delay.rule b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_idle_delay.rule -index fb02c5b..21d6261 100644 ---- a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_idle_delay.rule -+++ b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_idle_delay.rule -@@ -50,3 +50,5 @@ ocil: |- - To ensure that users cannot change the screensaver inactivity timeout setting, run the following: -
    $ grep idle-delay /etc/dconf/db/local.d/locks/*
    - If properly configured, the output should be /org/gnome/desktop/session/idle-delay -+ -+platform: machine -diff --git a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_lock_delay.rule b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_lock_delay.rule -index dd8f391..aa55f86 100644 ---- a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_lock_delay.rule -+++ b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_lock_delay.rule -@@ -34,3 +34,5 @@ ocil: |- - To ensure that users cannot change how long until the the screensaver locks, run the following: -
    $ grep lock-delay /etc/dconf/db/local.d/locks/*
    - If properly configured, the output for lock-delay should be /org/gnome/desktop/screensaver/lock-delay -+ -+platform: machine -diff --git a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_lock_enabled.rule b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_lock_enabled.rule -index b337b44..ba2f4e9 100644 ---- a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_lock_enabled.rule -+++ b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_lock_enabled.rule -@@ -45,3 +45,5 @@ ocil: |- - To ensure that users cannot change how long until the the screensaver locks, run the following: -
    $ grep lock-enabled /etc/dconf/db/local.d/locks/*
    - If properly configured, the output for lock-enabled should be /org/gnome/desktop/screensaver/lock-enabled -+ -+platform: machine -diff --git a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_mode_blank.rule b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_mode_blank.rule -index f75dd46..a7e32c9 100644 ---- a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_mode_blank.rule -+++ b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_mode_blank.rule -@@ -44,3 +44,5 @@ ocil: |- - To ensure that users cannot set the screensaver background, run the following: -
    $ grep picture-uri /etc/dconf/db/local.d/locks/*
    - If properly configured, the output should be /org/gnome/desktop/screensaver/picture-uri -+ -+platform: machine -diff --git a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_user_info.rule b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_user_info.rule -index acf6d64..80fd5e1 100644 ---- a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_user_info.rule -+++ b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_user_info.rule -@@ -40,3 +40,5 @@ ocil: |- - To ensure that users cannot enable user name on the lock screen, run the following: -
    $ grep show-full-name-in-top-bar /etc/dconf/db/local.d/locks/*
    - If properly configured, the output should be /org/gnome/desktop/screensaver/show-full-name-in-top-bar -+ -+platform: machine -diff --git a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_user_locks.rule b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_user_locks.rule -index 1459ef1..1d0c897 100644 ---- a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_user_locks.rule -+++ b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_user_locks.rule -@@ -39,3 +39,5 @@ ocil: |- -
    $ grep 'lock-delay' /etc/dconf/db/local.d/locks/*
    - If properly configured, the output should return: - /org/gnome/desktop/screensaver/lock-delay -+ -+platform: machine -diff --git a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_session_idle_user_locks.rule b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_session_idle_user_locks.rule -index b467e33..895cfc4 100644 ---- a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_session_idle_user_locks.rule -+++ b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_session_idle_user_locks.rule -@@ -39,3 +39,5 @@ ocil: |- -
    $ grep 'idle-delay' /etc/dconf/db/local.d/locks/*
    - If properly configured, the output should return: - /org/gnome/desktop/session/idle-delay -+ -+platform: machine -diff --git a/linux_os/guide/system/software/gnome/gnome_system_settings/dconf_gnome_disable_ctrlaltdel_reboot.rule b/linux_os/guide/system/software/gnome/gnome_system_settings/dconf_gnome_disable_ctrlaltdel_reboot.rule -index a6eac82..557d1d5 100644 ---- a/linux_os/guide/system/software/gnome/gnome_system_settings/dconf_gnome_disable_ctrlaltdel_reboot.rule -+++ b/linux_os/guide/system/software/gnome/gnome_system_settings/dconf_gnome_disable_ctrlaltdel_reboot.rule -@@ -35,3 +35,5 @@ ocil: |- -
    $ grep logout /etc/dconf/db/local.d/locks/*
    - If properly configured, the output should be - /org/gnome/settings-daemon/plugins/media-keys/logout -+ -+platform: machine -diff --git a/linux_os/guide/system/software/gnome/gnome_system_settings/dconf_gnome_disable_geolocation.rule b/linux_os/guide/system/software/gnome/gnome_system_settings/dconf_gnome_disable_geolocation.rule -index 29287df..e7d1377 100644 ---- a/linux_os/guide/system/software/gnome/gnome_system_settings/dconf_gnome_disable_geolocation.rule -+++ b/linux_os/guide/system/software/gnome/gnome_system_settings/dconf_gnome_disable_geolocation.rule -@@ -27,3 +27,5 @@ ocil: |- -
    $ grep location /etc/dconf/db/local.d/locks/*
    - If properly configured, the output should be - /org/gnome/system/location/enabled and /org/gnome/clocks/geolocation. -+ -+platform: machine -diff --git a/linux_os/guide/system/software/gnome/gnome_system_settings/dconf_gnome_disable_power_settings.rule b/linux_os/guide/system/software/gnome/gnome_system_settings/dconf_gnome_disable_power_settings.rule -index 45732fc..bed548f 100644 ---- a/linux_os/guide/system/software/gnome/gnome_system_settings/dconf_gnome_disable_power_settings.rule -+++ b/linux_os/guide/system/software/gnome/gnome_system_settings/dconf_gnome_disable_power_settings.rule -@@ -39,3 +39,5 @@ ocil: |- -
    $ grep power /etc/dconf/db/local.d/locks/*
    - If properly configured, the output should be - /org/gnome/settings-daemon/plugins/power/active -+ -+platform: machine -diff --git a/linux_os/guide/system/software/gnome/gnome_system_settings/dconf_gnome_disable_user_admin.rule b/linux_os/guide/system/software/gnome/gnome_system_settings/dconf_gnome_disable_user_admin.rule -index a152d85..0ab59df 100644 ---- a/linux_os/guide/system/software/gnome/gnome_system_settings/dconf_gnome_disable_user_admin.rule -+++ b/linux_os/guide/system/software/gnome/gnome_system_settings/dconf_gnome_disable_user_admin.rule -@@ -45,3 +45,5 @@ ocil: |- -
    $ grep user-administration /etc/dconf/db/local.d/locks/*
    - If properly configured, the output should be - /org/gnome/desktop/lockdown/user-administration-disabled -+ -+platform: machine -diff --git a/linux_os/guide/system/software/integrity/endpoint_security_software/install_antivirus.rule b/linux_os/guide/system/software/integrity/endpoint_security_software/install_antivirus.rule -index 95e9e56..8258357 100644 ---- a/linux_os/guide/system/software/integrity/endpoint_security_software/install_antivirus.rule -+++ b/linux_os/guide/system/software/integrity/endpoint_security_software/install_antivirus.rule -@@ -49,3 +49,5 @@ ocil: |- - To check on the age of uvscan virus definition files, run the following command: -
    $ sudo cd /opt/NAI/LinuxShield/engine/dat
    -     $ sudo ls -la avvscan.dat avvnames.dat avvclean.dat
    -+ -+platform: machine -diff --git a/linux_os/guide/system/software/integrity/endpoint_security_software/install_hids.rule b/linux_os/guide/system/software/integrity/endpoint_security_software/install_hids.rule -index 86b4b02..c46e88e 100644 ---- a/linux_os/guide/system/software/integrity/endpoint_security_software/install_hids.rule -+++ b/linux_os/guide/system/software/integrity/endpoint_security_software/install_hids.rule -@@ -43,3 +43,5 @@ warnings: - detection tools, such as the McAfee Host-based Security System, are available - to integrate with existing infrastructure. When these supplemental tools - interfere with proper functioning of SELinux, SELinux takes precedence. -+ -+platform: machine -diff --git a/linux_os/guide/system/software/integrity/endpoint_security_software/mcafee_security_software/install_mcafee_antivirus.rule b/linux_os/guide/system/software/integrity/endpoint_security_software/mcafee_security_software/install_mcafee_antivirus.rule -index 189e338..0c65b39 100644 ---- a/linux_os/guide/system/software/integrity/endpoint_security_software/mcafee_security_software/install_mcafee_antivirus.rule -+++ b/linux_os/guide/system/software/integrity/endpoint_security_software/mcafee_security_software/install_mcafee_antivirus.rule -@@ -36,3 +36,5 @@ warnings: - - general: |- - Due to McAfee HIPS being 3rd party software, automated - remediation is not available for this configuration check. 
-+ -+platform: machine -diff --git a/linux_os/guide/system/software/integrity/endpoint_security_software/mcafee_security_software/mcafee_antivirus_definitions_updated.rule b/linux_os/guide/system/software/integrity/endpoint_security_software/mcafee_security_software/mcafee_antivirus_definitions_updated.rule -index a88c025..bc7dfc7 100644 ---- a/linux_os/guide/system/software/integrity/endpoint_security_software/mcafee_security_software/mcafee_antivirus_definitions_updated.rule -+++ b/linux_os/guide/system/software/integrity/endpoint_security_software/mcafee_security_software/mcafee_antivirus_definitions_updated.rule -@@ -27,3 +27,5 @@ ocil: |- - To check on the age of McAfee virus definition files, run the following command: -
    $ sudo cd /opt/NAI/LinuxShield/engine/dat
    -     $ sudo ls -la avvscan.dat avvnames.dat avvclean.dat
    -+ -+platform: machine -diff --git a/linux_os/guide/system/software/integrity/endpoint_security_software/mcafee_security_software/service_nails_enabled.rule b/linux_os/guide/system/software/integrity/endpoint_security_software/mcafee_security_software/service_nails_enabled.rule -index ee96935..f68e59e 100644 ---- a/linux_os/guide/system/software/integrity/endpoint_security_software/mcafee_security_software/service_nails_enabled.rule -+++ b/linux_os/guide/system/software/integrity/endpoint_security_software/mcafee_security_software/service_nails_enabled.rule -@@ -24,3 +24,5 @@ references: - srg: SRG-OS-000480-GPOS-00227 - - ocil: '{{{ ocil_service_enabled(service="nails") }}}' -+ -+platform: machine -diff --git a/linux_os/guide/system/software/integrity/fips/grub2_enable_fips_mode.rule b/linux_os/guide/system/software/integrity/fips/grub2_enable_fips_mode.rule -index 4f70107..c1223d6 100644 ---- a/linux_os/guide/system/software/integrity/fips/grub2_enable_fips_mode.rule -+++ b/linux_os/guide/system/software/integrity/fips/grub2_enable_fips_mode.rule -@@ -60,3 +60,5 @@ warnings: -

    - See {{{ weblink(link="http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/1401vend.htm") }}} - for a list of FIPS certified vendors. -+ -+platform: machine -diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_periodic_cron_checking.rule b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_periodic_cron_checking.rule -index 5573351..1a29bac 100644 ---- a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_periodic_cron_checking.rule -+++ b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_periodic_cron_checking.rule -@@ -56,3 +56,5 @@ ocil: |- -
    05 4 * * * root /usr/sbin/aide --check
    - - NOTE: The usage of special cron times, such as @daily or @weekly, is acceptable. -+ -+platform: machine diff --git a/SOURCES/scap-security-guide-0.1.42-rule_yml_platform_tag_support.patch b/SOURCES/scap-security-guide-0.1.42-rule_yml_platform_tag_support.patch deleted file mode 100644 index 0508a9c..0000000 --- a/SOURCES/scap-security-guide-0.1.42-rule_yml_platform_tag_support.patch +++ /dev/null @@ -1,334 +0,0 @@ -commit 7a1fe8125480948e4a15db51b723436da6cd3a7a -Author: Gabriel Becker -Date: Fri Apr 5 09:48:15 2019 +0200 - - Backport files so machine only tests can run. - -diff --git a/example/product.yml b/example/product.yml -new file mode 100644 -index 0000000..32538fa ---- /dev/null -+++ b/example/product.yml -@@ -0,0 +1,13 @@ -+product: example -+full_name: Example -+type: platform -+ -+benchmark_root: "../linux_os/guide" -+ -+profiles_root: "./profiles" -+ -+pkg_manager: "dnf" -+ -+init_system: "systemd" -+ -+cpes: [] -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_group_openat.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_group_openat.rule -index 61bde4d..355fca0 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_group_openat.rule -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_etc_group_openat.rule -@@ -34,3 +34,5 @@ warnings: - have been placed independent of other system calls. Grouping system calls related - to the same event is more efficient. See the following example: -
    -a always,exit -F arch=b32 -S open,openat,open_by_handle_at -F a2&03 -F path=/etc/group -F auid>=1000 -F auid!=unset -F key=group-modify
    -+ -+platform: machine -diff --git a/linux_os/guide/system/auditing/group.yml b/linux_os/guide/system/auditing/group.yml -index 5ea9fee..e052243 100644 ---- a/linux_os/guide/system/auditing/group.yml -+++ b/linux_os/guide/system/auditing/group.yml -@@ -101,3 +101,5 @@ description: |- - the process, which in this case, is exe="/usr/sbin/httpd". - - -+ -+platform: machine -diff --git a/ssg/constants.py b/ssg/constants.py -index 9bef085..da36007 100644 ---- a/ssg/constants.py -+++ b/ssg/constants.py -@@ -4,6 +4,10 @@ from __future__ import print_function - import datetime - import os.path - -+product_directories = ['debian8', 'fedora', 'ol7', 'opensuse', 'rhel6', -+ 'rhel7', 'sle11', 'sle12', 'ubuntu1404', -+ 'ubuntu1604', 'wrlinux', 'rhel-osp7', 'chromium', -+ 'eap6', 'firefox', 'fuse6', 'jre', 'example'] - - JINJA_MACROS_BASE_DEFINITIONS = os.path.join(os.path.dirname(os.path.dirname( - __file__)), "shared", "macros.jinja") -@@ -68,6 +72,11 @@ PKG_MANAGER_TO_SYSTEM = { - "apt_get": "dpkg", - } - -+PKG_MANAGER_TO_CONFIG_FILE = { -+ "yum": "/etc/yum.conf", -+ "dnf": "/etc/dnf/dnf.conf", -+} -+ - RHEL_CENTOS_CPE_MAPPING = { - "cpe:/o:redhat:enterprise_linux:6": "cpe:/o:centos:centos:6", - "cpe:/o:redhat:enterprise_linux:7": "cpe:/o:centos:centos:7", - -commit 6c91ac3b8fbeebe7e8eeabddbf0430f66bd59a0e -Author: Gabriel Becker -Date: Thu Apr 4 17:38:28 2019 +0200 - - Backport of platform support from https://github.com/ComplianceAsCode/content/pull/3576. 
- -diff --git a/ssg/build_yaml.py b/ssg/build_yaml.py -index ea6ffbe..7520a7c 100644 ---- a/ssg/build_yaml.py -+++ b/ssg/build_yaml.py -@@ -6,6 +6,7 @@ import os.path - import datetime - import sys - -+from .constants import XCCDF_PLATFORM_TO_CPE - from .checks import is_cce_valid - from .yaml import open_and_expand, open_and_macro_expand - from .utils import required_key -@@ -382,6 +383,7 @@ class Group(object): - self.values = {} - self.groups = {} - self.rules = {} -+ self.platform = None - - @staticmethod - def from_yaml(yaml_file, env_yaml=None): -@@ -397,6 +399,7 @@ class Group(object): - group.description = required_key(yaml_contents, "description") - del yaml_contents["description"] - group.warnings = yaml_contents.pop("warnings", []) -+ group.platform = yaml_contents.pop("platform", None) - - for warning_list in group.warnings: - if len(warning_list) != 1: -@@ -418,6 +421,14 @@ class Group(object): - add_sub_element(group, 'description', self.description) - add_warning_elements(group, self.warnings) - -+ if self.platform: -+ platform_el = ET.SubElement(group, "platform") -+ try: -+ platform_cpe = XCCDF_PLATFORM_TO_CPE[self.platform] -+ except KeyError: -+ raise ValueError("Unsupported platform '%s' in rule '%s'." 
% (self.platform, self.id_)) -+ platform_el.set("idref", platform_cpe) -+ - for _value in self.values.values(): - group.append(_value.to_xml_element()) - for _group in self.groups.values(): -@@ -440,11 +451,15 @@ class Group(object): - def add_group(self, group): - if group is None: - return -+ if self.platform and not group.platform: -+ group.platform = self.platform - self.groups[group.id_] = group - - def add_rule(self, rule): - if rule is None: - return -+ if self.platform and not rule.platform: -+ rule.platform = self.platform - self.rules[rule.id_] = rule - - def __str__(self): -@@ -467,6 +482,7 @@ class Rule(object): - self.ocil = None - self.external_oval = None - self.warnings = [] -+ self.platform = None - - @staticmethod - def from_yaml(yaml_file, env_yaml=None): -@@ -491,6 +507,7 @@ class Rule(object): - rule.ocil = yaml_contents.pop("ocil", None) - rule.external_oval = yaml_contents.pop("oval_external_content", None) - rule.warnings = yaml_contents.pop("warnings", []) -+ rule.platform = yaml_contents.pop("platform", None) - - for warning_list in rule.warnings: - if len(warning_list) != 1: -@@ -594,6 +611,14 @@ class Rule(object): - - add_warning_elements(rule, self.warnings) - -+ if self.platform: -+ platform_el = ET.SubElement(rule, "platform") -+ try: -+ platform_cpe = XCCDF_PLATFORM_TO_CPE[self.platform] -+ except KeyError: -+ raise ValueError("Unsupported platform '%s' in rule '%s'." 
% (self.platform, self.id_)) -+ platform_el.set("idref", platform_cpe) -+ - return rule - - def to_file(self, file_name): -@@ -663,6 +688,8 @@ def add_from_directory(action, parent_group, guide_directory, profiles_dir, - profiles_dir, env_yaml, bash_remediation_fns) - - if group is not None: -+ if parent_group: -+ parent_group.add_group(group) - for value_yaml in values: - if action == "list-inputs": - print(value_yaml) -@@ -682,9 +709,7 @@ def add_from_directory(action, parent_group, guide_directory, profiles_dir, - rule = Rule.from_yaml(rule_yaml, env_yaml) - group.add_rule(rule) - -- if parent_group: -- parent_group.add_group(group) -- else: -+ if not parent_group: - # We are on the top level! - # Lets dump the XCCDF group or benchmark to a file - if action == "build": -diff --git a/ssg/constants.py b/ssg/constants.py -index 54e5d61..9bef085 100644 ---- a/ssg/constants.py -+++ b/ssg/constants.py -@@ -194,5 +194,10 @@ OCILREFATTR_TO_TAG = { - "question_ref": "question", - } - -+XCCDF_PLATFORM_TO_CPE = { -+ "machine": "cpe:/a:machine", -+ "container": "cpe:/a:container" -+} -+ - # Application constants - DEFAULT_UID_MIN = 1000 -diff --git a/tests/CMakeLists.txt b/tests/CMakeLists.txt -index 5b791a2..ecaa6dc 100644 ---- a/tests/CMakeLists.txt -+++ b/tests/CMakeLists.txt -@@ -31,3 +31,8 @@ add_test( - NAME "max-path-len" - COMMAND "${PYTHON_EXECUTABLE}" "${CMAKE_CURRENT_SOURCE_DIR}/ensure_paths_are_short.py" - ) -+ -+add_test( -+ NAME "machine-only-rules" -+ COMMAND env "PYTHONPATH=$ENV{PYTHONPATH}" "${PYTHON_EXECUTABLE}" "${CMAKE_CURRENT_SOURCE_DIR}/test_machine_only_rules.py" --source_dir "${CMAKE_SOURCE_DIR}" --build_dir "${CMAKE_BINARY_DIR}" -+) -diff --git a/tests/test_machine_only_rules.py b/tests/test_machine_only_rules.py -new file mode 100644 -index 0000000..94a2e4e ---- /dev/null -+++ b/tests/test_machine_only_rules.py -@@ -0,0 +1,111 @@ -+#!/usr/bin/python3 -+ -+import os -+import argparse -+import xml.etree.ElementTree as ET -+import sys -+import 
ssg.constants -+import ssg.yaml -+ -+machine_cpe = "cpe:/a:machine" -+ -+ -+def main(): -+ args = parse_command_line_args() -+ for product in ssg.constants.product_directories: -+ product_dir = os.path.join(args.source_dir, product) -+ product_yaml_path = os.path.join(product_dir, "product.yml") -+ product_yaml = ssg.yaml.open_raw(product_yaml_path) -+ guide_dir = os.path.abspath( -+ os.path.join(product_dir, product_yaml['benchmark_root'])) -+ if not check_product(args.build_dir, product, guide_dir): -+ sys.exit(1) -+ -+ -+def check_product(build_dir, product, guide_dir): -+ input_groups, input_rules = scan_rules_groups(guide_dir, False) -+ ds_path = os.path.join(build_dir, "ssg-" + product + "-ds.xml") -+ if not check_ds(ds_path, "groups", input_groups): -+ return False -+ return True -+ -+ -+def check_ds(ds_path, what, input_elems): -+ try: -+ tree = ET.parse(ds_path) -+ except IOError as e: -+ sys.stderr.write("The product datastream '%s' hasn't been build, " -+ "skipping the test." % (ds_path)) -+ return True -+ root = tree.getroot() -+ if what == "groups": -+ replacement = "xccdf_org.ssgproject.content_group_" -+ xpath_query = ".//{%s}Group" % ssg.constants.XCCDF12_NS -+ if what == "rules": -+ replacement = "xccdf_org.ssgproject.content_rule_" -+ xpath_query = ".//{%s}Rule" % ssg.constants.XCCDF12_NS -+ benchmark = root.find(".//{%s}Benchmark" % ssg.constants.XCCDF12_NS) -+ for elem in benchmark.findall(xpath_query): -+ elem_id = elem.get("id") -+ elem_short_id = elem_id.replace(replacement, "") -+ if elem_short_id not in input_elems: -+ continue -+ platforms = elem.findall("{%s}platform" % ssg.constants.XCCDF12_NS) -+ machine_platform = False -+ for p in platforms: -+ idref = p.get("idref") -+ if idref == machine_cpe: -+ machine_platform = True -+ if not machine_platform: -+ sys.stderr.write("%s %s in %s is missing element" % -+ (what, elem_short_id, ds_path)) -+ return False -+ return True -+ -+ -+def parse_command_line_args(): -+ parser = 
argparse.ArgumentParser( -+ description="Tests if 'machine' CPEs are " -+ "propagated to the built datastream") -+ parser.add_argument("--source_dir", required=True, -+ help="Content source directory path") -+ parser.add_argument("--build_dir", required=True, -+ help="Build directory containing built datastreams") -+ args = parser.parse_args() -+ return args -+ -+ -+def check_if_machine_only(dirpath, name, is_machine_only_group): -+ if name in os.listdir(dirpath): -+ if is_machine_only_group: -+ return True -+ yml_path = os.path.join(dirpath, name) -+ with open(yml_path, "r") as yml_file: -+ yml_file_contents = yml_file.read() -+ if "platform: machine" in yml_file_contents: -+ return True -+ return False -+ -+ -+def scan_rules_groups(dirpath, parent_machine_only): -+ groups = set() -+ rules = set() -+ name = os.path.basename(dirpath) -+ is_machine_only = False -+ if check_if_machine_only(dirpath, "group.yml", parent_machine_only): -+ groups.add(name) -+ is_machine_only = True -+ if check_if_machine_only(dirpath, "rule.yml", parent_machine_only): -+ rules.add(name) -+ for dir_item in os.listdir(dirpath): -+ subdir_path = os.path.join(dirpath, dir_item) -+ if os.path.isdir(subdir_path): -+ subdir_groups, subdir_rules = scan_rules_groups( -+ subdir_path, is_machine_only) -+ groups |= subdir_groups -+ rules |= subdir_rules -+ return groups, rules -+ -+ -+if __name__ == "__main__": -+ main() diff --git a/SOURCES/scap-security-guide-0.1.44-cpe-pam-systemd-yum.patch b/SOURCES/scap-security-guide-0.1.44-cpe-pam-systemd-yum.patch index 26d66d3..00baced 100644 --- a/SOURCES/scap-security-guide-0.1.44-cpe-pam-systemd-yum.patch +++ b/SOURCES/scap-security-guide-0.1.44-cpe-pam-systemd-yum.patch 
@@ -68,72 +68,72 @@ Date: Mon, 8 Apr 2019 15:43:04 +0200 Subject: [PATCH 03/11] Update rules for PAM CPE check --- - .../accounts_password_pam_dcredit.rule | 2 ++ - .../accounts_password_pam_difok.rule | 2 ++ - .../accounts_password_pam_maxclassrepeat.rule | 2 ++ - .../accounts_password_pam_minclass.rule | 2 ++ - .../accounts_password_pam_minlen.rule | 2 ++ - .../accounts_max_concurrent_login_sessions.rule | 2 ++ + .../accounts_password_pam_dcredit/rule.yml | 2 ++ + .../accounts_password_pam_difok/rule.yml | 2 ++ + .../accounts_password_pam_maxclassrepeat/rule.yml | 2 ++ + .../accounts_password_pam_minclass/rule.yml | 2 ++ + .../accounts_password_pam_minlen/rule.yml | 2 ++ + .../accounts_max_concurrent_login_sessions/rule.yml | 2 ++ 6 files changed, 12 insertions(+) -diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_dcredit.rule b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_dcredit.rule +diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_dcredit/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_dcredit/rule.yml index 72fc5970ea..fe997d97c8 100644 ---- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_dcredit.rule -+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_dcredit.rule +--- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_dcredit/rule.yml ++++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_dcredit/rule.yml @@ -52,3 +52,5 @@ ocil: |-
    $ grep dcredit /etc/security/pwquality.conf
    The dcredit parameter (as a negative number) will indicate how many digits are required. The DoD requires at least one digit in a password. This would appear as dcredit = -1. + +platform: pam -diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_difok.rule b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_difok.rule +diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_difok/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_difok/rule.yml index 931f0aa9e4..d1855a2cf4 100644 ---- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_difok.rule -+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_difok.rule +--- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_difok/rule.yml ++++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_difok/rule.yml @@ -53,3 +53,5 @@ ocil: |- To check how many characters must differ during a password change, run the following command:
    $ grep difok /etc/security/pwquality.conf
    The difok parameter will indicate how many characters must differ. + +platform: pam -diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_maxclassrepeat.rule b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_maxclassrepeat.rule +diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_maxclassrepeat/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_maxclassrepeat/rule.yml index 35de1318d5..d964a5e3ea 100644 ---- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_maxclassrepeat.rule -+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_maxclassrepeat.rule +--- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_maxclassrepeat/rule.yml ++++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_maxclassrepeat/rule.yml @@ -43,3 +43,5 @@ ocil: |- To check the value for maximum consecutive repeating characters, run the following command:
    $ grep maxclassrepeat /etc/security/pwquality.conf
    For DoD systems, the output should show maxclassrepeat=4. + +platform: pam -diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_minclass.rule b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_minclass.rule +diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_minclass/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_minclass/rule.yml index 7f99aba143..dc3377de0b 100644 ---- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_minclass.rule -+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_minclass.rule +--- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_minclass/rule.yml ++++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_minclass/rule.yml 
@@ -60,3 +60,5 @@ ocil: |- The minclass parameter will indicate how many character classes must be used. If the requirement was for the password to contain characters from three different categories, then this would appear as minclass = 3. + +platform: pam -diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_minlen.rule b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_minlen.rule +diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_minlen/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_minlen/rule.yml index d6462579fe..0799aecf01 100644 ---- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_minlen.rule -+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_minlen.rule +--- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_minlen/rule.yml ++++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_minlen/rule.yml @@ -49,3 +49,5 @@ ocil: |- To check how many characters are required in a password, run the following command:
    $ grep minlen /etc/security/pwquality.conf
    Your output should contain minlen = + +platform: pam -diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_max_concurrent_login_sessions.rule b/linux_os/guide/system/accounts/accounts-session/accounts_max_concurrent_login_sessions.rule +diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_max_concurrent_login_sessions/rule.yml b/linux_os/guide/system/accounts/accounts-session/accounts_max_concurrent_login_sessions/rule.yml index bd53c19c08..f9d9a08706 100644 ---- a/linux_os/guide/system/accounts/accounts-session/accounts_max_concurrent_login_sessions.rule -+++ b/linux_os/guide/system/accounts/accounts-session/accounts_max_concurrent_login_sessions.rule -@@ -45,3 +45,5 @@ - ocil_clause: 'maxlogins is not equal to or less than the expected value' - - ocil: "Run the following command to ensure the maxlogins value is configured for all users\non the system:\n
    # grep \"maxlogins\" /etc/security/limits.conf
    \nYou should receive output similar to the following:\n
    *\t\thard\tmaxlogins\t
    " +--- a/linux_os/guide/system/accounts/accounts-session/accounts_max_concurrent_login_sessions/rule.yml ++++ b/linux_os/guide/system/accounts/accounts-session/accounts_max_concurrent_login_sessions/rule.yml +@@ -45,3 +45,5 @@ ocil: |- +
    # grep "maxlogins" /etc/security/limits.conf
    + You should receive output similar to the following: +
    *\t\thard\tmaxlogins\t
    + +platform: pam 
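Review bot: The `index 72fc5970ea..fe997d97c8 100644` line (and the other five `index` lines in this hunk) are carried over unchanged while the `diff --git`, `---` and `+++` paths are hand-rewritten from `*.rule` to `*/rule.yml`, so the blob ids no longer describe the files the inner hunks now target. `patch -p1` ignores them, but `git apply --3way` would presumably look for pre-image blobs that do not exist in the 0.1.43 tree, and the `[PATCH 03/11]` header now no longer corresponds to any upstream commit. Consider regenerating the patch with `git format-patch` from the upstream commit rebased onto 0.1.43, or dropping the `index` lines and adding one sentence to the patch description stating that it was hand-adapted to the rule.yml layout. The `accounts_max_concurrent_login_sessions/rule.yml` part at the end of the hunk also replaces the whole inner context block rather than just the path, which is worth mentioning there since the backported content now diverges from upstream.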
@@ -225,168 +225,168 @@ Date: Mon, 8 Apr 2019 15:45:01 +0200 Subject: [PATCH 06/11] Update rules with package CPEs --- - .../accounts/accounts-pam/display_login_attempts.rule | 2 ++ - .../accounts_password_pam_unix_remember.rule | 2 ++ - .../accounts_passwords_pam_faillock_deny.rule | 2 ++ - .../accounts_passwords_pam_faillock_deny_root.rule | 2 ++ - .../accounts_passwords_pam_faillock_interval.rule | 2 ++ - .../accounts_passwords_pam_faillock_unlock_time.rule | 2 ++ - .../accounts_password_pam_lcredit.rule | 2 ++ - .../accounts_password_pam_ocredit.rule | 2 ++ - .../accounts_password_pam_retry.rule | 2 ++ - .../accounts_password_pam_ucredit.rule | 2 ++ - .../set_password_hashing_algorithm_libuserconf.rule | 2 ++ - .../set_password_hashing_algorithm_logindefs.rule | 2 ++ - .../set_password_hashing_algorithm_systemauth.rule | 2 ++ - .../accounts-physical/disable_ctrlaltdel_burstaction.rule | 2 ++ - .../user_umask/accounts_umask_etc_login_defs.rule | 2 ++ + .../accounts/accounts-pam/display_login_attempts/rule.yml | 2 ++ + .../accounts_password_pam_unix_remember/rule.yml | 2 ++ + .../accounts_passwords_pam_faillock_deny/rule.yml | 2 ++ + .../accounts_passwords_pam_faillock_deny_root/rule.yml | 2 ++ + .../accounts_passwords_pam_faillock_interval/rule.yml | 2 ++ + .../accounts_passwords_pam_faillock_unlock_time/rule.yml | 2 ++ + .../accounts_password_pam_lcredit/rule.yml | 2 ++ + .../accounts_password_pam_ocredit/rule.yml | 2 ++ + .../accounts_password_pam_retry/rule.yml | 2 ++ + .../accounts_password_pam_ucredit/rule.yml | 2 ++ + .../set_password_hashing_algorithm_libuserconf/rule.yml | 2 ++ + .../set_password_hashing_algorithm_logindefs/rule.yml | 2 ++ + .../set_password_hashing_algorithm_systemauth/rule.yml | 2 ++ + .../accounts-physical/disable_ctrlaltdel_burstaction/rule.yml | 2 ++ + .../user_umask/accounts_umask_etc_login_defs/rule.yml | 2 ++ ssg/constants.py | 2 ++ 16 files changed, 32 insertions(+) -diff --git 
a/linux_os/guide/system/accounts/accounts-pam/display_login_attempts.rule b/linux_os/guide/system/accounts/accounts-pam/display_login_attempts.rule +diff --git a/linux_os/guide/system/accounts/accounts-pam/display_login_attempts/rule.yml b/linux_os/guide/system/accounts/accounts-pam/display_login_attempts/rule.yml index 5c2287a4d3..baeece4b59 100644 ---- a/linux_os/guide/system/accounts/accounts-pam/display_login_attempts.rule -+++ b/linux_os/guide/system/accounts/accounts-pam/display_login_attempts.rule +--- a/linux_os/guide/system/accounts/accounts-pam/display_login_attempts/rule.yml ++++ b/linux_os/guide/system/accounts/accounts-pam/display_login_attempts/rule.yml @@ -47,3 +47,5 @@ ocil: |- the following command:
    $ grep pam_lastlog.so /etc/pam.d/postlogin
    The output should show output showfailed. + +platform: pam -diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember.rule b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember.rule +diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/rule.yml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/rule.yml index dcde239e85..a63e0e6d1d 100644 ---- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember.rule -+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember.rule +--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/rule.yml ++++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/rule.yml @@ -56,3 +56,5 @@ ocil: |-
    $ grep remember /etc/pam.d/system-auth
    The output should show the following at the end of the line:
    remember=
    + +platform: pam -diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny.rule b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny.rule +diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/rule.yml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/rule.yml index c8147e7c17..e10b0a1b67 100644 ---- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny.rule -+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny.rule +--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/rule.yml ++++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/rule.yml @@ -56,3 +56,5 @@ ocil: |- To ensure the failed password attempt policy is configured correctly, run the following command:
    $ grep pam_faillock /etc/pam.d/system-auth
    The output should show deny=. + +platform: pam -diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny_root.rule b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny_root.rule +diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny_root/rule.yml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny_root/rule.yml index b5283b052e..b4c4df7186 100644 ---- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny_root.rule -+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny_root.rule +--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny_root/rule.yml ++++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny_root/rule.yml @@ -50,3 +50,5 @@ ocil: |- attempts, run the following command:
    $ grep even_deny_root /etc/pam.d/system-auth
    The output should show even_deny_root. + +platform: pam -diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval.rule b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval.rule +diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/rule.yml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/rule.yml index 485fb7970d..ac21fe4c81 100644 ---- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval.rule -+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval.rule -@@ -65,3 +65,5 @@ - ocil_clause: 'fail_interval is less than the required value' - - ocil: "To ensure the failed password attempt policy is configured correctly, run the following command:\n
    $ grep pam_faillock /etc/pam.d/system-auth /etc/pam.d/password-auth
    \nFor each file, the output should show fail_interval=<interval-in-seconds> where interval-in-seconds is \n or greater. \nIf the fail_interval parameter is not set, the default setting of 900 seconds is acceptable." +--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/rule.yml ++++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/rule.yml +@@ -65,3 +65,5 @@ ocil: |- + For each file, the output should show fail_interval=<interval-in-seconds> where interval-in-seconds is or greater. + If the fail_interval parameter is not set, the default setting + of 900 seconds is acceptable. + +platform: pam -diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time.rule b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time.rule +diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/rule.yml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/rule.yml index 9abd02feea..f4bfaec622 100644 ---- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time.rule -+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time.rule +--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/rule.yml ++++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/rule.yml @@ -59,3 +59,5 @@ ocil: |- To ensure the failed password attempt policy is configured correctly, run the following command:
    $ grep pam_faillock /etc/pam.d/system-auth
    The output should show unlock_time=<some-large-number> or never. + +platform: pam -diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_lcredit.rule b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_lcredit.rule +diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_lcredit/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_lcredit/rule.yml index ba0be4ebeb..21d86585ed 100644 ---- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_lcredit.rule -+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_lcredit.rule +--- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_lcredit/rule.yml ++++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_lcredit/rule.yml @@ -51,3 +51,5 @@ ocil: |-
    $ grep lcredit /etc/security/pwquality.conf
    The lcredit parameter (as a negative number) will indicate how many special characters are required. The DoD and FISMA require at least one lowercase character in a password. This would appear as lcredit = -1. + +platform: pam -diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_ocredit.rule b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_ocredit.rule +diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_ocredit/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_ocredit/rule.yml index c39cc2a09b..d7f7083d27 100644 ---- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_ocredit.rule -+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_ocredit.rule +--- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_ocredit/rule.yml ++++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_ocredit/rule.yml 
@@ -53,3 +53,5 @@ ocil: |- The ocredit parameter (as a negative number) will indicate how many special characters are required. The DoD and FISMA require at least one special character in a password. This would appear as ocredit = -1. + +platform: pam -diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry.rule b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry.rule +diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/rule.yml index c0f8ed8d6d..fea35e37a3 100644 ---- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry.rule -+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry.rule +--- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/rule.yml ++++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/rule.yml 
@@ -46,3 +46,5 @@ ocil: |- The retry parameter will indicate how many attempts are permitted. The DoD required value is less than or equal to 3. This would appear as retry=3, or a lower value. + +platform: pam -diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_ucredit.rule b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_ucredit.rule +diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_ucredit/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_ucredit/rule.yml index 2222ac2297..a4ecdf969d 100644 ---- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_ucredit.rule -+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_ucredit.rule +--- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_ucredit/rule.yml ++++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_ucredit/rule.yml 
@@ -50,3 +50,5 @@ ocil: |-
The ucredit parameter (as a negative number) will indicate how many uppercase characters are required. The DoD and FISMA require at least one uppercase character in a password. This would appear as ucredit = -1.
+
+platform: pam
-diff --git a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_libuserconf.rule b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_libuserconf.rule
+diff --git a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_libuserconf/rule.yml b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_libuserconf/rule.yml
index 0f6cf57e57..397bad4ea6 100644
---- a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_libuserconf.rule
-+++ b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_libuserconf.rule
+--- a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_libuserconf/rule.yml
++++ b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_libuserconf/rule.yml
@@ -55,3 +55,5 @@ ocil: |-
Inspect /etc/libuser.conf and ensure the following line appears in the [default] section:
    crypt_style = sha512
+
+platform: libuser
-diff --git a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_logindefs.rule b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_logindefs.rule
+diff --git a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_logindefs/rule.yml b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_logindefs/rule.yml
index a23a7863c9..84212c7648 100644
---- a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_logindefs.rule
-+++ b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_logindefs.rule
+--- a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_logindefs/rule.yml
++++ b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_logindefs/rule.yml
@@ -47,3 +47,5 @@ ocil_clause: 'it does not'
ocil: |-
Inspect /etc/login.defs and ensure the following line appears:
    ENCRYPT_METHOD SHA512
+
+platform: shadow-utils
-diff --git a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth.rule b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth.rule
+diff --git a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/rule.yml b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/rule.yml
index 070e65fc3a..48e8ac427d 100644
---- a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth.rule
-+++ b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth.rule
+--- a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/rule.yml
++++ b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/rule.yml
@@ -65,3 +65,5 @@ ocil: |-
ensure that the pam_unix.so module includes the argument sha512:
    $ grep sha512 /etc/pam.d/system-auth
+
+platform: pam
-diff --git a/linux_os/guide/system/accounts/accounts-physical/disable_ctrlaltdel_burstaction.rule b/linux_os/guide/system/accounts/accounts-physical/disable_ctrlaltdel_burstaction.rule
+diff --git a/linux_os/guide/system/accounts/accounts-physical/disable_ctrlaltdel_burstaction/rule.yml b/linux_os/guide/system/accounts/accounts-physical/disable_ctrlaltdel_burstaction/rule.yml
index e215a41a91..d68bf2be38 100644
---- a/linux_os/guide/system/accounts/accounts-physical/disable_ctrlaltdel_burstaction.rule
-+++ b/linux_os/guide/system/accounts/accounts-physical/disable_ctrlaltdel_burstaction.rule
+--- a/linux_os/guide/system/accounts/accounts-physical/disable_ctrlaltdel_burstaction/rule.yml
++++ b/linux_os/guide/system/accounts/accounts-physical/disable_ctrlaltdel_burstaction/rule.yml
@@ -53,3 +53,5 @@ warnings:
key sequence if running in runlevel 6 (e.g. in GNOME, KDE, etc.)! The Ctrl-Alt-Del key sequence will only be disabled if running in the non-graphical runlevel 3.
+
+platform: systemd
-diff --git a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_login_defs.rule b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_login_defs.rule
+diff --git a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_login_defs/rule.yml b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_login_defs/rule.yml
index e9e327352b..a087ca8f6a 100644
---- a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_login_defs.rule
-+++ b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_login_defs.rule
+--- a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_login_defs/rule.yml
++++ b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_login_defs/rule.yml
@@ -41,3 +41,5 @@ ocil: |-
All output must show the value of umask set as shown in the below:
    # grep -i "UMASK" /etc/login.defs
    @@ -415,16 +415,16 @@ Date: Wed, 3 Apr 2019 17:45:31 -0400
     Subject: [PATCH 07/11] Update LDAP check to evaluate for nss-pam-ldapd CPE
     
     ---
    - .../ldap_client_start_tls.rule            |  2 ++
    + .../ldap_client_start_tls/rule.yml            |  2 ++
      ...nstalled_env_has_nss-pam-ldapd_package.xml | 24 +++++++++++++++++++
      ssg/constants.py                              |  1 +
      3 files changed, 27 insertions(+)
      create mode 100644 shared/checks/oval/installed_env_has_nss-pam-ldapd_package.xml
     
    -diff --git a/linux_os/guide/services/ldap/openldap_client/ldap_client_start_tls.rule b/linux_os/guide/services/ldap/openldap_client/ldap_client_start_tls.rule
    +diff --git a/linux_os/guide/services/ldap/openldap_client/ldap_client_start_tls/rule.yml b/linux_os/guide/services/ldap/openldap_client/ldap_client_start_tls/rule.yml
     index c4839d7de5..22a9fd60d9 100644
    ---- a/linux_os/guide/services/ldap/openldap_client/ldap_client_start_tls.rule
    -+++ b/linux_os/guide/services/ldap/openldap_client/ldap_client_start_tls.rule
    +--- a/linux_os/guide/services/ldap/openldap_client/ldap_client_start_tls/rule.yml
    ++++ b/linux_os/guide/services/ldap/openldap_client/ldap_client_start_tls/rule.yml
     @@ -48,3 +48,5 @@ ocil: |-
          
    $ grep start_tls /etc/pam_ldap.conf
The result should contain:
@@ -481,24 +481,35 @@ Subject: [PATCH 08/11] Update FIPS checks to evaluate if in machine environment
---
- .../integrity/fips/grub_legacy_enable_fips_mode.rule | 2 ++
- .../integrity/fips/package_dracut-fips_installed.rule | 2 ++
+ .../software/integrity/fips/enable_dracut_fips_module/rule.yml | 2 ++
+ .../integrity/fips/grub_legacy_enable_fips_mode/rule.yml | 2 ++
+ .../integrity/fips/package_dracut-fips_installed/rule.yml | 2 ++
3 files changed, 6 insertions(+)
-diff --git a/linux_os/guide/system/software/integrity/fips/grub_legacy_enable_fips_mode.rule b/linux_os/guide/system/software/integrity/fips/grub_legacy_enable_fips_mode.rule
+diff --git a/linux_os/guide/system/software/integrity/fips/enable_dracut_fips_module/rule.yml b/linux_os/guide/system/software/integrity/fips/enable_dracut_fips_module/rule.yml
+index 08faf42259..dbdf64d526 100644
+--- a/linux_os/guide/system/software/integrity/fips/enable_dracut_fips_module/rule.yml
++++ b/linux_os/guide/system/software/integrity/fips/enable_dracut_fips_module/rule.yml
+@@ -48,3 +48,5 @@ warnings:
+

+ See {{{ weblink(link="http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/1401vend.htm") }}}
+ for a list of FIPS certified vendors.
++
++platform: machine
+diff --git a/linux_os/guide/system/software/integrity/fips/grub_legacy_enable_fips_mode/rule.yml b/linux_os/guide/system/software/integrity/fips/grub_legacy_enable_fips_mode/rule.yml
index f112bddacd..6761b8736d 100644
---- a/linux_os/guide/system/software/integrity/fips/grub_legacy_enable_fips_mode.rule
-+++ b/linux_os/guide/system/software/integrity/fips/grub_legacy_enable_fips_mode.rule
+--- a/linux_os/guide/system/software/integrity/fips/grub_legacy_enable_fips_mode/rule.yml
++++ b/linux_os/guide/system/software/integrity/fips/grub_legacy_enable_fips_mode/rule.yml
@@ -50,3 +50,5 @@ warnings:

See {{{ weblink(link="http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/1401vend.htm") }}}
for a list of FIPS certified vendors.
+
+platform: machine
-diff --git a/linux_os/guide/system/software/integrity/fips/package_dracut-fips_installed.rule b/linux_os/guide/system/software/integrity/fips/package_dracut-fips_installed.rule
+diff --git a/linux_os/guide/system/software/integrity/fips/package_dracut-fips_installed/rule.yml b/linux_os/guide/system/software/integrity/fips/package_dracut-fips_installed/rule.yml
index c1f6e515e6..055ec8f774 100644
---- a/linux_os/guide/system/software/integrity/fips/package_dracut-fips_installed.rule
-+++ b/linux_os/guide/system/software/integrity/fips/package_dracut-fips_installed.rule
+--- a/linux_os/guide/system/software/integrity/fips/package_dracut-fips_installed/rule.yml
++++ b/linux_os/guide/system/software/integrity/fips/package_dracut-fips_installed/rule.yml
@@ -37,3 +37,5 @@ references:
ocil_clause: 'the package is not installed'
@@ -676,51 +687,51 @@ Date: Mon, 8 Apr 2019 16:25:27 +0200
Subject: [PATCH 10/11] Add yum CPE and update rules plaforms
---
- .../clean_components_post_updating.rule | 2 +
- ....rule | 2 +
- .../ensure_gpgcheck_local_packages.rule | 2 +
- .../ensure_gpgcheck_repo_metadata.rule | 2 +
+ .../clean_components_post_updating/rule.yml | 2 +
+ .../rule.yml | 2 +
+ .../ensure_gpgcheck_local_packages/rule.yml | 2 +
+ .../ensure_gpgcheck_repo_metadata/rule.yml | 2 +
.../oval/installed_env_has_yum_package.xml | 37 +++++++++++++++++++
ssg/constants.py | 1 +
6 files changed, 46 insertions(+)
create mode 100644 shared/checks/oval/installed_env_has_yum_package.xml
-diff --git a/linux_os/guide/system/software/updating/clean_components_post_updating.rule b/linux_os/guide/system/software/updating/clean_components_post_updating.rule
+diff --git a/linux_os/guide/system/software/updating/clean_components_post_updating/rule.yml b/linux_os/guide/system/software/updating/clean_components_post_updating/rule.yml
index d5f0756c2a..9bbcadea11 100644
---- a/linux_os/guide/system/software/updating/clean_components_post_updating.rule
-+++ b/linux_os/guide/system/software/updating/clean_components_post_updating.rule
+--- a/linux_os/guide/system/software/updating/clean_components_post_updating/rule.yml
++++ b/linux_os/guide/system/software/updating/clean_components_post_updating/rule.yml
@@ -40,3 +40,5 @@ ocil: |-
-
    $ grep clean_requirements_on_remove /etc/yum.conf
    +
    $ grep clean_requirements_on_remove {{{ pkg_manager_config_file }}}
    The output should return something similar to:
    clean_requirements_on_remove=1
+
+platform: yum
-diff --git a/linux_os/guide/system/software/updating/ensure_gpgcheck_globally_activated.rule b/linux_os/guide/system/software/updating/ensure_gpgcheck_globally_activated.rule
+diff --git a/linux_os/guide/system/software/updating/ensure_gpgcheck_globally_activated/rule.yml b/linux_os/guide/system/software/updating/ensure_gpgcheck_globally_activated/rule.yml
index 73e29ae1a5..b19e178026 100644
---- a/linux_os/guide/system/software/updating/ensure_gpgcheck_globally_activated.rule
-+++ b/linux_os/guide/system/software/updating/ensure_gpgcheck_globally_activated.rule
+--- a/linux_os/guide/system/software/updating/ensure_gpgcheck_globally_activated/rule.yml
++++ b/linux_os/guide/system/software/updating/ensure_gpgcheck_globally_activated/rule.yml
@@ -67,3 +67,5 @@ ocil: |-
A value of 1 indicates that gpgcheck is enabled. Absence of a gpgcheck line or a setting of 0 indicates that it is disabled.
+
+platform: yum
-diff --git a/linux_os/guide/system/software/updating/ensure_gpgcheck_local_packages.rule b/linux_os/guide/system/software/updating/ensure_gpgcheck_local_packages.rule
+diff --git a/linux_os/guide/system/software/updating/ensure_gpgcheck_local_packages/rule.yml b/linux_os/guide/system/software/updating/ensure_gpgcheck_local_packages/rule.yml
index 7d94688af4..d1ffba4d4e 100644
---- a/linux_os/guide/system/software/updating/ensure_gpgcheck_local_packages.rule
-+++ b/linux_os/guide/system/software/updating/ensure_gpgcheck_local_packages.rule
+--- a/linux_os/guide/system/software/updating/ensure_gpgcheck_local_packages/rule.yml
++++ b/linux_os/guide/system/software/updating/ensure_gpgcheck_local_packages/rule.yml
@@ -47,3 +47,5 @@ ocil: |-
-
    $ grep localpkg_gpgcheck /etc/yum.conf
    +
    $ grep localpkg_gpgcheck {{{ pkg_manager_config_file }}}
    The output should return something similar to:
    localpkg_gpgcheck=1
+
+platform: yum
-diff --git a/linux_os/guide/system/software/updating/ensure_gpgcheck_repo_metadata.rule b/linux_os/guide/system/software/updating/ensure_gpgcheck_repo_metadata.rule
+diff --git a/linux_os/guide/system/software/updating/ensure_gpgcheck_repo_metadata/rule.yml b/linux_os/guide/system/software/updating/ensure_gpgcheck_repo_metadata/rule.yml
index aa3aa83f70..4f8a76652c 100644
---- a/linux_os/guide/system/software/updating/ensure_gpgcheck_repo_metadata.rule
-+++ b/linux_os/guide/system/software/updating/ensure_gpgcheck_repo_metadata.rule
+--- a/linux_os/guide/system/software/updating/ensure_gpgcheck_repo_metadata/rule.yml
++++ b/linux_os/guide/system/software/updating/ensure_gpgcheck_repo_metadata/rule.yml
@@ -55,3 +55,5 @@ ocil: |-
-
    $ grep repo_gpgcheck /etc/yum.conf
    +
    $ grep repo_gpgcheck {{{ pkg_manager_config_file }}}
    The output should return something similar to:
    repo_gpgcheck=1
+
diff --git a/SOURCES/scap-security-guide-0.1.44-cpe-remaining.patch b/SOURCES/scap-security-guide-0.1.44-cpe-remaining.patch
index 0e1bcdb..bdb3fed 100644
--- a/SOURCES/scap-security-guide-0.1.44-cpe-remaining.patch
+++ b/SOURCES/scap-security-guide-0.1.44-cpe-remaining.patch
@@ -4,35 +4,35 @@ Date: Wed, 10 Apr 2019 17:57:39 +0200
Subject: [PATCH] Set various platform package CPE
---
- .../accounts_password_pam_maxrepeat.rule | 2 ++
- .../accounts-session/accounts_have_homedir_login_defs.rule | 2 ++
- .../restrictions/coredumps/disable_users_coredumps.rule | 2 ++
+ .../accounts_password_pam_maxrepeat/rule.yml | 2 ++
+ .../accounts-session/accounts_have_homedir_login_defs/rule.yml | 2 ++
+ .../restrictions/coredumps/disable_users_coredumps/rule.yml | 2 ++
3 files changed, 6 insertions(+)
-diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_maxrepeat.rule b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_maxrepeat.rule
+diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_maxrepeat/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_maxrepeat/rule.yml
index d23b1d99d0..925288b4f3 100644
---- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_maxrepeat.rule
-+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_maxrepeat.rule
+--- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_maxrepeat/rule.yml
++++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_maxrepeat/rule.yml
@@ -46,3 +46,5 @@ ocil: |-
    $ grep maxrepeat /etc/security/pwquality.conf
Look for the value of the maxrepeat parameter. The DoD requirement is 3, which would appear as maxrepeat=3.
+
+platform: pam
-diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_have_homedir_login_defs.rule b/linux_os/guide/system/accounts/accounts-session/accounts_have_homedir_login_defs.rule
+diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_have_homedir_login_defs/rule.yml b/linux_os/guide/system/accounts/accounts-session/accounts_have_homedir_login_defs/rule.yml
index 300f409ca3..215565460c 100644
---- a/linux_os/guide/system/accounts/accounts-session/accounts_have_homedir_login_defs.rule
-+++ b/linux_os/guide/system/accounts/accounts-session/accounts_have_homedir_login_defs.rule
+--- a/linux_os/guide/system/accounts/accounts-session/accounts_have_homedir_login_defs/rule.yml
++++ b/linux_os/guide/system/accounts/accounts-session/accounts_have_homedir_login_defs/rule.yml
@@ -32,3 +32,5 @@ ocil: |-

    $ sudo grep create_home /etc/login.defs


+
+platform: shadow-utils
-diff --git a/linux_os/guide/system/permissions/restrictions/coredumps/disable_users_coredumps.rule b/linux_os/guide/system/permissions/restrictions/coredumps/disable_users_coredumps.rule
+diff --git a/linux_os/guide/system/permissions/restrictions/coredumps/disable_users_coredumps/rule.yml b/linux_os/guide/system/permissions/restrictions/coredumps/disable_users_coredumps/rule.yml
index 99c2521afa..0e30d0d7ee 100644
---- a/linux_os/guide/system/permissions/restrictions/coredumps/disable_users_coredumps.rule
-+++ b/linux_os/guide/system/permissions/restrictions/coredumps/disable_users_coredumps.rule
+--- a/linux_os/guide/system/permissions/restrictions/coredumps/disable_users_coredumps/rule.yml
++++ b/linux_os/guide/system/permissions/restrictions/coredumps/disable_users_coredumps/rule.yml
@@ -37,3 +37,5 @@ ocil: |-
    $ grep core /etc/security/limits.conf
The output should be:
diff --git a/SOURCES/scap-security-guide-0.1.44-cpe-shadow-utils.patch b/SOURCES/scap-security-guide-0.1.44-cpe-shadow-utils.patch
index 4b69b63..bc99269 100644
--- a/SOURCES/scap-security-guide-0.1.44-cpe-shadow-utils.patch
+++ b/SOURCES/scap-security-guide-0.1.44-cpe-shadow-utils.patch
@@ -64,68 +64,68 @@ Subject: [PATCH 2/3] Rules are applicable when shadow-utils installed
If package shadow-utils is not installed, the rule will result in notapplicable.
---
- .../account_disable_post_pw_expiration.rule | 2 ++
- .../accounts_maximum_age_login_defs.rule | 2 ++
- .../accounts_minimum_age_login_defs.rule | 2 ++
- .../accounts_password_minlen_login_defs.rule | 2 ++
- .../accounts_password_warn_age_login_defs.rule | 2 ++
- .../accounts-session/accounts_logon_fail_delay.rule | 2 ++
+ .../account_disable_post_pw_expiration/rule.yml | 2 ++
+ .../accounts_maximum_age_login_defs/rule.yml | 2 ++
+ .../accounts_minimum_age_login_defs/rule.yml | 2 ++
+ .../accounts_password_minlen_login_defs/rule.yml | 2 ++
+ .../accounts_password_warn_age_login_defs/rule.yml | 2 ++
+ .../accounts-session/accounts_logon_fail_delay/rule.yml | 2 ++
6 files changed, 12 insertions(+)
-diff --git a/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_disable_post_pw_expiration.rule b/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_disable_post_pw_expiration.rule
+diff --git a/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_disable_post_pw_expiration/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_disable_post_pw_expiration/rule.yml
index 9d19274f1c..d8b29b6436 100644
---- a/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_disable_post_pw_expiration.rule
-+++ b/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_disable_post_pw_expiration.rule
+--- a/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_disable_post_pw_expiration/rule.yml
++++ b/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_disable_post_pw_expiration/rule.yml
@@ -62,3 +62,5 @@ ocil: |-
to an appropriate integer as shown in the example below:
    $ grep "INACTIVE" /etc/default/useradd
          INACTIVE=
+
+platform: shadow-utils
-diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs.rule b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs.rule
+diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/rule.yml
index 90dc1b4f2b..de322bc787 100644
---- a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs.rule
-+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs.rule
+--- a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/rule.yml
++++ b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/rule.yml
@@ -55,3 +55,5 @@ ocil: |-
    $ grep PASS_MAX_DAYS /etc/login.defs
The DoD and FISMA requirement is 60. A value of 180 days is sufficient for many environments.
+
+platform: shadow-utils
-diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_minimum_age_login_defs.rule b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_minimum_age_login_defs.rule
+diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_minimum_age_login_defs/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_minimum_age_login_defs/rule.yml
index 88706c8b3e..dd7030cd0a 100644
---- a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_minimum_age_login_defs.rule
-+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_minimum_age_login_defs.rule
+--- a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_minimum_age_login_defs/rule.yml
++++ b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_minimum_age_login_defs/rule.yml
@@ -49,3 +49,5 @@ ocil_clause: 'it is not equal to or greater than the required value'
ocil: |-
To check the minimum password age, run the command:
    $ grep PASS_MIN_DAYS /etc/login.defs
+
+platform: shadow-utils
-diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_minlen_login_defs.rule b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_minlen_login_defs.rule
+diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_minlen_login_defs/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_minlen_login_defs/rule.yml
index 814fda94b9..d38ee253fb 100644
---- a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_minlen_login_defs.rule
-+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_minlen_login_defs.rule
+--- a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_minlen_login_defs/rule.yml
++++ b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_minlen_login_defs/rule.yml
@@ -51,3 +51,5 @@ ocil: |-
To check the minimum password length, run the command:
    $ grep PASS_MIN_LEN /etc/login.defs
The DoD requirement is 15.
+
+platform: shadow-utils
-diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_warn_age_login_defs.rule b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_warn_age_login_defs.rule
+diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_warn_age_login_defs/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_warn_age_login_defs/rule.yml
index d8947ad9fd..85b5cd762f 100644
---- a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_warn_age_login_defs.rule
-+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_warn_age_login_defs.rule
+--- a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_warn_age_login_defs/rule.yml
++++ b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_warn_age_login_defs/rule.yml
@@ -40,3 +40,5 @@ ocil: |-
To check the password warning age, run the command:
    $ grep PASS_WARN_AGE /etc/login.defs
The DoD requirement is 7.
+
+platform: shadow-utils
-diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_logon_fail_delay.rule b/linux_os/guide/system/accounts/accounts-session/accounts_logon_fail_delay.rule
+diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_logon_fail_delay/rule.yml b/linux_os/guide/system/accounts/accounts-session/accounts_logon_fail_delay/rule.yml
index 171051e138..33fc873e97 100644
---- a/linux_os/guide/system/accounts/accounts-session/accounts_logon_fail_delay.rule
-+++ b/linux_os/guide/system/accounts/accounts-session/accounts_logon_fail_delay.rule
+--- a/linux_os/guide/system/accounts/accounts-session/accounts_logon_fail_delay/rule.yml
++++ b/linux_os/guide/system/accounts/accounts-session/accounts_logon_fail_delay/rule.yml
@@ -37,3 +37,5 @@ ocil: |-
All output must show the value of FAIL_DELAY set as shown in the below:
    $ sudo grep -i "FAIL_DELAY" /etc/login.defs
    diff --git a/SOURCES/scap-security-guide-0.1.44-deduplicate_cce_assigned_to_rules.patch b/SOURCES/scap-security-guide-0.1.44-deduplicate_cce_assigned_to_rules.patch
    new file mode 100644
    index 0000000..3ca8f90
    --- /dev/null
    +++ b/SOURCES/scap-security-guide-0.1.44-deduplicate_cce_assigned_to_rules.patch
    @@ -0,0 +1,97 @@
    +commit 270af4a39fe2688fafbe3f91c383673f0fdcb2f2
    +Author: Gabriel Becker 
    +Date:   Thu Apr 25 16:43:30 2019 +0200
    +
    +    Remove duplicated assigned CCEs from rules and assign new ones to them.
    +
    +diff --git a/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_temp_expire_date/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_temp_expire_date/rule.yml
    +index 0b2e278..72b5f77 100644
    +--- a/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_temp_expire_date/rule.yml
    ++++ b/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_temp_expire_date/rule.yml
    +@@ -29,7 +29,7 @@ severity: unknown
    + 
    + identifiers:
    +     cce@rhel6: 27474-6
    +-    cce@rhel7: 27498-5
    ++    cce@rhel7: 81000-2
    + 
    + references:
    +     stigid@rhel6: RHEL-06-000297
    +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_rename/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_rename/rule.yml
    +index c25cfbb..31338ea 100644
    +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_rename/rule.yml
    ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_rename/rule.yml
    +@@ -26,7 +26,7 @@ rationale: |-
    + severity: medium
    + 
    + identifiers:
    +-    cce@rhel7: 27206-2
    ++    cce@rhel7: 80995-4
    +     cce@rhel8: 80703-2
    + 
    + references:
    +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_unlink/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_unlink/rule.yml
    +index 5b1ff7b..b11acd8 100644
    +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_unlink/rule.yml
    ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_unlink/rule.yml
    +@@ -26,7 +26,7 @@ rationale: |-
    + severity: medium
    + 
    + identifiers:
    +-    cce@rhel7: 27206-2
    ++    cce@rhel7: 80996-2
    +     cce@rhel8: 80706-5
    + 
    + references:
    +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_tallylog/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_tallylog/rule.yml
    +index 26c31e9..397e0cf 100644
    +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_tallylog/rule.yml
    ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_tallylog/rule.yml
    +@@ -25,7 +25,7 @@ rationale: |-
    + severity: medium
    + 
    + identifiers:
    +-    cce@rhel7: 80382-5
    ++    cce@rhel7: 80994-7
    +     cce@rhel8: 80720-6
    + 
    + references:
    +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/rule.yml
    +index 92564b9..f0e2d2e 100644
    +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/rule.yml
    ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/rule.yml
    +@@ -28,7 +28,7 @@ rationale: |-
    + severity: medium
    + 
    + identifiers:
    +-    cce@rhel7: 80381-7
    ++    cce@rhel7: 80997-0
    +     cce@rhel8: 80744-6
    + 
    + references:
    +diff --git a/linux_os/guide/system/network/network-firewalld/firewalld_activation/service_firewalld_enabled/rule.yml b/linux_os/guide/system/network/network-firewalld/firewalld_activation/service_firewalld_enabled/rule.yml
    +index edc747c..6309aee 100644
    +--- a/linux_os/guide/system/network/network-firewalld/firewalld_activation/service_firewalld_enabled/rule.yml
    ++++ b/linux_os/guide/system/network/network-firewalld/firewalld_activation/service_firewalld_enabled/rule.yml
    +@@ -14,7 +14,7 @@ rationale: |-
    + severity: medium
    + 
    + identifiers:
    +-    cce@rhel7: 27361-5
    ++    cce@rhel7: 80998-8
    +     cce@rhel8: 80877-4
    + 
    + references:
    +diff --git a/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_conf_default_send_redirects/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_conf_default_send_redirects/rule.yml
    +index 44174ba..45db89d 100644
    +--- a/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_conf_default_send_redirects/rule.yml
    ++++ b/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_conf_default_send_redirects/rule.yml
    +@@ -17,7 +17,7 @@ severity: medium
    + 
    + identifiers:
    +     cce@rhel6: 27001-7
    +-    cce@rhel7: 80156-3
    ++    cce@rhel7: 80999-6
    +     cce@rhel8: 80921-0
    + 
    + references:
    diff --git a/SOURCES/scap-security-guide-0.1.44-deduplicate_cce_assigned_to_rules2.patch b/SOURCES/scap-security-guide-0.1.44-deduplicate_cce_assigned_to_rules2.patch
    new file mode 100644
    index 0000000..4decb97
    --- /dev/null
    +++ b/SOURCES/scap-security-guide-0.1.44-deduplicate_cce_assigned_to_rules2.patch
    @@ -0,0 +1,80 @@
    +From 74177471031fb6c4348c28b2bdda72999d9f52bf Mon Sep 17 00:00:00 2001
    +From: Gabriel Becker 
    +Date: Thu, 9 May 2019 17:23:36 +0200
    +Subject: [PATCH] Deduplicate CCE from rule force_opensc_card_drivers.
    +
    +---
    + .../smart_card_login/force_opensc_card_drivers/rule.yml         | 2 +-
    + shared/references/cce-rhel-avail.txt                          | 1 -
    + 2 files changed, 1 insertion(+), 2 deletions(-)
    +
    +diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/force_opensc_card_drivers/rule.yml b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/force_opensc_card_drivers/rule.yml
    +index 717b570f05..cc934eb0cb 100644
    +--- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/force_opensc_card_drivers/rule.yml
    ++++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/force_opensc_card_drivers/rule.yml
    +@@ -27,7 +27,7 @@ rationale: |-
    + severity: medium
    + 
    + identifiers:
    +-    cce@rhel7: 80207-4
    ++    cce@rhel7: 81002-8
    +     cce@rhel8: 80821-2
    + 
    + references:
    +diff --git a/shared/references/cce-rhel-avail.txt b/shared/references/cce-rhel-avail.txt
    +index a08b2ed5dc..3cc6d0a916 100644
    +--- a/shared/references/cce-rhel-avail.txt
    ++++ b/shared/references/cce-rhel-avail.txt
    +@@ -1,52 +1,3 @@
    +-CCE-80954-1
    +-CCE-80955-8
    +-CCE-80956-6
    +-CCE-80957-4
    +-CCE-80958-2
    +-CCE-80959-0
    +-CCE-80960-8
    +-CCE-80961-6
    +-CCE-80962-4
    +-CCE-80963-2
    +-CCE-80964-0
    +-CCE-80965-7
    +-CCE-80966-5
    +-CCE-80967-3
    +-CCE-80968-1
    +-CCE-80969-9
    +-CCE-80970-7
    +-CCE-80971-5
    +-CCE-80972-3
    +-CCE-80973-1
    +-CCE-80974-9
    +-CCE-80975-6
    +-CCE-80976-4
    +-CCE-80977-2
    +-CCE-80978-0
    +-CCE-80979-8
    +-CCE-80980-6
    +-CCE-80981-4
    +-CCE-80982-2
    +-CCE-80983-0
    +-CCE-80984-8
    +-CCE-80985-5
    +-CCE-80986-3
    +-CCE-80987-1
    +-CCE-80988-9
    +-CCE-80989-7
    +-CCE-80990-5
    +-CCE-80991-3
    +-CCE-80992-1
    +-CCE-80993-9
    +-CCE-80994-7
    +-CCE-80995-4
    +-CCE-80996-2
    +-CCE-80997-0
    +-CCE-80998-8
    +-CCE-80999-6
    +-CCE-81000-2
    +-CCE-81001-0
    +-CCE-81002-8
    + CCE-81003-6
    + CCE-81004-4
    + CCE-81005-1
    diff --git a/SOURCES/scap-security-guide-0.1.44-fix_ansible_sssd_tasks.patch b/SOURCES/scap-security-guide-0.1.44-fix_ansible_sssd_tasks.patch
    new file mode 100644
    index 0000000..43034fb
    --- /dev/null
    +++ b/SOURCES/scap-security-guide-0.1.44-fix_ansible_sssd_tasks.patch
    @@ -0,0 +1,415 @@
    +From b3a0d725611897e2aa1577cc64c58572703f9d21 Mon Sep 17 00:00:00 2001
    +From: Watson Sato 
    +Date: Thu, 14 Mar 2019 17:07:13 +0100
    +Subject: [PATCH 1/5] Create /etc/sssd/sssd/conf with correct permissions
    +
    +Only owner of file should be able to access it.
    +---
    + .../sssd-ldap/sssd_ldap_configure_tls_ca_dir/ansible/shared.yml | 2 ++
    + .../sssd/sssd-ldap/sssd_ldap_start_tls/ansible/shared.yml       | 2 ++
    + .../services/sssd/sssd_enable_smartcards/ansible/shared.yml     | 1 +
    + .../services/sssd/sssd_memcache_timeout/ansible/shared.yml      | 1 +
    + .../sssd/sssd_offline_cred_expiration/ansible/shared.yml        | 1 +
    + .../sssd/sssd_ssh_known_hosts_timeout/ansible/shared.yml        | 1 +
    + 6 files changed, 8 insertions(+)
    +
    +diff --git a/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_ca_dir/ansible/shared.yml b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_ca_dir/ansible/shared.yml
    +index ecea440bf..171a3d1ac 100644
    +--- a/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_ca_dir/ansible/shared.yml
    ++++ b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_ca_dir/ansible/shared.yml
    +@@ -18,6 +18,7 @@
    +     path: /etc/sssd/sssd.conf
    +     create: yes
    +     line: "[domain/default]\nldap_tls_cacertdir = {{ var_sssd_ldap_tls_ca_dir }}\n"
    ++    mode: 0600
    +   when: test_grep_domain.stdout == "" and @ANSIBLE_PLATFORM_CONDITION@
    +   tags:
    +     @ANSIBLE_TAGS@
    +@@ -28,6 +29,7 @@
    +     regexp: '^\s*ldap_tls_cacertdir'
    +     insertafter: '\s*\[domain\/[^]]*]'
    +     line: 'ldap_tls_cacertdir = {{ var_sssd_ldap_tls_ca_dir }}'
    ++    mode: 0600
    +   tags:
    +     @ANSIBLE_TAGS@
    +   @ANSIBLE_ENSURE_PLATFORM@
    +diff --git a/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_start_tls/ansible/shared.yml b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_start_tls/ansible/shared.yml
    +index 8941c953a..86915ae7d 100644
    +--- a/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_start_tls/ansible/shared.yml
    ++++ b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_start_tls/ansible/shared.yml
    +@@ -26,6 +26,7 @@
    +   lineinfile:
    +     path: /etc/sssd/sssd.conf
    +     line: "[domain/default]\nldap_id_use_start_tls = True\n"
    ++    mode: 0600
    +   when: test_grep_domain.stdout == "" and @ANSIBLE_PLATFORM_CONDITION@
    +   tags:
    +     @ANSIBLE_TAGS@
    +@@ -36,6 +37,7 @@
    +     regexp: '^\s*ldap_id_use_start_tls'
    +     insertafter: '\s*\[domain\/[^]]*]'
    +     line: 'ldap_id_use_start_tls = True'
    ++    mode: 0600
    +   tags:
    +     @ANSIBLE_TAGS@
    +   @ANSIBLE_ENSURE_PLATFORM@
    +diff --git a/linux_os/guide/services/sssd/sssd_enable_smartcards/ansible/shared.yml b/linux_os/guide/services/sssd/sssd_enable_smartcards/ansible/shared.yml
    +index a42f8ec20..b4ec2b6a1 100644
    +--- a/linux_os/guide/services/sssd/sssd_enable_smartcards/ansible/shared.yml
    ++++ b/linux_os/guide/services/sssd/sssd_enable_smartcards/ansible/shared.yml
    +@@ -10,6 +10,7 @@
    +     option: pam_cert_auth
    +     value: true
    +     create: yes
    ++    mode: 0600
    +   tags:
    +     @ANSIBLE_TAGS@
    +   @ANSIBLE_ENSURE_PLATFORM@
    +diff --git a/linux_os/guide/services/sssd/sssd_memcache_timeout/ansible/shared.yml b/linux_os/guide/services/sssd/sssd_memcache_timeout/ansible/shared.yml
    +index 88abc9346..29d8bced6 100644
    +--- a/linux_os/guide/services/sssd/sssd_memcache_timeout/ansible/shared.yml
    ++++ b/linux_os/guide/services/sssd/sssd_memcache_timeout/ansible/shared.yml
    +@@ -12,6 +12,7 @@
    +     option: memcache_timeout
    +     value: "{{ var_sssd_memcache_timeout }}"
    +     create: yes
    ++    mode: 0600
    +   tags:
    +     @ANSIBLE_TAGS@
    +   @ANSIBLE_ENSURE_PLATFORM@
    +diff --git a/linux_os/guide/services/sssd/sssd_offline_cred_expiration/ansible/shared.yml b/linux_os/guide/services/sssd/sssd_offline_cred_expiration/ansible/shared.yml
    +index 01d8a94c2..e999417c6 100644
    +--- a/linux_os/guide/services/sssd/sssd_offline_cred_expiration/ansible/shared.yml
    ++++ b/linux_os/guide/services/sssd/sssd_offline_cred_expiration/ansible/shared.yml
    +@@ -10,6 +10,7 @@
    +     option: offline_credentials_expiration
    +     value: 1
    +     create: yes
    ++    mode: 0600
    +   tags:
    +     @ANSIBLE_TAGS@
    +   @ANSIBLE_ENSURE_PLATFORM@
    +diff --git a/linux_os/guide/services/sssd/sssd_ssh_known_hosts_timeout/ansible/shared.yml b/linux_os/guide/services/sssd/sssd_ssh_known_hosts_timeout/ansible/shared.yml
    +index 6f9673f75..f4d4d11da 100644
    +--- a/linux_os/guide/services/sssd/sssd_ssh_known_hosts_timeout/ansible/shared.yml
    ++++ b/linux_os/guide/services/sssd/sssd_ssh_known_hosts_timeout/ansible/shared.yml
    +@@ -10,6 +10,7 @@
    +     option: ssh_known_hosts_timeout
    +     value: 86400
    +     create: yes
    ++    mode: 0600
    +   tags:
    +     @ANSIBLE_TAGS@
    +   @ANSIBLE_ENSURE_PLATFORM@
    +-- 
    +2.20.1
    +
    +
    +From be5a09c6dc83f16654022a0c006b210020a5ba7c Mon Sep 17 00:00:00 2001
    +From: Watson Sato 
    +Date: Thu, 14 Mar 2019 17:12:39 +0100
    +Subject: [PATCH 2/5] Use ini_file to deal with sssd config file
    +
    +Much simpler then lineinfile module
    +---
    + .../sssd_ldap_configure_tls_ca_dir/ansible/shared.yml | 11 ++++++-----
    + .../sssd-ldap/sssd_ldap_start_tls/ansible/shared.yml  | 11 ++++++-----
    + 2 files changed, 12 insertions(+), 10 deletions(-)
    +
    +diff --git a/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_ca_dir/ansible/shared.yml b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_ca_dir/ansible/shared.yml
    +index 171a3d1ac..1689e2b43 100644
    +--- a/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_ca_dir/ansible/shared.yml
    ++++ b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_ca_dir/ansible/shared.yml
    +@@ -24,13 +24,14 @@
    +     @ANSIBLE_TAGS@
    + 
    + - name: "Configure LDAPs path to CA directory"
    +-  lineinfile:
    ++  ini_file:
    +     path: /etc/sssd/sssd.conf
    +-    regexp: '^\s*ldap_tls_cacertdir'
    +-    insertafter: '\s*\[domain\/[^]]*]'
    +-    line: 'ldap_tls_cacertdir = {{ var_sssd_ldap_tls_ca_dir }}'
    ++    section: "{{ test_grep_domain.stdout | regex_replace('\\[(.*)\\]','\\1') }}"
    ++    option: ldap_tls_cacertdir
    ++    value: "{{ var_sssd_ldap_tls_ca_dir }}"
    ++    create: yes
    +     mode: 0600
    ++  when: test_grep_domain.stdout == "" and @ANSIBLE_PLATFORM_CONDITION@
    +   tags:
    +     @ANSIBLE_TAGS@
    +-  @ANSIBLE_ENSURE_PLATFORM@
    + 
    +diff --git a/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_start_tls/ansible/shared.yml b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_start_tls/ansible/shared.yml
    +index 86915ae7d..dbf546013 100644
    +--- a/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_start_tls/ansible/shared.yml
    ++++ b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_start_tls/ansible/shared.yml
    +@@ -32,12 +32,13 @@
    +     @ANSIBLE_TAGS@
    + 
    + - name: "Configure LDAP to use STARTTLS"
    +-  lineinfile:
    ++  ini_file:
    +     path: /etc/sssd/sssd.conf
    +-    regexp: '^\s*ldap_id_use_start_tls'
    +-    insertafter: '\s*\[domain\/[^]]*]'
    +-    line: 'ldap_id_use_start_tls = True'
    ++    section: "{{ test_grep_domain.stdout | regex_replace('[(.*)]','\\1') }}"
    ++    option: ldap_id_use_start_tls
    ++    value: true
    ++    create: yes
    +     mode: 0600
    ++  when: test_grep_domain.stdout == "" and @ANSIBLE_PLATFORM_CONDITION@
    +   tags:
    +     @ANSIBLE_TAGS@
    +-  @ANSIBLE_ENSURE_PLATFORM@
    +-- 
    +2.20.1
    +
    +
    +From 857818d224c97e9cda954b76126b2cd8055901fa Mon Sep 17 00:00:00 2001
    +From: Watson Sato 
    +Date: Thu, 14 Mar 2019 17:13:30 +0100
    +Subject: [PATCH 3/5] Use variable for ssh timeout
    +
    +---
    + .../sssd/sssd_ssh_known_hosts_timeout/ansible/shared.yml      | 4 +++-
    + 1 file changed, 3 insertions(+), 1 deletion(-)
    +
    +diff --git a/linux_os/guide/services/sssd/sssd_ssh_known_hosts_timeout/ansible/shared.yml b/linux_os/guide/services/sssd/sssd_ssh_known_hosts_timeout/ansible/shared.yml
    +index f4d4d11da..8f3d0029c 100644
    +--- a/linux_os/guide/services/sssd/sssd_ssh_known_hosts_timeout/ansible/shared.yml
    ++++ b/linux_os/guide/services/sssd/sssd_ssh_known_hosts_timeout/ansible/shared.yml
    +@@ -3,12 +3,14 @@
    + # strategy = unknown
    + # complexity = low
    + # disruption = medium
    ++- (xccdf-var sshd_idle_timeout_value)
    ++
    + - name: "Configure SSSD to Expire SSH Known Hosts"
    +   ini_file:
    +     dest: /etc/sssd/sssd.conf
    +     section: ssh
    +     option: ssh_known_hosts_timeout
    +-    value: 86400
    ++    value: "{{ sshd_idle_timeout_value }}"
    +     create: yes
    +     mode: 0600
    +   tags:
    +-- 
    +2.20.1
    +
    +
    +From 4192b0982084c057b594acc508a5e3dc66549d60 Mon Sep 17 00:00:00 2001
    +From: Watson Sato 
    +Date: Thu, 14 Mar 2019 17:23:30 +0100
    +Subject: [PATCH 4/5] Add minimal functional default/domain
    +
    +Add domain and its required keys with default value for sssd service to
    +start
    +---
    + .../ansible/shared.yml                        | 10 ++++++++--
    + .../sssd_ldap_start_tls/ansible/shared.yml    | 12 ++++++++++--
    + .../sssd_enable_smartcards/ansible/shared.yml | 18 ++++++++++++++++++
    + .../sssd_memcache_timeout/ansible/shared.yml  | 19 +++++++++++++++++++
    + .../ansible/shared.yml                        | 19 +++++++++++++++++++
    + .../ansible/shared.yml                        | 19 +++++++++++++++++++
    + 6 files changed, 93 insertions(+), 4 deletions(-)
    +
    +diff --git a/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_ca_dir/ansible/shared.yml b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_ca_dir/ansible/shared.yml
    +index 1689e2b43..fe1a9ac07 100644
    +--- a/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_ca_dir/ansible/shared.yml
    ++++ b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_ca_dir/ansible/shared.yml
    +@@ -14,11 +14,17 @@
    +   @ANSIBLE_ENSURE_PLATFORM@
    + 
    + - name: "Add default domain group and set CA directory (if no domain there)"
    +-  lineinfile:
    ++  ini_file:
    +     path: /etc/sssd/sssd.conf
    ++    section: "{{ item.section }}"
    ++    option: "{{ item.option }}"
    ++    value: "{{ item.value }}"
    +     create: yes
    +-    line: "[domain/default]\nldap_tls_cacertdir = {{ var_sssd_ldap_tls_ca_dir }}\n"
    +     mode: 0600
    ++  with_items:
    ++    - { section: sssd, option: domains, value: default}
    ++    - { section: domain/default, option: id_provider, value: files }
    ++    - { section: domain/default, option: ldap_tls_cacertdir, value: "{{ var_sssd_ldap_tls_ca_dir }}" }
    +   when: test_grep_domain.stdout == "" and @ANSIBLE_PLATFORM_CONDITION@
    +   tags:
    +     @ANSIBLE_TAGS@
    +diff --git a/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_start_tls/ansible/shared.yml b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_start_tls/ansible/shared.yml
    +index dbf546013..9ebc53e0f 100644
    +--- a/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_start_tls/ansible/shared.yml
    ++++ b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_start_tls/ansible/shared.yml
    +@@ -23,10 +23,18 @@
    +   @ANSIBLE_ENSURE_PLATFORM@
    + 
    + - name: "Add default domain group and use STARTTLS (if no domain there)"
    +-  lineinfile:
    ++  ini_file:
    +     path: /etc/sssd/sssd.conf
    +-    line: "[domain/default]\nldap_id_use_start_tls = True\n"
    ++    section: domain/default
    ++    section: "{{ item.section }}"
    ++    option: "{{ item.option }}"
    ++    value: "{{ item.value }}"
    ++    create: yes
    +     mode: 0600
    ++  with_items:
    ++    - { section: sssd, option: domains, value: default}
    ++    - { section: domain/default, option: id_provider, value: files }
    ++    - { section: domain/default, option: ldap_id_use_start_tls, value: true}
    +   when: test_grep_domain.stdout == "" and @ANSIBLE_PLATFORM_CONDITION@
    +   tags:
    +     @ANSIBLE_TAGS@
    +diff --git a/linux_os/guide/services/sssd/sssd_enable_smartcards/ansible/shared.yml b/linux_os/guide/services/sssd/sssd_enable_smartcards/ansible/shared.yml
    +index b4ec2b6a1..f6dbdf429 100644
    +--- a/linux_os/guide/services/sssd/sssd_enable_smartcards/ansible/shared.yml
    ++++ b/linux_os/guide/services/sssd/sssd_enable_smartcards/ansible/shared.yml
    +@@ -3,6 +3,24 @@
    + # strategy = configure
    + # complexity = low
    + # disruption = medium
    ++- name: "Test for domain group"
    ++  shell: grep '\s*\[domain\/[^]]*]' /etc/sssd/sssd.conf
    ++  register: test_grep_domain
    ++  ignore_errors: yes
    ++  changed_when: False
    ++
    ++- name: "Add default domain group (if no domain there)"
    ++  ini_file:
    ++    path: /etc/sssd/sssd.conf
    ++    section: "{{ item.section }}"
    ++    option: "{{ item.option }}"
    ++    value: "{{ item.value }}"
    ++    create: yes
    ++    mode: 0600
    ++  with_items:
    ++    - { section: sssd, option: domains, value: default}
    ++    - { section: domain/default, option: id_provider, value: files }
    ++  when: test_grep_domain.stdout == ""
    + - name: "Enable Smartcards in SSSD"
    +   ini_file:
    +     dest: /etc/sssd/sssd.conf
    +diff --git a/linux_os/guide/services/sssd/sssd_memcache_timeout/ansible/shared.yml b/linux_os/guide/services/sssd/sssd_memcache_timeout/ansible/shared.yml
    +index 29d8bced6..3cf2af44e 100644
    +--- a/linux_os/guide/services/sssd/sssd_memcache_timeout/ansible/shared.yml
    ++++ b/linux_os/guide/services/sssd/sssd_memcache_timeout/ansible/shared.yml
    +@@ -5,6 +5,25 @@
    + # disruption = medium
    + - (xccdf-var var_sssd_memcache_timeout)
    + 
    ++- name: "Test for domain group"
    ++  shell: grep '\s*\[domain\/[^]]*]' /etc/sssd/sssd.conf
    ++  register: test_grep_domain
    ++  ignore_errors: yes
    ++  changed_when: False
    ++
    ++- name: "Add default domain group (if no domain there)"
    ++  ini_file:
    ++    path: /etc/sssd/sssd.conf
    ++    section: "{{ item.section }}"
    ++    option: "{{ item.option }}"
    ++    value: "{{ item.value }}"
    ++    create: yes
    ++    mode: 0600
    ++  with_items:
    ++    - { section: sssd, option: domains, value: default}
    ++    - { section: domain/default, option: id_provider, value: files }
    ++  when: test_grep_domain.stdout == ""
    ++
    + - name: "Configure SSSD's Memory Cache to Expire"
    +   ini_file:
    +     dest: /etc/sssd/sssd.conf
    +diff --git a/linux_os/guide/services/sssd/sssd_offline_cred_expiration/ansible/shared.yml b/linux_os/guide/services/sssd/sssd_offline_cred_expiration/ansible/shared.yml
    +index e999417c6..f2cddfd2a 100644
    +--- a/linux_os/guide/services/sssd/sssd_offline_cred_expiration/ansible/shared.yml
    ++++ b/linux_os/guide/services/sssd/sssd_offline_cred_expiration/ansible/shared.yml
    +@@ -3,6 +3,25 @@
    + # strategy = configure
    + # complexity = low
    + # disruption = medium
    ++- name: "Test for domain group"
    ++  shell: grep '\s*\[domain\/[^]]*]' /etc/sssd/sssd.conf
    ++  register: test_grep_domain
    ++  ignore_errors: yes
    ++  changed_when: False
    ++
    ++- name: "Add default domain group (if no domain there)"
    ++  ini_file:
    ++    path: /etc/sssd/sssd.conf
    ++    section: "{{ item.section }}"
    ++    option: "{{ item.option }}"
    ++    value: "{{ item.value }}"
    ++    create: yes
    ++    mode: 0600
    ++  with_items:
    ++    - { section: sssd, option: domains, value: default}
    ++    - { section: domain/default, option: id_provider, value: files }
    ++  when: test_grep_domain.stdout == ""
    ++
    + - name: "Configure SSD to Expire Offline Credentials"
    +   ini_file:
    +     dest: /etc/sssd/sssd.conf
    +diff --git a/linux_os/guide/services/sssd/sssd_ssh_known_hosts_timeout/ansible/shared.yml b/linux_os/guide/services/sssd/sssd_ssh_known_hosts_timeout/ansible/shared.yml
    +index 8f3d0029c..61bd79856 100644
    +--- a/linux_os/guide/services/sssd/sssd_ssh_known_hosts_timeout/ansible/shared.yml
    ++++ b/linux_os/guide/services/sssd/sssd_ssh_known_hosts_timeout/ansible/shared.yml
    +@@ -5,6 +5,25 @@
    + # disruption = medium
    + - (xccdf-var sshd_idle_timeout_value)
    + 
    ++- name: "Test for domain group"
    ++  shell: grep '\s*\[domain\/[^]]*]' /etc/sssd/sssd.conf
    ++  register: test_grep_domain
    ++  ignore_errors: yes
    ++  changed_when: False
    ++
    ++- name: "Add default domain group (if no domain there)"
    ++  ini_file:
    ++    path: /etc/sssd/sssd.conf
    ++    section: "{{ item.section }}"
    ++    option: "{{ item.option }}"
    ++    value: "{{ item.value }}"
    ++    create: yes
    ++    mode: 0600
    ++  with_items:
    ++    - { section: sssd, option: domains, value: default}
    ++    - { section: domain/default, option: id_provider, value: files }
    ++  when: test_grep_domain.stdout == ""
    ++
    + - name: "Configure SSSD to Expire SSH Known Hosts"
    +   ini_file:
    +     dest: /etc/sssd/sssd.conf
    +-- 
    +2.20.1
    +
    +
    +From 48a230730a07d8a496c5cfe050934f24e031818a Mon Sep 17 00:00:00 2001
    +From: Watson Sato 
    +Date: Fri, 15 Mar 2019 11:42:39 +0100
    +Subject: [PATCH 5/5] Escape square brackes in regex_replace
    +
    +---
    + .../sssd/sssd-ldap/sssd_ldap_start_tls/ansible/shared.yml       | 2 +-
    + 1 file changed, 1 insertion(+), 1 deletion(-)
    +
    +diff --git a/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_start_tls/ansible/shared.yml b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_start_tls/ansible/shared.yml
    +index 9ebc53e0f..d0ecf8590 100644
    +--- a/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_start_tls/ansible/shared.yml
    ++++ b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_start_tls/ansible/shared.yml
    +@@ -42,7 +42,7 @@
    + - name: "Configure LDAP to use STARTTLS"
    +   ini_file:
    +     path: /etc/sssd/sssd.conf
    +-    section: "{{ test_grep_domain.stdout | regex_replace('[(.*)]','\\1') }}"
    ++    section: "{{ test_grep_domain.stdout | regex_replace('\\[(.*)\\]','\\1') }}"
    +     option: ldap_id_use_start_tls
    +     value: true
    +     create: yes
    +-- 
    +2.20.1
    +
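Review bot: The `when: test_grep_domain.stdout == "" and @ANSIBLE_PLATFORM_CONDITION@` added to the "Configure LDAPs path to CA directory" and "Configure LDAP to use STARTTLS" tasks in PATCH 2/5 looks inverted: both tasks derive `section` from `test_grep_domain.stdout`, so they only make sense when a `[domain/...]` group was found, yet they now run only when grep returned nothing (the section renders as an empty string) and are skipped whenever a domain exists. The preceding "Add default domain group" tasks already cover the empty case, so the condition should read `when: test_grep_domain.stdout != "" and @ANSIBLE_PLATFORM_CONDITION@`; PATCH 5/5 fixes only the bracket escaping and leaves this in place. In PATCH 4/5 the sssd_ldap_start_tls task also carries two `section:` keys (`section: domain/default` immediately followed by `section: "{{ item.section }}"`); YAML loaders silently keep only one of them, so the literal line should be dropped. If sssd.conf holds more than one domain group, `test_grep_domain.stdout` is multi-line and the `regex_replace` yields a multi-line section name, so either pick one line (e.g. `test_grep_domain.stdout_lines[0]`) or document the single-domain assumption.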
    diff --git a/SOURCES/scap-security-guide-0.1.44-fix_no_direct_root_logins_changed_when.patch b/SOURCES/scap-security-guide-0.1.44-fix_no_direct_root_logins_changed_when.patch
    new file mode 100644
    index 0000000..8fab28c
    --- /dev/null
    +++ b/SOURCES/scap-security-guide-0.1.44-fix_no_direct_root_logins_changed_when.patch
    @@ -0,0 +1,23 @@
    +From 568ef0aecb14fc7a12255f207e407130d2980c42 Mon Sep 17 00:00:00 2001
    +From: Watson Sato 
    +Date: Thu, 28 Feb 2019 16:08:41 +0100
    +Subject: [PATCH] Do not compare int and str
    +
    +securetty_empty.stat.size is int type.
    +---
    + .../root_logins/no_direct_root_logins/ansible/shared.yml        | 2 +-
    + 1 file changed, 1 insertion(+), 1 deletion(-)
    +
    +diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/ansible/shared.yml
    +index 397420f979..cf35f07bb4 100644
    +--- a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/ansible/shared.yml
    ++++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/ansible/shared.yml
    +@@ -10,7 +10,7 @@
    + 
    + - name: "Direct root Logins Not Allowed"
    +   shell: echo > /etc/securetty
    +-  changed_when: securetty_empty.stat.size > "1"
    ++  changed_when: securetty_empty.stat.size > 1
    +   tags:
    +     @ANSIBLE_TAGS@
    +   @ANSIBLE_ENSURE_PLATFORM@
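Review bot: `changed_when: securetty_empty.stat.size > 1` still assumes `securetty_empty.stat.size` is defined; if `/etc/securetty` is absent when the registering `stat` task (outside this hunk) runs, the `stat` result carries no `size` and the conditional fails after the shell command has already run, so guard it with `changed_when: securetty_empty.stat.exists and securetty_empty.stat.size > 1`. The `shell: echo > /etc/securetty` step would also be simpler as `copy: {content: "\n", dest: /etc/securetty}`, which is idempotent and reports its own change status, making the size comparison and the separate stat unnecessary.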
    diff --git a/SOURCES/scap-security-guide-0.1.44-fix_removed_sebooleans.patch b/SOURCES/scap-security-guide-0.1.44-fix_removed_sebooleans.patch
    new file mode 100644
    index 0000000..2715316
    --- /dev/null
    +++ b/SOURCES/scap-security-guide-0.1.44-fix_removed_sebooleans.patch
    @@ -0,0 +1,707 @@
    +From ca2288e312d232d058d6985d541353719a1800e9 Mon Sep 17 00:00:00 2001
    +From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= 
    +Date: Tue, 12 Mar 2019 08:47:50 +0100
    +Subject: [PATCH 1/6] Rename SELinux Boolean docker_connect_any
    +
    +The SELinux Boolean docker_connect_any has been renamed to
    +container_connect_any in both RHEL7 and RHEL8.
    +---
    + .../sebool_container_connect_any/rule.yml        | 16 ++++++++++++++++
    + .../sebool_docker_connect_any/rule.yml           | 16 ----------------
    + ...ect_any.var => var_container_connect_any.var} |  2 +-
    + rhel7/templates/csv/selinux_booleans.csv         |  2 +-
    + rhv4/templates/csv/selinux_booleans.csv          |  2 +-
    + 5 files changed, 19 insertions(+), 19 deletions(-)
    + create mode 100644 linux_os/guide/system/selinux/selinux-booleans/sebool_container_connect_any/rule.yml
    + delete mode 100644 linux_os/guide/system/selinux/selinux-booleans/sebool_docker_connect_any/rule.yml
    + rename linux_os/guide/system/selinux/selinux-booleans/{var_docker_connect_any.var => var_container_connect_any.var} (86%)
    +
    +diff --git a/linux_os/guide/system/selinux/selinux-booleans/sebool_container_connect_any/rule.yml b/linux_os/guide/system/selinux/selinux-booleans/sebool_container_connect_any/rule.yml
    +new file mode 100644
    +index 0000000000..cb715fa66e
    +--- /dev/null
    ++++ b/linux_os/guide/system/selinux/selinux-booleans/sebool_container_connect_any/rule.yml
    +@@ -0,0 +1,16 @@
    ++documentation_complete: true
    ++
    ++prodtype: rhel7,rhel8
    ++
    ++title: 'Disable the container_connect_any SELinux Boolean'
    ++
    ++description: |-
    ++    By default, the SELinux boolean container_connect_any is disabled.
    ++    If this setting is enabled, it should be disabled.
    ++    {{{ describe_sebool_disable(sebool="container_connect_any") }}}
    ++
    ++rationale: ""
    ++
    ++severity: medium
    ++
    ++{{{ complete_ocil_entry_sebool_disabled(sebool="container_connect_any") }}}
    +diff --git a/linux_os/guide/system/selinux/selinux-booleans/sebool_docker_connect_any/rule.yml b/linux_os/guide/system/selinux/selinux-booleans/sebool_docker_connect_any/rule.yml
    +deleted file mode 100644
    +index 7c2a65d076..0000000000
    +--- a/linux_os/guide/system/selinux/selinux-booleans/sebool_docker_connect_any/rule.yml
    ++++ /dev/null
    +@@ -1,16 +0,0 @@
    +-documentation_complete: true
    +-
    +-prodtype: rhel7,rhel8
    +-
    +-title: 'Disable the docker_connect_any SELinux Boolean'
    +-
    +-description: |-
    +-    By default, the SELinux boolean docker_connect_any is disabled.
    +-    If this setting is enabled, it should be disabled.
    +-    {{{ describe_sebool_disable(sebool="docker_connect_any") }}}
    +-
    +-rationale: ""
    +-
    +-severity: medium
    +-
    +-{{{ complete_ocil_entry_sebool_disabled(sebool="docker_connect_any") }}}
    +diff --git a/linux_os/guide/system/selinux/selinux-booleans/var_docker_connect_any.var b/linux_os/guide/system/selinux/selinux-booleans/var_container_connect_any.var
    +similarity index 86%
    +rename from linux_os/guide/system/selinux/selinux-booleans/var_docker_connect_any.var
    +rename to linux_os/guide/system/selinux/selinux-booleans/var_container_connect_any.var
    +index 24af7183da..baad46a636 100644
    +--- a/linux_os/guide/system/selinux/selinux-booleans/var_docker_connect_any.var
    ++++ b/linux_os/guide/system/selinux/selinux-booleans/var_container_connect_any.var
    +@@ -1,6 +1,6 @@
    + documentation_complete: true
    + 
    +-title: 'docker_connect_any SELinux Boolean'
    ++title: 'container_connect_any SELinux Boolean'
    + 
    + description: |-
    +     default - Default SELinux boolean setting.
    +diff --git a/rhel7/templates/csv/selinux_booleans.csv b/rhel7/templates/csv/selinux_booleans.csv
    +index af220ed80a..fb0fc958c5 100644
    +--- a/rhel7/templates/csv/selinux_booleans.csv
    ++++ b/rhel7/templates/csv/selinux_booleans.csv
    +@@ -38,7 +38,7 @@ deny_execmem,use_var
    + deny_ptrace,use_var
    + dhcpc_exec_iptables,use_var
    + dhcpd_use_ldap,use_var
    +-docker_connect_any,use_var
    ++container_connect_any,use_var
    + docker_transition_unconfined,use_var
    + domain_fd_use,use_var
    + domain_kernel_load_modules,use_var
    +diff --git a/rhv4/templates/csv/selinux_booleans.csv b/rhv4/templates/csv/selinux_booleans.csv
    +index af220ed80a..fb0fc958c5 100644
    +--- a/rhv4/templates/csv/selinux_booleans.csv
    ++++ b/rhv4/templates/csv/selinux_booleans.csv
    +@@ -38,7 +38,7 @@ deny_execmem,use_var
    + deny_ptrace,use_var
    + dhcpc_exec_iptables,use_var
    + dhcpd_use_ldap,use_var
    +-docker_connect_any,use_var
    ++container_connect_any,use_var
    + docker_transition_unconfined,use_var
    + domain_fd_use,use_var
    + domain_kernel_load_modules,use_var
    +
    +From 8707ae7560c1a786b702281592968df28a743a01 Mon Sep 17 00:00:00 2001
    +From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= 
    +Date: Tue, 12 Mar 2019 08:57:23 +0100
    +Subject: [PATCH 2/6] Remove SELinux boolean docker_transition_unconfined
    +
    +The SELinux boolean docker_transition_unconfined has been
    +completely removed from SELinux without any replacement.
    +---
    + .../rule.yml                                  | 16 ----------------
    + .../var_docker_transition_unconfined.var      | 19 -------------------
    + rhel7/templates/csv/selinux_booleans.csv      |  1 -
    + rhv4/templates/csv/selinux_booleans.csv       |  1 -
    + 4 files changed, 37 deletions(-)
    + delete mode 100644 linux_os/guide/system/selinux/selinux-booleans/sebool_docker_transition_unconfined/rule.yml
    + delete mode 100644 linux_os/guide/system/selinux/selinux-booleans/var_docker_transition_unconfined.var
    +
    +diff --git a/linux_os/guide/system/selinux/selinux-booleans/sebool_docker_transition_unconfined/rule.yml b/linux_os/guide/system/selinux/selinux-booleans/sebool_docker_transition_unconfined/rule.yml
    +deleted file mode 100644
    +index 16792a395b..0000000000
    +--- a/linux_os/guide/system/selinux/selinux-booleans/sebool_docker_transition_unconfined/rule.yml
    ++++ /dev/null
    +@@ -1,16 +0,0 @@
    +-documentation_complete: true
    +-
    +-prodtype: rhel7,rhel8
    +-
    +-title: 'Enable the docker_transition_unconfined SELinux Boolean'
    +-
    +-description: |-
    +-    By default, the SELinux boolean docker_transition_unconfined is enabled.
    +-    If this setting is disabled, it should be enabled.
    +-    {{{ describe_sebool_enable(sebool="docker_transition_unconfined") }}}
    +-
    +-rationale: ""
    +-
    +-severity: medium
    +-
    +-{{{ complete_ocil_entry_sebool_enabled(sebool="docker_transition_unconfined") }}}
    +diff --git a/linux_os/guide/system/selinux/selinux-booleans/var_docker_transition_unconfined.var b/linux_os/guide/system/selinux/selinux-booleans/var_docker_transition_unconfined.var
    +deleted file mode 100644
    +index cf66e5e915..0000000000
    +--- a/linux_os/guide/system/selinux/selinux-booleans/var_docker_transition_unconfined.var
    ++++ /dev/null
    +@@ -1,19 +0,0 @@
    +-documentation_complete: true
    +-
    +-title: 'docker_transition_unconfined SELinux Boolean'
    +-
    +-description: |-
    +-    default - Default SELinux boolean setting.
    +-    
    on - SELinux boolean is enabled. +-
    off - SELinux boolean is disabled.
+-
+-type: boolean
+-
+-operator: equals
+-
+-interactive: false
+-
+-options:
+- default: true
+- off: false
+- on: true
+diff --git a/rhel7/templates/csv/selinux_booleans.csv b/rhel7/templates/csv/selinux_booleans.csv
+index fb0fc958c5..8a5d34cffa 100644
+--- a/rhel7/templates/csv/selinux_booleans.csv
++++ b/rhel7/templates/csv/selinux_booleans.csv
+@@ -39,7 +39,6 @@ deny_ptrace,use_var
+ dhcpc_exec_iptables,use_var
+ dhcpd_use_ldap,use_var
+ container_connect_any,use_var
+-docker_transition_unconfined,use_var
+ domain_fd_use,use_var
+ domain_kernel_load_modules,use_var
+ entropyd_use_audio,use_var
+diff --git a/rhv4/templates/csv/selinux_booleans.csv b/rhv4/templates/csv/selinux_booleans.csv
+index fb0fc958c5..8a5d34cffa 100644
+--- a/rhv4/templates/csv/selinux_booleans.csv
++++ b/rhv4/templates/csv/selinux_booleans.csv
+@@ -39,7 +39,6 @@ deny_ptrace,use_var
+ dhcpc_exec_iptables,use_var
+ dhcpd_use_ldap,use_var
+ container_connect_any,use_var
+-docker_transition_unconfined,use_var
+ domain_fd_use,use_var
+ domain_kernel_load_modules,use_var
+ entropyd_use_audio,use_var
+
+From a794b4a365001fbe6b5aed4bf9b8169a6a9dea53 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?=
+Date: Tue, 12 Mar 2019 09:02:59 +0100
+Subject: [PATCH 3/6] Remove SELinux boolean ftp_home_dir
+
+The SELinux boolean ftp_home_dir has been
+completely removed from SELinux without any replacement.
+--- + .../sebool_ftp_home_dir/rule.yml | 16 ---------------- + .../selinux-booleans/var_ftp_home_dir.var | 19 ------------------- + rhel7/templates/csv/selinux_booleans.csv | 1 - + rhv4/templates/csv/selinux_booleans.csv | 1 - + 4 files changed, 37 deletions(-) + delete mode 100644 linux_os/guide/system/selinux/selinux-booleans/sebool_ftp_home_dir/rule.yml + delete mode 100644 linux_os/guide/system/selinux/selinux-booleans/var_ftp_home_dir.var + +diff --git a/linux_os/guide/system/selinux/selinux-booleans/sebool_ftp_home_dir/rule.yml b/linux_os/guide/system/selinux/selinux-booleans/sebool_ftp_home_dir/rule.yml +deleted file mode 100644 +index 1836bc059e..0000000000 +--- a/linux_os/guide/system/selinux/selinux-booleans/sebool_ftp_home_dir/rule.yml ++++ /dev/null +@@ -1,16 +0,0 @@ +-documentation_complete: true +- +-prodtype: rhel7,rhel8 +- +-title: 'Disable the ftp_home_dir SELinux Boolean' +- +-description: |- +- By default, the SELinux boolean ftp_home_dir is disabled. +- If this setting is enabled, it should be disabled. +- {{{ describe_sebool_disable(sebool="ftp_home_dir") }}} +- +-rationale: "" +- +-severity: medium +- +-{{{ complete_ocil_entry_sebool_disabled(sebool="ftp_home_dir") }}} +diff --git a/linux_os/guide/system/selinux/selinux-booleans/var_ftp_home_dir.var b/linux_os/guide/system/selinux/selinux-booleans/var_ftp_home_dir.var +deleted file mode 100644 +index 5da7175f65..0000000000 +--- a/linux_os/guide/system/selinux/selinux-booleans/var_ftp_home_dir.var ++++ /dev/null +@@ -1,19 +0,0 @@ +-documentation_complete: true +- +-title: 'ftp_home_dir SELinux Boolean' +- +-description: |- +- default - Default SELinux boolean setting. +-
    on - SELinux boolean is enabled. +-
    off - SELinux boolean is disabled. +- +-type: boolean +- +-operator: equals +- +-interactive: false +- +-options: +- default: false +- off: false +- on: true +diff --git a/rhel7/templates/csv/selinux_booleans.csv b/rhel7/templates/csv/selinux_booleans.csv +index 8a5d34cffa..17a1f51403 100644 +--- a/rhel7/templates/csv/selinux_booleans.csv ++++ b/rhel7/templates/csv/selinux_booleans.csv +@@ -57,7 +57,6 @@ ftpd_use_cifs,use_var + ftpd_use_fusefs,use_var + ftpd_use_nfs,use_var + ftpd_use_passive_mode,use_var +-ftp_home_dir,use_var + git_cgi_enable_homedirs,use_var + git_cgi_use_cifs,use_var + git_cgi_use_nfs,use_var +diff --git a/rhv4/templates/csv/selinux_booleans.csv b/rhv4/templates/csv/selinux_booleans.csv +index 8a5d34cffa..17a1f51403 100644 +--- a/rhv4/templates/csv/selinux_booleans.csv ++++ b/rhv4/templates/csv/selinux_booleans.csv +@@ -57,7 +57,6 @@ ftpd_use_cifs,use_var + ftpd_use_fusefs,use_var + ftpd_use_nfs,use_var + ftpd_use_passive_mode,use_var +-ftp_home_dir,use_var + git_cgi_enable_homedirs,use_var + git_cgi_use_cifs,use_var + git_cgi_use_nfs,use_var + +From f71a5f81abad89505ac4e4404249cebc5cf39c89 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= +Date: Tue, 12 Mar 2019 09:19:03 +0100 +Subject: [PATCH 4/6] Remove SELinux boolean virt_sandbox_use_nfs + +The SELinux boolean virt_sandbox_use_nfs has been removed and +is superseded by virt_use_nfs which we already have in other +rule. 
+--- + .../sebool_virt_sandbox_use_nfs/rule.yml | 16 ---------------- + .../var_virt_sandbox_use_nfs.var | 19 ------------------- + rhel7/templates/csv/selinux_booleans.csv | 1 - + rhv4/templates/csv/selinux_booleans.csv | 1 - + 4 files changed, 37 deletions(-) + delete mode 100644 linux_os/guide/system/selinux/selinux-booleans/sebool_virt_sandbox_use_nfs/rule.yml + delete mode 100644 linux_os/guide/system/selinux/selinux-booleans/var_virt_sandbox_use_nfs.var + +diff --git a/linux_os/guide/system/selinux/selinux-booleans/sebool_virt_sandbox_use_nfs/rule.yml b/linux_os/guide/system/selinux/selinux-booleans/sebool_virt_sandbox_use_nfs/rule.yml +deleted file mode 100644 +index 7d553a85de..0000000000 +--- a/linux_os/guide/system/selinux/selinux-booleans/sebool_virt_sandbox_use_nfs/rule.yml ++++ /dev/null +@@ -1,16 +0,0 @@ +-documentation_complete: true +- +-prodtype: rhel7,rhel8 +- +-title: 'Disable the virt_sandbox_use_nfs SELinux Boolean' +- +-description: |- +- By default, the SELinux boolean virt_sandbox_use_nfs is disabled. +- If this setting is enabled, it should be disabled. +- {{{ describe_sebool_disable(sebool="virt_sandbox_use_nfs") }}} +- +-rationale: "" +- +-severity: medium +- +-{{{ complete_ocil_entry_sebool_disabled(sebool="virt_sandbox_use_nfs") }}} +diff --git a/linux_os/guide/system/selinux/selinux-booleans/var_virt_sandbox_use_nfs.var b/linux_os/guide/system/selinux/selinux-booleans/var_virt_sandbox_use_nfs.var +deleted file mode 100644 +index f7a0cd0679..0000000000 +--- a/linux_os/guide/system/selinux/selinux-booleans/var_virt_sandbox_use_nfs.var ++++ /dev/null +@@ -1,19 +0,0 @@ +-documentation_complete: true +- +-title: 'virt_sandbox_use_nfs SELinux Boolean' +- +-description: |- +- default - Default SELinux boolean setting. +-
    on - SELinux boolean is enabled. +-
    off - SELinux boolean is disabled. +- +-type: boolean +- +-operator: equals +- +-interactive: false +- +-options: +- default: false +- off: false +- on: true +diff --git a/rhel7/templates/csv/selinux_booleans.csv b/rhel7/templates/csv/selinux_booleans.csv +index 17a1f51403..aaf2e1a34f 100644 +--- a/rhel7/templates/csv/selinux_booleans.csv ++++ b/rhel7/templates/csv/selinux_booleans.csv +@@ -268,7 +268,6 @@ virt_sandbox_use_all_caps,use_var + virt_sandbox_use_audit,use_var + virt_sandbox_use_mknod,use_var + virt_sandbox_use_netlink,use_var +-virt_sandbox_use_nfs,use_var + virt_sandbox_use_samba,use_var + virt_sandbox_use_sys_admin,use_var + virt_transition_userdomain,use_var +diff --git a/rhv4/templates/csv/selinux_booleans.csv b/rhv4/templates/csv/selinux_booleans.csv +index 17a1f51403..aaf2e1a34f 100644 +--- a/rhv4/templates/csv/selinux_booleans.csv ++++ b/rhv4/templates/csv/selinux_booleans.csv +@@ -268,7 +268,6 @@ virt_sandbox_use_all_caps,use_var + virt_sandbox_use_audit,use_var + virt_sandbox_use_mknod,use_var + virt_sandbox_use_netlink,use_var +-virt_sandbox_use_nfs,use_var + virt_sandbox_use_samba,use_var + virt_sandbox_use_sys_admin,use_var + virt_transition_userdomain,use_var + +From 7afaf886cd99437a09b6aedd9e375ee1162155c6 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= +Date: Tue, 12 Mar 2019 09:27:35 +0100 +Subject: [PATCH 5/6] Remove SELinux boolean virt_sandbox_use_samba + +The SELinux boolean virt_sandbox_use_samba has been removed and +is superseded by virt_use_samba which we already have in other +rule. 
+--- + .../sebool_virt_sandbox_use_samba/rule.yml | 16 ---------------- + .../var_virt_sandbox_use_samba.var | 19 ------------------- + rhel7/templates/csv/selinux_booleans.csv | 1 - + rhv4/templates/csv/selinux_booleans.csv | 1 - + 4 files changed, 37 deletions(-) + delete mode 100644 linux_os/guide/system/selinux/selinux-booleans/sebool_virt_sandbox_use_samba/rule.yml + delete mode 100644 linux_os/guide/system/selinux/selinux-booleans/var_virt_sandbox_use_samba.var + +diff --git a/linux_os/guide/system/selinux/selinux-booleans/sebool_virt_sandbox_use_samba/rule.yml b/linux_os/guide/system/selinux/selinux-booleans/sebool_virt_sandbox_use_samba/rule.yml +deleted file mode 100644 +index b3ce5feb9e..0000000000 +--- a/linux_os/guide/system/selinux/selinux-booleans/sebool_virt_sandbox_use_samba/rule.yml ++++ /dev/null +@@ -1,16 +0,0 @@ +-documentation_complete: true +- +-prodtype: rhel7,rhel8 +- +-title: 'Disable the virt_sandbox_use_samba SELinux Boolean' +- +-description: |- +- By default, the SELinux boolean virt_sandbox_use_samba is disabled. +- If this setting is enabled, it should be disabled. +- {{{ describe_sebool_disable(sebool="virt_sandbox_use_samba") }}} +- +-rationale: "" +- +-severity: medium +- +-{{{ complete_ocil_entry_sebool_disabled(sebool="virt_sandbox_use_samba") }}} +diff --git a/linux_os/guide/system/selinux/selinux-booleans/var_virt_sandbox_use_samba.var b/linux_os/guide/system/selinux/selinux-booleans/var_virt_sandbox_use_samba.var +deleted file mode 100644 +index de370465dd..0000000000 +--- a/linux_os/guide/system/selinux/selinux-booleans/var_virt_sandbox_use_samba.var ++++ /dev/null +@@ -1,19 +0,0 @@ +-documentation_complete: true +- +-title: 'virt_sandbox_use_samba SELinux Boolean' +- +-description: |- +- default - Default SELinux boolean setting. +-
    on - SELinux boolean is enabled. +-
    off - SELinux boolean is disabled. +- +-type: boolean +- +-operator: equals +- +-interactive: false +- +-options: +- default: false +- off: false +- on: true +diff --git a/rhel7/templates/csv/selinux_booleans.csv b/rhel7/templates/csv/selinux_booleans.csv +index aaf2e1a34f..19a27493db 100644 +--- a/rhel7/templates/csv/selinux_booleans.csv ++++ b/rhel7/templates/csv/selinux_booleans.csv +@@ -268,7 +268,6 @@ virt_sandbox_use_all_caps,use_var + virt_sandbox_use_audit,use_var + virt_sandbox_use_mknod,use_var + virt_sandbox_use_netlink,use_var +-virt_sandbox_use_samba,use_var + virt_sandbox_use_sys_admin,use_var + virt_transition_userdomain,use_var + virt_use_comm,use_var +diff --git a/rhv4/templates/csv/selinux_booleans.csv b/rhv4/templates/csv/selinux_booleans.csv +index aaf2e1a34f..19a27493db 100644 +--- a/rhv4/templates/csv/selinux_booleans.csv ++++ b/rhv4/templates/csv/selinux_booleans.csv +@@ -268,7 +268,6 @@ virt_sandbox_use_all_caps,use_var + virt_sandbox_use_audit,use_var + virt_sandbox_use_mknod,use_var + virt_sandbox_use_netlink,use_var +-virt_sandbox_use_samba,use_var + virt_sandbox_use_sys_admin,use_var + virt_transition_userdomain,use_var + virt_use_comm,use_var + +From e0287da5af28c3357fa920a16d538ab424bd5392 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= +Date: Tue, 12 Mar 2019 10:13:10 +0100 +Subject: [PATCH 6/6] Remove sftpd_.* SELinux booleans + +SELinux booleans sftpd_anon_write, sftpd_enable_homedirs, +sftpd_full_access, sftpd_write_ssh_home have been removed from SELinux +because they were useless because openssh doesn't use sftpd_t type +anymore and it uses user's type for sftpd sessions. They haven't been +superseded by anything else. 
+--- + .../sebool_sftpd_anon_write/rule.yml | 16 ---------------- + .../sebool_sftpd_enable_homedirs/rule.yml | 16 ---------------- + .../sebool_sftpd_full_access/rule.yml | 16 ---------------- + .../sebool_sftpd_write_ssh_home/rule.yml | 16 ---------------- + .../selinux-booleans/var_sftpd_anon_write.var | 19 ------------------- + .../var_sftpd_enable_homedirs.var | 19 ------------------- + .../var_sftpd_full_access.var | 19 ------------------- + .../var_sftpd_write_ssh_home.var | 19 ------------------- + rhel7/templates/csv/selinux_booleans.csv | 4 ---- + rhv4/templates/csv/selinux_booleans.csv | 4 ---- + 10 files changed, 148 deletions(-) + delete mode 100644 linux_os/guide/system/selinux/selinux-booleans/sebool_sftpd_anon_write/rule.yml + delete mode 100644 linux_os/guide/system/selinux/selinux-booleans/sebool_sftpd_enable_homedirs/rule.yml + delete mode 100644 linux_os/guide/system/selinux/selinux-booleans/sebool_sftpd_full_access/rule.yml + delete mode 100644 linux_os/guide/system/selinux/selinux-booleans/sebool_sftpd_write_ssh_home/rule.yml + delete mode 100644 linux_os/guide/system/selinux/selinux-booleans/var_sftpd_anon_write.var + delete mode 100644 linux_os/guide/system/selinux/selinux-booleans/var_sftpd_enable_homedirs.var + delete mode 100644 linux_os/guide/system/selinux/selinux-booleans/var_sftpd_full_access.var + delete mode 100644 linux_os/guide/system/selinux/selinux-booleans/var_sftpd_write_ssh_home.var + +diff --git a/linux_os/guide/system/selinux/selinux-booleans/sebool_sftpd_anon_write/rule.yml b/linux_os/guide/system/selinux/selinux-booleans/sebool_sftpd_anon_write/rule.yml +deleted file mode 100644 +index a5327110f8..0000000000 +--- a/linux_os/guide/system/selinux/selinux-booleans/sebool_sftpd_anon_write/rule.yml ++++ /dev/null +@@ -1,16 +0,0 @@ +-documentation_complete: true +- +-prodtype: rhel7,rhel8 +- +-title: 'Disable the sftpd_anon_write SELinux Boolean' +- +-description: |- +- By default, the SELinux boolean sftpd_anon_write is 
disabled. +- If this setting is enabled, it should be disabled. +- {{{ describe_sebool_disable(sebool="sftpd_anon_write") }}} +- +-rationale: "" +- +-severity: medium +- +-{{{ complete_ocil_entry_sebool_disabled(sebool="sftpd_anon_write") }}} +diff --git a/linux_os/guide/system/selinux/selinux-booleans/sebool_sftpd_enable_homedirs/rule.yml b/linux_os/guide/system/selinux/selinux-booleans/sebool_sftpd_enable_homedirs/rule.yml +deleted file mode 100644 +index ac52da2773..0000000000 +--- a/linux_os/guide/system/selinux/selinux-booleans/sebool_sftpd_enable_homedirs/rule.yml ++++ /dev/null +@@ -1,16 +0,0 @@ +-documentation_complete: true +- +-prodtype: rhel7,rhel8 +- +-title: 'Disable the sftpd_enable_homedirs SELinux Boolean' +- +-description: |- +- By default, the SELinux boolean sftpd_enable_homedirs is disabled. +- If this setting is enabled, it should be disabled. +- {{{ describe_sebool_disable(sebool="sftpd_enable_homedirs") }}} +- +-rationale: "" +- +-severity: medium +- +-{{{ complete_ocil_entry_sebool_disabled(sebool="sftpd_enable_homedirs") }}} +diff --git a/linux_os/guide/system/selinux/selinux-booleans/sebool_sftpd_full_access/rule.yml b/linux_os/guide/system/selinux/selinux-booleans/sebool_sftpd_full_access/rule.yml +deleted file mode 100644 +index fff440ff7e..0000000000 +--- a/linux_os/guide/system/selinux/selinux-booleans/sebool_sftpd_full_access/rule.yml ++++ /dev/null +@@ -1,16 +0,0 @@ +-documentation_complete: true +- +-prodtype: rhel7,rhel8 +- +-title: 'Disable the sftpd_full_access SELinux Boolean' +- +-description: |- +- By default, the SELinux boolean sftpd_full_access is disabled. +- If this setting is enabled, it should be disabled. 
+- {{{ describe_sebool_disable(sebool="sftpd_full_access") }}} +- +-rationale: "" +- +-severity: medium +- +-{{{ complete_ocil_entry_sebool_disabled(sebool="sftpd_full_access") }}} +diff --git a/linux_os/guide/system/selinux/selinux-booleans/sebool_sftpd_write_ssh_home/rule.yml b/linux_os/guide/system/selinux/selinux-booleans/sebool_sftpd_write_ssh_home/rule.yml +deleted file mode 100644 +index 7b67579eb5..0000000000 +--- a/linux_os/guide/system/selinux/selinux-booleans/sebool_sftpd_write_ssh_home/rule.yml ++++ /dev/null +@@ -1,16 +0,0 @@ +-documentation_complete: true +- +-prodtype: rhel7,rhel8 +- +-title: 'Disable the sftpd_write_ssh_home SELinux Boolean' +- +-description: |- +- By default, the SELinux boolean sftpd_write_ssh_home is disabled. +- If this setting is enabled, it should be disabled. +- {{{ describe_sebool_disable(sebool="sftpd_write_ssh_home") }}} +- +-rationale: "" +- +-severity: medium +- +-{{{ complete_ocil_entry_sebool_disabled(sebool="sftpd_write_ssh_home") }}} +diff --git a/linux_os/guide/system/selinux/selinux-booleans/var_sftpd_anon_write.var b/linux_os/guide/system/selinux/selinux-booleans/var_sftpd_anon_write.var +deleted file mode 100644 +index ec43879c93..0000000000 +--- a/linux_os/guide/system/selinux/selinux-booleans/var_sftpd_anon_write.var ++++ /dev/null +@@ -1,19 +0,0 @@ +-documentation_complete: true +- +-title: 'sftpd_anon_write SELinux Boolean' +- +-description: |- +- default - Default SELinux boolean setting. +-
    on - SELinux boolean is enabled. +-
    off - SELinux boolean is disabled. +- +-type: boolean +- +-operator: equals +- +-interactive: false +- +-options: +- default: false +- off: false +- on: true +diff --git a/linux_os/guide/system/selinux/selinux-booleans/var_sftpd_enable_homedirs.var b/linux_os/guide/system/selinux/selinux-booleans/var_sftpd_enable_homedirs.var +deleted file mode 100644 +index 1ebd92f562..0000000000 +--- a/linux_os/guide/system/selinux/selinux-booleans/var_sftpd_enable_homedirs.var ++++ /dev/null +@@ -1,19 +0,0 @@ +-documentation_complete: true +- +-title: 'sftpd_enable_homedirs SELinux Boolean' +- +-description: |- +- default - Default SELinux boolean setting. +-
    on - SELinux boolean is enabled. +-
    off - SELinux boolean is disabled. +- +-type: boolean +- +-operator: equals +- +-interactive: false +- +-options: +- default: false +- off: false +- on: true +diff --git a/linux_os/guide/system/selinux/selinux-booleans/var_sftpd_full_access.var b/linux_os/guide/system/selinux/selinux-booleans/var_sftpd_full_access.var +deleted file mode 100644 +index a6d1fc9efc..0000000000 +--- a/linux_os/guide/system/selinux/selinux-booleans/var_sftpd_full_access.var ++++ /dev/null +@@ -1,19 +0,0 @@ +-documentation_complete: true +- +-title: 'sftpd_full_access SELinux Boolean' +- +-description: |- +- default - Default SELinux boolean setting. +-
    on - SELinux boolean is enabled. +-
    off - SELinux boolean is disabled. +- +-type: boolean +- +-operator: equals +- +-interactive: false +- +-options: +- default: false +- off: false +- on: true +diff --git a/linux_os/guide/system/selinux/selinux-booleans/var_sftpd_write_ssh_home.var b/linux_os/guide/system/selinux/selinux-booleans/var_sftpd_write_ssh_home.var +deleted file mode 100644 +index 67a3f00655..0000000000 +--- a/linux_os/guide/system/selinux/selinux-booleans/var_sftpd_write_ssh_home.var ++++ /dev/null +@@ -1,19 +0,0 @@ +-documentation_complete: true +- +-title: 'sftpd_write_ssh_home SELinux Boolean' +- +-description: |- +- default - Default SELinux boolean setting. +-
    on - SELinux boolean is enabled. +-
    off - SELinux boolean is disabled. +- +-type: boolean +- +-operator: equals +- +-interactive: false +- +-options: +- default: false +- off: false +- on: true +diff --git a/rhel7/templates/csv/selinux_booleans.csv b/rhel7/templates/csv/selinux_booleans.csv +index 19a27493db..1b55f6db31 100644 +--- a/rhel7/templates/csv/selinux_booleans.csv ++++ b/rhel7/templates/csv/selinux_booleans.csv +@@ -224,10 +224,6 @@ selinuxuser_share_music,use_var + selinuxuser_tcp_server,use_var + selinuxuser_udp_server,use_var + selinuxuser_use_ssh_chroot,use_var +-sftpd_anon_write,use_var +-sftpd_enable_homedirs,use_var +-sftpd_full_access,use_var +-sftpd_write_ssh_home,use_var + sge_domain_can_network_connect,use_var + sge_use_nfs,use_var + smartmon_3ware,use_var +diff --git a/rhv4/templates/csv/selinux_booleans.csv b/rhv4/templates/csv/selinux_booleans.csv +index 19a27493db..1b55f6db31 100644 +--- a/rhv4/templates/csv/selinux_booleans.csv ++++ b/rhv4/templates/csv/selinux_booleans.csv +@@ -224,10 +224,6 @@ selinuxuser_share_music,use_var + selinuxuser_tcp_server,use_var + selinuxuser_udp_server,use_var + selinuxuser_use_ssh_chroot,use_var +-sftpd_anon_write,use_var +-sftpd_enable_homedirs,use_var +-sftpd_full_access,use_var +-sftpd_write_ssh_home,use_var + sge_domain_can_network_connect,use_var + sge_use_nfs,use_var + smartmon_3ware,use_var diff --git a/SOURCES/scap-security-guide-0.1.44-fix_rpm_verify_permissions.patch b/SOURCES/scap-security-guide-0.1.44-fix_rpm_verify_permissions.patch new file mode 100644 index 0000000..7f3c29e --- /dev/null +++ b/SOURCES/scap-security-guide-0.1.44-fix_rpm_verify_permissions.patch 
@@ -0,0 +1,50 @@
+From df18c1e1c034cd0162747eb357efdcbbdf22ff1c Mon Sep 17 00:00:00 2001
+From: Watson Sato
+Date: Tue, 19 Mar 2019 16:50:09 +0100
+Subject: [PATCH] Remove --quiet from rpm command
+
+It doesn't work with --setperms.
+See https://bugzilla.redhat.com/show_bug.cgi?id=1690469.
+---
+ .../rpm_verification/rpm_verify_permissions/ansible/shared.yml | 2 +-
+ .../rpm_verification/rpm_verify_permissions/bash/shared.sh | 2 +-
+ .../rpm_verification/rpm_verify_permissions/rule.yml | 2 +-
+ 3 files changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_permissions/ansible/shared.yml b/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_permissions/ansible/shared.yml
+index abce9e17f5..e05696d46c 100644
+--- a/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_permissions/ansible/shared.yml
++++ b/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_permissions/ansible/shared.yml
+@@ -13,7 +13,7 @@
+ @ANSIBLE_ENSURE_PLATFORM@
+
+ - name: "Correct file permissions with RPM"
+- shell: "rpm --quiet --setperms $(rpm -qf '{{ item }}')"
++ shell: "rpm --setperms $(rpm -qf '{{ item }}')"
+ args:
+ warn: False # Ignore ANSIBLE0006, we can't correct permissions using rpm module
+ with_items: "{{ files_with_incorrect_permissions.stdout_lines }}"
+diff --git a/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_permissions/bash/shared.sh b/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_permissions/bash/shared.sh
+index 5689b6d84b..7705f0df3b 100644
+--- a/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_permissions/bash/shared.sh
++++ b/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_permissions/bash/shared.sh
+@@ -28,5 +28,5 
@@ SETPERMS_RPM_LIST=( $(echo "${SETPERMS_RPM_LIST[@]}" | tr ' ' '\n' | sort -u | t
+ # correct values
+ for RPM_PACKAGE in "${SETPERMS_RPM_LIST[@]}"
+ do
+- rpm --quiet --setperms "${RPM_PACKAGE}"
++ rpm --setperms "${RPM_PACKAGE}"
+ done
+diff --git a/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_permissions/rule.yml b/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_permissions/rule.yml
+index e233c8b02f..1d5090894b 100644
+--- a/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_permissions/rule.yml
++++ b/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_permissions/rule.yml
+@@ -19,7 +19,7 @@ description: |-
+
    + Next, run the following command to reset its permissions to
+ the correct values:
+-
    $ sudo rpm --quiet --setperms PACKAGENAME
    ++
    $ sudo rpm --setperms PACKAGENAME
    +
+ rationale: |-
+ Permissions on system binaries and configuration files that are too generous
diff --git a/SOURCES/scap-security-guide-0.1.44-fix_stig_duplicated_audit_rules.patch b/SOURCES/scap-security-guide-0.1.44-fix_stig_duplicated_audit_rules.patch
new file mode 100644
index 0000000..d2ee75f
--- /dev/null
+++ b/SOURCES/scap-security-guide-0.1.44-fix_stig_duplicated_audit_rules.patch
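Review bot: The new `shell:` line in the ansible hunk still splices each `{{ item }}` into a single-quoted shell argument, so a path containing a single quote or other shell metacharacters would break out of the quoting; `shell: "rpm --setperms $(rpm -qf {{ item | quote }})"` lets Jinja quote the value safely instead. The loop values come from `files_with_incorrect_permissions.stdout_lines`, and the task that fills that variable sits above this hunk, so I cannot confirm how those paths are produced or filtered. Dropping `--quiet` also means rpm's own diagnostics now land in the task's stdout/stderr, which is a useful side effect: a failed `--setperms` becomes visible in the play log rather than silently passing. The bash hunk's `rpm --setperms "${RPM_PACKAGE}"` is already quoted correctly and needs no change.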
@@ -0,0 +1,410 @@ +From 2476a35d0ad4055d52c33c03bb82031f6f19c794 Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Fri, 15 Mar 2019 17:11:37 +0100 +Subject: [PATCH 1/6] Enable privileged_commands test to run on Fedora + +Also create audit rules directory, to ensure scenario setup always +works. +--- + .../rhel7_augenrules_default.fail.sh | 2 +- + .../rhel7_augenrules_missing_rule.fail.sh | 3 ++- + .../rhel7_augenrules_one_rule.fail.sh | 1 + + .../rhel7_augenrules_rules_configured.pass.sh | 3 ++- + .../rhel7_augenrules_rules_configured_mixed_keys.pass.sh | 3 ++- + .../rhel7_augenrules_two_rules_mixed_keys.fail.sh | 3 ++- + .../rhel7_rules_with_own_key.pass.sh | 2 +- + .../rhel7_auditctl_4294967295_configured.pass.sh | 1 + + .../rhel7_auditctl_unset_configured.pass.sh | 1 + + .../rhel7_augenrules_4294967295_configured.pass.sh | 4 ++-- + .../rhel7_augenrules_remove_all_rules.fail.sh | 4 ++-- + .../rhel7_augenrules_substring_rule.fail.sh | 4 ++-- + .../rhel7_augenrules_superstring_rule.fail.sh | 4 ++-- + .../rhel7_augenrules_unset_configured.pass.sh | 4 ++-- + .../rhel7_rules_with_own_key.pass.sh | 3 +-- + 15 files changed, 24 insertions(+), 18 deletions(-) + +diff --git a/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_privileged_commands/rule_audit_rules_privileged_commands/rhel7_augenrules_default.fail.sh b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_privileged_commands/rule_audit_rules_privileged_commands/rhel7_augenrules_default.fail.sh +index 2442fc22f8..4713a53605 100644 +--- a/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_privileged_commands/rule_audit_rules_privileged_commands/rhel7_augenrules_default.fail.sh ++++ b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_privileged_commands/rule_audit_rules_privileged_commands/rhel7_augenrules_default.fail.sh +@@ -1,6 +1,6 @@ + #!/bin/bash + # profiles = 
xccdf_org.ssgproject.content_profile_pci-dss + # remediation = bash +-# platform = Red Hat Enterprise Linux 7 ++# platform = Red Hat Enterprise Linux 7,Fedora + + # augenrules is default for rhel7 +diff --git a/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_privileged_commands/rule_audit_rules_privileged_commands/rhel7_augenrules_missing_rule.fail.sh b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_privileged_commands/rule_audit_rules_privileged_commands/rhel7_augenrules_missing_rule.fail.sh +index 69e659d53c..c007f5dd24 100644 +--- a/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_privileged_commands/rule_audit_rules_privileged_commands/rhel7_augenrules_missing_rule.fail.sh ++++ b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_privileged_commands/rule_audit_rules_privileged_commands/rhel7_augenrules_missing_rule.fail.sh +@@ -1,7 +1,8 @@ + #!/bin/bash + # profiles = xccdf_org.ssgproject.content_profile_pci-dss + # remediation = bash +-# platform = Red Hat Enterprise Linux 7 ++# platform = Red Hat Enterprise Linux 7,Fedora + ++mkdir -p /etc/audit/rules.d + ./generate_privileged_commands_rule.sh 1000 privileged /etc/audit/rules.d/privileged.rules + sed -i '/newgrp/d' /etc/audit/rules.d/privileged.rules +diff --git a/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_privileged_commands/rule_audit_rules_privileged_commands/rhel7_augenrules_one_rule.fail.sh b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_privileged_commands/rule_audit_rules_privileged_commands/rhel7_augenrules_one_rule.fail.sh +index aa8e01cf11..591109a013 100644 +--- a/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_privileged_commands/rule_audit_rules_privileged_commands/rhel7_augenrules_one_rule.fail.sh ++++ 
b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_privileged_commands/rule_audit_rules_privileged_commands/rhel7_augenrules_one_rule.fail.sh +@@ -3,4 +3,5 @@ + # remediation = bash + # platform = Red Hat Enterprise Linux 7 + ++mkdir -p /etc/audit/rules.d + echo "-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=unset -k privileged" >> /etc/audit/rules.d/privileged.rules +diff --git a/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_privileged_commands/rule_audit_rules_privileged_commands/rhel7_augenrules_rules_configured.pass.sh b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_privileged_commands/rule_audit_rules_privileged_commands/rhel7_augenrules_rules_configured.pass.sh +index fa1d72ff0a..913ca44025 100644 +--- a/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_privileged_commands/rule_audit_rules_privileged_commands/rhel7_augenrules_rules_configured.pass.sh ++++ b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_privileged_commands/rule_audit_rules_privileged_commands/rhel7_augenrules_rules_configured.pass.sh +@@ -1,6 +1,7 @@ + #!/bin/bash + # profiles = xccdf_org.ssgproject.content_profile_pci-dss + # remediation = bash +-# platform = Red Hat Enterprise Linux 7 ++# platform = Red Hat Enterprise Linux 7,Fedora + ++mkdir -p /etc/audit/rules.d + ./generate_privileged_commands_rule.sh 1000 privileged /etc/audit/rules.d/privileged.rules +diff --git a/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_privileged_commands/rule_audit_rules_privileged_commands/rhel7_augenrules_rules_configured_mixed_keys.pass.sh b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_privileged_commands/rule_audit_rules_privileged_commands/rhel7_augenrules_rules_configured_mixed_keys.pass.sh +index 40aea6c963..a0ba4fac7d 100644 +--- 
a/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_privileged_commands/rule_audit_rules_privileged_commands/rhel7_augenrules_rules_configured_mixed_keys.pass.sh ++++ b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_privileged_commands/rule_audit_rules_privileged_commands/rhel7_augenrules_rules_configured_mixed_keys.pass.sh +@@ -1,8 +1,9 @@ + #!/bin/bash + # profiles = xccdf_org.ssgproject.content_profile_pci-dss + # remediation = bash +-# platform = Red Hat Enterprise Linux 7 ++# platform = Red Hat Enterprise Linux 7,Fedora + ++mkdir -p /etc/audit/rules.d + ./generate_privileged_commands_rule.sh 1000 privileged /etc/audit/rules.d/privileged.rules + # change key of rules for binaries in /usr/sbin + # A mixed conbination of -k and -F key= should be accepted +diff --git a/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_privileged_commands/rule_audit_rules_privileged_commands/rhel7_augenrules_two_rules_mixed_keys.fail.sh b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_privileged_commands/rule_audit_rules_privileged_commands/rhel7_augenrules_two_rules_mixed_keys.fail.sh +index eb2ae8cdc9..bc4a7c4bfe 100644 +--- a/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_privileged_commands/rule_audit_rules_privileged_commands/rhel7_augenrules_two_rules_mixed_keys.fail.sh ++++ b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_privileged_commands/rule_audit_rules_privileged_commands/rhel7_augenrules_two_rules_mixed_keys.fail.sh +@@ -1,7 +1,8 @@ + #!/bin/bash + # profiles = xccdf_org.ssgproject.content_profile_pci-dss + # remediation = bash +-# platform = Red Hat Enterprise Linux 7 ++# platform = Red Hat Enterprise Linux 7,Fedora + ++mkdir -p /etc/audit/rules.d + echo "-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=unset -k privileged" >> 
/etc/audit/rules.d/privileged.rules + echo "-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged" >> /etc/audit/rules.d/privileged.rules +diff --git a/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_privileged_commands/rule_audit_rules_privileged_commands/rhel7_rules_with_own_key.pass.sh b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_privileged_commands/rule_audit_rules_privileged_commands/rhel7_rules_with_own_key.pass.sh +index 1b376d0e0f..c40fd133dd 100644 +--- a/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_privileged_commands/rule_audit_rules_privileged_commands/rhel7_rules_with_own_key.pass.sh ++++ b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_privileged_commands/rule_audit_rules_privileged_commands/rhel7_rules_with_own_key.pass.sh +@@ -1,6 +1,6 @@ + #!/bin/bash + # profiles = xccdf_org.ssgproject.content_profile_pci-dss + # remediation = bash +-# platform = Red Hat Enterprise Linux 7 ++# platform = Red Hat Enterprise Linux 7,Fedora + + ./generate_privileged_commands_rule.sh 1000 own_key /etc/audit/rules.d/privileged.rules +diff --git a/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_privileged_commands/rule_audit_rules_privileged_commands_sudo/rhel7_auditctl_4294967295_configured.pass.sh b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_privileged_commands/rule_audit_rules_privileged_commands_sudo/rhel7_auditctl_4294967295_configured.pass.sh +index 93f90a1c5b..52b28d2c30 100644 +--- a/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_privileged_commands/rule_audit_rules_privileged_commands_sudo/rhel7_auditctl_4294967295_configured.pass.sh ++++ 
b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_privileged_commands/rule_audit_rules_privileged_commands_sudo/rhel7_auditctl_4294967295_configured.pass.sh +@@ -1,6 +1,7 @@ + #!/bin/bash + # profiles = xccdf_org.ssgproject.content_profile_ospp + # remediation = bash ++# platform = Red Hat Enterprise Linux 7 + + echo "-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged" >> /etc/audit/audit.rules + sed -i "s%^ExecStartPost=.*%ExecStartPost=-/sbin/auditctl%" /usr/lib/systemd/system/auditd.service +diff --git a/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_privileged_commands/rule_audit_rules_privileged_commands_sudo/rhel7_auditctl_unset_configured.pass.sh b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_privileged_commands/rule_audit_rules_privileged_commands_sudo/rhel7_auditctl_unset_configured.pass.sh +index bda4011950..4a8627e1be 100644 +--- a/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_privileged_commands/rule_audit_rules_privileged_commands_sudo/rhel7_auditctl_unset_configured.pass.sh ++++ b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_privileged_commands/rule_audit_rules_privileged_commands_sudo/rhel7_auditctl_unset_configured.pass.sh +@@ -1,6 +1,7 @@ + #!/bin/bash + # profiles = xccdf_org.ssgproject.content_profile_ospp + # remediation = bash ++# platform = Red Hat Enterprise Linux 7 + + echo "-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=unset -k privileged" >> /etc/audit/audit.rules + sed -i "s%^ExecStartPost=.*%ExecStartPost=-/sbin/auditctl%" /usr/lib/systemd/system/auditd.service +diff --git a/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_privileged_commands/rule_audit_rules_privileged_commands_sudo/rhel7_augenrules_4294967295_configured.pass.sh 
b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_privileged_commands/rule_audit_rules_privileged_commands_sudo/rhel7_augenrules_4294967295_configured.pass.sh +index c1385fe491..13054c36d4 100644 +--- a/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_privileged_commands/rule_audit_rules_privileged_commands_sudo/rhel7_augenrules_4294967295_configured.pass.sh ++++ b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_privileged_commands/rule_audit_rules_privileged_commands_sudo/rhel7_augenrules_4294967295_configured.pass.sh +@@ -1,7 +1,7 @@ + #!/bin/bash + # profiles = xccdf_org.ssgproject.content_profile_ospp + # remediation = bash ++# platform = Red Hat Enterprise Linux 7,Fedora + ++mkdir -p /etc/audit/rules.d + echo "-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged" >> /etc/audit/rules.d/privileged.rules +-# This is a trick to fail setup of this test in rhel6 systems +-ls /usr/lib/systemd/system/auditd.service +diff --git a/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_privileged_commands/rule_audit_rules_privileged_commands_sudo/rhel7_augenrules_remove_all_rules.fail.sh b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_privileged_commands/rule_audit_rules_privileged_commands_sudo/rhel7_augenrules_remove_all_rules.fail.sh +index 7ef3deb40b..8a05910a39 100644 +--- a/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_privileged_commands/rule_audit_rules_privileged_commands_sudo/rhel7_augenrules_remove_all_rules.fail.sh ++++ b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_privileged_commands/rule_audit_rules_privileged_commands_sudo/rhel7_augenrules_remove_all_rules.fail.sh +@@ -1,8 +1,8 @@ + #!/bin/bash + # profiles = xccdf_org.ssgproject.content_profile_ospp + # remediation = bash ++# platform = Red Hat 
Enterprise Linux 7,Fedora + ++mkdir -p /etc/audit/rules.d + rm -f /etc/audit/rules.d/* + > /etc/audit/audit.rules +-# This is a trick to fail setup of this test in rhel6 systems +-ls /usr/lib/systemd/system/auditd.service +diff --git a/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_privileged_commands/rule_audit_rules_privileged_commands_sudo/rhel7_augenrules_substring_rule.fail.sh b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_privileged_commands/rule_audit_rules_privileged_commands_sudo/rhel7_augenrules_substring_rule.fail.sh +index 54df301ec7..8cc460e965 100644 +--- a/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_privileged_commands/rule_audit_rules_privileged_commands_sudo/rhel7_augenrules_substring_rule.fail.sh ++++ b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_privileged_commands/rule_audit_rules_privileged_commands_sudo/rhel7_augenrules_substring_rule.fail.sh +@@ -1,7 +1,7 @@ + #!/bin/bash + # profiles = xccdf_org.ssgproject.content_profile_ospp + # remediation = bash ++# platform = Red Hat Enterprise Linux 7,Fedora + ++mkdir -p /etc/audit/rules.d + echo "-a always,exit -F path=/usr/bin/su -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged" >> /etc/audit/rules.d/privileged.rules +-# This is a trick to fail setup of this test in rhel6 systems +-ls /usr/lib/systemd/system/auditd.service +diff --git a/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_privileged_commands/rule_audit_rules_privileged_commands_sudo/rhel7_augenrules_superstring_rule.fail.sh b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_privileged_commands/rule_audit_rules_privileged_commands_sudo/rhel7_augenrules_superstring_rule.fail.sh +index 5de32da121..0c72b90456 100644 +--- 
a/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_privileged_commands/rule_audit_rules_privileged_commands_sudo/rhel7_augenrules_superstring_rule.fail.sh ++++ b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_privileged_commands/rule_audit_rules_privileged_commands_sudo/rhel7_augenrules_superstring_rule.fail.sh +@@ -1,7 +1,7 @@ + #!/bin/bash + # profiles = xccdf_org.ssgproject.content_profile_ospp + # remediation = bash ++# platform = Red Hat Enterprise Linux 7,Fedora + ++mkdir -p /etc/audit/rules.d + echo "-a always,exit -F path=/usr/bin/sudoedit -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged" >> /etc/audit/rules.d/privileged.rules +-# This is a trick to fail setup of this test in rhel6 systems +-ls /usr/lib/systemd/system/auditd.service +diff --git a/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_privileged_commands/rule_audit_rules_privileged_commands_sudo/rhel7_augenrules_unset_configured.pass.sh b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_privileged_commands/rule_audit_rules_privileged_commands_sudo/rhel7_augenrules_unset_configured.pass.sh +index 4aa01afad9..0cf6de31a3 100644 +--- a/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_privileged_commands/rule_audit_rules_privileged_commands_sudo/rhel7_augenrules_unset_configured.pass.sh ++++ b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_privileged_commands/rule_audit_rules_privileged_commands_sudo/rhel7_augenrules_unset_configured.pass.sh +@@ -1,7 +1,7 @@ + #!/bin/bash + # profiles = xccdf_org.ssgproject.content_profile_ospp + # remediation = bash ++# platform = Red Hat Enterprise Linux 7,Fedora + ++mkdir -p /etc/audit/rules.d + echo "-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=unset -k privileged" >> /etc/audit/rules.d/privileged.rules +-# This is a trick to fail setup of this 
test in rhel6 systems +-ls /usr/lib/systemd/system/auditd.service +diff --git a/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_privileged_commands/rule_audit_rules_privileged_commands_sudo/rhel7_rules_with_own_key.pass.sh b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_privileged_commands/rule_audit_rules_privileged_commands_sudo/rhel7_rules_with_own_key.pass.sh +index e267050ae1..a264144bd2 100644 +--- a/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_privileged_commands/rule_audit_rules_privileged_commands_sudo/rhel7_rules_with_own_key.pass.sh ++++ b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_privileged_commands/rule_audit_rules_privileged_commands_sudo/rhel7_rules_with_own_key.pass.sh +@@ -1,7 +1,6 @@ + #!/bin/bash + # profiles = xccdf_org.ssgproject.content_profile_ospp + # remediation = bash ++# platform = Red Hat Enterprise Linux 7,Fedora + + echo "-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=4294967295 -k own_key" >> /etc/audit/rules.d/privileged.rules +-# This is a trick to fail setup of this test in rhel6 systems +-ls /usr/lib/systemd/system/auditd.service + +From 6ac52cb2183484685c2632cecdfc5724767b1f79 Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Fri, 15 Mar 2019 16:01:37 +0100 +Subject: [PATCH 2/6] Add test for duplicated audit rules + +The rules don't need to be exactly the same to be considered duplicates. 
+- auid unset and auid 4294967295 are equivalent +- "-k" and "-F key=" are equivalent +--- + .../rhel7_augenrules_duplicated.fail.sh | 11 +++++++++++ + .../rhel7_augenrules_duplicated.fail.sh | 8 ++++++++ + 2 files changed, 19 insertions(+) + create mode 100644 tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_privileged_commands/rule_audit_rules_privileged_commands/rhel7_augenrules_duplicated.fail.sh + create mode 100644 tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_privileged_commands/rule_audit_rules_privileged_commands_sudo/rhel7_augenrules_duplicated.fail.sh + +diff --git a/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_privileged_commands/rule_audit_rules_privileged_commands/rhel7_augenrules_duplicated.fail.sh b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_privileged_commands/rule_audit_rules_privileged_commands/rhel7_augenrules_duplicated.fail.sh +new file mode 100644 +index 0000000000..19b12d0906 +--- /dev/null ++++ b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_privileged_commands/rule_audit_rules_privileged_commands/rhel7_augenrules_duplicated.fail.sh +@@ -0,0 +1,11 @@ ++#!/bin/bash ++# profiles = xccdf_org.ssgproject.content_profile_ospp,xccdf_org.ssgproject.content_profile_pci-dss ++# Remediation for this rule cannot remove the duplicates ++# remediation = none ++# platform = Red Hat Enterprise Linux 7,Fedora ++ ++mkdir -p /etc/audit/rules.d ++./generate_privileged_commands_rule.sh 1000 privileged /tmp/privileged.rules ++ ++cp /tmp/privileged.rules /etc/audit/rules.d/privileged.rules ++sed 's/unset/4294967295/' /tmp/privileged.rules >> /etc/audit/rules.d/privileged.rules +diff --git a/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_privileged_commands/rule_audit_rules_privileged_commands_sudo/rhel7_augenrules_duplicated.fail.sh 
b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_privileged_commands/rule_audit_rules_privileged_commands_sudo/rhel7_augenrules_duplicated.fail.sh +new file mode 100644 +index 0000000000..c3a0e1dbb3 +--- /dev/null ++++ b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_privileged_commands/rule_audit_rules_privileged_commands_sudo/rhel7_augenrules_duplicated.fail.sh +@@ -0,0 +1,8 @@ ++#!/bin/bash ++# profiles = xccdf_org.ssgproject.content_profile_ospp ++# remediation = bash ++# platform = Red Hat Enterprise Linux 7,Fedora ++ ++mkdir -p /etc/audit/rules.d ++echo "-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged" >> /etc/audit/rules.d/privileged.rules ++echo "-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged" >> /etc/audit/rules.d/privileged.rules + +From 160ddfa6b662dfc129f308ba239e87339e4adbf6 Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Fri, 15 Mar 2019 16:00:24 +0100 +Subject: [PATCH 3/6] Fail check when there is more than one audit rule for a + given path + +Duplicated rules cause loading of audit rules to fail. 
+- There should exist only one match +- Examine all instances (objects found) +- Do not capture key of rule (we don't use it) +--- + .../template_OVAL_audit_rules_privileged_commands | 12 ++++++------ + 1 file changed, 6 insertions(+), 6 deletions(-) + +diff --git a/shared/templates/template_OVAL_audit_rules_privileged_commands b/shared/templates/template_OVAL_audit_rules_privileged_commands +index 602f29de5d..b738cdfa54 100644 +--- a/shared/templates/template_OVAL_audit_rules_privileged_commands ++++ b/shared/templates/template_OVAL_audit_rules_privileged_commands +@@ -28,22 +28,22 @@ + + + +- ++ + + + + ^/etc/audit/rules\.d/.*\.rules$ +- ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path={{{ PATH }}}[\s]+-F[\s]+perm=x[\s]+-F[\s]+auid>={{{ auid }}}[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ +- 1 ++ ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path={{{ PATH }}}[\s]+-F[\s]+perm=x[\s]+-F[\s]+auid>={{{ auid }}}[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ++ 1 + + +- ++ + + + + /etc/audit/audit.rules +- ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path={{{ PATH }}}[\s]+-F[\s]+perm=x[\s]+-F[\s]+auid>={{{ auid }}}[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ +- 1 ++ ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path={{{ PATH }}}[\s]+-F[\s]+perm=x[\s]+-F[\s]+auid>={{{ auid }}}[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ++ 1 + + + + +From 08a30fe02fc60c63a2057382ce5cd9de9d0fd877 Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Fri, 15 Mar 2019 15:56:42 +0100 +Subject: [PATCH 4/6] Reset ARCH + +The variable should be reset so that we don't use a value set +by some previous remediation. 
+--- + shared/templates/template_BASH_audit_rules_privileged_commands | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/shared/templates/template_BASH_audit_rules_privileged_commands b/shared/templates/template_BASH_audit_rules_privileged_commands +index 90807084e8..612f8a0826 100644 +--- a/shared/templates/template_BASH_audit_rules_privileged_commands ++++ b/shared/templates/template_BASH_audit_rules_privileged_commands +@@ -5,6 +5,8 @@ + + PATTERN="-a always,exit -F path={{{ PATH }}}\\s\\+.*" + GROUP="privileged" ++# Although the fix doesn't use ARCH, we reset it because it could have been set by some other remediation ++ARCH="" + FULL_RULE="-a always,exit -F path={{{ PATH }}} -F perm=x -F auid>={{{ auid }}} -F auid!=unset -F key=privileged" + # Perform the remediation for both possible tools: 'auditctl' and 'augenrules' + fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" + +From 8e83eb070f6cc7931e8c1005cd8eb7674e1bf186 Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Fri, 15 Mar 2019 16:31:20 +0100 +Subject: [PATCH 5/6] Test if remediation can handle rules in separate files + +--- + .../rhel7_augenrules_two_rules_sep_files.fail.sh | 8 ++++++++ + 1 file changed, 8 insertions(+) + create mode 100644 tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_privileged_commands/rule_audit_rules_privileged_commands/rhel7_augenrules_two_rules_sep_files.fail.sh + +diff --git a/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_privileged_commands/rule_audit_rules_privileged_commands/rhel7_augenrules_two_rules_sep_files.fail.sh b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_privileged_commands/rule_audit_rules_privileged_commands/rhel7_augenrules_two_rules_sep_files.fail.sh +new file mode 100644 +index 0000000000..0e70910537 +--- /dev/null ++++ 
b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_privileged_commands/rule_audit_rules_privileged_commands/rhel7_augenrules_two_rules_sep_files.fail.sh +@@ -0,0 +1,8 @@ ++#!/bin/bash ++# profiles = xccdf_org.ssgproject.content_profile_pci-dss ++# remediation = bash ++# platform = Red Hat Enterprise Linux 7,Fedora ++ ++mkdir -p /etc/audit/rules.d ++echo "-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=unset -k privileged" >> /etc/audit/rules.d/priv.rules ++echo "-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged" >> /etc/audit/rules.d/privileged.rules + +From d706bdbebb8e2ffbd4872ea7870ac5f1e2f6a00e Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Fri, 15 Mar 2019 15:56:11 +0100 +Subject: [PATCH 6/6] Do not add rule if it was handled in another file + +--- + ..._audit_rules_privileged_commands_remediation.sh | 14 ++++++++++---- + 1 file changed, 10 insertions(+), 4 deletions(-) + +diff --git a/shared/bash_remediation_functions/perform_audit_rules_privileged_commands_remediation.sh b/shared/bash_remediation_functions/perform_audit_rules_privileged_commands_remediation.sh +index d824e5debb..91eeedb545 100644 +--- a/shared/bash_remediation_functions/perform_audit_rules_privileged_commands_remediation.sh ++++ b/shared/bash_remediation_functions/perform_audit_rules_privileged_commands_remediation.sh +@@ -71,7 +71,7 @@ declare -a sbinaries_to_skip=() + for sbinary in "${privileged_binaries[@]}" + do + +- # Check if this sbinary wasn't already handled in some of the previous iterations ++ # Check if this sbinary wasn't already handled in some of the previous sbinary iterations + # Return match only if whole sbinary definition matched (not in the case just prefix matched!!!) 
+ if [[ $(sed -ne "\|${sbinary}|p" <<< "${sbinaries_to_skip[*]}") ]] + then +@@ -169,9 +169,15 @@ do + elif [ "$tool" == "auditctl" ] || [[ "$tool" == "augenrules" && $count_of_inspected_files -eq "${#files_to_inspect[@]}" ]] + then + +- # Current audit rules file's content doesn't contain expected rule for this +- # SUID/SGID binary yet => append it +- echo "$expected_rule" >> "$output_audit_file" ++ # Check if this sbinary wasn't already handled in some of the previous afile iterations ++ # Return match only if whole sbinary definition matched (not in the case just prefix matched!!!) ++ if [[ ! $(sed -ne "\|${sbinary}|p" <<< "${sbinaries_to_skip[*]}") ]] ++ then ++ # Current audit rules file's content doesn't contain expected rule for this ++ # SUID/SGID binary yet => append it ++ echo "$expected_rule" >> "$output_audit_file" ++ fi ++ + continue + fi + diff --git a/SOURCES/scap-security-guide-0.1.44-mark_selinux_rules_as_machine_only.patch b/SOURCES/scap-security-guide-0.1.44-mark_selinux_rules_as_machine_only.patch new file mode 100644 index 0000000..bbc43f3 --- /dev/null +++ b/SOURCES/scap-security-guide-0.1.44-mark_selinux_rules_as_machine_only.patch 
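Review bot: The skip test added in patch 6, `sed -ne "\|${sbinary}|p" <<< "${sbinaries_to_skip[*]}"`, is an unanchored substring match on the space-joined array, so `/usr/bin/su` also matches an entry of `/usr/bin/sudo` or `/usr/bin/sudoedit` — the opposite of what the comment right above it promises ("not in the case just prefix matched") — unless the entries are anchored somewhere earlier in the function, which is outside the hunk. On such a false positive the expected rule for the shorter path is silently never appended, and the pre-existing check at the top of the `sbinary` loop has the same weakness. An exact literal comparison avoids both the prefix problem and regex metacharacters in paths: `if ! printf '%s\n' "${sbinaries_to_skip[@]}" | grep -qxF -- "$sbinary"; then`. The loop over `privileged_binaries` and the `files_to_inspect` bookkeeping start before this hunk.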
@@ -0,0 +1,82 @@
+From 9c3d35d9c3e1a884fa9e5cd0223172f1c8621b10 Mon Sep 17 00:00:00 2001
+From: Matus Marhefka
+Date: Tue, 16 Apr 2019 13:28:30 +0200
+Subject: [PATCH] All SELinux related rules marked as not applicable to
+ containers
+
+* The rule docker_selinux_enabled moved from system/selinux to services/docker.
+* SELinux is not namespaced which means that containers do not have their own
+ separate SELinux policies. SELinux will always appear to be disabled when
+ inside a container (https://danwalsh.livejournal.com/73099.html). Therefore,
+ all the rules from the system/selinux were marked with 'platform: machine'
+ which will make them not applicable when scanning container filesystems.
+---
+ .../docker}/docker_selinux_enabled/oval/rhel7.xml | 0
+ .../selinux => services/docker}/docker_selinux_enabled/rule.yml | 0
+ linux_os/guide/system/selinux/group.yml | 2 ++
+ .../system/selinux/selinux_confinement_of_daemons/rule.yml | 2 --
+ linux_os/guide/system/selinux/selinux_policytype/rule.yml | 2 --
+ linux_os/guide/system/selinux/selinux_state/rule.yml | 2 --
+ linux_os/guide/system/selinux/selinux_user_login_roles/rule.yml | 2 --
+ 7 files changed, 2 insertions(+), 8 deletions(-)
+ rename linux_os/guide/{system/selinux => services/docker}/docker_selinux_enabled/oval/rhel7.xml (100%)
+ rename linux_os/guide/{system/selinux => services/docker}/docker_selinux_enabled/rule.yml (100%)
+
+diff --git a/linux_os/guide/system/selinux/docker_selinux_enabled/oval/rhel7.xml b/linux_os/guide/services/docker/docker_selinux_enabled/oval/rhel7.xml
+similarity index 100%
+rename from linux_os/guide/system/selinux/docker_selinux_enabled/oval/rhel7.xml
+rename to linux_os/guide/services/docker/docker_selinux_enabled/oval/rhel7.xml
+diff --git a/linux_os/guide/system/selinux/docker_selinux_enabled/rule.yml b/linux_os/guide/services/docker/docker_selinux_enabled/rule.yml
+similarity index 100%
+rename from linux_os/guide/system/selinux/docker_selinux_enabled/rule.yml
+rename to linux_os/guide/services/docker/docker_selinux_enabled/rule.yml
+diff --git a/linux_os/guide/system/selinux/group.yml b/linux_os/guide/system/selinux/group.yml
+index e1863d4d03..6525cb4919 100644
+--- a/linux_os/guide/system/selinux/group.yml
++++ b/linux_os/guide/system/selinux/group.yml
+@@ -29,3 +29,5 @@ description: |-
+ {{% elif product == "ol7" %}}
+ For more information on SELinux, see {{{ weblink(link="https://docs.oracle.com/cd/E52668_01/E54669/html/ol7-s1-syssec.html") }}}.
+ {{% endif %}}
++
++platform: machine
+diff --git a/linux_os/guide/system/selinux/selinux_confinement_of_daemons/rule.yml b/linux_os/guide/system/selinux/selinux_confinement_of_daemons/rule.yml
+index 35c47fbd08..9f224c9340 100644
+--- a/linux_os/guide/system/selinux/selinux_confinement_of_daemons/rule.yml
++++ b/linux_os/guide/system/selinux/selinux_confinement_of_daemons/rule.yml
+@@ -42,5 +42,3 @@ warnings:
+ Automatic remediation of this control is not available. Remediation
+ can be achieved by amending SELinux policy or stopping the unconfined
+ daemons as outlined above.
+-
+-platform: machine
+diff --git a/linux_os/guide/system/selinux/selinux_policytype/rule.yml b/linux_os/guide/system/selinux/selinux_policytype/rule.yml
+index 934c0dfa17..e8c82a147a 100644
+--- a/linux_os/guide/system/selinux/selinux_policytype/rule.yml
++++ b/linux_os/guide/system/selinux/selinux_policytype/rule.yml
+@@ -56,5 +56,3 @@ ocil_clause: 'it does not'
+ ocil: |-
+ Check the file /etc/selinux/config and ensure the following line appears:
+
    SELINUXTYPE=
    +- +-platform: machine +diff --git a/linux_os/guide/system/selinux/selinux_state/rule.yml b/linux_os/guide/system/selinux/selinux_state/rule.yml +index df0295e043..d993398060 100644 +--- a/linux_os/guide/system/selinux/selinux_state/rule.yml ++++ b/linux_os/guide/system/selinux/selinux_state/rule.yml +@@ -47,5 +47,3 @@ ocil_clause: 'SELINUX is not set to enforcing' + ocil: |- + Check the file /etc/selinux/config and ensure the following line appears: +
    SELINUX=
    +- +-platform: machine +diff --git a/linux_os/guide/system/selinux/selinux_user_login_roles/rule.yml b/linux_os/guide/system/selinux/selinux_user_login_roles/rule.yml +index 80844cad14..fc1f87b410 100644 +--- a/linux_os/guide/system/selinux/selinux_user_login_roles/rule.yml ++++ b/linux_os/guide/system/selinux/selinux_user_login_roles/rule.yml +@@ -54,5 +54,3 @@ ocil: |- + All authorized non-administrative + users must be mapped to the user_u role or the appropriate domain + (user_t). +- +-platform: machine diff --git a/SOURCES/scap-security-guide-0.1.44-mark_service_disabled_rules_as_machine_only.patch b/SOURCES/scap-security-guide-0.1.44-mark_service_disabled_rules_as_machine_only.patch new file mode 100644 index 0000000..c33659a --- /dev/null +++ b/SOURCES/scap-security-guide-0.1.44-mark_service_disabled_rules_as_machine_only.patch 
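Review bot: The `platform: machine` added to linux_os/guide/system/selinux/group.yml becomes the only place the machine-only marking survives, because the same patch removes it from the four rule.yml files; that is correct only if the content build propagates a group-level platform down to every rule in the group, which this hunk assumes rather than shows, so it is worth confirming before the per-rule lines go. The reason given in the commit body (SELinux is not namespaced, so a scan of a container filesystem always sees it disabled) is exactly what a reader of group.yml will need later, and fits as a YAML comment above the new key: `# SELinux is not namespaced; scans of container filesystems always see it disabled, so this whole group applies to hosts only.` The docker_selinux_enabled move is expressed as a git rename header with 100% similarity and no hunk; if the tool that applies the SOURCES patches does not understand `rename from`/`rename to`, the move is silently dropped and that rule would inherit the machine-only marking it was deliberately moved away from.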
@@ -0,0 +1,536 @@ +From 8f2e794f58b75311153609cd57c56dfa104f3ef1 Mon Sep 17 00:00:00 2001 +From: Gabriel Becker +Date: Wed, 17 Apr 2019 11:42:05 +0200 +Subject: [PATCH] Mark service rules as machine only. + +--- + .../disable_avahi_group/service_avahi-daemon_disabled/rule.yml | 2 ++ + linux_os/guide/services/base/service_abrtd_disabled/rule.yml | 2 ++ + linux_os/guide/services/base/service_acpid_disabled/rule.yml | 2 ++ + .../guide/services/base/service_certmonger_disabled/rule.yml | 2 ++ + linux_os/guide/services/base/service_cgconfig_disabled/rule.yml | 2 ++ + linux_os/guide/services/base/service_cgred_disabled/rule.yml | 2 ++ + linux_os/guide/services/base/service_cpupower_disabled/rule.yml | 2 ++ + linux_os/guide/services/base/service_cpuspeed_disabled/rule.yml | 2 ++ + .../guide/services/base/service_haldaemon_disabled/rule.yml | 2 ++ + linux_os/guide/services/base/service_kdump_disabled/rule.yml | 2 ++ + .../guide/services/base/service_mdmonitor_disabled/rule.yml | 2 ++ + .../guide/services/base/service_messagebus_disabled/rule.yml | 2 ++ + .../guide/services/base/service_netconsole_disabled/rule.yml | 2 ++ + linux_os/guide/services/base/service_ntpdate_disabled/rule.yml | 2 ++ + linux_os/guide/services/base/service_oddjobd_disabled/rule.yml | 2 ++ + .../guide/services/base/service_portreserve_disabled/rule.yml | 2 ++ + linux_os/guide/services/base/service_psacct_enabled/rule.yml | 2 ++ + linux_os/guide/services/base/service_qpidd_disabled/rule.yml | 2 ++ + .../guide/services/base/service_quota_nld_disabled/rule.yml | 2 ++ + linux_os/guide/services/base/service_rdisc_disabled/rule.yml | 2 ++ + linux_os/guide/services/base/service_rhnsd_disabled/rule.yml | 2 ++ + .../guide/services/base/service_rhsmcertd_disabled/rule.yml | 2 ++ + .../guide/services/base/service_saslauthd_disabled/rule.yml | 2 ++ + linux_os/guide/services/base/service_smartd_disabled/rule.yml | 2 ++ + linux_os/guide/services/base/service_sysstat_disabled/rule.yml | 2 ++ + 
.../guide/services/cron_and_at/service_atd_disabled/rule.yml | 2 ++ + .../dhcp/disabling_dhcp_server/service_dhcpd_disabled/rule.yml | 2 ++ + .../dns/disabling_dns_server/service_named_disabled/rule.yml | 2 ++ + .../ftp/disabling_vsftpd/service_vsftpd_disabled/rule.yml | 2 ++ + .../http/disabling_httpd/service_httpd_disabled/rule.yml | 2 ++ + .../imap/disabling_dovecot/service_dovecot_disabled/rule.yml | 2 ++ + .../disabling_nfs_services/service_rpcbind_disabled/rule.yml | 2 ++ + .../disabling_nfsd/service_nfs_disabled/rule.yml | 2 ++ + .../disabling_nfsd/service_rpcsvcgssd_disabled/rule.yml | 2 ++ + .../obsolete/inetd_and_xinetd/service_xinetd_disabled/rule.yml | 2 ++ + .../services/obsolete/nis/service_ypbind_disabled/rule.yml | 2 ++ + .../obsolete/r_services/service_rexec_disabled/rule.yml | 2 ++ + .../obsolete/r_services/service_rlogin_disabled/rule.yml | 2 ++ + .../services/obsolete/r_services/service_rsh_disabled/rule.yml | 2 ++ + .../services/obsolete/telnet/service_telnet_disabled/rule.yml | 2 ++ + .../guide/services/obsolete/tftp/service_tftp_disabled/rule.yml | 2 ++ + linux_os/guide/services/printing/service_cups_disabled/rule.yml | 2 ++ + .../proxy/disabling_squid/service_squid_disabled/rule.yml | 2 ++ + .../routing/disabling_quagga/service_zebra_disabled/rule.yml | 2 ++ + .../services/smb/disabling_samba/service_smb_disabled/rule.yml | 2 ++ + .../snmp/disabling_snmp_service/service_snmpd_disabled/rule.yml | 2 ++ + .../wireless_software/service_bluetooth_disabled/rule.yml | 2 ++ + .../permissions/mounting/service_autofs_disabled/rule.yml | 2 ++ + 48 files changed, 96 insertions(+) + +diff --git a/linux_os/guide/services/avahi/disable_avahi_group/service_avahi-daemon_disabled/rule.yml b/linux_os/guide/services/avahi/disable_avahi_group/service_avahi-daemon_disabled/rule.yml +index 43f81254ac..40b88f8c36 100644 +--- a/linux_os/guide/services/avahi/disable_avahi_group/service_avahi-daemon_disabled/rule.yml ++++ 
b/linux_os/guide/services/avahi/disable_avahi_group/service_avahi-daemon_disabled/rule.yml +@@ -32,3 +32,5 @@ references: + cis-csc: 11,14,3,9 + + ocil: '{{{ ocil_service_disabled(service="avahi-daemon") }}}' ++ ++platform: machine +diff --git a/linux_os/guide/services/base/service_abrtd_disabled/rule.yml b/linux_os/guide/services/base/service_abrtd_disabled/rule.yml +index d3f4547161..df51ab91b7 100644 +--- a/linux_os/guide/services/base/service_abrtd_disabled/rule.yml ++++ b/linux_os/guide/services/base/service_abrtd_disabled/rule.yml +@@ -37,3 +37,5 @@ references: + cis-csc: 11,12,14,15,3,8,9 + + ocil: '{{{ ocil_service_disabled(service="abrtd") }}}' ++ ++platform: machine +diff --git a/linux_os/guide/services/base/service_acpid_disabled/rule.yml b/linux_os/guide/services/base/service_acpid_disabled/rule.yml +index 1cde23c55b..e28d36139e 100644 +--- a/linux_os/guide/services/base/service_acpid_disabled/rule.yml ++++ b/linux_os/guide/services/base/service_acpid_disabled/rule.yml +@@ -32,3 +32,5 @@ references: + cis-csc: 11,14,3,9 + + ocil: '{{{ ocil_service_disabled(service="acpid") }}}' ++ ++platform: machine +diff --git a/linux_os/guide/services/base/service_certmonger_disabled/rule.yml b/linux_os/guide/services/base/service_certmonger_disabled/rule.yml +index c8b9d7ecf8..37f67ac757 100644 +--- a/linux_os/guide/services/base/service_certmonger_disabled/rule.yml ++++ b/linux_os/guide/services/base/service_certmonger_disabled/rule.yml +@@ -32,3 +32,5 @@ references: + cis-csc: 11,14,3,9 + + ocil: '{{{ ocil_service_disabled(service="certmonger") }}}' ++ ++platform: machine +diff --git a/linux_os/guide/services/base/service_cgconfig_disabled/rule.yml b/linux_os/guide/services/base/service_cgconfig_disabled/rule.yml +index fc88b03f05..74592ec803 100644 +--- a/linux_os/guide/services/base/service_cgconfig_disabled/rule.yml ++++ b/linux_os/guide/services/base/service_cgconfig_disabled/rule.yml +@@ -30,3 +30,5 @@ references: + cis-csc: 11,14,3,9 + + ocil: '{{{ 
ocil_service_disabled(service="cgconfig") }}}' ++ ++platform: machine +diff --git a/linux_os/guide/services/base/service_cgred_disabled/rule.yml b/linux_os/guide/services/base/service_cgred_disabled/rule.yml +index b7bc04cb3c..95136a34aa 100644 +--- a/linux_os/guide/services/base/service_cgred_disabled/rule.yml ++++ b/linux_os/guide/services/base/service_cgred_disabled/rule.yml +@@ -29,3 +29,5 @@ references: + cis-csc: 11,14,3,9 + + ocil: '{{{ ocil_service_disabled(service="cgred") }}}' ++ ++platform: machine +diff --git a/linux_os/guide/services/base/service_cpupower_disabled/rule.yml b/linux_os/guide/services/base/service_cpupower_disabled/rule.yml +index dd6dd4572e..2ceef1df38 100644 +--- a/linux_os/guide/services/base/service_cpupower_disabled/rule.yml ++++ b/linux_os/guide/services/base/service_cpupower_disabled/rule.yml +@@ -30,3 +30,5 @@ references: + cis-csc: 11,14,3,9 + + ocil: '{{{ ocil_service_disabled(service="cpupower") }}}' ++ ++platform: machine +diff --git a/linux_os/guide/services/base/service_cpuspeed_disabled/rule.yml b/linux_os/guide/services/base/service_cpuspeed_disabled/rule.yml +index fed0d57a25..24ad5469db 100644 +--- a/linux_os/guide/services/base/service_cpuspeed_disabled/rule.yml ++++ b/linux_os/guide/services/base/service_cpuspeed_disabled/rule.yml +@@ -30,3 +30,5 @@ references: + cis-csc: 11,14,3,9 + + ocil: '{{{ ocil_service_disabled(service="cpuspeed") }}}' ++ ++platform: machine +diff --git a/linux_os/guide/services/base/service_haldaemon_disabled/rule.yml b/linux_os/guide/services/base/service_haldaemon_disabled/rule.yml +index 9ffe62f2fb..1f9debf286 100644 +--- a/linux_os/guide/services/base/service_haldaemon_disabled/rule.yml ++++ b/linux_os/guide/services/base/service_haldaemon_disabled/rule.yml +@@ -31,3 +31,5 @@ references: + cis-csc: 11,14,3,9 + + ocil: '{{{ ocil_service_disabled(service="haldaemon") }}}' ++ ++platform: machine +diff --git a/linux_os/guide/services/base/service_kdump_disabled/rule.yml 
b/linux_os/guide/services/base/service_kdump_disabled/rule.yml +index 0dc8bcd117..d3aa88b0a0 100644 +--- a/linux_os/guide/services/base/service_kdump_disabled/rule.yml ++++ b/linux_os/guide/services/base/service_kdump_disabled/rule.yml +@@ -38,3 +38,5 @@ references: + cis-csc: 11,12,14,15,3,8,9 + + ocil: '{{{ ocil_service_disabled(service="kdump") }}}' ++ ++platform: machine +diff --git a/linux_os/guide/services/base/service_mdmonitor_disabled/rule.yml b/linux_os/guide/services/base/service_mdmonitor_disabled/rule.yml +index 7c3cf3ce54..e6e43136be 100644 +--- a/linux_os/guide/services/base/service_mdmonitor_disabled/rule.yml ++++ b/linux_os/guide/services/base/service_mdmonitor_disabled/rule.yml +@@ -29,3 +29,5 @@ references: + cis-csc: 11,14,3,9 + + ocil: '{{{ ocil_service_disabled(service="mdmonitor") }}}' ++ ++platform: machine +diff --git a/linux_os/guide/services/base/service_messagebus_disabled/rule.yml b/linux_os/guide/services/base/service_messagebus_disabled/rule.yml +index 5935ac3d05..2de1412908 100644 +--- a/linux_os/guide/services/base/service_messagebus_disabled/rule.yml ++++ b/linux_os/guide/services/base/service_messagebus_disabled/rule.yml +@@ -33,3 +33,5 @@ references: + cis-csc: 11,14,3,9 + + ocil: '{{{ ocil_service_disabled(service="messagebus") }}}' ++ ++platform: machine +diff --git a/linux_os/guide/services/base/service_netconsole_disabled/rule.yml b/linux_os/guide/services/base/service_netconsole_disabled/rule.yml +index 4579994ffa..db75a5b409 100644 +--- a/linux_os/guide/services/base/service_netconsole_disabled/rule.yml ++++ b/linux_os/guide/services/base/service_netconsole_disabled/rule.yml +@@ -34,3 +34,5 @@ references: + cis-csc: 11,12,14,15,3,8,9 + + ocil: '{{{ ocil_service_disabled(service="netconsole") }}}' ++ ++platform: machine +diff --git a/linux_os/guide/services/base/service_ntpdate_disabled/rule.yml b/linux_os/guide/services/base/service_ntpdate_disabled/rule.yml +index 86b0faa459..1a20f8f3e0 100644 +--- 
a/linux_os/guide/services/base/service_ntpdate_disabled/rule.yml ++++ b/linux_os/guide/services/base/service_ntpdate_disabled/rule.yml +@@ -38,3 +38,5 @@ references: + cis-csc: 11,12,14,15,3,8,9 + + ocil: '{{{ ocil_service_disabled(service="ntpdate") }}}' ++ ++platform: machine +diff --git a/linux_os/guide/services/base/service_oddjobd_disabled/rule.yml b/linux_os/guide/services/base/service_oddjobd_disabled/rule.yml +index bc7087f0be..68a3f5f2ab 100644 +--- a/linux_os/guide/services/base/service_oddjobd_disabled/rule.yml ++++ b/linux_os/guide/services/base/service_oddjobd_disabled/rule.yml +@@ -37,3 +37,5 @@ references: + cis-csc: 11,14,3,9 + + ocil: '{{{ ocil_service_disabled(service="oddjobd") }}}' ++ ++platform: machine +diff --git a/linux_os/guide/services/base/service_portreserve_disabled/rule.yml b/linux_os/guide/services/base/service_portreserve_disabled/rule.yml +index 64cab85593..2238268d3d 100644 +--- a/linux_os/guide/services/base/service_portreserve_disabled/rule.yml ++++ b/linux_os/guide/services/base/service_portreserve_disabled/rule.yml +@@ -31,3 +31,5 @@ references: + cis-csc: 11,12,14,15,3,8,9 + + ocil: '{{{ ocil_service_disabled(service="portreserve") }}}' ++ ++platform: machine +diff --git a/linux_os/guide/services/base/service_psacct_enabled/rule.yml b/linux_os/guide/services/base/service_psacct_enabled/rule.yml +index 4dc88a4176..b53bf84469 100644 +--- a/linux_os/guide/services/base/service_psacct_enabled/rule.yml ++++ b/linux_os/guide/services/base/service_psacct_enabled/rule.yml +@@ -32,3 +32,5 @@ references: + cis-csc: 1,11,12,13,14,15,16,2,3,5,6,7,8,9 + + ocil: '{{{ ocil_service_disabled(service="psacct") }}}' ++ ++platform: machine +diff --git a/linux_os/guide/services/base/service_qpidd_disabled/rule.yml b/linux_os/guide/services/base/service_qpidd_disabled/rule.yml +index b31327d2d0..21e3468237 100644 +--- a/linux_os/guide/services/base/service_qpidd_disabled/rule.yml ++++ b/linux_os/guide/services/base/service_qpidd_disabled/rule.yml 
+@@ -38,3 +38,5 @@ references: + cis-csc: 11,12,14,15,3,8,9 + + ocil: '{{{ ocil_service_disabled(service="qpidd") }}}' ++ ++platform: machine +diff --git a/linux_os/guide/services/base/service_quota_nld_disabled/rule.yml b/linux_os/guide/services/base/service_quota_nld_disabled/rule.yml +index b6352e831a..78242b5c7b 100644 +--- a/linux_os/guide/services/base/service_quota_nld_disabled/rule.yml ++++ b/linux_os/guide/services/base/service_quota_nld_disabled/rule.yml +@@ -35,3 +35,5 @@ references: + cis-csc: 11,14,3,9 + + ocil: '{{{ ocil_service_disabled(service="quota_nld") }}}' ++ ++platform: machine +diff --git a/linux_os/guide/services/base/service_rdisc_disabled/rule.yml b/linux_os/guide/services/base/service_rdisc_disabled/rule.yml +index 9fcc4ba207..8265d182ef 100644 +--- a/linux_os/guide/services/base/service_rdisc_disabled/rule.yml ++++ b/linux_os/guide/services/base/service_rdisc_disabled/rule.yml +@@ -37,3 +37,5 @@ references: + cis-csc: 1,11,12,13,14,15,16,18,3,4,6,8,9 + + ocil: '{{{ ocil_service_disabled(service="rdisc") }}}' ++ ++platform: machine +diff --git a/linux_os/guide/services/base/service_rhnsd_disabled/rule.yml b/linux_os/guide/services/base/service_rhnsd_disabled/rule.yml +index 14b0ab18e0..3bf89d899f 100644 +--- a/linux_os/guide/services/base/service_rhnsd_disabled/rule.yml ++++ b/linux_os/guide/services/base/service_rhnsd_disabled/rule.yml +@@ -37,3 +37,5 @@ references: + cis-csc: 11,12,14,15,3,8,9 + + ocil: '{{{ ocil_service_disabled(service="rhnsd") }}}' ++ ++platform: machine +diff --git a/linux_os/guide/services/base/service_rhsmcertd_disabled/rule.yml b/linux_os/guide/services/base/service_rhsmcertd_disabled/rule.yml +index 92ed4fed4d..a4d11dba3c 100644 +--- a/linux_os/guide/services/base/service_rhsmcertd_disabled/rule.yml ++++ b/linux_os/guide/services/base/service_rhsmcertd_disabled/rule.yml +@@ -33,3 +33,5 @@ references: + cis-csc: 11,14,3,9 + + ocil: '{{{ ocil_service_disabled(service="rhsmcertd") }}}' ++ ++platform: machine +diff 
--git a/linux_os/guide/services/base/service_saslauthd_disabled/rule.yml b/linux_os/guide/services/base/service_saslauthd_disabled/rule.yml +index 367530f511..53254f294d 100644 +--- a/linux_os/guide/services/base/service_saslauthd_disabled/rule.yml ++++ b/linux_os/guide/services/base/service_saslauthd_disabled/rule.yml +@@ -34,3 +34,5 @@ references: + cis-csc: 11,12,14,15,3,8,9 + + ocil: '{{{ ocil_service_disabled(service="saslauthd") }}}' ++ ++platform: machine +diff --git a/linux_os/guide/services/base/service_smartd_disabled/rule.yml b/linux_os/guide/services/base/service_smartd_disabled/rule.yml +index 9c4345f56f..8c12d2bfb7 100644 +--- a/linux_os/guide/services/base/service_smartd_disabled/rule.yml ++++ b/linux_os/guide/services/base/service_smartd_disabled/rule.yml +@@ -32,3 +32,5 @@ references: + cis-csc: 11,14,3,9 + + ocil: '{{{ ocil_service_disabled(service="smartd") }}}' ++ ++platform: machine +diff --git a/linux_os/guide/services/base/service_sysstat_disabled/rule.yml b/linux_os/guide/services/base/service_sysstat_disabled/rule.yml +index 33378cab86..2e62cab258 100644 +--- a/linux_os/guide/services/base/service_sysstat_disabled/rule.yml ++++ b/linux_os/guide/services/base/service_sysstat_disabled/rule.yml +@@ -32,3 +32,5 @@ references: + cis-csc: 11,14,3,9 + + ocil: '{{{ ocil_service_disabled(service="sysstat") }}}' ++ ++platform: machine +diff --git a/linux_os/guide/services/cron_and_at/service_atd_disabled/rule.yml b/linux_os/guide/services/cron_and_at/service_atd_disabled/rule.yml +index 7b960f517d..71dab756f2 100644 +--- a/linux_os/guide/services/cron_and_at/service_atd_disabled/rule.yml ++++ b/linux_os/guide/services/cron_and_at/service_atd_disabled/rule.yml +@@ -38,3 +38,5 @@ references: + cis-csc: 11,14,3,9 + + ocil: '{{{ ocil_service_disabled(service="atd") }}}' ++ ++platform: machine +diff --git a/linux_os/guide/services/dhcp/disabling_dhcp_server/service_dhcpd_disabled/rule.yml 
b/linux_os/guide/services/dhcp/disabling_dhcp_server/service_dhcpd_disabled/rule.yml +index af16c87fff..bb0b895d93 100644 +--- a/linux_os/guide/services/dhcp/disabling_dhcp_server/service_dhcpd_disabled/rule.yml ++++ b/linux_os/guide/services/dhcp/disabling_dhcp_server/service_dhcpd_disabled/rule.yml +@@ -32,3 +32,5 @@ references: + cis-csc: 11,14,3,9 + + ocil: '{{{ ocil_service_disabled(service="dhcpd") }}}' ++ ++platform: machine +diff --git a/linux_os/guide/services/dns/disabling_dns_server/service_named_disabled/rule.yml b/linux_os/guide/services/dns/disabling_dns_server/service_named_disabled/rule.yml +index f47b4c29ee..d69cb94bd2 100644 +--- a/linux_os/guide/services/dns/disabling_dns_server/service_named_disabled/rule.yml ++++ b/linux_os/guide/services/dns/disabling_dns_server/service_named_disabled/rule.yml +@@ -28,3 +28,5 @@ references: + cis-csc: 11,14,3,9 + + ocil: '{{{ ocil_service_disabled(service="named") }}}' ++ ++platform: machine +diff --git a/linux_os/guide/services/ftp/disabling_vsftpd/service_vsftpd_disabled/rule.yml b/linux_os/guide/services/ftp/disabling_vsftpd/service_vsftpd_disabled/rule.yml +index ce7c66175d..721572fd1b 100644 +--- a/linux_os/guide/services/ftp/disabling_vsftpd/service_vsftpd_disabled/rule.yml ++++ b/linux_os/guide/services/ftp/disabling_vsftpd/service_vsftpd_disabled/rule.yml +@@ -30,3 +30,5 @@ references: + cis-csc: 11,14,3,9 + + ocil: '{{{ ocil_service_disabled(service="vsftpd") }}}' ++ ++platform: machine +diff --git a/linux_os/guide/services/http/disabling_httpd/service_httpd_disabled/rule.yml b/linux_os/guide/services/http/disabling_httpd/service_httpd_disabled/rule.yml +index de74f1e720..cdec6ac161 100644 +--- a/linux_os/guide/services/http/disabling_httpd/service_httpd_disabled/rule.yml ++++ b/linux_os/guide/services/http/disabling_httpd/service_httpd_disabled/rule.yml +@@ -27,3 +27,5 @@ references: + cis-csc: 11,14,3,9 + + ocil: '{{{ ocil_service_disabled(service="httpd") }}}' ++ ++platform: machine +diff --git 
a/linux_os/guide/services/imap/disabling_dovecot/service_dovecot_disabled/rule.yml b/linux_os/guide/services/imap/disabling_dovecot/service_dovecot_disabled/rule.yml +index bd255dc91e..c6d16decf0 100644 +--- a/linux_os/guide/services/imap/disabling_dovecot/service_dovecot_disabled/rule.yml ++++ b/linux_os/guide/services/imap/disabling_dovecot/service_dovecot_disabled/rule.yml +@@ -20,3 +20,5 @@ references: + cis: 2.2.11 + + ocil: '{{{ ocil_service_disabled(service="dovecot") }}}' ++ ++platform: machine +diff --git a/linux_os/guide/services/nfs_and_rpc/disabling_nfs/disabling_nfs_services/service_rpcbind_disabled/rule.yml b/linux_os/guide/services/nfs_and_rpc/disabling_nfs/disabling_nfs_services/service_rpcbind_disabled/rule.yml +index 0f565ab669..8e716c4890 100644 +--- a/linux_os/guide/services/nfs_and_rpc/disabling_nfs/disabling_nfs_services/service_rpcbind_disabled/rule.yml ++++ b/linux_os/guide/services/nfs_and_rpc/disabling_nfs/disabling_nfs_services/service_rpcbind_disabled/rule.yml +@@ -23,3 +23,5 @@ identifiers: + + references: + cis: 2.2.7 ++ ++platform: machine +diff --git a/linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/disabling_nfsd/service_nfs_disabled/rule.yml b/linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/disabling_nfsd/service_nfs_disabled/rule.yml +index 4da6b1de32..77b9cb19eb 100644 +--- a/linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/disabling_nfsd/service_nfs_disabled/rule.yml ++++ b/linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/disabling_nfsd/service_nfs_disabled/rule.yml +@@ -31,3 +31,5 @@ references: + ocil_clause: 'it does not' + + ocil: '{{{ ocil_service_disabled(service="nfs") }}}' ++ ++platform: machine +diff --git a/linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/disabling_nfsd/service_rpcsvcgssd_disabled/rule.yml b/linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/disabling_nfsd/service_rpcsvcgssd_disabled/rule.yml +index dfa0d0a8c7..e8d3a81270 100644 +--- 
a/linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/disabling_nfsd/service_rpcsvcgssd_disabled/rule.yml ++++ b/linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/disabling_nfsd/service_rpcsvcgssd_disabled/rule.yml +@@ -20,3 +20,5 @@ identifiers: + cce@rhel7: 80238-9 + + ocil: '{{{ ocil_service_disabled(service="rpcsvcgssd") }}}' ++ ++platform: machine +diff --git a/linux_os/guide/services/obsolete/inetd_and_xinetd/service_xinetd_disabled/rule.yml b/linux_os/guide/services/obsolete/inetd_and_xinetd/service_xinetd_disabled/rule.yml +index 2b224eec65..e86a1620ef 100644 +--- a/linux_os/guide/services/obsolete/inetd_and_xinetd/service_xinetd_disabled/rule.yml ++++ b/linux_os/guide/services/obsolete/inetd_and_xinetd/service_xinetd_disabled/rule.yml +@@ -38,3 +38,5 @@ ocil: |- + If network services are using the xinetd service, this is not applicable. +

    + {{{ ocil_service_disabled(service="xinetd") }}} ++ ++platform: machine +diff --git a/linux_os/guide/services/obsolete/nis/service_ypbind_disabled/rule.yml b/linux_os/guide/services/obsolete/nis/service_ypbind_disabled/rule.yml +index 8020867c28..9444832e16 100644 +--- a/linux_os/guide/services/obsolete/nis/service_ypbind_disabled/rule.yml ++++ b/linux_os/guide/services/obsolete/nis/service_ypbind_disabled/rule.yml +@@ -34,3 +34,5 @@ references: + cis-csc: 11,12,14,15,3,8,9 + + ocil: '{{{ ocil_service_disabled(service="ypbind") }}}' ++ ++platform: machine +diff --git a/linux_os/guide/services/obsolete/r_services/service_rexec_disabled/rule.yml b/linux_os/guide/services/obsolete/r_services/service_rexec_disabled/rule.yml +index 847304d1fc..65d6cc7a36 100644 +--- a/linux_os/guide/services/obsolete/r_services/service_rexec_disabled/rule.yml ++++ b/linux_os/guide/services/obsolete/r_services/service_rexec_disabled/rule.yml +@@ -39,3 +39,5 @@ references: + cis-csc: 11,12,14,15,3,8,9 + + {{{ complete_ocil_entry_socket_and_service_disabled("rexec") }}} ++ ++platform: machine +diff --git a/linux_os/guide/services/obsolete/r_services/service_rlogin_disabled/rule.yml b/linux_os/guide/services/obsolete/r_services/service_rlogin_disabled/rule.yml +index 295c3e6c7a..4864112e97 100644 +--- a/linux_os/guide/services/obsolete/r_services/service_rlogin_disabled/rule.yml ++++ b/linux_os/guide/services/obsolete/r_services/service_rlogin_disabled/rule.yml +@@ -40,3 +40,5 @@ references: + cis-csc: 1,11,12,14,15,16,3,5,8,9 + + {{{ complete_ocil_entry_socket_and_service_disabled("rlogin") }}} ++ ++platform: machine +diff --git a/linux_os/guide/services/obsolete/r_services/service_rsh_disabled/rule.yml b/linux_os/guide/services/obsolete/r_services/service_rsh_disabled/rule.yml +index 17740862f2..5bd43b0e6e 100644 +--- a/linux_os/guide/services/obsolete/r_services/service_rsh_disabled/rule.yml ++++ b/linux_os/guide/services/obsolete/r_services/service_rsh_disabled/rule.yml +@@ -39,3 
+39,5 @@ references: + cis-csc: 1,11,12,14,15,16,3,5,8,9 + + {{{ complete_ocil_entry_socket_and_service_disabled("rsh") }}} ++ ++platform: machine +diff --git a/linux_os/guide/services/obsolete/telnet/service_telnet_disabled/rule.yml b/linux_os/guide/services/obsolete/telnet/service_telnet_disabled/rule.yml +index 09e6d48a82..b4ca1f46de 100644 +--- a/linux_os/guide/services/obsolete/telnet/service_telnet_disabled/rule.yml ++++ b/linux_os/guide/services/obsolete/telnet/service_telnet_disabled/rule.yml +@@ -59,3 +59,5 @@ references: + cis-csc: 1,11,12,14,15,16,3,5,8,9 + + {{{ complete_ocil_entry_socket_and_service_disabled("telnet") }}} ++ ++platform: machine +diff --git a/linux_os/guide/services/obsolete/tftp/service_tftp_disabled/rule.yml b/linux_os/guide/services/obsolete/tftp/service_tftp_disabled/rule.yml +index dc94742526..2f1671ef88 100644 +--- a/linux_os/guide/services/obsolete/tftp/service_tftp_disabled/rule.yml ++++ b/linux_os/guide/services/obsolete/tftp/service_tftp_disabled/rule.yml +@@ -32,3 +32,5 @@ references: + cis-csc: 11,12,14,15,3,8,9 + + ocil: '{{{ ocil_service_disabled(service="tftp") }}}' ++ ++platform: machine +diff --git a/linux_os/guide/services/printing/service_cups_disabled/rule.yml b/linux_os/guide/services/printing/service_cups_disabled/rule.yml +index 5b0cc60bfd..3728484a62 100644 +--- a/linux_os/guide/services/printing/service_cups_disabled/rule.yml ++++ b/linux_os/guide/services/printing/service_cups_disabled/rule.yml +@@ -25,3 +25,5 @@ references: + cis-csc: 11,14,3,9 + + ocil: '{{{ ocil_service_disabled(service="cups") }}}' ++ ++platform: machine +diff --git a/linux_os/guide/services/proxy/disabling_squid/service_squid_disabled/rule.yml b/linux_os/guide/services/proxy/disabling_squid/service_squid_disabled/rule.yml +index a8c1e00d78..990726e40d 100644 +--- a/linux_os/guide/services/proxy/disabling_squid/service_squid_disabled/rule.yml ++++ b/linux_os/guide/services/proxy/disabling_squid/service_squid_disabled/rule.yml +@@ -20,3 
+20,5 @@ references: + cis: 2.2.13 + + ocil: '{{{ ocil_service_disabled(service="squid") }}}' ++ ++platform: machine +diff --git a/linux_os/guide/services/routing/disabling_quagga/service_zebra_disabled/rule.yml b/linux_os/guide/services/routing/disabling_quagga/service_zebra_disabled/rule.yml +index c3bb80abd8..e9c9a56f77 100644 +--- a/linux_os/guide/services/routing/disabling_quagga/service_zebra_disabled/rule.yml ++++ b/linux_os/guide/services/routing/disabling_quagga/service_zebra_disabled/rule.yml +@@ -30,3 +30,5 @@ references: + cis-csc: 12,15,8 + + ocil: '{{{ ocil_service_disabled(service="zebra") }}}' ++ ++platform: machine +diff --git a/linux_os/guide/services/smb/disabling_samba/service_smb_disabled/rule.yml b/linux_os/guide/services/smb/disabling_samba/service_smb_disabled/rule.yml +index f00944b9fa..13769d9ff2 100644 +--- a/linux_os/guide/services/smb/disabling_samba/service_smb_disabled/rule.yml ++++ b/linux_os/guide/services/smb/disabling_samba/service_smb_disabled/rule.yml +@@ -21,3 +21,5 @@ references: + disa: "1436" + + ocil: '{{{ ocil_service_disabled(service="smb") }}}' ++ ++platform: machine +diff --git a/linux_os/guide/services/snmp/disabling_snmp_service/service_snmpd_disabled/rule.yml b/linux_os/guide/services/snmp/disabling_snmp_service/service_snmpd_disabled/rule.yml +index 64f509be20..96a52bc3c9 100644 +--- a/linux_os/guide/services/snmp/disabling_snmp_service/service_snmpd_disabled/rule.yml ++++ b/linux_os/guide/services/snmp/disabling_snmp_service/service_snmpd_disabled/rule.yml +@@ -21,3 +21,5 @@ references: + cis: 2.2.14 + + ocil: '{{{ ocil_service_disabled(service="snmpd") }}}' ++ ++platform: machine +diff --git a/linux_os/guide/system/network/network-wireless/wireless_software/service_bluetooth_disabled/rule.yml b/linux_os/guide/system/network/network-wireless/wireless_software/service_bluetooth_disabled/rule.yml +index 05b11ecbc1..fb2eeecfc1 100644 +--- 
a/linux_os/guide/system/network/network-wireless/wireless_software/service_bluetooth_disabled/rule.yml ++++ b/linux_os/guide/system/network/network-wireless/wireless_software/service_bluetooth_disabled/rule.yml +@@ -34,3 +34,5 @@ references: + cis-csc: 11,12,14,15,3,8,9 + + ocil: '{{{ ocil_service_disabled(service="bluetooth") }}}' ++ ++platform: machine +diff --git a/linux_os/guide/system/permissions/mounting/service_autofs_disabled/rule.yml b/linux_os/guide/system/permissions/mounting/service_autofs_disabled/rule.yml +index 9de5b25a74..fa4c8e1a48 100644 +--- a/linux_os/guide/system/permissions/mounting/service_autofs_disabled/rule.yml ++++ b/linux_os/guide/system/permissions/mounting/service_autofs_disabled/rule.yml +@@ -47,3 +47,5 @@ references: + cis-csc: 1,12,15,16,5 + + ocil: '{{{ ocil_service_disabled(service="autofs") }}}' ++ ++platform: machine diff --git a/SOURCES/scap-security-guide-0.1.44-remove_gpgcheck_repo_from_profiles.patch b/SOURCES/scap-security-guide-0.1.44-remove_gpgcheck_repo_from_profiles.patch new file mode 100644 index 0000000..75080a4 --- /dev/null +++ b/SOURCES/scap-security-guide-0.1.44-remove_gpgcheck_repo_from_profiles.patch 
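Review bot: Forty-eight service rules are switched to `platform: machine` under a one-line commit message with no rationale, unlike the SELinux patch; the reason (presumably that service enablement state cannot be evaluated against an offline container filesystem, so these checks would fail instead of reporting not-applicable) should be recorded in the patch description so the next rebase knows whether to keep it. The practical effect is that a container-image scan no longer reports anything for these services, so the host still needs its own machine scan to cover them, and that is worth one sentence in the description too. Visible in context at service_psacct_enabled/rule.yml, the check text is `ocil: '{{{ ocil_service_disabled(service="psacct") }}}'` for a rule whose id says enabled; this predates the patch, but it asks an auditor to verify the opposite of what the rule's name states and deserves a follow-up.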
@@ -0,0 +1,54 @@ +commit 0fa953ada3356994ddc5a42bd93423c4b95adab8 +Author: Gabriel Becker +Date: Thu Apr 25 16:27:58 2019 +0200 + + Remove ensure_gpgcheck_repo_metadata check from rhel profiles. + +diff --git a/rhel7/profiles/hipaa.profile b/rhel7/profiles/hipaa.profile +index 8323245..719093b 100644 +--- a/rhel7/profiles/hipaa.profile ++++ b/rhel7/profiles/hipaa.profile +@@ -88,7 +88,6 @@ selections: + - ensure_redhat_gpgkey_installed + - ensure_gpgcheck_globally_activated + - ensure_gpgcheck_never_disabled +- - ensure_gpgcheck_repo_metadata + - ensure_gpgcheck_local_packages + - grub2_audit_argument + - service_auditd_enabled +diff --git a/rhel7/profiles/ospp.profile b/rhel7/profiles/ospp.profile +index 166de67..a4357a6 100644 +--- a/rhel7/profiles/ospp.profile ++++ b/rhel7/profiles/ospp.profile +@@ -397,7 +397,6 @@ selections: + - ensure_redhat_gpgkey_installed + - ensure_gpgcheck_globally_activated + - ensure_gpgcheck_never_disabled +- - ensure_gpgcheck_repo_metadata + - ensure_gpgcheck_local_packages + - network_sniffer_disabled + - network_ipv6_disable_rpc +diff --git a/rhel8/profiles/hipaa.profile b/rhel8/profiles/hipaa.profile +index 5819474..f5533f1 100644 +--- a/rhel8/profiles/hipaa.profile ++++ b/rhel8/profiles/hipaa.profile +@@ -83,7 +83,6 @@ selections: + - ensure_redhat_gpgkey_installed + - ensure_gpgcheck_globally_activated + - ensure_gpgcheck_never_disabled +- - ensure_gpgcheck_repo_metadata + - ensure_gpgcheck_local_packages + - grub2_audit_argument + - service_auditd_enabled +diff --git a/rhv4/profiles/rhvh-stig.profile b/rhv4/profiles/rhvh-stig.profile +index f55098b..f708198 100644 +--- a/rhv4/profiles/rhvh-stig.profile ++++ b/rhv4/profiles/rhvh-stig.profile +@@ -371,7 +371,6 @@ selections: + - ensure_redhat_gpgkey_installed + - ensure_gpgcheck_globally_activated + - ensure_gpgcheck_never_disabled +- - ensure_gpgcheck_repo_metadata + - ensure_gpgcheck_local_packages + - network_sniffer_disabled + - network_ipv6_disable_rpc 
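Review bot: The nested commit message gives no reason for dropping `ensure_gpgcheck_repo_metadata` from the rhel7 HIPAA and OSPP, rhel8 HIPAA and rhv4 RHVH STIG selections, and it is the one selection in each block that covers signature verification of repository metadata rather than of packages. Removing a verification control from shipped profiles is exactly what an auditor will ask about, so the patch description should state the motivation (presumably the check is not satisfiable against the vendor repositories, but that is inferred, not shown here) and that `ensure_gpgcheck_globally_activated`, `ensure_gpgcheck_never_disabled` and `ensure_gpgcheck_local_packages` stay selected. A single added line in the description such as `Reason: <placeholder - why repo metadata gpgcheck is not enforced in these profiles>` would be sufficient.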
diff --git a/SOURCES/scap-security-guide-0.1.44-rule_pcsc-lite_installed.patch b/SOURCES/scap-security-guide-0.1.44-rule_pcsc-lite_installed.patch new file mode 100644 index 0000000..6cdf6be --- /dev/null +++ b/SOURCES/scap-security-guide-0.1.44-rule_pcsc-lite_installed.patch 
@@ -0,0 +1,141 @@ +From 57e3dba57c5a9e9172476ea254fae2a8fa4e9591 Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Fri, 1 Mar 2019 10:22:19 +0100 +Subject: [PATCH 1/2] Add rule for package pcsc-lite installed + +Select the rule in profiles that select service_pcscd_enabled. +--- + .../package_pcsc-lite_installed/rule.yml | 23 +++++++++++++++++++ + rhel7/profiles/ospp.profile | 1 + + rhel7/profiles/rhelh-stig.profile | 1 + + rhel7/profiles/rhelh-vpp.profile | 1 + + rhel8/profiles/pci-dss.profile | 1 + + rhv4/profiles/rhvh-stig.profile | 1 + + rhv4/profiles/rhvh-vpp.profile | 1 + + 7 files changed, 29 insertions(+) + create mode 100644 linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/package_pcsc-lite_installed/rule.yml + +diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/package_pcsc-lite_installed/rule.yml b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/package_pcsc-lite_installed/rule.yml +new file mode 100644 +index 0000000000..6baf31bbe1 +--- /dev/null ++++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/package_pcsc-lite_installed/rule.yml +@@ -0,0 +1,23 @@ ++documentation_complete: true ++ ++prodtype: rhel7,rhel8,fedora,rhv4 ++ ++title: 'Install pcsc-lite' ++ ++description: |- ++ {{{ describe_package_install(package="pcsc-lite") }}} ++ ++rationale: |- ++ The pcsc-lite package must be installed if it is to be available for ++ multifactor authentication using smartcards. 
++ ++severity: medium ++ ++references: ++ disa: "1954" ++ srg: SRG-OS-000375-GPOS-00160 ++ vmmsrg: SRG-OS-000377-VMM-001530 ++ ++ocil_clause: 'the package is not installed' ++ ++ocil: '{{{ ocil_package(package="pcsc-lite") }}}' +diff --git a/rhel7/profiles/ospp.profile b/rhel7/profiles/ospp.profile +index 64f54c3945..166de67169 100644 +--- a/rhel7/profiles/ospp.profile ++++ b/rhel7/profiles/ospp.profile +@@ -387,6 +387,7 @@ selections: + - configure_opensc_nss_db + - configure_opensc_card_drivers + - force_opensc_card_drivers ++ - package_pcsc-lite_installed + - service_pcscd_enabled + - sssd_enable_smartcards + - sssd_memcache_timeout +diff --git a/rhel7/profiles/rhelh-stig.profile b/rhel7/profiles/rhelh-stig.profile +index cf387e4a25..f88f4026b0 100644 +--- a/rhel7/profiles/rhelh-stig.profile ++++ b/rhel7/profiles/rhelh-stig.profile +@@ -361,6 +361,7 @@ selections: + - configure_opensc_nss_db + - configure_opensc_card_drivers + - force_opensc_card_drivers ++ - package_pcsc-lite_installed + - service_pcscd_enabled + - sssd_enable_smartcards + - sssd_memcache_timeout +diff --git a/rhel7/profiles/rhelh-vpp.profile b/rhel7/profiles/rhelh-vpp.profile +index b26e523f6d..2b4a5805ef 100644 +--- a/rhel7/profiles/rhelh-vpp.profile ++++ b/rhel7/profiles/rhelh-vpp.profile +@@ -178,6 +178,7 @@ selections: + - configure_opensc_nss_db + - configure_opensc_card_drivers + - force_opensc_card_drivers ++ - package_pcsc-lite_installed + - service_pcscd_enabled + - sssd_enable_smartcards + +diff --git a/rhel8/profiles/pci-dss.profile b/rhel8/profiles/pci-dss.profile +index 934622c456..5990e9e00d 100644 +--- a/rhel8/profiles/pci-dss.profile ++++ b/rhel8/profiles/pci-dss.profile +@@ -119,6 +119,7 @@ selections: + - configure_opensc_nss_db + - configure_opensc_card_drivers + - force_opensc_card_drivers ++ - package_pcsc-lite_installed + - service_pcscd_enabled + - sssd_enable_smartcards + - set_password_hashing_algorithm_systemauth +diff --git a/rhv4/profiles/rhvh-stig.profile 
b/rhv4/profiles/rhvh-stig.profile +index 47f0052756..f55098b276 100644 +--- a/rhv4/profiles/rhvh-stig.profile ++++ b/rhv4/profiles/rhvh-stig.profile +@@ -361,6 +361,7 @@ selections: + - configure_opensc_nss_db + - configure_opensc_card_drivers + - force_opensc_card_drivers ++ - package_pcsc-lite_installed + - service_pcscd_enabled + - sssd_enable_smartcards + - sssd_memcache_timeout +diff --git a/rhv4/profiles/rhvh-vpp.profile b/rhv4/profiles/rhvh-vpp.profile +index 5b9dee7590..ecc6fce5e0 100644 +--- a/rhv4/profiles/rhvh-vpp.profile ++++ b/rhv4/profiles/rhvh-vpp.profile +@@ -178,6 +178,7 @@ selections: + - configure_opensc_nss_db + - configure_opensc_card_drivers + - force_opensc_card_drivers ++ - package_pcsc-lite_installed + - service_pcscd_enabled + - sssd_enable_smartcards + + +From d8ffcfed9a1e97e18b02bc6be8d7918b6a994a95 Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Fri, 1 Mar 2019 16:58:19 +0100 +Subject: [PATCH 2/2] Update title of rule package_pcsc-lite_installed + +--- + .../smart_card_login/package_pcsc-lite_installed/rule.yml | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/package_pcsc-lite_installed/rule.yml b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/package_pcsc-lite_installed/rule.yml +index 6baf31bbe1..b2a243db84 100644 +--- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/package_pcsc-lite_installed/rule.yml ++++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/package_pcsc-lite_installed/rule.yml +@@ -2,7 +2,7 @@ documentation_complete: true + + prodtype: rhel7,rhel8,fedora,rhv4 + +-title: 'Install pcsc-lite' ++title: 'Install the pcsc-lite package' + + description: |- + {{{ describe_package_install(package="pcsc-lite") }}} 
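Review bot: The `rationale` of the new `package_pcsc-lite_installed` rule does not record the dependency that motivated it: the nested commit message says the rule is selected wherever `service_pcscd_enabled` is, but a reader of rule.yml only sees the generic smart-card sentence. I would extend the rationale with `The pcsc-lite package provides the pcscd daemon, so it must be present before the service_pcscd_enabled rule can be remediated.` The series also carries a second nested commit only to rename the title from 'Install pcsc-lite' to 'Install the pcsc-lite package'; for a distribution patch, squashing the two would make the carried diff shorter and easier to rebase, though that is a style preference only.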
diff --git a/SOURCES/scap-security-guide-0.1.44-rules_docker_psacct_installed.patch b/SOURCES/scap-security-guide-0.1.44-rules_docker_psacct_installed.patch new file mode 100644 index 0000000..79286d9 --- /dev/null +++ b/SOURCES/scap-security-guide-0.1.44-rules_docker_psacct_installed.patch 
@@ -0,0 +1,179 @@ +From 6b9120f959480a230579f31d3b428d2d7f99f488 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= +Date: Tue, 5 Mar 2019 15:31:03 +0100 +Subject: [PATCH 1/4] Add rule package_docker_installed + +There is a rule service_docker_enabled, but the Ansible remediation +for this rule failed, because there was no rule that contained +an Ansible task to install the Docker package. +--- + .../docker/package_docker_installed/rule.yml | 22 +++++++++++++++++++ + 1 file changed, 22 insertions(+) + create mode 100644 linux_os/guide/services/docker/package_docker_installed/rule.yml + +diff --git a/linux_os/guide/services/docker/package_docker_installed/rule.yml b/linux_os/guide/services/docker/package_docker_installed/rule.yml +new file mode 100644 +index 0000000000..69fc172c34 +--- /dev/null ++++ b/linux_os/guide/services/docker/package_docker_installed/rule.yml +@@ -0,0 +1,22 @@ ++documentation_complete: true ++ ++prodtype: rhel7 ++ ++title: 'Install the docker Package' ++ ++description: |- ++ The docker package provides necessary software to create containers, which ++ are self-sufficient and self-contained applications using the resource ++ isolation features of the kernel. ++ {{{ describe_package_install(package="docker") }}} ++ ++rationale: |- ++ To be able to run the docker service, the docker package has to be installed. ++ ++severity: medium ++ ++ocil_clause: 'the package is not installed' ++ ++ocil: '{{{ ocil_package(package="docker") }}}' ++ ++platform: machine + +From bdcbb9bf073c915b86a8619b0a1f82307d34f82b Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= +Date: Tue, 5 Mar 2019 15:33:07 +0100 +Subject: [PATCH 2/4] Remove Docker rules from RHEL8 Benchmark + +Docker isn't available on RHEL8. 
+--- + .../guide/services/docker/docker_storage_configured/rule.yml | 2 +- + linux_os/guide/services/docker/service_docker_enabled/rule.yml | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +diff --git a/linux_os/guide/services/docker/docker_storage_configured/rule.yml b/linux_os/guide/services/docker/docker_storage_configured/rule.yml +index d0000f70f5..a1c90e60f9 100644 +--- a/linux_os/guide/services/docker/docker_storage_configured/rule.yml ++++ b/linux_os/guide/services/docker/docker_storage_configured/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: rhel7,rhel8 ++prodtype: rhel7 + + title: 'Use direct-lvm with the Device Mapper Storage Driver' + +diff --git a/linux_os/guide/services/docker/service_docker_enabled/rule.yml b/linux_os/guide/services/docker/service_docker_enabled/rule.yml +index f0f408b655..309771b828 100644 +--- a/linux_os/guide/services/docker/service_docker_enabled/rule.yml ++++ b/linux_os/guide/services/docker/service_docker_enabled/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: rhel7,rhel8 ++prodtype: rhel7 + + title: 'Enable the Docker service' + + +From 9d20a9f87bc3e3992bd86728de9bd05988a35a8a Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= +Date: Tue, 5 Mar 2019 15:48:37 +0100 +Subject: [PATCH 3/4] Add rule package_docker_installed to Docker host profile + +--- + rhel7/profiles/docker-host.profile | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/rhel7/profiles/docker-host.profile b/rhel7/profiles/docker-host.profile +index 894b78930b..0d1207bcfa 100644 +--- a/rhel7/profiles/docker-host.profile ++++ b/rhel7/profiles/docker-host.profile +@@ -10,6 +10,7 @@ description: |- + and scap-security-guide@lists.fedorahosted.org. 
+ + selections: ++ - package_docker_installed + - service_docker_enabled + - var_selinux_policy_name=targeted + - var_selinux_state=enforcing + +From b34bdcf3ddd10542b8e989069779c6ff45385c96 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= +Date: Tue, 5 Mar 2019 15:49:01 +0100 +Subject: [PATCH 4/4] Add rule package_psacct_installed + +There is a rule service_psacct_enabled, but the Ansible remediation +for this rule failed, because there was no rule that contained +an Ansible task to install the psacct package. +Also adds the rule package_psacct_installed to all profiles +where rule service_psacct_enabled is included. +--- + .../base/package_psacct_installed/rule.yml | 32 +++++++++++++++++++ + rhel6/profiles/CSCF-RHEL6-MLS.profile | 1 + + rhel6/profiles/nist-CL-IL-AL.profile | 1 + + 3 files changed, 34 insertions(+) + create mode 100644 linux_os/guide/services/base/package_psacct_installed/rule.yml + +diff --git a/linux_os/guide/services/base/package_psacct_installed/rule.yml b/linux_os/guide/services/base/package_psacct_installed/rule.yml +new file mode 100644 +index 0000000000..abf2a720ee +--- /dev/null ++++ b/linux_os/guide/services/base/package_psacct_installed/rule.yml +@@ -0,0 +1,32 @@ ++documentation_complete: true ++ ++prodtype: rhel6,rhel7,rhel8 ++ ++title: 'Install the psacct package' ++ ++description: |- ++ The process accounting service, psacct, works with programs ++ including acct and ac to allow system administrators to view ++ user activity, such as commands issued by users of the system. ++ {{{ describe_package_install(package="psacct") }}} ++ ++rationale: |- ++ The psacct service can provide administrators a convenient ++ view into some user activities. However, it should be noted that the auditing ++ system and its audit records provide more authoritative and comprehensive ++ records. 
++ ++severity: unknown ++ ++references: ++ nist: AU-12,CM-7 ++ nist-csf: DE.CM-1,DE.CM-3,DE.CM-7,ID.SC-4,PR.IP-1,PR.PT-1,PR.PT-3 ++ isa-62443-2013: 'SR 1.1,SR 1.10,SR 1.11,SR 1.12,SR 1.13,SR 1.2,SR 1.3,SR 1.4,SR 1.5,SR 1.6,SR 1.7,SR 1.8,SR 1.9,SR 2.1,SR 2.10,SR 2.11,SR 2.12,SR 2.2,SR 2.3,SR 2.4,SR 2.5,SR 2.6,SR 2.7,SR 2.8,SR 2.9,SR 6.1,SR 6.2,SR 7.6' ++ isa-62443-2009: 4.3.2.6.7,4.3.3.3.9,4.3.3.5.1,4.3.3.5.2,4.3.3.5.3,4.3.3.5.4,4.3.3.5.5,4.3.3.5.6,4.3.3.5.7,4.3.3.5.8,4.3.3.6.1,4.3.3.6.2,4.3.3.6.3,4.3.3.6.4,4.3.3.6.5,4.3.3.6.6,4.3.3.6.7,4.3.3.6.8,4.3.3.6.9,4.3.3.7.1,4.3.3.7.2,4.3.3.7.3,4.3.3.7.4,4.3.4.3.2,4.3.4.3.3,4.3.4.4.7,4.4.2.1,4.4.2.2,4.4.2.4 ++ cobit5: APO10.01,APO10.03,APO10.04,APO10.05,APO11.04,BAI03.05,BAI10.01,BAI10.02,BAI10.03,BAI10.05,DSS01.03,DSS03.05,DSS05.02,DSS05.04,DSS05.05,DSS05.07,DSS06.06,MEA01.01,MEA01.02,MEA01.03,MEA01.04,MEA01.05,MEA02.01 ++ iso27001-2013: A.12.1.2,A.12.4.1,A.12.4.2,A.12.4.3,A.12.4.4,A.12.5.1,A.12.6.2,A.12.7.1,A.14.2.2,A.14.2.3,A.14.2.4,A.14.2.7,A.15.2.1,A.15.2.2,A.9.1.2 ++ cis-csc: 1,11,12,13,14,15,16,2,3,5,6,7,8,9 ++ ++ocil_clause: 'the package is not installed' ++ ++ocil: '{{{ ocil_package(package="psacct") }}}' +diff --git a/rhel6/profiles/CSCF-RHEL6-MLS.profile b/rhel6/profiles/CSCF-RHEL6-MLS.profile +index 104ebeadca..49568247cc 100644 +--- a/rhel6/profiles/CSCF-RHEL6-MLS.profile ++++ b/rhel6/profiles/CSCF-RHEL6-MLS.profile +@@ -207,6 +207,7 @@ selections: + - service_ntpdate_disabled + - service_oddjobd_disabled + - service_portreserve_disabled ++ - package_psacct_installed + - service_psacct_enabled + - service_qpidd_disabled + - service_quota_nld_disabled +diff --git a/rhel6/profiles/nist-CL-IL-AL.profile b/rhel6/profiles/nist-CL-IL-AL.profile +index 9f8718329b..8a6e21a106 100644 +--- a/rhel6/profiles/nist-CL-IL-AL.profile ++++ b/rhel6/profiles/nist-CL-IL-AL.profile +@@ -164,6 +164,7 @@ selections: + - service_ntpd_enabled + - ntpd_specify_remote_server + - ntpd_specify_multiple_servers ++ - package_psacct_installed 
+ - service_psacct_enabled + - package_aide_installed + - disable_prelink diff --git a/SOURCES/scap-security-guide-0.1.44-template_file_permissions_use_regex.patch b/SOURCES/scap-security-guide-0.1.44-template_file_permissions_use_regex.patch new file mode 100644 index 0000000..b404d63 --- /dev/null +++ b/SOURCES/scap-security-guide-0.1.44-template_file_permissions_use_regex.patch 
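Review bot: The new `package_psacct_installed` rule in PATCH 4/4 is created with `severity: unknown`, while the parallel `package_docker_installed` rule in PATCH 1/4 of the same series sets `severity: medium`; an undefined severity propagates into the generated benchmark and its scoring, so a concrete value should be chosen, and given the rationale's own statement that the audit system is the authoritative record, `severity: low` looks like the appropriate level (a judgement call for the authors). The psacct rule also omits the `platform: machine` line the docker rule carries; if process accounting is meaningful only on a full host the same assertion should be added, otherwise a short comment explaining the difference would help. The commit message says the rule was added to every profile selecting `service_psacct_enabled`, yet only two rhel6 profiles are touched although `prodtype` lists rhel7 and rhel8 as well; if any rhel7 or rhel8 profile selects `service_psacct_enabled`, the Ansible failure described in the message would persist there (not verifiable from this hunk).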
@@ -0,0 +1,47 @@ +From 1732e962e1157832e77a5471a4cd9ebeb6da83a5 Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Tue, 19 Mar 2019 16:34:37 +0100 +Subject: [PATCH 1/2] Set use_regex to true + +The specified pattern is a regular expression +--- + shared/templates/template_ANSIBLE_file_regex_permissions | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/shared/templates/template_ANSIBLE_file_regex_permissions b/shared/templates/template_ANSIBLE_file_regex_permissions +index cfa6073347..6be3b0db2e 100644 +--- a/shared/templates/template_ANSIBLE_file_regex_permissions ++++ b/shared/templates/template_ANSIBLE_file_regex_permissions +@@ -7,6 +7,7 @@ + find: + paths: "{{{ FILEPATH }}}" + patterns: "{{{ FILENAME }}}" ++ use_regex: yes + register: files_found + tags: + @ANSIBLE_TAGS@ + +From 64c07573e7b30bed581e1765f0964d8934b5ee58 Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Tue, 19 Mar 2019 16:35:27 +0100 +Subject: [PATCH 2/2] Add test for multiple ssh keys + +--- + .../multiple_keys.fail.sh | 8 ++++++++ + 1 file changed, 8 insertions(+) + create mode 100644 tests/data/group_services/group_ssh/rule_file_permissions_sshd_private_key/multiple_keys.fail.sh + +diff --git a/tests/data/group_services/group_ssh/rule_file_permissions_sshd_private_key/multiple_keys.fail.sh b/tests/data/group_services/group_ssh/rule_file_permissions_sshd_private_key/multiple_keys.fail.sh +new file mode 100644 +index 0000000000..7942950dda +--- /dev/null ++++ b/tests/data/group_services/group_ssh/rule_file_permissions_sshd_private_key/multiple_keys.fail.sh +@@ -0,0 +1,8 @@ ++#!/bin/bash ++# ++# profiles = xccdf_org.ssgproject.content_profile_ospp ++ ++FAKE_KEY=$(mktemp -p /etc/ssh/ XXXX_key) ++chmod 0777 $FAKE_KEY ++FAKE_KEY2=$(mktemp -p /etc/ssh/ XXXX_key) ++chmod 0640 $FAKE_KEY2 diff --git a/SOURCES/scap-security-guide-0.1.44-update-cpe-dictionary.patch b/SOURCES/scap-security-guide-0.1.44-update-cpe-dictionary.patch index 95b0180..31239b1 100644 
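Review bot: Switching `find` to `use_regex: yes` changes how every `FILENAME` passed to template_ANSIBLE_file_regex_permissions is interpreted: Ansible applies regex patterns with match semantics anchored only at the start of the basename, so a pattern without a trailing `$` also selects longer names sharing that prefix (a private-key pattern would take in `.pub` counterparts), and any consumer still supplying a glob beginning with `*` would now fail to compile. A template comment above the `patterns:` line, such as `# FILENAME is a Python regex matched from the start of the basename; end it with $ to require a full match`, would make the contract explicit for rule authors. The new `multiple_keys.fail.sh` test only exercises the permission check (0777 and 0640 on two temporary keys) and would not reveal an over-broad pattern; a pass-scenario companion test that leaves a `.pub` file at its normal mode next to correctly-permissioned keys would, provided the rule's expected mode is stricter than that of the public key.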
--- a/SOURCES/scap-security-guide-0.1.44-update-cpe-dictionary.patch +++ b/SOURCES/scap-security-guide-0.1.44-update-cpe-dictionary.patch @@ -5,6 +5,8 @@ Subject: [PATCH 1/5] Update rhel dictionaries --- rhel6/cpe/rhel6-cpe-dictionary.xml | 35 ++++++++++++++++++++++++++++++ + rhel8/cpe/rhel8-cpe-dictionary.xml | 35 ++++++++++++++++++++++++++++++ + rhv4/cpe/rhv4-cpe-dictionary.xml | 35 ++++++++++++++++++++++++++++++ 3 files changed, 105 insertions(+) diff --git a/rhel6/cpe/rhel6-cpe-dictionary.xml b/rhel6/cpe/rhel6-cpe-dictionary.xml 
@@ -51,3 +53,91 @@ index b5aa6f2b35..7e1f711459 100644 + installed_env_has_yum_package + +diff --git a/rhel8/cpe/rhel8-cpe-dictionary.xml b/rhel8/cpe/rhel8-cpe-dictionary.xml +index 020fe80fbc..990e7f452c 100644 +--- a/rhel8/cpe/rhel8-cpe-dictionary.xml ++++ b/rhel8/cpe/rhel8-cpe-dictionary.xml +@@ -27,4 +27,39 @@ + + installed_env_is_a_machine + ++ ++ Package gdm is installed ++ ++ installed_env_has_gdm_package ++ ++ ++ Package libuser is installed ++ ++ installed_env_has_libuser_package ++ ++ ++ Package nss-pam-ldapd is installed ++ ++ installed_env_has_nss-pam-ldapd_package ++ ++ ++ Package pam is installed ++ ++ installed_env_has_pam_package ++ ++ ++ Package shadow-utils is installed ++ ++ installed_env_has_shadow-utils_package ++ ++ ++ Package systemd is installed ++ ++ installed_env_has_systemd_package ++ ++ ++ Package yum is installed ++ ++ installed_env_has_yum_package ++ + +diff --git a/rhv4/cpe/rhv4-cpe-dictionary.xml b/rhv4/cpe/rhv4-cpe-dictionary.xml +index 22ddb9e5aa..577f8169b8 100644 +--- a/rhv4/cpe/rhv4-cpe-dictionary.xml ++++ b/rhv4/cpe/rhv4-cpe-dictionary.xml +@@ -22,4 +22,39 @@ + + installed_env_is_a_machine + ++ ++ Package gdm is installed ++ ++ installed_env_has_gdm_package ++ ++ ++ Package libuser is installed ++ ++ installed_env_has_libuser_package ++ ++ ++ Package nss-pam-ldapd is installed ++ ++ installed_env_has_nss-pam-ldapd_package ++ ++ ++ Package pam is installed ++ ++ installed_env_has_pam_package ++ ++ ++ Package shadow-utils is installed ++ ++ installed_env_has_shadow-utils_package ++ ++ ++ Package systemd is installed ++ ++ installed_env_has_systemd_package ++ ++ ++ Package yum is installed ++ ++ installed_env_has_yum_package ++ + diff --git a/SOURCES/scap-security-guide-0.1.45-add_rule_dconf_db_up_to_date.patch b/SOURCES/scap-security-guide-0.1.45-add_rule_dconf_db_up_to_date.patch new file mode 100644 index 0000000..29eb02a --- /dev/null +++ b/SOURCES/scap-security-guide-0.1.45-add_rule_dconf_db_up_to_date.patch 
@@ -0,0 +1,1336 @@ +From 89f967ca5598cab539fe66560534207b45ff9734 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= +Date: Thu, 30 May 2019 13:22:30 +0200 +Subject: [PATCH 1/9] Introduced the "DConf System DBs are in sync with + keyfiles" rule. + +--- + fedora/profiles/ospp.profile | 1 + + .../gnome/dconf_db_up_to_date/bash/shared.sh | 3 + + .../gnome/dconf_db_up_to_date/oval/shared.xml | 63 +++++++++++++++++++ + .../gnome/dconf_db_up_to_date/rule.yml | 30 +++++++++ + rhel7/profiles/ospp.profile | 1 + + shared/references/cce-rhel-avail.txt | 2 - + 6 files changed, 98 insertions(+), 2 deletions(-) + create mode 100644 linux_os/guide/system/software/gnome/dconf_db_up_to_date/bash/shared.sh + create mode 100644 linux_os/guide/system/software/gnome/dconf_db_up_to_date/oval/shared.xml + create mode 100644 linux_os/guide/system/software/gnome/dconf_db_up_to_date/rule.yml + +diff --git a/fedora/profiles/ospp.profile b/fedora/profiles/ospp.profile +index b5e8fe097c..92cf738385 100644 +--- a/fedora/profiles/ospp.profile ++++ b/fedora/profiles/ospp.profile +@@ -43,6 +43,7 @@ selections: + - sysctl_kernel_kptr_restrict + - sysctl_kernel_kexec_load_disabled + - sysctl_kernel_dmesg_restrict ++ - dconf_db_up_to_date + - dconf_gnome_screensaver_idle_activation_enabled + - dconf_gnome_screensaver_idle_delay + - dconf_gnome_screensaver_lock_delay +diff --git a/linux_os/guide/system/software/gnome/dconf_db_up_to_date/bash/shared.sh b/linux_os/guide/system/software/gnome/dconf_db_up_to_date/bash/shared.sh +new file mode 100644 +index 0000000000..db06c9f5aa +--- /dev/null ++++ b/linux_os/guide/system/software/gnome/dconf_db_up_to_date/bash/shared.sh +@@ -0,0 +1,3 @@ ++# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol ++ ++dconf update +diff --git a/linux_os/guide/system/software/gnome/dconf_db_up_to_date/oval/shared.xml b/linux_os/guide/system/software/gnome/dconf_db_up_to_date/oval/shared.xml +new file mode 100644 +index 
0000000000..b3b5b0358b +--- /dev/null ++++ b/linux_os/guide/system/software/gnome/dconf_db_up_to_date/oval/shared.xml +@@ -0,0 +1,63 @@ ++ ++ ++ {{% macro check_db_is_up_to_date(db_name) %}} ++ ++ /etc/dconf/db/{{{ db_name }}} ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ /etc/dconf/db/{{{ db_name }}}.d/ ++ .* ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ var_dconf_{{{ db_name }}}_db_modified_time ++ ++ ++ ++ ++ ++ ++ {{% endmacro %}} ++ ++ ++ ++ Configure the GNOME3 GUI Screen locking ++ ++ Red Hat Enterprise Linux 7 ++ Red Hat Enterprise Linux 8 ++ multi_platform_fedora ++ multi_platform_ol ++ ++ The allowed period of inactivity before the screensaver is activated. ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ {{{ check_db_is_up_to_date("local") }}} ++ {{{ check_db_is_up_to_date("gdm") }}} ++ ++ +diff --git a/linux_os/guide/system/software/gnome/dconf_db_up_to_date/rule.yml b/linux_os/guide/system/software/gnome/dconf_db_up_to_date/rule.yml +new file mode 100644 +index 0000000000..3017b789f8 +--- /dev/null ++++ b/linux_os/guide/system/software/gnome/dconf_db_up_to_date/rule.yml +@@ -0,0 +1,30 @@ ++documentation_complete: true ++ ++prodtype: rhel7,rhel8,fedora,ol7,ol8 ++ ++title: 'Make sure that the dconf databases are up-to-date with regards to respective keyfiles' ++ ++description: |- ++ By default, DConf uses a binary database as a data backend. ++ The system-level database is compiled from keyfiles in the /etc/dconf/db/ directory by the
    dconf update
    command. ++ ++rationale: |- ++ Unlike text-based keyfiles, the binary database is impossible to check by OVAL. ++ Therefore, in order to evaluate dconf configuration, both have to be true at the same time - ++ configuration files have to be compliant, and the database needs to be more recent than those keyfiles, ++ which gives confidence that it reflects them. ++ ++severity: high ++ ++identifiers: ++ cce@rhel8: 81003-6 ++ cce@rhel7: 81004-4 ++ ++ocil_clause: 'The system-wide dconf databases are up-to-date with regards to respective keyfiles' ++ ++ocil: |- ++ In order to be sure that the databases are up-to-date, run the ++
    dconf update
    ++ command as the administrator. ++ ++platform: machine +diff --git a/rhel7/profiles/ospp.profile b/rhel7/profiles/ospp.profile +index 36e5d7ee90..d551465f70 100644 +--- a/rhel7/profiles/ospp.profile ++++ b/rhel7/profiles/ospp.profile +@@ -401,6 +401,7 @@ selections: + - network_sniffer_disabled + - network_ipv6_disable_rpc + - network_ipv6_privacy_extensions ++ - dconf_db_up_to_date + - dconf_gnome_banner_enabled + - dconf_gnome_disable_automount + - dconf_gnome_disable_ctrlaltdel_reboot +diff --git a/shared/references/cce-rhel-avail.txt b/shared/references/cce-rhel-avail.txt +index 3cc6d0a916..d6e8161225 100644 +--- a/shared/references/cce-rhel-avail.txt ++++ b/shared/references/cce-rhel-avail.txt +@@ -1,5 +1,3 @@ +-CCE-81003-6 +-CCE-81004-4 + CCE-81005-1 + CCE-81006-9 + CCE-81007-7 + +From 5a857f490e914078b610eb3d05e390861c30eef4 Mon Sep 17 00:00:00 2001 +From: Gabriel Becker +Date: Wed, 29 May 2019 17:31:02 +0200 +Subject: [PATCH 2/9] Add test scenarios for dconf gnome rules. + +--- + .../correct_value.pass.sh | 18 ++++++++++++++++ + .../wrong_value.fail.sh | 18 ++++++++++++++++ + .../correct_value.pass.sh | 21 +++++++++++++++++++ + .../wrong_value.fail.sh | 21 +++++++++++++++++++ + .../correct_value.pass.sh | 18 ++++++++++++++++ + .../wrong_value.fail.sh | 18 ++++++++++++++++ + .../correct_value.pass.sh | 18 ++++++++++++++++ + .../wrong_value.fail.sh | 18 ++++++++++++++++ + .../correct_value.pass.sh | 18 ++++++++++++++++ + .../wrong_value.fail.sh | 18 ++++++++++++++++ + .../correct_value.pass.sh | 18 ++++++++++++++++ + .../wrong_value.fail.sh | 18 ++++++++++++++++ + 12 files changed, 222 insertions(+) + create mode 100644 tests/data/group_system/group_accounts/group_accounts-banners/group_gui_login_banner/rule_dconf_gnome_banner_enabled/correct_value.pass.sh + create mode 100644 tests/data/group_system/group_accounts/group_accounts-banners/group_gui_login_banner/rule_dconf_gnome_banner_enabled/wrong_value.fail.sh + create mode 100644 
tests/data/group_system/group_accounts/group_accounts-banners/group_gui_login_banner/rule_dconf_gnome_login_banner_text/correct_value.pass.sh + create mode 100644 tests/data/group_system/group_accounts/group_accounts-banners/group_gui_login_banner/rule_dconf_gnome_login_banner_text/wrong_value.fail.sh + create mode 100644 tests/data/group_system/group_software/group_gnome/group_gnome_login_screen/rule_dconf_gnome_disable_restart_shutdown/correct_value.pass.sh + create mode 100644 tests/data/group_system/group_software/group_gnome/group_gnome_login_screen/rule_dconf_gnome_disable_restart_shutdown/wrong_value.fail.sh + create mode 100644 tests/data/group_system/group_software/group_gnome/group_gnome_login_screen/rule_dconf_gnome_disable_user_list/correct_value.pass.sh + create mode 100644 tests/data/group_system/group_software/group_gnome/group_gnome_login_screen/rule_dconf_gnome_disable_user_list/wrong_value.fail.sh + create mode 100644 tests/data/group_system/group_software/group_gnome/group_gnome_login_screen/rule_dconf_gnome_enable_smartcard_auth/correct_value.pass.sh + create mode 100644 tests/data/group_system/group_software/group_gnome/group_gnome_login_screen/rule_dconf_gnome_enable_smartcard_auth/wrong_value.fail.sh + create mode 100644 tests/data/group_system/group_software/group_gnome/group_gnome_login_screen/rule_dconf_gnome_login_retries/correct_value.pass.sh + create mode 100644 tests/data/group_system/group_software/group_gnome/group_gnome_login_screen/rule_dconf_gnome_login_retries/wrong_value.fail.sh + +diff --git a/tests/data/group_system/group_accounts/group_accounts-banners/group_gui_login_banner/rule_dconf_gnome_banner_enabled/correct_value.pass.sh b/tests/data/group_system/group_accounts/group_accounts-banners/group_gui_login_banner/rule_dconf_gnome_banner_enabled/correct_value.pass.sh +new file mode 100644 +index 0000000000..d6f11373d0 +--- /dev/null ++++ 
b/tests/data/group_system/group_accounts/group_accounts-banners/group_gui_login_banner/rule_dconf_gnome_banner_enabled/correct_value.pass.sh +@@ -0,0 +1,18 @@ ++#!/bin/bash ++# profiles = xccdf_org.ssgproject.content_profile_ospp ++ ++. ../../../../group_software/group_gnome/dconf_test_functions.sh ++ ++if ! rpm -q dconf; then ++ yum -y install dconf ++fi ++ ++if ! rpm -q gdm; then ++ yum -y install gdm ++fi ++ ++clean_dconf_settings ++add_dconf_setting "org/gnome/login-screen" "banner-message-enable" "true" "gdm.d" "00-security-settings" ++add_dconf_lock "org/gnome/login-screen" "banner-message-enable" "gdm.d" "00-security-settings" ++ ++dconf update +diff --git a/tests/data/group_system/group_accounts/group_accounts-banners/group_gui_login_banner/rule_dconf_gnome_banner_enabled/wrong_value.fail.sh b/tests/data/group_system/group_accounts/group_accounts-banners/group_gui_login_banner/rule_dconf_gnome_banner_enabled/wrong_value.fail.sh +new file mode 100644 +index 0000000000..f1e97fea20 +--- /dev/null ++++ b/tests/data/group_system/group_accounts/group_accounts-banners/group_gui_login_banner/rule_dconf_gnome_banner_enabled/wrong_value.fail.sh +@@ -0,0 +1,18 @@ ++#!/bin/bash ++# profiles = xccdf_org.ssgproject.content_profile_ospp ++ ++. ../../../../group_software/group_gnome/dconf_test_functions.sh ++ ++if ! rpm -q dconf; then ++ yum -y install dconf ++fi ++ ++if ! 
rpm -q gdm; then ++ yum -y install gdm ++fi ++ ++clean_dconf_settings ++add_dconf_setting "org/gnome/login-screen" "banner-message-enable" "false" "gdm.d" "00-security-settings" ++add_dconf_lock "org/gnome/login-screen" "banner-message-enable" "gdm.d" "00-security-settings" ++ ++dconf update +diff --git a/tests/data/group_system/group_accounts/group_accounts-banners/group_gui_login_banner/rule_dconf_gnome_login_banner_text/correct_value.pass.sh b/tests/data/group_system/group_accounts/group_accounts-banners/group_gui_login_banner/rule_dconf_gnome_login_banner_text/correct_value.pass.sh +new file mode 100644 +index 0000000000..e161691aa7 +--- /dev/null ++++ b/tests/data/group_system/group_accounts/group_accounts-banners/group_gui_login_banner/rule_dconf_gnome_login_banner_text/correct_value.pass.sh +@@ -0,0 +1,21 @@ ++#!/bin/bash ++# profiles = xccdf_org.ssgproject.content_profile_ospp ++ ++. ../../../../group_software/group_gnome/dconf_test_functions.sh ++ ++if ! rpm -q dconf; then ++ yum -y install dconf ++fi ++ ++if ! 
rpm -q gdm; then ++ yum -y install gdm ++fi ++ ++login_banner_text="--[\s\n]+WARNING[\s\n]+--[\s\n]*This[\s\n]+system[\s\n]+is[\s\n]+for[\s\n]+the[\s\n]+use[\s\n]+of[\s\n]+authorized[\s\n]+users[\s\n]+only.[\s\n]+Individuals[\s\n]*using[\s\n]+this[\s\n]+computer[\s\n]+system[\s\n]+without[\s\n]+authority[\s\n]+or[\s\n]+in[\s\n]+excess[\s\n]+of[\s\n]+their[\s\n]*authority[\s\n]+are[\s\n]+subject[\s\n]+to[\s\n]+having[\s\n]+all[\s\n]+their[\s\n]+activities[\s\n]+on[\s\n]+this[\s\n]+system[\s\n]*monitored[\s\n]+and[\s\n]+recorded[\s\n]+by[\s\n]+system[\s\n]+personnel.[\s\n]+Anyone[\s\n]+using[\s\n]+this[\s\n]*system[\s\n]+expressly[\s\n]+consents[\s\n]+to[\s\n]+such[\s\n]+monitoring[\s\n]+and[\s\n]+is[\s\n]+advised[\s\n]+that[\s\n]*if[\s\n]+such[\s\n]+monitoring[\s\n]+reveals[\s\n]+possible[\s\n]+evidence[\s\n]+of[\s\n]+criminal[\s\n]+activity[\s\n]*system[\s\n]+personal[\s\n]+may[\s\n]+provide[\s\n]+the[\s\n]+evidence[\s\n]+of[\s\n]+such[\s\n]+monitoring[\s\n]+to[\s\n]+law[\s\n]*enforcement[\s\n]+officials." 
++expanded=$(echo "$login_banner_text" | sed 's/(\\\\\x27)\*/\\\x27/g;s/(\\\x27)\*//g;s/(\\\\\x27)/tamere/g;s/(\^\(.*\)\$|.*$/\1/g;s/\[\\s\\n\][+*]/ /g;s/\\//g;s/(n)\*/\\n/g;s/\x27/\\\x27/g;') ++ ++clean_dconf_settings ++add_dconf_setting "org/gnome/login-screen" "banner-message-text" "'${expanded}''" "gdm.d" "00-security-settings" ++add_dconf_lock "org/gnome/login-screen" "banner-message-text" "gdm.d" "00-security-settings-lock" ++ ++dconf update +diff --git a/tests/data/group_system/group_accounts/group_accounts-banners/group_gui_login_banner/rule_dconf_gnome_login_banner_text/wrong_value.fail.sh b/tests/data/group_system/group_accounts/group_accounts-banners/group_gui_login_banner/rule_dconf_gnome_login_banner_text/wrong_value.fail.sh +new file mode 100644 +index 0000000000..b45c5b193f +--- /dev/null ++++ b/tests/data/group_system/group_accounts/group_accounts-banners/group_gui_login_banner/rule_dconf_gnome_login_banner_text/wrong_value.fail.sh +@@ -0,0 +1,21 @@ ++#!/bin/bash ++# profiles = xccdf_org.ssgproject.content_profile_ospp ++ ++. ../../../../group_software/group_gnome/dconf_test_functions.sh ++ ++if ! rpm -q dconf; then ++ yum -y install dconf ++fi ++ ++if ! 
rpm -q gdm; then ++ yum -y install gdm ++fi ++ ++login_banner_text="Wrong Banner Text" ++expanded=$(echo "$login_banner_text" | sed 's/(\\\\\x27)\*/\\\x27/g;s/(\\\x27)\*//g;s/(\\\\\x27)/tamere/g;s/(\^\(.*\)\$|.*$/\1/g;s/\[\\s\\n\][+*]/ /g;s/\\//g;s/(n)\*/\\n/g;s/\x27/\\\x27/g;') ++ ++clean_dconf_settings ++add_dconf_setting "org/gnome/login-screen" "banner-message-text" "'${expanded}'" "gdm.d" "00-security-settings" ++add_dconf_lock "org/gnome/login-screen" "banner-message-text" "gdm.d" "00-security-settings-lock" ++ ++dconf update +diff --git a/tests/data/group_system/group_software/group_gnome/group_gnome_login_screen/rule_dconf_gnome_disable_restart_shutdown/correct_value.pass.sh b/tests/data/group_system/group_software/group_gnome/group_gnome_login_screen/rule_dconf_gnome_disable_restart_shutdown/correct_value.pass.sh +new file mode 100644 +index 0000000000..a5a207b80a +--- /dev/null ++++ b/tests/data/group_system/group_software/group_gnome/group_gnome_login_screen/rule_dconf_gnome_disable_restart_shutdown/correct_value.pass.sh +@@ -0,0 +1,18 @@ ++#!/bin/bash ++# profiles = xccdf_org.ssgproject.content_profile_ospp ++ ++. ../../dconf_test_functions.sh ++ ++if ! rpm -q dconf; then ++ yum -y install dconf ++fi ++ ++if ! 
rpm -q gdm; then ++ yum -y install gdm ++fi ++ ++clean_dconf_settings ++add_dconf_setting "org/gnome/login-screen" "disable-restart-buttons" "true" "gdm.d" "00-security-settings" ++add_dconf_lock "org/gnome/login-screen" "disable-restart-buttons" "gdm.d" "00-security-settings-lock" ++ ++dconf update +diff --git a/tests/data/group_system/group_software/group_gnome/group_gnome_login_screen/rule_dconf_gnome_disable_restart_shutdown/wrong_value.fail.sh b/tests/data/group_system/group_software/group_gnome/group_gnome_login_screen/rule_dconf_gnome_disable_restart_shutdown/wrong_value.fail.sh +new file mode 100644 +index 0000000000..04d3e9eca2 +--- /dev/null ++++ b/tests/data/group_system/group_software/group_gnome/group_gnome_login_screen/rule_dconf_gnome_disable_restart_shutdown/wrong_value.fail.sh +@@ -0,0 +1,18 @@ ++#!/bin/bash ++# profiles = xccdf_org.ssgproject.content_profile_ospp ++ ++. ../../dconf_test_functions.sh ++ ++if ! rpm -q dconf; then ++ yum -y install dconf ++fi ++ ++if ! rpm -q gdm; then ++ yum -y install gdm ++fi ++ ++clean_dconf_settings ++add_dconf_setting "org/gnome/login-screen" "disable-restart-buttons" "false" "gdm.d" "00-security-settings" ++add_dconf_lock "org/gnome/login-screen" "disable-restart-buttons" "gdm.d" "00-security-settings-lock" ++ ++dconf update +diff --git a/tests/data/group_system/group_software/group_gnome/group_gnome_login_screen/rule_dconf_gnome_disable_user_list/correct_value.pass.sh b/tests/data/group_system/group_software/group_gnome/group_gnome_login_screen/rule_dconf_gnome_disable_user_list/correct_value.pass.sh +new file mode 100644 +index 0000000000..9a3d60d9f6 +--- /dev/null ++++ b/tests/data/group_system/group_software/group_gnome/group_gnome_login_screen/rule_dconf_gnome_disable_user_list/correct_value.pass.sh +@@ -0,0 +1,18 @@ ++#!/bin/bash ++# profiles = xccdf_org.ssgproject.content_profile_ospp ++ ++. ../../dconf_test_functions.sh ++ ++if ! rpm -q dconf; then ++ yum -y install dconf ++fi ++ ++if ! 
rpm -q gdm; then ++ yum -y install gdm ++fi ++ ++clean_dconf_settings ++add_dconf_setting "org/gnome/login-screen" "disable-user-list" "true" "gdm.d" "00-security-settings" ++add_dconf_lock "org/gnome/login-screen" "disable-user-list" "gdm.d" "00-security-settings-lock" ++ ++dconf update +diff --git a/tests/data/group_system/group_software/group_gnome/group_gnome_login_screen/rule_dconf_gnome_disable_user_list/wrong_value.fail.sh b/tests/data/group_system/group_software/group_gnome/group_gnome_login_screen/rule_dconf_gnome_disable_user_list/wrong_value.fail.sh +new file mode 100644 +index 0000000000..11e3cbfa9b +--- /dev/null ++++ b/tests/data/group_system/group_software/group_gnome/group_gnome_login_screen/rule_dconf_gnome_disable_user_list/wrong_value.fail.sh +@@ -0,0 +1,18 @@ ++#!/bin/bash ++# profiles = xccdf_org.ssgproject.content_profile_ospp ++ ++. ../../dconf_test_functions.sh ++ ++if ! rpm -q dconf; then ++ yum -y install dconf ++fi ++ ++if ! rpm -q gdm; then ++ yum -y install gdm ++fi ++ ++clean_dconf_settings ++add_dconf_setting "org/gnome/login-screen" "disable-user-list" "false" "gdm.d" "00-security-settings" ++add_dconf_lock "org/gnome/login-screen" "disable-user-list" "gdm.d" "00-security-settings-lock" ++ ++dconf update +diff --git a/tests/data/group_system/group_software/group_gnome/group_gnome_login_screen/rule_dconf_gnome_enable_smartcard_auth/correct_value.pass.sh b/tests/data/group_system/group_software/group_gnome/group_gnome_login_screen/rule_dconf_gnome_enable_smartcard_auth/correct_value.pass.sh +new file mode 100644 +index 0000000000..58703799f6 +--- /dev/null ++++ b/tests/data/group_system/group_software/group_gnome/group_gnome_login_screen/rule_dconf_gnome_enable_smartcard_auth/correct_value.pass.sh +@@ -0,0 +1,18 @@ ++#!/bin/bash ++# profiles = xccdf_org.ssgproject.content_profile_ospp ++ ++. ../../dconf_test_functions.sh ++ ++if ! rpm -q dconf; then ++ yum -y install dconf ++fi ++ ++if ! 
rpm -q gdm; then ++ yum -y install gdm ++fi ++ ++clean_dconf_settings ++add_dconf_setting "org/gnome/login-screen" "enable-smartcard-authentication" "true" "gdm.d" "00-security-settings" ++add_dconf_lock "org/gnome/login-screen" "enable-smartcard-authentication" "gdm.d" "00-security-settings-lock" ++ ++dconf update +diff --git a/tests/data/group_system/group_software/group_gnome/group_gnome_login_screen/rule_dconf_gnome_enable_smartcard_auth/wrong_value.fail.sh b/tests/data/group_system/group_software/group_gnome/group_gnome_login_screen/rule_dconf_gnome_enable_smartcard_auth/wrong_value.fail.sh +new file mode 100644 +index 0000000000..18f89c182e +--- /dev/null ++++ b/tests/data/group_system/group_software/group_gnome/group_gnome_login_screen/rule_dconf_gnome_enable_smartcard_auth/wrong_value.fail.sh +@@ -0,0 +1,18 @@ ++#!/bin/bash ++# profiles = xccdf_org.ssgproject.content_profile_ospp ++ ++. ../../dconf_test_functions.sh ++ ++if ! rpm -q dconf; then ++ yum -y install dconf ++fi ++ ++if ! rpm -q gdm; then ++ yum -y install gdm ++fi ++ ++clean_dconf_settings ++add_dconf_setting "org/gnome/login-screen" "enable-smartcard-authentication" "false" "gdm.d" "00-security-settings" ++add_dconf_lock "org/gnome/login-screen" "enable-smartcard-authentication" "gdm.d" "00-security-settings-lock" ++ ++dconf update +diff --git a/tests/data/group_system/group_software/group_gnome/group_gnome_login_screen/rule_dconf_gnome_login_retries/correct_value.pass.sh b/tests/data/group_system/group_software/group_gnome/group_gnome_login_screen/rule_dconf_gnome_login_retries/correct_value.pass.sh +new file mode 100644 +index 0000000000..0cc2a80762 +--- /dev/null ++++ b/tests/data/group_system/group_software/group_gnome/group_gnome_login_screen/rule_dconf_gnome_login_retries/correct_value.pass.sh +@@ -0,0 +1,18 @@ ++#!/bin/bash ++# profiles = xccdf_org.ssgproject.content_profile_ospp ++ ++. ../../dconf_test_functions.sh ++ ++if ! rpm -q dconf; then ++ yum -y install dconf ++fi ++ ++if ! 
rpm -q gdm; then ++ yum -y install gdm ++fi ++ ++clean_dconf_settings ++add_dconf_setting "org/gnome/login-screen" "allowed-failures" "3" "gdm.d" "00-security-settings" ++add_dconf_lock "org/gnome/login-screen" "allowed-failures" "gdm.d" "00-security-settings-lock" ++ ++dconf update +diff --git a/tests/data/group_system/group_software/group_gnome/group_gnome_login_screen/rule_dconf_gnome_login_retries/wrong_value.fail.sh b/tests/data/group_system/group_software/group_gnome/group_gnome_login_screen/rule_dconf_gnome_login_retries/wrong_value.fail.sh +new file mode 100644 +index 0000000000..f89a9d74b9 +--- /dev/null ++++ b/tests/data/group_system/group_software/group_gnome/group_gnome_login_screen/rule_dconf_gnome_login_retries/wrong_value.fail.sh +@@ -0,0 +1,18 @@ ++#!/bin/bash ++# profiles = xccdf_org.ssgproject.content_profile_ospp ++ ++. ../../dconf_test_functions.sh ++ ++if ! rpm -q dconf; then ++ yum -y install dconf ++fi ++ ++if ! rpm -q gdm; then ++ yum -y install gdm ++fi ++ ++clean_dconf_settings ++add_dconf_setting "org/gnome/login-screen" "allowed-failures" "99" "gdm.d" "00-security-settings" ++add_dconf_lock "org/gnome/login-screen" "allowed-failures" "gdm.d" "00-security-settings-lock" ++ ++dconf update + +From d2facf408c5f011449539fc3edeaed90a72af04d Mon Sep 17 00:00:00 2001 +From: Gabriel Becker +Date: Thu, 30 May 2019 15:39:36 +0200 +Subject: [PATCH 3/9] Add test scenarios for dconf_db_up_to_date. 
+ +--- + .../group_gnome/dconf_test_functions.sh | 7 ++++- + .../db_not_up_to_date.fail.sh | 26 +++++++++++++++++++ + .../db_up_to_date.pass.sh | 21 +++++++++++++++ + .../no_db_files.fail.sh | 23 ++++++++++++++++ + 4 files changed, 76 insertions(+), 1 deletion(-) + create mode 100644 tests/data/group_system/group_software/group_gnome/rule_dconf_db_up_to_date/db_not_up_to_date.fail.sh + create mode 100644 tests/data/group_system/group_software/group_gnome/rule_dconf_db_up_to_date/db_up_to_date.pass.sh + create mode 100644 tests/data/group_system/group_software/group_gnome/rule_dconf_db_up_to_date/no_db_files.fail.sh + +diff --git a/tests/data/group_system/group_software/group_gnome/dconf_test_functions.sh b/tests/data/group_system/group_software/group_gnome/dconf_test_functions.sh +index 07940ea272..d975ea0715 100644 +--- a/tests/data/group_system/group_software/group_gnome/dconf_test_functions.sh ++++ b/tests/data/group_system/group_software/group_gnome/dconf_test_functions.sh +@@ -4,6 +4,11 @@ clean_dconf_settings(){ + rm -rf /etc/dconf/db/* + } + ++# Wipes out dconf db files ++remove_dconf_databases(){ ++ rm -f /etc/dconf/db/* ++} ++ + # Adds a new dconf setting + # $1 _path + # $2 _setting +@@ -12,7 +17,7 @@ clean_dconf_settings(){ + # $5 _settingFile + add_dconf_setting() { + local _path=$1 _setting=$2 _value=$3 _db=$4 _settingFile=$5 +- mkdir /etc/dconf/db/${_db} ++ mkdir -p /etc/dconf/db/${_db} || true + echo "[${_path}]" > /etc/dconf/db/${_db}/${_settingFile} + echo "${_setting}=${_value}" >> /etc/dconf/db/${_db}/${_settingFile} + } +diff --git a/tests/data/group_system/group_software/group_gnome/rule_dconf_db_up_to_date/db_not_up_to_date.fail.sh b/tests/data/group_system/group_software/group_gnome/rule_dconf_db_up_to_date/db_not_up_to_date.fail.sh +new file mode 100644 +index 0000000000..bb8b1d42ff +--- /dev/null ++++ b/tests/data/group_system/group_software/group_gnome/rule_dconf_db_up_to_date/db_not_up_to_date.fail.sh +@@ -0,0 +1,26 @@ ++#!/bin/bash ++# 
profiles = xccdf_org.ssgproject.content_profile_ospp ++ ++. ../dconf_test_functions.sh ++ ++if ! rpm -q dconf; then ++ yum -y install dconf ++fi ++ ++if ! rpm -q gdm; then ++ yum -y install gdm ++fi ++ ++clean_dconf_settings ++add_dconf_setting "org/gnome/login-screen" "banner-message-enabled" "true" "gdm.d" "00-security-settings" ++add_dconf_lock "org/gnome/login-screen" "banner-message-enable" "gdm.d" "00-security-settings-lock" ++ ++add_dconf_setting "org/gnome/login-screen" "banner-message-enabled" "true" "local.d" "00-security-settings" ++add_dconf_lock "org/gnome/login-screen" "banner-message-enable" "local.d" "00-security-settings-lock" ++ ++dconf update ++ ++sleep 3 ++ ++# make static files newer than the database ++add_dconf_setting "org/gnome/login-screen" "banner-message-enabled" "true" "gdm.d" "00-security-settings" +diff --git a/tests/data/group_system/group_software/group_gnome/rule_dconf_db_up_to_date/db_up_to_date.pass.sh b/tests/data/group_system/group_software/group_gnome/rule_dconf_db_up_to_date/db_up_to_date.pass.sh +new file mode 100644 +index 0000000000..66ed76e4fa +--- /dev/null ++++ b/tests/data/group_system/group_software/group_gnome/rule_dconf_db_up_to_date/db_up_to_date.pass.sh +@@ -0,0 +1,21 @@ ++#!/bin/bash ++# profiles = xccdf_org.ssgproject.content_profile_ospp ++ ++. ../dconf_test_functions.sh ++ ++if ! rpm -q dconf; then ++ yum -y install dconf ++fi ++ ++if ! 
rpm -q gdm; then ++ yum -y install gdm ++fi ++ ++clean_dconf_settings ++add_dconf_setting "org/gnome/login-screen" "banner-message-enabled" "true" "gdm.d" "00-security-settings" ++add_dconf_lock "org/gnome/login-screen" "banner-message-enable" "gdm.d" "00-security-settings-lock" ++ ++add_dconf_setting "org/gnome/login-screen" "banner-message-enabled" "true" "local.d" "00-security-settings" ++add_dconf_lock "org/gnome/login-screen" "banner-message-enable" "local.d" "00-security-settings-lock" ++ ++dconf update +diff --git a/tests/data/group_system/group_software/group_gnome/rule_dconf_db_up_to_date/no_db_files.fail.sh b/tests/data/group_system/group_software/group_gnome/rule_dconf_db_up_to_date/no_db_files.fail.sh +new file mode 100644 +index 0000000000..a7bc04efac +--- /dev/null ++++ b/tests/data/group_system/group_software/group_gnome/rule_dconf_db_up_to_date/no_db_files.fail.sh +@@ -0,0 +1,23 @@ ++#!/bin/bash ++# profiles = xccdf_org.ssgproject.content_profile_ospp ++ ++. ../dconf_test_functions.sh ++ ++if ! rpm -q dconf; then ++ yum -y install dconf ++fi ++ ++if ! rpm -q gdm; then ++ yum -y install gdm ++fi ++ ++# remove all database files ++remove_dconf_databases ++ ++sleep 3 ++ ++add_dconf_setting "org/gnome/login-screen" "banner-message-enabled" "true" "gdm.d" "00-security-settings" ++add_dconf_lock "org/gnome/login-screen" "banner-message-enable" "gdm.d" "00-security-settings-lock" ++ ++add_dconf_setting "org/gnome/login-screen" "banner-message-enabled" "true" "local.d" "00-security-settings" ++add_dconf_lock "org/gnome/login-screen" "banner-message-enable" "local.d" "00-security-settings-lock" + +From d57e981a45e88a9e28b621ed5d9cbf64c17f3592 Mon Sep 17 00:00:00 2001 +From: Gabriel Becker +Date: Thu, 30 May 2019 16:45:35 +0200 +Subject: [PATCH 4/9] Add dconf_db_up_to_date to profiles which use gnome + config. 
+ +--- + fedora/profiles/pci-dss.profile | 1 + + ol7/profiles/pci-dss.profile | 1 + + ol7/profiles/stig-ol7-disa.profile | 1 + + ol8/profiles/ospp.profile | 1 + + ol8/profiles/pci-dss.profile | 1 + + rhel7/profiles/C2S.profile | 1 + + rhel7/profiles/hipaa.profile | 1 + + rhel7/profiles/ospp42.profile | 1 + + rhel7/profiles/pci-dss.profile | 1 + + rhel7/profiles/stig-rhel7-disa.profile | 1 + + rhel8/profiles/cjis.profile | 1 + + rhel8/profiles/hipaa.profile | 1 + + rhel8/profiles/ospp.profile | 1 + + rhel8/profiles/pci-dss.profile | 1 + + 14 files changed, 14 insertions(+) + +diff --git a/fedora/profiles/pci-dss.profile b/fedora/profiles/pci-dss.profile +index 5e47534e81..dea9efe685 100644 +--- a/fedora/profiles/pci-dss.profile ++++ b/fedora/profiles/pci-dss.profile +@@ -98,6 +98,7 @@ selections: + - account_disable_post_pw_expiration + - accounts_passwords_pam_faillock_deny + - accounts_passwords_pam_faillock_unlock_time ++ - dconf_db_up_to_date + - dconf_gnome_screensaver_idle_delay + - dconf_gnome_screensaver_idle_activation_enabled + - dconf_gnome_screensaver_lock_enabled +diff --git a/ol7/profiles/pci-dss.profile b/ol7/profiles/pci-dss.profile +index 1648129066..01fcda6031 100644 +--- a/ol7/profiles/pci-dss.profile ++++ b/ol7/profiles/pci-dss.profile +@@ -121,6 +121,7 @@ selections: + - accounts_passwords_pam_faillock_deny + - accounts_passwords_pam_faillock_unlock_time + - account_unique_name ++ - dconf_db_up_to_date + - dconf_gnome_screensaver_idle_activation_enabled + - dconf_gnome_screensaver_idle_delay + - dconf_gnome_screensaver_lock_enabled +diff --git a/ol7/profiles/stig-ol7-disa.profile b/ol7/profiles/stig-ol7-disa.profile +index f9d2f4c900..9ae23a41be 100644 +--- a/ol7/profiles/stig-ol7-disa.profile ++++ b/ol7/profiles/stig-ol7-disa.profile +@@ -109,6 +109,7 @@ selections: + - audit_rules_usergroup_modification_opasswd + - audit_rules_usergroup_modification_passwd + - audit_rules_usergroup_modification_shadow ++ - dconf_db_up_to_date + - 
dconf_gnome_screensaver_idle_activation_enabled + - dconf_gnome_screensaver_idle_activation_locked + - dconf_gnome_screensaver_idle_delay +diff --git a/ol8/profiles/ospp.profile b/ol8/profiles/ospp.profile +index 5c13575f72..8506713cc1 100644 +--- a/ol8/profiles/ospp.profile ++++ b/ol8/profiles/ospp.profile +@@ -42,6 +42,7 @@ selections: + - sysctl_kernel_kptr_restrict + - sysctl_kernel_kexec_load_disabled + - sysctl_kernel_dmesg_restrict ++ - dconf_db_up_to_date + - dconf_gnome_screensaver_idle_activation_enabled + - dconf_gnome_screensaver_idle_delay + - dconf_gnome_screensaver_lock_delay +diff --git a/ol8/profiles/pci-dss.profile b/ol8/profiles/pci-dss.profile +index 6920cf9b7d..237757c523 100644 +--- a/ol8/profiles/pci-dss.profile ++++ b/ol8/profiles/pci-dss.profile +@@ -126,6 +126,7 @@ selections: + - accounts_passwords_pam_faillock_deny + - accounts_passwords_pam_faillock_unlock_time + - account_unique_name ++ - dconf_db_up_to_date + - dconf_gnome_screensaver_idle_activation_enabled + - dconf_gnome_screensaver_idle_delay + - dconf_gnome_screensaver_lock_enabled +diff --git a/rhel7/profiles/C2S.profile b/rhel7/profiles/C2S.profile +index 65805957af..031b0247df 100644 +--- a/rhel7/profiles/C2S.profile ++++ b/rhel7/profiles/C2S.profile +@@ -70,6 +70,7 @@ selections: + - selinux_confinement_of_daemons + - banner_etc_issue + - login_banner_text=usgcb_default ++ - dconf_db_up_to_date + - dconf_gnome_login_banner_text + - dconf_gnome_banner_enabled + - security_patches_up_to_date +diff --git a/rhel7/profiles/hipaa.profile b/rhel7/profiles/hipaa.profile +index 76fb4a8269..a58f625309 100644 +--- a/rhel7/profiles/hipaa.profile ++++ b/rhel7/profiles/hipaa.profile +@@ -28,6 +28,7 @@ selections: + - service_debug-shell_disabled + - disable_ctrlaltdel_reboot + - disable_ctrlaltdel_burstaction ++ - dconf_db_up_to_date + - dconf_gnome_remote_access_credential_prompt + - dconf_gnome_remote_access_encryption + - sshd_disable_empty_passwords +diff --git 
a/rhel7/profiles/ospp42.profile b/rhel7/profiles/ospp42.profile +index de4827afaf..3f59466477 100644 +--- a/rhel7/profiles/ospp42.profile ++++ b/rhel7/profiles/ospp42.profile +@@ -42,6 +42,7 @@ selections: + - sysctl_kernel_kptr_restrict + - sysctl_kernel_kexec_load_disabled + - sysctl_kernel_dmesg_restrict ++ - dconf_db_up_to_date + - dconf_gnome_screensaver_idle_activation_enabled + - dconf_gnome_screensaver_idle_delay + - dconf_gnome_screensaver_lock_delay +diff --git a/rhel7/profiles/pci-dss.profile b/rhel7/profiles/pci-dss.profile +index b4e4786ce9..0d9a51c42b 100644 +--- a/rhel7/profiles/pci-dss.profile ++++ b/rhel7/profiles/pci-dss.profile +@@ -79,6 +79,7 @@ selections: + - account_disable_post_pw_expiration + - accounts_passwords_pam_faillock_deny + - accounts_passwords_pam_faillock_unlock_time ++ - dconf_db_up_to_date + - dconf_gnome_screensaver_idle_delay + - dconf_gnome_screensaver_idle_activation_enabled + - dconf_gnome_screensaver_lock_enabled +diff --git a/rhel7/profiles/stig-rhel7-disa.profile b/rhel7/profiles/stig-rhel7-disa.profile +index 4edae36b0c..1d558f0068 100644 +--- a/rhel7/profiles/stig-rhel7-disa.profile ++++ b/rhel7/profiles/stig-rhel7-disa.profile +@@ -57,6 +57,7 @@ selections: + - rpm_verify_permissions + - rpm_verify_ownership + - rpm_verify_hashes ++ - dconf_db_up_to_date + - dconf_gnome_banner_enabled + - dconf_gnome_login_banner_text + - banner_etc_issue +diff --git a/rhel8/profiles/cjis.profile b/rhel8/profiles/cjis.profile +index ec225d89a4..8d173d257f 100644 +--- a/rhel8/profiles/cjis.profile ++++ b/rhel8/profiles/cjis.profile +@@ -86,6 +86,7 @@ selections: + - var_password_pam_retry=5 + - var_accounts_passwords_pam_faillock_deny=5 + - var_accounts_passwords_pam_faillock_unlock_time=600 ++ - dconf_db_up_to_date + - dconf_gnome_screensaver_idle_delay + - dconf_gnome_screensaver_idle_activation_enabled + - dconf_gnome_screensaver_lock_enabled +diff --git a/rhel8/profiles/hipaa.profile b/rhel8/profiles/hipaa.profile +index 
d44960d84c..3debc739fc 100644 +--- a/rhel8/profiles/hipaa.profile ++++ b/rhel8/profiles/hipaa.profile +@@ -28,6 +28,7 @@ selections: + - service_debug-shell_disabled + - disable_ctrlaltdel_reboot + - disable_ctrlaltdel_burstaction ++ - dconf_db_up_to_date + - dconf_gnome_remote_access_credential_prompt + - dconf_gnome_remote_access_encryption + - sshd_disable_empty_passwords +diff --git a/rhel8/profiles/ospp.profile b/rhel8/profiles/ospp.profile +index f9f7cd04dc..c5a7ee5ed5 100644 +--- a/rhel8/profiles/ospp.profile ++++ b/rhel8/profiles/ospp.profile +@@ -219,6 +219,7 @@ selections: + ### FMT_MOF_EXT.1 / AC-11(a) + ### Enable Screen Lock + - package_tmux_installed ++ - dconf_db_up_to_date + - dconf_gnome_screensaver_idle_activation_enabled + - dconf_gnome_screensaver_idle_delay + - dconf_gnome_screensaver_lock_delay +diff --git a/rhel8/profiles/pci-dss.profile b/rhel8/profiles/pci-dss.profile +index bdca65b4fa..89abad1338 100644 +--- a/rhel8/profiles/pci-dss.profile ++++ b/rhel8/profiles/pci-dss.profile +@@ -98,6 +98,7 @@ selections: + - account_disable_post_pw_expiration + - accounts_passwords_pam_faillock_deny + - accounts_passwords_pam_faillock_unlock_time ++ - dconf_db_up_to_date + - dconf_gnome_screensaver_idle_delay + - dconf_gnome_screensaver_idle_activation_enabled + - dconf_gnome_screensaver_lock_enabled + +From 42cb1e23c1c39dd19d99628d133fae60b06f078c Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= +Date: Thu, 30 May 2019 17:26:11 +0200 +Subject: [PATCH 5/9] Added an OVAL customization for Fedora + (dconf_db_up_to_date). 
+ +--- + .../gnome/dconf_db_up_to_date/oval/shared.xml | 16 ++++++++++++---- + 1 file changed, 12 insertions(+), 4 deletions(-) + +diff --git a/linux_os/guide/system/software/gnome/dconf_db_up_to_date/oval/shared.xml b/linux_os/guide/system/software/gnome/dconf_db_up_to_date/oval/shared.xml +index b3b5b0358b..6b34446487 100644 +--- a/linux_os/guide/system/software/gnome/dconf_db_up_to_date/oval/shared.xml ++++ b/linux_os/guide/system/software/gnome/dconf_db_up_to_date/oval/shared.xml +@@ -37,6 +37,10 @@ + + {{% endmacro %}} + ++ {{% macro check_db_criterion(db_name) %}} ++ ++ {{% endmacro %}} ++ + + + Configure the GNOME3 GUI Screen locking +@@ -50,14 +54,18 @@ + + + +- +- +- ++ ++ {{% if product != 'fedora' %}} ++ {{{ check_db_criterion("gdm") }}} ++ {{% endif %}} ++ {{{ check_db_criterion("local") }}} + + + + ++ {{% if product != 'fedora' %}} ++ {{{ check_db_is_up_to_date("gdm") }}} ++ {{% endif %}} + {{{ check_db_is_up_to_date("local") }}} +- {{{ check_db_is_up_to_date("gdm") }}} + + + +From 758e239c798620038216c554a05cba9bd95a93c1 Mon Sep 17 00:00:00 2001 +From: Gabriel Becker +Date: Thu, 30 May 2019 17:37:36 +0200 +Subject: [PATCH 6/9] Create helper function to install gdm and dconf to be + used within test scenarios. + +Fix test scenario when dconf db is not up to date. 
+--- + .../correct_value.pass.sh | 8 +------- + .../wrong_value.fail.sh | 8 +------- + .../correct_value.pass.sh | 8 +------- + .../wrong_value.fail.sh | 8 +------- + .../group_gnome/dconf_test_functions.sh | 11 +++++++++++ + .../correct_value.pass.sh | 8 +------- + .../wrong_value.fail.sh | 8 +------- + .../correct_value.pass.sh | 8 +------- + .../wrong_value.fail.sh | 8 +------- + .../correct_value.pass.sh | 8 +------- + .../wrong_value.fail.sh | 8 +------- + .../correct_value.pass.sh | 8 +------- + .../wrong_value.fail.sh | 8 +------- + .../db_not_up_to_date.fail.sh | 14 +++++--------- + .../rule_dconf_db_up_to_date/db_up_to_date.pass.sh | 8 +------- + .../rule_dconf_db_up_to_date/no_db_files.fail.sh | 11 +++-------- + 16 files changed, 32 insertions(+), 108 deletions(-) + +diff --git a/tests/data/group_system/group_accounts/group_accounts-banners/group_gui_login_banner/rule_dconf_gnome_banner_enabled/correct_value.pass.sh b/tests/data/group_system/group_accounts/group_accounts-banners/group_gui_login_banner/rule_dconf_gnome_banner_enabled/correct_value.pass.sh +index d6f11373d0..285c9474d4 100644 +--- a/tests/data/group_system/group_accounts/group_accounts-banners/group_gui_login_banner/rule_dconf_gnome_banner_enabled/correct_value.pass.sh ++++ b/tests/data/group_system/group_accounts/group_accounts-banners/group_gui_login_banner/rule_dconf_gnome_banner_enabled/correct_value.pass.sh +@@ -3,13 +3,7 @@ + + . ../../../../group_software/group_gnome/dconf_test_functions.sh + +-if ! rpm -q dconf; then +- yum -y install dconf +-fi +- +-if ! 
rpm -q gdm; then +- yum -y install gdm +-fi ++install_dconf_and_gdm_if_needed + + clean_dconf_settings + add_dconf_setting "org/gnome/login-screen" "banner-message-enable" "true" "gdm.d" "00-security-settings" +diff --git a/tests/data/group_system/group_accounts/group_accounts-banners/group_gui_login_banner/rule_dconf_gnome_banner_enabled/wrong_value.fail.sh b/tests/data/group_system/group_accounts/group_accounts-banners/group_gui_login_banner/rule_dconf_gnome_banner_enabled/wrong_value.fail.sh +index f1e97fea20..9408a5c3bb 100644 +--- a/tests/data/group_system/group_accounts/group_accounts-banners/group_gui_login_banner/rule_dconf_gnome_banner_enabled/wrong_value.fail.sh ++++ b/tests/data/group_system/group_accounts/group_accounts-banners/group_gui_login_banner/rule_dconf_gnome_banner_enabled/wrong_value.fail.sh +@@ -3,13 +3,7 @@ + + . ../../../../group_software/group_gnome/dconf_test_functions.sh + +-if ! rpm -q dconf; then +- yum -y install dconf +-fi +- +-if ! rpm -q gdm; then +- yum -y install gdm +-fi ++install_dconf_and_gdm_if_needed + + clean_dconf_settings + add_dconf_setting "org/gnome/login-screen" "banner-message-enable" "false" "gdm.d" "00-security-settings" +diff --git a/tests/data/group_system/group_accounts/group_accounts-banners/group_gui_login_banner/rule_dconf_gnome_login_banner_text/correct_value.pass.sh b/tests/data/group_system/group_accounts/group_accounts-banners/group_gui_login_banner/rule_dconf_gnome_login_banner_text/correct_value.pass.sh +index e161691aa7..c39f919959 100644 +--- a/tests/data/group_system/group_accounts/group_accounts-banners/group_gui_login_banner/rule_dconf_gnome_login_banner_text/correct_value.pass.sh ++++ b/tests/data/group_system/group_accounts/group_accounts-banners/group_gui_login_banner/rule_dconf_gnome_login_banner_text/correct_value.pass.sh +@@ -3,13 +3,7 @@ + + . ../../../../group_software/group_gnome/dconf_test_functions.sh + +-if ! rpm -q dconf; then +- yum -y install dconf +-fi +- +-if ! 
rpm -q gdm; then +- yum -y install gdm +-fi ++install_dconf_and_gdm_if_needed + + login_banner_text="--[\s\n]+WARNING[\s\n]+--[\s\n]*This[\s\n]+system[\s\n]+is[\s\n]+for[\s\n]+the[\s\n]+use[\s\n]+of[\s\n]+authorized[\s\n]+users[\s\n]+only.[\s\n]+Individuals[\s\n]*using[\s\n]+this[\s\n]+computer[\s\n]+system[\s\n]+without[\s\n]+authority[\s\n]+or[\s\n]+in[\s\n]+excess[\s\n]+of[\s\n]+their[\s\n]*authority[\s\n]+are[\s\n]+subject[\s\n]+to[\s\n]+having[\s\n]+all[\s\n]+their[\s\n]+activities[\s\n]+on[\s\n]+this[\s\n]+system[\s\n]*monitored[\s\n]+and[\s\n]+recorded[\s\n]+by[\s\n]+system[\s\n]+personnel.[\s\n]+Anyone[\s\n]+using[\s\n]+this[\s\n]*system[\s\n]+expressly[\s\n]+consents[\s\n]+to[\s\n]+such[\s\n]+monitoring[\s\n]+and[\s\n]+is[\s\n]+advised[\s\n]+that[\s\n]*if[\s\n]+such[\s\n]+monitoring[\s\n]+reveals[\s\n]+possible[\s\n]+evidence[\s\n]+of[\s\n]+criminal[\s\n]+activity[\s\n]*system[\s\n]+personal[\s\n]+may[\s\n]+provide[\s\n]+the[\s\n]+evidence[\s\n]+of[\s\n]+such[\s\n]+monitoring[\s\n]+to[\s\n]+law[\s\n]*enforcement[\s\n]+officials." + expanded=$(echo "$login_banner_text" | sed 's/(\\\\\x27)\*/\\\x27/g;s/(\\\x27)\*//g;s/(\\\\\x27)/tamere/g;s/(\^\(.*\)\$|.*$/\1/g;s/\[\\s\\n\][+*]/ /g;s/\\//g;s/(n)\*/\\n/g;s/\x27/\\\x27/g;') +diff --git a/tests/data/group_system/group_accounts/group_accounts-banners/group_gui_login_banner/rule_dconf_gnome_login_banner_text/wrong_value.fail.sh b/tests/data/group_system/group_accounts/group_accounts-banners/group_gui_login_banner/rule_dconf_gnome_login_banner_text/wrong_value.fail.sh +index b45c5b193f..b9e7fc8661 100644 +--- a/tests/data/group_system/group_accounts/group_accounts-banners/group_gui_login_banner/rule_dconf_gnome_login_banner_text/wrong_value.fail.sh ++++ b/tests/data/group_system/group_accounts/group_accounts-banners/group_gui_login_banner/rule_dconf_gnome_login_banner_text/wrong_value.fail.sh +@@ -3,13 +3,7 @@ + + . ../../../../group_software/group_gnome/dconf_test_functions.sh + +-if ! 
rpm -q dconf; then +- yum -y install dconf +-fi +- +-if ! rpm -q gdm; then +- yum -y install gdm +-fi ++install_dconf_and_gdm_if_needed + + login_banner_text="Wrong Banner Text" + expanded=$(echo "$login_banner_text" | sed 's/(\\\\\x27)\*/\\\x27/g;s/(\\\x27)\*//g;s/(\\\\\x27)/tamere/g;s/(\^\(.*\)\$|.*$/\1/g;s/\[\\s\\n\][+*]/ /g;s/\\//g;s/(n)\*/\\n/g;s/\x27/\\\x27/g;') +diff --git a/tests/data/group_system/group_software/group_gnome/dconf_test_functions.sh b/tests/data/group_system/group_software/group_gnome/dconf_test_functions.sh +index d975ea0715..a218f1f8e7 100644 +--- a/tests/data/group_system/group_software/group_gnome/dconf_test_functions.sh ++++ b/tests/data/group_system/group_software/group_gnome/dconf_test_functions.sh +@@ -1,4 +1,15 @@ + ++# Check if gdm and dconf are installed, if not then install them ++install_dconf_and_gdm_if_needed(){ ++ if ! rpm -q dconf; then ++ yum -y install dconf ++ fi ++ ++ if ! rpm -q gdm; then ++ yum -y install gdm ++ fi ++} ++ + # Wipes out dconf db settings directory + clean_dconf_settings(){ + rm -rf /etc/dconf/db/* +diff --git a/tests/data/group_system/group_software/group_gnome/group_gnome_login_screen/rule_dconf_gnome_disable_restart_shutdown/correct_value.pass.sh b/tests/data/group_system/group_software/group_gnome/group_gnome_login_screen/rule_dconf_gnome_disable_restart_shutdown/correct_value.pass.sh +index a5a207b80a..9aea0b74cf 100644 +--- a/tests/data/group_system/group_software/group_gnome/group_gnome_login_screen/rule_dconf_gnome_disable_restart_shutdown/correct_value.pass.sh ++++ b/tests/data/group_system/group_software/group_gnome/group_gnome_login_screen/rule_dconf_gnome_disable_restart_shutdown/correct_value.pass.sh +@@ -3,13 +3,7 @@ + + . ../../dconf_test_functions.sh + +-if ! rpm -q dconf; then +- yum -y install dconf +-fi +- +-if ! 
rpm -q gdm; then +- yum -y install gdm +-fi ++install_dconf_and_gdm_if_needed + + clean_dconf_settings + add_dconf_setting "org/gnome/login-screen" "disable-restart-buttons" "true" "gdm.d" "00-security-settings" +diff --git a/tests/data/group_system/group_software/group_gnome/group_gnome_login_screen/rule_dconf_gnome_disable_restart_shutdown/wrong_value.fail.sh b/tests/data/group_system/group_software/group_gnome/group_gnome_login_screen/rule_dconf_gnome_disable_restart_shutdown/wrong_value.fail.sh +index 04d3e9eca2..d8c571fc0a 100644 +--- a/tests/data/group_system/group_software/group_gnome/group_gnome_login_screen/rule_dconf_gnome_disable_restart_shutdown/wrong_value.fail.sh ++++ b/tests/data/group_system/group_software/group_gnome/group_gnome_login_screen/rule_dconf_gnome_disable_restart_shutdown/wrong_value.fail.sh +@@ -3,13 +3,7 @@ + + . ../../dconf_test_functions.sh + +-if ! rpm -q dconf; then +- yum -y install dconf +-fi +- +-if ! rpm -q gdm; then +- yum -y install gdm +-fi ++install_dconf_and_gdm_if_needed + + clean_dconf_settings + add_dconf_setting "org/gnome/login-screen" "disable-restart-buttons" "false" "gdm.d" "00-security-settings" +diff --git a/tests/data/group_system/group_software/group_gnome/group_gnome_login_screen/rule_dconf_gnome_disable_user_list/correct_value.pass.sh b/tests/data/group_system/group_software/group_gnome/group_gnome_login_screen/rule_dconf_gnome_disable_user_list/correct_value.pass.sh +index 9a3d60d9f6..776f9e7c23 100644 +--- a/tests/data/group_system/group_software/group_gnome/group_gnome_login_screen/rule_dconf_gnome_disable_user_list/correct_value.pass.sh ++++ b/tests/data/group_system/group_software/group_gnome/group_gnome_login_screen/rule_dconf_gnome_disable_user_list/correct_value.pass.sh +@@ -3,13 +3,7 @@ + + . ../../dconf_test_functions.sh + +-if ! rpm -q dconf; then +- yum -y install dconf +-fi +- +-if ! 
rpm -q gdm; then +- yum -y install gdm +-fi ++install_dconf_and_gdm_if_needed + + clean_dconf_settings + add_dconf_setting "org/gnome/login-screen" "disable-user-list" "true" "gdm.d" "00-security-settings" +diff --git a/tests/data/group_system/group_software/group_gnome/group_gnome_login_screen/rule_dconf_gnome_disable_user_list/wrong_value.fail.sh b/tests/data/group_system/group_software/group_gnome/group_gnome_login_screen/rule_dconf_gnome_disable_user_list/wrong_value.fail.sh +index 11e3cbfa9b..571bd75f22 100644 +--- a/tests/data/group_system/group_software/group_gnome/group_gnome_login_screen/rule_dconf_gnome_disable_user_list/wrong_value.fail.sh ++++ b/tests/data/group_system/group_software/group_gnome/group_gnome_login_screen/rule_dconf_gnome_disable_user_list/wrong_value.fail.sh +@@ -3,13 +3,7 @@ + + . ../../dconf_test_functions.sh + +-if ! rpm -q dconf; then +- yum -y install dconf +-fi +- +-if ! rpm -q gdm; then +- yum -y install gdm +-fi ++install_dconf_and_gdm_if_needed + + clean_dconf_settings + add_dconf_setting "org/gnome/login-screen" "disable-user-list" "false" "gdm.d" "00-security-settings" +diff --git a/tests/data/group_system/group_software/group_gnome/group_gnome_login_screen/rule_dconf_gnome_enable_smartcard_auth/correct_value.pass.sh b/tests/data/group_system/group_software/group_gnome/group_gnome_login_screen/rule_dconf_gnome_enable_smartcard_auth/correct_value.pass.sh +index 58703799f6..13562cfa1d 100644 +--- a/tests/data/group_system/group_software/group_gnome/group_gnome_login_screen/rule_dconf_gnome_enable_smartcard_auth/correct_value.pass.sh ++++ b/tests/data/group_system/group_software/group_gnome/group_gnome_login_screen/rule_dconf_gnome_enable_smartcard_auth/correct_value.pass.sh +@@ -3,13 +3,7 @@ + + . ../../dconf_test_functions.sh + +-if ! rpm -q dconf; then +- yum -y install dconf +-fi +- +-if ! 
rpm -q gdm; then +- yum -y install gdm +-fi ++install_dconf_and_gdm_if_needed + + clean_dconf_settings + add_dconf_setting "org/gnome/login-screen" "enable-smartcard-authentication" "true" "gdm.d" "00-security-settings" +diff --git a/tests/data/group_system/group_software/group_gnome/group_gnome_login_screen/rule_dconf_gnome_enable_smartcard_auth/wrong_value.fail.sh b/tests/data/group_system/group_software/group_gnome/group_gnome_login_screen/rule_dconf_gnome_enable_smartcard_auth/wrong_value.fail.sh +index 18f89c182e..666ce2c21c 100644 +--- a/tests/data/group_system/group_software/group_gnome/group_gnome_login_screen/rule_dconf_gnome_enable_smartcard_auth/wrong_value.fail.sh ++++ b/tests/data/group_system/group_software/group_gnome/group_gnome_login_screen/rule_dconf_gnome_enable_smartcard_auth/wrong_value.fail.sh +@@ -3,13 +3,7 @@ + + . ../../dconf_test_functions.sh + +-if ! rpm -q dconf; then +- yum -y install dconf +-fi +- +-if ! rpm -q gdm; then +- yum -y install gdm +-fi ++install_dconf_and_gdm_if_needed + + clean_dconf_settings + add_dconf_setting "org/gnome/login-screen" "enable-smartcard-authentication" "false" "gdm.d" "00-security-settings" +diff --git a/tests/data/group_system/group_software/group_gnome/group_gnome_login_screen/rule_dconf_gnome_login_retries/correct_value.pass.sh b/tests/data/group_system/group_software/group_gnome/group_gnome_login_screen/rule_dconf_gnome_login_retries/correct_value.pass.sh +index 0cc2a80762..59d005967a 100644 +--- a/tests/data/group_system/group_software/group_gnome/group_gnome_login_screen/rule_dconf_gnome_login_retries/correct_value.pass.sh ++++ b/tests/data/group_system/group_software/group_gnome/group_gnome_login_screen/rule_dconf_gnome_login_retries/correct_value.pass.sh +@@ -3,13 +3,7 @@ + + . ../../dconf_test_functions.sh + +-if ! rpm -q dconf; then +- yum -y install dconf +-fi +- +-if ! 
rpm -q gdm; then +- yum -y install gdm +-fi ++install_dconf_and_gdm_if_needed + + clean_dconf_settings + add_dconf_setting "org/gnome/login-screen" "allowed-failures" "3" "gdm.d" "00-security-settings" +diff --git a/tests/data/group_system/group_software/group_gnome/group_gnome_login_screen/rule_dconf_gnome_login_retries/wrong_value.fail.sh b/tests/data/group_system/group_software/group_gnome/group_gnome_login_screen/rule_dconf_gnome_login_retries/wrong_value.fail.sh +index f89a9d74b9..c6d31f5b8a 100644 +--- a/tests/data/group_system/group_software/group_gnome/group_gnome_login_screen/rule_dconf_gnome_login_retries/wrong_value.fail.sh ++++ b/tests/data/group_system/group_software/group_gnome/group_gnome_login_screen/rule_dconf_gnome_login_retries/wrong_value.fail.sh +@@ -3,13 +3,7 @@ + + . ../../dconf_test_functions.sh + +-if ! rpm -q dconf; then +- yum -y install dconf +-fi +- +-if ! rpm -q gdm; then +- yum -y install gdm +-fi ++install_dconf_and_gdm_if_needed + + clean_dconf_settings + add_dconf_setting "org/gnome/login-screen" "allowed-failures" "99" "gdm.d" "00-security-settings" +diff --git a/tests/data/group_system/group_software/group_gnome/rule_dconf_db_up_to_date/db_not_up_to_date.fail.sh b/tests/data/group_system/group_software/group_gnome/rule_dconf_db_up_to_date/db_not_up_to_date.fail.sh +index bb8b1d42ff..db6e7138aa 100644 +--- a/tests/data/group_system/group_software/group_gnome/rule_dconf_db_up_to_date/db_not_up_to_date.fail.sh ++++ b/tests/data/group_system/group_software/group_gnome/rule_dconf_db_up_to_date/db_not_up_to_date.fail.sh +@@ -3,13 +3,7 @@ + + . ../dconf_test_functions.sh + +-if ! rpm -q dconf; then +- yum -y install dconf +-fi +- +-if ! 
rpm -q gdm; then +- yum -y install gdm +-fi ++install_dconf_and_gdm_if_needed + + clean_dconf_settings + add_dconf_setting "org/gnome/login-screen" "banner-message-enabled" "true" "gdm.d" "00-security-settings" +@@ -20,7 +14,9 @@ add_dconf_lock "org/gnome/login-screen" "banner-message-enable" "local.d" "00-se + + dconf update + +-sleep 3 ++# ensure that the modification happens a reasonable amount of time after running dconf update ++sleep 5 + +-# make static files newer than the database ++# make static keyfiles newer than the database + add_dconf_setting "org/gnome/login-screen" "banner-message-enabled" "true" "gdm.d" "00-security-settings" ++add_dconf_setting "org/gnome/login-screen" "banner-message-enabled" "true" "local.d" "00-security-settings" +diff --git a/tests/data/group_system/group_software/group_gnome/rule_dconf_db_up_to_date/db_up_to_date.pass.sh b/tests/data/group_system/group_software/group_gnome/rule_dconf_db_up_to_date/db_up_to_date.pass.sh +index 66ed76e4fa..5a6c2f0a43 100644 +--- a/tests/data/group_system/group_software/group_gnome/rule_dconf_db_up_to_date/db_up_to_date.pass.sh ++++ b/tests/data/group_system/group_software/group_gnome/rule_dconf_db_up_to_date/db_up_to_date.pass.sh +@@ -3,13 +3,7 @@ + + . ../dconf_test_functions.sh + +-if ! rpm -q dconf; then +- yum -y install dconf +-fi +- +-if ! 
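Review bot: The fail scenario still relies on wall-clock ordering: the bumped `sleep 5` followed by a rewrite of the keyfiles only yields a newer mtime than the compiled database if the filesystem's timestamp granularity and the host clock cooperate, so this case can still flake on coarse-timestamp filesystems or when the database write is delayed. Forcing the mtime forward is deterministic and removes the need for the sleep, e.g. `touch -m -d "@$(( $(date +%s) + 60 ))" /etc/dconf/db/gdm.d/* /etc/dconf/db/local.d/*` after the two `add_dconf_setting` calls (the exact keyfile paths are produced by `add_dconf_setting`, which is defined outside this hunk, so adjust the globs accordingly). Separately, both added `add_dconf_setting` lines use the key `banner-message-enabled` while the `add_dconf_lock` in the hunk header context locks `banner-message-enable`, the spelling the banner scenarios earlier in this series use; the up-to-date check does not depend on the key name, but the trailing `d` looks like a typo worth aligning so the fixture resembles a real configuration.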
rpm -q gdm; then +- yum -y install gdm +-fi ++install_dconf_and_gdm_if_needed + + clean_dconf_settings + add_dconf_setting "org/gnome/login-screen" "banner-message-enabled" "true" "gdm.d" "00-security-settings" +diff --git a/tests/data/group_system/group_software/group_gnome/rule_dconf_db_up_to_date/no_db_files.fail.sh b/tests/data/group_system/group_software/group_gnome/rule_dconf_db_up_to_date/no_db_files.fail.sh +index a7bc04efac..3fdbed905e 100644 +--- a/tests/data/group_system/group_software/group_gnome/rule_dconf_db_up_to_date/no_db_files.fail.sh ++++ b/tests/data/group_system/group_software/group_gnome/rule_dconf_db_up_to_date/no_db_files.fail.sh +@@ -3,18 +3,13 @@ + + . ../dconf_test_functions.sh + +-if ! rpm -q dconf; then +- yum -y install dconf +-fi +- +-if ! rpm -q gdm; then +- yum -y install gdm +-fi ++install_dconf_and_gdm_if_needed + + # remove all database files + remove_dconf_databases + +-sleep 3 ++# ensure that the modification happens a reasonable amount of time after running dconf update ++sleep 5 + + add_dconf_setting "org/gnome/login-screen" "banner-message-enabled" "true" "gdm.d" "00-security-settings" + add_dconf_lock "org/gnome/login-screen" "banner-message-enable" "gdm.d" "00-security-settings-lock" + +From 68e3f056a723ceb170fd81105d354e390e3ea00a Mon Sep 17 00:00:00 2001 +From: Gabriel Becker +Date: Fri, 31 May 2019 10:06:03 +0200 +Subject: [PATCH 7/9] Update dconf_db_up_to_date OVAL metadata. 
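Review bot: The new comment `# ensure that the modification happens a reasonable amount of time after running dconf update` was copied from the sibling scenario and does not describe this script, which never runs `dconf update`; the only thing preceding the sleep here is `remove_dconf_databases`. If the delay is still needed, the comment should state what the keyfile mtimes are being separated from, e.g. `# keep the keyfile mtimes clearly later than anything left behind by remove_dconf_databases`; if nothing remains to compare against once the database files are gone, the `sleep 5` can simply be dropped. `remove_dconf_databases` is defined outside this hunk, so whether it leaves any file the check could compare timestamps against is an assumption to confirm before removing the sleep.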
+ +--- + .../system/software/gnome/dconf_db_up_to_date/oval/shared.xml | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/linux_os/guide/system/software/gnome/dconf_db_up_to_date/oval/shared.xml b/linux_os/guide/system/software/gnome/dconf_db_up_to_date/oval/shared.xml +index 6b34446487..499bb4db60 100644 +--- a/linux_os/guide/system/software/gnome/dconf_db_up_to_date/oval/shared.xml ++++ b/linux_os/guide/system/software/gnome/dconf_db_up_to_date/oval/shared.xml +@@ -43,14 +43,14 @@ + + + +- Configure the GNOME3 GUI Screen locking ++ The dconf databases are up-to-date. + + Red Hat Enterprise Linux 7 + Red Hat Enterprise Linux 8 + multi_platform_fedora + multi_platform_ol + +- The allowed period of inactivity before the screensaver is activated. ++ Make sure that the dconf databases are up-to-date with regards to respective keyfiles. + + + + +From f86c4b314cc7d4d3922cf424a77674f9332eced9 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= +Date: Fri, 31 May 2019 15:59:11 +0200 +Subject: [PATCH 8/9] Made the gdm.d keyfile tree relevant only for RHEL7. 
+ +--- + .../system/software/gnome/dconf_db_up_to_date/oval/shared.xml | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/linux_os/guide/system/software/gnome/dconf_db_up_to_date/oval/shared.xml b/linux_os/guide/system/software/gnome/dconf_db_up_to_date/oval/shared.xml +index 499bb4db60..bc31a6cb7e 100644 +--- a/linux_os/guide/system/software/gnome/dconf_db_up_to_date/oval/shared.xml ++++ b/linux_os/guide/system/software/gnome/dconf_db_up_to_date/oval/shared.xml +@@ -55,7 +55,7 @@ + + + +- {{% if product != 'fedora' %}} ++ {{% if product == 'rhel7' %}} + {{{ check_db_criterion("gdm") }}} + {{% endif %}} + {{{ check_db_criterion("local") }}} +@@ -63,7 +63,7 @@ + + + +- {{% if product != 'fedora' %}} ++ {{% if product == 'rhel7' %}} + {{{ check_db_is_up_to_date("gdm") }}} + {{% endif %}} + {{{ check_db_is_up_to_date("local") }}} + +From 64a53ece4ffea9f9d4017955433a251493649175 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= +Date: Mon, 3 Jun 2019 14:39:09 +0200 +Subject: [PATCH 9/9] Added support for missing keyfiles. 
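Review bot: Narrowing the gdm.d branch from `product != 'fedora'` to `product == 'rhel7'` silently drops the gdm database check for every other product this OVAL is built for — the metadata updated in the previous commit lists RHEL 8 and multi_platform_ol alongside RHEL 7 and Fedora — and the commit message gives no reason beyond "relevant only for RHEL7". If the reason is that newer GDM no longer reads `/etc/dconf/db/gdm.d`, that belongs in a Jinja comment next to the condition; if the intent is "RHEL 7 and its rebuilds", an OL7 build (assuming one is produced from this content, which is inferred from the ol8 profiles touched earlier in the series rather than shown here) would now skip a check it previously ran, and `{{% if product in ['rhel7', 'ol7'] %}}` would preserve it. Either way the same condition appears twice in this file, so a one-line comment on the first occurrence explaining the product restriction would keep the two from drifting.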
+ +--- + .../gnome/dconf_db_up_to_date/oval/shared.xml | 12 +++++++++--- + .../rule_dconf_db_up_to_date/no_keyfiles.pass.sh | 8 ++++++++ + 2 files changed, 17 insertions(+), 3 deletions(-) + create mode 100644 tests/data/group_system/group_software/group_gnome/rule_dconf_db_up_to_date/no_keyfiles.pass.sh + +diff --git a/linux_os/guide/system/software/gnome/dconf_db_up_to_date/oval/shared.xml b/linux_os/guide/system/software/gnome/dconf_db_up_to_date/oval/shared.xml +index bc31a6cb7e..f073268762 100644 +--- a/linux_os/guide/system/software/gnome/dconf_db_up_to_date/oval/shared.xml ++++ b/linux_os/guide/system/software/gnome/dconf_db_up_to_date/oval/shared.xml +@@ -12,8 +12,7 @@ + + + +- /etc/dconf/db/{{{ db_name }}}.d/ +- .* ++ ^/etc/dconf/db/{{{ db_name }}}.d/.* + + + +@@ -35,10 +34,17 @@ + + + ++ ++ ++ ++ + {{% endmacro %}} + + {{% macro check_db_criterion(db_name) %}} +- ++ ++ ++ ++ + {{% endmacro %}} + + +diff --git a/tests/data/group_system/group_software/group_gnome/rule_dconf_db_up_to_date/no_keyfiles.pass.sh b/tests/data/group_system/group_software/group_gnome/rule_dconf_db_up_to_date/no_keyfiles.pass.sh +new file mode 100644 +index 0000000000..06945575f1 +--- /dev/null ++++ b/tests/data/group_system/group_software/group_gnome/rule_dconf_db_up_to_date/no_keyfiles.pass.sh +@@ -0,0 +1,8 @@ ++#!/bin/bash ++# profiles = xccdf_org.ssgproject.content_profile_ospp ++ ++. ../dconf_test_functions.sh ++ ++install_dconf_and_gdm_if_needed ++ ++clean_dconf_settings diff --git a/SOURCES/scap-security-guide-0.1.45-aide_not_applicable_to_containers.patch b/SOURCES/scap-security-guide-0.1.45-aide_not_applicable_to_containers.patch new file mode 100644 index 0000000..e25c6e9 --- /dev/null +++ b/SOURCES/scap-security-guide-0.1.45-aide_not_applicable_to_containers.patch 
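Review bot: The merged filepath pattern `^/etc/dconf/db/{{{ db_name }}}.d/.*` leaves the dot before `d` unescaped, so, assuming this is an OVAL `filepath` evaluated with `operation="pattern match"` (the element tags are stripped in this rendering), it also matches `/etc/dconf/db/localXd/...` for any single character `X`; write it as `^/etc/dconf/db/{{{ db_name }}}\.d/.*`. Depending on the recursion settings of the object (not visible here), the single anchored pattern may now also pick up files under `locks/`, which the former separate `path`/`filename` pair may not have; treating lock files as keyfiles is arguably right because `dconf update` compiles them too, but it is a behaviour change the subject ("support for missing keyfiles") does not mention and deserves a comment on that line. The new `no_keyfiles.pass.sh` calls `clean_dconf_settings`, which removes the databases as well as the keyfiles, so it exercises "nothing present at all" rather than "database present, no keyfiles"; a second scenario that runs `dconf update` before clearing the keyfile directories would cover the case the commit title actually describes.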
@@ -0,0 +1,31 @@ +From 6418fbbce4050ec84836b4fa6855a2699d86a6ac Mon Sep 17 00:00:00 2001 +From: Marek Haicman +Date: Mon, 20 May 2019 12:54:15 +0200 +Subject: [PATCH] AIDE rules not applicable to containers + +AIDE is tool to assess changes in the system. As containers have this capability by definition, there is no need have AIDE to duplicate it. +--- + .../aide/aide_periodic_cron_checking/rule.yml | 2 -- + .../system/software/integrity/software-integrity/aide/group.yml | 2 ++ + 2 files changed, 2 insertions(+), 2 deletions(-) + +diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_periodic_cron_checking/rule.yml b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_periodic_cron_checking/rule.yml +index 7fc8d96b04..68ea7937bd 100644 +--- a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_periodic_cron_checking/rule.yml ++++ b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_periodic_cron_checking/rule.yml +@@ -63,5 +63,3 @@ ocil: |- +
    05 4 * * * root /usr/sbin/aide --check
    + + NOTE: The usage of special cron times, such as @daily or @weekly, is acceptable. +- +-platform: machine +diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/group.yml b/linux_os/guide/system/software/integrity/software-integrity/aide/group.yml +index 69d2f0fb56..faa2458657 100644 +--- a/linux_os/guide/system/software/integrity/software-integrity/aide/group.yml ++++ b/linux_os/guide/system/software/integrity/software-integrity/aide/group.yml +@@ -8,3 +8,5 @@ description: |- + created immediately after initial system configuration, and then again after any + software update. AIDE is highly configurable, with further configuration + information located in /usr/share/doc/aide-VERSION. ++ ++platform: machine diff --git a/SOURCES/scap-security-guide-0.1.45-fix_ansible_sssd_ssh_known_hosts_timeout.patch b/SOURCES/scap-security-guide-0.1.45-fix_ansible_sssd_ssh_known_hosts_timeout.patch new file mode 100644 index 0000000..6845269 --- /dev/null +++ b/SOURCES/scap-security-guide-0.1.45-fix_ansible_sssd_ssh_known_hosts_timeout.patch 
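Review bot: `platform: machine` is added to `aide/group.yml` with no comment, so the reason every rule under the AIDE group is now skipped in containers lives only in this commit message. A short comment above the key, e.g. `# Not applicable to containers: file changes are tracked by the image/runtime layer diff`, keeps the rationale with the content where the next editor will see it. The commit message states the capability "by definition"; that holds for changes relative to the image, not for detecting tampering within a running container's writable layer by a compromised process, so the wording might be hedged to avoid readers assuming AIDE-style integrity monitoring is covered. Removing `platform: machine` from `aide_periodic_cron_checking/rule.yml` assumes the group-level platform is inherited by every rule in the group; that inheritance is not shown here and should be confirmed in the build output.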
@@ -0,0 +1,32 @@
+From 25af71b8262a2a320652feb2d47235f81f2aa213 Mon Sep 17 00:00:00 2001
+From: Gabriel Becker
+Date: Tue, 21 May 2019 17:15:21 +0200
+Subject: [PATCH] Use right variable for ansible remediation in
+ sssd_ssh_known_hosts_timeout rule.
+
+---
+ .../sssd/sssd_ssh_known_hosts_timeout/ansible/shared.yml | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/linux_os/guide/services/sssd/sssd_ssh_known_hosts_timeout/ansible/shared.yml b/linux_os/guide/services/sssd/sssd_ssh_known_hosts_timeout/ansible/shared.yml
+index d7f246e..92bdf8f 100644
+--- a/linux_os/guide/services/sssd/sssd_ssh_known_hosts_timeout/ansible/shared.yml
++++ b/linux_os/guide/services/sssd/sssd_ssh_known_hosts_timeout/ansible/shared.yml
+@@ -3,7 +3,7 @@
+ # strategy = unknown
+ # complexity = low
+ # disruption = medium
+-- (xccdf-var sshd_idle_timeout_value)
++- (xccdf-var var_sssd_ssh_known_hosts_timeout)
+
+ - name: "Test for domain group"
+ shell: grep '\s*\[domain\/[^]]*]' /etc/sssd/sssd.conf
+@@ -34,7 +34,7 @@
+ dest: /etc/sssd/sssd.conf
+ section: ssh
+ option: ssh_known_hosts_timeout
+- value: "{{ sshd_idle_timeout_value }}"
++ value: "{{ var_sssd_ssh_known_hosts_timeout }}"
+ create: yes
+ mode: 0600
+ tags:
diff --git a/SOURCES/scap-security-guide-0.1.45-fix_dconf_remediation.patch b/SOURCES/scap-security-guide-0.1.45-fix_dconf_remediation.patch
new file mode 100644
index 0000000..7fbeb08
--- /dev/null
+++ b/SOURCES/scap-security-guide-0.1.45-fix_dconf_remediation.patch
@@ -0,0 +1,22 @@
+From 8ea989799f6d69c4a80ca8e4bf0d08177e916571 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?=
+Date: Wed, 12 Jun 2019 15:48:39 +0200
+Subject: [PATCH] Call dconf update in all dconf-related shared remediation
+ functions.
+
+---
+ shared/bash_remediation_functions/include_dconf_settings.sh | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/shared/bash_remediation_functions/include_dconf_settings.sh b/shared/bash_remediation_functions/include_dconf_settings.sh
+index 02f9877e97..9cfce467f8 100644
+--- a/shared/bash_remediation_functions/include_dconf_settings.sh
++++ b/shared/bash_remediation_functions/include_dconf_settings.sh
+@@ -70,5 +70,7 @@ function dconf_lock {
+ then
+ echo "/${_key}/${_setting}" >> "/etc/dconf/db/${_db}/locks/${_lockFile}"
+ fi
++
++ dconf update
+ }
+
diff --git a/SOURCES/scap-security-guide-0.1.45-fix_rule_sssd_ssh_known_hosts_timeout.patch b/SOURCES/scap-security-guide-0.1.45-fix_rule_sssd_ssh_known_hosts_timeout.patch
new file mode 100644
index 0000000..87112fd
--- /dev/null
+++ b/SOURCES/scap-security-guide-0.1.45-fix_rule_sssd_ssh_known_hosts_timeout.patch
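Review bot: The subject says `dconf update` is now called in all dconf-related shared functions, but the only hunk touches `dconf_lock`; if the sibling settings-writing function in `include_dconf_settings.sh` does not already call it the fix is incomplete, and if it does the title overstates the change — the rest of the file is outside this hunk, so this needs confirming. Inside `dconf_lock` the new call is unconditional and its exit status is discarded, which is consistent with the surrounding best-effort remediation style, but a one-line comment such as `# recompile the binary databases so the new lock takes effect without a re-login` would explain why the call sits after the lock-file write. `dconf_lock` itself begins before this hunk.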
@@ -0,0 +1,377 @@ +From 15488aa8ae05def7d6e967170e550b3f764204e4 Mon Sep 17 00:00:00 2001 +From: Gabriel Becker +Date: Thu, 16 May 2019 17:38:17 +0200 +Subject: [PATCH 1/4] Add bash remediation, fix oval and add test scenarios for + sssd_ssh_known_hosts_timeout. + +--- + .../bash/shared.sh | 23 +++++++++++++++++++ + .../oval/shared.xml | 2 +- + .../sssd_ssh_known_hosts_timeout/rule.yml | 2 +- + .../comment.fail.sh | 12 ++++++++++ + .../correct_value.pass.sh | 12 ++++++++++ + .../wrong_section.fail.sh | 12 ++++++++++ + .../wrong_value.fail.sh | 15 ++++++++++++ + 7 files changed, 76 insertions(+), 2 deletions(-) + create mode 100644 linux_os/guide/services/sssd/sssd_ssh_known_hosts_timeout/bash/shared.sh + create mode 100644 tests/data/group_services/group_sssd/rule_sssd_ssh_known_hosts_timeout/comment.fail.sh + create mode 100644 tests/data/group_services/group_sssd/rule_sssd_ssh_known_hosts_timeout/correct_value.pass.sh + create mode 100644 tests/data/group_services/group_sssd/rule_sssd_ssh_known_hosts_timeout/wrong_section.fail.sh + create mode 100644 tests/data/group_services/group_sssd/rule_sssd_ssh_known_hosts_timeout/wrong_value.fail.sh + +diff --git a/linux_os/guide/services/sssd/sssd_ssh_known_hosts_timeout/bash/shared.sh b/linux_os/guide/services/sssd/sssd_ssh_known_hosts_timeout/bash/shared.sh +new file mode 100644 +index 0000000000..33ebf544e3 +--- /dev/null ++++ b/linux_os/guide/services/sssd/sssd_ssh_known_hosts_timeout/bash/shared.sh +@@ -0,0 +1,23 @@ ++# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol ++ ++# Include source function library. ++. 
/usr/share/scap-security-guide/remediation_functions ++ ++populate var_sssd_ssh_known_hosts_timeout ++ ++SSSD_CONF="/etc/sssd/sssd.conf" ++SSH_KNOWN_HOSTS_TIMEOUT_REGEX="[[:space:]]*\[ssh]([^\n\[]*\n+)+?[[:space:]]*ssh_known_hosts_timeout" ++SSH_REGEX="[[:space:]]*\[ssh]" ++ ++# Try find [ssh] and ssh_known_hosts_timeout in sssd.conf, if it exists, set to ++# var_sssd_ssh_known_hosts_timeout, if it isn't here, add it, if [ssh] doesn't ++# exist, add it there ++if grep -qzosP $SSH_KNOWN_HOSTS_TIMEOUT_REGEX $SSSD_CONF; then ++ sed -i "s/ssh_known_hosts_timeout[^(\n)]*/ssh_known_hosts_timeout = $var_sssd_ssh_known_hosts_timeout/" $SSSD_CONF ++elif grep -qs $SSH_REGEX $SSSD_CONF; then ++ sed -i "/$SSH_REGEX/a ssh_known_hosts_timeout = $var_sssd_ssh_known_hosts_timeout" $SSSD_CONF ++else ++ mkdir -p /etc/sssd ++ touch $SSSD_CONF ++ echo -e "[ssh]\nssh_known_hosts_timeout = $var_sssd_ssh_known_hosts_timeout" >> $SSSD_CONF ++fi +diff --git a/linux_os/guide/services/sssd/sssd_ssh_known_hosts_timeout/oval/shared.xml b/linux_os/guide/services/sssd/sssd_ssh_known_hosts_timeout/oval/shared.xml +index 5bfdeee99e..d98934d294 100644 +--- a/linux_os/guide/services/sssd/sssd_ssh_known_hosts_timeout/oval/shared.xml ++++ b/linux_os/guide/services/sssd/sssd_ssh_known_hosts_timeout/oval/shared.xml +@@ -27,7 +27,7 @@ +
    + + /etc/sssd/sssd.conf +- ^\[ssh]([^\n]*\n+)+?ssh_known_hosts_timeout[\s]+=[\s]+(\d+)$ ++ ^[\s]*\[ssh](?:[^\n\[]*\n+)+?[\s]*ssh_known_hosts_timeout[\s]*=[\s]*(\d+)$ + 1 + + +diff --git a/linux_os/guide/services/sssd/sssd_ssh_known_hosts_timeout/rule.yml b/linux_os/guide/services/sssd/sssd_ssh_known_hosts_timeout/rule.yml +index ada49bd662..d041029264 100644 +--- a/linux_os/guide/services/sssd/sssd_ssh_known_hosts_timeout/rule.yml ++++ b/linux_os/guide/services/sssd/sssd_ssh_known_hosts_timeout/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: rhel6,rhel7,rhel8 ++prodtype: rhel6,rhel7,rhel8,fedora,rhv4 + + title: 'Configure SSSD to Expire SSH Known Hosts' + +diff --git a/tests/data/group_services/group_sssd/rule_sssd_ssh_known_hosts_timeout/comment.fail.sh b/tests/data/group_services/group_sssd/rule_sssd_ssh_known_hosts_timeout/comment.fail.sh +new file mode 100644 +index 0000000000..5092f147c6 +--- /dev/null ++++ b/tests/data/group_services/group_sssd/rule_sssd_ssh_known_hosts_timeout/comment.fail.sh +@@ -0,0 +1,12 @@ ++#!/bin/bash ++ ++# profiles = xccdf_org.ssgproject.content_profile_ospp ++ ++SSSD_CONF="/etc/sssd/sssd.conf" ++TIMEOUT="180" ++ ++dnf -y install sssd ++systemctl enable sssd ++mkdir -p /etc/sssd ++touch $SSSD_CONF ++echo -e "[ssh]\n#ssh_known_hosts_timeout = $TIMEOUT" >> $SSSD_CONF +diff --git a/tests/data/group_services/group_sssd/rule_sssd_ssh_known_hosts_timeout/correct_value.pass.sh b/tests/data/group_services/group_sssd/rule_sssd_ssh_known_hosts_timeout/correct_value.pass.sh +new file mode 100644 +index 0000000000..84a93b955f +--- /dev/null ++++ b/tests/data/group_services/group_sssd/rule_sssd_ssh_known_hosts_timeout/correct_value.pass.sh +@@ -0,0 +1,12 @@ ++#!/bin/bash ++ ++# profiles = xccdf_org.ssgproject.content_profile_ospp ++ ++SSSD_CONF="/etc/sssd/sssd.conf" ++TIMEOUT="180" ++ ++dnf -y install sssd ++systemctl enable sssd ++mkdir -p /etc/sssd ++touch $SSSD_CONF ++echo -e "[ssh]\nssh_known_hosts_timeout = 
$TIMEOUT" >> $SSSD_CONF +diff --git a/tests/data/group_services/group_sssd/rule_sssd_ssh_known_hosts_timeout/wrong_section.fail.sh b/tests/data/group_services/group_sssd/rule_sssd_ssh_known_hosts_timeout/wrong_section.fail.sh +new file mode 100644 +index 0000000000..da720151dc +--- /dev/null ++++ b/tests/data/group_services/group_sssd/rule_sssd_ssh_known_hosts_timeout/wrong_section.fail.sh +@@ -0,0 +1,12 @@ ++#!/bin/bash ++ ++# profiles = xccdf_org.ssgproject.content_profile_ospp ++ ++SSSD_CONF="/etc/sssd/sssd.conf" ++TIMEOUT="180" ++ ++dnf -y install sssd ++systemctl enable sssd ++mkdir -p /etc/sssd ++touch $SSSD_CONF ++echo -e "[ssh]\nsomething = wrong\n[pam]\nssh_known_hosts_timeout = $TIMEOUT" >> $SSSD_CONF +diff --git a/tests/data/group_services/group_sssd/rule_sssd_ssh_known_hosts_timeout/wrong_value.fail.sh b/tests/data/group_services/group_sssd/rule_sssd_ssh_known_hosts_timeout/wrong_value.fail.sh +new file mode 100644 +index 0000000000..fcba0e0019 +--- /dev/null ++++ b/tests/data/group_services/group_sssd/rule_sssd_ssh_known_hosts_timeout/wrong_value.fail.sh +@@ -0,0 +1,15 @@ ++#!/bin/bash ++ ++# profiles = xccdf_org.ssgproject.content_profile_ospp ++ ++SSSD_CONF="/etc/sssd/sssd.conf" ++ ++# The rule sssd_memcache_timeout requires memcache_timeout = 86400 ++# Let's put there a different value to fail ++TIMEOUT="99999" ++ ++dnf -y install sssd ++systemctl enable sssd ++mkdir -p /etc/sssd ++touch $SSSD_CONF ++echo -e "[ssh]\nssh_known_hosts_timeout = $TIMEOUT" >> $SSSD_CONF + +From 4737fa82aaed8ad9f305b9900c992f80d37b3fb6 Mon Sep 17 00:00:00 2001 +From: Gabriel Becker +Date: Fri, 17 May 2019 13:55:23 +0200 +Subject: [PATCH 2/4] Change values in timeout test scenarios so it has better + accuracy in test results. 
+ +--- + .../group_sssd/rule_sssd_memcache_timeout/comment.fail.sh | 2 +- + .../rule_sssd_memcache_timeout/correct_value.pass.sh | 4 +++- + .../rule_sssd_memcache_timeout/wrong_section.fail.sh | 2 +- + .../group_sssd/rule_sssd_memcache_timeout/wrong_value.fail.sh | 4 ++-- + .../rule_sssd_ssh_known_hosts_timeout/correct_value.pass.sh | 2 ++ + 5 files changed, 9 insertions(+), 5 deletions(-) + +diff --git a/tests/data/group_services/group_sssd/rule_sssd_memcache_timeout/comment.fail.sh b/tests/data/group_services/group_sssd/rule_sssd_memcache_timeout/comment.fail.sh +index 8d68ec3a05..d4f2cd99aa 100644 +--- a/tests/data/group_services/group_sssd/rule_sssd_memcache_timeout/comment.fail.sh ++++ b/tests/data/group_services/group_sssd/rule_sssd_memcache_timeout/comment.fail.sh +@@ -3,7 +3,7 @@ + # profiles = xccdf_org.ssgproject.content_profile_ospp + + SSSD_CONF="/etc/sssd/sssd.conf" +-TIMEOUT="86400" ++TIMEOUT="180" + + dnf -y install sssd + systemctl enable sssd +diff --git a/tests/data/group_services/group_sssd/rule_sssd_memcache_timeout/correct_value.pass.sh b/tests/data/group_services/group_sssd/rule_sssd_memcache_timeout/correct_value.pass.sh +index 7320a79564..25c6593a7f 100644 +--- a/tests/data/group_services/group_sssd/rule_sssd_memcache_timeout/correct_value.pass.sh ++++ b/tests/data/group_services/group_sssd/rule_sssd_memcache_timeout/correct_value.pass.sh +@@ -3,7 +3,9 @@ + # profiles = xccdf_org.ssgproject.content_profile_ospp + + SSSD_CONF="/etc/sssd/sssd.conf" +-TIMEOUT="86400" ++# The smallest variable value for sssd_memcache_timeout is 180 so ++# this should pass for every product which contains ospp profile ++TIMEOUT="180" + + dnf -y install sssd + systemctl enable sssd +diff --git a/tests/data/group_services/group_sssd/rule_sssd_memcache_timeout/wrong_section.fail.sh b/tests/data/group_services/group_sssd/rule_sssd_memcache_timeout/wrong_section.fail.sh +index b3326721e4..7b78532d92 100644 +--- 
a/tests/data/group_services/group_sssd/rule_sssd_memcache_timeout/wrong_section.fail.sh ++++ b/tests/data/group_services/group_sssd/rule_sssd_memcache_timeout/wrong_section.fail.sh +@@ -3,7 +3,7 @@ + # profiles = xccdf_org.ssgproject.content_profile_ospp + + SSSD_CONF="/etc/sssd/sssd.conf" +-TIMEOUT="86400" ++TIMEOUT="180" + + dnf -y install sssd + systemctl enable sssd +diff --git a/tests/data/group_services/group_sssd/rule_sssd_memcache_timeout/wrong_value.fail.sh b/tests/data/group_services/group_sssd/rule_sssd_memcache_timeout/wrong_value.fail.sh +index 1e378ef034..a5ac22077e 100644 +--- a/tests/data/group_services/group_sssd/rule_sssd_memcache_timeout/wrong_value.fail.sh ++++ b/tests/data/group_services/group_sssd/rule_sssd_memcache_timeout/wrong_value.fail.sh +@@ -4,8 +4,8 @@ + + SSSD_CONF="/etc/sssd/sssd.conf" + +-# The rule sssd_memcache_timeout requires memcache_timeout = 86400 +-# Let's put there a different value to fail ++# The highest variable value for sssd_memcache_timeout is 86400 so ++# Let's put there a higher value to fail + TIMEOUT="99999" + + dnf -y install sssd +diff --git a/tests/data/group_services/group_sssd/rule_sssd_ssh_known_hosts_timeout/correct_value.pass.sh b/tests/data/group_services/group_sssd/rule_sssd_ssh_known_hosts_timeout/correct_value.pass.sh +index 84a93b955f..cb0462d9a7 100644 +--- a/tests/data/group_services/group_sssd/rule_sssd_ssh_known_hosts_timeout/correct_value.pass.sh ++++ b/tests/data/group_services/group_sssd/rule_sssd_ssh_known_hosts_timeout/correct_value.pass.sh +@@ -3,6 +3,8 @@ + # profiles = xccdf_org.ssgproject.content_profile_ospp + + SSSD_CONF="/etc/sssd/sssd.conf" ++# The smallest variable value for sssd_memcache_timeout is 180 so ++# this should pass for every product which contains ospp profile + TIMEOUT="180" + + dnf -y install sssd + +From f5ca4d6be1eeac477be9ba8c3e5764c33d17ffe9 Mon Sep 17 00:00:00 2001 +From: Gabriel Becker +Date: Fri, 17 May 2019 14:30:34 +0200 +Subject: [PATCH 3/4] Use yum to install 
packages in test scenarios. + +--- + .../group_sssd/rule_sssd_memcache_timeout/comment.fail.sh | 2 +- + .../group_sssd/rule_sssd_memcache_timeout/correct_value.pass.sh | 2 +- + .../group_sssd/rule_sssd_memcache_timeout/wrong_section.fail.sh | 2 +- + .../group_sssd/rule_sssd_memcache_timeout/wrong_value.fail.sh | 2 +- + .../rule_sssd_ssh_known_hosts_timeout/comment.fail.sh | 2 +- + .../rule_sssd_ssh_known_hosts_timeout/correct_value.pass.sh | 2 +- + .../rule_sssd_ssh_known_hosts_timeout/wrong_section.fail.sh | 2 +- + .../rule_sssd_ssh_known_hosts_timeout/wrong_value.fail.sh | 2 +- + 8 files changed, 8 insertions(+), 8 deletions(-) + +diff --git a/tests/data/group_services/group_sssd/rule_sssd_memcache_timeout/comment.fail.sh b/tests/data/group_services/group_sssd/rule_sssd_memcache_timeout/comment.fail.sh +index d4f2cd99aa..d6ce9eedec 100644 +--- a/tests/data/group_services/group_sssd/rule_sssd_memcache_timeout/comment.fail.sh ++++ b/tests/data/group_services/group_sssd/rule_sssd_memcache_timeout/comment.fail.sh +@@ -5,7 +5,7 @@ + SSSD_CONF="/etc/sssd/sssd.conf" + TIMEOUT="180" + +-dnf -y install sssd ++yum -y install sssd + systemctl enable sssd + mkdir -p /etc/sssd + touch $SSSD_CONF +diff --git a/tests/data/group_services/group_sssd/rule_sssd_memcache_timeout/correct_value.pass.sh b/tests/data/group_services/group_sssd/rule_sssd_memcache_timeout/correct_value.pass.sh +index 25c6593a7f..7d492a5a37 100644 +--- a/tests/data/group_services/group_sssd/rule_sssd_memcache_timeout/correct_value.pass.sh ++++ b/tests/data/group_services/group_sssd/rule_sssd_memcache_timeout/correct_value.pass.sh +@@ -7,7 +7,7 @@ SSSD_CONF="/etc/sssd/sssd.conf" + # this should pass for every product which contains ospp profile + TIMEOUT="180" + +-dnf -y install sssd ++yum -y install sssd + systemctl enable sssd + mkdir -p /etc/sssd + touch $SSSD_CONF +diff --git a/tests/data/group_services/group_sssd/rule_sssd_memcache_timeout/wrong_section.fail.sh 
b/tests/data/group_services/group_sssd/rule_sssd_memcache_timeout/wrong_section.fail.sh +index 7b78532d92..e46427a391 100644 +--- a/tests/data/group_services/group_sssd/rule_sssd_memcache_timeout/wrong_section.fail.sh ++++ b/tests/data/group_services/group_sssd/rule_sssd_memcache_timeout/wrong_section.fail.sh +@@ -5,7 +5,7 @@ + SSSD_CONF="/etc/sssd/sssd.conf" + TIMEOUT="180" + +-dnf -y install sssd ++yum -y install sssd + systemctl enable sssd + mkdir -p /etc/sssd + touch $SSSD_CONF +diff --git a/tests/data/group_services/group_sssd/rule_sssd_memcache_timeout/wrong_value.fail.sh b/tests/data/group_services/group_sssd/rule_sssd_memcache_timeout/wrong_value.fail.sh +index a5ac22077e..440ae8d404 100644 +--- a/tests/data/group_services/group_sssd/rule_sssd_memcache_timeout/wrong_value.fail.sh ++++ b/tests/data/group_services/group_sssd/rule_sssd_memcache_timeout/wrong_value.fail.sh +@@ -8,7 +8,7 @@ SSSD_CONF="/etc/sssd/sssd.conf" + # Let's put there a higher value to fail + TIMEOUT="99999" + +-dnf -y install sssd ++yum -y install sssd + systemctl enable sssd + mkdir -p /etc/sssd + touch $SSSD_CONF +diff --git a/tests/data/group_services/group_sssd/rule_sssd_ssh_known_hosts_timeout/comment.fail.sh b/tests/data/group_services/group_sssd/rule_sssd_ssh_known_hosts_timeout/comment.fail.sh +index 5092f147c6..4c40dedb8a 100644 +--- a/tests/data/group_services/group_sssd/rule_sssd_ssh_known_hosts_timeout/comment.fail.sh ++++ b/tests/data/group_services/group_sssd/rule_sssd_ssh_known_hosts_timeout/comment.fail.sh +@@ -5,7 +5,7 @@ + SSSD_CONF="/etc/sssd/sssd.conf" + TIMEOUT="180" + +-dnf -y install sssd ++yum -y install sssd + systemctl enable sssd + mkdir -p /etc/sssd + touch $SSSD_CONF +diff --git a/tests/data/group_services/group_sssd/rule_sssd_ssh_known_hosts_timeout/correct_value.pass.sh b/tests/data/group_services/group_sssd/rule_sssd_ssh_known_hosts_timeout/correct_value.pass.sh +index cb0462d9a7..0610144030 100644 +--- 
a/tests/data/group_services/group_sssd/rule_sssd_ssh_known_hosts_timeout/correct_value.pass.sh ++++ b/tests/data/group_services/group_sssd/rule_sssd_ssh_known_hosts_timeout/correct_value.pass.sh +@@ -7,7 +7,7 @@ SSSD_CONF="/etc/sssd/sssd.conf" + # this should pass for every product which contains ospp profile + TIMEOUT="180" + +-dnf -y install sssd ++yum -y install sssd + systemctl enable sssd + mkdir -p /etc/sssd + touch $SSSD_CONF +diff --git a/tests/data/group_services/group_sssd/rule_sssd_ssh_known_hosts_timeout/wrong_section.fail.sh b/tests/data/group_services/group_sssd/rule_sssd_ssh_known_hosts_timeout/wrong_section.fail.sh +index da720151dc..c35754881c 100644 +--- a/tests/data/group_services/group_sssd/rule_sssd_ssh_known_hosts_timeout/wrong_section.fail.sh ++++ b/tests/data/group_services/group_sssd/rule_sssd_ssh_known_hosts_timeout/wrong_section.fail.sh +@@ -5,7 +5,7 @@ + SSSD_CONF="/etc/sssd/sssd.conf" + TIMEOUT="180" + +-dnf -y install sssd ++yum -y install sssd + systemctl enable sssd + mkdir -p /etc/sssd + touch $SSSD_CONF +diff --git a/tests/data/group_services/group_sssd/rule_sssd_ssh_known_hosts_timeout/wrong_value.fail.sh b/tests/data/group_services/group_sssd/rule_sssd_ssh_known_hosts_timeout/wrong_value.fail.sh +index fcba0e0019..2422bb70fe 100644 +--- a/tests/data/group_services/group_sssd/rule_sssd_ssh_known_hosts_timeout/wrong_value.fail.sh ++++ b/tests/data/group_services/group_sssd/rule_sssd_ssh_known_hosts_timeout/wrong_value.fail.sh +@@ -8,7 +8,7 @@ SSSD_CONF="/etc/sssd/sssd.conf" + # Let's put there a different value to fail + TIMEOUT="99999" + +-dnf -y install sssd ++yum -y install sssd + systemctl enable sssd + mkdir -p /etc/sssd + touch $SSSD_CONF + +From 42f536cfdb0898e56ac6a4e9ba8eefcce81ae17a Mon Sep 17 00:00:00 2001 +From: Gabriel Becker +Date: Fri, 17 May 2019 14:30:59 +0200 +Subject: [PATCH 4/4] Remove unused variable from rhel7/stig-rhel7-disa.profile. 
+ +--- + rhel7/profiles/stig-rhel7-disa.profile | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/rhel7/profiles/stig-rhel7-disa.profile b/rhel7/profiles/stig-rhel7-disa.profile +index 85dfda0ad2..9f8e9ab156 100644 +--- a/rhel7/profiles/stig-rhel7-disa.profile ++++ b/rhel7/profiles/stig-rhel7-disa.profile +@@ -18,7 +18,6 @@ description: |- + selections: + - login_banner_text=dod_banners + - inactivity_timeout_value=15_minutes +- - var_sssd_ssh_known_hosts_timeout=5_minutes + - var_screensaver_lock_delay=5_seconds + - sshd_idle_timeout_value=10_minutes + - var_accounts_fail_delay=4 diff --git a/SOURCES/scap-security-guide-0.1.45-mark_rules_as_machine_only.patch b/SOURCES/scap-security-guide-0.1.45-mark_rules_as_machine_only.patch new file mode 100644 index 0000000..8568afb --- /dev/null +++ b/SOURCES/scap-security-guide-0.1.45-mark_rules_as_machine_only.patch 
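Review bot: The new bash/shared.sh for sssd_ssh_known_hosts_timeout creates /etc/sssd/sssd.conf with `touch $SSSD_CONF` and then appends to it, so a freshly created file gets whatever the umask yields (typically 0644), whereas the Ansible remediation for the same rule in the sibling patch sets `mode: 0600`, and sssd itself, as far as I know, refuses to start on an sssd.conf that is not 0600 and root-owned; replace the `touch` with `install -m 0600 -o root -g root /dev/null "$SSSD_CONF"` (or follow it with `chmod 0600 "$SSSD_CONF"`). Separately, the `sed -i "s/ssh_known_hosts_timeout[^(\n)]*/…/"` branch is not limited to the `[ssh]` section that the preceding `grep -qzosP` matched, so it also rewrites a commented-out `#ssh_known_hosts_timeout` line or a copy of the option under another section (exactly the layouts comment.fail.sh and wrong_section.fail.sh construct); restricting it to the section range, e.g. `sed -i "/^[[:space:]]*\[ssh\]/,/^[[:space:]]*\[/ s/^[[:space:]]*ssh_known_hosts_timeout.*/ssh_known_hosts_timeout = $var_sssd_ssh_known_hosts_timeout/" "$SSSD_CONF"`, keeps the edit where the check looks. The unquoted `$SSH_KNOWN_HOSTS_TIMEOUT_REGEX` and `$SSH_REGEX` arguments contain `*` and `[`, so they are subject to pathname expansion in whatever directory the remediation runs from and should be double-quoted. Finally, the comment in rule_sssd_ssh_known_hosts_timeout/wrong_value.fail.sh still refers to `sssd_memcache_timeout`, and the comment that PATCH 2/4 adds to correct_value.pass.sh for the same rule does too; both should name `var_sssd_ssh_known_hosts_timeout`.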
@@ -0,0 +1,1060 @@ +commit 167d69498e13516f345dd0581e72720211760476 +Author: Gabriel Becker +Date: Mon Apr 8 12:43:30 2019 +0200 + + Mark as machine only rules which are not applicable for containers. + +diff --git a/linux_os/guide/services/obsolete/inetd_and_xinetd/group.yml b/linux_os/guide/services/obsolete/inetd_and_xinetd/group.yml +index 07f6351..3c98479 100644 +--- a/linux_os/guide/services/obsolete/inetd_and_xinetd/group.yml ++++ b/linux_os/guide/services/obsolete/inetd_and_xinetd/group.yml +@@ -8,3 +8,5 @@ description: |- + controls and perform some logging. It has been largely obsoleted by other + features, and it is not installed by default. The older Inetd service + is not even available as part of {{{ full_name }}}. ++ ++platform: machine +diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/install_smartcard_packages/rule.yml b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/install_smartcard_packages/rule.yml +index 6b01ddb..d6feb28 100644 +--- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/install_smartcard_packages/rule.yml ++++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/install_smartcard_packages/rule.yml +@@ -37,5 +37,3 @@ ocil: |- + To verify the operating system has the packages required for multifactor + authentication installed, run the following command: +
    $ sudo yum list installed esc pam_pkcs11 authconfig-gtk
    +- +-platform: machine +diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/service_pcscd_enabled/rule.yml b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/service_pcscd_enabled/rule.yml +index a49f9e7..03e37fd 100644 +--- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/service_pcscd_enabled/rule.yml ++++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/service_pcscd_enabled/rule.yml +@@ -33,3 +33,5 @@ references: + ocil_clause: 'the pcscd service is not enabled' + + ocil: '{{{ ocil_service_enabled(service="pcscd") }}}' ++ ++platform: machine +diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/smartcard_auth/rule.yml b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/smartcard_auth/rule.yml +index a5e92fe..d8aa9ec 100644 +--- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/smartcard_auth/rule.yml ++++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/smartcard_auth/rule.yml +@@ -70,5 +70,3 @@ ocil: |- + network and system components from outside the protection boundary + documented in the IATT. + +- +-platform: machine +diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/smartcard_configure_cert_checking/rule.yml b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/smartcard_configure_cert_checking/rule.yml +index 56af0e3..a2c4bd9 100644 +--- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/smartcard_configure_cert_checking/rule.yml ++++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/smartcard_configure_cert_checking/rule.yml +@@ -42,5 +42,3 @@ ocil: |- +
    cert_policy = ca, ocsp_on, signature;
    +     cert_policy = ca, ocsp_on, signature;
    +     cert_policy = ca, ocsp_on, signature;
    +- +-platform: machine +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_chmod/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_chmod/rule.yml +index 968820f..0741629 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_chmod/rule.yml ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_chmod/rule.yml +@@ -64,4 +64,3 @@ warnings: + have been placed independent of other system calls. Grouping these system + calls with others as identifying earlier in this guide is more efficient. + +-platform: machine +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_chown/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_chown/rule.yml +index 3803b04..f5ec6e6 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_chown/rule.yml ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_chown/rule.yml +@@ -62,4 +62,3 @@ warnings: + have been placed independent of other system calls. Grouping these system + calls with others as identifying earlier in this guide is more efficient. 
+ +-platform: machine +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchmod/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchmod/rule.yml +index 13ecde1..a66c91e 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchmod/rule.yml ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchmod/rule.yml +@@ -62,4 +62,3 @@ warnings: + have been placed independent of other system calls. Grouping these system + calls with others as identifying earlier in this guide is more efficient. + +-platform: machine +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchmodat/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchmodat/rule.yml +index 982e8e6..26e17b8 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchmodat/rule.yml ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchmodat/rule.yml +@@ -62,4 +62,3 @@ warnings: + have been placed independent of other system calls. Grouping these system + calls with others as identifying earlier in this guide is more efficient. 
+ +-platform: machine +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchown/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchown/rule.yml +index 16eac8a..27d325c 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchown/rule.yml ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchown/rule.yml +@@ -62,4 +62,3 @@ warnings: + have been placed independent of other system calls. Grouping these system + calls with others as identifying earlier in this guide is more efficient. + +-platform: machine +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchownat/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchownat/rule.yml +index 6db400e..2aa77fa 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchownat/rule.yml ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchownat/rule.yml +@@ -62,4 +62,3 @@ warnings: + have been placed independent of other system calls. Grouping these system + calls with others as identifying earlier in this guide is more efficient. 
+ +-platform: machine +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fremovexattr/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fremovexattr/rule.yml +index 56528dd..02ac1db 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fremovexattr/rule.yml ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fremovexattr/rule.yml +@@ -68,4 +68,3 @@ warnings: + have been placed independent of other system calls. Grouping these system + calls with others as identifying earlier in this guide is more efficient. + +-platform: machine +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fsetxattr/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fsetxattr/rule.yml +index 88e8429..545889e 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fsetxattr/rule.yml ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fsetxattr/rule.yml +@@ -62,4 +62,3 @@ warnings: + have been placed independent of other system calls. Grouping these system + calls with others as identifying earlier in this guide is more efficient. 
+ +-platform: machine +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lchown/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lchown/rule.yml +index 81ea227..de20307 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lchown/rule.yml ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lchown/rule.yml +@@ -62,4 +62,3 @@ warnings: + have been placed independent of other system calls. Grouping these system + calls with others as identifying earlier in this guide is more efficient. + +-platform: machine +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lremovexattr/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lremovexattr/rule.yml +index 49d6959..726791b 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lremovexattr/rule.yml ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lremovexattr/rule.yml +@@ -68,4 +68,3 @@ warnings: + have been placed independent of other system calls. Grouping these system + calls with others as identifying earlier in this guide is more efficient. 
+ +-platform: machine +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lsetxattr/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lsetxattr/rule.yml +index 79c16c7..5305faf 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lsetxattr/rule.yml ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lsetxattr/rule.yml +@@ -62,4 +62,3 @@ warnings: + have been placed independent of other system calls. Grouping these system + calls with others as identifying earlier in this guide is more efficient. + +-platform: machine +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_removexattr/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_removexattr/rule.yml +index 6659e81..273abda 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_removexattr/rule.yml ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_removexattr/rule.yml +@@ -67,4 +67,3 @@ warnings: + have been placed independent of other system calls. Grouping these system + calls with others as identifying earlier in this guide is more efficient. 
+ +-platform: machine +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_setxattr/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_setxattr/rule.yml +index 10c8001..5282707 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_setxattr/rule.yml ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_setxattr/rule.yml +@@ -62,4 +62,3 @@ warnings: + have been placed independent of other system calls. Grouping these system + calls with others as identifying earlier in this guide is more efficient. + +-platform: machine +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/group.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/group.yml +index 719044f..791b8c8 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/group.yml ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/group.yml +@@ -20,4 +20,3 @@ description: |- + -a always,exit -F arch=b64 -S chown,fchown,fchownat,lchown -F auid>={{{ auid }}} -F auid!=unset -F key=perm_mod + -a always,exit -F arch=b64 -S setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F auid>={{{ auid }}} -F auid!=unset -F key=perm_mod
    + +-platform: machine +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_chcon/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_chcon/rule.yml +index 80f412b..cf741ed 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_chcon/rule.yml ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_chcon/rule.yml +@@ -55,4 +55,3 @@ ocil: |- + The output should return something similar to: +
    -a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>={{{ auid }}} -F auid!=unset -F key=privileged-priv_change
    + 
+-platform: machine
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_restorecon/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_restorecon/rule.yml
+index d24fa07..bb9a502 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_restorecon/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_restorecon/rule.yml
+@@ -54,4 +54,3 @@ ocil: |-
+ The output should return something similar to:
+
    -a always,exit -F path=/usr/sbin/restorecon -F perm=x -F auid>={{{ auid }}} -F auid!=unset -F key=privileged-priv_change
    + 
+-platform: machine
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_semanage/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_semanage/rule.yml
+index 3d9b812..4a7b768 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_semanage/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_semanage/rule.yml
+@@ -55,4 +55,3 @@ ocil: |-
+ The output should return something similar to:
+
    -a always,exit -F path=/usr/sbin/semanage -F perm=x -F auid>={{{ auid }}} -F auid!=unset -F key=privileged-priv_change
    + 
+-platform: machine
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_setsebool/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_setsebool/rule.yml
+index 39eb75d..5971f64 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_setsebool/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_setsebool/rule.yml
+@@ -55,4 +55,3 @@ ocil: |-
+ The output should return something similar to:
+
    -a always,exit -F path=/usr/sbin/setsebool -F perm=x -F auid>={{{ auid }}} -F auid!=unset -F key=privileged-priv_change
    + 
+-platform: machine
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events/rule.yml
+index a6ef8d4..cfb5e3b 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events/rule.yml
+@@ -68,4 +68,3 @@ warnings:
+
  • audit_rules_file_deletion_events_unlinkat
  • + + 
+-platform: machine
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_rename/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_rename/rule.yml
+index 13e7da6..c25cfbb 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_rename/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_rename/rule.yml
+@@ -48,4 +48,3 @@ references:
+ 
+ {{{ complete_ocil_entry_audit_syscall(syscall="rename") }}}
+ 
+-platform: machine
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_renameat/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_renameat/rule.yml
+index d2facfa..769527b 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_renameat/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_renameat/rule.yml
+@@ -48,4 +48,3 @@ references:
+ 
+ {{{ complete_ocil_entry_audit_syscall(syscall="renameat") }}}
+ 
+-platform: machine
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_rmdir/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_rmdir/rule.yml
+index c68afdc..29a0d77 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_rmdir/rule.yml
++++ 
b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_rmdir/rule.yml
+@@ -48,4 +48,3 @@ references:
+ 
+ {{{ complete_ocil_entry_audit_syscall(syscall="rmdir") }}}
+ 
+-platform: machine
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_unlink/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_unlink/rule.yml
+index 4d79c16..5b1ff7b 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_unlink/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_unlink/rule.yml
+@@ -48,4 +48,3 @@ references:
+ 
+ {{{ complete_ocil_entry_audit_syscall(syscall="unlink") }}}
+ 
+-platform: machine
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_unlinkat/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_unlinkat/rule.yml
+index e330ec2..f8ca887 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_unlinkat/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_unlinkat/rule.yml
+@@ -48,4 +48,3 @@ references:
+ 
+ {{{ complete_ocil_entry_audit_syscall(syscall="unlinkat") }}}
+ 
+-platform: machine
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/rule.yml
+index 551ca92..3a5cad0 100644
+--- 
a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/rule.yml
+@@ -71,4 +71,3 @@ warnings:
+
  • audit_rules_kernel_module_loading_modprobe
  • + + 
+-platform: machine
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_delete/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_delete/rule.yml
+index 5797736..50b57ff 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_delete/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_delete/rule.yml
+@@ -46,4 +46,3 @@ references:
+ 
+ {{{ complete_ocil_entry_audit_syscall(syscall="delete_module") }}}
+ 
+-platform: machine
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_finit/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_finit/rule.yml
+index a98abfb..da9702d 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_finit/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_finit/rule.yml
+@@ -46,4 +46,3 @@ references:
+ 
+ {{{ complete_ocil_entry_audit_syscall(syscall="finit_module") }}}
+ 
+-platform: machine
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_init/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_init/rule.yml
+index 8e098d8..ea3b126 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_init/rule.yml
++++ 
b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_init/rule.yml
+@@ -45,4 +45,3 @@ references:
+ 
+ {{{ complete_ocil_entry_audit_syscall(syscall="init_module") }}}
+ 
+-platform: machine
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_insmod/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_insmod/rule.yml
+index 5bf3012..b3c0d36 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_insmod/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_insmod/rule.yml
+@@ -49,4 +49,3 @@ ocil: |-
+ To verify that auditing is configured for system administrator actions, run the following command:
+
    $ sudo auditctl -l | grep "watch=/usr/sbin/insmod\|-w /usr/sbin/insmod"
    + 
+-platform: machine
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_modprobe/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_modprobe/rule.yml
+index c734c5b..3a39469 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_modprobe/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_modprobe/rule.yml
+@@ -49,4 +49,3 @@ ocil: |-
+ To verify that auditing is configured for system administrator actions, run the following command:
+
    $ sudo auditctl -l | grep "watch=/usr/sbin/modprobe\|-w /usr/sbin/modprobe"
    + 
+-platform: machine
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_rmmod/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_rmmod/rule.yml
+index bd0cd78..c1554c3 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_rmmod/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_rmmod/rule.yml
+@@ -49,4 +49,3 @@ ocil: |-
+ To verify that auditing is configured for system administrator actions, run the following command:
+
    $ sudo auditctl -l | grep "watch=/usr/sbin/rmmod\|-w /usr/sbin/rmmod"
    + 
+-platform: machine
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events/rule.yml
+index e9de60b..5bcd7cf 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events/rule.yml
+@@ -58,4 +58,3 @@ warnings:
+
  • audit_rules_login_events_lastlog
  • + + 
+-platform: machine
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_faillock/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_faillock/rule.yml
+index 015ad9c..508bbe1 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_faillock/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_faillock/rule.yml
+@@ -51,4 +51,3 @@ ocil: |-
+ To verify that auditing is configured for system administrator actions, run the following command:
+
    $ sudo auditctl -l | grep "watch=/var/run/faillock\|-w /var/run/faillock"
    + 
+-platform: machine
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_lastlog/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_lastlog/rule.yml
+index 5e3795c..5fae020 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_lastlog/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_lastlog/rule.yml
+@@ -51,4 +51,3 @@ ocil: |-
+ To verify that auditing is configured for system administrator actions, run the following command:
+
    $ sudo auditctl -l | grep "watch=/var/log/lastlog\|-w /var/log/lastlog"
    + 
+-platform: machine
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_tallylog/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_tallylog/rule.yml
+index 7ea479d..26c31e9 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_tallylog/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_tallylog/rule.yml
+@@ -51,4 +51,3 @@ ocil: |-
+ To verify that auditing is configured for system administrator actions, run the following command:
+
    $ sudo auditctl -l | grep "watch=/var/log/tallylog\|-w /var/log/tallylog"
    + 
+-platform: machine
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/rule.yml
+index 83dbbdd..7debab8 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/rule.yml
+@@ -86,4 +86,3 @@ warnings:
+
  • audit_rules_privileged_commands_passwd
  • + + 
+-platform: machine
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_chage/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_chage/rule.yml
+index f5e8b11..c655fa1 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_chage/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_chage/rule.yml
+@@ -56,4 +56,3 @@ ocil: |-
+
    $ sudo grep chage /etc/audit/audit.rules /etc/audit/rules.d/*
    + It should return a relevant line in the audit rules.
+ 
+-platform: machine
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_chsh/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_chsh/rule.yml
+index c5f7dd3..3884282 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_chsh/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_chsh/rule.yml
+@@ -56,4 +56,3 @@ ocil: |-
+
    $ sudo grep chsh /etc/audit/audit.rules /etc/audit/rules.d/*
    + It should return a relevant line in the audit rules.
+ 
+-platform: machine
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_crontab/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_crontab/rule.yml
+index a9bff8b..28fe87c 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_crontab/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_crontab/rule.yml
+@@ -56,4 +56,3 @@ ocil: |-
+
    $ sudo grep crontab /etc/audit/audit.rules /etc/audit/rules.d/*
    + It should return a relevant line in the audit rules.
+ 
+-platform: machine
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_gpasswd/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_gpasswd/rule.yml
+index 2a77c28..5254306 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_gpasswd/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_gpasswd/rule.yml
+@@ -57,4 +57,3 @@ ocil: |-
+
    $ sudo grep gpasswd /etc/audit/audit.rules /etc/audit/rules.d/*
    + It should return a relevant line in the audit rules.
+ 
+-platform: machine
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_newgrp/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_newgrp/rule.yml
+index cb92e81..e4138c0 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_newgrp/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_newgrp/rule.yml
+@@ -57,4 +57,3 @@ ocil: |-
+
    $ sudo grep newgrp /etc/audit/audit.rules /etc/audit/rules.d/*
    + It should return a relevant line in the audit rules.
+ 
+-platform: machine
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_pam_timestamp_check/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_pam_timestamp_check/rule.yml
+index 6249290..61e54af 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_pam_timestamp_check/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_pam_timestamp_check/rule.yml
+@@ -56,4 +56,3 @@ ocil: |-
+
    $ sudo grep pam_timestamp_check /etc/audit/audit.rules /etc/audit/rules.d/*
    + It should return a relevant line in the audit rules.
+ 
+-platform: machine
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_passwd/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_passwd/rule.yml
+index 7a41823..6ff660a 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_passwd/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_passwd/rule.yml
+@@ -57,4 +57,3 @@ ocil: |-
+
    $ sudo grep passwd /etc/audit/audit.rules /etc/audit/rules.d/*
    + It should return a relevant line in the audit rules.
+ 
+-platform: machine
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_postdrop/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_postdrop/rule.yml
+index 053ea23..cab809e 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_postdrop/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_postdrop/rule.yml
+@@ -56,4 +56,3 @@ ocil: |-
+
    $ sudo grep postdrop /etc/audit/audit.rules /etc/audit/rules.d/*
    + It should return a relevant line in the audit rules.
+ 
+-platform: machine
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_postqueue/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_postqueue/rule.yml
+index 0b5188f..206606a 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_postqueue/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_postqueue/rule.yml
+@@ -56,4 +56,3 @@ ocil: |-
+
    $ sudo grep postqueue /etc/audit/audit.rules /etc/audit/rules.d/*
    + It should return a relevant line in the audit rules.
+ 
+-platform: machine
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_pt_chown/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_pt_chown/rule.yml
+index dd3a189..fd231b8 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_pt_chown/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_pt_chown/rule.yml
+@@ -54,4 +54,3 @@ ocil: |-
+
    $ sudo grep pt_chown /etc/audit/audit.rules /etc/audit/rules.d/*
    + It should return a relevant line in the audit rules.
+ 
+-platform: machine
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_ssh_keysign/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_ssh_keysign/rule.yml
+index d27edda..89b09f2 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_ssh_keysign/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_ssh_keysign/rule.yml
+@@ -57,4 +57,3 @@ ocil: |-
+
    $ sudo grep ssh-keysign /etc/audit/audit.rules /etc/audit/rules.d/*
    + It should return a relevant line in the audit rules.
+ 
+-platform: machine
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_su/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_su/rule.yml
+index 10b060f..8587f72 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_su/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_su/rule.yml
+@@ -57,4 +57,3 @@ ocil: |-
+
    $ sudo grep su /etc/audit/audit.rules /etc/audit/rules.d/*
    + It should return a relevant line in the audit rules.
+ 
+-platform: machine
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_sudo/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_sudo/rule.yml
+index e1366d3..b6865ab 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_sudo/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_sudo/rule.yml
+@@ -57,4 +57,3 @@ ocil: |-
+
    $ sudo grep sudo /etc/audit/audit.rules /etc/audit/rules.d/*
    + It should return a relevant line in the audit rules.
+ 
+-platform: machine
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_sudoedit/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_sudoedit/rule.yml
+index 7b33ea2..0289b75 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_sudoedit/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_sudoedit/rule.yml
+@@ -57,4 +57,3 @@ ocil: |-
+
    $ sudo grep sudoedit /etc/audit/audit.rules /etc/audit/rules.d/*
    + It should return a relevant line in the audit rules.
+ 
+-platform: machine
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_umount/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_umount/rule.yml
+index 5c35c29..aa029ef 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_umount/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_umount/rule.yml
+@@ -56,4 +56,3 @@ ocil: |-
+
    $ sudo grep umount /etc/audit/audit.rules /etc/audit/rules.d/*
    + It should return a relevant line in the audit rules.
+ 
+-platform: machine
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_unix_chkpwd/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_unix_chkpwd/rule.yml
+index dbda1c3..8bfc971 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_unix_chkpwd/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_unix_chkpwd/rule.yml
+@@ -57,4 +57,3 @@ ocil: |-
+
    $ sudo grep unix_chkpwd /etc/audit/audit.rules /etc/audit/rules.d/*
    + It should return a relevant line in the audit rules.
+ 
+-platform: machine
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_userhelper/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_userhelper/rule.yml
+index d6ff871..1508def 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_userhelper/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_userhelper/rule.yml
+@@ -57,4 +57,3 @@ ocil: |-
+
    $ sudo grep userhelper /etc/audit/audit.rules /etc/audit/rules.d/*
    + It should return a relevant line in the audit rules.
+ 
+-platform: machine
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_immutable/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_immutable/rule.yml
+index 3fe0463..619bed8 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_immutable/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_immutable/rule.yml
+@@ -43,4 +43,3 @@ references:
+ iso27001-2013: A.10.1.1,A.11.1.4,A.11.1.5,A.11.2.1,A.12.4.1,A.12.4.2,A.12.4.3,A.12.4.4,A.12.7.1,A.13.1.1,A.13.1.3,A.13.2.1,A.13.2.3,A.13.2.4,A.14.1.2,A.14.1.3,A.15.2.1,A.15.2.2,A.16.1.4,A.16.1.5,A.16.1.7,A.6.1.2,A.7.1.1,A.7.1.2,A.7.3.1,A.8.2.2,A.8.2.3,A.9.1.1,A.9.1.2,A.9.2.3,A.9.4.1,A.9.4.4,A.9.4.5
+ cis-csc: 1,11,12,13,14,15,16,18,19,3,4,5,6,7,8
+ 
+-platform: machine
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_mac_modification/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_mac_modification/rule.yml
+index 4f54a47..1814663 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_mac_modification/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_mac_modification/rule.yml
+@@ -54,4 +54,3 @@ ocil: |-
+ configuration, a line should be returned (including
+ perm=wa indicating permissions that are watched). 
+ 
+-platform: machine
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_media_export/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_media_export/rule.yml
+index 740d7c6..d0c39af 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_media_export/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_media_export/rule.yml
+@@ -57,4 +57,3 @@ ocil: |-
+ To verify that auditing is configured for all media exportation events, run the following command:
+
    $ sudo auditctl -l | grep syscall | grep mount
    + 
+-platform: machine
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_networkconfig_modification/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_networkconfig_modification/rule.yml
+index af42de6..6d9efc2 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_networkconfig_modification/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_networkconfig_modification/rule.yml
+@@ -62,4 +62,3 @@ ocil: |-
+ If the system is configured to watch for network configuration changes, a line should be returned for
+ each file specified (and perm=wa should be indicated for each).
+ 
+-platform: machine
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_session_events/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_session_events/rule.yml
+index b0b3c5f..792d64c 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_session_events/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_session_events/rule.yml
+@@ -48,4 +48,3 @@ references:
+ iso27001-2013: A.11.2.6,A.12.4.1,A.12.4.2,A.12.4.3,A.12.4.4,A.12.7.1,A.13.1.1,A.13.2.1,A.14.1.3,A.14.2.7,A.15.2.1,A.15.2.2,A.16.1.4,A.16.1.5,A.16.1.7,A.6.2.1,A.6.2.2
+ cis-csc: 1,11,12,13,14,15,16,19,2,3,4,5,6,7,8,9
+ 
+-platform: machine
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sysadmin_actions/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sysadmin_actions/rule.yml
+index 436d093..03beb79 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sysadmin_actions/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sysadmin_actions/rule.yml
+@@ -54,4 +54,3 @@ ocil: |-
+ To verify that auditing is configured for system administrator actions, run the following command:
+
    $ sudo auditctl -l | grep "watch=/etc/sudoers\|watch=/etc/sudoers.d\|-w /etc/sudoers\|-w /etc/sudoers.d"
    + 
+-platform: machine
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/rule.yml
+index 21f5b25..92564b9 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/rule.yml
+@@ -54,4 +54,3 @@ ocil: |-
+ The output should contain:
+
    -f 2
    + 
+-platform: machine
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification/rule.yml
+index 5dc997b..7ff82bf 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification/rule.yml
+@@ -77,4 +77,3 @@ warnings:
+
  • audit_rules_usergroup_modification_passwd
  • + 
+ 
+-platform: machine
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_group/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_group/rule.yml
+index 7639721..5604748 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_group/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_group/rule.yml
+@@ -60,4 +60,3 @@ ocil: |-
+ If the system is configured to watch for account changes, lines should be returned for
+ each file specified (and with perm=wa for each).
+ 
+-platform: machine
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_gshadow/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_gshadow/rule.yml
+index 4dd886e..0fb6873 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_gshadow/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_gshadow/rule.yml
+@@ -60,4 +60,3 @@ ocil: |-
+ If the system is configured to watch for account changes, lines should be returned for
+ each file specified (and with perm=wa for each). 
+ 
+-platform: machine
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_opasswd/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_opasswd/rule.yml
+index aeb9241..22e8114 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_opasswd/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_opasswd/rule.yml
+@@ -60,4 +60,3 @@ ocil: |-
+ If the system is configured to watch for account changes, lines should be returned for
+ each file specified (and with perm=wa for each).
+ 
+-platform: machine
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_passwd/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_passwd/rule.yml
+index e1dc4d0..e07a77f 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_passwd/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_passwd/rule.yml
+@@ -60,4 +60,3 @@ ocil: |-
+ If the system is configured to watch for account changes, lines should be returned for
+ each file specified (and with perm=wa for each). 
+ 
+-platform: machine
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_shadow/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_shadow/rule.yml
+index 2bbba00..18294e2 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_shadow/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_shadow/rule.yml
+@@ -60,4 +60,3 @@ ocil: |-
+ If the system is configured to watch for account changes, lines should be returned for
+ each file specified (and with perm=wa for each).
+ 
+-platform: machine
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_adjtimex/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_adjtimex/rule.yml
+index f250c07..e511b12 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_adjtimex/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_adjtimex/rule.yml
+@@ -58,4 +58,3 @@ ocil_clause: 'the system is not configured to audit time changes'
+ 
+ {{{ complete_ocil_entry_audit_syscall(syscall="adjtimex") }}}
+ 
+-platform: machine
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_clock_settime/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_clock_settime/rule.yml
+index d0371e2..52544e7 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_clock_settime/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_clock_settime/rule.yml
+@@ -58,4 +58,3 @@ ocil_clause: 'the system is not configured to audit time changes'
+ 
+ {{{ 
complete_ocil_entry_audit_syscall(syscall="clock_settime") }}}
+ 
+-platform: machine
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_settimeofday/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_settimeofday/rule.yml
+index 9d21d98..a7b87b2 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_settimeofday/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_settimeofday/rule.yml
+@@ -58,4 +58,3 @@ ocil_clause: 'the system is not configured to audit time changes'
+ 
+ {{{ complete_ocil_entry_audit_syscall(syscall="settimeofday") }}}
+ 
+-platform: machine
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_stime/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_stime/rule.yml
+index 09dd535..4f069dc 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_stime/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_stime/rule.yml
+@@ -64,4 +64,3 @@ ocil: |-
+ If the system is 64-bit only, this is not applicable
    + {{{ complete_ocil_entry_audit_syscall(syscall="stime") }}}
+ 
+-platform: machine
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_watch_localtime/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_watch_localtime/rule.yml
+index ed393a4..8e2b77f 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_watch_localtime/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_watch_localtime/rule.yml
+@@ -57,4 +57,3 @@ ocil: |-
+
    $ sudo auditctl -l | grep "watch=/etc/localtime"
    + If the system is configured to audit this activity, it will return a line.
+ 
+-platform: machine
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification/rule.yml
+index ae079ab..30780c7 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification/rule.yml
+@@ -72,4 +72,3 @@ warnings:
+
  • audit_rules_unsuccessful_file_modification_creat
  • + 
+ 
+-platform: machine
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_creat/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_creat/rule.yml
+index f797fa7..7d1fee5 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_creat/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_creat/rule.yml
+@@ -62,4 +62,3 @@ warnings:
+ have been placed independent of other system calls. Grouping these system
+ calls with others as identifying earlier in this guide is more efficient.
+ 
+-platform: machine
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_ftruncate/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_ftruncate/rule.yml
+index d737fcd..5186f7a 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_ftruncate/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_ftruncate/rule.yml
+@@ -62,4 +62,3 @@ warnings:
+ have been placed independent of other system calls. Grouping these system
+ calls with others as identifying earlier in this guide is more efficient. 
+ 
+-platform: machine
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_open/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_open/rule.yml
+index a5f1d03..9cf0a90 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_open/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_open/rule.yml
+@@ -62,4 +62,3 @@ warnings:
+ have been placed independent of other system calls. Grouping these system
+ calls with others as identifying earlier in this guide is more efficient.
+ 
+-platform: machine
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_open_by_handle_at/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_open_by_handle_at/rule.yml
+index 6571e87..6f523f1 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_open_by_handle_at/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_open_by_handle_at/rule.yml
+@@ -62,4 +62,3 @@ warnings:
+ have been placed independent of other system calls. Grouping these system
+ calls with others as identifying earlier in this guide is more efficient. 
+ 
+-platform: machine
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_openat/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_openat/rule.yml
+index eec216c..0ed0a60 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_openat/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_openat/rule.yml
+@@ -62,4 +62,3 @@ warnings:
+ have been placed independent of other system calls. Grouping these system
+ calls with others as identifying earlier in this guide is more efficient.
+ 
+-platform: machine
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_truncate/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_truncate/rule.yml
+index d6c3608..ce91925 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_truncate/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_truncate/rule.yml
+@@ -62,4 +62,3 @@ warnings:
+ have been placed independent of other system calls. Grouping these system
+ calls with others as identifying earlier in this guide is more efficient. 
+ 
+-platform: machine
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/directory_access_var_log_audit/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/directory_access_var_log_audit/rule.yml
+index 90e5181..5981689 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/directory_access_var_log_audit/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/directory_access_var_log_audit/rule.yml
+@@ -34,3 +34,5 @@ ocil: |-
+ /var/log/audit directory, run the following command:
+
    $ sudo grep "dir=/var/log/audit" /etc/audit/audit.rules
    + If the system is configured to audit this activity, it will return a line.
++
++platform: machine
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/file_ownership_var_log_audit/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/file_ownership_var_log_audit/rule.yml
+index e0ba2a5..41a0ae9 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/file_ownership_var_log_audit/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/file_ownership_var_log_audit/rule.yml
+@@ -39,4 +39,3 @@ ocil: |-
+ {{{ describe_file_owner(file="/var/log/audit", owner="root") }}}
+ {{{ describe_file_owner(file="/var/log/audit/*", owner="root") }}}
+ 
+-platform: machine
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/file_permissions_var_log_audit/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/file_permissions_var_log_audit/rule.yml
+index b9ae2ef..851d1bb 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/file_permissions_var_log_audit/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/file_permissions_var_log_audit/rule.yml
+@@ -43,4 +43,3 @@ ocil: |-
+
    $ sudo ls -l /var/log/audit
    + Audit logs must be mode 0640 or less permissive.
+ 
+-platform: machine
+diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_configure_remote_server/rule.yml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_configure_remote_server/rule.yml
+index e97f2d8..d760406 100644
+--- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_configure_remote_server/rule.yml
++++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_configure_remote_server/rule.yml
+@@ -51,4 +51,3 @@ ocil: |-
+ is an IP address or hostname:
+
    remote_server = REMOTE_SYSTEM
    + 
+-platform: machine
+diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_disk_full_action/rule.yml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_disk_full_action/rule.yml
+index 0635d1e..664b988 100644
+--- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_disk_full_action/rule.yml
++++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_disk_full_action/rule.yml
+@@ -41,4 +41,3 @@ ocil: |-
+ Acceptable values also include syslog and
+ halt.
+ 
+-platform: machine
+diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_encrypt_sent_records/rule.yml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_encrypt_sent_records/rule.yml
+index 484464c..9327ca6 100644
+--- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_encrypt_sent_records/rule.yml
++++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_encrypt_sent_records/rule.yml
+@@ -48,4 +48,3 @@ ocil: |-
+
    enable_krb5 = yes
    + {{% endif %}}
+ 
+-platform: machine
+diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_network_failure_action/rule.yml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_network_failure_action/rule.yml
+index c8699c7..874df40 100644
+--- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_network_failure_action/rule.yml
++++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_network_failure_action/rule.yml
+@@ -41,4 +41,3 @@ ocil: |-
+ Acceptable values also include syslog and
+ halt.
+ 
+-platform: machine
+diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_syslog_plugin_activated/rule.yml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_syslog_plugin_activated/rule.yml
+index 20bc9d2..e5a783b 100644
+--- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_syslog_plugin_activated/rule.yml
++++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_syslog_plugin_activated/rule.yml
+@@ -57,4 +57,3 @@ ocil: |-
+ {{% endif %}}
+ If the plugin is active, the output will show yes.
+ 
+-platform: machine
+diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_action_mail_acct/rule.yml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_action_mail_acct/rule.yml
+index 19347e9..01a3b57 100644
+--- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_action_mail_acct/rule.yml
++++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_action_mail_acct/rule.yml
+@@ -48,4 +48,3 @@ ocil: |-
+ account when it needs to notify an administrator:
+
    action_mail_acct = root
    + 
+-platform: machine
+diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_admin_space_left_action/rule.yml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_admin_space_left_action/rule.yml
+index abb19df..cbd1ae6 100644
+--- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_admin_space_left_action/rule.yml
++++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_admin_space_left_action/rule.yml
+@@ -53,4 +53,3 @@ ocil: |-
+ or halt when disk space has run low:
+
    admin_space_left_action single
    + 
+-platform: machine
+diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_flush/rule.yml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_flush/rule.yml
+index 9b8dff7..e26cab6 100644
+--- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_flush/rule.yml
++++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_flush/rule.yml
+@@ -45,4 +45,3 @@ ocil: |-
+ Acceptable values are DATA, and SYNC. The setting is
+ case-insensitive.
+ 
+-platform: machine
+diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_max_log_file/rule.yml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_max_log_file/rule.yml
+index fa9de00..66b30c2 100644
+--- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_max_log_file/rule.yml
++++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_max_log_file/rule.yml
+@@ -46,4 +46,3 @@ ocil: |-
+ $ sudo grep max_log_file /etc/audit/auditd.conf
+
    max_log_file = 6
    + 
+-platform: machine
+diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_max_log_file_action/rule.yml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_max_log_file_action/rule.yml
+index 70d95ff..5d685bb 100644
+--- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_max_log_file_action/rule.yml
++++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_max_log_file_action/rule.yml
+@@ -56,4 +56,3 @@ ocil: |-
+ $ sudo grep max_log_file_action /etc/audit/auditd.conf
+
    max_log_file_action rotate
    + 
+-platform: machine
+diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_num_logs/rule.yml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_num_logs/rule.yml
+index 76ca34b..3f88969 100644
+--- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_num_logs/rule.yml
++++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_num_logs/rule.yml
+@@ -45,4 +45,3 @@ ocil: |-
+ $ sudo grep num_logs /etc/audit/auditd.conf
+
    num_logs = 5
    + 
+-platform: machine
+diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left/rule.yml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left/rule.yml
+index 884f5dc..b185f06 100644
+--- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left/rule.yml
++++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left/rule.yml
+@@ -46,4 +46,3 @@ ocil: |-
+ determine if the system is configured correctly:
+
    space_left SIZE_in_MB
    + 
+-platform: machine
+diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left_action/rule.yml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left_action/rule.yml
+index 5f1c0c9..015b1c6 100644
+--- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left_action/rule.yml
++++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left_action/rule.yml
+@@ -63,4 +63,3 @@ ocil: |-
+
    space_left_action
    + Acceptable values are email, suspend, single, and halt.
+ 
+-platform: machine
+diff --git a/linux_os/guide/system/auditing/group.yml b/linux_os/guide/system/auditing/group.yml
+index 586caa9..82f87e8 100644
+--- a/linux_os/guide/system/auditing/group.yml
++++ b/linux_os/guide/system/auditing/group.yml
+@@ -101,3 +101,6 @@ description: |-
+ the process, which in this case, is exe="/usr/sbin/httpd".
+ 
+ 
++
++platform: machine
++
+diff --git a/linux_os/guide/system/auditing/grub2_audit_argument/rule.yml b/linux_os/guide/system/auditing/grub2_audit_argument/rule.yml
+index 3e63c36..d8c5495 100644
+--- a/linux_os/guide/system/auditing/grub2_audit_argument/rule.yml
++++ b/linux_os/guide/system/auditing/grub2_audit_argument/rule.yml
+@@ -69,4 +69,3 @@ warnings:
+ {{% endif %}}
+ 
+ 
+-platform: machine
+diff --git a/linux_os/guide/system/auditing/grub2_audit_backlog_limit_argument/rule.yml b/linux_os/guide/system/auditing/grub2_audit_backlog_limit_argument/rule.yml
+index b61c67d..ad03a9c 100644
+--- a/linux_os/guide/system/auditing/grub2_audit_backlog_limit_argument/rule.yml
++++ b/linux_os/guide/system/auditing/grub2_audit_backlog_limit_argument/rule.yml
+@@ -52,3 +52,5 @@ warnings:
+
    ~]# grub2-mkconfig -o /boot/efi/EFI/fedora/grub.cfg
    + {{% endif %}}
+ 
++
++platform: machine
+diff --git a/linux_os/guide/system/auditing/service_auditd_enabled/rule.yml b/linux_os/guide/system/auditing/service_auditd_enabled/rule.yml
+index b181588..91a4e67 100644
+--- a/linux_os/guide/system/auditing/service_auditd_enabled/rule.yml
++++ b/linux_os/guide/system/auditing/service_auditd_enabled/rule.yml
+@@ -48,4 +48,3 @@ references:
+ 
+ ocil: '{{{ ocil_service_enabled(service="auditd") }}}'
+ 
+-platform: machine
+diff --git a/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/rule.yml b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/rule.yml
+index e5c8052..0c8992e 100644
+--- a/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/rule.yml
++++ b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/rule.yml
+@@ -22,3 +22,5 @@ references:
+ nist: SC-39
+ 
+ {{{ complete_ocil_entry_sysctl_option_value(sysctl="kernel.kptr_restrict", value="1") }}}
++
++platform: machine
+diff --git a/linux_os/guide/system/permissions/restrictions/grub2_vsyscall_argument/rule.yml b/linux_os/guide/system/permissions/restrictions/grub2_vsyscall_argument/rule.yml
+index c2d4f7a..8431198 100644
+--- a/linux_os/guide/system/permissions/restrictions/grub2_vsyscall_argument/rule.yml
++++ b/linux_os/guide/system/permissions/restrictions/grub2_vsyscall_argument/rule.yml
+@@ -50,3 +50,5 @@ warnings:
+
    ~]# grub2-mkconfig -o /boot/efi/EFI/fedora/grub.cfg
    + {{% endif %}}
+ 
++
++platform: machine
+diff --git a/linux_os/guide/system/permissions/restrictions/poisoning/grub2_page_poison_argument/rule.yml b/linux_os/guide/system/permissions/restrictions/poisoning/grub2_page_poison_argument/rule.yml
+index bedc3d4..97aa564 100644
+--- a/linux_os/guide/system/permissions/restrictions/poisoning/grub2_page_poison_argument/rule.yml
++++ b/linux_os/guide/system/permissions/restrictions/poisoning/grub2_page_poison_argument/rule.yml
+@@ -53,3 +53,5 @@ warnings:
+
    ~]# grub2-mkconfig -o /boot/efi/EFI/fedora/grub.cfg
    + {{% endif %}}
+ 
++
++platform: machine
+diff --git a/linux_os/guide/system/permissions/restrictions/poisoning/grub2_slub_debug_argument/rule.yml b/linux_os/guide/system/permissions/restrictions/poisoning/grub2_slub_debug_argument/rule.yml
+index bee9f1a..7762bfe 100644
+--- a/linux_os/guide/system/permissions/restrictions/poisoning/grub2_slub_debug_argument/rule.yml
++++ b/linux_os/guide/system/permissions/restrictions/poisoning/grub2_slub_debug_argument/rule.yml
+@@ -53,3 +53,5 @@ warnings:
+
    ~]# grub2-mkconfig -o /boot/efi/EFI/fedora/grub.cfg
    + {{% endif %}}
+ 
++
++platform: machine
+diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_kexec_load_disabled/rule.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_kexec_load_disabled/rule.yml
+index 1213164..e359566 100644
+--- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_kexec_load_disabled/rule.yml
++++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_kexec_load_disabled/rule.yml
+@@ -17,3 +17,4 @@ identifiers:
+ 
+ {{{ complete_ocil_entry_sysctl_option_value(sysctl="kernel.kexec_load_disabled", value="1") }}}
+ 
++platform: machine
+diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_yama_ptrace_scope/rule.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_yama_ptrace_scope/rule.yml
+index 86f0748..ad39585 100644
+--- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_yama_ptrace_scope/rule.yml
++++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_yama_ptrace_scope/rule.yml
+@@ -19,3 +19,4 @@ identifiers:
+ 
+ {{{ complete_ocil_entry_sysctl_option_value(sysctl="kernel.yama.ptrace_scope", value="1") }}}
+ 
++platform: machine
+diff --git a/linux_os/guide/system/selinux/selinux_user_login_roles/rule.yml b/linux_os/guide/system/selinux/selinux_user_login_roles/rule.yml
+index fc1f87b..80844ca 100644
+--- a/linux_os/guide/system/selinux/selinux_user_login_roles/rule.yml
++++ b/linux_os/guide/system/selinux/selinux_user_login_roles/rule.yml
+@@ -54,3 +54,5 @@ ocil: |-
+ All authorized non-administrative
+ users must be mapped to the user_u role or the appropriate domain
+ (user_t). 
++
++platform: machine
+diff --git a/linux_os/guide/system/software/integrity/fips/enable_fips_mode/rule.yml b/linux_os/guide/system/software/integrity/fips/enable_fips_mode/rule.yml
+index b1315e1..94ebc4a 100644
+--- a/linux_os/guide/system/software/integrity/fips/enable_fips_mode/rule.yml
++++ b/linux_os/guide/system/software/integrity/fips/enable_fips_mode/rule.yml
+@@ -53,5 +53,3 @@ warnings:
+

    + See {{{ weblink(link="http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/1401vend.htm") }}}
+ for a list of FIPS certified vendors.
+-
+-platform: machine
+diff --git a/linux_os/guide/system/software/integrity/fips/etc_system_fips_exists/rule.yml b/linux_os/guide/system/software/integrity/fips/etc_system_fips_exists/rule.yml
+index 303119f..c640718 100644
+--- a/linux_os/guide/system/software/integrity/fips/etc_system_fips_exists/rule.yml
++++ b/linux_os/guide/system/software/integrity/fips/etc_system_fips_exists/rule.yml
+@@ -41,5 +41,3 @@ warnings:
+

    + See {{{ weblink(link="http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/1401vend.htm") }}}
+ for a list of FIPS certified vendors.
+-
+-platform: machine
+diff --git a/linux_os/guide/system/software/integrity/fips/group.yml b/linux_os/guide/system/software/integrity/fips/group.yml
+index d8719f6..abcfc29 100644
+--- a/linux_os/guide/system/software/integrity/fips/group.yml
++++ b/linux_os/guide/system/software/integrity/fips/group.yml
+@@ -14,3 +14,5 @@ description: |-
+ Security Levels 1, 2, 3, or 4 for use on {{{ full_name }}}.
+

    + See {{{ weblink(link="http://csrc.nist.gov/publications/PubsFIPS.html") }}} for more information.
++
++platform: machine
+diff --git a/linux_os/guide/system/software/integrity/fips/grub2_enable_fips_mode/rule.yml b/linux_os/guide/system/software/integrity/fips/grub2_enable_fips_mode/rule.yml
+index 21687ed..1395d85 100644
+--- a/linux_os/guide/system/software/integrity/fips/grub2_enable_fips_mode/rule.yml
++++ b/linux_os/guide/system/software/integrity/fips/grub2_enable_fips_mode/rule.yml
+@@ -70,5 +70,3 @@ warnings:
+

    + See {{{ weblink(link="http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/1401vend.htm") }}}
+ for a list of FIPS certified vendors.
+-
+-platform: machine
+diff --git a/linux_os/guide/system/software/integrity/fips/sysctl_crypto_fips_enabled/rule.yml b/linux_os/guide/system/software/integrity/fips/sysctl_crypto_fips_enabled/rule.yml
+index dac5329..f27dd2f 100644
+--- a/linux_os/guide/system/software/integrity/fips/sysctl_crypto_fips_enabled/rule.yml
++++ b/linux_os/guide/system/software/integrity/fips/sysctl_crypto_fips_enabled/rule.yml
+@@ -49,5 +49,3 @@ warnings:
+

    + See {{{ weblink(link="http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/1401vend.htm") }}}
+ for a list of FIPS certified vendors.
+-
+-platform: machine
diff --git a/SOURCES/scap-security-guide-0.1.45-mark_rules_as_machine_only_v2.patch b/SOURCES/scap-security-guide-0.1.45-mark_rules_as_machine_only_v2.patch
deleted file mode 100644
index 7e5961c..0000000
--- a/SOURCES/scap-security-guide-0.1.45-mark_rules_as_machine_only_v2.patch
+++ /dev/null
@@ -1,1007 +0,0 @@
-commit 470fb4275710c828f3cdd91ce65c69f78e2e6451
-Author: Gabriel Becker
-Date: Fri Apr 5 16:28:44 2019 +0200
-
- Mark rules not applicable for container as machine only.
-
-diff --git a/linux_os/guide/services/obsolete/inetd_and_xinetd/group.yml b/linux_os/guide/services/obsolete/inetd_and_xinetd/group.yml
-index 6acdd02..79d7023 100644
---- a/linux_os/guide/services/obsolete/inetd_and_xinetd/group.yml
-+++ b/linux_os/guide/services/obsolete/inetd_and_xinetd/group.yml
-@@ -10,3 +10,5 @@ description: |-
- controls and perform some logging. It has been largely obsoleted by other
- features, and it is not installed by default. The older Inetd service
- is not even available as part of {{{ full_name }}}.
-+
-+platform: machine
-diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/install_smartcard_packages.rule b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/install_smartcard_packages.rule
-index 5c58455..815097b 100644
---- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/install_smartcard_packages.rule
-+++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/install_smartcard_packages.rule
-@@ -37,5 +37,3 @@ ocil: |-
- To verify the operating system has the packages required for multifactor
- authentication installed, run the following command:
-
    $ sudo yum list installed esc pam_pkcs11 authconfig-gtk
    --
--platform: machine
-diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/smartcard_auth.rule b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/smartcard_auth.rule
-index e4c0870..5b01b62 100644
---- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/smartcard_auth.rule
-+++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/smartcard_auth.rule
-@@ -41,5 +41,3 @@ references:
- ocil_clause: 'non-exempt accounts are not using CAC authentication'
-
- ocil: "Interview the SA to determine if all accounts not exempted by policy are\nusing CAC authentication.\nFor DoD systems, the following systems and accounts are exempt from using\nsmart card (CAC) authentication:\n
      \n
    • SIPRNET systems
    • \n
    • Standalone systems
    • \n
    • Application accounts
    • \n
    • Temporary employee accounts, such as students or interns, who cannot easily receive a CAC or PIV
    • \n
    • Operational tactical locations that are not collocated with RAPIDS workstations to issue CAC or ALT
    • \n
    • Test systems, such as those with an Interim Approval to Test (IATT) and use a separate VPN, firewall, or security measure preventing access to network and system components from outside the protection boundary documented in the IATT.
    • \n
    "
--
--platform: machine
-diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/smartcard_configure_cert_checking.rule b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/smartcard_configure_cert_checking.rule
-index c68db6d..9af1126 100644
---- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/smartcard_configure_cert_checking.rule
-+++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/smartcard_configure_cert_checking.rule
-@@ -42,5 +42,3 @@ ocil: |-
-
    cert_policy = ca, ocsp_on, signature;
    -     cert_policy = ca, ocsp_on, signature;
    -     cert_policy = ca, ocsp_on, signature;
    --
--platform: machine
-diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_chmod.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_chmod.rule
-index 98fb3f8..b3bba5b 100644
---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_chmod.rule
-+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_chmod.rule
-@@ -58,4 +58,3 @@ warnings:
- have been placed independent of other system calls. Grouping these system
- calls with others as identifying earlier in this guide is more efficient.
-
--platform: machine
-diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_chown.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_chown.rule
-index 77be3c4..c3e5036 100644
---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_chown.rule
-+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_chown.rule
-@@ -56,4 +56,3 @@ warnings:
- have been placed independent of other system calls. Grouping these system
- calls with others as identifying earlier in this guide is more efficient.
-
--platform: machine
-diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchmod.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchmod.rule
-index e530ea9..76bb69d 100644
---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchmod.rule
-+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchmod.rule
-@@ -56,4 +56,3 @@ warnings:
- have been placed independent of other system calls. Grouping these system
- calls with others as identifying earlier in this guide is more efficient.
-
--platform: machine
-diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchmodat.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchmodat.rule
-index 2410fc9..502e3a0 100644
---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchmodat.rule
-+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchmodat.rule
-@@ -56,4 +56,3 @@ warnings:
- have been placed independent of other system calls. Grouping these system
- calls with others as identifying earlier in this guide is more efficient.
-
--platform: machine
-diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchown.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchown.rule
-index 4f0c7e7..d980704 100644
---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchown.rule
-+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchown.rule
-@@ -56,4 +56,3 @@ warnings:
- have been placed independent of other system calls. Grouping these system
- calls with others as identifying earlier in this guide is more efficient.
-
--platform: machine
-diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchownat.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchownat.rule
-index 12d51f8..99d2083 100644
---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchownat.rule
-+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchownat.rule
-@@ -56,4 +56,3 @@ warnings:
- have been placed independent of other system calls. Grouping these system
- calls with others as identifying earlier in this guide is more efficient.
-
--platform: machine
-diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fremovexattr.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fremovexattr.rule
-index b0ff227..bda4448 100644
---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fremovexattr.rule
-+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fremovexattr.rule
-@@ -62,4 +62,3 @@ warnings:
- have been placed independent of other system calls. Grouping these system
- calls with others as identifying earlier in this guide is more efficient.
-
--platform: machine
-diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fsetxattr.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fsetxattr.rule
-index 4e19015..e5ba297 100644
---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fsetxattr.rule
-+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fsetxattr.rule
-@@ -56,4 +56,3 @@ warnings:
- have been placed independent of other system calls. Grouping these system
- calls with others as identifying earlier in this guide is more efficient.
-
--platform: machine
-diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lchown.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lchown.rule
-index 39fb8bd..d88a48f 100644
---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lchown.rule
-+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lchown.rule
-@@ -56,4 +56,3 @@ warnings:
- have been placed independent of other system calls. Grouping these system
- calls with others as identifying earlier in this guide is more efficient.
-
--platform: machine
-diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lremovexattr.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lremovexattr.rule
-index 52d0c85..0b0100e 100644
---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lremovexattr.rule
-+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lremovexattr.rule
-@@ -62,4 +62,3 @@ warnings:
- have been placed independent of other system calls. Grouping these system
- calls with others as identifying earlier in this guide is more efficient.
-
--platform: machine
-diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lsetxattr.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lsetxattr.rule
-index f7ffae4..07222b0 100644
---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lsetxattr.rule
-+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lsetxattr.rule
-@@ -56,4 +56,3 @@ warnings:
- have been placed independent of other system calls. Grouping these system
- calls with others as identifying earlier in this guide is more efficient.
-
--platform: machine
-diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_removexattr.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_removexattr.rule
-index 3ff38cf..f27667d 100644
---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_removexattr.rule
-+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_removexattr.rule
-@@ -61,4 +61,3 @@ warnings:
- have been placed independent of other system calls. Grouping these system
- calls with others as identifying earlier in this guide is more efficient.
-
--platform: machine
-diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_setxattr.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_setxattr.rule
-index da633bd..ccc90e8 100644
---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_setxattr.rule
-+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_setxattr.rule
-@@ -56,4 +56,3 @@ warnings:
- have been placed independent of other system calls. Grouping these system
- calls with others as identifying earlier in this guide is more efficient.
-
--platform: machine
-diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_chcon.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_chcon.rule
-index f2c7891..8e40014 100644
---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_chcon.rule
-+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_chcon.rule
-@@ -47,5 +47,3 @@ ocil: |-
-
    $ sudo grep "path=/usr/bin/chcon" /etc/audit/audit.rules /etc/audit/rules.d/*
    - The output should return something similar to:
-
    -a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged-priv_change
    --
--platform: machine
-diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_restorecon.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_restorecon.rule
-index ea42555..2a97b84 100644
---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_restorecon.rule
-+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_restorecon.rule
-@@ -46,5 +46,3 @@ ocil: |-
-
    $ sudo grep "path=/usr/sbin/restorecon" /etc/audit/audit.rules /etc/audit/rules.d/*
    - The output should return something similar to:
-
    -a always,exit -F path=/usr/sbin/restorecon -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged-priv_change
    --
--platform: machine
-diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_semanage.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_semanage.rule
-index dd62afa..c2aedce 100644
---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_semanage.rule
-+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_semanage.rule
-@@ -47,5 +47,3 @@ ocil: |-
-
    $ sudo grep "path=/usr/sbin/semanage" /etc/audit/audit.rules /etc/audit/rules.d/*
    - The output should return something similar to:
-
    -a always,exit -F path=/usr/sbin/semanage -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged-priv_change
    --
--platform: machine
-diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_setsebool.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_setsebool.rule
-index 2804b8d..247453e 100644
---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_setsebool.rule
-+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_setsebool.rule
-@@ -47,5 +47,3 @@ ocil: |-
-
    $ sudo grep "path=/usr/sbin/setsebool" /etc/audit/audit.rules /etc/audit/rules.d/*
    - The output should return something similar to:
-
    -a always,exit -F path=/usr/sbin/setsebool -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged-priv_change
    --
--platform: machine
-diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events.rule
-index d110f8a..916af4c 100644
---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events.rule
-+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events.rule
-@@ -66,4 +66,3 @@ warnings:
-
  • audit_rules_file_deletion_events_unlinkat
  •
-
-
--platform: machine
-diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_rename.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_rename.rule
-index 51b1d54..80eb011 100644
---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_rename.rule
-+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_rename.rule
-@@ -41,4 +41,3 @@ references:
-
- {{{ complete_ocil_entry_audit_syscall(syscall="rename") }}}
-
--platform: machine
-diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_renameat.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_renameat.rule
-index 96133fc..b219eda 100644
---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_renameat.rule
-+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_renameat.rule
-@@ -41,4 +41,3 @@ references:
-
- {{{ complete_ocil_entry_audit_syscall(syscall="renameat") }}}
-
--platform: machine
-diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_rmdir.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_rmdir.rule
-index 21abd3a..37e7fb2 100644
---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_rmdir.rule
-+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_rmdir.rule
-@@ -41,4 +41,3 @@ references:
-
- 
{{{ complete_ocil_entry_audit_syscall(syscall="rmdir") }}}
-
--platform: machine
-diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_unlink.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_unlink.rule
-index 25c2ec2..7c392bc 100644
---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_unlink.rule
-+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_unlink.rule
-@@ -41,4 +41,3 @@ references:
-
- {{{ complete_ocil_entry_audit_syscall(syscall="unlink") }}}
-
--platform: machine
-diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_unlinkat.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_unlinkat.rule
-index 390a4e5..793f9b0 100644
---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_unlinkat.rule
-+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_unlinkat.rule
-@@ -41,4 +41,3 @@ references:
-
- {{{ complete_ocil_entry_audit_syscall(syscall="unlinkat") }}}
-
--platform: machine
-diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_delete.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_delete.rule
-index 370fbab..58e81a1 100644
---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_delete.rule
-+++ 
b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_delete.rule
-@@ -39,4 +39,3 @@ references:
-
- {{{ complete_ocil_entry_audit_syscall(syscall="delete_module") }}}
-
--platform: machine
-diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_finit.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_finit.rule
-index d86680d..992bce9 100644
---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_finit.rule
-+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_finit.rule
-@@ -37,4 +37,3 @@ references:
-
- {{{ complete_ocil_entry_audit_syscall(syscall="finit_module") }}}
-
--platform: machine
-diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_init.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_init.rule
-index 01de6c8..7631ecd 100644
---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_init.rule
-+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_init.rule
-@@ -38,4 +38,3 @@ references:
-
- {{{ complete_ocil_entry_audit_syscall(syscall="init_module") }}}
-
--platform: machine
-diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_insmod.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_insmod.rule
-index 9610d30..3c4e05f 100644
---- 
a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_insmod.rule
-+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_insmod.rule
-@@ -41,5 +41,3 @@ ocil_clause: 'there is not output'
- ocil: |-
- To verify that auditing is configured for system administrator actions, run the following command:
-
    $ sudo auditctl -l | grep "watch=/usr/sbin/insmod"
    --
--platform: machine
-diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_modprobe.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_modprobe.rule
-index bd266b8..8ce37aa 100644
---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_modprobe.rule
-+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_modprobe.rule
-@@ -41,5 +41,3 @@ ocil_clause: 'there is not output'
- ocil: |-
- To verify that auditing is configured for system administrator actions, run the following command:
-
    $ sudo auditctl -l | grep "watch=/usr/sbin/modprobe"
    --
--platform: machine
-diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_rmmod.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_rmmod.rule
-index b913129..7ab7824 100644
---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_rmmod.rule
-+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_rmmod.rule
-@@ -41,5 +41,3 @@ ocil_clause: 'there is not output'
- ocil: |-
- To verify that auditing is configured for system administrator actions, run the following command:
-
    $ sudo auditctl -l | grep "watch=/usr/sbin/rmmod"
    --
--platform: machine
-diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events.rule
-index 11d187d..20edbdf 100644
---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events.rule
-+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events.rule
-@@ -54,4 +54,3 @@ warnings:
-
  • audit_rules_login_events_lastlog
  •
-
-
--platform: machine
-diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_faillock.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_faillock.rule
-index b730fdd..78f9d91 100644
---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_faillock.rule
-+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_faillock.rule
-@@ -43,5 +43,3 @@ ocil_clause: 'there is not output'
- ocil: |-
- To verify that auditing is configured for system administrator actions, run the following command:
-
    $ sudo auditctl -l | grep "watch=/var/log/faillock"
    --
--platform: machine
-diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_lastlog.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_lastlog.rule
-index 83c5cb7..6c1919d 100644
---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_lastlog.rule
-+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_lastlog.rule
-@@ -43,5 +43,3 @@ ocil_clause: 'there is not output'
- ocil: |-
- To verify that auditing is configured for system administrator actions, run the following command:
-
    $ sudo auditctl -l | grep "watch=/var/log/lastlog"
    --
--platform: machine
-diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_tallylog.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_tallylog.rule
-index 9a9770a..b0eed40 100644
---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_tallylog.rule
-+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_tallylog.rule
-@@ -43,5 +43,3 @@ ocil_clause: 'there is not output'
- ocil: |-
- To verify that auditing is configured for system administrator actions, run the following command:
-
    $ sudo auditctl -l | grep "watch=/var/log/tallylog"
    --
--platform: machine
-diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands.rule
-index 3815429..b6ec543 100644
---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands.rule
-+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands.rule
-@@ -82,4 +82,3 @@ warnings:
-
  • audit_rules_privileged_commands_passwd
  •
-
-
--platform: machine
-diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_chage.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_chage.rule
-index 9d6c828..5d0478a 100644
---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_chage.rule
-+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_chage.rule
-@@ -49,4 +49,3 @@ ocil: |-
-
    $ sudo grep chage /etc/audit/audit.rules /etc/audit/rules.d/*
    - It should return a relevant line in the audit rules.
-
--platform: machine
-diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_chsh.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_chsh.rule
-index ac5c38a..e89b93f 100644
---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_chsh.rule
-+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_chsh.rule
-@@ -49,4 +49,3 @@ ocil: |-
-
    $ sudo grep chsh /etc/audit/audit.rules /etc/audit/rules.d/*
    - It should return a relevant line in the audit rules.
-
--platform: machine
-diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_crontab.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_crontab.rule
-index 03bcb6c..dfffee9 100644
---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_crontab.rule
-+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_crontab.rule
-@@ -49,4 +49,3 @@ ocil: |-
-
    $ sudo grep crontab /etc/audit/audit.rules /etc/audit/rules.d/*
    - It should return a relevant line in the audit rules.
-
--platform: machine
-diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_gpasswd.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_gpasswd.rule
-index 5c8c407..7d77eb9 100644
---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_gpasswd.rule
-+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_gpasswd.rule
-@@ -50,4 +50,3 @@ ocil: |-
-
    $ sudo grep gpasswd /etc/audit/audit.rules /etc/audit/rules.d/*
    - It should return a relevant line in the audit rules.
-
--platform: machine
-diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_newgrp.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_newgrp.rule
-index b8f8e5c..e97e83c 100644
---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_newgrp.rule
-+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_newgrp.rule
-@@ -50,4 +50,3 @@ ocil: |-
-
    $ sudo grep newgrp /etc/audit/audit.rules /etc/audit/rules.d/*
    - It should return a relevant line in the audit rules. - --platform: machine -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_pam_timestamp_check.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_pam_timestamp_check.rule -index fda2e0c..6398885 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_pam_timestamp_check.rule -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_pam_timestamp_check.rule -@@ -49,4 +49,3 @@ ocil: |- -
    $ sudo grep pam_timestamp_check /etc/audit/audit.rules /etc/audit/rules.d/*
    - It should return a relevant line in the audit rules. - --platform: machine -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_passwd.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_passwd.rule -index cb41772..fc955cd 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_passwd.rule -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_passwd.rule -@@ -50,4 +50,3 @@ ocil: |- -
    $ sudo grep passwd /etc/audit/audit.rules /etc/audit/rules.d/*
    - It should return a relevant line in the audit rules. - --platform: machine -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_postdrop.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_postdrop.rule -index 6f3f787..1f55e04 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_postdrop.rule -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_postdrop.rule -@@ -49,4 +49,3 @@ ocil: |- -
    $ sudo grep postdrop /etc/audit/audit.rules /etc/audit/rules.d/*
    - It should return a relevant line in the audit rules. - --platform: machine -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_postqueue.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_postqueue.rule -index d6f4eeb..91a9d64 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_postqueue.rule -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_postqueue.rule -@@ -49,4 +49,3 @@ ocil: |- -
    $ sudo grep postqueue /etc/audit/audit.rules /etc/audit/rules.d/*
    - It should return a relevant line in the audit rules. - --platform: machine -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_pt_chown.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_pt_chown.rule -index 21e0a11..293a033 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_pt_chown.rule -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_pt_chown.rule -@@ -47,4 +47,3 @@ ocil: |- -
    $ sudo grep pt_chown /etc/audit/audit.rules /etc/audit/rules.d/*
    - It should return a relevant line in the audit rules. - --platform: machine -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_ssh_keysign.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_ssh_keysign.rule -index fa7ff2b..4bb59ae 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_ssh_keysign.rule -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_ssh_keysign.rule -@@ -50,4 +50,3 @@ ocil: |- -
    $ sudo grep ssh-keysign /etc/audit/audit.rules /etc/audit/rules.d/*
    - It should return a relevant line in the audit rules. - --platform: machine -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_su.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_su.rule -index d791805..7c2e986 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_su.rule -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_su.rule -@@ -50,4 +50,3 @@ ocil: |- -
    $ sudo grep su /etc/audit/audit.rules /etc/audit/rules.d/*
    - It should return a relevant line in the audit rules. - --platform: machine -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_sudo.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_sudo.rule -index e8b3585..4103c8a 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_sudo.rule -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_sudo.rule -@@ -50,4 +50,3 @@ ocil: |- -
    $ sudo grep sudo /etc/audit/audit.rules /etc/audit/rules.d/*
    - It should return a relevant line in the audit rules. - --platform: machine -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_sudoedit.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_sudoedit.rule -index 8984a84..6f2fd62 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_sudoedit.rule -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_sudoedit.rule -@@ -50,4 +50,3 @@ ocil: |- -
    $ sudo grep sudoedit /etc/audit/audit.rules /etc/audit/rules.d/*
    - It should return a relevant line in the audit rules. - --platform: machine -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_umount.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_umount.rule -index 5b636ea..db6d4db 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_umount.rule -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_umount.rule -@@ -49,4 +49,3 @@ ocil: |- -
    $ sudo grep umount /etc/audit/audit.rules /etc/audit/rules.d/*
    - It should return a relevant line in the audit rules. - --platform: machine -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_unix_chkpwd.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_unix_chkpwd.rule -index 205bf97..743ea9f 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_unix_chkpwd.rule -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_unix_chkpwd.rule -@@ -50,4 +50,3 @@ ocil: |- -
    $ sudo grep unix_chkpwd /etc/audit/audit.rules /etc/audit/rules.d/*
    - It should return a relevant line in the audit rules. - --platform: machine -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_userhelper.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_userhelper.rule -index 91f31f3..97c3683 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_userhelper.rule -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_userhelper.rule -@@ -50,4 +50,3 @@ ocil: |- -
    $ sudo grep userhelper /etc/audit/audit.rules /etc/audit/rules.d/*
    - It should return a relevant line in the audit rules. - --platform: machine -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_immutable.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_immutable.rule -index 2c42c74..991abcf 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_immutable.rule -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_immutable.rule -@@ -37,5 +37,3 @@ references: - hipaa: 164.308(a)(1)(ii)(D),164.308(a)(3)(ii)(A),164.308(a)(5)(ii)(C),164.312(a)(2)(i),164.310(a)(2)(iv),164.312(d),164.310(d)(2)(iii),164.312(b),164.312(e) - nist: AC-6,AU-1(b),AU-2(a),AU-2(c),AU-2(d),IR-5 - pcidss: Req-10.5.2 -- --platform: machine -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_mac_modification.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_mac_modification.rule -index 5952dbb..0636d42 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_mac_modification.rule -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_mac_modification.rule -@@ -48,4 +48,3 @@ ocil: |- - configuration, a line should be returned (including - perm=wa indicating permissions that are watched). - --platform: machine -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_media_export.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_media_export.rule -index 28c64ca..2ec5b8d 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_media_export.rule -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_media_export.rule -@@ -51,4 +51,3 @@ ocil: |- - To verify that auditing is configured for all media exportation events, run the following command: -
    $ sudo auditctl -l | grep syscall | grep mount
    - --platform: machine -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_networkconfig_modification.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_networkconfig_modification.rule -index 55e1893..9ee65de 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_networkconfig_modification.rule -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_networkconfig_modification.rule -@@ -56,4 +56,3 @@ ocil: |- - If the system is configured to watch for network configuration changes, a line should be returned for - each file specified (and perm=wa should be indicated for each). - --platform: machine -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_session_events.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_session_events.rule -index 017a053..e63f61a 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_session_events.rule -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_session_events.rule -@@ -41,5 +41,3 @@ references: - nist: AC-17(7),AU-1(b),AU-2(a),AU-2(c),AU-2(d),AU-12(a),AU-12(c),IR-5 - ospp@rhel7: FAU_GEN.1.1.c - pcidss: Req-10.2.3 -- --platform: machine -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sysadmin_actions.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sysadmin_actions.rule -index 3be1932..15c33a2 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sysadmin_actions.rule -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sysadmin_actions.rule -@@ -47,5 +47,3 @@ ocil_clause: 'there is not output' - ocil: |- - To verify that auditing is configured for system administrator actions, run the following command: -
    $ sudo auditctl -l | grep "watch=/etc/sudoers\|watch=/etc/sudoers.d"
    -- --platform: machine -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown.rule -index d40c9df..7be7503 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown.rule -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown.rule -@@ -47,4 +47,3 @@ ocil: |- - The output should contain: -
    -f 2
    - --platform: machine -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification.rule -index 2838470..2278906 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification.rule -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification.rule -@@ -69,4 +69,3 @@ warnings: -
  • audit_rules_usergroup_modification_passwd
  • - - --platform: machine -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_group.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_group.rule -index 143e63b..1a5251f 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_group.rule -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_group.rule -@@ -53,4 +53,3 @@ ocil: |- - If the system is configured to watch for account changes, lines should be returned for - each file specified (and with perm=wa for each). - --platform: machine -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_gshadow.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_gshadow.rule -index 5e14989..0d54b2f 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_gshadow.rule -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_gshadow.rule -@@ -53,4 +53,3 @@ ocil: |- - If the system is configured to watch for account changes, lines should be returned for - each file specified (and with perm=wa for each). - --platform: machine -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_opasswd.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_opasswd.rule -index 9e7ce3d..0567184 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_opasswd.rule -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_opasswd.rule -@@ -53,4 +53,3 @@ ocil: |- - If the system is configured to watch for account changes, lines should be returned for - each file specified (and with perm=wa for each). 
- --platform: machine -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_passwd.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_passwd.rule -index 76bce57..1c97a40 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_passwd.rule -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_passwd.rule -@@ -53,4 +53,3 @@ ocil: |- - If the system is configured to watch for account changes, lines should be returned for - each file specified (and with perm=wa for each). - --platform: machine -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_shadow.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_shadow.rule -index 74819f5..4076bac 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_shadow.rule -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_shadow.rule -@@ -53,4 +53,3 @@ ocil: |- - If the system is configured to watch for account changes, lines should be returned for - each file specified (and with perm=wa for each). 
- --platform: machine -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_adjtimex.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_adjtimex.rule -index 9dc2ceb..6e86964 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_adjtimex.rule -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_adjtimex.rule -@@ -52,4 +52,3 @@ ocil_clause: 'the system is not configured to audit time changes' - - {{{ complete_ocil_entry_audit_syscall(syscall="adjtimex") }}} - --platform: machine -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_clock_settime.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_clock_settime.rule -index 436f5f0..66e7f7c 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_clock_settime.rule -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_clock_settime.rule -@@ -52,4 +52,3 @@ ocil_clause: 'the system is not configured to audit time changes' - - {{{ complete_ocil_entry_audit_syscall(syscall="clock_settime") }}} - --platform: machine -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_settimeofday.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_settimeofday.rule -index 22ec976..654fd13 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_settimeofday.rule -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_settimeofday.rule -@@ -52,4 +52,3 @@ ocil_clause: 'the system is not configured to audit time changes' - - {{{ complete_ocil_entry_audit_syscall(syscall="settimeofday") }}} - --platform: machine -diff 
--git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_stime.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_stime.rule -index 0572156..4c0ca3c 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_stime.rule -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_stime.rule -@@ -58,4 +58,3 @@ ocil: |- - If the system is 64-bit only, this is not applicable
    - {{{ complete_ocil_entry_audit_syscall(syscall="stime") }}} - --platform: machine -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_watch_localtime.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_watch_localtime.rule -index 2fb8f7d..d4c02a2 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_watch_localtime.rule -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_watch_localtime.rule -@@ -51,4 +51,3 @@ ocil: |- -
    $ sudo auditctl -l | grep "watch=/etc/localtime"
    - If the system is configured to audit this activity, it will return a line. - --platform: machine -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification.rule -index ea42793..1e2437a 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification.rule -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification.rule -@@ -70,4 +70,3 @@ warnings: -
  • audit_rules_unsuccessful_file_modification_creat
  • - - --platform: machine -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_creat.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_creat.rule -index a328ff9..bd91a9f 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_creat.rule -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_creat.rule -@@ -55,4 +55,3 @@ warnings: - have been placed independent of other system calls. Grouping these system - calls with others as identifying earlier in this guide is more efficient. - --platform: machine -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_ftruncate.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_ftruncate.rule -index 6229398..8fadeaa 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_ftruncate.rule -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_ftruncate.rule -@@ -55,4 +55,3 @@ warnings: - have been placed independent of other system calls. Grouping these system - calls with others as identifying earlier in this guide is more efficient. 
- --platform: machine -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_open.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_open.rule -index 13f12fe..656de99 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_open.rule -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_open.rule -@@ -55,4 +55,3 @@ warnings: - have been placed independent of other system calls. Grouping these system - calls with others as identifying earlier in this guide is more efficient. - --platform: machine -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_open_by_handle_at.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_open_by_handle_at.rule -index ce4193a..30ee748 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_open_by_handle_at.rule -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_open_by_handle_at.rule -@@ -55,4 +55,3 @@ warnings: - have been placed independent of other system calls. Grouping these system - calls with others as identifying earlier in this guide is more efficient. 
- --platform: machine -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_openat.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_openat.rule -index 6f3c38a..532f355 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_openat.rule -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_openat.rule -@@ -55,4 +55,3 @@ warnings: - have been placed independent of other system calls. Grouping these system - calls with others as identifying earlier in this guide is more efficient. - --platform: machine -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_truncate.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_truncate.rule -index f6e0263..d7d37ac 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_truncate.rule -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_truncate.rule -@@ -55,4 +55,3 @@ warnings: - have been placed independent of other system calls. Grouping these system - calls with others as identifying earlier in this guide is more efficient. 
- --platform: machine -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/directory_access_var_log_audit.rule b/linux_os/guide/system/auditing/auditd_configure_rules/directory_access_var_log_audit.rule -index acf6fc6..b892c5a 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/directory_access_var_log_audit.rule -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/directory_access_var_log_audit.rule -@@ -31,3 +31,5 @@ ocil: |- - /var/log/audit directory, run the following command: -
    $ sudo grep "dir=/var/log/audit" /etc/audit/audit.rules
    - If the system is configured to audit this activity, it will return a line. -+ -+platform: machine -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/file_ownership_var_log_audit.rule b/linux_os/guide/system/auditing/auditd_configure_rules/file_ownership_var_log_audit.rule -index 14d41d0..543f887 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/file_ownership_var_log_audit.rule -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/file_ownership_var_log_audit.rule -@@ -34,4 +34,3 @@ ocil: |- - {{{ describe_file_owner(file="/var/log/audit", owner="root") }}} - {{{ describe_file_owner(file="/var/log/audit/*", owner="root") }}} - --platform: machine -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/file_permissions_var_log_audit.rule b/linux_os/guide/system/auditing/auditd_configure_rules/file_permissions_var_log_audit.rule -index 319b1bb..39ddc5b 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/file_permissions_var_log_audit.rule -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/file_permissions_var_log_audit.rule -@@ -36,4 +36,3 @@ ocil: |- -
    $ sudo ls -l /var/log/audit
    - Audit logs must be mode 0640 or less permissive. - --platform: machine -diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_configure_remote_server.rule b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_configure_remote_server.rule -index 94af473..c5cf669 100644 ---- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_configure_remote_server.rule -+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_configure_remote_server.rule -@@ -38,4 +38,3 @@ ocil: |- - is an IP address or hostname: -
    remote_server = REMOTE_SYSTEM
    - --platform: machine -diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_disk_full_action.rule b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_disk_full_action.rule -index 502843d..e4e96d4 100644 ---- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_disk_full_action.rule -+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_disk_full_action.rule -@@ -41,4 +41,3 @@ ocil: |- - Acceptable values also include syslog and - halt. - --platform: machine -diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_encrypt_sent_records.rule b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_encrypt_sent_records.rule -index 07d36df..94292ff 100644 ---- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_encrypt_sent_records.rule -+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_encrypt_sent_records.rule -@@ -34,5 +34,3 @@ ocil: |- -
    $ sudo grep -i enable_krb5 /etc/audisp/audisp-remote.conf
    - The output should return the following: -
    enable_krb5 = yes
    -- --platform: machine -diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_network_failure_action.rule b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_network_failure_action.rule -index 7fc5566..79b8909 100644 ---- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_network_failure_action.rule -+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_network_failure_action.rule -@@ -41,4 +41,3 @@ ocil: |- - Acceptable values also include syslog and - halt. - --platform: machine -diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_syslog_plugin_activated.rule b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_syslog_plugin_activated.rule -index c2891ab..75edf6a 100644 ---- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_syslog_plugin_activated.rule -+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_syslog_plugin_activated.rule -@@ -40,5 +40,3 @@ ocil: |- - To verify the audispd's syslog plugin is active, run the following command: -
    $ sudo grep active /etc/audisp/plugins.d/syslog.conf
    - If the plugin is active, the output will show yes. -- --platform: machine -diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_action_mail_acct.rule b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_action_mail_acct.rule -index cabdc03..3b45bc2 100644 ---- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_action_mail_acct.rule -+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_action_mail_acct.rule -@@ -44,4 +44,3 @@ ocil: |- - account when it needs to notify an administrator: -
    action_mail_acct = root
    - --platform: machine -diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_admin_space_left_action.rule b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_admin_space_left_action.rule -index 7bad632..46102a1 100644 ---- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_admin_space_left_action.rule -+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_admin_space_left_action.rule -@@ -49,4 +49,3 @@ ocil: |- - or halt when disk space has run low: -
    admin_space_left_action single
    - --platform: machine -diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_flush.rule b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_flush.rule -index 5475a85..a070c4a 100644 ---- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_flush.rule -+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_flush.rule -@@ -38,4 +38,3 @@ ocil: |- - Acceptable values are DATA, and SYNC. The setting is - case-insensitive. - --platform: machine -diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_max_log_file.rule b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_max_log_file.rule -index 06ec11d..b123481 100644 ---- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_max_log_file.rule -+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_max_log_file.rule -@@ -41,4 +41,3 @@ ocil: |- - $ sudo grep max_log_file /etc/audit/auditd.conf -
    max_log_file = 6
    - --platform: machine -diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_max_log_file_action.rule b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_max_log_file_action.rule -index 609ca46..1c90f9e 100644 ---- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_max_log_file_action.rule -+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_max_log_file_action.rule -@@ -52,4 +52,3 @@ ocil: |- - $ sudo grep max_log_file_action /etc/audit/auditd.conf -
    max_log_file_action rotate
    - --platform: machine -diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_num_logs.rule b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_num_logs.rule -index 5b1debc..619b19e 100644 ---- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_num_logs.rule -+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_num_logs.rule -@@ -40,4 +40,3 @@ ocil: |- - $ sudo grep num_logs /etc/audit/auditd.conf -
    num_logs = 5
    - --platform: machine -diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left.rule b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left.rule -index d86ae02..c6fd4ea 100644 ---- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left.rule -+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left.rule -@@ -40,4 +40,3 @@ ocil: |- - determine if the system is configured correctly: -
    space_left SIZE_in_MB
    - --platform: machine -diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left_action.rule b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left_action.rule -index 7b4360f..65523e0 100644 ---- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left_action.rule -+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left_action.rule -@@ -58,4 +58,3 @@ ocil: |- -
    space_left_action
    - Acceptable values are email, suspend, single, and halt. - --platform: machine -diff --git a/linux_os/guide/system/auditing/grub2_audit_argument.rule b/linux_os/guide/system/auditing/grub2_audit_argument.rule -index 29c451c..68d4f49 100644 ---- a/linux_os/guide/system/auditing/grub2_audit_argument.rule -+++ b/linux_os/guide/system/auditing/grub2_audit_argument.rule -@@ -57,5 +57,3 @@ warnings: -
  • On UEFI-based machines, issue the following command as root: -
    ~]# grub2-mkconfig -o /boot/efi/EFI/redhat/grub.cfg
  • - -- --platform: machine -diff --git a/linux_os/guide/system/auditing/grub2_audit_backlog_limit_argument.rule b/linux_os/guide/system/auditing/grub2_audit_backlog_limit_argument.rule -index 361a6b9..82cd257 100644 ---- a/linux_os/guide/system/auditing/grub2_audit_backlog_limit_argument.rule -+++ b/linux_os/guide/system/auditing/grub2_audit_backlog_limit_argument.rule -@@ -49,3 +49,5 @@ warnings: -
    ~]# grub2-mkconfig -o /boot/efi/EFI/fedora/grub.cfg
    - {{% endif %}} - -+ -+platform: machine -diff --git a/linux_os/guide/system/auditing/service_auditd_enabled.rule b/linux_os/guide/system/auditing/service_auditd_enabled.rule -index ce32390..058a689 100644 ---- a/linux_os/guide/system/auditing/service_auditd_enabled.rule -+++ b/linux_os/guide/system/auditing/service_auditd_enabled.rule -@@ -42,4 +42,3 @@ references: - - ocil: '{{{ ocil_service_enabled(service="auditd") }}}' - --platform: machine -diff --git a/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict.rule b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict.rule -index 492d2e7..eb56d1c 100644 ---- a/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict.rule -+++ b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict.rule -@@ -17,3 +17,5 @@ references: - anssi: NT28(R23) - - {{{ complete_ocil_entry_sysctl_option_value(sysctl="kernel.kptr_restrict", value="1") }}} -+ -+platform: machine -diff --git a/linux_os/guide/system/permissions/restrictions/grub2_vsyscall_argument.rule b/linux_os/guide/system/permissions/restrictions/grub2_vsyscall_argument.rule -index 8773f24..d9d53c2 100644 ---- a/linux_os/guide/system/permissions/restrictions/grub2_vsyscall_argument.rule -+++ b/linux_os/guide/system/permissions/restrictions/grub2_vsyscall_argument.rule -@@ -47,3 +47,5 @@ warnings: -
    ~]# grub2-mkconfig -o /boot/efi/EFI/fedora/grub.cfg
    - {{% endif %}} - -+ -+platform: machine -diff --git a/linux_os/guide/system/permissions/restrictions/poisoning/grub2_page_poison_argument.rule b/linux_os/guide/system/permissions/restrictions/poisoning/grub2_page_poison_argument.rule -index 9056613..b72c6b5 100644 ---- a/linux_os/guide/system/permissions/restrictions/poisoning/grub2_page_poison_argument.rule -+++ b/linux_os/guide/system/permissions/restrictions/poisoning/grub2_page_poison_argument.rule -@@ -50,3 +50,5 @@ warnings: -
    ~]# grub2-mkconfig -o /boot/efi/EFI/fedora/grub.cfg
    - {{% endif %}} - -+ -+platform: machine -diff --git a/linux_os/guide/system/permissions/restrictions/poisoning/grub2_slub_debug_argument.rule b/linux_os/guide/system/permissions/restrictions/poisoning/grub2_slub_debug_argument.rule -index ea982ee..970025d 100644 ---- a/linux_os/guide/system/permissions/restrictions/poisoning/grub2_slub_debug_argument.rule -+++ b/linux_os/guide/system/permissions/restrictions/poisoning/grub2_slub_debug_argument.rule -@@ -50,3 +50,5 @@ warnings: -
    ~]# grub2-mkconfig -o /boot/efi/EFI/fedora/grub.cfg
    - {{% endif %}} - -+ -+platform: machine -diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_kexec_load_disabled.rule b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_kexec_load_disabled.rule -index a8fc871..463cda6 100644 ---- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_kexec_load_disabled.rule -+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_kexec_load_disabled.rule -@@ -15,3 +15,4 @@ severity: unknown - - {{{ complete_ocil_entry_sysctl_option_value(sysctl="kernel.kexec_load_disabled", value="1") }}} - -+platform: machine -diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_yama_ptrace_scope.rule b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_yama_ptrace_scope.rule -index 67b7ff8..44febe9 100644 ---- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_yama_ptrace_scope.rule -+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_yama_ptrace_scope.rule -@@ -17,3 +17,4 @@ severity: unknown - - {{{ complete_ocil_entry_sysctl_option_value(sysctl="kernel.yama.ptrace_scope", value="1") }}} - -+platform: machine -diff --git a/linux_os/guide/system/selinux/selinux_user_login_roles.rule b/linux_os/guide/system/selinux/selinux_user_login_roles.rule -index 47690e0..65cbf1f 100644 ---- a/linux_os/guide/system/selinux/selinux_user_login_roles.rule -+++ b/linux_os/guide/system/selinux/selinux_user_login_roles.rule -@@ -54,3 +54,5 @@ ocil: |- - All authorized non-administrative - users must be mapped to the user_u role or the appropriate domain - (user_t). 
-+ -+platform: machine -diff --git a/linux_os/guide/system/software/integrity/fips/group.yml b/linux_os/guide/system/software/integrity/fips/group.yml -index 75916e9..e9ff7cb 100644 ---- a/linux_os/guide/system/software/integrity/fips/group.yml -+++ b/linux_os/guide/system/software/integrity/fips/group.yml -@@ -14,3 +14,5 @@ description: |- - Security Levels 1, 2, 3, or 4 for use on Red Hat Enterprise Linux. -

    - See {{{ weblink(link="http://csrc.nist.gov/publications/PubsFIPS.html") }}} for more information. -+ -+platform: machine -diff --git a/linux_os/guide/system/software/integrity/fips/grub2_enable_fips_mode.rule b/linux_os/guide/system/software/integrity/fips/grub2_enable_fips_mode.rule -index c1223d6..4f70107 100644 ---- a/linux_os/guide/system/software/integrity/fips/grub2_enable_fips_mode.rule -+++ b/linux_os/guide/system/software/integrity/fips/grub2_enable_fips_mode.rule -@@ -60,5 +60,3 @@ warnings: -

    - See {{{ weblink(link="http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/1401vend.htm") }}} - for a list of FIPS certified vendors. -- --platform: machine
diff --git a/SOURCES/scap-security-guide-0.1.45-smartcards_not_applicable_to_containers.patch
new file mode 100644
index 0000000..2f8b167
--- /dev/null
+++ b/SOURCES/scap-security-guide-0.1.45-smartcards_not_applicable_to_containers.patch
@@ -0,0 +1,31 @@
+From eebf6eaae22d6d993b9351a0ccaad55ca2bff3d6 Mon Sep 17 00:00:00 2001
+From: Marek Haicman
+Date: Fri, 24 May 2019 12:33:57 +0200
+Subject: [PATCH] Smartcard not applicable to containers
+
+Smartcard configuration make sense on the host, not in general container base.
+---
+ .../accounts-physical/screen_locking/smart_card_login/group.yml | 2 ++
+ .../smart_card_login/service_pcscd_enabled/rule.yml | 2 --
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/group.yml b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/group.yml
+index e1ee1122bd..5a2b0728cb 100644
+--- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/group.yml
++++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/group.yml
+@@ -11,3 +11,5 @@ description: |-
+ In Red Hat Enterprise Linux servers and workstations, hardware token login
+ {{% endif %}}
+ is not enabled by default and must be enabled in the system settings.
++
++platform: machine
+diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/service_pcscd_enabled/rule.yml b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/service_pcscd_enabled/rule.yml
+index 03e37fd889..a49f9e755f 100644
+--- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/service_pcscd_enabled/rule.yml
++++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/service_pcscd_enabled/rule.yml
+@@ -33,5 +33,3 @@ references:
+ ocil_clause: 'the pcscd service is not enabled'
+
+ ocil: '{{{ ocil_service_enabled(service="pcscd") }}}'
+-
+-platform: machine
diff --git a/SPECS/scap-security-guide.spec
index 52a097d..7104577 100644
--- a/SPECS/scap-security-guide.spec
+++ b/SPECS/scap-security-guide.spec
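Review bot: Dropping `platform: machine` from service_pcscd_enabled/rule.yml in the second inner hunk only keeps that rule out of container scans if the content build propagates the `platform: machine` now set on smart_card_login/group.yml down to every rule in the group; if the 0.1.43 snapshot this spec patches does not inherit group-level platforms (the spec still carries separate mark_rules_as_machine_only patches, which suggests the support was backported piecemeal), the rule silently loses its container exclusion and the pcscd check fails in containers again. Worth verifying on a built datastream that service_pcscd_enabled still carries the machine CPE, or keeping the rule-level `platform: machine` line alongside the group one until that is confirmed.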
@@ -1,4 +1,4 @@
-%global redhatssgversion 40
+%global redhatssgversion 43
# Somehow, _pkgdocdir is already defined and points to unversioned docs dir
# RHEL 7.X uses versioned docs dir, hence the definition below
@@ -11,52 +11,36 @@ Summary: Security guidance and baselines in SCAP formats
Group: System Environment/Base
License: BSD-3-Clause
-URL: https://github.com/OpenSCAP/scap-security-guide
+URL: https://github.com/ComplianceAsCode/content
Source0: %{name}-%{version}.tar.bz2
-Patch1: scap-security-guide-0.1.33-update-upstream-manual-page.patch
-Patch2: scap-security-guide-0.1.41-restrict-remediation-for-dev-shm.patch
-Patch3: scap-security-guide-0.1.41-drop-dev-cdrom-fix.patch
-Patch4: scap-security-guide-0.1.41-install-dracut-fips.patch
-Patch5: scap-security-guide-0.1.41-audit_unset_4294967295.patch
-Patch6: scap-security-guide-0.1.41-audit_file_deletion.patch
-Patch7: scap-security-guide-0.1.41-audit_misc_improvements.patch
-Patch8: scap-security-guide-0.1.41-audit_file_ownership.patch
-Patch9: scap-security-guide-0.1.41-audit_file_permission.patch
-Patch10: scap-security-guide-0.1.41-audit_log_access.patch
-Patch11: scap-security-guide-0.1.41-audit_privileged_commands.patch
-Patch12: scap-security-guide-0.1.41-audit_file_open.patch
-Patch13: scap-security-guide-0.1.41-audit_file_open_ospp.patch
-Patch14: scap-security-guide-0.1.41-audit_passwd_log_writes.patch
-Patch15: scap-security-guide-0.1.41-ospp_enable.patch
-Patch16: scap-security-guide-0.1.41-template_syscall_rules.patch
-Patch17: scap-security-guide-0.1.41-template_syscall_rules_ospp.patch
-Patch18: scap-security-guide-0.1.41-template_watch_path.patch
-Patch19: scap-security-guide-0.1.41-template_watch_path_build_templates.patch
-Patch20: scap-security-guide-0.1.41-fix_audit_rules_unsuccessful_file_modification_regex.patch
-Patch21: scap-security-guide-0.1.41-fix_unauthorized_syscall_regex.patch
-Patch22: scap-security-guide-0.1.41-fix_syscall_in_last_position.patch
-Patch23: scap-security-guide-0.1.41-fix_dconf_gnome_screensaver_lock_enabled.patch
-Patch24: scap-security-guide-0.1.41-untemplate_var_tmp.patch
-Patch25: scap-security-guide-0.1.41-bash_and_tests_for_grub2_audit_argument.patch
-Patch26: scap-security-guide-0.1.41-small_bash_fix_for_gnome_screensaver_lock_delay.patch
-Patch27: scap-security-guide-0.1.41-select_missing_arpc_for_OSPP42.patch
-Patch28: scap-security-guide-0.1.41-fix_owners_groups.patch
-Patch29: scap-security-guide-0.1.41-packages_abrt_sendmail_removed.patch
-Patch30: scap-security-guide-0.1.41-dev_shm_mount_option.patch
-Patch31: scap-security-guide-0.1.41-sysctl_kernel.patch
-Patch32: scap-security-guide-0.1.41-kptr_restrict.patch
-Patch33: scap-security-guide-0.1.41-grub2_bootloader_arguments.patch
-Patch34: scap-security-guide-0.1.41-profile_title_rename_etc.patch
-Patch35: scap-security-guide-0.1.42-rule_yml_platform_tag_support.patch
-Patch36: scap-security-guide-0.1.42-mark_rules_as_machine_only.patch
-Patch37: scap-security-guide-0.1.45-mark_rules_as_machine_only_v2.patch
-Patch38: scap-security-guide-0.1.44-cpe-shadow-utils.patch
-Patch39: scap-security-guide-0.1.44-cpe-pam-systemd-yum.patch
-Patch40: scap-security-guide-0.1.44-cpe-gdm.patch
-Patch41: scap-security-guide-0.1.44-cpe-remaining.patch
-Patch42: scap-security-guide-0.1.44-update-cpe-dictionary.patch
-Patch999: centos-debranding.patch
-
+Patch1: scap-security-guide-0.1.44-rule_pcsc-lite_installed.patch
+Patch2: scap-security-guide-0.1.44-fix_no_direct_root_logins_changed_when.patch
+Patch3: scap-security-guide-0.1.44-rules_docker_psacct_installed.patch
+Patch4: scap-security-guide-0.1.44-fix_removed_sebooleans.patch
+Patch5: scap-security-guide-0.1.44-fix_ansible_sssd_tasks.patch
+Patch6: scap-security-guide-0.1.44-template_file_permissions_use_regex.patch
+Patch7: scap-security-guide-0.1.44-fix_rpm_verify_permissions.patch
+Patch8: scap-security-guide-0.1.44-fix_stig_duplicated_audit_rules.patch
+Patch9: scap-security-guide-0.1.45-mark_rules_as_machine_only.patch
+Patch10: scap-security-guide-0.1.44-cpe-shadow-utils.patch
+Patch11: scap-security-guide-0.1.44-cpe-pam-systemd-yum.patch
+Patch12: scap-security-guide-0.1.44-cpe-gdm.patch
+Patch13: scap-security-guide-0.1.44-cpe-remaining.patch
+Patch14: scap-security-guide-0.1.44-update-cpe-dictionary.patch
+Patch15: scap-security-guide-0.1.44-mark_selinux_rules_as_machine_only.patch
+Patch16: scap-security-guide-0.1.44-mark_service_disabled_rules_as_machine_only.patch
+Patch17: scap-security-guide-0.1.44-remove_gpgcheck_repo_from_profiles.patch
+Patch18: scap-security-guide-0.1.44-deduplicate_cce_assigned_to_rules.patch
+Patch19: evaluate_new_package_cpes_to_true.patch
+Patch20: scap-security-guide-0.1.44-deduplicate_cce_assigned_to_rules2.patch
+Patch21: scap-security-guide-0.1.45-fix_rule_sssd_ssh_known_hosts_timeout.patch
+Patch22: add-missing-tags-and-platforms.patch
+Patch23: scap-security-guide-0.1.45-fix_ansible_sssd_ssh_known_hosts_timeout.patch
+Patch24: remove_dconf_use_text_backend_rule_from_profiles.patch
+Patch25: scap-security-guide-0.1.45-aide_not_applicable_to_containers.patch
+Patch26: scap-security-guide-0.1.45-smartcards_not_applicable_to_containers.patch
+Patch27: scap-security-guide-0.1.45-add_rule_dconf_db_up_to_date.patch
+Patch28: scap-security-guide-0.1.45-fix_dconf_remediation.patch
BuildArch: noarch
BuildRequires: libxslt, expat, python, openscap-scanner >= 1.2.16, python-jinja2, cmake >= 2.8, PyYAML
@@ -84,12 +68,14 @@ been generated from XCCDF benchmarks present in %{name} package.
%prep
%setup -q -n %{name}-%{version}
+# Workaround to remove Python byte cache files from the upstream sources
+# See https://github.com/ComplianceAsCode/content/issues/4042
+find . -name '*.pyc' -exec rm -f {} ';'
mkdir build
-# Update manual page to drop the part dedicated to Fedora content
-%patch1 -p1 -b .man_page_update
-%patch2 -p1 -b .remediation_for_dev_shm
-%patch3 -p1 -b .remediation_for_dev_cdrom
-%patch4 -p1 -b .install_dracut_fips
+%patch1 -p1
+%patch2 -p1
+%patch3 -p1
+%patch4 -p1
%patch5 -p1
%patch6 -p1
%patch7 -p1
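Review bot: Three of the new patch names break the `scap-security-guide-<upstream version>-<topic>.patch` convention every other entry in the list follows: `Patch19: evaluate_new_package_cpes_to_true.patch`, `Patch22: add-missing-tags-and-platforms.patch` and `Patch24: remove_dconf_use_text_backend_rule_from_profiles.patch`. The version prefix is what tells a maintainer which upstream release a backport was lifted from, and it is the only provenance the spec records for a patch, so these three are worth renaming now rather than after the list grows. The same applies to the `%patch` lines that apply them in the following hunk.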
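Review bot: The new `find . -name '*.pyc' -exec rm -f {} ';'` in `%prep` forks one `rm` per file where `find . -name '*.pyc' -delete` does the same job in a single, more idiomatic line. The comment above it names the upstream issue but not the actual hazard, which is what a maintainer will want before deciding whether the workaround can go: under the unversioned `python` this spec build-requires, a `.pyc` with no matching `.py` is still importable, so stale bytecode shipped in the tarball could be picked up by the build tooling in place of the sources the patches modify — something like `# Orphaned .pyc files from the tarball stay importable and could shadow the patched sources` would capture that. Dropping the `-b` backup suffixes from `%patch1`–`%patch4` is a reasonable cleanup, since the backup copies served no purpose in the build tree.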
@@ -114,40 +100,34 @@ mkdir build %patch26 -p1 %patch27 -p1 %patch28 -p1 -%patch29 -p1 -%patch30 -p1 -%patch31 -p1 -%patch32 -p1 -%patch33 -p1 -%patch34 -p1 -%patch35 -p1 -%patch36 -p1 -%patch37 -p1 -%patch38 -p1 -%patch39 -p1 -%patch40 -p1 -%patch41 -p1 -%patch42 -p1 -%patch999 -p1 %build mkdir -p build && cd build %cmake -D CMAKE_INSTALL_DOCDIR=%{_pkgdocdir} \ +-DSSG_PRODUCT_EXAMPLE:BOOL=OFF \ -DSSG_PRODUCT_CHROMIUM:BOOL=OFF \ -DSSG_PRODUCT_DEBIAN8:BOOL=OFF \ -DSSG_PRODUCT_FEDORA:BOOL=OFF \ +-DSSG_PRODUCT_FIREFOX:BOOL=ON \ -DSSG_PRODUCT_JBOSS_EAP6:BOOL=OFF \ -DSSG_PRODUCT_JBOSS_FUSE6:BOOL=OFF \ +-DSSG_PRODUCT_JBOSS_JRE:BOOL=ON \ -DSSG_PRODUCT_OCP3:BOOL=OFF \ -DSSG_PRODUCT_OPENSUSE:BOOL=OFF \ --DSSG_PRODUCT_OSP7:BOOL=OFF \ +-DSSG_PRODUCT_OSP13:BOOL=OFF \ +-DSSG_PRODUCT_RHEL6:BOOL=ON \ +-DSSG_PRODUCT_RHEL7:BOOL=ON \ +-DSSG_PRODUCT_RHEL8:BOOL=OFF \ +-DSSG_PRODUCT_RHV4:BOOL=OFF \ -DSSG_PRODUCT_SUSE11:BOOL=OFF \ -DSSG_PRODUCT_SUSE12:BOOL=OFF \ -DSSG_PRODUCT_UBUNTU14:BOOL=OFF \ -DSSG_PRODUCT_UBUNTU16:BOOL=OFF \ +-DSSG_PRODUCT_UBUNTU18:BOOL=OFF \ -DSSG_PRODUCT_WRLINUX:BOOL=OFF \ -DSSG_PRODUCT_OL7:BOOL=OFF \ --DSSG_CENTOS_DERIVATIVES_ENABLED:BOOL=ON \ +-DSSG_PRODUCT_OL8:BOOL=OFF \ +-DSSG_CENTOS_DERIVATIVES_ENABLED:BOOL=OFF \ -DSSG_SCIENTIFIC_LINUX_DERIVATIVES_ENABLED:BOOL=OFF \ ../ make %{?_smp_mflags} 
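Review bot: Flipping `-DSSG_CENTOS_DERIVATIVES_ENABLED:BOOL=ON` to `OFF` here, together with removing `Patch999: centos-debranding.patch` and `%patch999 -p1` in the earlier hunks, presumably leaves the RHEL6/RHEL7 datastreams this spec now builds (`-DSSG_PRODUCT_RHEL6:BOOL=ON`, `-DSSG_PRODUCT_RHEL7:BOOL=ON`) with only Red Hat platform CPEs. On a CentOS host a scan with such content would report every rule as notapplicable, which looks like a clean pass rather than a failure, so if this package is still meant to be rebuilt for CentOS (the changelog entry being dropped says the previous build was debranded) the derivative switch should stay `ON` or the re-debranding step should be made explicit. If an unmodified RHEL import is the intent, a one-line comment above the `%cmake` call saying so would spare the next maintainer the same question.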
@@ -178,12 +158,51 @@ cd build
%doc build/guides/ssg-*-guide-*.html
%changelog
-* Tue Apr 23 2019 Johnny Hughes
-- Manual CentOS Debranding
+* Wed Jun 12 2019 Matěj Týč - 0.1.43-13
+- Fixed the shared dconf bash remediation (RHBZ#1631378)
+
+* Mon Jun 03 2019 Jan Černý - 0.1.43-12
+- Make aide and smart card rules not applicable to containers (RHBZ#1711893)
+- Added rule dconf_db_up_to_date to ensure dconf databases are up-to-date (RHBZ#1631378)
+
+* Fri May 24 2019 Gabriel Becker - 0.1.43-11
+- Remove faulty dconf_use_text_backend rule from all profiles (Reverts RHBZ#1631378)
+
+* Thu May 23 2019 Gabriel Becker - 0.1.43-10
+- Fixed Ansible remediation for sssd_ssh_known_hosts_timeout (RHBZ#1599179)
+
+* Mon May 20 2019 Jan Černý - 0.1.43-9
+- Fixed missing Ansible tags and platform checks (RHBZ#1685950)
+
+* Fri May 17 2019 Gabriel Becker - 0.1.43-8
+- Fixed OVAL check for sssd_ssh_known_hosts_timeout and added bash remediation (RHBZ#1599179)
+
+* Fri May 10 2019 Watson Yuuma Sato - 0.1.43-7
+- Fix handling of package CPE during generation of Ansible playbooks (RHBZ#1647189)
+
+* Fri May 10 2019 Watson Yuuma Sato - 0.1.43-6
+- Deduplicated more CCEs assigned to rules (RHBZ#1703092)
+
+* Thu Apr 25 2019 Gabriel Becker - 0.1.43-5
+- Remove ensure_gpgcheck_repo_metadata rule from profiles (RHBZ#1703010)
+- Deduplicate CCE assigned to rules (RHBZ#1703092)
+
+* Tue Apr 23 2019 Gabriel Becker - 0.1.43-4
+- Mark SELinux rules as machine only (RHBZ#1630739)
+- Mark service disabled rules as machine only (RHBZ#1630739)
+
+* Mon Apr 08 2019 Gabriel Becker - 0.1.43-3
+- Mark rules which were not applicable for containers as machine only (RHBZ#1630739)
+- Fix content support for UBI-Minimal (RHBZ#1695213)
+
+* Mon Mar 25 2019 Watson Yuuma Sato - 0.1.43-2
+- Fixes for smooth Ansible playbooks run (RHBZ#1647189)
+- Fix Ansible template for file permissions (RHBZ#1686007)
+- Fix remediation of rule rpm_verify_permissions (RHBZ#1686005)
+- Fix remediation of audit rules for privileged commands (RHBZ#1687826)
-* Thu Apr 11 2019 Gabriel Becker - 0.1.40-13
-- Added support to platform tag and mark rules as machine only (RHBZ#1698752)
-- Fix content support for UBI-Minimal (RHBZ#1698751)
+* Fri Mar 01 2019 Jan Černý - 0.1.43-1
+- Update to the latest upstream release (RHBZ#1684545)
* Tue Sep 25 2018 Watson Yuuma Sato - 0.1.40-12
- Fix malformed patch for removal of abrt and sendmail (RHBZ#1619689)