diff --git a/.gitignore b/.gitignore
index 1c1c8af..ef19f89 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1 @@
-SOURCES/scap-security-guide-0.1.43.tar.bz2
+SOURCES/scap-security-guide-0.1.46.tar.bz2
diff --git a/.scap-security-guide.metadata b/.scap-security-guide.metadata
index fd5976d..26ee133 100644
--- a/.scap-security-guide.metadata
+++ b/.scap-security-guide.metadata
@@ -1 +1 @@
-9ccdd4a8e5f34af380aaef4348b206803f4ca075 SOURCES/scap-security-guide-0.1.43.tar.bz2
+05a9c42472d6918e10d25df002ab6b3c3d379016 SOURCES/scap-security-guide-0.1.46.tar.bz2
diff --git a/SOURCES/add-missing-tags-and-platforms.patch b/SOURCES/add-missing-tags-and-platforms.patch
deleted file mode 100644
index 21f1aa6..0000000
--- a/SOURCES/add-missing-tags-and-platforms.patch
+++ /dev/null
@@ -1,768 +0,0 @@ -From a732c5c1d77f96438f866928839639f92df9f36f Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= -Date: Mon, 20 May 2019 15:36:17 +0200 -Subject: [PATCH] Add missing tags and platform assertions - -Some tasks were missing tags, but they were dependencies of -other tasks. When user run the generated playbook with --tags, -those dependent tasks weren't evaluated and then the whole -playbook failed. For example rhbz#1685950. ---- - .../sssd_enable_smartcards/ansible/shared.yml | 7 ++++++- - .../sssd_memcache_timeout/ansible/shared.yml | 7 ++++++- - .../ansible/shared.yml | 7 ++++++- - .../ansible/shared.yml | 7 ++++++- - .../ansible/shared.yml | 6 ++++-- - .../configure_opensc_nss_db/ansible/shared.yml | 11 +++++++---- - .../ansible/shared.yml | 6 ++++-- - .../no_direct_root_logins/ansible/shared.yml | 3 +++ - .../ansible/shared.yml | 14 ++++++++++++-- - .../ansible/shared.yml | 17 +++++++++++++++-- - .../ansible/shared.yml | 14 ++++++++++++-- - .../ansible/shared.yml | 14 ++++++++++++-- - .../ansible/shared.yml | 3 +++ - .../configure_crypto_policy/ansible/shared.yml | 3 +++ - .../ansible/shared.yml | 4 +++- - .../ansible/shared.yml | 4 +++- - .../ansible/shared.yml | 3 +++ - ...emplate_ANSIBLE_audit_rules_dac_modification | 14 ++++++++++++-- - ...ate_ANSIBLE_audit_rules_file_deletion_events | 14 ++++++++++++-- - .../template_ANSIBLE_audit_rules_login_events | 14 ++++++++++++-- - ...late_ANSIBLE_audit_rules_privileged_commands | 11 +++++++++-- - ...E_audit_rules_unsuccessful_file_modification | 14 ++++++++++++-- - ...e_ANSIBLE_audit_rules_usergroup_modification | 14 ++++++++++++-- - .../templates/template_ANSIBLE_file_groupowner | 3 +++ - shared/templates/template_ANSIBLE_file_owner | 3 +++ - .../templates/template_ANSIBLE_file_permissions | 5 ++++- - .../template_ANSIBLE_file_regex_permissions | 1 + - shared/templates/template_ANSIBLE_sebool_var | 2 ++ - 28 files changed, 190 insertions(+), 35 deletions(-) - -diff --git 
a/linux_os/guide/services/sssd/sssd_enable_smartcards/ansible/shared.yml b/linux_os/guide/services/sssd/sssd_enable_smartcards/ansible/shared.yml -index f6dbdf4..2232b83 100644 ---- a/linux_os/guide/services/sssd/sssd_enable_smartcards/ansible/shared.yml -+++ b/linux_os/guide/services/sssd/sssd_enable_smartcards/ansible/shared.yml -@@ -8,6 +8,9 @@ - register: test_grep_domain - ignore_errors: yes - changed_when: False -+ tags: -+ @ANSIBLE_TAGS@ -+ @ANSIBLE_ENSURE_PLATFORM@ - - - name: "Add default domain group (if no domain there)" - ini_file: -@@ -20,7 +23,9 @@ - with_items: - - { section: sssd, option: domains, value: default} - - { section: domain/default, option: id_provider, value: files } -- when: test_grep_domain.stdout == "" -+ when: test_grep_domain.stdout == "" and @ANSIBLE_PLATFORM_CONDITION@ -+ tags: -+ @ANSIBLE_TAGS@ - - name: "Enable Smartcards in SSSD" - ini_file: - dest: /etc/sssd/sssd.conf -diff --git a/linux_os/guide/services/sssd/sssd_memcache_timeout/ansible/shared.yml b/linux_os/guide/services/sssd/sssd_memcache_timeout/ansible/shared.yml -index 3cf2af4..a5f7658 100644 ---- a/linux_os/guide/services/sssd/sssd_memcache_timeout/ansible/shared.yml -+++ b/linux_os/guide/services/sssd/sssd_memcache_timeout/ansible/shared.yml -@@ -10,6 +10,9 @@ - register: test_grep_domain - ignore_errors: yes - changed_when: False -+ tags: -+ @ANSIBLE_TAGS@ -+ @ANSIBLE_ENSURE_PLATFORM@ - - - name: "Add default domain group (if no domain there)" - ini_file: -@@ -22,7 +25,9 @@ - with_items: - - { section: sssd, option: domains, value: default} - - { section: domain/default, option: id_provider, value: files } -- when: test_grep_domain.stdout == "" -+ when: test_grep_domain.stdout == "" and @ANSIBLE_PLATFORM_CONDITION@ -+ tags: -+ @ANSIBLE_TAGS@ - - - name: "Configure SSSD's Memory Cache to Expire" - ini_file: -diff --git a/linux_os/guide/services/sssd/sssd_offline_cred_expiration/ansible/shared.yml 
b/linux_os/guide/services/sssd/sssd_offline_cred_expiration/ansible/shared.yml -index f2cddfd..f8d0b00 100644 ---- a/linux_os/guide/services/sssd/sssd_offline_cred_expiration/ansible/shared.yml -+++ b/linux_os/guide/services/sssd/sssd_offline_cred_expiration/ansible/shared.yml -@@ -8,6 +8,9 @@ - register: test_grep_domain - ignore_errors: yes - changed_when: False -+ tags: -+ @ANSIBLE_TAGS@ -+ @ANSIBLE_ENSURE_PLATFORM@ - - - name: "Add default domain group (if no domain there)" - ini_file: -@@ -20,7 +23,9 @@ - with_items: - - { section: sssd, option: domains, value: default} - - { section: domain/default, option: id_provider, value: files } -- when: test_grep_domain.stdout == "" -+ when: test_grep_domain.stdout == "" and @ANSIBLE_PLATFORM_CONDITION@ -+ tags: -+ @ANSIBLE_TAGS@ - - - name: "Configure SSD to Expire Offline Credentials" - ini_file: -diff --git a/linux_os/guide/services/sssd/sssd_ssh_known_hosts_timeout/ansible/shared.yml b/linux_os/guide/services/sssd/sssd_ssh_known_hosts_timeout/ansible/shared.yml -index 61bd798..d7f246e 100644 ---- a/linux_os/guide/services/sssd/sssd_ssh_known_hosts_timeout/ansible/shared.yml -+++ b/linux_os/guide/services/sssd/sssd_ssh_known_hosts_timeout/ansible/shared.yml -@@ -10,6 +10,9 @@ - register: test_grep_domain - ignore_errors: yes - changed_when: False -+ tags: -+ @ANSIBLE_TAGS@ -+ @ANSIBLE_ENSURE_PLATFORM@ - - - name: "Add default domain group (if no domain there)" - ini_file: -@@ -22,7 +25,9 @@ - with_items: - - { section: sssd, option: domains, value: default} - - { section: domain/default, option: id_provider, value: files } -- when: test_grep_domain.stdout == "" -+ when: test_grep_domain.stdout == "" and @ANSIBLE_PLATFORM_CONDITION@ -+ tags: -+ @ANSIBLE_TAGS@ - - - name: "Configure SSSD to Expire SSH Known Hosts" - ini_file: -diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/configure_opensc_card_drivers/ansible/shared.yml 
b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/configure_opensc_card_drivers/ansible/shared.yml -index f4617b1..69f488a 100644 ---- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/configure_opensc_card_drivers/ansible/shared.yml -+++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/configure_opensc_card_drivers/ansible/shared.yml -@@ -9,6 +9,9 @@ - stat: - path: /etc/opensc-{{ ansible_architecture }}.conf - register: opensc_conf_cd -+ tags: -+ @ANSIBLE_TAGS@ -+ @ANSIBLE_ENSURE_PLATFORM@ - - - name: "@RULE_TITLE@" - lineinfile: -@@ -16,7 +19,6 @@ - line: ' card_drivers = {{ var_smartcard_drivers }}' - regexp: '(^\s+#|^)\s+card_drivers\s+=\s+.*' - state: present -- when: opensc_conf_cd.stat.exists -+ when: opensc_conf_cd.stat.exists and @ANSIBLE_PLATFORM_CONDITION@ - tags: - @ANSIBLE_TAGS@ -- @ANSIBLE_ENSURE_PLATFORM@ -diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/configure_opensc_nss_db/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/configure_opensc_nss_db/ansible/shared.yml -index 1e1dee5..dcef0b6 100644 ---- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/configure_opensc_nss_db/ansible/shared.yml -+++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/configure_opensc_nss_db/ansible/shared.yml -@@ -3,10 +3,13 @@ - # strategy = configure - # complexity = low - # disruption = low --- name: Check existence of pkcs11-switch -- stat: -- path: /usr/bin/pkcs11-switch -- register: pkcs11switch -+- name: Check existence of pkcs11-switch -+ stat: -+ path: /usr/bin/pkcs11-switch -+ register: pkcs11switch -+ tags: -+ @ANSIBLE_TAGS@ -+ @ANSIBLE_ENSURE_PLATFORM@ - - - name: Get NSS database smart card configuration - command: /usr/bin/pkcs11-switch -diff --git 
a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/force_opensc_card_drivers/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/force_opensc_card_drivers/ansible/shared.yml -index 30452e8..a5da032 100644 ---- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/force_opensc_card_drivers/ansible/shared.yml -+++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/force_opensc_card_drivers/ansible/shared.yml -@@ -9,6 +9,9 @@ - stat: - path: /etc/opensc-{{ ansible_architecture }}.conf - register: opensc_conf_fcd -+ tags: -+ @ANSIBLE_TAGS@ -+ @ANSIBLE_ENSURE_PLATFORM@ - - - name: "@RULE_TITLE@" - lineinfile: -@@ -16,7 +19,6 @@ - line: ' force_card_driver = {{ var_smartcard_drivers }}' - regexp: '(^\s+#|^)\s+force_card_driver\s+=\s+.*' - state: present -- when: opensc_conf_fcd.stat.exists -+ when: opensc_conf_fcd.stat.exists and @ANSIBLE_PLATFORM_CONDITION@ - tags: - @ANSIBLE_TAGS@ -- @ANSIBLE_ENSURE_PLATFORM@ -diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/ansible/shared.yml -index 7b20eed..e4e5e0f 100644 ---- a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/ansible/shared.yml -+++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/ansible/shared.yml -@@ -7,6 +7,9 @@ - stat: - path: /etc/securetty - register: securetty_empty -+ tags: -+ @ANSIBLE_TAGS@ -+ @ANSIBLE_ENSURE_PLATFORM@ - - - name: "Direct root Logins Not Allowed" - shell: echo > /etc/securetty -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_create/ansible/shared.yml 
b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_create/ansible/shared.yml -index bd42214..39f35f0 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_create/ansible/shared.yml -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_create/ansible/shared.yml -@@ -7,6 +7,9 @@ - - name: Set architecture for audit create_module tasks - set_fact: - audit_arch: "b{{ ansible_architecture | regex_replace('.*(\\d\\d$)','\\1') }}" -+ tags: -+ @ANSIBLE_TAGS@ -+ @ANSIBLE_ENSURE_PLATFORM@ - - # Inserts/replaces the rule in /etc/audit/rules.d - -@@ -17,16 +20,23 @@ - contains: ^.*create_module.*$ - patterns: '*.rules' - register: find_create_module -+ tags: -+ @ANSIBLE_TAGS@ -+ @ANSIBLE_ENSURE_PLATFORM@ - - name: Use /etc/audit/rules.d/privileged.rules as the recipient for the rule - set_fact: - all_files: - - /etc/audit/rules.d/privileged.rules -- when: find_create_module.matched == 0 -+ when: find_create_module.matched == 0 and @ANSIBLE_PLATFORM_CONDITION@ -+ tags: -+ @ANSIBLE_TAGS@ - - name: Use matched file as the recipient for the rule - set_fact: - all_files: - - '{{ find_create_module.files | map(attribute=''path'') | list | first }}' -- when: find_create_module.matched > 0 -+ when: find_create_module.matched > 0 and @ANSIBLE_PLATFORM_CONDITION@ -+ tags: -+ @ANSIBLE_TAGS@ - - name: Inserts/replaces the create_module rule in rules.d - lineinfile: - path: '{{ all_files[0] }}' -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_delete/ansible/shared.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_delete/ansible/shared.yml -index 59df796..0f2b57f 100644 ---- 
a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_delete/ansible/shared.yml -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_delete/ansible/shared.yml -@@ -7,6 +7,9 @@ - - name: Set architecture for audit delete_module tasks - set_fact: - audit_arch: "b{{ ansible_architecture | regex_replace('.*(\\d\\d$)','\\1') }}" -+ tags: -+ @ANSIBLE_TAGS@ -+ @ANSIBLE_ENSURE_PLATFORM@ - - # Inserts/replaces the rule in /etc/audit/rules.d - -@@ -17,16 +20,26 @@ - contains: ^.*delete_module.*$ - patterns: '*.rules' - register: find_delete_module -+ tags: -+ @ANSIBLE_TAGS@ -+ @ANSIBLE_ENSURE_PLATFORM@ -+ - - name: Use /etc/audit/rules.d/privileged.rules as the recipient for the rule - set_fact: - all_files: - - /etc/audit/rules.d/privileged.rules -- when: find_delete_module.matched == 0 -+ when: find_delete_module.matched == 0 and @ANSIBLE_PLATFORM_CONDITION@ -+ tags: -+ @ANSIBLE_TAGS@ -+ - - name: Use matched file as the recipient for the rule - set_fact: - all_files: - - '{{ find_delete_module.files | map(attribute=''path'') | list | first }}' -- when: find_delete_module.matched > 0 -+ when: find_delete_module.matched > 0 and @ANSIBLE_PLATFORM_CONDITION@ -+ tags: -+ @ANSIBLE_TAGS@ -+ - - name: Inserts/replaces the delete_module rule in rules.d - lineinfile: - path: '{{ all_files[0] }}' -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_finit/ansible/shared.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_finit/ansible/shared.yml -index dbd6a8b..be89110 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_finit/ansible/shared.yml -+++ 
b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_finit/ansible/shared.yml -@@ -7,6 +7,9 @@ - - name: Set architecture for audit finit_module tasks - set_fact: - audit_arch: "b{{ ansible_architecture | regex_replace('.*(\\d\\d$)','\\1') }}" -+ tags: -+ @ANSIBLE_TAGS@ -+ @ANSIBLE_ENSURE_PLATFORM@ - - # Inserts/replaces the rule in /etc/audit/rules.d - -@@ -17,16 +20,23 @@ - contains: ^.*finit_module.*$ - patterns: '*.rules' - register: find_finit_module -+ tags: -+ @ANSIBLE_TAGS@ -+ @ANSIBLE_ENSURE_PLATFORM@ - - name: Use /etc/audit/rules.d/privileged.rules as the recipient for the rule - set_fact: - all_files: - - /etc/audit/rules.d/privileged.rules -- when: find_finit_module.matched == 0 -+ when: find_finit_module.matched == 0 and @ANSIBLE_PLATFORM_CONDITION@ -+ tags: -+ @ANSIBLE_TAGS@ - - name: Use matched file as the recipient for the rule - set_fact: - all_files: - - '{{ find_finit_module.files | map(attribute=''path'') | list | first }}' -- when: find_finit_module.matched > 0 -+ when: find_finit_module.matched > 0 and @ANSIBLE_PLATFORM_CONDITION@ -+ tags: -+ @ANSIBLE_TAGS@ - - name: Inserts/replaces the finit_module rule in rules.d - lineinfile: - path: '{{ all_files[0] }}' -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_init/ansible/shared.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_init/ansible/shared.yml -index 7514401..dd41927 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_init/ansible/shared.yml -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_init/ansible/shared.yml -@@ -7,6 +7,9 @@ - - name: Set architecture for audit init_module tasks - set_fact: - audit_arch: "b{{ 
ansible_architecture | regex_replace('.*(\\d\\d$)','\\1') }}" -+ tags: -+ @ANSIBLE_TAGS@ -+ @ANSIBLE_ENSURE_PLATFORM@ - - # Inserts/replaces the rule in /etc/audit/rules.d - -@@ -17,16 +20,23 @@ - contains: ^.*init_module.*$ - patterns: '*.rules' - register: find_init_module -+ tags: -+ @ANSIBLE_TAGS@ -+ @ANSIBLE_ENSURE_PLATFORM@ - - name: Use /etc/audit/rules.d/privileged.rules as the recipient for the rule - set_fact: - all_files: - - /etc/audit/rules.d/privileged.rules -- when: find_init_module.matched == 0 -+ when: find_init_module.matched == 0 and @ANSIBLE_PLATFORM_CONDITION@ -+ tags: -+ @ANSIBLE_TAGS@ - - name: Use matched file as the recipient for the rule - set_fact: - all_files: - - '{{ find_init_module.files | map(attribute=''path'') | list | first }}' -- when: find_init_module.matched > 0 -+ when: find_init_module.matched > 0 and @ANSIBLE_PLATFORM_CONDITION@ -+ tags: -+ @ANSIBLE_TAGS@ - - name: Inserts/replaces the init_module rule in rules.d - lineinfile: - path: '{{ all_files[0] }}' -diff --git a/linux_os/guide/system/software/gnome/gnome_system_settings/dconf_gnome_disable_geolocation/ansible/shared.yml b/linux_os/guide/system/software/gnome/gnome_system_settings/dconf_gnome_disable_geolocation/ansible/shared.yml -index b0de57f..19f5a14 100644 ---- a/linux_os/guide/system/software/gnome/gnome_system_settings/dconf_gnome_disable_geolocation/ansible/shared.yml -+++ b/linux_os/guide/system/software/gnome/gnome_system_settings/dconf_gnome_disable_geolocation/ansible/shared.yml -@@ -21,6 +21,9 @@ - option: gelocation - value: "false" - create: yes -+ tags: -+ @ANSIBLE_TAGS@ -+ @ANSIBLE_ENSURE_PLATFORM@ - - - name: "Prevent user modification of GNOME geolocation - location tracking" - lineinfile: -diff --git a/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/ansible/shared.yml b/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/ansible/shared.yml -index 2254249..c50753c 100644 ---- 
a/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/ansible/shared.yml -+++ b/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/ansible/shared.yml -@@ -17,3 +17,6 @@ - - - name: Verify that Crypto Policy is Set (runtime) - shell: /usr/bin/update-crypto-policies --set {{ var_system_crypto_policy }} -+ tags: -+ @ANSIBLE_TAGS@ -+ @ANSIBLE_ENSURE_PLATFORM@ -diff --git a/linux_os/guide/system/software/updating/ensure_gpgcheck_globally_activated/ansible/shared.yml b/linux_os/guide/system/software/updating/ensure_gpgcheck_globally_activated/ansible/shared.yml -index 551087e..8589950 100644 ---- a/linux_os/guide/system/software/updating/ensure_gpgcheck_globally_activated/ansible/shared.yml -+++ b/linux_os/guide/system/software/updating/ensure_gpgcheck_globally_activated/ansible/shared.yml -@@ -8,7 +8,9 @@ - path: /etc/yum.conf - register: yum_config_file - check_mode: no -- when: ansible_distribution == "Fedora" -+ when: ansible_distribution == "Fedora" and @ANSIBLE_PLATFORM_CONDITION@ -+ tags: -+ @ANSIBLE_TAGS@ - - # Old versions of Fedora use yum - -diff --git a/linux_os/guide/system/software/updating/ensure_gpgcheck_local_packages/ansible/shared.yml b/linux_os/guide/system/software/updating/ensure_gpgcheck_local_packages/ansible/shared.yml -index cc61f4f..1313dc0 100644 ---- a/linux_os/guide/system/software/updating/ensure_gpgcheck_local_packages/ansible/shared.yml -+++ b/linux_os/guide/system/software/updating/ensure_gpgcheck_local_packages/ansible/shared.yml -@@ -8,7 +8,9 @@ - path: /etc/yum.conf - register: yum_config_file - check_mode: no -- when: ansible_distribution == "Fedora" -+ when: ansible_distribution == "Fedora" and @ANSIBLE_PLATFORM_CONDITION@ -+ tags: -+ @ANSIBLE_TAGS@ - - # Old versions of Fedora use yum - -diff --git a/linux_os/guide/system/software/updating/ensure_gpgcheck_never_disabled/ansible/shared.yml b/linux_os/guide/system/software/updating/ensure_gpgcheck_never_disabled/ansible/shared.yml -index 
56050ef..500459f 100644 ---- a/linux_os/guide/system/software/updating/ensure_gpgcheck_never_disabled/ansible/shared.yml -+++ b/linux_os/guide/system/software/updating/ensure_gpgcheck_never_disabled/ansible/shared.yml -@@ -10,6 +10,9 @@ - patterns: "*.repo" - contains: ^\[.+]$ - register: yum_find -+ tags: -+ @ANSIBLE_TAGS@ -+ @ANSIBLE_ENSURE_PLATFORM@ - - - name: Ensure gpgcheck Enabled For All {{{ pkg_manager }}} Package Repositories - with_items: "{{ yum_find.files }}" -diff --git a/shared/templates/template_ANSIBLE_audit_rules_dac_modification b/shared/templates/template_ANSIBLE_audit_rules_dac_modification -index 0f43d05..eb69f49 100644 ---- a/shared/templates/template_ANSIBLE_audit_rules_dac_modification -+++ b/shared/templates/template_ANSIBLE_audit_rules_dac_modification -@@ -10,6 +10,9 @@ - - name: Set architecture for audit {{{ ATTR }}} tasks - set_fact: - audit_arch: "b{{ ansible_architecture | regex_replace('.*(\\d\\d$)','\\1') }}" -+ tags: -+ @ANSIBLE_TAGS@ -+ @ANSIBLE_ENSURE_PLATFORM@ - - # - # Inserts/replaces the rule in /etc/audit/rules.d -@@ -21,18 +24,25 @@ - contains: "-F key=perm_mod$" - patterns: "*.rules" - register: find_{{{ ATTR }}} -+ tags: -+ @ANSIBLE_TAGS@ -+ @ANSIBLE_ENSURE_PLATFORM@ - - - name: If existing DAC ruleset not found, use /etc/audit/rules.d/privileged.rules as the recipient for the rule - set_fact: - all_files: - - /etc/audit/rules.d/privileged.rules -- when: find_{{{ ATTR }}}.matched == 0 -+ when: find_{{{ ATTR }}}.matched == 0 and @ANSIBLE_PLATFORM_CONDITION@ -+ tags: -+ @ANSIBLE_TAGS@ - - - name: Use matched file as the recipient for the rule - set_fact: - all_files: - - "{{ find_{{{ ATTR }}}.files | map(attribute='path') | list | first }}" -- when: find_{{{ ATTR }}}.matched > 0 -+ when: find_{{{ ATTR }}}.matched > 0 and @ANSIBLE_PLATFORM_CONDITION@ -+ tags: -+ @ANSIBLE_TAGS@ - - - name: Inserts/replaces the {{{ ATTR }}} rule in rules.d when on x86 - lineinfile: -diff --git 
a/shared/templates/template_ANSIBLE_audit_rules_file_deletion_events b/shared/templates/template_ANSIBLE_audit_rules_file_deletion_events -index 1ccef80..c15c2cd 100644 ---- a/shared/templates/template_ANSIBLE_audit_rules_file_deletion_events -+++ b/shared/templates/template_ANSIBLE_audit_rules_file_deletion_events -@@ -10,6 +10,9 @@ - - name: Set architecture for audit {{{ NAME }}} tasks - set_fact: - audit_arch: "b{{ ansible_architecture | regex_replace('.*(\\d\\d$)','\\1') }}" -+ tags: -+ @ANSIBLE_TAGS@ -+ @ANSIBLE_ENSURE_PLATFORM@ - - # - # Inserts/replaces the rule in /etc/audit/rules.d -@@ -21,18 +24,25 @@ - contains: "-F key=delete$" - patterns: "*.rules" - register: find_{{{ NAME }}} -+ tags: -+ @ANSIBLE_TAGS@ -+ @ANSIBLE_ENSURE_PLATFORM@ - - - name: If existing DAC ruleset not found, use /etc/audit/rules.d/delete.rules as the recipient for the rule - set_fact: - all_files: - - /etc/audit/rules.d/delete.rules -- when: find_{{{ NAME }}}.matched == 0 -+ when: find_{{{ NAME }}}.matched == 0 and @ANSIBLE_PLATFORM_CONDITION@ -+ tags: -+ @ANSIBLE_TAGS@ - - - name: Use matched file as the recipient for the rule - set_fact: - all_files: - - "{{ find_{{{ NAME }}}.files | map(attribute='path') | list | first }}" -- when: find_{{{ NAME }}}.matched > 0 -+ when: find_{{{ NAME }}}.matched > 0 and @ANSIBLE_PLATFORM_CONDITION@ -+ tags: -+ @ANSIBLE_TAGS@ - - - name: Inserts/replaces the {{{ NAME }}} rule in rules.d when on x86 - lineinfile: -diff --git a/shared/templates/template_ANSIBLE_audit_rules_login_events b/shared/templates/template_ANSIBLE_audit_rules_login_events -index 835bf3a..cb319eb 100644 ---- a/shared/templates/template_ANSIBLE_audit_rules_login_events -+++ b/shared/templates/template_ANSIBLE_audit_rules_login_events -@@ -10,6 +10,9 @@ - - name: Set architecture for audit {{{ NAME }}} tasks - set_fact: - audit_arch: "b{{ ansible_architecture | regex_replace('.*(\\d\\d$)','\\1') }}" -+ tags: -+ @ANSIBLE_TAGS@ -+ @ANSIBLE_ENSURE_PLATFORM@ - - # - # 
Inserts/replaces the rule in /etc/audit/rules.d -@@ -21,18 +24,25 @@ - contains: "-k logins$" - patterns: "*.rules" - register: find_{{{ NAME }}} -+ tags: -+ @ANSIBLE_TAGS@ -+ @ANSIBLE_ENSURE_PLATFORM@ - - - name: If existing user/group modification ruleset not found, use /etc/audit/rules.d/logins.rules as the recipient for the rule - set_fact: - all_files: - - /etc/audit/rules.d/logins.rules -- when: find_{{{ NAME }}}.matched == 0 -+ when: find_{{{ NAME }}}.matched == 0 and @ANSIBLE_PLATFORM_CONDITION@ -+ tags: -+ @ANSIBLE_TAGS@ - - - name: Use matched file as the recipient for the rule - set_fact: - all_files: - - "{{ find_{{{ NAME }}}.files | map(attribute='path') | list | first }}" -- when: find_{{{ NAME }}}.matched > 0 -+ when: find_{{{ NAME }}}.matched > 0 and @ANSIBLE_PLATFORM_CONDITION@ -+ tags: -+ @ANSIBLE_TAGS@ - - - name: Inserts/replaces the {{{ NAME }}} rule in rules.d when on x86 - lineinfile: -diff --git a/shared/templates/template_ANSIBLE_audit_rules_privileged_commands b/shared/templates/template_ANSIBLE_audit_rules_privileged_commands -index a8bbc66..63a14d2 100644 ---- a/shared/templates/template_ANSIBLE_audit_rules_privileged_commands -+++ b/shared/templates/template_ANSIBLE_audit_rules_privileged_commands -@@ -13,18 +13,25 @@ - contains: "^.*path={{{ PATH }}}.*$" - patterns: "*.rules" - register: find_{{{ NAME }}} -+ tags: -+ @ANSIBLE_TAGS@ -+ @ANSIBLE_ENSURE_PLATFORM@ - - - name: Use /etc/audit/rules.d/privileged.rules as the recipient for the rule - set_fact: - all_files: - - /etc/audit/rules.d/privileged.rules -- when: find_{{{ NAME }}}.matched == 0 -+ when: find_{{{ NAME }}}.matched == 0 and @ANSIBLE_PLATFORM_CONDITION@ -+ tags: -+ @ANSIBLE_TAGS@ - - - name: Use matched file as the recipient for the rule - set_fact: - all_files: - - "{{ find_{{{ NAME }}}.files | map(attribute='path') | list | first }}" -- when: find_{{{ NAME }}}.matched > 0 -+ when: find_{{{ NAME }}}.matched > 0 and @ANSIBLE_PLATFORM_CONDITION@ -+ tags: -+ @ANSIBLE_TAGS@ - 
- - name: Inserts/replaces the {{{ NAME }}} rule in rules.d - lineinfile: -diff --git a/shared/templates/template_ANSIBLE_audit_rules_unsuccessful_file_modification b/shared/templates/template_ANSIBLE_audit_rules_unsuccessful_file_modification -index 015a29b..99b7bdd 100644 ---- a/shared/templates/template_ANSIBLE_audit_rules_unsuccessful_file_modification -+++ b/shared/templates/template_ANSIBLE_audit_rules_unsuccessful_file_modification -@@ -10,6 +10,9 @@ - - name: Set architecture for audit {{{ NAME }}} tasks - set_fact: - audit_arch: "b{{ ansible_architecture | regex_replace('.*(\\d\\d$)','\\1') }}" -+ tags: -+ @ANSIBLE_TAGS@ -+ @ANSIBLE_ENSURE_PLATFORM@ - - # - # Inserts/replaces the rule in /etc/audit/rules.d -@@ -21,18 +24,25 @@ - contains: "-F key=perm_mod$" - patterns: "*.rules" - register: find_{{{ NAME }}} -+ tags: -+ @ANSIBLE_TAGS@ -+ @ANSIBLE_ENSURE_PLATFORM@ - - - name: If existing DAC ruleset not found, use /etc/audit/rules.d/access.rules as the recipient for the rule - set_fact: - all_files: - - /etc/audit/rules.d/access.rules -- when: find_{{{ NAME }}}.matched == 0 -+ when: find_{{{ NAME }}}.matched == 0 and @ANSIBLE_PLATFORM_CONDITION@ -+ tags: -+ @ANSIBLE_TAGS@ - - - name: Use matched file as the recipient for the rule - set_fact: - all_files: - - "{{ find_{{{ NAME }}}.files | map(attribute='path') | list | first }}" -- when: find_{{{ NAME }}}.matched > 0 -+ when: find_{{{ NAME }}}.matched > 0 and @ANSIBLE_PLATFORM_CONDITION@ -+ tags: -+ @ANSIBLE_TAGS@ - - - name: Inserts/replaces the {{{ NAME }}} rule in rules.d when on x86 - lineinfile: -diff --git a/shared/templates/template_ANSIBLE_audit_rules_usergroup_modification b/shared/templates/template_ANSIBLE_audit_rules_usergroup_modification -index a4b3a0a..df71891 100644 ---- a/shared/templates/template_ANSIBLE_audit_rules_usergroup_modification -+++ b/shared/templates/template_ANSIBLE_audit_rules_usergroup_modification -@@ -10,6 +10,9 @@ - - name: Set architecture for audit {{{ NAME }}} tasks - 
set_fact: - audit_arch: "b{{ ansible_architecture | regex_replace('.*(\\d\\d$)','\\1') }}" -+ tags: -+ @ANSIBLE_TAGS@ -+ @ANSIBLE_ENSURE_PLATFORM@ - - # - # Inserts/replaces the rule in /etc/audit/rules.d -@@ -21,18 +24,25 @@ - contains: "-k audit_rules_usergroup_modification$" - patterns: "*.rules" - register: find_{{{ NAME }}} -+ tags: -+ @ANSIBLE_TAGS@ -+ @ANSIBLE_ENSURE_PLATFORM@ - - - name: If existing user/group modification ruleset not found, use /etc/audit/rules.d/privileged.rules as the recipient for the rule - set_fact: - all_files: - - /etc/audit/rules.d/privileged.rules -- when: find_{{{ NAME }}}.matched == 0 -+ when: find_{{{ NAME }}}.matched == 0 and @ANSIBLE_PLATFORM_CONDITION@ -+ tags: -+ @ANSIBLE_TAGS@ - - - name: Use matched file as the recipient for the rule - set_fact: - all_files: - - "{{ find_{{{ NAME }}}.files | map(attribute='path') | list | first }}" -- when: find_{{{ NAME }}}.matched > 0 -+ when: find_{{{ NAME }}}.matched > 0 and @ANSIBLE_PLATFORM_CONDITION@ -+ tags: -+ @ANSIBLE_TAGS@ - - - name: Inserts/replaces the {{{ NAME }}} rule in rules.d when on x86 - lineinfile: -diff --git a/shared/templates/template_ANSIBLE_file_groupowner b/shared/templates/template_ANSIBLE_file_groupowner -index 3c7335a..f9c7a9c 100644 ---- a/shared/templates/template_ANSIBLE_file_groupowner -+++ b/shared/templates/template_ANSIBLE_file_groupowner -@@ -7,6 +7,9 @@ - stat: - path: {{{ FILEPATH }}} - register: file_exists -+ tags: -+ @ANSIBLE_TAGS@ -+ @ANSIBLE_ENSURE_PLATFORM@ - - - name: Ensure group owner {{{ FILEGID }}} on {{{ FILEPATH }}} - file: -diff --git a/shared/templates/template_ANSIBLE_file_owner b/shared/templates/template_ANSIBLE_file_owner -index 13fd7dd..6eb0cff 100644 ---- a/shared/templates/template_ANSIBLE_file_owner -+++ b/shared/templates/template_ANSIBLE_file_owner -@@ -7,6 +7,9 @@ - stat: - path: {{{ FILEPATH }}} - register: file_exists -+ tags: -+ @ANSIBLE_TAGS@ -+ @ANSIBLE_ENSURE_PLATFORM@ - - - name: Ensure owner {{{ FILEUID }}} on {{{ 
FILEPATH }}}
- file:
-diff --git a/shared/templates/template_ANSIBLE_file_permissions b/shared/templates/template_ANSIBLE_file_permissions
-index 57c8394..8d226a5 100644
---- a/shared/templates/template_ANSIBLE_file_permissions
-+++ b/shared/templates/template_ANSIBLE_file_permissions
-@@ -7,7 +7,10 @@
- stat:
- path: {{{ FILEPATH }}}
- register: file_exists
--
-+ tags:
-+ @ANSIBLE_TAGS@
-+ @ANSIBLE_ENSURE_PLATFORM@
-+
- - name: Ensure permission {{{ FILEMODE }}} on {{{ FILEPATH }}}
- file:
- path: {{{ FILEPATH }}}
-diff --git a/shared/templates/template_ANSIBLE_file_regex_permissions b/shared/templates/template_ANSIBLE_file_regex_permissions
-index 01e36e7..478d29b 100644
---- a/shared/templates/template_ANSIBLE_file_regex_permissions
-+++ b/shared/templates/template_ANSIBLE_file_regex_permissions
-@@ -11,6 +11,7 @@
- register: files_found
- tags:
- @ANSIBLE_TAGS@
-+ @ANSIBLE_ENSURE_PLATFORM@
-
- - name: Set permissions for {{{ FILEPATH }}} file(s)
- file:
-diff --git a/shared/templates/template_ANSIBLE_sebool_var b/shared/templates/template_ANSIBLE_sebool_var
-index ae6bee4..d48d1cf 100644
---- a/shared/templates/template_ANSIBLE_sebool_var
-+++ b/shared/templates/template_ANSIBLE_sebool_var
-@@ -11,6 +11,8 @@
- state: latest
- tags:
- - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
-+ @ANSIBLE_TAGS@
-+ @ANSIBLE_ENSURE_PLATFORM@
-
- - name: Set SELinux boolean {{{ SEBOOLID }}} accordingly
- seboolean:
---
-2.20.1
-
diff --git a/SOURCES/centos-debranding.patch b/SOURCES/centos-debranding.patch
deleted file mode 100644
index 183491b..0000000
--- a/SOURCES/centos-debranding.patch
+++ /dev/null
@@ -1,120 +0,0 @@ -diff -uNrp scap-security-guide-0.1.40.orig/rhel7/profiles/C2S.profile scap-security-guide-0.1.40/rhel7/profiles/C2S.profile ---- scap-security-guide-0.1.40.orig/rhel7/profiles/C2S.profile 2018-07-25 12:50:14.000000000 +0000 -+++ scap-security-guide-0.1.40/rhel7/profiles/C2S.profile 2018-11-25 15:17:23.769888627 +0000 -@@ -3,6 +3,8 @@ documentation_complete: true - title: 'C2S for Red Hat Enterprise Linux 7' - - description: |- -+ **Not applicable to CentOS Linux, included for reference only** -+ - This profile demonstrates compliance against the - U.S. Government Commercial Cloud Services (C2S) baseline. - -diff -uNrp scap-security-guide-0.1.40.orig/rhel7/profiles/cjis.profile scap-security-guide-0.1.40/rhel7/profiles/cjis.profile ---- scap-security-guide-0.1.40.orig/rhel7/profiles/cjis.profile 2018-07-25 12:50:14.000000000 +0000 -+++ scap-security-guide-0.1.40/rhel7/profiles/cjis.profile 2018-11-25 15:29:55.671294215 +0000 -@@ -3,6 +3,8 @@ documentation_complete: true - title: 'Criminal Justice Information Services (CJIS) Security Policy' - - description: |- -+ **Not applicable to CentOS Linux, included for reference only** -+ - This profile is derived from FBI's CJIS v5.4 - Security Policy. A copy of this policy can be found at the CJIS Security - Policy Resource Center: -diff -uNrp scap-security-guide-0.1.40.orig/rhel7/profiles/hipaa.profile scap-security-guide-0.1.40/rhel7/profiles/hipaa.profile ---- scap-security-guide-0.1.40.orig/rhel7/profiles/hipaa.profile 2018-07-25 12:50:14.000000000 +0000 -+++ scap-security-guide-0.1.40/rhel7/profiles/hipaa.profile 2018-11-25 15:30:15.463278958 +0000 -@@ -3,6 +3,8 @@ documentation_complete: True - title: 'Health Insurance Portability and Accountability Act (HIPAA)' - - description: |- -+ **Not applicable to CentOS Linux, included for reference only** -+ - The HIPAA Security Rule establishes U.S. 
national standards to protect individuals’ - electronic personal health information that is created, received, used, or - maintained by a covered entity. The Security Rule requires appropriate -diff -uNrp scap-security-guide-0.1.40.orig/rhel7/profiles/ospp42.profile scap-security-guide-0.1.40/rhel7/profiles/ospp42.profile ---- scap-security-guide-0.1.40.orig/rhel7/profiles/ospp42.profile 2018-11-25 12:23:46.255295645 +0000 -+++ scap-security-guide-0.1.40/rhel7/profiles/ospp42.profile 2018-11-25 15:19:26.088789033 +0000 -@@ -3,6 +3,8 @@ documentation_complete: true - title: 'OSPP - Protection Profile for General Purpose Operating Systems v. 4.2' - - description: |- -+ **Not applicable to CentOS Linux, included for reference only** -+ - This profile reflects mandatory configuration controls identified in the - NIAP Configuration Annex to the Protection Profile for General Purpose - Operating Systems (Protection Profile Version 4.2). -diff -uNrp scap-security-guide-0.1.40.orig/rhel7/profiles/ospp.profile scap-security-guide-0.1.40/rhel7/profiles/ospp.profile ---- scap-security-guide-0.1.40.orig/rhel7/profiles/ospp.profile 2018-11-25 12:23:46.255295645 +0000 -+++ scap-security-guide-0.1.40/rhel7/profiles/ospp.profile 2018-11-25 15:21:23.225693654 +0000 -@@ -3,6 +3,8 @@ documentation_complete: true - title: 'United States Government Configuration Baseline' - - description: |- -+ **Not applicable to CentOS Linux, included for reference only** -+ - This compliance profile reflects the core set of security - related configuration settings for deployment of Red Hat Enterprise - Linux 7.x into U.S. Defense, Intelligence, and Civilian agencies. 
-diff -uNrp scap-security-guide-0.1.40.orig/rhel7/profiles/standard.profile scap-security-guide-0.1.40/rhel7/profiles/standard.profile ---- scap-security-guide-0.1.40.orig/rhel7/profiles/standard.profile 2018-07-25 12:50:14.000000000 +0000 -+++ scap-security-guide-0.1.40/rhel7/profiles/standard.profile 2018-11-25 15:18:14.952846958 +0000 -@@ -3,6 +3,8 @@ documentation_complete: true - title: 'Standard System Security Profile for Red Hat Enterprise Linux 7' - - description: |- -+ **Not applicable to CentOS Linux, included for reference only** -+ - This profile contains rules to ensure standard security baseline - of a Red Hat Enterprise Linux 7 system. Regardless of your system's workload - all of these checks should pass. -diff -uNrp scap-security-guide-0.1.43.orig/rhel7/profiles/nist-800-171-cui.profile scap-security-guide-0.1.43/rhel7/profiles/nist-800-171-cui.profile ---- scap-security-guide-0.1.43.orig/rhel7/profiles/nist-800-171-cui.profile 2019-02-18 13:15:54.000000000 +0000 -+++ scap-security-guide-0.1.43/rhel7/profiles/nist-800-171-cui.profile 2019-08-07 15:08:00.311568091 +0000 -@@ -3,6 +3,8 @@ documentation_complete: true - title: 'Unclassified Information in Non-federal Information Systems and Organizations (NIST 800-171)' - - description: |- -+ **Not applicable to CentOS Linux, included for reference only** -+ - From NIST 800-171, Section 2.2: - Security requirements for protecting the confidentiality of CUI in non-federal - information systems and organizations have a well-defined structure that -diff -uNrp scap-security-guide-0.1.43.orig/rhel7/profiles/pci-dss.profile scap-security-guide-0.1.43/rhel7/profiles/pci-dss.profile ---- scap-security-guide-0.1.43.orig/rhel7/profiles/pci-dss.profile 2019-08-07 15:03:56.740656786 +0000 -+++ scap-security-guide-0.1.43/rhel7/profiles/pci-dss.profile 2019-08-07 15:09:12.666541739 +0000 -@@ -3,6 +3,8 @@ documentation_complete: true - title: 'PCI-DSS v3.2.1 Control Baseline for Red Hat Enterprise Linux 7' - - 
description: |- -+ **Not applicable to CentOS Linux, included for reference only** -+ - Ensures PCI-DSS v3.2.1 related security configuration settings are applied. - - selections: -diff -uNrp scap-security-guide-0.1.43.orig/rhel7/profiles/rht-ccp.profile scap-security-guide-0.1.43/rhel7/profiles/rht-ccp.profile ---- scap-security-guide-0.1.43.orig/rhel7/profiles/rht-ccp.profile 2019-02-18 13:15:54.000000000 +0000 -+++ scap-security-guide-0.1.43/rhel7/profiles/rht-ccp.profile 2019-08-07 15:10:05.513522496 +0000 -@@ -3,6 +3,8 @@ documentation_complete: true - title: 'Red Hat Corporate Profile for Certified Cloud Providers (RH CCP)' - - description: |- -+ **Not applicable to CentOS Linux, included for reference only** -+ - This profile contains the minimum security relevant - configuration settings recommended by Red Hat, Inc for - Red Hat Enterprise Linux 7 instances deployed by Red Hat Certified -diff -uNrp scap-security-guide-0.1.43.orig/rhel7/profiles/stig-rhel7-disa.profile scap-security-guide-0.1.43/rhel7/profiles/stig-rhel7-disa.profile ---- scap-security-guide-0.1.43.orig/rhel7/profiles/stig-rhel7-disa.profile 2019-08-07 15:03:56.741656785 +0000 -+++ scap-security-guide-0.1.43/rhel7/profiles/stig-rhel7-disa.profile 2019-08-07 15:11:05.638502204 +0000 -@@ -3,6 +3,8 @@ documentation_complete: true - title: 'DISA STIG for Red Hat Enterprise Linux 7' - - description: |- -+ **Not applicable to CentOS Linux, included for reference only** -+ - This profile contains configuration checks that align to the - DISA STIG for Red Hat Enterprise Linux V1R4. - diff --git a/SOURCES/disable-not-in-good-shape-profiles.patch b/SOURCES/disable-not-in-good-shape-profiles.patch new file mode 100644 index 0000000..ae3d0dd --- /dev/null +++ b/SOURCES/disable-not-in-good-shape-profiles.patch 
@@ -0,0 +1,82 @@
+From c6c4eae7d085adb1571e5c45edb4bd982c242f4d Mon Sep 17 00:00:00 2001
+From: Gabriel Becker
+Date: Mon, 17 Dec 2018 13:30:06 +0100
+Subject: [PATCH] Disable profiles that are not in good shape for RHEL8.
+
+They raise too many errors and fails.
+---
+ rhel8/CMakeLists.txt | 3 ++-
+ rhel8/profiles/cjis.profile | 2 +-
+ rhel8/profiles/cui.profile | 2 +-
+ rhel8/profiles/hipaa.profile | 2 +-
+ rhel8/profiles/rht-ccp.profile | 2 +-
+ rhel8/profiles/standard.profile | 2 +-
+ 6 files changed, 7 insertions(+), 6 deletions(-)
+
+diff --git a/rhel8/CMakeLists.txt b/rhel8/CMakeLists.txt
+index 99bccbed7..77f8ccaec 100644
+--- a/rhel8/CMakeLists.txt
++++ b/rhel8/CMakeLists.txt
+@@ -14,7 +14,8 @@ ssg_build_html_table_by_ref(${PRODUCT} "cis")
+ ssg_build_html_table_by_ref(${PRODUCT} "pcidss")
+ ssg_build_html_table_by_ref(${PRODUCT} "anssi")
+
+-ssg_build_html_nistrefs_table(${PRODUCT} "standard")
++# Standard profile is disabled for RHEL8 as it is not in good shape
++#ssg_build_html_nistrefs_table(${PRODUCT} "standard")
+ ssg_build_html_nistrefs_table(${PRODUCT} "ospp")
+
+ # Uncomment when anssi profiles are marked documentation_complete: true
+diff --git a/rhel8/profiles/cjis.profile b/rhel8/profiles/cjis.profile
+index a7f8c0b16..c460793be 100644
+--- a/rhel8/profiles/cjis.profile
++++ b/rhel8/profiles/cjis.profile
+@@ -1,4 +1,4 @@
+-documentation_complete: true
++documentation_complete: false
+
+ title: 'Criminal Justice Information Services (CJIS) Security Policy'
+
+diff --git a/rhel8/profiles/cui.profile b/rhel8/profiles/cui.profile
+index eb62252a4..e8f369708 100644
+--- a/rhel8/profiles/cui.profile
++++ b/rhel8/profiles/cui.profile
+@@ -1,4 +1,4 @@
+-documentation_complete: true
++documentation_complete: false
+
+ title: 'Unclassified Information in Non-federal Information Systems and Organizations (NIST 800-171)'
+
+diff --git a/rhel8/profiles/hipaa.profile b/rhel8/profiles/hipaa.profile
+index feb98007c..0667f65ed 100644
+---
a/rhel8/profiles/hipaa.profile
++++ b/rhel8/profiles/hipaa.profile
+@@ -1,4 +1,4 @@
+-documentation_complete: True
++documentation_complete: false
+
+ title: 'Health Insurance Portability and Accountability Act (HIPAA)'
+
+diff --git a/rhel8/profiles/rht-ccp.profile b/rhel8/profiles/rht-ccp.profile
+index 023663b21..8b22bc711 100644
+--- a/rhel8/profiles/rht-ccp.profile
++++ b/rhel8/profiles/rht-ccp.profile
+@@ -1,4 +1,4 @@
+-documentation_complete: true
++documentation_complete: false
+
+ title: 'Red Hat Corporate Profile for Certified Cloud Providers (RH CCP)'
+
+diff --git a/rhel8/profiles/standard.profile b/rhel8/profiles/standard.profile
+index a63ae2cf3..da669bb84 100644
+--- a/rhel8/profiles/standard.profile
++++ b/rhel8/profiles/standard.profile
+@@ -1,4 +1,4 @@
+-documentation_complete: true
++documentation_complete: false
+
+ title: 'Standard System Security Profile for Red Hat Enterprise Linux 8'
+
+--
+2.19.2
+
diff --git a/SOURCES/evaluate_new_package_cpes_to_true.patch b/SOURCES/evaluate_new_package_cpes_to_true.patch
deleted file mode 100644
index 8915893..0000000
--- a/SOURCES/evaluate_new_package_cpes_to_true.patch
+++ /dev/null
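Review bot: The new patch flips `documentation_complete` to `false` in five RHEL8 profiles (cjis, cui, hipaa, rht-ccp, standard), but only the CMakeLists hunk carries a comment saying why; the profile files themselves give no hint that they are intentionally withheld. Presumably `documentation_complete` gates whether a profile is built into the shipped content, so anyone expecting those profiles on RHEL 8 silently loses them — that consequence deserves a comment next to each flip, e.g. `# Disabled for RHEL8: profile not yet in good shape (see disable-not-in-good-shape-profiles.patch)` above `documentation_complete: false`. The carried commit is dated Dec 2018 and its `index` lines reference pre-0.1.46 blob ids, so whether it still applies to the 0.1.46 tarball is only visible at build time; a line in the patch description recording that it was re-verified against 0.1.46 would help the next rebase.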
@@ -1,57 +0,0 @@ -From 40ced7704f5e6f8166cd4e7b0fa273854c7c53ba Mon Sep 17 00:00:00 2001 -From: Watson Sato -Date: Fri, 10 May 2019 14:27:51 +0200 -Subject: [PATCH] Evaluate Ansible platform macro True package CPE - -Other platforms were introduced, like yum, pam, shadow-utils... -Let's handle the case when platform is machine normally, and evaluate -the other platforms to True. ---- - shared/transforms/xccdf-addremediations.xslt | 24 ++++++++++++++++++++ - 1 file changed, 24 insertions(+) - -diff --git a/shared/transforms/xccdf-addremediations.xslt b/shared/transforms/xccdf-addremediations.xslt -index 360877b2f..6339c020e 100644 ---- a/shared/transforms/xccdf-addremediations.xslt -+++ b/shared/transforms/xccdf-addremediations.xslt -@@ -127,6 +127,9 @@ - - - -+ -+ -+ - - - -@@ -149,6 +152,27 @@ - - - -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ - - - --- -2.20.1 - diff --git a/SOURCES/remove_dconf_use_text_backend_rule_from_profiles.patch b/SOURCES/remove_dconf_use_text_backend_rule_from_profiles.patch deleted file mode 100644 index 4bbb4a7..0000000 --- a/SOURCES/remove_dconf_use_text_backend_rule_from_profiles.patch +++ /dev/null 
@@ -1,572 +0,0 @@ -commit 23e988daddbaec48ad565eef28c45d858587a45c -Author: Gabriel Becker -Date: Fri May 24 13:56:54 2019 +0200 - - Remove dconf_use_text_backend rule from profiles. - - Rule is faulty and does not fix properly the dconf bugs. - -diff --git a/fedora/profiles/ospp.profile b/fedora/profiles/ospp.profile -index f13f97a..f33d348 100644 ---- a/fedora/profiles/ospp.profile -+++ b/fedora/profiles/ospp.profile -@@ -43,7 +43,6 @@ selections: - - sysctl_kernel_kptr_restrict - - sysctl_kernel_kexec_load_disabled - - sysctl_kernel_dmesg_restrict -- - dconf_use_text_backend - - dconf_gnome_screensaver_idle_activation_enabled - - dconf_gnome_screensaver_idle_delay - - dconf_gnome_screensaver_lock_delay -diff --git a/fedora/profiles/pci-dss.profile b/fedora/profiles/pci-dss.profile -index 0e6f543..5e47534 100644 ---- a/fedora/profiles/pci-dss.profile -+++ b/fedora/profiles/pci-dss.profile -@@ -98,7 +98,6 @@ selections: - - account_disable_post_pw_expiration - - accounts_passwords_pam_faillock_deny - - accounts_passwords_pam_faillock_unlock_time -- - dconf_use_text_backend - - dconf_gnome_screensaver_idle_delay - - dconf_gnome_screensaver_idle_activation_enabled - - dconf_gnome_screensaver_lock_enabled -diff --git a/linux_os/guide/system/software/gnome/gnome_login_screen/dconf_gnome_disable_restart_shutdown/rule.yml b/linux_os/guide/system/software/gnome/gnome_login_screen/dconf_gnome_disable_restart_shutdown/rule.yml -index c418384..28a39e8 100644 ---- a/linux_os/guide/system/software/gnome/gnome_login_screen/dconf_gnome_disable_restart_shutdown/rule.yml -+++ b/linux_os/guide/system/software/gnome/gnome_login_screen/dconf_gnome_disable_restart_shutdown/rule.yml -@@ -28,10 +28,6 @@ rationale: |- - - severity: high - --warnings: -- - dependency: |- -- {{{ body_of_dconf_warning_about_dependent_rule() }}} -- - identifiers: - cce@rhel7: 80107-6 - -diff --git a/linux_os/guide/system/software/gnome/gnome_login_screen/dconf_gnome_disable_user_list/rule.yml 
b/linux_os/guide/system/software/gnome/gnome_login_screen/dconf_gnome_disable_user_list/rule.yml -index 1b3a0d3..bc15a48 100644 ---- a/linux_os/guide/system/software/gnome/gnome_login_screen/dconf_gnome_disable_user_list/rule.yml -+++ b/linux_os/guide/system/software/gnome/gnome_login_screen/dconf_gnome_disable_user_list/rule.yml -@@ -27,10 +27,6 @@ rationale: |- - - severity: medium - --warnings: -- - dependency: |- -- {{{ body_of_dconf_warning_about_dependent_rule() }}} -- - identifiers: - cce@rhel7: 80106-8 - -diff --git a/linux_os/guide/system/software/gnome/gnome_login_screen/dconf_gnome_enable_smartcard_auth/rule.yml b/linux_os/guide/system/software/gnome/gnome_login_screen/dconf_gnome_enable_smartcard_auth/rule.yml -index a9d157d..e3f5e79 100644 ---- a/linux_os/guide/system/software/gnome/gnome_login_screen/dconf_gnome_enable_smartcard_auth/rule.yml -+++ b/linux_os/guide/system/software/gnome/gnome_login_screen/dconf_gnome_enable_smartcard_auth/rule.yml -@@ -26,10 +26,6 @@ rationale: |- - - severity: medium - --warnings: -- - dependency: |- -- {{{ body_of_dconf_warning_about_dependent_rule() }}} -- - identifiers: - cce@rhel7: 80108-4 - -diff --git a/linux_os/guide/system/software/gnome/gnome_login_screen/dconf_gnome_login_retries/rule.yml b/linux_os/guide/system/software/gnome/gnome_login_screen/dconf_gnome_login_retries/rule.yml -index f4eed0d..7b02bc1 100644 ---- a/linux_os/guide/system/software/gnome/gnome_login_screen/dconf_gnome_login_retries/rule.yml -+++ b/linux_os/guide/system/software/gnome/gnome_login_screen/dconf_gnome_login_retries/rule.yml -@@ -27,10 +27,6 @@ rationale: |- - - severity: medium - --warnings: -- - dependency: |- -- {{{ body_of_dconf_warning_about_dependent_rule() }}} -- - identifiers: - cce@rhel7: 80109-2 - cce@rhel8: 80771-9 -diff --git a/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount/rule.yml 
b/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount/rule.yml -index 7caf212..fbf9578 100644 ---- a/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount/rule.yml -+++ b/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount/rule.yml -@@ -31,10 +31,6 @@ rationale: |- - - severity: unknown - --warnings: -- - dependency: |- -- {{{ body_of_dconf_warning_about_dependent_rule() }}} -- - identifiers: - cce@rhel7: 80122-5 - -diff --git a/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_thumbnailers/rule.yml b/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_thumbnailers/rule.yml -index 6081267..e239b46 100644 ---- a/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_thumbnailers/rule.yml -+++ b/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_thumbnailers/rule.yml -@@ -30,10 +30,6 @@ rationale: |- - - severity: unknown - --warnings: -- - dependency: |- -- {{{ body_of_dconf_warning_about_dependent_rule() }}} -- - identifiers: - cce@rhel7: 80123-3 - -diff --git a/linux_os/guide/system/software/gnome/gnome_network_settings/dconf_gnome_disable_wifi_create/rule.yml b/linux_os/guide/system/software/gnome/gnome_network_settings/dconf_gnome_disable_wifi_create/rule.yml -index cbfaec0..9b1963b 100644 ---- a/linux_os/guide/system/software/gnome/gnome_network_settings/dconf_gnome_disable_wifi_create/rule.yml -+++ b/linux_os/guide/system/software/gnome/gnome_network_settings/dconf_gnome_disable_wifi_create/rule.yml -@@ -24,10 +24,6 @@ rationale: |- - - severity: medium - --warnings: -- - dependency: |- -- {{{ body_of_dconf_warning_about_dependent_rule() }}} -- - identifiers: - cce@rhel7: 80118-3 - -diff --git a/linux_os/guide/system/software/gnome/gnome_network_settings/dconf_gnome_disable_wifi_notification/rule.yml 
b/linux_os/guide/system/software/gnome/gnome_network_settings/dconf_gnome_disable_wifi_notification/rule.yml -index 51f29ef..09f50e0 100644 ---- a/linux_os/guide/system/software/gnome/gnome_network_settings/dconf_gnome_disable_wifi_notification/rule.yml -+++ b/linux_os/guide/system/software/gnome/gnome_network_settings/dconf_gnome_disable_wifi_notification/rule.yml -@@ -24,10 +24,6 @@ rationale: |- - Wireless network connections should not be allowed to be configured by general - users on a given system as it could open the system to backdoor attacks. - --warnings: -- - dependency: |- -- {{{ body_of_dconf_warning_about_dependent_rule() }}} -- - severity: medium - - identifiers: -diff --git a/linux_os/guide/system/software/gnome/gnome_remote_access_settings/dconf_gnome_remote_access_credential_prompt/rule.yml b/linux_os/guide/system/software/gnome/gnome_remote_access_settings/dconf_gnome_remote_access_credential_prompt/rule.yml -index a5927e7..872514b 100644 ---- a/linux_os/guide/system/software/gnome/gnome_remote_access_settings/dconf_gnome_remote_access_credential_prompt/rule.yml -+++ b/linux_os/guide/system/software/gnome/gnome_remote_access_settings/dconf_gnome_remote_access_credential_prompt/rule.yml -@@ -22,10 +22,6 @@ rationale: |- - Username and password prompting is required for remote access. Otherwise, non-authorized - and nefarious users can access the system freely. 
- --warnings: -- - dependency: |- -- {{{ body_of_dconf_warning_about_dependent_rule() }}} -- - severity: medium - - identifiers: -diff --git a/linux_os/guide/system/software/gnome/gnome_remote_access_settings/dconf_gnome_remote_access_encryption/rule.yml b/linux_os/guide/system/software/gnome/gnome_remote_access_settings/dconf_gnome_remote_access_encryption/rule.yml -index 825348f..101b148 100644 ---- a/linux_os/guide/system/software/gnome/gnome_remote_access_settings/dconf_gnome_remote_access_encryption/rule.yml -+++ b/linux_os/guide/system/software/gnome/gnome_remote_access_settings/dconf_gnome_remote_access_encryption/rule.yml -@@ -22,10 +22,6 @@ rationale: |- - Open X displays allow an attacker to capture keystrokes and to execute commands - remotely. - --warnings: -- - dependency: |- -- {{{ body_of_dconf_warning_about_dependent_rule() }}} -- - severity: medium - - identifiers: -diff --git a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_idle_activation_enabled/rule.yml b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_idle_activation_enabled/rule.yml -index 730844f..82a88d7 100644 ---- a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_idle_activation_enabled/rule.yml -+++ b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_idle_activation_enabled/rule.yml -@@ -29,10 +29,6 @@ rationale: |- - login session does not have administrator rights and the display station is located in a - controlled-access area. 
- --warnings: -- - dependency: |- -- {{{ body_of_dconf_warning_about_dependent_rule() }}} -- - severity: medium - - identifiers: -diff --git a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_idle_activation_locked/rule.yml b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_idle_activation_locked/rule.yml -index da3f041..d2980f0 100644 ---- a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_idle_activation_locked/rule.yml -+++ b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_idle_activation_locked/rule.yml -@@ -16,10 +16,6 @@ rationale: |- - A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity - of the information system but does not want to logout because of the temporary nature of the absense. - --warnings: -- - dependency: |- -- {{{ body_of_dconf_warning_about_dependent_rule() }}} -- - severity: medium - - identifiers: -diff --git a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_idle_delay/rule.yml b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_idle_delay/rule.yml -index ac6c968..db8dcbb 100644 ---- a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_idle_delay/rule.yml -+++ b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_idle_delay/rule.yml -@@ -26,10 +26,6 @@ rationale: |- - system session prior to vacating the vicinity, GNOME3 can be configured to identify when - a user's session has idled and take action to initiate a session lock. 
- --warnings: -- - dependency: |- -- {{{ body_of_dconf_warning_about_dependent_rule() }}} -- - severity: medium - - identifiers: -diff --git a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_lock_delay/rule.yml b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_lock_delay/rule.yml -index 42f0d11..a66c458 100644 ---- a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_lock_delay/rule.yml -+++ b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_lock_delay/rule.yml -@@ -21,10 +21,6 @@ rationale: |- - A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity - of the information system but does not want to logout because of the temporary nature of the absense. - --warnings: -- - dependency: |- -- {{{ body_of_dconf_warning_about_dependent_rule() }}} -- - severity: medium - - identifiers: -diff --git a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_lock_enabled/rule.yml b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_lock_enabled/rule.yml -index 842bcf4..bf007d3 100644 ---- a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_lock_enabled/rule.yml -+++ b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_lock_enabled/rule.yml -@@ -21,10 +21,6 @@ rationale: |- - A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity - of the information system but does not want to logout because of the temporary nature of the absense. 
- --warnings: -- - dependency: |- -- {{{ body_of_dconf_warning_about_dependent_rule() }}} -- - severity: medium - - identifiers: -diff --git a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_lock_locked/rule.yml b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_lock_locked/rule.yml -index da8cbe7..e6b459a 100644 ---- a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_lock_locked/rule.yml -+++ b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_lock_locked/rule.yml -@@ -16,10 +16,6 @@ rationale: |- - A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity - of the information system but does not want to logout because of the temporary nature of the absense. - --warnings: -- - dependency: |- -- {{{ body_of_dconf_warning_about_dependent_rule() }}} -- - severity: medium - - identifiers: -diff --git a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_mode_blank/rule.yml b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_mode_blank/rule.yml -index e792620..c81ee8e 100644 ---- a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_mode_blank/rule.yml -+++ b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_mode_blank/rule.yml -@@ -21,10 +21,6 @@ rationale: |- - Setting the screensaver mode to blank-only conceals the - contents of the display from passersby. 
- --warnings: -- - dependency: |- -- {{{ body_of_dconf_warning_about_dependent_rule() }}} -- - severity: medium - - identifiers: -diff --git a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_user_info/rule.yml b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_user_info/rule.yml -index 3640d34..6ecf953 100644 ---- a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_user_info/rule.yml -+++ b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_user_info/rule.yml -@@ -23,10 +23,6 @@ rationale: |- - Setting the splash screen to not reveal the logged in user's name - conceals who has access to the system from passersby. - --warnings: -- - dependency: |- -- {{{ body_of_dconf_warning_about_dependent_rule() }}} -- - severity: medium - - identifiers: -diff --git a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_user_locks/rule.yml b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_user_locks/rule.yml -index 30a29ea..87f690b 100644 ---- a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_user_locks/rule.yml -+++ b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_user_locks/rule.yml -@@ -19,10 +19,6 @@ rationale: |- - GNOME desktops can be configured to identify when a user's session has idled and take action to initiate the - session lock. As such, users should not be allowed to change session settings. 
- --warnings: -- - dependency: |- -- {{{ body_of_dconf_warning_about_dependent_rule() }}} -- - severity: medium - - identifiers: -diff --git a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_session_idle_user_locks/rule.yml b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_session_idle_user_locks/rule.yml -index 9ca213d..0d094ca 100644 ---- a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_session_idle_user_locks/rule.yml -+++ b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_session_idle_user_locks/rule.yml -@@ -19,10 +19,6 @@ rationale: |- - GNOME desktops can be configured to identify when a user's session has idled and take action to initiate the - session lock. As such, users should not be allowed to change session settings. - --warnings: -- - dependency: |- -- {{{ body_of_dconf_warning_about_dependent_rule() }}} -- - severity: medium - - identifiers: -diff --git a/linux_os/guide/system/software/gnome/gnome_system_settings/dconf_gnome_disable_ctrlaltdel_reboot/rule.yml b/linux_os/guide/system/software/gnome/gnome_system_settings/dconf_gnome_disable_ctrlaltdel_reboot/rule.yml -index e7c5054..e1f3a95 100644 ---- a/linux_os/guide/system/software/gnome/gnome_system_settings/dconf_gnome_disable_ctrlaltdel_reboot/rule.yml -+++ b/linux_os/guide/system/software/gnome/gnome_system_settings/dconf_gnome_disable_ctrlaltdel_reboot/rule.yml -@@ -26,10 +26,6 @@ rationale: |- - the case of mixed OS environment, this can create the risk of short-term - loss of availability of systems due to unintentional reboot. 
- --warnings: -- - dependency: |- -- {{{ body_of_dconf_warning_about_dependent_rule() }}} -- - severity: high - - identifiers: -diff --git a/linux_os/guide/system/software/gnome/gnome_system_settings/dconf_gnome_disable_geolocation/rule.yml b/linux_os/guide/system/software/gnome/gnome_system_settings/dconf_gnome_disable_geolocation/rule.yml -index 647d024..083d81b 100644 ---- a/linux_os/guide/system/software/gnome/gnome_system_settings/dconf_gnome_disable_geolocation/rule.yml -+++ b/linux_os/guide/system/software/gnome/gnome_system_settings/dconf_gnome_disable_geolocation/rule.yml -@@ -29,10 +29,6 @@ rationale: |- - Enabling power settings on non-mobile devices could have unintended processing - consequences on standard systems. - --warnings: -- - dependency: |- -- {{{ body_of_dconf_warning_about_dependent_rule() }}} -- - severity: medium - - identifiers: -diff --git a/linux_os/guide/system/software/gnome/gnome_system_settings/dconf_gnome_disable_power_settings/rule.yml b/linux_os/guide/system/software/gnome/gnome_system_settings/dconf_gnome_disable_power_settings/rule.yml -index 5a62042..c983409 100644 ---- a/linux_os/guide/system/software/gnome/gnome_system_settings/dconf_gnome_disable_power_settings/rule.yml -+++ b/linux_os/guide/system/software/gnome/gnome_system_settings/dconf_gnome_disable_power_settings/rule.yml -@@ -24,10 +24,6 @@ rationale: |- - Enabling power settings on non-mobile devices could have unintended processing - consequences on standard systems. 
- --warnings: -- - dependency: |- -- {{{ body_of_dconf_warning_about_dependent_rule() }}} -- - severity: medium - - identifiers: -diff --git a/linux_os/guide/system/software/gnome/gnome_system_settings/dconf_gnome_disable_user_admin/rule.yml b/linux_os/guide/system/software/gnome/gnome_system_settings/dconf_gnome_disable_user_admin/rule.yml -index e521d91..28265ac 100644 ---- a/linux_os/guide/system/software/gnome/gnome_system_settings/dconf_gnome_disable_user_admin/rule.yml -+++ b/linux_os/guide/system/software/gnome/gnome_system_settings/dconf_gnome_disable_user_admin/rule.yml -@@ -26,10 +26,6 @@ rationale: |- - unintended configuration changes as well as a nefarious user the capability to make system - changes such as adding new accounts, etc. - --warnings: -- - dependency: |- -- {{{ body_of_dconf_warning_about_dependent_rule() }}} -- - severity: high - - identifiers: -diff --git a/ol7/profiles/pci-dss.profile b/ol7/profiles/pci-dss.profile -index 8f2a5cc..acfe1be 100644 ---- a/ol7/profiles/pci-dss.profile -+++ b/ol7/profiles/pci-dss.profile -@@ -108,7 +108,6 @@ selections: - - accounts_passwords_pam_faillock_deny - - accounts_passwords_pam_faillock_unlock_time - - account_unique_name -- - dconf_use_text_backend - - dconf_gnome_screensaver_idle_activation_enabled - - dconf_gnome_screensaver_idle_delay - - dconf_gnome_screensaver_lock_enabled -diff --git a/ol7/profiles/stig-ol7-disa.profile b/ol7/profiles/stig-ol7-disa.profile -index 0c9cd56..f9d2f4c 100644 ---- a/ol7/profiles/stig-ol7-disa.profile -+++ b/ol7/profiles/stig-ol7-disa.profile -@@ -109,7 +109,6 @@ selections: - - audit_rules_usergroup_modification_opasswd - - audit_rules_usergroup_modification_passwd - - audit_rules_usergroup_modification_shadow -- - dconf_use_text_backend - - dconf_gnome_screensaver_idle_activation_enabled - - dconf_gnome_screensaver_idle_activation_locked - - dconf_gnome_screensaver_idle_delay -diff --git a/ol8/profiles/ospp.profile b/ol8/profiles/ospp.profile -index 
9309177..9e5b245 100644 ---- a/ol8/profiles/ospp.profile -+++ b/ol8/profiles/ospp.profile -@@ -42,7 +42,6 @@ selections: - - sysctl_kernel_kptr_restrict - - sysctl_kernel_kexec_load_disabled - - sysctl_kernel_dmesg_restrict -- - dconf_use_text_backend - - dconf_gnome_screensaver_idle_activation_enabled - - dconf_gnome_screensaver_idle_delay - - dconf_gnome_screensaver_lock_delay -diff --git a/ol8/profiles/pci-dss.profile b/ol8/profiles/pci-dss.profile -index d7d5909..ef6c60f 100644 ---- a/ol8/profiles/pci-dss.profile -+++ b/ol8/profiles/pci-dss.profile -@@ -122,7 +122,6 @@ selections: - - accounts_passwords_pam_faillock_deny - - accounts_passwords_pam_faillock_unlock_time - - account_unique_name -- - dconf_use_text_backend - - dconf_gnome_screensaver_idle_activation_enabled - - dconf_gnome_screensaver_idle_delay - - dconf_gnome_screensaver_lock_enabled -diff --git a/rhel7/profiles/C2S.profile b/rhel7/profiles/C2S.profile -index 3d6b4f3..6580595 100644 ---- a/rhel7/profiles/C2S.profile -+++ b/rhel7/profiles/C2S.profile -@@ -70,7 +70,6 @@ selections: - - selinux_confinement_of_daemons - - banner_etc_issue - - login_banner_text=usgcb_default -- - dconf_use_text_backend - - dconf_gnome_login_banner_text - - dconf_gnome_banner_enabled - - security_patches_up_to_date -diff --git a/rhel7/profiles/cjis.profile b/rhel7/profiles/cjis.profile -index 1bf4006..a7f8c0b 100644 ---- a/rhel7/profiles/cjis.profile -+++ b/rhel7/profiles/cjis.profile -@@ -86,7 +86,6 @@ selections: - - var_password_pam_retry=5 - - var_accounts_passwords_pam_faillock_deny=5 - - var_accounts_passwords_pam_faillock_unlock_time=600 -- - dconf_use_text_backend - - dconf_gnome_screensaver_idle_delay - - dconf_gnome_screensaver_idle_activation_enabled - - dconf_gnome_screensaver_lock_enabled -diff --git a/rhel7/profiles/hipaa.profile b/rhel7/profiles/hipaa.profile -index 719093b..76fb4a8 100644 ---- a/rhel7/profiles/hipaa.profile -+++ b/rhel7/profiles/hipaa.profile -@@ -28,7 +28,6 @@ selections: - - 
service_debug-shell_disabled - - disable_ctrlaltdel_reboot - - disable_ctrlaltdel_burstaction -- - dconf_use_text_backend - - dconf_gnome_remote_access_credential_prompt - - dconf_gnome_remote_access_encryption - - sshd_disable_empty_passwords -diff --git a/rhel7/profiles/ospp.profile b/rhel7/profiles/ospp.profile -index a4357a6..36e5d7e 100644 ---- a/rhel7/profiles/ospp.profile -+++ b/rhel7/profiles/ospp.profile -@@ -401,7 +401,6 @@ selections: - - network_sniffer_disabled - - network_ipv6_disable_rpc - - network_ipv6_privacy_extensions -- - dconf_use_text_backend - - dconf_gnome_banner_enabled - - dconf_gnome_disable_automount - - dconf_gnome_disable_ctrlaltdel_reboot -diff --git a/rhel7/profiles/ospp42.profile b/rhel7/profiles/ospp42.profile -index e2173c9..dbd1935 100644 ---- a/rhel7/profiles/ospp42.profile -+++ b/rhel7/profiles/ospp42.profile -@@ -42,7 +42,6 @@ selections: - - sysctl_kernel_kptr_restrict - - sysctl_kernel_kexec_load_disabled - - sysctl_kernel_dmesg_restrict -- - dconf_use_text_backend - - dconf_gnome_screensaver_idle_activation_enabled - - dconf_gnome_screensaver_idle_delay - - dconf_gnome_screensaver_lock_delay -diff --git a/rhel7/profiles/pci-dss.profile b/rhel7/profiles/pci-dss.profile -index 7ba7873..da56ff1 100644 ---- a/rhel7/profiles/pci-dss.profile -+++ b/rhel7/profiles/pci-dss.profile -@@ -79,7 +79,6 @@ selections: - - account_disable_post_pw_expiration - - accounts_passwords_pam_faillock_deny - - accounts_passwords_pam_faillock_unlock_time -- - dconf_use_text_backend - - dconf_gnome_screensaver_idle_delay - - dconf_gnome_screensaver_idle_activation_enabled - - dconf_gnome_screensaver_lock_enabled -diff --git a/rhel7/profiles/stig-rhel7-disa.profile b/rhel7/profiles/stig-rhel7-disa.profile -index 9f8e9ab..245efd7 100644 ---- a/rhel7/profiles/stig-rhel7-disa.profile -+++ b/rhel7/profiles/stig-rhel7-disa.profile -@@ -56,7 +56,6 @@ selections: - - rpm_verify_permissions - - rpm_verify_ownership - - rpm_verify_hashes -- - 
dconf_use_text_backend - - dconf_gnome_banner_enabled - - dconf_gnome_login_banner_text - - banner_etc_issue -diff --git a/rhel8/profiles/cjis.profile b/rhel8/profiles/cjis.profile -index 288fbf0..ec225d8 100644 ---- a/rhel8/profiles/cjis.profile -+++ b/rhel8/profiles/cjis.profile -@@ -86,7 +86,6 @@ selections: - - var_password_pam_retry=5 - - var_accounts_passwords_pam_faillock_deny=5 - - var_accounts_passwords_pam_faillock_unlock_time=600 -- - dconf_use_text_backend - - dconf_gnome_screensaver_idle_delay - - dconf_gnome_screensaver_idle_activation_enabled - - dconf_gnome_screensaver_lock_enabled -diff --git a/rhel8/profiles/hipaa.profile b/rhel8/profiles/hipaa.profile -index f5533f1..d44960d 100644 ---- a/rhel8/profiles/hipaa.profile -+++ b/rhel8/profiles/hipaa.profile -@@ -28,7 +28,6 @@ selections: - - service_debug-shell_disabled - - disable_ctrlaltdel_reboot - - disable_ctrlaltdel_burstaction -- - dconf_use_text_backend - - dconf_gnome_remote_access_credential_prompt - - dconf_gnome_remote_access_encryption - - sshd_disable_empty_passwords -diff --git a/rhel8/profiles/ospp.profile b/rhel8/profiles/ospp.profile -index 3c6e193..31b4be5 100644 ---- a/rhel8/profiles/ospp.profile -+++ b/rhel8/profiles/ospp.profile -@@ -219,7 +219,6 @@ selections: - ### FMT_MOF_EXT.1 / AC-11(a) - ### Enable Screen Lock - - package_tmux_installed -- - dconf_use_text_backend - - dconf_gnome_screensaver_idle_activation_enabled - - dconf_gnome_screensaver_idle_delay - - dconf_gnome_screensaver_lock_delay -diff --git a/rhel8/profiles/pci-dss.profile b/rhel8/profiles/pci-dss.profile -index 6b73cd8..3894da0 100644 ---- a/rhel8/profiles/pci-dss.profile -+++ b/rhel8/profiles/pci-dss.profile -@@ -98,7 +98,6 @@ selections: - - account_disable_post_pw_expiration - - accounts_passwords_pam_faillock_deny - - accounts_passwords_pam_faillock_unlock_time -- - dconf_use_text_backend - - dconf_gnome_screensaver_idle_delay - - dconf_gnome_screensaver_idle_activation_enabled - - 
dconf_gnome_screensaver_lock_enabled diff --git a/SOURCES/scap-security-guide-0.1.44-cpe-gdm.patch b/SOURCES/scap-security-guide-0.1.44-cpe-gdm.patch deleted file mode 100644 index 6c09f2e..0000000 --- a/SOURCES/scap-security-guide-0.1.44-cpe-gdm.patch +++ /dev/null @@ -1,105 +0,0 @@ -From 2e3cd7e8930b2456cbc6e182aa9a9f700ea9fa69 Mon Sep 17 00:00:00 2001 -From: Watson Sato -Date: Wed, 10 Apr 2019 15:41:56 +0200 -Subject: [PATCH] Add GDM CPE and mark GNOME group - ---- - .../gui_login_banner/group.yml | 2 + - .../guide/system/software/gnome/group.yml | 2 + - rhel7/cpe/rhel7-cpe-dictionary.xml | 5 +++ - .../oval/installed_env_has_gdm_package.xml | 37 +++++++++++++++++++ - ssg/constants.py | 1 + - 5 files changed, 47 insertions(+) - create mode 100644 shared/checks/oval/installed_env_has_gdm_package.xml - -diff --git a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/group.yml b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/group.yml -index 3ee83be305..006177b16e 100644 ---- a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/group.yml -+++ b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/group.yml -@@ -9,3 +9,5 @@ description: |- - displayed in this graphical environment for these users. - The following sections describe how to configure the GDM login - banner. -+ -+platform: gdm -diff --git a/linux_os/guide/system/software/gnome/group.yml b/linux_os/guide/system/software/gnome/group.yml -index 914431adb1..54d9dc547a 100644 ---- a/linux_os/guide/system/software/gnome/group.yml -+++ b/linux_os/guide/system/software/gnome/group.yml -@@ -12,3 +12,5 @@ description: |- - Red Hat Graphical environment. -

- For more information on GNOME and the GNOME Project, see {{{ weblink(link="https://www.gnome.org") }}}. -+ -+platform: gdm -diff --git a/rhel7/cpe/rhel7-cpe-dictionary.xml b/rhel7/cpe/rhel7-cpe-dictionary.xml -index d64c18e846..b6bc8b4e53 100644 ---- a/rhel7/cpe/rhel7-cpe-dictionary.xml -+++ b/rhel7/cpe/rhel7-cpe-dictionary.xml -@@ -47,6 +47,11 @@ - - installed_env_is_a_machine - -+ -+ Package gdm is installed -+ -+ installed_env_has_gdm_package -+ - - Package libuser is installed - -diff --git a/shared/checks/oval/installed_env_has_gdm_package.xml b/shared/checks/oval/installed_env_has_gdm_package.xml -new file mode 100644 -index 0000000000..57fb7a655c ---- /dev/null -+++ b/shared/checks/oval/installed_env_has_gdm_package.xml -@@ -0,0 +1,37 @@ -+ -+ -+ -+ Package gdm is installed -+ -+ multi_platform_all -+ -+ Checks if package gdm is installed. -+ -+ -+ -+ -+ -+ -+ -+{{% if pkg_system == "rpm" %}} -+ -+ -+ -+ -+ gdm -+ -+{{% elif pkg_system == "dpkg" %}} -+ -+ -+ -+ -+ gdm -+ -+{{% endif %}} -+ -+ -diff --git a/ssg/constants.py b/ssg/constants.py -index 94d9d8c180..6e4fd3c741 100644 ---- a/ssg/constants.py -+++ b/ssg/constants.py -@@ -376,6 +376,7 @@ - XCCDF_PLATFORM_TO_CPE = { - "machine": "cpe:/a:machine", - "container": "cpe:/a:container", -+ "gdm": "cpe:/a:gdm", - "libuser": "cpe:/a:libuser", - "nss-pam-ldapd": "cpe:/a:nss-pam-ldapd", - "pam": "cpe:/a:pam", diff --git a/SOURCES/scap-security-guide-0.1.44-cpe-pam-systemd-yum.patch b/SOURCES/scap-security-guide-0.1.44-cpe-pam-systemd-yum.patch deleted file mode 100644 index 00baced..0000000 --- a/SOURCES/scap-security-guide-0.1.44-cpe-pam-systemd-yum.patch +++ /dev/null 
@@ -1,842 +0,0 @@ -From 32caed89b5cf14f86e5d842569c4f73cdae6ed26 Mon Sep 17 00:00:00 2001 -From: Shawn Wells -Date: Wed, 3 Apr 2019 16:49:38 -0400 -Subject: [PATCH 01/11] create PAM package CPE - ---- - .../oval/installed_env_has_pam_package.xml | 25 +++++++++++++++++++ - 1 file changed, 25 insertions(+) - create mode 100644 shared/checks/oval/installed_env_has_pam_package.xml - -diff --git a/shared/checks/oval/installed_env_has_pam_package.xml b/shared/checks/oval/installed_env_has_pam_package.xml -new file mode 100644 -index 0000000000..b6376575b2 ---- /dev/null -+++ b/shared/checks/oval/installed_env_has_pam_package.xml -@@ -0,0 +1,25 @@ -+ -+ -+ -+ -+ Package pam is installed -+ -+ multi_platform_all -+ -+ Checks if package pam is installed. -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ pam -+ -+ -+ - -From 213a472a89b3b591a4fd441bcf0f0f3ba633afe3 Mon Sep 17 00:00:00 2001 -From: Shawn Wells -Date: Wed, 3 Apr 2019 16:49:53 -0400 -Subject: [PATCH 02/11] add PAM CPE to constants - ---- - ssg/constants.py | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/ssg/constants.py b/ssg/constants.py -index f96fd51790..e87eb7f43c 100644 ---- a/ssg/constants.py -+++ b/ssg/constants.py -@@ -376,6 +376,7 @@ - XCCDF_PLATFORM_TO_CPE = { - "machine": "cpe:/a:machine", - "container": "cpe:/a:container", -+ "pam": "cpe:/a:pam", - "shadow-utils": "cpe:/a:shadow-utils", - } - - -From 6afde50cf7a4a75829ed092c8e30116df7a99601 Mon Sep 17 00:00:00 2001 -From: Watson Sato -Date: Mon, 8 Apr 2019 15:43:04 +0200 -Subject: [PATCH 03/11] Update rules for PAM CPE check - ---- - .../accounts_password_pam_dcredit/rule.yml | 2 ++ - .../accounts_password_pam_difok/rule.yml | 2 ++ - .../accounts_password_pam_maxclassrepeat/rule.yml | 2 ++ - .../accounts_password_pam_minclass/rule.yml | 2 ++ - .../accounts_password_pam_minlen/rule.yml | 2 ++ - .../accounts_max_concurrent_login_sessions/rule.yml | 2 ++ - 6 files changed, 12 insertions(+) - -diff --git 
a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_dcredit/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_dcredit/rule.yml -index 72fc5970ea..fe997d97c8 100644 ---- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_dcredit/rule.yml -+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_dcredit/rule.yml -@@ -52,3 +52,5 @@ ocil: |- -
$ grep dcredit /etc/security/pwquality.conf
- The dcredit parameter (as a negative number) will indicate how many digits are required. - The DoD requires at least one digit in a password. This would appear as dcredit = -1. -+ -+platform: pam -diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_difok/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_difok/rule.yml -index 931f0aa9e4..d1855a2cf4 100644 ---- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_difok/rule.yml -+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_difok/rule.yml -@@ -53,3 +53,5 @@ ocil: |- - To check how many characters must differ during a password change, run the following command: -
$ grep difok /etc/security/pwquality.conf
- The difok parameter will indicate how many characters must differ. -+ -+platform: pam -diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_maxclassrepeat/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_maxclassrepeat/rule.yml -index 35de1318d5..d964a5e3ea 100644 ---- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_maxclassrepeat/rule.yml -+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_maxclassrepeat/rule.yml -@@ -43,3 +43,5 @@ ocil: |- - To check the value for maximum consecutive repeating characters, run the following command: -
$ grep maxclassrepeat /etc/security/pwquality.conf
- For DoD systems, the output should show maxclassrepeat=4. -+ -+platform: pam -diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_minclass/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_minclass/rule.yml -index 7f99aba143..dc3377de0b 100644 ---- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_minclass/rule.yml -+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_minclass/rule.yml -@@ -60,3 +60,5 @@ ocil: |- - The minclass parameter will indicate how many character classes must be used. If - the requirement was for the password to contain characters from three different categories, - then this would appear as minclass = 3. -+ -+platform: pam -diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_minlen/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_minlen/rule.yml -index d6462579fe..0799aecf01 100644 ---- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_minlen/rule.yml -+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_minlen/rule.yml -@@ -49,3 +49,5 @@ ocil: |- - To check how many characters are required in a password, run the following command: -
$ grep minlen /etc/security/pwquality.conf
- Your output should contain minlen = -+ -+platform: pam -diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_max_concurrent_login_sessions/rule.yml b/linux_os/guide/system/accounts/accounts-session/accounts_max_concurrent_login_sessions/rule.yml -index bd53c19c08..f9d9a08706 100644 ---- a/linux_os/guide/system/accounts/accounts-session/accounts_max_concurrent_login_sessions/rule.yml -+++ b/linux_os/guide/system/accounts/accounts-session/accounts_max_concurrent_login_sessions/rule.yml -@@ -45,3 +45,5 @@ ocil: |- -
# grep "maxlogins" /etc/security/limits.conf
- You should receive output similar to the following: -
*\t\thard\tmaxlogins\t
-+ -+platform: pam - -From 351ee6945df37a28cc4f4589b17eb4c35066b00b Mon Sep 17 00:00:00 2001 -From: Shawn Wells -Date: Wed, 3 Apr 2019 17:17:40 -0400 -Subject: [PATCH 04/11] add libuser CPE - ---- - .../installed_env_has_libuser_package.xml | 24 +++++++++++++++++++ - 1 file changed, 24 insertions(+) - create mode 100644 shared/checks/oval/installed_env_has_libuser_package.xml - -diff --git a/shared/checks/oval/installed_env_has_libuser_package.xml b/shared/checks/oval/installed_env_has_libuser_package.xml -new file mode 100644 -index 0000000000..ee79b19f8a ---- /dev/null -+++ b/shared/checks/oval/installed_env_has_libuser_package.xml -@@ -0,0 +1,24 @@ -+ -+ -+ -+ Package libuser is installed -+ -+ multi_platform_all -+ -+ Checks if package libuser is installed. -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ libuser -+ -+ -+ - -From e0b2db79f718b2f64ec25c39f01b53d4e9a80b00 Mon Sep 17 00:00:00 2001 -From: Shawn Wells -Date: Wed, 3 Apr 2019 17:17:50 -0400 -Subject: [PATCH 05/11] add systemd CPE - ---- - .../installed_env_has_systemd_package.xml | 24 +++++++++++++++++++ - 1 file changed, 24 insertions(+) - create mode 100644 shared/checks/oval/installed_env_has_systemd_package.xml - -diff --git a/shared/checks/oval/installed_env_has_systemd_package.xml b/shared/checks/oval/installed_env_has_systemd_package.xml -new file mode 100644 -index 0000000000..99706ee1c6 ---- /dev/null -+++ b/shared/checks/oval/installed_env_has_systemd_package.xml -@@ -0,0 +1,24 @@ -+ -+ -+ -+ Package systemd is installed -+ -+ multi_platform_all -+ -+ Checks if package systemd is installed. 
-+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ systemd -+ -+ -+ - -From 2ec6e5654ef63232c973d91cdee6f8eb9156eb9b Mon Sep 17 00:00:00 2001 -From: Watson Sato -Date: Mon, 8 Apr 2019 15:45:01 +0200 -Subject: [PATCH 06/11] Update rules with package CPEs - ---- - .../accounts/accounts-pam/display_login_attempts/rule.yml | 2 ++ - .../accounts_password_pam_unix_remember/rule.yml | 2 ++ - .../accounts_passwords_pam_faillock_deny/rule.yml | 2 ++ - .../accounts_passwords_pam_faillock_deny_root/rule.yml | 2 ++ - .../accounts_passwords_pam_faillock_interval/rule.yml | 2 ++ - .../accounts_passwords_pam_faillock_unlock_time/rule.yml | 2 ++ - .../accounts_password_pam_lcredit/rule.yml | 2 ++ - .../accounts_password_pam_ocredit/rule.yml | 2 ++ - .../accounts_password_pam_retry/rule.yml | 2 ++ - .../accounts_password_pam_ucredit/rule.yml | 2 ++ - .../set_password_hashing_algorithm_libuserconf/rule.yml | 2 ++ - .../set_password_hashing_algorithm_logindefs/rule.yml | 2 ++ - .../set_password_hashing_algorithm_systemauth/rule.yml | 2 ++ - .../accounts-physical/disable_ctrlaltdel_burstaction/rule.yml | 2 ++ - .../user_umask/accounts_umask_etc_login_defs/rule.yml | 2 ++ - ssg/constants.py | 2 ++ - 16 files changed, 32 insertions(+) - -diff --git a/linux_os/guide/system/accounts/accounts-pam/display_login_attempts/rule.yml b/linux_os/guide/system/accounts/accounts-pam/display_login_attempts/rule.yml -index 5c2287a4d3..baeece4b59 100644 ---- a/linux_os/guide/system/accounts/accounts-pam/display_login_attempts/rule.yml -+++ b/linux_os/guide/system/accounts/accounts-pam/display_login_attempts/rule.yml -@@ -47,3 +47,5 @@ ocil: |- - the following command: -
$ grep pam_lastlog.so /etc/pam.d/postlogin
- The output should show output showfailed. -+ -+platform: pam -diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/rule.yml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/rule.yml -index dcde239e85..a63e0e6d1d 100644 ---- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/rule.yml -+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/rule.yml -@@ -56,3 +56,5 @@ ocil: |- -
$ grep remember /etc/pam.d/system-auth
- The output should show the following at the end of the line: -
remember=
-+ -+platform: pam -diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/rule.yml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/rule.yml -index c8147e7c17..e10b0a1b67 100644 ---- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/rule.yml -+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/rule.yml -@@ -56,3 +56,5 @@ ocil: |- - To ensure the failed password attempt policy is configured correctly, run the following command: -
$ grep pam_faillock /etc/pam.d/system-auth
- The output should show deny=. -+ -+platform: pam -diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny_root/rule.yml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny_root/rule.yml -index b5283b052e..b4c4df7186 100644 ---- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny_root/rule.yml -+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny_root/rule.yml -@@ -50,3 +50,5 @@ ocil: |- - attempts, run the following command: -
$ grep even_deny_root /etc/pam.d/system-auth
- The output should show even_deny_root. -+ -+platform: pam -diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/rule.yml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/rule.yml -index 485fb7970d..ac21fe4c81 100644 ---- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/rule.yml -+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/rule.yml -@@ -65,3 +65,5 @@ ocil: |- - For each file, the output should show fail_interval=<interval-in-seconds> where interval-in-seconds is or greater. - If the fail_interval parameter is not set, the default setting - of 900 seconds is acceptable. -+ -+platform: pam -diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/rule.yml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/rule.yml -index 9abd02feea..f4bfaec622 100644 ---- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/rule.yml -+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/rule.yml -@@ -59,3 +59,5 @@ ocil: |- - To ensure the failed password attempt policy is configured correctly, run the following command: -
$ grep pam_faillock /etc/pam.d/system-auth
- The output should show unlock_time=<some-large-number> or never. -+ -+platform: pam -diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_lcredit/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_lcredit/rule.yml -index ba0be4ebeb..21d86585ed 100644 ---- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_lcredit/rule.yml -+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_lcredit/rule.yml -@@ -51,3 +51,5 @@ ocil: |- -
$ grep lcredit /etc/security/pwquality.conf
- The lcredit parameter (as a negative number) will indicate how many special characters are required. - The DoD and FISMA require at least one lowercase character in a password. This would appear as lcredit = -1. -+ -+platform: pam -diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_ocredit/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_ocredit/rule.yml -index c39cc2a09b..d7f7083d27 100644 ---- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_ocredit/rule.yml -+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_ocredit/rule.yml -@@ -53,3 +53,5 @@ ocil: |- - The ocredit parameter (as a negative number) will indicate how many special characters are required. - The DoD and FISMA require at least one special character in a password. - This would appear as ocredit = -1. -+ -+platform: pam -diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/rule.yml -index c0f8ed8d6d..fea35e37a3 100644 ---- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/rule.yml -+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/rule.yml -@@ -46,3 +46,5 @@ ocil: |- - The retry parameter will indicate how many attempts are permitted. - The DoD required value is less than or equal to 3. - This would appear as retry=3, or a lower value. 
-+ -+platform: pam -diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_ucredit/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_ucredit/rule.yml -index 2222ac2297..a4ecdf969d 100644 ---- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_ucredit/rule.yml -+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_ucredit/rule.yml -@@ -50,3 +50,5 @@ ocil: |- - The ucredit parameter (as a negative number) will indicate how many uppercase characters are required. - The DoD and FISMA require at least one uppercase character in a password. - This would appear as ucredit = -1. -+ -+platform: pam -diff --git a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_libuserconf/rule.yml b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_libuserconf/rule.yml -index 0f6cf57e57..397bad4ea6 100644 ---- a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_libuserconf/rule.yml -+++ b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_libuserconf/rule.yml -@@ -55,3 +55,5 @@ ocil: |- - Inspect /etc/libuser.conf and ensure the following line appears - in the [default] section: -
crypt_style = sha512
-+ -+platform: libuser -diff --git a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_logindefs/rule.yml b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_logindefs/rule.yml -index a23a7863c9..84212c7648 100644 ---- a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_logindefs/rule.yml -+++ b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_logindefs/rule.yml -@@ -47,3 +47,5 @@ ocil_clause: 'it does not' - ocil: |- - Inspect /etc/login.defs and ensure the following line appears: -
ENCRYPT_METHOD SHA512
-+ -+platform: shadow-utils -diff --git a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/rule.yml b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/rule.yml -index 070e65fc3a..48e8ac427d 100644 ---- a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/rule.yml -+++ b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/rule.yml -@@ -65,3 +65,5 @@ ocil: |- - ensure that the pam_unix.so module includes the argument - sha512: -
$ grep sha512 /etc/pam.d/system-auth
-+ -+platform: pam -diff --git a/linux_os/guide/system/accounts/accounts-physical/disable_ctrlaltdel_burstaction/rule.yml b/linux_os/guide/system/accounts/accounts-physical/disable_ctrlaltdel_burstaction/rule.yml -index e215a41a91..d68bf2be38 100644 ---- a/linux_os/guide/system/accounts/accounts-physical/disable_ctrlaltdel_burstaction/rule.yml -+++ b/linux_os/guide/system/accounts/accounts-physical/disable_ctrlaltdel_burstaction/rule.yml -@@ -53,3 +53,5 @@ warnings: - key sequence if running in runlevel 6 (e.g. in GNOME, KDE, etc.)! The - Ctrl-Alt-Del key sequence will only be disabled if running in - the non-graphical runlevel 3. -+ -+platform: systemd -diff --git a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_login_defs/rule.yml b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_login_defs/rule.yml -index e9e327352b..a087ca8f6a 100644 ---- a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_login_defs/rule.yml -+++ b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_login_defs/rule.yml -@@ -41,3 +41,5 @@ ocil: |- - All output must show the value of umask set as shown in the below: -
# grep -i "UMASK" /etc/login.defs
-     umask 
-+ -+platform: shadow-utils -diff --git a/ssg/constants.py b/ssg/constants.py -index e87eb7f43c..8b3a792f10 100644 ---- a/ssg/constants.py -+++ b/ssg/constants.py -@@ -376,8 +376,10 @@ - XCCDF_PLATFORM_TO_CPE = { - "machine": "cpe:/a:machine", - "container": "cpe:/a:container", -+ "libuser": "cpe:/a:libuser", - "pam": "cpe:/a:pam", - "shadow-utils": "cpe:/a:shadow-utils", -+ "systemd": "cpe:/a:systemd", - } - - # Application constants - -From e884c6f090bf4a7963721b4948f18b05193cc0bb Mon Sep 17 00:00:00 2001 -From: Shawn Wells -Date: Wed, 3 Apr 2019 17:45:31 -0400 -Subject: [PATCH 07/11] Update LDAP check to evaluate for nss-pam-ldapd CPE - ---- - .../ldap_client_start_tls/rule.yml | 2 ++ - ...nstalled_env_has_nss-pam-ldapd_package.xml | 24 +++++++++++++++++++ - ssg/constants.py | 1 + - 3 files changed, 27 insertions(+) - create mode 100644 shared/checks/oval/installed_env_has_nss-pam-ldapd_package.xml - -diff --git a/linux_os/guide/services/ldap/openldap_client/ldap_client_start_tls/rule.yml b/linux_os/guide/services/ldap/openldap_client/ldap_client_start_tls/rule.yml -index c4839d7de5..22a9fd60d9 100644 ---- a/linux_os/guide/services/ldap/openldap_client/ldap_client_start_tls/rule.yml -+++ b/linux_os/guide/services/ldap/openldap_client/ldap_client_start_tls/rule.yml -@@ -48,3 +48,5 @@ ocil: |- -
$ grep start_tls /etc/pam_ldap.conf
- The result should contain: -
ssl start_tls
-+ -+platform: nss-pam-ldapd -diff --git a/shared/checks/oval/installed_env_has_nss-pam-ldapd_package.xml b/shared/checks/oval/installed_env_has_nss-pam-ldapd_package.xml -new file mode 100644 -index 0000000000..0637e4a64e ---- /dev/null -+++ b/shared/checks/oval/installed_env_has_nss-pam-ldapd_package.xml -@@ -0,0 +1,24 @@ -+ -+ -+ -+ Package nss-pam-ldapd is installed -+ -+ multi_platform_all -+ -+ Checks if package nss-pam-ldapd is installed. -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ nss-pam-ldapd -+ -+ -+ -diff --git a/ssg/constants.py b/ssg/constants.py -index 8b3a792f10..8d7a4cc290 100644 ---- a/ssg/constants.py -+++ b/ssg/constants.py -@@ -377,6 +377,7 @@ - "machine": "cpe:/a:machine", - "container": "cpe:/a:container", - "libuser": "cpe:/a:libuser", -+ "nss-pam-ldapd": "cpe:/a:nss-pam-ldapd", - "pam": "cpe:/a:pam", - "shadow-utils": "cpe:/a:shadow-utils", - "systemd": "cpe:/a:systemd", - -From 7cbbe94a051f3978592edb207b5fb178fd6d0e2f Mon Sep 17 00:00:00 2001 -From: Watson Sato -Date: Mon, 8 Apr 2019 15:55:08 +0200 -Subject: [PATCH 08/11] Update FIPS checks to evaluate if in machine - environment - ---- - .../software/integrity/fips/enable_dracut_fips_module/rule.yml | 2 ++ - .../integrity/fips/grub_legacy_enable_fips_mode/rule.yml | 2 ++ - .../integrity/fips/package_dracut-fips_installed/rule.yml | 2 ++ - 3 files changed, 6 insertions(+) - -diff --git a/linux_os/guide/system/software/integrity/fips/enable_dracut_fips_module/rule.yml b/linux_os/guide/system/software/integrity/fips/enable_dracut_fips_module/rule.yml -index 08faf42259..dbdf64d526 100644 ---- a/linux_os/guide/system/software/integrity/fips/enable_dracut_fips_module/rule.yml -+++ b/linux_os/guide/system/software/integrity/fips/enable_dracut_fips_module/rule.yml -@@ -48,3 +48,5 @@ warnings: -

- See {{{ weblink(link="http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/1401vend.htm") }}} - for a list of FIPS certified vendors. -+ -+platform: machine -diff --git a/linux_os/guide/system/software/integrity/fips/grub_legacy_enable_fips_mode/rule.yml b/linux_os/guide/system/software/integrity/fips/grub_legacy_enable_fips_mode/rule.yml -index f112bddacd..6761b8736d 100644 ---- a/linux_os/guide/system/software/integrity/fips/grub_legacy_enable_fips_mode/rule.yml -+++ b/linux_os/guide/system/software/integrity/fips/grub_legacy_enable_fips_mode/rule.yml -@@ -50,3 +50,5 @@ warnings: -

- See {{{ weblink(link="http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/1401vend.htm") }}} - for a list of FIPS certified vendors. -+ -+platform: machine -diff --git a/linux_os/guide/system/software/integrity/fips/package_dracut-fips_installed/rule.yml b/linux_os/guide/system/software/integrity/fips/package_dracut-fips_installed/rule.yml -index c1f6e515e6..055ec8f774 100644 ---- a/linux_os/guide/system/software/integrity/fips/package_dracut-fips_installed/rule.yml -+++ b/linux_os/guide/system/software/integrity/fips/package_dracut-fips_installed/rule.yml -@@ -37,3 +37,5 @@ references: - ocil_clause: 'the package is not installed' - - ocil: '{{{ ocil_package(package="dracut-fips") }}}' -+ -+platform: machine - -From 86704595eb3500a8ef15f5fc0c1412d000c201d1 Mon Sep 17 00:00:00 2001 -From: Watson Sato -Date: Mon, 8 Apr 2019 16:15:45 +0200 -Subject: [PATCH 09/11] Update CPE package check to handle deb packages - ---- - .../oval/installed_env_has_libuser_package.xml | 15 ++++++++++++++- - .../installed_env_has_nss-pam-ldapd_package.xml | 15 ++++++++++++++- - .../checks/oval/installed_env_has_pam_package.xml | 15 ++++++++++++++- - .../installed_env_has_shadow-utils_package.xml | 15 ++++++++++++++- - .../oval/installed_env_has_systemd_package.xml | 15 ++++++++++++++- - 5 files changed, 70 insertions(+), 5 deletions(-) - -diff --git a/shared/checks/oval/installed_env_has_libuser_package.xml b/shared/checks/oval/installed_env_has_libuser_package.xml -index ee79b19f8a..b848337b0e 100644 ---- a/shared/checks/oval/installed_env_has_libuser_package.xml -+++ b/shared/checks/oval/installed_env_has_libuser_package.xml -@@ -14,11 +14,24 @@ - - - -- -+{{% if pkg_system == "rpm" %}} -+ - - - - libuser - -+{{% elif pkg_system == "dpkg" %}} -+ -+ -+ -+ -+ libuser -+ -+{{% endif %}} - - -diff --git a/shared/checks/oval/installed_env_has_nss-pam-ldapd_package.xml b/shared/checks/oval/installed_env_has_nss-pam-ldapd_package.xml -index 0637e4a64e..748f68f60f 100644 ---- 
a/shared/checks/oval/installed_env_has_nss-pam-ldapd_package.xml -+++ b/shared/checks/oval/installed_env_has_nss-pam-ldapd_package.xml -@@ -14,11 +14,24 @@ - - - -- -+{{% if pkg_system == "rpm" %}} -+ - - - - nss-pam-ldapd - -+{{% elif pkg_system == "dpkg" %}} -+ -+ -+ -+ -+ nss-pam-ldapd -+ -+{{% endif %}} - - -diff --git a/shared/checks/oval/installed_env_has_pam_package.xml b/shared/checks/oval/installed_env_has_pam_package.xml -index b6376575b2..dee3bcd26f 100644 ---- a/shared/checks/oval/installed_env_has_pam_package.xml -+++ b/shared/checks/oval/installed_env_has_pam_package.xml -@@ -15,11 +15,24 @@ - - - -- -+{{% if pkg_system == "rpm" %}} -+ - - - - pam - -+{{% elif pkg_system == "dpkg" %}} -+ -+ -+ -+ -+ pam -+ -+{{% endif %}} - - -diff --git a/shared/checks/oval/installed_env_has_shadow-utils_package.xml b/shared/checks/oval/installed_env_has_shadow-utils_package.xml -index 12dd5bd565..11f40a324f 100644 ---- a/shared/checks/oval/installed_env_has_shadow-utils_package.xml -+++ b/shared/checks/oval/installed_env_has_shadow-utils_package.xml -@@ -14,11 +14,24 @@ - - - -- -+{{% if pkg_system == "rpm" %}} -+ - - - - shadow-utils - -+{{% elif pkg_system == "dpkg" %}} -+ -+ -+ -+ -+ shadow-utils -+ -+{{% endif %}} - - -diff --git a/shared/checks/oval/installed_env_has_systemd_package.xml b/shared/checks/oval/installed_env_has_systemd_package.xml -index 99706ee1c6..2dfdff10cc 100644 ---- a/shared/checks/oval/installed_env_has_systemd_package.xml -+++ b/shared/checks/oval/installed_env_has_systemd_package.xml -@@ -14,11 +14,24 @@ - - - -- -+{{% if pkg_system == "rpm" %}} -+ - - - - systemd - -+{{% elif pkg_system == "dpkg" %}} -+ -+ -+ -+ -+ systemd -+ -+{{% endif %}} - - - -From d8dfd5c10412bc3ecd180325c4a1cc997e6e2b8f Mon Sep 17 00:00:00 2001 -From: Watson Sato -Date: Mon, 8 Apr 2019 16:25:27 +0200 -Subject: [PATCH 10/11] Add yum CPE and update rules plaforms - ---- - .../clean_components_post_updating/rule.yml | 2 + - .../rule.yml | 2 + - 
.../ensure_gpgcheck_local_packages/rule.yml | 2 + - .../ensure_gpgcheck_repo_metadata/rule.yml | 2 + - .../oval/installed_env_has_yum_package.xml | 37 +++++++++++++++++++ - ssg/constants.py | 1 + - 6 files changed, 46 insertions(+) - create mode 100644 shared/checks/oval/installed_env_has_yum_package.xml - -diff --git a/linux_os/guide/system/software/updating/clean_components_post_updating/rule.yml b/linux_os/guide/system/software/updating/clean_components_post_updating/rule.yml -index d5f0756c2a..9bbcadea11 100644 ---- a/linux_os/guide/system/software/updating/clean_components_post_updating/rule.yml -+++ b/linux_os/guide/system/software/updating/clean_components_post_updating/rule.yml -@@ -40,3 +40,5 @@ ocil: |- -
$ grep clean_requirements_on_remove {{{ pkg_manager_config_file }}}
- The output should return something similar to: -
clean_requirements_on_remove=1
-+ -+platform: yum -diff --git a/linux_os/guide/system/software/updating/ensure_gpgcheck_globally_activated/rule.yml b/linux_os/guide/system/software/updating/ensure_gpgcheck_globally_activated/rule.yml -index 73e29ae1a5..b19e178026 100644 ---- a/linux_os/guide/system/software/updating/ensure_gpgcheck_globally_activated/rule.yml -+++ b/linux_os/guide/system/software/updating/ensure_gpgcheck_globally_activated/rule.yml -@@ -67,3 +67,5 @@ ocil: |- - A value of 1 indicates that gpgcheck is enabled. Absence of a - gpgcheck line or a setting of 0 indicates that it is - disabled. -+ -+platform: yum -diff --git a/linux_os/guide/system/software/updating/ensure_gpgcheck_local_packages/rule.yml b/linux_os/guide/system/software/updating/ensure_gpgcheck_local_packages/rule.yml -index 7d94688af4..d1ffba4d4e 100644 ---- a/linux_os/guide/system/software/updating/ensure_gpgcheck_local_packages/rule.yml -+++ b/linux_os/guide/system/software/updating/ensure_gpgcheck_local_packages/rule.yml -@@ -47,3 +47,5 @@ ocil: |- -
$ grep localpkg_gpgcheck {{{ pkg_manager_config_file }}}
- The output should return something similar to: -
localpkg_gpgcheck=1
-+ -+platform: yum -diff --git a/linux_os/guide/system/software/updating/ensure_gpgcheck_repo_metadata/rule.yml b/linux_os/guide/system/software/updating/ensure_gpgcheck_repo_metadata/rule.yml -index aa3aa83f70..4f8a76652c 100644 ---- a/linux_os/guide/system/software/updating/ensure_gpgcheck_repo_metadata/rule.yml -+++ b/linux_os/guide/system/software/updating/ensure_gpgcheck_repo_metadata/rule.yml -@@ -55,3 +55,5 @@ ocil: |- -
$ grep repo_gpgcheck {{{ pkg_manager_config_file }}}
- The output should return something similar to: -
repo_gpgcheck=1
-+ -+platform: yum -diff --git a/shared/checks/oval/installed_env_has_yum_package.xml b/shared/checks/oval/installed_env_has_yum_package.xml -new file mode 100644 -index 0000000000..916d568062 ---- /dev/null -+++ b/shared/checks/oval/installed_env_has_yum_package.xml -@@ -0,0 +1,37 @@ -+ -+ -+ -+ Package yum is installed -+ -+ multi_platform_all -+ -+ Checks if package yum is installed. -+ -+ -+ -+ -+ -+ -+ -+{{% if pkg_system == "rpm" %}} -+ -+ -+ -+ -+ yum -+ -+{{% elif pkg_system == "dpkg" %}} -+ -+ -+ -+ -+ yum -+ -+{{% endif %}} -+ -+ -diff --git a/ssg/constants.py b/ssg/constants.py -index 8d7a4cc290..94d9d8c180 100644 ---- a/ssg/constants.py -+++ b/ssg/constants.py -@@ -381,6 +381,7 @@ - "pam": "cpe:/a:pam", - "shadow-utils": "cpe:/a:shadow-utils", - "systemd": "cpe:/a:systemd", -+ "yum": "cpe:/a:yum", - } - - # Application constants - -From b7250b641c3d533d10a8e633094cf6421b0c34dc Mon Sep 17 00:00:00 2001 -From: Watson Sato -Date: Mon, 8 Apr 2019 18:00:19 +0200 -Subject: [PATCH 11/11] Update rhel7 cpe-dictionary - ---- - rhel7/cpe/rhel7-cpe-dictionary.xml | 25 +++++++++++++++++++++++++ - 1 file changed, 25 insertions(+) - -diff --git a/rhel7/cpe/rhel7-cpe-dictionary.xml b/rhel7/cpe/rhel7-cpe-dictionary.xml -index 44fe06f103..d64c18e846 100644 ---- a/rhel7/cpe/rhel7-cpe-dictionary.xml -+++ b/rhel7/cpe/rhel7-cpe-dictionary.xml -@@ -47,9 +47,34 @@ - - installed_env_is_a_machine -
-+ -+ Package libuser is installed -+ -+ installed_env_has_libuser_package -+ -+ -+ Package nss-pam-ldapd is installed -+ -+ installed_env_has_nss-pam-ldapd_package -+ -+ -+ Package pam is installed -+ -+ installed_env_has_pam_package -+ - - Package shadow-utils is installed - - installed_env_has_shadow-utils_package - -+ -+ Package systemd is installed -+ -+ installed_env_has_systemd_package -+ -+ -+ Package yum is installed -+ -+ installed_env_has_yum_package -+ - diff --git a/SOURCES/scap-security-guide-0.1.44-cpe-remaining.patch b/SOURCES/scap-security-guide-0.1.44-cpe-remaining.patch deleted file mode 100644 index bdb3fed..0000000 --- a/SOURCES/scap-security-guide-0.1.44-cpe-remaining.patch +++ /dev/null @@ -1,41 +0,0 @@ -From 51b6c4c3476608e298c65d402f6d897f1dd6b1aa Mon Sep 17 00:00:00 2001 -From: Watson Sato -Date: Wed, 10 Apr 2019 17:57:39 +0200 -Subject: [PATCH] Set various platform package CPE - ---- - .../accounts_password_pam_maxrepeat/rule.yml | 2 ++ - .../accounts-session/accounts_have_homedir_login_defs/rule.yml | 2 ++ - .../restrictions/coredumps/disable_users_coredumps/rule.yml | 2 ++ - 3 files changed, 6 insertions(+) - -diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_maxrepeat/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_maxrepeat/rule.yml -index d23b1d99d0..925288b4f3 100644 ---- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_maxrepeat/rule.yml -+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_maxrepeat/rule.yml -@@ -46,3 +46,5 @@ ocil: |- -
$ grep maxrepeat /etc/security/pwquality.conf
- Look for the value of the maxrepeat parameter. The DoD requirement is 3, which would appear as - maxrepeat=3. -+ -+platform: pam -diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_have_homedir_login_defs/rule.yml b/linux_os/guide/system/accounts/accounts-session/accounts_have_homedir_login_defs/rule.yml -index 300f409ca3..215565460c 100644 ---- a/linux_os/guide/system/accounts/accounts-session/accounts_have_homedir_login_defs/rule.yml -+++ b/linux_os/guide/system/accounts/accounts-session/accounts_have_homedir_login_defs/rule.yml -@@ -32,3 +32,5 @@ ocil: |- -

-
$ sudo grep create_home /etc/login.defs
-

-+ -+platform: shadow-utils -diff --git a/linux_os/guide/system/permissions/restrictions/coredumps/disable_users_coredumps/rule.yml b/linux_os/guide/system/permissions/restrictions/coredumps/disable_users_coredumps/rule.yml -index 99c2521afa..0e30d0d7ee 100644 ---- a/linux_os/guide/system/permissions/restrictions/coredumps/disable_users_coredumps/rule.yml -+++ b/linux_os/guide/system/permissions/restrictions/coredumps/disable_users_coredumps/rule.yml -@@ -37,3 +37,5 @@ ocil: |- -
$ grep core /etc/security/limits.conf
- The output should be: -
*     hard   core    0
-+ -+platform: pam diff --git a/SOURCES/scap-security-guide-0.1.44-cpe-shadow-utils.patch b/SOURCES/scap-security-guide-0.1.44-cpe-shadow-utils.patch deleted file mode 100644 index bc99269..0000000 --- a/SOURCES/scap-security-guide-0.1.44-cpe-shadow-utils.patch +++ /dev/null 
@@ -1,158 +0,0 @@ -From 2e618f9239de966ec167f7b43ae854650a3421ad Mon Sep 17 00:00:00 2001 -From: Watson Sato -Date: Wed, 3 Apr 2019 18:05:15 +0200 -Subject: [PATCH 1/3] Introduce CPE shadow-utils - -- Add inventory OVAL check for shadow-utils package installed -- Add shadow-utils CPE to RHEL7 dictionary ---- - rhel7/cpe/rhel7-cpe-dictionary.xml | 5 ++++ - ...installed_env_has_shadow-utils_package.xml | 24 +++++++++++++++++++ - 2 files changed, 29 insertions(+) - create mode 100644 shared/checks/oval/installed_env_has_shadow-utils_package.xml - -diff --git a/rhel7/cpe/rhel7-cpe-dictionary.xml b/rhel7/cpe/rhel7-cpe-dictionary.xml -index 23541378f8..44fe06f103 100644 ---- a/rhel7/cpe/rhel7-cpe-dictionary.xml -+++ b/rhel7/cpe/rhel7-cpe-dictionary.xml -@@ -47,4 +47,9 @@ - - installed_env_is_a_machine - -+ -+ Package shadow-utils is installed -+ -+ installed_env_has_shadow-utils_package -+ - -diff --git a/shared/checks/oval/installed_env_has_shadow-utils_package.xml b/shared/checks/oval/installed_env_has_shadow-utils_package.xml -new file mode 100644 -index 0000000000..12dd5bd565 ---- /dev/null -+++ b/shared/checks/oval/installed_env_has_shadow-utils_package.xml -@@ -0,0 +1,24 @@ -+ -+ -+ -+ Package shadow-utils is installed -+ -+ multi_platform_all -+ -+ Checks if package shadow-utils is installed. -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ shadow-utils -+ -+ -+ - -From 06650f96e4e880c90a23eaf565e70d37a175aa47 Mon Sep 17 00:00:00 2001 -From: Watson Sato -Date: Wed, 3 Apr 2019 18:10:33 +0200 -Subject: [PATCH 2/3] Rules are applicable when shadow-utils installed - -If package shadow-utils is not installed, the rule will result in -notapplicable. 
---- - .../account_disable_post_pw_expiration/rule.yml | 2 ++ - .../accounts_maximum_age_login_defs/rule.yml | 2 ++ - .../accounts_minimum_age_login_defs/rule.yml | 2 ++ - .../accounts_password_minlen_login_defs/rule.yml | 2 ++ - .../accounts_password_warn_age_login_defs/rule.yml | 2 ++ - .../accounts-session/accounts_logon_fail_delay/rule.yml | 2 ++ - 6 files changed, 12 insertions(+) - -diff --git a/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_disable_post_pw_expiration/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_disable_post_pw_expiration/rule.yml -index 9d19274f1c..d8b29b6436 100644 ---- a/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_disable_post_pw_expiration/rule.yml -+++ b/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_disable_post_pw_expiration/rule.yml -@@ -62,3 +62,5 @@ ocil: |- - to an appropriate integer as shown in the example below: -
$ grep "INACTIVE" /etc/default/useradd
-     INACTIVE=
-+ -+platform: shadow-utils -diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/rule.yml -index 90dc1b4f2b..de322bc787 100644 ---- a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/rule.yml -+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/rule.yml -@@ -55,3 +55,5 @@ ocil: |- -
$ grep PASS_MAX_DAYS /etc/login.defs
- The DoD and FISMA requirement is 60. - A value of 180 days is sufficient for many environments. -+ -+platform: shadow-utils -diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_minimum_age_login_defs/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_minimum_age_login_defs/rule.yml -index 88706c8b3e..dd7030cd0a 100644 ---- a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_minimum_age_login_defs/rule.yml -+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_minimum_age_login_defs/rule.yml -@@ -49,3 +49,5 @@ ocil_clause: 'it is not equal to or greater than the required value' - ocil: |- - To check the minimum password age, run the command: -
$ grep PASS_MIN_DAYS /etc/login.defs
-+ -+platform: shadow-utils -diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_minlen_login_defs/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_minlen_login_defs/rule.yml -index 814fda94b9..d38ee253fb 100644 ---- a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_minlen_login_defs/rule.yml -+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_minlen_login_defs/rule.yml -@@ -51,3 +51,5 @@ ocil: |- - To check the minimum password length, run the command: -
$ grep PASS_MIN_LEN /etc/login.defs
- The DoD requirement is 15. -+ -+platform: shadow-utils -diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_warn_age_login_defs/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_warn_age_login_defs/rule.yml -index d8947ad9fd..85b5cd762f 100644 ---- a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_warn_age_login_defs/rule.yml -+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_warn_age_login_defs/rule.yml -@@ -40,3 +40,5 @@ ocil: |- - To check the password warning age, run the command: -
$ grep PASS_WARN_AGE /etc/login.defs
- The DoD requirement is 7. -+ -+platform: shadow-utils -diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_logon_fail_delay/rule.yml b/linux_os/guide/system/accounts/accounts-session/accounts_logon_fail_delay/rule.yml -index 171051e138..33fc873e97 100644 ---- a/linux_os/guide/system/accounts/accounts-session/accounts_logon_fail_delay/rule.yml -+++ b/linux_os/guide/system/accounts/accounts-session/accounts_logon_fail_delay/rule.yml -@@ -37,3 +37,5 @@ ocil: |- - All output must show the value of FAIL_DELAY set as shown in the below: -
$ sudo grep -i "FAIL_DELAY" /etc/login.defs
-     fail_delay 
-+ -+platform: shadow-utils - -From 63ab7328a57c185734037a124eab2ab8ac740e82 Mon Sep 17 00:00:00 2001 -From: Watson Sato -Date: Wed, 3 Apr 2019 18:14:58 +0200 -Subject: [PATCH 3/3] Map shadow-utils platform to CPE name - ---- - ssg/constants.py | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - -diff --git a/ssg/constants.py b/ssg/constants.py -index b80382be3d..f96fd51790 100644 ---- a/ssg/constants.py -+++ b/ssg/constants.py -@@ -375,7 +375,8 @@ - - XCCDF_PLATFORM_TO_CPE = { - "machine": "cpe:/a:machine", -- "container": "cpe:/a:container" -+ "container": "cpe:/a:container", -+ "shadow-utils": "cpe:/a:shadow-utils", - } - - # Application constants diff --git a/SOURCES/scap-security-guide-0.1.44-deduplicate_cce_assigned_to_rules.patch b/SOURCES/scap-security-guide-0.1.44-deduplicate_cce_assigned_to_rules.patch deleted file mode 100644 index 3ca8f90..0000000 --- a/SOURCES/scap-security-guide-0.1.44-deduplicate_cce_assigned_to_rules.patch +++ /dev/null 
@@ -1,97 +0,0 @@ -commit 270af4a39fe2688fafbe3f91c383673f0fdcb2f2 -Author: Gabriel Becker -Date: Thu Apr 25 16:43:30 2019 +0200 - - Remove duplicated assigned CCEs from rules and assign new ones to them. - -diff --git a/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_temp_expire_date/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_temp_expire_date/rule.yml -index 0b2e278..72b5f77 100644 ---- a/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_temp_expire_date/rule.yml -+++ b/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_temp_expire_date/rule.yml -@@ -29,7 +29,7 @@ severity: unknown - - identifiers: - cce@rhel6: 27474-6 -- cce@rhel7: 27498-5 -+ cce@rhel7: 81000-2 - - references: - stigid@rhel6: RHEL-06-000297 -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_rename/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_rename/rule.yml -index c25cfbb..31338ea 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_rename/rule.yml -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_rename/rule.yml -@@ -26,7 +26,7 @@ rationale: |- - severity: medium - - identifiers: -- cce@rhel7: 27206-2 -+ cce@rhel7: 80995-4 - cce@rhel8: 80703-2 - - references: -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_unlink/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_unlink/rule.yml -index 5b1ff7b..b11acd8 100644 ---- 
a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_unlink/rule.yml -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_unlink/rule.yml -@@ -26,7 +26,7 @@ rationale: |- - severity: medium - - identifiers: -- cce@rhel7: 27206-2 -+ cce@rhel7: 80996-2 - cce@rhel8: 80706-5 - - references: -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_tallylog/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_tallylog/rule.yml -index 26c31e9..397e0cf 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_tallylog/rule.yml -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_tallylog/rule.yml -@@ -25,7 +25,7 @@ rationale: |- - severity: medium - - identifiers: -- cce@rhel7: 80382-5 -+ cce@rhel7: 80994-7 - cce@rhel8: 80720-6 - - references: -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/rule.yml -index 92564b9..f0e2d2e 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/rule.yml -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/rule.yml -@@ -28,7 +28,7 @@ rationale: |- - severity: medium - - identifiers: -- cce@rhel7: 80381-7 -+ cce@rhel7: 80997-0 - cce@rhel8: 80744-6 - - references: -diff --git a/linux_os/guide/system/network/network-firewalld/firewalld_activation/service_firewalld_enabled/rule.yml b/linux_os/guide/system/network/network-firewalld/firewalld_activation/service_firewalld_enabled/rule.yml -index edc747c..6309aee 100644 ---- 
a/linux_os/guide/system/network/network-firewalld/firewalld_activation/service_firewalld_enabled/rule.yml -+++ b/linux_os/guide/system/network/network-firewalld/firewalld_activation/service_firewalld_enabled/rule.yml -@@ -14,7 +14,7 @@ rationale: |- - severity: medium - - identifiers: -- cce@rhel7: 27361-5 -+ cce@rhel7: 80998-8 - cce@rhel8: 80877-4 - - references: -diff --git a/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_conf_default_send_redirects/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_conf_default_send_redirects/rule.yml -index 44174ba..45db89d 100644 ---- a/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_conf_default_send_redirects/rule.yml -+++ b/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_conf_default_send_redirects/rule.yml -@@ -17,7 +17,7 @@ severity: medium - - identifiers: - cce@rhel6: 27001-7 -- cce@rhel7: 80156-3 -+ cce@rhel7: 80999-6 - cce@rhel8: 80921-0 - - references: diff --git a/SOURCES/scap-security-guide-0.1.44-deduplicate_cce_assigned_to_rules2.patch b/SOURCES/scap-security-guide-0.1.44-deduplicate_cce_assigned_to_rules2.patch deleted file mode 100644 index 4decb97..0000000 --- a/SOURCES/scap-security-guide-0.1.44-deduplicate_cce_assigned_to_rules2.patch +++ /dev/null 
@@ -1,80 +0,0 @@ -From 74177471031fb6c4348c28b2bdda72999d9f52bf Mon Sep 17 00:00:00 2001 -From: Gabriel Becker -Date: Thu, 9 May 2019 17:23:36 +0200 -Subject: [PATCH] Deduplicate CCE from rule force_opensc_card_drivers. - ---- - .../smart_card_login/force_opensc_card_drivers/rule.yml | 2 +- - shared/references/cce-rhel-avail.txt | 1 - - 2 files changed, 1 insertion(+), 2 deletions(-) - -diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/force_opensc_card_drivers/rule.yml b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/force_opensc_card_drivers/rule.yml -index 717b570f05..cc934eb0cb 100644 ---- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/force_opensc_card_drivers/rule.yml -+++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/force_opensc_card_drivers/rule.yml -@@ -27,7 +27,7 @@ rationale: |- - severity: medium - - identifiers: -- cce@rhel7: 80207-4 -+ cce@rhel7: 81002-8 - cce@rhel8: 80821-2 - - references: -diff --git a/shared/references/cce-rhel-avail.txt b/shared/references/cce-rhel-avail.txt -index a08b2ed5dc..3cc6d0a916 100644 ---- a/shared/references/cce-rhel-avail.txt -+++ b/shared/references/cce-rhel-avail.txt -@@ -1,52 +1,3 @@ --CCE-80954-1 --CCE-80955-8 --CCE-80956-6 --CCE-80957-4 --CCE-80958-2 --CCE-80959-0 --CCE-80960-8 --CCE-80961-6 --CCE-80962-4 --CCE-80963-2 --CCE-80964-0 --CCE-80965-7 --CCE-80966-5 --CCE-80967-3 --CCE-80968-1 --CCE-80969-9 --CCE-80970-7 --CCE-80971-5 --CCE-80972-3 --CCE-80973-1 --CCE-80974-9 --CCE-80975-6 --CCE-80976-4 --CCE-80977-2 --CCE-80978-0 --CCE-80979-8 --CCE-80980-6 --CCE-80981-4 --CCE-80982-2 --CCE-80983-0 --CCE-80984-8 --CCE-80985-5 --CCE-80986-3 --CCE-80987-1 --CCE-80988-9 --CCE-80989-7 --CCE-80990-5 --CCE-80991-3 --CCE-80992-1 --CCE-80993-9 --CCE-80994-7 --CCE-80995-4 --CCE-80996-2 --CCE-80997-0 --CCE-80998-8 --CCE-80999-6 --CCE-81000-2 --CCE-81001-0 --CCE-81002-8 - 
CCE-81003-6 - CCE-81004-4 - CCE-81005-1 diff --git a/SOURCES/scap-security-guide-0.1.44-fix_ansible_sssd_tasks.patch b/SOURCES/scap-security-guide-0.1.44-fix_ansible_sssd_tasks.patch deleted file mode 100644 index 43034fb..0000000 --- a/SOURCES/scap-security-guide-0.1.44-fix_ansible_sssd_tasks.patch +++ /dev/null 
@@ -1,415 +0,0 @@ -From b3a0d725611897e2aa1577cc64c58572703f9d21 Mon Sep 17 00:00:00 2001 -From: Watson Sato -Date: Thu, 14 Mar 2019 17:07:13 +0100 -Subject: [PATCH 1/5] Create /etc/sssd/sssd/conf with correct permissions - -Only owner of file should be able to access it. ---- - .../sssd-ldap/sssd_ldap_configure_tls_ca_dir/ansible/shared.yml | 2 ++ - .../sssd/sssd-ldap/sssd_ldap_start_tls/ansible/shared.yml | 2 ++ - .../services/sssd/sssd_enable_smartcards/ansible/shared.yml | 1 + - .../services/sssd/sssd_memcache_timeout/ansible/shared.yml | 1 + - .../sssd/sssd_offline_cred_expiration/ansible/shared.yml | 1 + - .../sssd/sssd_ssh_known_hosts_timeout/ansible/shared.yml | 1 + - 6 files changed, 8 insertions(+) - -diff --git a/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_ca_dir/ansible/shared.yml b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_ca_dir/ansible/shared.yml -index ecea440bf..171a3d1ac 100644 ---- a/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_ca_dir/ansible/shared.yml -+++ b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_ca_dir/ansible/shared.yml -@@ -18,6 +18,7 @@ - path: /etc/sssd/sssd.conf - create: yes - line: "[domain/default]\nldap_tls_cacertdir = {{ var_sssd_ldap_tls_ca_dir }}\n" -+ mode: 0600 - when: test_grep_domain.stdout == "" and @ANSIBLE_PLATFORM_CONDITION@ - tags: - @ANSIBLE_TAGS@ -@@ -28,6 +29,7 @@ - regexp: '^\s*ldap_tls_cacertdir' - insertafter: '\s*\[domain\/[^]]*]' - line: 'ldap_tls_cacertdir = {{ var_sssd_ldap_tls_ca_dir }}' -+ mode: 0600 - tags: - @ANSIBLE_TAGS@ - @ANSIBLE_ENSURE_PLATFORM@ -diff --git a/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_start_tls/ansible/shared.yml b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_start_tls/ansible/shared.yml -index 8941c953a..86915ae7d 100644 ---- a/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_start_tls/ansible/shared.yml -+++ b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_start_tls/ansible/shared.yml -@@ 
-26,6 +26,7 @@ - lineinfile: - path: /etc/sssd/sssd.conf - line: "[domain/default]\nldap_id_use_start_tls = True\n" -+ mode: 0600 - when: test_grep_domain.stdout == "" and @ANSIBLE_PLATFORM_CONDITION@ - tags: - @ANSIBLE_TAGS@ -@@ -36,6 +37,7 @@ - regexp: '^\s*ldap_id_use_start_tls' - insertafter: '\s*\[domain\/[^]]*]' - line: 'ldap_id_use_start_tls = True' -+ mode: 0600 - tags: - @ANSIBLE_TAGS@ - @ANSIBLE_ENSURE_PLATFORM@ -diff --git a/linux_os/guide/services/sssd/sssd_enable_smartcards/ansible/shared.yml b/linux_os/guide/services/sssd/sssd_enable_smartcards/ansible/shared.yml -index a42f8ec20..b4ec2b6a1 100644 ---- a/linux_os/guide/services/sssd/sssd_enable_smartcards/ansible/shared.yml -+++ b/linux_os/guide/services/sssd/sssd_enable_smartcards/ansible/shared.yml -@@ -10,6 +10,7 @@ - option: pam_cert_auth - value: true - create: yes -+ mode: 0600 - tags: - @ANSIBLE_TAGS@ - @ANSIBLE_ENSURE_PLATFORM@ -diff --git a/linux_os/guide/services/sssd/sssd_memcache_timeout/ansible/shared.yml b/linux_os/guide/services/sssd/sssd_memcache_timeout/ansible/shared.yml -index 88abc9346..29d8bced6 100644 ---- a/linux_os/guide/services/sssd/sssd_memcache_timeout/ansible/shared.yml -+++ b/linux_os/guide/services/sssd/sssd_memcache_timeout/ansible/shared.yml -@@ -12,6 +12,7 @@ - option: memcache_timeout - value: "{{ var_sssd_memcache_timeout }}" - create: yes -+ mode: 0600 - tags: - @ANSIBLE_TAGS@ - @ANSIBLE_ENSURE_PLATFORM@ -diff --git a/linux_os/guide/services/sssd/sssd_offline_cred_expiration/ansible/shared.yml b/linux_os/guide/services/sssd/sssd_offline_cred_expiration/ansible/shared.yml -index 01d8a94c2..e999417c6 100644 ---- a/linux_os/guide/services/sssd/sssd_offline_cred_expiration/ansible/shared.yml -+++ b/linux_os/guide/services/sssd/sssd_offline_cred_expiration/ansible/shared.yml -@@ -10,6 +10,7 @@ - option: offline_credentials_expiration - value: 1 - create: yes -+ mode: 0600 - tags: - @ANSIBLE_TAGS@ - @ANSIBLE_ENSURE_PLATFORM@ -diff --git 
a/linux_os/guide/services/sssd/sssd_ssh_known_hosts_timeout/ansible/shared.yml b/linux_os/guide/services/sssd/sssd_ssh_known_hosts_timeout/ansible/shared.yml -index 6f9673f75..f4d4d11da 100644 ---- a/linux_os/guide/services/sssd/sssd_ssh_known_hosts_timeout/ansible/shared.yml -+++ b/linux_os/guide/services/sssd/sssd_ssh_known_hosts_timeout/ansible/shared.yml -@@ -10,6 +10,7 @@ - option: ssh_known_hosts_timeout - value: 86400 - create: yes -+ mode: 0600 - tags: - @ANSIBLE_TAGS@ - @ANSIBLE_ENSURE_PLATFORM@ --- -2.20.1 - - -From be5a09c6dc83f16654022a0c006b210020a5ba7c Mon Sep 17 00:00:00 2001 -From: Watson Sato -Date: Thu, 14 Mar 2019 17:12:39 +0100 -Subject: [PATCH 2/5] Use ini_file to deal with sssd config file - -Much simpler then lineinfile module ---- - .../sssd_ldap_configure_tls_ca_dir/ansible/shared.yml | 11 ++++++----- - .../sssd-ldap/sssd_ldap_start_tls/ansible/shared.yml | 11 ++++++----- - 2 files changed, 12 insertions(+), 10 deletions(-) - -diff --git a/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_ca_dir/ansible/shared.yml b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_ca_dir/ansible/shared.yml -index 171a3d1ac..1689e2b43 100644 ---- a/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_ca_dir/ansible/shared.yml -+++ b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_ca_dir/ansible/shared.yml -@@ -24,13 +24,14 @@ - @ANSIBLE_TAGS@ - - - name: "Configure LDAPs path to CA directory" -- lineinfile: -+ ini_file: - path: /etc/sssd/sssd.conf -- regexp: '^\s*ldap_tls_cacertdir' -- insertafter: '\s*\[domain\/[^]]*]' -- line: 'ldap_tls_cacertdir = {{ var_sssd_ldap_tls_ca_dir }}' -+ section: "{{ test_grep_domain.stdout | regex_replace('\\[(.*)\\]','\\1') }}" -+ option: ldap_tls_cacertdir -+ value: "{{ var_sssd_ldap_tls_ca_dir }}" -+ create: yes - mode: 0600 -+ when: test_grep_domain.stdout == "" and @ANSIBLE_PLATFORM_CONDITION@ - tags: - @ANSIBLE_TAGS@ -- @ANSIBLE_ENSURE_PLATFORM@ - -diff --git 
a/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_start_tls/ansible/shared.yml b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_start_tls/ansible/shared.yml -index 86915ae7d..dbf546013 100644 ---- a/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_start_tls/ansible/shared.yml -+++ b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_start_tls/ansible/shared.yml -@@ -32,12 +32,13 @@ - @ANSIBLE_TAGS@ - - - name: "Configure LDAP to use STARTTLS" -- lineinfile: -+ ini_file: - path: /etc/sssd/sssd.conf -- regexp: '^\s*ldap_id_use_start_tls' -- insertafter: '\s*\[domain\/[^]]*]' -- line: 'ldap_id_use_start_tls = True' -+ section: "{{ test_grep_domain.stdout | regex_replace('[(.*)]','\\1') }}" -+ option: ldap_id_use_start_tls -+ value: true -+ create: yes - mode: 0600 -+ when: test_grep_domain.stdout == "" and @ANSIBLE_PLATFORM_CONDITION@ - tags: - @ANSIBLE_TAGS@ -- @ANSIBLE_ENSURE_PLATFORM@ --- -2.20.1 - - -From 857818d224c97e9cda954b76126b2cd8055901fa Mon Sep 17 00:00:00 2001 -From: Watson Sato -Date: Thu, 14 Mar 2019 17:13:30 +0100 -Subject: [PATCH 3/5] Use variable for ssh timeout - ---- - .../sssd/sssd_ssh_known_hosts_timeout/ansible/shared.yml | 4 +++- - 1 file changed, 3 insertions(+), 1 deletion(-) - -diff --git a/linux_os/guide/services/sssd/sssd_ssh_known_hosts_timeout/ansible/shared.yml b/linux_os/guide/services/sssd/sssd_ssh_known_hosts_timeout/ansible/shared.yml -index f4d4d11da..8f3d0029c 100644 ---- a/linux_os/guide/services/sssd/sssd_ssh_known_hosts_timeout/ansible/shared.yml -+++ b/linux_os/guide/services/sssd/sssd_ssh_known_hosts_timeout/ansible/shared.yml -@@ -3,12 +3,14 @@ - # strategy = unknown - # complexity = low - # disruption = medium -+- (xccdf-var sshd_idle_timeout_value) -+ - - name: "Configure SSSD to Expire SSH Known Hosts" - ini_file: - dest: /etc/sssd/sssd.conf - section: ssh - option: ssh_known_hosts_timeout -- value: 86400 -+ value: "{{ sshd_idle_timeout_value }}" - create: yes - mode: 0600 - tags: --- -2.20.1 - - -From 
4192b0982084c057b594acc508a5e3dc66549d60 Mon Sep 17 00:00:00 2001 -From: Watson Sato -Date: Thu, 14 Mar 2019 17:23:30 +0100 -Subject: [PATCH 4/5] Add minimal functional default/domain - -Add domain and its required keys with default value for sssd service to -start ---- - .../ansible/shared.yml | 10 ++++++++-- - .../sssd_ldap_start_tls/ansible/shared.yml | 12 ++++++++++-- - .../sssd_enable_smartcards/ansible/shared.yml | 18 ++++++++++++++++++ - .../sssd_memcache_timeout/ansible/shared.yml | 19 +++++++++++++++++++ - .../ansible/shared.yml | 19 +++++++++++++++++++ - .../ansible/shared.yml | 19 +++++++++++++++++++ - 6 files changed, 93 insertions(+), 4 deletions(-) - -diff --git a/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_ca_dir/ansible/shared.yml b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_ca_dir/ansible/shared.yml -index 1689e2b43..fe1a9ac07 100644 ---- a/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_ca_dir/ansible/shared.yml -+++ b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_ca_dir/ansible/shared.yml -@@ -14,11 +14,17 @@ - @ANSIBLE_ENSURE_PLATFORM@ - - - name: "Add default domain group and set CA directory (if no domain there)" -- lineinfile: -+ ini_file: - path: /etc/sssd/sssd.conf -+ section: "{{ item.section }}" -+ option: "{{ item.option }}" -+ value: "{{ item.value }}" - create: yes -- line: "[domain/default]\nldap_tls_cacertdir = {{ var_sssd_ldap_tls_ca_dir }}\n" - mode: 0600 -+ with_items: -+ - { section: sssd, option: domains, value: default} -+ - { section: domain/default, option: id_provider, value: files } -+ - { section: domain/default, option: ldap_tls_cacertdir, value: "{{ var_sssd_ldap_tls_ca_dir }}" } - when: test_grep_domain.stdout == "" and @ANSIBLE_PLATFORM_CONDITION@ - tags: - @ANSIBLE_TAGS@ -diff --git a/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_start_tls/ansible/shared.yml b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_start_tls/ansible/shared.yml -index 
dbf546013..9ebc53e0f 100644 ---- a/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_start_tls/ansible/shared.yml -+++ b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_start_tls/ansible/shared.yml -@@ -23,10 +23,18 @@ - @ANSIBLE_ENSURE_PLATFORM@ - - - name: "Add default domain group and use STARTTLS (if no domain there)" -- lineinfile: -+ ini_file: - path: /etc/sssd/sssd.conf -- line: "[domain/default]\nldap_id_use_start_tls = True\n" -+ section: domain/default -+ section: "{{ item.section }}" -+ option: "{{ item.option }}" -+ value: "{{ item.value }}" -+ create: yes - mode: 0600 -+ with_items: -+ - { section: sssd, option: domains, value: default} -+ - { section: domain/default, option: id_provider, value: files } -+ - { section: domain/default, option: ldap_id_use_start_tls, value: true} - when: test_grep_domain.stdout == "" and @ANSIBLE_PLATFORM_CONDITION@ - tags: - @ANSIBLE_TAGS@ -diff --git a/linux_os/guide/services/sssd/sssd_enable_smartcards/ansible/shared.yml b/linux_os/guide/services/sssd/sssd_enable_smartcards/ansible/shared.yml -index b4ec2b6a1..f6dbdf429 100644 ---- a/linux_os/guide/services/sssd/sssd_enable_smartcards/ansible/shared.yml -+++ b/linux_os/guide/services/sssd/sssd_enable_smartcards/ansible/shared.yml -@@ -3,6 +3,24 @@ - # strategy = configure - # complexity = low - # disruption = medium -+- name: "Test for domain group" -+ shell: grep '\s*\[domain\/[^]]*]' /etc/sssd/sssd.conf -+ register: test_grep_domain -+ ignore_errors: yes -+ changed_when: False -+ -+- name: "Add default domain group (if no domain there)" -+ ini_file: -+ path: /etc/sssd/sssd.conf -+ section: "{{ item.section }}" -+ option: "{{ item.option }}" -+ value: "{{ item.value }}" -+ create: yes -+ mode: 0600 -+ with_items: -+ - { section: sssd, option: domains, value: default} -+ - { section: domain/default, option: id_provider, value: files } -+ when: test_grep_domain.stdout == "" - - name: "Enable Smartcards in SSSD" - ini_file: - dest: /etc/sssd/sssd.conf -diff --git 
a/linux_os/guide/services/sssd/sssd_memcache_timeout/ansible/shared.yml b/linux_os/guide/services/sssd/sssd_memcache_timeout/ansible/shared.yml -index 29d8bced6..3cf2af44e 100644 ---- a/linux_os/guide/services/sssd/sssd_memcache_timeout/ansible/shared.yml -+++ b/linux_os/guide/services/sssd/sssd_memcache_timeout/ansible/shared.yml -@@ -5,6 +5,25 @@ - # disruption = medium - - (xccdf-var var_sssd_memcache_timeout) - -+- name: "Test for domain group" -+ shell: grep '\s*\[domain\/[^]]*]' /etc/sssd/sssd.conf -+ register: test_grep_domain -+ ignore_errors: yes -+ changed_when: False -+ -+- name: "Add default domain group (if no domain there)" -+ ini_file: -+ path: /etc/sssd/sssd.conf -+ section: "{{ item.section }}" -+ option: "{{ item.option }}" -+ value: "{{ item.value }}" -+ create: yes -+ mode: 0600 -+ with_items: -+ - { section: sssd, option: domains, value: default} -+ - { section: domain/default, option: id_provider, value: files } -+ when: test_grep_domain.stdout == "" -+ - - name: "Configure SSSD's Memory Cache to Expire" - ini_file: - dest: /etc/sssd/sssd.conf -diff --git a/linux_os/guide/services/sssd/sssd_offline_cred_expiration/ansible/shared.yml b/linux_os/guide/services/sssd/sssd_offline_cred_expiration/ansible/shared.yml -index e999417c6..f2cddfd2a 100644 ---- a/linux_os/guide/services/sssd/sssd_offline_cred_expiration/ansible/shared.yml -+++ b/linux_os/guide/services/sssd/sssd_offline_cred_expiration/ansible/shared.yml -@@ -3,6 +3,25 @@ - # strategy = configure - # complexity = low - # disruption = medium -+- name: "Test for domain group" -+ shell: grep '\s*\[domain\/[^]]*]' /etc/sssd/sssd.conf -+ register: test_grep_domain -+ ignore_errors: yes -+ changed_when: False -+ -+- name: "Add default domain group (if no domain there)" -+ ini_file: -+ path: /etc/sssd/sssd.conf -+ section: "{{ item.section }}" -+ option: "{{ item.option }}" -+ value: "{{ item.value }}" -+ create: yes -+ mode: 0600 -+ with_items: -+ - { section: sssd, option: domains, value: 
default} -+ - { section: domain/default, option: id_provider, value: files } -+ when: test_grep_domain.stdout == "" -+ - - name: "Configure SSD to Expire Offline Credentials" - ini_file: - dest: /etc/sssd/sssd.conf -diff --git a/linux_os/guide/services/sssd/sssd_ssh_known_hosts_timeout/ansible/shared.yml b/linux_os/guide/services/sssd/sssd_ssh_known_hosts_timeout/ansible/shared.yml -index 8f3d0029c..61bd79856 100644 ---- a/linux_os/guide/services/sssd/sssd_ssh_known_hosts_timeout/ansible/shared.yml -+++ b/linux_os/guide/services/sssd/sssd_ssh_known_hosts_timeout/ansible/shared.yml -@@ -5,6 +5,25 @@ - # disruption = medium - - (xccdf-var sshd_idle_timeout_value) - -+- name: "Test for domain group" -+ shell: grep '\s*\[domain\/[^]]*]' /etc/sssd/sssd.conf -+ register: test_grep_domain -+ ignore_errors: yes -+ changed_when: False -+ -+- name: "Add default domain group (if no domain there)" -+ ini_file: -+ path: /etc/sssd/sssd.conf -+ section: "{{ item.section }}" -+ option: "{{ item.option }}" -+ value: "{{ item.value }}" -+ create: yes -+ mode: 0600 -+ with_items: -+ - { section: sssd, option: domains, value: default} -+ - { section: domain/default, option: id_provider, value: files } -+ when: test_grep_domain.stdout == "" -+ - - name: "Configure SSSD to Expire SSH Known Hosts" - ini_file: - dest: /etc/sssd/sssd.conf --- -2.20.1 - - -From 48a230730a07d8a496c5cfe050934f24e031818a Mon Sep 17 00:00:00 2001 -From: Watson Sato -Date: Fri, 15 Mar 2019 11:42:39 +0100 -Subject: [PATCH 5/5] Escape square brackes in regex_replace - ---- - .../sssd/sssd-ldap/sssd_ldap_start_tls/ansible/shared.yml | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_start_tls/ansible/shared.yml b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_start_tls/ansible/shared.yml -index 9ebc53e0f..d0ecf8590 100644 ---- a/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_start_tls/ansible/shared.yml -+++ 
b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_start_tls/ansible/shared.yml -@@ -42,7 +42,7 @@ - - name: "Configure LDAP to use STARTTLS" - ini_file: - path: /etc/sssd/sssd.conf -- section: "{{ test_grep_domain.stdout | regex_replace('[(.*)]','\\1') }}" -+ section: "{{ test_grep_domain.stdout | regex_replace('\\[(.*)\\]','\\1') }}" - option: ldap_id_use_start_tls - value: true - create: yes --- -2.20.1 - diff --git a/SOURCES/scap-security-guide-0.1.44-fix_no_direct_root_logins_changed_when.patch b/SOURCES/scap-security-guide-0.1.44-fix_no_direct_root_logins_changed_when.patch deleted file mode 100644 index 8fab28c..0000000 --- a/SOURCES/scap-security-guide-0.1.44-fix_no_direct_root_logins_changed_when.patch +++ /dev/null @@ -1,23 +0,0 @@ -From 568ef0aecb14fc7a12255f207e407130d2980c42 Mon Sep 17 00:00:00 2001 -From: Watson Sato -Date: Thu, 28 Feb 2019 16:08:41 +0100 -Subject: [PATCH] Do not compare int and str - -securetty_empty.stat.size is int type. ---- - .../root_logins/no_direct_root_logins/ansible/shared.yml | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/ansible/shared.yml -index 397420f979..cf35f07bb4 100644 ---- a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/ansible/shared.yml -+++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/ansible/shared.yml -@@ -10,7 +10,7 @@ - - - name: "Direct root Logins Not Allowed" - shell: echo > /etc/securetty -- changed_when: securetty_empty.stat.size > "1" -+ changed_when: securetty_empty.stat.size > 1 - tags: - @ANSIBLE_TAGS@ - @ANSIBLE_ENSURE_PLATFORM@ 
diff --git a/SOURCES/scap-security-guide-0.1.44-fix_removed_sebooleans.patch b/SOURCES/scap-security-guide-0.1.44-fix_removed_sebooleans.patch
deleted file mode 100644
index 2715316..0000000
--- a/SOURCES/scap-security-guide-0.1.44-fix_removed_sebooleans.patch
+++ /dev/null
@@ -1,707 +0,0 @@ -From ca2288e312d232d058d6985d541353719a1800e9 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= -Date: Tue, 12 Mar 2019 08:47:50 +0100 -Subject: [PATCH 1/6] Rename SELinux Boolean docker_connect_any - -The SELinux Boolean docker_connect_any has been renamed to -container_connect_any in both RHEL7 and RHEL8. ---- - .../sebool_container_connect_any/rule.yml | 16 ++++++++++++++++ - .../sebool_docker_connect_any/rule.yml | 16 ---------------- - ...ect_any.var => var_container_connect_any.var} | 2 +- - rhel7/templates/csv/selinux_booleans.csv | 2 +- - rhv4/templates/csv/selinux_booleans.csv | 2 +- - 5 files changed, 19 insertions(+), 19 deletions(-) - create mode 100644 linux_os/guide/system/selinux/selinux-booleans/sebool_container_connect_any/rule.yml - delete mode 100644 linux_os/guide/system/selinux/selinux-booleans/sebool_docker_connect_any/rule.yml - rename linux_os/guide/system/selinux/selinux-booleans/{var_docker_connect_any.var => var_container_connect_any.var} (86%) - -diff --git a/linux_os/guide/system/selinux/selinux-booleans/sebool_container_connect_any/rule.yml b/linux_os/guide/system/selinux/selinux-booleans/sebool_container_connect_any/rule.yml -new file mode 100644 -index 0000000000..cb715fa66e ---- /dev/null -+++ b/linux_os/guide/system/selinux/selinux-booleans/sebool_container_connect_any/rule.yml -@@ -0,0 +1,16 @@ -+documentation_complete: true -+ -+prodtype: rhel7,rhel8 -+ -+title: 'Disable the container_connect_any SELinux Boolean' -+ -+description: |- -+ By default, the SELinux boolean container_connect_any is disabled. -+ If this setting is enabled, it should be disabled. 
-+ {{{ describe_sebool_disable(sebool="container_connect_any") }}} -+ -+rationale: "" -+ -+severity: medium -+ -+{{{ complete_ocil_entry_sebool_disabled(sebool="container_connect_any") }}} -diff --git a/linux_os/guide/system/selinux/selinux-booleans/sebool_docker_connect_any/rule.yml b/linux_os/guide/system/selinux/selinux-booleans/sebool_docker_connect_any/rule.yml -deleted file mode 100644 -index 7c2a65d076..0000000000 ---- a/linux_os/guide/system/selinux/selinux-booleans/sebool_docker_connect_any/rule.yml -+++ /dev/null -@@ -1,16 +0,0 @@ --documentation_complete: true -- --prodtype: rhel7,rhel8 -- --title: 'Disable the docker_connect_any SELinux Boolean' -- --description: |- -- By default, the SELinux boolean docker_connect_any is disabled. -- If this setting is enabled, it should be disabled. -- {{{ describe_sebool_disable(sebool="docker_connect_any") }}} -- --rationale: "" -- --severity: medium -- --{{{ complete_ocil_entry_sebool_disabled(sebool="docker_connect_any") }}} -diff --git a/linux_os/guide/system/selinux/selinux-booleans/var_docker_connect_any.var b/linux_os/guide/system/selinux/selinux-booleans/var_container_connect_any.var -similarity index 86% -rename from linux_os/guide/system/selinux/selinux-booleans/var_docker_connect_any.var -rename to linux_os/guide/system/selinux/selinux-booleans/var_container_connect_any.var -index 24af7183da..baad46a636 100644 ---- a/linux_os/guide/system/selinux/selinux-booleans/var_docker_connect_any.var -+++ b/linux_os/guide/system/selinux/selinux-booleans/var_container_connect_any.var -@@ -1,6 +1,6 @@ - documentation_complete: true - --title: 'docker_connect_any SELinux Boolean' -+title: 'container_connect_any SELinux Boolean' - - description: |- - default - Default SELinux boolean setting. 
-diff --git a/rhel7/templates/csv/selinux_booleans.csv b/rhel7/templates/csv/selinux_booleans.csv -index af220ed80a..fb0fc958c5 100644 ---- a/rhel7/templates/csv/selinux_booleans.csv -+++ b/rhel7/templates/csv/selinux_booleans.csv -@@ -38,7 +38,7 @@ deny_execmem,use_var - deny_ptrace,use_var - dhcpc_exec_iptables,use_var - dhcpd_use_ldap,use_var --docker_connect_any,use_var -+container_connect_any,use_var - docker_transition_unconfined,use_var - domain_fd_use,use_var - domain_kernel_load_modules,use_var -diff --git a/rhv4/templates/csv/selinux_booleans.csv b/rhv4/templates/csv/selinux_booleans.csv -index af220ed80a..fb0fc958c5 100644 ---- a/rhv4/templates/csv/selinux_booleans.csv -+++ b/rhv4/templates/csv/selinux_booleans.csv -@@ -38,7 +38,7 @@ deny_execmem,use_var - deny_ptrace,use_var - dhcpc_exec_iptables,use_var - dhcpd_use_ldap,use_var --docker_connect_any,use_var -+container_connect_any,use_var - docker_transition_unconfined,use_var - domain_fd_use,use_var - domain_kernel_load_modules,use_var - -From 8707ae7560c1a786b702281592968df28a743a01 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= -Date: Tue, 12 Mar 2019 08:57:23 +0100 -Subject: [PATCH 2/6] Remove SELinux boolean docker_transition_unconfined - -The SELinux boolean docker_transition_unconfined has been -completely removed from SELinux without any replacement. 
---- - .../rule.yml | 16 ---------------- - .../var_docker_transition_unconfined.var | 19 ------------------- - rhel7/templates/csv/selinux_booleans.csv | 1 - - rhv4/templates/csv/selinux_booleans.csv | 1 - - 4 files changed, 37 deletions(-) - delete mode 100644 linux_os/guide/system/selinux/selinux-booleans/sebool_docker_transition_unconfined/rule.yml - delete mode 100644 linux_os/guide/system/selinux/selinux-booleans/var_docker_transition_unconfined.var - -diff --git a/linux_os/guide/system/selinux/selinux-booleans/sebool_docker_transition_unconfined/rule.yml b/linux_os/guide/system/selinux/selinux-booleans/sebool_docker_transition_unconfined/rule.yml -deleted file mode 100644 -index 16792a395b..0000000000 ---- a/linux_os/guide/system/selinux/selinux-booleans/sebool_docker_transition_unconfined/rule.yml -+++ /dev/null -@@ -1,16 +0,0 @@ --documentation_complete: true -- --prodtype: rhel7,rhel8 -- --title: 'Enable the docker_transition_unconfined SELinux Boolean' -- --description: |- -- By default, the SELinux boolean docker_transition_unconfined is enabled. -- If this setting is disabled, it should be enabled. -- {{{ describe_sebool_enable(sebool="docker_transition_unconfined") }}} -- --rationale: "" -- --severity: medium -- --{{{ complete_ocil_entry_sebool_enabled(sebool="docker_transition_unconfined") }}} -diff --git a/linux_os/guide/system/selinux/selinux-booleans/var_docker_transition_unconfined.var b/linux_os/guide/system/selinux/selinux-booleans/var_docker_transition_unconfined.var -deleted file mode 100644 -index cf66e5e915..0000000000 ---- a/linux_os/guide/system/selinux/selinux-booleans/var_docker_transition_unconfined.var -+++ /dev/null -@@ -1,19 +0,0 @@ --documentation_complete: true -- --title: 'docker_transition_unconfined SELinux Boolean' -- --description: |- -- default - Default SELinux boolean setting. --
on - SELinux boolean is enabled. --
off - SELinux boolean is disabled. -- --type: boolean -- --operator: equals -- --interactive: false -- --options: -- default: true -- off: false -- on: true -diff --git a/rhel7/templates/csv/selinux_booleans.csv b/rhel7/templates/csv/selinux_booleans.csv -index fb0fc958c5..8a5d34cffa 100644 ---- a/rhel7/templates/csv/selinux_booleans.csv -+++ b/rhel7/templates/csv/selinux_booleans.csv -@@ -39,7 +39,6 @@ deny_ptrace,use_var - dhcpc_exec_iptables,use_var - dhcpd_use_ldap,use_var - container_connect_any,use_var --docker_transition_unconfined,use_var - domain_fd_use,use_var - domain_kernel_load_modules,use_var - entropyd_use_audio,use_var -diff --git a/rhv4/templates/csv/selinux_booleans.csv b/rhv4/templates/csv/selinux_booleans.csv -index fb0fc958c5..8a5d34cffa 100644 ---- a/rhv4/templates/csv/selinux_booleans.csv -+++ b/rhv4/templates/csv/selinux_booleans.csv -@@ -39,7 +39,6 @@ deny_ptrace,use_var - dhcpc_exec_iptables,use_var - dhcpd_use_ldap,use_var - container_connect_any,use_var --docker_transition_unconfined,use_var - domain_fd_use,use_var - domain_kernel_load_modules,use_var - entropyd_use_audio,use_var - -From a794b4a365001fbe6b5aed4bf9b8169a6a9dea53 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= -Date: Tue, 12 Mar 2019 09:02:59 +0100 -Subject: [PATCH 3/6] Remove SELinux boolean ftp_home_dir - -The SELinux boolean ftp_home_dir has been -completely removed from SELinux without any replacement. 
---- - .../sebool_ftp_home_dir/rule.yml | 16 ---------------- - .../selinux-booleans/var_ftp_home_dir.var | 19 ------------------- - rhel7/templates/csv/selinux_booleans.csv | 1 - - rhv4/templates/csv/selinux_booleans.csv | 1 - - 4 files changed, 37 deletions(-) - delete mode 100644 linux_os/guide/system/selinux/selinux-booleans/sebool_ftp_home_dir/rule.yml - delete mode 100644 linux_os/guide/system/selinux/selinux-booleans/var_ftp_home_dir.var - -diff --git a/linux_os/guide/system/selinux/selinux-booleans/sebool_ftp_home_dir/rule.yml b/linux_os/guide/system/selinux/selinux-booleans/sebool_ftp_home_dir/rule.yml -deleted file mode 100644 -index 1836bc059e..0000000000 ---- a/linux_os/guide/system/selinux/selinux-booleans/sebool_ftp_home_dir/rule.yml -+++ /dev/null -@@ -1,16 +0,0 @@ --documentation_complete: true -- --prodtype: rhel7,rhel8 -- --title: 'Disable the ftp_home_dir SELinux Boolean' -- --description: |- -- By default, the SELinux boolean ftp_home_dir is disabled. -- If this setting is enabled, it should be disabled. -- {{{ describe_sebool_disable(sebool="ftp_home_dir") }}} -- --rationale: "" -- --severity: medium -- --{{{ complete_ocil_entry_sebool_disabled(sebool="ftp_home_dir") }}} -diff --git a/linux_os/guide/system/selinux/selinux-booleans/var_ftp_home_dir.var b/linux_os/guide/system/selinux/selinux-booleans/var_ftp_home_dir.var -deleted file mode 100644 -index 5da7175f65..0000000000 ---- a/linux_os/guide/system/selinux/selinux-booleans/var_ftp_home_dir.var -+++ /dev/null -@@ -1,19 +0,0 @@ --documentation_complete: true -- --title: 'ftp_home_dir SELinux Boolean' -- --description: |- -- default - Default SELinux boolean setting. --
on - SELinux boolean is enabled. --
off - SELinux boolean is disabled. -- --type: boolean -- --operator: equals -- --interactive: false -- --options: -- default: false -- off: false -- on: true -diff --git a/rhel7/templates/csv/selinux_booleans.csv b/rhel7/templates/csv/selinux_booleans.csv -index 8a5d34cffa..17a1f51403 100644 ---- a/rhel7/templates/csv/selinux_booleans.csv -+++ b/rhel7/templates/csv/selinux_booleans.csv -@@ -57,7 +57,6 @@ ftpd_use_cifs,use_var - ftpd_use_fusefs,use_var - ftpd_use_nfs,use_var - ftpd_use_passive_mode,use_var --ftp_home_dir,use_var - git_cgi_enable_homedirs,use_var - git_cgi_use_cifs,use_var - git_cgi_use_nfs,use_var -diff --git a/rhv4/templates/csv/selinux_booleans.csv b/rhv4/templates/csv/selinux_booleans.csv -index 8a5d34cffa..17a1f51403 100644 ---- a/rhv4/templates/csv/selinux_booleans.csv -+++ b/rhv4/templates/csv/selinux_booleans.csv -@@ -57,7 +57,6 @@ ftpd_use_cifs,use_var - ftpd_use_fusefs,use_var - ftpd_use_nfs,use_var - ftpd_use_passive_mode,use_var --ftp_home_dir,use_var - git_cgi_enable_homedirs,use_var - git_cgi_use_cifs,use_var - git_cgi_use_nfs,use_var - -From f71a5f81abad89505ac4e4404249cebc5cf39c89 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= -Date: Tue, 12 Mar 2019 09:19:03 +0100 -Subject: [PATCH 4/6] Remove SELinux boolean virt_sandbox_use_nfs - -The SELinux boolean virt_sandbox_use_nfs has been removed and -is superseded by virt_use_nfs which we already have in other -rule. 
---- - .../sebool_virt_sandbox_use_nfs/rule.yml | 16 ---------------- - .../var_virt_sandbox_use_nfs.var | 19 ------------------- - rhel7/templates/csv/selinux_booleans.csv | 1 - - rhv4/templates/csv/selinux_booleans.csv | 1 - - 4 files changed, 37 deletions(-) - delete mode 100644 linux_os/guide/system/selinux/selinux-booleans/sebool_virt_sandbox_use_nfs/rule.yml - delete mode 100644 linux_os/guide/system/selinux/selinux-booleans/var_virt_sandbox_use_nfs.var - -diff --git a/linux_os/guide/system/selinux/selinux-booleans/sebool_virt_sandbox_use_nfs/rule.yml b/linux_os/guide/system/selinux/selinux-booleans/sebool_virt_sandbox_use_nfs/rule.yml -deleted file mode 100644 -index 7d553a85de..0000000000 ---- a/linux_os/guide/system/selinux/selinux-booleans/sebool_virt_sandbox_use_nfs/rule.yml -+++ /dev/null -@@ -1,16 +0,0 @@ --documentation_complete: true -- --prodtype: rhel7,rhel8 -- --title: 'Disable the virt_sandbox_use_nfs SELinux Boolean' -- --description: |- -- By default, the SELinux boolean virt_sandbox_use_nfs is disabled. -- If this setting is enabled, it should be disabled. -- {{{ describe_sebool_disable(sebool="virt_sandbox_use_nfs") }}} -- --rationale: "" -- --severity: medium -- --{{{ complete_ocil_entry_sebool_disabled(sebool="virt_sandbox_use_nfs") }}} -diff --git a/linux_os/guide/system/selinux/selinux-booleans/var_virt_sandbox_use_nfs.var b/linux_os/guide/system/selinux/selinux-booleans/var_virt_sandbox_use_nfs.var -deleted file mode 100644 -index f7a0cd0679..0000000000 ---- a/linux_os/guide/system/selinux/selinux-booleans/var_virt_sandbox_use_nfs.var -+++ /dev/null -@@ -1,19 +0,0 @@ --documentation_complete: true -- --title: 'virt_sandbox_use_nfs SELinux Boolean' -- --description: |- -- default - Default SELinux boolean setting. --
on - SELinux boolean is enabled. --
off - SELinux boolean is disabled. -- --type: boolean -- --operator: equals -- --interactive: false -- --options: -- default: false -- off: false -- on: true -diff --git a/rhel7/templates/csv/selinux_booleans.csv b/rhel7/templates/csv/selinux_booleans.csv -index 17a1f51403..aaf2e1a34f 100644 ---- a/rhel7/templates/csv/selinux_booleans.csv -+++ b/rhel7/templates/csv/selinux_booleans.csv -@@ -268,7 +268,6 @@ virt_sandbox_use_all_caps,use_var - virt_sandbox_use_audit,use_var - virt_sandbox_use_mknod,use_var - virt_sandbox_use_netlink,use_var --virt_sandbox_use_nfs,use_var - virt_sandbox_use_samba,use_var - virt_sandbox_use_sys_admin,use_var - virt_transition_userdomain,use_var -diff --git a/rhv4/templates/csv/selinux_booleans.csv b/rhv4/templates/csv/selinux_booleans.csv -index 17a1f51403..aaf2e1a34f 100644 ---- a/rhv4/templates/csv/selinux_booleans.csv -+++ b/rhv4/templates/csv/selinux_booleans.csv -@@ -268,7 +268,6 @@ virt_sandbox_use_all_caps,use_var - virt_sandbox_use_audit,use_var - virt_sandbox_use_mknod,use_var - virt_sandbox_use_netlink,use_var --virt_sandbox_use_nfs,use_var - virt_sandbox_use_samba,use_var - virt_sandbox_use_sys_admin,use_var - virt_transition_userdomain,use_var - -From 7afaf886cd99437a09b6aedd9e375ee1162155c6 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= -Date: Tue, 12 Mar 2019 09:27:35 +0100 -Subject: [PATCH 5/6] Remove SELinux boolean virt_sandbox_use_samba - -The SELinux boolean virt_sandbox_use_samba has been removed and -is superseded by virt_use_samba which we already have in other -rule. 
----
- .../sebool_virt_sandbox_use_samba/rule.yml | 16 ----------------
- .../var_virt_sandbox_use_samba.var | 19 -------------------
- rhel7/templates/csv/selinux_booleans.csv | 1 -
- rhv4/templates/csv/selinux_booleans.csv | 1 -
- 4 files changed, 37 deletions(-)
- delete mode 100644 linux_os/guide/system/selinux/selinux-booleans/sebool_virt_sandbox_use_samba/rule.yml
- delete mode 100644 linux_os/guide/system/selinux/selinux-booleans/var_virt_sandbox_use_samba.var
-
-diff --git a/linux_os/guide/system/selinux/selinux-booleans/sebool_virt_sandbox_use_samba/rule.yml b/linux_os/guide/system/selinux/selinux-booleans/sebool_virt_sandbox_use_samba/rule.yml
-deleted file mode 100644
-index b3ce5feb9e..0000000000
---- a/linux_os/guide/system/selinux/selinux-booleans/sebool_virt_sandbox_use_samba/rule.yml
-+++ /dev/null
-@@ -1,16 +0,0 @@
--documentation_complete: true
--
--prodtype: rhel7,rhel8
--
--title: 'Disable the virt_sandbox_use_samba SELinux Boolean'
--
--description: |-
-- By default, the SELinux boolean virt_sandbox_use_samba is disabled.
-- If this setting is enabled, it should be disabled.
-- {{{ describe_sebool_disable(sebool="virt_sandbox_use_samba") }}}
--
--rationale: ""
--
--severity: medium
--
--{{{ complete_ocil_entry_sebool_disabled(sebool="virt_sandbox_use_samba") }}}
-diff --git a/linux_os/guide/system/selinux/selinux-booleans/var_virt_sandbox_use_samba.var b/linux_os/guide/system/selinux/selinux-booleans/var_virt_sandbox_use_samba.var
-deleted file mode 100644
-index de370465dd..0000000000
---- a/linux_os/guide/system/selinux/selinux-booleans/var_virt_sandbox_use_samba.var
-+++ /dev/null
-@@ -1,19 +0,0 @@
--documentation_complete: true
--
--title: 'virt_sandbox_use_samba SELinux Boolean'
--
--description: |-
-- default - Default SELinux boolean setting.
--
on - SELinux boolean is enabled. --
off - SELinux boolean is disabled. -- --type: boolean -- --operator: equals -- --interactive: false -- --options: -- default: false -- off: false -- on: true -diff --git a/rhel7/templates/csv/selinux_booleans.csv b/rhel7/templates/csv/selinux_booleans.csv -index aaf2e1a34f..19a27493db 100644 ---- a/rhel7/templates/csv/selinux_booleans.csv -+++ b/rhel7/templates/csv/selinux_booleans.csv -@@ -268,7 +268,6 @@ virt_sandbox_use_all_caps,use_var - virt_sandbox_use_audit,use_var - virt_sandbox_use_mknod,use_var - virt_sandbox_use_netlink,use_var --virt_sandbox_use_samba,use_var - virt_sandbox_use_sys_admin,use_var - virt_transition_userdomain,use_var - virt_use_comm,use_var -diff --git a/rhv4/templates/csv/selinux_booleans.csv b/rhv4/templates/csv/selinux_booleans.csv -index aaf2e1a34f..19a27493db 100644 ---- a/rhv4/templates/csv/selinux_booleans.csv -+++ b/rhv4/templates/csv/selinux_booleans.csv -@@ -268,7 +268,6 @@ virt_sandbox_use_all_caps,use_var - virt_sandbox_use_audit,use_var - virt_sandbox_use_mknod,use_var - virt_sandbox_use_netlink,use_var --virt_sandbox_use_samba,use_var - virt_sandbox_use_sys_admin,use_var - virt_transition_userdomain,use_var - virt_use_comm,use_var - -From e0287da5af28c3357fa920a16d538ab424bd5392 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= -Date: Tue, 12 Mar 2019 10:13:10 +0100 -Subject: [PATCH 6/6] Remove sftpd_.* SELinux booleans - -SELinux booleans sftpd_anon_write, sftpd_enable_homedirs, -sftpd_full_access, sftpd_write_ssh_home have been removed from SELinux -because they were useless because openssh doesn't use sftpd_t type -anymore and it uses user's type for sftpd sessions. They haven't been -superseded by anything else. 
----
- .../sebool_sftpd_anon_write/rule.yml | 16 ----------------
- .../sebool_sftpd_enable_homedirs/rule.yml | 16 ----------------
- .../sebool_sftpd_full_access/rule.yml | 16 ----------------
- .../sebool_sftpd_write_ssh_home/rule.yml | 16 ----------------
- .../selinux-booleans/var_sftpd_anon_write.var | 19 -------------------
- .../var_sftpd_enable_homedirs.var | 19 -------------------
- .../var_sftpd_full_access.var | 19 -------------------
- .../var_sftpd_write_ssh_home.var | 19 -------------------
- rhel7/templates/csv/selinux_booleans.csv | 4 ----
- rhv4/templates/csv/selinux_booleans.csv | 4 ----
- 10 files changed, 148 deletions(-)
- delete mode 100644 linux_os/guide/system/selinux/selinux-booleans/sebool_sftpd_anon_write/rule.yml
- delete mode 100644 linux_os/guide/system/selinux/selinux-booleans/sebool_sftpd_enable_homedirs/rule.yml
- delete mode 100644 linux_os/guide/system/selinux/selinux-booleans/sebool_sftpd_full_access/rule.yml
- delete mode 100644 linux_os/guide/system/selinux/selinux-booleans/sebool_sftpd_write_ssh_home/rule.yml
- delete mode 100644 linux_os/guide/system/selinux/selinux-booleans/var_sftpd_anon_write.var
- delete mode 100644 linux_os/guide/system/selinux/selinux-booleans/var_sftpd_enable_homedirs.var
- delete mode 100644 linux_os/guide/system/selinux/selinux-booleans/var_sftpd_full_access.var
- delete mode 100644 linux_os/guide/system/selinux/selinux-booleans/var_sftpd_write_ssh_home.var
-
-diff --git a/linux_os/guide/system/selinux/selinux-booleans/sebool_sftpd_anon_write/rule.yml b/linux_os/guide/system/selinux/selinux-booleans/sebool_sftpd_anon_write/rule.yml
-deleted file mode 100644
-index a5327110f8..0000000000
---- a/linux_os/guide/system/selinux/selinux-booleans/sebool_sftpd_anon_write/rule.yml
-+++ /dev/null
-@@ -1,16 +0,0 @@
--documentation_complete: true
--
--prodtype: rhel7,rhel8
--
--title: 'Disable the sftpd_anon_write SELinux Boolean'
--
--description: |-
-- By default, the SELinux boolean sftpd_anon_write is
disabled. -- If this setting is enabled, it should be disabled. -- {{{ describe_sebool_disable(sebool="sftpd_anon_write") }}} -- --rationale: "" -- --severity: medium -- --{{{ complete_ocil_entry_sebool_disabled(sebool="sftpd_anon_write") }}} -diff --git a/linux_os/guide/system/selinux/selinux-booleans/sebool_sftpd_enable_homedirs/rule.yml b/linux_os/guide/system/selinux/selinux-booleans/sebool_sftpd_enable_homedirs/rule.yml -deleted file mode 100644 -index ac52da2773..0000000000 ---- a/linux_os/guide/system/selinux/selinux-booleans/sebool_sftpd_enable_homedirs/rule.yml -+++ /dev/null -@@ -1,16 +0,0 @@ --documentation_complete: true -- --prodtype: rhel7,rhel8 -- --title: 'Disable the sftpd_enable_homedirs SELinux Boolean' -- --description: |- -- By default, the SELinux boolean sftpd_enable_homedirs is disabled. -- If this setting is enabled, it should be disabled. -- {{{ describe_sebool_disable(sebool="sftpd_enable_homedirs") }}} -- --rationale: "" -- --severity: medium -- --{{{ complete_ocil_entry_sebool_disabled(sebool="sftpd_enable_homedirs") }}} -diff --git a/linux_os/guide/system/selinux/selinux-booleans/sebool_sftpd_full_access/rule.yml b/linux_os/guide/system/selinux/selinux-booleans/sebool_sftpd_full_access/rule.yml -deleted file mode 100644 -index fff440ff7e..0000000000 ---- a/linux_os/guide/system/selinux/selinux-booleans/sebool_sftpd_full_access/rule.yml -+++ /dev/null -@@ -1,16 +0,0 @@ --documentation_complete: true -- --prodtype: rhel7,rhel8 -- --title: 'Disable the sftpd_full_access SELinux Boolean' -- --description: |- -- By default, the SELinux boolean sftpd_full_access is disabled. -- If this setting is enabled, it should be disabled. 
-- {{{ describe_sebool_disable(sebool="sftpd_full_access") }}} -- --rationale: "" -- --severity: medium -- --{{{ complete_ocil_entry_sebool_disabled(sebool="sftpd_full_access") }}} -diff --git a/linux_os/guide/system/selinux/selinux-booleans/sebool_sftpd_write_ssh_home/rule.yml b/linux_os/guide/system/selinux/selinux-booleans/sebool_sftpd_write_ssh_home/rule.yml -deleted file mode 100644 -index 7b67579eb5..0000000000 ---- a/linux_os/guide/system/selinux/selinux-booleans/sebool_sftpd_write_ssh_home/rule.yml -+++ /dev/null -@@ -1,16 +0,0 @@ --documentation_complete: true -- --prodtype: rhel7,rhel8 -- --title: 'Disable the sftpd_write_ssh_home SELinux Boolean' -- --description: |- -- By default, the SELinux boolean sftpd_write_ssh_home is disabled. -- If this setting is enabled, it should be disabled. -- {{{ describe_sebool_disable(sebool="sftpd_write_ssh_home") }}} -- --rationale: "" -- --severity: medium -- --{{{ complete_ocil_entry_sebool_disabled(sebool="sftpd_write_ssh_home") }}} -diff --git a/linux_os/guide/system/selinux/selinux-booleans/var_sftpd_anon_write.var b/linux_os/guide/system/selinux/selinux-booleans/var_sftpd_anon_write.var -deleted file mode 100644 -index ec43879c93..0000000000 ---- a/linux_os/guide/system/selinux/selinux-booleans/var_sftpd_anon_write.var -+++ /dev/null -@@ -1,19 +0,0 @@ --documentation_complete: true -- --title: 'sftpd_anon_write SELinux Boolean' -- --description: |- -- default - Default SELinux boolean setting. --
on - SELinux boolean is enabled. --
off - SELinux boolean is disabled. -- --type: boolean -- --operator: equals -- --interactive: false -- --options: -- default: false -- off: false -- on: true -diff --git a/linux_os/guide/system/selinux/selinux-booleans/var_sftpd_enable_homedirs.var b/linux_os/guide/system/selinux/selinux-booleans/var_sftpd_enable_homedirs.var -deleted file mode 100644 -index 1ebd92f562..0000000000 ---- a/linux_os/guide/system/selinux/selinux-booleans/var_sftpd_enable_homedirs.var -+++ /dev/null -@@ -1,19 +0,0 @@ --documentation_complete: true -- --title: 'sftpd_enable_homedirs SELinux Boolean' -- --description: |- -- default - Default SELinux boolean setting. --
on - SELinux boolean is enabled. --
off - SELinux boolean is disabled. -- --type: boolean -- --operator: equals -- --interactive: false -- --options: -- default: false -- off: false -- on: true -diff --git a/linux_os/guide/system/selinux/selinux-booleans/var_sftpd_full_access.var b/linux_os/guide/system/selinux/selinux-booleans/var_sftpd_full_access.var -deleted file mode 100644 -index a6d1fc9efc..0000000000 ---- a/linux_os/guide/system/selinux/selinux-booleans/var_sftpd_full_access.var -+++ /dev/null -@@ -1,19 +0,0 @@ --documentation_complete: true -- --title: 'sftpd_full_access SELinux Boolean' -- --description: |- -- default - Default SELinux boolean setting. --
on - SELinux boolean is enabled. --
off - SELinux boolean is disabled. -- --type: boolean -- --operator: equals -- --interactive: false -- --options: -- default: false -- off: false -- on: true -diff --git a/linux_os/guide/system/selinux/selinux-booleans/var_sftpd_write_ssh_home.var b/linux_os/guide/system/selinux/selinux-booleans/var_sftpd_write_ssh_home.var -deleted file mode 100644 -index 67a3f00655..0000000000 ---- a/linux_os/guide/system/selinux/selinux-booleans/var_sftpd_write_ssh_home.var -+++ /dev/null -@@ -1,19 +0,0 @@ --documentation_complete: true -- --title: 'sftpd_write_ssh_home SELinux Boolean' -- --description: |- -- default - Default SELinux boolean setting. --
on - SELinux boolean is enabled. --
off - SELinux boolean is disabled. -- --type: boolean -- --operator: equals -- --interactive: false -- --options: -- default: false -- off: false -- on: true -diff --git a/rhel7/templates/csv/selinux_booleans.csv b/rhel7/templates/csv/selinux_booleans.csv -index 19a27493db..1b55f6db31 100644 ---- a/rhel7/templates/csv/selinux_booleans.csv -+++ b/rhel7/templates/csv/selinux_booleans.csv -@@ -224,10 +224,6 @@ selinuxuser_share_music,use_var - selinuxuser_tcp_server,use_var - selinuxuser_udp_server,use_var - selinuxuser_use_ssh_chroot,use_var --sftpd_anon_write,use_var --sftpd_enable_homedirs,use_var --sftpd_full_access,use_var --sftpd_write_ssh_home,use_var - sge_domain_can_network_connect,use_var - sge_use_nfs,use_var - smartmon_3ware,use_var -diff --git a/rhv4/templates/csv/selinux_booleans.csv b/rhv4/templates/csv/selinux_booleans.csv -index 19a27493db..1b55f6db31 100644 ---- a/rhv4/templates/csv/selinux_booleans.csv -+++ b/rhv4/templates/csv/selinux_booleans.csv -@@ -224,10 +224,6 @@ selinuxuser_share_music,use_var - selinuxuser_tcp_server,use_var - selinuxuser_udp_server,use_var - selinuxuser_use_ssh_chroot,use_var --sftpd_anon_write,use_var --sftpd_enable_homedirs,use_var --sftpd_full_access,use_var --sftpd_write_ssh_home,use_var - sge_domain_can_network_connect,use_var - sge_use_nfs,use_var - smartmon_3ware,use_var diff --git a/SOURCES/scap-security-guide-0.1.44-fix_rpm_verify_permissions.patch b/SOURCES/scap-security-guide-0.1.44-fix_rpm_verify_permissions.patch deleted file mode 100644 index 7f3c29e..0000000 --- a/SOURCES/scap-security-guide-0.1.44-fix_rpm_verify_permissions.patch +++ /dev/null 
@@ -1,50 +0,0 @@
-From df18c1e1c034cd0162747eb357efdcbbdf22ff1c Mon Sep 17 00:00:00 2001
-From: Watson Sato
-Date: Tue, 19 Mar 2019 16:50:09 +0100
-Subject: [PATCH] Remove --quiet from rpm command
-
-It doesn't work with --setperms.
-See https://bugzilla.redhat.com/show_bug.cgi?id=1690469.
----
- .../rpm_verification/rpm_verify_permissions/ansible/shared.yml | 2 +-
- .../rpm_verification/rpm_verify_permissions/bash/shared.sh | 2 +-
- .../rpm_verification/rpm_verify_permissions/rule.yml | 2 +-
- 3 files changed, 3 insertions(+), 3 deletions(-)
-
-diff --git a/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_permissions/ansible/shared.yml b/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_permissions/ansible/shared.yml
-index abce9e17f5..e05696d46c 100644
---- a/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_permissions/ansible/shared.yml
-+++ b/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_permissions/ansible/shared.yml
-@@ -13,7 +13,7 @@
- @ANSIBLE_ENSURE_PLATFORM@
-
- - name: "Correct file permissions with RPM"
-- shell: "rpm --quiet --setperms $(rpm -qf '{{ item }}')"
-+ shell: "rpm --setperms $(rpm -qf '{{ item }}')"
- args:
- warn: False # Ignore ANSIBLE0006, we can't correct permissions using rpm module
- with_items: "{{ files_with_incorrect_permissions.stdout_lines }}"
-diff --git a/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_permissions/bash/shared.sh b/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_permissions/bash/shared.sh
-index 5689b6d84b..7705f0df3b 100644
---- a/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_permissions/bash/shared.sh
-+++ b/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_permissions/bash/shared.sh
-@@ -28,5 +28,5
@@ SETPERMS_RPM_LIST=( $(echo "${SETPERMS_RPM_LIST[@]}" | tr ' ' '\n' | sort -u | t - # correct values - for RPM_PACKAGE in "${SETPERMS_RPM_LIST[@]}" - do -- rpm --quiet --setperms "${RPM_PACKAGE}" -+ rpm --setperms "${RPM_PACKAGE}" - done -diff --git a/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_permissions/rule.yml b/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_permissions/rule.yml -index e233c8b02f..1d5090894b 100644 ---- a/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_permissions/rule.yml -+++ b/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_permissions/rule.yml -@@ -19,7 +19,7 @@ description: |- -
- Next, run the following command to reset its permissions to - the correct values: --
$ sudo rpm --quiet --setperms PACKAGENAME
-+
$ sudo rpm --setperms PACKAGENAME
- - rationale: |- - Permissions on system binaries and configuration files that are too generous diff --git a/SOURCES/scap-security-guide-0.1.44-fix_stig_duplicated_audit_rules.patch b/SOURCES/scap-security-guide-0.1.44-fix_stig_duplicated_audit_rules.patch deleted file mode 100644 index d2ee75f..0000000 --- a/SOURCES/scap-security-guide-0.1.44-fix_stig_duplicated_audit_rules.patch +++ /dev/null 
@@ -1,410 +0,0 @@ -From 2476a35d0ad4055d52c33c03bb82031f6f19c794 Mon Sep 17 00:00:00 2001 -From: Watson Sato -Date: Fri, 15 Mar 2019 17:11:37 +0100 -Subject: [PATCH 1/6] Enable privileged_commands test to run on Fedora - -Also create audit rules directory, to ensure scenario setup always -works. ---- - .../rhel7_augenrules_default.fail.sh | 2 +- - .../rhel7_augenrules_missing_rule.fail.sh | 3 ++- - .../rhel7_augenrules_one_rule.fail.sh | 1 + - .../rhel7_augenrules_rules_configured.pass.sh | 3 ++- - .../rhel7_augenrules_rules_configured_mixed_keys.pass.sh | 3 ++- - .../rhel7_augenrules_two_rules_mixed_keys.fail.sh | 3 ++- - .../rhel7_rules_with_own_key.pass.sh | 2 +- - .../rhel7_auditctl_4294967295_configured.pass.sh | 1 + - .../rhel7_auditctl_unset_configured.pass.sh | 1 + - .../rhel7_augenrules_4294967295_configured.pass.sh | 4 ++-- - .../rhel7_augenrules_remove_all_rules.fail.sh | 4 ++-- - .../rhel7_augenrules_substring_rule.fail.sh | 4 ++-- - .../rhel7_augenrules_superstring_rule.fail.sh | 4 ++-- - .../rhel7_augenrules_unset_configured.pass.sh | 4 ++-- - .../rhel7_rules_with_own_key.pass.sh | 3 +-- - 15 files changed, 24 insertions(+), 18 deletions(-) - -diff --git a/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_privileged_commands/rule_audit_rules_privileged_commands/rhel7_augenrules_default.fail.sh b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_privileged_commands/rule_audit_rules_privileged_commands/rhel7_augenrules_default.fail.sh -index 2442fc22f8..4713a53605 100644 ---- a/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_privileged_commands/rule_audit_rules_privileged_commands/rhel7_augenrules_default.fail.sh -+++ b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_privileged_commands/rule_audit_rules_privileged_commands/rhel7_augenrules_default.fail.sh -@@ -1,6 +1,6 @@ - #!/bin/bash - # profiles = 
xccdf_org.ssgproject.content_profile_pci-dss - # remediation = bash --# platform = Red Hat Enterprise Linux 7 -+# platform = Red Hat Enterprise Linux 7,Fedora - - # augenrules is default for rhel7 -diff --git a/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_privileged_commands/rule_audit_rules_privileged_commands/rhel7_augenrules_missing_rule.fail.sh b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_privileged_commands/rule_audit_rules_privileged_commands/rhel7_augenrules_missing_rule.fail.sh -index 69e659d53c..c007f5dd24 100644 ---- a/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_privileged_commands/rule_audit_rules_privileged_commands/rhel7_augenrules_missing_rule.fail.sh -+++ b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_privileged_commands/rule_audit_rules_privileged_commands/rhel7_augenrules_missing_rule.fail.sh -@@ -1,7 +1,8 @@ - #!/bin/bash - # profiles = xccdf_org.ssgproject.content_profile_pci-dss - # remediation = bash --# platform = Red Hat Enterprise Linux 7 -+# platform = Red Hat Enterprise Linux 7,Fedora - -+mkdir -p /etc/audit/rules.d - ./generate_privileged_commands_rule.sh 1000 privileged /etc/audit/rules.d/privileged.rules - sed -i '/newgrp/d' /etc/audit/rules.d/privileged.rules -diff --git a/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_privileged_commands/rule_audit_rules_privileged_commands/rhel7_augenrules_one_rule.fail.sh b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_privileged_commands/rule_audit_rules_privileged_commands/rhel7_augenrules_one_rule.fail.sh -index aa8e01cf11..591109a013 100644 ---- a/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_privileged_commands/rule_audit_rules_privileged_commands/rhel7_augenrules_one_rule.fail.sh -+++ 
b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_privileged_commands/rule_audit_rules_privileged_commands/rhel7_augenrules_one_rule.fail.sh -@@ -3,4 +3,5 @@ - # remediation = bash - # platform = Red Hat Enterprise Linux 7 - -+mkdir -p /etc/audit/rules.d - echo "-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=unset -k privileged" >> /etc/audit/rules.d/privileged.rules -diff --git a/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_privileged_commands/rule_audit_rules_privileged_commands/rhel7_augenrules_rules_configured.pass.sh b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_privileged_commands/rule_audit_rules_privileged_commands/rhel7_augenrules_rules_configured.pass.sh -index fa1d72ff0a..913ca44025 100644 ---- a/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_privileged_commands/rule_audit_rules_privileged_commands/rhel7_augenrules_rules_configured.pass.sh -+++ b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_privileged_commands/rule_audit_rules_privileged_commands/rhel7_augenrules_rules_configured.pass.sh -@@ -1,6 +1,7 @@ - #!/bin/bash - # profiles = xccdf_org.ssgproject.content_profile_pci-dss - # remediation = bash --# platform = Red Hat Enterprise Linux 7 -+# platform = Red Hat Enterprise Linux 7,Fedora - -+mkdir -p /etc/audit/rules.d - ./generate_privileged_commands_rule.sh 1000 privileged /etc/audit/rules.d/privileged.rules -diff --git a/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_privileged_commands/rule_audit_rules_privileged_commands/rhel7_augenrules_rules_configured_mixed_keys.pass.sh b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_privileged_commands/rule_audit_rules_privileged_commands/rhel7_augenrules_rules_configured_mixed_keys.pass.sh -index 40aea6c963..a0ba4fac7d 100644 ---- 
a/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_privileged_commands/rule_audit_rules_privileged_commands/rhel7_augenrules_rules_configured_mixed_keys.pass.sh -+++ b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_privileged_commands/rule_audit_rules_privileged_commands/rhel7_augenrules_rules_configured_mixed_keys.pass.sh -@@ -1,8 +1,9 @@ - #!/bin/bash - # profiles = xccdf_org.ssgproject.content_profile_pci-dss - # remediation = bash --# platform = Red Hat Enterprise Linux 7 -+# platform = Red Hat Enterprise Linux 7,Fedora - -+mkdir -p /etc/audit/rules.d - ./generate_privileged_commands_rule.sh 1000 privileged /etc/audit/rules.d/privileged.rules - # change key of rules for binaries in /usr/sbin - # A mixed conbination of -k and -F key= should be accepted -diff --git a/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_privileged_commands/rule_audit_rules_privileged_commands/rhel7_augenrules_two_rules_mixed_keys.fail.sh b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_privileged_commands/rule_audit_rules_privileged_commands/rhel7_augenrules_two_rules_mixed_keys.fail.sh -index eb2ae8cdc9..bc4a7c4bfe 100644 ---- a/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_privileged_commands/rule_audit_rules_privileged_commands/rhel7_augenrules_two_rules_mixed_keys.fail.sh -+++ b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_privileged_commands/rule_audit_rules_privileged_commands/rhel7_augenrules_two_rules_mixed_keys.fail.sh -@@ -1,7 +1,8 @@ - #!/bin/bash - # profiles = xccdf_org.ssgproject.content_profile_pci-dss - # remediation = bash --# platform = Red Hat Enterprise Linux 7 -+# platform = Red Hat Enterprise Linux 7,Fedora - -+mkdir -p /etc/audit/rules.d - echo "-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=unset -k privileged" >> 
/etc/audit/rules.d/privileged.rules - echo "-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged" >> /etc/audit/rules.d/privileged.rules -diff --git a/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_privileged_commands/rule_audit_rules_privileged_commands/rhel7_rules_with_own_key.pass.sh b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_privileged_commands/rule_audit_rules_privileged_commands/rhel7_rules_with_own_key.pass.sh -index 1b376d0e0f..c40fd133dd 100644 ---- a/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_privileged_commands/rule_audit_rules_privileged_commands/rhel7_rules_with_own_key.pass.sh -+++ b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_privileged_commands/rule_audit_rules_privileged_commands/rhel7_rules_with_own_key.pass.sh -@@ -1,6 +1,6 @@ - #!/bin/bash - # profiles = xccdf_org.ssgproject.content_profile_pci-dss - # remediation = bash --# platform = Red Hat Enterprise Linux 7 -+# platform = Red Hat Enterprise Linux 7,Fedora - - ./generate_privileged_commands_rule.sh 1000 own_key /etc/audit/rules.d/privileged.rules -diff --git a/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_privileged_commands/rule_audit_rules_privileged_commands_sudo/rhel7_auditctl_4294967295_configured.pass.sh b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_privileged_commands/rule_audit_rules_privileged_commands_sudo/rhel7_auditctl_4294967295_configured.pass.sh -index 93f90a1c5b..52b28d2c30 100644 ---- a/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_privileged_commands/rule_audit_rules_privileged_commands_sudo/rhel7_auditctl_4294967295_configured.pass.sh -+++ 
b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_privileged_commands/rule_audit_rules_privileged_commands_sudo/rhel7_auditctl_4294967295_configured.pass.sh -@@ -1,6 +1,7 @@ - #!/bin/bash - # profiles = xccdf_org.ssgproject.content_profile_ospp - # remediation = bash -+# platform = Red Hat Enterprise Linux 7 - - echo "-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged" >> /etc/audit/audit.rules - sed -i "s%^ExecStartPost=.*%ExecStartPost=-/sbin/auditctl%" /usr/lib/systemd/system/auditd.service -diff --git a/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_privileged_commands/rule_audit_rules_privileged_commands_sudo/rhel7_auditctl_unset_configured.pass.sh b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_privileged_commands/rule_audit_rules_privileged_commands_sudo/rhel7_auditctl_unset_configured.pass.sh -index bda4011950..4a8627e1be 100644 ---- a/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_privileged_commands/rule_audit_rules_privileged_commands_sudo/rhel7_auditctl_unset_configured.pass.sh -+++ b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_privileged_commands/rule_audit_rules_privileged_commands_sudo/rhel7_auditctl_unset_configured.pass.sh -@@ -1,6 +1,7 @@ - #!/bin/bash - # profiles = xccdf_org.ssgproject.content_profile_ospp - # remediation = bash -+# platform = Red Hat Enterprise Linux 7 - - echo "-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=unset -k privileged" >> /etc/audit/audit.rules - sed -i "s%^ExecStartPost=.*%ExecStartPost=-/sbin/auditctl%" /usr/lib/systemd/system/auditd.service -diff --git a/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_privileged_commands/rule_audit_rules_privileged_commands_sudo/rhel7_augenrules_4294967295_configured.pass.sh 
b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_privileged_commands/rule_audit_rules_privileged_commands_sudo/rhel7_augenrules_4294967295_configured.pass.sh -index c1385fe491..13054c36d4 100644 ---- a/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_privileged_commands/rule_audit_rules_privileged_commands_sudo/rhel7_augenrules_4294967295_configured.pass.sh -+++ b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_privileged_commands/rule_audit_rules_privileged_commands_sudo/rhel7_augenrules_4294967295_configured.pass.sh -@@ -1,7 +1,7 @@ - #!/bin/bash - # profiles = xccdf_org.ssgproject.content_profile_ospp - # remediation = bash -+# platform = Red Hat Enterprise Linux 7,Fedora - -+mkdir -p /etc/audit/rules.d - echo "-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged" >> /etc/audit/rules.d/privileged.rules --# This is a trick to fail setup of this test in rhel6 systems --ls /usr/lib/systemd/system/auditd.service -diff --git a/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_privileged_commands/rule_audit_rules_privileged_commands_sudo/rhel7_augenrules_remove_all_rules.fail.sh b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_privileged_commands/rule_audit_rules_privileged_commands_sudo/rhel7_augenrules_remove_all_rules.fail.sh -index 7ef3deb40b..8a05910a39 100644 ---- a/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_privileged_commands/rule_audit_rules_privileged_commands_sudo/rhel7_augenrules_remove_all_rules.fail.sh -+++ b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_privileged_commands/rule_audit_rules_privileged_commands_sudo/rhel7_augenrules_remove_all_rules.fail.sh -@@ -1,8 +1,8 @@ - #!/bin/bash - # profiles = xccdf_org.ssgproject.content_profile_ospp - # remediation = bash -+# platform = Red Hat 
Enterprise Linux 7,Fedora - -+mkdir -p /etc/audit/rules.d - rm -f /etc/audit/rules.d/* - > /etc/audit/audit.rules --# This is a trick to fail setup of this test in rhel6 systems --ls /usr/lib/systemd/system/auditd.service -diff --git a/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_privileged_commands/rule_audit_rules_privileged_commands_sudo/rhel7_augenrules_substring_rule.fail.sh b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_privileged_commands/rule_audit_rules_privileged_commands_sudo/rhel7_augenrules_substring_rule.fail.sh -index 54df301ec7..8cc460e965 100644 ---- a/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_privileged_commands/rule_audit_rules_privileged_commands_sudo/rhel7_augenrules_substring_rule.fail.sh -+++ b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_privileged_commands/rule_audit_rules_privileged_commands_sudo/rhel7_augenrules_substring_rule.fail.sh -@@ -1,7 +1,7 @@ - #!/bin/bash - # profiles = xccdf_org.ssgproject.content_profile_ospp - # remediation = bash -+# platform = Red Hat Enterprise Linux 7,Fedora - -+mkdir -p /etc/audit/rules.d - echo "-a always,exit -F path=/usr/bin/su -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged" >> /etc/audit/rules.d/privileged.rules --# This is a trick to fail setup of this test in rhel6 systems --ls /usr/lib/systemd/system/auditd.service -diff --git a/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_privileged_commands/rule_audit_rules_privileged_commands_sudo/rhel7_augenrules_superstring_rule.fail.sh b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_privileged_commands/rule_audit_rules_privileged_commands_sudo/rhel7_augenrules_superstring_rule.fail.sh -index 5de32da121..0c72b90456 100644 ---- 
a/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_privileged_commands/rule_audit_rules_privileged_commands_sudo/rhel7_augenrules_superstring_rule.fail.sh -+++ b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_privileged_commands/rule_audit_rules_privileged_commands_sudo/rhel7_augenrules_superstring_rule.fail.sh -@@ -1,7 +1,7 @@ - #!/bin/bash - # profiles = xccdf_org.ssgproject.content_profile_ospp - # remediation = bash -+# platform = Red Hat Enterprise Linux 7,Fedora - -+mkdir -p /etc/audit/rules.d - echo "-a always,exit -F path=/usr/bin/sudoedit -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged" >> /etc/audit/rules.d/privileged.rules --# This is a trick to fail setup of this test in rhel6 systems --ls /usr/lib/systemd/system/auditd.service -diff --git a/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_privileged_commands/rule_audit_rules_privileged_commands_sudo/rhel7_augenrules_unset_configured.pass.sh b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_privileged_commands/rule_audit_rules_privileged_commands_sudo/rhel7_augenrules_unset_configured.pass.sh -index 4aa01afad9..0cf6de31a3 100644 ---- a/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_privileged_commands/rule_audit_rules_privileged_commands_sudo/rhel7_augenrules_unset_configured.pass.sh -+++ b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_privileged_commands/rule_audit_rules_privileged_commands_sudo/rhel7_augenrules_unset_configured.pass.sh -@@ -1,7 +1,7 @@ - #!/bin/bash - # profiles = xccdf_org.ssgproject.content_profile_ospp - # remediation = bash -+# platform = Red Hat Enterprise Linux 7,Fedora - -+mkdir -p /etc/audit/rules.d - echo "-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=unset -k privileged" >> /etc/audit/rules.d/privileged.rules --# This is a trick to fail setup of this 
test in rhel6 systems --ls /usr/lib/systemd/system/auditd.service -diff --git a/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_privileged_commands/rule_audit_rules_privileged_commands_sudo/rhel7_rules_with_own_key.pass.sh b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_privileged_commands/rule_audit_rules_privileged_commands_sudo/rhel7_rules_with_own_key.pass.sh -index e267050ae1..a264144bd2 100644 ---- a/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_privileged_commands/rule_audit_rules_privileged_commands_sudo/rhel7_rules_with_own_key.pass.sh -+++ b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_privileged_commands/rule_audit_rules_privileged_commands_sudo/rhel7_rules_with_own_key.pass.sh -@@ -1,7 +1,6 @@ - #!/bin/bash - # profiles = xccdf_org.ssgproject.content_profile_ospp - # remediation = bash -+# platform = Red Hat Enterprise Linux 7,Fedora - - echo "-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=4294967295 -k own_key" >> /etc/audit/rules.d/privileged.rules --# This is a trick to fail setup of this test in rhel6 systems --ls /usr/lib/systemd/system/auditd.service - -From 6ac52cb2183484685c2632cecdfc5724767b1f79 Mon Sep 17 00:00:00 2001 -From: Watson Sato -Date: Fri, 15 Mar 2019 16:01:37 +0100 -Subject: [PATCH 2/6] Add test for duplicated audit rules - -The rules don't need to be exactly the same to be considered duplicates. 
-- auid unset and auid 4294967295 are equivalent -- "-k" and "-F key=" are equivalent ---- - .../rhel7_augenrules_duplicated.fail.sh | 11 +++++++++++ - .../rhel7_augenrules_duplicated.fail.sh | 8 ++++++++ - 2 files changed, 19 insertions(+) - create mode 100644 tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_privileged_commands/rule_audit_rules_privileged_commands/rhel7_augenrules_duplicated.fail.sh - create mode 100644 tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_privileged_commands/rule_audit_rules_privileged_commands_sudo/rhel7_augenrules_duplicated.fail.sh - -diff --git a/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_privileged_commands/rule_audit_rules_privileged_commands/rhel7_augenrules_duplicated.fail.sh b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_privileged_commands/rule_audit_rules_privileged_commands/rhel7_augenrules_duplicated.fail.sh -new file mode 100644 -index 0000000000..19b12d0906 ---- /dev/null -+++ b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_privileged_commands/rule_audit_rules_privileged_commands/rhel7_augenrules_duplicated.fail.sh -@@ -0,0 +1,11 @@ -+#!/bin/bash -+# profiles = xccdf_org.ssgproject.content_profile_ospp,xccdf_org.ssgproject.content_profile_pci-dss -+# Remediation for this rule cannot remove the duplicates -+# remediation = none -+# platform = Red Hat Enterprise Linux 7,Fedora -+ -+mkdir -p /etc/audit/rules.d -+./generate_privileged_commands_rule.sh 1000 privileged /tmp/privileged.rules -+ -+cp /tmp/privileged.rules /etc/audit/rules.d/privileged.rules -+sed 's/unset/4294967295/' /tmp/privileged.rules >> /etc/audit/rules.d/privileged.rules -diff --git a/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_privileged_commands/rule_audit_rules_privileged_commands_sudo/rhel7_augenrules_duplicated.fail.sh 
b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_privileged_commands/rule_audit_rules_privileged_commands_sudo/rhel7_augenrules_duplicated.fail.sh -new file mode 100644 -index 0000000000..c3a0e1dbb3 ---- /dev/null -+++ b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_privileged_commands/rule_audit_rules_privileged_commands_sudo/rhel7_augenrules_duplicated.fail.sh -@@ -0,0 +1,8 @@ -+#!/bin/bash -+# profiles = xccdf_org.ssgproject.content_profile_ospp -+# remediation = bash -+# platform = Red Hat Enterprise Linux 7,Fedora -+ -+mkdir -p /etc/audit/rules.d -+echo "-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged" >> /etc/audit/rules.d/privileged.rules -+echo "-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged" >> /etc/audit/rules.d/privileged.rules - -From 160ddfa6b662dfc129f308ba239e87339e4adbf6 Mon Sep 17 00:00:00 2001 -From: Watson Sato -Date: Fri, 15 Mar 2019 16:00:24 +0100 -Subject: [PATCH 3/6] Fail check when there is more than one audit rule for a - given path - -Duplicated rules cause loading of audit rules to fail. 
-- There should exist only one match -- Examine all instances (objects found) -- Do not capture key of rule (we don't use it) ---- - .../template_OVAL_audit_rules_privileged_commands | 12 ++++++------ - 1 file changed, 6 insertions(+), 6 deletions(-) - -diff --git a/shared/templates/template_OVAL_audit_rules_privileged_commands b/shared/templates/template_OVAL_audit_rules_privileged_commands -index 602f29de5d..b738cdfa54 100644 ---- a/shared/templates/template_OVAL_audit_rules_privileged_commands -+++ b/shared/templates/template_OVAL_audit_rules_privileged_commands -@@ -28,22 +28,22 @@ - - - -- -+ - - - - ^/etc/audit/rules\.d/.*\.rules$ -- ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path={{{ PATH }}}[\s]+-F[\s]+perm=x[\s]+-F[\s]+auid>={{{ auid }}}[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ -- 1 -+ ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path={{{ PATH }}}[\s]+-F[\s]+perm=x[\s]+-F[\s]+auid>={{{ auid }}}[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ -+ 1 - - -- -+ - - - - /etc/audit/audit.rules -- ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path={{{ PATH }}}[\s]+-F[\s]+perm=x[\s]+-F[\s]+auid>={{{ auid }}}[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ -- 1 -+ ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path={{{ PATH }}}[\s]+-F[\s]+perm=x[\s]+-F[\s]+auid>={{{ auid }}}[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ -+ 1 - - - - -From 08a30fe02fc60c63a2057382ce5cd9de9d0fd877 Mon Sep 17 00:00:00 2001 -From: Watson Sato -Date: Fri, 15 Mar 2019 15:56:42 +0100 -Subject: [PATCH 4/6] Reset ARCH - -The variable should be reset so that we don't use a value set -by some previous remediation. 
---- - shared/templates/template_BASH_audit_rules_privileged_commands | 2 ++ - 1 file changed, 2 insertions(+) - -diff --git a/shared/templates/template_BASH_audit_rules_privileged_commands b/shared/templates/template_BASH_audit_rules_privileged_commands -index 90807084e8..612f8a0826 100644 ---- a/shared/templates/template_BASH_audit_rules_privileged_commands -+++ b/shared/templates/template_BASH_audit_rules_privileged_commands -@@ -5,6 +5,8 @@ - - PATTERN="-a always,exit -F path={{{ PATH }}}\\s\\+.*" - GROUP="privileged" -+# Although the fix doesn't use ARCH, we reset it because it could have been set by some other remediation -+ARCH="" - FULL_RULE="-a always,exit -F path={{{ PATH }}} -F perm=x -F auid>={{{ auid }}} -F auid!=unset -F key=privileged" - # Perform the remediation for both possible tools: 'auditctl' and 'augenrules' - fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" - -From 8e83eb070f6cc7931e8c1005cd8eb7674e1bf186 Mon Sep 17 00:00:00 2001 -From: Watson Sato -Date: Fri, 15 Mar 2019 16:31:20 +0100 -Subject: [PATCH 5/6] Test if remediation can handle rules in separate files - ---- - .../rhel7_augenrules_two_rules_sep_files.fail.sh | 8 ++++++++ - 1 file changed, 8 insertions(+) - create mode 100644 tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_privileged_commands/rule_audit_rules_privileged_commands/rhel7_augenrules_two_rules_sep_files.fail.sh - -diff --git a/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_privileged_commands/rule_audit_rules_privileged_commands/rhel7_augenrules_two_rules_sep_files.fail.sh b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_privileged_commands/rule_audit_rules_privileged_commands/rhel7_augenrules_two_rules_sep_files.fail.sh -new file mode 100644 -index 0000000000..0e70910537 ---- /dev/null -+++ 
b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_privileged_commands/rule_audit_rules_privileged_commands/rhel7_augenrules_two_rules_sep_files.fail.sh -@@ -0,0 +1,8 @@ -+#!/bin/bash -+# profiles = xccdf_org.ssgproject.content_profile_pci-dss -+# remediation = bash -+# platform = Red Hat Enterprise Linux 7,Fedora -+ -+mkdir -p /etc/audit/rules.d -+echo "-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=unset -k privileged" >> /etc/audit/rules.d/priv.rules -+echo "-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged" >> /etc/audit/rules.d/privileged.rules - -From d706bdbebb8e2ffbd4872ea7870ac5f1e2f6a00e Mon Sep 17 00:00:00 2001 -From: Watson Sato -Date: Fri, 15 Mar 2019 15:56:11 +0100 -Subject: [PATCH 6/6] Do not add rule if it was handled in another file - ---- - ..._audit_rules_privileged_commands_remediation.sh | 14 ++++++++++---- - 1 file changed, 10 insertions(+), 4 deletions(-) - -diff --git a/shared/bash_remediation_functions/perform_audit_rules_privileged_commands_remediation.sh b/shared/bash_remediation_functions/perform_audit_rules_privileged_commands_remediation.sh -index d824e5debb..91eeedb545 100644 ---- a/shared/bash_remediation_functions/perform_audit_rules_privileged_commands_remediation.sh -+++ b/shared/bash_remediation_functions/perform_audit_rules_privileged_commands_remediation.sh -@@ -71,7 +71,7 @@ declare -a sbinaries_to_skip=() - for sbinary in "${privileged_binaries[@]}" - do - -- # Check if this sbinary wasn't already handled in some of the previous iterations -+ # Check if this sbinary wasn't already handled in some of the previous sbinary iterations - # Return match only if whole sbinary definition matched (not in the case just prefix matched!!!) 
- if [[ $(sed -ne "\|${sbinary}|p" <<< "${sbinaries_to_skip[*]}") ]] - then -@@ -169,9 +169,15 @@ do - elif [ "$tool" == "auditctl" ] || [[ "$tool" == "augenrules" && $count_of_inspected_files -eq "${#files_to_inspect[@]}" ]] - then - -- # Current audit rules file's content doesn't contain expected rule for this -- # SUID/SGID binary yet => append it -- echo "$expected_rule" >> "$output_audit_file" -+ # Check if this sbinary wasn't already handled in some of the previous afile iterations -+ # Return match only if whole sbinary definition matched (not in the case just prefix matched!!!) -+ if [[ ! $(sed -ne "\|${sbinary}|p" <<< "${sbinaries_to_skip[*]}") ]] -+ then -+ # Current audit rules file's content doesn't contain expected rule for this -+ # SUID/SGID binary yet => append it -+ echo "$expected_rule" >> "$output_audit_file" -+ fi -+ - continue - fi - diff --git a/SOURCES/scap-security-guide-0.1.44-mark_selinux_rules_as_machine_only.patch b/SOURCES/scap-security-guide-0.1.44-mark_selinux_rules_as_machine_only.patch deleted file mode 100644 index bbc43f3..0000000 --- a/SOURCES/scap-security-guide-0.1.44-mark_selinux_rules_as_machine_only.patch +++ /dev/null 
@@ -1,82 +0,0 @@
-From 9c3d35d9c3e1a884fa9e5cd0223172f1c8621b10 Mon Sep 17 00:00:00 2001
-From: Matus Marhefka
-Date: Tue, 16 Apr 2019 13:28:30 +0200
-Subject: [PATCH] All SELinux related rules marked as not applicable to
- containers
-
-* The rule docker_selinux_enabled moved from system/selinux to services/docker.
-* SELinux is not namespaced which means that containers do not have their own
- separate SELinux policies. SELinux will always appear to be disabled when
- inside a container (https://danwalsh.livejournal.com/73099.html). Therefore,
- all the rules from the system/selinux were marked with 'platform: machine'
- which will make them not applicable when scanning container filesystems.
----
- .../docker}/docker_selinux_enabled/oval/rhel7.xml | 0
- .../selinux => services/docker}/docker_selinux_enabled/rule.yml | 0
- linux_os/guide/system/selinux/group.yml | 2 ++
- .../system/selinux/selinux_confinement_of_daemons/rule.yml | 2 --
- linux_os/guide/system/selinux/selinux_policytype/rule.yml | 2 --
- linux_os/guide/system/selinux/selinux_state/rule.yml | 2 --
- linux_os/guide/system/selinux/selinux_user_login_roles/rule.yml | 2 --
- 7 files changed, 2 insertions(+), 8 deletions(-)
- rename linux_os/guide/{system/selinux => services/docker}/docker_selinux_enabled/oval/rhel7.xml (100%)
- rename linux_os/guide/{system/selinux => services/docker}/docker_selinux_enabled/rule.yml (100%)
-
-diff --git a/linux_os/guide/system/selinux/docker_selinux_enabled/oval/rhel7.xml b/linux_os/guide/services/docker/docker_selinux_enabled/oval/rhel7.xml
-similarity index 100%
-rename from linux_os/guide/system/selinux/docker_selinux_enabled/oval/rhel7.xml
-rename to linux_os/guide/services/docker/docker_selinux_enabled/oval/rhel7.xml
-diff --git a/linux_os/guide/system/selinux/docker_selinux_enabled/rule.yml b/linux_os/guide/services/docker/docker_selinux_enabled/rule.yml
-similarity index 100%
-rename from linux_os/guide/system/selinux/docker_selinux_enabled/rule.yml
-rename to 
linux_os/guide/services/docker/docker_selinux_enabled/rule.yml
-diff --git a/linux_os/guide/system/selinux/group.yml b/linux_os/guide/system/selinux/group.yml
-index e1863d4d03..6525cb4919 100644
---- a/linux_os/guide/system/selinux/group.yml
-+++ b/linux_os/guide/system/selinux/group.yml
-@@ -29,3 +29,5 @@ description: |-
- {{% elif product == "ol7" %}}
- For more information on SELinux, see {{{ weblink(link="https://docs.oracle.com/cd/E52668_01/E54669/html/ol7-s1-syssec.html") }}}.
- {{% endif %}}
-+
-+platform: machine
-diff --git a/linux_os/guide/system/selinux/selinux_confinement_of_daemons/rule.yml b/linux_os/guide/system/selinux/selinux_confinement_of_daemons/rule.yml
-index 35c47fbd08..9f224c9340 100644
---- a/linux_os/guide/system/selinux/selinux_confinement_of_daemons/rule.yml
-+++ b/linux_os/guide/system/selinux/selinux_confinement_of_daemons/rule.yml
-@@ -42,5 +42,3 @@ warnings:
- Automatic remediation of this control is not available. Remediation
- can be achieved by amending SELinux policy or stopping the unconfined
- daemons as outlined above.
--
--platform: machine
-diff --git a/linux_os/guide/system/selinux/selinux_policytype/rule.yml b/linux_os/guide/system/selinux/selinux_policytype/rule.yml
-index 934c0dfa17..e8c82a147a 100644
---- a/linux_os/guide/system/selinux/selinux_policytype/rule.yml
-+++ b/linux_os/guide/system/selinux/selinux_policytype/rule.yml
-@@ -56,5 +56,3 @@ ocil_clause: 'it does not'
- ocil: |-
- Check the file /etc/selinux/config and ensure the following line appears:
-
SELINUXTYPE=
--
--platform: machine
-diff --git a/linux_os/guide/system/selinux/selinux_state/rule.yml b/linux_os/guide/system/selinux/selinux_state/rule.yml
-index df0295e043..d993398060 100644
---- a/linux_os/guide/system/selinux/selinux_state/rule.yml
-+++ b/linux_os/guide/system/selinux/selinux_state/rule.yml
-@@ -47,5 +47,3 @@ ocil_clause: 'SELINUX is not set to enforcing'
- ocil: |-
- Check the file /etc/selinux/config and ensure the following line appears:
-
SELINUX=
--
--platform: machine
-diff --git a/linux_os/guide/system/selinux/selinux_user_login_roles/rule.yml b/linux_os/guide/system/selinux/selinux_user_login_roles/rule.yml
-index 80844cad14..fc1f87b410 100644
---- a/linux_os/guide/system/selinux/selinux_user_login_roles/rule.yml
-+++ b/linux_os/guide/system/selinux/selinux_user_login_roles/rule.yml
-@@ -54,5 +54,3 @@ ocil: |-
- All authorized non-administrative
- users must be mapped to the user_u role or the appropriate domain
- (user_t).
--
--platform: machine
diff --git a/SOURCES/scap-security-guide-0.1.44-mark_service_disabled_rules_as_machine_only.patch b/SOURCES/scap-security-guide-0.1.44-mark_service_disabled_rules_as_machine_only.patch
deleted file mode 100644
index c33659a..0000000
--- a/SOURCES/scap-security-guide-0.1.44-mark_service_disabled_rules_as_machine_only.patch
+++ /dev/null
@@ -1,536 +0,0 @@
-From 8f2e794f58b75311153609cd57c56dfa104f3ef1 Mon Sep 17 00:00:00 2001
-From: Gabriel Becker
-Date: Wed, 17 Apr 2019 11:42:05 +0200
-Subject: [PATCH] Mark service rules as machine only.
-
----
- .../disable_avahi_group/service_avahi-daemon_disabled/rule.yml | 2 ++
- linux_os/guide/services/base/service_abrtd_disabled/rule.yml | 2 ++
- linux_os/guide/services/base/service_acpid_disabled/rule.yml | 2 ++
- .../guide/services/base/service_certmonger_disabled/rule.yml | 2 ++
- linux_os/guide/services/base/service_cgconfig_disabled/rule.yml | 2 ++
- linux_os/guide/services/base/service_cgred_disabled/rule.yml | 2 ++
- linux_os/guide/services/base/service_cpupower_disabled/rule.yml | 2 ++
- linux_os/guide/services/base/service_cpuspeed_disabled/rule.yml | 2 ++
- .../guide/services/base/service_haldaemon_disabled/rule.yml | 2 ++
- linux_os/guide/services/base/service_kdump_disabled/rule.yml | 2 ++
- .../guide/services/base/service_mdmonitor_disabled/rule.yml | 2 ++
- .../guide/services/base/service_messagebus_disabled/rule.yml | 2 ++
- .../guide/services/base/service_netconsole_disabled/rule.yml | 2 ++
- linux_os/guide/services/base/service_ntpdate_disabled/rule.yml | 2 ++
- linux_os/guide/services/base/service_oddjobd_disabled/rule.yml | 2 ++
- .../guide/services/base/service_portreserve_disabled/rule.yml | 2 ++
- linux_os/guide/services/base/service_psacct_enabled/rule.yml | 2 ++
- linux_os/guide/services/base/service_qpidd_disabled/rule.yml | 2 ++
- .../guide/services/base/service_quota_nld_disabled/rule.yml | 2 ++
- linux_os/guide/services/base/service_rdisc_disabled/rule.yml | 2 ++
- linux_os/guide/services/base/service_rhnsd_disabled/rule.yml | 2 ++
- .../guide/services/base/service_rhsmcertd_disabled/rule.yml | 2 ++
- .../guide/services/base/service_saslauthd_disabled/rule.yml | 2 ++
- linux_os/guide/services/base/service_smartd_disabled/rule.yml | 2 ++
- linux_os/guide/services/base/service_sysstat_disabled/rule.yml | 2 ++
- 
.../guide/services/cron_and_at/service_atd_disabled/rule.yml | 2 ++
- .../dhcp/disabling_dhcp_server/service_dhcpd_disabled/rule.yml | 2 ++
- .../dns/disabling_dns_server/service_named_disabled/rule.yml | 2 ++
- .../ftp/disabling_vsftpd/service_vsftpd_disabled/rule.yml | 2 ++
- .../http/disabling_httpd/service_httpd_disabled/rule.yml | 2 ++
- .../imap/disabling_dovecot/service_dovecot_disabled/rule.yml | 2 ++
- .../disabling_nfs_services/service_rpcbind_disabled/rule.yml | 2 ++
- .../disabling_nfsd/service_nfs_disabled/rule.yml | 2 ++
- .../disabling_nfsd/service_rpcsvcgssd_disabled/rule.yml | 2 ++
- .../obsolete/inetd_and_xinetd/service_xinetd_disabled/rule.yml | 2 ++
- .../services/obsolete/nis/service_ypbind_disabled/rule.yml | 2 ++
- .../obsolete/r_services/service_rexec_disabled/rule.yml | 2 ++
- .../obsolete/r_services/service_rlogin_disabled/rule.yml | 2 ++
- .../services/obsolete/r_services/service_rsh_disabled/rule.yml | 2 ++
- .../services/obsolete/telnet/service_telnet_disabled/rule.yml | 2 ++
- .../guide/services/obsolete/tftp/service_tftp_disabled/rule.yml | 2 ++
- linux_os/guide/services/printing/service_cups_disabled/rule.yml | 2 ++
- .../proxy/disabling_squid/service_squid_disabled/rule.yml | 2 ++
- .../routing/disabling_quagga/service_zebra_disabled/rule.yml | 2 ++
- .../services/smb/disabling_samba/service_smb_disabled/rule.yml | 2 ++
- .../snmp/disabling_snmp_service/service_snmpd_disabled/rule.yml | 2 ++
- .../wireless_software/service_bluetooth_disabled/rule.yml | 2 ++
- .../permissions/mounting/service_autofs_disabled/rule.yml | 2 ++
- 48 files changed, 96 insertions(+)
-
-diff --git a/linux_os/guide/services/avahi/disable_avahi_group/service_avahi-daemon_disabled/rule.yml b/linux_os/guide/services/avahi/disable_avahi_group/service_avahi-daemon_disabled/rule.yml
-index 43f81254ac..40b88f8c36 100644
---- a/linux_os/guide/services/avahi/disable_avahi_group/service_avahi-daemon_disabled/rule.yml
-+++ 
b/linux_os/guide/services/avahi/disable_avahi_group/service_avahi-daemon_disabled/rule.yml
-@@ -32,3 +32,5 @@ references:
- cis-csc: 11,14,3,9
-
- ocil: '{{{ ocil_service_disabled(service="avahi-daemon") }}}'
-+
-+platform: machine
-diff --git a/linux_os/guide/services/base/service_abrtd_disabled/rule.yml b/linux_os/guide/services/base/service_abrtd_disabled/rule.yml
-index d3f4547161..df51ab91b7 100644
---- a/linux_os/guide/services/base/service_abrtd_disabled/rule.yml
-+++ b/linux_os/guide/services/base/service_abrtd_disabled/rule.yml
-@@ -37,3 +37,5 @@ references:
- cis-csc: 11,12,14,15,3,8,9
-
- ocil: '{{{ ocil_service_disabled(service="abrtd") }}}'
-+
-+platform: machine
-diff --git a/linux_os/guide/services/base/service_acpid_disabled/rule.yml b/linux_os/guide/services/base/service_acpid_disabled/rule.yml
-index 1cde23c55b..e28d36139e 100644
---- a/linux_os/guide/services/base/service_acpid_disabled/rule.yml
-+++ b/linux_os/guide/services/base/service_acpid_disabled/rule.yml
-@@ -32,3 +32,5 @@ references:
- cis-csc: 11,14,3,9
-
- ocil: '{{{ ocil_service_disabled(service="acpid") }}}'
-+
-+platform: machine
-diff --git a/linux_os/guide/services/base/service_certmonger_disabled/rule.yml b/linux_os/guide/services/base/service_certmonger_disabled/rule.yml
-index c8b9d7ecf8..37f67ac757 100644
---- a/linux_os/guide/services/base/service_certmonger_disabled/rule.yml
-+++ b/linux_os/guide/services/base/service_certmonger_disabled/rule.yml
-@@ -32,3 +32,5 @@ references:
- cis-csc: 11,14,3,9
-
- ocil: '{{{ ocil_service_disabled(service="certmonger") }}}'
-+
-+platform: machine
-diff --git a/linux_os/guide/services/base/service_cgconfig_disabled/rule.yml b/linux_os/guide/services/base/service_cgconfig_disabled/rule.yml
-index fc88b03f05..74592ec803 100644
---- a/linux_os/guide/services/base/service_cgconfig_disabled/rule.yml
-+++ b/linux_os/guide/services/base/service_cgconfig_disabled/rule.yml
-@@ -30,3 +30,5 @@ references:
- cis-csc: 11,14,3,9
-
- ocil: '{{{ 
ocil_service_disabled(service="cgconfig") }}}'
-+
-+platform: machine
-diff --git a/linux_os/guide/services/base/service_cgred_disabled/rule.yml b/linux_os/guide/services/base/service_cgred_disabled/rule.yml
-index b7bc04cb3c..95136a34aa 100644
---- a/linux_os/guide/services/base/service_cgred_disabled/rule.yml
-+++ b/linux_os/guide/services/base/service_cgred_disabled/rule.yml
-@@ -29,3 +29,5 @@ references:
- cis-csc: 11,14,3,9
-
- ocil: '{{{ ocil_service_disabled(service="cgred") }}}'
-+
-+platform: machine
-diff --git a/linux_os/guide/services/base/service_cpupower_disabled/rule.yml b/linux_os/guide/services/base/service_cpupower_disabled/rule.yml
-index dd6dd4572e..2ceef1df38 100644
---- a/linux_os/guide/services/base/service_cpupower_disabled/rule.yml
-+++ b/linux_os/guide/services/base/service_cpupower_disabled/rule.yml
-@@ -30,3 +30,5 @@ references:
- cis-csc: 11,14,3,9
-
- ocil: '{{{ ocil_service_disabled(service="cpupower") }}}'
-+
-+platform: machine
-diff --git a/linux_os/guide/services/base/service_cpuspeed_disabled/rule.yml b/linux_os/guide/services/base/service_cpuspeed_disabled/rule.yml
-index fed0d57a25..24ad5469db 100644
---- a/linux_os/guide/services/base/service_cpuspeed_disabled/rule.yml
-+++ b/linux_os/guide/services/base/service_cpuspeed_disabled/rule.yml
-@@ -30,3 +30,5 @@ references:
- cis-csc: 11,14,3,9
-
- ocil: '{{{ ocil_service_disabled(service="cpuspeed") }}}'
-+
-+platform: machine
-diff --git a/linux_os/guide/services/base/service_haldaemon_disabled/rule.yml b/linux_os/guide/services/base/service_haldaemon_disabled/rule.yml
-index 9ffe62f2fb..1f9debf286 100644
---- a/linux_os/guide/services/base/service_haldaemon_disabled/rule.yml
-+++ b/linux_os/guide/services/base/service_haldaemon_disabled/rule.yml
-@@ -31,3 +31,5 @@ references:
- cis-csc: 11,14,3,9
-
- ocil: '{{{ ocil_service_disabled(service="haldaemon") }}}'
-+
-+platform: machine
-diff --git a/linux_os/guide/services/base/service_kdump_disabled/rule.yml 
b/linux_os/guide/services/base/service_kdump_disabled/rule.yml
-index 0dc8bcd117..d3aa88b0a0 100644
---- a/linux_os/guide/services/base/service_kdump_disabled/rule.yml
-+++ b/linux_os/guide/services/base/service_kdump_disabled/rule.yml
-@@ -38,3 +38,5 @@ references:
- cis-csc: 11,12,14,15,3,8,9
-
- ocil: '{{{ ocil_service_disabled(service="kdump") }}}'
-+
-+platform: machine
-diff --git a/linux_os/guide/services/base/service_mdmonitor_disabled/rule.yml b/linux_os/guide/services/base/service_mdmonitor_disabled/rule.yml
-index 7c3cf3ce54..e6e43136be 100644
---- a/linux_os/guide/services/base/service_mdmonitor_disabled/rule.yml
-+++ b/linux_os/guide/services/base/service_mdmonitor_disabled/rule.yml
-@@ -29,3 +29,5 @@ references:
- cis-csc: 11,14,3,9
-
- ocil: '{{{ ocil_service_disabled(service="mdmonitor") }}}'
-+
-+platform: machine
-diff --git a/linux_os/guide/services/base/service_messagebus_disabled/rule.yml b/linux_os/guide/services/base/service_messagebus_disabled/rule.yml
-index 5935ac3d05..2de1412908 100644
---- a/linux_os/guide/services/base/service_messagebus_disabled/rule.yml
-+++ b/linux_os/guide/services/base/service_messagebus_disabled/rule.yml
-@@ -33,3 +33,5 @@ references:
- cis-csc: 11,14,3,9
-
- ocil: '{{{ ocil_service_disabled(service="messagebus") }}}'
-+
-+platform: machine
-diff --git a/linux_os/guide/services/base/service_netconsole_disabled/rule.yml b/linux_os/guide/services/base/service_netconsole_disabled/rule.yml
-index 4579994ffa..db75a5b409 100644
---- a/linux_os/guide/services/base/service_netconsole_disabled/rule.yml
-+++ b/linux_os/guide/services/base/service_netconsole_disabled/rule.yml
-@@ -34,3 +34,5 @@ references:
- cis-csc: 11,12,14,15,3,8,9
-
- ocil: '{{{ ocil_service_disabled(service="netconsole") }}}'
-+
-+platform: machine
-diff --git a/linux_os/guide/services/base/service_ntpdate_disabled/rule.yml b/linux_os/guide/services/base/service_ntpdate_disabled/rule.yml
-index 86b0faa459..1a20f8f3e0 100644
---- 
a/linux_os/guide/services/base/service_ntpdate_disabled/rule.yml
-+++ b/linux_os/guide/services/base/service_ntpdate_disabled/rule.yml
-@@ -38,3 +38,5 @@ references:
- cis-csc: 11,12,14,15,3,8,9
-
- ocil: '{{{ ocil_service_disabled(service="ntpdate") }}}'
-+
-+platform: machine
-diff --git a/linux_os/guide/services/base/service_oddjobd_disabled/rule.yml b/linux_os/guide/services/base/service_oddjobd_disabled/rule.yml
-index bc7087f0be..68a3f5f2ab 100644
---- a/linux_os/guide/services/base/service_oddjobd_disabled/rule.yml
-+++ b/linux_os/guide/services/base/service_oddjobd_disabled/rule.yml
-@@ -37,3 +37,5 @@ references:
- cis-csc: 11,14,3,9
-
- ocil: '{{{ ocil_service_disabled(service="oddjobd") }}}'
-+
-+platform: machine
-diff --git a/linux_os/guide/services/base/service_portreserve_disabled/rule.yml b/linux_os/guide/services/base/service_portreserve_disabled/rule.yml
-index 64cab85593..2238268d3d 100644
---- a/linux_os/guide/services/base/service_portreserve_disabled/rule.yml
-+++ b/linux_os/guide/services/base/service_portreserve_disabled/rule.yml
-@@ -31,3 +31,5 @@ references:
- cis-csc: 11,12,14,15,3,8,9
-
- ocil: '{{{ ocil_service_disabled(service="portreserve") }}}'
-+
-+platform: machine
-diff --git a/linux_os/guide/services/base/service_psacct_enabled/rule.yml b/linux_os/guide/services/base/service_psacct_enabled/rule.yml
-index 4dc88a4176..b53bf84469 100644
---- a/linux_os/guide/services/base/service_psacct_enabled/rule.yml
-+++ b/linux_os/guide/services/base/service_psacct_enabled/rule.yml
-@@ -32,3 +32,5 @@ references:
- cis-csc: 1,11,12,13,14,15,16,2,3,5,6,7,8,9
-
- ocil: '{{{ ocil_service_disabled(service="psacct") }}}'
-+
-+platform: machine
-diff --git a/linux_os/guide/services/base/service_qpidd_disabled/rule.yml b/linux_os/guide/services/base/service_qpidd_disabled/rule.yml
-index b31327d2d0..21e3468237 100644
---- a/linux_os/guide/services/base/service_qpidd_disabled/rule.yml
-+++ b/linux_os/guide/services/base/service_qpidd_disabled/rule.yml 
-@@ -38,3 +38,5 @@ references:
- cis-csc: 11,12,14,15,3,8,9
-
- ocil: '{{{ ocil_service_disabled(service="qpidd") }}}'
-+
-+platform: machine
-diff --git a/linux_os/guide/services/base/service_quota_nld_disabled/rule.yml b/linux_os/guide/services/base/service_quota_nld_disabled/rule.yml
-index b6352e831a..78242b5c7b 100644
---- a/linux_os/guide/services/base/service_quota_nld_disabled/rule.yml
-+++ b/linux_os/guide/services/base/service_quota_nld_disabled/rule.yml
-@@ -35,3 +35,5 @@ references:
- cis-csc: 11,14,3,9
-
- ocil: '{{{ ocil_service_disabled(service="quota_nld") }}}'
-+
-+platform: machine
-diff --git a/linux_os/guide/services/base/service_rdisc_disabled/rule.yml b/linux_os/guide/services/base/service_rdisc_disabled/rule.yml
-index 9fcc4ba207..8265d182ef 100644
---- a/linux_os/guide/services/base/service_rdisc_disabled/rule.yml
-+++ b/linux_os/guide/services/base/service_rdisc_disabled/rule.yml
-@@ -37,3 +37,5 @@ references:
- cis-csc: 1,11,12,13,14,15,16,18,3,4,6,8,9
-
- ocil: '{{{ ocil_service_disabled(service="rdisc") }}}'
-+
-+platform: machine
-diff --git a/linux_os/guide/services/base/service_rhnsd_disabled/rule.yml b/linux_os/guide/services/base/service_rhnsd_disabled/rule.yml
-index 14b0ab18e0..3bf89d899f 100644
---- a/linux_os/guide/services/base/service_rhnsd_disabled/rule.yml
-+++ b/linux_os/guide/services/base/service_rhnsd_disabled/rule.yml
-@@ -37,3 +37,5 @@ references:
- cis-csc: 11,12,14,15,3,8,9
-
- ocil: '{{{ ocil_service_disabled(service="rhnsd") }}}'
-+
-+platform: machine
-diff --git a/linux_os/guide/services/base/service_rhsmcertd_disabled/rule.yml b/linux_os/guide/services/base/service_rhsmcertd_disabled/rule.yml
-index 92ed4fed4d..a4d11dba3c 100644
---- a/linux_os/guide/services/base/service_rhsmcertd_disabled/rule.yml
-+++ b/linux_os/guide/services/base/service_rhsmcertd_disabled/rule.yml
-@@ -33,3 +33,5 @@ references:
- cis-csc: 11,14,3,9
-
- ocil: '{{{ ocil_service_disabled(service="rhsmcertd") }}}'
-+
-+platform: machine
-diff 
--git a/linux_os/guide/services/base/service_saslauthd_disabled/rule.yml b/linux_os/guide/services/base/service_saslauthd_disabled/rule.yml
-index 367530f511..53254f294d 100644
---- a/linux_os/guide/services/base/service_saslauthd_disabled/rule.yml
-+++ b/linux_os/guide/services/base/service_saslauthd_disabled/rule.yml
-@@ -34,3 +34,5 @@ references:
- cis-csc: 11,12,14,15,3,8,9
-
- ocil: '{{{ ocil_service_disabled(service="saslauthd") }}}'
-+
-+platform: machine
-diff --git a/linux_os/guide/services/base/service_smartd_disabled/rule.yml b/linux_os/guide/services/base/service_smartd_disabled/rule.yml
-index 9c4345f56f..8c12d2bfb7 100644
---- a/linux_os/guide/services/base/service_smartd_disabled/rule.yml
-+++ b/linux_os/guide/services/base/service_smartd_disabled/rule.yml
-@@ -32,3 +32,5 @@ references:
- cis-csc: 11,14,3,9
-
- ocil: '{{{ ocil_service_disabled(service="smartd") }}}'
-+
-+platform: machine
-diff --git a/linux_os/guide/services/base/service_sysstat_disabled/rule.yml b/linux_os/guide/services/base/service_sysstat_disabled/rule.yml
-index 33378cab86..2e62cab258 100644
---- a/linux_os/guide/services/base/service_sysstat_disabled/rule.yml
-+++ b/linux_os/guide/services/base/service_sysstat_disabled/rule.yml
-@@ -32,3 +32,5 @@ references:
- cis-csc: 11,14,3,9
-
- ocil: '{{{ ocil_service_disabled(service="sysstat") }}}'
-+
-+platform: machine
-diff --git a/linux_os/guide/services/cron_and_at/service_atd_disabled/rule.yml b/linux_os/guide/services/cron_and_at/service_atd_disabled/rule.yml
-index 7b960f517d..71dab756f2 100644
---- a/linux_os/guide/services/cron_and_at/service_atd_disabled/rule.yml
-+++ b/linux_os/guide/services/cron_and_at/service_atd_disabled/rule.yml
-@@ -38,3 +38,5 @@ references:
- cis-csc: 11,14,3,9
-
- ocil: '{{{ ocil_service_disabled(service="atd") }}}'
-+
-+platform: machine
-diff --git a/linux_os/guide/services/dhcp/disabling_dhcp_server/service_dhcpd_disabled/rule.yml 
b/linux_os/guide/services/dhcp/disabling_dhcp_server/service_dhcpd_disabled/rule.yml
-index af16c87fff..bb0b895d93 100644
---- a/linux_os/guide/services/dhcp/disabling_dhcp_server/service_dhcpd_disabled/rule.yml
-+++ b/linux_os/guide/services/dhcp/disabling_dhcp_server/service_dhcpd_disabled/rule.yml
-@@ -32,3 +32,5 @@ references:
- cis-csc: 11,14,3,9
-
- ocil: '{{{ ocil_service_disabled(service="dhcpd") }}}'
-+
-+platform: machine
-diff --git a/linux_os/guide/services/dns/disabling_dns_server/service_named_disabled/rule.yml b/linux_os/guide/services/dns/disabling_dns_server/service_named_disabled/rule.yml
-index f47b4c29ee..d69cb94bd2 100644
---- a/linux_os/guide/services/dns/disabling_dns_server/service_named_disabled/rule.yml
-+++ b/linux_os/guide/services/dns/disabling_dns_server/service_named_disabled/rule.yml
-@@ -28,3 +28,5 @@ references:
- cis-csc: 11,14,3,9
-
- ocil: '{{{ ocil_service_disabled(service="named") }}}'
-+
-+platform: machine
-diff --git a/linux_os/guide/services/ftp/disabling_vsftpd/service_vsftpd_disabled/rule.yml b/linux_os/guide/services/ftp/disabling_vsftpd/service_vsftpd_disabled/rule.yml
-index ce7c66175d..721572fd1b 100644
---- a/linux_os/guide/services/ftp/disabling_vsftpd/service_vsftpd_disabled/rule.yml
-+++ b/linux_os/guide/services/ftp/disabling_vsftpd/service_vsftpd_disabled/rule.yml
-@@ -30,3 +30,5 @@ references:
- cis-csc: 11,14,3,9
-
- ocil: '{{{ ocil_service_disabled(service="vsftpd") }}}'
-+
-+platform: machine
-diff --git a/linux_os/guide/services/http/disabling_httpd/service_httpd_disabled/rule.yml b/linux_os/guide/services/http/disabling_httpd/service_httpd_disabled/rule.yml
-index de74f1e720..cdec6ac161 100644
---- a/linux_os/guide/services/http/disabling_httpd/service_httpd_disabled/rule.yml
-+++ b/linux_os/guide/services/http/disabling_httpd/service_httpd_disabled/rule.yml
-@@ -27,3 +27,5 @@ references:
- cis-csc: 11,14,3,9
-
- ocil: '{{{ ocil_service_disabled(service="httpd") }}}'
-+
-+platform: machine
-diff --git 
a/linux_os/guide/services/imap/disabling_dovecot/service_dovecot_disabled/rule.yml b/linux_os/guide/services/imap/disabling_dovecot/service_dovecot_disabled/rule.yml -index bd255dc91e..c6d16decf0 100644 ---- a/linux_os/guide/services/imap/disabling_dovecot/service_dovecot_disabled/rule.yml -+++ b/linux_os/guide/services/imap/disabling_dovecot/service_dovecot_disabled/rule.yml -@@ -20,3 +20,5 @@ references: - cis: 2.2.11 - - ocil: '{{{ ocil_service_disabled(service="dovecot") }}}' -+ -+platform: machine -diff --git a/linux_os/guide/services/nfs_and_rpc/disabling_nfs/disabling_nfs_services/service_rpcbind_disabled/rule.yml b/linux_os/guide/services/nfs_and_rpc/disabling_nfs/disabling_nfs_services/service_rpcbind_disabled/rule.yml -index 0f565ab669..8e716c4890 100644 ---- a/linux_os/guide/services/nfs_and_rpc/disabling_nfs/disabling_nfs_services/service_rpcbind_disabled/rule.yml -+++ b/linux_os/guide/services/nfs_and_rpc/disabling_nfs/disabling_nfs_services/service_rpcbind_disabled/rule.yml -@@ -23,3 +23,5 @@ identifiers: - - references: - cis: 2.2.7 -+ -+platform: machine -diff --git a/linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/disabling_nfsd/service_nfs_disabled/rule.yml b/linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/disabling_nfsd/service_nfs_disabled/rule.yml -index 4da6b1de32..77b9cb19eb 100644 ---- a/linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/disabling_nfsd/service_nfs_disabled/rule.yml -+++ b/linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/disabling_nfsd/service_nfs_disabled/rule.yml -@@ -31,3 +31,5 @@ references: - ocil_clause: 'it does not' - - ocil: '{{{ ocil_service_disabled(service="nfs") }}}' -+ -+platform: machine -diff --git a/linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/disabling_nfsd/service_rpcsvcgssd_disabled/rule.yml b/linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/disabling_nfsd/service_rpcsvcgssd_disabled/rule.yml -index dfa0d0a8c7..e8d3a81270 100644 ---- 
a/linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/disabling_nfsd/service_rpcsvcgssd_disabled/rule.yml -+++ b/linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/disabling_nfsd/service_rpcsvcgssd_disabled/rule.yml -@@ -20,3 +20,5 @@ identifiers: - cce@rhel7: 80238-9 - - ocil: '{{{ ocil_service_disabled(service="rpcsvcgssd") }}}' -+ -+platform: machine -diff --git a/linux_os/guide/services/obsolete/inetd_and_xinetd/service_xinetd_disabled/rule.yml b/linux_os/guide/services/obsolete/inetd_and_xinetd/service_xinetd_disabled/rule.yml -index 2b224eec65..e86a1620ef 100644 ---- a/linux_os/guide/services/obsolete/inetd_and_xinetd/service_xinetd_disabled/rule.yml -+++ b/linux_os/guide/services/obsolete/inetd_and_xinetd/service_xinetd_disabled/rule.yml -@@ -38,3 +38,5 @@ ocil: |- - If network services are using the xinetd service, this is not applicable. -

- {{{ ocil_service_disabled(service="xinetd") }}} -+ -+platform: machine -diff --git a/linux_os/guide/services/obsolete/nis/service_ypbind_disabled/rule.yml b/linux_os/guide/services/obsolete/nis/service_ypbind_disabled/rule.yml -index 8020867c28..9444832e16 100644 ---- a/linux_os/guide/services/obsolete/nis/service_ypbind_disabled/rule.yml -+++ b/linux_os/guide/services/obsolete/nis/service_ypbind_disabled/rule.yml -@@ -34,3 +34,5 @@ references: - cis-csc: 11,12,14,15,3,8,9 - - ocil: '{{{ ocil_service_disabled(service="ypbind") }}}' -+ -+platform: machine -diff --git a/linux_os/guide/services/obsolete/r_services/service_rexec_disabled/rule.yml b/linux_os/guide/services/obsolete/r_services/service_rexec_disabled/rule.yml -index 847304d1fc..65d6cc7a36 100644 ---- a/linux_os/guide/services/obsolete/r_services/service_rexec_disabled/rule.yml -+++ b/linux_os/guide/services/obsolete/r_services/service_rexec_disabled/rule.yml -@@ -39,3 +39,5 @@ references: - cis-csc: 11,12,14,15,3,8,9 - - {{{ complete_ocil_entry_socket_and_service_disabled("rexec") }}} -+ -+platform: machine -diff --git a/linux_os/guide/services/obsolete/r_services/service_rlogin_disabled/rule.yml b/linux_os/guide/services/obsolete/r_services/service_rlogin_disabled/rule.yml -index 295c3e6c7a..4864112e97 100644 ---- a/linux_os/guide/services/obsolete/r_services/service_rlogin_disabled/rule.yml -+++ b/linux_os/guide/services/obsolete/r_services/service_rlogin_disabled/rule.yml -@@ -40,3 +40,5 @@ references: - cis-csc: 1,11,12,14,15,16,3,5,8,9 - - {{{ complete_ocil_entry_socket_and_service_disabled("rlogin") }}} -+ -+platform: machine -diff --git a/linux_os/guide/services/obsolete/r_services/service_rsh_disabled/rule.yml b/linux_os/guide/services/obsolete/r_services/service_rsh_disabled/rule.yml -index 17740862f2..5bd43b0e6e 100644 ---- a/linux_os/guide/services/obsolete/r_services/service_rsh_disabled/rule.yml -+++ b/linux_os/guide/services/obsolete/r_services/service_rsh_disabled/rule.yml -@@ -39,3 +39,5 
@@ references: - cis-csc: 1,11,12,14,15,16,3,5,8,9 - - {{{ complete_ocil_entry_socket_and_service_disabled("rsh") }}} -+ -+platform: machine -diff --git a/linux_os/guide/services/obsolete/telnet/service_telnet_disabled/rule.yml b/linux_os/guide/services/obsolete/telnet/service_telnet_disabled/rule.yml -index 09e6d48a82..b4ca1f46de 100644 ---- a/linux_os/guide/services/obsolete/telnet/service_telnet_disabled/rule.yml -+++ b/linux_os/guide/services/obsolete/telnet/service_telnet_disabled/rule.yml -@@ -59,3 +59,5 @@ references: - cis-csc: 1,11,12,14,15,16,3,5,8,9 - - {{{ complete_ocil_entry_socket_and_service_disabled("telnet") }}} -+ -+platform: machine -diff --git a/linux_os/guide/services/obsolete/tftp/service_tftp_disabled/rule.yml b/linux_os/guide/services/obsolete/tftp/service_tftp_disabled/rule.yml -index dc94742526..2f1671ef88 100644 ---- a/linux_os/guide/services/obsolete/tftp/service_tftp_disabled/rule.yml -+++ b/linux_os/guide/services/obsolete/tftp/service_tftp_disabled/rule.yml -@@ -32,3 +32,5 @@ references: - cis-csc: 11,12,14,15,3,8,9 - - ocil: '{{{ ocil_service_disabled(service="tftp") }}}' -+ -+platform: machine -diff --git a/linux_os/guide/services/printing/service_cups_disabled/rule.yml b/linux_os/guide/services/printing/service_cups_disabled/rule.yml -index 5b0cc60bfd..3728484a62 100644 ---- a/linux_os/guide/services/printing/service_cups_disabled/rule.yml -+++ b/linux_os/guide/services/printing/service_cups_disabled/rule.yml -@@ -25,3 +25,5 @@ references: - cis-csc: 11,14,3,9 - - ocil: '{{{ ocil_service_disabled(service="cups") }}}' -+ -+platform: machine -diff --git a/linux_os/guide/services/proxy/disabling_squid/service_squid_disabled/rule.yml b/linux_os/guide/services/proxy/disabling_squid/service_squid_disabled/rule.yml -index a8c1e00d78..990726e40d 100644 ---- a/linux_os/guide/services/proxy/disabling_squid/service_squid_disabled/rule.yml -+++ b/linux_os/guide/services/proxy/disabling_squid/service_squid_disabled/rule.yml -@@ -20,3 +20,5 @@ 
references: - cis: 2.2.13 - - ocil: '{{{ ocil_service_disabled(service="squid") }}}' -+ -+platform: machine -diff --git a/linux_os/guide/services/routing/disabling_quagga/service_zebra_disabled/rule.yml b/linux_os/guide/services/routing/disabling_quagga/service_zebra_disabled/rule.yml -index c3bb80abd8..e9c9a56f77 100644 ---- a/linux_os/guide/services/routing/disabling_quagga/service_zebra_disabled/rule.yml -+++ b/linux_os/guide/services/routing/disabling_quagga/service_zebra_disabled/rule.yml -@@ -30,3 +30,5 @@ references: - cis-csc: 12,15,8 - - ocil: '{{{ ocil_service_disabled(service="zebra") }}}' -+ -+platform: machine -diff --git a/linux_os/guide/services/smb/disabling_samba/service_smb_disabled/rule.yml b/linux_os/guide/services/smb/disabling_samba/service_smb_disabled/rule.yml -index f00944b9fa..13769d9ff2 100644 ---- a/linux_os/guide/services/smb/disabling_samba/service_smb_disabled/rule.yml -+++ b/linux_os/guide/services/smb/disabling_samba/service_smb_disabled/rule.yml -@@ -21,3 +21,5 @@ references: - disa: "1436" - - ocil: '{{{ ocil_service_disabled(service="smb") }}}' -+ -+platform: machine -diff --git a/linux_os/guide/services/snmp/disabling_snmp_service/service_snmpd_disabled/rule.yml b/linux_os/guide/services/snmp/disabling_snmp_service/service_snmpd_disabled/rule.yml -index 64f509be20..96a52bc3c9 100644 ---- a/linux_os/guide/services/snmp/disabling_snmp_service/service_snmpd_disabled/rule.yml -+++ b/linux_os/guide/services/snmp/disabling_snmp_service/service_snmpd_disabled/rule.yml -@@ -21,3 +21,5 @@ references: - cis: 2.2.14 - - ocil: '{{{ ocil_service_disabled(service="snmpd") }}}' -+ -+platform: machine -diff --git a/linux_os/guide/system/network/network-wireless/wireless_software/service_bluetooth_disabled/rule.yml b/linux_os/guide/system/network/network-wireless/wireless_software/service_bluetooth_disabled/rule.yml -index 05b11ecbc1..fb2eeecfc1 100644 ---- 
a/linux_os/guide/system/network/network-wireless/wireless_software/service_bluetooth_disabled/rule.yml -+++ b/linux_os/guide/system/network/network-wireless/wireless_software/service_bluetooth_disabled/rule.yml -@@ -34,3 +34,5 @@ references: - cis-csc: 11,12,14,15,3,8,9 - - ocil: '{{{ ocil_service_disabled(service="bluetooth") }}}' -+ -+platform: machine -diff --git a/linux_os/guide/system/permissions/mounting/service_autofs_disabled/rule.yml b/linux_os/guide/system/permissions/mounting/service_autofs_disabled/rule.yml -index 9de5b25a74..fa4c8e1a48 100644 ---- a/linux_os/guide/system/permissions/mounting/service_autofs_disabled/rule.yml -+++ b/linux_os/guide/system/permissions/mounting/service_autofs_disabled/rule.yml -@@ -47,3 +47,5 @@ references: - cis-csc: 1,12,15,16,5 - - ocil: '{{{ ocil_service_disabled(service="autofs") }}}' -+ -+platform: machine diff --git a/SOURCES/scap-security-guide-0.1.44-remove_gpgcheck_repo_from_profiles.patch b/SOURCES/scap-security-guide-0.1.44-remove_gpgcheck_repo_from_profiles.patch deleted file mode 100644 index 75080a4..0000000 --- a/SOURCES/scap-security-guide-0.1.44-remove_gpgcheck_repo_from_profiles.patch +++ /dev/null 
@@ -1,54 +0,0 @@
-commit 0fa953ada3356994ddc5a42bd93423c4b95adab8
-Author: Gabriel Becker
-Date: Thu Apr 25 16:27:58 2019 +0200
-
- Remove ensure_gpgcheck_repo_metadata check from rhel profiles.
-
-diff --git a/rhel7/profiles/hipaa.profile b/rhel7/profiles/hipaa.profile
-index 8323245..719093b 100644
---- a/rhel7/profiles/hipaa.profile
-+++ b/rhel7/profiles/hipaa.profile
-@@ -88,7 +88,6 @@ selections:
- - ensure_redhat_gpgkey_installed
- - ensure_gpgcheck_globally_activated
- - ensure_gpgcheck_never_disabled
-- - ensure_gpgcheck_repo_metadata
- - ensure_gpgcheck_local_packages
- - grub2_audit_argument
- - service_auditd_enabled
-diff --git a/rhel7/profiles/ospp.profile b/rhel7/profiles/ospp.profile
-index 166de67..a4357a6 100644
---- a/rhel7/profiles/ospp.profile
-+++ b/rhel7/profiles/ospp.profile
-@@ -397,7 +397,6 @@ selections:
- - ensure_redhat_gpgkey_installed
- - ensure_gpgcheck_globally_activated
- - ensure_gpgcheck_never_disabled
-- - ensure_gpgcheck_repo_metadata
- - ensure_gpgcheck_local_packages
- - network_sniffer_disabled
- - network_ipv6_disable_rpc
-diff --git a/rhel8/profiles/hipaa.profile b/rhel8/profiles/hipaa.profile
-index 5819474..f5533f1 100644
---- a/rhel8/profiles/hipaa.profile
-+++ b/rhel8/profiles/hipaa.profile
-@@ -83,7 +83,6 @@ selections:
- - ensure_redhat_gpgkey_installed
- - ensure_gpgcheck_globally_activated
- - ensure_gpgcheck_never_disabled
-- - ensure_gpgcheck_repo_metadata
- - ensure_gpgcheck_local_packages
- - grub2_audit_argument
- - service_auditd_enabled
-diff --git a/rhv4/profiles/rhvh-stig.profile b/rhv4/profiles/rhvh-stig.profile
-index f55098b..f708198 100644
---- a/rhv4/profiles/rhvh-stig.profile
-+++ b/rhv4/profiles/rhvh-stig.profile
-@@ -371,7 +371,6 @@ selections:
- - ensure_redhat_gpgkey_installed
- - ensure_gpgcheck_globally_activated
- - ensure_gpgcheck_never_disabled
-- - ensure_gpgcheck_repo_metadata
- - ensure_gpgcheck_local_packages
- - network_sniffer_disabled
- - network_ipv6_disable_rpc
diff --git a/SOURCES/scap-security-guide-0.1.44-rule_pcsc-lite_installed.patch b/SOURCES/scap-security-guide-0.1.44-rule_pcsc-lite_installed.patch
deleted file mode 100644
index 6cdf6be..0000000
--- a/SOURCES/scap-security-guide-0.1.44-rule_pcsc-lite_installed.patch
+++ /dev/null
@@ -1,141 +0,0 @@
-From 57e3dba57c5a9e9172476ea254fae2a8fa4e9591 Mon Sep 17 00:00:00 2001
-From: Watson Sato
-Date: Fri, 1 Mar 2019 10:22:19 +0100
-Subject: [PATCH 1/2] Add rule for package pcsc-lite installed
-
-Select the rule in profiles that select service_pcscd_enabled.
----
- .../package_pcsc-lite_installed/rule.yml | 23 +++++++++++++++++++
- rhel7/profiles/ospp.profile | 1 +
- rhel7/profiles/rhelh-stig.profile | 1 +
- rhel7/profiles/rhelh-vpp.profile | 1 +
- rhel8/profiles/pci-dss.profile | 1 +
- rhv4/profiles/rhvh-stig.profile | 1 +
- rhv4/profiles/rhvh-vpp.profile | 1 +
- 7 files changed, 29 insertions(+)
- create mode 100644 linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/package_pcsc-lite_installed/rule.yml
-
-diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/package_pcsc-lite_installed/rule.yml b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/package_pcsc-lite_installed/rule.yml
-new file mode 100644
-index 0000000000..6baf31bbe1
---- /dev/null
-+++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/package_pcsc-lite_installed/rule.yml
-@@ -0,0 +1,23 @@
-+documentation_complete: true
-+
-+prodtype: rhel7,rhel8,fedora,rhv4
-+
-+title: 'Install pcsc-lite'
-+
-+description: |-
-+ {{{ describe_package_install(package="pcsc-lite") }}}
-+
-+rationale: |-
-+ The pcsc-lite package must be installed if it is to be available for
-+ multifactor authentication using smartcards.
-+
-+severity: medium
-+
-+references:
-+ disa: "1954"
-+ srg: SRG-OS-000375-GPOS-00160
-+ vmmsrg: SRG-OS-000377-VMM-001530
-+
-+ocil_clause: 'the package is not installed'
-+
-+ocil: '{{{ ocil_package(package="pcsc-lite") }}}'
-diff --git a/rhel7/profiles/ospp.profile b/rhel7/profiles/ospp.profile
-index 64f54c3945..166de67169 100644
---- a/rhel7/profiles/ospp.profile
-+++ b/rhel7/profiles/ospp.profile
-@@ -387,6 +387,7 @@ selections:
- - configure_opensc_nss_db
- - configure_opensc_card_drivers
- - force_opensc_card_drivers
-+ - package_pcsc-lite_installed
- - service_pcscd_enabled
- - sssd_enable_smartcards
- - sssd_memcache_timeout
-diff --git a/rhel7/profiles/rhelh-stig.profile b/rhel7/profiles/rhelh-stig.profile
-index cf387e4a25..f88f4026b0 100644
---- a/rhel7/profiles/rhelh-stig.profile
-+++ b/rhel7/profiles/rhelh-stig.profile
-@@ -361,6 +361,7 @@ selections:
- - configure_opensc_nss_db
- - configure_opensc_card_drivers
- - force_opensc_card_drivers
-+ - package_pcsc-lite_installed
- - service_pcscd_enabled
- - sssd_enable_smartcards
- - sssd_memcache_timeout
-diff --git a/rhel7/profiles/rhelh-vpp.profile b/rhel7/profiles/rhelh-vpp.profile
-index b26e523f6d..2b4a5805ef 100644
---- a/rhel7/profiles/rhelh-vpp.profile
-+++ b/rhel7/profiles/rhelh-vpp.profile
-@@ -178,6 +178,7 @@ selections:
- - configure_opensc_nss_db
- - configure_opensc_card_drivers
- - force_opensc_card_drivers
-+ - package_pcsc-lite_installed
- - service_pcscd_enabled
- - sssd_enable_smartcards
-
-diff --git a/rhel8/profiles/pci-dss.profile b/rhel8/profiles/pci-dss.profile
-index 934622c456..5990e9e00d 100644
---- a/rhel8/profiles/pci-dss.profile
-+++ b/rhel8/profiles/pci-dss.profile
-@@ -119,6 +119,7 @@ selections:
- - configure_opensc_nss_db
- - configure_opensc_card_drivers
- - force_opensc_card_drivers
-+ - package_pcsc-lite_installed
- - service_pcscd_enabled
- - sssd_enable_smartcards
- - set_password_hashing_algorithm_systemauth
-diff --git a/rhv4/profiles/rhvh-stig.profile b/rhv4/profiles/rhvh-stig.profile
-index 47f0052756..f55098b276 100644
---- a/rhv4/profiles/rhvh-stig.profile
-+++ b/rhv4/profiles/rhvh-stig.profile
-@@ -361,6 +361,7 @@ selections:
- - configure_opensc_nss_db
- - configure_opensc_card_drivers
- - force_opensc_card_drivers
-+ - package_pcsc-lite_installed
- - service_pcscd_enabled
- - sssd_enable_smartcards
- - sssd_memcache_timeout
-diff --git a/rhv4/profiles/rhvh-vpp.profile b/rhv4/profiles/rhvh-vpp.profile
-index 5b9dee7590..ecc6fce5e0 100644
---- a/rhv4/profiles/rhvh-vpp.profile
-+++ b/rhv4/profiles/rhvh-vpp.profile
-@@ -178,6 +178,7 @@ selections:
- - configure_opensc_nss_db
- - configure_opensc_card_drivers
- - force_opensc_card_drivers
-+ - package_pcsc-lite_installed
- - service_pcscd_enabled
- - sssd_enable_smartcards
-
-
-From d8ffcfed9a1e97e18b02bc6be8d7918b6a994a95 Mon Sep 17 00:00:00 2001
-From: Watson Sato
-Date: Fri, 1 Mar 2019 16:58:19 +0100
-Subject: [PATCH 2/2] Update title of rule package_pcsc-lite_installed
-
----
- .../smart_card_login/package_pcsc-lite_installed/rule.yml | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/package_pcsc-lite_installed/rule.yml b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/package_pcsc-lite_installed/rule.yml
-index 6baf31bbe1..b2a243db84 100644
---- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/package_pcsc-lite_installed/rule.yml
-+++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/package_pcsc-lite_installed/rule.yml
-@@ -2,7 +2,7 @@ documentation_complete: true
-
- prodtype: rhel7,rhel8,fedora,rhv4
-
--title: 'Install pcsc-lite'
-+title: 'Install the pcsc-lite package'
-
- description: |-
- {{{ describe_package_install(package="pcsc-lite") }}}
diff --git a/SOURCES/scap-security-guide-0.1.44-rules_docker_psacct_installed.patch b/SOURCES/scap-security-guide-0.1.44-rules_docker_psacct_installed.patch
deleted file mode 100644
index 79286d9..0000000
--- a/SOURCES/scap-security-guide-0.1.44-rules_docker_psacct_installed.patch
+++ /dev/null
@@ -1,179 +0,0 @@
-From 6b9120f959480a230579f31d3b428d2d7f99f488 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?=
-Date: Tue, 5 Mar 2019 15:31:03 +0100
-Subject: [PATCH 1/4] Add rule package_docker_installed
-
-There is a rule service_docker_enabled, but the Ansible remediation
-for this rule failed, because there was no rule that contained
-an Ansible task to install the Docker package.
----
- .../docker/package_docker_installed/rule.yml | 22 +++++++++++++++++++
- 1 file changed, 22 insertions(+)
- create mode 100644 linux_os/guide/services/docker/package_docker_installed/rule.yml
-
-diff --git a/linux_os/guide/services/docker/package_docker_installed/rule.yml b/linux_os/guide/services/docker/package_docker_installed/rule.yml
-new file mode 100644
-index 0000000000..69fc172c34
---- /dev/null
-+++ b/linux_os/guide/services/docker/package_docker_installed/rule.yml
-@@ -0,0 +1,22 @@
-+documentation_complete: true
-+
-+prodtype: rhel7
-+
-+title: 'Install the docker Package'
-+
-+description: |-
-+ The docker package provides necessary software to create containers, which
-+ are self-sufficient and self-contained applications using the resource
-+ isolation features of the kernel.
-+ {{{ describe_package_install(package="docker") }}}
-+
-+rationale: |-
-+ To be able to run the docker service, the docker package has to be installed.
-+
-+severity: medium
-+
-+ocil_clause: 'the package is not installed'
-+
-+ocil: '{{{ ocil_package(package="docker") }}}'
-+
-+platform: machine
-
-From bdcbb9bf073c915b86a8619b0a1f82307d34f82b Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?=
-Date: Tue, 5 Mar 2019 15:33:07 +0100
-Subject: [PATCH 2/4] Remove Docker rules from RHEL8 Benchmark
-
-Docker isn't available on RHEL8.
----
- .../guide/services/docker/docker_storage_configured/rule.yml | 2 +-
- linux_os/guide/services/docker/service_docker_enabled/rule.yml | 2 +-
- 2 files changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/linux_os/guide/services/docker/docker_storage_configured/rule.yml b/linux_os/guide/services/docker/docker_storage_configured/rule.yml
-index d0000f70f5..a1c90e60f9 100644
---- a/linux_os/guide/services/docker/docker_storage_configured/rule.yml
-+++ b/linux_os/guide/services/docker/docker_storage_configured/rule.yml
-@@ -1,6 +1,6 @@
- documentation_complete: true
-
--prodtype: rhel7,rhel8
-+prodtype: rhel7
-
- title: 'Use direct-lvm with the Device Mapper Storage Driver'
-
-diff --git a/linux_os/guide/services/docker/service_docker_enabled/rule.yml b/linux_os/guide/services/docker/service_docker_enabled/rule.yml
-index f0f408b655..309771b828 100644
---- a/linux_os/guide/services/docker/service_docker_enabled/rule.yml
-+++ b/linux_os/guide/services/docker/service_docker_enabled/rule.yml
-@@ -1,6 +1,6 @@
- documentation_complete: true
-
--prodtype: rhel7,rhel8
-+prodtype: rhel7
-
- title: 'Enable the Docker service'
-
-
-From 9d20a9f87bc3e3992bd86728de9bd05988a35a8a Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?=
-Date: Tue, 5 Mar 2019 15:48:37 +0100
-Subject: [PATCH 3/4] Add rule package_docker_installed to Docker host profile
-
----
- rhel7/profiles/docker-host.profile | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/rhel7/profiles/docker-host.profile b/rhel7/profiles/docker-host.profile
-index 894b78930b..0d1207bcfa 100644
---- a/rhel7/profiles/docker-host.profile
-+++ b/rhel7/profiles/docker-host.profile
-@@ -10,6 +10,7 @@ description: |-
- and scap-security-guide@lists.fedorahosted.org.
-
- selections:
-+ - package_docker_installed
- - service_docker_enabled
- - var_selinux_policy_name=targeted
- - var_selinux_state=enforcing
-
-From b34bdcf3ddd10542b8e989069779c6ff45385c96 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?=
-Date: Tue, 5 Mar 2019 15:49:01 +0100
-Subject: [PATCH 4/4] Add rule package_psacct_installed
-
-There is a rule service_psacct_enabled, but the Ansible remediation
-for this rule failed, because there was no rule that contained
-an Ansible task to install the psacct package.
-Also adds the rule package_psacct_installed to all profiles
-where rule service_psacct_enabled is included.
----
- .../base/package_psacct_installed/rule.yml | 32 +++++++++++++++++++
- rhel6/profiles/CSCF-RHEL6-MLS.profile | 1 +
- rhel6/profiles/nist-CL-IL-AL.profile | 1 +
- 3 files changed, 34 insertions(+)
- create mode 100644 linux_os/guide/services/base/package_psacct_installed/rule.yml
-
-diff --git a/linux_os/guide/services/base/package_psacct_installed/rule.yml b/linux_os/guide/services/base/package_psacct_installed/rule.yml
-new file mode 100644
-index 0000000000..abf2a720ee
---- /dev/null
-+++ b/linux_os/guide/services/base/package_psacct_installed/rule.yml
-@@ -0,0 +1,32 @@
-+documentation_complete: true
-+
-+prodtype: rhel6,rhel7,rhel8
-+
-+title: 'Install the psacct package'
-+
-+description: |-
-+ The process accounting service, psacct, works with programs
-+ including acct and ac to allow system administrators to view
-+ user activity, such as commands issued by users of the system.
-+ {{{ describe_package_install(package="psacct") }}}
-+
-+rationale: |-
-+ The psacct service can provide administrators a convenient
-+ view into some user activities. However, it should be noted that the auditing
-+ system and its audit records provide more authoritative and comprehensive
-+ records.
-+
-+severity: unknown
-+
-+references:
-+ nist: AU-12,CM-7
-+ nist-csf: DE.CM-1,DE.CM-3,DE.CM-7,ID.SC-4,PR.IP-1,PR.PT-1,PR.PT-3
-+ isa-62443-2013: 'SR 1.1,SR 1.10,SR 1.11,SR 1.12,SR 1.13,SR 1.2,SR 1.3,SR 1.4,SR 1.5,SR 1.6,SR 1.7,SR 1.8,SR 1.9,SR 2.1,SR 2.10,SR 2.11,SR 2.12,SR 2.2,SR 2.3,SR 2.4,SR 2.5,SR 2.6,SR 2.7,SR 2.8,SR 2.9,SR 6.1,SR 6.2,SR 7.6'
-+ isa-62443-2009: 4.3.2.6.7,4.3.3.3.9,4.3.3.5.1,4.3.3.5.2,4.3.3.5.3,4.3.3.5.4,4.3.3.5.5,4.3.3.5.6,4.3.3.5.7,4.3.3.5.8,4.3.3.6.1,4.3.3.6.2,4.3.3.6.3,4.3.3.6.4,4.3.3.6.5,4.3.3.6.6,4.3.3.6.7,4.3.3.6.8,4.3.3.6.9,4.3.3.7.1,4.3.3.7.2,4.3.3.7.3,4.3.3.7.4,4.3.4.3.2,4.3.4.3.3,4.3.4.4.7,4.4.2.1,4.4.2.2,4.4.2.4
-+ cobit5: APO10.01,APO10.03,APO10.04,APO10.05,APO11.04,BAI03.05,BAI10.01,BAI10.02,BAI10.03,BAI10.05,DSS01.03,DSS03.05,DSS05.02,DSS05.04,DSS05.05,DSS05.07,DSS06.06,MEA01.01,MEA01.02,MEA01.03,MEA01.04,MEA01.05,MEA02.01
-+ iso27001-2013: A.12.1.2,A.12.4.1,A.12.4.2,A.12.4.3,A.12.4.4,A.12.5.1,A.12.6.2,A.12.7.1,A.14.2.2,A.14.2.3,A.14.2.4,A.14.2.7,A.15.2.1,A.15.2.2,A.9.1.2
-+ cis-csc: 1,11,12,13,14,15,16,2,3,5,6,7,8,9
-+
-+ocil_clause: 'the package is not installed'
-+
-+ocil: '{{{ ocil_package(package="psacct") }}}'
-diff --git a/rhel6/profiles/CSCF-RHEL6-MLS.profile b/rhel6/profiles/CSCF-RHEL6-MLS.profile
-index 104ebeadca..49568247cc 100644
---- a/rhel6/profiles/CSCF-RHEL6-MLS.profile
-+++ b/rhel6/profiles/CSCF-RHEL6-MLS.profile
-@@ -207,6 +207,7 @@ selections:
- - service_ntpdate_disabled
- - service_oddjobd_disabled
- - service_portreserve_disabled
-+ - package_psacct_installed
- - service_psacct_enabled
- - service_qpidd_disabled
- - service_quota_nld_disabled
-diff --git a/rhel6/profiles/nist-CL-IL-AL.profile b/rhel6/profiles/nist-CL-IL-AL.profile
-index 9f8718329b..8a6e21a106 100644
---- a/rhel6/profiles/nist-CL-IL-AL.profile
-+++ b/rhel6/profiles/nist-CL-IL-AL.profile
-@@ -164,6 +164,7 @@ selections:
- - service_ntpd_enabled
- - ntpd_specify_remote_server
- - ntpd_specify_multiple_servers
-+ - package_psacct_installed
- - service_psacct_enabled
- - package_aide_installed
- - disable_prelink
diff --git a/SOURCES/scap-security-guide-0.1.44-template_file_permissions_use_regex.patch b/SOURCES/scap-security-guide-0.1.44-template_file_permissions_use_regex.patch
deleted file mode 100644
index b404d63..0000000
--- a/SOURCES/scap-security-guide-0.1.44-template_file_permissions_use_regex.patch
+++ /dev/null
@@ -1,47 +0,0 @@
-From 1732e962e1157832e77a5471a4cd9ebeb6da83a5 Mon Sep 17 00:00:00 2001
-From: Watson Sato
-Date: Tue, 19 Mar 2019 16:34:37 +0100
-Subject: [PATCH 1/2] Set use_regex to true
-
-The specified pattern is a regular expression
----
- shared/templates/template_ANSIBLE_file_regex_permissions | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/shared/templates/template_ANSIBLE_file_regex_permissions b/shared/templates/template_ANSIBLE_file_regex_permissions
-index cfa6073347..6be3b0db2e 100644
---- a/shared/templates/template_ANSIBLE_file_regex_permissions
-+++ b/shared/templates/template_ANSIBLE_file_regex_permissions
-@@ -7,6 +7,7 @@
- find:
- paths: "{{{ FILEPATH }}}"
- patterns: "{{{ FILENAME }}}"
-+ use_regex: yes
- register: files_found
- tags:
- @ANSIBLE_TAGS@
-
-From 64c07573e7b30bed581e1765f0964d8934b5ee58 Mon Sep 17 00:00:00 2001
-From: Watson Sato
-Date: Tue, 19 Mar 2019 16:35:27 +0100
-Subject: [PATCH 2/2] Add test for multiple ssh keys
-
----
- .../multiple_keys.fail.sh | 8 ++++++++
- 1 file changed, 8 insertions(+)
- create mode 100644 tests/data/group_services/group_ssh/rule_file_permissions_sshd_private_key/multiple_keys.fail.sh
-
-diff --git a/tests/data/group_services/group_ssh/rule_file_permissions_sshd_private_key/multiple_keys.fail.sh b/tests/data/group_services/group_ssh/rule_file_permissions_sshd_private_key/multiple_keys.fail.sh
-new file mode 100644
-index 0000000000..7942950dda
---- /dev/null
-+++ b/tests/data/group_services/group_ssh/rule_file_permissions_sshd_private_key/multiple_keys.fail.sh
-@@ -0,0 +1,8 @@
-+#!/bin/bash
-+#
-+# profiles = xccdf_org.ssgproject.content_profile_ospp
-+
-+FAKE_KEY=$(mktemp -p /etc/ssh/ XXXX_key)
-+chmod 0777 $FAKE_KEY
-+FAKE_KEY2=$(mktemp -p /etc/ssh/ XXXX_key)
-+chmod 0640 $FAKE_KEY2
diff --git a/SOURCES/scap-security-guide-0.1.44-update-cpe-dictionary.patch b/SOURCES/scap-security-guide-0.1.44-update-cpe-dictionary.patch
deleted file mode 100644
index 31239b1..0000000
--- a/SOURCES/scap-security-guide-0.1.44-update-cpe-dictionary.patch
+++ /dev/null
@@ -1,143 +0,0 @@ -From f984d1cee639ddc2d1249f07151687f552400e3a Mon Sep 17 00:00:00 2001 -From: Watson Sato -Date: Thu, 11 Apr 2019 13:49:44 +0200 -Subject: [PATCH 1/5] Update rhel dictionaries - ---- - rhel6/cpe/rhel6-cpe-dictionary.xml | 35 ++++++++++++++++++++++++++++++ - rhel8/cpe/rhel8-cpe-dictionary.xml | 35 ++++++++++++++++++++++++++++++ - rhv4/cpe/rhv4-cpe-dictionary.xml | 35 ++++++++++++++++++++++++++++++ - 3 files changed, 105 insertions(+) - -diff --git a/rhel6/cpe/rhel6-cpe-dictionary.xml b/rhel6/cpe/rhel6-cpe-dictionary.xml -index b5aa6f2b35..7e1f711459 100644 ---- a/rhel6/cpe/rhel6-cpe-dictionary.xml -+++ b/rhel6/cpe/rhel6-cpe-dictionary.xml -@@ -37,4 +37,39 @@ - - installed_env_is_a_machine - -+ -+ Package gdm is installed -+ -+ installed_env_has_gdm_package -+ -+ -+ Package libuser is installed -+ -+ installed_env_has_libuser_package -+ -+ -+ Package nss-pam-ldapd is installed -+ -+ installed_env_has_nss-pam-ldapd_package -+ -+ -+ Package pam is installed -+ -+ installed_env_has_pam_package -+ -+ -+ Package shadow-utils is installed -+ -+ installed_env_has_shadow-utils_package -+ -+ -+ Package systemd is installed -+ -+ installed_env_has_systemd_package -+ -+ -+ Package yum is installed -+ -+ installed_env_has_yum_package -+ - -diff --git a/rhel8/cpe/rhel8-cpe-dictionary.xml b/rhel8/cpe/rhel8-cpe-dictionary.xml -index 020fe80fbc..990e7f452c 100644 ---- a/rhel8/cpe/rhel8-cpe-dictionary.xml -+++ b/rhel8/cpe/rhel8-cpe-dictionary.xml -@@ -27,4 +27,39 @@ - - installed_env_is_a_machine - -+ -+ Package gdm is installed -+ -+ installed_env_has_gdm_package -+ -+ -+ Package libuser is installed -+ -+ installed_env_has_libuser_package -+ -+ -+ Package nss-pam-ldapd is installed -+ -+ installed_env_has_nss-pam-ldapd_package -+ -+ -+ Package pam is installed -+ -+ installed_env_has_pam_package -+ -+ -+ Package shadow-utils is installed -+ -+ installed_env_has_shadow-utils_package -+ -+ -+ Package systemd is installed -+ -+ installed_env_has_systemd_package -+ 
-+ -+ Package yum is installed -+ -+ installed_env_has_yum_package -+ - -diff --git a/rhv4/cpe/rhv4-cpe-dictionary.xml b/rhv4/cpe/rhv4-cpe-dictionary.xml -index 22ddb9e5aa..577f8169b8 100644 ---- a/rhv4/cpe/rhv4-cpe-dictionary.xml -+++ b/rhv4/cpe/rhv4-cpe-dictionary.xml -@@ -22,4 +22,39 @@ - - installed_env_is_a_machine - -+ -+ Package gdm is installed -+ -+ installed_env_has_gdm_package -+ -+ -+ Package libuser is installed -+ -+ installed_env_has_libuser_package -+ -+ -+ Package nss-pam-ldapd is installed -+ -+ installed_env_has_nss-pam-ldapd_package -+ -+ -+ Package pam is installed -+ -+ installed_env_has_pam_package -+ -+ -+ Package shadow-utils is installed -+ -+ installed_env_has_shadow-utils_package -+ -+ -+ Package systemd is installed -+ -+ installed_env_has_systemd_package -+ -+ -+ Package yum is installed -+ -+ installed_env_has_yum_package -+ - diff --git a/SOURCES/scap-security-guide-0.1.45-add_rule_dconf_db_up_to_date.patch b/SOURCES/scap-security-guide-0.1.45-add_rule_dconf_db_up_to_date.patch deleted file mode 100644 index 29eb02a..0000000 --- a/SOURCES/scap-security-guide-0.1.45-add_rule_dconf_db_up_to_date.patch +++ /dev/null 
@@ -1,1336 +0,0 @@ -From 89f967ca5598cab539fe66560534207b45ff9734 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= -Date: Thu, 30 May 2019 13:22:30 +0200 -Subject: [PATCH 1/9] Introduced the "DConf System DBs are in sync with - keyfiles" rule. - ---- - fedora/profiles/ospp.profile | 1 + - .../gnome/dconf_db_up_to_date/bash/shared.sh | 3 + - .../gnome/dconf_db_up_to_date/oval/shared.xml | 63 +++++++++++++++++++ - .../gnome/dconf_db_up_to_date/rule.yml | 30 +++++++++ - rhel7/profiles/ospp.profile | 1 + - shared/references/cce-rhel-avail.txt | 2 - - 6 files changed, 98 insertions(+), 2 deletions(-) - create mode 100644 linux_os/guide/system/software/gnome/dconf_db_up_to_date/bash/shared.sh - create mode 100644 linux_os/guide/system/software/gnome/dconf_db_up_to_date/oval/shared.xml - create mode 100644 linux_os/guide/system/software/gnome/dconf_db_up_to_date/rule.yml - -diff --git a/fedora/profiles/ospp.profile b/fedora/profiles/ospp.profile -index b5e8fe097c..92cf738385 100644 ---- a/fedora/profiles/ospp.profile -+++ b/fedora/profiles/ospp.profile -@@ -43,6 +43,7 @@ selections: - - sysctl_kernel_kptr_restrict - - sysctl_kernel_kexec_load_disabled - - sysctl_kernel_dmesg_restrict -+ - dconf_db_up_to_date - - dconf_gnome_screensaver_idle_activation_enabled - - dconf_gnome_screensaver_idle_delay - - dconf_gnome_screensaver_lock_delay -diff --git a/linux_os/guide/system/software/gnome/dconf_db_up_to_date/bash/shared.sh b/linux_os/guide/system/software/gnome/dconf_db_up_to_date/bash/shared.sh -new file mode 100644 -index 0000000000..db06c9f5aa ---- /dev/null -+++ b/linux_os/guide/system/software/gnome/dconf_db_up_to_date/bash/shared.sh -@@ -0,0 +1,3 @@ -+# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol -+ -+dconf update -diff --git a/linux_os/guide/system/software/gnome/dconf_db_up_to_date/oval/shared.xml b/linux_os/guide/system/software/gnome/dconf_db_up_to_date/oval/shared.xml -new file mode 100644 -index 
0000000000..b3b5b0358b ---- /dev/null -+++ b/linux_os/guide/system/software/gnome/dconf_db_up_to_date/oval/shared.xml -@@ -0,0 +1,63 @@ -+ -+ -+ {{% macro check_db_is_up_to_date(db_name) %}} -+ -+ /etc/dconf/db/{{{ db_name }}} -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ /etc/dconf/db/{{{ db_name }}}.d/ -+ .* -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ var_dconf_{{{ db_name }}}_db_modified_time -+ -+ -+ -+ -+ -+ -+ {{% endmacro %}} -+ -+ -+ -+ Configure the GNOME3 GUI Screen locking -+ -+ Red Hat Enterprise Linux 7 -+ Red Hat Enterprise Linux 8 -+ multi_platform_fedora -+ multi_platform_ol -+ -+ The allowed period of inactivity before the screensaver is activated. -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ {{{ check_db_is_up_to_date("local") }}} -+ {{{ check_db_is_up_to_date("gdm") }}} -+ -+ -diff --git a/linux_os/guide/system/software/gnome/dconf_db_up_to_date/rule.yml b/linux_os/guide/system/software/gnome/dconf_db_up_to_date/rule.yml -new file mode 100644 -index 0000000000..3017b789f8 ---- /dev/null -+++ b/linux_os/guide/system/software/gnome/dconf_db_up_to_date/rule.yml -@@ -0,0 +1,30 @@ -+documentation_complete: true -+ -+prodtype: rhel7,rhel8,fedora,ol7,ol8 -+ -+title: 'Make sure that the dconf databases are up-to-date with regards to respective keyfiles' -+ -+description: |- -+ By default, DConf uses a binary database as a data backend. -+ The system-level database is compiled from keyfiles in the /etc/dconf/db/ directory by the
dconf update
command. -+ -+rationale: |- -+ Unlike text-based keyfiles, the binary database is impossible to check by OVAL. -+ Therefore, in order to evaluate dconf configuration, both have to be true at the same time - -+ configuration files have to be compliant, and the database needs to be more recent than those keyfiles, -+ which gives confidence that it reflects them. -+ -+severity: high -+ -+identifiers: -+ cce@rhel8: 81003-6 -+ cce@rhel7: 81004-4 -+ -+ocil_clause: 'The system-wide dconf databases are up-to-date with regards to respective keyfiles' -+ -+ocil: |- -+ In order to be sure that the databases are up-to-date, run the -+
dconf update
-+ command as the administrator. -+ -+platform: machine -diff --git a/rhel7/profiles/ospp.profile b/rhel7/profiles/ospp.profile -index 36e5d7ee90..d551465f70 100644 ---- a/rhel7/profiles/ospp.profile -+++ b/rhel7/profiles/ospp.profile -@@ -401,6 +401,7 @@ selections: - - network_sniffer_disabled - - network_ipv6_disable_rpc - - network_ipv6_privacy_extensions -+ - dconf_db_up_to_date - - dconf_gnome_banner_enabled - - dconf_gnome_disable_automount - - dconf_gnome_disable_ctrlaltdel_reboot -diff --git a/shared/references/cce-rhel-avail.txt b/shared/references/cce-rhel-avail.txt -index 3cc6d0a916..d6e8161225 100644 ---- a/shared/references/cce-rhel-avail.txt -+++ b/shared/references/cce-rhel-avail.txt -@@ -1,5 +1,3 @@ --CCE-81003-6 --CCE-81004-4 - CCE-81005-1 - CCE-81006-9 - CCE-81007-7 - -From 5a857f490e914078b610eb3d05e390861c30eef4 Mon Sep 17 00:00:00 2001 -From: Gabriel Becker -Date: Wed, 29 May 2019 17:31:02 +0200 -Subject: [PATCH 2/9] Add test scenarios for dconf gnome rules. - ---- - .../correct_value.pass.sh | 18 ++++++++++++++++ - .../wrong_value.fail.sh | 18 ++++++++++++++++ - .../correct_value.pass.sh | 21 +++++++++++++++++++ - .../wrong_value.fail.sh | 21 +++++++++++++++++++ - .../correct_value.pass.sh | 18 ++++++++++++++++ - .../wrong_value.fail.sh | 18 ++++++++++++++++ - .../correct_value.pass.sh | 18 ++++++++++++++++ - .../wrong_value.fail.sh | 18 ++++++++++++++++ - .../correct_value.pass.sh | 18 ++++++++++++++++ - .../wrong_value.fail.sh | 18 ++++++++++++++++ - .../correct_value.pass.sh | 18 ++++++++++++++++ - .../wrong_value.fail.sh | 18 ++++++++++++++++ - 12 files changed, 222 insertions(+) - create mode 100644 tests/data/group_system/group_accounts/group_accounts-banners/group_gui_login_banner/rule_dconf_gnome_banner_enabled/correct_value.pass.sh - create mode 100644 tests/data/group_system/group_accounts/group_accounts-banners/group_gui_login_banner/rule_dconf_gnome_banner_enabled/wrong_value.fail.sh - create mode 100644 
tests/data/group_system/group_accounts/group_accounts-banners/group_gui_login_banner/rule_dconf_gnome_login_banner_text/correct_value.pass.sh - create mode 100644 tests/data/group_system/group_accounts/group_accounts-banners/group_gui_login_banner/rule_dconf_gnome_login_banner_text/wrong_value.fail.sh - create mode 100644 tests/data/group_system/group_software/group_gnome/group_gnome_login_screen/rule_dconf_gnome_disable_restart_shutdown/correct_value.pass.sh - create mode 100644 tests/data/group_system/group_software/group_gnome/group_gnome_login_screen/rule_dconf_gnome_disable_restart_shutdown/wrong_value.fail.sh - create mode 100644 tests/data/group_system/group_software/group_gnome/group_gnome_login_screen/rule_dconf_gnome_disable_user_list/correct_value.pass.sh - create mode 100644 tests/data/group_system/group_software/group_gnome/group_gnome_login_screen/rule_dconf_gnome_disable_user_list/wrong_value.fail.sh - create mode 100644 tests/data/group_system/group_software/group_gnome/group_gnome_login_screen/rule_dconf_gnome_enable_smartcard_auth/correct_value.pass.sh - create mode 100644 tests/data/group_system/group_software/group_gnome/group_gnome_login_screen/rule_dconf_gnome_enable_smartcard_auth/wrong_value.fail.sh - create mode 100644 tests/data/group_system/group_software/group_gnome/group_gnome_login_screen/rule_dconf_gnome_login_retries/correct_value.pass.sh - create mode 100644 tests/data/group_system/group_software/group_gnome/group_gnome_login_screen/rule_dconf_gnome_login_retries/wrong_value.fail.sh - -diff --git a/tests/data/group_system/group_accounts/group_accounts-banners/group_gui_login_banner/rule_dconf_gnome_banner_enabled/correct_value.pass.sh b/tests/data/group_system/group_accounts/group_accounts-banners/group_gui_login_banner/rule_dconf_gnome_banner_enabled/correct_value.pass.sh -new file mode 100644 -index 0000000000..d6f11373d0 ---- /dev/null -+++ 
b/tests/data/group_system/group_accounts/group_accounts-banners/group_gui_login_banner/rule_dconf_gnome_banner_enabled/correct_value.pass.sh -@@ -0,0 +1,18 @@ -+#!/bin/bash -+# profiles = xccdf_org.ssgproject.content_profile_ospp -+ -+. ../../../../group_software/group_gnome/dconf_test_functions.sh -+ -+if ! rpm -q dconf; then -+ yum -y install dconf -+fi -+ -+if ! rpm -q gdm; then -+ yum -y install gdm -+fi -+ -+clean_dconf_settings -+add_dconf_setting "org/gnome/login-screen" "banner-message-enable" "true" "gdm.d" "00-security-settings" -+add_dconf_lock "org/gnome/login-screen" "banner-message-enable" "gdm.d" "00-security-settings" -+ -+dconf update -diff --git a/tests/data/group_system/group_accounts/group_accounts-banners/group_gui_login_banner/rule_dconf_gnome_banner_enabled/wrong_value.fail.sh b/tests/data/group_system/group_accounts/group_accounts-banners/group_gui_login_banner/rule_dconf_gnome_banner_enabled/wrong_value.fail.sh -new file mode 100644 -index 0000000000..f1e97fea20 ---- /dev/null -+++ b/tests/data/group_system/group_accounts/group_accounts-banners/group_gui_login_banner/rule_dconf_gnome_banner_enabled/wrong_value.fail.sh -@@ -0,0 +1,18 @@ -+#!/bin/bash -+# profiles = xccdf_org.ssgproject.content_profile_ospp -+ -+. ../../../../group_software/group_gnome/dconf_test_functions.sh -+ -+if ! rpm -q dconf; then -+ yum -y install dconf -+fi -+ -+if ! 
rpm -q gdm; then -+ yum -y install gdm -+fi -+ -+clean_dconf_settings -+add_dconf_setting "org/gnome/login-screen" "banner-message-enable" "false" "gdm.d" "00-security-settings" -+add_dconf_lock "org/gnome/login-screen" "banner-message-enable" "gdm.d" "00-security-settings" -+ -+dconf update -diff --git a/tests/data/group_system/group_accounts/group_accounts-banners/group_gui_login_banner/rule_dconf_gnome_login_banner_text/correct_value.pass.sh b/tests/data/group_system/group_accounts/group_accounts-banners/group_gui_login_banner/rule_dconf_gnome_login_banner_text/correct_value.pass.sh -new file mode 100644 -index 0000000000..e161691aa7 ---- /dev/null -+++ b/tests/data/group_system/group_accounts/group_accounts-banners/group_gui_login_banner/rule_dconf_gnome_login_banner_text/correct_value.pass.sh -@@ -0,0 +1,21 @@ -+#!/bin/bash -+# profiles = xccdf_org.ssgproject.content_profile_ospp -+ -+. ../../../../group_software/group_gnome/dconf_test_functions.sh -+ -+if ! rpm -q dconf; then -+ yum -y install dconf -+fi -+ -+if ! 
rpm -q gdm; then -+ yum -y install gdm -+fi -+ -+login_banner_text="--[\s\n]+WARNING[\s\n]+--[\s\n]*This[\s\n]+system[\s\n]+is[\s\n]+for[\s\n]+the[\s\n]+use[\s\n]+of[\s\n]+authorized[\s\n]+users[\s\n]+only.[\s\n]+Individuals[\s\n]*using[\s\n]+this[\s\n]+computer[\s\n]+system[\s\n]+without[\s\n]+authority[\s\n]+or[\s\n]+in[\s\n]+excess[\s\n]+of[\s\n]+their[\s\n]*authority[\s\n]+are[\s\n]+subject[\s\n]+to[\s\n]+having[\s\n]+all[\s\n]+their[\s\n]+activities[\s\n]+on[\s\n]+this[\s\n]+system[\s\n]*monitored[\s\n]+and[\s\n]+recorded[\s\n]+by[\s\n]+system[\s\n]+personnel.[\s\n]+Anyone[\s\n]+using[\s\n]+this[\s\n]*system[\s\n]+expressly[\s\n]+consents[\s\n]+to[\s\n]+such[\s\n]+monitoring[\s\n]+and[\s\n]+is[\s\n]+advised[\s\n]+that[\s\n]*if[\s\n]+such[\s\n]+monitoring[\s\n]+reveals[\s\n]+possible[\s\n]+evidence[\s\n]+of[\s\n]+criminal[\s\n]+activity[\s\n]*system[\s\n]+personal[\s\n]+may[\s\n]+provide[\s\n]+the[\s\n]+evidence[\s\n]+of[\s\n]+such[\s\n]+monitoring[\s\n]+to[\s\n]+law[\s\n]*enforcement[\s\n]+officials." 
-+expanded=$(echo "$login_banner_text" | sed 's/(\\\\\x27)\*/\\\x27/g;s/(\\\x27)\*//g;s/(\\\\\x27)/tamere/g;s/(\^\(.*\)\$|.*$/\1/g;s/\[\\s\\n\][+*]/ /g;s/\\//g;s/(n)\*/\\n/g;s/\x27/\\\x27/g;') -+ -+clean_dconf_settings -+add_dconf_setting "org/gnome/login-screen" "banner-message-text" "'${expanded}''" "gdm.d" "00-security-settings" -+add_dconf_lock "org/gnome/login-screen" "banner-message-text" "gdm.d" "00-security-settings-lock" -+ -+dconf update -diff --git a/tests/data/group_system/group_accounts/group_accounts-banners/group_gui_login_banner/rule_dconf_gnome_login_banner_text/wrong_value.fail.sh b/tests/data/group_system/group_accounts/group_accounts-banners/group_gui_login_banner/rule_dconf_gnome_login_banner_text/wrong_value.fail.sh -new file mode 100644 -index 0000000000..b45c5b193f ---- /dev/null -+++ b/tests/data/group_system/group_accounts/group_accounts-banners/group_gui_login_banner/rule_dconf_gnome_login_banner_text/wrong_value.fail.sh -@@ -0,0 +1,21 @@ -+#!/bin/bash -+# profiles = xccdf_org.ssgproject.content_profile_ospp -+ -+. ../../../../group_software/group_gnome/dconf_test_functions.sh -+ -+if ! rpm -q dconf; then -+ yum -y install dconf -+fi -+ -+if ! 
rpm -q gdm; then -+ yum -y install gdm -+fi -+ -+login_banner_text="Wrong Banner Text" -+expanded=$(echo "$login_banner_text" | sed 's/(\\\\\x27)\*/\\\x27/g;s/(\\\x27)\*//g;s/(\\\\\x27)/tamere/g;s/(\^\(.*\)\$|.*$/\1/g;s/\[\\s\\n\][+*]/ /g;s/\\//g;s/(n)\*/\\n/g;s/\x27/\\\x27/g;') -+ -+clean_dconf_settings -+add_dconf_setting "org/gnome/login-screen" "banner-message-text" "'${expanded}'" "gdm.d" "00-security-settings" -+add_dconf_lock "org/gnome/login-screen" "banner-message-text" "gdm.d" "00-security-settings-lock" -+ -+dconf update -diff --git a/tests/data/group_system/group_software/group_gnome/group_gnome_login_screen/rule_dconf_gnome_disable_restart_shutdown/correct_value.pass.sh b/tests/data/group_system/group_software/group_gnome/group_gnome_login_screen/rule_dconf_gnome_disable_restart_shutdown/correct_value.pass.sh -new file mode 100644 -index 0000000000..a5a207b80a ---- /dev/null -+++ b/tests/data/group_system/group_software/group_gnome/group_gnome_login_screen/rule_dconf_gnome_disable_restart_shutdown/correct_value.pass.sh -@@ -0,0 +1,18 @@ -+#!/bin/bash -+# profiles = xccdf_org.ssgproject.content_profile_ospp -+ -+. ../../dconf_test_functions.sh -+ -+if ! rpm -q dconf; then -+ yum -y install dconf -+fi -+ -+if ! 
rpm -q gdm; then -+ yum -y install gdm -+fi -+ -+clean_dconf_settings -+add_dconf_setting "org/gnome/login-screen" "disable-restart-buttons" "true" "gdm.d" "00-security-settings" -+add_dconf_lock "org/gnome/login-screen" "disable-restart-buttons" "gdm.d" "00-security-settings-lock" -+ -+dconf update -diff --git a/tests/data/group_system/group_software/group_gnome/group_gnome_login_screen/rule_dconf_gnome_disable_restart_shutdown/wrong_value.fail.sh b/tests/data/group_system/group_software/group_gnome/group_gnome_login_screen/rule_dconf_gnome_disable_restart_shutdown/wrong_value.fail.sh -new file mode 100644 -index 0000000000..04d3e9eca2 ---- /dev/null -+++ b/tests/data/group_system/group_software/group_gnome/group_gnome_login_screen/rule_dconf_gnome_disable_restart_shutdown/wrong_value.fail.sh -@@ -0,0 +1,18 @@ -+#!/bin/bash -+# profiles = xccdf_org.ssgproject.content_profile_ospp -+ -+. ../../dconf_test_functions.sh -+ -+if ! rpm -q dconf; then -+ yum -y install dconf -+fi -+ -+if ! rpm -q gdm; then -+ yum -y install gdm -+fi -+ -+clean_dconf_settings -+add_dconf_setting "org/gnome/login-screen" "disable-restart-buttons" "false" "gdm.d" "00-security-settings" -+add_dconf_lock "org/gnome/login-screen" "disable-restart-buttons" "gdm.d" "00-security-settings-lock" -+ -+dconf update -diff --git a/tests/data/group_system/group_software/group_gnome/group_gnome_login_screen/rule_dconf_gnome_disable_user_list/correct_value.pass.sh b/tests/data/group_system/group_software/group_gnome/group_gnome_login_screen/rule_dconf_gnome_disable_user_list/correct_value.pass.sh -new file mode 100644 -index 0000000000..9a3d60d9f6 ---- /dev/null -+++ b/tests/data/group_system/group_software/group_gnome/group_gnome_login_screen/rule_dconf_gnome_disable_user_list/correct_value.pass.sh -@@ -0,0 +1,18 @@ -+#!/bin/bash -+# profiles = xccdf_org.ssgproject.content_profile_ospp -+ -+. ../../dconf_test_functions.sh -+ -+if ! rpm -q dconf; then -+ yum -y install dconf -+fi -+ -+if ! 
rpm -q gdm; then -+ yum -y install gdm -+fi -+ -+clean_dconf_settings -+add_dconf_setting "org/gnome/login-screen" "disable-user-list" "true" "gdm.d" "00-security-settings" -+add_dconf_lock "org/gnome/login-screen" "disable-user-list" "gdm.d" "00-security-settings-lock" -+ -+dconf update -diff --git a/tests/data/group_system/group_software/group_gnome/group_gnome_login_screen/rule_dconf_gnome_disable_user_list/wrong_value.fail.sh b/tests/data/group_system/group_software/group_gnome/group_gnome_login_screen/rule_dconf_gnome_disable_user_list/wrong_value.fail.sh -new file mode 100644 -index 0000000000..11e3cbfa9b ---- /dev/null -+++ b/tests/data/group_system/group_software/group_gnome/group_gnome_login_screen/rule_dconf_gnome_disable_user_list/wrong_value.fail.sh -@@ -0,0 +1,18 @@ -+#!/bin/bash -+# profiles = xccdf_org.ssgproject.content_profile_ospp -+ -+. ../../dconf_test_functions.sh -+ -+if ! rpm -q dconf; then -+ yum -y install dconf -+fi -+ -+if ! rpm -q gdm; then -+ yum -y install gdm -+fi -+ -+clean_dconf_settings -+add_dconf_setting "org/gnome/login-screen" "disable-user-list" "false" "gdm.d" "00-security-settings" -+add_dconf_lock "org/gnome/login-screen" "disable-user-list" "gdm.d" "00-security-settings-lock" -+ -+dconf update -diff --git a/tests/data/group_system/group_software/group_gnome/group_gnome_login_screen/rule_dconf_gnome_enable_smartcard_auth/correct_value.pass.sh b/tests/data/group_system/group_software/group_gnome/group_gnome_login_screen/rule_dconf_gnome_enable_smartcard_auth/correct_value.pass.sh -new file mode 100644 -index 0000000000..58703799f6 ---- /dev/null -+++ b/tests/data/group_system/group_software/group_gnome/group_gnome_login_screen/rule_dconf_gnome_enable_smartcard_auth/correct_value.pass.sh -@@ -0,0 +1,18 @@ -+#!/bin/bash -+# profiles = xccdf_org.ssgproject.content_profile_ospp -+ -+. ../../dconf_test_functions.sh -+ -+if ! rpm -q dconf; then -+ yum -y install dconf -+fi -+ -+if ! 
rpm -q gdm; then -+ yum -y install gdm -+fi -+ -+clean_dconf_settings -+add_dconf_setting "org/gnome/login-screen" "enable-smartcard-authentication" "true" "gdm.d" "00-security-settings" -+add_dconf_lock "org/gnome/login-screen" "enable-smartcard-authentication" "gdm.d" "00-security-settings-lock" -+ -+dconf update -diff --git a/tests/data/group_system/group_software/group_gnome/group_gnome_login_screen/rule_dconf_gnome_enable_smartcard_auth/wrong_value.fail.sh b/tests/data/group_system/group_software/group_gnome/group_gnome_login_screen/rule_dconf_gnome_enable_smartcard_auth/wrong_value.fail.sh -new file mode 100644 -index 0000000000..18f89c182e ---- /dev/null -+++ b/tests/data/group_system/group_software/group_gnome/group_gnome_login_screen/rule_dconf_gnome_enable_smartcard_auth/wrong_value.fail.sh -@@ -0,0 +1,18 @@ -+#!/bin/bash -+# profiles = xccdf_org.ssgproject.content_profile_ospp -+ -+. ../../dconf_test_functions.sh -+ -+if ! rpm -q dconf; then -+ yum -y install dconf -+fi -+ -+if ! rpm -q gdm; then -+ yum -y install gdm -+fi -+ -+clean_dconf_settings -+add_dconf_setting "org/gnome/login-screen" "enable-smartcard-authentication" "false" "gdm.d" "00-security-settings" -+add_dconf_lock "org/gnome/login-screen" "enable-smartcard-authentication" "gdm.d" "00-security-settings-lock" -+ -+dconf update -diff --git a/tests/data/group_system/group_software/group_gnome/group_gnome_login_screen/rule_dconf_gnome_login_retries/correct_value.pass.sh b/tests/data/group_system/group_software/group_gnome/group_gnome_login_screen/rule_dconf_gnome_login_retries/correct_value.pass.sh -new file mode 100644 -index 0000000000..0cc2a80762 ---- /dev/null -+++ b/tests/data/group_system/group_software/group_gnome/group_gnome_login_screen/rule_dconf_gnome_login_retries/correct_value.pass.sh -@@ -0,0 +1,18 @@ -+#!/bin/bash -+# profiles = xccdf_org.ssgproject.content_profile_ospp -+ -+. ../../dconf_test_functions.sh -+ -+if ! rpm -q dconf; then -+ yum -y install dconf -+fi -+ -+if ! 
rpm -q gdm; then -+ yum -y install gdm -+fi -+ -+clean_dconf_settings -+add_dconf_setting "org/gnome/login-screen" "allowed-failures" "3" "gdm.d" "00-security-settings" -+add_dconf_lock "org/gnome/login-screen" "allowed-failures" "gdm.d" "00-security-settings-lock" -+ -+dconf update -diff --git a/tests/data/group_system/group_software/group_gnome/group_gnome_login_screen/rule_dconf_gnome_login_retries/wrong_value.fail.sh b/tests/data/group_system/group_software/group_gnome/group_gnome_login_screen/rule_dconf_gnome_login_retries/wrong_value.fail.sh -new file mode 100644 -index 0000000000..f89a9d74b9 ---- /dev/null -+++ b/tests/data/group_system/group_software/group_gnome/group_gnome_login_screen/rule_dconf_gnome_login_retries/wrong_value.fail.sh -@@ -0,0 +1,18 @@ -+#!/bin/bash -+# profiles = xccdf_org.ssgproject.content_profile_ospp -+ -+. ../../dconf_test_functions.sh -+ -+if ! rpm -q dconf; then -+ yum -y install dconf -+fi -+ -+if ! rpm -q gdm; then -+ yum -y install gdm -+fi -+ -+clean_dconf_settings -+add_dconf_setting "org/gnome/login-screen" "allowed-failures" "99" "gdm.d" "00-security-settings" -+add_dconf_lock "org/gnome/login-screen" "allowed-failures" "gdm.d" "00-security-settings-lock" -+ -+dconf update - -From d2facf408c5f011449539fc3edeaed90a72af04d Mon Sep 17 00:00:00 2001 -From: Gabriel Becker -Date: Thu, 30 May 2019 15:39:36 +0200 -Subject: [PATCH 3/9] Add test scenarios for dconf_db_up_to_date. 
- ---- - .../group_gnome/dconf_test_functions.sh | 7 ++++- - .../db_not_up_to_date.fail.sh | 26 +++++++++++++++++++ - .../db_up_to_date.pass.sh | 21 +++++++++++++++ - .../no_db_files.fail.sh | 23 ++++++++++++++++ - 4 files changed, 76 insertions(+), 1 deletion(-) - create mode 100644 tests/data/group_system/group_software/group_gnome/rule_dconf_db_up_to_date/db_not_up_to_date.fail.sh - create mode 100644 tests/data/group_system/group_software/group_gnome/rule_dconf_db_up_to_date/db_up_to_date.pass.sh - create mode 100644 tests/data/group_system/group_software/group_gnome/rule_dconf_db_up_to_date/no_db_files.fail.sh - -diff --git a/tests/data/group_system/group_software/group_gnome/dconf_test_functions.sh b/tests/data/group_system/group_software/group_gnome/dconf_test_functions.sh -index 07940ea272..d975ea0715 100644 ---- a/tests/data/group_system/group_software/group_gnome/dconf_test_functions.sh -+++ b/tests/data/group_system/group_software/group_gnome/dconf_test_functions.sh -@@ -4,6 +4,11 @@ clean_dconf_settings(){ - rm -rf /etc/dconf/db/* - } - -+# Wipes out dconf db files -+remove_dconf_databases(){ -+ rm -f /etc/dconf/db/* -+} -+ - # Adds a new dconf setting - # $1 _path - # $2 _setting -@@ -12,7 +17,7 @@ clean_dconf_settings(){ - # $5 _settingFile - add_dconf_setting() { - local _path=$1 _setting=$2 _value=$3 _db=$4 _settingFile=$5 -- mkdir /etc/dconf/db/${_db} -+ mkdir -p /etc/dconf/db/${_db} || true - echo "[${_path}]" > /etc/dconf/db/${_db}/${_settingFile} - echo "${_setting}=${_value}" >> /etc/dconf/db/${_db}/${_settingFile} - } -diff --git a/tests/data/group_system/group_software/group_gnome/rule_dconf_db_up_to_date/db_not_up_to_date.fail.sh b/tests/data/group_system/group_software/group_gnome/rule_dconf_db_up_to_date/db_not_up_to_date.fail.sh -new file mode 100644 -index 0000000000..bb8b1d42ff ---- /dev/null -+++ b/tests/data/group_system/group_software/group_gnome/rule_dconf_db_up_to_date/db_not_up_to_date.fail.sh -@@ -0,0 +1,26 @@ -+#!/bin/bash -+# 
profiles = xccdf_org.ssgproject.content_profile_ospp -+ -+. ../dconf_test_functions.sh -+ -+if ! rpm -q dconf; then -+ yum -y install dconf -+fi -+ -+if ! rpm -q gdm; then -+ yum -y install gdm -+fi -+ -+clean_dconf_settings -+add_dconf_setting "org/gnome/login-screen" "banner-message-enabled" "true" "gdm.d" "00-security-settings" -+add_dconf_lock "org/gnome/login-screen" "banner-message-enable" "gdm.d" "00-security-settings-lock" -+ -+add_dconf_setting "org/gnome/login-screen" "banner-message-enabled" "true" "local.d" "00-security-settings" -+add_dconf_lock "org/gnome/login-screen" "banner-message-enable" "local.d" "00-security-settings-lock" -+ -+dconf update -+ -+sleep 3 -+ -+# make static files newer than the database -+add_dconf_setting "org/gnome/login-screen" "banner-message-enabled" "true" "gdm.d" "00-security-settings" -diff --git a/tests/data/group_system/group_software/group_gnome/rule_dconf_db_up_to_date/db_up_to_date.pass.sh b/tests/data/group_system/group_software/group_gnome/rule_dconf_db_up_to_date/db_up_to_date.pass.sh -new file mode 100644 -index 0000000000..66ed76e4fa ---- /dev/null -+++ b/tests/data/group_system/group_software/group_gnome/rule_dconf_db_up_to_date/db_up_to_date.pass.sh -@@ -0,0 +1,21 @@ -+#!/bin/bash -+# profiles = xccdf_org.ssgproject.content_profile_ospp -+ -+. ../dconf_test_functions.sh -+ -+if ! rpm -q dconf; then -+ yum -y install dconf -+fi -+ -+if ! 
rpm -q gdm; then -+ yum -y install gdm -+fi -+ -+clean_dconf_settings -+add_dconf_setting "org/gnome/login-screen" "banner-message-enabled" "true" "gdm.d" "00-security-settings" -+add_dconf_lock "org/gnome/login-screen" "banner-message-enable" "gdm.d" "00-security-settings-lock" -+ -+add_dconf_setting "org/gnome/login-screen" "banner-message-enabled" "true" "local.d" "00-security-settings" -+add_dconf_lock "org/gnome/login-screen" "banner-message-enable" "local.d" "00-security-settings-lock" -+ -+dconf update -diff --git a/tests/data/group_system/group_software/group_gnome/rule_dconf_db_up_to_date/no_db_files.fail.sh b/tests/data/group_system/group_software/group_gnome/rule_dconf_db_up_to_date/no_db_files.fail.sh -new file mode 100644 -index 0000000000..a7bc04efac ---- /dev/null -+++ b/tests/data/group_system/group_software/group_gnome/rule_dconf_db_up_to_date/no_db_files.fail.sh -@@ -0,0 +1,23 @@ -+#!/bin/bash -+# profiles = xccdf_org.ssgproject.content_profile_ospp -+ -+. ../dconf_test_functions.sh -+ -+if ! rpm -q dconf; then -+ yum -y install dconf -+fi -+ -+if ! rpm -q gdm; then -+ yum -y install gdm -+fi -+ -+# remove all database files -+remove_dconf_databases -+ -+sleep 3 -+ -+add_dconf_setting "org/gnome/login-screen" "banner-message-enabled" "true" "gdm.d" "00-security-settings" -+add_dconf_lock "org/gnome/login-screen" "banner-message-enable" "gdm.d" "00-security-settings-lock" -+ -+add_dconf_setting "org/gnome/login-screen" "banner-message-enabled" "true" "local.d" "00-security-settings" -+add_dconf_lock "org/gnome/login-screen" "banner-message-enable" "local.d" "00-security-settings-lock" - -From d57e981a45e88a9e28b621ed5d9cbf64c17f3592 Mon Sep 17 00:00:00 2001 -From: Gabriel Becker -Date: Thu, 30 May 2019 16:45:35 +0200 -Subject: [PATCH 4/9] Add dconf_db_up_to_date to profiles which use gnome - config. 
- ---- - fedora/profiles/pci-dss.profile | 1 + - ol7/profiles/pci-dss.profile | 1 + - ol7/profiles/stig-ol7-disa.profile | 1 + - ol8/profiles/ospp.profile | 1 + - ol8/profiles/pci-dss.profile | 1 + - rhel7/profiles/C2S.profile | 1 + - rhel7/profiles/hipaa.profile | 1 + - rhel7/profiles/ospp42.profile | 1 + - rhel7/profiles/pci-dss.profile | 1 + - rhel7/profiles/stig-rhel7-disa.profile | 1 + - rhel8/profiles/cjis.profile | 1 + - rhel8/profiles/hipaa.profile | 1 + - rhel8/profiles/ospp.profile | 1 + - rhel8/profiles/pci-dss.profile | 1 + - 14 files changed, 14 insertions(+) - -diff --git a/fedora/profiles/pci-dss.profile b/fedora/profiles/pci-dss.profile -index 5e47534e81..dea9efe685 100644 ---- a/fedora/profiles/pci-dss.profile -+++ b/fedora/profiles/pci-dss.profile -@@ -98,6 +98,7 @@ selections: - - account_disable_post_pw_expiration - - accounts_passwords_pam_faillock_deny - - accounts_passwords_pam_faillock_unlock_time -+ - dconf_db_up_to_date - - dconf_gnome_screensaver_idle_delay - - dconf_gnome_screensaver_idle_activation_enabled - - dconf_gnome_screensaver_lock_enabled -diff --git a/ol7/profiles/pci-dss.profile b/ol7/profiles/pci-dss.profile -index 1648129066..01fcda6031 100644 ---- a/ol7/profiles/pci-dss.profile -+++ b/ol7/profiles/pci-dss.profile -@@ -121,6 +121,7 @@ selections: - - accounts_passwords_pam_faillock_deny - - accounts_passwords_pam_faillock_unlock_time - - account_unique_name -+ - dconf_db_up_to_date - - dconf_gnome_screensaver_idle_activation_enabled - - dconf_gnome_screensaver_idle_delay - - dconf_gnome_screensaver_lock_enabled -diff --git a/ol7/profiles/stig-ol7-disa.profile b/ol7/profiles/stig-ol7-disa.profile -index f9d2f4c900..9ae23a41be 100644 ---- a/ol7/profiles/stig-ol7-disa.profile -+++ b/ol7/profiles/stig-ol7-disa.profile -@@ -109,6 +109,7 @@ selections: - - audit_rules_usergroup_modification_opasswd - - audit_rules_usergroup_modification_passwd - - audit_rules_usergroup_modification_shadow -+ - dconf_db_up_to_date - - 
dconf_gnome_screensaver_idle_activation_enabled - - dconf_gnome_screensaver_idle_activation_locked - - dconf_gnome_screensaver_idle_delay -diff --git a/ol8/profiles/ospp.profile b/ol8/profiles/ospp.profile -index 5c13575f72..8506713cc1 100644 ---- a/ol8/profiles/ospp.profile -+++ b/ol8/profiles/ospp.profile -@@ -42,6 +42,7 @@ selections: - - sysctl_kernel_kptr_restrict - - sysctl_kernel_kexec_load_disabled - - sysctl_kernel_dmesg_restrict -+ - dconf_db_up_to_date - - dconf_gnome_screensaver_idle_activation_enabled - - dconf_gnome_screensaver_idle_delay - - dconf_gnome_screensaver_lock_delay -diff --git a/ol8/profiles/pci-dss.profile b/ol8/profiles/pci-dss.profile -index 6920cf9b7d..237757c523 100644 ---- a/ol8/profiles/pci-dss.profile -+++ b/ol8/profiles/pci-dss.profile -@@ -126,6 +126,7 @@ selections: - - accounts_passwords_pam_faillock_deny - - accounts_passwords_pam_faillock_unlock_time - - account_unique_name -+ - dconf_db_up_to_date - - dconf_gnome_screensaver_idle_activation_enabled - - dconf_gnome_screensaver_idle_delay - - dconf_gnome_screensaver_lock_enabled -diff --git a/rhel7/profiles/C2S.profile b/rhel7/profiles/C2S.profile -index 65805957af..031b0247df 100644 ---- a/rhel7/profiles/C2S.profile -+++ b/rhel7/profiles/C2S.profile -@@ -70,6 +70,7 @@ selections: - - selinux_confinement_of_daemons - - banner_etc_issue - - login_banner_text=usgcb_default -+ - dconf_db_up_to_date - - dconf_gnome_login_banner_text - - dconf_gnome_banner_enabled - - security_patches_up_to_date -diff --git a/rhel7/profiles/hipaa.profile b/rhel7/profiles/hipaa.profile -index 76fb4a8269..a58f625309 100644 ---- a/rhel7/profiles/hipaa.profile -+++ b/rhel7/profiles/hipaa.profile -@@ -28,6 +28,7 @@ selections: - - service_debug-shell_disabled - - disable_ctrlaltdel_reboot - - disable_ctrlaltdel_burstaction -+ - dconf_db_up_to_date - - dconf_gnome_remote_access_credential_prompt - - dconf_gnome_remote_access_encryption - - sshd_disable_empty_passwords -diff --git 
a/rhel7/profiles/ospp42.profile b/rhel7/profiles/ospp42.profile -index de4827afaf..3f59466477 100644 ---- a/rhel7/profiles/ospp42.profile -+++ b/rhel7/profiles/ospp42.profile -@@ -42,6 +42,7 @@ selections: - - sysctl_kernel_kptr_restrict - - sysctl_kernel_kexec_load_disabled - - sysctl_kernel_dmesg_restrict -+ - dconf_db_up_to_date - - dconf_gnome_screensaver_idle_activation_enabled - - dconf_gnome_screensaver_idle_delay - - dconf_gnome_screensaver_lock_delay -diff --git a/rhel7/profiles/pci-dss.profile b/rhel7/profiles/pci-dss.profile -index b4e4786ce9..0d9a51c42b 100644 ---- a/rhel7/profiles/pci-dss.profile -+++ b/rhel7/profiles/pci-dss.profile -@@ -79,6 +79,7 @@ selections: - - account_disable_post_pw_expiration - - accounts_passwords_pam_faillock_deny - - accounts_passwords_pam_faillock_unlock_time -+ - dconf_db_up_to_date - - dconf_gnome_screensaver_idle_delay - - dconf_gnome_screensaver_idle_activation_enabled - - dconf_gnome_screensaver_lock_enabled -diff --git a/rhel7/profiles/stig-rhel7-disa.profile b/rhel7/profiles/stig-rhel7-disa.profile -index 4edae36b0c..1d558f0068 100644 ---- a/rhel7/profiles/stig-rhel7-disa.profile -+++ b/rhel7/profiles/stig-rhel7-disa.profile -@@ -57,6 +57,7 @@ selections: - - rpm_verify_permissions - - rpm_verify_ownership - - rpm_verify_hashes -+ - dconf_db_up_to_date - - dconf_gnome_banner_enabled - - dconf_gnome_login_banner_text - - banner_etc_issue -diff --git a/rhel8/profiles/cjis.profile b/rhel8/profiles/cjis.profile -index ec225d89a4..8d173d257f 100644 ---- a/rhel8/profiles/cjis.profile -+++ b/rhel8/profiles/cjis.profile -@@ -86,6 +86,7 @@ selections: - - var_password_pam_retry=5 - - var_accounts_passwords_pam_faillock_deny=5 - - var_accounts_passwords_pam_faillock_unlock_time=600 -+ - dconf_db_up_to_date - - dconf_gnome_screensaver_idle_delay - - dconf_gnome_screensaver_idle_activation_enabled - - dconf_gnome_screensaver_lock_enabled -diff --git a/rhel8/profiles/hipaa.profile b/rhel8/profiles/hipaa.profile -index 
d44960d84c..3debc739fc 100644 ---- a/rhel8/profiles/hipaa.profile -+++ b/rhel8/profiles/hipaa.profile -@@ -28,6 +28,7 @@ selections: - - service_debug-shell_disabled - - disable_ctrlaltdel_reboot - - disable_ctrlaltdel_burstaction -+ - dconf_db_up_to_date - - dconf_gnome_remote_access_credential_prompt - - dconf_gnome_remote_access_encryption - - sshd_disable_empty_passwords -diff --git a/rhel8/profiles/ospp.profile b/rhel8/profiles/ospp.profile -index f9f7cd04dc..c5a7ee5ed5 100644 ---- a/rhel8/profiles/ospp.profile -+++ b/rhel8/profiles/ospp.profile -@@ -219,6 +219,7 @@ selections: - ### FMT_MOF_EXT.1 / AC-11(a) - ### Enable Screen Lock - - package_tmux_installed -+ - dconf_db_up_to_date - - dconf_gnome_screensaver_idle_activation_enabled - - dconf_gnome_screensaver_idle_delay - - dconf_gnome_screensaver_lock_delay -diff --git a/rhel8/profiles/pci-dss.profile b/rhel8/profiles/pci-dss.profile -index bdca65b4fa..89abad1338 100644 ---- a/rhel8/profiles/pci-dss.profile -+++ b/rhel8/profiles/pci-dss.profile -@@ -98,6 +98,7 @@ selections: - - account_disable_post_pw_expiration - - accounts_passwords_pam_faillock_deny - - accounts_passwords_pam_faillock_unlock_time -+ - dconf_db_up_to_date - - dconf_gnome_screensaver_idle_delay - - dconf_gnome_screensaver_idle_activation_enabled - - dconf_gnome_screensaver_lock_enabled - -From 42cb1e23c1c39dd19d99628d133fae60b06f078c Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= -Date: Thu, 30 May 2019 17:26:11 +0200 -Subject: [PATCH 5/9] Added an OVAL customization for Fedora - (dconf_db_up_to_date). 
- ---- - .../gnome/dconf_db_up_to_date/oval/shared.xml | 16 ++++++++++++---- - 1 file changed, 12 insertions(+), 4 deletions(-) - -diff --git a/linux_os/guide/system/software/gnome/dconf_db_up_to_date/oval/shared.xml b/linux_os/guide/system/software/gnome/dconf_db_up_to_date/oval/shared.xml -index b3b5b0358b..6b34446487 100644 ---- a/linux_os/guide/system/software/gnome/dconf_db_up_to_date/oval/shared.xml -+++ b/linux_os/guide/system/software/gnome/dconf_db_up_to_date/oval/shared.xml -@@ -37,6 +37,10 @@ - - {{% endmacro %}} - -+ {{% macro check_db_criterion(db_name) %}} -+ -+ {{% endmacro %}} -+ - - - Configure the GNOME3 GUI Screen locking -@@ -50,14 +54,18 @@ - - - -- -- -- -+ -+ {{% if product != 'fedora' %}} -+ {{{ check_db_criterion("gdm") }}} -+ {{% endif %}} -+ {{{ check_db_criterion("local") }}} - - - - -+ {{% if product != 'fedora' %}} -+ {{{ check_db_is_up_to_date("gdm") }}} -+ {{% endif %}} - {{{ check_db_is_up_to_date("local") }}} -- {{{ check_db_is_up_to_date("gdm") }}} - - - -From 758e239c798620038216c554a05cba9bd95a93c1 Mon Sep 17 00:00:00 2001 -From: Gabriel Becker -Date: Thu, 30 May 2019 17:37:36 +0200 -Subject: [PATCH 6/9] Create helper function to install gdm and dconf to be - used within test scenarios. - -Fix test scenario when dconf db is not up to date. 
---- - .../correct_value.pass.sh | 8 +------- - .../wrong_value.fail.sh | 8 +------- - .../correct_value.pass.sh | 8 +------- - .../wrong_value.fail.sh | 8 +------- - .../group_gnome/dconf_test_functions.sh | 11 +++++++++++ - .../correct_value.pass.sh | 8 +------- - .../wrong_value.fail.sh | 8 +------- - .../correct_value.pass.sh | 8 +------- - .../wrong_value.fail.sh | 8 +------- - .../correct_value.pass.sh | 8 +------- - .../wrong_value.fail.sh | 8 +------- - .../correct_value.pass.sh | 8 +------- - .../wrong_value.fail.sh | 8 +------- - .../db_not_up_to_date.fail.sh | 14 +++++--------- - .../rule_dconf_db_up_to_date/db_up_to_date.pass.sh | 8 +------- - .../rule_dconf_db_up_to_date/no_db_files.fail.sh | 11 +++-------- - 16 files changed, 32 insertions(+), 108 deletions(-) - -diff --git a/tests/data/group_system/group_accounts/group_accounts-banners/group_gui_login_banner/rule_dconf_gnome_banner_enabled/correct_value.pass.sh b/tests/data/group_system/group_accounts/group_accounts-banners/group_gui_login_banner/rule_dconf_gnome_banner_enabled/correct_value.pass.sh -index d6f11373d0..285c9474d4 100644 ---- a/tests/data/group_system/group_accounts/group_accounts-banners/group_gui_login_banner/rule_dconf_gnome_banner_enabled/correct_value.pass.sh -+++ b/tests/data/group_system/group_accounts/group_accounts-banners/group_gui_login_banner/rule_dconf_gnome_banner_enabled/correct_value.pass.sh -@@ -3,13 +3,7 @@ - - . ../../../../group_software/group_gnome/dconf_test_functions.sh - --if ! rpm -q dconf; then -- yum -y install dconf --fi -- --if ! 
rpm -q gdm; then -- yum -y install gdm --fi -+install_dconf_and_gdm_if_needed - - clean_dconf_settings - add_dconf_setting "org/gnome/login-screen" "banner-message-enable" "true" "gdm.d" "00-security-settings" -diff --git a/tests/data/group_system/group_accounts/group_accounts-banners/group_gui_login_banner/rule_dconf_gnome_banner_enabled/wrong_value.fail.sh b/tests/data/group_system/group_accounts/group_accounts-banners/group_gui_login_banner/rule_dconf_gnome_banner_enabled/wrong_value.fail.sh -index f1e97fea20..9408a5c3bb 100644 ---- a/tests/data/group_system/group_accounts/group_accounts-banners/group_gui_login_banner/rule_dconf_gnome_banner_enabled/wrong_value.fail.sh -+++ b/tests/data/group_system/group_accounts/group_accounts-banners/group_gui_login_banner/rule_dconf_gnome_banner_enabled/wrong_value.fail.sh -@@ -3,13 +3,7 @@ - - . ../../../../group_software/group_gnome/dconf_test_functions.sh - --if ! rpm -q dconf; then -- yum -y install dconf --fi -- --if ! rpm -q gdm; then -- yum -y install gdm --fi -+install_dconf_and_gdm_if_needed - - clean_dconf_settings - add_dconf_setting "org/gnome/login-screen" "banner-message-enable" "false" "gdm.d" "00-security-settings" -diff --git a/tests/data/group_system/group_accounts/group_accounts-banners/group_gui_login_banner/rule_dconf_gnome_login_banner_text/correct_value.pass.sh b/tests/data/group_system/group_accounts/group_accounts-banners/group_gui_login_banner/rule_dconf_gnome_login_banner_text/correct_value.pass.sh -index e161691aa7..c39f919959 100644 ---- a/tests/data/group_system/group_accounts/group_accounts-banners/group_gui_login_banner/rule_dconf_gnome_login_banner_text/correct_value.pass.sh -+++ b/tests/data/group_system/group_accounts/group_accounts-banners/group_gui_login_banner/rule_dconf_gnome_login_banner_text/correct_value.pass.sh -@@ -3,13 +3,7 @@ - - . ../../../../group_software/group_gnome/dconf_test_functions.sh - --if ! rpm -q dconf; then -- yum -y install dconf --fi -- --if ! 
rpm -q gdm; then -- yum -y install gdm --fi -+install_dconf_and_gdm_if_needed - - login_banner_text="--[\s\n]+WARNING[\s\n]+--[\s\n]*This[\s\n]+system[\s\n]+is[\s\n]+for[\s\n]+the[\s\n]+use[\s\n]+of[\s\n]+authorized[\s\n]+users[\s\n]+only.[\s\n]+Individuals[\s\n]*using[\s\n]+this[\s\n]+computer[\s\n]+system[\s\n]+without[\s\n]+authority[\s\n]+or[\s\n]+in[\s\n]+excess[\s\n]+of[\s\n]+their[\s\n]*authority[\s\n]+are[\s\n]+subject[\s\n]+to[\s\n]+having[\s\n]+all[\s\n]+their[\s\n]+activities[\s\n]+on[\s\n]+this[\s\n]+system[\s\n]*monitored[\s\n]+and[\s\n]+recorded[\s\n]+by[\s\n]+system[\s\n]+personnel.[\s\n]+Anyone[\s\n]+using[\s\n]+this[\s\n]*system[\s\n]+expressly[\s\n]+consents[\s\n]+to[\s\n]+such[\s\n]+monitoring[\s\n]+and[\s\n]+is[\s\n]+advised[\s\n]+that[\s\n]*if[\s\n]+such[\s\n]+monitoring[\s\n]+reveals[\s\n]+possible[\s\n]+evidence[\s\n]+of[\s\n]+criminal[\s\n]+activity[\s\n]*system[\s\n]+personal[\s\n]+may[\s\n]+provide[\s\n]+the[\s\n]+evidence[\s\n]+of[\s\n]+such[\s\n]+monitoring[\s\n]+to[\s\n]+law[\s\n]*enforcement[\s\n]+officials." - expanded=$(echo "$login_banner_text" | sed 's/(\\\\\x27)\*/\\\x27/g;s/(\\\x27)\*//g;s/(\\\\\x27)/tamere/g;s/(\^\(.*\)\$|.*$/\1/g;s/\[\\s\\n\][+*]/ /g;s/\\//g;s/(n)\*/\\n/g;s/\x27/\\\x27/g;') -diff --git a/tests/data/group_system/group_accounts/group_accounts-banners/group_gui_login_banner/rule_dconf_gnome_login_banner_text/wrong_value.fail.sh b/tests/data/group_system/group_accounts/group_accounts-banners/group_gui_login_banner/rule_dconf_gnome_login_banner_text/wrong_value.fail.sh -index b45c5b193f..b9e7fc8661 100644 ---- a/tests/data/group_system/group_accounts/group_accounts-banners/group_gui_login_banner/rule_dconf_gnome_login_banner_text/wrong_value.fail.sh -+++ b/tests/data/group_system/group_accounts/group_accounts-banners/group_gui_login_banner/rule_dconf_gnome_login_banner_text/wrong_value.fail.sh -@@ -3,13 +3,7 @@ - - . ../../../../group_software/group_gnome/dconf_test_functions.sh - --if ! 
rpm -q dconf; then -- yum -y install dconf --fi -- --if ! rpm -q gdm; then -- yum -y install gdm --fi -+install_dconf_and_gdm_if_needed - - login_banner_text="Wrong Banner Text" - expanded=$(echo "$login_banner_text" | sed 's/(\\\\\x27)\*/\\\x27/g;s/(\\\x27)\*//g;s/(\\\\\x27)/tamere/g;s/(\^\(.*\)\$|.*$/\1/g;s/\[\\s\\n\][+*]/ /g;s/\\//g;s/(n)\*/\\n/g;s/\x27/\\\x27/g;') -diff --git a/tests/data/group_system/group_software/group_gnome/dconf_test_functions.sh b/tests/data/group_system/group_software/group_gnome/dconf_test_functions.sh -index d975ea0715..a218f1f8e7 100644 ---- a/tests/data/group_system/group_software/group_gnome/dconf_test_functions.sh -+++ b/tests/data/group_system/group_software/group_gnome/dconf_test_functions.sh -@@ -1,4 +1,15 @@ - -+# Check if gdm and dconf are installed, if not then install them -+install_dconf_and_gdm_if_needed(){ -+ if ! rpm -q dconf; then -+ yum -y install dconf -+ fi -+ -+ if ! rpm -q gdm; then -+ yum -y install gdm -+ fi -+} -+ - # Wipes out dconf db settings directory - clean_dconf_settings(){ - rm -rf /etc/dconf/db/* -diff --git a/tests/data/group_system/group_software/group_gnome/group_gnome_login_screen/rule_dconf_gnome_disable_restart_shutdown/correct_value.pass.sh b/tests/data/group_system/group_software/group_gnome/group_gnome_login_screen/rule_dconf_gnome_disable_restart_shutdown/correct_value.pass.sh -index a5a207b80a..9aea0b74cf 100644 ---- a/tests/data/group_system/group_software/group_gnome/group_gnome_login_screen/rule_dconf_gnome_disable_restart_shutdown/correct_value.pass.sh -+++ b/tests/data/group_system/group_software/group_gnome/group_gnome_login_screen/rule_dconf_gnome_disable_restart_shutdown/correct_value.pass.sh -@@ -3,13 +3,7 @@ - - . ../../dconf_test_functions.sh - --if ! rpm -q dconf; then -- yum -y install dconf --fi -- --if ! 
rpm -q gdm; then -- yum -y install gdm --fi -+install_dconf_and_gdm_if_needed - - clean_dconf_settings - add_dconf_setting "org/gnome/login-screen" "disable-restart-buttons" "true" "gdm.d" "00-security-settings" -diff --git a/tests/data/group_system/group_software/group_gnome/group_gnome_login_screen/rule_dconf_gnome_disable_restart_shutdown/wrong_value.fail.sh b/tests/data/group_system/group_software/group_gnome/group_gnome_login_screen/rule_dconf_gnome_disable_restart_shutdown/wrong_value.fail.sh -index 04d3e9eca2..d8c571fc0a 100644 ---- a/tests/data/group_system/group_software/group_gnome/group_gnome_login_screen/rule_dconf_gnome_disable_restart_shutdown/wrong_value.fail.sh -+++ b/tests/data/group_system/group_software/group_gnome/group_gnome_login_screen/rule_dconf_gnome_disable_restart_shutdown/wrong_value.fail.sh -@@ -3,13 +3,7 @@ - - . ../../dconf_test_functions.sh - --if ! rpm -q dconf; then -- yum -y install dconf --fi -- --if ! rpm -q gdm; then -- yum -y install gdm --fi -+install_dconf_and_gdm_if_needed - - clean_dconf_settings - add_dconf_setting "org/gnome/login-screen" "disable-restart-buttons" "false" "gdm.d" "00-security-settings" -diff --git a/tests/data/group_system/group_software/group_gnome/group_gnome_login_screen/rule_dconf_gnome_disable_user_list/correct_value.pass.sh b/tests/data/group_system/group_software/group_gnome/group_gnome_login_screen/rule_dconf_gnome_disable_user_list/correct_value.pass.sh -index 9a3d60d9f6..776f9e7c23 100644 ---- a/tests/data/group_system/group_software/group_gnome/group_gnome_login_screen/rule_dconf_gnome_disable_user_list/correct_value.pass.sh -+++ b/tests/data/group_system/group_software/group_gnome/group_gnome_login_screen/rule_dconf_gnome_disable_user_list/correct_value.pass.sh -@@ -3,13 +3,7 @@ - - . ../../dconf_test_functions.sh - --if ! rpm -q dconf; then -- yum -y install dconf --fi -- --if ! 
rpm -q gdm; then -- yum -y install gdm --fi -+install_dconf_and_gdm_if_needed - - clean_dconf_settings - add_dconf_setting "org/gnome/login-screen" "disable-user-list" "true" "gdm.d" "00-security-settings" -diff --git a/tests/data/group_system/group_software/group_gnome/group_gnome_login_screen/rule_dconf_gnome_disable_user_list/wrong_value.fail.sh b/tests/data/group_system/group_software/group_gnome/group_gnome_login_screen/rule_dconf_gnome_disable_user_list/wrong_value.fail.sh -index 11e3cbfa9b..571bd75f22 100644 ---- a/tests/data/group_system/group_software/group_gnome/group_gnome_login_screen/rule_dconf_gnome_disable_user_list/wrong_value.fail.sh -+++ b/tests/data/group_system/group_software/group_gnome/group_gnome_login_screen/rule_dconf_gnome_disable_user_list/wrong_value.fail.sh -@@ -3,13 +3,7 @@ - - . ../../dconf_test_functions.sh - --if ! rpm -q dconf; then -- yum -y install dconf --fi -- --if ! rpm -q gdm; then -- yum -y install gdm --fi -+install_dconf_and_gdm_if_needed - - clean_dconf_settings - add_dconf_setting "org/gnome/login-screen" "disable-user-list" "false" "gdm.d" "00-security-settings" -diff --git a/tests/data/group_system/group_software/group_gnome/group_gnome_login_screen/rule_dconf_gnome_enable_smartcard_auth/correct_value.pass.sh b/tests/data/group_system/group_software/group_gnome/group_gnome_login_screen/rule_dconf_gnome_enable_smartcard_auth/correct_value.pass.sh -index 58703799f6..13562cfa1d 100644 ---- a/tests/data/group_system/group_software/group_gnome/group_gnome_login_screen/rule_dconf_gnome_enable_smartcard_auth/correct_value.pass.sh -+++ b/tests/data/group_system/group_software/group_gnome/group_gnome_login_screen/rule_dconf_gnome_enable_smartcard_auth/correct_value.pass.sh -@@ -3,13 +3,7 @@ - - . ../../dconf_test_functions.sh - --if ! rpm -q dconf; then -- yum -y install dconf --fi -- --if ! 
rpm -q gdm; then -- yum -y install gdm --fi -+install_dconf_and_gdm_if_needed - - clean_dconf_settings - add_dconf_setting "org/gnome/login-screen" "enable-smartcard-authentication" "true" "gdm.d" "00-security-settings" -diff --git a/tests/data/group_system/group_software/group_gnome/group_gnome_login_screen/rule_dconf_gnome_enable_smartcard_auth/wrong_value.fail.sh b/tests/data/group_system/group_software/group_gnome/group_gnome_login_screen/rule_dconf_gnome_enable_smartcard_auth/wrong_value.fail.sh -index 18f89c182e..666ce2c21c 100644 ---- a/tests/data/group_system/group_software/group_gnome/group_gnome_login_screen/rule_dconf_gnome_enable_smartcard_auth/wrong_value.fail.sh -+++ b/tests/data/group_system/group_software/group_gnome/group_gnome_login_screen/rule_dconf_gnome_enable_smartcard_auth/wrong_value.fail.sh -@@ -3,13 +3,7 @@ - - . ../../dconf_test_functions.sh - --if ! rpm -q dconf; then -- yum -y install dconf --fi -- --if ! rpm -q gdm; then -- yum -y install gdm --fi -+install_dconf_and_gdm_if_needed - - clean_dconf_settings - add_dconf_setting "org/gnome/login-screen" "enable-smartcard-authentication" "false" "gdm.d" "00-security-settings" -diff --git a/tests/data/group_system/group_software/group_gnome/group_gnome_login_screen/rule_dconf_gnome_login_retries/correct_value.pass.sh b/tests/data/group_system/group_software/group_gnome/group_gnome_login_screen/rule_dconf_gnome_login_retries/correct_value.pass.sh -index 0cc2a80762..59d005967a 100644 ---- a/tests/data/group_system/group_software/group_gnome/group_gnome_login_screen/rule_dconf_gnome_login_retries/correct_value.pass.sh -+++ b/tests/data/group_system/group_software/group_gnome/group_gnome_login_screen/rule_dconf_gnome_login_retries/correct_value.pass.sh -@@ -3,13 +3,7 @@ - - . ../../dconf_test_functions.sh - --if ! rpm -q dconf; then -- yum -y install dconf --fi -- --if ! 
rpm -q gdm; then -- yum -y install gdm --fi -+install_dconf_and_gdm_if_needed - - clean_dconf_settings - add_dconf_setting "org/gnome/login-screen" "allowed-failures" "3" "gdm.d" "00-security-settings" -diff --git a/tests/data/group_system/group_software/group_gnome/group_gnome_login_screen/rule_dconf_gnome_login_retries/wrong_value.fail.sh b/tests/data/group_system/group_software/group_gnome/group_gnome_login_screen/rule_dconf_gnome_login_retries/wrong_value.fail.sh -index f89a9d74b9..c6d31f5b8a 100644 ---- a/tests/data/group_system/group_software/group_gnome/group_gnome_login_screen/rule_dconf_gnome_login_retries/wrong_value.fail.sh -+++ b/tests/data/group_system/group_software/group_gnome/group_gnome_login_screen/rule_dconf_gnome_login_retries/wrong_value.fail.sh -@@ -3,13 +3,7 @@ - - . ../../dconf_test_functions.sh - --if ! rpm -q dconf; then -- yum -y install dconf --fi -- --if ! rpm -q gdm; then -- yum -y install gdm --fi -+install_dconf_and_gdm_if_needed - - clean_dconf_settings - add_dconf_setting "org/gnome/login-screen" "allowed-failures" "99" "gdm.d" "00-security-settings" -diff --git a/tests/data/group_system/group_software/group_gnome/rule_dconf_db_up_to_date/db_not_up_to_date.fail.sh b/tests/data/group_system/group_software/group_gnome/rule_dconf_db_up_to_date/db_not_up_to_date.fail.sh -index bb8b1d42ff..db6e7138aa 100644 ---- a/tests/data/group_system/group_software/group_gnome/rule_dconf_db_up_to_date/db_not_up_to_date.fail.sh -+++ b/tests/data/group_system/group_software/group_gnome/rule_dconf_db_up_to_date/db_not_up_to_date.fail.sh -@@ -3,13 +3,7 @@ - - . ../dconf_test_functions.sh - --if ! rpm -q dconf; then -- yum -y install dconf --fi -- --if ! 
rpm -q gdm; then -- yum -y install gdm --fi -+install_dconf_and_gdm_if_needed - - clean_dconf_settings - add_dconf_setting "org/gnome/login-screen" "banner-message-enabled" "true" "gdm.d" "00-security-settings" -@@ -20,7 +14,9 @@ add_dconf_lock "org/gnome/login-screen" "banner-message-enable" "local.d" "00-se - - dconf update - --sleep 3 -+# ensure that the modification happens a reasonable amount of time after running dconf update -+sleep 5 - --# make static files newer than the database -+# make static keyfiles newer than the database - add_dconf_setting "org/gnome/login-screen" "banner-message-enabled" "true" "gdm.d" "00-security-settings" -+add_dconf_setting "org/gnome/login-screen" "banner-message-enabled" "true" "local.d" "00-security-settings" -diff --git a/tests/data/group_system/group_software/group_gnome/rule_dconf_db_up_to_date/db_up_to_date.pass.sh b/tests/data/group_system/group_software/group_gnome/rule_dconf_db_up_to_date/db_up_to_date.pass.sh -index 66ed76e4fa..5a6c2f0a43 100644 ---- a/tests/data/group_system/group_software/group_gnome/rule_dconf_db_up_to_date/db_up_to_date.pass.sh -+++ b/tests/data/group_system/group_software/group_gnome/rule_dconf_db_up_to_date/db_up_to_date.pass.sh -@@ -3,13 +3,7 @@ - - . ../dconf_test_functions.sh - --if ! rpm -q dconf; then -- yum -y install dconf --fi -- --if ! 
rpm -q gdm; then -- yum -y install gdm --fi -+install_dconf_and_gdm_if_needed - - clean_dconf_settings - add_dconf_setting "org/gnome/login-screen" "banner-message-enabled" "true" "gdm.d" "00-security-settings" -diff --git a/tests/data/group_system/group_software/group_gnome/rule_dconf_db_up_to_date/no_db_files.fail.sh b/tests/data/group_system/group_software/group_gnome/rule_dconf_db_up_to_date/no_db_files.fail.sh -index a7bc04efac..3fdbed905e 100644 ---- a/tests/data/group_system/group_software/group_gnome/rule_dconf_db_up_to_date/no_db_files.fail.sh -+++ b/tests/data/group_system/group_software/group_gnome/rule_dconf_db_up_to_date/no_db_files.fail.sh -@@ -3,18 +3,13 @@ - - . ../dconf_test_functions.sh - --if ! rpm -q dconf; then -- yum -y install dconf --fi -- --if ! rpm -q gdm; then -- yum -y install gdm --fi -+install_dconf_and_gdm_if_needed - - # remove all database files - remove_dconf_databases - --sleep 3 -+# ensure that the modification happens a reasonable amount of time after running dconf update -+sleep 5 - - add_dconf_setting "org/gnome/login-screen" "banner-message-enabled" "true" "gdm.d" "00-security-settings" - add_dconf_lock "org/gnome/login-screen" "banner-message-enable" "gdm.d" "00-security-settings-lock" - -From 68e3f056a723ceb170fd81105d354e390e3ea00a Mon Sep 17 00:00:00 2001 -From: Gabriel Becker -Date: Fri, 31 May 2019 10:06:03 +0200 -Subject: [PATCH 7/9] Update dconf_db_up_to_date OVAL metadata. 
- ---- - .../system/software/gnome/dconf_db_up_to_date/oval/shared.xml | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/linux_os/guide/system/software/gnome/dconf_db_up_to_date/oval/shared.xml b/linux_os/guide/system/software/gnome/dconf_db_up_to_date/oval/shared.xml -index 6b34446487..499bb4db60 100644 ---- a/linux_os/guide/system/software/gnome/dconf_db_up_to_date/oval/shared.xml -+++ b/linux_os/guide/system/software/gnome/dconf_db_up_to_date/oval/shared.xml -@@ -43,14 +43,14 @@ - - - -- Configure the GNOME3 GUI Screen locking -+ The dconf databases are up-to-date. - - Red Hat Enterprise Linux 7 - Red Hat Enterprise Linux 8 - multi_platform_fedora - multi_platform_ol - -- The allowed period of inactivity before the screensaver is activated. -+ Make sure that the dconf databases are up-to-date with regards to respective keyfiles. - - - - -From f86c4b314cc7d4d3922cf424a77674f9332eced9 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= -Date: Fri, 31 May 2019 15:59:11 +0200 -Subject: [PATCH 8/9] Made the gdm.d keyfile tree relevant only for RHEL7. 
- ---- - .../system/software/gnome/dconf_db_up_to_date/oval/shared.xml | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/linux_os/guide/system/software/gnome/dconf_db_up_to_date/oval/shared.xml b/linux_os/guide/system/software/gnome/dconf_db_up_to_date/oval/shared.xml -index 499bb4db60..bc31a6cb7e 100644 ---- a/linux_os/guide/system/software/gnome/dconf_db_up_to_date/oval/shared.xml -+++ b/linux_os/guide/system/software/gnome/dconf_db_up_to_date/oval/shared.xml -@@ -55,7 +55,7 @@ - - - -- {{% if product != 'fedora' %}} -+ {{% if product == 'rhel7' %}} - {{{ check_db_criterion("gdm") }}} - {{% endif %}} - {{{ check_db_criterion("local") }}} -@@ -63,7 +63,7 @@ - - - -- {{% if product != 'fedora' %}} -+ {{% if product == 'rhel7' %}} - {{{ check_db_is_up_to_date("gdm") }}} - {{% endif %}} - {{{ check_db_is_up_to_date("local") }}} - -From 64a53ece4ffea9f9d4017955433a251493649175 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= -Date: Mon, 3 Jun 2019 14:39:09 +0200 -Subject: [PATCH 9/9] Added support for missing keyfiles. 
- ---- - .../gnome/dconf_db_up_to_date/oval/shared.xml | 12 +++++++++--- - .../rule_dconf_db_up_to_date/no_keyfiles.pass.sh | 8 ++++++++ - 2 files changed, 17 insertions(+), 3 deletions(-) - create mode 100644 tests/data/group_system/group_software/group_gnome/rule_dconf_db_up_to_date/no_keyfiles.pass.sh - -diff --git a/linux_os/guide/system/software/gnome/dconf_db_up_to_date/oval/shared.xml b/linux_os/guide/system/software/gnome/dconf_db_up_to_date/oval/shared.xml -index bc31a6cb7e..f073268762 100644 ---- a/linux_os/guide/system/software/gnome/dconf_db_up_to_date/oval/shared.xml -+++ b/linux_os/guide/system/software/gnome/dconf_db_up_to_date/oval/shared.xml -@@ -12,8 +12,7 @@ - - - -- /etc/dconf/db/{{{ db_name }}}.d/ -- .* -+ ^/etc/dconf/db/{{{ db_name }}}.d/.* - - - -@@ -35,10 +34,17 @@ - - - -+ -+ -+ -+ - {{% endmacro %}} - - {{% macro check_db_criterion(db_name) %}} -- -+ -+ -+ -+ - {{% endmacro %}} - - -diff --git a/tests/data/group_system/group_software/group_gnome/rule_dconf_db_up_to_date/no_keyfiles.pass.sh b/tests/data/group_system/group_software/group_gnome/rule_dconf_db_up_to_date/no_keyfiles.pass.sh -new file mode 100644 -index 0000000000..06945575f1 ---- /dev/null -+++ b/tests/data/group_system/group_software/group_gnome/rule_dconf_db_up_to_date/no_keyfiles.pass.sh -@@ -0,0 +1,8 @@ -+#!/bin/bash -+# profiles = xccdf_org.ssgproject.content_profile_ospp -+ -+. ../dconf_test_functions.sh -+ -+install_dconf_and_gdm_if_needed -+ -+clean_dconf_settings diff --git a/SOURCES/scap-security-guide-0.1.45-aide_not_applicable_to_containers.patch b/SOURCES/scap-security-guide-0.1.45-aide_not_applicable_to_containers.patch deleted file mode 100644 index e25c6e9..0000000 --- a/SOURCES/scap-security-guide-0.1.45-aide_not_applicable_to_containers.patch +++ /dev/null 
@@ -1,31 +0,0 @@ -From 6418fbbce4050ec84836b4fa6855a2699d86a6ac Mon Sep 17 00:00:00 2001 -From: Marek Haicman -Date: Mon, 20 May 2019 12:54:15 +0200 -Subject: [PATCH] AIDE rules not applicable to containers - -AIDE is tool to assess changes in the system. As containers have this capability by definition, there is no need have AIDE to duplicate it. ---- - .../aide/aide_periodic_cron_checking/rule.yml | 2 -- - .../system/software/integrity/software-integrity/aide/group.yml | 2 ++ - 2 files changed, 2 insertions(+), 2 deletions(-) - -diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_periodic_cron_checking/rule.yml b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_periodic_cron_checking/rule.yml -index 7fc8d96b04..68ea7937bd 100644 ---- a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_periodic_cron_checking/rule.yml -+++ b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_periodic_cron_checking/rule.yml -@@ -63,5 +63,3 @@ ocil: |- -
05 4 * * * root /usr/sbin/aide --check
- - NOTE: The usage of special cron times, such as @daily or @weekly, is acceptable. -- --platform: machine -diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/group.yml b/linux_os/guide/system/software/integrity/software-integrity/aide/group.yml -index 69d2f0fb56..faa2458657 100644 ---- a/linux_os/guide/system/software/integrity/software-integrity/aide/group.yml -+++ b/linux_os/guide/system/software/integrity/software-integrity/aide/group.yml -@@ -8,3 +8,5 @@ description: |- - created immediately after initial system configuration, and then again after any - software update. AIDE is highly configurable, with further configuration - information located in /usr/share/doc/aide-VERSION. -+ -+platform: machine diff --git a/SOURCES/scap-security-guide-0.1.45-fix_ansible_sssd_ssh_known_hosts_timeout.patch b/SOURCES/scap-security-guide-0.1.45-fix_ansible_sssd_ssh_known_hosts_timeout.patch deleted file mode 100644 index 6845269..0000000 --- a/SOURCES/scap-security-guide-0.1.45-fix_ansible_sssd_ssh_known_hosts_timeout.patch +++ /dev/null 
@@ -1,32 +0,0 @@ -From 25af71b8262a2a320652feb2d47235f81f2aa213 Mon Sep 17 00:00:00 2001 -From: Gabriel Becker -Date: Tue, 21 May 2019 17:15:21 +0200 -Subject: [PATCH] Use right variable for ansible remediation in - sssd_ssh_known_hosts_timeout rule. - ---- - .../sssd/sssd_ssh_known_hosts_timeout/ansible/shared.yml | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/linux_os/guide/services/sssd/sssd_ssh_known_hosts_timeout/ansible/shared.yml b/linux_os/guide/services/sssd/sssd_ssh_known_hosts_timeout/ansible/shared.yml -index d7f246e..92bdf8f 100644 ---- a/linux_os/guide/services/sssd/sssd_ssh_known_hosts_timeout/ansible/shared.yml -+++ b/linux_os/guide/services/sssd/sssd_ssh_known_hosts_timeout/ansible/shared.yml -@@ -3,7 +3,7 @@ - # strategy = unknown - # complexity = low - # disruption = medium --- (xccdf-var sshd_idle_timeout_value) -+- (xccdf-var var_sssd_ssh_known_hosts_timeout) - - - name: "Test for domain group" - shell: grep '\s*\[domain\/[^]]*]' /etc/sssd/sssd.conf -@@ -34,7 +34,7 @@ - dest: /etc/sssd/sssd.conf - section: ssh - option: ssh_known_hosts_timeout -- value: "{{ sshd_idle_timeout_value }}" -+ value: "{{ var_sssd_ssh_known_hosts_timeout }}" - create: yes - mode: 0600 - tags: diff --git a/SOURCES/scap-security-guide-0.1.45-fix_dconf_remediation.patch b/SOURCES/scap-security-guide-0.1.45-fix_dconf_remediation.patch deleted file mode 100644 index 7fbeb08..0000000 --- a/SOURCES/scap-security-guide-0.1.45-fix_dconf_remediation.patch +++ /dev/null 
@@ -1,22 +0,0 @@ -From 8ea989799f6d69c4a80ca8e4bf0d08177e916571 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= -Date: Wed, 12 Jun 2019 15:48:39 +0200 -Subject: [PATCH] Call dconf update in all dconf-related shared remediation - functions. - ---- - shared/bash_remediation_functions/include_dconf_settings.sh | 2 ++ - 1 file changed, 2 insertions(+) - -diff --git a/shared/bash_remediation_functions/include_dconf_settings.sh b/shared/bash_remediation_functions/include_dconf_settings.sh -index 02f9877e97..9cfce467f8 100644 ---- a/shared/bash_remediation_functions/include_dconf_settings.sh -+++ b/shared/bash_remediation_functions/include_dconf_settings.sh -@@ -70,5 +70,7 @@ function dconf_lock { - then - echo "/${_key}/${_setting}" >> "/etc/dconf/db/${_db}/locks/${_lockFile}" - fi -+ -+ dconf update - } - diff --git a/SOURCES/scap-security-guide-0.1.45-fix_rule_sssd_ssh_known_hosts_timeout.patch b/SOURCES/scap-security-guide-0.1.45-fix_rule_sssd_ssh_known_hosts_timeout.patch deleted file mode 100644 index 87112fd..0000000 --- a/SOURCES/scap-security-guide-0.1.45-fix_rule_sssd_ssh_known_hosts_timeout.patch +++ /dev/null 
@@ -1,377 +0,0 @@ -From 15488aa8ae05def7d6e967170e550b3f764204e4 Mon Sep 17 00:00:00 2001 -From: Gabriel Becker -Date: Thu, 16 May 2019 17:38:17 +0200 -Subject: [PATCH 1/4] Add bash remediation, fix oval and add test scenarios for - sssd_ssh_known_hosts_timeout. - ---- - .../bash/shared.sh | 23 +++++++++++++++++++ - .../oval/shared.xml | 2 +- - .../sssd_ssh_known_hosts_timeout/rule.yml | 2 +- - .../comment.fail.sh | 12 ++++++++++ - .../correct_value.pass.sh | 12 ++++++++++ - .../wrong_section.fail.sh | 12 ++++++++++ - .../wrong_value.fail.sh | 15 ++++++++++++ - 7 files changed, 76 insertions(+), 2 deletions(-) - create mode 100644 linux_os/guide/services/sssd/sssd_ssh_known_hosts_timeout/bash/shared.sh - create mode 100644 tests/data/group_services/group_sssd/rule_sssd_ssh_known_hosts_timeout/comment.fail.sh - create mode 100644 tests/data/group_services/group_sssd/rule_sssd_ssh_known_hosts_timeout/correct_value.pass.sh - create mode 100644 tests/data/group_services/group_sssd/rule_sssd_ssh_known_hosts_timeout/wrong_section.fail.sh - create mode 100644 tests/data/group_services/group_sssd/rule_sssd_ssh_known_hosts_timeout/wrong_value.fail.sh - -diff --git a/linux_os/guide/services/sssd/sssd_ssh_known_hosts_timeout/bash/shared.sh b/linux_os/guide/services/sssd/sssd_ssh_known_hosts_timeout/bash/shared.sh -new file mode 100644 -index 0000000000..33ebf544e3 ---- /dev/null -+++ b/linux_os/guide/services/sssd/sssd_ssh_known_hosts_timeout/bash/shared.sh -@@ -0,0 +1,23 @@ -+# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol -+ -+# Include source function library. -+. 
/usr/share/scap-security-guide/remediation_functions -+ -+populate var_sssd_ssh_known_hosts_timeout -+ -+SSSD_CONF="/etc/sssd/sssd.conf" -+SSH_KNOWN_HOSTS_TIMEOUT_REGEX="[[:space:]]*\[ssh]([^\n\[]*\n+)+?[[:space:]]*ssh_known_hosts_timeout" -+SSH_REGEX="[[:space:]]*\[ssh]" -+ -+# Try find [ssh] and ssh_known_hosts_timeout in sssd.conf, if it exists, set to -+# var_sssd_ssh_known_hosts_timeout, if it isn't here, add it, if [ssh] doesn't -+# exist, add it there -+if grep -qzosP $SSH_KNOWN_HOSTS_TIMEOUT_REGEX $SSSD_CONF; then -+ sed -i "s/ssh_known_hosts_timeout[^(\n)]*/ssh_known_hosts_timeout = $var_sssd_ssh_known_hosts_timeout/" $SSSD_CONF -+elif grep -qs $SSH_REGEX $SSSD_CONF; then -+ sed -i "/$SSH_REGEX/a ssh_known_hosts_timeout = $var_sssd_ssh_known_hosts_timeout" $SSSD_CONF -+else -+ mkdir -p /etc/sssd -+ touch $SSSD_CONF -+ echo -e "[ssh]\nssh_known_hosts_timeout = $var_sssd_ssh_known_hosts_timeout" >> $SSSD_CONF -+fi -diff --git a/linux_os/guide/services/sssd/sssd_ssh_known_hosts_timeout/oval/shared.xml b/linux_os/guide/services/sssd/sssd_ssh_known_hosts_timeout/oval/shared.xml -index 5bfdeee99e..d98934d294 100644 ---- a/linux_os/guide/services/sssd/sssd_ssh_known_hosts_timeout/oval/shared.xml -+++ b/linux_os/guide/services/sssd/sssd_ssh_known_hosts_timeout/oval/shared.xml -@@ -27,7 +27,7 @@ -
- - /etc/sssd/sssd.conf -- ^\[ssh]([^\n]*\n+)+?ssh_known_hosts_timeout[\s]+=[\s]+(\d+)$ -+ ^[\s]*\[ssh](?:[^\n\[]*\n+)+?[\s]*ssh_known_hosts_timeout[\s]*=[\s]*(\d+)$ - 1 - - -diff --git a/linux_os/guide/services/sssd/sssd_ssh_known_hosts_timeout/rule.yml b/linux_os/guide/services/sssd/sssd_ssh_known_hosts_timeout/rule.yml -index ada49bd662..d041029264 100644 ---- a/linux_os/guide/services/sssd/sssd_ssh_known_hosts_timeout/rule.yml -+++ b/linux_os/guide/services/sssd/sssd_ssh_known_hosts_timeout/rule.yml -@@ -1,6 +1,6 @@ - documentation_complete: true - --prodtype: rhel6,rhel7,rhel8 -+prodtype: rhel6,rhel7,rhel8,fedora,rhv4 - - title: 'Configure SSSD to Expire SSH Known Hosts' - -diff --git a/tests/data/group_services/group_sssd/rule_sssd_ssh_known_hosts_timeout/comment.fail.sh b/tests/data/group_services/group_sssd/rule_sssd_ssh_known_hosts_timeout/comment.fail.sh -new file mode 100644 -index 0000000000..5092f147c6 ---- /dev/null -+++ b/tests/data/group_services/group_sssd/rule_sssd_ssh_known_hosts_timeout/comment.fail.sh -@@ -0,0 +1,12 @@ -+#!/bin/bash -+ -+# profiles = xccdf_org.ssgproject.content_profile_ospp -+ -+SSSD_CONF="/etc/sssd/sssd.conf" -+TIMEOUT="180" -+ -+dnf -y install sssd -+systemctl enable sssd -+mkdir -p /etc/sssd -+touch $SSSD_CONF -+echo -e "[ssh]\n#ssh_known_hosts_timeout = $TIMEOUT" >> $SSSD_CONF -diff --git a/tests/data/group_services/group_sssd/rule_sssd_ssh_known_hosts_timeout/correct_value.pass.sh b/tests/data/group_services/group_sssd/rule_sssd_ssh_known_hosts_timeout/correct_value.pass.sh -new file mode 100644 -index 0000000000..84a93b955f ---- /dev/null -+++ b/tests/data/group_services/group_sssd/rule_sssd_ssh_known_hosts_timeout/correct_value.pass.sh -@@ -0,0 +1,12 @@ -+#!/bin/bash -+ -+# profiles = xccdf_org.ssgproject.content_profile_ospp -+ -+SSSD_CONF="/etc/sssd/sssd.conf" -+TIMEOUT="180" -+ -+dnf -y install sssd -+systemctl enable sssd -+mkdir -p /etc/sssd -+touch $SSSD_CONF -+echo -e "[ssh]\nssh_known_hosts_timeout = $TIMEOUT" 
>> $SSSD_CONF -diff --git a/tests/data/group_services/group_sssd/rule_sssd_ssh_known_hosts_timeout/wrong_section.fail.sh b/tests/data/group_services/group_sssd/rule_sssd_ssh_known_hosts_timeout/wrong_section.fail.sh -new file mode 100644 -index 0000000000..da720151dc ---- /dev/null -+++ b/tests/data/group_services/group_sssd/rule_sssd_ssh_known_hosts_timeout/wrong_section.fail.sh -@@ -0,0 +1,12 @@ -+#!/bin/bash -+ -+# profiles = xccdf_org.ssgproject.content_profile_ospp -+ -+SSSD_CONF="/etc/sssd/sssd.conf" -+TIMEOUT="180" -+ -+dnf -y install sssd -+systemctl enable sssd -+mkdir -p /etc/sssd -+touch $SSSD_CONF -+echo -e "[ssh]\nsomething = wrong\n[pam]\nssh_known_hosts_timeout = $TIMEOUT" >> $SSSD_CONF -diff --git a/tests/data/group_services/group_sssd/rule_sssd_ssh_known_hosts_timeout/wrong_value.fail.sh b/tests/data/group_services/group_sssd/rule_sssd_ssh_known_hosts_timeout/wrong_value.fail.sh -new file mode 100644 -index 0000000000..fcba0e0019 ---- /dev/null -+++ b/tests/data/group_services/group_sssd/rule_sssd_ssh_known_hosts_timeout/wrong_value.fail.sh -@@ -0,0 +1,15 @@ -+#!/bin/bash -+ -+# profiles = xccdf_org.ssgproject.content_profile_ospp -+ -+SSSD_CONF="/etc/sssd/sssd.conf" -+ -+# The rule sssd_memcache_timeout requires memcache_timeout = 86400 -+# Let's put there a different value to fail -+TIMEOUT="99999" -+ -+dnf -y install sssd -+systemctl enable sssd -+mkdir -p /etc/sssd -+touch $SSSD_CONF -+echo -e "[ssh]\nssh_known_hosts_timeout = $TIMEOUT" >> $SSSD_CONF - -From 4737fa82aaed8ad9f305b9900c992f80d37b3fb6 Mon Sep 17 00:00:00 2001 -From: Gabriel Becker -Date: Fri, 17 May 2019 13:55:23 +0200 -Subject: [PATCH 2/4] Change values in timeout test scenarios so it has better - accuracy in test results. 
- ---- - .../group_sssd/rule_sssd_memcache_timeout/comment.fail.sh | 2 +- - .../rule_sssd_memcache_timeout/correct_value.pass.sh | 4 +++- - .../rule_sssd_memcache_timeout/wrong_section.fail.sh | 2 +- - .../group_sssd/rule_sssd_memcache_timeout/wrong_value.fail.sh | 4 ++-- - .../rule_sssd_ssh_known_hosts_timeout/correct_value.pass.sh | 2 ++ - 5 files changed, 9 insertions(+), 5 deletions(-) - -diff --git a/tests/data/group_services/group_sssd/rule_sssd_memcache_timeout/comment.fail.sh b/tests/data/group_services/group_sssd/rule_sssd_memcache_timeout/comment.fail.sh -index 8d68ec3a05..d4f2cd99aa 100644 ---- a/tests/data/group_services/group_sssd/rule_sssd_memcache_timeout/comment.fail.sh -+++ b/tests/data/group_services/group_sssd/rule_sssd_memcache_timeout/comment.fail.sh -@@ -3,7 +3,7 @@ - # profiles = xccdf_org.ssgproject.content_profile_ospp - - SSSD_CONF="/etc/sssd/sssd.conf" --TIMEOUT="86400" -+TIMEOUT="180" - - dnf -y install sssd - systemctl enable sssd -diff --git a/tests/data/group_services/group_sssd/rule_sssd_memcache_timeout/correct_value.pass.sh b/tests/data/group_services/group_sssd/rule_sssd_memcache_timeout/correct_value.pass.sh -index 7320a79564..25c6593a7f 100644 ---- a/tests/data/group_services/group_sssd/rule_sssd_memcache_timeout/correct_value.pass.sh -+++ b/tests/data/group_services/group_sssd/rule_sssd_memcache_timeout/correct_value.pass.sh -@@ -3,7 +3,9 @@ - # profiles = xccdf_org.ssgproject.content_profile_ospp - - SSSD_CONF="/etc/sssd/sssd.conf" --TIMEOUT="86400" -+# The smallest variable value for sssd_memcache_timeout is 180 so -+# this should pass for every product which contains ospp profile -+TIMEOUT="180" - - dnf -y install sssd - systemctl enable sssd -diff --git a/tests/data/group_services/group_sssd/rule_sssd_memcache_timeout/wrong_section.fail.sh b/tests/data/group_services/group_sssd/rule_sssd_memcache_timeout/wrong_section.fail.sh -index b3326721e4..7b78532d92 100644 ---- 
a/tests/data/group_services/group_sssd/rule_sssd_memcache_timeout/wrong_section.fail.sh -+++ b/tests/data/group_services/group_sssd/rule_sssd_memcache_timeout/wrong_section.fail.sh -@@ -3,7 +3,7 @@ - # profiles = xccdf_org.ssgproject.content_profile_ospp - - SSSD_CONF="/etc/sssd/sssd.conf" --TIMEOUT="86400" -+TIMEOUT="180" - - dnf -y install sssd - systemctl enable sssd -diff --git a/tests/data/group_services/group_sssd/rule_sssd_memcache_timeout/wrong_value.fail.sh b/tests/data/group_services/group_sssd/rule_sssd_memcache_timeout/wrong_value.fail.sh -index 1e378ef034..a5ac22077e 100644 ---- a/tests/data/group_services/group_sssd/rule_sssd_memcache_timeout/wrong_value.fail.sh -+++ b/tests/data/group_services/group_sssd/rule_sssd_memcache_timeout/wrong_value.fail.sh -@@ -4,8 +4,8 @@ - - SSSD_CONF="/etc/sssd/sssd.conf" - --# The rule sssd_memcache_timeout requires memcache_timeout = 86400 --# Let's put there a different value to fail -+# The highest variable value for sssd_memcache_timeout is 86400 so -+# Let's put there a higher value to fail - TIMEOUT="99999" - - dnf -y install sssd -diff --git a/tests/data/group_services/group_sssd/rule_sssd_ssh_known_hosts_timeout/correct_value.pass.sh b/tests/data/group_services/group_sssd/rule_sssd_ssh_known_hosts_timeout/correct_value.pass.sh -index 84a93b955f..cb0462d9a7 100644 ---- a/tests/data/group_services/group_sssd/rule_sssd_ssh_known_hosts_timeout/correct_value.pass.sh -+++ b/tests/data/group_services/group_sssd/rule_sssd_ssh_known_hosts_timeout/correct_value.pass.sh -@@ -3,6 +3,8 @@ - # profiles = xccdf_org.ssgproject.content_profile_ospp - - SSSD_CONF="/etc/sssd/sssd.conf" -+# The smallest variable value for sssd_memcache_timeout is 180 so -+# this should pass for every product which contains ospp profile - TIMEOUT="180" - - dnf -y install sssd - -From f5ca4d6be1eeac477be9ba8c3e5764c33d17ffe9 Mon Sep 17 00:00:00 2001 -From: Gabriel Becker -Date: Fri, 17 May 2019 14:30:34 +0200 -Subject: [PATCH 3/4] Use yum to install 
packages in test scenarios. - ---- - .../group_sssd/rule_sssd_memcache_timeout/comment.fail.sh | 2 +- - .../group_sssd/rule_sssd_memcache_timeout/correct_value.pass.sh | 2 +- - .../group_sssd/rule_sssd_memcache_timeout/wrong_section.fail.sh | 2 +- - .../group_sssd/rule_sssd_memcache_timeout/wrong_value.fail.sh | 2 +- - .../rule_sssd_ssh_known_hosts_timeout/comment.fail.sh | 2 +- - .../rule_sssd_ssh_known_hosts_timeout/correct_value.pass.sh | 2 +- - .../rule_sssd_ssh_known_hosts_timeout/wrong_section.fail.sh | 2 +- - .../rule_sssd_ssh_known_hosts_timeout/wrong_value.fail.sh | 2 +- - 8 files changed, 8 insertions(+), 8 deletions(-) - -diff --git a/tests/data/group_services/group_sssd/rule_sssd_memcache_timeout/comment.fail.sh b/tests/data/group_services/group_sssd/rule_sssd_memcache_timeout/comment.fail.sh -index d4f2cd99aa..d6ce9eedec 100644 ---- a/tests/data/group_services/group_sssd/rule_sssd_memcache_timeout/comment.fail.sh -+++ b/tests/data/group_services/group_sssd/rule_sssd_memcache_timeout/comment.fail.sh -@@ -5,7 +5,7 @@ - SSSD_CONF="/etc/sssd/sssd.conf" - TIMEOUT="180" - --dnf -y install sssd -+yum -y install sssd - systemctl enable sssd - mkdir -p /etc/sssd - touch $SSSD_CONF -diff --git a/tests/data/group_services/group_sssd/rule_sssd_memcache_timeout/correct_value.pass.sh b/tests/data/group_services/group_sssd/rule_sssd_memcache_timeout/correct_value.pass.sh -index 25c6593a7f..7d492a5a37 100644 ---- a/tests/data/group_services/group_sssd/rule_sssd_memcache_timeout/correct_value.pass.sh -+++ b/tests/data/group_services/group_sssd/rule_sssd_memcache_timeout/correct_value.pass.sh -@@ -7,7 +7,7 @@ SSSD_CONF="/etc/sssd/sssd.conf" - # this should pass for every product which contains ospp profile - TIMEOUT="180" - --dnf -y install sssd -+yum -y install sssd - systemctl enable sssd - mkdir -p /etc/sssd - touch $SSSD_CONF -diff --git a/tests/data/group_services/group_sssd/rule_sssd_memcache_timeout/wrong_section.fail.sh 
b/tests/data/group_services/group_sssd/rule_sssd_memcache_timeout/wrong_section.fail.sh -index 7b78532d92..e46427a391 100644 ---- a/tests/data/group_services/group_sssd/rule_sssd_memcache_timeout/wrong_section.fail.sh -+++ b/tests/data/group_services/group_sssd/rule_sssd_memcache_timeout/wrong_section.fail.sh -@@ -5,7 +5,7 @@ - SSSD_CONF="/etc/sssd/sssd.conf" - TIMEOUT="180" - --dnf -y install sssd -+yum -y install sssd - systemctl enable sssd - mkdir -p /etc/sssd - touch $SSSD_CONF -diff --git a/tests/data/group_services/group_sssd/rule_sssd_memcache_timeout/wrong_value.fail.sh b/tests/data/group_services/group_sssd/rule_sssd_memcache_timeout/wrong_value.fail.sh -index a5ac22077e..440ae8d404 100644 ---- a/tests/data/group_services/group_sssd/rule_sssd_memcache_timeout/wrong_value.fail.sh -+++ b/tests/data/group_services/group_sssd/rule_sssd_memcache_timeout/wrong_value.fail.sh -@@ -8,7 +8,7 @@ SSSD_CONF="/etc/sssd/sssd.conf" - # Let's put there a higher value to fail - TIMEOUT="99999" - --dnf -y install sssd -+yum -y install sssd - systemctl enable sssd - mkdir -p /etc/sssd - touch $SSSD_CONF -diff --git a/tests/data/group_services/group_sssd/rule_sssd_ssh_known_hosts_timeout/comment.fail.sh b/tests/data/group_services/group_sssd/rule_sssd_ssh_known_hosts_timeout/comment.fail.sh -index 5092f147c6..4c40dedb8a 100644 ---- a/tests/data/group_services/group_sssd/rule_sssd_ssh_known_hosts_timeout/comment.fail.sh -+++ b/tests/data/group_services/group_sssd/rule_sssd_ssh_known_hosts_timeout/comment.fail.sh -@@ -5,7 +5,7 @@ - SSSD_CONF="/etc/sssd/sssd.conf" - TIMEOUT="180" - --dnf -y install sssd -+yum -y install sssd - systemctl enable sssd - mkdir -p /etc/sssd - touch $SSSD_CONF -diff --git a/tests/data/group_services/group_sssd/rule_sssd_ssh_known_hosts_timeout/correct_value.pass.sh b/tests/data/group_services/group_sssd/rule_sssd_ssh_known_hosts_timeout/correct_value.pass.sh -index cb0462d9a7..0610144030 100644 ---- 
a/tests/data/group_services/group_sssd/rule_sssd_ssh_known_hosts_timeout/correct_value.pass.sh -+++ b/tests/data/group_services/group_sssd/rule_sssd_ssh_known_hosts_timeout/correct_value.pass.sh -@@ -7,7 +7,7 @@ SSSD_CONF="/etc/sssd/sssd.conf" - # this should pass for every product which contains ospp profile - TIMEOUT="180" - --dnf -y install sssd -+yum -y install sssd - systemctl enable sssd - mkdir -p /etc/sssd - touch $SSSD_CONF -diff --git a/tests/data/group_services/group_sssd/rule_sssd_ssh_known_hosts_timeout/wrong_section.fail.sh b/tests/data/group_services/group_sssd/rule_sssd_ssh_known_hosts_timeout/wrong_section.fail.sh -index da720151dc..c35754881c 100644 ---- a/tests/data/group_services/group_sssd/rule_sssd_ssh_known_hosts_timeout/wrong_section.fail.sh -+++ b/tests/data/group_services/group_sssd/rule_sssd_ssh_known_hosts_timeout/wrong_section.fail.sh -@@ -5,7 +5,7 @@ - SSSD_CONF="/etc/sssd/sssd.conf" - TIMEOUT="180" - --dnf -y install sssd -+yum -y install sssd - systemctl enable sssd - mkdir -p /etc/sssd - touch $SSSD_CONF -diff --git a/tests/data/group_services/group_sssd/rule_sssd_ssh_known_hosts_timeout/wrong_value.fail.sh b/tests/data/group_services/group_sssd/rule_sssd_ssh_known_hosts_timeout/wrong_value.fail.sh -index fcba0e0019..2422bb70fe 100644 ---- a/tests/data/group_services/group_sssd/rule_sssd_ssh_known_hosts_timeout/wrong_value.fail.sh -+++ b/tests/data/group_services/group_sssd/rule_sssd_ssh_known_hosts_timeout/wrong_value.fail.sh -@@ -8,7 +8,7 @@ SSSD_CONF="/etc/sssd/sssd.conf" - # Let's put there a different value to fail - TIMEOUT="99999" - --dnf -y install sssd -+yum -y install sssd - systemctl enable sssd - mkdir -p /etc/sssd - touch $SSSD_CONF - -From 42f536cfdb0898e56ac6a4e9ba8eefcce81ae17a Mon Sep 17 00:00:00 2001 -From: Gabriel Becker -Date: Fri, 17 May 2019 14:30:59 +0200 -Subject: [PATCH 4/4] Remove unused variable from rhel7/stig-rhel7-disa.profile. 
- ---- - rhel7/profiles/stig-rhel7-disa.profile | 1 - - 1 file changed, 1 deletion(-) - -diff --git a/rhel7/profiles/stig-rhel7-disa.profile b/rhel7/profiles/stig-rhel7-disa.profile -index 85dfda0ad2..9f8e9ab156 100644 ---- a/rhel7/profiles/stig-rhel7-disa.profile -+++ b/rhel7/profiles/stig-rhel7-disa.profile -@@ -18,7 +18,6 @@ description: |- - selections: - - login_banner_text=dod_banners - - inactivity_timeout_value=15_minutes -- - var_sssd_ssh_known_hosts_timeout=5_minutes - - var_screensaver_lock_delay=5_seconds - - sshd_idle_timeout_value=10_minutes - - var_accounts_fail_delay=4 diff --git a/SOURCES/scap-security-guide-0.1.45-mark_rules_as_machine_only.patch b/SOURCES/scap-security-guide-0.1.45-mark_rules_as_machine_only.patch deleted file mode 100644 index 8568afb..0000000 --- a/SOURCES/scap-security-guide-0.1.45-mark_rules_as_machine_only.patch +++ /dev/null 
@@ -1,1060 +0,0 @@ -commit 167d69498e13516f345dd0581e72720211760476 -Author: Gabriel Becker -Date: Mon Apr 8 12:43:30 2019 +0200 - - Mark as machine only rules which are not applicable for containers. - -diff --git a/linux_os/guide/services/obsolete/inetd_and_xinetd/group.yml b/linux_os/guide/services/obsolete/inetd_and_xinetd/group.yml -index 07f6351..3c98479 100644 ---- a/linux_os/guide/services/obsolete/inetd_and_xinetd/group.yml -+++ b/linux_os/guide/services/obsolete/inetd_and_xinetd/group.yml -@@ -8,3 +8,5 @@ description: |- - controls and perform some logging. It has been largely obsoleted by other - features, and it is not installed by default. The older Inetd service - is not even available as part of {{{ full_name }}}. -+ -+platform: machine -diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/install_smartcard_packages/rule.yml b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/install_smartcard_packages/rule.yml -index 6b01ddb..d6feb28 100644 ---- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/install_smartcard_packages/rule.yml -+++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/install_smartcard_packages/rule.yml -@@ -37,5 +37,3 @@ ocil: |- - To verify the operating system has the packages required for multifactor - authentication installed, run the following command: -
$ sudo yum list installed esc pam_pkcs11 authconfig-gtk
-- --platform: machine -diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/service_pcscd_enabled/rule.yml b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/service_pcscd_enabled/rule.yml -index a49f9e7..03e37fd 100644 ---- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/service_pcscd_enabled/rule.yml -+++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/service_pcscd_enabled/rule.yml -@@ -33,3 +33,5 @@ references: - ocil_clause: 'the pcscd service is not enabled' - - ocil: '{{{ ocil_service_enabled(service="pcscd") }}}' -+ -+platform: machine -diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/smartcard_auth/rule.yml b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/smartcard_auth/rule.yml -index a5e92fe..d8aa9ec 100644 ---- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/smartcard_auth/rule.yml -+++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/smartcard_auth/rule.yml -@@ -70,5 +70,3 @@ ocil: |- - network and system components from outside the protection boundary - documented in the IATT. - -- --platform: machine -diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/smartcard_configure_cert_checking/rule.yml b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/smartcard_configure_cert_checking/rule.yml -index 56af0e3..a2c4bd9 100644 ---- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/smartcard_configure_cert_checking/rule.yml -+++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/smartcard_configure_cert_checking/rule.yml -@@ -42,5 +42,3 @@ ocil: |- -
cert_policy = ca, ocsp_on, signature;
-     cert_policy = ca, ocsp_on, signature;
-     cert_policy = ca, ocsp_on, signature;
-- --platform: machine -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_chmod/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_chmod/rule.yml -index 968820f..0741629 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_chmod/rule.yml -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_chmod/rule.yml -@@ -64,4 +64,3 @@ warnings: - have been placed independent of other system calls. Grouping these system - calls with others as identifying earlier in this guide is more efficient. - --platform: machine -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_chown/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_chown/rule.yml -index 3803b04..f5ec6e6 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_chown/rule.yml -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_chown/rule.yml -@@ -62,4 +62,3 @@ warnings: - have been placed independent of other system calls. Grouping these system - calls with others as identifying earlier in this guide is more efficient. 
- --platform: machine -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchmod/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchmod/rule.yml -index 13ecde1..a66c91e 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchmod/rule.yml -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchmod/rule.yml -@@ -62,4 +62,3 @@ warnings: - have been placed independent of other system calls. Grouping these system - calls with others as identifying earlier in this guide is more efficient. - --platform: machine -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchmodat/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchmodat/rule.yml -index 982e8e6..26e17b8 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchmodat/rule.yml -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchmodat/rule.yml -@@ -62,4 +62,3 @@ warnings: - have been placed independent of other system calls. Grouping these system - calls with others as identifying earlier in this guide is more efficient. 
- --platform: machine -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchown/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchown/rule.yml -index 16eac8a..27d325c 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchown/rule.yml -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchown/rule.yml -@@ -62,4 +62,3 @@ warnings: - have been placed independent of other system calls. Grouping these system - calls with others as identifying earlier in this guide is more efficient. - --platform: machine -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchownat/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchownat/rule.yml -index 6db400e..2aa77fa 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchownat/rule.yml -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchownat/rule.yml -@@ -62,4 +62,3 @@ warnings: - have been placed independent of other system calls. Grouping these system - calls with others as identifying earlier in this guide is more efficient. 
- --platform: machine -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fremovexattr/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fremovexattr/rule.yml -index 56528dd..02ac1db 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fremovexattr/rule.yml -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fremovexattr/rule.yml -@@ -68,4 +68,3 @@ warnings: - have been placed independent of other system calls. Grouping these system - calls with others as identifying earlier in this guide is more efficient. - --platform: machine -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fsetxattr/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fsetxattr/rule.yml -index 88e8429..545889e 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fsetxattr/rule.yml -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fsetxattr/rule.yml -@@ -62,4 +62,3 @@ warnings: - have been placed independent of other system calls. Grouping these system - calls with others as identifying earlier in this guide is more efficient. 
- --platform: machine -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lchown/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lchown/rule.yml -index 81ea227..de20307 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lchown/rule.yml -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lchown/rule.yml -@@ -62,4 +62,3 @@ warnings: - have been placed independent of other system calls. Grouping these system - calls with others as identifying earlier in this guide is more efficient. - --platform: machine -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lremovexattr/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lremovexattr/rule.yml -index 49d6959..726791b 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lremovexattr/rule.yml -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lremovexattr/rule.yml -@@ -68,4 +68,3 @@ warnings: - have been placed independent of other system calls. Grouping these system - calls with others as identifying earlier in this guide is more efficient. 
- --platform: machine -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lsetxattr/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lsetxattr/rule.yml -index 79c16c7..5305faf 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lsetxattr/rule.yml -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lsetxattr/rule.yml -@@ -62,4 +62,3 @@ warnings: - have been placed independent of other system calls. Grouping these system - calls with others as identifying earlier in this guide is more efficient. - --platform: machine -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_removexattr/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_removexattr/rule.yml -index 6659e81..273abda 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_removexattr/rule.yml -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_removexattr/rule.yml -@@ -67,4 +67,3 @@ warnings: - have been placed independent of other system calls. Grouping these system - calls with others as identifying earlier in this guide is more efficient. 
- --platform: machine -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_setxattr/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_setxattr/rule.yml -index 10c8001..5282707 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_setxattr/rule.yml -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_setxattr/rule.yml -@@ -62,4 +62,3 @@ warnings: - have been placed independent of other system calls. Grouping these system - calls with others as identifying earlier in this guide is more efficient. - --platform: machine -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/group.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/group.yml -index 719044f..791b8c8 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/group.yml -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/group.yml -@@ -20,4 +20,3 @@ description: |- - -a always,exit -F arch=b64 -S chown,fchown,fchownat,lchown -F auid>={{{ auid }}} -F auid!=unset -F key=perm_mod - -a always,exit -F arch=b64 -S setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F auid>={{{ auid }}} -F auid!=unset -F key=perm_mod - --platform: machine -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_chcon/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_chcon/rule.yml -index 80f412b..cf741ed 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_chcon/rule.yml -+++ 
b/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_chcon/rule.yml -@@ -55,4 +55,3 @@ ocil: |- - The output should return something similar to: -
-a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>={{{ auid }}} -F auid!=unset -F key=privileged-priv_change
- --platform: machine -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_restorecon/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_restorecon/rule.yml -index d24fa07..bb9a502 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_restorecon/rule.yml -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_restorecon/rule.yml -@@ -54,4 +54,3 @@ ocil: |- - The output should return something similar to: -
-a always,exit -F path=/usr/sbin/restorecon -F perm=x -F auid>={{{ auid }}} -F auid!=unset -F key=privileged-priv_change
- --platform: machine -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_semanage/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_semanage/rule.yml -index 3d9b812..4a7b768 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_semanage/rule.yml -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_semanage/rule.yml -@@ -55,4 +55,3 @@ ocil: |- - The output should return something similar to: -
-a always,exit -F path=/usr/sbin/semanage -F perm=x -F auid>={{{ auid }}} -F auid!=unset -F key=privileged-priv_change
- --platform: machine -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_setsebool/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_setsebool/rule.yml -index 39eb75d..5971f64 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_setsebool/rule.yml -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_setsebool/rule.yml -@@ -55,4 +55,3 @@ ocil: |- - The output should return something similar to: -
-a always,exit -F path=/usr/sbin/setsebool -F perm=x -F auid>={{{ auid }}} -F auid!=unset -F key=privileged-priv_change
- --platform: machine -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events/rule.yml -index a6ef8d4..cfb5e3b 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events/rule.yml -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events/rule.yml -@@ -68,4 +68,3 @@ warnings: -
  • audit_rules_file_deletion_events_unlinkat
  • - - --platform: machine -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_rename/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_rename/rule.yml -index 13e7da6..c25cfbb 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_rename/rule.yml -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_rename/rule.yml -@@ -48,4 +48,3 @@ references: - - {{{ complete_ocil_entry_audit_syscall(syscall="rename") }}} - --platform: machine -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_renameat/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_renameat/rule.yml -index d2facfa..769527b 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_renameat/rule.yml -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_renameat/rule.yml -@@ -48,4 +48,3 @@ references: - - {{{ complete_ocil_entry_audit_syscall(syscall="renameat") }}} - --platform: machine -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_rmdir/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_rmdir/rule.yml -index c68afdc..29a0d77 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_rmdir/rule.yml -+++ 
b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_rmdir/rule.yml -@@ -48,4 +48,3 @@ references: - - {{{ complete_ocil_entry_audit_syscall(syscall="rmdir") }}} - --platform: machine -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_unlink/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_unlink/rule.yml -index 4d79c16..5b1ff7b 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_unlink/rule.yml -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_unlink/rule.yml -@@ -48,4 +48,3 @@ references: - - {{{ complete_ocil_entry_audit_syscall(syscall="unlink") }}} - --platform: machine -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_unlinkat/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_unlinkat/rule.yml -index e330ec2..f8ca887 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_unlinkat/rule.yml -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_unlinkat/rule.yml -@@ -48,4 +48,3 @@ references: - - {{{ complete_ocil_entry_audit_syscall(syscall="unlinkat") }}} - --platform: machine -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/rule.yml -index 551ca92..3a5cad0 100644 ---- 
a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/rule.yml -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/rule.yml -@@ -71,4 +71,3 @@ warnings: -
  • audit_rules_kernel_module_loading_modprobe
  • - - --platform: machine -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_delete/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_delete/rule.yml -index 5797736..50b57ff 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_delete/rule.yml -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_delete/rule.yml -@@ -46,4 +46,3 @@ references: - - {{{ complete_ocil_entry_audit_syscall(syscall="delete_module") }}} - --platform: machine -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_finit/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_finit/rule.yml -index a98abfb..da9702d 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_finit/rule.yml -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_finit/rule.yml -@@ -46,4 +46,3 @@ references: - - {{{ complete_ocil_entry_audit_syscall(syscall="finit_module") }}} - --platform: machine -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_init/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_init/rule.yml -index 8e098d8..ea3b126 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_init/rule.yml -+++ 
b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_init/rule.yml -@@ -45,4 +45,3 @@ references: - - {{{ complete_ocil_entry_audit_syscall(syscall="init_module") }}} - --platform: machine -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_insmod/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_insmod/rule.yml -index 5bf3012..b3c0d36 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_insmod/rule.yml -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_insmod/rule.yml -@@ -49,4 +49,3 @@ ocil: |- - To verify that auditing is configured for system administrator actions, run the following command: -
    $ sudo auditctl -l | grep "watch=/usr/sbin/insmod\|-w /usr/sbin/insmod"
    - --platform: machine -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_modprobe/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_modprobe/rule.yml -index c734c5b..3a39469 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_modprobe/rule.yml -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_modprobe/rule.yml -@@ -49,4 +49,3 @@ ocil: |- - To verify that auditing is configured for system administrator actions, run the following command: -
    $ sudo auditctl -l | grep "watch=/usr/sbin/modprobe\|-w /usr/sbin/modprobe"
    - --platform: machine -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_rmmod/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_rmmod/rule.yml -index bd0cd78..c1554c3 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_rmmod/rule.yml -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_rmmod/rule.yml -@@ -49,4 +49,3 @@ ocil: |- - To verify that auditing is configured for system administrator actions, run the following command: -
    $ sudo auditctl -l | grep "watch=/usr/sbin/rmmod\|-w /usr/sbin/rmmod"
    - --platform: machine -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events/rule.yml -index e9de60b..5bcd7cf 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events/rule.yml -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events/rule.yml -@@ -58,4 +58,3 @@ warnings: -
  • audit_rules_login_events_lastlog
  • - - --platform: machine -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_faillock/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_faillock/rule.yml -index 015ad9c..508bbe1 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_faillock/rule.yml -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_faillock/rule.yml -@@ -51,4 +51,3 @@ ocil: |- - To verify that auditing is configured for system administrator actions, run the following command: -
    $ sudo auditctl -l | grep "watch=/var/run/faillock\|-w /var/run/faillock"
    - --platform: machine -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_lastlog/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_lastlog/rule.yml -index 5e3795c..5fae020 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_lastlog/rule.yml -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_lastlog/rule.yml -@@ -51,4 +51,3 @@ ocil: |- - To verify that auditing is configured for system administrator actions, run the following command: -
    $ sudo auditctl -l | grep "watch=/var/log/lastlog\|-w /var/log/lastlog"
    - --platform: machine -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_tallylog/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_tallylog/rule.yml -index 7ea479d..26c31e9 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_tallylog/rule.yml -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_tallylog/rule.yml -@@ -51,4 +51,3 @@ ocil: |- - To verify that auditing is configured for system administrator actions, run the following command: -
    $ sudo auditctl -l | grep "watch=/var/log/tallylog\|-w /var/log/tallylog"
    - --platform: machine -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/rule.yml -index 83dbbdd..7debab8 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/rule.yml -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/rule.yml -@@ -86,4 +86,3 @@ warnings: -
  • audit_rules_privileged_commands_passwd
  • - - --platform: machine -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_chage/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_chage/rule.yml -index f5e8b11..c655fa1 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_chage/rule.yml -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_chage/rule.yml -@@ -56,4 +56,3 @@ ocil: |- -
    $ sudo grep chage /etc/audit/audit.rules /etc/audit/rules.d/*
    - It should return a relevant line in the audit rules. - --platform: machine -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_chsh/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_chsh/rule.yml -index c5f7dd3..3884282 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_chsh/rule.yml -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_chsh/rule.yml -@@ -56,4 +56,3 @@ ocil: |- -
    $ sudo grep chsh /etc/audit/audit.rules /etc/audit/rules.d/*
    - It should return a relevant line in the audit rules. - --platform: machine -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_crontab/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_crontab/rule.yml -index a9bff8b..28fe87c 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_crontab/rule.yml -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_crontab/rule.yml -@@ -56,4 +56,3 @@ ocil: |- -
    $ sudo grep crontab /etc/audit/audit.rules /etc/audit/rules.d/*
    - It should return a relevant line in the audit rules. - --platform: machine -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_gpasswd/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_gpasswd/rule.yml -index 2a77c28..5254306 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_gpasswd/rule.yml -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_gpasswd/rule.yml -@@ -57,4 +57,3 @@ ocil: |- -
    $ sudo grep gpasswd /etc/audit/audit.rules /etc/audit/rules.d/*
    - It should return a relevant line in the audit rules. - --platform: machine -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_newgrp/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_newgrp/rule.yml -index cb92e81..e4138c0 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_newgrp/rule.yml -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_newgrp/rule.yml -@@ -57,4 +57,3 @@ ocil: |- -
    $ sudo grep newgrp /etc/audit/audit.rules /etc/audit/rules.d/*
    - It should return a relevant line in the audit rules. - --platform: machine -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_pam_timestamp_check/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_pam_timestamp_check/rule.yml -index 6249290..61e54af 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_pam_timestamp_check/rule.yml -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_pam_timestamp_check/rule.yml -@@ -56,4 +56,3 @@ ocil: |- -
    $ sudo grep pam_timestamp_check /etc/audit/audit.rules /etc/audit/rules.d/*
    - It should return a relevant line in the audit rules. - --platform: machine -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_passwd/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_passwd/rule.yml -index 7a41823..6ff660a 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_passwd/rule.yml -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_passwd/rule.yml -@@ -57,4 +57,3 @@ ocil: |- -
    $ sudo grep passwd /etc/audit/audit.rules /etc/audit/rules.d/*
    - It should return a relevant line in the audit rules. - --platform: machine -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_postdrop/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_postdrop/rule.yml -index 053ea23..cab809e 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_postdrop/rule.yml -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_postdrop/rule.yml -@@ -56,4 +56,3 @@ ocil: |- -
    $ sudo grep postdrop /etc/audit/audit.rules /etc/audit/rules.d/*
    - It should return a relevant line in the audit rules. - --platform: machine -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_postqueue/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_postqueue/rule.yml -index 0b5188f..206606a 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_postqueue/rule.yml -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_postqueue/rule.yml -@@ -56,4 +56,3 @@ ocil: |- -
    $ sudo grep postqueue /etc/audit/audit.rules /etc/audit/rules.d/*
    - It should return a relevant line in the audit rules. - --platform: machine -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_pt_chown/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_pt_chown/rule.yml -index dd3a189..fd231b8 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_pt_chown/rule.yml -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_pt_chown/rule.yml -@@ -54,4 +54,3 @@ ocil: |- -
    $ sudo grep pt_chown /etc/audit/audit.rules /etc/audit/rules.d/*
    - It should return a relevant line in the audit rules. - --platform: machine -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_ssh_keysign/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_ssh_keysign/rule.yml -index d27edda..89b09f2 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_ssh_keysign/rule.yml -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_ssh_keysign/rule.yml -@@ -57,4 +57,3 @@ ocil: |- -
    $ sudo grep ssh-keysign /etc/audit/audit.rules /etc/audit/rules.d/*
    - It should return a relevant line in the audit rules. - --platform: machine -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_su/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_su/rule.yml -index 10b060f..8587f72 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_su/rule.yml -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_su/rule.yml -@@ -57,4 +57,3 @@ ocil: |- -
    $ sudo grep su /etc/audit/audit.rules /etc/audit/rules.d/*
    - It should return a relevant line in the audit rules. - --platform: machine -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_sudo/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_sudo/rule.yml -index e1366d3..b6865ab 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_sudo/rule.yml -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_sudo/rule.yml -@@ -57,4 +57,3 @@ ocil: |- -
    $ sudo grep sudo /etc/audit/audit.rules /etc/audit/rules.d/*
    - It should return a relevant line in the audit rules. - --platform: machine -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_sudoedit/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_sudoedit/rule.yml -index 7b33ea2..0289b75 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_sudoedit/rule.yml -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_sudoedit/rule.yml -@@ -57,4 +57,3 @@ ocil: |- -
    $ sudo grep sudoedit /etc/audit/audit.rules /etc/audit/rules.d/*
    - It should return a relevant line in the audit rules. - --platform: machine -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_umount/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_umount/rule.yml -index 5c35c29..aa029ef 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_umount/rule.yml -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_umount/rule.yml -@@ -56,4 +56,3 @@ ocil: |- -
    $ sudo grep umount /etc/audit/audit.rules /etc/audit/rules.d/*
    - It should return a relevant line in the audit rules. - --platform: machine -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_unix_chkpwd/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_unix_chkpwd/rule.yml -index dbda1c3..8bfc971 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_unix_chkpwd/rule.yml -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_unix_chkpwd/rule.yml -@@ -57,4 +57,3 @@ ocil: |- -
    $ sudo grep unix_chkpwd /etc/audit/audit.rules /etc/audit/rules.d/*
    - It should return a relevant line in the audit rules. - --platform: machine -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_userhelper/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_userhelper/rule.yml -index d6ff871..1508def 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_userhelper/rule.yml -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_userhelper/rule.yml -@@ -57,4 +57,3 @@ ocil: |- -
    $ sudo grep userhelper /etc/audit/audit.rules /etc/audit/rules.d/*
    - It should return a relevant line in the audit rules. - --platform: machine -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_immutable/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_immutable/rule.yml -index 3fe0463..619bed8 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_immutable/rule.yml -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_immutable/rule.yml -@@ -43,4 +43,3 @@ references: - iso27001-2013: A.10.1.1,A.11.1.4,A.11.1.5,A.11.2.1,A.12.4.1,A.12.4.2,A.12.4.3,A.12.4.4,A.12.7.1,A.13.1.1,A.13.1.3,A.13.2.1,A.13.2.3,A.13.2.4,A.14.1.2,A.14.1.3,A.15.2.1,A.15.2.2,A.16.1.4,A.16.1.5,A.16.1.7,A.6.1.2,A.7.1.1,A.7.1.2,A.7.3.1,A.8.2.2,A.8.2.3,A.9.1.1,A.9.1.2,A.9.2.3,A.9.4.1,A.9.4.4,A.9.4.5 - cis-csc: 1,11,12,13,14,15,16,18,19,3,4,5,6,7,8 - --platform: machine -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_mac_modification/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_mac_modification/rule.yml -index 4f54a47..1814663 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_mac_modification/rule.yml -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_mac_modification/rule.yml -@@ -54,4 +54,3 @@ ocil: |- - configuration, a line should be returned (including - perm=wa indicating permissions that are watched). 
- --platform: machine -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_media_export/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_media_export/rule.yml -index 740d7c6..d0c39af 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_media_export/rule.yml -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_media_export/rule.yml -@@ -57,4 +57,3 @@ ocil: |- - To verify that auditing is configured for all media exportation events, run the following command: -
    $ sudo auditctl -l | grep syscall | grep mount
    - --platform: machine -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_networkconfig_modification/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_networkconfig_modification/rule.yml -index af42de6..6d9efc2 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_networkconfig_modification/rule.yml -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_networkconfig_modification/rule.yml -@@ -62,4 +62,3 @@ ocil: |- - If the system is configured to watch for network configuration changes, a line should be returned for - each file specified (and perm=wa should be indicated for each). - --platform: machine -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_session_events/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_session_events/rule.yml -index b0b3c5f..792d64c 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_session_events/rule.yml -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_session_events/rule.yml -@@ -48,4 +48,3 @@ references: - iso27001-2013: A.11.2.6,A.12.4.1,A.12.4.2,A.12.4.3,A.12.4.4,A.12.7.1,A.13.1.1,A.13.2.1,A.14.1.3,A.14.2.7,A.15.2.1,A.15.2.2,A.16.1.4,A.16.1.5,A.16.1.7,A.6.2.1,A.6.2.2 - cis-csc: 1,11,12,13,14,15,16,19,2,3,4,5,6,7,8,9 - --platform: machine -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sysadmin_actions/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sysadmin_actions/rule.yml -index 436d093..03beb79 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sysadmin_actions/rule.yml -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sysadmin_actions/rule.yml -@@ -54,4 +54,3 @@ ocil: |- - To verify that auditing is configured for system administrator actions, run the following command: -
    $ sudo auditctl -l | grep "watch=/etc/sudoers\|watch=/etc/sudoers.d\|-w /etc/sudoers\|-w /etc/sudoers.d"
    - --platform: machine -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/rule.yml -index 21f5b25..92564b9 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/rule.yml -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/rule.yml -@@ -54,4 +54,3 @@ ocil: |- - The output should contain: -
    -f 2
    - --platform: machine -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification/rule.yml -index 5dc997b..7ff82bf 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification/rule.yml -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification/rule.yml -@@ -77,4 +77,3 @@ warnings: -
  • audit_rules_usergroup_modification_passwd
  • - - --platform: machine -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_group/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_group/rule.yml -index 7639721..5604748 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_group/rule.yml -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_group/rule.yml -@@ -60,4 +60,3 @@ ocil: |- - If the system is configured to watch for account changes, lines should be returned for - each file specified (and with perm=wa for each). - --platform: machine -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_gshadow/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_gshadow/rule.yml -index 4dd886e..0fb6873 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_gshadow/rule.yml -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_gshadow/rule.yml -@@ -60,4 +60,3 @@ ocil: |- - If the system is configured to watch for account changes, lines should be returned for - each file specified (and with perm=wa for each). 
- --platform: machine -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_opasswd/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_opasswd/rule.yml -index aeb9241..22e8114 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_opasswd/rule.yml -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_opasswd/rule.yml -@@ -60,4 +60,3 @@ ocil: |- - If the system is configured to watch for account changes, lines should be returned for - each file specified (and with perm=wa for each). - --platform: machine -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_passwd/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_passwd/rule.yml -index e1dc4d0..e07a77f 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_passwd/rule.yml -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_passwd/rule.yml -@@ -60,4 +60,3 @@ ocil: |- - If the system is configured to watch for account changes, lines should be returned for - each file specified (and with perm=wa for each). 
- --platform: machine -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_shadow/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_shadow/rule.yml -index 2bbba00..18294e2 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_shadow/rule.yml -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_shadow/rule.yml -@@ -60,4 +60,3 @@ ocil: |- - If the system is configured to watch for account changes, lines should be returned for - each file specified (and with perm=wa for each). - --platform: machine -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_adjtimex/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_adjtimex/rule.yml -index f250c07..e511b12 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_adjtimex/rule.yml -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_adjtimex/rule.yml -@@ -58,4 +58,3 @@ ocil_clause: 'the system is not configured to audit time changes' - - {{{ complete_ocil_entry_audit_syscall(syscall="adjtimex") }}} - --platform: machine -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_clock_settime/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_clock_settime/rule.yml -index d0371e2..52544e7 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_clock_settime/rule.yml -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_clock_settime/rule.yml -@@ -58,4 +58,3 @@ ocil_clause: 'the system is not configured to audit time changes' - - {{{ 
complete_ocil_entry_audit_syscall(syscall="clock_settime") }}} - --platform: machine -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_settimeofday/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_settimeofday/rule.yml -index 9d21d98..a7b87b2 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_settimeofday/rule.yml -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_settimeofday/rule.yml -@@ -58,4 +58,3 @@ ocil_clause: 'the system is not configured to audit time changes' - - {{{ complete_ocil_entry_audit_syscall(syscall="settimeofday") }}} - --platform: machine -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_stime/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_stime/rule.yml -index 09dd535..4f069dc 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_stime/rule.yml -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_stime/rule.yml -@@ -64,4 +64,3 @@ ocil: |- - If the system is 64-bit only, this is not applicable
    - {{{ complete_ocil_entry_audit_syscall(syscall="stime") }}} - --platform: machine -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_watch_localtime/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_watch_localtime/rule.yml -index ed393a4..8e2b77f 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_watch_localtime/rule.yml -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_watch_localtime/rule.yml -@@ -57,4 +57,3 @@ ocil: |- -
    $ sudo auditctl -l | grep "watch=/etc/localtime"
    - If the system is configured to audit this activity, it will return a line. - --platform: machine -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification/rule.yml -index ae079ab..30780c7 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification/rule.yml -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification/rule.yml -@@ -72,4 +72,3 @@ warnings: -
  • audit_rules_unsuccessful_file_modification_creat
  • - - --platform: machine -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_creat/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_creat/rule.yml -index f797fa7..7d1fee5 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_creat/rule.yml -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_creat/rule.yml -@@ -62,4 +62,3 @@ warnings: - have been placed independent of other system calls. Grouping these system - calls with others as identifying earlier in this guide is more efficient. - --platform: machine -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_ftruncate/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_ftruncate/rule.yml -index d737fcd..5186f7a 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_ftruncate/rule.yml -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_ftruncate/rule.yml -@@ -62,4 +62,3 @@ warnings: - have been placed independent of other system calls. Grouping these system - calls with others as identifying earlier in this guide is more efficient. 
- --platform: machine -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_open/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_open/rule.yml -index a5f1d03..9cf0a90 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_open/rule.yml -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_open/rule.yml -@@ -62,4 +62,3 @@ warnings: - have been placed independent of other system calls. Grouping these system - calls with others as identifying earlier in this guide is more efficient. - --platform: machine -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_open_by_handle_at/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_open_by_handle_at/rule.yml -index 6571e87..6f523f1 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_open_by_handle_at/rule.yml -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_open_by_handle_at/rule.yml -@@ -62,4 +62,3 @@ warnings: - have been placed independent of other system calls. Grouping these system - calls with others as identifying earlier in this guide is more efficient. 
- --platform: machine -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_openat/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_openat/rule.yml -index eec216c..0ed0a60 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_openat/rule.yml -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_openat/rule.yml -@@ -62,4 +62,3 @@ warnings: - have been placed independent of other system calls. Grouping these system - calls with others as identifying earlier in this guide is more efficient. - --platform: machine -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_truncate/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_truncate/rule.yml -index d6c3608..ce91925 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_truncate/rule.yml -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_truncate/rule.yml -@@ -62,4 +62,3 @@ warnings: - have been placed independent of other system calls. Grouping these system - calls with others as identifying earlier in this guide is more efficient. 
- --platform: machine -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/directory_access_var_log_audit/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/directory_access_var_log_audit/rule.yml -index 90e5181..5981689 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/directory_access_var_log_audit/rule.yml -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/directory_access_var_log_audit/rule.yml -@@ -34,3 +34,5 @@ ocil: |- - /var/log/audit directory, run the following command: -
    $ sudo grep "dir=/var/log/audit" /etc/audit/audit.rules
    - If the system is configured to audit this activity, it will return a line. -+ -+platform: machine -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/file_ownership_var_log_audit/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/file_ownership_var_log_audit/rule.yml -index e0ba2a5..41a0ae9 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/file_ownership_var_log_audit/rule.yml -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/file_ownership_var_log_audit/rule.yml -@@ -39,4 +39,3 @@ ocil: |- - {{{ describe_file_owner(file="/var/log/audit", owner="root") }}} - {{{ describe_file_owner(file="/var/log/audit/*", owner="root") }}} - --platform: machine -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/file_permissions_var_log_audit/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/file_permissions_var_log_audit/rule.yml -index b9ae2ef..851d1bb 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/file_permissions_var_log_audit/rule.yml -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/file_permissions_var_log_audit/rule.yml -@@ -43,4 +43,3 @@ ocil: |- -
    $ sudo ls -l /var/log/audit
    - Audit logs must be mode 0640 or less permissive. - --platform: machine -diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_configure_remote_server/rule.yml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_configure_remote_server/rule.yml -index e97f2d8..d760406 100644 ---- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_configure_remote_server/rule.yml -+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_configure_remote_server/rule.yml -@@ -51,4 +51,3 @@ ocil: |- - is an IP address or hostname: -
    remote_server = REMOTE_SYSTEM
    - --platform: machine -diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_disk_full_action/rule.yml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_disk_full_action/rule.yml -index 0635d1e..664b988 100644 ---- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_disk_full_action/rule.yml -+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_disk_full_action/rule.yml -@@ -41,4 +41,3 @@ ocil: |- - Acceptable values also include syslog and - halt. - --platform: machine -diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_encrypt_sent_records/rule.yml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_encrypt_sent_records/rule.yml -index 484464c..9327ca6 100644 ---- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_encrypt_sent_records/rule.yml -+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_encrypt_sent_records/rule.yml -@@ -48,4 +48,3 @@ ocil: |- -
    enable_krb5 = yes
    - {{% endif %}} - --platform: machine -diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_network_failure_action/rule.yml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_network_failure_action/rule.yml -index c8699c7..874df40 100644 ---- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_network_failure_action/rule.yml -+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_network_failure_action/rule.yml -@@ -41,4 +41,3 @@ ocil: |- - Acceptable values also include syslog and - halt. - --platform: machine -diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_syslog_plugin_activated/rule.yml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_syslog_plugin_activated/rule.yml -index 20bc9d2..e5a783b 100644 ---- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_syslog_plugin_activated/rule.yml -+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_syslog_plugin_activated/rule.yml -@@ -57,4 +57,3 @@ ocil: |- - {{% endif %}} - If the plugin is active, the output will show yes. - --platform: machine -diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_action_mail_acct/rule.yml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_action_mail_acct/rule.yml -index 19347e9..01a3b57 100644 ---- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_action_mail_acct/rule.yml -+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_action_mail_acct/rule.yml -@@ -48,4 +48,3 @@ ocil: |- - account when it needs to notify an administrator: -
    action_mail_acct = root
    - --platform: machine -diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_admin_space_left_action/rule.yml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_admin_space_left_action/rule.yml -index abb19df..cbd1ae6 100644 ---- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_admin_space_left_action/rule.yml -+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_admin_space_left_action/rule.yml -@@ -53,4 +53,3 @@ ocil: |- - or halt when disk space has run low: -
    admin_space_left_action single
    - --platform: machine -diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_flush/rule.yml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_flush/rule.yml -index 9b8dff7..e26cab6 100644 ---- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_flush/rule.yml -+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_flush/rule.yml -@@ -45,4 +45,3 @@ ocil: |- - Acceptable values are DATA, and SYNC. The setting is - case-insensitive. - --platform: machine -diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_max_log_file/rule.yml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_max_log_file/rule.yml -index fa9de00..66b30c2 100644 ---- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_max_log_file/rule.yml -+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_max_log_file/rule.yml -@@ -46,4 +46,3 @@ ocil: |- - $ sudo grep max_log_file /etc/audit/auditd.conf -
    max_log_file = 6
    - --platform: machine -diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_max_log_file_action/rule.yml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_max_log_file_action/rule.yml -index 70d95ff..5d685bb 100644 ---- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_max_log_file_action/rule.yml -+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_max_log_file_action/rule.yml -@@ -56,4 +56,3 @@ ocil: |- - $ sudo grep max_log_file_action /etc/audit/auditd.conf -
    max_log_file_action rotate
    - --platform: machine -diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_num_logs/rule.yml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_num_logs/rule.yml -index 76ca34b..3f88969 100644 ---- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_num_logs/rule.yml -+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_num_logs/rule.yml -@@ -45,4 +45,3 @@ ocil: |- - $ sudo grep num_logs /etc/audit/auditd.conf -
    num_logs = 5
    - --platform: machine -diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left/rule.yml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left/rule.yml -index 884f5dc..b185f06 100644 ---- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left/rule.yml -+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left/rule.yml -@@ -46,4 +46,3 @@ ocil: |- - determine if the system is configured correctly: -
    space_left SIZE_in_MB
    - --platform: machine -diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left_action/rule.yml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left_action/rule.yml -index 5f1c0c9..015b1c6 100644 ---- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left_action/rule.yml -+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left_action/rule.yml -@@ -63,4 +63,3 @@ ocil: |- -
    space_left_action
    - Acceptable values are email, suspend, single, and halt. - --platform: machine -diff --git a/linux_os/guide/system/auditing/group.yml b/linux_os/guide/system/auditing/group.yml -index 586caa9..82f87e8 100644 ---- a/linux_os/guide/system/auditing/group.yml -+++ b/linux_os/guide/system/auditing/group.yml -@@ -101,3 +101,6 @@ description: |- - the process, which in this case, is exe="/usr/sbin/httpd". - - -+ -+platform: machine -+ -diff --git a/linux_os/guide/system/auditing/grub2_audit_argument/rule.yml b/linux_os/guide/system/auditing/grub2_audit_argument/rule.yml -index 3e63c36..d8c5495 100644 ---- a/linux_os/guide/system/auditing/grub2_audit_argument/rule.yml -+++ b/linux_os/guide/system/auditing/grub2_audit_argument/rule.yml -@@ -69,4 +69,3 @@ warnings: - {{% endif %}} - - --platform: machine -diff --git a/linux_os/guide/system/auditing/grub2_audit_backlog_limit_argument/rule.yml b/linux_os/guide/system/auditing/grub2_audit_backlog_limit_argument/rule.yml -index b61c67d..ad03a9c 100644 ---- a/linux_os/guide/system/auditing/grub2_audit_backlog_limit_argument/rule.yml -+++ b/linux_os/guide/system/auditing/grub2_audit_backlog_limit_argument/rule.yml -@@ -52,3 +52,5 @@ warnings: -
    ~]# grub2-mkconfig -o /boot/efi/EFI/fedora/grub.cfg
    - {{% endif %}} - -+ -+platform: machine -diff --git a/linux_os/guide/system/auditing/service_auditd_enabled/rule.yml b/linux_os/guide/system/auditing/service_auditd_enabled/rule.yml -index b181588..91a4e67 100644 ---- a/linux_os/guide/system/auditing/service_auditd_enabled/rule.yml -+++ b/linux_os/guide/system/auditing/service_auditd_enabled/rule.yml -@@ -48,4 +48,3 @@ references: - - ocil: '{{{ ocil_service_enabled(service="auditd") }}}' - --platform: machine -diff --git a/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/rule.yml b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/rule.yml -index e5c8052..0c8992e 100644 ---- a/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/rule.yml -+++ b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/rule.yml -@@ -22,3 +22,5 @@ references: - nist: SC-39 - - {{{ complete_ocil_entry_sysctl_option_value(sysctl="kernel.kptr_restrict", value="1") }}} -+ -+platform: machine -diff --git a/linux_os/guide/system/permissions/restrictions/grub2_vsyscall_argument/rule.yml b/linux_os/guide/system/permissions/restrictions/grub2_vsyscall_argument/rule.yml -index c2d4f7a..8431198 100644 ---- a/linux_os/guide/system/permissions/restrictions/grub2_vsyscall_argument/rule.yml -+++ b/linux_os/guide/system/permissions/restrictions/grub2_vsyscall_argument/rule.yml -@@ -50,3 +50,5 @@ warnings: -
    ~]# grub2-mkconfig -o /boot/efi/EFI/fedora/grub.cfg
    - {{% endif %}} - -+ -+platform: machine -diff --git a/linux_os/guide/system/permissions/restrictions/poisoning/grub2_page_poison_argument/rule.yml b/linux_os/guide/system/permissions/restrictions/poisoning/grub2_page_poison_argument/rule.yml -index bedc3d4..97aa564 100644 ---- a/linux_os/guide/system/permissions/restrictions/poisoning/grub2_page_poison_argument/rule.yml -+++ b/linux_os/guide/system/permissions/restrictions/poisoning/grub2_page_poison_argument/rule.yml -@@ -53,3 +53,5 @@ warnings: -
    ~]# grub2-mkconfig -o /boot/efi/EFI/fedora/grub.cfg
    - {{% endif %}} - -+ -+platform: machine -diff --git a/linux_os/guide/system/permissions/restrictions/poisoning/grub2_slub_debug_argument/rule.yml b/linux_os/guide/system/permissions/restrictions/poisoning/grub2_slub_debug_argument/rule.yml -index bee9f1a..7762bfe 100644 ---- a/linux_os/guide/system/permissions/restrictions/poisoning/grub2_slub_debug_argument/rule.yml -+++ b/linux_os/guide/system/permissions/restrictions/poisoning/grub2_slub_debug_argument/rule.yml -@@ -53,3 +53,5 @@ warnings: -
    ~]# grub2-mkconfig -o /boot/efi/EFI/fedora/grub.cfg
    - {{% endif %}} - -+ -+platform: machine -diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_kexec_load_disabled/rule.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_kexec_load_disabled/rule.yml -index 1213164..e359566 100644 ---- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_kexec_load_disabled/rule.yml -+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_kexec_load_disabled/rule.yml -@@ -17,3 +17,4 @@ identifiers: - - {{{ complete_ocil_entry_sysctl_option_value(sysctl="kernel.kexec_load_disabled", value="1") }}} - -+platform: machine -diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_yama_ptrace_scope/rule.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_yama_ptrace_scope/rule.yml -index 86f0748..ad39585 100644 ---- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_yama_ptrace_scope/rule.yml -+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_yama_ptrace_scope/rule.yml -@@ -19,3 +19,4 @@ identifiers: - - {{{ complete_ocil_entry_sysctl_option_value(sysctl="kernel.yama.ptrace_scope", value="1") }}} - -+platform: machine -diff --git a/linux_os/guide/system/selinux/selinux_user_login_roles/rule.yml b/linux_os/guide/system/selinux/selinux_user_login_roles/rule.yml -index fc1f87b..80844ca 100644 ---- a/linux_os/guide/system/selinux/selinux_user_login_roles/rule.yml -+++ b/linux_os/guide/system/selinux/selinux_user_login_roles/rule.yml -@@ -54,3 +54,5 @@ ocil: |- - All authorized non-administrative - users must be mapped to the user_u role or the appropriate domain - (user_t). 
-+ -+platform: machine -diff --git a/linux_os/guide/system/software/integrity/fips/enable_fips_mode/rule.yml b/linux_os/guide/system/software/integrity/fips/enable_fips_mode/rule.yml -index b1315e1..94ebc4a 100644 ---- a/linux_os/guide/system/software/integrity/fips/enable_fips_mode/rule.yml -+++ b/linux_os/guide/system/software/integrity/fips/enable_fips_mode/rule.yml -@@ -53,5 +53,3 @@ warnings: -

    - See {{{ weblink(link="http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/1401vend.htm") }}} - for a list of FIPS certified vendors. -- --platform: machine -diff --git a/linux_os/guide/system/software/integrity/fips/etc_system_fips_exists/rule.yml b/linux_os/guide/system/software/integrity/fips/etc_system_fips_exists/rule.yml -index 303119f..c640718 100644 ---- a/linux_os/guide/system/software/integrity/fips/etc_system_fips_exists/rule.yml -+++ b/linux_os/guide/system/software/integrity/fips/etc_system_fips_exists/rule.yml -@@ -41,5 +41,3 @@ warnings: -

    - See {{{ weblink(link="http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/1401vend.htm") }}} - for a list of FIPS certified vendors. -- --platform: machine -diff --git a/linux_os/guide/system/software/integrity/fips/group.yml b/linux_os/guide/system/software/integrity/fips/group.yml -index d8719f6..abcfc29 100644 ---- a/linux_os/guide/system/software/integrity/fips/group.yml -+++ b/linux_os/guide/system/software/integrity/fips/group.yml -@@ -14,3 +14,5 @@ description: |- - Security Levels 1, 2, 3, or 4 for use on {{{ full_name }}}. -

    - See {{{ weblink(link="http://csrc.nist.gov/publications/PubsFIPS.html") }}} for more information. -+ -+platform: machine -diff --git a/linux_os/guide/system/software/integrity/fips/grub2_enable_fips_mode/rule.yml b/linux_os/guide/system/software/integrity/fips/grub2_enable_fips_mode/rule.yml -index 21687ed..1395d85 100644 ---- a/linux_os/guide/system/software/integrity/fips/grub2_enable_fips_mode/rule.yml -+++ b/linux_os/guide/system/software/integrity/fips/grub2_enable_fips_mode/rule.yml -@@ -70,5 +70,3 @@ warnings: -

    - See {{{ weblink(link="http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/1401vend.htm") }}} - for a list of FIPS certified vendors. -- --platform: machine -diff --git a/linux_os/guide/system/software/integrity/fips/sysctl_crypto_fips_enabled/rule.yml b/linux_os/guide/system/software/integrity/fips/sysctl_crypto_fips_enabled/rule.yml -index dac5329..f27dd2f 100644 ---- a/linux_os/guide/system/software/integrity/fips/sysctl_crypto_fips_enabled/rule.yml -+++ b/linux_os/guide/system/software/integrity/fips/sysctl_crypto_fips_enabled/rule.yml -@@ -49,5 +49,3 @@ warnings: -

    - See {{{ weblink(link="http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/1401vend.htm") }}} - for a list of FIPS certified vendors. -- --platform: machine diff --git a/SOURCES/scap-security-guide-0.1.45-smartcards_not_applicable_to_containers.patch b/SOURCES/scap-security-guide-0.1.45-smartcards_not_applicable_to_containers.patch deleted file mode 100644 index 2f8b167..0000000 --- a/SOURCES/scap-security-guide-0.1.45-smartcards_not_applicable_to_containers.patch +++ /dev/null 
@@ -1,31 +0,0 @@
-From eebf6eaae22d6d993b9351a0ccaad55ca2bff3d6 Mon Sep 17 00:00:00 2001
-From: Marek Haicman
-Date: Fri, 24 May 2019 12:33:57 +0200
-Subject: [PATCH] Smartcard not applicable to containers
-
-Smartcard configuration make sense on the host, not in general container base.
----
- .../accounts-physical/screen_locking/smart_card_login/group.yml | 2 ++
- .../smart_card_login/service_pcscd_enabled/rule.yml | 2 --
- 2 files changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/group.yml b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/group.yml
-index e1ee1122bd..5a2b0728cb 100644
---- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/group.yml
-+++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/group.yml
-@@ -11,3 +11,5 @@ description: |-
- In Red Hat Enterprise Linux servers and workstations, hardware token login
- {{% endif %}}
- is not enabled by default and must be enabled in the system settings.
-+
-+platform: machine
-diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/service_pcscd_enabled/rule.yml b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/service_pcscd_enabled/rule.yml
-index 03e37fd889..a49f9e755f 100644
---- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/service_pcscd_enabled/rule.yml
-+++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/service_pcscd_enabled/rule.yml
-@@ -33,5 +33,3 @@ references:
- ocil_clause: 'the pcscd service is not enabled'
-
- ocil: '{{{ ocil_service_enabled(service="pcscd") }}}'
--
--platform: machine
diff --git a/SOURCES/scap-security-guide-0.1.47-add_-t_parameter_to_fix_audit_syscall_rule.patch b/SOURCES/scap-security-guide-0.1.47-add_-t_parameter_to_fix_audit_syscall_rule.patch
new file mode 100644
index 0000000..ece79f4
--- /dev/null
+++ b/SOURCES/scap-security-guide-0.1.47-add_-t_parameter_to_fix_audit_syscall_rule.patch
@@ -0,0 +1,31 @@
+From 9df5bac6e7ee74c75c750ff15bf3d36c5d9a653f Mon Sep 17 00:00:00 2001
+From: Milan Lysonek
+Date: Tue, 1 Oct 2019 16:56:37 +0200
+Subject: [PATCH] Add -t parameter for readarray to remove trailing newline.
+
+---
+ shared/bash_remediation_functions/fix_audit_syscall_rule.sh | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/shared/bash_remediation_functions/fix_audit_syscall_rule.sh b/shared/bash_remediation_functions/fix_audit_syscall_rule.sh
+index 25f80fe30b..d91e4f7b62 100644
+--- a/shared/bash_remediation_functions/fix_audit_syscall_rule.sh
++++ b/shared/bash_remediation_functions/fix_audit_syscall_rule.sh
+@@ -82,7 +82,7 @@ elif [ "$tool" == 'augenrules' ]
+ then
+ # Extract audit $key from audit rule so we can use it later
+ key=$(expr "$full_rule" : '.*-k[[:space:]]\([^[:space:]]\+\)' '|' "$full_rule" : '.*-F[[:space:]]key=\([^[:space:]]\+\)')
+- readarray matches < <(sed -s -n -e "\;${pattern};!d" -e "/${arch}/!d" -e "/${group}/!d;F" /etc/audit/rules.d/*.rules)
++ readarray -t matches < <(sed -s -n -e "\;${pattern};!d" -e "/${arch}/!d" -e "/${group}/!d;F" /etc/audit/rules.d/*.rules)
+ if [ $? -ne 0 ]
+ then
+ retval=1
+@@ -114,7 +114,7 @@ do
+ # * follow the rule pattern, and
+ # * meet the hardware architecture requirement, and
+ # * are current syscall group specific
+- readarray existing_rules < <(sed -e "\;${pattern};!d" -e "/${arch}/!d" -e "/${group}/!d" "$audit_file")
++ readarray -t existing_rules < <(sed -e "\;${pattern};!d" -e "/${arch}/!d" -e "/${group}/!d" "$audit_file")
+ if [ $? -ne 0 ]
+ then
+ retval=1
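Review bot: The `if [ $? -ne 0 ]` that follows each new `readarray -t ... < <(sed ...)` line tests the exit status of readarray, not of the sed inside the process substitution, so a sed failure (unreadable rules file, malformed pattern) leaves `retval` untouched and the function continues with an empty array. If sed's status is what should set `retval=1`, capture the output first and check that: `if ! raw=$(sed -s -n -e "\;${pattern};!d" -e "/${arch}/!d" -e "/${group}/!d;F" /etc/audit/rules.d/*.rules); then retval=1; fi` followed by `[ -n "$raw" ] && readarray -t matches <<< "$raw"`, so an empty result does not become a single empty element. The same pattern applies to the `existing_rules` hunk below it. The `-t` itself is the right fix for the trailing-newline comparison; the enclosing function starts and ends outside both hunks.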
diff --git a/SOURCES/scap-security-guide-0.1.47-add_missing_cce_sudo_require_authentication.patch b/SOURCES/scap-security-guide-0.1.47-add_missing_cce_sudo_require_authentication.patch
new file mode 100644
index 0000000..e1020b6
--- /dev/null
+++ b/SOURCES/scap-security-guide-0.1.47-add_missing_cce_sudo_require_authentication.patch
@@ -0,0 +1,19 @@
+commit 12ee9b8f0b3829ab7dff76992764e38032fc7346
+Author: Matěj Týč
+Date: Fri Oct 11 15:55:56 2019 +0200
+
+ Added missing CCEs.
+
+diff --git a/linux_os/guide/system/software/sudo/sudo_require_authentication/rule.yml b/linux_os/guide/system/software/sudo/sudo_require_authentication/rule.yml
+index e542b8965..1ad038f77 100644
+--- a/linux_os/guide/system/software/sudo/sudo_require_authentication/rule.yml
++++ b/linux_os/guide/system/software/sudo/sudo_require_authentication/rule.yml
+@@ -21,6 +21,8 @@ severity: medium
+
+ identifiers:
+ cce@rhel6: 80506-9
++ cce@rhel7: 82278-3
++ cce@rhel8: 82279-1
+
+ references:
+ disa@rhel6: "2038"
diff --git a/SOURCES/scap-security-guide-0.1.47-compare_suid_files_with_rpm.patch b/SOURCES/scap-security-guide-0.1.47-compare_suid_files_with_rpm.patch
new file mode 100644
index 0000000..e15c07c
--- /dev/null
+++ b/SOURCES/scap-security-guide-0.1.47-compare_suid_files_with_rpm.patch
@@ -0,0 +1,1013 @@ +From b457ba1cf5ea6043a501ecc45f7a54c4de61b372 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= +Date: Mon, 22 Jul 2019 15:26:48 +0200 +Subject: [PATCH 1/6] Compare suid/sgid files with the RPM database + +It is difficult to maintain the list to list paths of all possible suid +and sgid binaries in a Linux distribution. Instead, we can check if the +suid or sgid file is owned by an RPM package by consulting the RPM +database. Another advantage of this solution is that we can have a +single OVAL for all RPM-related Linux distributions. The patch modifies +OVAL for rules file_permissions_unauthorized_suid and +file_permissions_unauthorized_sgid and also adds test scenarios for +these rules. +Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1693026 +--- + .../oval/shared.xml | 131 ++++++++---------- + .../oval/wrlinux.xml | 42 ------ + .../tests/no_unpackaged_sgid.pass.sh | 10 ++ + .../tests/unpackaged_sgid.fail.sh | 13 ++ + .../oval/ol7.xml | 93 ------------- + .../oval/ol8.xml | 93 ------------- + .../oval/rhel6.xml | 99 ------------- + .../oval/rhel7.xml | 95 ------------- + .../oval/shared.xml | 62 +++++++++ + .../oval/wrlinux.xml | 55 -------- + .../tests/no_unpackaged_suid.pass.sh | 10 ++ + .../tests/unpackaged_suid.fail.sh | 13 ++ + 12 files changed, 162 insertions(+), 554 deletions(-) + delete mode 100644 linux_os/guide/system/permissions/files/file_permissions_unauthorized_sgid/oval/wrlinux.xml + create mode 100644 linux_os/guide/system/permissions/files/file_permissions_unauthorized_sgid/tests/no_unpackaged_sgid.pass.sh + create mode 100644 linux_os/guide/system/permissions/files/file_permissions_unauthorized_sgid/tests/unpackaged_sgid.fail.sh + delete mode 100644 linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/oval/ol7.xml + delete mode 100644 linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/oval/ol8.xml + delete mode 100644 
linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/oval/rhel6.xml + delete mode 100644 linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/oval/rhel7.xml + create mode 100644 linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/oval/shared.xml + delete mode 100644 linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/oval/wrlinux.xml + create mode 100644 linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/tests/no_unpackaged_suid.pass.sh + create mode 100644 linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/tests/unpackaged_suid.fail.sh + +diff --git a/linux_os/guide/system/permissions/files/file_permissions_unauthorized_sgid/oval/shared.xml b/linux_os/guide/system/permissions/files/file_permissions_unauthorized_sgid/oval/shared.xml +index de4b86c3e0..83988feec7 100644 +--- a/linux_os/guide/system/permissions/files/file_permissions_unauthorized_sgid/oval/shared.xml ++++ b/linux_os/guide/system/permissions/files/file_permissions_unauthorized_sgid/oval/shared.xml +@@ -1,85 +1,62 @@ + +- +- +- Find setgid files system packages +- +- multi_platform_rhel +- multi_platform_ol +- +- All files with setgid should be owned by a base system package +- +- +- +- +- ++ ++ ++ Find SGID files that are not owned by RPM packages ++ ++ multi_platform_fedora ++ multi_platform_rhel ++ multi_platform_ol ++ multi_platform_wrlinux ++ ++ Evaluates to true if all files with SGID set are owned by RPM packages. 
++ ++ ++ ++ ++ + +- +- +- ++ ++ ++ + +- +- +- / +- ^.*$ +- state_file_permissions_unauthorized_sgid +- state_sgid_whitelist +- ++ ++ ++ / ++ ^.*$ ++ state_file_permissions_unauthorized_sgid_sgid_set ++ state_file_permissions_unauthorized_sgid_filepaths ++ + +- +- true +- ++ ++ ++ .* ++ .* ++ .* ++ .* ++ .* ++ ++ + +- +- +- +- ++ ++ ++ / ++ ^.*$ ++ state_file_permissions_unauthorized_sgid_sgid_set ++ + +- +- {{% if product == "rhel6" %}} +- /bin/cgclassify +- /bin/cgexec +- /sbin/netreport +- {{% else %}} +- /usr/bin/cgclassify +- /usr/bin/cgexec +- /usr/sbin/netreport +- /usr/lib/vte-2.90/gnome-pty-helper +- /usr/lib/vte-2.91/gnome-pty-helper +- /usr/lib64/vte/gnome-pty-helper +- /usr/lib64/vte-2.90/gnome-pty-helper +- /usr/lib64/vte-2.91/gnome-pty-helper +- /usr/libexec/abrt-action-install-debuginfo-to-abrt-cache +- /usr/libexec/openssh/ssh-keysign +- {{% endif %}} +- /usr/bin/crontab +- /usr/bin/gnomine +- /usr/bin/iagno +- /usr/bin/locate +- /usr/bin/lockfile +- /usr/bin/same-gnome +- /usr/bin/screen +- /usr/bin/ssh-agent +- /usr/bin/wall +- /usr/bin/write +- /usr/lib/vte/gnome-pty-helper +- /usr/libexec/kde4/kdesud +- /usr/libexec/utempter/utempter +- /usr/lib/mailman/cgi-bin/admindb +- /usr/lib/mailman/cgi-bin/admin +- /usr/lib/mailman/cgi-bin/confirm +- /usr/lib/mailman/cgi-bin/create +- /usr/lib/mailman/cgi-bin/edithtml +- /usr/lib/mailman/cgi-bin/listinfo +- /usr/lib/mailman/cgi-bin/options +- /usr/lib/mailman/cgi-bin/private +- /usr/lib/mailman/cgi-bin/rmlist +- /usr/lib/mailman/cgi-bin/roster +- /usr/lib/mailman/cgi-bin/subscribe +- /usr/lib/mailman/mail/mailman +- /usr/sbin/lockdev +- /usr/sbin/postdrop +- /usr/sbin/postqueue +- /usr/sbin/sendmail.sendmail +- ++ ++ true ++ + ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ + +diff --git a/linux_os/guide/system/permissions/files/file_permissions_unauthorized_sgid/oval/wrlinux.xml b/linux_os/guide/system/permissions/files/file_permissions_unauthorized_sgid/oval/wrlinux.xml +deleted file mode 100644 +index 
962a26d5f3..0000000000 +--- a/linux_os/guide/system/permissions/files/file_permissions_unauthorized_sgid/oval/wrlinux.xml ++++ /dev/null +@@ -1,42 +0,0 @@ +- +- +- +- Find setgid files system packages +- +- Wind River Linux 8 +- +- All files with setgid should be owned by a base system package +- +- +- +- +- +- +- +- +- +- +- +- +- / +- ^.*$ +- state_file_permissions_unauthorized_sgid +- state_sgid_whitelist +- +- +- +- true +- +- +- +- +- +- +- +- +- /usr/bin/crontab +- /usr/sbin/postdrop +- /usr/sbin/postqueue +- +- +- +diff --git a/linux_os/guide/system/permissions/files/file_permissions_unauthorized_sgid/tests/no_unpackaged_sgid.pass.sh b/linux_os/guide/system/permissions/files/file_permissions_unauthorized_sgid/tests/no_unpackaged_sgid.pass.sh +new file mode 100644 +index 0000000000..adf6b6b959 +--- /dev/null ++++ b/linux_os/guide/system/permissions/files/file_permissions_unauthorized_sgid/tests/no_unpackaged_sgid.pass.sh +@@ -0,0 +1,10 @@ ++#!/bin/bash ++ ++# profiles = xccdf_org.ssgproject.content_profile_standard ++# remediation = none ++ ++for x in $(find / -perm /g=s) ; do ++ if ! rpm -qf $x ; then ++ rm -rf $x ++ fi ++done +diff --git a/linux_os/guide/system/permissions/files/file_permissions_unauthorized_sgid/tests/unpackaged_sgid.fail.sh b/linux_os/guide/system/permissions/files/file_permissions_unauthorized_sgid/tests/unpackaged_sgid.fail.sh +new file mode 100644 +index 0000000000..4aa273ca89 +--- /dev/null ++++ b/linux_os/guide/system/permissions/files/file_permissions_unauthorized_sgid/tests/unpackaged_sgid.fail.sh +@@ -0,0 +1,13 @@ ++#!/bin/bash ++ ++# profiles = xccdf_org.ssgproject.content_profile_standard ++# remediation = none ++ ++for x in $(find / -perm /g=s) ; do ++ if ! 
rpm -qf $x ; then ++ rm -rf $x ++ fi ++done ++ ++touch /usr/bin/sgid_binary ++chmod g+xs /usr/bin/sgid_binary +diff --git a/linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/oval/ol7.xml b/linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/oval/ol7.xml +deleted file mode 100644 +index 6f4a87e3fb..0000000000 +--- a/linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/oval/ol7.xml ++++ /dev/null +@@ -1,93 +0,0 @@ +- +- +- +- Find setuid files from system packages +- +- Oracle Linux 7 +- +- All files with setuid should be owned by a base system package +- +- +- +- +- +- +- +- +- +- +- +- +- / +- ^.*$ +- state_file_permissions_unauthorized_suid +- state_suid_whitelist +- +- +- +- true +- +- +- +- +- +- +- +- +- +- /usr/bin/abrt-action-install-debuginfo-to-abrt-cache +- /usr/bin/at +- /usr/bin/chage +- /usr/bin/chfn +- /usr/bin/chsh +- /usr/bin/crontab +- /usr/bin/fusermount +- /usr/bin/gpasswd +- /usr/bin/ksu +- /usr/bin/mount +- /usr/bin/newgrp +- /usr/bin/passwd +- /usr/bin/pkexec +- /usr/bin/staprun +- /usr/bin/sudoedit +- /usr/bin/sudo +- /usr/bin/su +- /usr/bin/umount +- /usr/bin/Xorg +- /usr/lib64/amanda/application/amgtar +- /usr/lib64/amanda/application/amstar +- /usr/lib64/amanda/calcsize +- /usr/lib64/amanda/dumper +- /usr/lib64/amanda/killpgrp +- /usr/lib64/amanda/planner +- /usr/lib64/amanda/rundump +- /usr/lib64/amanda/runtar +- /usr/lib64/dbus-1/dbus-daemon-launch-helper +- /usr/lib/amanda/application/amgtar +- /usr/lib/amanda/application/amstar +- /usr/lib/amanda/calcsize +- /usr/lib/amanda/dumper +- /usr/lib/amanda/killpgrp +- /usr/lib/amanda/planner +- /usr/lib/amanda/rundump +- /usr/lib/amanda/runtar +- /usr/lib/dbus-1/dbus-daemon-launch-helper +- /usr/libexec/abrt-action-install-debuginfo-to-abrt-cache +- /usr/libexec/kde4/kpac_dhcp_helper +- /usr/libexec/qemu-bridge-helper +- /usr/libexec/spice-gtk-x86_64/spice-client-glib-usb-acl-helper +- /usr/libexec/sssd/krb5_child +- 
/usr/libexec/sssd/ldap_child +- /usr/libexec/sssd/proxy_child +- /usr/libexec/sssd/selinux_child +- /usr/lib/polkit-1/polkit-agent-helper-1 +- /usr/sbin/amcheck +- /usr/sbin/amservice +- /usr/sbin/mount.nfs +- /usr/sbin/pam_timestamp_check +- /usr/sbin/unix_chkpwd +- /usr/sbin/userhelper +- /usr/sbin/usernetctl +- +- +- +diff --git a/linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/oval/ol8.xml b/linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/oval/ol8.xml +deleted file mode 100644 +index f185efc221..0000000000 +--- a/linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/oval/ol8.xml ++++ /dev/null +@@ -1,93 +0,0 @@ +- +- +- +- Find setuid files from system packages +- +- Oracle Linux 8 +- +- All files with setuid should be owned by a base system package +- +- +- +- +- +- +- +- +- +- +- +- +- / +- ^.*$ +- state_file_permissions_unauthorized_suid +- state_suid_whitelist +- +- +- +- true +- +- +- +- +- +- +- +- +- +- /usr/bin/abrt-action-install-debuginfo-to-abrt-cache +- /usr/bin/at +- /usr/bin/chage +- /usr/bin/chfn +- /usr/bin/chsh +- /usr/bin/crontab +- /usr/bin/fusermount +- /usr/bin/gpasswd +- /usr/bin/ksu +- /usr/bin/mount +- /usr/bin/newgrp +- /usr/bin/passwd +- /usr/bin/pkexec +- /usr/bin/staprun +- /usr/bin/sudoedit +- /usr/bin/sudo +- /usr/bin/su +- /usr/bin/umount +- /usr/bin/Xorg +- /usr/lib64/amanda/application/amgtar +- /usr/lib64/amanda/application/amstar +- /usr/lib64/amanda/calcsize +- /usr/lib64/amanda/dumper +- /usr/lib64/amanda/killpgrp +- /usr/lib64/amanda/planner +- /usr/lib64/amanda/rundump +- /usr/lib64/amanda/runtar +- /usr/lib64/dbus-1/dbus-daemon-launch-helper +- /usr/lib/amanda/application/amgtar +- /usr/lib/amanda/application/amstar +- /usr/lib/amanda/calcsize +- /usr/lib/amanda/dumper +- /usr/lib/amanda/killpgrp +- /usr/lib/amanda/planner +- /usr/lib/amanda/rundump +- /usr/lib/amanda/runtar +- /usr/lib/dbus-1/dbus-daemon-launch-helper +- 
/usr/libexec/abrt-action-install-debuginfo-to-abrt-cache +- /usr/libexec/kde4/kpac_dhcp_helper +- /usr/libexec/qemu-bridge-helper +- /usr/libexec/spice-gtk-x86_64/spice-client-glib-usb-acl-helper +- /usr/libexec/sssd/krb5_child +- /usr/libexec/sssd/ldap_child +- /usr/libexec/sssd/proxy_child +- /usr/libexec/sssd/selinux_child +- /usr/lib/polkit-1/polkit-agent-helper-1 +- /usr/sbin/amcheck +- /usr/sbin/amservice +- /usr/sbin/mount.nfs +- /usr/sbin/pam_timestamp_check +- /usr/sbin/unix_chkpwd +- /usr/sbin/userhelper +- /usr/sbin/usernetctl +- +- +- +diff --git a/linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/oval/rhel6.xml b/linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/oval/rhel6.xml +deleted file mode 100644 +index 3a59897356..0000000000 +--- a/linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/oval/rhel6.xml ++++ /dev/null +@@ -1,99 +0,0 @@ +- +- +- +- Find setuid files from system packages +- +- Red Hat Enterprise Linux 6 +- +- All files with setuid should be owned by a base system package +- +- +- +- +- +- +- +- +- +- +- +- +- / +- ^.*$ +- state_file_permissions_unauthorized_suid +- state_suid_whitelist +- +- +- +- true +- +- +- +- +- +- +- +- +- /bin/fusermount +- /bin/mount +- /bin/ping6 +- /bin/ping +- /bin/su +- /bin/umount +- /lib64/dbus-1/dbus-daemon-launch-helper +- /lib/dbus-1/dbus-daemon-launch-helper +- /sbin/mount.ecryptfs_private +- /sbin/mount.nfs +- /sbin/pam_timestamp_check +- /sbin/unix_chkpwd +- /usr/bin/abrt-action-install-debuginfo-to-abrt-cache +- /usr/bin/at +- /usr/bin/chage +- /usr/bin/chfn +- /usr/bin/chsh +- /usr/bin/crontab +- /usr/bin/gpasswd +- /usr/bin/kgrantpty +- /usr/bin/kpac_dhcp_helper +- /usr/bin/ksu +- /usr/bin/newgrp +- /usr/bin/newrole +- /usr/bin/passwd +- /usr/bin/pkexec +- /usr/bin/rcp +- /usr/bin/rlogin +- /usr/bin/rsh +- /usr/bin/sperl5.10.1 +- /usr/bin/staprun +- /usr/bin/sudoedit +- /usr/bin/sudo +- /usr/bin/Xorg +- 
/usr/lib64/amanda/calcsize +- /usr/lib64/amanda/dumper +- /usr/lib64/amanda/killpgrp +- /usr/lib64/amanda/planner +- /usr/lib64/amanda/rundump +- /usr/lib64/amanda/runtar +- /usr/lib64/nspluginwrapper/plugin-config +- /usr/lib/amanda/calcsize +- /usr/lib/amanda/dumper +- /usr/lib/amanda/killpgrp +- /usr/lib/amanda/planner +- /usr/lib/amanda/rundump +- /usr/lib/amanda/runtar +- /usr/libexec/abrt-action-install-debuginfo-to-abrt-cache +- /usr/libexec/spice-gtk-x86_64/spice-client-glib-usb-acl-helper +- /usr/libexec/mc/cons.saver +- /usr/libexec/openssh/ssh-keysign +- /usr/libexec/polkit-1/polkit-agent-helper-1 +- /usr/libexec/pt_chown +- /usr/libexec/pulse/proximity-helper +- /usr/lib/nspluginwrapper/plugin-config +- /usr/sbin/amcheck +- /usr/sbin/seunshare +- /usr/sbin/suexec +- /usr/sbin/userhelper +- /usr/sbin/usernetctl +- +- +- +diff --git a/linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/oval/rhel7.xml b/linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/oval/rhel7.xml +deleted file mode 100644 +index c48bda0ef6..0000000000 +--- a/linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/oval/rhel7.xml ++++ /dev/null +@@ -1,95 +0,0 @@ +- +- +- +- Find setuid files from system packages +- +- Red Hat Enterprise Linux 7 +- +- All files with setuid should be owned by a base system package +- +- +- +- +- +- +- +- +- +- +- +- +- / +- ^.*$ +- state_file_permissions_unauthorized_suid +- state_suid_whitelist +- +- +- +- true +- +- +- +- +- +- +- +- +- +- /usr/bin/abrt-action-install-debuginfo-to-abrt-cache +- /usr/bin/at +- /usr/bin/chage +- /usr/bin/chfn +- /usr/bin/chsh +- /usr/bin/crontab +- /usr/bin/fusermount +- /usr/bin/gpasswd +- /usr/bin/ksu +- /usr/bin/mount +- /usr/bin/newgrp +- /usr/bin/passwd +- /usr/bin/pkexec +- /usr/bin/staprun +- /usr/bin/sudoedit +- /usr/bin/sudo +- /usr/bin/su +- /usr/bin/umount +- /usr/bin/Xorg +- /usr/lib64/amanda/application/amgtar +- 
/usr/lib64/amanda/application/amstar +- /usr/lib64/amanda/calcsize +- /usr/lib64/amanda/dumper +- /usr/lib64/amanda/killpgrp +- /usr/lib64/amanda/planner +- /usr/lib64/amanda/rundump +- /usr/lib64/amanda/runtar +- /usr/lib64/dbus-1/dbus-daemon-launch-helper +- /usr/lib/amanda/application/amgtar +- /usr/lib/amanda/application/amstar +- /usr/lib/amanda/calcsize +- /usr/lib/amanda/dumper +- /usr/lib/amanda/killpgrp +- /usr/lib/amanda/planner +- /usr/lib/amanda/rundump +- /usr/lib/amanda/runtar +- /usr/lib/dbus-1/dbus-daemon-launch-helper +- /usr/libexec/abrt-action-install-debuginfo-to-abrt-cache +- /usr/libexec/cockpit-session +- /usr/libexec/dbus-1/dbus-daemon-launch-helper +- /usr/libexec/kde4/kpac_dhcp_helper +- /usr/libexec/qemu-bridge-helper +- /usr/libexec/spice-gtk-x86_64/spice-client-glib-usb-acl-helper +- /usr/libexec/sssd/krb5_child +- /usr/libexec/sssd/ldap_child +- /usr/libexec/sssd/proxy_child +- /usr/libexec/sssd/selinux_child +- /usr/lib/polkit-1/polkit-agent-helper-1 +- /usr/sbin/amcheck +- /usr/sbin/amservice +- /usr/sbin/mount.nfs +- /usr/sbin/pam_timestamp_check +- /usr/sbin/unix_chkpwd +- /usr/sbin/userhelper +- /usr/sbin/usernetctl +- +- +- +diff --git a/linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/oval/shared.xml b/linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/oval/shared.xml +new file mode 100644 +index 0000000000..e83595c198 +--- /dev/null ++++ b/linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/oval/shared.xml +@@ -0,0 +1,62 @@ ++ ++ ++ ++ Find SUID files that are not owned by RPM packages ++ ++ multi_platform_fedora ++ multi_platform_rhel ++ multi_platform_ol ++ multi_platform_wrlinux ++ ++ Evaluates to true if all files with SUID set are owned by RPM packages. 
++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ / ++ ^.*$ ++ state_file_permissions_unauthorized_suid_suid_set ++ state_file_permissions_unauthorized_suid_filepaths ++ ++ ++ ++ ++ .* ++ .* ++ .* ++ .* ++ .* ++ ++ ++ ++ ++ ++ / ++ ^.*$ ++ state_file_permissions_unauthorized_suid_suid_set ++ ++ ++ ++ true ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ +diff --git a/linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/oval/wrlinux.xml b/linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/oval/wrlinux.xml +deleted file mode 100644 +index 8306d38211..0000000000 +--- a/linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/oval/wrlinux.xml ++++ /dev/null +@@ -1,55 +0,0 @@ +- +- +- +- Find setuid files from system packages +- +- Wind River Linux 8 +- +- All files with setuid should be owned by a base system package +- +- +- +- +- +- +- +- +- +- +- +- +- / +- ^.*$ +- state_file_permissions_unauthorized_suid +- state_suid_whitelist +- +- +- +- true +- +- +- +- +- +- +- +- +- +- /bin/su.shadow +- /bin/su.util-linux +- /usr/bin/chage +- /usr/bin/chfn.shadow +- /usr/bin/chsh.shadow +- /usr/bin/expiry +- /usr/bin/gpasswd +- /usr/bin/newgidmap +- /usr/bin/newgrp.shadow +- /usr/bin/newuidmap +- /usr/bin/passwd.shadow +- /usr/bin/sudo +- /usr/lib64/dbus/dbus-daemon-launch-helper +- /usr/sbin/unix_chkpwd +- /usr/sbin/vlock-main +- +- +- +diff --git a/linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/tests/no_unpackaged_suid.pass.sh b/linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/tests/no_unpackaged_suid.pass.sh +new file mode 100644 +index 0000000000..e6e5a29fb3 +--- /dev/null ++++ b/linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/tests/no_unpackaged_suid.pass.sh +@@ -0,0 +1,10 @@ ++#!/bin/bash ++ ++# profiles = xccdf_org.ssgproject.content_profile_standard ++# remediation = none ++ ++for x in $(find / -perm /u=s) ; do ++ if ! 
rpm -qf $x ; then ++ rm -rf $x ++ fi ++done +diff --git a/linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/tests/unpackaged_suid.fail.sh b/linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/tests/unpackaged_suid.fail.sh +new file mode 100644 +index 0000000000..f05f1821ec +--- /dev/null ++++ b/linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/tests/unpackaged_suid.fail.sh +@@ -0,0 +1,13 @@ ++#!/bin/bash ++ ++# profiles = xccdf_org.ssgproject.content_profile_standard ++# remediation = none ++ ++for x in $(find / -perm /u=s) ; do ++ if ! rpm -qf $x ; then ++ rm -rf $x ++ fi ++done ++ ++touch /usr/bin/suid_binary ++chmod u+xs /usr/bin/suid_binary + +From 359400441acb2290af7e5ff49942dec01cb39a43 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= +Date: Fri, 9 Aug 2019 08:44:59 +0200 +Subject: [PATCH 2/6] Describe the logic of the check in rule description + +--- + .../files/file_permissions_unauthorized_sgid/rule.yml | 5 +++++ + .../files/file_permissions_unauthorized_suid/rule.yml | 5 +++++ + 2 files changed, 10 insertions(+) + +diff --git a/linux_os/guide/system/permissions/files/file_permissions_unauthorized_sgid/rule.yml b/linux_os/guide/system/permissions/files/file_permissions_unauthorized_sgid/rule.yml +index f039eea88c..9bad52d9b2 100644 +--- a/linux_os/guide/system/permissions/files/file_permissions_unauthorized_sgid/rule.yml ++++ b/linux_os/guide/system/permissions/files/file_permissions_unauthorized_sgid/rule.yml +@@ -8,6 +8,11 @@ description: |- + unauthorized SGID files is determine if any were not installed as part of an + RPM package, which is cryptographically verified. Investigate the origin + of any unpackaged SGID files. ++ This configuration check whitelists SGID files which were installed via RPM. 
++ It is assumed that when an individual has sudo access to install an RPM ++ and all packages are signed with an organizationally-recognized GPG key, ++ the software should be considered an approved package on the system. ++ Any SGID file not deployed through an RPM will be flagged for further review. + + rationale: |- + Executable files with the SGID permission run with the privileges of +diff --git a/linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/rule.yml b/linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/rule.yml +index 5f4bc02cd1..1e01924469 100644 +--- a/linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/rule.yml ++++ b/linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/rule.yml +@@ -8,6 +8,11 @@ description: |- + unauthorized SGID files is determine if any were not installed as part of an + RPM package, which is cryptographically verified. Investigate the origin + of any unpackaged SUID files. ++ This configuration check whitelists SUID files which were installed via RPM. ++ It is assumed that when an individual has sudo access to install an RPM ++ and all packages are signed with an organizationally-recognized GPG key, ++ the software should be considered an approved package on the system. ++ Any SUID file not deployed through an RPM will be flagged for further review. 
+ + rationale: |- + Executable files with the SUID permission run with the privileges of + +From f8f7c2ae18f6c1d0cb145d996fb59d875276c991 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= +Date: Wed, 14 Aug 2019 11:28:38 +0200 +Subject: [PATCH 3/6] Change 'whitelists' to 'considers authorized' + +--- + .../files/file_permissions_unauthorized_sgid/rule.yml | 2 +- + .../files/file_permissions_unauthorized_suid/rule.yml | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +diff --git a/linux_os/guide/system/permissions/files/file_permissions_unauthorized_sgid/rule.yml b/linux_os/guide/system/permissions/files/file_permissions_unauthorized_sgid/rule.yml +index 9bad52d9b2..e92637ca09 100644 +--- a/linux_os/guide/system/permissions/files/file_permissions_unauthorized_sgid/rule.yml ++++ b/linux_os/guide/system/permissions/files/file_permissions_unauthorized_sgid/rule.yml +@@ -8,7 +8,7 @@ description: |- + unauthorized SGID files is determine if any were not installed as part of an + RPM package, which is cryptographically verified. Investigate the origin + of any unpackaged SGID files. +- This configuration check whitelists SGID files which were installed via RPM. ++ This configuration check considers authorized SGID files which were installed via RPM. + It is assumed that when an individual has sudo access to install an RPM + and all packages are signed with an organizationally-recognized GPG key, + the software should be considered an approved package on the system. 
+diff --git a/linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/rule.yml b/linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/rule.yml +index 1e01924469..9f3f3dc86c 100644 +--- a/linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/rule.yml ++++ b/linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/rule.yml +@@ -8,7 +8,7 @@ description: |- + unauthorized SGID files is determine if any were not installed as part of an + RPM package, which is cryptographically verified. Investigate the origin + of any unpackaged SUID files. +- This configuration check whitelists SUID files which were installed via RPM. ++ This configuration check considers authorized SUID files which were installed via RPM. + It is assumed that when an individual has sudo access to install an RPM + and all packages are signed with an organizationally-recognized GPG key, + the software should be considered an approved package on the system. + +From 69fac9536f88047a77aea67db81004872e27dae6 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= +Date: Wed, 16 Oct 2019 10:23:47 +0200 +Subject: [PATCH 4/6] Fix OCIL + +--- + .../files/file_permissions_unauthorized_sgid/rule.yml | 4 ++-- + .../files/file_permissions_unauthorized_suid/rule.yml | 4 ++-- + 2 files changed, 4 insertions(+), 4 deletions(-) + +diff --git a/linux_os/guide/system/permissions/files/file_permissions_unauthorized_sgid/rule.yml b/linux_os/guide/system/permissions/files/file_permissions_unauthorized_sgid/rule.yml +index e92637ca09..d03e7bf980 100644 +--- a/linux_os/guide/system/permissions/files/file_permissions_unauthorized_sgid/rule.yml ++++ b/linux_os/guide/system/permissions/files/file_permissions_unauthorized_sgid/rule.yml +@@ -41,5 +41,5 @@ references: + ocil_clause: 'there is output' + + ocil: |- +- To find world-writable files, run the following command: +-
    $ sudo find / -xdev -type f -perm -002
    ++ To find SGID files, run the following command: ++
    $ sudo find / -xdev -type f -perm -2000
    +diff --git a/linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/rule.yml b/linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/rule.yml +index 9f3f3dc86c..9aa7f40161 100644 +--- a/linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/rule.yml ++++ b/linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/rule.yml +@@ -41,5 +41,5 @@ references: + ocil_clause: 'only authorized files appear in the output of the find command' + + ocil: |- +- To find world-writable files, run the following command: +-
    $ sudo find / -xdev -type f -perm -002
    ++ To find SUID files, run the following command: ++
    $ sudo find / -xdev -type f -perm -4000
    + +From 4cd5fec7f7c71a475bbd5e9781dbfc38fdda5b92 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= +Date: Wed, 16 Oct 2019 10:23:58 +0200 +Subject: [PATCH 5/6] Fix a typo + +--- + .../files/file_permissions_unauthorized_suid/rule.yml | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/rule.yml b/linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/rule.yml +index 9aa7f40161..6cfcff2e4b 100644 +--- a/linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/rule.yml ++++ b/linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/rule.yml +@@ -5,7 +5,7 @@ title: 'Ensure All SUID Executables Are Authorized' + description: |- + The SUID (set user id) bit should be set only on files that were + installed via authorized means. A straightforward means of identifying +- unauthorized SGID files is determine if any were not installed as part of an ++ unauthorized SUID files is determine if any were not installed as part of an + RPM package, which is cryptographically verified. Investigate the origin + of any unpackaged SUID files. + This configuration check considers authorized SUID files which were installed via RPM. + +From 5cce2c77ae93750442a9635929786fb265834310 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= +Date: Wed, 16 Oct 2019 11:19:54 +0200 +Subject: [PATCH 6/6] Add prodtype + +This rule has OVAL only for RHEL, Fedora, OL and WRLinux. 
+We can specify it in prodtype to prevent its inclusion to datastreams +for products where this rule isn't applicable +--- + .../files/file_permissions_unauthorized_sgid/rule.yml | 2 ++ + .../files/file_permissions_unauthorized_suid/rule.yml | 2 ++ + 2 files changed, 4 insertions(+) + +diff --git a/linux_os/guide/system/permissions/files/file_permissions_unauthorized_sgid/rule.yml b/linux_os/guide/system/permissions/files/file_permissions_unauthorized_sgid/rule.yml +index d03e7bf980..de627fbe7e 100644 +--- a/linux_os/guide/system/permissions/files/file_permissions_unauthorized_sgid/rule.yml ++++ b/linux_os/guide/system/permissions/files/file_permissions_unauthorized_sgid/rule.yml +@@ -2,6 +2,8 @@ documentation_complete: true + + title: 'Ensure All SGID Executables Are Authorized' + ++prodtype: rhel6,rhel7,rhel8,ol7,ol8,fedora,wrlinux8,wrlinux1019 ++ + description: |- + The SGID (set group id) bit should be set only on files that were + installed via authorized means. A straightforward means of identifying +diff --git a/linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/rule.yml b/linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/rule.yml +index 6cfcff2e4b..27946fb86a 100644 +--- a/linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/rule.yml ++++ b/linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/rule.yml +@@ -2,6 +2,8 @@ documentation_complete: true + + title: 'Ensure All SUID Executables Are Authorized' + ++prodtype: rhel6,rhel7,rhel8,ol7,ol8,fedora,wrlinux8,wrlinux1019 ++ + description: |- + The SUID (set user id) bit should be set only on files that were + installed via authorized means. A straightforward means of identifying diff --git a/SOURCES/scap-security-guide-0.1.47-e8.patch b/SOURCES/scap-security-guide-0.1.47-e8.patch new file mode 100644 index 0000000..a16df46 --- /dev/null +++ b/SOURCES/scap-security-guide-0.1.47-e8.patch 
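Review bot: The four new test scenario scripts (`no_unpackaged_sgid.pass.sh`, `unpackaged_sgid.fail.sh`, `no_unpackaged_suid.pass.sh`, `unpackaged_suid.fail.sh`) run `rm -rf $x` on every unpackaged path returned by `find / -perm /g=s` (or `/u=s`) with no `-type f`, so setgid directories — the usual way group-shared directories are set up, and presumably not what the OVAL treats as an SGID executable — get deleted recursively, and the unquoted `$x` splits any path containing whitespace. Restricting the scan to regular files and quoting the variable keeps the setup step to what the rule checks: `find / -xdev -type f -perm /g=s -print0 | while IFS= read -r -d '' x; do rpm -qf "$x" >/dev/null 2>&1 || rm -f -- "$x"; done`, with `/u=s` for the SUID pair. That also lines up with the new OCIL text, which tells the auditor to use `-xdev -type f`. Since the check treats a file as authorized whenever its path belongs to an installed package, it does not by itself detect a replaced binary at a packaged path; a sentence in the rule description pointing to `rpm_verify_hashes` as the complementary control would make that boundary explicit.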
@@ -0,0 +1,301 @@ +From 294a7b225581b89a8029143e18e14cd961fcff7d Mon Sep 17 00:00:00 2001 +From: shaneboulden +Date: Sun, 22 Sep 2019 06:10:57 +1000 +Subject: [PATCH] Add Essential Eight profiles + +The Australian Cyber Security Centre (ACSC) Essential Eight provides +a baseline for cyber resilience. + +A copy of the Essential Eight in Linux Environments guide can be found +at the ACSC website: + +https://www.cyber.gov.au/publications/essential-eight-in-linux-environments +--- + rhel7/profiles/e8.profile | 132 ++++++++++++++++++++++++++++++++++++ + rhel8/profiles/e8.profile | 138 ++++++++++++++++++++++++++++++++++++++ + 2 files changed, 270 insertions(+) + create mode 100644 rhel7/profiles/e8.profile + create mode 100644 rhel8/profiles/e8.profile + +diff --git a/rhel7/profiles/e8.profile b/rhel7/profiles/e8.profile +new file mode 100644 +index 0000000000..27ff2a58e6 +--- /dev/null ++++ b/rhel7/profiles/e8.profile +@@ -0,0 +1,132 @@ ++documentation_complete: true ++ ++title: 'Australian Cyber Security Centre (ACSC) Essential Eight' ++ ++description: |- ++ This profile contains configuration checks for Red Hat Enterprise Linux 7 ++ that align to the Australian Cyber Security Centre (ACSC) Essential Eight. 
++ ++ A copy of the Essential Eight in Linux Environments guide can be found at the ++ ACSC website: ++ ++ https://www.cyber.gov.au/publications/essential-eight-in-linux-environments ++ ++selections: ++ ++ ### Remove obsolete packages ++ - package_talk_removed ++ - package_talk-server_removed ++ - package_xinetd_removed ++ - service_xinetd_disabled ++ - package_ypbind_removed ++ - package_telnet_removed ++ - service_telnet_disabled ++ - package_telnet-server_removed ++ - package_rsh_removed ++ - package_rsh-server_removed ++ - service_zebra_disabled ++ - package_quagga_removed ++ - service_avahi-daemon_disabled ++ - package_squid_removed ++ - service_squid_disabled ++ ++ ### Software update ++ - ensure_redhat_gpgkey_installed ++ - ensure_gpgcheck_never_disabled ++ - ensure_gpgcheck_local_packages ++ - ensure_gpgcheck_globally_activated ++ - security_patches_up_to_date ++ ++ ### System security settings ++ - sysctl_kernel_randomize_va_space ++ - sysctl_kernel_exec_shield ++ - sysctl_kernel_kptr_restrict ++ - sysctl_kernel_dmesg_restrict ++ - sysctl_kernel_kexec_load_disabled ++ - sysctl_kernel_yama_ptrace_scope ++ ++ ### SELinux ++ - var_selinux_state=enforcing ++ - selinux_state ++ - var_selinux_policy_name=targeted ++ - selinux_policytype ++ ++ ### Filesystem integrity ++ - rpm_verify_hashes ++ - rpm_verify_permissions ++ - rpm_verify_ownership ++ - file_permissions_unauthorized_sgid ++ - file_permissions_unauthorized_suid ++ - file_permissions_unauthorized_world_writable ++ - dir_perms_world_writable_sticky_bits ++ - file_permissions_library_dirs ++ - file_ownership_binary_dirs ++ - file_permissions_binary_dirs ++ - file_ownership_library_dirs ++ ++ ### Passwords ++ - no_empty_passwords ++ ++ ### Partitioning ++ - mount_option_dev_shm_nodev ++ - mount_option_dev_shm_nosuid ++ - mount_option_dev_shm_noexec ++ ++ ### Network ++ - package_firewalld_installed ++ - service_firewalld_enabled ++ - network_sniffer_disabled ++ ++ ### Admin privileges ++ - 
sudo_remove_nopasswd ++ - sudo_remove_no_authenticate ++ - sudo_require_authentication ++ ++ ### Audit ++ - package_rsyslog_installed ++ - service_rsyslog_enabled ++ - service_auditd_enabled ++ - var_auditd_flush=incremental_async ++ - auditd_data_retention_flush ++ - auditd_local_events ++ - auditd_write_logs ++ - auditd_log_format ++ - auditd_freq ++ - auditd_name_format ++ - audit_rules_login_events_tallylog ++ - audit_rules_login_events_faillock ++ - audit_rules_login_events_lastlog ++ - audit_rules_login_events ++ - audit_rules_time_adjtimex ++ - audit_rules_time_clock_settime ++ - audit_rules_time_watch_localtime ++ - audit_rules_time_settimeofday ++ - audit_rules_time_stime ++ - audit_rules_execution_restorecon ++ - audit_rules_execution_chcon ++ - audit_rules_execution_semanage ++ - audit_rules_execution_setsebool ++ - audit_rules_execution_setfiles ++ - audit_rules_execution_seunshare ++ - audit_rules_sysadmin_actions ++ - audit_rules_networkconfig_modification ++ - audit_rules_usergroup_modification ++ - audit_rules_dac_modification_chmod ++ - audit_rules_dac_modification_chown ++ - audit_rules_kernel_module_loading ++ ++ ### Secure access ++ - sshd_disable_root_login ++ - sshd_disable_gssapi_auth ++ - sshd_use_strong_ciphers ++ - sshd_print_last_log ++ - sshd_use_priv_separation ++ - sshd_do_not_permit_user_env ++ - sshd_disable_rhosts_rsa ++ - sshd_disable_rhosts ++ - sshd_allow_only_protocol2 ++ - sshd_set_loglevel_info ++ - sshd_disable_empty_passwords ++ - sshd_disable_user_known_hosts ++ - sshd_enable_strictmodes ++ - sshd_use_strong_macs +diff --git a/rhel8/profiles/e8.profile b/rhel8/profiles/e8.profile +new file mode 100644 +index 0000000000..53b4c156e2 +--- /dev/null ++++ b/rhel8/profiles/e8.profile +@@ -0,0 +1,138 @@ ++documentation_complete: true ++ ++title: 'Australian Cyber Security Centre (ACSC) Essential Eight' ++ ++description: |- ++ This profile contains configuration checks for Red Hat Enterprise Linux 8 ++ that align to the Australian 
Cyber Security Centre (ACSC) Essential Eight. ++ ++ A copy of the Essential Eight in Linux Environments guide can be found at the ++ ACSC website: ++ ++ https://www.cyber.gov.au/publications/essential-eight-in-linux-environments ++ ++selections: ++ ++ ### Remove obsolete packages ++ - package_talk_removed ++ - package_talk-server_removed ++ - package_xinetd_removed ++ - service_xinetd_disabled ++ - package_ypbind_removed ++ - package_telnet_removed ++ - service_telnet_disabled ++ - package_telnet-server_removed ++ - package_rsh_removed ++ - package_rsh-server_removed ++ - service_zebra_disabled ++ - package_quagga_removed ++ - service_avahi-daemon_disabled ++ - package_squid_removed ++ - service_squid_disabled ++ ++ ### Software update ++ - ensure_redhat_gpgkey_installed ++ - ensure_gpgcheck_never_disabled ++ - ensure_gpgcheck_local_packages ++ - ensure_gpgcheck_globally_activated ++ - security_patches_up_to_date ++ ++ ### System security settings ++ - sysctl_kernel_randomize_va_space ++ - sysctl_kernel_exec_shield ++ - sysctl_kernel_kptr_restrict ++ - sysctl_kernel_dmesg_restrict ++ - sysctl_kernel_kexec_load_disabled ++ - sysctl_kernel_yama_ptrace_scope ++ - sysctl_kernel_unprivileged_bpf_disabled ++ - sysctl_net_core_bpf_jit_harden ++ ++ ### SELinux ++ - var_selinux_state=enforcing ++ - selinux_state ++ - var_selinux_policy_name=targeted ++ - selinux_policytype ++ ++ ### Filesystem integrity ++ - rpm_verify_hashes ++ - rpm_verify_permissions ++ - rpm_verify_ownership ++ - file_permissions_unauthorized_sgid ++ - file_permissions_unauthorized_suid ++ - file_permissions_unauthorized_world_writable ++ - dir_perms_world_writable_sticky_bits ++ - file_permissions_library_dirs ++ - file_ownership_binary_dirs ++ - file_permissions_binary_dirs ++ - file_ownership_library_dirs ++ ++ ### Passwords ++ - no_empty_passwords ++ ++ ### Partitioning ++ - mount_option_dev_shm_nodev ++ - mount_option_dev_shm_nosuid ++ - mount_option_dev_shm_noexec ++ ++ ### Network ++ - 
package_firewalld_installed ++ - service_firewalld_enabled ++ - network_sniffer_disabled ++ ++ ### Admin privileges ++ - sudo_remove_nopasswd ++ - sudo_remove_no_authenticate ++ - sudo_require_authentication ++ ++ ### Audit ++ - package_rsyslog_installed ++ - service_rsyslog_enabled ++ - service_auditd_enabled ++ - var_auditd_flush=incremental_async ++ - auditd_data_retention_flush ++ - auditd_local_events ++ - auditd_write_logs ++ - auditd_log_format ++ - auditd_freq ++ - auditd_name_format ++ - audit_rules_login_events_tallylog ++ - audit_rules_login_events_faillock ++ - audit_rules_login_events_lastlog ++ - audit_rules_login_events ++ - audit_rules_time_adjtimex ++ - audit_rules_time_clock_settime ++ - audit_rules_time_watch_localtime ++ - audit_rules_time_settimeofday ++ - audit_rules_time_stime ++ - audit_rules_execution_restorecon ++ - audit_rules_execution_chcon ++ - audit_rules_execution_semanage ++ - audit_rules_execution_setsebool ++ - audit_rules_execution_setfiles ++ - audit_rules_execution_seunshare ++ - audit_rules_sysadmin_actions ++ - audit_rules_networkconfig_modification ++ - audit_rules_usergroup_modification ++ - audit_rules_dac_modification_chmod ++ - audit_rules_dac_modification_chown ++ - audit_rules_kernel_module_loading ++ ++ ### Secure access ++ - sshd_disable_root_login ++ - sshd_disable_gssapi_auth ++ - sshd_print_last_log ++ - sshd_use_priv_separation ++ - sshd_do_not_permit_user_env ++ - sshd_disable_rhosts_rsa ++ - sshd_disable_rhosts ++ - sshd_allow_only_protocol2 ++ - sshd_set_loglevel_info ++ - sshd_disable_empty_passwords ++ - sshd_disable_user_known_hosts ++ - sshd_enable_strictmodes ++ ++ ### Application whitelisting ++ - package_fapolicyd_installed ++ - service_fapolicyd_enabled ++ - configure_fapolicyd_mounts ++ diff --git a/SOURCES/scap-security-guide-0.1.47-first_occurence_mtab.patch b/SOURCES/scap-security-guide-0.1.47-first_occurence_mtab.patch new file mode 100644 index 0000000..938aa71 --- /dev/null 
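Review bot: The rhel8 profile's "Secure access" section drops `sshd_use_strong_ciphers` and `sshd_use_strong_macs`, which the rhel7 profile in the same hunk selects, and nothing in the file says why. If the intent is that RHEL 8 delegates cipher and MAC selection to the system-wide crypto policy, a comment on the rhel8 section such as `### Secure access (SSH ciphers/MACs are governed by the system-wide crypto policy on RHEL 8)` would keep the omission from reading as an oversight; otherwise either those two rules or `configure_crypto_policy` should presumably be selected so the profile keeps the same coverage on both products. Separately, `sshd_allow_only_protocol2` and `sshd_disable_rhosts_rsa` are carried into the rhel8 profile even though the OpenSSH shipped there no longer implements protocol 1, so it is worth confirming those rules are applicable to rhel8 rather than being silently dropped at build time.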
+++ b/SOURCES/scap-security-guide-0.1.47-first_occurence_mtab.patch 
@@ -0,0 +1,54 @@ +From 4a4c12bf3058079bc2336db9e7330aa869b0753f Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= +Date: Thu, 31 Oct 2019 16:00:52 +0100 +Subject: [PATCH 1/2] Use only first occurence from /etc/mtab + +The mount options of the first entry will be used. If there are +multiple lines in `/etc/mtab` that match the same mount point, the +variable `_previous_mount_opts` contained newline characters. These +newlines were propagated to `/etc/fstab`. As a result, an invalid entry +in /etc/fstab was created, `mount` command hasn't been successful and +the oscap scan after remediation returned false. +--- + .../include_mount_options_functions.sh | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/shared/bash_remediation_functions/include_mount_options_functions.sh b/shared/bash_remediation_functions/include_mount_options_functions.sh +index 392367dc05..7e81e8c711 100644 +--- a/shared/bash_remediation_functions/include_mount_options_functions.sh ++++ b/shared/bash_remediation_functions/include_mount_options_functions.sh +@@ -27,7 +27,7 @@ function ensure_mount_option_in_fstab { + + if [ "$(grep -c "$_mount_point_match_regexp" /etc/fstab)" -eq 0 ]; then + # runtime opts without some automatic kernel/userspace-added defaults +- _previous_mount_opts=$(grep "$_mount_point_match_regexp" /etc/mtab | awk '{print $4}' \ ++ _previous_mount_opts=$(grep "$_mount_point_match_regexp" /etc/mtab | head -1 | awk '{print $4}' \ + | sed -E "s/(rw|defaults|seclabel|${_new_opt})(,|$)//g;s/,$//") + [ "$_previous_mount_opts" ] && _previous_mount_opts+="," + echo "${_device} ${_mount_point} ${_type} defaults,${_previous_mount_opts}${_new_opt} 0 0" >> /etc/fstab + +From 0a7f149efed656fe61ab3e873055fd630054f5f5 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= +Date: Fri, 1 Nov 2019 14:50:42 +0100 +Subject: [PATCH 2/2] Add test scenario for multiple entries in mtab + +--- + .../tests/multiple_entries_in_mtab.fail.sh | 9 +++++++++ + 1 
file changed, 9 insertions(+) + create mode 100644 linux_os/guide/system/permissions/partitions/mount_option_dev_shm_noexec/tests/multiple_entries_in_mtab.fail.sh + +diff --git a/linux_os/guide/system/permissions/partitions/mount_option_dev_shm_noexec/tests/multiple_entries_in_mtab.fail.sh b/linux_os/guide/system/permissions/partitions/mount_option_dev_shm_noexec/tests/multiple_entries_in_mtab.fail.sh +new file mode 100644 +index 0000000000..dd56f9bb6c +--- /dev/null ++++ b/linux_os/guide/system/permissions/partitions/mount_option_dev_shm_noexec/tests/multiple_entries_in_mtab.fail.sh +@@ -0,0 +1,9 @@ ++#!/bin/bash ++# profiles = xccdf_org.ssgproject.content_profile_ospp ++ ++cat /etc/mtab > /etc/mtab.old ++# destroy symlink ++rm -f /etc/mtab ++cp /etc/mtab.old /etc/mtab ++echo "tmpfs /dev/shm tmpfs rw,seclabel,relatime 0 0" >> /etc/mtab ++echo "tmpfs /dev/shm tmpfs rw,seclabel,relatime 0 0" >> /etc/mtab diff --git a/SOURCES/scap-security-guide-0.1.47-fix_missing_cce.patch b/SOURCES/scap-security-guide-0.1.47-fix_missing_cce.patch new file mode 100644 index 0000000..85adba9 --- /dev/null +++ b/SOURCES/scap-security-guide-0.1.47-fix_missing_cce.patch 
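Review bot: `head -1` takes the first /etc/mtab line matching `$_mount_point_match_regexp`, but when a mount point is listed more than once the filesystem actually visible at that path is the most recently mounted one, i.e. the last matching line, so the new fstab entry may be seeded from the stale options of an over-mounted filesystem; `tail -n 1` looks like the safer choice, or if the first entry is intended a comment such as `# several mtab lines can match an over-mounted path; the first one is taken deliberately` should say so. The added test scenario appends two identical lines, so it cannot distinguish the two choices; a variant whose second line carries different options (constructed example: `rw,seclabel,relatime,nosuid`) would pin the intended behaviour. The scenario also replaces the /etc/mtab symlink with a regular file and never restores it, which is presumably acceptable only because test scenarios run on throwaway machines. The enclosing function `ensure_mount_option_in_fstab` starts and ends outside the hunk.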
@@ -0,0 +1,1028 @@ +From 06a1519f5121eb7a2fbf39d31fec3e951191ad57 Mon Sep 17 00:00:00 2001 +From: Matus Marhefka +Date: Tue, 24 Sep 2019 14:31:03 +0200 +Subject: [PATCH] Added RHEL7 CCEs for rules audit_rules_for_ospp and + installed_OS_is_vendor_supported + +--- + .../system/auditing/policy_rules/audit_rules_for_ospp/rule.yml | 1 + + .../certified-vendor/installed_OS_is_vendor_supported/rule.yml | 1 + + 3 files changed, 2 insertions(+), 2 deletions(-) + +diff --git a/linux_os/guide/system/auditing/policy_rules/audit_rules_for_ospp/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_rules_for_ospp/rule.yml +index bebb86f93d..18a6f2f49a 100644 +--- a/linux_os/guide/system/auditing/policy_rules/audit_rules_for_ospp/rule.yml ++++ b/linux_os/guide/system/auditing/policy_rules/audit_rules_for_ospp/rule.yml +@@ -37,6 +37,7 @@ rationale: |- + severity: medium + + identifiers: ++ cce@rhel7: 82370-8 + cce@rhel8: 82309-6 + + references: +diff --git a/linux_os/guide/system/software/integrity/certified-vendor/installed_OS_is_vendor_supported/rule.yml b/linux_os/guide/system/software/integrity/certified-vendor/installed_OS_is_vendor_supported/rule.yml +index 82d9c22726..6a4ff9bc0e 100644 +--- a/linux_os/guide/system/software/integrity/certified-vendor/installed_OS_is_vendor_supported/rule.yml ++++ b/linux_os/guide/system/software/integrity/certified-vendor/installed_OS_is_vendor_supported/rule.yml +@@ -28,6 +28,7 @@ warnings: + severity: high + + identifiers: ++ cce@rhel7: 82371-6 + cce@rhel8: 80947-5 + + references: +From a22ef605871ed199454eaed3aae02cb033a04b04 Mon Sep 17 00:00:00 2001 +From: Milan Lysonek +Date: Wed, 30 Oct 2019 15:36:29 +0100 +Subject: [PATCH 1/5] Add missing CCEs to rules from ncp profile. 
+ +--- + .../package_pcsc-lite_installed/rule.yml | 1 + + .../sebool_cron_can_relabel/rule.yml | 3 + + .../rule.yml | 3 + + .../rule.yml | 3 + + .../sebool_daemons_dump_core/rule.yml | 3 + + .../sebool_daemons_use_tcp_wrapper/rule.yml | 3 + + .../sebool_daemons_use_tty/rule.yml | 3 + + .../sebool_deny_execmem/rule.yml | 3 + + .../sebool_deny_ptrace/rule.yml | 3 + + .../sebool_domain_fd_use/rule.yml | 3 + + .../rule.yml | 3 + + .../sebool_gpg_web_anon_write/rule.yml | 3 + + .../sebool_guest_exec_content/rule.yml | 3 + + .../sebool_kerberos_enabled/rule.yml | 3 + + .../sebool_logadm_exec_content/rule.yml | 3 + + .../rule.yml | 3 + + .../sebool_logging_syslogd_use_tty/rule.yml | 3 + + .../sebool_login_console_enabled/rule.yml | 3 + + .../sebool_mmap_low_allowed/rule.yml | 3 + + .../sebool_mock_enable_homedirs/rule.yml | 3 + + .../sebool_mount_anyfile/rule.yml | 3 + + .../sebool_polyinstantiation_enabled/rule.yml | 3 + + .../sebool_secadm_exec_content/rule.yml | 3 + + .../sebool_secure_mode/rule.yml | 3 + + .../sebool_secure_mode_insmod/rule.yml | 3 + + .../sebool_secure_mode_policyload/rule.yml | 3 + + .../rule.yml | 3 + + .../sebool_selinuxuser_execheap/rule.yml | 1 + + .../sebool_selinuxuser_execmod/rule.yml | 1 + + .../sebool_selinuxuser_execstack/rule.yml | 1 + + .../rule.yml | 3 + + .../sebool_selinuxuser_ping/rule.yml | 3 + + .../rule.yml | 3 + + .../rule.yml | 3 + + .../sebool_selinuxuser_share_music/rule.yml | 3 + + .../sebool_selinuxuser_tcp_server/rule.yml | 3 + + .../sebool_selinuxuser_udp_server/rule.yml | 3 + + .../rule.yml | 3 + + .../sebool_ssh_chroot_rw_homedirs/rule.yml | 3 + + .../sebool_ssh_keysign/rule.yml | 3 + + .../sebool_ssh_sysadm_login/rule.yml | 3 + + .../sebool_staff_exec_content/rule.yml | 3 + + .../sebool_sysadm_exec_content/rule.yml | 3 + + .../sebool_unconfined_login/rule.yml | 3 + + .../sebool_use_ecryptfs_home_dirs/rule.yml | 3 + + .../sebool_user_exec_content/rule.yml | 3 + + .../sebool_xdm_bind_vnc_tcp_port/rule.yml | 3 + + 
.../sebool_xdm_exec_bootloader/rule.yml | 3 + + .../sebool_xdm_sysadm_login/rule.yml | 3 + + .../sebool_xdm_write_home/rule.yml | 3 + + .../sebool_xguest_connect_network/rule.yml | 3 + + .../sebool_xguest_exec_content/rule.yml | 3 + + .../sebool_xguest_mount_media/rule.yml | 3 + + .../sebool_xguest_use_bluetooth/rule.yml | 3 + + .../rule.yml | 3 + + .../sebool_xserver_execmem/rule.yml | 3 + + .../sebool_xserver_object_manager/rule.yml | 3 + + 58 files changed, 163 insertions(+), 57 deletions(-) + +diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/package_pcsc-lite_installed/rule.yml b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/package_pcsc-lite_installed/rule.yml +index ac9e4f8a17..f7d2cb64b2 100644 +--- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/package_pcsc-lite_installed/rule.yml ++++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/package_pcsc-lite_installed/rule.yml +@@ -14,6 +14,7 @@ rationale: |- + severity: medium + + identifiers: ++ cce@rhel7: 82347-6 + cce@rhel8: 80993-9 + + references: +diff --git a/linux_os/guide/system/selinux/selinux-booleans/sebool_cron_can_relabel/rule.yml b/linux_os/guide/system/selinux/selinux-booleans/sebool_cron_can_relabel/rule.yml +index e7a65fcacb..8cb1b590d2 100644 +--- a/linux_os/guide/system/selinux/selinux-booleans/sebool_cron_can_relabel/rule.yml ++++ b/linux_os/guide/system/selinux/selinux-booleans/sebool_cron_can_relabel/rule.yml +@@ -13,4 +13,7 @@ rationale: "" + + severity: medium + ++identifiers: ++ cce@rhel7: 82284-1 ++ + {{{ complete_ocil_entry_sebool_disabled(sebool="cron_can_relabel") }}} +diff --git a/linux_os/guide/system/selinux/selinux-booleans/sebool_cron_system_cronjob_use_shares/rule.yml b/linux_os/guide/system/selinux/selinux-booleans/sebool_cron_system_cronjob_use_shares/rule.yml +index 79db9b1d33..3af5c04e41 100644 +--- 
a/linux_os/guide/system/selinux/selinux-booleans/sebool_cron_system_cronjob_use_shares/rule.yml ++++ b/linux_os/guide/system/selinux/selinux-booleans/sebool_cron_system_cronjob_use_shares/rule.yml +@@ -13,4 +13,7 @@ rationale: "" + + severity: medium + ++identifiers: ++ cce@rhel7: 82285-8 ++ + {{{ complete_ocil_entry_sebool_disabled(sebool="cron_system_cronjob_use_shares") }}} +diff --git a/linux_os/guide/system/selinux/selinux-booleans/sebool_cron_userdomain_transition/rule.yml b/linux_os/guide/system/selinux/selinux-booleans/sebool_cron_userdomain_transition/rule.yml +index ec48f00f8d..e29b865fae 100644 +--- a/linux_os/guide/system/selinux/selinux-booleans/sebool_cron_userdomain_transition/rule.yml ++++ b/linux_os/guide/system/selinux/selinux-booleans/sebool_cron_userdomain_transition/rule.yml +@@ -14,4 +14,7 @@ rationale: "" + + severity: medium + ++identifiers: ++ cce@rhel7: 82286-6 ++ + {{{ complete_ocil_entry_sebool_enabled(sebool="cron_userdomain_transition") }}} +diff --git a/linux_os/guide/system/selinux/selinux-booleans/sebool_daemons_dump_core/rule.yml b/linux_os/guide/system/selinux/selinux-booleans/sebool_daemons_dump_core/rule.yml +index a92c190617..67ff95568e 100644 +--- a/linux_os/guide/system/selinux/selinux-booleans/sebool_daemons_dump_core/rule.yml ++++ b/linux_os/guide/system/selinux/selinux-booleans/sebool_daemons_dump_core/rule.yml +@@ -13,4 +13,7 @@ rationale: "" + + severity: medium + ++identifiers: ++ cce@rhel7: 82287-4 ++ + {{{ complete_ocil_entry_sebool_disabled(sebool="daemons_dump_core") }}} +diff --git a/linux_os/guide/system/selinux/selinux-booleans/sebool_daemons_use_tcp_wrapper/rule.yml b/linux_os/guide/system/selinux/selinux-booleans/sebool_daemons_use_tcp_wrapper/rule.yml +index eff77b941a..cae4936565 100644 +--- a/linux_os/guide/system/selinux/selinux-booleans/sebool_daemons_use_tcp_wrapper/rule.yml ++++ b/linux_os/guide/system/selinux/selinux-booleans/sebool_daemons_use_tcp_wrapper/rule.yml +@@ -13,4 +13,7 @@ rationale: "" + + 
severity: medium + ++identifiers: ++ cce@rhel7: 82288-2 ++ + {{{ complete_ocil_entry_sebool_disabled(sebool="daemons_use_tcp_wrapper") }}} +diff --git a/linux_os/guide/system/selinux/selinux-booleans/sebool_daemons_use_tty/rule.yml b/linux_os/guide/system/selinux/selinux-booleans/sebool_daemons_use_tty/rule.yml +index 9517982a88..3e8749669f 100644 +--- a/linux_os/guide/system/selinux/selinux-booleans/sebool_daemons_use_tty/rule.yml ++++ b/linux_os/guide/system/selinux/selinux-booleans/sebool_daemons_use_tty/rule.yml +@@ -13,4 +13,7 @@ rationale: "" + + severity: medium + ++identifiers: ++ cce@rhel7: 82289-0 ++ + {{{ complete_ocil_entry_sebool_disabled(sebool="daemons_use_tty") }}} +diff --git a/linux_os/guide/system/selinux/selinux-booleans/sebool_deny_execmem/rule.yml b/linux_os/guide/system/selinux/selinux-booleans/sebool_deny_execmem/rule.yml +index 489a75feb6..81f490af40 100644 +--- a/linux_os/guide/system/selinux/selinux-booleans/sebool_deny_execmem/rule.yml ++++ b/linux_os/guide/system/selinux/selinux-booleans/sebool_deny_execmem/rule.yml +@@ -13,4 +13,7 @@ rationale: "" + + severity: medium + ++identifiers: ++ cce@rhel7: 82290-8 ++ + {{{ complete_ocil_entry_sebool_disabled(sebool="deny_execmem") }}} +diff --git a/linux_os/guide/system/selinux/selinux-booleans/sebool_deny_ptrace/rule.yml b/linux_os/guide/system/selinux/selinux-booleans/sebool_deny_ptrace/rule.yml +index 5213001969..b60ef6cc0c 100644 +--- a/linux_os/guide/system/selinux/selinux-booleans/sebool_deny_ptrace/rule.yml ++++ b/linux_os/guide/system/selinux/selinux-booleans/sebool_deny_ptrace/rule.yml +@@ -13,4 +13,7 @@ rationale: "" + + severity: medium + ++identifiers: ++ cce@rhel7: 82291-6 ++ + {{{ complete_ocil_entry_sebool_disabled(sebool="deny_ptrace") }}} +diff --git a/linux_os/guide/system/selinux/selinux-booleans/sebool_domain_fd_use/rule.yml b/linux_os/guide/system/selinux/selinux-booleans/sebool_domain_fd_use/rule.yml +index 02b0281f60..7ebcdc08f1 100644 +--- 
a/linux_os/guide/system/selinux/selinux-booleans/sebool_domain_fd_use/rule.yml ++++ b/linux_os/guide/system/selinux/selinux-booleans/sebool_domain_fd_use/rule.yml +@@ -13,4 +13,7 @@ rationale: "" + + severity: medium + ++identifiers: ++ cce@rhel7: 82292-4 ++ + {{{ complete_ocil_entry_sebool_enabled(sebool="domain_fd_use") }}} +diff --git a/linux_os/guide/system/selinux/selinux-booleans/sebool_domain_kernel_load_modules/rule.yml b/linux_os/guide/system/selinux/selinux-booleans/sebool_domain_kernel_load_modules/rule.yml +index aed06f6e60..b55f7449c3 100644 +--- a/linux_os/guide/system/selinux/selinux-booleans/sebool_domain_kernel_load_modules/rule.yml ++++ b/linux_os/guide/system/selinux/selinux-booleans/sebool_domain_kernel_load_modules/rule.yml +@@ -13,4 +13,7 @@ rationale: "" + + severity: medium + ++identifiers: ++ cce@rhel7: 82293-2 ++ + {{{ complete_ocil_entry_sebool_disabled(sebool="domain_kernel_load_modules") }}} +diff --git a/linux_os/guide/system/selinux/selinux-booleans/sebool_gpg_web_anon_write/rule.yml b/linux_os/guide/system/selinux/selinux-booleans/sebool_gpg_web_anon_write/rule.yml +index 9879943020..bd3aef8967 100644 +--- a/linux_os/guide/system/selinux/selinux-booleans/sebool_gpg_web_anon_write/rule.yml ++++ b/linux_os/guide/system/selinux/selinux-booleans/sebool_gpg_web_anon_write/rule.yml +@@ -13,4 +13,7 @@ rationale: "" + + severity: medium + ++identifiers: ++ cce@rhel7: 82294-0 ++ + {{{ complete_ocil_entry_sebool_disabled(sebool="gpg_web_anon_write") }}} +diff --git a/linux_os/guide/system/selinux/selinux-booleans/sebool_guest_exec_content/rule.yml b/linux_os/guide/system/selinux/selinux-booleans/sebool_guest_exec_content/rule.yml +index 0cd25b2abf..604add7c40 100644 +--- a/linux_os/guide/system/selinux/selinux-booleans/sebool_guest_exec_content/rule.yml ++++ b/linux_os/guide/system/selinux/selinux-booleans/sebool_guest_exec_content/rule.yml +@@ -13,4 +13,7 @@ rationale: "" + + severity: medium + ++identifiers: ++ cce@rhel7: 82295-7 ++ + {{{ 
complete_ocil_entry_sebool_disabled(sebool="guest_exec_content") }}} +diff --git a/linux_os/guide/system/selinux/selinux-booleans/sebool_kerberos_enabled/rule.yml b/linux_os/guide/system/selinux/selinux-booleans/sebool_kerberos_enabled/rule.yml +index 4e046cef2e..9f4eea0835 100644 +--- a/linux_os/guide/system/selinux/selinux-booleans/sebool_kerberos_enabled/rule.yml ++++ b/linux_os/guide/system/selinux/selinux-booleans/sebool_kerberos_enabled/rule.yml +@@ -14,4 +14,7 @@ rationale: "" + + severity: medium + ++identifiers: ++ cce@rhel7: 82296-5 ++ + {{{ complete_ocil_entry_sebool_enabled(sebool="kerberos_enabled") }}} +diff --git a/linux_os/guide/system/selinux/selinux-booleans/sebool_logadm_exec_content/rule.yml b/linux_os/guide/system/selinux/selinux-booleans/sebool_logadm_exec_content/rule.yml +index 09e5b17eee..5c6812d5fc 100644 +--- a/linux_os/guide/system/selinux/selinux-booleans/sebool_logadm_exec_content/rule.yml ++++ b/linux_os/guide/system/selinux/selinux-booleans/sebool_logadm_exec_content/rule.yml +@@ -13,4 +13,7 @@ rationale: "" + + severity: medium + ++identifiers: ++ cce@rhel7: 82298-1 ++ + {{{ complete_ocil_entry_sebool_enabled(sebool="logadm_exec_content") }}} +diff --git a/linux_os/guide/system/selinux/selinux-booleans/sebool_logging_syslogd_can_sendmail/rule.yml b/linux_os/guide/system/selinux/selinux-booleans/sebool_logging_syslogd_can_sendmail/rule.yml +index 84c05ea067..21a1476843 100644 +--- a/linux_os/guide/system/selinux/selinux-booleans/sebool_logging_syslogd_can_sendmail/rule.yml ++++ b/linux_os/guide/system/selinux/selinux-booleans/sebool_logging_syslogd_can_sendmail/rule.yml +@@ -13,4 +13,7 @@ rationale: "" + + severity: medium + ++identifiers: ++ cce@rhel7: 82299-9 ++ + {{{ complete_ocil_entry_sebool_disabled(sebool="logging_syslogd_can_sendmail") }}} +diff --git a/linux_os/guide/system/selinux/selinux-booleans/sebool_logging_syslogd_use_tty/rule.yml b/linux_os/guide/system/selinux/selinux-booleans/sebool_logging_syslogd_use_tty/rule.yml 
+index 4600b4d2a4..faa4b66598 100644 +--- a/linux_os/guide/system/selinux/selinux-booleans/sebool_logging_syslogd_use_tty/rule.yml ++++ b/linux_os/guide/system/selinux/selinux-booleans/sebool_logging_syslogd_use_tty/rule.yml +@@ -14,4 +14,7 @@ rationale: "" + + severity: medium + ++identifiers: ++ cce@rhel7: 82300-5 ++ + {{{ complete_ocil_entry_sebool_enabled(sebool="logging_syslogd_use_tty") }}} +diff --git a/linux_os/guide/system/selinux/selinux-booleans/sebool_login_console_enabled/rule.yml b/linux_os/guide/system/selinux/selinux-booleans/sebool_login_console_enabled/rule.yml +index f06a939af2..65d8b21785 100644 +--- a/linux_os/guide/system/selinux/selinux-booleans/sebool_login_console_enabled/rule.yml ++++ b/linux_os/guide/system/selinux/selinux-booleans/sebool_login_console_enabled/rule.yml +@@ -14,4 +14,7 @@ rationale: "" + + severity: medium + ++identifiers: ++ cce@rhel7: 82301-3 ++ + {{{ complete_ocil_entry_sebool_enabled(sebool="login_console_enabled") }}} +diff --git a/linux_os/guide/system/selinux/selinux-booleans/sebool_mmap_low_allowed/rule.yml b/linux_os/guide/system/selinux/selinux-booleans/sebool_mmap_low_allowed/rule.yml +index e9b55edff6..f3fb149cd6 100644 +--- a/linux_os/guide/system/selinux/selinux-booleans/sebool_mmap_low_allowed/rule.yml ++++ b/linux_os/guide/system/selinux/selinux-booleans/sebool_mmap_low_allowed/rule.yml +@@ -13,4 +13,7 @@ rationale: "" + + severity: medium + ++identifiers: ++ cce@rhel7: 82302-1 ++ + {{{ complete_ocil_entry_sebool_disabled(sebool="mmap_low_allowed") }}} +diff --git a/linux_os/guide/system/selinux/selinux-booleans/sebool_mock_enable_homedirs/rule.yml b/linux_os/guide/system/selinux/selinux-booleans/sebool_mock_enable_homedirs/rule.yml +index 4222d2b1dd..7f6303b37d 100644 +--- a/linux_os/guide/system/selinux/selinux-booleans/sebool_mock_enable_homedirs/rule.yml ++++ b/linux_os/guide/system/selinux/selinux-booleans/sebool_mock_enable_homedirs/rule.yml +@@ -13,4 +13,7 @@ rationale: "" + + severity: medium + 
++identifiers:
++ cce@rhel7: 82303-9
++
+ {{{ complete_ocil_entry_sebool_disabled(sebool="mock_enable_homedirs") }}}
+diff --git a/linux_os/guide/system/selinux/selinux-booleans/sebool_mount_anyfile/rule.yml b/linux_os/guide/system/selinux/selinux-booleans/sebool_mount_anyfile/rule.yml
+index e172deda7e..ee010438d9 100644
+--- a/linux_os/guide/system/selinux/selinux-booleans/sebool_mount_anyfile/rule.yml
++++ b/linux_os/guide/system/selinux/selinux-booleans/sebool_mount_anyfile/rule.yml
+@@ -14,4 +14,7 @@ rationale: ""
+
+ severity: medium
+
++identifiers:
++ cce@rhel7: 82304-7
++
+ {{{ complete_ocil_entry_sebool_enabled(sebool="mount_anyfile") }}}
+diff --git a/linux_os/guide/system/selinux/selinux-booleans/sebool_polyinstantiation_enabled/rule.yml b/linux_os/guide/system/selinux/selinux-booleans/sebool_polyinstantiation_enabled/rule.yml
+index 32b48441c6..9bd370ac94 100644
+--- a/linux_os/guide/system/selinux/selinux-booleans/sebool_polyinstantiation_enabled/rule.yml
++++ b/linux_os/guide/system/selinux/selinux-booleans/sebool_polyinstantiation_enabled/rule.yml
+@@ -13,4 +13,7 @@ rationale: ""
+
+ severity: medium
+
++identifiers:
++ cce@rhel7: 82305-4
++
+ {{{ complete_ocil_entry_sebool_disabled(sebool="polyinstantiation_enabled") }}}
+diff --git a/linux_os/guide/system/selinux/selinux-booleans/sebool_secadm_exec_content/rule.yml b/linux_os/guide/system/selinux/selinux-booleans/sebool_secadm_exec_content/rule.yml
+index 6699164b3a..5e404adfe8 100644
+--- a/linux_os/guide/system/selinux/selinux-booleans/sebool_secadm_exec_content/rule.yml
++++ b/linux_os/guide/system/selinux/selinux-booleans/sebool_secadm_exec_content/rule.yml
+@@ -13,4 +13,7 @@ rationale: ""
+
+ severity: medium
+
++identifiers:
++ cce@rhel7: 82306-2
++
+ {{{ complete_ocil_entry_sebool_enabled(sebool="secadm_exec_content") }}}
+diff --git a/linux_os/guide/system/selinux/selinux-booleans/sebool_secure_mode/rule.yml b/linux_os/guide/system/selinux/selinux-booleans/sebool_secure_mode/rule.yml
+index 19ff0ff859..c021a016cd 100644
+--- a/linux_os/guide/system/selinux/selinux-booleans/sebool_secure_mode/rule.yml
++++ b/linux_os/guide/system/selinux/selinux-booleans/sebool_secure_mode/rule.yml
+@@ -13,4 +13,7 @@ rationale: ""
+
+ severity: medium
+
++identifiers:
++ cce@rhel7: 82307-0
++
+ {{{ complete_ocil_entry_sebool_disabled(sebool="secure_mode") }}}
+diff --git a/linux_os/guide/system/selinux/selinux-booleans/sebool_secure_mode_insmod/rule.yml b/linux_os/guide/system/selinux/selinux-booleans/sebool_secure_mode_insmod/rule.yml
+index 020ade04d0..45513725d8 100644
+--- a/linux_os/guide/system/selinux/selinux-booleans/sebool_secure_mode_insmod/rule.yml
++++ b/linux_os/guide/system/selinux/selinux-booleans/sebool_secure_mode_insmod/rule.yml
+@@ -16,4 +16,7 @@ references:
+
+ severity: medium
+
++identifiers:
++ cce@rhel7: 82308-8
++
+ {{{ complete_ocil_entry_sebool_disabled(sebool="secure_mode_insmod") }}}
+diff --git a/linux_os/guide/system/selinux/selinux-booleans/sebool_secure_mode_policyload/rule.yml b/linux_os/guide/system/selinux/selinux-booleans/sebool_secure_mode_policyload/rule.yml
+index 4dc1dd57f9..5259ec3776 100644
+--- a/linux_os/guide/system/selinux/selinux-booleans/sebool_secure_mode_policyload/rule.yml
++++ b/linux_os/guide/system/selinux/selinux-booleans/sebool_secure_mode_policyload/rule.yml
+@@ -13,4 +13,7 @@ rationale: ""
+
+ severity: medium
+
++identifiers:
++ cce@rhel7: 82310-4
++
+ {{{ complete_ocil_entry_sebool_disabled(sebool="secure_mode_policyload") }}}
+diff --git a/linux_os/guide/system/selinux/selinux-booleans/sebool_selinuxuser_direct_dri_enabled/rule.yml b/linux_os/guide/system/selinux/selinux-booleans/sebool_selinuxuser_direct_dri_enabled/rule.yml
+index 7389882aba..4d76582d9d 100644
+--- a/linux_os/guide/system/selinux/selinux-booleans/sebool_selinuxuser_direct_dri_enabled/rule.yml
++++ b/linux_os/guide/system/selinux/selinux-booleans/sebool_selinuxuser_direct_dri_enabled/rule.yml
+@@ -14,4 +14,7 @@ rationale: ""
+
+ severity: medium
+
++identifiers:
++ cce@rhel7: 82311-2
++
+ {{{ complete_ocil_entry_sebool_disabled(sebool="selinuxuser_direct_dri_enabled") }}}
+diff --git a/linux_os/guide/system/selinux/selinux-booleans/sebool_selinuxuser_execheap/rule.yml b/linux_os/guide/system/selinux/selinux-booleans/sebool_selinuxuser_execheap/rule.yml
+index 3b5276d8d8..bfef9808ed 100644
+--- a/linux_os/guide/system/selinux/selinux-booleans/sebool_selinuxuser_execheap/rule.yml
++++ b/linux_os/guide/system/selinux/selinux-booleans/sebool_selinuxuser_execheap/rule.yml
+@@ -14,6 +14,7 @@ rationale: ""
+ severity: medium
+
+ identifiers:
++ cce@rhel7: 82312-0
+ cce@rhel8: 80949-1
+
+ references:
+diff --git a/linux_os/guide/system/selinux/selinux-booleans/sebool_selinuxuser_execmod/rule.yml b/linux_os/guide/system/selinux/selinux-booleans/sebool_selinuxuser_execmod/rule.yml
+index 97d65d0175..f8f65b4d20 100644
+--- a/linux_os/guide/system/selinux/selinux-booleans/sebool_selinuxuser_execmod/rule.yml
++++ b/linux_os/guide/system/selinux/selinux-booleans/sebool_selinuxuser_execmod/rule.yml
+@@ -14,6 +14,7 @@ rationale: ""
+ severity: medium
+
+ identifiers:
++ cce@rhel7: 82313-8
+ cce@rhel8: 80950-9
+
+ references:
+diff --git a/linux_os/guide/system/selinux/selinux-booleans/sebool_selinuxuser_execstack/rule.yml b/linux_os/guide/system/selinux/selinux-booleans/sebool_selinuxuser_execstack/rule.yml
+index d6ed7c355b..785a3e9d06 100644
+--- a/linux_os/guide/system/selinux/selinux-booleans/sebool_selinuxuser_execstack/rule.yml
++++ b/linux_os/guide/system/selinux/selinux-booleans/sebool_selinuxuser_execstack/rule.yml
+@@ -15,6 +15,7 @@ rationale: ""
+ severity: medium
+
+ identifiers:
++ cce@rhel7: 82314-6
+ cce@rhel8: 80951-7
+
+ references:
+diff --git a/linux_os/guide/system/selinux/selinux-booleans/sebool_selinuxuser_mysql_connect_enabled/rule.yml b/linux_os/guide/system/selinux/selinux-booleans/sebool_selinuxuser_mysql_connect_enabled/rule.yml
+index c12f9b0b84..18cfd17a78 100644
+--- a/linux_os/guide/system/selinux/selinux-booleans/sebool_selinuxuser_mysql_connect_enabled/rule.yml
++++ b/linux_os/guide/system/selinux/selinux-booleans/sebool_selinuxuser_mysql_connect_enabled/rule.yml
+@@ -13,4 +13,7 @@ rationale: ""
+
+ severity: medium
+
++identifiers:
++ cce@rhel7: 82317-9
++
+ {{{ complete_ocil_entry_sebool_disabled(sebool="selinuxuser_mysql_connect_enabled") }}}
+diff --git a/linux_os/guide/system/selinux/selinux-booleans/sebool_selinuxuser_ping/rule.yml b/linux_os/guide/system/selinux/selinux-booleans/sebool_selinuxuser_ping/rule.yml
+index d8d6d69f98..25a4cb4c20 100644
+--- a/linux_os/guide/system/selinux/selinux-booleans/sebool_selinuxuser_ping/rule.yml
++++ b/linux_os/guide/system/selinux/selinux-booleans/sebool_selinuxuser_ping/rule.yml
+@@ -14,4 +14,7 @@ rationale: ""
+
+ severity: medium
+
++identifiers:
++ cce@rhel7: 82318-7
++
+ {{{ complete_ocil_entry_sebool_enabled(sebool="selinuxuser_ping") }}}
+diff --git a/linux_os/guide/system/selinux/selinux-booleans/sebool_selinuxuser_postgresql_connect_enabled/rule.yml b/linux_os/guide/system/selinux/selinux-booleans/sebool_selinuxuser_postgresql_connect_enabled/rule.yml
+index f17f6b3cf4..fedba937e5 100644
+--- a/linux_os/guide/system/selinux/selinux-booleans/sebool_selinuxuser_postgresql_connect_enabled/rule.yml
++++ b/linux_os/guide/system/selinux/selinux-booleans/sebool_selinuxuser_postgresql_connect_enabled/rule.yml
+@@ -13,4 +13,7 @@ rationale: ""
+
+ severity: medium
+
++identifiers:
++ cce@rhel7: 82319-5
++
+ {{{ complete_ocil_entry_sebool_disabled(sebool="selinuxuser_postgresql_connect_enabled") }}}
+diff --git a/linux_os/guide/system/selinux/selinux-booleans/sebool_selinuxuser_rw_noexattrfile/rule.yml b/linux_os/guide/system/selinux/selinux-booleans/sebool_selinuxuser_rw_noexattrfile/rule.yml
+index 14218b5015..8d30bc437d 100644
+--- a/linux_os/guide/system/selinux/selinux-booleans/sebool_selinuxuser_rw_noexattrfile/rule.yml
++++ b/linux_os/guide/system/selinux/selinux-booleans/sebool_selinuxuser_rw_noexattrfile/rule.yml
+@@ -14,4 +14,7 @@ rationale: ""
+
+ severity: medium
+
++identifiers:
++ cce@rhel7: 82320-3
++
+ {{{ complete_ocil_entry_sebool_disabled(sebool="selinuxuser_rw_noexattrfile") }}}
+diff --git a/linux_os/guide/system/selinux/selinux-booleans/sebool_selinuxuser_share_music/rule.yml b/linux_os/guide/system/selinux/selinux-booleans/sebool_selinuxuser_share_music/rule.yml
+index cf7cd9ec7c..221e925b9b 100644
+--- a/linux_os/guide/system/selinux/selinux-booleans/sebool_selinuxuser_share_music/rule.yml
++++ b/linux_os/guide/system/selinux/selinux-booleans/sebool_selinuxuser_share_music/rule.yml
+@@ -13,4 +13,7 @@ rationale: ""
+
+ severity: medium
+
++identifiers:
++ cce@rhel7: 82321-1
++
+ {{{ complete_ocil_entry_sebool_disabled(sebool="selinuxuser_share_music") }}}
+diff --git a/linux_os/guide/system/selinux/selinux-booleans/sebool_selinuxuser_tcp_server/rule.yml b/linux_os/guide/system/selinux/selinux-booleans/sebool_selinuxuser_tcp_server/rule.yml
+index e6a8407c13..cfc17033f8 100644
+--- a/linux_os/guide/system/selinux/selinux-booleans/sebool_selinuxuser_tcp_server/rule.yml
++++ b/linux_os/guide/system/selinux/selinux-booleans/sebool_selinuxuser_tcp_server/rule.yml
+@@ -13,4 +13,7 @@ rationale: ""
+
+ severity: medium
+
++identifiers:
++ cce@rhel7: 82322-9
++
+ {{{ complete_ocil_entry_sebool_disabled(sebool="selinuxuser_tcp_server") }}}
+diff --git a/linux_os/guide/system/selinux/selinux-booleans/sebool_selinuxuser_udp_server/rule.yml b/linux_os/guide/system/selinux/selinux-booleans/sebool_selinuxuser_udp_server/rule.yml
+index 69a650a1c6..c773cfaa7b 100644
+--- a/linux_os/guide/system/selinux/selinux-booleans/sebool_selinuxuser_udp_server/rule.yml
++++ b/linux_os/guide/system/selinux/selinux-booleans/sebool_selinuxuser_udp_server/rule.yml
+@@ -13,4 +13,7 @@ rationale: ""
+
+ severity: medium
+
++identifiers:
++ cce@rhel7: 82323-7
++
+ {{{ complete_ocil_entry_sebool_disabled(sebool="selinuxuser_udp_server") }}}
+diff --git a/linux_os/guide/system/selinux/selinux-booleans/sebool_selinuxuser_use_ssh_chroot/rule.yml b/linux_os/guide/system/selinux/selinux-booleans/sebool_selinuxuser_use_ssh_chroot/rule.yml
+index 062b060180..f2005f056c 100644
+--- a/linux_os/guide/system/selinux/selinux-booleans/sebool_selinuxuser_use_ssh_chroot/rule.yml
++++ b/linux_os/guide/system/selinux/selinux-booleans/sebool_selinuxuser_use_ssh_chroot/rule.yml
+@@ -13,4 +13,7 @@ rationale: ""
+
+ severity: medium
+
++identifiers:
++ cce@rhel7: 82324-5
++
+ {{{ complete_ocil_entry_sebool_disabled(sebool="selinuxuser_use_ssh_chroot") }}}
+diff --git a/linux_os/guide/system/selinux/selinux-booleans/sebool_ssh_chroot_rw_homedirs/rule.yml b/linux_os/guide/system/selinux/selinux-booleans/sebool_ssh_chroot_rw_homedirs/rule.yml
+index 1a3dd18dce..64085cfd8b 100644
+--- a/linux_os/guide/system/selinux/selinux-booleans/sebool_ssh_chroot_rw_homedirs/rule.yml
++++ b/linux_os/guide/system/selinux/selinux-booleans/sebool_ssh_chroot_rw_homedirs/rule.yml
+@@ -13,4 +13,7 @@ rationale: ""
+
+ severity: medium
+
++identifiers:
++ cce@rhel7: 82325-2
++
+ {{{ complete_ocil_entry_sebool_disabled(sebool="ssh_chroot_rw_homedirs") }}}
+diff --git a/linux_os/guide/system/selinux/selinux-booleans/sebool_ssh_keysign/rule.yml b/linux_os/guide/system/selinux/selinux-booleans/sebool_ssh_keysign/rule.yml
+index 5ed8effd7f..ea48425f03 100644
+--- a/linux_os/guide/system/selinux/selinux-booleans/sebool_ssh_keysign/rule.yml
++++ b/linux_os/guide/system/selinux/selinux-booleans/sebool_ssh_keysign/rule.yml
+@@ -13,4 +13,7 @@ rationale: ""
+
+ severity: medium
+
++identifiers:
++ cce@rhel7: 82326-0
++
+ {{{ complete_ocil_entry_sebool_disabled(sebool="ssh_keysign") }}}
+diff --git a/linux_os/guide/system/selinux/selinux-booleans/sebool_ssh_sysadm_login/rule.yml b/linux_os/guide/system/selinux/selinux-booleans/sebool_ssh_sysadm_login/rule.yml
+index 26db5e0b28..6a4f49c410 100644
+--- a/linux_os/guide/system/selinux/selinux-booleans/sebool_ssh_sysadm_login/rule.yml
++++ b/linux_os/guide/system/selinux/selinux-booleans/sebool_ssh_sysadm_login/rule.yml
+@@ -16,4 +16,7 @@ references:
+
+ severity: medium
+
++identifiers:
++ cce@rhel7: 82327-8
++
+ {{{ complete_ocil_entry_sebool_disabled(sebool="ssh_sysadm_login") }}}
+diff --git a/linux_os/guide/system/selinux/selinux-booleans/sebool_staff_exec_content/rule.yml b/linux_os/guide/system/selinux/selinux-booleans/sebool_staff_exec_content/rule.yml
+index deddaa989f..473fe953fe 100644
+--- a/linux_os/guide/system/selinux/selinux-booleans/sebool_staff_exec_content/rule.yml
++++ b/linux_os/guide/system/selinux/selinux-booleans/sebool_staff_exec_content/rule.yml
+@@ -13,4 +13,7 @@ rationale: ""
+
+ severity: medium
+
++identifiers:
++ cce@rhel7: 82328-6
++
+ {{{ complete_ocil_entry_sebool_enabled(sebool="staff_exec_content") }}}
+diff --git a/linux_os/guide/system/selinux/selinux-booleans/sebool_sysadm_exec_content/rule.yml b/linux_os/guide/system/selinux/selinux-booleans/sebool_sysadm_exec_content/rule.yml
+index 63c36e8822..65c3d85d62 100644
+--- a/linux_os/guide/system/selinux/selinux-booleans/sebool_sysadm_exec_content/rule.yml
++++ b/linux_os/guide/system/selinux/selinux-booleans/sebool_sysadm_exec_content/rule.yml
+@@ -13,4 +13,7 @@ rationale: ""
+
+ severity: medium
+
++identifiers:
++ cce@rhel7: 82329-4
++
+ {{{ complete_ocil_entry_sebool_enabled(sebool="sysadm_exec_content") }}}
+diff --git a/linux_os/guide/system/selinux/selinux-booleans/sebool_unconfined_login/rule.yml b/linux_os/guide/system/selinux/selinux-booleans/sebool_unconfined_login/rule.yml
+index de1f78e8dc..88a8b842af 100644
+--- a/linux_os/guide/system/selinux/selinux-booleans/sebool_unconfined_login/rule.yml
++++ b/linux_os/guide/system/selinux/selinux-booleans/sebool_unconfined_login/rule.yml
+@@ -13,4 +13,7 @@ rationale: ""
+
+ severity: medium
+
++identifiers:
++ cce@rhel7: 82330-2
++
+ {{{ complete_ocil_entry_sebool_enabled(sebool="unconfined_login") }}}
+diff --git a/linux_os/guide/system/selinux/selinux-booleans/sebool_use_ecryptfs_home_dirs/rule.yml b/linux_os/guide/system/selinux/selinux-booleans/sebool_use_ecryptfs_home_dirs/rule.yml
+index 9d51a610ca..6e5983fd3a 100644
+--- a/linux_os/guide/system/selinux/selinux-booleans/sebool_use_ecryptfs_home_dirs/rule.yml
++++ b/linux_os/guide/system/selinux/selinux-booleans/sebool_use_ecryptfs_home_dirs/rule.yml
+@@ -13,4 +13,7 @@ rationale: ""
+
+ severity: medium
+
++identifiers:
++ cce@rhel7: 82331-0
++
+ {{{ complete_ocil_entry_sebool_disabled(sebool="use_ecryptfs_home_dirs") }}}
+diff --git a/linux_os/guide/system/selinux/selinux-booleans/sebool_user_exec_content/rule.yml b/linux_os/guide/system/selinux/selinux-booleans/sebool_user_exec_content/rule.yml
+index 5c32b74fab..394b49cade 100644
+--- a/linux_os/guide/system/selinux/selinux-booleans/sebool_user_exec_content/rule.yml
++++ b/linux_os/guide/system/selinux/selinux-booleans/sebool_user_exec_content/rule.yml
+@@ -13,4 +13,7 @@ rationale: ""
+
+ severity: medium
+
++identifiers:
++ cce@rhel7: 82332-8
++
+ {{{ complete_ocil_entry_sebool_enabled(sebool="user_exec_content") }}}
+diff --git a/linux_os/guide/system/selinux/selinux-booleans/sebool_xdm_bind_vnc_tcp_port/rule.yml b/linux_os/guide/system/selinux/selinux-booleans/sebool_xdm_bind_vnc_tcp_port/rule.yml
+index d39d6eb97d..19a1ee23cc 100644
+--- a/linux_os/guide/system/selinux/selinux-booleans/sebool_xdm_bind_vnc_tcp_port/rule.yml
++++ b/linux_os/guide/system/selinux/selinux-booleans/sebool_xdm_bind_vnc_tcp_port/rule.yml
+@@ -13,4 +13,7 @@ rationale: ""
+
+ severity: medium
+
++identifiers:
++ cce@rhel7: 82333-6
++
+ {{{ complete_ocil_entry_sebool_disabled(sebool="xdm_bind_vnc_tcp_port") }}}
+diff --git a/linux_os/guide/system/selinux/selinux-booleans/sebool_xdm_exec_bootloader/rule.yml b/linux_os/guide/system/selinux/selinux-booleans/sebool_xdm_exec_bootloader/rule.yml
+index 52f90382e4..dca18f3744 100644
+--- a/linux_os/guide/system/selinux/selinux-booleans/sebool_xdm_exec_bootloader/rule.yml
++++ b/linux_os/guide/system/selinux/selinux-booleans/sebool_xdm_exec_bootloader/rule.yml
+@@ -13,4 +13,7 @@ rationale: ""
+
+ severity: medium
+
++identifiers:
++ cce@rhel7: 82334-4
++
+ {{{ complete_ocil_entry_sebool_disabled(sebool="xdm_exec_bootloader") }}}
+diff --git a/linux_os/guide/system/selinux/selinux-booleans/sebool_xdm_sysadm_login/rule.yml b/linux_os/guide/system/selinux/selinux-booleans/sebool_xdm_sysadm_login/rule.yml
+index 42acdebfbc..fed51e91ec 100644
+--- a/linux_os/guide/system/selinux/selinux-booleans/sebool_xdm_sysadm_login/rule.yml
++++ b/linux_os/guide/system/selinux/selinux-booleans/sebool_xdm_sysadm_login/rule.yml
+@@ -13,4 +13,7 @@ rationale: ""
+
+ severity: medium
+
++identifiers:
++ cce@rhel7: 82335-1
++
+ {{{ complete_ocil_entry_sebool_disabled(sebool="xdm_sysadm_login") }}}
+diff --git a/linux_os/guide/system/selinux/selinux-booleans/sebool_xdm_write_home/rule.yml b/linux_os/guide/system/selinux/selinux-booleans/sebool_xdm_write_home/rule.yml
+index c601c4ef66..fca878f48d 100644
+--- a/linux_os/guide/system/selinux/selinux-booleans/sebool_xdm_write_home/rule.yml
++++ b/linux_os/guide/system/selinux/selinux-booleans/sebool_xdm_write_home/rule.yml
+@@ -13,4 +13,7 @@ rationale: ""
+
+ severity: medium
+
++identifiers:
++ cce@rhel7: 82336-9
++
+ {{{ complete_ocil_entry_sebool_disabled(sebool="xdm_write_home") }}}
+diff --git a/linux_os/guide/system/selinux/selinux-booleans/sebool_xguest_connect_network/rule.yml b/linux_os/guide/system/selinux/selinux-booleans/sebool_xguest_connect_network/rule.yml
+index da71e2e0aa..0d6c2be3d8 100644
+--- a/linux_os/guide/system/selinux/selinux-booleans/sebool_xguest_connect_network/rule.yml
++++ b/linux_os/guide/system/selinux/selinux-booleans/sebool_xguest_connect_network/rule.yml
+@@ -14,4 +14,7 @@ rationale: ""
+
+ severity: medium
+
++identifiers:
++ cce@rhel7: 82337-7
++
+ {{{ complete_ocil_entry_sebool_disabled(sebool="xguest_connect_network") }}}
+diff --git a/linux_os/guide/system/selinux/selinux-booleans/sebool_xguest_exec_content/rule.yml b/linux_os/guide/system/selinux/selinux-booleans/sebool_xguest_exec_content/rule.yml
+index 0713368404..4a94acd4bf 100644
+--- a/linux_os/guide/system/selinux/selinux-booleans/sebool_xguest_exec_content/rule.yml
++++ b/linux_os/guide/system/selinux/selinux-booleans/sebool_xguest_exec_content/rule.yml
+@@ -14,4 +14,7 @@ rationale: ""
+
+ severity: medium
+
++identifiers:
++ cce@rhel7: 82338-5
++
+ {{{ complete_ocil_entry_sebool_disabled(sebool="xguest_exec_content") }}}
+diff --git a/linux_os/guide/system/selinux/selinux-booleans/sebool_xguest_mount_media/rule.yml b/linux_os/guide/system/selinux/selinux-booleans/sebool_xguest_mount_media/rule.yml
+index 171b21bb76..a106a6e148 100644
+--- a/linux_os/guide/system/selinux/selinux-booleans/sebool_xguest_mount_media/rule.yml
++++ b/linux_os/guide/system/selinux/selinux-booleans/sebool_xguest_mount_media/rule.yml
+@@ -14,4 +14,7 @@ rationale: ""
+
+ severity: medium
+
++identifiers:
++ cce@rhel7: 82339-3
++
+ {{{ complete_ocil_entry_sebool_disabled(sebool="xguest_mount_media") }}}
+diff --git a/linux_os/guide/system/selinux/selinux-booleans/sebool_xguest_use_bluetooth/rule.yml b/linux_os/guide/system/selinux/selinux-booleans/sebool_xguest_use_bluetooth/rule.yml
+index 28ef740608..9162facb68 100644
+--- a/linux_os/guide/system/selinux/selinux-booleans/sebool_xguest_use_bluetooth/rule.yml
++++ b/linux_os/guide/system/selinux/selinux-booleans/sebool_xguest_use_bluetooth/rule.yml
+@@ -14,4 +14,7 @@ rationale: ""
+
+ severity: medium
+
++identifiers:
++ cce@rhel7: 82340-1
++
+ {{{ complete_ocil_entry_sebool_disabled(sebool="xguest_use_bluetooth") }}}
+diff --git a/linux_os/guide/system/selinux/selinux-booleans/sebool_xserver_clients_write_xshm/rule.yml b/linux_os/guide/system/selinux/selinux-booleans/sebool_xserver_clients_write_xshm/rule.yml
+index 793bca2fab..954456203c 100644
+--- a/linux_os/guide/system/selinux/selinux-booleans/sebool_xserver_clients_write_xshm/rule.yml
++++ b/linux_os/guide/system/selinux/selinux-booleans/sebool_xserver_clients_write_xshm/rule.yml
+@@ -13,4 +13,7 @@ rationale: ""
+
+ severity: medium
+
++identifiers:
++ cce@rhel7: 82341-9
++
+ {{{ complete_ocil_entry_sebool_disabled(sebool="xserver_clients_write_xshm") }}}
+diff --git a/linux_os/guide/system/selinux/selinux-booleans/sebool_xserver_execmem/rule.yml b/linux_os/guide/system/selinux/selinux-booleans/sebool_xserver_execmem/rule.yml
+index 2f73f30596..cc4ccc0342 100644
+--- a/linux_os/guide/system/selinux/selinux-booleans/sebool_xserver_execmem/rule.yml
++++ b/linux_os/guide/system/selinux/selinux-booleans/sebool_xserver_execmem/rule.yml
+@@ -13,4 +13,7 @@ rationale: ""
+
+ severity: medium
+
++identifiers:
++ cce@rhel7: 82342-7
++
+ {{{ complete_ocil_entry_sebool_disabled(sebool="xserver_execmem") }}}
+diff --git a/linux_os/guide/system/selinux/selinux-booleans/sebool_xserver_object_manager/rule.yml b/linux_os/guide/system/selinux/selinux-booleans/sebool_xserver_object_manager/rule.yml
+index 31c10d6459..2f4bc25fe3 100644
+--- a/linux_os/guide/system/selinux/selinux-booleans/sebool_xserver_object_manager/rule.yml
++++ b/linux_os/guide/system/selinux/selinux-booleans/sebool_xserver_object_manager/rule.yml
+@@ -13,4 +13,7 @@ rationale: ""
+
+ severity: medium
+
++identifiers:
++ cce@rhel7: 82346-8
++
+ {{{ complete_ocil_entry_sebool_disabled(sebool="xserver_object_manager") }}}
+From 7f41b550251afb65fec04a1ada7a59432816fa52 Mon Sep 17 00:00:00 2001
+From: Milan Lysonek
+Date: Wed, 30 Oct 2019 15:49:44 +0100
+Subject: [PATCH 2/5] Add missing CCEs to rules from rhelh-stig profile.
+
+---
+ .../guide/system/software/gnome/package_gdm_removed/rule.yml | 3 +++
+ .../guide/system/software/sudo/sudo_vdsm_nopasswd/rule.yml | 3 +++
+ 3 files changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/linux_os/guide/system/software/gnome/package_gdm_removed/rule.yml b/linux_os/guide/system/software/gnome/package_gdm_removed/rule.yml
+index 012dbebb38..57b3c00454 100644
+--- a/linux_os/guide/system/software/gnome/package_gdm_removed/rule.yml
++++ b/linux_os/guide/system/software/gnome/package_gdm_removed/rule.yml
+@@ -18,6 +18,9 @@ rationale: |-
+
+ severity: medium
+
++identifiers:
++ cce@rhel7: 82348-4
++
+ references:
+ nist: AC-17(8).1(ii)
+ srg: SRG-OS-000480-GPOS-00227
+diff --git a/linux_os/guide/system/software/sudo/sudo_vdsm_nopasswd/rule.yml b/linux_os/guide/system/software/sudo/sudo_vdsm_nopasswd/rule.yml
+index 0f20412886..3dbf1b4499 100644
+--- a/linux_os/guide/system/software/sudo/sudo_vdsm_nopasswd/rule.yml
++++ b/linux_os/guide/system/software/sudo/sudo_vdsm_nopasswd/rule.yml
+@@ -16,6 +16,9 @@ rationale: |-
+
+ severity: medium
+
++identifiers:
++ cce@rhel7: 82349-2
++
+ ocil_clause: 'nopasswd is set for any users beyond vdsm'
+
+ ocil: |-
+diff --git
From 9bd0bbf84484fa02c1c53953aa48bb01bed41663 Mon Sep 17 00:00:00 2001 +From: Milan Lysonek +Date: Wed, 30 Oct 2019 15:54:44 +0100 +Subject: [PATCH 3/5] Add missing CCEs to rules from anssi_nt28_high profile. + +--- + .../services/deprecated/package_telnetd_removed/rule.yml | 3 +++ + .../system/bootloader-grub2/grub2_enable_iommu_force/rule.yml | 3 +++ + .../permissions/files/file_permissions_systemmap/rule.yml | 3 +++ + .../software/disk_partitioning/partition_for_var_tmp/rule.yml | 3 +++ + 5 files changed, 12 insertions(+), 4 deletions(-) + +diff --git a/linux_os/guide/services/deprecated/package_telnetd_removed/rule.yml b/linux_os/guide/services/deprecated/package_telnetd_removed/rule.yml +index a08170f2c4..bdbbe8437a 100644 +--- a/linux_os/guide/services/deprecated/package_telnetd_removed/rule.yml ++++ b/linux_os/guide/services/deprecated/package_telnetd_removed/rule.yml +@@ -8,6 +8,9 @@ rationale: 'telnet allows clear text communications, and does not protect any da + + severity: high + ++identifiers: ++ cce@rhel7: 82352-6 ++ + references: + anssi: NT007(R03) + nist: AC-17(8),CM-7 +diff --git a/linux_os/guide/system/bootloader-grub2/grub2_enable_iommu_force/rule.yml b/linux_os/guide/system/bootloader-grub2/grub2_enable_iommu_force/rule.yml +index 785ebe4a69..baade9c13e 100644 +--- a/linux_os/guide/system/bootloader-grub2/grub2_enable_iommu_force/rule.yml ++++ b/linux_os/guide/system/bootloader-grub2/grub2_enable_iommu_force/rule.yml +@@ -12,5 +12,8 @@ rationale: |- + + severity: unknown + ++identifiers: ++ cce@rhel7: 82351-8 ++ + references: + anssi: NT28(R11) +diff --git a/linux_os/guide/system/permissions/files/file_permissions_systemmap/rule.yml b/linux_os/guide/system/permissions/files/file_permissions_systemmap/rule.yml +index 0cf14df579..3c313824d3 100644 +--- a/linux_os/guide/system/permissions/files/file_permissions_systemmap/rule.yml ++++ b/linux_os/guide/system/permissions/files/file_permissions_systemmap/rule.yml +@@ -13,6 +13,9 @@ rationale: |- + + 
severity: unknown + ++identifiers: ++ cce@rhel7: 82350-0 ++ + references: + anssi: NT28(R13) + +diff --git a/linux_os/guide/system/software/disk_partitioning/partition_for_var_tmp/rule.yml b/linux_os/guide/system/software/disk_partitioning/partition_for_var_tmp/rule.yml +index 32a15afc45..65d7d8060b 100644 +--- a/linux_os/guide/system/software/disk_partitioning/partition_for_var_tmp/rule.yml ++++ b/linux_os/guide/system/software/disk_partitioning/partition_for_var_tmp/rule.yml +@@ -16,6 +16,9 @@ rationale: |- + + severity: low + ++identifiers: ++ cce@rhel7: 82353-4 ++ + references: + cis: 1.1.7 + anssi: NT28(R12) +From fd0aee12ebdced5f1d0507cd7ee1a8a0a470c401 Mon Sep 17 00:00:00 2001 +From: Milan Lysonek +Date: Wed, 30 Oct 2019 15:57:35 +0100 +Subject: [PATCH 4/5] Add missing CCEs to rules from C2S profile. + +--- + .../services/ssh/ssh_server/sshd_set_max_auth_tries/rule.yml | 3 +++ + 2 files changed, 3 insertions(+), 1 deletion(-) + +diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/rule.yml +index 2a20218c3c..9bdc4bb57a 100644 +--- a/linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/rule.yml ++++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/rule.yml +@@ -14,6 +14,9 @@ rationale: |- + + severity: medium + ++identifiers: ++ cce@rhel7: 82354-2 ++ + references: + cis@debian8: 9.3.5 + cis@rhel7: 5.2.5 +From aa2b6ca11b84700b1b0c4a9d034cd33b594ebdbe Mon Sep 17 00:00:00 2001 +From: Milan Lysonek +Date: Wed, 30 Oct 2019 16:00:18 +0100 +Subject: [PATCH 5/5] Add missing CCEs to rules from e8 profile. 
+ +--- + .../ssh/ssh_server/sshd_use_strong_ciphers/rule.yml | 3 +++ + .../services/ssh/ssh_server/sshd_use_strong_macs/rule.yml | 3 +++ + .../audit_rules_execution_seunshare/rule.yml | 1 + + .../auditd_freq/rule.yml | 1 + + .../auditd_local_events/rule.yml | 1 + + .../auditd_log_format/rule.yml | 1 + + .../auditd_name_format/rule.yml | 1 + + .../auditd_write_logs/rule.yml | 1 + + 9 files changed, 12 insertions(+), 8 deletions(-) + +diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_ciphers/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_ciphers/rule.yml +index 39e87e86bf..d4b61cedb9 100644 +--- a/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_ciphers/rule.yml ++++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_ciphers/rule.yml +@@ -23,6 +23,9 @@ rationale: |- + + severity: medium + ++identifiers: ++ cce@rhel7: 82363-3 ++ + references: + cis@debian: 9.3.11 + +diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_macs/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_macs/rule.yml +index 16259017d8..7f0d75c53d 100644 +--- a/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_macs/rule.yml ++++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_macs/rule.yml +@@ -19,6 +19,9 @@ rationale: |- + + severity: medium + ++identifiers: ++ cce@rhel7: 82364-1 ++ + ocil_clause: 'MACs option is commented out or not using strong hash algorithms' + + ocil: |- +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_seunshare/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_seunshare/rule.yml +index 1d25819675..ae64febdf5 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_seunshare/rule.yml ++++ 
b/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_seunshare/rule.yml +@@ -31,6 +31,7 @@ rationale: |- + severity: medium + + identifiers: ++ cce@rhel7: 82362-5 + cce@rhel8: 80933-5 + + references: +diff --git a/linux_os/guide/system/auditing/auditd_freq/rule.yml b/linux_os/guide/system/auditing/auditd_freq/rule.yml +index b0a89910f1..38a356dad9 100644 +--- a/linux_os/guide/system/auditing/auditd_freq/rule.yml ++++ b/linux_os/guide/system/auditing/auditd_freq/rule.yml +@@ -15,6 +15,7 @@ rationale: |- + severity: medium + + identifiers: ++ cce@rhel7: 82358-3 + cce@rhel8: 82258-5 + + references: +diff --git a/linux_os/guide/system/auditing/auditd_local_events/rule.yml b/linux_os/guide/system/auditing/auditd_local_events/rule.yml +index 9d24add817..3db55f6594 100644 +--- a/linux_os/guide/system/auditing/auditd_local_events/rule.yml ++++ b/linux_os/guide/system/auditing/auditd_local_events/rule.yml +@@ -14,6 +14,7 @@ rationale: |- + severity: medium + + identifiers: ++ cce@rhel7: 82355-9 + cce@rhel8: 82233-8 + + references: +diff --git a/linux_os/guide/system/auditing/auditd_log_format/rule.yml b/linux_os/guide/system/auditing/auditd_log_format/rule.yml +index a10e86113d..75c63e1d5b 100644 +--- a/linux_os/guide/system/auditing/auditd_log_format/rule.yml ++++ b/linux_os/guide/system/auditing/auditd_log_format/rule.yml +@@ -15,6 +15,7 @@ rationale: |- + severity: medium + + identifiers: ++ cce@rhel7: 82357-5 + cce@rhel8: 82201-5 + + references: +diff --git a/linux_os/guide/system/auditing/auditd_name_format/rule.yml b/linux_os/guide/system/auditing/auditd_name_format/rule.yml +index fecae8163f..6673dd050c 100644 +--- a/linux_os/guide/system/auditing/auditd_name_format/rule.yml ++++ b/linux_os/guide/system/auditing/auditd_name_format/rule.yml +@@ -16,6 +16,7 @@ rationale: |- + severity: medium + + identifiers: ++ cce@rhel7: 82359-1 + cce@rhel8: 82897-0 + + references: +diff --git 
a/linux_os/guide/system/auditing/auditd_write_logs/rule.yml b/linux_os/guide/system/auditing/auditd_write_logs/rule.yml +index 2f2d0fa258..261bee9695 100644 +--- a/linux_os/guide/system/auditing/auditd_write_logs/rule.yml ++++ b/linux_os/guide/system/auditing/auditd_write_logs/rule.yml +@@ -14,6 +14,7 @@ rationale: |- + severity: medium + + identifiers: ++ cce@rhel7: 82356-7 + cce@rhel8: 82366-6 + + references: diff --git a/SOURCES/scap-security-guide-0.1.47-improve_bash_based_on_shellcheck.patch b/SOURCES/scap-security-guide-0.1.47-improve_bash_based_on_shellcheck.patch new file mode 100644 index 0000000..e4e6775 --- /dev/null +++ b/SOURCES/scap-security-guide-0.1.47-improve_bash_based_on_shellcheck.patch 
@@ -0,0 +1,172 @@
+From 7014c398140eb02e651639e22b85c0b9e91938fd Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?=
+Date: Tue, 3 Sep 2019 14:02:02 +0200
+Subject: [PATCH] Improved Bash code based on shellcheck feedback.
+
+* Quote `find` glob, arguments, so they are protected from the shell.
+* Quote the whole `awk` command, so shellcheck is not confused by unquoted curly braces.
+* Fix a typo of `file_to_inspect` vs `files_to_inspect`.
+* Made vars expansion explicit when they are followed by square brackets,
+ i.e. `$x[[:space:]]` to `${x}[[:space:]]`
+* Separated `local` declarations from assignments using subsells.
+ `local` shadows the subshell return code in those cases.
+* Removed `local` from the Jinja macro, as there is no function there.
+* Changed `sed` separator in `FSTAB_TARGET_ROW` definition to `|`, got rid of `TARGET_ESCAPED`.
+* Double-quoted backslashes in double quotes.
+* Commented out unused def of `TARGET_OPTS`.
+---
+ .../audit_rules_immutable/bash/shared.sh | 2 +-
+ .../audit_rules_system_shutdown/bash/shared.sh | 2 +-
+ .../dir_perms_world_writable_sticky_bits/bash/shared.sh | 2 +-
+ .../bash/rhel6.sh | 9 +++------
+ .../bash_remediation_functions/fix_audit_syscall_rule.sh | 2 +-
+ .../include_mount_options_functions.sh | 2 +-
+ ...form_audit_adjtimex_settimeofday_stime_remediation.sh | 2 +-
+ shared/bash_remediation_functions/service_command.sh | 4 +++-
+ shared/macros-bash.jinja | 4 ++--
+ 9 files changed, 14 insertions(+), 15 deletions(-)
+
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_immutable/bash/shared.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_immutable/bash/shared.sh
+index ce411358a7..20282296d7 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_immutable/bash/shared.sh
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_immutable/bash/shared.sh
+@@ -8,7 +8,7 @@
+ # files to check if '-e .*' setting is present in that '*.rules' file already.
+ # If found, delete such occurrence since auditctl(8) manual page instructs the
+ # '-e 2' rule should be placed as the last rule in the configuration
+-find /etc/audit /etc/audit/rules.d -maxdepth 1 -type f -name *.rules -exec sed -i '/-e[[:space:]]\+.*/d' {} ';'
++find /etc/audit /etc/audit/rules.d -maxdepth 1 -type f -name '*.rules' -exec sed -i '/-e[[:space:]]\+.*/d' {} ';'
+
+ # Append '-e 2' requirement at the end of both:
+ # * /etc/audit/audit.rules file (for auditctl case)
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/bash/shared.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/bash/shared.sh
+index 58047353cf..1c9748ce9b 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/bash/shared.sh
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/bash/shared.sh
+@@ -8,7 +8,7 @@
+ # files to check if '-f .*' setting is present in that '*.rules' file already.
+ # If found, delete such occurrence since auditctl(8) manual page instructs the
+ # '-f 2' rule should be placed as the last rule in the configuration
+-find /etc/audit /etc/audit/rules.d -maxdepth 1 -type f -name *.rules -exec sed -i '/-e[[:space:]]\+.*/d' {} ';'
++find /etc/audit /etc/audit/rules.d -maxdepth 1 -type f -name '*.rules' -exec sed -i '/-e[[:space:]]\+.*/d' {} ';'
+
+ # Append '-f 2' requirement at the end of both:
+ # * /etc/audit/audit.rules file (for auditctl case)
+diff --git a/linux_os/guide/system/permissions/files/dir_perms_world_writable_sticky_bits/bash/shared.sh b/linux_os/guide/system/permissions/files/dir_perms_world_writable_sticky_bits/bash/shared.sh
+index 57b1ef0198..150244d4cd 100644
+--- a/linux_os/guide/system/permissions/files/dir_perms_world_writable_sticky_bits/bash/shared.sh
++++ b/linux_os/guide/system/permissions/files/dir_perms_world_writable_sticky_bits/bash/shared.sh
+@@ -1,5 +1,5 @@
+ # platform = multi_platform_rhel
+-df --local -P | awk {'if (NR!=1) print $6'} \
++df --local -P | awk '{if (NR!=1) print $6}' \
+ | xargs -I '{}' find '{}' -xdev -type d \
+ \( -perm -0002 -a ! -perm -1000 \) 2>/dev/null \
+ | xargs chmod a+t
+diff --git a/linux_os/guide/system/permissions/partitions/mount_option_nodev_nonroot_local_partitions/bash/rhel6.sh b/linux_os/guide/system/permissions/partitions/mount_option_nodev_nonroot_local_partitions/bash/rhel6.sh
+index 609658410a..0e56752ae4 100644
+--- a/linux_os/guide/system/permissions/partitions/mount_option_nodev_nonroot_local_partitions/bash/rhel6.sh
++++ b/linux_os/guide/system/permissions/partitions/mount_option_nodev_nonroot_local_partitions/bash/rhel6.sh
+@@ -44,23 +44,20 @@ do
+ MOUNT_OPTIONS="$MOUNT_OPTIONS,nodev"
+ fi
+
+- # Escape possible slash ('/') characters in target for use as sed
+- # expression below
+- TARGET_ESCAPED=${TARGET//$'/'/$'\/'}
+ # This target doesn't contain 'nodev' in mount options yet (and meets
+ # the above filtering criteria). Therefore obtain particular /etc/fstab's
+ # row into FSTAB_TARGET_ROW variable separating the mount options field with
+ # hash '#' character
+- FSTAB_TARGET_ROW=$(sed -n "s/\(.*$TARGET_ESCAPED[$SP]\+$FSTYPE[$SP]\+\)\([^$SP]\+\)/\1#\2#/p" /etc/fstab)
++ FSTAB_TARGET_ROW=$(sed -n "s|\\(.*${TARGET}[$SP]\\+${FSTYPE}[$SP]\\+\\)\\([^$SP]\\+\\)|\\1#\\2#|p" /etc/fstab)
+ # Split the retrieved value by the hash '#' delimiter to get the
+ # row's head & tail (i.e. columns other than mount options) which won't
+ # get modified
+ TARGET_HEAD=$(cut -f 1 -d '#' <<< "$FSTAB_TARGET_ROW")
+- TARGET_OPTS=$(cut -f 2 -d '#' <<< "$FSTAB_TARGET_ROW")
++ # TARGET_OPTS=$(cut -f 2 -d '#' <<< "$FSTAB_TARGET_ROW")
+ TARGET_TAIL=$(cut -f 3 -d '#' <<< "$FSTAB_TARGET_ROW")
+ # Replace old mount options for particular /etc/fstab's row (for this target
+ # and fstype) with new mount options
+- sed -i "s#${TARGET_HEAD}\(.*\)${TARGET_TAIL}#${TARGET_HEAD}${MOUNT_OPTIONS}${TARGET_TAIL}#" /etc/fstab
++ sed -i "s|${TARGET_HEAD}\(.*\)${TARGET_TAIL}|${TARGET_HEAD}${MOUNT_OPTIONS}${TARGET_TAIL}|" /etc/fstab
+ fi
+ fi
+ done
+diff --git a/shared/bash_remediation_functions/fix_audit_syscall_rule.sh b/shared/bash_remediation_functions/fix_audit_syscall_rule.sh
+index 0bb5ad2ef4..25f80fe30b 100644
+--- a/shared/bash_remediation_functions/fix_audit_syscall_rule.sh
++++ b/shared/bash_remediation_functions/fix_audit_syscall_rule.sh
+@@ -95,7 +95,7 @@ then
+ if [ ${#files_to_inspect[@]} -eq "0" ]
+ then
+ file_to_inspect="/etc/audit/rules.d/$key.rules"
+- files_to_inspect=("$files_to_inspect")
++ files_to_inspect=("$file_to_inspect")
+ if [ ! -e "$file_to_inspect" ]
+ then
+ touch "$file_to_inspect"
+diff --git a/shared/bash_remediation_functions/include_mount_options_functions.sh b/shared/bash_remediation_functions/include_mount_options_functions.sh
+index 8467b01628..392367dc05 100644
+--- a/shared/bash_remediation_functions/include_mount_options_functions.sh
++++ b/shared/bash_remediation_functions/include_mount_options_functions.sh
+@@ -8,7 +8,7 @@ function include_mount_options_functions {
+ # $4: mount type of new mount point (used when adding new entry in fstab)
+ function ensure_mount_option_for_vfstype {
+ local _vfstype="$1" _new_opt="$2" _filesystem=$3 _type=$4 _vfstype_points=()
+- readarray -t _vfstype_points < <(grep -E "[[:space:]]$_vfstype[[:space:]]" /etc/fstab | awk '{print $2}')
++ readarray -t _vfstype_points < <(grep -E "[[:space:]]${_vfstype}[[:space:]]" /etc/fstab | awk '{print $2}')
+
+ for _vfstype_point in "${_vfstype_points[@]}"
+ do
+diff --git a/shared/bash_remediation_functions/perform_audit_adjtimex_settimeofday_stime_remediation.sh b/shared/bash_remediation_functions/perform_audit_adjtimex_settimeofday_stime_remediation.sh
+index 8d2f357c0c..be1425b454 100644
+--- a/shared/bash_remediation_functions/perform_audit_adjtimex_settimeofday_stime_remediation.sh
++++ b/shared/bash_remediation_functions/perform_audit_adjtimex_settimeofday_stime_remediation.sh
+@@ -14,7 +14,7 @@ source fix_audit_syscall_rule.sh
+ function perform_audit_adjtimex_settimeofday_stime_remediation {
+
+ # Retrieve hardware architecture of the underlying system
+-[ $(getconf LONG_BIT) = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64")
++[ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64")
+
+ for ARCH in "${RULE_ARCHS[@]}"
+ do
+diff --git a/shared/bash_remediation_functions/service_command.sh b/shared/bash_remediation_functions/service_command.sh
+index feb8a9648f..e1eb18cd95 100644
+--- a/shared/bash_remediation_functions/service_command.sh
++++ b/shared/bash_remediation_functions/service_command.sh
+@@ -13,7 +13,9 @@ function service_command {
+ # Load function arguments into local variables
+ local service_state=$1
+ local service=$2
+-local xinetd=$(echo $3 | cut -d'=' -f2)
++local xinetd
++
++xinetd=$(echo $3 | cut -d = -f 2)
+
+ # Check sanity of the input
+ if [ $# -lt "2" ]
+diff --git a/shared/macros-bash.jinja b/shared/macros-bash.jinja
+index 135531991a..969989e59f 100644
+--- a/shared/macros-bash.jinja
++++ b/shared/macros-bash.jinja
+@@ -173,7 +173,7 @@ printf '%s\n' "{{{ line }}}" > "{{{ path }}}"
+ cat "{{{ path }}}.bak" >> "{{{ path }}}"
+ {{%- elif insert_after %}}
+ # Insert after the line matching the regex '{{{ insert_after }}}'
+-local line_number="$(LC_ALL=C grep -n "{{{ insert_after }}}" "{{{ path }}}.bak" | LC_ALL=C sed 's/:.*//g')"
++line_number="$(LC_ALL=C grep -n "{{{ insert_after }}}" "{{{ path }}}.bak" | LC_ALL=C sed 's/:.*//g')"
+ if [ -z "$line_number" ]; then
+ # There was no match of '{{{ insert_after }}}', insert at
+ # the end of the file.
+@@ -185,7 +185,7 @@ else
+ fi
+ {{%- elif insert_before %}}
+ # Insert before the line matching the regex '{{{ insert_before }}}'.
+-local line_number="$(LC_ALL=C grep -n "{{{ insert_before }}}" "{{{ path }}}.bak" | LC_ALL=C sed 's/:.*//g')"
++line_number="$(LC_ALL=C grep -n "{{{ insert_before }}}" "{{{ path }}}.bak" | LC_ALL=C sed 's/:.*//g')"
+ if [ -z "$line_number" ]; then
+ # There was no match of '{{{ insert_before }}}', insert at
+ # the end of the file.
diff --git a/SOURCES/scap-security-guide-0.1.47-remove_directory_access_var_log_audit_from_ospp.patch b/SOURCES/scap-security-guide-0.1.47-remove_directory_access_var_log_audit_from_ospp.patch
new file mode 100644
index 0000000..d6b7bd2
--- /dev/null
+++ b/SOURCES/scap-security-guide-0.1.47-remove_directory_access_var_log_audit_from_ospp.patch
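Review bot: In audit_rules_system_shutdown/bash/shared.sh the newly quoted `find` line still runs `sed -i '/-e[[:space:]]\+.*/d'`, while the comments around it say the remediation removes any existing `-f .*` setting before appending `-f 2`; only the glob was touched, so the mismatch survives. As written it deletes `-e` lines — including the `-e 2` line that audit_rules_immutable (same patch) appends, if that remediation runs first — and leaves earlier `-f` lines in place, which defeats the ordering the comment is trying to enforce. Suggested: `find /etc/audit /etc/audit/rules.d -maxdepth 1 -type f -name '*.rules' -exec sed -i '/-f[[:space:]]\+.*/d' {} ';'`. Separately, in service_command.sh the new `xinetd=$(echo $3 | cut -d = -f 2)` still word-splits and glob-expands `$3`; `xinetd=$(echo "$3" | cut -d = -f 2)` matches the quoting applied elsewhere in this patch.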
@@ -0,0 +1,69 @@
+From d0f70c7a7383dd41277599cb776e03534aa2137c Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?=
+Date: Wed, 30 Oct 2019 18:11:09 +0100
+Subject: [PATCH 1/2] Remove audit_rules_for_ospp from RHEL 7 OSPP
+
+The audit rule `-a always,exit -F dir=/var/log/audit/
+-F perm=r -F auid>=1000 -F auid!=unset -F key=access-audit-trail
+is present in /usr/share/doc/audit-2.8.5/rules/30-ospp-v42.rules
+(checked on audit-2.8.5-4.el7.x86_64). That means this audir rule
+is already checked and remediated by rule `audit_rules_for_ospp`.
+---
+ rhel7/profiles/ospp.profile | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+diff --git a/rhel7/profiles/ospp.profile b/rhel7/profiles/ospp.profile
+index e20c58875d..81762ad782 100644
+--- a/rhel7/profiles/ospp.profile
++++ b/rhel7/profiles/ospp.profile
+@@ -285,13 +285,11 @@ selections:
+ ## AU-2(a) / FAU_GEN.1.1.c
+ ## Audit Kernel Module Loading and Unloading Events (Success/Failure)
+ ## AU-2(a) / FAU_GEN.1.1.c
+- - audit_rules_for_ospp
+-
+ ## Audit All Audit and Log Data Accesses (Success/Failure)
+ ## CNSSI 1253 Value or DoD-specific Values:
+ ## - Audit and log data access (Success/Failure)
+ ## AU-2(a) / FAU_GEN.1.1.c
+- - directory_access_var_log_audit
++ - audit_rules_for_ospp
+
+ ### SELinux Configuration
+
+From 0b822d21cdee7c7da136337a45e9c7136b7d576e Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?=
+Date: Thu, 31 Oct 2019 15:23:01 +0100
+Subject: [PATCH 2/2] Make comments the same
+
+---
+ rhel7/profiles/ospp.profile | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/rhel7/profiles/ospp.profile b/rhel7/profiles/ospp.profile
+index 81762ad782..a3168d51a7 100644
+--- a/rhel7/profiles/ospp.profile
++++ b/rhel7/profiles/ospp.profile
+@@ -278,6 +278,10 @@ selections:
+ ## CNSSI 1253 Value or DoD-specific Values:
+ ## - Privilege/Role escalation (Success/Failure)
+ ## AU-2(a) / FAU_GEN.1.1.c
++ ## Audit All Audit and Log Data Accesses (Success/Failure)
++ ## CNSSI 1253 Value or DoD-specific Values:
++ ## - Audit and log data access (Success/Failure)
++ ## AU-2(a) / FAU_GEN.1.1.c
+ ## Audit Cryptographic Verification of Software (Success/Failure)
+ ## CNSSI 1253 Value or DoD-specific Values:
+ ## - Applications (e.g. Firefox, Internet Explorer, MS Office Suite,
+@@ -285,10 +289,6 @@ selections:
+ ## AU-2(a) / FAU_GEN.1.1.c
+ ## Audit Kernel Module Loading and Unloading Events (Success/Failure)
+ ## AU-2(a) / FAU_GEN.1.1.c
+- ## Audit All Audit and Log Data Accesses (Success/Failure)
+- ## CNSSI 1253 Value or DoD-specific Values:
+- ## - Audit and log data access (Success/Failure)
+- ## AU-2(a) / FAU_GEN.1.1.c
+ - audit_rules_for_ospp
+
+
diff --git a/SOURCES/scap-security-guide-0.1.47-remove_shell_module_from_playbooks.patch b/SOURCES/scap-security-guide-0.1.47-remove_shell_module_from_playbooks.patch
new file mode 100644
index 0000000..e118819
--- /dev/null
+++ b/SOURCES/scap-security-guide-0.1.47-remove_shell_module_from_playbooks.patch
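Review bot: Dropping directory_access_var_log_audit leaves read access to /var/log/audit covered only through audit_rules_for_ospp, whose coverage (per the commit message) comes from the 30-ospp-v42.rules file shipped in audit-2.8.5; nothing in the profile records that dependency, so on a host with an older audit package the check silently disappears rather than failing. A one-line note beside the selection would keep that visible to profile maintainers, e.g. `## Read access to /var/log/audit is covered by audit_rules_for_ospp via 30-ospp-v42.rules (audit >= 2.8.5)`. Whether the OVAL behind audit_rules_for_ospp verifies the rules file's content rather than only its presence is not visible here and is worth confirming before relying on it for the FAU_GEN.1.1.c mapping.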
@@ -0,0 +1,476 @@ +From 4995c390a22020454be6625f2bd63c1a04302043 Mon Sep 17 00:00:00 2001 +From: Gabe +Date: Fri, 30 Aug 2019 11:15:22 -0600 +Subject: [PATCH 1/5] Remove usage of the SHELL module or get rid of pipe usage + +--- + .../no_direct_root_logins/ansible/shared.yml | 10 ++++----- + .../ansible/shared.yml | 22 +++++++++---------- + .../ansible/shared.yml | 4 +--- + .../template_ANSIBLE_service_disabled | 14 +++++++----- + 4 files changed, 25 insertions(+), 25 deletions(-) + +diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/ansible/shared.yml +index 9049733c64..e9a29a24d5 100644 +--- a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/ansible/shared.yml ++++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/ansible/shared.yml +@@ -3,13 +3,13 @@ + # strategy = restrict + # complexity = low + # disruption = low +-- name: Test for existence /etc/cron.allow ++- name: Test for existence of /etc/securetty + stat: + path: /etc/securetty + register: securetty_empty + + - name: "Direct root Logins Not Allowed" +- shell: echo > /etc/securetty +- args: +- warn: False +- changed_when: securetty_empty.stat.size > 1 ++ copy: ++ dest: /etc/securetty ++ content: "" ++ when: securetty_empty.stat.size > 1 +diff --git a/linux_os/guide/system/accounts/accounts-session/root_paths/accounts_root_path_dirs_no_write/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-session/root_paths/accounts_root_path_dirs_no_write/ansible/shared.yml +index 3ec812835f..cee947e8cc 100644 +--- a/linux_os/guide/system/accounts/accounts-session/root_paths/accounts_root_path_dirs_no_write/ansible/shared.yml ++++ b/linux_os/guide/system/accounts/accounts-session/root_paths/accounts_root_path_dirs_no_write/ansible/shared.yml +@@ -3,27 +3,27 @@ + # strategy = 
restrict + # complexity = low + # disruption = medium +-- name: "Fail if user is not root" ++- name: "Print error message if user is not root" + fail: + msg: 'Root account required to read root $PATH' + when: ansible_user != "root" ++ ignore_errors: true + + - name: "Get root paths which are not symbolic links" +- shell: | +- set -o pipefail +- tr ":" "\n" <<< "$PATH" | xargs -I% find % -maxdepth 0 -type d +- args: +- warn: False +- executable: /bin/bash ++ stat: ++ path: "{{ item }}" + changed_when: False + failed_when: False + register: root_paths ++ with_items: "{{ ansible_env.PATH.split(':') }}" + when: ansible_user == "root" +- check_mode: no + + - name: "Disable writability to root directories" + file: +- path: "{{ item }}" ++ path: "{{ item.item }}" + mode: "g-w,o-w" +- with_items: "{{ root_paths.stdout_lines }}" +- when: root_paths.stdout_lines is defined ++ with_items: "{{ root_paths.results }}" ++ when: ++ - root_paths.results is defined ++ - item.stat.exists ++ - not item.stat.islnk +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/ansible/shared.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/ansible/shared.yml +index 7f958e0af5..9a8f91020c 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/ansible/shared.yml ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/ansible/shared.yml +@@ -5,9 +5,7 @@ + # disruption = low + + - name: Search for privileged commands +- shell: | +- set -o pipefail +- find / -xdev -type f -perm -4000 -o -type f -perm -2000 2>/dev/null | cat ++ shell: find / -xdev -type f -perm -4000 -o -type f -perm -2000 2>/dev/null + args: + warn: False + executable: /bin/bash +diff --git a/shared/templates/template_ANSIBLE_service_disabled 
b/shared/templates/template_ANSIBLE_service_disabled +index 69bf69aaea..07bb8fff0c 100644 +--- a/shared/templates/template_ANSIBLE_service_disabled ++++ b/shared/templates/template_ANSIBLE_service_disabled +@@ -4,9 +4,10 @@ + # complexity = low + # disruption = low + {{%- if init_system == "systemd" %}} +-- name: "Unit Service Exists" +- shell: systemctl list-unit-files | grep -q '^{{{ DAEMONNAME }}}.service' ++- name: "Unit Service Exists - {{{ DAEMONNAME }}}.service" ++ command: systemctl list-unit-files {{{ DAEMONNAME }}}.service + register: service_file_exists ++ changed_when: False + ignore_errors: True + + - name: Disable service {{{ SERVICENAME }}} +@@ -17,11 +18,12 @@ + {{%- if MASK_SERVICE %}} + masked: "yes" + {{%- endif %}} +- when: service_file_exists.rc == 0 ++ when: '"{{{ DAEMONNAME }}}.service" in service_file_exists.stdout_lines[1]' + +-- name: "Unit Socket Exists" +- shell: systemctl list-unit-files | grep -q '^{{{ DAEMONNAME }}}.socket' ++- name: "Unit Socket Exists - {{{ DAEMONNAME }}}.socket" ++ command: systemctl list-unit-files {{{ DAEMONNAME }}}.socket + register: socket_file_exists ++ changed_when: False + ignore_errors: True + + - name: Disable socket {{{ SERVICENAME }}} +@@ -32,7 +34,7 @@ + {{%- if MASK_SERVICE %}} + masked: "yes" + {{%- endif %}} +- when: socket_file_exists.rc == 0 ++ when: '"{{{ DAEMONNAME }}}.socket" in socket_file_exists.stdout_lines[1]' + + {{% elif init_system == "upstart" %}} + - name: Stop {{{ SERVICENAME }}} + +From e268f1e07192a5cf343b6ac36053553d1074bd3b Mon Sep 17 00:00:00 2001 +From: Gabe +Date: Fri, 30 Aug 2019 12:53:40 -0600 +Subject: [PATCH 2/5] Use command and mount module instead of shell + +- Fixes #4783 +--- + .../ansible/shared.yml | 20 ++++++++----------- + ...te_ANSIBLE_mount_option_remote_filesystems | 19 ++++++++---------- + 2 files changed, 16 insertions(+), 23 deletions(-) + +diff --git 
a/linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/mounting_remote_filesystems/mount_option_krb_sec_remote_filesystems/ansible/shared.yml b/linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/mounting_remote_filesystems/mount_option_krb_sec_remote_filesystems/ansible/shared.yml +index 506c3dee31..6982ce293e 100644 +--- a/linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/mounting_remote_filesystems/mount_option_krb_sec_remote_filesystems/ansible/shared.yml ++++ b/linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/mounting_remote_filesystems/mount_option_krb_sec_remote_filesystems/ansible/shared.yml +@@ -5,20 +5,16 @@ + # disruption = medium + + - name: "Get nfs and nfs4 mount points, that don't have Kerberos security option" +- shell: | +- set -o pipefail +- grep -E "[[:space:]]nfs[4]?[[:space:]]" /etc/fstab | grep -v "sec=krb5:krb5i:krb5p" | awk '{print $2}' +- args: +- warn: False +- executable: /bin/bash ++ command: findmnt --fstab --types nfs,nfs4 -O nosec=krb5:krb5i:krb5p -n -o TARGET + register: points_register + check_mode: no + changed_when: False + +-- name: "Add Kerberos security to mount points" +- shell: awk '$2=="{{ item }}"{$4=$4",sec=krb5:krb5i:krb5p"}1' /etc/fstab > fstab.tmp && mv fstab.tmp /etc/fstab +- args: +- warn: False +- with_items: +- - "{{ points_register.stdout_lines }}" ++- name: "Add Kerberos security to nfs and nfs4 mount points" ++ mount: ++ path: "{{ item.split()[0] }}" ++ src: "{{ item.split()[1] }}" ++ fstype: "{{ item.split()[2] }}" ++ state: mounted ++ opts: "{{ item.split()[3] }},sec=krb5:krb5i:krb5p" + when: (points_register.stdout | length > 0) +diff --git a/shared/templates/template_ANSIBLE_mount_option_remote_filesystems b/shared/templates/template_ANSIBLE_mount_option_remote_filesystems +index f89c1d7285..f3d6f02d82 100644 +--- a/shared/templates/template_ANSIBLE_mount_option_remote_filesystems ++++ b/shared/templates/template_ANSIBLE_mount_option_remote_filesystems +@@ -5,19 +5,16 @@ + 
# disruption = medium + + - name: "Get nfs and nfs4 mount points, that don't have {{{ MOUNTOPTION }}}" +- shell: | +- set -o pipefail +- grep -E "[[:space:]]nfs[4]?[[:space:]]" /etc/fstab | grep -v "{{{ MOUNTOPTION }}}" | awk '{print $2}' +- args: +- executable: /bin/bash ++ command: findmnt --fstab --types nfs,nfs4 -O no{{{ MOUNTOPTION }} -n + register: points_register + check_mode: no + changed_when: False + +-- name: "Add {{{ MOUNTOPTION }}} to mount points" +- shell: awk '$2=="{{ item }}"{$4=$4",{{{ MOUNTOPTION }}}"}1' /etc/fstab > fstab.tmp && mv fstab.tmp /etc/fstab +- args: +- executable: /bin/bash +- with_items: +- - "{{ points_register.stdout_lines }}" ++- name: "Add {{{ MOUNTOPTION }}} to nfs and nfs4 mount points" ++ mount: ++ path: "{{ item.split()[0] }}" ++ src: "{{ item.split()[1] }}" ++ fstype: "{{ item.split()[2] }}" ++ state: mounted ++ opts: "{{ item.split()[3] }},{{{ MOUNTOPTION }}}" + when: (points_register.stdout | length > 0) + +From 189a8962ddfc35a516eb468f7df1b66a55d874a6 Mon Sep 17 00:00:00 2001 +From: Gabe +Date: Fri, 30 Aug 2019 15:18:02 -0600 +Subject: [PATCH 3/5] Remove usage of shell module in gpgkey install Ansible + snippet + +--- + .../ansible/shared.yml | 18 +++++++++--------- + ...ate_ANSIBLE_mount_option_remote_filesystems | 2 +- + 2 files changed, 10 insertions(+), 10 deletions(-) + +diff --git a/linux_os/guide/system/software/updating/ensure_redhat_gpgkey_installed/ansible/shared.yml b/linux_os/guide/system/software/updating/ensure_redhat_gpgkey_installed/ansible/shared.yml +index 079020f8cd..91a98640ad 100644 +--- a/linux_os/guide/system/software/updating/ensure_redhat_gpgkey_installed/ansible/shared.yml ++++ b/linux_os/guide/system/software/updating/ensure_redhat_gpgkey_installed/ansible/shared.yml +@@ -14,13 +14,9 @@ + - name: Read signatures in GPG key + # According to /usr/share/doc/gnupg2/DETAILS fingerprints are in "fpr" record in field 10 + {{% if product == "rhel8" -%}} +- shell: | +- set -o pipefail +- gpg --show-keys 
--with-fingerprint --with-colons "/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release" | grep -A1 "^pub" | grep "^fpr" | cut -d ":" -f 10 ++ command: gpg --show-keys --with-fingerprint --with-colons "/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release" + {{%- else -%}} +- shell: | +- set -o pipefail +- gpg --with-fingerprint --with-colons "/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release" | grep "^fpr" | cut -d ":" -f 10 ++ command: gpg --with-fingerprint --with-colons "/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release" + {{%- endif %}} + args: + warn: False +@@ -29,9 +25,13 @@ + register: gpg_fingerprints + check_mode: no + ++- name: Set Fact - Installed GPG Fingerprints ++ set_fact: ++ gpg_installed_fingerprints: "{{ gpg_fingerprints.stdout | regex_findall('^pub.*\n(?:^fpr[:]*)([0-9A-Fa-f]*)', '\\1') | list }}" ++ + - name: Set Fact - Valid fingerprints + set_fact: +- gpg_valid_fingerprints: ("{{{ release_key_fingerprint }}}" "{{{ auxiliary_key_fingerprint }}}") ++ gpg_valid_fingerprints: ("{{{ release_key_fingerprint }}}" "{{{ auxiliary_key_fingerprint }}}") + + - name: Import RedHat GPG key + rpm_key: +@@ -39,6 +39,6 @@ + key: /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release + when: + - gpg_key_directory_permission.stat.mode <= '0755' +- - ( gpg_fingerprints.stdout_lines | difference(gpg_valid_fingerprints)) | length == 0 +- - gpg_fingerprints.stdout_lines | length > 0 ++ - (gpg_installed_fingerprints | difference(gpg_valid_fingerprints)) | length == 0 ++ - gpg_installed_fingerprints | length > 0 + - ansible_distribution == "RedHat" +diff --git a/shared/templates/template_ANSIBLE_mount_option_remote_filesystems b/shared/templates/template_ANSIBLE_mount_option_remote_filesystems +index f3d6f02d82..a58d7729ec 100644 +--- a/shared/templates/template_ANSIBLE_mount_option_remote_filesystems ++++ b/shared/templates/template_ANSIBLE_mount_option_remote_filesystems +@@ -5,7 +5,7 @@ + # disruption = medium + + - name: "Get nfs and nfs4 mount points, that don't have {{{ MOUNTOPTION }}}" +- command: 
findmnt --fstab --types nfs,nfs4 -O no{{{ MOUNTOPTION }} -n ++ command: findmnt --fstab --types nfs,nfs4 -O no{{{ MOUNTOPTION }}} -n + register: points_register + check_mode: no + changed_when: False + +From 047c5d342860745dcc2f80a9f00d30cf25e76348 Mon Sep 17 00:00:00 2001 +From: Gabe +Date: Tue, 3 Sep 2019 14:18:54 -0600 +Subject: [PATCH 4/5] Remove shell module usage for rpm verification tasks + +- Fixes #4617 +--- + .../rpm_verify_hashes/ansible/shared.yml | 27 ++++++++++++------- + .../rpm_verify_ownership/ansible/shared.yml | 11 +++----- + .../rpm_verify_permissions/ansible/shared.yml | 19 ++++++++----- + 3 files changed, 34 insertions(+), 23 deletions(-) + +diff --git a/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_hashes/ansible/shared.yml b/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_hashes/ansible/shared.yml +index 2a38e43c3b..1ba29992ab 100644 +--- a/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_hashes/ansible/shared.yml ++++ b/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_hashes/ansible/shared.yml +@@ -1,6 +1,6 @@ + # platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv + # reboot = false +-# strategy = unknown ++# strategy = restrict + # complexity = high + # disruption = medium + - name: "Set fact: Package manager reinstall command (dnf)" +@@ -14,21 +14,30 @@ + when: (ansible_distribution == "RedHat" or ansible_distribution == "OracleLinux") + + - name: "Read files with incorrect hash" +- shell: | +- set -o pipefail +- rpm -Va | grep -E '^..5.* /(bin|sbin|lib|lib64|usr)/' | awk '{print $NF}' ++ command: rpm -Va --nodeps --nosize --nomtime --nordev --nocaps --nolinkto --nouser --nogroup --nomode --noconfig --noghost + args: + warn: False # Ignore ANSIBLE0006, we can't fetch files with incorrect hash using rpm module +- executable: /bin/bash + 
register: files_with_incorrect_hash + changed_when: False + failed_when: files_with_incorrect_hash.rc > 1 + when: (package_manager_reinstall_cmd is defined) +- check_mode: no ++ ++- name: Create list of packages ++ command: rpm -qf "{{ item }}" ++ args: ++ warn: False # Ignore ANSIBLE0006, we can't fetch packages with files with incorrect hash using rpm module ++ with_items: "{{ files_with_incorrect_hash.stdout_lines | map('regex_findall', '^[.]+[5]+.* (\/.*)', '\\1') | map('join') | select('match', '(\/.*)') | list | unique }}" ++ register: list_of_packages ++ changed_when: False ++ when: ++ - files_with_incorrect_hash.stdout_lines is defined ++ - (files_with_incorrect_hash.stdout_lines | length > 0) + + - name: "Reinstall packages of files with incorrect hash" +- shell: "{{ package_manager_reinstall_cmd }} $(rpm -qf '{{ item }}')" ++ command: "{{ package_manager_reinstall_cmd }} '{{ item }}'" + args: + warn: False # Ignore ANSIBLE0006, this task is flexible with regards to package manager +- with_items: "{{ files_with_incorrect_hash.stdout_lines }}" +- when: (package_manager_reinstall_cmd is defined and (files_with_incorrect_hash.stdout_lines | length > 0)) ++ with_items: "{{ list_of_packages.results | map(attribute='stdout_lines') | list | unique }}" ++ when: ++ - files_with_incorrect_hash.stdout_lines is defined ++ - (package_manager_reinstall_cmd is defined and (files_with_incorrect_hash.stdout_lines | length > 0)) +diff --git a/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_ownership/ansible/shared.yml b/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_ownership/ansible/shared.yml +index 9fd07f8da2..1d9720cb82 100644 +--- a/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_ownership/ansible/shared.yml ++++ b/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_ownership/ansible/shared.yml +@@ -4,27 +4,24 @@ + 
# complexity = high + # disruption = medium + - name: "Read list of files with incorrect ownership" +- shell: | +- set -o pipefail +- rpm -Va --nofiledigest | awk '{ if (substr($0,6,1)=="U" || substr($0,7,1)=="G") print $NF }' ++ command: rpm -Va --nodeps --nosignature --nofiledigest --nosize --nomtime --nordev --nocaps --nolinkto --nomode + args: + warn: False # Ignore ANSIBLE0006, we can't fetch files with incorrect ownership using rpm module +- executable: /bin/bash + register: files_with_incorrect_ownership + failed_when: files_with_incorrect_ownership.rc > 1 + changed_when: False +- check_mode: no + + - name: Create list of packages + command: rpm -qf "{{ item }}" + args: + warn: False # Ignore ANSIBLE0006, we can't fetch packages with files with incorrect ownership using rpm module +- with_items: "{{ files_with_incorrect_ownership.stdout_lines | unique }}" ++ with_items: "{{ files_with_incorrect_ownership.stdout_lines | map('regex_findall', '^[.]+[U|G]+.* (\/.*)', '\\1') | map('join') | select('match', '(\/.*)') | list | unique }}" + register: list_of_packages ++ changed_when: False + when: (files_with_incorrect_ownership.stdout_lines | length > 0) + + - name: "Correct file ownership with RPM" +- command: "rpm --quiet --setugids '{{ item }}'" ++ command: "rpm --setperms '{{ item }}'" + args: + warn: False # Ignore ANSIBLE0006, we can't correct ownership using rpm module + with_items: "{{ list_of_packages.results | map(attribute='stdout_lines') | list | unique }}" +diff --git a/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_permissions/ansible/shared.yml b/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_permissions/ansible/shared.yml +index a22f03a987..149dbf9fb7 100644 +--- a/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_permissions/ansible/shared.yml ++++ 
b/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_permissions/ansible/shared.yml +@@ -4,20 +4,25 @@ + # complexity = high + # disruption = medium + - name: "Read list of files with incorrect permissions" +- shell: | +- set -o pipefail +- rpm -Va --nofiledigest | awk '{ if (substr($0,2,1)=="M") print $NF }' ++ command: rpm -Va --nodeps --nosignature --nofiledigest --nosize --nomtime --nordev --nocaps --nolinkto --nouser --nogroup + args: + warn: False # Ignore ANSIBLE0006, we can't fetch files with incorrect permissions using rpm module +- executable: /bin/bash + register: files_with_incorrect_permissions + failed_when: files_with_incorrect_permissions.rc > 1 + changed_when: False +- check_mode: no ++ ++- name: Create list of packages ++ command: rpm -qf "{{ item }}" ++ args: ++ warn: False # Ignore ANSIBLE0006, we can't fetch packages with files with incorrect permissions using rpm module ++ with_items: "{{ files_with_incorrect_permissions.stdout_lines | map('regex_findall', '^[.]+[M]+.* (\/.*)', '\\1') | map('join') | select('match', '(\/.*)') | list | unique }}" ++ register: list_of_packages ++ changed_when: False ++ when: (files_with_incorrect_permissions.stdout_lines | length > 0) + + - name: "Correct file permissions with RPM" +- shell: "rpm --setperms $(rpm -qf '{{ item }}')" ++ command: "rpm --setperms '{{ item }}'" + args: + warn: False # Ignore ANSIBLE0006, we can't correct permissions using rpm module +- with_items: "{{ files_with_incorrect_permissions.stdout_lines }}" ++ with_items: "{{ list_of_packages.results | map(attribute='stdout_lines') | list | unique }}" + when: (files_with_incorrect_permissions.stdout_lines | length > 0) + +From 83d241dceafb1b8d8829655b0cdeb44af1b01d2a Mon Sep 17 00:00:00 2001 +From: Gabe +Date: Fri, 6 Sep 2019 11:55:18 -0600 +Subject: [PATCH 5/5] Fix regex and escape correctly + +--- + .../rpm_verification/rpm_verify_hashes/ansible/shared.yml | 2 +- + 
.../rpm_verification/rpm_verify_ownership/ansible/shared.yml | 4 ++-- + .../rpm_verify_permissions/ansible/shared.yml | 2 +- + 3 files changed, 4 insertions(+), 4 deletions(-) + +diff --git a/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_hashes/ansible/shared.yml b/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_hashes/ansible/shared.yml +index 1ba29992ab..0dc09339f4 100644 +--- a/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_hashes/ansible/shared.yml ++++ b/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_hashes/ansible/shared.yml +@@ -26,7 +26,7 @@ + command: rpm -qf "{{ item }}" + args: + warn: False # Ignore ANSIBLE0006, we can't fetch packages with files with incorrect hash using rpm module +- with_items: "{{ files_with_incorrect_hash.stdout_lines | map('regex_findall', '^[.]+[5]+.* (\/.*)', '\\1') | map('join') | select('match', '(\/.*)') | list | unique }}" ++ with_items: "{{ files_with_incorrect_hash.stdout_lines | map('regex_findall', '^[.]+[5]+.* (\\/.*)', '\\1') | map('join') | select('match', '(\\/.*)') | list | unique }}" + register: list_of_packages + changed_when: False + when: +diff --git a/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_ownership/ansible/shared.yml b/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_ownership/ansible/shared.yml +index 1d9720cb82..d02508808c 100644 +--- a/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_ownership/ansible/shared.yml ++++ b/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_ownership/ansible/shared.yml +@@ -15,13 +15,13 @@ + command: rpm -qf "{{ item }}" + args: + warn: False # Ignore ANSIBLE0006, we can't fetch packages with files with incorrect ownership using rpm module +- with_items: 
"{{ files_with_incorrect_ownership.stdout_lines | map('regex_findall', '^[.]+[U|G]+.* (\/.*)', '\\1') | map('join') | select('match', '(\/.*)') | list | unique }}" ++ with_items: "{{ files_with_incorrect_ownership.stdout_lines | map('regex_findall', '^[.]+[U|G]+.* (\\/.*)', '\\1') | map('join') | select('match', '(\\/.*)') | list | unique }}" + register: list_of_packages + changed_when: False + when: (files_with_incorrect_ownership.stdout_lines | length > 0) + + - name: "Correct file ownership with RPM" +- command: "rpm --setperms '{{ item }}'" ++ command: "rpm --quiet --setugids '{{ item }}'" + args: + warn: False # Ignore ANSIBLE0006, we can't correct ownership using rpm module + with_items: "{{ list_of_packages.results | map(attribute='stdout_lines') | list | unique }}" +diff --git a/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_permissions/ansible/shared.yml b/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_permissions/ansible/shared.yml +index 149dbf9fb7..55a37a4235 100644 +--- a/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_permissions/ansible/shared.yml ++++ b/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_permissions/ansible/shared.yml +@@ -15,7 +15,7 @@ + command: rpm -qf "{{ item }}" + args: + warn: False # Ignore ANSIBLE0006, we can't fetch packages with files with incorrect permissions using rpm module +- with_items: "{{ files_with_incorrect_permissions.stdout_lines | map('regex_findall', '^[.]+[M]+.* (\/.*)', '\\1') | map('join') | select('match', '(\/.*)') | list | unique }}" ++ with_items: "{{ files_with_incorrect_permissions.stdout_lines | map('regex_findall', '^[.]+[M]+.* (\\/.*)', '\\1') | map('join') | select('match', '(\\/.*)') | list | unique }}" + register: list_of_packages + changed_when: False + when: (files_with_incorrect_permissions.stdout_lines | length > 0) 
diff --git a/SOURCES/scap-security-guide-0.1.47-remove_slash_from_audit_rules_login_faillock.patch b/SOURCES/scap-security-guide-0.1.47-remove_slash_from_audit_rules_login_faillock.patch
new file mode 100644
index 0000000..a1ef98b
--- /dev/null
+++ b/SOURCES/scap-security-guide-0.1.47-remove_slash_from_audit_rules_login_faillock.patch
@@ -0,0 +1,26 @@
+From 10c50d294f61c3638abd4a8dfa0e6870c4d4f10f Mon Sep 17 00:00:00 2001
+From: Watson Sato
+Date: Wed, 2 Oct 2019 15:10:42 +0200
+Subject: [PATCH] Remove slash from audit rules login failock
+
+Follows 0e83474ea75d762c77f78630448ad5a72b58d211
+There shoudn't be slash.
+---
+ .../audit_rules_login_events/bash/shared.sh | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events/bash/shared.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events/bash/shared.sh
+index 17112b7c4e..a0d18c21b2 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events/bash/shared.sh
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events/bash/shared.sh
+@@ -8,8 +8,8 @@
+ fix_audit_watch_rule "auditctl" "/var/log/tallylog" "wa" "logins"
+ fix_audit_watch_rule "augenrules" "/var/log/tallylog" "wa" "logins"
+ 
+-fix_audit_watch_rule "auditctl" "/var/run/faillock/" "wa" "logins"
+-fix_audit_watch_rule "augenrules" "/var/run/faillock/" "wa" "logins"
++fix_audit_watch_rule "auditctl" "/var/run/faillock" "wa" "logins"
++fix_audit_watch_rule "augenrules" "/var/run/faillock" "wa" "logins"
+ 
+ fix_audit_watch_rule "auditctl" "/var/log/lastlog" "wa" "logins"
+ fix_audit_watch_rule "augenrules" "/var/log/lastlog" "wa" "logins"
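Review bot: The path handed to `fix_audit_watch_rule` changes from `/var/run/faillock/` to `/var/run/faillock`, but the helper is defined outside this hunk, so it is not visible here whether it recognises an already-present `-w /var/run/faillock/` rule as the same watch. If it matches on the exact path string, hosts remediated with the earlier content keep the slashed rule and receive a second one for the same directory, in `/etc/audit/audit.rules` and the rules.d file alike. Worth confirming against the helper; if it does not normalise trailing slashes, a comment above the two calls such as `# no trailing slash here; earlier content wrote /var/run/faillock/ and an existing rule in that form is not merged` would at least record the migration caveat for the next reader.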
diff --git a/SOURCES/scap-security-guide-0.1.47-update_arufm_to_match_multiple_-S_args.patch b/SOURCES/scap-security-guide-0.1.47-update_arufm_to_match_multiple_-S_args.patch
new file mode 100644
index 0000000..614e391
--- /dev/null
+++ b/SOURCES/scap-security-guide-0.1.47-update_arufm_to_match_multiple_-S_args.patch
@@ -0,0 +1,162 @@
+From 754649d2ac077e64aae4fcadfdfca30f09149687 Mon Sep 17 00:00:00 2001
+From: Watson Sato
+Date: Wed, 2 Oct 2019 18:51:48 +0200
+Subject: [PATCH 1/2] Add tests for acceptable rule syntax for arufm
+
+These test scenarios cover multiple valid formats for the audit rules.
+arufm stands for audit_rules_unsuccessful_file_modification
+---
+ .../tests/default.fail.sh | 6 +++
+ .../tests/syscalls_multiple_per_arg.pass.sh | 12 ++++++
+ .../tests/syscalls_one_per_arg.pass.sh | 11 ++++++
+ .../tests/syscalls_one_per_line.pass.sh | 12 ++++++
+ .../tests/test_audit.rules | 39 +++++++++++++++++++
+ 5 files changed, 80 insertions(+)
+ create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification/tests/default.fail.sh
+ create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification/tests/syscalls_multiple_per_arg.pass.sh
+ create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification/tests/syscalls_one_per_arg.pass.sh
+ create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification/tests/syscalls_one_per_line.pass.sh
+ create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification/tests/test_audit.rules
+
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification/tests/default.fail.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification/tests/default.fail.sh
+new file mode 100644
+index 0000000000..5769121389
+--- /dev/null
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification/tests/default.fail.sh
+@@ -0,0 +1,6 @@
++#!/bin/bash
++# profiles = xccdf_org.ssgproject.content_profile_pci-dss
++# remediation = bash
++
++rm -f /etc/audit/rules.d/*
++> /etc/audit/audit.rules
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification/tests/syscalls_multiple_per_arg.pass.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification/tests/syscalls_multiple_per_arg.pass.sh
+new file mode 100644
+index 0000000000..ba950a6dfe
+--- /dev/null
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification/tests/syscalls_multiple_per_arg.pass.sh
+@@ -0,0 +1,12 @@
++#!/bin/bash
++# profiles = xccdf_org.ssgproject.content_profile_pci-dss
++# remediation = bash
++
++# Use auditctl, on RHEL7, default is to use augenrules
++sed -i "s%^ExecStartPost=.*%ExecStartPost=-/sbin/auditctl%" /usr/lib/systemd/system/auditd.service
++
++rm -f /etc/audit/rules.d/*
++
++# Deletes everything up do "one per line"
++# Then deletes everything from "one per arg" until end of file
++sed '/# one per line/,/# multiple per arg/d;/# one per arg/,$d' test_audit.rules > /etc/audit/audit.rules
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification/tests/syscalls_one_per_arg.pass.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification/tests/syscalls_one_per_arg.pass.sh
+new file mode 100644
+index 0000000000..1741dad27d
+--- /dev/null
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification/tests/syscalls_one_per_arg.pass.sh
+@@ -0,0 +1,11 @@
++#!/bin/bash
++# profiles = xccdf_org.ssgproject.content_profile_pci-dss
++# remediation = bash
++
++# Use auditctl, on RHEL7, default is to use augenrules
++sed -i "s%^ExecStartPost=.*%ExecStartPost=-/sbin/auditctl%" /usr/lib/systemd/system/auditd.service
++
++rm -f /etc/audit/rules.d/*
++
++# Delete everything that is between "one per line" and "one per arg"
++sed '/# one per line/,/# one per arg/d' test_audit.rules > /etc/audit/audit.rules
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification/tests/syscalls_one_per_line.pass.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification/tests/syscalls_one_per_line.pass.sh
+new file mode 100644
+index 0000000000..5cdc0294be
+--- /dev/null
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification/tests/syscalls_one_per_line.pass.sh
+@@ -0,0 +1,12 @@
++#!/bin/bash
++# profiles = xccdf_org.ssgproject.content_profile_pci-dss
++# remediation = bash
++
++# Use auditctl, on RHEL7, default is to use augenrules
++sed -i "s%^ExecStartPost=.*%ExecStartPost=-/sbin/auditctl%" /usr/lib/systemd/system/auditd.service
++
++rm -f /etc/audit/rules.d/*
++
++# Delete everything that is not between "one per line" and "multiple per arg"
++sed '/# one per line/,/# multiple per arg/!d' test_audit.rules > /etc/audit/audit.rules
++
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification/tests/test_audit.rules b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification/tests/test_audit.rules
+new file mode 100644
+index 0000000000..0c9f7e6b61
+--- /dev/null
++++ 
b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification/tests/test_audit.rules
+@@ -0,0 +1,39 @@
++# WARNING: Do not remove the comments in this file
++# one per line
++-a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
++-a always,exit -F arch=b32 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
++-a always,exit -F arch=b32 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
++-a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
++-a always,exit -F arch=b32 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
++-a always,exit -F arch=b32 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
++-a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
++-a always,exit -F arch=b64 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
++-a always,exit -F arch=b64 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
++-a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
++-a always,exit -F arch=b64 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
++-a always,exit -F arch=b64 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
++
++-a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
++-a always,exit -F arch=b32 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
++-a always,exit -F arch=b32 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
++-a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
++-a always,exit -F arch=b32 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
++-a always,exit -F arch=b32 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
++-a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
++-a always,exit -F arch=b64 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
++-a always,exit -F arch=b64 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
++-a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
++-a always,exit -F arch=b64 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
++-a always,exit -F arch=b64 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
++
++# multiple per arg
++-a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
++-a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
++-a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
++-a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
++
++# one per arg
++-a always,exit -F arch=b32 -S creat -S open -S openat -S open_by_handle_at -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
++-a always,exit -F arch=b64 -S creat -S open -S openat -S open_by_handle_at -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
++-a always,exit -F arch=b32 -S creat -S open -S openat -S open_by_handle_at -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
++-a always,exit -F arch=b64 -S creat -S open -S openat -S open_by_handle_at -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+
+From df1f092a9f0786c6137d10bb8ac440f572d4e460 Mon Sep 17 00:00:00 2001
+From: Watson Sato
+Date: Wed, 2 Oct 2019 20:14:47 +0200 +Subject: [PATCH 2/2] Update regex to match multiple syscall args + +The regex was not matching case where there were multiple '-S' +arguments +--- + .../template_OVAL_audit_rules_unsuccessful_file_modification | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/shared/templates/template_OVAL_audit_rules_unsuccessful_file_modification b/shared/templates/template_OVAL_audit_rules_unsuccessful_file_modification +index 688c482ba4..314d7a7610 100644 +--- a/shared/templates/template_OVAL_audit_rules_unsuccessful_file_modification ++++ b/shared/templates/template_OVAL_audit_rules_unsuccessful_file_modification +@@ -48,12 +48,13 @@ + + + ++ + + +- ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*({{{ NAME }}})(?:,[\S]+)*)[\s]+ ++ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+{{{ NAME }}}[\s]+|([\s]+|[,]){{{ NAME }}}([\s]+|[,]))).* + + +- ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*({{{ NAME }}})(?:,[\S]+)*)[\s]+ ++ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+{{{ NAME }}}[\s]+|([\s]+|[,]){{{ NAME }}}([\s]+|[,]))).* + + + [\s]+(?:-F\s+auid>={{{ auid }}}[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ diff --git a/SOURCES/scap-security-guide-0.1.48-add_e8_profile_kickstart.patch b/SOURCES/scap-security-guide-0.1.48-add_e8_profile_kickstart.patch new file mode 100644 index 0000000..9d425f5 --- /dev/null +++ b/SOURCES/scap-security-guide-0.1.48-add_e8_profile_kickstart.patch 
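Review bot: The replacement pattern's second alternative `([\s]+|[,]){{{ NAME }}}([\s]+|[,])` sits behind an unrestricted `.*`, so it accepts the syscall name as any whitespace- or comma-delimited token after the arch filter rather than only inside a `-S` argument list; a rule such as `-a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -k open` would satisfy the `open` check without auditing `open`. Keeping the `-S` anchor of the old pattern and only letting it appear after other arguments covers the one-per-line, one-per-arg and multiple-per-arg fixtures added by the first patch in this file without that hole, e.g. `(?:.*-S[\s]+(?:[\S]+,)*{{{ NAME }}}(?:,[\S]+)*[\s]+).*` in place of the `(?:.*(-S[\s]+…|…)).*` group, on both the b32 and the b64 line. The surrounding OVAL element names were dropped by the extraction, so which object these two patterns belong to cannot be checked from this page.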
@@ -0,0 +1,362 @@ +From 3cf5caec6f0705d24bc3f285e19d1831714bca16 Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Wed, 13 Nov 2019 18:05:32 +0100 +Subject: [PATCH 1/4] Add simple kickstart file for e8 profiles + +As the profile doesn't require a particular disk partition layout, I +went for the 'autopart' feature. +--- + rhel7/kickstart/ssg-rhel7-e8-ks.cfg | 122 ++++++++++++++++++++++++++++ + rhel8/kickstart/ssg-rhel8-e8-ks.cfg | 122 ++++++++++++++++++++++++++++ + 2 files changed, 244 insertions(+) + create mode 100644 rhel7/kickstart/ssg-rhel7-e8-ks.cfg + create mode 100644 rhel8/kickstart/ssg-rhel8-e8-ks.cfg + +diff --git a/rhel7/kickstart/ssg-rhel7-e8-ks.cfg b/rhel7/kickstart/ssg-rhel7-e8-ks.cfg +new file mode 100644 +index 0000000000..9e44a87a86 +--- /dev/null ++++ b/rhel7/kickstart/ssg-rhel7-e8-ks.cfg +@@ -0,0 +1,122 @@ ++# SCAP Security Guide Essential Eight profile kickstart for Red Hat Enterprise Linux 7 Server ++# Version: 0.0.1 ++# Date: 2019-11-13 ++# ++# Based on: ++# http://fedoraproject.org/wiki/Anaconda/Kickstart ++# https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Installation_Guide/sect-kickstart-syntax.html ++ ++# Install a fresh new system (optional) ++install ++ ++# Specify installation method to use for installation ++# To use a different one comment out the 'url' one below, update ++# the selected choice with proper options & un-comment it ++# ++# Install from an installation tree on a remote server via FTP or HTTP: ++# --url the URL to install from ++# ++# Example: ++# ++# url --url=http://192.168.122.1/image ++# ++# Modify concrete URL in the above example appropriately to reflect the actual ++# environment machine is to be installed in ++# ++# Other possible / supported installation methods: ++# * install from the first CD-ROM/DVD drive on the system: ++# ++# cdrom ++# ++# * install from a directory of ISO images on a local drive: ++# ++# harddrive --partition=hdb2 --dir=/tmp/install-tree ++# ++# * install 
from provided NFS server: ++# ++# nfs --server= --dir= [--opts=] ++# ++ ++# Set language to use during installation and the default language to use on the installed system (required) ++lang en_US.UTF-8 ++ ++# Set system keyboard type / layout (required) ++keyboard us ++ ++# Configure network information for target system and activate network devices in the installer environment (optional) ++# --onboot enable device at a boot time ++# --device device to be activated and / or configured with the network command ++# --bootproto method to obtain networking configuration for device (default dhcp) ++# --noipv6 disable IPv6 on this device ++# ++# NOTE: Usage of DHCP will fail CCE-27021-5 (DISA FSO RHEL-06-000292). To use static IP configuration, ++# "--bootproto=static" must be used. For example: ++# network --bootproto=static --ip=10.0.2.15 --netmask=255.255.255.0 --gateway=10.0.2.254 --nameserver 192.168.2.1,192.168.3.1 ++# ++network --onboot yes --device eth0 --bootproto dhcp --noipv6 ++ ++# Set the system's root password (required) ++# Plaintext password is: server ++# Refer to e.g. 
http://fedoraproject.org/wiki/Anaconda/Kickstart#rootpw to see how to create ++# encrypted password form for different plaintext password ++rootpw --iscrypted $6$rhel6usgcb$aS6oPGXcPKp3OtFArSrhRwu6sN8q2.yEGY7AIwDOQd23YCtiz9c5mXbid1BzX9bmXTEZi.hCzTEXFosVBI5ng0 ++ ++# The selected profile will restrict root login ++# Add a user that can login and escalate privileges ++# Plaintext password is: admin123 ++user --name=admin --groups=wheel --password=$6$Ga6ZnIlytrWpuCzO$q0LqT1USHpahzUafQM9jyHCY9BiE5/ahXLNWUMiVQnFGblu0WWGZ1e6icTaCGO4GNgZNtspp1Let/qpM7FMVB0 --iscrypted ++ ++# Configure firewall settings for the system (optional) ++# --enabled reject incoming connections that are not in response to outbound requests ++# --ssh allow sshd service through the firewall ++firewall --enabled --ssh ++ ++# Set up the authentication options for the system (required) ++# --enableshadow enable shadowed passwords by default ++# --passalgo hash / crypt algorithm for new passwords ++# See the manual page for authconfig for a complete list of possible options. ++authconfig --enableshadow --passalgo=sha512 ++ ++# State of SELinux on the installed system (optional) ++# Defaults to enforcing ++selinux --enforcing ++ ++# Set the system time zone (required) ++timezone --utc America/New_York ++ ++# Specify how the bootloader should be installed (required) ++# Plaintext password is: password ++# Refer to e.g. 
http://fedoraproject.org/wiki/Anaconda/Kickstart#rootpw to see how to create ++# encrypted password form for different plaintext password ++bootloader --location=mbr --append="crashkernel=auto rhgb quiet" --password=$6$rhel6usgcb$kOzIfC4zLbuo3ECp1er99NRYikN419wxYMmons8Vm/37Qtg0T8aB9dKxHwqapz8wWAFuVkuI/UJqQBU92bA5C0 ++ ++# Initialize (format) all disks (optional) ++zerombr ++ ++# The following partition layout scheme assumes disk of size 20GB or larger ++# Modify size of partitions appropriately to reflect actual machine's hardware ++# ++# Remove Linux partitions from the system prior to creating new ones (optional) ++# --linux erase all Linux partitions ++# --initlabel initialize the disk label to the default based on the underlying architecture ++clearpart --linux --initlabel ++ ++# Create primary system partitions (required for installs) ++autopart ++ ++%addon org_fedora_oscap ++ content-type = scap-security-guide ++ profile = xccdf_org.ssgproject.content_profile_e8 ++%end ++ ++# Packages selection (%packages section is required) ++%packages ++ ++# Require @Base ++@Base ++ ++%end # End of %packages section ++ ++# Reboot after the installation is complete (optional) ++# --eject attempt to eject CD or DVD media before rebooting ++reboot --eject +diff --git a/rhel8/kickstart/ssg-rhel8-e8-ks.cfg b/rhel8/kickstart/ssg-rhel8-e8-ks.cfg +new file mode 100644 +index 0000000000..3555f528cb +--- /dev/null ++++ b/rhel8/kickstart/ssg-rhel8-e8-ks.cfg +@@ -0,0 +1,122 @@ ++# SCAP Security Guide Essential Eight profile kickstart for Red Hat Enterprise Linux 8 Server ++# Version: 0.0.1 ++# Date: 2019-11-13 ++# ++# Based on: ++# http://fedoraproject.org/wiki/Anaconda/Kickstart ++# https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Installation_Guide/sect-kickstart-syntax.html ++ ++# Install a fresh new system (optional) ++install ++ ++# Specify installation method to use for installation ++# To use a different one comment out the 'url' one below, update 
++# the selected choice with proper options & un-comment it ++# ++# Install from an installation tree on a remote server via FTP or HTTP: ++# --url the URL to install from ++# ++# Example: ++# ++# url --url=http://192.168.122.1/image ++# ++# Modify concrete URL in the above example appropriately to reflect the actual ++# environment machine is to be installed in ++# ++# Other possible / supported installation methods: ++# * install from the first CD-ROM/DVD drive on the system: ++# ++# cdrom ++# ++# * install from a directory of ISO images on a local drive: ++# ++# harddrive --partition=hdb2 --dir=/tmp/install-tree ++# ++# * install from provided NFS server: ++# ++# nfs --server= --dir= [--opts=] ++# ++ ++# Set language to use during installation and the default language to use on the installed system (required) ++lang en_US.UTF-8 ++ ++# Set system keyboard type / layout (required) ++keyboard us ++ ++# Configure network information for target system and activate network devices in the installer environment (optional) ++# --onboot enable device at a boot time ++# --device device to be activated and / or configured with the network command ++# --bootproto method to obtain networking configuration for device (default dhcp) ++# --noipv6 disable IPv6 on this device ++# ++# NOTE: Usage of DHCP will fail CCE-27021-5 (DISA FSO RHEL-06-000292). To use static IP configuration, ++# "--bootproto=static" must be used. For example: ++# network --bootproto=static --ip=10.0.2.15 --netmask=255.255.255.0 --gateway=10.0.2.254 --nameserver 192.168.2.1,192.168.3.1 ++# ++network --onboot yes --device eth0 --bootproto dhcp --noipv6 ++ ++# Set the system's root password (required) ++# Plaintext password is: server ++# Refer to e.g. 
http://fedoraproject.org/wiki/Anaconda/Kickstart#rootpw to see how to create ++# encrypted password form for different plaintext password ++rootpw --iscrypted $6$rhel6usgcb$aS6oPGXcPKp3OtFArSrhRwu6sN8q2.yEGY7AIwDOQd23YCtiz9c5mXbid1BzX9bmXTEZi.hCzTEXFosVBI5ng0 ++ ++# The selected profile will restrict root login ++# Add a user that can login and escalate privileges ++# Plaintext password is: admin123 ++user --name=admin --groups=wheel --password=$6$Ga6ZnIlytrWpuCzO$q0LqT1USHpahzUafQM9jyHCY9BiE5/ahXLNWUMiVQnFGblu0WWGZ1e6icTaCGO4GNgZNtspp1Let/qpM7FMVB0 --iscrypted ++ ++# Configure firewall settings for the system (optional) ++# --enabled reject incoming connections that are not in response to outbound requests ++# --ssh allow sshd service through the firewall ++firewall --enabled --ssh ++ ++# Set up the authentication options for the system (required) ++# --enableshadow enable shadowed passwords by default ++# --passalgo hash / crypt algorithm for new passwords ++# See the manual page for authconfig for a complete list of possible options. ++authconfig --enableshadow --passalgo=sha512 ++ ++# State of SELinux on the installed system (optional) ++# Defaults to enforcing ++selinux --enforcing ++ ++# Set the system time zone (required) ++timezone --utc America/New_York ++ ++# Specify how the bootloader should be installed (required) ++# Plaintext password is: password ++# Refer to e.g. 
http://fedoraproject.org/wiki/Anaconda/Kickstart#rootpw to see how to create ++# encrypted password form for different plaintext password ++bootloader --location=mbr --append="crashkernel=auto rhgb quiet" --password=$6$rhel6usgcb$kOzIfC4zLbuo3ECp1er99NRYikN419wxYMmons8Vm/37Qtg0T8aB9dKxHwqapz8wWAFuVkuI/UJqQBU92bA5C0 ++ ++# Initialize (format) all disks (optional) ++zerombr ++ ++# The following partition layout scheme assumes disk of size 20GB or larger ++# Modify size of partitions appropriately to reflect actual machine's hardware ++# ++# Remove Linux partitions from the system prior to creating new ones (optional) ++# --linux erase all Linux partitions ++# --initlabel initialize the disk label to the default based on the underlying architecture ++clearpart --linux --initlabel ++ ++# Create primary system partitions (required for installs) ++autopart ++ ++%addon org_fedora_oscap ++ content-type = scap-security-guide ++ profile = xccdf_org.ssgproject.content_profile_e8 ++%end ++ ++# Packages selection (%packages section is required) ++%packages ++ ++# Require @Base ++@Base ++ ++%end # End of %packages section ++ ++# Reboot after the installation is complete (optional) ++# --eject attempt to eject CD or DVD media before rebooting ++reboot --eject + +From 94249bce4b61c33e52f59efdb112e2082b4acf46 Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Fri, 15 Nov 2019 11:19:51 +0100 +Subject: [PATCH 2/4] Use authselect for el8 kickstart + +auth and authconfig are deprecated +--- + rhel8/kickstart/ssg-rhel8-e8-ks.cfg | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/rhel8/kickstart/ssg-rhel8-e8-ks.cfg b/rhel8/kickstart/ssg-rhel8-e8-ks.cfg +index 3555f528cb..e814024e2e 100644 +--- a/rhel8/kickstart/ssg-rhel8-e8-ks.cfg ++++ b/rhel8/kickstart/ssg-rhel8-e8-ks.cfg +@@ -72,10 +72,10 @@ user --name=admin --groups=wheel --password=$6$Ga6ZnIlytrWpuCzO$q0LqT1USHpahzUaf + firewall --enabled --ssh + + # Set up the authentication options for the system 
(required) +-# --enableshadow enable shadowed passwords by default +-# --passalgo hash / crypt algorithm for new passwords +-# See the manual page for authconfig for a complete list of possible options. +-authconfig --enableshadow --passalgo=sha512 ++# sssd profile sets sha512 to hash passwords ++# passwords are shadowed by default ++# See the manual page for authselect-profile for a complete list of possible options. ++authselect select sssd + + # State of SELinux on the installed system (optional) + # Defaults to enforcing + +From 1ff6ab4ec0449074c4608eed0194903123eda34b Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Fri, 15 Nov 2019 11:22:31 +0100 +Subject: [PATCH 3/4] Updated kickstart documenation link for el8 + +--- + rhel8/kickstart/ssg-rhel8-e8-ks.cfg | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/rhel8/kickstart/ssg-rhel8-e8-ks.cfg b/rhel8/kickstart/ssg-rhel8-e8-ks.cfg +index e814024e2e..41d4b3d654 100644 +--- a/rhel8/kickstart/ssg-rhel8-e8-ks.cfg ++++ b/rhel8/kickstart/ssg-rhel8-e8-ks.cfg +@@ -4,7 +4,7 @@ + # + # Based on: + # http://fedoraproject.org/wiki/Anaconda/Kickstart +-# https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Installation_Guide/sect-kickstart-syntax.html ++# https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html-single/performing_an_advanced_rhel_installation/index#performing_an_automated_installation_using_kickstart + + # Install a fresh new system (optional) + install + +From ef5edccc3ec58131644f31481ec3df20ab345229 Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Mon, 18 Nov 2019 13:31:18 +0100 +Subject: [PATCH 4/4] Add link to oscap-anaconda-addon documentation + +--- + rhel7/kickstart/ssg-rhel7-e8-ks.cfg | 3 +++ + rhel8/kickstart/ssg-rhel8-e8-ks.cfg | 3 +++ + 2 files changed, 6 insertions(+) + +diff --git a/rhel7/kickstart/ssg-rhel7-e8-ks.cfg b/rhel7/kickstart/ssg-rhel7-e8-ks.cfg +index 9e44a87a86..23f1bad7e1 100644 +--- 
a/rhel7/kickstart/ssg-rhel7-e8-ks.cfg ++++ b/rhel7/kickstart/ssg-rhel7-e8-ks.cfg +@@ -104,6 +104,9 @@ clearpart --linux --initlabel + # Create primary system partitions (required for installs) + autopart + ++# Harden installation with Essential Eight profile ++# For more details and configuration options see command %addon org_fedora_oscap in ++# https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/installation_guide/sect-kickstart-syntax#sect-kickstart-commands + %addon org_fedora_oscap + content-type = scap-security-guide + profile = xccdf_org.ssgproject.content_profile_e8 +diff --git a/rhel8/kickstart/ssg-rhel8-e8-ks.cfg b/rhel8/kickstart/ssg-rhel8-e8-ks.cfg +index 41d4b3d654..8380ea13a3 100644 +--- a/rhel8/kickstart/ssg-rhel8-e8-ks.cfg ++++ b/rhel8/kickstart/ssg-rhel8-e8-ks.cfg +@@ -104,6 +104,9 @@ clearpart --linux --initlabel + # Create primary system partitions (required for installs) + autopart + ++# Harden installation with Essential Eight profile ++# For more details and configuration options see ++# https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html-single/performing_an_advanced_rhel_installation/index#addon-org_fedora_oscap_kickstart-commands-for-addons-supplied-with-the-rhel-installation-program + %addon org_fedora_oscap + content-type = scap-security-guide + profile = xccdf_org.ssgproject.content_profile_e8 diff --git a/SOURCES/scap-security-guide-0.1.48-fix_aide_periodic_crontab_check.patch b/SOURCES/scap-security-guide-0.1.48-fix_aide_periodic_crontab_check.patch new file mode 100644 index 0000000..c86849e --- /dev/null +++ b/SOURCES/scap-security-guide-0.1.48-fix_aide_periodic_crontab_check.patch 
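Review bot: Both new kickstart files carry fixed `rootpw --iscrypted`, `user --name=admin --groups=wheel --password=` and `bootloader --password=` hashes with the plaintext values written in the comments beside them, and neither file says these are sample credentials to be replaced, so an installation run from an unedited copy ends up with a wheel account and a GRUB password that are public in this repository. A header line such as `# The rootpw, user and bootloader hashes below are published sample values; generate new ones before using this file` would make the expectation explicit, and since the rhel8 copy is edited again by the later patches in this series it belongs in both files. The root and bootloader hashes also share the salt `rhel6usgcb`, which is what a reader regenerating one of them is likely to copy, so the same comment could ask for a fresh salt per password. Separately, the `#rootpw` documentation pointer above `bootloader --password` in both files appears to be a copy of the rootpw comment rather than a reference to the bootloader command.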
@@ -0,0 +1,181 @@
+From 29ef00ac92720e22108c78d10ea6f2e8a65cfe98 Mon Sep 17 00:00:00 2001
+From: Vojtech Polasek
+Date: Tue, 5 Nov 2019 20:01:40 +0100
+Subject: [PATCH 1/5] tried to update regex
+
+tests added
+---
+ .../aide/aide_periodic_cron_checking/oval/shared.xml | 2 +-
+ .../aide_periodic_cron_checking/tests/crontab_daily.pass.sh | 4 ++++
+ .../tests/crontab_weekly_on_exact_day.pass.sh | 4 ++++
+ .../tests/crontab_weekly_shortcut.pass.sh | 4 ++++
+ 4 files changed, 13 insertions(+), 1 deletion(-)
+ create mode 100644 linux_os/guide/system/software/integrity/software-integrity/aide/aide_periodic_cron_checking/tests/crontab_daily.pass.sh
+ create mode 100644 linux_os/guide/system/software/integrity/software-integrity/aide/aide_periodic_cron_checking/tests/crontab_weekly_on_exact_day.pass.sh
+ create mode 100644 linux_os/guide/system/software/integrity/software-integrity/aide/aide_periodic_cron_checking/tests/crontab_weekly_shortcut.pass.sh
+
+diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_periodic_cron_checking/oval/shared.xml b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_periodic_cron_checking/oval/shared.xml
+index e5b20e545b..49f53e997f 100644
+--- a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_periodic_cron_checking/oval/shared.xml
++++ b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_periodic_cron_checking/oval/shared.xml
+@@ -29,7 +29,7 @@
+
    + + /etc/crontab +- ^(([0-9]*[\s]*[0-9]*[\s]*\*[\s]*\*[\s]*\*)|@(hourly|daily|weekly|monthly))[\s]*root[\s]*/usr/sbin/aide[\s]*\-\-check.*$ ++ ^(([0-9]*[\s]*[0-9]*[\s]*\*[\s]*\*[\s]*[\*,0-9])|@(hourly|daily|weekly|monthly))[\s]*root[\s]*/usr/sbin/aide[\s]*\-\-check.*$ + 1 + + + +From 6ac0dfcc4fd968a3ab8dd7b32f0654b2800446d7 Mon Sep 17 00:00:00 2001 +From: Vojtech Polasek +Date: Wed, 6 Nov 2019 16:06:14 +0100 +Subject: [PATCH 2/5] rewrote oval check, extended remediation, wrote tests + +everything applies only to /etc/crontab +allowed more flexible configuration of runs +remediation deletes all potentially wrong lines from /etc/crontab +--- + .../aide/aide_periodic_cron_checking/bash/shared.sh | 3 +++ + .../aide/aide_periodic_cron_checking/oval/shared.xml | 2 +- + .../aide_periodic_cron_checking/tests/crontab_monthly.fail.sh | 4 ++++ + .../tests/crontab_two_days_week.pass.sh | 4 ++++ + .../tests/crontab_weekly_shortcut.pass.sh | 2 +- + .../tests/crontab_weekly_word.pass.sh | 4 ++++ + .../aide_periodic_cron_checking/tests/crontab_yearly.fail.sh | 4 ++++ + 7 files changed, 21 insertions(+), 2 deletions(-) + create mode 100644 linux_os/guide/system/software/integrity/software-integrity/aide/aide_periodic_cron_checking/tests/crontab_monthly.fail.sh + create mode 100644 linux_os/guide/system/software/integrity/software-integrity/aide/aide_periodic_cron_checking/tests/crontab_two_days_week.pass.sh + create mode 100644 linux_os/guide/system/software/integrity/software-integrity/aide/aide_periodic_cron_checking/tests/crontab_weekly_word.pass.sh + create mode 100644 linux_os/guide/system/software/integrity/software-integrity/aide/aide_periodic_cron_checking/tests/crontab_yearly.fail.sh + +diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_periodic_cron_checking/bash/shared.sh b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_periodic_cron_checking/bash/shared.sh +index 367d7b2df3..674fa7c9d8 100644 +--- 
a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_periodic_cron_checking/bash/shared.sh ++++ b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_periodic_cron_checking/bash/shared.sh +@@ -4,4 +4,7 @@ + + if ! grep -q "/usr/sbin/aide --check" /etc/crontab ; then + echo "05 4 * * * root /usr/sbin/aide --check" >> /etc/crontab ++else ++ sed -i '/^.*\/usr\/sbin\/aide --check.*$/d' /etc/crontab ++ echo "05 4 * * * root /usr/sbin/aide --check" >> /etc/crontab + fi +diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_periodic_cron_checking/oval/shared.xml b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_periodic_cron_checking/oval/shared.xml +index 49f53e997f..06a6eb5618 100644 +--- a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_periodic_cron_checking/oval/shared.xml ++++ b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_periodic_cron_checking/oval/shared.xml +@@ -29,7 +29,7 @@ + + + /etc/crontab +- ^(([0-9]*[\s]*[0-9]*[\s]*\*[\s]*\*[\s]*[\*,0-9])|@(hourly|daily|weekly|monthly))[\s]*root[\s]*/usr/sbin/aide[\s]*\-\-check.*$ ++ ^(([0-9]*[\s]*[0-9]*[\s]*\*[\s]*\*[\s]*(\*|([0-7]|mon|tue|wed|thu|fri|sat|sun)|[0-7]-[0-7]))|@(hourly|daily|weekly))[\s]*root[\s]*/usr/sbin/aide[\s]*\-\-check.*$ + 1 + + + +From 3c697624a85dcca87daae189103901ce95a7c27a Mon Sep 17 00:00:00 2001 +From: Vojtech Polasek +Date: Wed, 6 Nov 2019 16:25:30 +0100 +Subject: [PATCH 3/5] modified oval checks for other locations + +--- + .../aide/aide_periodic_cron_checking/oval/shared.xml | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_periodic_cron_checking/oval/shared.xml b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_periodic_cron_checking/oval/shared.xml +index 06a6eb5618..70271a0553 100644 +--- 
a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_periodic_cron_checking/oval/shared.xml ++++ b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_periodic_cron_checking/oval/shared.xml +@@ -39,7 +39,7 @@ + + /etc/cron.d + ^.*$ +- ^(([0-9]*[\s]*[0-9]*[\s]*\*[\s]*\*[\s]*\*)|@(hourly|daily|weekly|monthly))[\s]*root[\s]*/usr/sbin/aide[\s]*\-\-check.*$ ++ ^(([0-9]*[\s]*[0-9]*[\s]*\*[\s]*\*[\s]*(\*|([0-7]|mon|tue|wed|thu|fri|sat|sun)|[0-7]-[0-7]))|@(hourly|daily|weekly))[\s]*root[\s]*/usr/sbin/aide[\s]*\-\-check.*$ + 1 + + +@@ -48,7 +48,7 @@ + + + /var/spool/cron/root +- ^(([0-9]*[\s]*[0-9]*[\s]*\*[\s]*\*[\s]*\*)|@(hourly|daily|weekly|monthly))[\s]*root[\s]*/usr/sbin/aide[\s]*\-\-check.*$ ++ ^(([0-9]*[\s]*[0-9]*[\s]*\*[\s]*\*[\s]*(\*|([0-7]|mon|tue|wed|thu|fri|sat|sun)|[0-7]-[0-7]))|@(hourly|daily|weekly))[\s]*(root)?[\s]*/usr/sbin/aide[\s]*\-\-check.*$ + 1 + + +@@ -56,7 +56,7 @@ + + + +- ^/etc/cron.(daily|weekly|monthly)$ ++ ^/etc/cron.(daily|weekly)$ + ^.*$ + ^\s*/usr/sbin/aide[\s]*\-\-check.*$ + 1 + +From 0d0268edacf7544ca7febe33c5f9e82899fca935 Mon Sep 17 00:00:00 2001 +From: Vojtech Polasek +Date: Thu, 7 Nov 2019 09:19:11 +0100 +Subject: [PATCH 4/5] fixed oval comments + +--- + .../aide/aide_periodic_cron_checking/oval/shared.xml | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_periodic_cron_checking/oval/shared.xml b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_periodic_cron_checking/oval/shared.xml +index 70271a0553..b330e496e1 100644 +--- a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_periodic_cron_checking/oval/shared.xml ++++ b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_periodic_cron_checking/oval/shared.xml +@@ -19,7 +19,7 @@ + + + +- ++ + + + +@@ -52,10 +52,10 @@ + 1 + + +- ++ + + +- ++ + ^/etc/cron.(daily|weekly)$ + ^.*$ + 
^\s*/usr/sbin/aide[\s]*\-\-check.*$ + +From f1455731d6633375fd144a69e4bc1d0c2d5e7f3a Mon Sep 17 00:00:00 2001 +From: Vojtech Polasek +Date: Thu, 7 Nov 2019 09:32:51 +0100 +Subject: [PATCH 5/5] added one test and modified description + +lower limit of daily Aide scan removed +--- + .../aide/aide_periodic_cron_checking/rule.yml | 2 +- + .../tests/crontab_daily_shortcut.pass.sh | 4 ++++ + .../tests/crontab_weekly_on_exact_day.pass.sh | 2 +- + 3 files changed, 6 insertions(+), 2 deletions(-) + create mode 100644 linux_os/guide/system/software/integrity/software-integrity/aide/aide_periodic_cron_checking/tests/crontab_daily_shortcut.pass.sh + +diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_periodic_cron_checking/rule.yml b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_periodic_cron_checking/rule.yml +index a91aaa23c5..1e13a534fa 100644 +--- a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_periodic_cron_checking/rule.yml ++++ b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_periodic_cron_checking/rule.yml +@@ -5,7 +5,7 @@ prodtype: wrlinux1019,rhel6,rhel7,rhel8,fedora,ol7,ol8,rhv4 + title: 'Configure Periodic Execution of AIDE' + + description: |- +- At a minimum, AIDE should be configured to run a weekly scan. At most, AIDE should be run daily. ++ At a minimum, AIDE should be configured to run a weekly scan. + To implement a daily execution of AIDE at 4:05am using cron, add the following line to /etc/crontab: +
    05 4 * * * root /usr/sbin/aide --check
    + To implement a weekly execution of AIDE at 4:05am using cron, add the following line to /etc/crontab: diff --git a/SOURCES/scap-security-guide-0.1.48-fix_ansible_tasks_in_check_mode.patch b/SOURCES/scap-security-guide-0.1.48-fix_ansible_tasks_in_check_mode.patch new file mode 100644 index 0000000..5fe9bf9 --- /dev/null +++ b/SOURCES/scap-security-guide-0.1.48-fix_ansible_tasks_in_check_mode.patch 
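Review bot: The rewritten patterns in oval/shared.xml (the /etc/crontab one, and the /etc/cron.d and /var/spool/cron/root variants that follow it) separate the cron fields with `[\s]*` and accept empty minute and hour fields through `[0-9]*`, so an entry cron would never run — fields run together, or no minute/hour at all — still satisfies the check. Requiring real separators and digits, `^(([0-9]+\s+[0-9]+\s+\*\s+\*\s+(\*|[0-7]|mon|tue|wed|thu|fri|sat|sun|[0-7]-[0-7]))|@(hourly|daily|weekly))\s+root\s+/usr/sbin/aide\s+\-\-check.*$`, admits the same schedules while rejecting malformed lines. In bash/shared.sh the new `else` branch deletes every line containing `/usr/sbin/aide --check`, including a `@weekly` entry the OVAL accepts, and then appends the same daily line the `then` branch appends, so a compliant weekly schedule is silently replaced and the `grep` guard no longer distinguishes the two branches; because `sed '/…/d'` is a no-op when nothing matches, the block reduces to the `sed` followed by the `echo`, and only entries that fail the OVAL pattern should be removed if the remediation is meant to preserve a valid schedule.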
@@ -0,0 +1,349 @@ +From f891d5d4245963ca1bb1a2c785656077ae9fcced Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= +Date: Wed, 13 Nov 2019 15:36:12 +0100 +Subject: [PATCH 1/6] Run the command also in check mode + +Setting check_mode to False will force to run the command in +this task even if the playbook is run in check_mode. This task +produces variable `socket_file_exists` which is then used +in task "Disable socket ...". In check mode, the command wasn't +executed, which caused this error: + +fatal: [localhost]: FAILED! => {"msg": "The conditional check +'\"sshd.socket\" in socket_file_exists.stdout_lines[1]' failed. The +error was: error while evaluating conditional (\"sshd.socket\" in +socket_file_exi +sts.stdout_lines[1]): Unable to look up a name or access an attribute in +template string ({% if \"sshd.socket\" in +socket_file_exists.stdout_lines[1] %} True {% else %} False {% endif +%}).\nMake sure your variab +le name does not contain invalid characters like '-': argument of type +'AnsibleUndefined' is not iterable\n\nThe error appears to be in +'/home/jcerny/scap-security-guide/build/fedora/playbooks/all/service_sshd_d +isabled.yml': line 44, column 7, but may\nbe elsewhere in the file +depending on the exact syntax problem.\n\nThe offending line appears to +be:\n\n\n - name: Disable socket sshd\n ^ here\n"} +--- + shared/templates/template_ANSIBLE_service_disabled | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/shared/templates/template_ANSIBLE_service_disabled b/shared/templates/template_ANSIBLE_service_disabled +index 1faeeeb9b8..cb3d0634af 100644 +--- a/shared/templates/template_ANSIBLE_service_disabled ++++ b/shared/templates/template_ANSIBLE_service_disabled +@@ -26,6 +26,7 @@ + register: socket_file_exists + changed_when: False + ignore_errors: True ++ check_mode: False + + - name: Disable socket {{{ SERVICENAME }}} + systemd: + +From 0a5f4fdac9a409e543ff05f2dbb46c78a7fc76b3 Mon Sep 17 00:00:00 2001 +From: 
=?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= +Date: Wed, 13 Nov 2019 15:58:42 +0100 +Subject: [PATCH 2/6] Add "check_mode: no" everywhere possible + +This option forces to run the command also in the check mode. +If the command only reads, eg. grep, it should be harmless. +It prevents issues that in "check" mode the playbook will terminate +because the variable that was expected to be populated by this +command is empty. +--- + .../sssd_ldap_configure_tls_ca_dir/ansible/shared.yml | 1 + + .../sssd/sssd-ldap/sssd_ldap_start_tls/ansible/shared.yml | 1 + + .../services/sssd/sssd_enable_smartcards/ansible/shared.yml | 1 + + .../services/sssd/sssd_memcache_timeout/ansible/shared.yml | 1 + + .../sssd/sssd_offline_cred_expiration/ansible/shared.yml | 1 + + .../sssd/sssd_ssh_known_hosts_timeout/ansible/shared.yml | 1 + + .../integrity/fips/grub2_enable_fips_mode/ansible/shared.yml | 3 +++ + .../package_dracut-fips-aesni_installed/ansible/shared.yml | 1 + + 8 files changed, 10 insertions(+) + +diff --git a/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_ca_dir/ansible/shared.yml b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_ca_dir/ansible/shared.yml +index 7ab0904da0..ca7bbf9f4f 100644 +--- a/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_ca_dir/ansible/shared.yml ++++ b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_ca_dir/ansible/shared.yml +@@ -10,6 +10,7 @@ + register: test_grep_domain + ignore_errors: yes + changed_when: False ++ check_mode: no + + - name: "Add default domain group and set CA directory (if no domain there)" + ini_file: +diff --git a/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_start_tls/ansible/shared.yml b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_start_tls/ansible/shared.yml +index 1aeb2728db..1fd1e7d2c5 100644 +--- a/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_start_tls/ansible/shared.yml ++++ b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_start_tls/ansible/shared.yml +@@ 
-16,6 +16,7 @@ + register: test_grep_domain + ignore_errors: yes + changed_when: False ++ check_mode: no + + - name: "Add default domain group and use STARTTLS (if no domain there)" + ini_file: +diff --git a/linux_os/guide/services/sssd/sssd_enable_smartcards/ansible/shared.yml b/linux_os/guide/services/sssd/sssd_enable_smartcards/ansible/shared.yml +index 636bc3f65f..1087367dde 100644 +--- a/linux_os/guide/services/sssd/sssd_enable_smartcards/ansible/shared.yml ++++ b/linux_os/guide/services/sssd/sssd_enable_smartcards/ansible/shared.yml +@@ -8,6 +8,7 @@ + register: test_grep_domain + ignore_errors: yes + changed_when: False ++ check_mode: no + + - name: "Add default domain group (if no domain there)" + ini_file: +diff --git a/linux_os/guide/services/sssd/sssd_memcache_timeout/ansible/shared.yml b/linux_os/guide/services/sssd/sssd_memcache_timeout/ansible/shared.yml +index 79dbd9140a..4a146b1008 100644 +--- a/linux_os/guide/services/sssd/sssd_memcache_timeout/ansible/shared.yml ++++ b/linux_os/guide/services/sssd/sssd_memcache_timeout/ansible/shared.yml +@@ -10,6 +10,7 @@ + register: test_grep_domain + ignore_errors: yes + changed_when: False ++ check_mode: no + + - name: "Add default domain group (if no domain there)" + ini_file: +diff --git a/linux_os/guide/services/sssd/sssd_offline_cred_expiration/ansible/shared.yml b/linux_os/guide/services/sssd/sssd_offline_cred_expiration/ansible/shared.yml +index 614cf5c05e..d79b0e6ca6 100644 +--- a/linux_os/guide/services/sssd/sssd_offline_cred_expiration/ansible/shared.yml ++++ b/linux_os/guide/services/sssd/sssd_offline_cred_expiration/ansible/shared.yml +@@ -8,6 +8,7 @@ + register: test_grep_domain + ignore_errors: yes + changed_when: False ++ check_mode: no + + - name: "Add default domain group (if no domain there)" + ini_file: +diff --git a/linux_os/guide/services/sssd/sssd_ssh_known_hosts_timeout/ansible/shared.yml b/linux_os/guide/services/sssd/sssd_ssh_known_hosts_timeout/ansible/shared.yml +index 
6284435ec4..6763e27c7e 100644 +--- a/linux_os/guide/services/sssd/sssd_ssh_known_hosts_timeout/ansible/shared.yml ++++ b/linux_os/guide/services/sssd/sssd_ssh_known_hosts_timeout/ansible/shared.yml +@@ -10,6 +10,7 @@ + register: test_grep_domain + ignore_errors: yes + changed_when: False ++ check_mode: no + + - name: "Add default domain group (if no domain there)" + ini_file: +diff --git a/linux_os/guide/system/software/integrity/fips/grub2_enable_fips_mode/ansible/shared.yml b/linux_os/guide/system/software/integrity/fips/grub2_enable_fips_mode/ansible/shared.yml +index 5cc5fe0e96..b642b6c3c3 100644 +--- a/linux_os/guide/system/software/integrity/fips/grub2_enable_fips_mode/ansible/shared.yml ++++ b/linux_os/guide/system/software/integrity/fips/grub2_enable_fips_mode/ansible/shared.yml +@@ -24,6 +24,7 @@ + command: grep -q -m1 -o aes /proc/cpuinfo + failed_when: aesni_supported.rc > 1 + register: aesni_supported ++ check_mode: no + + - name: Ensure dracut-fips-aesni is installed + package: +@@ -45,6 +46,7 @@ + command: grep 'GRUB_CMDLINE_LINUX.*fips=' /etc/default/grub + failed_when: False + register: fipsargcheck ++ check_mode: no + + - name: replace existing fips argument + replace: +@@ -68,6 +70,7 @@ + command: grep 'GRUB_CMDLINE_LINUX.*boot=' /etc/default/grub + failed_when: False + register: bootargcheck ++ check_mode: no + + - name: replace existing boot argument + replace: +diff --git a/linux_os/guide/system/software/integrity/fips/package_dracut-fips-aesni_installed/ansible/shared.yml b/linux_os/guide/system/software/integrity/fips/package_dracut-fips-aesni_installed/ansible/shared.yml +index 28a9dd71c4..8ed524fc75 100644 +--- a/linux_os/guide/system/software/integrity/fips/package_dracut-fips-aesni_installed/ansible/shared.yml ++++ b/linux_os/guide/system/software/integrity/fips/package_dracut-fips-aesni_installed/ansible/shared.yml +@@ -7,6 +7,7 @@ + command: grep -q -m1 -o aes /proc/cpuinfo + failed_when: aesni_supported.rc > 1 + register: 
aesni_supported ++ check_mode: no + + - name: Ensure dracut-fips-aesni is installed + package: + +From 7b669bf3d9e30e842095693456109c38d82f94a6 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= +Date: Wed, 13 Nov 2019 16:51:04 +0100 +Subject: [PATCH 3/6] Prevent fails in check mode + +Addressing: + +fatal: [localhost]: FAILED! => {"msg": "The task includes an option with +an undefined variable. The error was: 'dict object' has no attribute +'stdout'\n\nThe error appears to be in '/home/jcerny/scap-security-gu +ide/build/rhel7/playbooks/all/grub2_enable_fips_mode.yml': line 134, +column 7, but may\nbe elsewhere in the file depending on the exact +syntax problem.\n\nThe offending line appears to be:\n\n\n - name: +add b +oot argument\n ^ here\n"} +--- + .../integrity/fips/grub2_enable_fips_mode/ansible/shared.yml | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/linux_os/guide/system/software/integrity/fips/grub2_enable_fips_mode/ansible/shared.yml b/linux_os/guide/system/software/integrity/fips/grub2_enable_fips_mode/ansible/shared.yml +index b642b6c3c3..0dd7dea18d 100644 +--- a/linux_os/guide/system/software/integrity/fips/grub2_enable_fips_mode/ansible/shared.yml ++++ b/linux_os/guide/system/software/integrity/fips/grub2_enable_fips_mode/ansible/shared.yml +@@ -65,6 +65,7 @@ + - name: get boot device uuid + command: findmnt --noheadings --output uuid --target /boot + register: bootuuid ++ check_mode: no + + - name: check boot argument exists + command: grep 'GRUB_CMDLINE_LINUX.*boot=' /etc/default/grub + +From 309946d9ae49847bdb922ac5e0ba3657afa787a3 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= +Date: Wed, 13 Nov 2019 17:14:06 +0100 +Subject: [PATCH 4/6] Prevent fails in check mode + +--- + .../rpm_verification/rpm_verify_hashes/ansible/shared.yml | 2 ++ + .../rpm_verification/rpm_verify_ownership/ansible/shared.yml | 2 ++ + .../rpm_verification/rpm_verify_permissions/ansible/shared.yml | 2 ++ + 3 files changed, 6 
insertions(+) + +diff --git a/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_hashes/ansible/shared.yml b/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_hashes/ansible/shared.yml +index 0dc09339f4..991d637853 100644 +--- a/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_hashes/ansible/shared.yml ++++ b/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_hashes/ansible/shared.yml +@@ -20,6 +20,7 @@ + register: files_with_incorrect_hash + changed_when: False + failed_when: files_with_incorrect_hash.rc > 1 ++ check_mode: False + when: (package_manager_reinstall_cmd is defined) + + - name: Create list of packages +@@ -29,6 +30,7 @@ + with_items: "{{ files_with_incorrect_hash.stdout_lines | map('regex_findall', '^[.]+[5]+.* (\\/.*)', '\\1') | map('join') | select('match', '(\\/.*)') | list | unique }}" + register: list_of_packages + changed_when: False ++ check_mode: False + when: + - files_with_incorrect_hash.stdout_lines is defined + - (files_with_incorrect_hash.stdout_lines | length > 0) +diff --git a/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_ownership/ansible/shared.yml b/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_ownership/ansible/shared.yml +index d02508808c..d0d52e7c76 100644 +--- a/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_ownership/ansible/shared.yml ++++ b/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_ownership/ansible/shared.yml +@@ -10,6 +10,7 @@ + register: files_with_incorrect_ownership + failed_when: files_with_incorrect_ownership.rc > 1 + changed_when: False ++ check_mode: False + + - name: Create list of packages + command: rpm -qf "{{ item }}" +@@ -18,6 +19,7 @@ + with_items: "{{ files_with_incorrect_ownership.stdout_lines 
| map('regex_findall', '^[.]+[U|G]+.* (\\/.*)', '\\1') | map('join') | select('match', '(\\/.*)') | list | unique }}" + register: list_of_packages + changed_when: False ++ check_mode: False + when: (files_with_incorrect_ownership.stdout_lines | length > 0) + + - name: "Correct file ownership with RPM" +diff --git a/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_permissions/ansible/shared.yml b/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_permissions/ansible/shared.yml +index 55a37a4235..517cc38af2 100644 +--- a/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_permissions/ansible/shared.yml ++++ b/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_permissions/ansible/shared.yml +@@ -10,6 +10,7 @@ + register: files_with_incorrect_permissions + failed_when: files_with_incorrect_permissions.rc > 1 + changed_when: False ++ check_mode: False + + - name: Create list of packages + command: rpm -qf "{{ item }}" +@@ -18,6 +19,7 @@ + with_items: "{{ files_with_incorrect_permissions.stdout_lines | map('regex_findall', '^[.]+[M]+.* (\\/.*)', '\\1') | map('join') | select('match', '(\\/.*)') | list | unique }}" + register: list_of_packages + changed_when: False ++ check_mode: False + when: (files_with_incorrect_permissions.stdout_lines | length > 0) + + - name: "Correct file permissions with RPM" + +From d410766260716cf974fba04dfd3710b9bfd72323 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= +Date: Wed, 13 Nov 2019 17:26:42 +0100 +Subject: [PATCH 5/6] Fix template_ANSIBLE_mount_option_remote_filesystems + +"item" was not defined. Also, `findmnt` command can return 1 if there +is no nfs entry in /etc/fstab. The MOUNTOPTION variable is a complete +mount option, eg. `nosuid`. 
+---
+ .../ansible/shared.yml | 1 +
+ .../template_ANSIBLE_mount_option_remote_filesystems | 4 ++++
+ 2 files changed, 5 insertions(+)
+
+diff --git a/linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/mounting_remote_filesystems/mount_option_krb_sec_remote_filesystems/ansible/shared.yml b/linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/mounting_remote_filesystems/mount_option_krb_sec_remote_filesystems/ansible/shared.yml
+index 6982ce293e..1c318715cf 100644
+--- a/linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/mounting_remote_filesystems/mount_option_krb_sec_remote_filesystems/ansible/shared.yml
++++ b/linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/mounting_remote_filesystems/mount_option_krb_sec_remote_filesystems/ansible/shared.yml
+@@ -18,3 +18,4 @@
+ state: mounted
+ opts: "{{ item.split()[3] }},sec=krb5:krb5i:krb5p"
+ when: (points_register.stdout | length > 0)
++ with_items: "{{ points_register.stdout_lines }}"
+diff --git a/shared/templates/template_ANSIBLE_mount_option_remote_filesystems b/shared/templates/template_ANSIBLE_mount_option_remote_filesystems
+index a58d7729ec..c82201d507 100644
+--- a/shared/templates/template_ANSIBLE_mount_option_remote_filesystems
++++ b/shared/templates/template_ANSIBLE_mount_option_remote_filesystems
+@@ -5,10 +5,13 @@
+ # disruption = medium
+
+ - name: "Get nfs and nfs4 mount points, that don't have {{{ MOUNTOPTION }}}"
++ # 'no' before MOUNTOPTION isn't omission, it means a negation
+ command: findmnt --fstab --types nfs,nfs4 -O no{{{ MOUNTOPTION }}} -n
+ register: points_register
+ check_mode: no
+ changed_when: False
++ # if no nfs/nfs4 entries are in /etc/fstab, findmnt command returns 1
++ failed_when: False
+
+ - name: "Add {{{ MOUNTOPTION }}} to nfs and nfs4 mount points"
+ mount:
+@@ -18,3 +21,4 @@
+ state: mounted
+ opts: "{{ item.split()[3] }},{{{ MOUNTOPTION }}}"
+ when: (points_register.stdout | length > 0)
++ with_items: "{{ points_register.stdout_lines }}"
+
+commit 924ac061a1e044213f838ac5a15f26b451f35352
+Author: Gabriel Becker
+Date: Fri Nov 15 17:27:15 2019 +0100
+
+ Fix mount_option_krb_sec_remote_filesystems ansible content.
+
+diff --git a/linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/mounting_remote_filesystems/mount_option_krb_sec_remote_filesystems/ansible/shared.yml b/linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/mounting_remote_filesystems/mount_option_krb_sec_remote_filesystems/ansible/shared.yml
+index 1c31871..befa06e 100644
+--- a/linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/mounting_remote_filesystems/mount_option_krb_sec_remote_filesystems/ansible/shared.yml
++++ b/linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/mounting_remote_filesystems/mount_option_krb_sec_remote_filesystems/ansible/shared.yml
+@@ -5,10 +5,11 @@
+ # disruption = medium
+
+ - name: "Get nfs and nfs4 mount points, that don't have Kerberos security option"
+- command: findmnt --fstab --types nfs,nfs4 -O nosec=krb5:krb5i:krb5p -n -o TARGET
++ command: findmnt --fstab --types nfs,nfs4 -O nosec=krb5:krb5i:krb5p -n
+ register: points_register
+ check_mode: no
+ changed_when: False
++ failed_when: False
+
+ - name: "Add Kerberos security to nfs and nfs4 mount points"
+ mount:
diff --git a/SOURCES/scap-security-guide-0.1.48-fix_grub2_enable_fips_mode.patch b/SOURCES/scap-security-guide-0.1.48-fix_grub2_enable_fips_mode.patch
new file mode 100644
index 0000000..0be3f99
--- /dev/null
+++ b/SOURCES/scap-security-guide-0.1.48-fix_grub2_enable_fips_mode.patch
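Review bot: `failed_when: False` on the findmnt task in template_ANSIBLE_mount_option_remote_filesystems, and the same line added to mount_option_krb_sec_remote_filesystems in the following commit, masks every failure of the command — a missing binary, a rejected option — not only the rc 1 that the new comment attributes to an fstab with no nfs entries; elsewhere in this series grep is tolerated with `failed_when: aesni_supported.rc > 1`, and `failed_when: points_register.rc > 1` would keep real errors visible while allowing the no-entries case (assuming findmnt does return 1 there, as the comment states). Separately, the added lines spell the same boolean several ways — `check_mode: no` in the sssd and fips files, `check_mode: False` in the rpm_verify files, beside the existing `ignore_errors: yes` and `changed_when: False`; yamllint's truthy rule and YAML 1.2 expect `true`/`false`, so `check_mode: false` throughout would be consistent. In most of these files the task the new line belongs to starts above the hunk's context.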
@@ -0,0 +1,121 @@
+From 77a21063367337b874e9396547b3d1439eef2754 Mon Sep 17 00:00:00 2001
+From: Alexander Scheel
+Date: Fri, 6 Sep 2019 11:44:49 -0400
+Subject: [PATCH] Rename disable_prelink -> bash_disable_prelink
+
+Per conversation in #4746, we should probably prefix bash remediation
+helpers with the bash_ prefix. This lets us quickly identify which
+language a particular macro is for, especially when macros with similar
+functionality behave differently across languages.
+
+Signed-off-by: Alexander Scheel
+---
+ .../system/software/integrity/disable_prelink/bash/shared.sh | 2 +-
+ .../integrity/fips/grub2_enable_fips_mode/bash/shared.sh | 2 +-
+ shared/macros-bash.jinja | 2 +-
+ 4 files changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/linux_os/guide/system/software/integrity/disable_prelink/bash/shared.sh b/linux_os/guide/system/software/integrity/disable_prelink/bash/shared.sh
+index a79bd71ab0..ed6a388d0a 100644
+--- a/linux_os/guide/system/software/integrity/disable_prelink/bash/shared.sh
++++ b/linux_os/guide/system/software/integrity/disable_prelink/bash/shared.sh
+@@ -1,2 +1,2 @@
+ # platform = multi_platform_all
+-{{{ disable_prelink() }}}
++{{{ bash_disable_prelink() }}}
+diff --git a/linux_os/guide/system/software/integrity/fips/grub2_enable_fips_mode/bash/shared.sh b/linux_os/guide/system/software/integrity/fips/grub2_enable_fips_mode/bash/shared.sh
+index 2b99be11a7..18b57e6f87 100644
+--- a/linux_os/guide/system/software/integrity/fips/grub2_enable_fips_mode/bash/shared.sh
++++ b/linux_os/guide/system/software/integrity/fips/grub2_enable_fips_mode/bash/shared.sh
+@@ -3,7 +3,7 @@
+ # include remediation functions library
+ . 
/usr/share/scap-security-guide/remediation_functions
+
+-{{{ disable_prelink() }}}
++{{{ bash_disable_prelink() }}}
+
+ if grep -q -m1 -o aes /proc/cpuinfo; then
+ {{{ bash_package_install("dracut-fips-aesni") }}}
+diff --git a/shared/macros-bash.jinja b/shared/macros-bash.jinja
+index 1af0143805..8a6b9b5099 100644
+--- a/shared/macros-bash.jinja
++++ b/shared/macros-bash.jinja
+@@ -87,7 +87,7 @@ apt-get remove -y "{{{ package }}}"
+ {{%- endif -%}}
+ {{%- endmacro -%}}
+
+-{{%- macro disable_prelink() -%}}
++{{%- macro bash_disable_prelink() -%}}
+ # prelink not installed
+ if test ! -e /etc/sysconfig/prelink -a ! -e /usr/sbin/prelink; then
+ return 0
+From 747a407d54a4c3549795fbf2a484092d175a39a4 Mon Sep 17 00:00:00 2001
+From: Gabriel Becker
+Date: Wed, 6 Nov 2019 15:45:47 +0100
+Subject: [PATCH 1/2] Invert logic when testing for prelink package presence.
+
+Since this piece of code is not a bash function anymore, it is not
+possible to use the return statement, so inverting the logic of the test
+did the trick.
+---
+ shared/macros-bash.jinja | 26 ++++++++++++--------------
+ 1 file changed, 12 insertions(+), 14 deletions(-)
+
+diff --git a/shared/macros-bash.jinja b/shared/macros-bash.jinja
+index 49ef874f0b..62b1b165a8 100644
+--- a/shared/macros-bash.jinja
++++ b/shared/macros-bash.jinja
+@@ -89,21 +89,19 @@ apt-get remove -y "{{{ package }}}"
+
+ {{%- macro bash_disable_prelink() -%}}
+ # prelink not installed
+-if test ! -e /etc/sysconfig/prelink -a ! 
-e /usr/sbin/prelink; then
+- return 0
+-fi
+-
+-if grep -q ^PRELINKING /etc/sysconfig/prelink
+-then
+- sed -i 's/^PRELINKING[:blank:]*=[:blank:]*[:alpha:]*/PRELINKING=no/' /etc/sysconfig/prelink
+-else
+- printf '\n' >> /etc/sysconfig/prelink
+- printf '%s\n' '# Set PRELINKING=no per security requirements' 'PRELINKING=no' >> /etc/sysconfig/prelink
+-fi
++if test -e /etc/sysconfig/prelink -o -e /usr/sbin/prelink; then
++ if grep -q ^PRELINKING /etc/sysconfig/prelink
++ then
++ sed -i 's/^PRELINKING[:blank:]*=[:blank:]*[:alpha:]*/PRELINKING=no/' /etc/sysconfig/prelink
++ else
++ printf '\n' >> /etc/sysconfig/prelink
++ printf '%s\n' '# Set PRELINKING=no per security requirements' 'PRELINKING=no' >> /etc/sysconfig/prelink
++ fi
+
+-# Undo previous prelink changes to binaries if prelink is available.
+-if test -x /usr/sbin/prelink; then
+- /usr/sbin/prelink -ua
++ # Undo previous prelink changes to binaries if prelink is available.
++ if test -x /usr/sbin/prelink; then
++ /usr/sbin/prelink -ua
++ fi
+ fi
+ {{%- endmacro -%}}
+
+
+From 6c7182016b956d53ac5cf306da6d1b4efda953ab Mon Sep 17 00:00:00 2001
+From: Gabriel Becker
+Date: Wed, 6 Nov 2019 17:15:47 +0100
+Subject: [PATCH 2/2] Add dracut-fips-aesni package to grub2_enable_fips_mode
+ anaconda remediation.
+
+---
+ .../fips/grub2_enable_fips_mode/anaconda/shared.anaconda | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/linux_os/guide/system/software/integrity/fips/grub2_enable_fips_mode/anaconda/shared.anaconda b/linux_os/guide/system/software/integrity/fips/grub2_enable_fips_mode/anaconda/shared.anaconda
+index 4a329df8f4..2dd06202b3 100644
+--- a/linux_os/guide/system/software/integrity/fips/grub2_enable_fips_mode/anaconda/shared.anaconda
++++ b/linux_os/guide/system/software/integrity/fips/grub2_enable_fips_mode/anaconda/shared.anaconda
+@@ -1,3 +1,3 @@
+ # platform = Red Hat Enterprise Linux 7,Oracle Linux 7
+
+-package --add=dracut-fips
++package --add=dracut-fips --add=dracut-fips-aesni
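Review bot: The sed line carried into the re-indented bash_disable_prelink body writes the POSIX classes as `[:blank:]` and `[:alpha:]` instead of `[[:blank:]]` and `[[:alpha:]]`; depending on the sed build that expression is either rejected as a syntax error or read as a bracket expression over the literal characters, so an existing `PRELINKING=yes` line is either left untouched or mangled, and the script carries on past the failed substitution as if the remediation had applied. The line should read `sed -i 's/^PRELINKING[[:blank:]]*=[[:blank:]]*[[:alpha:]]*/PRELINKING=no/' /etc/sysconfig/prelink`. The defect is already present on the removed side, but this commit re-indents the line without correcting it, and a `PRELINKING=yes` fixture in the rule's tests would have caught it.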
diff --git a/SOURCES/scap-security-guide-0.1.48-fix_sshd_use_strong.patch b/SOURCES/scap-security-guide-0.1.48-fix_sshd_use_strong.patch
new file mode 100644
index 0000000..60a0b62
--- /dev/null
+++ b/SOURCES/scap-security-guide-0.1.48-fix_sshd_use_strong.patch
@@ -0,0 +1,86 @@
+From 8bf82a98ae80879d2b1800ae0d5bc19b6c5cab3c Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?=
+Date: Thu, 14 Nov 2019 18:04:39 +0100
+Subject: [PATCH 1/2] Fix RHEL7 rules sshd_use_strong_macs and
+ sshd_use_strong_ciphers.
+
+- Implemented Bash remediations according to rule description.
+- Synced sshd_use_strong_ciphers OVAL according with the rule description.
+---
+ .../ssh/ssh_server/sshd_use_strong_ciphers/bash/shared.sh | 3 +++
+ .../ssh/ssh_server/sshd_use_strong_ciphers/oval/shared.xml | 2 +-
+ .../ssh/ssh_server/sshd_use_strong_macs/bash/shared.sh | 4 ++++
+ 3 files changed, 8 insertions(+), 1 deletion(-)
+ create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_use_strong_ciphers/bash/shared.sh
+ create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_use_strong_macs/bash/shared.sh
+
+diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_ciphers/bash/shared.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_ciphers/bash/shared.sh
+new file mode 100644
+index 0000000000..69c1f3eead
+--- /dev/null
++++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_ciphers/bash/shared.sh
+@@ -0,0 +1,3 @@
++# platform = multi_platform_all
++
++{{{ bash_sshd_config_set(parameter="Ciphers", value="aes128-ctr,aes192-ctr,aes256-ctr,chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes128-ctr") }}}
+diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_ciphers/oval/shared.xml b/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_ciphers/oval/shared.xml
+index 3adae19c5a..0b20f775ce 100644
+--- a/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_ciphers/oval/shared.xml
++++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_ciphers/oval/shared.xml
+@@ -1 +1 @@
+-{{{ oval_sshd_config(parameter="Ciphers", value="((chacha20-poly1305@openssh\.com|aes256-gcm@openssh\.com|aes128-gcm@openssh\.com|aes256-ctr|aes128-ctr),?)") }}}
++{{{ oval_sshd_config(parameter="Ciphers", value="((aes128-ctr|aes192-ctr|aes256-ctr|chacha20-poly1305@openssh\.com|aes256-gcm@openssh\.com|aes128-gcm@openssh\.com|aes256-ctr|aes128-ctr),?)") }}}
+diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_macs/bash/shared.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_macs/bash/shared.sh
+new file mode 100644
+index 0000000000..f77be04a1b
+--- /dev/null
++++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_macs/bash/shared.sh
+@@ -0,0 +1,4 @@
++# platform = multi_platform_all
++
++{{{ bash_sshd_config_set(parameter="MACs", value="hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160") }}}
++
+
+From 32c5bdbfc532d36bae5aaf0e0510b8516373598e Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?=
+Date: Fri, 15 Nov 2019 14:44:25 +0100
+Subject: [PATCH 2/2] Fixed sshd_use_strong_ciphers.
+
+- Fixed ciphers rule description metadata and bash remediation - removed duplicate ciphers.
+- Fixed ciphers rule OVAL.
+---
+ .../ssh/ssh_server/sshd_use_strong_ciphers/bash/shared.sh | 2 +-
+ .../ssh/ssh_server/sshd_use_strong_ciphers/oval/shared.xml | 2 +-
+ .../ssh/ssh_server/sshd_use_strong_ciphers/rule.yml | 3 +--
+ 7 files changed, 23 insertions(+), 4 deletions(-)
+
+diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_ciphers/bash/shared.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_ciphers/bash/shared.sh
+index 69c1f3eead..d30e534064 100644
+--- a/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_ciphers/bash/shared.sh
++++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_ciphers/bash/shared.sh
+@@ -1,3 +1,3 @@
+ # platform = multi_platform_all
+
+-{{{ bash_sshd_config_set(parameter="Ciphers", value="aes128-ctr,aes192-ctr,aes256-ctr,chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes128-ctr") }}}
++{{{ bash_sshd_config_set(parameter="Ciphers", value="aes128-ctr,aes192-ctr,aes256-ctr,chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com") }}}
+diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_ciphers/oval/shared.xml b/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_ciphers/oval/shared.xml
+index 0b20f775ce..474cb49979 100644
+--- a/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_ciphers/oval/shared.xml
++++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_ciphers/oval/shared.xml
+@@ -1 +1 @@
+-{{{ oval_sshd_config(parameter="Ciphers", value="((aes128-ctr|aes192-ctr|aes256-ctr|chacha20-poly1305@openssh\.com|aes256-gcm@openssh\.com|aes128-gcm@openssh\.com|aes256-ctr|aes128-ctr),?)") }}}
++{{{ oval_sshd_config(parameter="Ciphers", value="((aes128-ctr|aes192-ctr|aes256-ctr|chacha20-poly1305@openssh\.com|aes256-gcm@openssh\.com|aes128-gcm@openssh\.com),?)+") }}}
+diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_ciphers/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_ciphers/rule.yml
+index d4b61cedb9..90e11c0d99 100644
+--- a/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_ciphers/rule.yml
++++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_ciphers/rule.yml
+@@ -9,8 +9,7 @@ description: |-
+ Counter (CTR) mode is also preferred over cipher-block chaining (CBC) mode.
+ The following line in /etc/ssh/sshd_config
+ demonstrates use of those ciphers:
+-
    Ciphers aes128-ctr,aes192-ctr,aes256-ctr
    +-
    chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes128-ctr
    ++
    Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
+ The man page sshd_config(5) contains a list of supported ciphers.
+
+ rationale: |-
diff --git a/SPECS/scap-security-guide.spec b/SPECS/scap-security-guide.spec
index b20c578..59c8712 100644
--- a/SPECS/scap-security-guide.spec
+++ b/SPECS/scap-security-guide.spec
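Review bot: The new `sshd_use_strong_macs/bash/shared.sh` remediation still writes `hmac-ripemd160` into `MACs`; RIPEMD-160 is not a SHA-2 family or FIPS-approved MAC, and upstream OpenSSH dropped support for it in 7.6, so on a host with a newer OpenSSH (RHEL 8, which this same spec now builds content for) an unrecognised name in `MACs` makes sshd refuse its configuration at start-up — while the file is tagged `# platform = multi_platform_all` even though the commit title scopes the fix to RHEL 7. Dropping it, `{{{ bash_sshd_config_set(parameter="MACs", value="hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256") }}}`, or narrowing the platform line to the RHEL 7 product, avoids that; the MACs OVAL is not part of this hunk, so its regex would presumably need the same edit to stay in sync with the remediation. The Ciphers OVAL value `((…),?)+` only pins the whole list if `oval_sshd_config` anchors the pattern with `^…$` (not visible here); if it does not, a line such as `Ciphers aes128-ctr,3des-cbc` would still pass, so that is worth confirming against the macro.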
@@ -1,47 +1,33 @@
-%global redhatssgversion 43
-
 # Somehow, _pkgdocdir is already defined and points to unversioned docs dir
 # RHEL 7.X uses versioned docs dir, hence the definition below
 %global _pkgdocdir %{_docdir}/%{name}-%{version}
 Name: scap-security-guide
-Version: 0.1.%{redhatssgversion}
-Release: 13%{?dist}
+Version: 0.1.46
+Release: 11%{?dist}
 Summary: Security guidance and baselines in SCAP formats
 Group: System Environment/Base
 License: BSD-3-Clause
 URL: https://github.com/ComplianceAsCode/content
 Source0: %{name}-%{version}.tar.bz2
-Patch1: scap-security-guide-0.1.44-rule_pcsc-lite_installed.patch
-Patch2: scap-security-guide-0.1.44-fix_no_direct_root_logins_changed_when.patch
-Patch3: scap-security-guide-0.1.44-rules_docker_psacct_installed.patch
-Patch4: scap-security-guide-0.1.44-fix_removed_sebooleans.patch
-Patch5: scap-security-guide-0.1.44-fix_ansible_sssd_tasks.patch
-Patch6: scap-security-guide-0.1.44-template_file_permissions_use_regex.patch
-Patch7: scap-security-guide-0.1.44-fix_rpm_verify_permissions.patch
-Patch8: scap-security-guide-0.1.44-fix_stig_duplicated_audit_rules.patch
-Patch9: scap-security-guide-0.1.45-mark_rules_as_machine_only.patch
-Patch10: scap-security-guide-0.1.44-cpe-shadow-utils.patch
-Patch11: scap-security-guide-0.1.44-cpe-pam-systemd-yum.patch
-Patch12: scap-security-guide-0.1.44-cpe-gdm.patch
-Patch13: scap-security-guide-0.1.44-cpe-remaining.patch
-Patch14: scap-security-guide-0.1.44-update-cpe-dictionary.patch
-Patch15: scap-security-guide-0.1.44-mark_selinux_rules_as_machine_only.patch
-Patch16: scap-security-guide-0.1.44-mark_service_disabled_rules_as_machine_only.patch
-Patch17: scap-security-guide-0.1.44-remove_gpgcheck_repo_from_profiles.patch
-Patch18: scap-security-guide-0.1.44-deduplicate_cce_assigned_to_rules.patch
-Patch19: evaluate_new_package_cpes_to_true.patch
-Patch20: scap-security-guide-0.1.44-deduplicate_cce_assigned_to_rules2.patch
-Patch21: scap-security-guide-0.1.45-fix_rule_sssd_ssh_known_hosts_timeout.patch
-Patch22: add-missing-tags-and-platforms.patch
-Patch23: scap-security-guide-0.1.45-fix_ansible_sssd_ssh_known_hosts_timeout.patch
-Patch24: remove_dconf_use_text_backend_rule_from_profiles.patch
-Patch25: scap-security-guide-0.1.45-aide_not_applicable_to_containers.patch
-Patch26: scap-security-guide-0.1.45-smartcards_not_applicable_to_containers.patch
-Patch27: scap-security-guide-0.1.45-add_rule_dconf_db_up_to_date.patch
-Patch28: scap-security-guide-0.1.45-fix_dconf_remediation.patch
-Patch999: centos-debranding.patch
+Patch1: scap-security-guide-0.1.47-compare_suid_files_with_rpm.patch
+Patch2: scap-security-guide-0.1.47-improve_bash_based_on_shellcheck.patch
+Patch3: scap-security-guide-0.1.47-add_-t_parameter_to_fix_audit_syscall_rule.patch
+Patch4: scap-security-guide-0.1.47-remove_slash_from_audit_rules_login_faillock.patch
+Patch5: scap-security-guide-0.1.47-update_arufm_to_match_multiple_-S_args.patch
+Patch6: scap-security-guide-0.1.47-first_occurence_mtab.patch
+Patch7: scap-security-guide-0.1.48-fix_grub2_enable_fips_mode.patch
+Patch8: scap-security-guide-0.1.47-remove_shell_module_from_playbooks.patch
+Patch9: scap-security-guide-0.1.47-remove_directory_access_var_log_audit_from_ospp.patch
+Patch10: scap-security-guide-0.1.48-fix_ansible_tasks_in_check_mode.patch
+Patch11: scap-security-guide-0.1.47-e8.patch
+Patch12: scap-security-guide-0.1.48-fix_sshd_use_strong.patch
+Patch13: scap-security-guide-0.1.47-fix_missing_cce.patch
+Patch14: scap-security-guide-0.1.48-add_e8_profile_kickstart.patch
+Patch15: scap-security-guide-0.1.48-fix_aide_periodic_crontab_check.patch
+Patch16: scap-security-guide-0.1.47-add_missing_cce_sudo_require_authentication.patch
+Patch17: disable-not-in-good-shape-profiles.patch
 BuildArch: noarch
 BuildRequires: libxslt, expat, python, openscap-scanner >= 1.2.16, python-jinja2, cmake >= 2.8, PyYAML
@@ -69,10 +55,6 @@ been generated from XCCDF benchmarks present in %{name} package.
 %prep
 %setup -q -n %{name}-%{version}
-# Workaround to remove Python byte cache files from the upstream sources
-# See https://github.com/ComplianceAsCode/content/issues/4042
-find . -name '*.pyc' -exec rm -f {} ';'
-mkdir build
 %patch1 -p1
 %patch2 -p1
 %patch3 -p1
@@ -90,54 +72,25 @@ mkdir build
 %patch15 -p1
 %patch16 -p1
 %patch17 -p1
-%patch18 -p1
-%patch19 -p1
-%patch20 -p1
-%patch21 -p1
-%patch22 -p1
-%patch23 -p1
-%patch24 -p1
-%patch25 -p1
-%patch26 -p1
-%patch27 -p1
-%patch28 -p1
-%patch999 -p1
+# Workaround to remove Python byte cache files from the upstream sources
+# See https://github.com/ComplianceAsCode/content/issues/4042
+find . -name '*.pyc' -exec rm -f {} ';'
+mkdir build
 %build
 mkdir -p build && cd build
 %cmake -D CMAKE_INSTALL_DOCDIR=%{_pkgdocdir} \
--DSSG_PRODUCT_EXAMPLE:BOOL=OFF \
--DSSG_PRODUCT_CHROMIUM:BOOL=OFF \
--DSSG_PRODUCT_DEBIAN8:BOOL=OFF \
--DSSG_PRODUCT_FEDORA:BOOL=OFF \
+-DSSG_PRODUCT_DEFAULT:BOOL=OFF \
 -DSSG_PRODUCT_FIREFOX:BOOL=ON \
--DSSG_PRODUCT_JBOSS_EAP6:BOOL=OFF \
--DSSG_PRODUCT_JBOSS_FUSE6:BOOL=OFF \
--DSSG_PRODUCT_JBOSS_JRE:BOOL=ON \
--DSSG_PRODUCT_OCP3:BOOL=OFF \
--DSSG_PRODUCT_OPENSUSE:BOOL=OFF \
--DSSG_PRODUCT_OSP13:BOOL=OFF \
+-DSSG_PRODUCT_JRE:BOOL=ON \
 -DSSG_PRODUCT_RHEL6:BOOL=ON \
 -DSSG_PRODUCT_RHEL7:BOOL=ON \
--DSSG_PRODUCT_RHEL8:BOOL=OFF \
--DSSG_PRODUCT_RHV4:BOOL=OFF \
--DSSG_PRODUCT_SUSE11:BOOL=OFF \
--DSSG_PRODUCT_SUSE12:BOOL=OFF \
--DSSG_PRODUCT_UBUNTU14:BOOL=OFF \
--DSSG_PRODUCT_UBUNTU16:BOOL=OFF \
--DSSG_PRODUCT_UBUNTU18:BOOL=OFF \
--DSSG_PRODUCT_WRLINUX:BOOL=OFF \
--DSSG_PRODUCT_OL7:BOOL=OFF \
--DSSG_PRODUCT_OL8:BOOL=OFF \
--DSSG_CENTOS_DERIVATIVES_ENABLED:BOOL=ON \
+-DSSG_PRODUCT_RHEL8:BOOL=ON \
+-DSSG_CENTOS_DERIVATIVES_ENABLED:BOOL=OFF \
 -DSSG_SCIENTIFIC_LINUX_DERIVATIVES_ENABLED:BOOL=OFF \
 ../
 make %{?_smp_mflags}
-%check
-cd build
-ctest %{?_smp_mflags} -E linkchecker --output-on-failure
-
 %install
 cd build
 %make_install
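Review bot: The `%check` stage that ran `ctest %{?_smp_mflags} -E linkchecker --output-on-failure` on the built content is removed in the `%build`/`%install` hunk with no replacement and no changelog line explaining why, so the generated datastreams — now including the RHEL 8 product switched on by `-DSSG_PRODUCT_RHEL8:BOOL=ON` in the same hunk — are no longer validated at build time and a malformed OVAL or remediation would ship silently. If one test is what broke, exclude it the way linkchecker already was instead of deleting the stage, e.g. keep `%check` / `cd build` / `ctest %{?_smp_mflags} -E 'linkchecker|<failing-test>' --output-on-failure`, and record the reason in `%changelog`. Separately, `-DSSG_CENTOS_DERIVATIVES_ENABLED:BOOL=ON` flips to OFF while `centos-debranding.patch` is dropped from the patch list; if this package is still consumed on CentOS 7 hosts, the RHEL 7 datastream's CPE platform checks would presumably no longer match them and every rule would come back notapplicable, which is worth confirming is intended.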
@@ -160,6 +113,51 @@ cd build
 %doc build/guides/ssg-*-guide-*.html
 %changelog
+* Thu Nov 28 2019 Jan Černý - 0.1.46-11
+- Ship RHEL 8 content (RHBZ#1777862)
+
+* Wed Nov 20 2019 Vojtech Polasek - 0.1.46-10
+- Added missing CCE for rule sudo_require_authentication. (RHBZ#1755192)
+- fix check and remediation for rule aide_periodic_cron_checking (RHBZ#1658036)
+
+* Mon Nov 18 2019 Gabriel Becker - 0.1.46-9
+- Fixed missing CCE for OSPP, E8 and STIG profiles. (RHBZ#1726698)
+- Added kickstart file for the Essential Eight (e8) profile. (RHBZ#1755192)
+
+* Fri Nov 15 2019 Gabriel Becker - 0.1.46-8
+- Fix an omission on backporting the patch which fixes krb_sec rule. (RHBZ#1726698)
+
+* Fri Nov 15 2019 Matěj Týč - 0.1.46-7
+- Added support for the Essential Eight (e8) profile. (RHBZ#1755192)
+- Fixed issues with sshd rules used in the e8 profile. (RHBZ#1755192)
+
+* Wed Nov 13 2019 Gabriel Becker - 0.1.46-6
+- Updated ansible playbooks to use modules in favor of shell. (RHBZ#1726698)
+- Removed rule directory_access_var_log_audit from OSPP profile. (RHBZ#1726698)
+- Fixed ansible playbooks failing when running in --check mode. (RHBZ#1726698)
+
+* Mon Nov 11 2019 Gabriel Becker - 0.1.46-5
+- Fixed grub2_enable_fips_mode rule when installing RHEL on machines with AES-enabled processors. (RHBZ#1754532)
+
+* Wed Nov 06 2019 Jan Černý - 0.1.46-4
+- Fix evaluation and remediation of audit rules in PCI-DSS profile (RHBZ#1754550)
+- Fixed mtab handling of remediation of /dev/shm/noexec (RHBZ#1754553)
+
+* Tue Nov 05 2019 Matěj Týč - 0.1.46-3
+- Made the cmake product selection future-proof. (RHBZ#1726698)
+
+* Tue Nov 05 2019 Jan Černý - 0.1.46-2
+- Fix rules file_permissions_unauthorized_suid and sgid (RHBZ#1693026)
+
+* Mon Sep 02 2019 Watson Sato - 0.1.46-1
+- Update to the latest upstream release 0.1.46 (RHBZ#1726698)
+
+* Fri Aug 09 2019 Matěj Týč - 0.1.45-2
+- Added a patch not to build SCAP 1.2 datastreams, only SCAP 1.3 (RHBZ#1726698)
+
+* Tue Aug 06 2019 Watson Sato - 0.1.45-1
+- Update to the latest upstream release (RHBZ#1726698)
+
 * Wed Jun 12 2019 Matěj Týč - 0.1.43-13
 - Fixed the shared dconf bash remediation (RHBZ#1631378)