diff --git a/.gitignore b/.gitignore
index 573eb37..3e926eb 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1 @@
-SOURCES/scap-security-guide-0.1.50.tar.bz2
+SOURCES/scap-security-guide-0.1.53.tar.bz2
diff --git a/.scap-security-guide.metadata b/.scap-security-guide.metadata
index d7de47e..d061d4f 100644
--- a/.scap-security-guide.metadata
+++ b/.scap-security-guide.metadata
@@ -1 +1 @@
-1cf4a166c153a96841eb42384c2c76a4dee36919 SOURCES/scap-security-guide-0.1.50.tar.bz2
+86a00c7cf51695c4718329590af7f9f599312dda SOURCES/scap-security-guide-0.1.53.tar.bz2
diff --git a/SOURCES/disable-not-in-good-shape-profiles.patch b/SOURCES/disable-not-in-good-shape-profiles.patch
index 80b2a96..fdd5c66 100644
--- a/SOURCES/disable-not-in-good-shape-profiles.patch
+++ b/SOURCES/disable-not-in-good-shape-profiles.patch
@@ -1,24 +1,27 @@
-From 2dfbfa76867db56ee90f168b478437d916e0cd4e Mon Sep 17 00:00:00 2001
+From 48e959ebf2b892fefa642f19bc8cc1d2d639fb29 Mon Sep 17 00:00:00 2001
From: Watson Sato -Date: Fri, 17 Jan 2020 19:01:22 +0100 +Date: Thu, 3 Dec 2020 14:35:47 +0100 Subject: [PATCH] Disable profiles that are not in good shape for RHEL8 -They raise too many errors and fails. -Also disable tables for profiles that are not built. --- - rhel8/CMakeLists.txt | 2 -- - rhel8/profiles/cjis.profile | 2 +- - rhel8/profiles/rhelh-stig.profile | 2 +- - rhel8/profiles/rhelh-vpp.profile | 2 +- - rhel8/profiles/rht-ccp.profile | 2 +- - rhel8/profiles/standard.profile | 2 +- - 9 files changed, 8 insertions(+), 10 deletions(-) + rhel8/CMakeLists.txt | 6 ------ + rhel8/profiles/anssi_bp28_enhanced.profile | 2 +- + rhel8/profiles/anssi_bp28_high.profile | 2 +- + rhel8/profiles/anssi_bp28_intermediary.profile | 2 +- + rhel8/profiles/anssi_bp28_minimal.profile | 2 +- + rhel8/profiles/cjis.profile | 2 +- + rhel8/profiles/ism_o.profile | 2 +- + rhel8/profiles/rhelh-stig.profile | 2 +- + rhel8/profiles/rhelh-vpp.profile | 2 +- + rhel8/profiles/rht-ccp.profile | 2 +- + rhel8/profiles/standard.profile | 2 +- + 11 files changed, 10 insertions(+), 16 deletions(-) diff --git a/rhel8/CMakeLists.txt b/rhel8/CMakeLists.txt -index 40f2b2b0f..492a8dae1 100644 +index d61689c97..5e444a101 100644 --- a/rhel8/CMakeLists.txt +++ b/rhel8/CMakeLists.txt -@@ -14,9 +14,8 @@ ssg_build_html_table_by_ref(${PRODUCT} "cis") +@@ -14,15 +14,9 @@ ssg_build_html_table_by_ref(${PRODUCT} "cis") ssg_build_html_table_by_ref(${PRODUCT} "pcidss") ssg_build_html_table_by_ref(${PRODUCT} "anssi") 
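Review bot: The rebased header of SOURCES/disable-not-in-good-shape-profiles.patch removes the two explanatory body lines (`They raise too many errors and fails.` and `Also disable tables for profiles that are not built.`) and adds nothing in their place, so the new patch no longer records why the four anssi_bp28_*.profile files and ism_o.profile are flipped to `documentation_complete: false`, which, going by the patch subject, keeps them out of the built RHEL8 content. A one-line body such as `The ANSSI BP-028 and ISM profiles are not yet ready for RHEL8; hide them and their reference tables until they pass testing.` would keep that reasoning with the patch for the next rebase. The only other change in this hunk is the diffstat, which just reflects the added profile files.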
@@ -26,18 +29,74 @@ index 40f2b2b0f..492a8dae1 100644 ssg_build_html_nistrefs_table(${PRODUCT} "ospp") ssg_build_html_nistrefs_table(${PRODUCT} "stig") - # Uncomment when anssi profiles are marked documentation_complete: true - #ssg_build_html_anssirefs_table(${PRODUCT} "nt28_minimal") +-ssg_build_html_anssirefs_table(${PRODUCT} "bp28_minimal") +-ssg_build_html_anssirefs_table(${PRODUCT} "bp28_intermediary") +-ssg_build_html_anssirefs_table(${PRODUCT} "bp28_enhanced") +-ssg_build_html_anssirefs_table(${PRODUCT} "bp28_high") +- + ssg_build_html_cce_table(${PRODUCT}) + + ssg_build_html_srgmap_tables(${PRODUCT} "stig" ${DISA_SRG_TYPE}) +diff --git a/rhel8/profiles/anssi_bp28_enhanced.profile b/rhel8/profiles/anssi_bp28_enhanced.profile +index e7e2f2875..75b1f4153 100644 +--- a/rhel8/profiles/anssi_bp28_enhanced.profile ++++ b/rhel8/profiles/anssi_bp28_enhanced.profile +@@ -1,4 +1,4 @@ +-documentation_complete: true ++documentation_complete: false + + title: 'ANSSI BP-028 (enhanced)' + +diff --git a/rhel8/profiles/anssi_bp28_high.profile b/rhel8/profiles/anssi_bp28_high.profile +index ccad93d67..6a854378c 100644 +--- a/rhel8/profiles/anssi_bp28_high.profile ++++ b/rhel8/profiles/anssi_bp28_high.profile +@@ -1,4 +1,4 @@ +-documentation_complete: true ++documentation_complete: false + + title: 'ANSSI BP-028 (high)' + +diff --git a/rhel8/profiles/anssi_bp28_intermediary.profile b/rhel8/profiles/anssi_bp28_intermediary.profile +index 638e60e0e..55ef4d680 100644 +--- a/rhel8/profiles/anssi_bp28_intermediary.profile ++++ b/rhel8/profiles/anssi_bp28_intermediary.profile +@@ -1,4 +1,4 @@ +-documentation_complete: true ++documentation_complete: false + + title: 'ANSSI BP-028 (intermediary)' + +diff --git a/rhel8/profiles/anssi_bp28_minimal.profile b/rhel8/profiles/anssi_bp28_minimal.profile +index 45cbba8f3..468c20adf 100644 +--- a/rhel8/profiles/anssi_bp28_minimal.profile ++++ b/rhel8/profiles/anssi_bp28_minimal.profile +@@ -1,4 +1,4 @@ +-documentation_complete: true 
++documentation_complete: false + + title: 'ANSSI BP-028 (minimal)' + diff --git a/rhel8/profiles/cjis.profile b/rhel8/profiles/cjis.profile -index 05ea9cdd6..9c55ac5b1 100644 +index 035d2705b..c6475f33e 100644 --- a/rhel8/profiles/cjis.profile +++ b/rhel8/profiles/cjis.profile @@ -1,4 +1,4 @@ -documentation_complete: true +documentation_complete: false - title: 'Criminal Justice Information Services (CJIS) Security Policy' + metadata: + version: 5.4 +diff --git a/rhel8/profiles/ism_o.profile b/rhel8/profiles/ism_o.profile +index a3c427c01..4605dea3b 100644 +--- a/rhel8/profiles/ism_o.profile ++++ b/rhel8/profiles/ism_o.profile +@@ -1,4 +1,4 @@ +-documentation_complete: true ++documentation_complete: false + metadata: + SMEs: diff --git a/rhel8/profiles/rhelh-stig.profile b/rhel8/profiles/rhelh-stig.profile index 1efca5f44..c3d0b0964 100644 --- a/rhel8/profiles/rhelh-stig.profile @@ -79,5 +138,5 @@ index a63ae2cf3..da669bb84 100644 title: 'Standard System Security Profile for Red Hat Enterprise Linux 8' -- -2.21.1 +2.26.2 diff --git a/SOURCES/scap-security-guide-0.1.51-add_ansible_ensure_logrotate_activated_PR_5753.patch b/SOURCES/scap-security-guide-0.1.51-add_ansible_ensure_logrotate_activated_PR_5753.patch deleted file mode 100644 index e859c54..0000000 --- a/SOURCES/scap-security-guide-0.1.51-add_ansible_ensure_logrotate_activated_PR_5753.patch +++ /dev/null 
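Review bot: The new hunk against rhel8/CMakeLists.txt deletes the four `ssg_build_html_anssirefs_table(${PRODUCT} "bp28_*")` calls outright, whereas the earlier version of the patch kept a commented-out call under `# Uncomment when anssi profiles are marked documentation_complete: true` as a pointer for whoever re-enables the profiles. Leaving a comment in place of the removed calls, e.g. `# ANSSI BP-028 reference tables are not built while the bp28_* profiles are documentation_complete: false`, would tie the removal to the profile flips made in the same patch instead of reading as a permanent drop. The profile hunks that follow (anssi_bp28_*.profile, cjis.profile, ism_o.profile) only flip the flag and need no separate note.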
@@ -1,71 +0,0 @@ -From 8605fc4fd40f5d2067d9b81f41d5f523d9a5ba98 Mon Sep 17 00:00:00 2001 -From: Watson Sato -Date: Tue, 12 May 2020 08:17:20 +0200 -Subject: [PATCH 1/2] Add Ansible for ensure_logrotate_activated - ---- - .../ansible/shared.yml | 33 +++++++++++++++++++ - 1 file changed, 33 insertions(+) - create mode 100644 linux_os/guide/system/logging/log_rotation/ensure_logrotate_activated/ansible/shared.yml - -diff --git a/linux_os/guide/system/logging/log_rotation/ensure_logrotate_activated/ansible/shared.yml b/linux_os/guide/system/logging/log_rotation/ensure_logrotate_activated/ansible/shared.yml -new file mode 100644 -index 0000000000..5d76b3c073 ---- /dev/null -+++ b/linux_os/guide/system/logging/log_rotation/ensure_logrotate_activated/ansible/shared.yml -@@ -0,0 +1,33 @@ -+# platform = multi_platform_all -+# reboot = false -+# strategy = configure -+# complexity = low -+# disruption = low -+ -+- name: Configure daily log rotation in /etc/logrotate.conf -+ lineinfile: -+ create: yes -+ dest: "/etc/logrotate.conf" -+ regexp: "^daily$" -+ line: "daily" -+ -+- name: Make sure daily log rotation setting is not overriden in /etc/logrotate.conf -+ lineinfile: -+ create: no -+ dest: "/etc/logrotate.conf" -+ regexp: "^(weekly|monthly|yearly)$" -+ state: absent -+ -+- name: Configure cron.daily if not already -+ block: -+ - name: Add shebang -+ lineinfile: -+ path: "/etc/cron.daily/logrotate" -+ line: "#!/bin/sh" -+ insertbefore: BOF -+ create: yes -+ - name: Add logrotate call -+ lineinfile: -+ path: "/etc/cron.daily/logrotate" -+ line: '/usr/sbin/logrotate /etc/logrotate.conf' -+ regexp: '^[\s]*/usr/sbin/logrotate[\s\S]*/etc/logrotate.conf$' - -From 085e5b2d18c9f50a6486a50f964ff71b74d5dade Mon Sep 17 00:00:00 2001 -From: Watson Sato -Date: Tue, 12 May 2020 14:48:15 +0200 -Subject: [PATCH 2/2] Add test for ensure_logrotate_activated - -Test scenario when monthly is there, but weekly is not. 
---- - .../tests/logrotate_conf_extra_monthly.fail.sh | 4 ++++ - 1 file changed, 4 insertions(+) - create mode 100644 linux_os/guide/system/logging/log_rotation/ensure_logrotate_activated/tests/logrotate_conf_extra_monthly.fail.sh - -diff --git a/linux_os/guide/system/logging/log_rotation/ensure_logrotate_activated/tests/logrotate_conf_extra_monthly.fail.sh b/linux_os/guide/system/logging/log_rotation/ensure_logrotate_activated/tests/logrotate_conf_extra_monthly.fail.sh -new file mode 100644 -index 0000000000..b10362989b ---- /dev/null -+++ b/linux_os/guide/system/logging/log_rotation/ensure_logrotate_activated/tests/logrotate_conf_extra_monthly.fail.sh -@@ -0,0 +1,4 @@ -+#!/bin/bash -+ -+sed -i "s/weekly/daily/g" /etc/logrotate.conf -+echo "monthly" >> /etc/logrotate.conf diff --git a/SOURCES/scap-security-guide-0.1.51-add_ansible_sshd_set_max_sessions_PR_5757.patch b/SOURCES/scap-security-guide-0.1.51-add_ansible_sshd_set_max_sessions_PR_5757.patch deleted file mode 100644 index a864ebf..0000000 --- a/SOURCES/scap-security-guide-0.1.51-add_ansible_sshd_set_max_sessions_PR_5757.patch +++ /dev/null 
@@ -1,115 +0,0 @@ -From be529f2ca1f3644db9ad436dbd35aa00a9a5cf14 Mon Sep 17 00:00:00 2001 -From: Watson Sato -Date: Wed, 13 May 2020 20:49:08 +0200 -Subject: [PATCH 1/2] Add simple tests for sshd_set_max_sessions - ---- - .../sshd_set_max_sessions/tests/correct_value.pass.sh | 11 +++++++++++ - .../sshd_set_max_sessions/tests/wrong_value.fail.sh | 11 +++++++++++ - 2 files changed, 22 insertions(+) - create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/tests/correct_value.pass.sh - create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/tests/wrong_value.fail.sh - -diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/tests/correct_value.pass.sh b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/tests/correct_value.pass.sh -new file mode 100644 -index 0000000000..a816eea390 ---- /dev/null -+++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/tests/correct_value.pass.sh -@@ -0,0 +1,11 @@ -+# profiles = xccdf_org.ssgproject.content_profile_cis -+# platform = Red Hat Enterprise Linux 8 -+ -+#!/bin/bash -+SSHD_CONFIG="/etc/ssh/sshd_config" -+ -+if grep -q "^MaxSessions" $SSHD_CONFIG; then -+ sed -i "s/^MaxSessions.*/MaxSessions 4/" $SSHD_CONFIG -+ else -+ echo "MaxSessions 4" >> $SSHD_CONFIG -+fi -diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/tests/wrong_value.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/tests/wrong_value.fail.sh -new file mode 100644 -index 0000000000..b36125f5bb ---- /dev/null -+++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/tests/wrong_value.fail.sh -@@ -0,0 +1,11 @@ -+# profiles = xccdf_org.ssgproject.content_profile_cis -+# platform = Red Hat Enterprise Linux 8 -+ -+#!/bin/bash -+SSHD_CONFIG="/etc/ssh/sshd_config" -+ -+if grep -q "^MaxSessions" $SSHD_CONFIG; then -+ sed -i "s/^MaxSessions.*/MaxSessions 10/" $SSHD_CONFIG -+ else -+ echo "MaxSessions 10" >> $SSHD_CONFIG -+fi - -From 
027299726c805b451b02694c737514750fd14b94 Mon Sep 17 00:00:00 2001 -From: Watson Sato -Date: Wed, 13 May 2020 20:53:50 +0200 -Subject: [PATCH 2/2] Add remediations for sshd_set_max_sessions - ---- - .../sshd_set_max_sessions/ansible/shared.yml | 8 ++++++++ - .../ssh_server/sshd_set_max_sessions/bash/shared.sh | 12 ++++++++++++ - .../tests/correct_value.pass.sh | 2 +- - .../sshd_set_max_sessions/tests/wrong_value.fail.sh | 2 +- - 4 files changed, 22 insertions(+), 2 deletions(-) - create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/ansible/shared.yml - create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/bash/shared.sh - -diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/ansible/shared.yml b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/ansible/shared.yml -new file mode 100644 -index 0000000000..a7e171dfe9 ---- /dev/null -+++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/ansible/shared.yml -@@ -0,0 +1,8 @@ -+# platform = multi_platform_all -+# reboot = false -+# strategy = configure -+# complexity = low -+# disruption = low -+- (xccdf-var var_sshd_max_sessions) -+ -+{{{ ansible_sshd_set(parameter="MaxSessions", value="{{ var_sshd_max_sessions}}") }}} -diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/bash/shared.sh b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/bash/shared.sh -new file mode 100644 -index 0000000000..fc0a1d8b42 ---- /dev/null -+++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/bash/shared.sh -@@ -0,0 +1,12 @@ -+# platform = multi_platform_all -+# reboot = false -+# strategy = configure -+# complexity = low -+# disruption = low -+ -+# Include source function library. -+. 
/usr/share/scap-security-guide/remediation_functions -+ -+populate var_sshd_max_sessions -+ -+{{{ bash_sshd_config_set(parameter="MaxSessions", value="$var_sshd_max_sessions") }}} -diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/tests/correct_value.pass.sh b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/tests/correct_value.pass.sh -index a816eea390..4cc6d65988 100644 ---- a/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/tests/correct_value.pass.sh -+++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/tests/correct_value.pass.sh -@@ -7,5 +7,5 @@ SSHD_CONFIG="/etc/ssh/sshd_config" - if grep -q "^MaxSessions" $SSHD_CONFIG; then - sed -i "s/^MaxSessions.*/MaxSessions 4/" $SSHD_CONFIG - else -- echo "MaxSessions 4" >> $SSHD_CONFIG -+ echo "MaxSessions 4" >> $SSHD_CONFIG - fi -diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/tests/wrong_value.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/tests/wrong_value.fail.sh -index b36125f5bb..bc0c47842a 100644 ---- a/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/tests/wrong_value.fail.sh -+++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/tests/wrong_value.fail.sh -@@ -7,5 +7,5 @@ SSHD_CONFIG="/etc/ssh/sshd_config" - if grep -q "^MaxSessions" $SSHD_CONFIG; then - sed -i "s/^MaxSessions.*/MaxSessions 10/" $SSHD_CONFIG - else -- echo "MaxSessions 10" >> $SSHD_CONFIG -+ echo "MaxSessions 10" >> $SSHD_CONFIG - fi diff --git a/SOURCES/scap-security-guide-0.1.51-add_ansible_system_shutdown_PR_5761.patch b/SOURCES/scap-security-guide-0.1.51-add_ansible_system_shutdown_PR_5761.patch deleted file mode 100644 index ff529ca..0000000 --- a/SOURCES/scap-security-guide-0.1.51-add_ansible_system_shutdown_PR_5761.patch +++ /dev/null 
@@ -1,147 +0,0 @@ -From 2f6ceca58e64ab6c362afef629ac6ac235b0abe9 Mon Sep 17 00:00:00 2001 -From: Watson Sato -Date: Fri, 15 May 2020 11:52:35 +0200 -Subject: [PATCH 1/4] audit_rules_system_shutdown: Don't remove unrelated line - -Very likey a copy-pasta error from bash remediation for -audit_rules_immutable ---- - .../audit_rules_system_shutdown/bash/shared.sh | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/bash/shared.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/bash/shared.sh -index 1c9748ce9b..b56513cdcd 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/bash/shared.sh -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/bash/shared.sh -@@ -8,7 +8,7 @@ - # files to check if '-f .*' setting is present in that '*.rules' file already. - # If found, delete such occurrence since auditctl(8) manual page instructs the - # '-f 2' rule should be placed as the last rule in the configuration --find /etc/audit /etc/audit/rules.d -maxdepth 1 -type f -name '*.rules' -exec sed -i '/-e[[:space:]]\+.*/d' {} ';' -+find /etc/audit /etc/audit/rules.d -maxdepth 1 -type f -name '*.rules' -exec sed -i '/-f[[:space:]]\+.*/d' {} ';' - - # Append '-f 2' requirement at the end of both: - # * /etc/audit/audit.rules file (for auditctl case) - -From 189aed2c79620940438fc025a3cb9919cd8ee80a Mon Sep 17 00:00:00 2001 -From: Watson Sato -Date: Fri, 15 May 2020 12:12:21 +0200 -Subject: [PATCH 2/4] Add Ansible for audit_rules_system_shutdown - -Along with very basic test scenarios ---- - .../ansible/shared.yml | 28 +++++++++++++++++++ - .../tests/augen_correct.pass.sh | 4 +++ - .../tests/augen_e_2_immutable.fail.sh | 3 ++ - 3 files changed, 35 insertions(+) - create mode 100644 
linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/ansible/shared.yml - create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/tests/augen_correct.pass.sh - create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/tests/augen_e_2_immutable.fail.sh - -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/ansible/shared.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/ansible/shared.yml -new file mode 100644 -index 0000000000..b9e8fa87fa ---- /dev/null -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/ansible/shared.yml -@@ -0,0 +1,28 @@ -+# platform = multi_platform_all -+# reboot = true -+# strategy = restrict -+# complexity = low -+# disruption = low -+ -+- name: Collect all files from /etc/audit/rules.d with .rules extension -+ find: -+ paths: "/etc/audit/rules.d/" -+ patterns: "*.rules" -+ register: find_rules_d -+ -+- name: Remove the -f option from all Audit config files -+ lineinfile: -+ path: "{{ item }}" -+ regexp: '^\s*(?:-f)\s+.*$' -+ state: absent -+ loop: "{{ find_rules_d.files | map(attribute='path') | list + ['/etc/audit/audit.rules'] }}" -+ -+- name: Add Audit -f option into /etc/audit/rules.d/immutable.rules and /etc/audit/audit.rules -+ lineinfile: -+ path: "{{ item }}" -+ create: True -+ line: "-f 2" -+ loop: -+ - "/etc/audit/audit.rules" -+ - "/etc/audit/rules.d/immutable.rules" -+ -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/tests/augen_correct.pass.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/tests/augen_correct.pass.sh -new file mode 100644 -index 0000000000..0587b937e0 ---- /dev/null -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/tests/augen_correct.pass.sh -@@ -0,0 +1,4 @@ 
-+#!/bin/bash -+ -+echo "-e 2" > /etc/audit/rules.d/immutable.rules -+echo "-f 2" >> /etc/audit/rules.d/immutable.rules -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/tests/augen_e_2_immutable.fail.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/tests/augen_e_2_immutable.fail.sh -new file mode 100644 -index 0000000000..fa5b7231df ---- /dev/null -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/tests/augen_e_2_immutable.fail.sh -@@ -0,0 +1,3 @@ -+#!/bin/bash -+ -+echo "-e 2" > /etc/audit/rules.d/immutable.rules - -From d693af1e00521d85b5745001aa13860bdac16632 Mon Sep 17 00:00:00 2001 -From: Watson Sato -Date: Fri, 15 May 2020 14:06:08 +0200 -Subject: [PATCH 3/4] Clarify audit_rules_immutable Ansible task name - ---- - .../audit_rules_immutable/ansible/shared.yml | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_immutable/ansible/shared.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_immutable/ansible/shared.yml -index 5ac7b3dabb..1cafb744cc 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_immutable/ansible/shared.yml -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_immutable/ansible/shared.yml -@@ -17,7 +17,7 @@ - state: absent - loop: "{{ find_rules_d.files | map(attribute='path') | list + ['/etc/audit/audit.rules'] }}" - --- name: Insert configuration into /etc/audit/rules.d/immutable.rules and /etc/audit/audit.rules -+- name: Add Audit -e option into /etc/audit/rules.d/immutable.rules and /etc/audit/audit.rules - lineinfile: - path: "{{ item }}" - create: True - -From 92d38c1968059e53e3ab20f46f5ce0885a989aee Mon Sep 17 00:00:00 2001 -From: Watson Sato -Date: Tue, 19 May 2020 11:02:56 +0200 -Subject: [PATCH 4/4] Remove misleading comments in system shutdown fix - ---- - 
.../audit_rules_system_shutdown/bash/shared.sh | 8 -------- - 1 file changed, 8 deletions(-) - -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/bash/shared.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/bash/shared.sh -index b56513cdcd..a349bb1ca1 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/bash/shared.sh -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/bash/shared.sh -@@ -4,16 +4,8 @@ - # - # /etc/audit/audit.rules, (for auditctl case) - # /etc/audit/rules.d/*.rules (for augenrules case) --# --# files to check if '-f .*' setting is present in that '*.rules' file already. --# If found, delete such occurrence since auditctl(8) manual page instructs the --# '-f 2' rule should be placed as the last rule in the configuration - find /etc/audit /etc/audit/rules.d -maxdepth 1 -type f -name '*.rules' -exec sed -i '/-f[[:space:]]\+.*/d' {} ';' - --# Append '-f 2' requirement at the end of both: --# * /etc/audit/audit.rules file (for auditctl case) --# * /etc/audit/rules.d/immutable.rules (for augenrules case) -- - for AUDIT_FILE in "/etc/audit/audit.rules" "/etc/audit/rules.d/immutable.rules" - do - echo '' >> $AUDIT_FILE diff --git a/SOURCES/scap-security-guide-0.1.51-add_cis_attributions_PR_5779.patch b/SOURCES/scap-security-guide-0.1.51-add_cis_attributions_PR_5779.patch deleted file mode 100644 index 2b5acdc..0000000 --- a/SOURCES/scap-security-guide-0.1.51-add_cis_attributions_PR_5779.patch +++ /dev/null 
@@ -1,49 +0,0 @@ -From 0cf31f2a9741533b98cc143ca35f589a712bd6a6 Mon Sep 17 00:00:00 2001 -From: Watson Sato -Date: Thu, 21 May 2020 18:16:43 +0200 -Subject: [PATCH] Attribute content to CIS - -And update the description a bit. ---- - rhel7/profiles/cis.profile | 8 +++++--- - rhel8/profiles/cis.profile | 8 +++++--- - 2 files changed, 10 insertions(+), 6 deletions(-) - -diff --git a/rhel7/profiles/cis.profile b/rhel7/profiles/cis.profile -index 0826a49547..829c388133 100644 ---- a/rhel7/profiles/cis.profile -+++ b/rhel7/profiles/cis.profile -@@ -3,9 +3,11 @@ documentation_complete: true - title: 'CIS Red Hat Enterprise Linux 7 Benchmark' - - description: |- -- This baseline aligns to the Center for Internet Security -- Red Hat Enterprise Linux 7 Benchmark, v2.2.0, released -- 12-27-2017. -+ This profile defines a baseline that aligns to the Center for Internet Security® -+ Red Hat Enterprise Linux 7 Benchmark™, v2.2.0, released 12-27-2017. -+ -+ This profile includes Center for Internet Security® -+ Red Hat Enterprise Linux 7 CIS Benchmarks™ content. - - selections: - # Necessary for dconf rules -diff --git a/rhel8/profiles/cis.profile b/rhel8/profiles/cis.profile -index f332ee5462..868b9f21a6 100644 ---- a/rhel8/profiles/cis.profile -+++ b/rhel8/profiles/cis.profile -@@ -3,9 +3,11 @@ documentation_complete: true - title: 'CIS Red Hat Enterprise Linux 8 Benchmark' - - description: |- -- This baseline aligns to the Center for Internet Security -- Red Hat Enterprise Linux 8 Benchmark, v1.0.0, released -- 09-30-2019. -+ This profile defines a baseline that aligns to the Center for Internet Security® -+ Red Hat Enterprise Linux 8 Benchmark™, v1.0.0, released 09-30-2019. -+ -+ This profile includes Center for Internet Security® -+ Red Hat Enterprise Linux 8 CIS Benchmarks™ content. - - selections: - # Necessary for dconf rules 
diff --git a/SOURCES/scap-security-guide-0.1.51-add_hipaa_kickstarts_PR_5783.patch b/SOURCES/scap-security-guide-0.1.51-add_hipaa_kickstarts_PR_5783.patch
deleted file mode 100644
index 3c4f3b1..0000000
--- a/SOURCES/scap-security-guide-0.1.51-add_hipaa_kickstarts_PR_5783.patch
+++ /dev/null
@@ -1,274 +0,0 @@ -From b23fc7fe3244128940f7b1f79ad4cde13d7b62eb Mon Sep 17 00:00:00 2001 -From: Vojtech Polasek -Date: Mon, 25 May 2020 12:17:48 +0200 -Subject: [PATCH] add hipaa kickstarts for rhel7 and rhel8 - ---- - rhel7/kickstart/ssg-rhel7-hipaa-ks.cfg | 125 +++++++++++++++++++++++++ - rhel8/kickstart/ssg-rhel8-hipaa-ks.cfg | 125 +++++++++++++++++++++++++ - 2 files changed, 250 insertions(+) - create mode 100644 rhel7/kickstart/ssg-rhel7-hipaa-ks.cfg - create mode 100644 rhel8/kickstart/ssg-rhel8-hipaa-ks.cfg - -diff --git a/rhel7/kickstart/ssg-rhel7-hipaa-ks.cfg b/rhel7/kickstart/ssg-rhel7-hipaa-ks.cfg -new file mode 100644 -index 0000000000..14c82c4231 ---- /dev/null -+++ b/rhel7/kickstart/ssg-rhel7-hipaa-ks.cfg -@@ -0,0 +1,125 @@ -+# SCAP Security Guide HIPAA profile kickstart for Red Hat Enterprise Linux 7 Server -+# Version: 0.0.1 -+# Date: 2020-05-25 -+# -+# Based on: -+# http://fedoraproject.org/wiki/Anaconda/Kickstart -+# https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Installation_Guide/sect-kickstart-syntax.html -+ -+# Install a fresh new system (optional) -+install -+ -+# Specify installation method to use for installation -+# To use a different one comment out the 'url' one below, update -+# the selected choice with proper options & un-comment it -+# -+# Install from an installation tree on a remote server via FTP or HTTP: -+# --url the URL to install from -+# -+# Example: -+# -+# url --url=http://192.168.122.1/image -+# -+# Modify concrete URL in the above example appropriately to reflect the actual -+# environment machine is to be installed in -+# -+# Other possible / supported installation methods: -+# * install from the first CD-ROM/DVD drive on the system: -+# -+# cdrom -+# -+# * install from a directory of ISO images on a local drive: -+# -+# harddrive --partition=hdb2 --dir=/tmp/install-tree -+# -+# * install from provided NFS server: -+# -+# nfs --server= --dir= [--opts=] -+# -+ -+# Set language to use during 
installation and the default language to use on the installed system (required) -+lang en_US.UTF-8 -+ -+# Set system keyboard type / layout (required) -+keyboard us -+ -+# Configure network information for target system and activate network devices in the installer environment (optional) -+# --onboot enable device at a boot time -+# --device device to be activated and / or configured with the network command -+# --bootproto method to obtain networking configuration for device (default dhcp) -+# --noipv6 disable IPv6 on this device -+# -+# NOTE: Usage of DHCP will fail CCE-27021-5 (DISA FSO RHEL-06-000292). To use static IP configuration, -+# "--bootproto=static" must be used. For example: -+# network --bootproto=static --ip=10.0.2.15 --netmask=255.255.255.0 --gateway=10.0.2.254 --nameserver 192.168.2.1,192.168.3.1 -+# -+network --onboot yes --device eth0 --bootproto dhcp --noipv6 -+ -+# Set the system's root password (required) -+# Plaintext password is: server -+# Refer to e.g. http://fedoraproject.org/wiki/Anaconda/Kickstart#rootpw to see how to create -+# encrypted password form for different plaintext password -+rootpw --iscrypted $6$rhel6usgcb$aS6oPGXcPKp3OtFArSrhRwu6sN8q2.yEGY7AIwDOQd23YCtiz9c5mXbid1BzX9bmXTEZi.hCzTEXFosVBI5ng0 -+ -+# The selected profile will restrict root login -+# Add a user that can login and escalate privileges -+# Plaintext password is: admin123 -+user --name=admin --groups=wheel --password=$6$Ga6ZnIlytrWpuCzO$q0LqT1USHpahzUafQM9jyHCY9BiE5/ahXLNWUMiVQnFGblu0WWGZ1e6icTaCGO4GNgZNtspp1Let/qpM7FMVB0 --iscrypted -+ -+# Configure firewall settings for the system (optional) -+# --enabled reject incoming connections that are not in response to outbound requests -+# --ssh allow sshd service through the firewall -+firewall --enabled --ssh -+ -+# Set up the authentication options for the system (required) -+# --enableshadow enable shadowed passwords by default -+# --passalgo hash / crypt algorithm for new passwords -+# See the manual page for 
authconfig for a complete list of possible options. -+authconfig --enableshadow --passalgo=sha512 -+ -+# State of SELinux on the installed system (optional) -+# Defaults to enforcing -+selinux --enforcing -+ -+# Set the system time zone (required) -+timezone --utc America/New_York -+ -+# Specify how the bootloader should be installed (required) -+# Plaintext password is: password -+# Refer to e.g. http://fedoraproject.org/wiki/Anaconda/Kickstart#rootpw to see how to create -+# encrypted password form for different plaintext password -+bootloader --location=mbr --append="crashkernel=auto rhgb quiet" --password=$6$rhel6usgcb$kOzIfC4zLbuo3ECp1er99NRYikN419wxYMmons8Vm/37Qtg0T8aB9dKxHwqapz8wWAFuVkuI/UJqQBU92bA5C0 -+ -+# Initialize (format) all disks (optional) -+zerombr -+ -+# The following partition layout scheme assumes disk of size 20GB or larger -+# Modify size of partitions appropriately to reflect actual machine's hardware -+# -+# Remove Linux partitions from the system prior to creating new ones (optional) -+# --linux erase all Linux partitions -+# --initlabel initialize the disk label to the default based on the underlying architecture -+clearpart --linux --initlabel -+ -+# Create primary system partitions (required for installs) -+autopart -+ -+# Harden installation with HIPAA profile -+# For more details and configuration options see command %addon org_fedora_oscap in -+# https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/installation_guide/sect-kickstart-syntax#sect-kickstart-commands -+%addon org_fedora_oscap -+ content-type = scap-security-guide -+ profile = xccdf_org.ssgproject.content_profile_hipaa -+%end -+ -+# Packages selection (%packages section is required) -+%packages -+ -+# Require @Base -+@Base -+ -+%end # End of %packages section -+ -+# Reboot after the installation is complete (optional) -+# --eject attempt to eject CD or DVD media before rebooting -+reboot --eject -diff --git a/rhel8/kickstart/ssg-rhel8-hipaa-ks.cfg 
b/rhel8/kickstart/ssg-rhel8-hipaa-ks.cfg -new file mode 100644 -index 0000000000..861db36f18 ---- /dev/null -+++ b/rhel8/kickstart/ssg-rhel8-hipaa-ks.cfg -@@ -0,0 +1,125 @@ -+# SCAP Security Guide HIPAA profile kickstart for Red Hat Enterprise Linux 8 Server -+# Version: 0.0.1 -+# Date: 2020-05-25 -+# -+# Based on: -+# http://fedoraproject.org/wiki/Anaconda/Kickstart -+# https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html-single/performing_an_advanced_rhel_installation/index#performing_an_automated_installation_using_kickstart -+ -+# Install a fresh new system (optional) -+install -+ -+# Specify installation method to use for installation -+# To use a different one comment out the 'url' one below, update -+# the selected choice with proper options & un-comment it -+# -+# Install from an installation tree on a remote server via FTP or HTTP: -+# --url the URL to install from -+# -+# Example: -+# -+# url --url=http://192.168.122.1/image -+# -+# Modify concrete URL in the above example appropriately to reflect the actual -+# environment machine is to be installed in -+# -+# Other possible / supported installation methods: -+# * install from the first CD-ROM/DVD drive on the system: -+# -+# cdrom -+# -+# * install from a directory of ISO images on a local drive: -+# -+# harddrive --partition=hdb2 --dir=/tmp/install-tree -+# -+# * install from provided NFS server: -+# -+# nfs --server= --dir= [--opts=] -+# -+ -+# Set language to use during installation and the default language to use on the installed system (required) -+lang en_US.UTF-8 -+ -+# Set system keyboard type / layout (required) -+keyboard us -+ -+# Configure network information for target system and activate network devices in the installer environment (optional) -+# --onboot enable device at a boot time -+# --device device to be activated and / or configured with the network command -+# --bootproto method to obtain networking configuration for device (default dhcp) -+# --noipv6 
disable IPv6 on this device -+# -+# NOTE: Usage of DHCP will fail CCE-27021-5 (DISA FSO RHEL-06-000292). To use static IP configuration, -+# "--bootproto=static" must be used. For example: -+# network --bootproto=static --ip=10.0.2.15 --netmask=255.255.255.0 --gateway=10.0.2.254 --nameserver 192.168.2.1,192.168.3.1 -+# -+network --onboot yes --device eth0 --bootproto dhcp --noipv6 -+ -+# Set the system's root password (required) -+# Plaintext password is: server -+# Refer to e.g. http://fedoraproject.org/wiki/Anaconda/Kickstart#rootpw to see how to create -+# encrypted password form for different plaintext password -+rootpw --iscrypted $6$rhel6usgcb$aS6oPGXcPKp3OtFArSrhRwu6sN8q2.yEGY7AIwDOQd23YCtiz9c5mXbid1BzX9bmXTEZi.hCzTEXFosVBI5ng0 -+ -+# The selected profile will restrict root login -+# Add a user that can login and escalate privileges -+# Plaintext password is: admin123 -+user --name=admin --groups=wheel --password=$6$Ga6ZnIlytrWpuCzO$q0LqT1USHpahzUafQM9jyHCY9BiE5/ahXLNWUMiVQnFGblu0WWGZ1e6icTaCGO4GNgZNtspp1Let/qpM7FMVB0 --iscrypted -+ -+# Configure firewall settings for the system (optional) -+# --enabled reject incoming connections that are not in response to outbound requests -+# --ssh allow sshd service through the firewall -+firewall --enabled --ssh -+ -+# Set up the authentication options for the system (required) -+# sssd profile sets sha512 to hash passwords -+# passwords are shadowed by default -+# See the manual page for authselect-profile for a complete list of possible options. -+authselect select sssd -+ -+# State of SELinux on the installed system (optional) -+# Defaults to enforcing -+selinux --enforcing -+ -+# Set the system time zone (required) -+timezone --utc America/New_York -+ -+# Specify how the bootloader should be installed (required) -+# Plaintext password is: password -+# Refer to e.g. 
http://fedoraproject.org/wiki/Anaconda/Kickstart#rootpw to see how to create -+# encrypted password form for different plaintext password -+bootloader --location=mbr --append="crashkernel=auto rhgb quiet" --password=$6$rhel6usgcb$kOzIfC4zLbuo3ECp1er99NRYikN419wxYMmons8Vm/37Qtg0T8aB9dKxHwqapz8wWAFuVkuI/UJqQBU92bA5C0 -+ -+# Initialize (format) all disks (optional) -+zerombr -+ -+# The following partition layout scheme assumes disk of size 20GB or larger -+# Modify size of partitions appropriately to reflect actual machine's hardware -+# -+# Remove Linux partitions from the system prior to creating new ones (optional) -+# --linux erase all Linux partitions -+# --initlabel initialize the disk label to the default based on the underlying architecture -+clearpart --linux --initlabel -+ -+# Create primary system partitions (required for installs) -+autopart -+ -+# Harden installation with HIPAA profile -+# For more details and configuration options see -+# https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html-single/performing_an_advanced_rhel_installation/index#addon-org_fedora_oscap_kickstart-commands-for-addons-supplied-with-the-rhel-installation-program -+%addon org_fedora_oscap -+ content-type = scap-security-guide -+ profile = xccdf_org.ssgproject.content_profile_hipaa -+%end -+ -+# Packages selection (%packages section is required) -+%packages -+ -+# Require @Base -+@Base -+ -+%end # End of %packages section -+ -+# Reboot after the installation is complete (optional) -+# --eject attempt to eject CD or DVD media before rebooting -+reboot --eject diff --git a/SOURCES/scap-security-guide-0.1.51-add_missing_cis_cces_PR_5781.patch b/SOURCES/scap-security-guide-0.1.51-add_missing_cis_cces_PR_5781.patch deleted file mode 100644 index e6dc9cb..0000000 --- a/SOURCES/scap-security-guide-0.1.51-add_missing_cis_cces_PR_5781.patch +++ /dev/null 
@@ -1,76 +0,0 @@
-From 1ee826c4b506fc4a349015e53a1c687c64423351 Mon Sep 17 00:00:00 2001
-From: Watson Sato
-Date: Fri, 22 May 2020 14:12:18 +0200
-Subject: [PATCH] Add missing CCEs for RHEL8
-
----
- .../password_storage/no_netrc_files/rule.yml | 1 +
- .../accounts_user_interactive_home_directory_exists/rule.yml | 1 +
- .../file_groupownership_home_directories/rule.yml | 1 +
- shared/references/cce-redhat-avail.txt | 3 ---
- 4 files changed, 3 insertions(+), 3 deletions(-)
-
-diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_netrc_files/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_netrc_files/rule.yml
-index 8547893201..1bd1f5742e 100644
---- a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_netrc_files/rule.yml
-+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_netrc_files/rule.yml
-@@ -18,6 +18,7 @@ severity: medium
- identifiers:
- cce@rhel6: 27225-2
- cce@rhel7: 80211-6
-+ cce@rhel8: 83444-0
- cce@ocp4: 82667-7
-
- references:
-diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_exists/rule.yml b/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_exists/rule.yml
-index bedf3a0b19..e69bc9d736 100644
---- a/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_exists/rule.yml
-+++ b/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_exists/rule.yml
-@@ -21,6 +21,7 @@ severity: medium
-
- identifiers:
- cce@rhel7: 80529-1
-+ cce@rhel8: 83424-2
-
- references:
- stigid@ol7: "020620"
-diff --git a/linux_os/guide/system/accounts/accounts-session/file_groupownership_home_directories/rule.yml b/linux_os/guide/system/accounts/accounts-session/file_groupownership_home_directories/rule.yml
-index 1c5ac8d099..f931f6d160 100644
----
a/linux_os/guide/system/accounts/accounts-session/file_groupownership_home_directories/rule.yml
-+++ b/linux_os/guide/system/accounts/accounts-session/file_groupownership_home_directories/rule.yml
-@@ -20,6 +20,7 @@ severity: medium
-
- identifiers:
- cce@rhel7: 80532-5
-+ cce@rhel8: 83434-1
-
- references:
- stigid@ol7: "020650"
-diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
-index 2f0d2a526b..45d03a2c1d 100644
---- a/shared/references/cce-redhat-avail.txt
-+++ b/shared/references/cce-redhat-avail.txt
-@@ -95,7 +95,6 @@ CCE-83411-9
- CCE-83421-8
- CCE-83422-6
- CCE-83423-4
--CCE-83424-2
- CCE-83425-9
- CCE-83426-7
- CCE-83427-5
-@@ -105,7 +104,6 @@ CCE-83430-9
- CCE-83431-7
- CCE-83432-5
- CCE-83433-3
--CCE-83434-1
- CCE-83435-8
- CCE-83436-6
- CCE-83437-4
-@@ -115,7 +113,6 @@ CCE-83440-8
- CCE-83441-6
- CCE-83442-4
- CCE-83443-2
--CCE-83444-0
- CCE-83445-7
- CCE-83446-5
- CCE-83447-3
diff --git a/SOURCES/scap-security-guide-0.1.51-cis_hipaa_ansible_fixes_PR_5777.patch b/SOURCES/scap-security-guide-0.1.51-cis_hipaa_ansible_fixes_PR_5777.patch
deleted file mode 100644
index b435b97..0000000
--- a/SOURCES/scap-security-guide-0.1.51-cis_hipaa_ansible_fixes_PR_5777.patch
+++ /dev/null
@@ -1,103 +0,0 @@
-From 31b216f0dbe9e7531f273fbbd618ff8905358497 Mon Sep 17 00:00:00 2001
-From: Vojtech Polasek
-Date: Thu, 21 May 2020 13:30:24 +0200
-Subject: [PATCH 1/3] simplify ansible remediation of no_direct_root_logins
-
----
- .../root_logins/no_direct_root_logins/ansible/shared.yml | 6 +-----
- 1 file changed, 1 insertion(+), 5 deletions(-)
-
-diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/ansible/shared.yml
-index e9a29a24d5..6fbb7c72a5 100644
---- a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/ansible/shared.yml
-+++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/ansible/shared.yml
-@@ -3,13 +3,9 @@
- # strategy = restrict
- # complexity = low
- # disruption = low
--- name: Test for existence of /etc/securetty
-- stat:
-- path: /etc/securetty
-- register: securetty_empty
-+
-
- - name: "Direct root Logins Not Allowed"
- copy:
- dest: /etc/securetty
- content: ""
-- when: securetty_empty.stat.size > 1
-
-From d12bcac36bac2a84ddf6162946b631c99fa86071 Mon Sep 17 00:00:00 2001
-From: Vojtech Polasek
-Date: Thu, 21 May 2020 14:21:38 +0200
-Subject: [PATCH 2/3] change name of libsemanage python bindings for rhel8
-
----
- shared/templates/template_ANSIBLE_sebool | 8 +++++++-
- 1 file changed, 7 insertions(+), 1 deletion(-)
-
-diff --git a/shared/templates/template_ANSIBLE_sebool b/shared/templates/template_ANSIBLE_sebool
-index 29f37081be..38d7c7c350 100644
---- a/shared/templates/template_ANSIBLE_sebool
-+++ b/shared/templates/template_ANSIBLE_sebool
-@@ -13,11 +13,17 @@
- {{% else %}}
-
- (xccdf-var var_{{{ SEBOOLID }}})
-
-+{{% if product == "rhel8" %}}
-+- name: Ensure python3-libsemanage installed
-+ package:
-+ name: python3-libsemanage
-+ state: present
-+{{% else %}}
- - name: Ensure libsemanage-python
installed
- package:
- name: libsemanage-python
- state: present
--
-+{{% endif %}}
- - name: Set SELinux boolean {{{ SEBOOLID }}} accordingly
- seboolean:
- name: {{{ SEBOOLID }}}
-
-From ccf902082fc4f5abd8fae702e4322c6089773012 Mon Sep 17 00:00:00 2001
-From: Vojtech Polasek
-Date: Thu, 21 May 2020 14:57:05 +0200
-Subject: [PATCH 3/3] add tests for no_direct_root_logins
-
----
- .../root_logins/no_direct_root_logins/tests/correct.pass.sh | 3 +++
- .../root_logins/no_direct_root_logins/tests/missing.fail.sh | 3 +++
- .../root_logins/no_direct_root_logins/tests/wrong.fail.sh | 3 +++
- 3 files changed, 9 insertions(+)
- create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/tests/correct.pass.sh
- create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/tests/missing.fail.sh
- create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/tests/wrong.fail.sh
-
-diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/tests/correct.pass.sh b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/tests/correct.pass.sh
-new file mode 100644
-index 0000000000..17251f6a98
---- /dev/null
-+++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/tests/correct.pass.sh
-@@ -0,0 +1,3 @@
-+#!/bin/bash
-+
-+echo > /etc/securetty
-diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/tests/missing.fail.sh b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/tests/missing.fail.sh
-new file mode 100644
-index 0000000000..c764814b26
---- /dev/null
-+++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/tests/missing.fail.sh
-@@ -0,0 +1,3 @@
-+#!/bin/bash
-+
-+rm -f /etc/securetty
-diff --git
a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/tests/wrong.fail.sh b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/tests/wrong.fail.sh
-new file mode 100644
-index 0000000000..43ac341e87
---- /dev/null
-+++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/tests/wrong.fail.sh
-@@ -0,0 +1,3 @@
-+#!/bin/bash
-+
-+echo "something" > /etc/securetty
diff --git a/SOURCES/scap-security-guide-0.1.51-create_macro_selinux_remediation_PR_5785.patch b/SOURCES/scap-security-guide-0.1.51-create_macro_selinux_remediation_PR_5785.patch
deleted file mode 100644
index 5c6664f..0000000
--- a/SOURCES/scap-security-guide-0.1.51-create_macro_selinux_remediation_PR_5785.patch
+++ /dev/null
@@ -1,308 +0,0 @@
-From a5281d8361dd26217e6ee1c97d5beaae02af34bc Mon Sep 17 00:00:00 2001
-From: Gabriel Becker
-Date: Tue, 26 May 2020 17:49:21 +0200
-Subject: [PATCH 1/2] Create macro for selinux ansible/bash remediation.
-
-Affected rules:
- - selinux_policytype
- - selinux_state
----
- .../selinux/selinux_policytype/ansible/shared.yml | 9 ++-------
- .../selinux/selinux_policytype/bash/shared.sh | 5 +++--
- .../tests/selinuxtype_minimum.fail.sh | 10 ++++++++++
- .../selinux/selinux_state/ansible/shared.yml | 9 ++-------
- .../system/selinux/selinux_state/bash/shared.sh | 5 +++--
- .../selinux_state/tests/selinux_missing.fail.sh | 5 +++++
- .../tests/selinux_permissive.fail.sh | 10 ++++++++++
- shared/macros-ansible.jinja | 11 +++++++++++
- shared/macros-bash.jinja | 15 +++++++++++++++
- 9 files changed, 61 insertions(+), 18 deletions(-)
- create mode 100644 linux_os/guide/system/selinux/selinux_policytype/tests/selinuxtype_minimum.fail.sh
- create mode 100644 linux_os/guide/system/selinux/selinux_state/tests/selinux_missing.fail.sh
- create mode 100644 linux_os/guide/system/selinux/selinux_state/tests/selinux_permissive.fail.sh
-
-diff --git a/linux_os/guide/system/selinux/selinux_policytype/ansible/shared.yml b/linux_os/guide/system/selinux/selinux_policytype/ansible/shared.yml
-index 5c70cc9f7f..9f8cf66dfb 100644
---- a/linux_os/guide/system/selinux/selinux_policytype/ansible/shared.yml
-+++ b/linux_os/guide/system/selinux/selinux_policytype/ansible/shared.yml
-@@ -3,11 +3,6 @@
- # strategy = restrict
- # complexity = low
- # disruption = low
-
- (xccdf-var var_selinux_policy_name)
-
--- name: "{{{ rule_title }}}"
-- lineinfile:
-- path: /etc/sysconfig/selinux
-- regexp: '^SELINUXTYPE='
-- line: "SELINUXTYPE={{ var_selinux_policy_name }}"
-- create: yes
-+{{{ ansible_selinux_config_set(parameter="SELINUXTYPE", value="{{ var_selinux_policy_name }}") }}}
-diff --git a/linux_os/guide/system/selinux/selinux_policytype/bash/shared.sh
b/linux_os/guide/system/selinux/selinux_policytype/bash/shared.sh
-index d0fbbf4446..2b5ce31b12 100644
---- a/linux_os/guide/system/selinux/selinux_policytype/bash/shared.sh
-+++ b/linux_os/guide/system/selinux/selinux_policytype/bash/shared.sh
-@@ -1,7 +1,8 @@
- # platform = multi_platform_wrlinux,multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv
--#
-+
- # Include source function library.
- . /usr/share/scap-security-guide/remediation_functions
-+
- populate var_selinux_policy_name
-
--replace_or_append '/etc/sysconfig/selinux' '^SELINUXTYPE=' $var_selinux_policy_name '@CCENUM@' '%s=%s'
-+{{{ bash_selinux_config_set(parameter="SELINUXTYPE", value="$var_selinux_policy_name") }}}
-diff --git a/linux_os/guide/system/selinux/selinux_policytype/tests/selinuxtype_minimum.fail.sh b/linux_os/guide/system/selinux/selinux_policytype/tests/selinuxtype_minimum.fail.sh
-new file mode 100644
-index 0000000000..1a6eb94953
---- /dev/null
-+++ b/linux_os/guide/system/selinux/selinux_policytype/tests/selinuxtype_minimum.fail.sh
-@@ -0,0 +1,10 @@
-+#!/bin/bash
-+# profiles = xccdf_org.ssgproject.content_profile_C2S, xccdf_org.ssgproject.content_profile_ospp
-+
-+SELINUX_FILE='/etc/selinux/config'
-+
-+if grep -s '^[[:space:]]*SELINUXTYPE' $SELINUX_FILE; then
-+ sed -i 's/^\([[:space:]]*SELINUXTYPE[[:space:]]*=[[:space:]]*\).*/\minimum/' $SELINUX_FILE
-+else
-+ echo 'SELINUXTYPE=minimum' >> $SELINUX_FILE
-+fi
-diff --git a/linux_os/guide/system/selinux/selinux_state/ansible/shared.yml b/linux_os/guide/system/selinux/selinux_state/ansible/shared.yml
-index b465ac6729..1c1560a86c 100644
---- a/linux_os/guide/system/selinux/selinux_state/ansible/shared.yml
-+++ b/linux_os/guide/system/selinux/selinux_state/ansible/shared.yml
-@@ -3,11 +3,6 @@
- # strategy = restrict
- # complexity = low
- # disruption = low
-
- (xccdf-var var_selinux_state)
-
--- name: "{{{ rule_title }}}"
-- lineinfile:
-- path: /etc/sysconfig/selinux
-- regexp: '^SELINUX='
-- line:
"SELINUX={{ var_selinux_state }}" -- create: yes -+{{{ ansible_selinux_config_set(parameter="SELINUX", value="{{ var_selinux_state }}") }}} -diff --git a/linux_os/guide/system/selinux/selinux_state/bash/shared.sh b/linux_os/guide/system/selinux/selinux_state/bash/shared.sh -index 58193b5504..a402a861d7 100644 ---- a/linux_os/guide/system/selinux/selinux_state/bash/shared.sh -+++ b/linux_os/guide/system/selinux/selinux_state/bash/shared.sh -@@ -1,10 +1,11 @@ - # platform = multi_platform_wrlinux,multi_platform_rhel,multi_platform_fedora,multi_platorm_ol,multi_platform_rhv --# -+ - # Include source function library. - . /usr/share/scap-security-guide/remediation_functions -+ - populate var_selinux_state - --replace_or_append '/etc/sysconfig/selinux' '^SELINUX=' $var_selinux_state '@CCENUM@' '%s=%s' -+{{{ bash_selinux_config_set(parameter="SELINUX", value="$var_selinux_state") }}} - - fixfiles onboot - fixfiles -f relabel -diff --git a/linux_os/guide/system/selinux/selinux_state/tests/selinux_missing.fail.sh b/linux_os/guide/system/selinux/selinux_state/tests/selinux_missing.fail.sh -new file mode 100644 -index 0000000000..180dd80791 ---- /dev/null -+++ b/linux_os/guide/system/selinux/selinux_state/tests/selinux_missing.fail.sh -@@ -0,0 +1,5 @@ -+#!/bin/bash -+# profiles = xccdf_org.ssgproject.content_profile_C2S, xccdf_org.ssgproject.content_profile_ospp -+ -+SELINUX_FILE='/etc/selinux/config' -+sed -i '/^[[:space:]]*SELINUX/d' $SELINUX_FILE -diff --git a/linux_os/guide/system/selinux/selinux_state/tests/selinux_permissive.fail.sh b/linux_os/guide/system/selinux/selinux_state/tests/selinux_permissive.fail.sh -new file mode 100644 -index 0000000000..3db1e56b5f ---- /dev/null -+++ b/linux_os/guide/system/selinux/selinux_state/tests/selinux_permissive.fail.sh -@@ -0,0 +1,10 @@ -+#!/bin/bash -+# profiles = xccdf_org.ssgproject.content_profile_C2S, xccdf_org.ssgproject.content_profile_ospp -+ -+SELINUX_FILE='/etc/selinux/config' -+ -+if grep -s '^[[:space:]]*SELINUX' 
$SELINUX_FILE; then
-+ sed -i 's/^\([[:space:]]*SELINUX[[:space:]]*=[[:space:]]*\).*/\permissive/' $SELINUX_FILE
-+else
-+ echo 'SELINUX=permissive' >> $SELINUX_FILE
-+fi
-diff --git a/shared/macros-ansible.jinja b/shared/macros-ansible.jinja
-index 6798a25d1f..01d3155b37 100644
---- a/shared/macros-ansible.jinja
-+++ b/shared/macros-ansible.jinja
-@@ -217,6 +217,17 @@ value: "Setting={{ varname1 }}"
- {{{ ansible_set_config_file(msg, "/etc/systemd/coredump.conf", parameter=parameter, value=value, create="no", separator="=", separator_regex="\s*=\s*") }}}
- {{%- endmacro %}}
-
-+{{#
-+ High level macro to set a parameter in /etc/selinux/config.
-+ Parameters:
-+ - msg: the name for the Ansible task
-+ - parameter: parameter to be set in the configuration file
-+ - value: value of the parameter
-+#}}
-+{{%- macro ansible_selinux_config_set(msg='', parameter='', value='') %}}
-+{{{ ansible_set_config_file(msg, "/etc/selinux/config", parameter=parameter, value=value, create="no", separator="=", separator_regex="\s*=\s*") }}}
-+{{%- endmacro %}}
-+
- {{#
- Generates an Ansible task that puts 'contents' into a file at 'filepath'
- Parameters:
-diff --git a/shared/macros-bash.jinja b/shared/macros-bash.jinja
-index 3a94fe5dd8..2531d1c52d 100644
---- a/shared/macros-bash.jinja
-+++ b/shared/macros-bash.jinja
-@@ -86,6 +86,21 @@ populate {{{ name }}}
- }}}
- {{%- endmacro -%}}
-
-+{{%- macro bash_selinux_config_set(parameter, value) -%}}
-+{{{ set_config_file(
-+ path="/etc/selinux/config",
-+ parameter=parameter,
-+ value=value,
-+ create=true,
-+ insert_after="",
-+ insert_before="",
-+ insensitive=true,
-+ separator="=",
-+ separator_regex="\s*=\s*",
-+ prefix_regex="^\s*")
-+ }}}
-+{{%- endmacro -%}}
-+
- {{#
- # Install a package
- # Uses the right command based on pkg_manger proprerty defined in product.yaml.
-
-From 24c3c92007e6d3f8a684282b1351703523441389 Mon Sep 17 00:00:00 2001
-From: Gabriel Becker
-Date: Wed, 27 May 2020 18:48:57 +0200
-Subject: [PATCH 2/2] Remediation requires reboot.
-
-Update OVAL check to disallow spaces.
-Removed selinuxtype_minimum test scenario since breaks the system.
----
- .../selinux/selinux_policytype/ansible/shared.yml | 2 +-
- .../system/selinux/selinux_policytype/bash/shared.sh | 4 ++++
- .../system/selinux/selinux_policytype/oval/shared.xml | 2 +-
- .../tests/selinuxtype_minimum.fail.sh | 10 ----------
- .../guide/system/selinux/selinux_state/bash/shared.sh | 4 ++++
- .../guide/system/selinux/selinux_state/oval/shared.xml | 2 +-
- shared/macros-ansible.jinja | 2 +-
- shared/macros-bash.jinja | 4 ++--
- 8 files changed, 14 insertions(+), 16 deletions(-)
- delete mode 100644 linux_os/guide/system/selinux/selinux_policytype/tests/selinuxtype_minimum.fail.sh
-
-diff --git a/linux_os/guide/system/selinux/selinux_policytype/ansible/shared.yml b/linux_os/guide/system/selinux/selinux_policytype/ansible/shared.yml
-index 9f8cf66dfb..73e6ec7cd4 100644
---- a/linux_os/guide/system/selinux/selinux_policytype/ansible/shared.yml
-+++ b/linux_os/guide/system/selinux/selinux_policytype/ansible/shared.yml
-@@ -1,5 +1,5 @@
- # platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv
--# reboot = false
-+# reboot = true
- # strategy = restrict
- # complexity = low
- # disruption = low
-diff --git a/linux_os/guide/system/selinux/selinux_policytype/bash/shared.sh b/linux_os/guide/system/selinux/selinux_policytype/bash/shared.sh
-index 2b5ce31b12..b4f79c97f9 100644
---- a/linux_os/guide/system/selinux/selinux_policytype/bash/shared.sh
-+++ b/linux_os/guide/system/selinux/selinux_policytype/bash/shared.sh
-@@ -1,4 +1,8 @@
- # platform = multi_platform_wrlinux,multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv
-+# reboot = true
-+# strategy = restrict
-+# complexity = low
-+# disruption = low
-
- # Include source function library.
- . /usr/share/scap-security-guide/remediation_functions
-diff --git a/linux_os/guide/system/selinux/selinux_policytype/oval/shared.xml b/linux_os/guide/system/selinux/selinux_policytype/oval/shared.xml
-index f1840a1290..3d69fff07f 100644
---- a/linux_os/guide/system/selinux/selinux_policytype/oval/shared.xml
-+++ b/linux_os/guide/system/selinux/selinux_policytype/oval/shared.xml
-@@ -27,7 +27,7 @@
-
-
- /etc/selinux/config
-- ^[\s]*SELINUXTYPE[\s]*=[\s]*([^\s]*)
-+ ^SELINUXTYPE=(.*)$
- 1
-
-
-diff --git a/linux_os/guide/system/selinux/selinux_policytype/tests/selinuxtype_minimum.fail.sh b/linux_os/guide/system/selinux/selinux_policytype/tests/selinuxtype_minimum.fail.sh
-deleted file mode 100644
-index 1a6eb94953..0000000000
---- a/linux_os/guide/system/selinux/selinux_policytype/tests/selinuxtype_minimum.fail.sh
-+++ /dev/null
-@@ -1,10 +0,0 @@
--#!/bin/bash
--# profiles = xccdf_org.ssgproject.content_profile_C2S, xccdf_org.ssgproject.content_profile_ospp
--
--SELINUX_FILE='/etc/selinux/config'
--
--if grep -s '^[[:space:]]*SELINUXTYPE' $SELINUX_FILE; then
-- sed -i 's/^\([[:space:]]*SELINUXTYPE[[:space:]]*=[[:space:]]*\).*/\minimum/' $SELINUX_FILE
--else
-- echo 'SELINUXTYPE=minimum' >> $SELINUX_FILE
--fi
-diff --git a/linux_os/guide/system/selinux/selinux_state/bash/shared.sh b/linux_os/guide/system/selinux/selinux_state/bash/shared.sh
-index a402a861d7..645a7acab4 100644
---- a/linux_os/guide/system/selinux/selinux_state/bash/shared.sh
-+++ b/linux_os/guide/system/selinux/selinux_state/bash/shared.sh
-@@ -1,4 +1,8 @@
- # platform = multi_platform_wrlinux,multi_platform_rhel,multi_platform_fedora,multi_platorm_ol,multi_platform_rhv
-+# reboot = true
-+# strategy = restrict
-+# complexity = low
-+# disruption = low
-
- # Include source function library.
- .
/usr/share/scap-security-guide/remediation_functions
-diff --git a/linux_os/guide/system/selinux/selinux_state/oval/shared.xml b/linux_os/guide/system/selinux/selinux_state/oval/shared.xml
-index c0881696e1..8c328060af 100644
---- a/linux_os/guide/system/selinux/selinux_state/oval/shared.xml
-+++ b/linux_os/guide/system/selinux/selinux_state/oval/shared.xml
-@@ -18,7 +18,7 @@
-
-
- /etc/selinux/config
-- ^[\s]*SELINUX[\s]*=[\s]*(.*)[\s]*$
-+ ^SELINUX=(.*)$
- 1
-
-
-diff --git a/shared/macros-ansible.jinja b/shared/macros-ansible.jinja
-index 01d3155b37..580a0b948e 100644
---- a/shared/macros-ansible.jinja
-+++ b/shared/macros-ansible.jinja
-@@ -225,7 +225,7 @@ value: "Setting={{ varname1 }}"
- - value: value of the parameter
- #}}
- {{%- macro ansible_selinux_config_set(msg='', parameter='', value='') %}}
--{{{ ansible_set_config_file(msg, "/etc/selinux/config", parameter=parameter, value=value, create="no", separator="=", separator_regex="\s*=\s*") }}}
-+{{{ ansible_set_config_file(msg, "/etc/selinux/config", parameter=parameter, value=value, create="yes", separator="=", separator_regex="=", prefix_regex='^') }}}
- {{%- endmacro %}}
-
- {{#
-diff --git a/shared/macros-bash.jinja b/shared/macros-bash.jinja
-index 2531d1c52d..8abcc914d3 100644
---- a/shared/macros-bash.jinja
-+++ b/shared/macros-bash.jinja
-@@ -96,8 +96,8 @@ populate {{{ name }}}
- insert_before="",
- insensitive=true,
- separator="=",
-- separator_regex="\s*=\s*",
-- prefix_regex="^\s*")
-+ separator_regex="=",
-+ prefix_regex="^")
- }}}
- {{%- endmacro -%}}
-
diff --git a/SOURCES/scap-security-guide-0.1.51-fix_ansible_template_mount_options_PR_5765.patch b/SOURCES/scap-security-guide-0.1.51-fix_ansible_template_mount_options_PR_5765.patch
deleted file mode 100644
index 1e028b7..0000000
--- a/SOURCES/scap-security-guide-0.1.51-fix_ansible_template_mount_options_PR_5765.patch
+++ /dev/null
@@ -1,40 +0,0 @@
-From 254cb60e722539032c6ea73616d6ab51eb1d4edf Mon Sep 17 00:00:00 2001
-From: Watson Sato
-Date: Fri, 15 May 2020 23:36:18 +0200
-Subject: [PATCH] Ansible mount_option: split mount and option task
-
-Separate task that adds mount options mounts the mountpoint into two tasks.
-Conditioning the "mount" task on the absence of the target mount option
-caused the task to always be skipped when mount option was alredy present,
-and could result in the mount point not being mounted.
----
- shared/templates/template_ANSIBLE_mount_option | 11 ++++++++---
- 1 file changed, 8 insertions(+), 3 deletions(-)
-
-diff --git a/shared/templates/template_ANSIBLE_mount_option b/shared/templates/template_ANSIBLE_mount_option
-index 95bede25f9..a0cf8d6b7a 100644
---- a/shared/templates/template_ANSIBLE_mount_option
-+++ b/shared/templates/template_ANSIBLE_mount_option
-@@ -26,14 +26,19 @@
- - device_name.stdout is defined and device_name.stdout_lines is defined
- - (device_name.stdout | length > 0)
-
--- name: Ensure permission {{{ MOUNTOPTION }}} are set on {{{ MOUNTPOINT }}}
-+- name: Make sure {{{ MOUNTOPTION }}} option is part of the to {{{ MOUNTPOINT }}} options
-+ set_fact:
-+ mount_info: "{{ mount_info | combine( {'options':''~mount_info.options~',{{{ MOUNTOPTION }}}' }) }}"
-+ when:
-+ - mount_info is defined and "{{{ MOUNTOPTION }}}" not in mount_info.options
-+
-+- name: Ensure {{{ MOUNTPOINT }}} is mounted with {{{ MOUNTOPTION }}} option
- mount:
- path: "{{{ MOUNTPOINT }}}"
- src: "{{ mount_info.source }}"
-- opts: "{{ mount_info.options }},{{{ MOUNTOPTION }}}"
-+ opts: "{{ mount_info.options }}"
- state: "mounted"
- fstype: "{{ mount_info.fstype }}"
- when:
-- - mount_info is defined and "{{{ MOUNTOPTION }}}" not in mount_info.options
- - device_name.stdout is defined
- - (device_name.stdout | length > 0)
diff --git a/SOURCES/scap-security-guide-0.1.51-fix_rpm_verify_permissions_conflict_PR_5770.patch b/SOURCES/scap-security-guide-0.1.51-fix_rpm_verify_permissions_conflict_PR_5770.patch
deleted file mode 100644
index 47b9cdb..0000000
--- a/SOURCES/scap-security-guide-0.1.51-fix_rpm_verify_permissions_conflict_PR_5770.patch
+++ /dev/null
@@ -1,33 +0,0 @@
-From bb039a92b4286c9090c0f40c82aefb967be2f5ba Mon Sep 17 00:00:00 2001
-From: Vojtech Polasek
-Date: Thu, 14 May 2020 16:46:07 +0200
-Subject: [PATCH] reorder groups because of permissions verification
-
----
- ssg/build_yaml.py | 6 ++++++
- 1 file changed, 6 insertions(+)
-
-diff --git a/ssg/build_ya​ml.py b/ssg/build_yaml.py
-index e3e138283c..c9f3179c08 100644
---- a/ssg/build_yaml.py
-+++ b/ssg/build_yaml.py
-@@ -700,6 +700,11 @@ def to_xml_element(self):
- # audit_rules_privileged_commands, othervise the rule
- # does not catch newly installed screeen binary during remediation
- # and report fail
-+ # the software group should come before the
-+ # bootloader-grub2 group because of conflict between
-+ # rules rpm_verify_permissions and file_permissions_grub2_cfg
-+ # specific rules concerning permissions should
-+ # be applied after the general rpm_verify_permissions
- # The FIPS group should come before Crypto - if we want to set a different (stricter) Crypto Policy than FIPS.
- # the firewalld_activation must come before ruleset_modifications, othervise
- # remediations for ruleset_modifications won't work
-@@ -707,6 +712,7 @@ def to_xml_element(self):
- # otherwise the remediation prints error although it is successful
- priority_order = [
- "accounts", "auditing",
-+ "software", "bootloader-grub2",
- "fips", "crypto",
- "firewalld_activation", "ruleset_modifications",
- "disabling_ipv6", "configuring_ipv6"
diff --git a/SOURCES/scap-security-guide-0.1.51-fix_rsyslog_rules_PR_5763.patch b/SOURCES/scap-security-guide-0.1.51-fix_rsyslog_rules_PR_5763.patch
deleted file mode 100644
index 34531f1..0000000
--- a/SOURCES/scap-security-guide-0.1.51-fix_rsyslog_rules_PR_5763.patch
+++ /dev/null
@@ -1,171 +0,0 @@
-From 179cf6b43b8f10b4907267d976cb503066710e6f Mon Sep 17 00:00:00 2001
-From: Watson Sato
-Date: Thu, 14 May 2020 01:20:53 +0200
-Subject: [PATCH 1/4] Do not take paths from include or IncludeConfig
-
-All paths in /etc/rsyslog.conf were taken as log files, but paths
-in lines containing "include" or "$IncludeConfig" are config files.
-
-Let's not take them in as log files
----
- .../rsyslog_files_permissions/oval/shared.xml | 10 ++++++++++
- 1 file changed, 10 insertions(+)
-
-diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/oval/shared.xml b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/oval/shared.xml
-index a78cd69df2..c74f3da3f5 100644
---- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/oval/shared.xml
-+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/oval/shared.xml
-@@ -87,8 +87,18 @@
- -->
- ^[^\s#\$]+[\s]+.*[\s]+-?(/+[^:;\s]+);*.*$
- 1
-+ state_ignore_include_paths
-
-
-+
-+
-+ (?:file="[^\s;]+"|\$IncludeConfig[\s]+[^\s;]+)
-+
-+
-
-
-From 4a408d29313d8ea5aed4fa65cacad86f8078159c Mon Sep 17 00:00:00 2001
-From: Watson Sato
-Date: Thu, 14 May 2020 00:16:37 +0200
-Subject: [PATCH 2/4] Fix permissions of files referenced by include()
-
-The remediation script also needs to parse the files included via
-"include()".
-The awk also takes into consideration the multiline aspect.
----
- .../rsyslog_files_permissions/bash/shared.sh | 4 +++-
- 1 file changed, 3 insertions(+), 1 deletion(-)
-
-diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh
-index 6cbf0c6a24..dca35301e7 100644
---- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh
-+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh
-@@ -6,12 +6,14 @@ RSYSLOG_ETC_CONFIG="/etc/rsyslog.conf"
- # * And also the log file paths listed after rsyslog's $IncludeConfig directive
- # (store the result into array for the case there's shell glob used as value of IncludeConfig)
- readarray -t RSYSLOG_INCLUDE_CONFIG < <(grep -e "\$IncludeConfig[[:space:]]\+[^[:space:];]\+" /etc/rsyslog.conf | cut -d ' ' -f 2)
-+readarray -t RSYSLOG_INCLUDE < <(awk '/)/{f=0} /include\(/{f=1} f{nf=gensub(".*file=\"(\\S+)\".*","\\1",1); if($0!=nf){print nf}}' /etc/rsyslog.conf)
-+
- # Declare an array to hold the final list of different log file paths
- declare -a LOG_FILE_PATHS
-
- # Browse each file selected above as containing paths of log files
- # ('/etc/rsyslog.conf' and '/etc/rsyslog.d/*.conf' in the default configuration)
--for LOG_FILE in "${RSYSLOG_ETC_CONFIG}" "${RSYSLOG_INCLUDE_CONFIG[@]}"
-+for LOG_FILE in "${RSYSLOG_ETC_CONFIG}" "${RSYSLOG_INCLUDE_CONFIG[@]}" "${RSYSLOG_INCLUDE[@]}"
- do
- # From each of these files extract just particular log file path(s), thus:
- # * Ignore lines starting with space (' '), comment ('#"), or variable syntax ('$') characters,
-
-From 812e9b487e3c11a18e5e3a965ac23ec1a0d64e91 Mon Sep 17 00:00:00 2001
-From: Watson Sato
-Date: Fri, 15 May 2020 15:53:58 +0200
-Subject: [PATCH 3/4] Make regex for include file more strict
-
-For some reason gensub in awk doesn't support non
capturing group.
-So the group with OR is capturing and we substitute everyting with the
-second group, witch matches the file path.
----
- .../rsyslog_files_permissions/bash/shared.sh | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh
-index dca35301e7..99d2d0e794 100644
---- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh
-+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh
-@@ -6,7 +6,7 @@ RSYSLOG_ETC_CONFIG="/etc/rsyslog.conf"
- # * And also the log file paths listed after rsyslog's $IncludeConfig directive
- # (store the result into array for the case there's shell glob used as value of IncludeConfig)
- readarray -t RSYSLOG_INCLUDE_CONFIG < <(grep -e "\$IncludeConfig[[:space:]]\+[^[:space:];]\+" /etc/rsyslog.conf | cut -d ' ' -f 2)
--readarray -t RSYSLOG_INCLUDE < <(awk '/)/{f=0} /include\(/{f=1} f{nf=gensub(".*file=\"(\\S+)\".*","\\1",1); if($0!=nf){print nf}}' /etc/rsyslog.conf)
-+readarray -t RSYSLOG_INCLUDE < <(awk '/)/{f=0} /include\(/{f=1} f{nf=gensub("^(include\\(|\\s*)file=\"(\\S+)\".*","\\2",1); if($0!=nf){print nf}}' /etc/rsyslog.conf)
-
- # Declare an array to hold the final list of different log file paths
- declare -a LOG_FILE_PATHS
-
-From c49f8aaf717313a41bbdfca188dd491a13d1133e Mon Sep 17 00:00:00 2001
-From: Watson Sato
-Date: Fri, 15 May 2020 16:55:02 +0200
-Subject: [PATCH 4/4] Extend OVAL fix to groupownership and ownership
-
-These three files basically work the same way
----
- .../rsyslog_files_groupownership/oval/shared.xml | 10 ++++++++++
- .../rsyslog_files_ownership/oval/shared.xml | 10 ++++++++++
- .../rsyslog_files_permissions/oval/shared.xml | 4 ++--
- 3 files changed, 22
insertions(+), 2 deletions(-)
-
-diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_groupownership/oval/shared.xml b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_groupownership/oval/shared.xml
-index 5828f25321..9941e2b94f 100644
---- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_groupownership/oval/shared.xml
-+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_groupownership/oval/shared.xml
-@@ -86,8 +86,18 @@
- -->
- ^[^(\s|#|\$)]+[\s]+.*[\s]+-?(/+[^:;\s]+);*.*$
- 1
-+ state_groupownership_ignore_include_paths
-
-
-+
-+
-+ (?:file="[^\s;]+"|\$IncludeConfig[\s]+[^\s;]+)
-+
-+
-
-diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_ownership/oval/shared.xml b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_ownership/oval/shared.xml
-index 3c46eab6d6..29dd1a989e 100644
---- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_ownership/oval/shared.xml
-+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_ownership/oval/shared.xml
-@@ -83,8 +83,18 @@
- -->
- ^[^(\s|#|\$)]+[\s]+.*[\s]+-?(/+[^:;\s]+);*.*$
- 1
-+ state_owner_ignore_include_paths
-
-
-+
-+
-+ (?:file="[^\s;]+"|\$IncludeConfig[\s]+[^\s;]+)
-+
-+
-
-diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/oval/shared.xml b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/oval/shared.xml
-index c74f3da3f5..da37a15b8c 100644
---- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/oval/shared.xml
-+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/oval/shared.xml
-@@ -87,10 +87,10 @@
- -->
-
^[^\s#\$]+[\s]+.*[\s]+-?(/+[^:;\s]+);*.*$ - 1 -- state_ignore_include_paths -+ state_permissions_ignore_include_paths - - -- -+ - -- -- -- -- - - -- -- -- -- -- -- -- -- -- -- -- -- -- -- -1 -- -- -- -- -- -1 -- -- -- -- -- -- -- -- -- variable_default_range_quad_expr -- -- -- -- -- 0 -- -- - - -- -- -- -- -+ -+ -+ -+ -+ -+ -+ 0 -+ -+ -+ -+ - - - - - -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -1 -- -- -- -- -- -- -- -- -- variable_reserved_range_quad_expr -- -- -- -- -- 0 -- -- - - -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -1 -- -- -- -- -- -- -- -- -- -- -1 -- -- -- -- -- -- -- -- -- variable_dynalloc_range_quad_expr -- -+ -+ -+ -+ - -- -- -- 0 -- -+ -+ -+ - - - -- -- -- -- -+ -+ -+ -+ - -+ -+ -+ -+ -+ -+ - - -From 31654f72ee7cd30f937f84889c870fd330e7c366 Mon Sep 17 00:00:00 2001 -From: Watson Sato -Date: Thu, 4 Jun 2020 14:04:37 +0200 -Subject: [PATCH 3/3] no_shelllogin_for_systemaccounts: Fix text shebangs - ---- - .../no_shelllogin_for_systemaccounts/tests/default.pass.sh | 2 +- - .../no_shelllogin_for_systemaccounts/tests/no_sys_uids.pass.sh | 3 +-- - .../tests/only_system_users.pass.sh | 3 +-- - .../tests/system_user_with_shell.fail.sh | 3 +-- - 4 files changed, 4 insertions(+), 7 deletions(-) - -diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_shelllogin_for_systemaccounts/tests/default.pass.sh b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_shelllogin_for_systemaccounts/tests/default.pass.sh -index 6d48ad78fd..833831f79d 100644 ---- a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_shelllogin_for_systemaccounts/tests/default.pass.sh -+++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_shelllogin_for_systemaccounts/tests/default.pass.sh -@@ -1,4 +1,4 @@ -+#!/bin/bash - # remediation = none - --#!/bin/bash - true -diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_shelllogin_for_systemaccounts/tests/no_sys_uids.pass.sh 
b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_shelllogin_for_systemaccounts/tests/no_sys_uids.pass.sh -index bc4f9cee8c..6769895eb2 100644 ---- a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_shelllogin_for_systemaccounts/tests/no_sys_uids.pass.sh -+++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_shelllogin_for_systemaccounts/tests/no_sys_uids.pass.sh -@@ -1,6 +1,5 @@ --# remediation = none -- - #!/bin/bash -+# remediation = none - - # Force unset of SYS_UID values - sed -i '/^SYS_UID_MIN/d' /etc/login.defs -diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_shelllogin_for_systemaccounts/tests/only_system_users.pass.sh b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_shelllogin_for_systemaccounts/tests/only_system_users.pass.sh -index 0cdb820bbb..06edf671ce 100644 ---- a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_shelllogin_for_systemaccounts/tests/only_system_users.pass.sh -+++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_shelllogin_for_systemaccounts/tests/only_system_users.pass.sh -@@ -1,6 +1,5 @@ --# remediation = none -- - #!/bin/bash -+# remediation = none - - # remove any non-system user - sed -Ei '/^root|nologin$|halt$|sync$|shutdown$/!d' /etc/passwd -diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_shelllogin_for_systemaccounts/tests/system_user_with_shell.fail.sh b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_shelllogin_for_systemaccounts/tests/system_user_with_shell.fail.sh -index 7639a8809d..10312593b8 100644 ---- a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_shelllogin_for_systemaccounts/tests/system_user_with_shell.fail.sh -+++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_shelllogin_for_systemaccounts/tests/system_user_with_shell.fail.sh -@@ -1,6 +1,5 @@ --# remediation = none -- 
- #!/bin/bash -+# remediation = none - - # change system user "mail" shell to bash - usermod --shell /bin/bash mail diff --git a/SOURCES/scap-security-guide-0.1.51-openssl_crypto_PR_5885.patch b/SOURCES/scap-security-guide-0.1.51-openssl_crypto_PR_5885.patch deleted file mode 100644 index 218e89b..0000000 --- a/SOURCES/scap-security-guide-0.1.51-openssl_crypto_PR_5885.patch +++ /dev/null 
@@ -1,163 +0,0 @@ -From bf4da502abb91d3db88e76f7239880909f400604 Mon Sep 17 00:00:00 2001 -From: Vojtech Polasek -Date: Thu, 25 Jun 2020 09:53:38 +0200 -Subject: [PATCH 1/3] fixed description, oval, ansible, bash - ---- - .../configure_openssl_crypto_policy/ansible/shared.yml | 4 ++-- - .../configure_openssl_crypto_policy/bash/shared.sh | 4 ++-- - .../configure_openssl_crypto_policy/oval/shared.xml | 2 +- - .../crypto/configure_openssl_crypto_policy/rule.yml | 10 +++++----- - 4 files changed, 10 insertions(+), 10 deletions(-) - -diff --git a/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/ansible/shared.yml b/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/ansible/shared.yml -index e6318f221c..98fe134aca 100644 ---- a/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/ansible/shared.yml -+++ b/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/ansible/shared.yml -@@ -15,7 +15,7 @@ - lineinfile: - create: yes - insertafter: '^\s*\[\s*crypto_policy\s*]\s*' -- line: ".include /etc/crypto-policies/back-ends/openssl.config" -+ line: ".include /etc/crypto-policies/back-ends/opensslcnf.config" - path: /etc/pki/tls/openssl.cnf - when: - - test_crypto_policy_group.stdout is defined -@@ -24,7 +24,7 @@ - - name: "Add crypto_policy group and set include openssl.config" - lineinfile: - create: yes -- line: "[crypto_policy]\n.include /etc/crypto-policies/back-ends/openssl.config" -+ line: "[crypto_policy]\n.include /etc/crypto-policies/back-ends/opensslcnf.config" - path: /etc/pki/tls/openssl.cnf - when: - - test_crypto_policy_group.stdout is defined -diff --git a/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/bash/shared.sh b/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/bash/shared.sh -index 0b3cbf3b46..a0b30cce96 100644 ---- 
a/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/bash/shared.sh -+++ b/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/bash/shared.sh -@@ -2,8 +2,8 @@ - - OPENSSL_CRYPTO_POLICY_SECTION='[ crypto_policy ]' - OPENSSL_CRYPTO_POLICY_SECTION_REGEX='\[\s*crypto_policy\s*\]' --OPENSSL_CRYPTO_POLICY_INCLUSION='.include /etc/crypto-policies/back-ends/openssl.config' --OPENSSL_CRYPTO_POLICY_INCLUSION_REGEX='^\s*\.include\s*/etc/crypto-policies/back-ends/openssl.config$' -+OPENSSL_CRYPTO_POLICY_INCLUSION='.include /etc/crypto-policies/back-ends/opensslcnf.config' -+OPENSSL_CRYPTO_POLICY_INCLUSION_REGEX='^\s*\.include\s*/etc/crypto-policies/back-ends/opensslcnf.config$' - - function remediate_openssl_crypto_policy() { - CONFIG_FILE="/etc/pki/tls/openssl.cnf" -diff --git a/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/oval/shared.xml b/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/oval/shared.xml -index a9b3f7b6e9..2019769736 100644 ---- a/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/oval/shared.xml -+++ b/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/oval/shared.xml -@@ -20,7 +20,7 @@ - - /etc/pki/tls/openssl.cnf -- ^\s*\[\s*crypto_policy\s*\]\s*\n*\s*\.include\s*/etc/crypto-policies/back-ends/openssl.config\s*$ -+ ^\s*\[\s*crypto_policy\s*\]\s*\n*\s*\.include\s*/etc/crypto-policies/back-ends/opensslcnf.config\s*$ - 1 - - -diff --git a/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/rule.yml b/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/rule.yml -index 8c015bb3b2..1a66570a8c 100644 ---- a/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/rule.yml -+++ b/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/rule.yml -@@ -11,7 +11,7 @@ description: |- - To 
check that Crypto Policies settings are configured correctly, you have to examine the OpenSSL config file - available under /etc/pki/tls/openssl.cnf. - This file has the ini format, and it enables crypto policy support -- if there is a [ crypto_policy ] section that contains the .include /etc/crypto-policies/back-ends/openssl.config directive. -+ if there is a [ crypto_policy ] section that contains the .include /etc/crypto-policies/back-ends/opensslcnf.config directive. - - rationale: |- - Overriding the system crypto policy makes the behavior of the Java runtime violates expectations, -@@ -29,11 +29,11 @@ references: - - ocil_clause: |- - the OpenSSL config file doesn't contain the whole section, -- or that the section doesn't have the
.include /etc/crypto-policies/back-ends/openssl.config
directive -+ or that the section doesn't have the
.include /etc/crypto-policies/back-ends/opensslcnf.config
directive - - ocil: |- -- To verify that OpenSSL uses the system crypro policy, check out that the OpenSSL config file -+ To verify that OpenSSL uses the system crypto policy, check out that the OpenSSL config file -
/etc/pki/tls/openssl.cnf
contains the
[ crypto_policy ]
section with the --
.include /etc/crypto-policies/back-ends/openssl.config
directive: --
grep '\.include\s* /etc/crypto-policies/back-ends/openssl.config$' /etc/pki/tls/openssl.cnf
. -+
.include /etc/crypto-policies/back-ends/opensslcnf.config
directive: -+
grep '\.include\s* /etc/crypto-policies/back-ends/opensslcnf.config$' /etc/pki/tls/openssl.cnf
. - - -From 5e4f19a3301fbdc74b199b418a435924089d6c30 Mon Sep 17 00:00:00 2001 -From: Vojtech Polasek -Date: Thu, 25 Jun 2020 09:54:09 +0200 -Subject: [PATCH 2/3] updated tests - ---- - .../configure_openssl_crypto_policy/tests/ok.pass.sh | 2 +- - .../tests/wrong.fail.sh | 10 ++++++++++ - 2 files changed, 11 insertions(+), 1 deletion(-) - create mode 100644 linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/tests/wrong.fail.sh - -diff --git a/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/tests/ok.pass.sh b/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/tests/ok.pass.sh -index 5b8334735e..c56916883e 100644 ---- a/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/tests/ok.pass.sh -+++ b/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/tests/ok.pass.sh -@@ -6,5 +6,5 @@ - - create_config_file_with "[ crypto_policy ] - --.include /etc/crypto-policies/back-ends/openssl.config -+.include /etc/crypto-policies/back-ends/opensslcnf.config - " -diff --git a/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/tests/wrong.fail.sh b/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/tests/wrong.fail.sh -new file mode 100644 -index 0000000000..5b8334735e ---- /dev/null -+++ b/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/tests/wrong.fail.sh -@@ -0,0 +1,10 @@ -+#!/bin/bash -+# platform = multi_platform_fedora,Red Hat Enterprise Linux 8 -+# profiles = xccdf_org.ssgproject.content_profile_ospp, xccdf_org.ssgproject.content_profile_standard -+ -+. 
common.sh -+ -+create_config_file_with "[ crypto_policy ] -+ -+.include /etc/crypto-policies/back-ends/openssl.config -+" - -From 73804523130ce02162b780b8811e79e6adcb51a6 Mon Sep 17 00:00:00 2001 -From: Gabriel Becker -Date: Thu, 25 Jun 2020 17:32:00 +0200 -Subject: [PATCH 3/3] Update task name to reflect correct opensslcnf.config - file. - ---- - .../crypto/configure_openssl_crypto_policy/ansible/shared.yml | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/ansible/shared.yml b/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/ansible/shared.yml -index 98fe134aca..986543c10f 100644 ---- a/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/ansible/shared.yml -+++ b/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/ansible/shared.yml -@@ -11,7 +11,7 @@ - changed_when: False - check_mode: no - --- name: "Add .include for openssl.config to crypto_policy section" -+- name: "Add .include for opensslcnf.config to crypto_policy section" - lineinfile: - create: yes - insertafter: '^\s*\[\s*crypto_policy\s*]\s*' -@@ -21,7 +21,7 @@ - - test_crypto_policy_group.stdout is defined - - test_crypto_policy_group.stdout | length > 0 - --- name: "Add crypto_policy group and set include openssl.config" -+- name: "Add crypto_policy group and set include opensslcnf.config" - lineinfile: - create: yes - line: "[crypto_policy]\n.include /etc/crypto-policies/back-ends/opensslcnf.config" diff --git a/SOURCES/scap-security-guide-0.1.51-parametrize-ssh-PR5772.patch b/SOURCES/scap-security-guide-0.1.51-parametrize-ssh-PR5772.patch deleted file mode 100644 index 77a9e01..0000000 --- a/SOURCES/scap-security-guide-0.1.51-parametrize-ssh-PR5772.patch +++ /dev/null 
@@ -1,383 +0,0 @@
-From 91c7ff65572b51b52eaf14f3b147b118dc85cc9f Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?=
-Date: Tue, 19 May 2020 15:49:34 +0200
-Subject: [PATCH 1/5] Made the rule sshd_rekey_limit parametrized.
-
-Introduce the rekey_limit_size and rekey_limit_time XCCDF values
-to make the rule more flexible.
----
- .../sshd_rekey_limit/bash/shared.sh | 9 ++++
- .../sshd_rekey_limit/oval/shared.xml | 43 +++++++++++++++++++
- .../ssh/ssh_server/sshd_rekey_limit/rule.yml | 12 +----
- .../sshd_rekey_limit/tests/bad_size.fail.sh | 4 ++
- .../sshd_rekey_limit/tests/bad_time.fail.sh | 4 ++
- .../sshd_rekey_limit/tests/no_line.fail.sh | 3 ++
- .../sshd_rekey_limit/tests/ok.pass.sh | 4 ++
- .../ssh/ssh_server/var_rekey_limit_size.var | 14 ++++++
- .../ssh/ssh_server/var_rekey_limit_time.var | 14 ++++++
- rhel8/profiles/ospp.profile | 2 +
- 10 files changed, 99 insertions(+), 10 deletions(-)
- create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/bash/shared.sh
- create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/oval/shared.xml
- create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/bad_size.fail.sh
- create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/bad_time.fail.sh
- create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/no_line.fail.sh
- create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/ok.pass.sh
- create mode 100644 linux_os/guide/services/ssh/ssh_server/var_rekey_limit_size.var
- create mode 100644 linux_os/guide/services/ssh/ssh_server/var_rekey_limit_time.var
-
-diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/bash/shared.sh b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/bash/shared.sh
-new file mode 100644
-index 0000000000..2620c2d49e
---- /dev/null
-+++ b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/bash/shared.sh
-@@ -0,0 +1,9 @@
-+# platform = multi_platform_all -+ -+# Include source function library. -+. /usr/share/scap-security-guide/remediation_functions -+ -+populate var_rekey_limit_size -+populate var_rekey_limit_time -+ -+{{{ bash_sshd_config_set(parameter='RekeyLimit', value="$var_rekey_limit_size $var_rekey_limit_time") }}} -diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/oval/shared.xml b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/oval/shared.xml -new file mode 100644 -index 0000000000..57aa090948 ---- /dev/null -+++ b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/oval/shared.xml -@@ -0,0 +1,43 @@ -+{{% set filepath = "/etc/ssh/sshd_config" %}} -+{{% set parameter = "RekeyLimit" %}} -+ -+ -+ -+ -+ -+ {{{ rule_title }}} -+ {{{- oval_affected(products) }}} -+ Ensure '{{{ RekeyLimit }}}' is configured with the correct value in '{{{ filepath }}}' -+ -+ -+ {{{- application_not_required_or_requirement_unset() }}} -+ {{{- application_required_or_requirement_unset() }}} -+ {{{- oval_line_in_file_criterion(filepath, "RekeyLimit") }}} -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ {{{ filepath }}} -+ -+ 1 -+ -+ -+ -+ -+ ^[\s]*RekeyLimit[\s]+ -+ -+ [\s]+ -+ -+ [\s]*$ -+ -+ -+ -+ -+ -+ -+ -diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/rule.yml -index e11678faa0..4936a381f5 100644 ---- a/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/rule.yml -+++ b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/rule.yml -@@ -7,7 +7,7 @@ description: |- - the session key of the is renegotiated, both in terms of - amount of data that may be transmitted and the time - elapsed. To decrease the default limits, put line -- RekeyLimit 512M 1h to file /etc/ssh/sshd_config. -+ RekeyLimit {{{ sub_var_value("var_rekey_limit_size") }}} {{{ sub_var_value("var_rekey_limit_time") }}} to file /etc/ssh/sshd_config. 
- - rationale: |- - By decreasing the limit based on the amount of data and enabling -@@ -30,12 +30,4 @@ ocil: |- - following command: -
$ sudo grep RekeyLimit /etc/ssh/sshd_config
- If configured properly, output should be --
RekeyLimit 512M 1h
-- --template: -- name: sshd_lineinfile -- vars: -- missing_parameter_pass: 'false' -- parameter: RekeyLimit -- rule_id: sshd_rekey_limit -- value: 512M 1h -+
RekeyLimit {{{ sub_var_value("var_rekey_limit_size") }}} {{{ sub_var_value("var_rekey_limit_time") }}}
-diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/bad_size.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/bad_size.fail.sh -new file mode 100644 -index 0000000000..2ac0bbf350 ---- /dev/null -+++ b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/bad_size.fail.sh -@@ -0,0 +1,4 @@ -+# platform = multi_platform_all -+ -+sed -e '/RekeyLimit/d' /etc/ssh/sshd_config -+echo "RekeyLimit 812M 1h" >> /etc/ssh/sshd_config -diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/bad_time.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/bad_time.fail.sh -new file mode 100644 -index 0000000000..fec859fe05 ---- /dev/null -+++ b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/bad_time.fail.sh -@@ -0,0 +1,4 @@ -+# platform = multi_platform_all -+ -+sed -e '/RekeyLimit/d' /etc/ssh/sshd_config -+echo "RekeyLimit 512M 2h" >> /etc/ssh/sshd_config -diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/no_line.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/no_line.fail.sh -new file mode 100644 -index 0000000000..a6cd10163f ---- /dev/null -+++ b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/no_line.fail.sh -@@ -0,0 +1,3 @@ -+# platform = multi_platform_all -+ -+sed -e '/RekeyLimit/d' /etc/ssh/sshd_config -diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/ok.pass.sh b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/ok.pass.sh -new file mode 100644 -index 0000000000..a6a2ba7adf ---- /dev/null -+++ b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/ok.pass.sh -@@ -0,0 +1,4 @@ -+# platform = multi_platform_all -+ -+sed -e '/RekeyLimit/d' /etc/ssh/sshd_config -+echo "RekeyLimit 512M 1h" >> /etc/ssh/sshd_config -diff --git a/linux_os/guide/services/ssh/ssh_server/var_rekey_limit_size.var b/linux_os/guide/services/ssh/ssh_server/var_rekey_limit_size.var -new file 
mode 100644 -index 0000000000..16dc376508 ---- /dev/null -+++ b/linux_os/guide/services/ssh/ssh_server/var_rekey_limit_size.var -@@ -0,0 +1,14 @@ -+documentation_complete: true -+ -+title: 'SSH RekeyLimit - size' -+ -+description: 'Specify the size component of the rekey limit.' -+ -+type: string -+ -+operator: equals -+ -+options: -+ sshd_default: "default" -+ default: "512M" -+ "512M": "512M" -diff --git a/linux_os/guide/services/ssh/ssh_server/var_rekey_limit_time.var b/linux_os/guide/services/ssh/ssh_server/var_rekey_limit_time.var -new file mode 100644 -index 0000000000..8801fbbf6f ---- /dev/null -+++ b/linux_os/guide/services/ssh/ssh_server/var_rekey_limit_time.var -@@ -0,0 +1,14 @@ -+documentation_complete: true -+ -+title: 'SSH RekeyLimit - size' -+ -+description: 'Specify the size component of the rekey limit.' -+ -+type: string -+ -+operator: equals -+ -+options: -+ sshd_default: "none" -+ default: "1h" -+ "1hour": "1h" -diff --git a/rhel8/profiles/ospp.profile b/rhel8/profiles/ospp.profile -index c672066050..a5223a187f 100644 ---- a/rhel8/profiles/ospp.profile -+++ b/rhel8/profiles/ospp.profile -@@ -58,6 +58,8 @@ selections: - - sshd_set_keepalive - - sshd_enable_warning_banner - - sshd_rekey_limit -+ - var_rekey_limit_size=512M -+ - var_rekey_limit_time=1hour - - sshd_use_strong_rng - - openssl_use_strong_entropy - - -From 85efae481db88792de138916c242fbbf0a7adeb1 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= -Date: Tue, 19 May 2020 17:57:12 +0200 -Subject: [PATCH 2/5] Updated stable profile definitions. 
- ---- - tests/data/profile_stability/rhel8/ospp.profile | 2 ++ - tests/data/profile_stability/rhel8/stig.profile | 3 ++- - 2 files changed, 4 insertions(+), 1 deletion(-) - -diff --git a/tests/data/profile_stability/rhel8/ospp.profile b/tests/data/profile_stability/rhel8/ospp.profile -index 23039c82b4..bdda39a903 100644 ---- a/tests/data/profile_stability/rhel8/ospp.profile -+++ b/tests/data/profile_stability/rhel8/ospp.profile -@@ -214,6 +214,8 @@ selections: - - timer_dnf-automatic_enabled - - usbguard_allow_hid_and_hub - - var_sshd_set_keepalive=0 -+- var_rekey_limit_size=512M -+- var_rekey_limit_time=1hour - - var_accounts_user_umask=027 - - var_password_pam_difok=4 - - var_password_pam_maxrepeat=3 -diff --git a/tests/data/profile_stability/rhel8/stig.profile b/tests/data/profile_stability/rhel8/stig.profile -index cd31b73700..ebef541921 100644 ---- a/tests/data/profile_stability/rhel8/stig.profile -+++ b/tests/data/profile_stability/rhel8/stig.profile -@@ -21,7 +21,6 @@ description: 'This profile contains configuration checks that align to the - - - Red Hat Containers with a Red Hat Enterprise Linux 8 image' - documentation_complete: true --extends: ospp - selections: - - account_disable_post_pw_expiration - - account_temp_expire_date -@@ -243,6 +242,8 @@ selections: - - timer_dnf-automatic_enabled - - usbguard_allow_hid_and_hub - - var_sshd_set_keepalive=0 -+- var_rekey_limit_size=512M -+- var_rekey_limit_time=1hour - - var_accounts_user_umask=027 - - var_password_pam_difok=4 - - var_password_pam_maxrepeat=3 - -From d75161c4f7232380a1b46aa8d99fa5d562503c80 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= -Date: Fri, 22 May 2020 11:43:36 +0200 -Subject: [PATCH 3/5] Improved how variables are handled in remediations. 
- ---- - shared/macros-ansible.jinja | 14 ++++++++++++++ - shared/macros-bash.jinja | 15 +++++++++++++++ - 2 files changed, 29 insertions(+) - -diff --git a/shared/macros-ansible.jinja b/shared/macros-ansible.jinja -index 56a3f5f3ec..6798a25d1f 100644 ---- a/shared/macros-ansible.jinja -+++ b/shared/macros-ansible.jinja -@@ -1,3 +1,17 @@ -+{{# -+Pass strings that correspond to XCCDF value names as arguments to this macro: -+ansible_instantiate_variables("varname1", "varname2") -+ -+Then, assume that the task that follows can work with the variable by referencing it, e.g. -+value: "Setting={{ varname1 }}" -+ -+#}} -+{{%- macro ansible_instantiate_variables() -%}} -+{{%- for name in varargs -%}} -+- (xccdf-var {{{ name }}}) -+{{% endfor -%}} -+{{%- endmacro -%}} -+ - {{# - A wrapper over the Ansible lineinfile module. This handles the most common - options for us. regex is optional and when blank, it won't be included in -diff --git a/shared/macros-bash.jinja b/shared/macros-bash.jinja -index 01b9e62e7b..3a94fe5dd8 100644 ---- a/shared/macros-bash.jinja -+++ b/shared/macros-bash.jinja -@@ -1,5 +1,20 @@ - {{# ##### High level macros ##### #}} - -+{{# -+Pass strings that correspond to XCCDF value names as arguments to this macro: -+bash_instantiate_variables("varname1", "varname2") -+ -+Then, assume that variables of that names are defined and contain the correct value, e.g. -+echo "Setting=$varname1" >> config_file -+ -+#}} -+{{%- macro bash_instantiate_variables() -%}} -+{{%- for name in varargs -%}} -+populate {{{ name }}} -+{{# this line is intentionally left blank #}} -+{{% endfor -%}} -+{{%- endmacro -%}} -+ - {{%- macro bash_shell_file_set(path, parameter, value, no_quotes=false) -%}} - {{% if no_quotes -%}} - {{% if "$" in value %}} - -From 912ce0a4ade9aa335c044314a6cc018f1ead1abe Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= -Date: Fri, 22 May 2020 11:44:08 +0200 -Subject: [PATCH 4/5] Fixed Bash and Ansible remediations. 
- ---- - .../ssh/ssh_server/sshd_rekey_limit/ansible/shared.yml | 8 ++++++++ - .../ssh/ssh_server/sshd_rekey_limit/bash/shared.sh | 3 +-- - 2 files changed, 9 insertions(+), 2 deletions(-) - create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/ansible/shared.yml - -diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/ansible/shared.yml b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/ansible/shared.yml -new file mode 100644 -index 0000000000..43a2d4521f ---- /dev/null -+++ b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/ansible/shared.yml -@@ -0,0 +1,8 @@ -+# platform = multi_platform_all [0/453] -+# reboot = false -+# strategy = configure -+# complexity = low -+# disruption = low -+{{{ ansible_instantiate_variables("var_rekey_limit_size", "var_rekey_limit_time") }}} -+ -+{{{ ansible_sshd_set(parameter="RekeyLimit", value="{{ var_rekey_limit_size}} {{var_rekey_limit_time}}") }}} -diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/bash/shared.sh b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/bash/shared.sh -index 2620c2d49e..0277f31392 100644 ---- a/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/bash/shared.sh -+++ b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/bash/shared.sh -@@ -3,7 +3,6 @@ - # Include source function library. - . /usr/share/scap-security-guide/remediation_functions - --populate var_rekey_limit_size --populate var_rekey_limit_time -+{{{ bash_instantiate_variables("var_rekey_limit_size", "var_rekey_limit_time") }}} - - {{{ bash_sshd_config_set(parameter='RekeyLimit', value="$var_rekey_limit_size $var_rekey_limit_time") }}} - -From d0ac47945e14017e522d523267d3a4bfb5ecdf71 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= -Date: Fri, 22 May 2020 11:49:04 +0200 -Subject: [PATCH 5/5] Improved the OVAL according to the review feedback. 
- ---- - .../services/ssh/ssh_server/sshd_rekey_limit/oval/shared.xml | 5 ++--- - 1 file changed, 2 insertions(+), 3 deletions(-) - -diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/oval/shared.xml b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/oval/shared.xml -index 57aa090948..47796e5332 100644 ---- a/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/oval/shared.xml -+++ b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/oval/shared.xml -@@ -1,5 +1,4 @@ --{{% set filepath = "/etc/ssh/sshd_config" %}} --{{% set parameter = "RekeyLimit" %}} -+{{% set filepath = "/etc/ssh/sshd_config" -%}} - - - -@@ -7,7 +6,7 @@ - - {{{ rule_title }}} - {{{- oval_affected(products) }}} -- Ensure '{{{ RekeyLimit }}}' is configured with the correct value in '{{{ filepath }}}' -+ Ensure 'RekeyLimit' is configured with the correct value in '{{{ filepath }}}' - - - {{{- application_not_required_or_requirement_unset() }}} diff --git a/SOURCES/scap-security-guide-0.1.51-parametrize-ssh-PR5782.patch b/SOURCES/scap-security-guide-0.1.51-parametrize-ssh-PR5782.patch deleted file mode 100644 index 2b758fb..0000000 --- a/SOURCES/scap-security-guide-0.1.51-parametrize-ssh-PR5782.patch +++ /dev/null 
@@ -1,102 +0,0 @@
-From 279b1d8b585d3521d4910ec8aa69583f9b7031ac Mon Sep 17 00:00:00 2001
-From: Vojtech Polasek
-Date: Mon, 25 May 2020 10:51:24 +0200
-Subject: [PATCH 1/3] change rekey limit to 1G 1h in rhel8 ospp
-
----
- .../guide/services/ssh/ssh_server/var_rekey_limit_size.var | 1 +
- rhel8/profiles/ospp.profile | 2 +-
- rhel8/profiles/stig.profile | 3 +++
- 3 files changed, 5 insertions(+), 1 deletion(-)
-
-diff --git a/linux_os/guide/services/ssh/ssh_server/var_rekey_limit_size.var b/linux_os/guide/services/ssh/ssh_server/var_rekey_limit_size.var
-index 16dc376508..395a087a68 100644
---- a/linux_os/guide/services/ssh/ssh_server/var_rekey_limit_size.var
-+++ b/linux_os/guide/services/ssh/ssh_server/var_rekey_limit_size.var
-@@ -12,3 +12,4 @@ options:
- sshd_default: "default"
- default: "512M"
- "512M": "512M"
-+ "1G": "1G"
-diff --git a/rhel8/profiles/ospp.profile b/rhel8/profiles/ospp.profile
-index a5223a187f..0dca8350f9 100644
---- a/rhel8/profiles/ospp.profile
-+++ b/rhel8/profiles/ospp.profile
-@@ -58,7 +58,7 @@ selections:
- - sshd_set_keepalive
- - sshd_enable_warning_banner
- - sshd_rekey_limit
-- - var_rekey_limit_size=512M
-+ - var_rekey_limit_size=1G
- - var_rekey_limit_time=1hour
- - sshd_use_strong_rng
- - openssl_use_strong_entropy
-diff --git a/rhel8/profiles/stig.profile b/rhel8/profiles/stig.profile
-index 2bb81cf9dc..a156857647 100644
---- a/rhel8/profiles/stig.profile
-+++ b/rhel8/profiles/stig.profile
-@@ -44,3 +44,6 @@ selections:
- - package_rsyslog-gnutls_installed
- - rsyslog_remote_tls
- - rsyslog_remote_tls_cacert
-+ - sshd_rekey_limit
-+ - var_rekey_limit_size=512M
-+ - var_rekey_limit_time=1hour
-
-From d8ce7bb5f47665e40b6ec2c47e565bb7c46164a9 Mon Sep 17 00:00:00 2001
-From: Vojtech Polasek
-Date: Mon, 25 May 2020 10:51:54 +0200
-Subject: [PATCH 2/3] update stable ospp profile
-
----
- tests/data/profile_stability/rhel8/ospp.profile | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git 
a/tests/data/profile_stability/rhel8/ospp.profile b/tests/data/profile_stability/rhel8/ospp.profile
-index bdda39a903..25f7922bf3 100644
---- a/tests/data/profile_stability/rhel8/ospp.profile
-+++ b/tests/data/profile_stability/rhel8/ospp.profile
-@@ -214,7 +214,7 @@ selections:
- - timer_dnf-automatic_enabled
- - usbguard_allow_hid_and_hub
- - var_sshd_set_keepalive=0
--- var_rekey_limit_size=512M
-+- var_rekey_limit_size=1G
- - var_rekey_limit_time=1hour
- - var_accounts_user_umask=027
- - var_password_pam_difok=4
-
-From 6623ece14b6534164a3b953fd43111cae4a3eeea Mon Sep 17 00:00:00 2001
-From: Vojtech Polasek
-Date: Thu, 28 May 2020 09:30:58 +0200
-Subject: [PATCH 3/3] propagate change also into stig profile
-
----
- rhel8/profiles/stig.profile | 3 ---
- tests/data/profile_stability/rhel8/stig.profile | 2 +-
- 2 files changed, 1 insertion(+), 4 deletions(-)
-
-diff --git a/rhel8/profiles/stig.profile b/rhel8/profiles/stig.profile
-index a156857647..2bb81cf9dc 100644
---- a/rhel8/profiles/stig.profile
-+++ b/rhel8/profiles/stig.profile
-@@ -44,6 +44,3 @@ selections:
- - package_rsyslog-gnutls_installed
- - rsyslog_remote_tls
- - rsyslog_remote_tls_cacert
-- - sshd_rekey_limit
-- - var_rekey_limit_size=512M
-- - var_rekey_limit_time=1hour
-diff --git a/tests/data/profile_stability/rhel8/stig.profile b/tests/data/profile_stability/rhel8/stig.profile
-index ebef541921..6c4270925f 100644
---- a/tests/data/profile_stability/rhel8/stig.profile
-+++ b/tests/data/profile_stability/rhel8/stig.profile
-@@ -242,7 +242,7 @@ selections:
- - timer_dnf-automatic_enabled
- - usbguard_allow_hid_and_hub
- - var_sshd_set_keepalive=0
--- var_rekey_limit_size=512M
-+- var_rekey_limit_size=1G
- - var_rekey_limit_time=1hour
- - var_accounts_user_umask=027
- - var_password_pam_difok=4
diff --git a/SOURCES/scap-security-guide-0.1.51-parametrize-ssh-PR5788.patch
deleted file mode 100644
index 8ebfb97..0000000
--- a/SOURCES/scap-security-guide-0.1.51-parametrize-ssh-PR5788.patch +++ /dev/null 
@@ -1,798 +0,0 @@ -From 604f70aa2d0cce64aed5d699178394523969ba37 Mon Sep 17 00:00:00 2001 -From: Vojtech Polasek -Date: Wed, 27 May 2020 14:34:50 +0200 -Subject: [PATCH 01/11] add rule, variables, check, remediations - ---- - .../ssh_client_rekey_limit/ansible/shared.yml | 8 ++++ - .../ssh_client_rekey_limit/bash/shared.sh | 8 ++++ - .../ssh_client_rekey_limit/oval/shared.xml | 39 +++++++++++++++++++ - .../crypto/ssh_client_rekey_limit/rule.yml | 34 ++++++++++++++++ - .../var_ssh_client_rekey_limit_size.var | 15 +++++++ - .../var_ssh_client_rekey_limit_time.var | 14 +++++++ - shared/references/cce-redhat-avail.txt | 1 - - 7 files changed, 118 insertions(+), 1 deletion(-) - create mode 100644 linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/ansible/shared.yml - create mode 100644 linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/bash/shared.sh - create mode 100644 linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/oval/shared.xml - create mode 100644 linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/rule.yml - create mode 100644 linux_os/guide/system/software/integrity/crypto/var_ssh_client_rekey_limit_size.var - create mode 100644 linux_os/guide/system/software/integrity/crypto/var_ssh_client_rekey_limit_time.var - -diff --git a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/ansible/shared.yml b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/ansible/shared.yml -new file mode 100644 -index 0000000000..6d2bcbbd44 ---- /dev/null -+++ b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/ansible/shared.yml -@@ -0,0 +1,8 @@ -+# platform = multi_platform_all [0/453] -+# reboot = false -+# strategy = configure -+# complexity = low -+# disruption = low -+{{{ ansible_instantiate_variables("var_ssh_client_rekey_limit_size", "var_ssh_client_rekey_limit_time") }}} -+ -+{{{ ansible_lineinfile(msg='Ensure that rekey limit is set 
to {{ var_ssh_client_rekey_limit_size }} {{ var_ssh_client_rekey_limit_time }} in /etc/ssh/ssh_config.d/02-rekey-limit.conf', path='/etc/ssh/ssh_config.d/02-rekey-limit.conf', regex='^\s*RekeyLimit.*$', new_line='RekeyLimit {{ var_ssh_client_rekey_limit_size }} {{ var_ssh_client_rekey_limit_time }}', create='yes', state='present') }}} -diff --git a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/bash/shared.sh b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/bash/shared.sh -new file mode 100644 -index 0000000000..43d0971ffc ---- /dev/null -+++ b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/bash/shared.sh -@@ -0,0 +1,8 @@ -+# platform = multi_platform_all -+ -+# Include source function library. -+. /usr/share/scap-security-guide/remediation_functions -+ -+{{{ bash_instantiate_variables("var_ssh_client_rekey_limit_size", "var_ssh_client_rekey_limit_time") }}} -+ -+{{{ set_config_file(path="/etc/ssh/ssh_config.d/02-rekey-limit.conf", parameter="RekeyLimit", value='$var_ssh_client_rekey_limit_size $var_ssh_client_rekey_limit_time', create=true, insert_before="", insert_after="", insensitive=false, separator=" ", separator_regex="\s\+", prefix_regex="^\s*") }}} -diff --git a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/oval/shared.xml b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/oval/shared.xml -new file mode 100644 -index 0000000000..2412763e3f ---- /dev/null -+++ b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/oval/shared.xml -@@ -0,0 +1,39 @@ -+{{% set filepath = "/etc/ssh/ssh_config.d/02-rekey-limit.conf" -%}} -+ -+ -+ -+ -+ -+ {{{ rule_title }}} -+ {{{- oval_affected(products) }}} -+ Ensure 'RekeyLimit' is configured with the correct value in '{{{ filepath }}}' -+ -+ -+ {{{- oval_line_in_file_criterion(filepath, "RekeyLimit") }}} -+ -+ -+ -+ -+ -+ -+ -+ -+ {{{ filepath }}} -+ -+ 1 -+ -+ -+ -+ -+ 
^[\s]*RekeyLimit[\s]+ -+ -+ [\s]+ -+ -+ [\s]*$ -+ -+ -+ -+ -+ -+ -+ -diff --git a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/rule.yml b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/rule.yml -new file mode 100644 -index 0000000000..a1b85b0ee5 ---- /dev/null -+++ b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/rule.yml -@@ -0,0 +1,34 @@ -+documentation_complete: true -+ -+prodtype: rhel8 -+ -+title: 'Configure session renegotiation for SSH client' -+ -+description: |- -+ The RekeyLimit parameter specifies how often -+ the session key is renegotiated, both in terms of -+ amount of data that may be transmitted and the time -+ elapsed. To decrease the default limits, put line -+ RekeyLimit {{{ sub_var_value("var_ssh_client_rekey_limit_size") }}} {{{ sub_var_value("var_ssh_client_rekey_limit_time") }}} to file /etc/ssh/ssh_config.d/02-rekey-limit.conf. -+ -+rationale: |- -+ By decreasing the limit based on the amount of data and enabling -+ time-based limit, effects of potential attacks against -+ encryption keys are limited. -+ -+severity: medium -+ -+identifiers: -+ cce@rhel8: 82880-6 -+ -+references: -+ ospp: FCS_SSHS_EXT.1 -+ -+ocil_clause: 'it is commented out or is not set' -+ -+ocil: |- -+ To check if RekeyLimit is set correctly, run the -+ following command: -+
$ sudo grep RekeyLimit /etc/ssh/ssh_config.d/02-rekey-limit.conf
-+ If configured properly, output should be -+
RekeyLimit {{{ sub_var_value("var_ssh_client_rekey_limit_size") }}} {{{ sub_var_value("var_ssh_client_rekey_limit_time") }}}
-diff --git a/linux_os/guide/system/software/integrity/crypto/var_ssh_client_rekey_limit_size.var b/linux_os/guide/system/software/integrity/crypto/var_ssh_client_rekey_limit_size.var -new file mode 100644 -index 0000000000..bcf051fd97 ---- /dev/null -+++ b/linux_os/guide/system/software/integrity/crypto/var_ssh_client_rekey_limit_size.var -@@ -0,0 +1,15 @@ -+documentation_complete: true -+ -+title: 'SSH client RekeyLimit - size' -+ -+description: 'Specify the size component of the rekey limit.' -+ -+type: string -+ -+operator: equals -+ -+options: -+ ssh_client_default: "default" -+ default: "512M" -+ "512M": "512M" -+ "1G": "1G" -diff --git a/linux_os/guide/system/software/integrity/crypto/var_ssh_client_rekey_limit_time.var b/linux_os/guide/system/software/integrity/crypto/var_ssh_client_rekey_limit_time.var -new file mode 100644 -index 0000000000..31c76f9ab5 ---- /dev/null -+++ b/linux_os/guide/system/software/integrity/crypto/var_ssh_client_rekey_limit_time.var -@@ -0,0 +1,14 @@ -+documentation_complete: true -+ -+title: 'SSH client RekeyLimit - size' -+ -+description: 'Specify the size component of the rekey limit.' 
-+ -+type: string -+ -+operator: equals -+ -+options: -+ ssh_client_default: "none" -+ default: "1h" -+ "1hour": "1h" -diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt -index 45d03a2c1d..e060d2fb1c 100644 ---- a/shared/references/cce-redhat-avail.txt -+++ b/shared/references/cce-redhat-avail.txt -@@ -1,4 +1,3 @@ --CCE-82880-6 - CCE-82882-2 - CCE-82883-0 - CCE-82888-9 - -From a0d54462b9a1e65de3598d7fc262f61a8e3a06ea Mon Sep 17 00:00:00 2001 -From: Vojtech Polasek -Date: Wed, 27 May 2020 14:35:24 +0200 -Subject: [PATCH 02/11] add tests - ---- - .../crypto/ssh_client_rekey_limit/tests/bad_size.fail.sh | 4 ++++ - .../crypto/ssh_client_rekey_limit/tests/bad_time.fail.sh | 4 ++++ - .../crypto/ssh_client_rekey_limit/tests/no_line.fail.sh | 3 +++ - .../integrity/crypto/ssh_client_rekey_limit/tests/ok.pass.sh | 4 ++++ - 4 files changed, 15 insertions(+) - create mode 100644 linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_size.fail.sh - create mode 100644 linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_time.fail.sh - create mode 100644 linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/no_line.fail.sh - create mode 100644 linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/ok.pass.sh - -diff --git a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_size.fail.sh b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_size.fail.sh -new file mode 100644 -index 0000000000..2ac0bbf350 ---- /dev/null -+++ b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_size.fail.sh -@@ -0,0 +1,4 @@ -+# platform = multi_platform_all -+ -+sed -e '/RekeyLimit/d' /etc/ssh/sshd_config -+echo "RekeyLimit 812M 1h" >> /etc/ssh/sshd_config -diff --git a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_time.fail.sh 
b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_time.fail.sh -new file mode 100644 -index 0000000000..fec859fe05 ---- /dev/null -+++ b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_time.fail.sh -@@ -0,0 +1,4 @@ -+# platform = multi_platform_all -+ -+sed -e '/RekeyLimit/d' /etc/ssh/sshd_config -+echo "RekeyLimit 512M 2h" >> /etc/ssh/sshd_config -diff --git a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/no_line.fail.sh b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/no_line.fail.sh -new file mode 100644 -index 0000000000..a6cd10163f ---- /dev/null -+++ b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/no_line.fail.sh -@@ -0,0 +1,3 @@ -+# platform = multi_platform_all -+ -+sed -e '/RekeyLimit/d' /etc/ssh/sshd_config -diff --git a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/ok.pass.sh b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/ok.pass.sh -new file mode 100644 -index 0000000000..a6a2ba7adf ---- /dev/null -+++ b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/ok.pass.sh -@@ -0,0 +1,4 @@ -+# platform = multi_platform_all -+ -+sed -e '/RekeyLimit/d' /etc/ssh/sshd_config -+echo "RekeyLimit 512M 1h" >> /etc/ssh/sshd_config - -From 6ce9e9d55eab07f1c2a3a8d0b28f104d0b5992da Mon Sep 17 00:00:00 2001 -From: Vojtech Polasek -Date: Wed, 27 May 2020 14:35:43 +0200 -Subject: [PATCH 03/11] add rule to rhel8 ospp, update stable profiles - ---- - rhel8/profiles/ospp.profile | 5 +++++ - tests/data/profile_stability/rhel8/ospp.profile | 3 +++ - tests/data/profile_stability/rhel8/stig.profile | 3 +++ - 3 files changed, 11 insertions(+) - -diff --git a/rhel8/profiles/ospp.profile b/rhel8/profiles/ospp.profile -index 0dca8350f9..07d32b814d 100644 ---- a/rhel8/profiles/ospp.profile -+++ b/rhel8/profiles/ospp.profile -@@ -410,3 +410,8 @@ 
selections: - - # Prevent Kerberos use by system daemons - - kerberos_disable_no_keytab -+ -+ # set ssh client rekey limit -+ - ssh_client_rekey_limit -+ - var_ssh_client_rekey_limit_size=1G -+ - var_ssh_client_rekey_limit_time=1hour -diff --git a/tests/data/profile_stability/rhel8/ospp.profile b/tests/data/profile_stability/rhel8/ospp.profile -index 25f7922bf3..b0d7672c36 100644 ---- a/tests/data/profile_stability/rhel8/ospp.profile -+++ b/tests/data/profile_stability/rhel8/ospp.profile -@@ -240,4 +240,7 @@ selections: - - grub2_vsyscall_argument.severity=info - - sysctl_user_max_user_namespaces.role=unscored - - sysctl_user_max_user_namespaces.severity=info -+- ssh_client_rekey_limit -+- var_ssh_client_rekey_limit_size=1G -+- var_ssh_client_rekey_limit_time=1hour - title: Protection Profile for General Purpose Operating Systems -diff --git a/tests/data/profile_stability/rhel8/stig.profile b/tests/data/profile_stability/rhel8/stig.profile -index 6c4270925f..330ecc7e1e 100644 ---- a/tests/data/profile_stability/rhel8/stig.profile -+++ b/tests/data/profile_stability/rhel8/stig.profile -@@ -269,4 +269,7 @@ selections: - - grub2_vsyscall_argument.severity=info - - sysctl_user_max_user_namespaces.role=unscored - - sysctl_user_max_user_namespaces.severity=info -+- ssh_client_rekey_limit -+- var_ssh_client_rekey_limit_size=1G -+- var_ssh_client_rekey_limit_time=1hour - title: '[DRAFT] DISA STIG for Red Hat Enterprise Linux 8' - -From 763a79e337eecb24c640d1ac189edf02d20e53ad Mon Sep 17 00:00:00 2001 -From: Vojtech Polasek -Date: Thu, 28 May 2020 14:25:41 +0200 -Subject: [PATCH 04/11] improve description of variables - ---- - .../crypto/var_ssh_client_rekey_limit_size.var | 10 ++++++++-- - .../crypto/var_ssh_client_rekey_limit_time.var | 12 +++++++++--- - 2 files changed, 17 insertions(+), 5 deletions(-) - -diff --git a/linux_os/guide/system/software/integrity/crypto/var_ssh_client_rekey_limit_size.var 
b/linux_os/guide/system/software/integrity/crypto/var_ssh_client_rekey_limit_size.var -index bcf051fd97..4e20104cba 100644 ---- a/linux_os/guide/system/software/integrity/crypto/var_ssh_client_rekey_limit_size.var -+++ b/linux_os/guide/system/software/integrity/crypto/var_ssh_client_rekey_limit_size.var -@@ -2,14 +2,20 @@ documentation_complete: true - - title: 'SSH client RekeyLimit - size' - --description: 'Specify the size component of the rekey limit.' -+description: |- -+ Specify the size component of the rekey limit. This limit signifies amount -+ of data. After this amount of data is transferred through the connection, -+ the session key is renegotiated. The number is followed by K, M or G for -+ kilobytes, megabytes or gigabytes. Note that the RekeyLimit can be also -+ configured according to ellabsed time. -+ -+interactive: true - - type: string - - operator: equals - - options: -- ssh_client_default: "default" - default: "512M" - "512M": "512M" - "1G": "1G" -diff --git a/linux_os/guide/system/software/integrity/crypto/var_ssh_client_rekey_limit_time.var b/linux_os/guide/system/software/integrity/crypto/var_ssh_client_rekey_limit_time.var -index 31c76f9ab5..6143a5448c 100644 ---- a/linux_os/guide/system/software/integrity/crypto/var_ssh_client_rekey_limit_time.var -+++ b/linux_os/guide/system/software/integrity/crypto/var_ssh_client_rekey_limit_time.var -@@ -1,14 +1,20 @@ - documentation_complete: true - --title: 'SSH client RekeyLimit - size' -+title: 'SSH client RekeyLimit - time' - --description: 'Specify the size component of the rekey limit.' -+description: |- -+ Specify the time component of the rekey limit. This limit signifies amount -+ of data. The session key is renegotiated after the defined amount of time -+ passes. The number is followed by units such as H or M for hours or minutes. -+ Note that the RekeyLimit can be also configured according to amount of -+ transfered data. 
-+ -+interactive: true - - type: string - - operator: equals - - options: -- ssh_client_default: "none" - default: "1h" - "1hour": "1h" - -From 0800fcaff037a1b012b75e59d6771f5e7763e1de Mon Sep 17 00:00:00 2001 -From: Vojtech Polasek -Date: Thu, 28 May 2020 14:26:12 +0200 -Subject: [PATCH 05/11] fix tests and ansible - ---- - .../crypto/ssh_client_rekey_limit/ansible/shared.yml | 2 +- - .../crypto/ssh_client_rekey_limit/tests/bad_size.fail.sh | 4 ++-- - .../crypto/ssh_client_rekey_limit/tests/bad_time.fail.sh | 4 ++-- - .../crypto/ssh_client_rekey_limit/tests/no_line.fail.sh | 2 +- - .../integrity/crypto/ssh_client_rekey_limit/tests/ok.pass.sh | 5 +++-- - 5 files changed, 9 insertions(+), 8 deletions(-) - -diff --git a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/ansible/shared.yml b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/ansible/shared.yml -index 6d2bcbbd44..bb6544a0a0 100644 ---- a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/ansible/shared.yml -+++ b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/ansible/shared.yml -@@ -1,4 +1,4 @@ --# platform = multi_platform_all [0/453] -+# platform = multi_platform_all - # reboot = false - # strategy = configure - # complexity = low -diff --git a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_size.fail.sh b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_size.fail.sh -index 2ac0bbf350..22c465b08f 100644 ---- a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_size.fail.sh -+++ b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_size.fail.sh -@@ -1,4 +1,4 @@ - # platform = multi_platform_all - --sed -e '/RekeyLimit/d' /etc/ssh/sshd_config --echo "RekeyLimit 812M 1h" >> /etc/ssh/sshd_config -+ -+echo "RekeyLimit 812M 1h" >> /etc/ssh/ssh_config.d/02-rekey-limit.conf -diff --git 
a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_time.fail.sh b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_time.fail.sh -index fec859fe05..0dc621b1da 100644 ---- a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_time.fail.sh -+++ b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_time.fail.sh -@@ -1,4 +1,4 @@ - # platform = multi_platform_all - --sed -e '/RekeyLimit/d' /etc/ssh/sshd_config --echo "RekeyLimit 512M 2h" >> /etc/ssh/sshd_config -+ -+echo "RekeyLimit 512M 2h" >> /etc/ssh/ssh_config.d/02-rekey-limit.conf -diff --git a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/no_line.fail.sh b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/no_line.fail.sh -index a6cd10163f..f6abf711da 100644 ---- a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/no_line.fail.sh -+++ b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/no_line.fail.sh -@@ -1,3 +1,3 @@ - # platform = multi_platform_all - --sed -e '/RekeyLimit/d' /etc/ssh/sshd_config -+echo "some line" > /etc/ssh/ssh_config.d/02-rekey-limit.conf -diff --git a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/ok.pass.sh b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/ok.pass.sh -index a6a2ba7adf..e64e4191bc 100644 ---- a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/ok.pass.sh -+++ b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/ok.pass.sh -@@ -1,4 +1,5 @@ - # platform = multi_platform_all - --sed -e '/RekeyLimit/d' /etc/ssh/sshd_config --echo "RekeyLimit 512M 1h" >> /etc/ssh/sshd_config -+ -+rm -f /etc/ssh/ssh_config.d/02-rekey-limit.conf -+echo "RekeyLimit 1G 1h" >> /etc/ssh/ssh_config.d/02-rekey-limit.conf - -From 
9451e6d91c9975a3e9ecd4c627cbb0f9afce4c92 Mon Sep 17 00:00:00 2001 -From: Vojtech Polasek -Date: Mon, 1 Jun 2020 14:29:47 +0200 -Subject: [PATCH 06/11] fix test to use default value, remove rule from stig - ---- - .../integrity/crypto/ssh_client_rekey_limit/tests/ok.pass.sh | 2 +- - rhel8/profiles/stig.profile | 1 + - tests/data/profile_stability/rhel8/stig.profile | 1 - - 3 files changed, 2 insertions(+), 2 deletions(-) - -diff --git a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/ok.pass.sh b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/ok.pass.sh -index e64e4191bc..89d7069687 100644 ---- a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/ok.pass.sh -+++ b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/ok.pass.sh -@@ -2,4 +2,4 @@ - - - rm -f /etc/ssh/ssh_config.d/02-rekey-limit.conf --echo "RekeyLimit 1G 1h" >> /etc/ssh/ssh_config.d/02-rekey-limit.conf -+echo "RekeyLimit 512M 1h" >> /etc/ssh/ssh_config.d/02-rekey-limit.conf -diff --git a/rhel8/profiles/stig.profile b/rhel8/profiles/stig.profile -index 2bb81cf9dc..8f12852e26 100644 ---- a/rhel8/profiles/stig.profile -+++ b/rhel8/profiles/stig.profile -@@ -44,3 +44,4 @@ selections: - - package_rsyslog-gnutls_installed - - rsyslog_remote_tls - - rsyslog_remote_tls_cacert -+ - "!ssh_client_rekey_limit" -diff --git a/tests/data/profile_stability/rhel8/stig.profile b/tests/data/profile_stability/rhel8/stig.profile -index 330ecc7e1e..9b164eb5c2 100644 ---- a/tests/data/profile_stability/rhel8/stig.profile -+++ b/tests/data/profile_stability/rhel8/stig.profile -@@ -269,7 +269,6 @@ selections: - - grub2_vsyscall_argument.severity=info - - sysctl_user_max_user_namespaces.role=unscored - - sysctl_user_max_user_namespaces.severity=info --- ssh_client_rekey_limit - - var_ssh_client_rekey_limit_size=1G - - var_ssh_client_rekey_limit_time=1hour - title: '[DRAFT] DISA STIG for Red Hat Enterprise Linux 8' - 
-From bd47b1145f17c97de719c887db6146d5e7b59616 Mon Sep 17 00:00:00 2001 -From: Vojtech Polasek -Date: Wed, 3 Jun 2020 12:38:19 +0200 -Subject: [PATCH 07/11] rewrite oval to check for multiple locations - ---- - .../ssh_client_rekey_limit/oval/shared.xml | 42 ++++++++++++------- - 1 file changed, 26 insertions(+), 16 deletions(-) - -diff --git a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/oval/shared.xml b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/oval/shared.xml -index 2412763e3f..41fa0497ae 100644 ---- a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/oval/shared.xml -+++ b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/oval/shared.xml -@@ -1,28 +1,17 @@ --{{% set filepath = "/etc/ssh/ssh_config.d/02-rekey-limit.conf" -%}} -- - - - - - {{{ rule_title }}} - {{{- oval_affected(products) }}} -- Ensure 'RekeyLimit' is configured with the correct value in '{{{ filepath }}}' -+ Ensure 'RekeyLimit' is configured with the correct value in /etc/ssh/ssh_config and /etc/ssh/ssh_config.d/*.conf - -- -- {{{- oval_line_in_file_criterion(filepath, "RekeyLimit") }}} -+ -+ -+ - - - -- -- -- -- -- -- {{{ filepath }}} -- -- 1 -- -- - - - ^[\s]*RekeyLimit[\s]+ -@@ -35,5 +24,26 @@ - - - -- - -+ -+ -+ -+ -+ -+ -+ /etc/ssh/ssh_config -+ ^[\s]*RekeyLimit.*$ -+ 1 -+ -+ -+ -+ -+ -+ -+ -+ ^/etc/ssh/ssh_config\.d/.*\.conf$ -+ -+ 1 -+ -+ -+
- -From c090301ab1cf43a83994b654ccb2ab0b967d05b4 Mon Sep 17 00:00:00 2001 -From: Vojtech Polasek -Date: Thu, 4 Jun 2020 08:24:54 +0200 -Subject: [PATCH 08/11] reqrite remediations - ---- - .../ssh_client_rekey_limit/ansible/shared.yml | 16 ++++++++++++++++ - .../crypto/ssh_client_rekey_limit/bash/shared.sh | 13 +++++++++++++ - 2 files changed, 29 insertions(+) - -diff --git a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/ansible/shared.yml b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/ansible/shared.yml -index bb6544a0a0..36de503806 100644 ---- a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/ansible/shared.yml -+++ b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/ansible/shared.yml -@@ -5,4 +5,20 @@ - # disruption = low - {{{ ansible_instantiate_variables("var_ssh_client_rekey_limit_size", "var_ssh_client_rekey_limit_time") }}} - -+{{{ ansible_lineinfile(msg='Ensure RekeyLimit is not configured in /etc/ssh/ssh_config', path='/etc/ssh/ssh_config', regex='^\s*RekeyLimit.*$', create='no', state='absent') }}} -+ -+- name: Collect all include config files for ssh client which configure RekeyLimit -+ find: -+ paths: "/etc/ssh/ssh_config.d/" -+ contains: '^[\s]*RekeyLimit.*$' -+ patterns: "*.config" -+ register: ssh_config_include_files -+ -+- name: Remove all occurences of RekeyLimit configuration from include config files of ssh client -+ lineinfile: -+ path: "{{ item }}" -+ regexp: '^[\s]*RekeyLimit.*$' -+ state: "absent" -+ loop: "{{ ssh_config_include_files.files }}" -+ - {{{ ansible_lineinfile(msg='Ensure that rekey limit is set to {{ var_ssh_client_rekey_limit_size }} {{ var_ssh_client_rekey_limit_time }} in /etc/ssh/ssh_config.d/02-rekey-limit.conf', path='/etc/ssh/ssh_config.d/02-rekey-limit.conf', regex='^\s*RekeyLimit.*$', new_line='RekeyLimit {{ var_ssh_client_rekey_limit_size }} {{ var_ssh_client_rekey_limit_time }}', create='yes', state='present') }}} -diff 
--git a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/bash/shared.sh b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/bash/shared.sh -index 43d0971ffc..99f6f63c92 100644 ---- a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/bash/shared.sh -+++ b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/bash/shared.sh -@@ -5,4 +5,17 @@ - - {{{ bash_instantiate_variables("var_ssh_client_rekey_limit_size", "var_ssh_client_rekey_limit_time") }}} - -+main_config="/etc/ssh/ssh_config" -+include_directory="/etc/ssh/ssh_config.d" -+ -+if grep -q '^[\s]*RekeyLimit.*$' "$main_config"; then -+ sed -i '/^[\s]*RekeyLimit.*/d' "$main_config" -+fi -+ -+for file in "$include_directory"/*.conf; do -+ if grep -q '^[\s]*RekeyLimit.*$' "$file"; then -+ sed -i '/^[\s]*RekeyLimit.*/d' "$file" -+ fi -+done -+ - {{{ set_config_file(path="/etc/ssh/ssh_config.d/02-rekey-limit.conf", parameter="RekeyLimit", value='$var_ssh_client_rekey_limit_size $var_ssh_client_rekey_limit_time', create=true, insert_before="", insert_after="", insensitive=false, separator=" ", separator_regex="\s\+", prefix_regex="^\s*") }}} - -From 22b8cb067cfc9d6d48065233973d1dba223ef5a4 Mon Sep 17 00:00:00 2001 -From: Vojtech Polasek -Date: Thu, 4 Jun 2020 08:25:14 +0200 -Subject: [PATCH 09/11] add more tests - ---- - .../tests/bad_main_config_good_include_config.fail.sh | 4 ++++ - .../ssh_client_rekey_limit/tests/line_in_main_config.fail.sh | 4 ++++ - .../tests/ok_different_config_file.pass.sh | 3 +++ - 3 files changed, 11 insertions(+) - create mode 100644 linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_main_config_good_include_config.fail.sh - create mode 100644 linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/line_in_main_config.fail.sh - create mode 100644 linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/ok_different_config_file.pass.sh - -diff 
--git a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_main_config_good_include_config.fail.sh b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_main_config_good_include_config.fail.sh -new file mode 100644 -index 0000000000..90314712af ---- /dev/null -+++ b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_main_config_good_include_config.fail.sh -@@ -0,0 +1,4 @@ -+#!/bin/basdh -+ -+echo "RekeyLimit 2G 1h" >> /etc/ssh/ssh_config -+echo "RekeyLimit 512M 1h" >> /etc/ssh/ssh_config.d/02-rekey-limit.conf -diff --git a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/line_in_main_config.fail.sh b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/line_in_main_config.fail.sh -new file mode 100644 -index 0000000000..9ba20b0290 ---- /dev/null -+++ b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/line_in_main_config.fail.sh -@@ -0,0 +1,4 @@ -+#!/bin/bash -+ -+rm -rf /etc/ssh/ssh_config.d/* -+echo "RekeyLimit 512M 1h" >> /etc/ssh/ssh_config -diff --git a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/ok_different_config_file.pass.sh b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/ok_different_config_file.pass.sh -new file mode 100644 -index 0000000000..f725f6936f ---- /dev/null -+++ b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/ok_different_config_file.pass.sh -@@ -0,0 +1,3 @@ -+#!/bin/bash -+ -+echo "RekeyLimit 512M 1h" >> /etc/ssh/ssh_config.d/05-some-file.conf - -From 78904a0cc4461cc26786289095fd76e8ce15843e Mon Sep 17 00:00:00 2001 -From: Vojtech Polasek -Date: Thu, 4 Jun 2020 08:25:29 +0200 -Subject: [PATCH 10/11] extend description and ocil - ---- - .../crypto/ssh_client_rekey_limit/rule.yml | 19 ++++++++++++++----- - 1 file changed, 14 insertions(+), 5 deletions(-) - -diff --git 
a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/rule.yml b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/rule.yml -index a1b85b0ee5..76f5f84090 100644 ---- a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/rule.yml -+++ b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/rule.yml -@@ -10,6 +10,12 @@ description: |- - amount of data that may be transmitted and the time - elapsed. To decrease the default limits, put line - RekeyLimit {{{ sub_var_value("var_ssh_client_rekey_limit_size") }}} {{{ sub_var_value("var_ssh_client_rekey_limit_time") }}} to file /etc/ssh/ssh_config.d/02-rekey-limit.conf. -+ Make sure that there is no other RekeyLimit configuration preceding -+ the include directive in the main config file -+ /etc/ssh/ssh_config. Check also other files in -+ /etc/ssh/ssh_config.d directory. Files are processed according to -+ their names. Make sure that there is no file processed before -+ 02-rekey-limit.conf containing definition of RekeyLimit. - - rationale: |- - By decreasing the limit based on the amount of data and enabling -@@ -27,8 +33,11 @@ references: - ocil_clause: 'it is commented out or is not set' - - ocil: |- -- To check if RekeyLimit is set correctly, run the -- following command: --
$ sudo grep RekeyLimit /etc/ssh/ssh_config.d/02-rekey-limit.conf
-- If configured properly, output should be --
RekeyLimit {{{ sub_var_value("var_ssh_client_rekey_limit_size") }}} {{{ sub_var_value("var_ssh_client_rekey_limit_time") }}}
-+ To check if RekeyLimit is set correctly, run the following command:
$
-+    sudo grep RekeyLimit /etc/ssh/ssh_config.d/*.conf
If configured -+ properly, output should be
/etc/ssh/ssh_config.d/02-rekey-limit.conf:
-+    RekeyLimit {{{ sub_var_value("var_ssh_client_rekey_limit_size") }}} {{{
-+    sub_var_value("var_ssh_client_rekey_limit_time") }}}
Check also the -+ main configuration file with the following command:
sudo grep
-+    RekeyLimit /etc/ssh/ssh_config
The command should not return any -+ output. - -From 854d5c9d1e1a44e97fe59aeaace687adcff620d5 Mon Sep 17 00:00:00 2001 -From: Vojtech Polasek -Date: Mon, 8 Jun 2020 11:44:44 +0200 -Subject: [PATCH 11/11] fix typos and wording - ---- - .../integrity/crypto/ssh_client_rekey_limit/rule.yml | 5 +++-- - .../tests/bad_main_config_good_include_config.fail.sh | 2 +- - .../crypto/ssh_client_rekey_limit/tests/bad_size.fail.sh | 1 + - .../crypto/ssh_client_rekey_limit/tests/bad_time.fail.sh | 1 + - .../crypto/ssh_client_rekey_limit/tests/no_line.fail.sh | 1 + - .../crypto/ssh_client_rekey_limit/tests/ok.pass.sh | 1 + - .../integrity/crypto/var_ssh_client_rekey_limit_size.var | 2 +- - .../integrity/crypto/var_ssh_client_rekey_limit_time.var | 9 ++++----- - 8 files changed, 13 insertions(+), 9 deletions(-) - -diff --git a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/rule.yml b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/rule.yml -index 76f5f84090..b054d9d221 100644 ---- a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/rule.yml -+++ b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/rule.yml -@@ -14,8 +14,9 @@ description: |- - the include directive in the main config file - /etc/ssh/ssh_config. Check also other files in - /etc/ssh/ssh_config.d directory. Files are processed according to -- their names. Make sure that there is no file processed before -- 02-rekey-limit.conf containing definition of RekeyLimit. -+ lexicographical order of file names. Make sure that there is no file -+ processed before 02-rekey-limit.conf containing definition of -+ RekeyLimit. 
- - rationale: |- - By decreasing the limit based on the amount of data and enabling -diff --git a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_main_config_good_include_config.fail.sh b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_main_config_good_include_config.fail.sh -index 90314712af..58befb0107 100644 ---- a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_main_config_good_include_config.fail.sh -+++ b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_main_config_good_include_config.fail.sh -@@ -1,4 +1,4 @@ --#!/bin/basdh -+#!/bin/bash - - echo "RekeyLimit 2G 1h" >> /etc/ssh/ssh_config - echo "RekeyLimit 512M 1h" >> /etc/ssh/ssh_config.d/02-rekey-limit.conf -diff --git a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_size.fail.sh b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_size.fail.sh -index 22c465b08f..1803c26629 100644 ---- a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_size.fail.sh -+++ b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_size.fail.sh -@@ -1,3 +1,4 @@ -+#!/bin/bash - # platform = multi_platform_all - - -diff --git a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_time.fail.sh b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_time.fail.sh -index 0dc621b1da..2c9e839255 100644 ---- a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_time.fail.sh -+++ b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_time.fail.sh -@@ -1,3 +1,4 @@ -+#!/bin/bash - # platform = multi_platform_all - - -diff --git a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/no_line.fail.sh 
b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/no_line.fail.sh
-index f6abf711da..7de108eafd 100644
---- a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/no_line.fail.sh
-+++ b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/no_line.fail.sh
-@@ -1,3 +1,4 @@
-+#!/bin/bash
- # platform = multi_platform_all
-
- echo "some line" > /etc/ssh/ssh_config.d/02-rekey-limit.conf
-diff --git a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/ok.pass.sh b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/ok.pass.sh
-index 89d7069687..4c047ed179 100644
---- a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/ok.pass.sh
-+++ b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/ok.pass.sh
-@@ -1,3 +1,4 @@
-+#!/bin/bash
- # platform = multi_platform_all
-
-
-diff --git a/linux_os/guide/system/software/integrity/crypto/var_ssh_client_rekey_limit_size.var b/linux_os/guide/system/software/integrity/crypto/var_ssh_client_rekey_limit_size.var
-index 4e20104cba..c8dd8ef10e 100644
---- a/linux_os/guide/system/software/integrity/crypto/var_ssh_client_rekey_limit_size.var
-+++ b/linux_os/guide/system/software/integrity/crypto/var_ssh_client_rekey_limit_size.var
-@@ -7,7 +7,7 @@ description: |-
- of data. After this amount of data is transferred through the connection,
- the session key is renegotiated. The number is followed by K, M or G for
- kilobytes, megabytes or gigabytes. Note that the RekeyLimit can be also
-- configured according to ellabsed time.
-+ configured according to elapsed time.
-
- interactive: true
-
-diff --git a/linux_os/guide/system/software/integrity/crypto/var_ssh_client_rekey_limit_time.var b/linux_os/guide/system/software/integrity/crypto/var_ssh_client_rekey_limit_time.var
-index 6143a5448c..6223e8e38f 100644
---- a/linux_os/guide/system/software/integrity/crypto/var_ssh_client_rekey_limit_time.var
-+++ b/linux_os/guide/system/software/integrity/crypto/var_ssh_client_rekey_limit_time.var
-@@ -3,11 +3,10 @@ documentation_complete: true
-
- title: 'SSH client RekeyLimit - time'
-
- description: |-
-- Specify the time component of the rekey limit. This limit signifies amount
-- of data. The session key is renegotiated after the defined amount of time
-- passes. The number is followed by units such as H or M for hours or minutes.
-- Note that the RekeyLimit can be also configured according to amount of
-- transfered data.
-+ Specify the time component of the rekey limit. The session key is
-+ renegotiated after the defined amount of time passes. The number is followed
-+ by units such as H or M for hours or minutes. Note that the RekeyLimit can
-+ be also configured according to amount of transfered data.
-
- interactive: true
-
diff --git a/SOURCES/scap-security-guide-0.1.51-remove_grub_doc_links-PR_5851.patch b/SOURCES/scap-security-guide-0.1.51-remove_grub_doc_links-PR_5851.patch
deleted file mode 100644
index d80f19e..0000000
--- a/SOURCES/scap-security-guide-0.1.51-remove_grub_doc_links-PR_5851.patch
+++ /dev/null
@@ -1,65 +0,0 @@
-From 713bc3b17929d0c73b7898f42fe7935806a3bfff Mon Sep 17 00:00:00 2001
-From: Gabe
-Date: Tue, 16 Jun 2020 16:04:10 -0600
-Subject: [PATCH] Remove grub documentation links from RHEL7 rationale
-
----
- .../system/bootloader-grub2/grub2_admin_username/rule.yml | 7 -------
- .../guide/system/bootloader-grub2/grub2_password/rule.yml | 7 -------
- .../system/bootloader-grub2/grub2_uefi_password/rule.yml | 7 -------
- 3 files changed, 21 deletions(-)
-
-diff --git a/linux_os/guide/system/bootloader-grub2/grub2_admin_username/rule.yml b/linux_os/guide/system/bootloader-grub2/grub2_admin_username/rule.yml
-index 2042a17806..63a6a7a83c 100644
---- a/linux_os/guide/system/bootloader-grub2/grub2_admin_username/rule.yml
-+++ b/linux_os/guide/system/bootloader-grub2/grub2_admin_username/rule.yml
-@@ -24,13 +24,6 @@ description: |-
-
- rationale: |-
- Having a non-default grub superuser username makes password-guessing attacks less effective.
-- {{% if product == "rhel7" %}}
-- For more information on how to configure the grub2 superuser account and password,
-- please refer to
--
    --
  • {{{ weblink(link="https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System_Administrators_Guide/sec-Protecting_GRUB_2_with_a_Password.html") }}}
  • . --
-- {{% endif %}}
-
- severity: low
-
-diff --git a/linux_os/guide/system/bootloader-grub2/grub2_password/rule.yml b/linux_os/guide/system/bootloader-grub2/grub2_password/rule.yml
-index 00cec58c77..985b8727d7 100644
---- a/linux_os/guide/system/bootloader-grub2/grub2_password/rule.yml
-+++ b/linux_os/guide/system/bootloader-grub2/grub2_password/rule.yml
-@@ -23,13 +23,6 @@ rationale: |-
- users with physical access cannot trivially alter
- important bootloader settings. These include which kernel to use,
- and whether to enter single-user mode.
-- {{% if product == "rhel7" %}}
-- For more information on how to configure the grub2 superuser account and password,
-- please refer to
--
    --
  • {{{ weblink(link="https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System_Administrators_Guide/sec-Protecting_GRUB_2_with_a_Password.html") }}}
  • . --
-- {{% endif %}}
-
- severity: high
-
-diff --git a/linux_os/guide/system/bootloader-grub2/grub2_uefi_password/rule.yml b/linux_os/guide/system/bootloader-grub2/grub2_uefi_password/rule.yml
-index 954d6f21d0..3ce5a2df13 100644
---- a/linux_os/guide/system/bootloader-grub2/grub2_uefi_password/rule.yml
-+++ b/linux_os/guide/system/bootloader-grub2/grub2_uefi_password/rule.yml
-@@ -23,13 +23,6 @@ rationale: |-
- users with physical access cannot trivially alter
- important bootloader settings. These include which kernel to use,
- and whether to enter single-user mode.
-- {{% if product == "rhel7" %}}
-- For more information on how to configure the grub2 superuser account and password,
-- please refer to
--
    --
  • {{{ weblink(link="https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System_Administrators_Guide/sec-Protecting_GRUB_2_with_a_Password.html") }}}
  • . --
-- {{% endif %}}
-
- severity: medium
-
diff --git a/SOURCES/scap-security-guide-0.1.51-update_rhel8_cis_PR_5771.patch b/SOURCES/scap-security-guide-0.1.51-update_rhel8_cis_PR_5771.patch
deleted file mode 100644
index 4b69221..0000000
--- a/SOURCES/scap-security-guide-0.1.51-update_rhel8_cis_PR_5771.patch
+++ /dev/null
@@ -1,1216 +0,0 @@
-From 29eb0f64454f275085015b481a59184e73ebe7f6 Mon Sep 17 00:00:00 2001
-From: Shawn Wells
-Date: Sun, 29 Mar 2020 00:58:02 -0400
-Subject: [PATCH 01/20] update CIS RHEL8 profile
-
----
- .../service_crond_enabled/rule.yml | 2 +-
- .../r_services/no_rsh_trust_files/rule.yml | 8 +-
- .../rule.yml | 2 +-
- .../account_unique_name/rule.yml | 11 +-
- .../accounts_maximum_age_login_defs/rule.yml | 2 +-
- .../accounts_minimum_age_login_defs/rule.yml | 1 +
- .../rule.yml | 1 +
- .../var_accounts_maximum_age_login_defs.var | 1 +
- .../password_storage/no_netrc_files/rule.yml | 4 +-
- .../accounts_no_uid_except_zero/rule.yml | 2 +-
- .../no_direct_root_logins/rule.yml | 2 +-
- .../rule.yml | 1 +
- .../accounts-session/accounts_tmout/rule.yml | 1 +
- .../rule.yml | 1 +
- .../rule.yml | 1 +
- .../file_permissions_home_dirs/rule.yml | 4 +-
- .../rsyslog_files_permissions/rule.yml | 2 +-
- .../ensure_logrotate_activated/rule.yml | 1 +
- .../package_rsyslog_installed/rule.yml | 2 +-
- .../rsyslog_nolisten/rule.yml | 2 +
- .../rsyslog_remote_loghost/rule.yml | 4 +-
- .../logging/service_rsyslog_enabled/rule.yml | 2 +-
- rhel8/profiles/cis.profile | 141 ++++++++++++------
- shared/references/cce-redhat-avail.txt | 2 -
- 24 files changed, 137 insertions(+), 63 deletions(-)
-
-diff --git a/linux_os/guide/services/cron_and_at/service_crond_enabled/rule.yml b/linux_os/guide/services/cron_and_at/service_crond_enabled/rule.yml
-index a1f82cf5c9..09d1a92a55 100644
---- a/linux_os/guide/services/cron_and_at/service_crond_enabled/rule.yml
-+++ b/linux_os/guide/services/cron_and_at/service_crond_enabled/rule.yml
-@@ -24,7 +24,7 @@ identifiers:
- references:
- stigid@rhel6: "000224"
- srg@rhel6: SRG-OS-999999
-- cis: 5.1.1
-+ cis@rhel8: 5.1.1
- hipaa: 164.308(a)(4)(i),164.308(b)(1),164.308(b)(3),164.310(b),164.312(e)(1),164.312(e)(2)(ii)
- nist: CM-6(a)
- nist-csf: PR.IP-1,PR.PT-3
-diff --git a/linux_os/guide/services/obsolete/r_services/no_rsh_trust_files/rule.yml
b/linux_os/guide/services/obsolete/r_services/no_rsh_trust_files/rule.yml
-index 2ccf4127b7..ec2fa6c012 100644
---- a/linux_os/guide/services/obsolete/r_services/no_rsh_trust_files/rule.yml
-+++ b/linux_os/guide/services/obsolete/r_services/no_rsh_trust_files/rule.yml
-@@ -12,9 +12,9 @@ description: |-
-
$ rm ~/.rhosts
-
- rationale: |-
-- Trust files are convenient, but when
-- used in conjunction with the R-services, they can allow
-- unauthenticated access to a system.
-+ This action is only meaningful if .rhosts support is permitted
-+ through PAM. Trust files are convenient, but when used in conjunction with
-+ the R-services, they can allow unauthenticated access to a system.
-
- severity: high
-
-@@ -26,7 +26,7 @@ identifiers:
- references:
- stigid@rhel6: "000019"
- srg@rhel6: SRG-OS-000248
-- cis: 6.2.14
-+ cis@rhel8: 6.2.13
- disa: "1436"
- hipaa: 164.308(a)(4)(i),164.308(b)(1),164.308(b)(3),164.310(b),164.312(e)(1),164.312(e)(2)(ii)
- nist: CM-7(a),CM-7(b),CM-6(a)
-diff --git a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/rule.yml b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/rule.yml
-index fff30d70c7..7a1538392a 100644
---- a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/rule.yml
-+++ b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/rule.yml
-@@ -43,7 +43,7 @@ references:
- stigid@rhel6: "000062"
- srg@rhel6: SRG-OS-000120
- disa@rhel6: '803'
-- cis: 6.3.1
-+ cis@rhel8: 5.4.4
- cjis: 5.6.2.2
- cui: 3.13.11
- disa: "196"
-diff --git a/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_unique_name/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_unique_name/rule.yml
-index 2cdafc0609..35652a410b 100644
---- a/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_unique_name/rule.yml
-+++ b/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_unique_name/rule.yml
-@@ -2,9 +2,15 @@ documentation_complete: true
-
- title: 'Ensure All Accounts on the System Have Unique
Names'
-
--description: 'Change usernames, or delete accounts, so each has a unique name.'
-+description: |-
-+ Although the useradd utility prevents creation of duplicate user
-+ names, it is possible for a malicious administrator to manually edit the
-+ /etc/passwd file and change the user name.
-
--rationale: 'Unique usernames allow for accountability on the system.'
-+rationale: |-
-+ If a user is assigned a duplicate user name, the new user will be able to
-+ create and have access to files with the first UID for that username as
-+ defined in /etc/passwd.
-
- severity: medium
-
-@@ -19,6 +25,7 @@ references:
- cjis: 5.5.2
- disa: 770,804
- pcidss: Req-8.1.1
-+ cis@rhel8: 6.2.17
-
- ocil_clause: 'a line is returned'
-
-diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/rule.yml
-index af1ea13d8f..c2c4aa11bc 100644
---- a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/rule.yml
-+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/rule.yml
-@@ -34,7 +34,7 @@ references:
- stigid@rhel6: "000053"
- srg@rhel6: SRG-OS-000076
- disa@rhel6: '180'
-- cis: 5.4.1.1
-+ cis@rhel8: 5.5.1.1
- cjis: 5.6.2.1
- cui: 3.5.6
- disa: "199"
-diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_minimum_age_login_defs/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_minimum_age_login_defs/rule.yml
-index 2de12efb3e..6147d672a4 100644
---- a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_minimum_age_login_defs/rule.yml
-+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_minimum_age_login_defs/rule.yml
-@@ -44,6 +44,7 @@ references:
-
cobit5: DSS05.04,DSS05.05,DSS05.07,DSS05.10,DSS06.03,DSS06.10
- iso27001-2013: A.18.1.4,A.7.1.1,A.9.2.1,A.9.2.2,A.9.2.3,A.9.2.4,A.9.2.6,A.9.3.1,A.9.4.2,A.9.4.3
- cis-csc: 1,12,15,16,5
-+ cis@rhel8: 5.5.1.2
-
- ocil_clause: 'it is not equal to or greater than the required value'
-
-diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_warn_age_login_defs/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_warn_age_login_defs/rule.yml
-index 3a5c00708d..2a1005bd20 100644
---- a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_warn_age_login_defs/rule.yml
-+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_warn_age_login_defs/rule.yml
-@@ -33,6 +33,7 @@ references:
- cobit5: DSS01.03,DSS03.05,DSS05.04,DSS05.05,DSS05.07,DSS05.10,DSS06.03,DSS06.10
- iso27001-2013: A.12.4.1,A.12.4.3,A.18.1.4,A.6.1.2,A.7.1.1,A.9.1.2,A.9.2.1,A.9.2.2,A.9.2.3,A.9.2.4,A.9.2.6,A.9.3.1,A.9.4.1,A.9.4.2,A.9.4.3,A.9.4.4,A.9.4.5
- cis-csc: 1,12,13,14,15,16,18,3,5,7,8
-+ cis@rhel8: 5.5.1.3
-
- ocil_clause: 'it is not set to the required value'
-
-diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/var_accounts_maximum_age_login_defs.var b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/var_accounts_maximum_age_login_defs.var
-index 731f8f475f..11eb238c5d 100644
---- a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/var_accounts_maximum_age_login_defs.var
-+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/var_accounts_maximum_age_login_defs.var
-@@ -9,6 +9,7 @@ type: number
- interactive: false
-
- options:
-+ 365: 365
- 120: 120
- 180: 180
- 60: 60
-diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_netrc_files/rule.yml
b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_netrc_files/rule.yml
-index 01454a7274..8547893201 100644
---- a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_netrc_files/rule.yml
-+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_netrc_files/rule.yml
-@@ -11,8 +11,7 @@ description: |-
-
- rationale: |-
- Unencrypted passwords for remote FTP servers may be stored in .netrc
-- files. DoD policy requires passwords be encrypted in storage and not used
-- in access scripts.
-+ files.
-
- severity: medium
-
-@@ -24,6 +23,7 @@ identifiers:
- references:
- stigid@rhel6: "000347"
- srg@rhel6: SRG-OS-000073
-+ cis@rhel8: 6.2.11
- disa: "196"
- nist: IA-5(h),IA-5(1)(c),CM-6(a),IA-5(7)
- nist-csf: PR.AC-1,PR.AC-4,PR.AC-6,PR.AC-7,PR.PT-3
-diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/accounts_no_uid_except_zero/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/accounts_no_uid_except_zero/rule.yml
-index 0b61daf925..14f9140687 100644
---- a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/accounts_no_uid_except_zero/rule.yml
-+++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/accounts_no_uid_except_zero/rule.yml
-@@ -31,7 +31,7 @@ references:
- stigid@ol7: "020310"
- stigid@rhel6: "000032"
- srg@rhel6: SRG-OS-999999
-- cis: 6.2.5
-+ cis@rhel8: 6.2.6
- cui: 3.1.1,3.1.5
- disa: "366"
- nist: IA-2,AC-6(5),IA-4(b)
-diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/rule.yml
-index 1d08bde4d9..9e00f3aad6 100644
---- a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/rule.yml
-+++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/rule.yml
-@@ -33,7 +33,7 @@ identifiers:
- cce@ocp4: 82698-2
-
- references:
-- cis: "5.5"
-+ cis@rhel8: "5.6"
- cui: 3.1.1,3.1.6
- hipaa: 164.308(a)(1)(ii)(B),164.308(a)(7)(i),164.308(a)(7)(ii)(A),164.310(a)(1),164.310(a)(2)(i),164.310(a)(2)(ii),164.310(a)(2)(iii),164.310(b),164.310(c),164.310(d)(1),164.310(d)(2)(iii)
- nist: IA-2,CM-6(a)
-diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/securetty_root_login_console_only/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/securetty_root_login_console_only/rule.yml
-index ae8ba133b7..0c26ac3240 100644
---- a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/securetty_root_login_console_only/rule.yml
-+++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/securetty_root_login_console_only/rule.yml
-@@ -35,6 +35,7 @@ references:
- cobit5: APO01.06,DSS05.04,DSS05.07,DSS06.02
- iso27001-2013: A.10.1.1,A.11.1.4,A.11.1.5,A.11.2.1,A.13.1.1,A.13.1.3,A.13.2.1,A.13.2.3,A.13.2.4,A.14.1.2,A.14.1.3,A.6.1.2,A.7.1.1,A.7.1.2,A.7.3.1,A.8.2.2,A.8.2.3,A.9.1.1,A.9.1.2,A.9.2.3,A.9.4.1,A.9.4.4,A.9.4.5
- cis-csc: 12,13,14,15,16,18,3,5
-+ cis@rhel8: "5.6"
- srg: SRG-OS-000324-GPOS-00125
-
- ocil_clause: 'root login over virtual console devices is permitted'
-diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_tmout/rule.yml b/linux_os/guide/system/accounts/accounts-session/accounts_tmout/rule.yml
-index 787f2264de..f09006b72b 100644
---- a/linux_os/guide/system/accounts/accounts-session/accounts_tmout/rule.yml
-+++ b/linux_os/guide/system/accounts/accounts-session/accounts_tmout/rule.yml
-@@ -38,6 +38,7 @@ references:
- cobit5: DSS05.04,DSS05.10,DSS06.10
- iso27001-2013: A.18.1.4,A.9.2.1,A.9.2.4,A.9.3.1,A.9.4.2,A.9.4.3
- cis-csc: 1,12,15,16
-+ cis@rhel8: 5.5.3
- anssi: NT28(R29)
-
- ocil_clause: 'value of TMOUT is not less than or equal to expected setting'
-diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_exists/rule.yml
b/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_exists/rule.yml
-index e7e9a751a4..bedf3a0b19 100644
---- a/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_exists/rule.yml
-+++ b/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_exists/rule.yml
-@@ -27,6 +27,7 @@ references:
- disa: "366"
- srg: SRG-OS-000480-GPOS-00227
- stigid@rhel7: "020620"
-+ cis@rhel8: 6.2.20
-
- ocil_clause: 'users home directory does not exist'
-
-diff --git a/linux_os/guide/system/accounts/accounts-session/file_groupownership_home_directories/rule.yml b/linux_os/guide/system/accounts/accounts-session/file_groupownership_home_directories/rule.yml
-index d58884235e..1c5ac8d099 100644
---- a/linux_os/guide/system/accounts/accounts-session/file_groupownership_home_directories/rule.yml
-+++ b/linux_os/guide/system/accounts/accounts-session/file_groupownership_home_directories/rule.yml
-@@ -26,6 +26,7 @@ references:
- disa: "366"
- srg: SRG-OS-000480-GPOS-00227
- stigid@rhel7: "020650"
-+ cis@rhel8: 6.2.8
-
- ocil_clause: 'the group ownership is incorrect'
-
-diff --git a/linux_os/guide/system/accounts/accounts-session/file_permissions_home_dirs/rule.yml b/linux_os/guide/system/accounts/accounts-session/file_permissions_home_dirs/rule.yml
-index 8812f9d123..27c190b5b1 100644
---- a/linux_os/guide/system/accounts/accounts-session/file_permissions_home_dirs/rule.yml
-+++ b/linux_os/guide/system/accounts/accounts-session/file_permissions_home_dirs/rule.yml
-@@ -22,11 +22,12 @@ rationale: |-
- to one another's home directories, this can be provided using
- groups or ACLs.
-
--severity: unknown
-+severity: medium
-
- identifiers:
- cce@rhel6: 26981-1
- cce@rhel7: 80201-7
-+ cce@rhel8: 84274-0
-
- references:
- disa: "225"
-@@ -37,6 +38,7 @@ references:
- cobit5: APO01.06,DSS05.04,DSS05.07,DSS06.02
- iso27001-2013: A.10.1.1,A.11.1.4,A.11.1.5,A.11.2.1,A.13.1.1,A.13.1.3,A.13.2.1,A.13.2.3,A.13.2.4,A.14.1.2,A.14.1.3,A.6.1.2,A.7.1.1,A.7.1.2,A.7.3.1,A.8.2.2,A.8.2.3,A.9.1.1,A.9.1.2,A.9.2.3,A.9.4.1,A.9.4.4,A.9.4.5
- cis-csc: 12,13,14,15,16,18,3,5
-+ cis@rhel8: 6.2.7
-
- ocil_clause: 'the user home directory is group-writable or world-readable'
-
-diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/rule.yml b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/rule.yml
-index 4c1e69020b..aa6e0905ae 100644
---- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/rule.yml
-+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/rule.yml
-@@ -31,7 +31,7 @@ references:
- anssi: NT28(R36)
- stigid@rhel6: "000135"
- srg@rhel6: SRG-OS-000206
-- cis: 4.2.1.3
-+ cis@rhel8: 4.2.1.3
- disa: "1314"
- nist: CM-6(a),AC-6(1)
- pcidss: Req-10.5.1,Req-10.5.2
-diff --git a/linux_os/guide/system/logging/log_rotation/ensure_logrotate_activated/rule.yml b/linux_os/guide/system/logging/log_rotation/ensure_logrotate_activated/rule.yml
-index def9566692..2c41a3b9ef 100644
---- a/linux_os/guide/system/logging/log_rotation/ensure_logrotate_activated/rule.yml
-+++ b/linux_os/guide/system/logging/log_rotation/ensure_logrotate_activated/rule.yml
-@@ -35,6 +35,7 @@ references:
- cobit5: APO11.04,BAI03.05,DSS05.04,DSS05.07,MEA02.01
- iso27001-2013: A.12.4.1,A.12.4.2,A.12.4.3,A.12.4.4,A.12.7.1
- cis-csc: 1,14,15,16,3,5,6
-+ cis@rhel8: 4.3
- anssi: NT28(R43),NT12(R18)
-
- ocil_clause: 'logrotate is not configured to run daily'
-
-diff --git
a/linux_os/guide/system/logging/package_rsyslog_installed/rule.yml b/linux_os/guide/system/logging/package_rsyslog_installed/rule.yml
-index 9f00dd9704..00fecf8a3c 100644
---- a/linux_os/guide/system/logging/package_rsyslog_installed/rule.yml
-+++ b/linux_os/guide/system/logging/package_rsyslog_installed/rule.yml
-@@ -18,7 +18,7 @@ identifiers:
- references:
- cis@debian8: 5.1.1
- anssi: NT28(R5),NT28(R46)
-- cis: 4.2.3
-+ cis@rhel8: 4.2.1.1
- disa: 1311,1312
- hipaa: 164.312(a)(2)(ii)
- iso27001-2013: A.12.4.1,A.12.4.2,A.12.4.3,A.12.4.4,A.12.7.1
-diff --git a/linux_os/guide/system/logging/rsyslog_accepting_remote_messages/rsyslog_nolisten/rule.yml b/linux_os/guide/system/logging/rsyslog_accepting_remote_messages/rsyslog_nolisten/rule.yml
-index 8a5a15e1da..14e729252c 100644
---- a/linux_os/guide/system/logging/rsyslog_accepting_remote_messages/rsyslog_nolisten/rule.yml
-+++ b/linux_os/guide/system/logging/rsyslog_accepting_remote_messages/rsyslog_nolisten/rule.yml
-@@ -26,6 +26,7 @@ severity: medium
- identifiers:
- cce@rhel6: 26803-7
- cce@rhel7: 80192-8
-+ cce@rhel8: 84275-7
-
- references:
- stigid@ol7: "031010"
-@@ -39,3 +40,4 @@ references:
- iso27001-2013: A.10.1.1,A.11.1.4,A.11.1.5,A.11.2.1,A.12.1.1,A.12.1.2,A.12.4.1,A.12.4.2,A.12.4.3,A.12.4.4,A.12.5.1,A.12.6.2,A.12.7.1,A.13.1.1,A.13.1.2,A.13.1.3,A.13.2.1,A.13.2.2,A.13.2.3,A.13.2.4,A.14.1.2,A.14.1.3,A.14.2.2,A.14.2.3,A.14.2.4,A.6.1.2,A.7.1.1,A.7.1.2,A.7.3.1,A.8.2.2,A.8.2.3,A.9.1.1,A.9.1.2,A.9.2.3,A.9.4.1,A.9.4.4,A.9.4.5
- cis-csc: 1,11,12,13,14,15,16,18,3,4,5,6,8,9
- stigid@rhel7: "031010"
-+ cis@rhel8: 4.2.1.6
-diff --git a/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/rule.yml b/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/rule.yml
-index 7b70b0c186..da28b99561 100644
---- a/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/rule.yml
-+++
b/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/rule.yml
-@@ -46,8 +46,8 @@ references:
- anssi: NT28(R7),NT28(R43),NT12(R5)
- stigid@rhel6: "000136"
- srg@rhel6: SRG-OS-000043,SRG-OS-000215
-- cis: 4.2.1.4
-- disa: 136,366,1348,1851
-+ cis@rhel8: 4.2.1.5
-+ disa: 366,1348,136,1851
- hipaa: 164.308(a)(1)(ii)(D),164.308(a)(5)(ii)(B),164.308(a)(5)(ii)(C),164.308(a)(6)(ii),164.308(a)(8),164.310(d)(2)(iii),164.312(b),164.314(a)(2)(i)(C),164.314(a)(2)(iii)
- iso27001-2013: A.12.1.3,A.12.4.1,A.12.4.2,A.12.4.3,A.12.4.4,A.12.7.1,A.17.2.1
- nist: CM-6(a),AU-4(1),AU-9(2)
-diff --git a/linux_os/guide/system/logging/service_rsyslog_enabled/rule.yml b/linux_os/guide/system/logging/service_rsyslog_enabled/rule.yml
-index ce8347c686..92fd6bc4d8 100644
---- a/linux_os/guide/system/logging/service_rsyslog_enabled/rule.yml
-+++ b/linux_os/guide/system/logging/service_rsyslog_enabled/rule.yml
-@@ -20,7 +20,7 @@ identifiers:
- references:
- cis@debian8: 5.1.2
- anssi: NT28(R5),NT28(R46)
-- cis: 4.2.1.1
-+ cis@rhel8: 4.2.1.2
- disa: 1311,1312,1557,1851
- hipaa: 164.312(a)(2)(ii)
- iso27001-2013: A.12.1.3,A.12.4.1,A.12.4.2,A.12.4.3,A.12.4.4,A.12.7.1,A.14.2.7,A.15.2.1,A.15.2.2,A.17.2.1
-diff --git a/rhel8/profiles/cis.profile b/rhel8/profiles/cis.profile
-index cc0c2a5b9a..528f17d696 100644
---- a/rhel8/profiles/cis.profile
-+++ b/rhel8/profiles/cis.profile
-@@ -602,87 +602,88 @@ selections:
-
- ### 4.1.9 Ensure discretionary access control permission modification
- ### events are collected (Scored)
--
-+ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5509
-
- ### 4.1.10 Ensure unsuccessful unauthorized file access attempts are
- ### collected (Scored)
--
-+ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5510
-
- ### 4.1.11 Ensure events that modify user/group information are
- ### collected (Scored)
--
-+ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5511
-
- ### 4.1.12 Ensure successful file
system mounts are collected (Scored)
--
-+ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5512
-
- ### 4.1.13 Ensure use of privileged commands is collected (Scored)
--
-+ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5513
-
- ### 4.1.14 Ensure file deletion events by users are collected
- ### (Scored)
--
-+ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5514
-
- ### 4.1.15 Ensure kernel module loading and unloading is collected
- ### (Scored)
--
-+ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5515
-
- ### 4.1.16 Ensure system administrator actions (sudolog) are
- ### collected (Scored)
--
-+ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5516
-
- ### 4.1.17 Ensure the audit configuration is immutable (Scored)
--
-+ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5517
-
- ## 4.2 Configure Logging
-
- ### 4.2.1 Configure rsyslog
-
- #### 4.2.1.1 Ensure rsyslog is installed (Scored)
--
-+ - package_rsyslog_installed
-
- #### 4.2.1.2 Ensure rsyslog Service is enabled (Scored)
--
-+ - service_rsyslog_enabled
-
- #### 4.2.1.3 Ensure rsyslog default file permissions configured (Scored)
--
-+ - rsyslog_files_permissions
-
- #### 4.2.1.4 Ensure logging is configured (Not Scored)
--
-+ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5519
-
- #### 4.2.1.5 Ensure rsyslog is configured to send logs to a remote
- #### log host (Scored)
--
-+ - rsyslog_remote_loghost
-
- #### 4.2.1.6 Ensure remote rsyslog messages are only accepted on
- #### designated log hosts (Not Scored)
--
-+ - rsyslog_nolisten
-
- ### 4.2.2 Configure journald
-
- #### 4.2.2.1 Ensure journald is configured to send logs to
- #### rsyslog (Scored)
--
-+ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5520
-
- #### 4.2.2.2 Ensure journald is configured to compress large
- #### log files (Scored)
-+ # NEEDS RULE -
https://github.com/ComplianceAsCode/content/issues/5521
-
-
- #### 4.2.2.3 Ensure journald is configured to write logfiles to
- #### persistent disk (Scored)
--
-+ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5522
-
- ### 4.2.3 Ensure permissions on all logfiles are configured (Scored)
--
-+ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5523
-
- ## 4.3 Ensure logrotate is conifgured (Not Scored)
--
-+ - ensure_logrotate_activated
-
- # 5 Access, Authentication and Authorization
-
- ## 5.1 Configure cron
-
--
- ### 5.1.1 Ensure cron daemon is enabled (Scored)
-+ - service_crond_enabled
-
-
- ### 5.1.2 Ensure permissions on /etc/crontab are configured (Scored)
-@@ -790,19 +791,19 @@ selections:
-
- ### 5.2.14 Ensure SSH LoginGraceTime is set to one minute
- ### or less (Scored)
--
-+ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5525
-
- ### 5.2.15 Ensure SSH warning banner is configured (Scored)
- - sshd_enable_warning_banner
-
- ### 5.2.16 Ensure SSH PAM is enabled (Scored)
--
-+ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5526
-
- ### 5.2.17 Ensure SSH AllowTcpForwarding is disabled (Scored)
- - sshd_disable_tcp_forwarding
-
- ### 5.2.18 Ensure SSH MaxStarups is configured (Scored)
--
-+ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5528
-
- ### 5.2.19 Ensure SSH MaxSessions is set to 4 or less (Scored)
- - sshd_set_max_sessions
-@@ -815,69 +816,75 @@ selections:
-
-
- ### 5.3.1 Create custom authselectet profile (Scored)
--
-+ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5530
-
- ### 5.3.2 Select authselect profile (Scored)
--
-+ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5531
-
- ### 5.3.3 Ensure authselect includes with-faillock (Scored)
--
-+ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5532
-
- ## 5.4 Configure PAM
-
- ### 5.4.1 Ensure password creation requirements are configured (Scored)
-
-+ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5533
-
- ### 5.4.2 Ensure lockout for failed password attempts is
- ### configured (Scored)
--
-+ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5534
-
- ### 5.4.3 Ensure password reuse is limited (Scored)
--
-+ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5535
-
- ### 5.4.4 Ensure password hashing algorithm is SHA-512 (Scored)
--
-+ - set_password_hashing_algorithm_systemauth
-
- ## 5.5 User Accounts and Environment
-
- ### 5.5.1 Set Shadow Password Suite Parameters
-
- #### 5.5.1 Ensure password expiration is 365 days or less (Scored)
--
-+ - var_accounts_maximum_age_login_defs=365
-+ - accounts_maximum_age_login_defs
-
- #### 5.5.1.2 Ensure minimum days between password changes is 7
- #### or more (Scored)
--
-+ - var_accounts_minimum_age_login_defs=7
-+ - accounts_minimum_age_login_defs
-
- #### 5.5.1.3 Ensure password expiration warning days is
- #### 7 or more (Scored)
--
-+ - var_accounts_password_warn_age_login_defs=7
-+ - accounts_password_warn_age_login_defs
-
- #### 5.5.1.4 Ensure inactive password lock is 30 days or less (Scored)
--
-+ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5536
-
- #### 5.5.1.5 Ensure all users last password change date is
- #### in the past (Scored)
--
-+ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5537
-
- ### 5.5.2 Ensure system accounts are secured (Scored)
--
-+ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5538
-
- ### 5.5.3 Ensure default user shell timeout is 900 seconds
- ### or less (Scored)
--
-+ - var_accounts_tmout=15_min
-+ - accounts_tmout
-
- ### 5.5.4 Ensure default group for the root account is
- ### GID 0 (Scored)
--
-+ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5539
-
- ### 5.5.5 Ensure default user mask is 027 or more restrictive (Scored)
--
-+ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5540
-
-
## 5.6 Ensure root login is restricted to system console (Not Scored) -- -+ - securetty_root_login_console_only -+ - no_direct_root_logins - - ## 5.7 Ensure access to the su command is restricted (Scored) -+ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5541 - - # System Maintenance - -@@ -971,8 +978,58 @@ selections: - ### 6.2.2 Ensure no legacy "+" entries exist in /etc/passwd (Scored) - - no_legacy_plus_entries_etc_passwd - -- ## 6.2.4 Ensure no legacy "+" entries exist in /etc/shadow (Scored) -+ ### 6.2.4 Ensure no legacy "+" entries exist in /etc/shadow (Scored) - - no_legacy_plus_entries_etc_shadow - -- ###6.2.5 Ensure no legacy "+" entries exist in /etc/group (Scored) -+ ### 6.2.5 Ensure no legacy "+" entries exist in /etc/group (Scored) - - no_legacy_plus_entries_etc_group -+ -+ ### 6.2.6 Ensure root is the only UID 0 account (Scored) -+ - accounts_no_uid_except_zero -+ -+ ### 6.2.7 Ensure users' home directories permissions are 750 -+ ### or more restrictive (Scored) -+ - file_permissions_home_dirs -+ -+ ### 6.2.8 Ensure users own their home directories (Scored) -+ # NEEDS RULE for user owner @ https://github.com/ComplianceAsCode/content/issues/5507 -+ - file_groupownership_home_directories -+ -+ ### 6.2.9 Ensure users' dot files are not group or world -+ ### writable (Scored) -+ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5506 -+ -+ ### 6.2.10 Ensure no users have .forward files (Scored) -+ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5505 -+ -+ ### 6.2.11 Ensure no users have .netrc files (Scored) -+ - no_netrc_files -+ -+ ### 6.2.12 Ensure users' .netrc Files are not group or -+ ### world accessible (Scored) -+ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5504 -+ -+ ### 6.2.13 Ensure no users have .rhosts files (Scored) -+ - no_rsh_trust_files -+ -+ ### 6.2.14 Ensure all groups in /etc/passwd exist in -+ ### /etc/group (Scored) -+ # NEEDS RULE - 
https://github.com/ComplianceAsCode/content/issues/5503 -+ -+ ### 6.2.15 Ensure no duplicate UIDs exist (Scored) -+ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5502 -+ -+ ### 6.2.16 Ensure no duplicate GIDs exist (Scored) -+ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5501 -+ -+ ### 6.2.17 Ensure no duplicate user names exist (Scored) -+ - account_unique_name -+ -+ ### 6.2.18 Ensure no duplicate group names exist (Scored) -+ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5500 -+ -+ ### 6.2.19 Ensure shadow group is empty (Scored) -+ # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5499 -+ -+ ### 6.2.20 Ensure all users' home directories exist (Scored) -+ - accounts_user_interactive_home_directory_exists -diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt -index feb31b0395..9e7bd35178 100644 ---- a/shared/references/cce-redhat-avail.txt -+++ b/shared/references/cce-redhat-avail.txt -@@ -901,8 +901,6 @@ CCE-84270-8 - CCE-84271-6 - CCE-84272-4 - CCE-84273-2 --CCE-84274-0 --CCE-84275-7 - CCE-84276-5 - CCE-84277-3 - CCE-84278-1 - -From c8a19c84dad5165ece50f6148646f9bbc8c4c3fd Mon Sep 17 00:00:00 2001 -From: Shawn Wells -Date: Sat, 25 Apr 2020 18:52:21 -0400 -Subject: [PATCH 02/20] misc cis8 updates - ---- - .../accounts_users_home_files_ownership/rule.yml | 1 + - .../logging/log_rotation/ensure_logrotate_activated/rule.yml | 2 +- - 2 files changed, 2 insertions(+), 1 deletion(-) - -diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_ownership/rule.yml b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_ownership/rule.yml -index a9c73e46ac..8e225cdc64 100644 ---- a/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_ownership/rule.yml -+++ b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_ownership/rule.yml -@@ -24,6 +24,7 @@ references: - 
stigid@ol7: "020660" - disa: "366" - srg: SRG-OS-000480-GPOS-00227 -+ cis@rhel8: 6.2.8 - stigid@rhel7: "020660" - - ocil_clause: 'the user ownership is incorrect' -diff --git a/linux_os/guide/system/logging/log_rotation/ensure_logrotate_activated/rule.yml b/linux_os/guide/system/logging/log_rotation/ensure_logrotate_activated/rule.yml -index 2c41a3b9ef..6e569edfa9 100644 ---- a/linux_os/guide/system/logging/log_rotation/ensure_logrotate_activated/rule.yml -+++ b/linux_os/guide/system/logging/log_rotation/ensure_logrotate_activated/rule.yml -@@ -35,7 +35,7 @@ references: - cobit5: APO11.04,BAI03.05,DSS05.04,DSS05.07,MEA02.01 - iso27001-2013: A.12.4.1,A.12.4.2,A.12.4.3,A.12.4.4,A.12.7.1 - cis-csc: 1,14,15,16,3,5,6 -- cis@rhel8: 4.3 -+ cis@rhel8: "4.3" - anssi: NT28(R43),NT12(R18) - - ocil_clause: 'logrotate is not configured to run daily' - -From f8d80a55f0cd6bf3b9bf5b75ba037466b7fc89c8 Mon Sep 17 00:00:00 2001 -From: Watson Sato -Date: Tue, 19 May 2020 22:32:44 +0200 -Subject: [PATCH 03/20] Add auxiliary rule for dconf settings - ---- - rhel8/profiles/cis.profile | 2 ++ - 1 file changed, 2 insertions(+) - -diff --git a/rhel8/profiles/cis.profile b/rhel8/profiles/cis.profile -index 528f17d696..202db7f693 100644 ---- a/rhel8/profiles/cis.profile -+++ b/rhel8/profiles/cis.profile -@@ -8,6 +8,8 @@ description: |- - 09-30-2019. 
- - selections: -+ # Necessary for dconf rules -+ - dconf_db_up_to_date - - ### Partitioning - - mount_option_home_nodev - -From 865fe310e82a1eb0fc0c37c8de253dc7171abae7 Mon Sep 17 00:00:00 2001 -From: Watson Sato -Date: Tue, 19 May 2020 22:43:20 +0200 -Subject: [PATCH 04/20] Update time synchonization rule selections - -In RHEL8, only chrony is available ---- - rhel8/profiles/cis.profile | 6 ++++-- - 1 file changed, 4 insertions(+), 2 deletions(-) - -diff --git a/rhel8/profiles/cis.profile b/rhel8/profiles/cis.profile -index 202db7f693..762d4a04e3 100644 ---- a/rhel8/profiles/cis.profile -+++ b/rhel8/profiles/cis.profile -@@ -256,10 +256,12 @@ selections: - ### 2.2.1 Time Synchronization - - #### 2.2.1.1 Ensure time synchronization is in use (Not Scored) -- - service_chronyd_or_ntpd_enabled -+ - package_chrony_installed - - #### 2.2.1.2 Ensure chrony is configured (Scored) -- - chronyd_or_ntpd_specify_remote_server -+ - service_chronyd_enabled -+ - chronyd_specify_remote_server -+ - chronyd_run_as_chrony_user - - ### 2.2.2 Ensure X Window System is not installed (Scored) - - package_xorg-x11-server-common_removed - -From a515b26c5af850dbc7917807397668df8a076249 Mon Sep 17 00:00:00 2001 -From: Watson Sato -Date: Tue, 19 May 2020 22:49:55 +0200 -Subject: [PATCH 05/20] Select sysctl rules for secure ICMp redirects - -Fixes: #5234 -Fixes: #5235 ---- - rhel8/profiles/cis.profile | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/rhel8/profiles/cis.profile b/rhel8/profiles/cis.profile -index 762d4a04e3..3a8e19259b 100644 ---- a/rhel8/profiles/cis.profile -+++ b/rhel8/profiles/cis.profile -@@ -371,14 +371,14 @@ selections: - - sysctl_net_ipv6_conf_all_accept_redirects - - #### net.ipv6.conf.defaults.accept_redirects = 0 -- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5234 -+ - sysctl_net_ipv6_conf_default_accept_redirects - - ### 3.2.3 Ensure secure ICMP redirects are not accepted (Scored) - #### 
net.ipv4.conf.all.secure_redirects = 0 - - sysctl_net_ipv4_conf_all_secure_redirects - - #### net.ipv4.cof.default.secure_redirects = 0 -- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5235 -+ - sysctl_net_ipv4_conf_default_secure_redirects - - ### 3.2.4 Ensure suspicious packets are logged (Scored) - #### net.ipv4.conf.all.log_martians = 1 - -From d14ce8e0ab8c39282883520bb141919af379d0fa Mon Sep 17 00:00:00 2001 -From: Watson Sato -Date: Tue, 19 May 2020 23:02:09 +0200 -Subject: [PATCH 06/20] Select Audit DAC rules for RHEL8 CIS - -Fixes: #5509 ---- - rhel8/profiles/cis.profile | 14 +++++++++++++- - 1 file changed, 13 insertions(+), 1 deletion(-) - -diff --git a/rhel8/profiles/cis.profile b/rhel8/profiles/cis.profile -index 3a8e19259b..a990de4565 100644 ---- a/rhel8/profiles/cis.profile -+++ b/rhel8/profiles/cis.profile -@@ -606,7 +606,19 @@ selections: - - ### 4.1.9 Ensure discretionary access control permission modification - ### events are collected (Scored) -- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5509 -+ - audit_rules_dac_modification_chmod -+ - audit_rules_dac_modification_fchmod -+ - audit_rules_dac_modification_fchmodat -+ - audit_rules_dac_modification_chown -+ - audit_rules_dac_modification_fchown -+ - audit_rules_dac_modification_fchownat -+ - audit_rules_dac_modification_lchown -+ - audit_rules_dac_modification_setxattr -+ - audit_rules_dac_modification_lsetxattr -+ - audit_rules_dac_modification_fsetxattr -+ - audit_rules_dac_modification_removexattr -+ - audit_rules_dac_modification_lremovexattr -+ - audit_rules_dac_modification_fremovexattr - - ### 4.1.10 Ensure unsuccessful unauthorized file access attempts are - ### collected (Scored) - -From aec372e7bd05b3ed470f188952dbf11a6ae123ad Mon Sep 17 00:00:00 2001 -From: Watson Sato -Date: Tue, 19 May 2020 23:07:34 +0200 -Subject: [PATCH 07/20] Select rules for unsuccessful modification - -Fixes: #5510 ---- - rhel8/profiles/cis.profile | 8 +++++++- - 1 file 
changed, 7 insertions(+), 1 deletion(-) - -diff --git a/rhel8/profiles/cis.profile b/rhel8/profiles/cis.profile -index a990de4565..db54d9ece5 100644 ---- a/rhel8/profiles/cis.profile -+++ b/rhel8/profiles/cis.profile -@@ -622,7 +622,13 @@ selections: - - ### 4.1.10 Ensure unsuccessful unauthorized file access attempts are - ### collected (Scored) -- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5510 -+ - audit_rules_unsuccessful_file_modification_creat -+ - audit_rules_unsuccessful_file_modification_open -+ - audit_rules_unsuccessful_file_modification_openat -+ - audit_rules_unsuccessful_file_modification_truncate -+ - audit_rules_unsuccessful_file_modification_ftruncate -+ # Opinionated selection -+ - audit_rules_unsuccessful_file_modification_open_by_handle_at - - ### 4.1.11 Ensure events that modify user/group information are - ### collected (Scored) - -From 69493775c8a5b140f55802f7dca84c659662039c Mon Sep 17 00:00:00 2001 -From: Watson Sato -Date: Tue, 19 May 2020 23:10:45 +0200 -Subject: [PATCH 08/20] Select rules for user/group modification - -Fixes: #5511 ---- - rhel8/profiles/cis.profile | 6 +++++- - 1 file changed, 5 insertions(+), 1 deletion(-) - -diff --git a/rhel8/profiles/cis.profile b/rhel8/profiles/cis.profile -index db54d9ece5..f8ec16b9a8 100644 ---- a/rhel8/profiles/cis.profile -+++ b/rhel8/profiles/cis.profile -@@ -632,7 +632,11 @@ selections: - - ### 4.1.11 Ensure events that modify user/group information are - ### collected (Scored) -- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5511 -+ - audit_rules_usergroup_modification_passwd -+ - audit_rules_usergroup_modification_group -+ - audit_rules_usergroup_modification_gshadow -+ - audit_rules_usergroup_modification_shadow -+ - audit_rules_usergroup_modification_opasswd - - ### 4.1.12 Ensure successful file system mounts are collected (Scored) - # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5512 - -From 
86c35876312882a861d253e13d31ff5bfc32630b Mon Sep 17 00:00:00 2001 -From: Watson Sato -Date: Tue, 19 May 2020 23:12:58 +0200 -Subject: [PATCH 09/20] Audit successful system mounts - -Fixes: #5512 ---- - rhel8/profiles/cis.profile | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/rhel8/profiles/cis.profile b/rhel8/profiles/cis.profile -index f8ec16b9a8..e4f5313e3e 100644 ---- a/rhel8/profiles/cis.profile -+++ b/rhel8/profiles/cis.profile -@@ -639,7 +639,7 @@ selections: - - audit_rules_usergroup_modification_opasswd - - ### 4.1.12 Ensure successful file system mounts are collected (Scored) -- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5512 -+ - audit_rules_media_export - - ### 4.1.13 Ensure use of privileged commands is collected (Scored) - # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5513 - -From ea7ef606c881fdddecfef036383fbd0718950162 Mon Sep 17 00:00:00 2001 -From: Watson Sato -Date: Tue, 19 May 2020 23:14:21 +0200 -Subject: [PATCH 10/20] Audit privileged commands - -Fixes: #5513 ---- - rhel8/profiles/cis.profile | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/rhel8/profiles/cis.profile b/rhel8/profiles/cis.profile -index e4f5313e3e..087dd79bb5 100644 ---- a/rhel8/profiles/cis.profile -+++ b/rhel8/profiles/cis.profile -@@ -642,7 +642,7 @@ selections: - - audit_rules_media_export - - ### 4.1.13 Ensure use of privileged commands is collected (Scored) -- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5513 -+ - audit_rules_privileged_commands - - ### 4.1.14 Ensure file deletion events by users are collected - ### (Scored) - -From 16d84540566c8fa6d9f6880f3f1fe04edf97b822 Mon Sep 17 00:00:00 2001 -From: Watson Sato -Date: Tue, 19 May 2020 23:15:49 +0200 -Subject: [PATCH 11/20] Audit file deletion events - -Fixes: #5514 ---- - rhel8/profiles/cis.profile | 7 ++++++- - 1 file changed, 6 insertions(+), 1 deletion(-) - -diff --git a/rhel8/profiles/cis.profile 
b/rhel8/profiles/cis.profile -index 087dd79bb5..ca42f24190 100644 ---- a/rhel8/profiles/cis.profile -+++ b/rhel8/profiles/cis.profile -@@ -646,7 +646,12 @@ selections: - - ### 4.1.14 Ensure file deletion events by users are collected - ### (Scored) -- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5514 -+ - audit_rules_file_deletion_events_unlink -+ - audit_rules_file_deletion_events_unlinkat -+ - audit_rules_file_deletion_events_rename -+ - audit_rules_file_deletion_events_renameat -+ # Opinionated selection -+ - audit_rules_file_deletion_events_rmdir - - ### 4.1.15 Ensure kernel module loading and unloading is collected - ### (Scored) - -From 8377e1d574a9d0388c0847177f11afe83af3a30f Mon Sep 17 00:00:00 2001 -From: Watson Sato -Date: Tue, 19 May 2020 23:16:33 +0200 -Subject: [PATCH 12/20] Audit kernel module loads - -Fixes: #5515 ---- - rhel8/profiles/cis.profile | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/rhel8/profiles/cis.profile b/rhel8/profiles/cis.profile -index ca42f24190..5e214941ec 100644 ---- a/rhel8/profiles/cis.profile -+++ b/rhel8/profiles/cis.profile -@@ -655,7 +655,7 @@ selections: - - ### 4.1.15 Ensure kernel module loading and unloading is collected - ### (Scored) -- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5515 -+ - audit_rules_kernel_module_loading - - ### 4.1.16 Ensure system administrator actions (sudolog) are - ### collected (Scored) - -From 7d62c009987be550d074f8e7cacd2e843d1e3061 Mon Sep 17 00:00:00 2001 -From: Watson Sato -Date: Tue, 19 May 2020 23:17:52 +0200 -Subject: [PATCH 13/20] Audit rules should be immutable - -Fixes: #5517 ---- - rhel8/profiles/cis.profile | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/rhel8/profiles/cis.profile b/rhel8/profiles/cis.profile -index 5e214941ec..a0fdd69869 100644 ---- a/rhel8/profiles/cis.profile -+++ b/rhel8/profiles/cis.profile -@@ -662,7 +662,7 @@ selections: - # NEEDS RULE - 
https://github.com/ComplianceAsCode/content/issues/5516 - - ### 4.1.17 Ensure the audit configuration is immutable (Scored) -- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5517 -+ - audit_rules_immutable - - ## 4.2 Configure Logging - - -From 02e2a9744bd9eb969b46b18d4824fae65d5764f3 Mon Sep 17 00:00:00 2001 -From: Watson Sato -Date: Tue, 19 May 2020 23:31:10 +0200 -Subject: [PATCH 14/20] Select rules for password requirements - -Related to: #5533 ---- - rhel8/profiles/cis.profile | 7 ++++++- - 1 file changed, 6 insertions(+), 1 deletion(-) - -diff --git a/rhel8/profiles/cis.profile b/rhel8/profiles/cis.profile -index a0fdd69869..a55c3291a9 100644 ---- a/rhel8/profiles/cis.profile -+++ b/rhel8/profiles/cis.profile -@@ -858,7 +858,12 @@ selections: - ## 5.4 Configure PAM - - ### 5.4.1 Ensure password creation requirements are configured (Scored) -- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5533 -+ # NEEDS RULE: try_first_pass - https://github.com/ComplianceAsCode/content/issues/5533 -+ - accounts_password_pam_retry -+ - var_password_pam_minlen=14 -+ - accounts_password_pam_minlen -+ - var_password_pam_minclass=4 -+ - accounts_password_pam_minclass - - ### 5.4.2 Ensure lockout for failed password attempts is - ### configured (Scored) - -From bec97effc13e0056cbcdc939620e78669558f9a4 Mon Sep 17 00:00:00 2001 -From: Watson Sato -Date: Tue, 19 May 2020 23:35:50 +0200 -Subject: [PATCH 15/20] Configure password lockout - -Fixes: #5534 ---- - rhel8/profiles/cis.profile | 5 ++++- - 1 file changed, 4 insertions(+), 1 deletion(-) - -diff --git a/rhel8/profiles/cis.profile b/rhel8/profiles/cis.profile -index a55c3291a9..6e10c2efcb 100644 ---- a/rhel8/profiles/cis.profile -+++ b/rhel8/profiles/cis.profile -@@ -867,7 +867,10 @@ selections: - - ### 5.4.2 Ensure lockout for failed password attempts is - ### configured (Scored) -- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5534 -+ - 
var_accounts_passwords_pam_faillock_unlock_time=900 -+ - var_accounts_passwords_pam_faillock_deny=5 -+ - accounts_passwords_pam_faillock_unlock_time -+ - accounts_passwords_pam_faillock_deny - - ### 5.4.3 Ensure password reuse is limited (Scored) - # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5535 - -From 73a087ed0b13bb73f1e60792c4d2e3c3aa944cd9 Mon Sep 17 00:00:00 2001 -From: Watson Sato -Date: Tue, 19 May 2020 23:38:58 +0200 -Subject: [PATCH 16/20] Configure password reuse - -Fixes: #5535 ---- - rhel8/profiles/cis.profile | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - -diff --git a/rhel8/profiles/cis.profile b/rhel8/profiles/cis.profile -index 6e10c2efcb..2fa85d8676 100644 ---- a/rhel8/profiles/cis.profile -+++ b/rhel8/profiles/cis.profile -@@ -873,7 +873,8 @@ selections: - - accounts_passwords_pam_faillock_deny - - ### 5.4.3 Ensure password reuse is limited (Scored) -- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5535 -+ - var_password_pam_unix_remember=5 -+ - accounts_password_pam_unix_remember - - ### 5.4.4 Ensure password hashing algorithm is SHA-512 (Scored) - - set_password_hashing_algorithm_systemauth - -From 4307123e1889359b1c444d55a9b221bc5b3f7970 Mon Sep 17 00:00:00 2001 -From: Watson Sato -Date: Tue, 19 May 2020 23:43:04 +0200 -Subject: [PATCH 17/20] Select rule to check useradd INACTIVE setting - -Related to: #5536 ---- - rhel8/profiles/cis.profile | 5 ++++- - 1 file changed, 4 insertions(+), 1 deletion(-) - -diff --git a/rhel8/profiles/cis.profile b/rhel8/profiles/cis.profile -index 2fa85d8676..e0fd5e1492 100644 ---- a/rhel8/profiles/cis.profile -+++ b/rhel8/profiles/cis.profile -@@ -898,7 +898,10 @@ selections: - - accounts_password_warn_age_login_defs - - #### 5.5.1.4 Ensure inactive password lock is 30 days or less (Scored) -- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5536 -+ # TODO: Rule doesn't check list of users -+ # 
https://github.com/ComplianceAsCode/content/issues/5536 -+ - var_account_disable_post_pw_expiration=30 -+ - account_disable_post_pw_expiration - - #### 5.5.1.5 Ensure all users last password change date is - #### in the past (Scored) - -From 07752fbac033400946c29fe6cbfe553913e4a96c Mon Sep 17 00:00:00 2001 -From: Watson Sato -Date: Tue, 19 May 2020 23:46:48 +0200 -Subject: [PATCH 18/20] No shelllogin for system accounts - -Fixes: #5538 ---- - rhel8/profiles/cis.profile | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/rhel8/profiles/cis.profile b/rhel8/profiles/cis.profile -index e0fd5e1492..0431fb0d45 100644 ---- a/rhel8/profiles/cis.profile -+++ b/rhel8/profiles/cis.profile -@@ -908,7 +908,7 @@ selections: - # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5537 - - ### 5.5.2 Ensure system accounts are secured (Scored) -- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5538 -+ - no_shelllogin_for_systemaccounts - - ### 5.5.3 Ensure default user shell timeout is 900 seconds - ### or less (Scored) - -From e46c2cfb8541f559b234df9a8a478494db46e785 Mon Sep 17 00:00:00 2001 -From: Watson Sato -Date: Tue, 19 May 2020 23:54:07 +0200 -Subject: [PATCH 19/20] Partially cover umask requirements - -Related to: #5540 ---- - rhel8/profiles/cis.profile | 4 +++- - 1 file changed, 3 insertions(+), 1 deletion(-) - -diff --git a/rhel8/profiles/cis.profile b/rhel8/profiles/cis.profile -index 0431fb0d45..f332ee5462 100644 ---- a/rhel8/profiles/cis.profile -+++ b/rhel8/profiles/cis.profile -@@ -920,7 +920,9 @@ selections: - # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5539 - - ### 5.5.5 Ensure default user mask is 027 or more restrictive (Scored) -- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5540 -+ - var_accounts_user_umask=027 -+ - accounts_umask_etc_bashrc -+ - accounts_umask_etc_profile - - ## 5.6 Ensure root login is restricted to system console (Not Scored) - - 
securetty_root_login_console_only - -From 586cedfb95523acbe0c0c92953851d6536c29230 Mon Sep 17 00:00:00 2001 -From: Watson Sato -Date: Tue, 19 May 2020 22:31:16 +0200 -Subject: [PATCH 20/20] account_unique_name: Improve description, rationale and - OCIL - ---- - .../account_unique_name/rule.yml | 19 +++++++++---------- - 1 file changed, 9 insertions(+), 10 deletions(-) - -diff --git a/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_unique_name/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_unique_name/rule.yml -index 35652a410b..909f1b6657 100644 ---- a/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_unique_name/rule.yml -+++ b/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_unique_name/rule.yml -@@ -3,14 +3,13 @@ documentation_complete: true - title: 'Ensure All Accounts on the System Have Unique Names' - - description: |- -- Although the useradd utility prevents creation of duplicate user -- names, it is possible for a malicious administrator to manually edit the -- /etc/passwd file and change the user name. -+ Ensure accounts on the system have unique names. - --rationale: |- -- If a user is assigned a duplicate user name, the new user will be able to -- create and have access to files with the first UID for that username as -- defined in /etc/passwd. -+ To ensure all accounts have unique names, run the following command: -+
$ sudo getent passwd | awk -F: '{ print $1}' | uniq -d
-+ If a username is returned, change or delete the username. -+ -+rationale: 'Unique usernames allow for accountability on the system.' - - severity: medium - -@@ -30,6 +29,6 @@ references: - ocil_clause: 'a line is returned' - - ocil: |- -- Run the following command to check for duplicate account names: --
$ sudo pwck -qr
-- If there are no duplicate names, no line will be returned. -+ To verify all accounts have unique names, run the following command: -+
$ sudo getent passwd | awk -F: '{ print $1}' | uniq -d
-+ No output should be returned. diff --git a/SOURCES/scap-security-guide-0.1.52-fix_hipaa_description.patch b/SOURCES/scap-security-guide-0.1.52-fix_hipaa_description.patch deleted file mode 100644 index 801edff..0000000 --- a/SOURCES/scap-security-guide-0.1.52-fix_hipaa_description.patch +++ /dev/null @@ -1,43 +0,0 @@ -From 5a5b3bdead44bd24fb138bd7b9785d4e0809ff4b Mon Sep 17 00:00:00 2001 -From: Vojtech Polasek -Date: Tue, 28 Jul 2020 13:22:58 +0200 -Subject: [PATCH 1/2] update wording for rhel7 profile - ---- - rhel7/profiles/hipaa.profile | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/rhel7/profiles/hipaa.profile b/rhel7/profiles/hipaa.profile -index 4310561323..000441de52 100644 ---- a/rhel7/profiles/hipaa.profile -+++ b/rhel7/profiles/hipaa.profile -@@ -12,6 +12,7 @@ description: |- - - This profile configures Red Hat Enterprise Linux 7 to the HIPAA Security - Rule identified for securing of electronic protected health information. -+ Use of this profile in no way guarantees or makes claims against legal compliance against the HIPAA Security Rule(s). - - selections: - - grub2_password - -From 0c5cc87c4f8aaed8eb199b77440ae0dc64658e4a Mon Sep 17 00:00:00 2001 -From: Vojtech Polasek -Date: Tue, 28 Jul 2020 13:23:18 +0200 -Subject: [PATCH 2/2] update wording for rhel8 profile - ---- - rhel8/profiles/hipaa.profile | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/rhel8/profiles/hipaa.profile b/rhel8/profiles/hipaa.profile -index 8d20f9019c..0cb7fbed1f 100644 ---- a/rhel8/profiles/hipaa.profile -+++ b/rhel8/profiles/hipaa.profile -@@ -12,6 +12,7 @@ description: |- - - This profile configures Red Hat Enterprise Linux 8 to the HIPAA Security - Rule identified for securing of electronic protected health information. -+ Use of this profile in no way guarantees or makes claims against legal compliance against the HIPAA Security Rule(s). - - selections: - - grub2_password 
diff --git a/SOURCES/scap-security-guide-0.1.52-fix_scapval_call_PR_6005.patch b/SOURCES/scap-security-guide-0.1.52-fix_scapval_call_PR_6005.patch deleted file mode 100644 index 36b46ee..0000000 --- a/SOURCES/scap-security-guide-0.1.52-fix_scapval_call_PR_6005.patch +++ /dev/null 
@@ -1,52 +0,0 @@ -From 4c54b1cfb05961bde8248e03d27cabeca967e211 Mon Sep 17 00:00:00 2001 -From: Watson Sato -Date: Mon, 17 Aug 2020 10:59:15 +0200 -Subject: [PATCH] Remove SCAP-1.3 SCAPVAL workarounds - -These changes to the DS cause SRC-330 to fail in SCAPVAL-1.3.5. -In SCAPVAL-1.3.5 was fixed and these false positive workarounds are not -necessary anymore. ---- - tests/run_scapval.py | 26 -------------------------- - 1 file changed, 26 deletions(-) - -diff --git a/tests/run_scapval.py b/tests/run_scapval.py -index e1dd806ca1..bc2655b9fd 100755 ---- a/tests/run_scapval.py -+++ b/tests/run_scapval.py -@@ -46,35 +46,9 @@ def process_results(result_path): - return ret_val - - --def workaround_datastream(datastream_path): -- tree = ET.parse(datastream_path) -- root = tree.getroot() -- # group_id and user_id cannot be zero -- # tracked at https://github.com/OVAL-Community/OVAL/issues/23 -- for group_id_element in root.findall(".//{%s}group_id" % oval_unix_ns): -- if group_id_element.text is not None: -- group_id_element.text = "-1" -- for user_id_element in root.findall(".//{%s}user_id" % oval_unix_ns): -- if user_id_element.text is not None: -- user_id_element.text = "-1" -- # OCIL checks for security_patches_up_to_date is causing fail -- # of SRC-377, when requirement is about OVAL checks. 
-- rule_id = "xccdf_org.ssgproject.content_rule_security_patches_up_to_date" -- for rule in root.findall(".//{%s}Rule[@id=\"%s\"]" % (xccdf_ns, rule_id)): -- for check in rule.findall("{%s}check" % xccdf_ns): -- system = check.get("system") -- if system == "http://scap.nist.gov/schema/ocil/2": -- rule.remove(check) -- output_path = datastream_path + ".workaround.xml" -- tree.write(output_path) -- return output_path -- -- - def test_datastream(datastream_path, scapval_path, scap_version): - result_path = datastream_path + ".result.xml" - report_path = datastream_path + ".report.html" -- if scap_version == "1.3": -- datastream_path = workaround_datastream(datastream_path) - scapval_command = [ - "java", - "-Xmx1024m", diff --git a/SOURCES/scap-security-guide-0.1.52-harden-openssl-crypto-policy_PR_5925.patch b/SOURCES/scap-security-guide-0.1.52-harden-openssl-crypto-policy_PR_5925.patch deleted file mode 100644 index 4f0e114..0000000 --- a/SOURCES/scap-security-guide-0.1.52-harden-openssl-crypto-policy_PR_5925.patch +++ /dev/null 
@@ -1,408 +0,0 @@ -From 94ace689f800fde1453b986de02c1d0581174451 Mon Sep 17 00:00:00 2001 -From: Vojtech Polasek -Date: Wed, 8 Jul 2020 17:37:50 +0200 -Subject: [PATCH 1/9] create rule, check, bash remediation - ---- - .../bash/shared.sh | 9 +++++ - .../oval/shared.xml | 1 + - .../harden_openssl_crypto_policy/rule.yml | 33 +++++++++++++++++++ - shared/references/cce-redhat-avail.txt | 2 -- - 4 files changed, 43 insertions(+), 2 deletions(-) - create mode 100644 linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/bash/shared.sh - create mode 100644 linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/oval/shared.xml - create mode 100644 linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/rule.yml - -diff --git a/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/bash/shared.sh b/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/bash/shared.sh -new file mode 100644 -index 0000000000..9838a13c95 ---- /dev/null -+++ b/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/bash/shared.sh -@@ -0,0 +1,9 @@ -+# platform = Oracle Linux 8,Red Hat Enterprise Linux 8,Red Hat Virtualization 4,multi_platform_fedora -+ -+cp="Ciphersuites = TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256" -+file=/etc/crypto-policies/local.d/opensslcnf-ospp.config -+ -+#blank line at the begining to ease later readibility -+echo '' > "$file" -+echo "$cp" >> "$file" -+update-crypto-policies -diff --git a/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/oval/shared.xml b/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/oval/shared.xml -new file mode 100644 -index 0000000000..09199ce4da ---- /dev/null -+++ b/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/oval/shared.xml -@@ -0,0 +1 @@ -+{{{ 
oval_check_config_file(path="/etc/crypto-policies/back-ends/opensslcnf.config", prefix_regex="^(?:.*\\n)*\s*", parameter="Ciphersuites", value="TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256", separator_regex="=", ) }}} -diff --git a/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/rule.yml b/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/rule.yml -new file mode 100644 -index 0000000000..afbdb36a23 ---- /dev/null -+++ b/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/rule.yml -@@ -0,0 +1,32 @@ -+documentation_complete: true -+ -+prodtype: rhel8 -+ -+title: 'Harden OpenSSL Crypto Policy' -+ -+description: |- -+ Crypto Policies are means of enforcing certain cryptographic settings for selected applications including OpenSSL. -+ OPenSSL is by default configured to modify its configuration based on currently configured Crypto-Policy. However, in certain cases it might be needed to override the Crypto Policy specific to OpenSSL r and leave rest of the Crypto Policy intact. -+ This can be done by dropping a file named opensslcnf-xxx.config, replacing xxx with arbitrary identifier, into /etc/crypto-policies/local.d. This has to be followed by running update-crypto-policies so that changes are applied. -+ Changes are propagated into /etc/crypto-policies/back-ends/opensslcnf.config. This rule checks if this file contains predefined Ciphersuites variable configured with predefined value. -+ -+rationale: |- -+ The Common Criteria requirements specify that certain parameters for OpenSSL are configured e.g. cipher suites. Currently particular requirements specified by CC are stricter compared to any existing Crypto Policy. 
-+ -+severity: medium -+ -+identifiers: -+ cce@rhel8: 84286-4 -+ -+references: -+ nist: AC-17(a),AC-17(2),CM-6(a),MA-4(6),SC-13,SC-12(2),SC-12(3) -+ ospp : FCS_SSHS_EXT.1 -+ srg: SRG-OS-000250-GPOS-00093,SRG-OS-000033-GPOS-00014,SRG-OS-000120-GPOS-00061 -+ -+ocil_clause: 'Crypto Policy for OpenSSL is not configured according to CC requirements' -+ -+ocil: |- -+ To verify if the OpenSSL uses defined Crypto Policy, run: -+
$ grep 'Ciphersuites' /etc/crypto-policies/back-ends/opensslcnf.config | tail -n 1
-+ and verify that the line matches -+
84285-6
-diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt -index afc0d80417..01b321b6d5 100644 ---- a/shared/references/cce-redhat-avail.txt -+++ b/shared/references/cce-redhat-avail.txt -@@ -904,8 +904,6 @@ CCE-84281-5 - CCE-84282-3 - CCE-84283-1 - CCE-84284-9 --CCE-84285-6 --CCE-84286-4 - CCE-84287-2 - CCE-84288-0 - CCE-84289-8 - -From ddc8380b44f907872f6f3b9b0d10421329e3c0a1 Mon Sep 17 00:00:00 2001 -From: Vojtech Polasek -Date: Wed, 8 Jul 2020 17:38:32 +0200 -Subject: [PATCH 2/9] add tests - ---- - .../harden_openssl_crypto_policy/tests/correct.pass.sh | 7 +++++++ - .../tests/correct_commented.fail.sh | 7 +++++++ - .../tests/correct_followed_by_incorrect.fail.sh | 8 ++++++++ - .../tests/empty_policy.fail.sh | 7 +++++++ - .../tests/incorrect_followed_by_correct.pass.sh | 8 ++++++++ - .../tests/incorrect_policy.fail.sh | 7 +++++++ - .../tests/missing_file.fail.sh | 7 +++++++ - 7 files changed, 51 insertions(+) - create mode 100644 linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/tests/correct.pass.sh - create mode 100644 linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/tests/correct_commented.fail.sh - create mode 100644 linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/tests/correct_followed_by_incorrect.fail.sh - create mode 100644 linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/tests/empty_policy.fail.sh - create mode 100644 linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/tests/incorrect_followed_by_correct.pass.sh - create mode 100644 linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/tests/incorrect_policy.fail.sh - create mode 100644 linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/tests/missing_file.fail.sh - -diff --git a/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/tests/correct.pass.sh 
b/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/tests/correct.pass.sh -new file mode 100644 -index 0000000000..9e59b30bd2 ---- /dev/null -+++ b/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/tests/correct.pass.sh -@@ -0,0 +1,7 @@ -+#!/bin/bash -+# platform = multi_platform_fedora,Red Hat Enterprise Linux 8 -+# profiles = xccdf_org.ssgproject.content_profile_ospp -+ -+configfile=/etc/crypto-policies/back-ends/opensslcnf.config -+ -+echo "Ciphersuites = TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256" > "$configfile" -diff --git a/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/tests/correct_commented.fail.sh b/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/tests/correct_commented.fail.sh -new file mode 100644 -index 0000000000..91863849b3 ---- /dev/null -+++ b/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/tests/correct_commented.fail.sh -@@ -0,0 +1,7 @@ -+#!/bin/bash -+# platform = multi_platform_fedora,Red Hat Enterprise Linux 8 -+# profiles = xccdf_org.ssgproject.content_profile_ospp -+ -+configfile=/etc/crypto-policies/back-ends/opensslcnf.config -+ -+echo "#Ciphersuites = TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256" > "$configfile" -diff --git a/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/tests/correct_followed_by_incorrect.fail.sh b/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/tests/correct_followed_by_incorrect.fail.sh -new file mode 100644 -index 0000000000..f44957d3e1 ---- /dev/null -+++ b/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/tests/correct_followed_by_incorrect.fail.sh -@@ -0,0 +1,8 @@ -+#!/bin/bash -+# platform = multi_platform_fedora,Red Hat Enterprise Linux 8 -+# profiles = xccdf_org.ssgproject.content_profile_ospp -+ 
-+configfile=/etc/crypto-policies/back-ends/opensslcnf.config -+ -+echo "Ciphersuites = TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256" > "$configfile" -+echo "Ciphersuites = TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256" >> "$configfile" -diff --git a/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/tests/empty_policy.fail.sh b/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/tests/empty_policy.fail.sh -new file mode 100644 -index 0000000000..5b14fe8ef4 ---- /dev/null -+++ b/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/tests/empty_policy.fail.sh -@@ -0,0 +1,7 @@ -+#!/bin/bash -+# platform = multi_platform_fedora,Red Hat Enterprise Linux 8 -+# profiles = xccdf_org.ssgproject.content_profile_ospp -+ -+configfile=/etc/crypto-policies/back-ends/opensslcnf.config -+ -+echo "Ciphersuites=" > "$configfile" -diff --git a/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/tests/incorrect_followed_by_correct.pass.sh b/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/tests/incorrect_followed_by_correct.pass.sh -new file mode 100644 -index 0000000000..6be3bb2ffa ---- /dev/null -+++ b/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/tests/incorrect_followed_by_correct.pass.sh -@@ -0,0 +1,8 @@ -+#!/bin/bash -+# platform = multi_platform_fedora,Red Hat Enterprise Linux 8 -+# profiles = xccdf_org.ssgproject.content_profile_ospp -+ -+configfile=/etc/crypto-policies/back-ends/opensslcnf.config -+ -+echo "Ciphersuites = TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256" > "$configfile" -+echo "Ciphersuites = TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256" >> "$configfile" -diff --git a/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/tests/incorrect_policy.fail.sh 
b/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/tests/incorrect_policy.fail.sh -new file mode 100644 -index 0000000000..b4fd0f97be ---- /dev/null -+++ b/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/tests/incorrect_policy.fail.sh -@@ -0,0 +1,7 @@ -+#!/bin/bash -+# platform = multi_platform_fedora,Red Hat Enterprise Linux 8 -+# profiles = xccdf_org.ssgproject.content_profile_ospp -+ -+configfile=/etc/crypto-policies/back-ends/opensslcnf.config -+ -+echo "Ciphersuites = TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256" > "$configfile" -diff --git a/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/tests/missing_file.fail.sh b/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/tests/missing_file.fail.sh -new file mode 100644 -index 0000000000..2d11d227cb ---- /dev/null -+++ b/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/tests/missing_file.fail.sh -@@ -0,0 +1,7 @@ -+#!/bin/bash -+# platform = multi_platform_fedora,Red Hat Enterprise Linux 8 -+# profiles = xccdf_org.ssgproject.content_profile_ospp -+ -+configfile=/etc/crypto-policies/back-ends/opensslcnf.config -+ -+rm -f "$configfile" - -From b08a7f3889e4592dc54a431aa4cfb6983990daba Mon Sep 17 00:00:00 2001 -From: Vojtech Polasek -Date: Thu, 9 Jul 2020 09:05:38 +0200 -Subject: [PATCH 3/9] remove blank line from remediation - ---- - .../crypto/harden_openssl_crypto_policy/bash/shared.sh | 3 +-- - 1 file changed, 1 insertion(+), 2 deletions(-) - -diff --git a/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/bash/shared.sh b/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/bash/shared.sh -index 9838a13c95..be6f84f83d 100644 ---- a/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/bash/shared.sh -+++ b/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/bash/shared.sh 
-@@ -3,7 +3,6 @@ - cp="Ciphersuites = TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256" - file=/etc/crypto-policies/local.d/opensslcnf-ospp.config - --#blank line at the begining to ease later readibility --echo '' > "$file" -+ - echo "$cp" >> "$file" - update-crypto-policies - -From d249fbe6f2b0cc8b6cd8a0bb02b03ead04e1dd12 Mon Sep 17 00:00:00 2001 -From: Vojtech Polasek -Date: Thu, 9 Jul 2020 09:06:02 +0200 -Subject: [PATCH 4/9] fix separator regex in oval - ---- - .../crypto/harden_openssl_crypto_policy/oval/shared.xml | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/oval/shared.xml b/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/oval/shared.xml -index 09199ce4da..37be62ee39 100644 ---- a/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/oval/shared.xml -+++ b/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/oval/shared.xml -@@ -1 +1 @@ --{{{ oval_check_config_file(path="/etc/crypto-policies/back-ends/opensslcnf.config", prefix_regex="^(?:.*\\n)*\s*", parameter="Ciphersuites", value="TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256", separator_regex="=", ) }}} -+{{{ oval_check_config_file(path="/etc/crypto-policies/back-ends/opensslcnf.config", prefix_regex="^(?:.*\\n)*\s*", parameter="Ciphersuites", value="TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256", separator_regex="\s*=\s*", ) }}} - -From 0b203279dde378cd45f05ec93a9653e1bc3b6002 Mon Sep 17 00:00:00 2001 -From: Vojtech Polasek -Date: Thu, 9 Jul 2020 09:06:29 +0200 -Subject: [PATCH 5/9] reformat rule, fix wrong ocil - ---- - .../harden_openssl_crypto_policy/rule.yml | 22 ++++++++++++++----- - 1 file changed, 16 insertions(+), 6 deletions(-) - -diff --git a/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/rule.yml 
b/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/rule.yml -index afbdb36a23..d019d6cd32 100644 ---- a/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/rule.yml -+++ b/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/rule.yml -@@ -5,13 +5,23 @@ prodtype: rhel8 - title: 'Harden OpenSSL Crypto Policy' - - description: |- -- Crypto Policies are means of enforcing certain cryptographic settings for selected applications including OpenSSL. -- OPenSSL is by default configured to modify its configuration based on currently configured Crypto-Policy. However, in certain cases it might be needed to override the Crypto Policy specific to OpenSSL r and leave rest of the Crypto Policy intact. -- This can be done by dropping a file named opensslcnf-xxx.config, replacing xxx with arbitrary identifier, into /etc/crypto-policies/local.d. This has to be followed by running update-crypto-policies so that changes are applied. -- Changes are propagated into /etc/crypto-policies/back-ends/opensslcnf.config. This rule checks if this file contains predefined Ciphersuites variable configured with predefined value. -+ Crypto Policies are means of enforcing certain cryptographic settings for -+ selected applications including OpenSSL. OPenSSL is by default configured to -+ modify its configuration based on currently configured Crypto-Policy. -+ However, in certain cases it might be needed to override the Crypto Policy -+ specific to OpenSSL r and leave rest of the Crypto Policy intact. This can -+ be done by dropping a file named opensslcnf-xxx.config, replacing -+ xxx with arbitrary identifier, into -+ /etc/crypto-policies/local.d. This has to be followed by running -+ update-crypto-policies so that changes are applied. Changes are -+ propagated into /etc/crypto-policies/back-ends/opensslcnf.config. 
-+ This rule checks if this file contains predefined Ciphersuites -+ variable configured with predefined value. - - rationale: |- -- The Common Criteria requirements specify that certain parameters for OpenSSL are configured e.g. cipher suites. Currently particular requirements specified by CC are stricter compared to any existing Crypto Policy. -+ The Common Criteria requirements specify that certain parameters for OpenSSL -+ are configured e.g. cipher suites. Currently particular requirements -+ specified by CC are stricter compared to any existing Crypto Policy. - - severity: medium - -@@ -30,4 +40,4 @@ ocil: |- - To verify if the OpenSSL uses defined Crypto Policy, run: -
$ grep 'Ciphersuites' /etc/crypto-policies/back-ends/opensslcnf.config | tail -n 1
- and verify that the line matches --
84285-6
-+
Ciphersuites = TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256
- -From aa2555bdfe67ab41978ae92924580527c7a725eb Mon Sep 17 00:00:00 2001 -From: Vojtech Polasek -Date: Mon, 13 Jul 2020 09:49:34 +0200 -Subject: [PATCH 6/9] update references - ---- - .../integrity/crypto/harden_openssl_crypto_policy/rule.yml | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/rule.yml b/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/rule.yml -index d019d6cd32..075e381906 100644 ---- a/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/rule.yml -+++ b/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/rule.yml -@@ -31,8 +31,8 @@ identifiers: - - references: - nist: AC-17(a),AC-17(2),CM-6(a),MA-4(6),SC-13,SC-12(2),SC-12(3) -- ospp : FCS_SSHS_EXT.1 -- srg: SRG-OS-000250-GPOS-00093,SRG-OS-000033-GPOS-00014,SRG-OS-000120-GPOS-00061 -+ ospp: FCS_TLSC_EXT.1.1 -+ srg: SRG-OS-000250-GPOS-00093 - - ocil_clause: 'Crypto Policy for OpenSSL is not configured according to CC requirements' - - -From c4e0e35f3dc4abb1cea952aed4216499c622f1cf Mon Sep 17 00:00:00 2001 -From: Vojtech Polasek -Date: Mon, 13 Jul 2020 09:49:48 +0200 -Subject: [PATCH 7/9] add ansible remediation - ---- - .../ansible/shared.yml | 16 ++++++++++++++++ - 1 file changed, 16 insertions(+) - create mode 100644 linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/ansible/shared.yml - -diff --git a/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/ansible/shared.yml b/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/ansible/shared.yml -new file mode 100644 -index 0000000000..d5c2c2b9f7 ---- /dev/null -+++ b/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/ansible/shared.yml -@@ -0,0 +1,16 @@ -+# platform = Red Hat Enterprise Linux 8 -+# reboot = true -+# strategy = restrict -+# complexity = low -+# disruption = 
low -+ -+- name: "Ensure that the correct crypto policy configuration exists in /etc/crypto-policies/local.d/opensslcnf-ospp.config" -+ lineinfile: -+ path: "/etc/crypto-policies/local.d/opensslcnf-ospp.config" -+ line: "Ciphersuites = TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256" -+ create: yes -+ insertafter: EOF -+ -+- name: "Update system crypto policy for changes to take effect" -+ command: -+ cmd: "update-crypto-policies" - -From 3a33b284dc3da993b1b98e75f805ebf018d7f2e9 Mon Sep 17 00:00:00 2001 -From: vojtapolasek -Date: Wed, 15 Jul 2020 09:26:11 +0200 -Subject: [PATCH 8/9] fix typos -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Co-authored-by: Jan Černý ---- - .../integrity/crypto/harden_openssl_crypto_policy/rule.yml | 6 +++--- - 1 file changed, 3 insertions(+), 3 deletions(-) - -diff --git a/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/rule.yml b/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/rule.yml -index 075e381906..ce0351aa34 100644 ---- a/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/rule.yml -+++ b/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/rule.yml -@@ -6,10 +6,10 @@ title: 'Harden OpenSSL Crypto Policy' - - description: |- - Crypto Policies are means of enforcing certain cryptographic settings for -- selected applications including OpenSSL. OPenSSL is by default configured to -- modify its configuration based on currently configured Crypto-Policy. -+ selected applications including OpenSSL. OpenSSL is by default configured to -+ modify its configuration based on currently configured Crypto Policy. - However, in certain cases it might be needed to override the Crypto Policy -- specific to OpenSSL r and leave rest of the Crypto Policy intact. This can -+ specific to OpenSSL and leave rest of the Crypto Policy intact. 
This can - be done by dropping a file named opensslcnf-xxx.config, replacing - xxx with arbitrary identifier, into - /etc/crypto-policies/local.d. This has to be followed by running - -From e5fa539ea5274e723a428a835673598899a301fa Mon Sep 17 00:00:00 2001 -From: Vojtech Polasek -Date: Wed, 15 Jul 2020 09:36:06 +0200 -Subject: [PATCH 9/9] update rule references - ---- - .../integrity/crypto/harden_openssl_crypto_policy/rule.yml | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/rule.yml b/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/rule.yml -index ce0351aa34..0cbead2a6d 100644 ---- a/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/rule.yml -+++ b/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/rule.yml -@@ -30,8 +30,8 @@ identifiers: - - references: -- nist: AC-17(a),AC-17(2),CM-6(a),MA-4(6),SC-13,SC-12(2),SC-12(3) -+ nist: SC-8(1),SC-13 - ospp: FCS_TLSC_EXT.1.1 -- srg: SRG-OS-000250-GPOS-00093 -+ srg: SRG-OS-000396-GPOS-00176,SRG-OS-000424-GPOS-00188,SRG-OS-000478-GPOS-00223 - - ocil_clause: 'Crypto Policy for OpenSSL is not configured according to CC requirements' - diff --git a/SOURCES/scap-security-guide-0.1.52-ospp_missing_ssh_PR_6007.patch b/SOURCES/scap-security-guide-0.1.52-ospp_missing_ssh_PR_6007.patch deleted file mode 100644 index 88f8237..0000000 --- a/SOURCES/scap-security-guide-0.1.52-ospp_missing_ssh_PR_6007.patch +++ /dev/null 
@@ -1,48 +0,0 @@ -From eb3a18cea5776038d0aeef0299083fcd282a0177 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= -Date: Mon, 17 Aug 2020 15:56:40 +0200 -Subject: [PATCH] Add a missing Crypto Policy rule to OSPP. - -The rule fell out by mistake, this addition complements #4682 ---- - rhel8/profiles/ospp.profile | 1 + - tests/data/profile_stability/rhel8/ospp.profile | 1 + - tests/data/profile_stability/rhel8/stig.profile | 5 +++-- - 3 files changed, 5 insertions(+), 2 deletions(-) - -diff --git a/rhel8/profiles/ospp.profile b/rhel8/profiles/ospp.profile -index 5b5b5b711a..a651885eef 100644 ---- a/rhel8/profiles/ospp.profile -+++ b/rhel8/profiles/ospp.profile -@@ -235,6 +235,7 @@ selections: - - enable_fips_mode - - var_system_crypto_policy=fips_ospp - - configure_crypto_policy -+ - configure_ssh_crypto_policy - - configure_bind_crypto_policy - - configure_openssl_crypto_policy - - configure_libreswan_crypto_policy -diff --git a/tests/data/profile_stability/rhel8/ospp.profile b/tests/data/profile_stability/rhel8/ospp.profile -index 5aa3592496..13c4e6b08d 100644 ---- a/tests/data/profile_stability/rhel8/ospp.profile -+++ b/tests/data/profile_stability/rhel8/ospp.profile -@@ -62,6 +62,7 @@ selections: - - configure_kerberos_crypto_policy - - configure_libreswan_crypto_policy - - configure_openssl_crypto_policy -+- configure_ssh_crypto_policy - - configure_tmux_lock_after_time - - configure_tmux_lock_command - - configure_usbguard_auditbackend -diff --git a/tests/data/profile_stability/rhel8/stig.profile b/tests/data/profile_stability/rhel8/stig.profile -index 9b164eb5c2..c7fe02169a 100644 ---- a/tests/data/profile_stability/rhel8/stig.profile -+++ b/tests/data/profile_stability/rhel8/stig.profile -@@ -77,6 +77,7 @@ selections: - - configure_kerberos_crypto_policy - - configure_libreswan_crypto_policy - - configure_openssl_crypto_policy -+- configure_ssh_crypto_policy - - configure_tmux_lock_after_time - - configure_tmux_lock_command - - 
configure_usbguard_auditbackend diff --git a/SOURCES/scap-security-guide-0.1.52-ospp_missing_ssh_srg-PR_6008.patch b/SOURCES/scap-security-guide-0.1.52-ospp_missing_ssh_srg-PR_6008.patch deleted file mode 100644 index c469fe6..0000000 --- a/SOURCES/scap-security-guide-0.1.52-ospp_missing_ssh_srg-PR_6008.patch +++ /dev/null @@ -1,22 +0,0 @@ -From 87e62e90df9995de6aca436e9242c0ac4d72e136 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= -Date: Tue, 18 Aug 2020 13:55:12 +0200 -Subject: [PATCH] Added SRG to configure_ssh_crypto_policy - -https://www.stigviewer.com/stig/general_purpose_operating_system_srg/2016-04-25/finding/V-56935 ---- - .../integrity/crypto/configure_ssh_crypto_policy/rule.yml | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/linux_os/guide/system/software/integrity/crypto/configure_ssh_crypto_policy/rule.yml b/linux_os/guide/system/software/integrity/crypto/configure_ssh_crypto_policy/rule.yml -index e2dd99dbb5..51788a3226 100644 ---- a/linux_os/guide/system/software/integrity/crypto/configure_ssh_crypto_policy/rule.yml -+++ b/linux_os/guide/system/software/integrity/crypto/configure_ssh_crypto_policy/rule.yml -@@ -24,6 +24,7 @@ identifiers: - references: - nist: AC-17(a),AC-17(2),CM-6(a),MA-4(6),SC-13 - cis@rhel8: 5.2.20 -+ srg: SRG-OS-000250-GPOS-00093 - - ocil_clause: 'the CRYPTO_POLICY variable is not set or is commented in the /etc/sysconfig/sshd' - diff --git a/SOURCES/scap-security-guide-0.1.52-selinux_all_devicefiles_labeled_fix-PR_5911.patch b/SOURCES/scap-security-guide-0.1.52-selinux_all_devicefiles_labeled_fix-PR_5911.patch deleted file mode 100644 index e734ce1..0000000 --- a/SOURCES/scap-security-guide-0.1.52-selinux_all_devicefiles_labeled_fix-PR_5911.patch +++ /dev/null 
@@ -1,209 +0,0 @@ -From 60f82f8d33cef82f3ff5e90073803c199bad02fb Mon Sep 17 00:00:00 2001 -From: Vojtech Polasek -Date: Tue, 7 Jul 2020 11:31:59 +0200 -Subject: [PATCH 1/3] modify rule description and ocil - ---- - .../selinux_all_devicefiles_labeled/rule.yml | 19 +++++++++++-------- - 1 file changed, 11 insertions(+), 8 deletions(-) - -diff --git a/linux_os/guide/system/selinux/selinux_all_devicefiles_labeled/rule.yml b/linux_os/guide/system/selinux/selinux_all_devicefiles_labeled/rule.yml -index 765fca583e..1667557740 100644 ---- a/linux_os/guide/system/selinux/selinux_all_devicefiles_labeled/rule.yml -+++ b/linux_os/guide/system/selinux/selinux_all_devicefiles_labeled/rule.yml -@@ -6,18 +6,20 @@ title: 'Ensure No Device Files are Unlabeled by SELinux' - - description: |- - Device files, which are used for communication with important system -- resources, should be labeled with proper SELinux types. If any device -- files do not carry the SELinux type device_t, report the bug so -- that policy can be corrected. Supply information about what the device is -- and what programs use it. -+ resources, should be labeled with proper SELinux types. If any device files -+ carry the SELinux type device_t or unlabeled_t, report the -+ bug so that policy can be corrected. Supply information about what the -+ device is and what programs use it. -

-- To check for unlabeled device files, run the following command: -+ To check for incorrectly labeled device files, run following commands: -
$ sudo find /dev -context *:device_t:* \( -type c -o -type b \) -printf "%p %Z\n"
-+
$ sudo find /dev -context *:unlabeled_t:* \( -type c -o -type b \) -printf "%p %Z\n"
- It should produce no output in a well-configured system. - - rationale: |- -- If a device file carries the SELinux type device_t, then SELinux -- cannot properly restrict access to the device file. -+ If a device file carries the SELinux type device_t or -+ unlabeled_t, then SELinux cannot properly restrict access to the -+ device file. - - severity: medium - -@@ -45,8 +47,9 @@ references: - ocil_clause: 'there is output' - - ocil: |- -- To check for unlabeled device files, run the following command: -+ To check for incorrectly labeled device files, run following commands: -
$ sudo find /dev -context *:device_t:* \( -type c -o -type b \) -printf "%p %Z\n"
-+
$ sudo find /dev -context *:unlabeled_t:* \( -type c -o -type b \) -printf "%p %Z\n"
- It should produce no output in a well-configured system. - - warnings: - -From e0cb2d04a9d95967e4adb3e05cc93a4a834a90b5 Mon Sep 17 00:00:00 2001 -From: Vojtech Polasek -Date: Tue, 7 Jul 2020 11:32:57 +0200 -Subject: [PATCH 2/3] updated oval to check only device files - ---- - .../oval/shared.xml | 64 +++++++++++++------ - 1 file changed, 43 insertions(+), 21 deletions(-) - -diff --git a/linux_os/guide/system/selinux/selinux_all_devicefiles_labeled/oval/shared.xml b/linux_os/guide/system/selinux/selinux_all_devicefiles_labeled/oval/shared.xml -index 51b68008af..7dcfb98577 100644 ---- a/linux_os/guide/system/selinux/selinux_all_devicefiles_labeled/oval/shared.xml -+++ b/linux_os/guide/system/selinux/selinux_all_devicefiles_labeled/oval/shared.xml -@@ -2,32 +2,54 @@ - - - Device Files Have Proper SELinux Context -- -- Red Hat Enterprise Linux 6 -- Red Hat Enterprise Linux 7 -- Red Hat Enterprise Linux 8 -- Red Hat Virtualization 4 -- multi_platform_fedora -- multi_platform_ol -- multi_platform_wrlinux -- -- All device files in /dev should be assigned an SELinux security context other than 'device_t'. -+ {{{- oval_affected(products) }}} -+ All device files in /dev should be assigned an SELinux security context other than 'device_t' and 'unlabeled_t'. 
- -- -- -+ -+ -+ - - -- -- -- -+ -+ -+ -+ -+ /dev -+ ^.*$ -+ state_block_or_char_device_file -+ -+ -+ -+ ^(block|character) special$ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ - -- -- -- /dev -- ^.*$ -- state_selinux_all_devicefiles_labeled -+ -+ -+ state_selinux_dev_device_t - -- -+ - device_t - -+ -+ -+ -+ -+ -+ -+ -+ state_selinux_dev_unlabeled_t -+ -+ -+ unlabeled_t -+ -+ - - -From 0bd95e6dbe3684524c86150cdb6beb0af05ff119 Mon Sep 17 00:00:00 2001 -From: Vojtech Polasek -Date: Tue, 7 Jul 2020 11:33:26 +0200 -Subject: [PATCH 3/3] add tests - ---- - .../tests/block_device_device_t.fail.sh | 4 ++++ - .../tests/char_device_unlabeled_t.fail.sh | 14 ++++++++++++++ - .../tests/regular_file_device_t.pass.sh | 4 ++++ - .../tests/symlink_with_wrong_label.pass.sh | 4 ++++ - 4 files changed, 26 insertions(+) - create mode 100644 linux_os/guide/system/selinux/selinux_all_devicefiles_labeled/tests/block_device_device_t.fail.sh - create mode 100644 linux_os/guide/system/selinux/selinux_all_devicefiles_labeled/tests/char_device_unlabeled_t.fail.sh - create mode 100644 linux_os/guide/system/selinux/selinux_all_devicefiles_labeled/tests/regular_file_device_t.pass.sh - create mode 100644 linux_os/guide/system/selinux/selinux_all_devicefiles_labeled/tests/symlink_with_wrong_label.pass.sh - -diff --git a/linux_os/guide/system/selinux/selinux_all_devicefiles_labeled/tests/block_device_device_t.fail.sh b/linux_os/guide/system/selinux/selinux_all_devicefiles_labeled/tests/block_device_device_t.fail.sh -new file mode 100644 -index 0000000000..08c4142e5b ---- /dev/null -+++ b/linux_os/guide/system/selinux/selinux_all_devicefiles_labeled/tests/block_device_device_t.fail.sh -@@ -0,0 +1,4 @@ -+#!/bin/bash -+ -+mknod /dev/foo b 1 5 -+chcon -t device_t /dev/foo -diff --git a/linux_os/guide/system/selinux/selinux_all_devicefiles_labeled/tests/char_device_unlabeled_t.fail.sh b/linux_os/guide/system/selinux/selinux_all_devicefiles_labeled/tests/char_device_unlabeled_t.fail.sh -new file mode 100644 -index 
0000000000..1da85c2034 ---- /dev/null -+++ b/linux_os/guide/system/selinux/selinux_all_devicefiles_labeled/tests/char_device_unlabeled_t.fail.sh -@@ -0,0 +1,14 @@ -+#!/bin/bash -+ -+# selinux does not allow unlabeled_t in /dev -+# we have to modify the selinux policy to allow that -+ -+echo '(allow unlabeled_t device_t (filesystem (associate)))' > /tmp/unlabeled_t.cil -+semodule -i /tmp/unlabeled_t.cil -+ -+mknod /dev/foo c 1 5 -+chcon -t unlabeled_t /dev/foo -+ -+ -+mknod /dev/foo c 1 5 -+chcon -t device_t /dev/foo -diff --git a/linux_os/guide/system/selinux/selinux_all_devicefiles_labeled/tests/regular_file_device_t.pass.sh b/linux_os/guide/system/selinux/selinux_all_devicefiles_labeled/tests/regular_file_device_t.pass.sh -new file mode 100644 -index 0000000000..d161951d7a ---- /dev/null -+++ b/linux_os/guide/system/selinux/selinux_all_devicefiles_labeled/tests/regular_file_device_t.pass.sh -@@ -0,0 +1,4 @@ -+#!/bin/bash -+ -+touch /dev/foo -+restorecon -F /dev/foo -diff --git a/linux_os/guide/system/selinux/selinux_all_devicefiles_labeled/tests/symlink_with_wrong_label.pass.sh b/linux_os/guide/system/selinux/selinux_all_devicefiles_labeled/tests/symlink_with_wrong_label.pass.sh -new file mode 100644 -index 0000000000..a8280bf37e ---- /dev/null -+++ b/linux_os/guide/system/selinux/selinux_all_devicefiles_labeled/tests/symlink_with_wrong_label.pass.sh -@@ -0,0 +1,4 @@ -+#!/bin/bash -+ -+ln -s /dev/cpu /dev/foo -+restorecon -F /dev/foo diff --git a/SOURCES/scap-security-guide-0.1.53-cui_kickstart-PR_6035.patch b/SOURCES/scap-security-guide-0.1.53-cui_kickstart-PR_6035.patch deleted file mode 100644 index 927acb5..0000000 --- a/SOURCES/scap-security-guide-0.1.53-cui_kickstart-PR_6035.patch +++ /dev/null 
@@ -1,183 +0,0 @@ -From 8a6e3fcbe387e6b5476375448964dab198d94959 Mon Sep 17 00:00:00 2001 -From: Vojtech Polasek -Date: Wed, 2 Sep 2020 10:01:45 +0200 -Subject: [PATCH] add CUI kickstart for rhel8 - ---- - rhel8/kickstart/ssg-rhel8-cui-ks.cfg | 167 +++++++++++++++++++++++++++ - 1 file changed, 167 insertions(+) - create mode 100644 rhel8/kickstart/ssg-rhel8-cui-ks.cfg - -diff --git a/rhel8/kickstart/ssg-rhel8-cui-ks.cfg b/rhel8/kickstart/ssg-rhel8-cui-ks.cfg -new file mode 100644 -index 0000000000..0957fded96 ---- /dev/null -+++ b/rhel8/kickstart/ssg-rhel8-cui-ks.cfg -@@ -0,0 +1,167 @@ -+# SCAP Security Guide CUI profile kickstart for Red Hat Enterprise Linux 8 -+# -+# Based on: -+# http://fedoraproject.org/wiki/Anaconda/Kickstart -+# http://usgcb.nist.gov/usgcb/content/configuration/workstation-ks.cfg -+ -+# Install a fresh new system (optional) -+install -+ -+# Specify installation method to use for installation -+# To use a different one comment out the 'url' one below, update -+# the selected choice with proper options & un-comment it -+# -+# Install from an installation tree on a remote server via FTP or HTTP: -+# --url the URL to install from -+# -+# Example: -+# -+# url --url=http://192.168.122.1/image -+# -+# Modify concrete URL in the above example appropriately to reflect the actual -+# environment machine is to be installed in -+# -+# Other possible / supported installation methods: -+# * install from the first CD-ROM/DVD drive on the system: -+# -+# cdrom -+# -+# * install from a directory of ISO images on a local drive: -+# -+# harddrive --partition=hdb2 --dir=/tmp/install-tree -+# -+# * install from provided NFS server: -+# -+# nfs --server= --dir= [--opts=] -+# -+# Set language to use during installation and the default language to use on the installed system (required) -+lang en_US.UTF-8 -+ -+# Set system keyboard type / layout (required) -+keyboard us -+ -+# Configure network information for target system and activate network devices in the 
installer environment (optional) -+# --onboot enable device at a boot time -+# --device device to be activated and / or configured with the network command -+# --bootproto method to obtain networking configuration for device (default dhcp) -+# --noipv6 disable IPv6 on this device -+# -+# NOTE: Usage of DHCP will fail CCE-27021-5 (DISA FSO RHEL-06-000292). To use static IP configuration, -+# "--bootproto=static" must be used. For example: -+# network --bootproto=static --ip=10.0.2.15 --netmask=255.255.255.0 --gateway=10.0.2.254 --nameserver 192.168.2.1,192.168.3.1 -+# -+network --onboot yes --bootproto dhcp -+ -+# Set the system's root password (required) -+# Plaintext password is: server -+# Refer to e.g. -+# https://pykickstart.readthedocs.io/en/latest/commands.html#rootpw -+# to see how to create encrypted password form for different plaintext password -+rootpw --iscrypted $6$0WWGZ1e6icT$1KiHZK.Nzp3HQerfiy8Ic3pOeCWeIzA.zkQ7mkvYT3bNC5UeGK2ceE5b6TkSg4D/kiSudkT04QlSKknsrNE220 -+ -+# The selected profile will restrict root login -+# Add a user that can login and escalate privileges -+# Plaintext password is: admin123 -+user --name=admin --groups=wheel --password=$6$Ga6ZnIlytrWpuCzO$q0LqT1USHpahzUafQM9jyHCY9BiE5/ahXLNWUMiVQnFGblu0WWGZ1e6icTaCGO4GNgZNtspp1Let/qpM7FMVB0 --iscrypted -+ -+# Configure firewall settings for the system (optional) -+# --enabled reject incoming connections that are not in response to outbound requests -+# --ssh allow sshd service through the firewall -+firewall --enabled --ssh -+ -+# Set up the authentication options for the system (required) -+# --enableshadow enable shadowed passwords by default -+# --passalgo hash / crypt algorithm for new passwords -+# See the manual page for authconfig for a complete list of possible options. 
-+authconfig --enableshadow --passalgo=sha512
-+
-+# State of SELinux on the installed system (optional)
-+# Defaults to enforcing
-+selinux --enforcing
-+
-+# Set the system time zone (required)
-+timezone --utc America/New_York
-+
-+# Specify how the bootloader should be installed (required)
-+# Refer to e.g.
-+# https://pykickstart.readthedocs.io/en/latest/commands.html#rootpw
-+# to see how to create encrypted password form for different plaintext password
-+bootloader --location=mbr --append="audit=1 audit_backlog_limit=8192 slub_debug=P page_poison=1 vsyscall=none"
-+
-+# Initialize (format) all disks (optional)
-+zerombr
-+
-+# The following partition layout scheme assumes disk of size 20GB or larger
-+# Modify size of partitions appropriately to reflect actual machine's hardware
-+#
-+# Remove Linux partitions from the system prior to creating new ones (optional)
-+# --linux erase all Linux partitions
-+# --initlabel initialize the disk label to the default based on the underlying architecture
-+clearpart --linux --initlabel
-+
-+# Create primary system partitions (required for installs)
-+part /boot --fstype=xfs --size=512
-+part pv.01 --grow --size=1
-+
-+# Create a Logical Volume Management (LVM) group (optional)
-+volgroup VolGroup --pesize=4096 pv.01
-+
-+# Create particular logical volumes (optional)
-+logvol / --fstype=xfs --name=root --vgname=VolGroup --size=11264 --grow
-+# Ensure /home Located On Separate Partition
-+logvol /home --fstype=xfs --name=home --vgname=VolGroup --size=1024 --fsoptions="nodev"
-+# Ensure /tmp Located On Separate Partition
-+logvol /tmp --fstype=xfs --name=tmp --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec"
-+# Ensure /var/tmp Located On Separate Partition
-+logvol /var/tmp --fstype=xfs --name=vartmp --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec"
-+# Ensure /var Located On Separate Partition
-+logvol /var --fstype=xfs --name=var --vgname=VolGroup --size=2048 --fsoptions="nodev"
-+# Ensure /var/log Located On Separate Partition
-+logvol /var/log --fstype=xfs --name=log --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec"
-+# Ensure /var/log/audit Located On Separate Partition
-+logvol /var/log/audit --fstype=xfs --name=audit --vgname=VolGroup --size=512 --fsoptions="nodev,nosuid,noexec"
-+logvol swap --name=swap --vgname=VolGroup --size=2016
-+
-+# The OpenSCAP installer add-on is used to apply SCAP (Security Content Automation Protocol)
-+# content - security policies - on the installed system.This add-on has been enabled by default
-+# since Red Hat Enterprise Linux 7.2. When enabled, the packages necessary to provide this
-+# functionality will automatically be installed. However, by default, no policies are enforced,
-+# meaning that no checks are performed during or after installation unless specifically configured.
-+#
-+# Important
-+# Applying a security policy is not necessary on all systems. This screen should only be used
-+# when a specific policy is mandated by your organization rules or government regulations.
-+# Unlike most other commands, this add-on does not accept regular options, but uses key-value
-+# pairs in the body of the %addon definition instead. These pairs are whitespace-agnostic.
-+# Values can be optionally enclosed in single quotes (') or double quotes (").
-+#
-+# The following keys are recognized by the add-on:
-+# content-type - Type of the security content. Possible values are datastream, archive, rpm, and scap-security-guide.
-+# - If the content-type is scap-security-guide, the add-on will use content provided by the
-+# scap-security-guide package, which is present on the boot media. This means that all other keys except profile will have no effect.
-+# content-url - Location of the security content. The content must be accessible using HTTP, HTTPS, or FTP; local storage is currently not supported. A network connection must be available to reach content definitions in a remote location.
-+# datastream-id - ID of the data stream referenced in the content-url value. Used only if content-type is datastream.
-+# xccdf-id - ID of the benchmark you want to use.
-+# xccdf-path - Path to the XCCDF file which should be used; given as a relative path in the archive.
-+# profile - ID of the profile to be applied. Use default to apply the default profile.
-+# fingerprint - A MD5, SHA1 or SHA2 checksum of the content referenced by content-url.
-+# tailoring-path - Path to a tailoring file which should be used, given as a relative path in the archive.
-+#
-+# The following is an example %addon org_fedora_oscap section which uses content from the
-+# scap-security-guide on the installation media:
-+%addon org_fedora_oscap
-+ content-type = scap-security-guide
-+ profile = xccdf_org.ssgproject.content_profile_cui
-+%end
-+
-+# Packages selection (%packages section is required)
-+%packages
-+
-+# Require @Base
-+@Base
-+
-+%end # End of %packages section
-+
-+# Reboot after the installation is complete (optional)
-+# --eject attempt to eject CD or DVD media before rebooting
-+reboot --eject
diff --git a/SPECS/scap-security-guide.spec b/SPECS/scap-security-guide.spec
index e098e0d..bb7a7bd 100644
--- a/SPECS/scap-security-guide.spec
+++ b/SPECS/scap-security-guide.spec
@@ -1,6 +1,6 @@
 Name: scap-security-guide
-Version: 0.1.50
-Release: 14%{?dist}
+Version: 0.1.53
+Release: 2%{?dist}
 Summary: Security guidance and baselines in SCAP formats
 Group: Applications/System
 License: BSD
@@ -8,33 +8,6 @@ URL: https://github.com/ComplianceAsCode/content/
 Source0: https://github.com/ComplianceAsCode/content/releases/download/v%{version}/scap-security-guide-%{version}.tar.bz2
 # Patch allows only OSPP, PCI-DSS, E8 and STIG profiles in RHEL8 datastream
 Patch0: disable-not-in-good-shape-profiles.patch
-Patch1: scap-security-guide-0.1.51-update_rhel8_cis_PR_5771.patch
-Patch2: scap-security-guide-0.1.51-cis_hipaa_ansible_fixes_PR_5777.patch
-Patch3: scap-security-guide-0.1.51-add_missing_cis_cces_PR_5781.patch
-Patch4: scap-security-guide-0.1.51-add_hipaa_kickstarts_PR_5783.patch
-Patch5: scap-security-guide-0.1.51-add_ansible_sshd_set_max_sessions_PR_5757.patch
-# Patch6 already contains typo fix
-Patch6: scap-security-guide-0.1.51-add_cis_attributions_PR_5779.patch
-Patch7: scap-security-guide-0.1.51-add_ansible_ensure_logrotate_activated_PR_5753.patch
-Patch8: scap-security-guide-0.1.51-fix_ansible_template_mount_options_PR_5765.patch
-Patch9: scap-security-guide-0.1.51-fix_rpm_verify_permissions_conflict_PR_5770.patch
-Patch10: scap-security-guide-0.1.51-add_ansible_system_shutdown_PR_5761.patch
-Patch11: scap-security-guide-0.1.51-create_macro_selinux_remediation_PR_5785.patch
-Patch12: scap-security-guide-0.1.51-fix_rsyslog_rules_PR_5763.patch
-Patch13: scap-security-guide-0.1.51-openssl_crypto_PR_5885.patch
-Patch14: scap-security-guide-0.1.52-harden-openssl-crypto-policy_PR_5925.patch
-Patch15: scap-security-guide-0.1.52-fix_hipaa_description.patch
-Patch16: scap-security-guide-0.1.52-fix_scapval_call_PR_6005.patch
-Patch17: scap-security-guide-0.1.52-ospp_missing_ssh_PR_6007.patch
-Patch18: scap-security-guide-0.1.52-ospp_missing_ssh_srg-PR_6008.patch
-Patch19: scap-security-guide-0.1.51-parametrize-ssh-PR5772.patch
-Patch20: scap-security-guide-0.1.51-parametrize-ssh-PR5782.patch
-Patch21: scap-security-guide-0.1.51-parametrize-ssh-PR5788.patch
-Patch22: scap-security-guide-0.1.52-selinux_all_devicefiles_labeled_fix-PR_5911.patch
-Patch23: scap-security-guide-0.1.51-no_shelllogin_for_systemaccounts_ubi8-PR_5810.patch
-Patch24: scap-security-guide-0.1.51-grub2_doc_fix-PR_5890.patch
-Patch25: scap-security-guide-0.1.51-remove_grub_doc_links-PR_5851.patch
-Patch26: scap-security-guide-0.1.53-cui_kickstart-PR_6035.patch
 BuildArch: noarch
@@ -70,32 +43,6 @@ present in %{name} package.
 %prep
 %setup -q
 %patch0 -p1
-%patch1 -p1
-%patch2 -p1
-%patch3 -p1
-%patch4 -p1
-%patch5 -p1
-%patch6 -p1
-%patch7 -p1
-%patch8 -p1
-%patch9 -p1
-%patch10 -p1
-%patch11 -p1
-%patch12 -p1
-%patch13 -p1
-%patch14 -p1
-%patch15 -p1
-%patch16 -p1
-%patch17 -p1
-%patch18 -p1
-%patch19 -p1
-%patch20 -p1
-%patch21 -p1
-%patch22 -p1
-%patch23 -p1
-%patch24 -p1
-%patch25 -p1
-%patch26 -p1
 mkdir build
 %build
@@ -130,6 +77,12 @@ cd build
 %doc %{_docdir}/%{name}/tables/*.html
 %changelog
+* Thu Dec 03 2020 Watson Sato - 0.1.53-2
+- Update list of profiles built (RHBZ#1889344)
+
+* Wed Nov 25 2020 Vojtech Polasek - 0.1.53-1
+- Update to the latest upstream release (RHBZ#1889344)
+
 * Wed Sep 02 2020 Matěj Týč - 0.1.50-14
 - Added a kickstart for the RHEL-8 CUI Profile (RHBZ#1762962)