diff --git a/.gitignore b/.gitignore index 3b17f94..20df2b2 100644 --- a/.gitignore +++ b/.gitignore @@ -1 +1 @@ -SOURCES/scap-security-guide-0.1.19.tar.gz +SOURCES/scap-security-guide-0.1.25.tar.gz diff --git a/.scap-security-guide.metadata b/.scap-security-guide.metadata index 511f55a..7038a45 100644 --- a/.scap-security-guide.metadata +++ b/.scap-security-guide.metadata @@ -1 +1 @@ -f7257eb00ab18acda843d41851a430268d6bba30 SOURCES/scap-security-guide-0.1.19.tar.gz +1dc2e85ad80098968485bc75050697abc40143d4 SOURCES/scap-security-guide-0.1.25.tar.gz diff --git a/SOURCES/scap-security-guide-0.1.19-rhel7-drop-restorecond-since-in-optional.patch b/SOURCES/scap-security-guide-0.1.19-rhel7-drop-restorecond-since-in-optional.patch deleted file mode 100644 index 8e4ee57..0000000 --- a/SOURCES/scap-security-guide-0.1.19-rhel7-drop-restorecond-since-in-optional.patch +++ /dev/null 
@@ -1,38 +0,0 @@ ---- scap-security-guide-0.1.19/RHEL/7/input/system/selinux.xml.orig 2014-09-29 06:19:27.427097200 -0400 -+++ scap-security-guide-0.1.19/RHEL/7/input/system/selinux.xml 2014-09-29 06:20:14.703998808 -0400 -@@ -117,23 +117,6 @@ targeted for exploitation, such as netwo - - - -- --Enable the SELinux Context Restoration Service (restorecond) --The restorecond service utilizes inotify to look --for the creation of new files listed in the --/etc/selinux/restorecond.conf configuration file. When a file is --created, restorecond ensures the file receives the proper SELinux --security context. -- -- --The restorecond service helps ensure that the default SELinux --file context is applied to files. This allows automatic correction --of file contexts created by some programs. -- -- -- -- -- - - Uninstall setroubleshoot Package - The SETroubleshoot service notifies desktop users of SELinux ---- scap-security-guide-0.1.19/RHEL/7/input/fixes/bash/service_restorecond_enabled.sh 2014-09-28 07:55:58.000000000 -0400 -+++ /dev/null 2014-09-29 05:45:02.862000000 -0400 -@@ -1,9 +0,0 @@ --# --# Enable restorecond.service for all systemd targets --# --systemctl enable restorecond.service -- --# --# Start restorecond.service if not currently running --# --systemctl start restorecond.service diff --git a/SOURCES/scap-security-guide-0.1.19-rhel7-include-only-rht-ccp-profile.patch b/SOURCES/scap-security-guide-0.1.19-rhel7-include-only-rht-ccp-profile.patch deleted file mode 100644 index b34822c..0000000 --- a/SOURCES/scap-security-guide-0.1.19-rhel7-include-only-rht-ccp-profile.patch +++ /dev/null @@ -1,14 +0,0 @@ ---- scap-security-guide-0.1.19/RHEL/7/input/guide.xslt.orig 2014-09-29 07:55:24.154151816 -0400 -+++ scap-security-guide-0.1.19/RHEL/7/input/guide.xslt 2014-09-29 07:56:48.376190494 -0400 -@@ -8,10 +8,7 @@ - - - -- -- -- -- -+ - - - A conditional clause for check statements. 
diff --git a/SOURCES/scap-security-guide-0.1.19-rhel7-update-pam-XCCDF-to-use-pam_pwquality.patch b/SOURCES/scap-security-guide-0.1.19-rhel7-update-pam-XCCDF-to-use-pam_pwquality.patch deleted file mode 100644 index 7cc9038..0000000 --- a/SOURCES/scap-security-guide-0.1.19-rhel7-update-pam-XCCDF-to-use-pam_pwquality.patch +++ /dev/null @@ -1,89 +0,0 @@ ---- scap-security-guide-0.1.19/RHEL/7/input/system/accounts/pam.xml.orig 2014-09-29 08:53:24.078751294 -0400 -+++ scap-security-guide-0.1.19/RHEL/7/input/system/accounts/pam.xml 2014-09-29 08:59:28.963638607 -0400 -@@ -81,33 +81,28 @@ and gives them an opportunity to notify - - - Set Password Quality Requirements --The default pam_cracklib PAM module provides strength -+The default pam_pwquality PAM module provides strength - checking for passwords. It performs a number of checks, such as - making sure passwords are not similar to dictionary words, are of - at least a certain length, are not the previous password reversed, - and are not simply a change of case from the previous password. It - can also require passwords to be in certain character classes. -

--The pam_passwdqc PAM module also provides the ability to enforce --stringent password strength requirements. It is provided --in an RPM of the same name. --

--The man pages pam_cracklib(8) and pam_passwdqc(8) --provide information on the capabilities and configuration of --each.
-+The man page pam_pwquality(8) provide further information -+on the capabilities and configuration.
- - - Set Password Quality Requirements, if using --pam_cracklib --The pam_cracklib PAM module can be configured to meet -+ pam_pwquality -+The pam_pwquality PAM module can be configured to meet - requirements for a variety of policies. -

--For example, to configure pam_cracklib to require at least one uppercase -+For example, to configure pam_pwquality to require at least one uppercase - character, lowercase character, digit, and other (special) - character, locate the following line in /etc/pam.d/system-auth: --
password requisite pam_cracklib.so try_first_pass retry=3
-+
password requisite pam_pwquality.so try_first_pass retry=3
- and then alter it to read: --
password required pam_cracklib.so try_first_pass retry=3 maxrepeat=3 minlen=14 dcredit=-1 ucredit=-1 ocredit=-1 lcredit=-1 difok=4
-+
password required pam_pwquality.so try_first_pass retry=3 maxrepeat=3 minlen=14 dcredit=-1 ucredit=-1 ocredit=-1 lcredit=-1 difok=4
- If no such line exists, add one as the first line of the password section in /etc/pam.d/system-auth. - The arguments can be modified to ensure compliance with - your organization's security policy. Discussion of each parameter follows. -@@ -268,14 +263,14 @@ is different from account lockout, which - - - Set Password to Maximum of Three Consecutive Repeating Characters --The pam_cracklib module's maxrepeat parameter controls requirements for -+The pam_pwquality module's maxrepeat parameter controls requirements for - consecutive repeating characters. When set to a positive number, it will reject passwords - which contain more than that number of consecutive characters. Add maxrepeat=3 --after pam_cracklib.so to prevent a run of four or more identical characters. -+after pam_pwquality.so to prevent a run of four or more identical characters. - - - To check the maximum value for consecutive repeating characters, run the following command: --
$ grep pam_cracklib /etc/pam.d/system-auth
-+
$ grep pam_pwquality /etc/pam.d/system-auth
- Look for the value of the maxrepeat parameter. The DoD requirement is 3. -
- -@@ -413,7 +408,7 @@ Note that passwords which are changed on - - - Set Password Strength Minimum Different Categories --The pam_cracklib module's minclass parameter controls requirements for -+The pam_pwquality module's minclass parameter controls requirements for - usage of different character classes, or types, of character that must exist in a password - before it is considered valid. For example, setting this value to three (3) requires that - any password must have characters from at least three different categories in order to be -@@ -425,7 +420,7 @@ four categories available: - * Digits - * Special characters (for example, punctuation) - --Add minclass=NUM after pam_cracklib.so entry into the -+Add minclass=NUM after pam_pwquality.so entry into the - /etc/pam.d/system-auth file in order to require differing categories of - characters when changing passwords, substituting NUM appropriately (for example to - require at least three character classes to be used in password, use minclass=3). -@@ -433,7 +428,7 @@ require at least three character classes - - To check how many categories of characters must be used in password during a password change, - run the following command: --
$ grep pam_cracklib /etc/pam.d/system-auth
-+
$ grep pam_pwquality /etc/pam.d/system-auth
- The minclass parameter will indicate how many character classes must be used. If - the requirement was for the password to contain characters from three different categories, - then this would appear as minclass=3. diff --git a/SOURCES/scap-security-guide-0.1.19-update-man-page-for-rhel7-content.patch b/SOURCES/scap-security-guide-0.1.19-update-man-page-for-rhel7-content.patch deleted file mode 100644 index 5395704..0000000 --- a/SOURCES/scap-security-guide-0.1.19-update-man-page-for-rhel7-content.patch +++ /dev/null 
@@ -1,109 +0,0 @@ ---- scap-security-guide-0.1.19/RHEL/6/input/auxiliary/scap-security-guide.8.orig 2014-10-21 09:26:33.048661043 -0400 -+++ scap-security-guide-0.1.19/RHEL/6/input/auxiliary/scap-security-guide.8 2014-10-21 09:29:18.031611398 -0400 -@@ -1,4 +1,4 @@ --.TH scap-security-guide 8 "26 Jan 2013" "version 1" -+.TH scap-security-guide 8 "29 Sep 2014" "version 1" - - .SH NAME - SCAP Security Guide - Delivers security guidance, baselines, and -@@ -23,59 +23,24 @@ https://fedorahosted.org/scap-security-g - - - .SH PROFILES --The SSG content is broken into 'profiles,' groupings of security settings that correlate to a known policy. Available profiles are: -+The SSG content is broken into 'profiles,' groupings of security settings that -+correlate to a known policy. Available profiles are: - --.I stig-rhel6-server-upstream -+.I rht-cpp - .RS --The Security Technical Implementation Guides (STIGs) and the NSA Guides are the --configuration standards for DOD IA and IA-enabled devices/systems. Since 1998, --DISA Field Security Operations (FSO) has played a critical role enhancing the --security posture of DoD's security systems by providing the Security Technical --Implementation Guides (STIGs). This profile was created as a collaboration --effort between the National Security Agency, DISA FSO, and Red Hat. -- --As a result of the upstream/downstream relationship between the SCAP Security --Guide project and the official DISA FSO STIG baseline, users should expect --variance between SSG and DISA FSO content. For additional information relating --to STIGs, please refer to the DISA FSO webpage at http://iase.disa.mil/stigs/ -- --While this profile is packaged by Red Hat as part of the SCAP Security Guide --package, please note that commercial support of this SCAP content is NOT --available. This profile is provided as example SCAP content with no --endorsement for suitability or production readiness. 
Support for this profile --is provided by the upstream SCAP Security Guide community on a best-effort --basis. The upstream project homepage is https://fedorahosted.org/scap-security-guide/. -- --.RE --.I usgcb-rhel6-server --.RS --The purpose of the United States Government Configuration Baseline (USGCB) --initiative is to create security configuration baselines for Information --Technology products widely deployed across the federal agencies. The USGCB --baseline evolved from the Federal Desktop Core Configuration mandate. The --USGCB is a Federal government-wide initiative that provides guidance to --agencies on what should be done to improve and maintain an effective --configuration settings focusing primarily on security. -- --.B "NOTE: " --While the current content maps to USGCB requirements, it has NOT --been validated by NIST as of yet. This content should be considered --draft, we are highly interested in feedback. -- --For additional information relating to USGCB, please refer to the NIST --webpage at http://usgcb.nist.gov/usgcb_content.html. -+Red Hat Corporate Profile for Certified Cloud Providers (RH CCP). This is a -+*draft* SCAP profile for Red Hat Certified Cloud Providers. 
- .RE - -- - .SH EXAMPLES - To scan your system utilizing the OpenSCAP utility against the --stig-rhel6-server-upstream profile: -+rht-ccp profile: - --oscap xccdf eval --profile stig-rhel6-server-upstream \ -+oscap xccdf eval --profile rht-ccp \ - --results /tmp/`hostname`-ssg-results.xml \ - --report /tmp/`hostname`-ssg-results.html \ ----cpe /usr/share/xml/scap/ssg/content/ssg-rhel6-cpe-dictionary.xml \ --/usr/share/xml/scap/ssg/content/ssg-rhel6-xccdf.xml -+--cpe /usr/share/xml/scap/ssg/content/ssg-rhel7-cpe-dictionary.xml \ -+/usr/share/xml/scap/ssg/content/ssg-rhel7-xccdf.xml - .PP - Additional details can be found on the projects wiki page: - https://fedorahosted.org/scap-security-guide/wiki/usageguide -@@ -99,15 +64,10 @@ ssg-{profile}-oval.xml - ssg-{profile}-xccdf.xml - .RE - --.I /usr/share/xml/scap/ssg/guides/ --.RS --HTML versions of SSG profiles. --.RE -- --.I /usr/share/xml/scap/ssg/policytables/ -+.I /usr/share/doc/scap-security-guide-0.1.19 - .RS --HTML tables reflecting which institutionalized policy a particular SSG rule --conforms to. -+Contains HTML versions of the SSG profiles and also HTML tables reflecting which -+institutionalized policy a particular SSG rule conforms to. - .RE - - .SH STATEMENT OF SUPPORT -@@ -116,9 +76,9 @@ and the NSA, provides XCCDF and OVAL con - source project, community participation extends into U.S. Department of Defense - agencies, civilian agencies, academia, and other industrial partners. - --SCAP Security Guide is provided to consumers through Red Hat's Extended --Packages for Enterprise Linux (EPEL) repository. As such, SCAP Security Guide --content is considered "vendor provided." -+SCAP Security Guide is provided to consumers through Red Hat's system and content -+management services (Red Hat Network Classic or Red Hat Subscription Management). -+As such, SCAP Security Guide content is considered "vendor provided." 
- - Note that while Red Hat hosts the infrastructure for this project and - Red Hat engineers are involved as maintainers and leaders, there is no diff --git a/SOURCES/scap-security-guide-0.1.20-rhel6-rhel7-PR#280-set-deny-prerequisite-#1.patch b/SOURCES/scap-security-guide-0.1.20-rhel6-rhel7-PR#280-set-deny-prerequisite-#1.patch deleted file mode 100644 index 65b59a6..0000000 --- a/SOURCES/scap-security-guide-0.1.20-rhel6-rhel7-PR#280-set-deny-prerequisite-#1.patch +++ /dev/null @@ -1,472 +0,0 @@ -diff --git a/RHEL/6/input/profiles/stig-rhel6-server-upstream.xml b/RHEL/6/input/profiles/stig-rhel6-server-upstream.xml -index a00fc16..dc1b249 100644 ---- a/RHEL/6/input/profiles/stig-rhel6-server-upstream.xml -+++ b/RHEL/6/input/profiles/stig-rhel6-server-upstream.xml -@@ -99,7 +99,7 @@ upstream project homepage is https://fedorahosted.org/scap-security-guide/. - - - -- -+ - - - -diff --git a/RHEL/6/input/system/accounts/pam.xml b/RHEL/6/input/system/accounts/pam.xml -index adf0aaf..b2da2a4 100644 ---- a/RHEL/6/input/system/accounts/pam.xml -+++ b/RHEL/6/input/system/accounts/pam.xml -@@ -48,7 +48,7 @@ operator="equals" interactive="0"> - /etc/security/opasswd in order to force password change history and - keep the user from alternating between the same password too - frequently.
--24 -+5 - 0 - 5 - 10 -@@ -342,7 +342,7 @@ more difficult by ensuring a larger search space. - usage of special (or ``other'') characters in a password. When set to a negative number, any password will be required to - contain that many special characters. When set to a positive number, pam_cracklib will grant +1 additional - length credit for each special character. --Add ocredit=-1 after pam_cracklib.so to require use of a special character in passwords. -+Add ocredit= after pam_cracklib.so to require use of a special character in passwords. -
- - To check how many special characters are required in a password, run the following command: -@@ -357,7 +357,7 @@ more difficult by ensuring a larger search space. -
- - -- -+ - -
- -@@ -551,7 +551,7 @@ be accomplished by using the remember option for the pam_unix - module. In the file /etc/pam.d/system-auth, append remember= to the - line which refers to the pam_unix.so module, as shown: -
password sufficient pam_unix.so existing_options remember=
--The DoD and FISMA requirement is 24 passwords.
-+The DoD STIG requirement is 5 passwords.
- - To verify the password reuse setting is compliant, run the following command: -
$ grep remember /etc/pam.d/system-auth
-diff --git a/RHEL/6/input/system/accounts/restrictions/password_expiration.xml b/RHEL/6/input/system/accounts/restrictions/password_expiration.xml -index e4af5aa..a8e90c2 100644 ---- a/RHEL/6/input/system/accounts/restrictions/password_expiration.xml -+++ b/RHEL/6/input/system/accounts/restrictions/password_expiration.xml -@@ -159,7 +159,7 @@ increases the risk of users writing down the password in a convenient - location subject to physical compromise. - - -- -+ - -
- -diff --git a/RHEL/7/input/checks/accounts_password_pam_minlen.xml b/RHEL/7/input/checks/accounts_password_pam_minlen.xml -new file mode 100644 -index 0000000..77f89af ---- /dev/null -+++ b/RHEL/7/input/checks/accounts_password_pam_minlen.xml -@@ -0,0 +1,40 @@ -+ -+ -+ -+ Set Password minlen Requirements -+ -+ Red Hat Enterprise Linux 7 -+ -+ The password minlen should meet minimum requirements -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ /etc/pam.d/system-auth -+ ^\s*password\s+(?:(?:required)|(?:requisite))\s+pam_pwquality\.so.*minlen=(-?\d+)(?:[\s]|$) -+ 1 -+ -+ -+ -+ -+ 1 -+ -+ -+ -+ -+ -+ -diff --git a/RHEL/7/input/fixes/bash/accounts_password_pam_minlen.sh b/RHEL/7/input/fixes/bash/accounts_password_pam_minlen.sh -new file mode 100644 -index 0000000..5bc5b0f ---- /dev/null -+++ b/RHEL/7/input/fixes/bash/accounts_password_pam_minlen.sh -@@ -0,0 +1,8 @@ -+source ./templates/support.sh -+populate var_password_pam_minlen -+ -+if grep -q "minlen=" /etc/pam.d/system-auth; then -+ sed -i --follow-symlink "s/\(minlen *= *\).*/\1$var_password_pam_minlen/" /etc/pam.d/system-auth -+else -+ sed -i --follow-symlink "/pam_pwquality.so/ s/$/ minlen=$var_password_pam_minlen/" /etc/pam.d/system-auth -+fi -diff --git a/RHEL/7/input/profiles/stig-rhel7-server-upstream.xml b/RHEL/7/input/profiles/stig-rhel7-server-upstream.xml -index ef079b4..19a06b3 100644 ---- a/RHEL/7/input/profiles/stig-rhel7-server-upstream.xml -+++ b/RHEL/7/input/profiles/stig-rhel7-server-upstream.xml -@@ -2,6 +2,36 @@ - Pre-release Draft STIG for RHEL 7 Server - This profile is being developed under the DoD consensus model to become a STIG in coordination with DISA FSO. 
- -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ - -+ -+ -+ -+ -+ -+ - -diff --git a/RHEL/7/input/system/accounts/pam.xml b/RHEL/7/input/system/accounts/pam.xml -index 3cdd433..f5d9cdf 100644 ---- a/RHEL/7/input/system/accounts/pam.xml -+++ b/RHEL/7/input/system/accounts/pam.xml -@@ -48,7 +48,7 @@ operator="equals" interactive="0"> - /etc/security/opasswd in order to force password change history and - keep the user from alternating between the same password too - frequently. --24 -+5 - 0 - 5 - 10 -@@ -137,13 +137,14 @@ reason. - - minlen - Minimum number of characters in password --14 -+15 - 6 - - 8 - 10 - 12 - 14 -+ - 15 - - -@@ -190,11 +191,12 @@ password - password - Keep this high for short - passwords --4 -+15 - 2 - 3 - 4 - 5 -+15 - - - -@@ -306,10 +308,34 @@ search space. - - - -- -+ - - - -+ -+Set Password Minimum Length -+The pam_pwquality module's minlen parameter controls requirements for -+minimum characters required in a password. Add minlen= -+after pam_pwquality to set minimum password length requirements. -+ -+ -+To check how many characters are required in a password, run the following command: -+
$ grep pam_pwquality /etc/pam.d/system-auth
-+Your output should contain minlen= -+
-+ -+Password length is one factor of several that helps to determine -+strength and how long it takes to crack a password. Use of more characters in -+a password helps to exponentially increase the time and/or resources -+required to compromise the password. -+ -+ -+ -+ -+ -+
-+ -+ - - Set Password Strength Minimum Uppercase Characters - The pam_pwquality module's ucredit= parameter controls requirements for -@@ -331,18 +357,18 @@ more difficult by ensuring a larger search space. - - - -- -+ - - - - - Set Password Strength Minimum Special Characters - The pam_pwquality module's ocredit= parameter controls requirements for --usage of special (or ``other'') characters in a password. When set to a negative number, any password will be required to -+usage of special (or "other") characters in a password. When set to a negative number, any password will be required to - contain that many special characters. When set to a positive number, pam_pwquality will grant +1 additional - length credit for each special character. --Add ocredit=-1 after pam_pwquality.so to require use of a special character in passwords. -- -+Add ocredit= after pam_pwquality.so to -+require use of a special character in passwords. - - To check how many special characters are required in a password, run the following command: -
$ grep pam_pwquality /etc/pam.d/system-auth
-@@ -356,7 +382,7 @@ more difficult by ensuring a larger search space. - - - -- -+ - -
- -@@ -381,7 +407,7 @@ more difficult by ensuring a larger search space. - - - -- -+ - - - -@@ -391,14 +417,14 @@ more difficult by ensuring a larger search space. - usage of different characters during a password change. - Add difok=NUM after pam_pwquality.so to require differing - characters when changing passwords, substituting NUM appropriately. --The DoD requirement is 4. -+The DoD requirement is 15. - - - To check how many characters must differ during a password change, run the following command: -
$ grep pam_pwquality /etc/pam.d/system-auth
- The difok parameter will indicate how many characters must differ. --The DoD requires four characters differ during a password change. --This would appear as difok=4. -+The DoD requires 15 characters differ during a password change. -+This would appear as difok=15. -
- - Requiring a minimum number of different characters during password changes ensures that -@@ -407,7 +433,7 @@ Note that passwords which are changed on compromised systems will still be compr - - - -- -+ - - - -@@ -476,13 +502,13 @@ attempts using pam_faillock.so: -

- Add the following lines immediately below the pam_unix.so statement in AUTH section of - both /etc/pam.d/system-auth and /etc/pam.d/password-auth: --
auth [default=die] pam_faillock.so authfail deny=3 unlock_time=604800 fail_interval=900
--
auth required pam_faillock.so authsucc deny=3 unlock_time=604800 fail_interval=900
-+
auth [default=die] pam_faillock.so authfail deny= unlock_time=604800 fail_interval=
-+
auth required pam_faillock.so authsucc deny=  unlock_time=604800 fail_interval=
- - - To ensure the failed password attempt policy is configured correctly, run the following command: -
$ grep pam_faillock /etc/pam.d/system-auth
--The output should show deny=3. -+The output should show deny=. -
- - Locking out user accounts after a number of incorrect attempts -@@ -490,7 +516,7 @@ prevents direct password guessing attacks. - - - -- -+ - - - -@@ -500,8 +526,8 @@ To configure the system to lock out accounts after a number of incorrect login - attempts and require an administrator to unlock the account using pam_faillock.so: -

- Add the following lines immediately below the pam_env.so statement in /etc/pam.d/system-auth: --
auth [default=die] pam_faillock.so authfail deny=3 unlock_time=604800 fail_interval=900
--
auth required pam_faillock.so authsucc deny=3 unlock_time=604800 fail_interval=900
-+
auth [default=die] pam_faillock.so authfail deny= unlock_time=604800 fail_interval=
-+
auth required pam_faillock.so authsucc deny=  unlock_time=604800 fail_interval=
- - - To ensure the failed password attempt policy is configured correctly, run the following command: -@@ -527,43 +553,46 @@ attempts. -

- Add the following fail_interval directives to pam_faillock.so immediately below the pam_env.so statement in - /etc/pam.d/system-auth and /etc/pam.d/password-auth: --
auth [default=die] pam_faillock.so authfail deny=3 unlock_time=604800 fail_interval=900
--
auth required pam_faillock.so authsucc deny=3 unlock_time=604800 fail_interval=900
-+
auth [default=die] pam_faillock.so authfail deny= unlock_time=604800 fail_interval=
-+
auth required pam_faillock.so authsucc deny=  unlock_time=604800 fail_interval=
- - - To ensure the failed password attempt policy is configured correctly, run the following command: -
$ grep pam_faillock /etc/pam.d/system-auth /etc/pam.d/password-auth
--For each file, the output should show fail_interval=<interval-in-seconds> where interval-in-seconds is 900 (15 minutes) or greater. If the fail_interval parameter is not set, the default setting of 900 seconds is acceptable. -+For each file, the output should show fail_interval=<interval-in-seconds> where interval-in-seconds is -+ or greater. -+If the fail_interval parameter is not set, the default setting of 900 seconds is acceptable. -
- - Locking out user accounts after a number of incorrect attempts within a - specific period of time prevents direct password guessing attacks. - -- -+ - -- -+ -
- - - Limit Password Reuse - Do not allow users to reuse recent passwords. This can - be accomplished by using the remember option for the pam_unix PAM --module. In the file /etc/pam.d/system-auth, append remember=24 to the -+module. In the file /etc/pam.d/system-auth, append -+remember= to the - line which refers to the pam_unix.so module, as shown: --
password sufficient pam_unix.so existing_options remember=24
--The DoD and FISMA requirement is 24 passwords.
-+
password sufficient pam_unix.so existing_options remember=
-+The DoD STIG requirement is 5 passwords. - - To verify the password reuse setting is compliant, run the following command: -
$ grep remember /etc/pam.d/system-auth
- The output should show the following at the end of the line: --
remember=24
-+
remember=
-
- - Preventing re-use of previous passwords helps ensure that a compromised password is not re-used by a user. - - - -- -+ - -
- -diff --git a/RHEL/7/input/system/accounts/restrictions/password_expiration.xml b/RHEL/7/input/system/accounts/restrictions/password_expiration.xml -index d79c4a8..9e56b9d 100644 ---- a/RHEL/7/input/system/accounts/restrictions/password_expiration.xml -+++ b/RHEL/7/input/system/accounts/restrictions/password_expiration.xml -@@ -60,8 +60,8 @@ age, and 7 day warning period with the following command: - 7 - 7 - 5 --1 - 2 -+1 - 0 -
- -@@ -131,7 +131,7 @@ after satisfying the password reuse requirement. - - - -- -+ - - - -@@ -145,7 +145,7 @@ and add or correct the following line, replacing DAYS appropriately: - A value of 180 days is sufficient for many environments. - The DoD requirement is 60. - -- -+ - To check the maximum password age, run the command: -
$ grep PASS_MAX_DAYS /etc/login.defs
- The DoD and FISMA requirement is 60. -@@ -157,9 +157,9 @@ periodically change their passwords. This could possibly decrease - the utility of a stolen password. Requiring shorter password lifetimes - increases the risk of users writing down the password in a convenient - location subject to physical compromise. -- -+ - -- -+ - - - -diff --git a/shared/.gitignore b/shared/.gitignore -index d7b3ccb..39328cf 100644 ---- a/shared/.gitignore -+++ b/shared/.gitignore -@@ -1,3 +1,4 @@ - # files not to track in git - *.pyc - *.ini -+*.swp -diff --git a/shared/references/cce-rhel-avail.txt b/shared/references/cce-rhel-avail.txt -index 381d3da..41dc47e 100644 ---- a/shared/references/cce-rhel-avail.txt -+++ b/shared/references/cce-rhel-avail.txt -@@ -1,6 +1,3 @@ --CCE-27051-2 --CCE-26615-5 --CCE-26763-3 - CCE-26436-6 - CCE-26989-4 - CCE-26992-8 diff --git a/SOURCES/scap-security-guide-0.1.20-rhel6-rhel7-set-deny-prerequisite-#2.patch b/SOURCES/scap-security-guide-0.1.20-rhel6-rhel7-set-deny-prerequisite-#2.patch deleted file mode 100644 index 5bc5cc7..0000000 --- a/SOURCES/scap-security-guide-0.1.20-rhel6-rhel7-set-deny-prerequisite-#2.patch +++ /dev/null @@ -1,142 +0,0 @@ -diff --git a/RHEL/6/input/system/accounts/pam.xml b/RHEL/6/input/system/accounts/pam.xml -index b2da2a4..29fa69f 100644 ---- a/RHEL/6/input/system/accounts/pam.xml -+++ b/RHEL/6/input/system/accounts/pam.xml -@@ -472,12 +472,17 @@ and a second to use unlock_time and set it to a Value - Set Deny For Failed Password Attempts - - To configure the system to lock out accounts after a number of incorrect login --attempts using pam_faillock.so: -+attempts using pam_faillock.so, modify the content of both -+/etc/pam.d/system-auth and /etc/pam.d/password-auth as follows: -

--Add the following lines immediately below the pam_unix.so statement in AUTH section of --both /etc/pam.d/system-auth and /etc/pam.d/password-auth: --
auth [default=die] pam_faillock.so authfail deny= unlock_time=604800 fail_interval=900
--
auth required pam_faillock.so authsucc deny= unlock_time=604800 fail_interval=900
-+
    -+
  • add the following line immediately before the pam_unix.so statement in the AUTH section: -+

    auth required pam_faillock.so preauth silent deny= unlock_time= fail_interval=

  • -+
  • add the following line immediately after the pam_unix.so statement in the AUTH section: -+

    auth [default=die] pam_faillock.so authfail deny= unlock_time= fail_interval=

  • -+
  • add the following line immediately before the pam_unix.so statement in the ACCOUNT section: -+

    account required pam_faillock.so

  • -+
-
- - To ensure the failed password attempt policy is configured correctly, run the following command: -@@ -497,11 +502,17 @@ prevents direct password guessing attacks. - Set Lockout Time For Failed Password Attempts - - To configure the system to lock out accounts after a number of incorrect login --attempts and require an administrator to unlock the account using pam_faillock.so: -+attempts and require an administrator to unlock the account using pam_faillock.so, -+modify the content of both /etc/pam.d/system-auth and /etc/pam.d/password-auth as follows: -

--Add the following lines immediately below the pam_env.so statement in /etc/pam.d/system-auth: --
auth [default=die] pam_faillock.so authfail deny=3 unlock_time= fail_interval=900
--
auth required pam_faillock.so authsucc deny=3 unlock_time= fail_interval=900
-+
    -+
  • add the following line immediately before the pam_unix.so statement in the AUTH section: -+

    auth required pam_faillock.so preauth silent deny= unlock_time= fail_interval=

  • -+
  • add the following line immediately after the pam_unix.so statement in the AUTH section: -+

    auth [default=die] pam_faillock.so authfail deny= unlock_time= fail_interval=

  • -+
  • add the following line immediately before the pam_unix.so statement in the ACCOUNT section: -+

    account required pam_faillock.so

  • -+
-
- - To ensure the failed password attempt policy is configured correctly, run the following command: -@@ -523,12 +534,16 @@ situations. - Set Interval For Counting Failed Password Attempts - - Utilizing pam_faillock.so, the fail_interval directive configures the system to lock out accounts after a number of incorrect login --attempts. -+attempts. Modify the content of both /etc/pam.d/system-auth and /etc/pam.d/password-auth as follows: -

--Add the following fail_interval directives to pam_faillock.so immediately below the pam_env.so statement in --/etc/pam.d/system-auth and /etc/pam.d/password-auth: --
auth [default=die] pam_faillock.so authfail deny=3 unlock_time=604800 fail_interval=
--
auth required pam_faillock.so authsucc deny=3 unlock_time=604800 fail_interval=
-+
    -+
  • add the following line immediately before the pam_unix.so statement in the AUTH section: -+

    auth required pam_faillock.so preauth silent deny= unlock_time= fail_interval=

  • -+
  • add the following line immediately after the pam_unix.so statement in the AUTH section: -+

    auth [default=die] pam_faillock.so authfail deny= unlock_time= fail_interval=

  • -+
  • add the following line immediately before the pam_unix.so statement in the ACCOUNT section: -+

    account required pam_faillock.so

  • -+
-
- - To ensure the failed password attempt policy is configured correctly, run the following command: -diff --git a/RHEL/7/input/system/accounts/pam.xml b/RHEL/7/input/system/accounts/pam.xml -index f5d9cdf..e6bcd60 100644 ---- a/RHEL/7/input/system/accounts/pam.xml -+++ b/RHEL/7/input/system/accounts/pam.xml -@@ -498,12 +498,17 @@ and a second to use unlock_time and set it to a Value - Set Deny For Failed Password Attempts - - To configure the system to lock out accounts after a number of incorrect login --attempts using pam_faillock.so: -+attempts using pam_faillock.so, modify the content of both -+/etc/pam.d/system-auth and /etc/pam.d/password-auth as follows: -

--Add the following lines immediately below the pam_unix.so statement in AUTH section of --both /etc/pam.d/system-auth and /etc/pam.d/password-auth: --
auth [default=die] pam_faillock.so authfail deny= unlock_time=604800 fail_interval=
--
auth required pam_faillock.so authsucc deny=  unlock_time=604800 fail_interval=
-+
    -+
  • add the following line immediately before the pam_unix.so statement in the AUTH section: -+

    auth required pam_faillock.so preauth silent deny= unlock_time= fail_interval=

  • -+
  • add the following line immediately after the pam_unix.so statement in the AUTH section: -+

    auth [default=die] pam_faillock.so authfail deny= unlock_time= fail_interval=

  • -+
  • add the following line immediately before the pam_unix.so statement in the ACCOUNT section: -+

    account required pam_faillock.so

  • -+
-
- - To ensure the failed password attempt policy is configured correctly, run the following command: -@@ -523,11 +528,17 @@ prevents direct password guessing attacks. - Set Lockout Time For Failed Password Attempts - - To configure the system to lock out accounts after a number of incorrect login --attempts and require an administrator to unlock the account using pam_faillock.so: -+attempts and require an administrator to unlock the account using pam_faillock.so, -+modify the content of both /etc/pam.d/system-auth and /etc/pam.d/password-auth as follows: -

--Add the following lines immediately below the pam_env.so statement in /etc/pam.d/system-auth: --
auth [default=die] pam_faillock.so authfail deny= unlock_time=604800 fail_interval=
--
auth required pam_faillock.so authsucc deny=  unlock_time=604800 fail_interval=
-+
    -+
  • add the following line immediately before the pam_unix.so statement in the AUTH section: -+

    auth required pam_faillock.so preauth silent deny= unlock_time= fail_interval=

  • -+
  • add the following line immediately after the pam_unix.so statement in the AUTH section: -+

    auth [default=die] pam_faillock.so authfail deny= unlock_time= fail_interval=

  • -+
  • add the following line immediately before the pam_unix.so statement in the ACCOUNT section: -+

    account required pam_faillock.so

  • -+
-
- - To ensure the failed password attempt policy is configured correctly, run the following command: -@@ -549,12 +560,16 @@ situations. - Set Interval For Counting Failed Password Attempts - - Utilizing pam_faillock.so, the fail_interval directive configures the system to lock out accounts after a number of incorrect login --attempts. -+attempts. Modify the content of both /etc/pam.d/system-auth and /etc/pam.d/password-auth as follows: -

--Add the following fail_interval directives to pam_faillock.so immediately below the pam_env.so statement in --/etc/pam.d/system-auth and /etc/pam.d/password-auth: --
auth [default=die] pam_faillock.so authfail deny= unlock_time=604800 fail_interval=
--
auth required pam_faillock.so authsucc deny=  unlock_time=604800 fail_interval=
-+
    -+
  • add the following line immediately before the pam_unix.so statement in the AUTH section: -+

    auth required pam_faillock.so preauth silent deny= unlock_time= fail_interval=

  • -+
  • add the following line immediately after the pam_unix.so statement in the AUTH section: -+

    auth [default=die] pam_faillock.so authfail deny= unlock_time= fail_interval=

  • -+
  • add the following line immediately before the pam_unix.so statement in the ACCOUNT section: -+

    account required pam_faillock.so

  • -+
-
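Review bot: the rewritten instructions in all four hunks of this patch (Set Deny, Set Lockout Time and Set Interval, for both RHEL/6 and RHEL/7 pam.xml) drop the old `auth required pam_faillock.so authsucc ...` line and instead add `account required pam_faillock.so` before pam_unix.so in the ACCOUNT section, but the text never says why the placement matters, and "immediately before/after the pam_unix.so statement" reads as arbitrary to an admin editing the file by hand. The ordering is the whole point: the `preauth silent` line must run before pam_unix.so so that an already-locked account is refused before a password is even checked, the `[default=die] ... authfail` line must run after it so that only failed pam_unix.so attempts are counted (with pam_unix.so marked sufficient, a successful password never reaches authfail), and the account-phase entry is what clears the tally after a successful login, which is why authsucc is no longer needed. Suggest one sentence of that rationale in the description. Two smaller points: the old lines hardcoded `unlock_time=604800` while the new lines leave `deny=`, `unlock_time=` and `fail_interval=` to be filled from the rule variable, which is an improvement but means a value of 0 (never unlock) is no longer the documented default; and the identical three-bullet block is repeated in four places, so any later wording fix has to be applied four times.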
- - To ensure the failed password attempt policy is configured correctly, run the following command: diff --git a/SOURCES/scap-security-guide-0.1.20-rhel7-shared-fix-limit-password-reuse-remediation.patch b/SOURCES/scap-security-guide-0.1.20-rhel7-shared-fix-limit-password-reuse-remediation.patch deleted file mode 100644 index 2b77b38..0000000 --- a/SOURCES/scap-security-guide-0.1.20-rhel7-shared-fix-limit-password-reuse-remediation.patch +++ /dev/null @@ -1,24 +0,0 @@ -diff --git a/RHEL/7/input/profiles/rht-ccp.xml b/RHEL/7/input/profiles/rht-ccp.xml -index e611421..5236ffa 100644 ---- a/RHEL/7/input/profiles/rht-ccp.xml -+++ b/RHEL/7/input/profiles/rht-ccp.xml -@@ -18,7 +18,7 @@ - - - -- -+ - - - -diff --git a/shared/fixes/bash/accounts_password_pam_unix_remember.sh b/shared/fixes/bash/accounts_password_pam_unix_remember.sh -index 04e0767..98aecef 100644 ---- a/shared/fixes/bash/accounts_password_pam_unix_remember.sh -+++ b/shared/fixes/bash/accounts_password_pam_unix_remember.sh -@@ -4,5 +4,5 @@ populate var_password_pam_unix_remember - if grep -q "remember=" /etc/pam.d/system-auth; then - sed -i --follow-symlink "s/\(remember *= *\).*/\1$var_password_pam_unix_remember/" /etc/pam.d/system-auth - else -- sed -i --follow-symlink "/^password[\s]sufficient[\s]pam_unix.so/ s/$/ remember=$var_password_pam_unix_remember/" /etc/pam.d/system-auth -+ sed -i --follow-symlink "/^password[[:space:]]\+sufficient[[:space:]]\+pam_unix.so/ s/$/ remember=$var_password_pam_unix_remember/" /etc/pam.d/system-auth - fi diff --git a/SOURCES/scap-security-guide-0.1.20-rhel7-specify-exact-profile-name-when-generating-guide.patch b/SOURCES/scap-security-guide-0.1.20-rhel7-specify-exact-profile-name-when-generating-guide.patch deleted file mode 100644 index 03cdfd6..0000000 --- a/SOURCES/scap-security-guide-0.1.20-rhel7-specify-exact-profile-name-when-generating-guide.patch +++ /dev/null 
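Review bot: the regex fix in accounts_password_pam_unix_remember.sh is correct and worth calling out in the patch header: `[\s]` in a POSIX basic regex is a bracket expression matching a literal backslash or the letter s, not whitespace, so the old `/^password[\s]sufficient[\s]pam_unix.so/` address could never match a real system-auth line and `remember=` was silently never appended; `[[:space:]]\+` fixes that. Two defects remain in the same script: the guard `grep -q "remember=" /etc/pam.d/system-auth` is not anchored to the pam_unix.so password line, so a `remember=` on any other module line sends the script into the substitute branch and leaves pam_unix.so untouched (suggest `grep -q "^password.*pam_unix.so.*remember="`), and only system-auth is edited while the faillock remediation in this same series treats password-auth as well. Dropping the patch because upstream accepted it is fine; the follow-up fixes belong upstream.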
@@ -1,20 +0,0 @@ -diff --git a/RHEL/7/Makefile b/RHEL/7/Makefile -index c3be98b..0f15c1d 100644 ---- a/RHEL/7/Makefile -+++ b/RHEL/7/Makefile -@@ -44,11 +44,12 @@ checks: - - guide: shorthand2xccdf - # remove auxiliary Groups which are only for use in tables, and not guide output. --# specifying a nonexistent profile, "allrules," to make oscap print all Rules - xsltproc -o $(OUT)/unlinked-rhel7-xccdf-guide.xml $(TRANS)/xccdf-removeaux.xslt $(OUT)/unlinked-rhel7-xccdf.xml - xsltproc -o $(OUT)/unlinked-notest-rhel7-xccdf-guide.xml $(TRANS)/xccdf-removetested.xslt $(OUT)/unlinked-rhel7-xccdf-guide.xml -- oscap xccdf generate guide --profile allrules $(OUT)/unlinked-notest-rhel7-xccdf-guide.xml > $(OUT)/rhel7-guide.html -- xsltproc -o $(OUT)/rhel7-guide-custom.html $(TRANS)/xccdf2html.xslt $(OUT)/unlinked-notest-rhel7-xccdf-guide.xml -+# OpenSCAP-1.1.1 expects exact profile name in order to include also rules into guide -+# Create guide for RHT-CCP profile -+ oscap xccdf generate guide --profile rht-ccp $(OUT)/unlinked-notest-rhel7-xccdf-guide.xml > $(OUT)/rhel7-ccp-guide.html -+ xsltproc -o $(OUT)/rhel7-ccp-guide-custom.html $(TRANS)/xccdf2html.xslt $(OUT)/unlinked-notest-rhel7-xccdf-guide.xml - - # example, if needed: for converting XCCDF into shorthand - #xccdf2shorthand: diff --git a/SOURCES/scap-security-guide-0.1.20-shared-fix-set-deny-for-failed-password-attempts-remediation.patch b/SOURCES/scap-security-guide-0.1.20-shared-fix-set-deny-for-failed-password-attempts-remediation.patch deleted file mode 100644 index e88e7a4..0000000 --- a/SOURCES/scap-security-guide-0.1.20-shared-fix-set-deny-for-failed-password-attempts-remediation.patch +++ /dev/null 
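Review bot: hardcoding `--profile rht-ccp` in the `guide` target means the generated HTML documents only the RHT-CCP profile, and the output rename from rhel7-guide.html to rhel7-ccp-guide.html has to be mirrored in the spec's %doc list (the old %files line references RHEL/7/output/rhel7-ccp-guide.html), which is exactly the coupling the spec's move to `RHEL/7/output/ssg-rhel7-guide-*.html` in the -doc subpackage removes, so deleting this patch together with that change is right. For the record, the removed comment (`specifying a nonexistent profile, "allrules," to make oscap print all Rules`) documented why the previous invocation produced a full guide; the replacement comment only says OpenSCAP 1.1.1 "expects exact profile name" and should say that the all-rules trick stopped working, so nobody reintroduces it.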
@@ -1,51 +0,0 @@ -diff --git a/shared/fixes/bash/accounts_passwords_pam_faillock_deny.sh b/shared/fixes/bash/accounts_passwords_pam_faillock_deny.sh -index ca11120..b1dbd3a 100644 ---- a/shared/fixes/bash/accounts_passwords_pam_faillock_deny.sh -+++ b/shared/fixes/bash/accounts_passwords_pam_faillock_deny.sh -@@ -1,18 +1,36 @@ - source ./templates/support.sh - populate var_accounts_passwords_pam_faillock_deny - --for pamFile in "/etc/pam.d/system-auth /etc/pam.d/password-auth" --do -+AUTH_FILES[0]="/etc/pam.d/system-auth" -+AUTH_FILES[1]="/etc/pam.d/password-auth" - -- if grep -q "^auth.*[default=die].*pam_faillock.so.*authfail.*deny=" $pamFile; then -- sed -i --follow-symlink "s/\(^auth.*[default=die].*pam_faillock.so.*authfail.*\)\(deny *= *\).*/\1\2$var_accounts_passwords_pam_faillock_deny/" $pamFile -- else -- sed -i --follow-symlink "/^auth.*[default=die].*pam_faillock.so.*authfail/ s/$/ deny=$var_accounts_passwords_pam_faillock_deny/" $pamFile -- fi -+for pamFile in "${AUTH_FILES[@]}" -+do - -- if grep -q "^auth.*[default=die].*pam_faillock.so.*authsucc.*deny=" /etc/pam.d/system-auth; then -- sed -i --follow-symlink "s/\(^auth.*[default=die].*pam_faillock.so.*authsucc.*\)\(deny *= *\).*/\1\2$var_accounts_passwords_pam_faillock_deny/" $pamFile -+ # pam_faillock.so already present? -+ if grep -q "^auth.*pam_faillock.so.*" $pamFile; then -+ -+ # pam_faillock.so present, deny directive present? 
-+ if grep -q "^auth.*[default=die].*pam_faillock.so.*authfail.*deny=" $pamFile; then -+ -+ # both pam_faillock.so & deny present, just correct deny directive value -+ sed -i --follow-symlink "s/\(^auth.*required.*pam_faillock.so.*preauth.*silent.*\)\(deny *= *\).*/\1\2$var_accounts_passwords_pam_faillock_deny/" $pamFile -+ sed -i --follow-symlink "s/\(^auth.*[default=die].*pam_faillock.so.*authfail.*\)\(deny *= *\).*/\1\2$var_accounts_passwords_pam_faillock_deny/" $pamFile -+ -+ # pam_faillock.so present, but deny directive not yet -+ else -+ -+ # append correct deny value to appropriate places -+ sed -i --follow-symlink "/^auth.*required.*pam_faillock.so.*preauth.*silent.*/ s/$/ deny=$var_accounts_passwords_pam_faillock_deny/" $pamFile -+ sed -i --follow-symlink "/^auth.*[default=die].*pam_faillock.so.*authfail.*/ s/$/ deny=$var_accounts_passwords_pam_faillock_deny/" $pamFile -+ fi -+ -+ # pam_faillock.so not present yet - else -- sed -i --follow-symlink "/^auth.*[default=die].*pam_faillock.so.*authsucc/ s/$/ deny=$var_accounts_passwords_pam_faillock_deny/" $pamFile -+ -+ # insert pam_faillock.so preauth & authfail rows with proper value of the 'deny' option -+ sed -i --follow-symlink "/^auth.*sufficient.*pam_unix.so.*/i auth required pam_faillock.so preauth silent deny=$var_accounts_passwords_pam_faillock_deny" $pamFile -+ sed -i --follow-symlink "/^auth.*sufficient.*pam_unix.so.*/a auth [default=die] pam_faillock.so authfail deny=$var_accounts_passwords_pam_faillock_deny" $pamFile -+ sed -i --follow-symlink "/^account.*required.*pam_unix.so/i account required pam_faillock.so" $pamFile - fi - done diff --git a/SOURCES/scap-security-guide-0.1.25-add-adjtimex-settimeofday-stime-rhel7-remediation.patch b/SOURCES/scap-security-guide-0.1.25-add-adjtimex-settimeofday-stime-rhel7-remediation.patch new file mode 100644 index 0000000..b0b28d6 --- /dev/null +++ b/SOURCES/scap-security-guide-0.1.25-add-adjtimex-settimeofday-stime-rhel7-remediation.patch 
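Review bot: `[default=die]` is unescaped in every grep and sed pattern in accounts_passwords_pam_faillock_deny.sh, so as a bracket expression it matches a single character out of `d e f a u l t = i` rather than the literal control field; with the surrounding `.*` the patterns still hit the intended `auth [default=die] pam_faillock.so authfail` line, but they equally match `auth required pam_faillock.so authfail`, and the substitution `s/\(^auth.*required.*pam_faillock.so.*preauth.*silent.*\)\(deny *= *\).*/\1\2$var.../` replaces everything after `deny=` with the value, so any `unlock_time=` or `fail_interval=` that follows it on the same line is lost. Escape the brackets (`\[default=die\]`) and use `\(deny *= *\)[0-9]*` so only the number is rewritten. The outer presence test is also incomplete: it decides from the authfail line alone, so if preauth already carries `deny=` but authfail does not, the else branch appends a second `deny=` to preauth. The array rewrite of the file loop is a genuine fix and should be mentioned in the header: the old `for pamFile in "/etc/pam.d/system-auth /etc/pam.d/password-auth"` iterated exactly once over one string containing both paths.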
@@ -0,0 +1,135 @@ +From bb68e10170f532fed47277d76eb74f4fad498039 Mon Sep 17 00:00:00 2001 +From: Jan Lieskovsky +Date: Fri, 24 Jul 2015 16:21:04 +0200 +Subject: [PATCH] [Enhancement] [RHEL/7] New RHEL-7 audit time remediations for + following rules: * audit_rules_time_adjtimex, * + audit_rules_time_settimeofday, and * audit_rules_time_stime + +Testing report: +-------------- +Verified manually on RHEL-7 host the changes are working fine (in both +scenarios, expected rule not at all present in audit.rules configuration, +or expected rule partially present in audit.rules configuration) +--- + .../input/fixes/bash/audit_rules_time_adjtimex.sh | 32 ++++++++++++++++++++++ + .../fixes/bash/audit_rules_time_settimeofday.sh | 32 ++++++++++++++++++++++ + RHEL/7/input/fixes/bash/audit_rules_time_stime.sh | 32 ++++++++++++++++++++++ + 3 files changed, 96 insertions(+) + create mode 100644 RHEL/7/input/fixes/bash/audit_rules_time_adjtimex.sh + create mode 100644 RHEL/7/input/fixes/bash/audit_rules_time_settimeofday.sh + create mode 100644 RHEL/7/input/fixes/bash/audit_rules_time_stime.sh + +diff --git a/RHEL/7/input/fixes/bash/audit_rules_time_adjtimex.sh b/RHEL/7/input/fixes/bash/audit_rules_time_adjtimex.sh +new file mode 100644 +index 0000000..43fdfbb +--- /dev/null ++++ b/RHEL/7/input/fixes/bash/audit_rules_time_adjtimex.sh +@@ -0,0 +1,32 @@ ++ ++# Include source function library. ++. 
/usr/share/scap-security-guide/remediation_functions ++ ++# Perform the remediation for the syscall rule ++# Retrieve hardware architecture of the underlying system ++[ $(getconf LONG_BIT) = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64") ++ ++for ARCH in "${RULE_ARCHS[@]}" ++do ++ ++ PATTERN="-a always,exit -F arch=${ARCH} -S .* -k *" ++ ++ # Create expected audit group and audit rule form for particular system call & architecture ++ if [ ${ARCH} = "b32" ] ++ then ++ # stime system call is known at 32-bit arch (see e.g "$ ausyscall i386 stime" 's output) ++ # so append it to the list of time group system calls to be audited ++ GROUP="\(adjtimex\|settimeofday\|stime\)" ++ FULL_RULE="-a always,exit -F arch=${ARCH} -S adjtimex -S settimeofday -S stime -k audit_time_rules" ++ elif [ ${ARCH} = "b64" ] ++ then ++ # stime system call isn't known at 64-bit arch (see "$ ausyscall x86_64 stime" 's output) ++ # therefore don't add it to the list of time group system calls to be audited ++ GROUP="\(adjtimex\|settimeofday\)" ++ FULL_RULE="-a always,exit -F arch=${ARCH} -S adjtimex -S settimeofday -k audit_time_rules" ++ fi ++ ++ # Perform the remediation for both possible tools: 'auditctl' and 'augenrules' ++ fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" ++ fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" ++done +diff --git a/RHEL/7/input/fixes/bash/audit_rules_time_settimeofday.sh b/RHEL/7/input/fixes/bash/audit_rules_time_settimeofday.sh +new file mode 100644 +index 0000000..43fdfbb +--- /dev/null ++++ b/RHEL/7/input/fixes/bash/audit_rules_time_settimeofday.sh +@@ -0,0 +1,32 @@ ++ ++# Include source function library. ++. 
/usr/share/scap-security-guide/remediation_functions ++ ++# Perform the remediation for the syscall rule ++# Retrieve hardware architecture of the underlying system ++[ $(getconf LONG_BIT) = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64") ++ ++for ARCH in "${RULE_ARCHS[@]}" ++do ++ ++ PATTERN="-a always,exit -F arch=${ARCH} -S .* -k *" ++ ++ # Create expected audit group and audit rule form for particular system call & architecture ++ if [ ${ARCH} = "b32" ] ++ then ++ # stime system call is known at 32-bit arch (see e.g "$ ausyscall i386 stime" 's output) ++ # so append it to the list of time group system calls to be audited ++ GROUP="\(adjtimex\|settimeofday\|stime\)" ++ FULL_RULE="-a always,exit -F arch=${ARCH} -S adjtimex -S settimeofday -S stime -k audit_time_rules" ++ elif [ ${ARCH} = "b64" ] ++ then ++ # stime system call isn't known at 64-bit arch (see "$ ausyscall x86_64 stime" 's output) ++ # therefore don't add it to the list of time group system calls to be audited ++ GROUP="\(adjtimex\|settimeofday\)" ++ FULL_RULE="-a always,exit -F arch=${ARCH} -S adjtimex -S settimeofday -k audit_time_rules" ++ fi ++ ++ # Perform the remediation for both possible tools: 'auditctl' and 'augenrules' ++ fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" ++ fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" ++done +diff --git a/RHEL/7/input/fixes/bash/audit_rules_time_stime.sh b/RHEL/7/input/fixes/bash/audit_rules_time_stime.sh +new file mode 100644 +index 0000000..43fdfbb +--- /dev/null ++++ b/RHEL/7/input/fixes/bash/audit_rules_time_stime.sh +@@ -0,0 +1,32 @@ ++ ++# Include source function library. ++. 
/usr/share/scap-security-guide/remediation_functions ++ ++# Perform the remediation for the syscall rule ++# Retrieve hardware architecture of the underlying system ++[ $(getconf LONG_BIT) = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64") ++ ++for ARCH in "${RULE_ARCHS[@]}" ++do ++ ++ PATTERN="-a always,exit -F arch=${ARCH} -S .* -k *" ++ ++ # Create expected audit group and audit rule form for particular system call & architecture ++ if [ ${ARCH} = "b32" ] ++ then ++ # stime system call is known at 32-bit arch (see e.g "$ ausyscall i386 stime" 's output) ++ # so append it to the list of time group system calls to be audited ++ GROUP="\(adjtimex\|settimeofday\|stime\)" ++ FULL_RULE="-a always,exit -F arch=${ARCH} -S adjtimex -S settimeofday -S stime -k audit_time_rules" ++ elif [ ${ARCH} = "b64" ] ++ then ++ # stime system call isn't known at 64-bit arch (see "$ ausyscall x86_64 stime" 's output) ++ # therefore don't add it to the list of time group system calls to be audited ++ GROUP="\(adjtimex\|settimeofday\)" ++ FULL_RULE="-a always,exit -F arch=${ARCH} -S adjtimex -S settimeofday -k audit_time_rules" ++ fi ++ ++ # Perform the remediation for both possible tools: 'auditctl' and 'augenrules' ++ fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" ++ fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" ++done diff --git a/SOURCES/scap-security-guide-0.1.25-downstream-rhel7-pci-dss-disable-selected-rules.patch b/SOURCES/scap-security-guide-0.1.25-downstream-rhel7-pci-dss-disable-selected-rules.patch new file mode 100644 index 0000000..40bc76a --- /dev/null +++ b/SOURCES/scap-security-guide-0.1.25-downstream-rhel7-pci-dss-disable-selected-rules.patch 
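Review bot: the three new scripts are byte-identical (all three carry blob index 43fdfbb), so audit_rules_time_settimeofday.sh and audit_rules_time_stime.sh are copies of audit_rules_time_adjtimex.sh rather than per-rule remediations. That is acceptable because `FULL_RULE` audits adjtimex, settimeofday and stime as one group under the key audit_time_rules, but the comment `# Perform the remediation for the syscall rule` should say so, and three copies will silently diverge the first time one is edited; one shared script sourced by the other two would avoid that. On the logic: `PATTERN="-a always,exit -F arch=${ARCH} -S .* -k *"` ends in ` *`, i.e. `-k` followed by zero or more spaces, so it matches any syscall rule for that arch regardless of key, and whether an unrelated rule gets rewritten depends entirely on how fix_audit_syscall_rule combines PATTERN and GROUP; that helper is not in this patch (only its sourcing from /usr/share/scap-security-guide/remediation_functions, the install path the spec creates), so please reference the helper's contract in a comment. The stime handling is right: `getconf LONG_BIT` = 32 restricts to b32, and on 64-bit both a b32 rule with stime and a b64 rule without it are emitted, matching the inline ausyscall notes.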
@@ -0,0 +1,34 @@ +--- scap-security-guide-0.1.24/RHEL/7/input/profiles/pci-dss.xml.orig 2015-08-03 21:07:57.312866056 +0200 ++++ scap-security-guide-0.1.24/RHEL/7/input/profiles/pci-dss.xml 2015-08-03 21:14:25.502325114 +0200 +@@ -46,15 +46,15 @@ + + ++ + +- + + ++ + + +- +- + + + +- + + diff --git a/SOURCES/scap-security-guide-0.1.25-update-upstream-manual-page.patch b/SOURCES/scap-security-guide-0.1.25-update-upstream-manual-page.patch new file mode 100644 index 0000000..5c25653 --- /dev/null +++ b/SOURCES/scap-security-guide-0.1.25-update-upstream-manual-page.patch @@ -0,0 +1,20 @@ +--- scap-security-guide-0.1.25/docs/scap-security-guide.8.orig 2015-08-19 18:58:32.408884940 +0200 ++++ scap-security-guide-0.1.25/docs/scap-security-guide.8 2015-08-19 18:59:13.201694420 +0200 +@@ -105,17 +105,6 @@ The common profile is intended to be u + scanning of general-purpose Red Hat Enterprise Linux systems. + .RE + +-.SH Fedora PROFILES +-The Fedora SSG content is broken into 'profiles,' groupings of security settings that +-correlate to a known policy. Currently available profile: +- +-.I common +-.RS +-The common profile is intended to be used as a base, universal profile for +-scanning of general-purpose Fedora systems. +-.RE +- +- + .SH EXAMPLES + To scan your system utilizing the OpenSCAP utility against the + stig-rhel6-server-upstream profile: diff --git a/SPECS/scap-security-guide.spec b/SPECS/scap-security-guide.spec index ce8bb89..aa2cc05 100644 --- a/SPECS/scap-security-guide.spec +++ b/SPECS/scap-security-guide.spec 
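Review bot: the pci-dss patch headers reference `scap-security-guide-0.1.24/RHEL/7/input/profiles/pci-dss.xml` although the file is named ...-0.1.25-... and %prep applies it with -p1 to the 0.1.25 tree; the prefix is stripped so it still applies, but the stale version in the path says the patch was not regenerated against the 0.1.25 tarball, and the selections it toggles are not visible in this rendering, so I cannot confirm that exactly the six rules named in the %prep comment are the ones disabled. Regenerate against 0.1.25 and add a short header listing the rule ids so the patch is self-describing. The man page hunk is straightforward: it removes the Fedora PROFILES section and its `common` profile text, consistent with the package shipping only RHEL, Firefox and JRE content.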
@@ -1,29 +1,23 @@ -%global redhatssgversion 19 +%global redhatssgversion 25 Name: scap-security-guide Version: 0.1.%{redhatssgversion} -Release: 2%{?dist} +Release: 3%{?dist} Summary: Security guidance and baselines in SCAP formats Group: System Environment/Base License: Public Domain -URL: https://fedorahosted.org/scap-security-guide/ - -Source0: http://repos.ssgproject.org/sources/%{name}-%{version}.tar.gz -Patch1: scap-security-guide-0.1.19-rhel7-include-only-rht-ccp-profile.patch -Patch2: scap-security-guide-0.1.19-rhel7-drop-restorecond-since-in-optional.patch -Patch3: scap-security-guide-0.1.19-rhel7-drop-cpuspeed-rule-since-obsolete.patch -Patch4: scap-security-guide-0.1.19-update-man-page-for-rhel7-content.patch -Patch5: scap-security-guide-0.1.19-rhel7-update-pam-XCCDF-to-use-pam_pwquality.patch -Patch6: scap-security-guide-0.1.20-rhel7-shared-fix-limit-password-reuse-remediation.patch -Patch7: scap-security-guide-0.1.20-rhel6-rhel7-PR#280-set-deny-prerequisite-#1.patch -Patch8: scap-security-guide-0.1.20-rhel6-rhel7-set-deny-prerequisite-#2.patch -Patch9: scap-security-guide-0.1.20-shared-fix-set-deny-for-failed-password-attempts-remediation.patch -Patch10: scap-security-guide-0.1.20-rhel7-specify-exact-profile-name-when-generating-guide.patch +URL: https://github.com/OpenSCAP/scap-security-guide +Source0: %{name}-%{version}.tar.gz +Patch1: scap-security-guide-0.1.19-rhel7-drop-cpuspeed-rule-since-obsolete.patch +Patch2: scap-security-guide-0.1.25-update-upstream-manual-page.patch +Patch3: scap-security-guide-0.1.25-add-adjtimex-settimeofday-stime-rhel7-remediation.patch +Patch4: scap-security-guide-0.1.25-downstream-rhel7-pci-dss-disable-selected-rules.patch +Patch5: scap-security-guide-0.1.25-downstream-rhel7-pci-dss-drop-rpm-verify-permissions-rule.patch BuildArch: noarch -BuildRequires: libxslt, expat, python, openscap-scanner >= 1.1.1, python-lxml -Requires: xml-common, openscap-scanner >= 1.1.1 +BuildRequires: libxslt, expat, python, 
openscap-scanner >= 1.2.5, python-lxml +Requires: xml-common, openscap-scanner >= 1.2.5 %description The scap-security-guide project provides a guide for configuration of the 
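Review bot: Patch5 (scap-security-guide-0.1.25-downstream-rhel7-pci-dss-drop-rpm-verify-permissions-rule.patch) is declared here and applied in %prep, but this change adds no `diff --git` for a SOURCES file of that name (the diff goes straight from ...-disable-selected-rules.patch to ...-update-upstream-manual-page.patch), so unless it lands in a separate commit the build fails in %prep with a missing patch file; the 0.1.25-3 changelog entry describes it, so it looks like it was simply left out of the commit. Separately, `Source0: %{name}-%{version}.tar.gz` drops the download URL entirely, while the 0.1.23-1 changelog entry says the source URL was updated to the GitHub archive location; either restore a full URL (the `URL:` tag now points at github.com/OpenSCAP/scap-security-guide) or amend the changelog. The openscap-scanner >= 1.2.5 bump in both BuildRequires and Requires matches the 0.1.25-2 entry.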
@@ -36,31 +30,43 @@ Enterprise Linux 7 system administrator can use the oscap command-line tool from the openscap-utils package to verify that the system conforms to provided guideline. Refer to scap-security-guide(8) manual page for further information. +%package doc +Summary: HTML formatted documents containing security guides generated from XCCDF benchmarks. +Group: System Environment/Base +Requires: %{name} = %{version}-%{release} + +%description doc +The %{name}-doc package contains HTML formatted documents containing security guides that have +been generated from XCCDF benchmarks present in %{name} package. + %prep %setup -q -n %{name}-%{version} -# For RHEL-7 include only RHT-CCP profile -%patch1 -p1 -b .rht-ccp-only -# Drop restorecond due to https://github.com/OpenSCAP/scap-security-guide/issues/258 -%patch2 -p1 -E -b .drop-restorecond # Drop cpuspeed rule since obsoleted in Fedora-16 by cpupower from kernel-tools RPM # http://marc.info/?l=fedora-devel-list&m=131107769617369&w=2 -%patch3 -p1 -b .drop-cpuspeed -# Update manual page to be more appropriate against RHEL-7 -%patch4 -p1 -b .manual-page -# Update pam.xml to use pam_pwquality instead of pam_cracklib -%patch5 -p1 -b .replace-pam_cracklib -# Fix 'Limit Password Reuse' remediation error -%patch6 -p1 -b .reuse -# Fix 'Set Deny For Failed Password Attempts' remediation error -%patch7 -p1 -%patch8 -p1 -%patch9 -p1 -b .set-deny -# Specify exact profile name when generating RHEL-7 HTML guide -%patch10 -p1 -b .exact-profile +%patch1 -p1 -b .drop-cpuspeed +# Update manual page to drop the part dedicated to Fedora content +%patch2 -p1 -b .man_page_update +# Downstream -- Add RHEL-7 remediation for 'audit_rules_time_adjtimex', 'audit_rules_time_settimeofday', and +# 'audit_rules_time_stime' rules +%patch3 -p1 -b .adjtimex_settimeofday_stime +# Downstream +# RHEL-7 PCI-DSS profile disable selected rules: +# * dconf_gnome_screensaver_idle_delay -- missing RHEL-7 remediation +# * 
dconf_gnome_screensaver_idle_activation -- missing RHEL-7 remediation +# * dconf_gnome_screensaver_lock_enabled -- missing RHEL-7 remediation +# * audit_rules_login_events -- incorrect OVAL, see https://github.com/OpenSCAP/scap-security-guide/issues/607 +# * audit_rules_privileged_commands -- missing RHEL-7 remediation, and +# * audit_rules_immutable -- missing RHEL-7 remediation +%patch4 -p1 -b .rhel7_pcidss_downstream_disabled +# Temporarily drop "Verify and Correct File Permissions with RPM" +# rule from RHEL-7's PCI-DSS profile (RH BZ#1267861) +%patch5 -p1 -b .rhel7_pcidss_drop_rpm_verify_permissions_rule %build -(cd RHEL/6 && make dist) (cd RHEL/7 && make dist) +(cd RHEL/6 && make dist) +(cd Firefox && make dist) +(cd JRE && make dist) %install 
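Review bot: the %prep comment labels Patch3 as `Downstream`, but the patch itself is a git format-patch carrying upstream commit bb68e10170f532fed47277d76eb74f4fad498039 with a Subject line and testing report, i.e. it is a backport rather than a downstream-only change; label it as such and record the upstream commit in the comment so whoever does the next rebase knows it can be dropped once a release containing it is packaged, the way the 0.1.23-1 changelog entry did for the 0.1.19 and 0.1.20 patches. Also, %build now runs `make dist` in RHEL/7, RHEL/6, Firefox and JRE; BuildRequires gained nothing for the Firefox and JRE trees, which is fine only if they need no tooling beyond the libxslt, expat, python and python-lxml already listed, so please confirm that in the commit message.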
@@ -68,21 +74,110 @@ mkdir -p %{buildroot}%{_datadir}/xml/scap/ssg/content mkdir -p %{buildroot}%{_mandir}/en/man8/ # Add in RHEL-7 core content (SCAP) -cp -a RHEL/7/dist/content/* %{buildroot}%{_datadir}/xml/scap/ssg/content/ +cp -a RHEL/7/dist/content/ssg-rhel7-cpe-dictionary.xml %{buildroot}%{_datadir}/xml/scap/ssg/content/ +cp -a RHEL/7/dist/content/ssg-rhel7-cpe-oval.xml %{buildroot}%{_datadir}/xml/scap/ssg/content/ +cp -a RHEL/7/dist/content/ssg-rhel7-ds.xml %{buildroot}%{_datadir}/xml/scap/ssg/content/ +cp -a RHEL/7/dist/content/ssg-rhel7-oval.xml %{buildroot}%{_datadir}/xml/scap/ssg/content/ +cp -a RHEL/7/dist/content/ssg-rhel7-xccdf.xml %{buildroot}%{_datadir}/xml/scap/ssg/content/ # Add in RHEL-6 datastream (SCAP) cp -a RHEL/6/dist/content/ssg-rhel6-ds.xml %{buildroot}%{_datadir}/xml/scap/ssg/content +# Add in Firefox datastream (SCAP) +cp -a Firefox/dist/content/ssg-firefox-ds.xml %{buildroot}%{_datadir}/xml/scap/ssg/content + +# Add in Java Runtime Environment (JRE) datastream (SCAP) +cp -a JRE/dist/content/ssg-jre-ds.xml %{buildroot}%{_datadir}/xml/scap/ssg/content + +# Add in library for remediations +mkdir -p %{buildroot}%{_datadir}/%{name} +cp -a shared/fixes/bash/templates/remediation_functions %{buildroot}%{_datadir}/%{name}/remediation_functions + +# Add in RHEL-6 kickstart files +mkdir -p %{buildroot}%{_datadir}/%{name}/kickstart +cp -a RHEL/6/kickstart/ssg-rhel6-stig-ks.cfg %{buildroot}%{_datadir}/%{name}/kickstart/ +cp -a RHEL/6/kickstart/ssg-rhel6-usgcb-server-with-gui-ks.cfg %{buildroot}%{_datadir}/%{name}/kickstart/ +# Add in RHEL-7 kickstart files +cp -a RHEL/7/kickstart/ssg-rhel7-pci-dss-server-with-gui-oaa-ks.cfg %{buildroot}%{_datadir}/%{name}/kickstart/ + # Add in manpage -cp -a RHEL/6/input/auxiliary/scap-security-guide.8 %{buildroot}%{_mandir}/en/man8/scap-security-guide.8 +cp -a docs/scap-security-guide.8 %{buildroot}%{_mandir}/en/man8/scap-security-guide.8 %files %defattr(-,root,root,-) %{_datadir}/xml/scap +%{_datadir}/%{name} 
%lang(en) %{_mandir}/en/man8/scap-security-guide.8.gz -%doc RHEL/6/LICENSE RHEL/6/output/rhel6-guide.html RHEL/7/output/rhel7-ccp-guide.html RHEL/6/output/table-rhel6-cces.html RHEL/7/output/table-rhel7-cces.html RHEL/6/output/table-rhel6-nistrefs-common.html RHEL/6/output/table-rhel6-nistrefs.html RHEL/6/output/table-rhel6-srgmap-flat.html RHEL/6/output/table-rhel6-srgmap-flat.xhtml RHEL/6/output/table-rhel6-srgmap.html RHEL/6/output/table-rhel6-stig.html RHEL/6/input/auxiliary/DISCLAIMER +%doc ./LICENSE RHEL/6/output/table-rhel6-cces.html RHEL/7/output/table-rhel7-cces.html RHEL/6/output/table-rhel6-nistrefs-common.html RHEL/6/output/table-rhel6-nistrefs.html RHEL/6/output/table-rhel6-srgmap-flat.html RHEL/6/output/table-rhel6-srgmap-flat.xhtml RHEL/6/output/table-rhel6-srgmap.html RHEL/6/output/table-rhel6-stig.html RHEL/6/input/auxiliary/DISCLAIMER + +%files doc +%defattr(-,root,root,-) +%doc RHEL/6/output/ssg-rhel6-guide-*.html RHEL/7/output/ssg-rhel7-guide-*.html JRE/output/ssg-jre-guide-*.html Firefox/output/ssg-firefox-guide-*.html %changelog +* Fri Oct 02 2015 Jan iankko Lieskovsky 0.1.25-3 +- Drop "Verify and Correct File Permissions with RPM" rule from the PCI-DSS + profile for Red Hat Enterprise Linux 7 (RH BZ#1267861) + +* Wed Sep 09 2015 Jan iankko Lieskovsky 0.1.25-2 +- Update R and BR for the openscap-scanner package to 1.2.5 per RHBZ#1202762#c7 + +* Wed Aug 19 2015 Jan iankko Lieskovsky 0.1.25-1 +- Rebase to upstream 0.1.25 release + +* Tue Aug 04 2015 Jan iankko Lieskovsky 0.1.24-4 +- Fix false-positive in OVAL check for 'accounts_passwords_pam_faillock_deny' + rule + +* Mon Aug 03 2015 Jan iankko Lieskovsky 0.1.24-3 +- Add remediation script for 'accounts_passwords_pam_faillock_unlock_time' rule + for Red Hat Enterprise Linux 7 product +- Override title and description for all existing profiles for Red Hat + Enterprise Linux 6 product that are extending another SCAP profile + (RHBZ#1246529) +- Correct various issues in the included Oscap Anaconda 
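Review bot: the -doc subpackage `Summary:` ends with a period, which rpmlint reports as summary-ended-with-dot; drop the trailing dot. In %install the RHEL-7 content switched from `cp -a RHEL/7/dist/content/*` to five explicit `cp` lines, which makes the packaged set explicit but also means any new file in RHEL/7/dist/content is silently not shipped, and because %files only globs `%{_datadir}/xml/scap` no build error will flag the omission; a comment saying the list is deliberate (or a `ls` check against dist/content) would help. The `mkdir -p %{buildroot}%{_datadir}/%{name}` plus `%{_datadir}/%{name}` in %files correctly gives the package ownership of the remediation_functions file and the kickstart directory, and `Requires: %{name} = %{version}-%{release}` on -doc is the right dependency for a noarch companion.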
Addon PCI-DSS profile + kickstart file for Red Hat Enterprise Linux 7 product +- Add remediation script for 'audit_rules_time_clock_settime' rule for + Red Hat Enterprise Linux 7 product +- Add remediation scripts for 'audit_rules_time_adjtimex', + 'audit_rules_time_settimeofday', and 'audit_rules_time_stime' rules for + Red Hat Enterprise Linux 7 product +- Tag current PCI-DSS profile for Red Hat Enterprise Linux 7 product with + "Draft" label +- Disable the following rules in the PCI-DSS profile for the Red Hat Enterprise + Linux 7 product: + * dconf_gnome_screensaver_idle_delay -- missing remediation script, + * dconf_gnome_screensaver_idle_activation -- missing remediation script, + * dconf_gnome_screensaver_lock_enabled -- missing remediation script, + * audit_rules_login_events -- incorrect OVAL check (upstream issue #607), + * audit_rules_privileged_commands -- missing remediation script, and + * audit_rules_immutable -- missing remediation script. + +* Mon Aug 03 2015 Martin Preisler 0.1.24-2 +- Break-down firewalld rule description for Red Hat Enterprise Linux 7 product + into multiple lines, prevents HTML guide UX issues + +* Tue Jul 07 2015 Jan iankko Lieskovsky 0.1.24-1 +- Rebase to upstream scap-security-guide-0.1.24 version +- Start producing the -doc subpackage to provide the HTML formatted + documents containing security guides generated from shipped XCCDF benchmarks + +* Mon Jun 22 2015 Jan iankko Lieskovsky 0.1.23-1 +- Rebase to upstream scap-security-guide-0.1.23 version +- Update upstream tarball source URL to GitHub archive location +- Drop the following patches that have been accepted upstream: + * scap-security-guide-0.1.19-rhel7-include-only-rht-ccp-profile.patch + * scap-security-guide-0.1.19-rhel7-drop-restorecond-since-in-optional.patch + * scap-security-guide-0.1.19-update-man-page-for-rhel7-content.patch + * scap-security-guide-0.1.19-rhel7-update-pam-XCCDF-to-use-pam_pwquality.patch + * 
scap-security-guide-0.1.20-rhel7-shared-fix-limit-password-reuse-remediation.patch + * scap-security-guide-0.1.20-rhel6-rhel7-PR#280-set-deny-prerequisite-#1.patch + * scap-security-guide-0.1.20-rhel6-rhel7-set-deny-prerequisite-#2.patch + * scap-security-guide-0.1.20-shared-fix-set-deny-for-failed-password-attempts-remediation.patch + * scap-security-guide-0.1.20-rhel7-specify-exact-profile-name-when-generating-guide.patch +- Include the datastream versions of Firefox and Java Runtime Environment (JRE) benchmarks +- Include USGCB and DISA STIG profile kickstart files for Red Hat Enterprise Linux 6 + * Tue Oct 21 2014 Jan iankko Lieskovsky 0.1.19-2 - Fix Limit Password Reuse remediation script error - Fix Set Deny For Failed Password Attempts remediation script error
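Review bot: the 0.1.24-3 entry lists the six PCI-DSS rules disabled and their reasons, and the %prep comment repeats the same list verbatim; keep one authoritative list (the %prep comment next to `%patch4`) and have the changelog point at it, otherwise the two will drift the next time a rule is re-enabled. The 0.1.25-1 rebase entry, unlike 0.1.23-1, does not say which downstream patches were dropped or carried over, which is the information a later maintainer needs most; add a line for each.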