Blame SOURCES/scap-security-guide-0.1.44-cpe-pam-systemd-yum.patch

2b7fd2
From 32caed89b5cf14f86e5d842569c4f73cdae6ed26 Mon Sep 17 00:00:00 2001
2b7fd2
From: Shawn Wells <shawn@redhat.com>
2b7fd2
Date: Wed, 3 Apr 2019 16:49:38 -0400
2b7fd2
Subject: [PATCH 01/11] create PAM package CPE
2b7fd2
2b7fd2
---
2b7fd2
 .../oval/installed_env_has_pam_package.xml    | 25 +++++++++++++++++++
2b7fd2
 1 file changed, 25 insertions(+)
2b7fd2
 create mode 100644 shared/checks/oval/installed_env_has_pam_package.xml
2b7fd2
2b7fd2
diff --git a/shared/checks/oval/installed_env_has_pam_package.xml b/shared/checks/oval/installed_env_has_pam_package.xml
2b7fd2
new file mode 100644
2b7fd2
index 0000000000..b6376575b2
2b7fd2
--- /dev/null
2b7fd2
+++ b/shared/checks/oval/installed_env_has_pam_package.xml
2b7fd2
@@ -0,0 +1,25 @@
2b7fd2
+<def-group>
2b7fd2
+
2b7fd2
+  
2b7fd2
+  id="installed_env_has_pam_package" version="1">
2b7fd2
+    <metadata>
2b7fd2
+      <title>Package pam is installed</title>
2b7fd2
+      <affected family="unix">
2b7fd2
+        <platform>multi_platform_all</platform>
2b7fd2
+      </affected>
2b7fd2
+      <description>Checks if package pam is installed.</description>
2b7fd2
+      <reference ref_id="cpe:/a:pam" source="CPE" />
2b7fd2
+    </metadata>
2b7fd2
+    <criteria>
2b7fd2
+      <criterion comment="Package pam is installed" test_ref="test_env_has_pam_installed" />
2b7fd2
+    </criteria>
2b7fd2
+  </definition>
2b7fd2
+
2b7fd2
+  <linux:rpminfo_test check="all" check_existence="at_least_one_exists" comment="system has package pam installed" id="test_env_has_pam_installed" version="1">
2b7fd2
+    <linux:object object_ref="obj_env_has_pam_installed" />
2b7fd2
+  </linux:rpminfo_test>
2b7fd2
+  <linux:rpminfo_object id="obj_env_has_pam_installed" version="1">
2b7fd2
+    <linux:name>pam</linux:name>
2b7fd2
+  </linux:rpminfo_object>
2b7fd2
+
2b7fd2
+</def-group>
2b7fd2
2b7fd2
From 213a472a89b3b591a4fd441bcf0f0f3ba633afe3 Mon Sep 17 00:00:00 2001
2b7fd2
From: Shawn Wells <shawn@redhat.com>
2b7fd2
Date: Wed, 3 Apr 2019 16:49:53 -0400
2b7fd2
Subject: [PATCH 02/11] add PAM CPE to constants
2b7fd2
2b7fd2
---
2b7fd2
 ssg/constants.py | 1 +
2b7fd2
 1 file changed, 1 insertion(+)
2b7fd2
2b7fd2
diff --git a/ssg/constants.py b/ssg/constants.py
2b7fd2
index f96fd51790..e87eb7f43c 100644
2b7fd2
--- a/ssg/constants.py
2b7fd2
+++ b/ssg/constants.py
2b7fd2
@@ -376,6 +376,7 @@
2b7fd2
 XCCDF_PLATFORM_TO_CPE = {
2b7fd2
     "machine": "cpe:/a:machine",
2b7fd2
     "container": "cpe:/a:container",
2b7fd2
+    "pam": "cpe:/a:pam",
2b7fd2
     "shadow-utils": "cpe:/a:shadow-utils",
2b7fd2
 }
2b7fd2
 
2b7fd2
2b7fd2
From 6afde50cf7a4a75829ed092c8e30116df7a99601 Mon Sep 17 00:00:00 2001
2b7fd2
From: Watson Sato <wsato@redhat.com>
2b7fd2
Date: Mon, 8 Apr 2019 15:43:04 +0200
2b7fd2
Subject: [PATCH 03/11] Update rules for PAM CPE check
2b7fd2
2b7fd2
---
0d5c10
 .../accounts_password_pam_dcredit/rule.yml                      | 2 ++
0d5c10
 .../accounts_password_pam_difok/rule.yml                        | 2 ++
0d5c10
 .../accounts_password_pam_maxclassrepeat/rule.yml               | 2 ++
0d5c10
 .../accounts_password_pam_minclass/rule.yml                     | 2 ++
0d5c10
 .../accounts_password_pam_minlen/rule.yml                       | 2 ++
0d5c10
 .../accounts_max_concurrent_login_sessions/rule.yml             | 2 ++
2b7fd2
 6 files changed, 12 insertions(+)
2b7fd2
0d5c10
diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_dcredit/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_dcredit/rule.yml
2b7fd2
index 72fc5970ea..fe997d97c8 100644
0d5c10
--- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_dcredit/rule.yml
0d5c10
+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_dcredit/rule.yml
2b7fd2
@@ -52,3 +52,5 @@ ocil: |-
2b7fd2
     
$ grep dcredit /etc/security/pwquality.conf
2b7fd2
     The <tt>dcredit</tt> parameter (as a negative number) will indicate how many digits are required.
2b7fd2
     The DoD requires at least one digit in a password. This would appear as <tt>dcredit = -1</tt>.
2b7fd2
+
2b7fd2
+platform: pam
0d5c10
diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_difok/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_difok/rule.yml
2b7fd2
index 931f0aa9e4..d1855a2cf4 100644
0d5c10
--- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_difok/rule.yml
0d5c10
+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_difok/rule.yml
2b7fd2
@@ -53,3 +53,5 @@ ocil: |-
2b7fd2
     To check how many characters must differ during a password change, run the following command:
2b7fd2
     
$ grep difok /etc/security/pwquality.conf
2b7fd2
     The <tt>difok</tt> parameter will indicate how many characters must differ.
2b7fd2
+
2b7fd2
+platform: pam
0d5c10
diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_maxclassrepeat/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_maxclassrepeat/rule.yml
2b7fd2
index 35de1318d5..d964a5e3ea 100644
0d5c10
--- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_maxclassrepeat/rule.yml
0d5c10
+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_maxclassrepeat/rule.yml
2b7fd2
@@ -43,3 +43,5 @@ ocil: |-
2b7fd2
     To check the value for maximum consecutive repeating characters, run the following command:
2b7fd2
     
$ grep maxclassrepeat /etc/security/pwquality.conf
2b7fd2
     For DoD systems, the output should show <tt>maxclassrepeat</tt>=4.
2b7fd2
+
2b7fd2
+platform: pam
0d5c10
diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_minclass/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_minclass/rule.yml
2b7fd2
index 7f99aba143..dc3377de0b 100644
0d5c10
--- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_minclass/rule.yml
0d5c10
+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_minclass/rule.yml
2b7fd2
@@ -60,3 +60,5 @@ ocil: |-
2b7fd2
     The <tt>minclass</tt> parameter will indicate how many character classes must be used. If
2b7fd2
     the requirement was for the password to contain characters from three different categories,
2b7fd2
     then this would appear as <tt>minclass = 3</tt>.
2b7fd2
+
2b7fd2
+platform: pam
0d5c10
diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_minlen/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_minlen/rule.yml
2b7fd2
index d6462579fe..0799aecf01 100644
0d5c10
--- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_minlen/rule.yml
0d5c10
+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_minlen/rule.yml
2b7fd2
@@ -49,3 +49,5 @@ ocil: |-
2b7fd2
     To check how many characters are required in a password, run the following command:
2b7fd2
     
$ grep minlen /etc/security/pwquality.conf
2b7fd2
     Your output should contain <tt>minlen = <sub idref="var_password_pam_minlen" /></tt>
2b7fd2
+
2b7fd2
+platform: pam
0d5c10
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_max_concurrent_login_sessions/rule.yml b/linux_os/guide/system/accounts/accounts-session/accounts_max_concurrent_login_sessions/rule.yml
2b7fd2
index bd53c19c08..f9d9a08706 100644
0d5c10
--- a/linux_os/guide/system/accounts/accounts-session/accounts_max_concurrent_login_sessions/rule.yml
0d5c10
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_max_concurrent_login_sessions/rule.yml
0d5c10
@@ -45,3 +45,5 @@ ocil: |-
0d5c10
     
# grep "maxlogins" /etc/security/limits.conf
0d5c10
     You should receive output similar to the following:
0d5c10
     
*\t\thard\tmaxlogins\t<sub idref="var_accounts_max_concurrent_login_sessions" />
2b7fd2
+
2b7fd2
+platform: pam
2b7fd2
2b7fd2
From 351ee6945df37a28cc4f4589b17eb4c35066b00b Mon Sep 17 00:00:00 2001
2b7fd2
From: Shawn Wells <shawn@redhat.com>
2b7fd2
Date: Wed, 3 Apr 2019 17:17:40 -0400
2b7fd2
Subject: [PATCH 04/11] add libuser CPE
2b7fd2
2b7fd2
---
2b7fd2
 .../installed_env_has_libuser_package.xml     | 24 +++++++++++++++++++
2b7fd2
 1 file changed, 24 insertions(+)
2b7fd2
 create mode 100644 shared/checks/oval/installed_env_has_libuser_package.xml
2b7fd2
2b7fd2
diff --git a/shared/checks/oval/installed_env_has_libuser_package.xml b/shared/checks/oval/installed_env_has_libuser_package.xml
2b7fd2
new file mode 100644
2b7fd2
index 0000000000..ee79b19f8a
2b7fd2
--- /dev/null
2b7fd2
+++ b/shared/checks/oval/installed_env_has_libuser_package.xml
2b7fd2
@@ -0,0 +1,24 @@
2b7fd2
+<def-group>
2b7fd2
+  
2b7fd2
+  id="installed_env_has_libuser_package" version="1">
2b7fd2
+    <metadata>
2b7fd2
+      <title>Package libuser is installed</title>
2b7fd2
+      <affected family="unix">
2b7fd2
+        <platform>multi_platform_all</platform>
2b7fd2
+      </affected>
2b7fd2
+      <description>Checks if package libuser is installed.</description>
2b7fd2
+      <reference ref_id="cpe:/a:libuser" source="CPE" />
2b7fd2
+    </metadata>
2b7fd2
+    <criteria>
2b7fd2
+      <criterion comment="Package libuser is installed" test_ref="test_env_has_libuser_installed" />
2b7fd2
+    </criteria>
2b7fd2
+  </definition>
2b7fd2
+
2b7fd2
+  <linux:rpminfo_test check="all" check_existence="at_least_one_exists" comment="system has package libuser installed" id="test_env_has_libuser_installed" version="1">
2b7fd2
+    <linux:object object_ref="obj_env_has_libuser_installed" />
2b7fd2
+  </linux:rpminfo_test>
2b7fd2
+  <linux:rpminfo_object id="obj_env_has_libuser_installed" version="1">
2b7fd2
+    <linux:name>libuser</linux:name>
2b7fd2
+  </linux:rpminfo_object>
2b7fd2
+
2b7fd2
+</def-group>
2b7fd2
2b7fd2
From e0b2db79f718b2f64ec25c39f01b53d4e9a80b00 Mon Sep 17 00:00:00 2001
2b7fd2
From: Shawn Wells <shawn@redhat.com>
2b7fd2
Date: Wed, 3 Apr 2019 17:17:50 -0400
2b7fd2
Subject: [PATCH 05/11] add systemd CPE
2b7fd2
2b7fd2
---
2b7fd2
 .../installed_env_has_systemd_package.xml     | 24 +++++++++++++++++++
2b7fd2
 1 file changed, 24 insertions(+)
2b7fd2
 create mode 100644 shared/checks/oval/installed_env_has_systemd_package.xml
2b7fd2
2b7fd2
diff --git a/shared/checks/oval/installed_env_has_systemd_package.xml b/shared/checks/oval/installed_env_has_systemd_package.xml
2b7fd2
new file mode 100644
2b7fd2
index 0000000000..99706ee1c6
2b7fd2
--- /dev/null
2b7fd2
+++ b/shared/checks/oval/installed_env_has_systemd_package.xml
2b7fd2
@@ -0,0 +1,24 @@
2b7fd2
+<def-group>
2b7fd2
+  
2b7fd2
+  id="installed_env_has_systemd_package" version="1">
2b7fd2
+    <metadata>
2b7fd2
+      <title>Package systemd is installed</title>
2b7fd2
+      <affected family="unix">
2b7fd2
+        <platform>multi_platform_all</platform>
2b7fd2
+      </affected>
2b7fd2
+      <description>Checks if package systemd is installed.</description>
2b7fd2
+      <reference ref_id="cpe:/a:systemd" source="CPE" />
2b7fd2
+    </metadata>
2b7fd2
+    <criteria>
2b7fd2
+      <criterion comment="Package systemd is installed" test_ref="test_env_has_systemd_installed" />
2b7fd2
+    </criteria>
2b7fd2
+  </definition>
2b7fd2
+
2b7fd2
+  <linux:rpminfo_test check="all" check_existence="at_least_one_exists" comment="system has package systemd installed" id="test_env_has_systemd_installed" version="1">
2b7fd2
+    <linux:object object_ref="obj_env_has_systemd_installed" />
2b7fd2
+  </linux:rpminfo_test>
2b7fd2
+  <linux:rpminfo_object id="obj_env_has_systemd_installed" version="1">
2b7fd2
+    <linux:name>systemd</linux:name>
2b7fd2
+  </linux:rpminfo_object>
2b7fd2
+
2b7fd2
+</def-group>
2b7fd2
2b7fd2
From 2ec6e5654ef63232c973d91cdee6f8eb9156eb9b Mon Sep 17 00:00:00 2001
2b7fd2
From: Watson Sato <wsato@redhat.com>
2b7fd2
Date: Mon, 8 Apr 2019 15:45:01 +0200
2b7fd2
Subject: [PATCH 06/11] Update rules with package CPEs
2b7fd2
2b7fd2
---
0d5c10
 .../accounts/accounts-pam/display_login_attempts/rule.yml       | 2 ++
0d5c10
 .../accounts_password_pam_unix_remember/rule.yml                | 2 ++
0d5c10
 .../accounts_passwords_pam_faillock_deny/rule.yml               | 2 ++
0d5c10
 .../accounts_passwords_pam_faillock_deny_root/rule.yml          | 2 ++
0d5c10
 .../accounts_passwords_pam_faillock_interval/rule.yml           | 2 ++
0d5c10
 .../accounts_passwords_pam_faillock_unlock_time/rule.yml        | 2 ++
0d5c10
 .../accounts_password_pam_lcredit/rule.yml                      | 2 ++
0d5c10
 .../accounts_password_pam_ocredit/rule.yml                      | 2 ++
0d5c10
 .../accounts_password_pam_retry/rule.yml                        | 2 ++
0d5c10
 .../accounts_password_pam_ucredit/rule.yml                      | 2 ++
0d5c10
 .../set_password_hashing_algorithm_libuserconf/rule.yml         | 2 ++
0d5c10
 .../set_password_hashing_algorithm_logindefs/rule.yml           | 2 ++
0d5c10
 .../set_password_hashing_algorithm_systemauth/rule.yml          | 2 ++
0d5c10
 .../accounts-physical/disable_ctrlaltdel_burstaction/rule.yml   | 2 ++
0d5c10
 .../user_umask/accounts_umask_etc_login_defs/rule.yml           | 2 ++
2b7fd2
 ssg/constants.py                                                | 2 ++
2b7fd2
 16 files changed, 32 insertions(+)
2b7fd2
0d5c10
diff --git a/linux_os/guide/system/accounts/accounts-pam/display_login_attempts/rule.yml b/linux_os/guide/system/accounts/accounts-pam/display_login_attempts/rule.yml
2b7fd2
index 5c2287a4d3..baeece4b59 100644
0d5c10
--- a/linux_os/guide/system/accounts/accounts-pam/display_login_attempts/rule.yml
0d5c10
+++ b/linux_os/guide/system/accounts/accounts-pam/display_login_attempts/rule.yml
2b7fd2
@@ -47,3 +47,5 @@ ocil: |-
2b7fd2
     the following command:
2b7fd2
     
$ grep pam_lastlog.so /etc/pam.d/postlogin
2b7fd2
     The output should show output <tt>showfailed</tt>.
2b7fd2
+
2b7fd2
+platform: pam
0d5c10
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/rule.yml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/rule.yml
2b7fd2
index dcde239e85..a63e0e6d1d 100644
0d5c10
--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/rule.yml
0d5c10
+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/rule.yml
2b7fd2
@@ -56,3 +56,5 @@ ocil: |-
2b7fd2
     
$ grep remember /etc/pam.d/system-auth
2b7fd2
     The output should show the following at the end of the line:
2b7fd2
     
remember=<sub idref="var_password_pam_unix_remember" />
2b7fd2
+
2b7fd2
+platform: pam
0d5c10
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/rule.yml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/rule.yml
2b7fd2
index c8147e7c17..e10b0a1b67 100644
0d5c10
--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/rule.yml
0d5c10
+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/rule.yml
2b7fd2
@@ -56,3 +56,5 @@ ocil: |-
2b7fd2
     To ensure the failed password attempt policy is configured correctly, run the following command:
2b7fd2
     
$ grep pam_faillock /etc/pam.d/system-auth
2b7fd2
     The output should show <tt>deny=<sub idref="var_accounts_passwords_pam_faillock_deny" /></tt>.
2b7fd2
+
2b7fd2
+platform: pam
0d5c10
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny_root/rule.yml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny_root/rule.yml
2b7fd2
index b5283b052e..b4c4df7186 100644
0d5c10
--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny_root/rule.yml
0d5c10
+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny_root/rule.yml
2b7fd2
@@ -50,3 +50,5 @@ ocil: |-
2b7fd2
     attempts, run the following command:
2b7fd2
     
$ grep even_deny_root /etc/pam.d/system-auth
2b7fd2
     The output should show <tt>even_deny_root</tt>.
2b7fd2
+
2b7fd2
+platform: pam
0d5c10
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/rule.yml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/rule.yml
2b7fd2
index 485fb7970d..ac21fe4c81 100644
0d5c10
--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/rule.yml
0d5c10
+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/rule.yml
0d5c10
@@ -65,3 +65,5 @@ ocil: |-
0d5c10
     For each file, the output should show <tt>fail_interval=<interval-in-seconds></tt> where <tt>interval-in-seconds</tt> is <tt><sub idref="var_accounts_passwords_pam_faillock_fail_interval" /></tt> or greater.
0d5c10
     If the <tt>fail_interval</tt> parameter is not set, the default setting
0d5c10
     of 900 seconds is acceptable.
2b7fd2
+
2b7fd2
+platform: pam
0d5c10
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/rule.yml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/rule.yml
2b7fd2
index 9abd02feea..f4bfaec622 100644
0d5c10
--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/rule.yml
0d5c10
+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/rule.yml
2b7fd2
@@ -59,3 +59,5 @@ ocil: |-
2b7fd2
     To ensure the failed password attempt policy is configured correctly, run the following command:
2b7fd2
     
$ grep pam_faillock /etc/pam.d/system-auth
2b7fd2
     The output should show <tt>unlock_time=<some-large-number></tt> or <tt>never</tt>.
2b7fd2
+
2b7fd2
+platform: pam
0d5c10
diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_lcredit/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_lcredit/rule.yml
2b7fd2
index ba0be4ebeb..21d86585ed 100644
0d5c10
--- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_lcredit/rule.yml
0d5c10
+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_lcredit/rule.yml
2b7fd2
@@ -51,3 +51,5 @@ ocil: |-
2b7fd2
     
$ grep lcredit /etc/security/pwquality.conf
2b7fd2
     The <tt>lcredit</tt> parameter (as a negative number) will indicate how many special characters are required.
2b7fd2
     The DoD and FISMA require at least one lowercase character in a password. This would appear as <tt>lcredit = -1</tt>.
2b7fd2
+
2b7fd2
+platform: pam
0d5c10
diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_ocredit/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_ocredit/rule.yml
2b7fd2
index c39cc2a09b..d7f7083d27 100644
0d5c10
--- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_ocredit/rule.yml
0d5c10
+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_ocredit/rule.yml
2b7fd2
@@ -53,3 +53,5 @@ ocil: |-
2b7fd2
     The <tt>ocredit</tt> parameter (as a negative number) will indicate how many special characters are required.
2b7fd2
     The DoD and FISMA require at least one special character in a password.
2b7fd2
     This would appear as <tt>ocredit = -1</tt>.
2b7fd2
+
2b7fd2
+platform: pam
0d5c10
diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/rule.yml
2b7fd2
index c0f8ed8d6d..fea35e37a3 100644
0d5c10
--- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/rule.yml
0d5c10
+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/rule.yml
2b7fd2
@@ -46,3 +46,5 @@ ocil: |-
2b7fd2
     The <tt>retry</tt> parameter will indicate how many attempts are permitted.
2b7fd2
     The DoD required value is less than or equal to 3.
2b7fd2
     This would appear as <tt>retry=3</tt>, or a lower value.
2b7fd2
+
2b7fd2
+platform: pam
0d5c10
diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_ucredit/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_ucredit/rule.yml
2b7fd2
index 2222ac2297..a4ecdf969d 100644
0d5c10
--- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_ucredit/rule.yml
0d5c10
+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_ucredit/rule.yml
2b7fd2
@@ -50,3 +50,5 @@ ocil: |-
2b7fd2
     The <tt>ucredit</tt> parameter (as a negative number) will indicate how many uppercase characters are required.
2b7fd2
     The DoD and FISMA require at least one uppercase character in a password.
2b7fd2
     This would appear as <tt>ucredit = -1</tt>.
2b7fd2
+
2b7fd2
+platform: pam
0d5c10
diff --git a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_libuserconf/rule.yml b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_libuserconf/rule.yml
2b7fd2
index 0f6cf57e57..397bad4ea6 100644
0d5c10
--- a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_libuserconf/rule.yml
0d5c10
+++ b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_libuserconf/rule.yml
2b7fd2
@@ -55,3 +55,5 @@ ocil: |-
2b7fd2
     Inspect <tt>/etc/libuser.conf</tt> and ensure the following line appears
2b7fd2
     in the <tt>[default]</tt> section:
2b7fd2
     
crypt_style = sha512
2b7fd2
+
2b7fd2
+platform: libuser
0d5c10
diff --git a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_logindefs/rule.yml b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_logindefs/rule.yml
2b7fd2
index a23a7863c9..84212c7648 100644
0d5c10
--- a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_logindefs/rule.yml
0d5c10
+++ b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_logindefs/rule.yml
2b7fd2
@@ -47,3 +47,5 @@ ocil_clause: 'it does not'
2b7fd2
 ocil: |-
2b7fd2
     Inspect <tt>/etc/login.defs</tt> and ensure the following line appears:
2b7fd2
     
ENCRYPT_METHOD SHA512
2b7fd2
+
2b7fd2
+platform: shadow-utils
0d5c10
diff --git a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/rule.yml b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/rule.yml
2b7fd2
index 070e65fc3a..48e8ac427d 100644
0d5c10
--- a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/rule.yml
0d5c10
+++ b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/rule.yml
2b7fd2
@@ -65,3 +65,5 @@ ocil: |-
2b7fd2
     ensure that the <tt>pam_unix.so</tt> module includes the argument
2b7fd2
     <tt>sha512</tt>:
2b7fd2
     
$ grep sha512 /etc/pam.d/system-auth
2b7fd2
+
2b7fd2
+platform: pam
0d5c10
diff --git a/linux_os/guide/system/accounts/accounts-physical/disable_ctrlaltdel_burstaction/rule.yml b/linux_os/guide/system/accounts/accounts-physical/disable_ctrlaltdel_burstaction/rule.yml
2b7fd2
index e215a41a91..d68bf2be38 100644
0d5c10
--- a/linux_os/guide/system/accounts/accounts-physical/disable_ctrlaltdel_burstaction/rule.yml
0d5c10
+++ b/linux_os/guide/system/accounts/accounts-physical/disable_ctrlaltdel_burstaction/rule.yml
2b7fd2
@@ -53,3 +53,5 @@ warnings:
2b7fd2
         key sequence if running in <tt>runlevel 6</tt> (e.g. in GNOME, KDE, etc.)! The
2b7fd2
         <tt>Ctrl-Alt-Del</tt> key sequence will only be disabled if running in
2b7fd2
         the non-graphical <tt>runlevel 3</tt>.
2b7fd2
+
2b7fd2
+platform: systemd
0d5c10
diff --git a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_login_defs/rule.yml b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_login_defs/rule.yml
2b7fd2
index e9e327352b..a087ca8f6a 100644
0d5c10
--- a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_login_defs/rule.yml
0d5c10
+++ b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_login_defs/rule.yml
2b7fd2
@@ -41,3 +41,5 @@ ocil: |-
2b7fd2
     All output must show the value of <tt>umask</tt> set as shown in the below:
2b7fd2
     
# grep -i "UMASK" /etc/login.defs
2b7fd2
     umask <sub idref="var_accounts_user_umask" />
2b7fd2
+
2b7fd2
+platform: shadow-utils
2b7fd2
diff --git a/ssg/constants.py b/ssg/constants.py
2b7fd2
index e87eb7f43c..8b3a792f10 100644
2b7fd2
--- a/ssg/constants.py
2b7fd2
+++ b/ssg/constants.py
2b7fd2
@@ -376,8 +376,10 @@
2b7fd2
 XCCDF_PLATFORM_TO_CPE = {
2b7fd2
     "machine": "cpe:/a:machine",
2b7fd2
     "container": "cpe:/a:container",
2b7fd2
+    "libuser": "cpe:/a:libuser",
2b7fd2
     "pam": "cpe:/a:pam",
2b7fd2
     "shadow-utils": "cpe:/a:shadow-utils",
2b7fd2
+    "systemd": "cpe:/a:systemd",
2b7fd2
 }
2b7fd2
 
2b7fd2
 # Application constants
2b7fd2
2b7fd2
From e884c6f090bf4a7963721b4948f18b05193cc0bb Mon Sep 17 00:00:00 2001
2b7fd2
From: Shawn Wells <shawn@redhat.com>
2b7fd2
Date: Wed, 3 Apr 2019 17:45:31 -0400
2b7fd2
Subject: [PATCH 07/11] Update LDAP check to evaluate for nss-pam-ldapd CPE
2b7fd2
2b7fd2
---
0d5c10
 .../ldap_client_start_tls/rule.yml            |  2 ++
2b7fd2
 ...nstalled_env_has_nss-pam-ldapd_package.xml | 24 +++++++++++++++++++
2b7fd2
 ssg/constants.py                              |  1 +
2b7fd2
 3 files changed, 27 insertions(+)
2b7fd2
 create mode 100644 shared/checks/oval/installed_env_has_nss-pam-ldapd_package.xml
2b7fd2
0d5c10
diff --git a/linux_os/guide/services/ldap/openldap_client/ldap_client_start_tls/rule.yml b/linux_os/guide/services/ldap/openldap_client/ldap_client_start_tls/rule.yml
2b7fd2
index c4839d7de5..22a9fd60d9 100644
0d5c10
--- a/linux_os/guide/services/ldap/openldap_client/ldap_client_start_tls/rule.yml
0d5c10
+++ b/linux_os/guide/services/ldap/openldap_client/ldap_client_start_tls/rule.yml
2b7fd2
@@ -48,3 +48,5 @@ ocil: |-
2b7fd2
     
$ grep start_tls /etc/pam_ldap.conf
2b7fd2
     The result should contain:
2b7fd2
     
ssl start_tls
2b7fd2
+
2b7fd2
+platform: nss-pam-ldapd
2b7fd2
diff --git a/shared/checks/oval/installed_env_has_nss-pam-ldapd_package.xml b/shared/checks/oval/installed_env_has_nss-pam-ldapd_package.xml
2b7fd2
new file mode 100644
2b7fd2
index 0000000000..0637e4a64e
2b7fd2
--- /dev/null
2b7fd2
+++ b/shared/checks/oval/installed_env_has_nss-pam-ldapd_package.xml
2b7fd2
@@ -0,0 +1,24 @@
2b7fd2
+<def-group>
2b7fd2
+  
2b7fd2
+  id="installed_env_has_nss-pam-ldapd_package" version="1">
2b7fd2
+    <metadata>
2b7fd2
+      <title>Package nss-pam-ldapd is installed</title>
2b7fd2
+      <affected family="unix">
2b7fd2
+        <platform>multi_platform_all</platform>
2b7fd2
+      </affected>
2b7fd2
+      <description>Checks if package nss-pam-ldapd is installed.</description>
2b7fd2
+      <reference ref_id="cpe:/a:nss-pam-ldapd" source="CPE" />
2b7fd2
+    </metadata>
2b7fd2
+    <criteria>
2b7fd2
+      <criterion comment="Package nss-pam-ldapd is installed" test_ref="test_env_has_nss-pam-ldapd_installed" />
2b7fd2
+    </criteria>
2b7fd2
+  </definition>
2b7fd2
+
2b7fd2
+  <linux:rpminfo_test check="all" check_existence="at_least_one_exists" comment="system has package nss-pam-ldapd installed" id="test_env_has_nss-pam-ldapd_installed" version="1">
2b7fd2
+    <linux:object object_ref="obj_env_has_nss-pam-ldapd_installed" />
2b7fd2
+  </linux:rpminfo_test>
2b7fd2
+  <linux:rpminfo_object id="obj_env_has_nss-pam-ldapd_installed" version="1">
2b7fd2
+    <linux:name>nss-pam-ldapd</linux:name>
2b7fd2
+  </linux:rpminfo_object>
2b7fd2
+
2b7fd2
+</def-group>
2b7fd2
diff --git a/ssg/constants.py b/ssg/constants.py
2b7fd2
index 8b3a792f10..8d7a4cc290 100644
2b7fd2
--- a/ssg/constants.py
2b7fd2
+++ b/ssg/constants.py
2b7fd2
@@ -377,6 +377,7 @@
2b7fd2
     "machine": "cpe:/a:machine",
2b7fd2
     "container": "cpe:/a:container",
2b7fd2
     "libuser": "cpe:/a:libuser",
2b7fd2
+    "nss-pam-ldapd": "cpe:/a:nss-pam-ldapd",
2b7fd2
     "pam": "cpe:/a:pam",
2b7fd2
     "shadow-utils": "cpe:/a:shadow-utils",
2b7fd2
     "systemd": "cpe:/a:systemd",
2b7fd2
2b7fd2
From 7cbbe94a051f3978592edb207b5fb178fd6d0e2f Mon Sep 17 00:00:00 2001
2b7fd2
From: Watson Sato <wsato@redhat.com>
2b7fd2
Date: Mon, 8 Apr 2019 15:55:08 +0200
2b7fd2
Subject: [PATCH 08/11] Update FIPS checks to evaluate if in machine
2b7fd2
 environment
2b7fd2
2b7fd2
---
0d5c10
 .../software/integrity/fips/enable_dracut_fips_module/rule.yml  | 2 ++
0d5c10
 .../integrity/fips/grub_legacy_enable_fips_mode/rule.yml        | 2 ++
0d5c10
 .../integrity/fips/package_dracut-fips_installed/rule.yml       | 2 ++
2b7fd2
 3 files changed, 6 insertions(+)
2b7fd2
0d5c10
diff --git a/linux_os/guide/system/software/integrity/fips/enable_dracut_fips_module/rule.yml b/linux_os/guide/system/software/integrity/fips/enable_dracut_fips_module/rule.yml
0d5c10
index 08faf42259..dbdf64d526 100644
0d5c10
--- a/linux_os/guide/system/software/integrity/fips/enable_dracut_fips_module/rule.yml
0d5c10
+++ b/linux_os/guide/system/software/integrity/fips/enable_dracut_fips_module/rule.yml
0d5c10
@@ -48,3 +48,5 @@ warnings:
0d5c10
         

0d5c10
         See {{{ weblink(link="http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/1401vend.htm") }}}
0d5c10
         for a list of FIPS certified vendors.
0d5c10
+
0d5c10
+platform: machine
0d5c10
diff --git a/linux_os/guide/system/software/integrity/fips/grub_legacy_enable_fips_mode/rule.yml b/linux_os/guide/system/software/integrity/fips/grub_legacy_enable_fips_mode/rule.yml
2b7fd2
index f112bddacd..6761b8736d 100644
0d5c10
--- a/linux_os/guide/system/software/integrity/fips/grub_legacy_enable_fips_mode/rule.yml
0d5c10
+++ b/linux_os/guide/system/software/integrity/fips/grub_legacy_enable_fips_mode/rule.yml
2b7fd2
@@ -50,3 +50,5 @@ warnings:
2b7fd2
         

2b7fd2
         See {{{ weblink(link="http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/1401vend.htm") }}}
2b7fd2
         for a list of FIPS certified vendors.
2b7fd2
+
2b7fd2
+platform: machine
0d5c10
diff --git a/linux_os/guide/system/software/integrity/fips/package_dracut-fips_installed/rule.yml b/linux_os/guide/system/software/integrity/fips/package_dracut-fips_installed/rule.yml
2b7fd2
index c1f6e515e6..055ec8f774 100644
0d5c10
--- a/linux_os/guide/system/software/integrity/fips/package_dracut-fips_installed/rule.yml
0d5c10
+++ b/linux_os/guide/system/software/integrity/fips/package_dracut-fips_installed/rule.yml
2b7fd2
@@ -37,3 +37,5 @@ references:
2b7fd2
 ocil_clause: 'the package is not installed'
2b7fd2
 
2b7fd2
 ocil: '{{{ ocil_package(package="dracut-fips") }}}'
2b7fd2
+
2b7fd2
+platform: machine
2b7fd2
2b7fd2
From 86704595eb3500a8ef15f5fc0c1412d000c201d1 Mon Sep 17 00:00:00 2001
2b7fd2
From: Watson Sato <wsato@redhat.com>
2b7fd2
Date: Mon, 8 Apr 2019 16:15:45 +0200
2b7fd2
Subject: [PATCH 09/11] Update CPE package check to handle deb packages
2b7fd2
2b7fd2
---
2b7fd2
 .../oval/installed_env_has_libuser_package.xml    | 15 ++++++++++++++-
2b7fd2
 .../installed_env_has_nss-pam-ldapd_package.xml   | 15 ++++++++++++++-
2b7fd2
 .../checks/oval/installed_env_has_pam_package.xml | 15 ++++++++++++++-
2b7fd2
 .../installed_env_has_shadow-utils_package.xml    | 15 ++++++++++++++-
2b7fd2
 .../oval/installed_env_has_systemd_package.xml    | 15 ++++++++++++++-
2b7fd2
 5 files changed, 70 insertions(+), 5 deletions(-)
2b7fd2
2b7fd2
diff --git a/shared/checks/oval/installed_env_has_libuser_package.xml b/shared/checks/oval/installed_env_has_libuser_package.xml
2b7fd2
index ee79b19f8a..b848337b0e 100644
2b7fd2
--- a/shared/checks/oval/installed_env_has_libuser_package.xml
2b7fd2
+++ b/shared/checks/oval/installed_env_has_libuser_package.xml
2b7fd2
@@ -14,11 +14,24 @@
2b7fd2
     </criteria>
2b7fd2
   </definition>
2b7fd2
 
2b7fd2
-  <linux:rpminfo_test check="all" check_existence="at_least_one_exists" comment="system has package libuser installed" id="test_env_has_libuser_installed" version="1">
2b7fd2
+{{% if pkg_system == "rpm" %}}
2b7fd2
+  
2b7fd2
+  id="test_env_has_libuser_installed" version="1"
2b7fd2
+  comment="system has package libuser installed">
2b7fd2
     <linux:object object_ref="obj_env_has_libuser_installed" />
2b7fd2
   </linux:rpminfo_test>
2b7fd2
   <linux:rpminfo_object id="obj_env_has_libuser_installed" version="1">
2b7fd2
     <linux:name>libuser</linux:name>
2b7fd2
   </linux:rpminfo_object>
2b7fd2
+{{% elif pkg_system == "dpkg" %}}
2b7fd2
+  
2b7fd2
+  id="test_env_has_libuser_installed" version="1"
2b7fd2
+  comment="system has package libuser installed">
2b7fd2
+    <linux:object object_ref="obj_env_has_libuser_installed" />
2b7fd2
+  </linux:dpkginfo_test>
2b7fd2
+  <linux:dpkginfo_object id="obj_env_has_libuser_installed" version="1">
2b7fd2
+    <linux:name>libuser</linux:name>
2b7fd2
+  </linux:dpkginfo_object>
2b7fd2
+{{% endif %}}
2b7fd2
 
2b7fd2
 </def-group>
2b7fd2
diff --git a/shared/checks/oval/installed_env_has_nss-pam-ldapd_package.xml b/shared/checks/oval/installed_env_has_nss-pam-ldapd_package.xml
2b7fd2
index 0637e4a64e..748f68f60f 100644
2b7fd2
--- a/shared/checks/oval/installed_env_has_nss-pam-ldapd_package.xml
2b7fd2
+++ b/shared/checks/oval/installed_env_has_nss-pam-ldapd_package.xml
2b7fd2
@@ -14,11 +14,24 @@
2b7fd2
     </criteria>
2b7fd2
   </definition>
2b7fd2
 
2b7fd2
-  <linux:rpminfo_test check="all" check_existence="at_least_one_exists" comment="system has package nss-pam-ldapd installed" id="test_env_has_nss-pam-ldapd_installed" version="1">
2b7fd2
+{{% if pkg_system == "rpm" %}}
2b7fd2
+  
2b7fd2
+  id="test_env_has_nss-pam-ldapd_installed" version="1"
2b7fd2
+  comment="system has package nss-pam-ldapd installed">
2b7fd2
     <linux:object object_ref="obj_env_has_nss-pam-ldapd_installed" />
2b7fd2
   </linux:rpminfo_test>
2b7fd2
   <linux:rpminfo_object id="obj_env_has_nss-pam-ldapd_installed" version="1">
2b7fd2
     <linux:name>nss-pam-ldapd</linux:name>
2b7fd2
   </linux:rpminfo_object>
2b7fd2
+{{% elif pkg_system == "dpkg" %}}
2b7fd2
+  
2b7fd2
+  id="test_env_has_nss-pam-ldapd_installed" version="1"
2b7fd2
+  comment="system has package nss-pam-ldapd installed">
2b7fd2
+    <linux:object object_ref="obj_env_has_nss-pam-ldapd_installed" />
2b7fd2
+  </linux:dpkginfo_test>
2b7fd2
+  <linux:dpkginfo_object id="obj_env_has_nss-pam-ldapd_installed" version="1">
2b7fd2
+    <linux:name>nss-pam-ldapd</linux:name>
2b7fd2
+  </linux:dpkginfo_object>
2b7fd2
+{{% endif %}}
2b7fd2
 
2b7fd2
 </def-group>
2b7fd2
diff --git a/shared/checks/oval/installed_env_has_pam_package.xml b/shared/checks/oval/installed_env_has_pam_package.xml
2b7fd2
index b6376575b2..dee3bcd26f 100644
2b7fd2
--- a/shared/checks/oval/installed_env_has_pam_package.xml
2b7fd2
+++ b/shared/checks/oval/installed_env_has_pam_package.xml
2b7fd2
@@ -15,11 +15,24 @@
2b7fd2
     </criteria>
2b7fd2
   </definition>
2b7fd2
 
2b7fd2
-  <linux:rpminfo_test check="all" check_existence="at_least_one_exists" comment="system has package pam installed" id="test_env_has_pam_installed" version="1">
2b7fd2
+{{% if pkg_system == "rpm" %}}
2b7fd2
+  
2b7fd2
+  id="test_env_has_pam_installed" version="1"
2b7fd2
+  comment="system has package pam installed">
2b7fd2
     <linux:object object_ref="obj_env_has_pam_installed" />
2b7fd2
   </linux:rpminfo_test>
2b7fd2
   <linux:rpminfo_object id="obj_env_has_pam_installed" version="1">
2b7fd2
     <linux:name>pam</linux:name>
2b7fd2
   </linux:rpminfo_object>
2b7fd2
+{{% elif pkg_system == "dpkg" %}}
2b7fd2
+  
2b7fd2
+  id="test_env_has_pam_installed" version="1"
2b7fd2
+  comment="system has package pam installed">
2b7fd2
+    <linux:object object_ref="obj_env_has_pam_installed" />
2b7fd2
+  </linux:dpkginfo_test>
2b7fd2
+  <linux:dpkginfo_object id="obj_env_has_pam_installed" version="1">
2b7fd2
+    <linux:name>pam</linux:name>
2b7fd2
+  </linux:dpkginfo_object>
2b7fd2
+{{% endif %}}
2b7fd2
 
2b7fd2
 </def-group>
2b7fd2
diff --git a/shared/checks/oval/installed_env_has_shadow-utils_package.xml b/shared/checks/oval/installed_env_has_shadow-utils_package.xml
2b7fd2
index 12dd5bd565..11f40a324f 100644
2b7fd2
--- a/shared/checks/oval/installed_env_has_shadow-utils_package.xml
2b7fd2
+++ b/shared/checks/oval/installed_env_has_shadow-utils_package.xml
2b7fd2
@@ -14,11 +14,24 @@
2b7fd2
     </criteria>
2b7fd2
   </definition>
2b7fd2
 
2b7fd2
-  <linux:rpminfo_test check="all" check_existence="at_least_one_exists" comment="system has package shadow-utils installed" id="test_env_has_shadow-utils_installed" version="1">
2b7fd2
+{{% if pkg_system == "rpm" %}}
2b7fd2
+  
2b7fd2
+  id="test_env_has_shadow-utils_installed" version="1"
2b7fd2
+  comment="system has package shadow-utils installed">
2b7fd2
     <linux:object object_ref="obj_env_has_shadow-utils_installed" />
2b7fd2
   </linux:rpminfo_test>
2b7fd2
   <linux:rpminfo_object id="obj_env_has_shadow-utils_installed" version="1">
2b7fd2
     <linux:name>shadow-utils</linux:name>
2b7fd2
   </linux:rpminfo_object>
2b7fd2
+{{% elif pkg_system == "dpkg" %}}
2b7fd2
+  
2b7fd2
+  id="test_env_has_shadow-utils_installed" version="1"
2b7fd2
+  comment="system has package shadow-utils installed">
2b7fd2
+    <linux:object object_ref="obj_env_has_shadow-utils_installed" />
2b7fd2
+  </linux:dpkginfo_test>
2b7fd2
+  <linux:dpkginfo_object id="obj_env_has_shadow-utils_installed" version="1">
2b7fd2
+    <linux:name>shadow-utils</linux:name>
2b7fd2
+  </linux:dpkginfo_object>
2b7fd2
+{{% endif %}}
2b7fd2
 
2b7fd2
 </def-group>
2b7fd2
diff --git a/shared/checks/oval/installed_env_has_systemd_package.xml b/shared/checks/oval/installed_env_has_systemd_package.xml
2b7fd2
index 99706ee1c6..2dfdff10cc 100644
2b7fd2
--- a/shared/checks/oval/installed_env_has_systemd_package.xml
2b7fd2
+++ b/shared/checks/oval/installed_env_has_systemd_package.xml
2b7fd2
@@ -14,11 +14,24 @@
2b7fd2
     </criteria>
2b7fd2
   </definition>
2b7fd2
 
2b7fd2
-  <linux:rpminfo_test check="all" check_existence="at_least_one_exists" comment="system has package systemd installed" id="test_env_has_systemd_installed" version="1">
2b7fd2
+{{% if pkg_system == "rpm" %}}
2b7fd2
+  
2b7fd2
+  id="test_env_has_systemd_installed" version="1"
2b7fd2
+  comment="system has package systemd installed">
2b7fd2
     <linux:object object_ref="obj_env_has_systemd_installed" />
2b7fd2
   </linux:rpminfo_test>
2b7fd2
   <linux:rpminfo_object id="obj_env_has_systemd_installed" version="1">
2b7fd2
     <linux:name>systemd</linux:name>
2b7fd2
   </linux:rpminfo_object>
2b7fd2
+{{% elif pkg_system == "dpkg" %}}
2b7fd2
+  
2b7fd2
+  id="test_env_has_systemd_installed" version="1"
2b7fd2
+  comment="system has package systemd installed">
2b7fd2
+    <linux:object object_ref="obj_env_has_systemd_installed" />
2b7fd2
+  </linux:dpkginfo_test>
2b7fd2
+  <linux:dpkginfo_object id="obj_env_has_systemd_installed" version="1">
2b7fd2
+    <linux:name>systemd</linux:name>
2b7fd2
+  </linux:dpkginfo_object>
2b7fd2
+{{% endif %}}
2b7fd2
 
2b7fd2
 </def-group>
2b7fd2
2b7fd2
From d8dfd5c10412bc3ecd180325c4a1cc997e6e2b8f Mon Sep 17 00:00:00 2001
2b7fd2
From: Watson Sato <wsato@redhat.com>
2b7fd2
Date: Mon, 8 Apr 2019 16:25:27 +0200
2b7fd2
Subject: [PATCH 10/11] Add yum CPE and update rules plaforms
2b7fd2
2b7fd2
---
0d5c10
 .../clean_components_post_updating/rule.yml   |  2 +
0d5c10
 .../rule.yml                                  |  2 +
0d5c10
 .../ensure_gpgcheck_local_packages/rule.yml   |  2 +
0d5c10
 .../ensure_gpgcheck_repo_metadata/rule.yml    |  2 +
2b7fd2
 .../oval/installed_env_has_yum_package.xml    | 37 +++++++++++++++++++
2b7fd2
 ssg/constants.py                              |  1 +
2b7fd2
 6 files changed, 46 insertions(+)
2b7fd2
 create mode 100644 shared/checks/oval/installed_env_has_yum_package.xml
2b7fd2
0d5c10
diff --git a/linux_os/guide/system/software/updating/clean_components_post_updating/rule.yml b/linux_os/guide/system/software/updating/clean_components_post_updating/rule.yml
2b7fd2
index d5f0756c2a..9bbcadea11 100644
0d5c10
--- a/linux_os/guide/system/software/updating/clean_components_post_updating/rule.yml
0d5c10
+++ b/linux_os/guide/system/software/updating/clean_components_post_updating/rule.yml
2b7fd2
@@ -40,3 +40,5 @@ ocil: |-
0d5c10
     
$ grep clean_requirements_on_remove {{{ pkg_manager_config_file }}}
2b7fd2
     The output should return something similar to:
2b7fd2
     
clean_requirements_on_remove=1
2b7fd2
+
2b7fd2
+platform: yum
0d5c10
diff --git a/linux_os/guide/system/software/updating/ensure_gpgcheck_globally_activated/rule.yml b/linux_os/guide/system/software/updating/ensure_gpgcheck_globally_activated/rule.yml
2b7fd2
index 73e29ae1a5..b19e178026 100644
0d5c10
--- a/linux_os/guide/system/software/updating/ensure_gpgcheck_globally_activated/rule.yml
0d5c10
+++ b/linux_os/guide/system/software/updating/ensure_gpgcheck_globally_activated/rule.yml
2b7fd2
@@ -67,3 +67,5 @@ ocil: |-
2b7fd2
     A value of <tt>1</tt> indicates that <tt>gpgcheck</tt> is enabled. Absence of a
2b7fd2
     <tt>gpgcheck</tt> line or a setting of <tt>0</tt> indicates that it is
2b7fd2
     disabled.
2b7fd2
+
2b7fd2
+platform: yum
0d5c10
diff --git a/linux_os/guide/system/software/updating/ensure_gpgcheck_local_packages/rule.yml b/linux_os/guide/system/software/updating/ensure_gpgcheck_local_packages/rule.yml
2b7fd2
index 7d94688af4..d1ffba4d4e 100644
0d5c10
--- a/linux_os/guide/system/software/updating/ensure_gpgcheck_local_packages/rule.yml
0d5c10
+++ b/linux_os/guide/system/software/updating/ensure_gpgcheck_local_packages/rule.yml
2b7fd2
@@ -47,3 +47,5 @@ ocil: |-
0d5c10
     
$ grep localpkg_gpgcheck {{{ pkg_manager_config_file }}}
2b7fd2
     The output should return something similar to:
2b7fd2
     
localpkg_gpgcheck=1
2b7fd2
+
2b7fd2
+platform: yum
0d5c10
diff --git a/linux_os/guide/system/software/updating/ensure_gpgcheck_repo_metadata/rule.yml b/linux_os/guide/system/software/updating/ensure_gpgcheck_repo_metadata/rule.yml
2b7fd2
index aa3aa83f70..4f8a76652c 100644
0d5c10
--- a/linux_os/guide/system/software/updating/ensure_gpgcheck_repo_metadata/rule.yml
0d5c10
+++ b/linux_os/guide/system/software/updating/ensure_gpgcheck_repo_metadata/rule.yml
2b7fd2
@@ -55,3 +55,5 @@ ocil: |-
0d5c10
     
$ grep repo_gpgcheck {{{ pkg_manager_config_file }}}
2b7fd2
     The output should return something similar to:
2b7fd2
     
repo_gpgcheck=1
2b7fd2
+
2b7fd2
+platform: yum
2b7fd2
diff --git a/shared/checks/oval/installed_env_has_yum_package.xml b/shared/checks/oval/installed_env_has_yum_package.xml
2b7fd2
new file mode 100644
2b7fd2
index 0000000000..916d568062
2b7fd2
--- /dev/null
2b7fd2
+++ b/shared/checks/oval/installed_env_has_yum_package.xml
2b7fd2
@@ -0,0 +1,37 @@
2b7fd2
+<def-group>
2b7fd2
+  
2b7fd2
+  id="installed_env_has_yum_package" version="1">
2b7fd2
+    <metadata>
2b7fd2
+      <title>Package yum is installed</title>
2b7fd2
+      <affected family="unix">
2b7fd2
+        <platform>multi_platform_all</platform>
2b7fd2
+      </affected>
2b7fd2
+      <description>Checks if package yum is installed.</description>
2b7fd2
+      <reference ref_id="cpe:/a:yum" source="CPE" />
2b7fd2
+    </metadata>
2b7fd2
+    <criteria>
2b7fd2
+      <criterion comment="Package yum is installed" test_ref="test_env_has_yum_installed" />
2b7fd2
+    </criteria>
2b7fd2
+  </definition>
2b7fd2
+
2b7fd2
+{{% if pkg_system == "rpm" %}}
2b7fd2
+  
2b7fd2
+  id="test_env_has_yum_installed" version="1"
2b7fd2
+  comment="system has package yum installed">
2b7fd2
+    <linux:object object_ref="obj_env_has_yum_installed" />
2b7fd2
+  </linux:rpminfo_test>
2b7fd2
+  <linux:rpminfo_object id="obj_env_has_yum_installed" version="1">
2b7fd2
+    <linux:name>yum</linux:name>
2b7fd2
+  </linux:rpminfo_object>
2b7fd2
+{{% elif pkg_system == "dpkg" %}}
2b7fd2
+  
2b7fd2
+  id="test_env_has_yum_installed" version="1"
2b7fd2
+  comment="system has package yum installed">
2b7fd2
+    <linux:object object_ref="obj_env_has_yum_installed" />
2b7fd2
+  </linux:dpkginfo_test>
2b7fd2
+  <linux:dpkginfo_object id="obj_env_has_yum_installed" version="1">
2b7fd2
+    <linux:name>yum</linux:name>
2b7fd2
+  </linux:dpkginfo_object>
2b7fd2
+{{% endif %}}
2b7fd2
+
2b7fd2
+</def-group>
2b7fd2
diff --git a/ssg/constants.py b/ssg/constants.py
2b7fd2
index 8d7a4cc290..94d9d8c180 100644
2b7fd2
--- a/ssg/constants.py
2b7fd2
+++ b/ssg/constants.py
2b7fd2
@@ -381,6 +381,7 @@
2b7fd2
     "pam": "cpe:/a:pam",
2b7fd2
     "shadow-utils": "cpe:/a:shadow-utils",
2b7fd2
     "systemd": "cpe:/a:systemd",
2b7fd2
+    "yum": "cpe:/a:yum",
2b7fd2
 }
2b7fd2
 
2b7fd2
 # Application constants
2b7fd2
2b7fd2
From b7250b641c3d533d10a8e633094cf6421b0c34dc Mon Sep 17 00:00:00 2001
2b7fd2
From: Watson Sato <wsato@redhat.com>
2b7fd2
Date: Mon, 8 Apr 2019 18:00:19 +0200
2b7fd2
Subject: [PATCH 11/11] Update rhel7 cpe-dictionary
2b7fd2
2b7fd2
---
2b7fd2
 rhel7/cpe/rhel7-cpe-dictionary.xml | 25 +++++++++++++++++++++++++
2b7fd2
 1 file changed, 25 insertions(+)
2b7fd2
2b7fd2
diff --git a/rhel7/cpe/rhel7-cpe-dictionary.xml b/rhel7/cpe/rhel7-cpe-dictionary.xml
2b7fd2
index 44fe06f103..d64c18e846 100644
2b7fd2
--- a/rhel7/cpe/rhel7-cpe-dictionary.xml
2b7fd2
+++ b/rhel7/cpe/rhel7-cpe-dictionary.xml
2b7fd2
@@ -47,9 +47,34 @@
2b7fd2
             
2b7fd2
             <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_is_a_machine</check>
2b7fd2
       </cpe-item>
2b7fd2
+      <cpe-item name="cpe:/a:libuser">
2b7fd2
+            <title xml:lang="en-us">Package libuser is installed</title>
2b7fd2
+            
2b7fd2
+            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_libuser_package</check>
2b7fd2
+      </cpe-item>
2b7fd2
+      <cpe-item name="cpe:/a:nss-pam-ldapd">
2b7fd2
+            <title xml:lang="en-us">Package nss-pam-ldapd is installed</title>
2b7fd2
+            
2b7fd2
+            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_nss-pam-ldapd_package</check>
2b7fd2
+      </cpe-item>
2b7fd2
+      <cpe-item name="cpe:/a:pam">
2b7fd2
+            <title xml:lang="en-us">Package pam is installed</title>
2b7fd2
+            
2b7fd2
+            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_pam_package</check>
2b7fd2
+      </cpe-item>
2b7fd2
       <cpe-item name="cpe:/a:shadow-utils">
2b7fd2
             <title xml:lang="en-us">Package shadow-utils is installed</title>
2b7fd2
             
2b7fd2
             <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_shadow-utils_package</check>
2b7fd2
       </cpe-item>
2b7fd2
+      <cpe-item name="cpe:/a:systemd">
2b7fd2
+            <title xml:lang="en-us">Package systemd is installed</title>
2b7fd2
+            
2b7fd2
+            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_systemd_package</check>
2b7fd2
+      </cpe-item>
2b7fd2
+      <cpe-item name="cpe:/a:yum">
2b7fd2
+            <title xml:lang="en-us">Package yum is installed</title>
2b7fd2
+            
2b7fd2
+            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_yum_package</check>
2b7fd2
+      </cpe-item>
2b7fd2
 </cpe-list>