From 32caed89b5cf14f86e5d842569c4f73cdae6ed26 Mon Sep 17 00:00:00 2001
From: Shawn Wells <shawn@redhat.com>
Date: Wed, 3 Apr 2019 16:49:38 -0400
Subject: [PATCH 01/11] create PAM package CPE
---
.../oval/installed_env_has_pam_package.xml | 25 +++++++++++++++++++
1 file changed, 25 insertions(+)
create mode 100644 shared/checks/oval/installed_env_has_pam_package.xml
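diff --git a/shared/checks/oval/installed_env_has_pam_package.xml b/shared/checks/oval/installed_env_has_pam_package.xml
new file mode 100644
index 0000000000..b6376575b2
--- /dev/null
+++ b/shared/checks/oval/installed_env_has_pam_package.xml
@@ -0,0 +1,25 @@
+<def-group>
+
+
+ id="installed_env_has_pam_package" version="1">
+ <metadata>
+ <title>Package pam is installed</title>
+ <affected family="unix">
+ <platform>multi_platform_all</platform>
+ </affected>
+ <description>Checks if package pam is installed.</description>
+ <reference ref_id="cpe:/a:pam" source="CPE" />
+ </metadata>
+ <criteria>
+ <criterion comment="Package pam is installed" test_ref="test_env_has_pam_installed" />
+ </criteria>
+ </definition>
+
+ <linux:rpminfo_test check="all" check_existence="at_least_one_exists" comment="system has package pam installed" id="test_env_has_pam_installed" version="1">
+ <linux:object object_ref="obj_env_has_pam_installed" />
+ </linux:rpminfo_test>
+ <linux:rpminfo_object id="obj_env_has_pam_installed" version="1">
+ <linux:name>pam</linux:name>
+ </linux:rpminfo_object>
+
+</def-group>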
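Review bot: The `linux:rpminfo_test` at the bottom of this file can only be satisfied from the RPM database, yet the definition declares `<platform>multi_platform_all</platform>`, so on a product that does not use RPM the `cpe:/a:pam` applicability check would presumably never evaluate to true. A rule whose platform check does not pass is reported as not applicable rather than failed, so every rule tagged `platform: pam` in the later patches would silently drop out of scan results on such a host. Either narrow `<affected>` to the RPM-based products or add a `linux:dpkginfo_test` alternative under an `OR` criteria. The same applies to the libuser, systemd and nss-pam-ldapd definitions added in patches 04, 05 and 07. A short comment above the test, e.g. `<!-- applicability check only: gates rules carrying platform: pam -->`, would also document why the file exists.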
From 213a472a89b3b591a4fd441bcf0f0f3ba633afe3 Mon Sep 17 00:00:00 2001
From: Shawn Wells <shawn@redhat.com>
Date: Wed, 3 Apr 2019 16:49:53 -0400
Subject: [PATCH 02/11] add PAM CPE to constants
---
ssg/constants.py | 1 +
1 file changed, 1 insertion(+)
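diff --git a/ssg/constants.py b/ssg/constants.py
index f96fd51790..e87eb7f43c 100644
--- a/ssg/constants.py
+++ b/ssg/constants.py
@@ -376,6 +376,7 @@
 XCCDF_PLATFORM_TO_CPE = {
 "machine": "cpe:/a:machine",
 "container": "cpe:/a:container",
+ "pam": "cpe:/a:pam",
 "shadow-utils": "cpe:/a:shadow-utils",
 }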
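Review bot: The new value `cpe:/a:pam` puts the package name in the vendor field of the CPE 2.2 URI (`cpe:/a:<vendor>:<product>`) and leaves the product empty, so it will not match any official dictionary name for PAM. That follows the neighbouring `cpe:/a:machine` and `cpe:/a:container` entries, which appear to be project-local identifiers, but nothing in the dict says so. I would add a comment above `XCCDF_PLATFORM_TO_CPE`, e.g. `# Project-local applicability CPEs; each key presumably needs a matching installed_env_has_<name>_package OVAL check`, so the coupling with the OVAL file from patch 01 is documented. The same applies to the libuser, systemd and nss-pam-ldapd entries added in patches 06 and 07.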
From 6afde50cf7a4a75829ed092c8e30116df7a99601 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Mon, 8 Apr 2019 15:43:04 +0200
Subject: [PATCH 03/11] Update rules for PAM CPE check
---
.../accounts_password_pam_dcredit/rule.yml | 2 ++
.../accounts_password_pam_difok/rule.yml | 2 ++
.../accounts_password_pam_maxclassrepeat/rule.yml | 2 ++
.../accounts_password_pam_minclass/rule.yml | 2 ++
.../accounts_password_pam_minlen/rule.yml | 2 ++
.../accounts_max_concurrent_login_sessions/rule.yml | 2 ++
6 files changed, 12 insertions(+)
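diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_dcredit/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_dcredit/rule.yml
index 72fc5970ea..fe997d97c8 100644
--- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_dcredit/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_dcredit/rule.yml
@@ -52,3 +52,5 @@ ocil: |-
 $ grep dcredit /etc/security/pwquality.conf
 The <tt>dcredit</tt> parameter (as a negative number) will indicate how many digits are required.
 The DoD requires at least one digit in a password. This would appear as <tt>dcredit = -1</tt>.
+
+platform: pam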
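diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_difok/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_difok/rule.yml
index 931f0aa9e4..d1855a2cf4 100644
--- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_difok/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_difok/rule.yml
@@ -53,3 +53,5 @@ ocil: |-
 To check how many characters must differ during a password change, run the following command:
 $ grep difok /etc/security/pwquality.conf
 The <tt>difok</tt> parameter will indicate how many characters must differ.
+
+platform: pam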
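diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_maxclassrepeat/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_maxclassrepeat/rule.yml
index 35de1318d5..d964a5e3ea 100644
--- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_maxclassrepeat/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_maxclassrepeat/rule.yml
@@ -43,3 +43,5 @@ ocil: |-
 To check the value for maximum consecutive repeating characters, run the following command:
 $ grep maxclassrepeat /etc/security/pwquality.conf
 For DoD systems, the output should show <tt>maxclassrepeat</tt>=4.
+
+platform: pam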
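diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_minclass/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_minclass/rule.yml
index 7f99aba143..dc3377de0b 100644
--- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_minclass/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_minclass/rule.yml
@@ -60,3 +60,5 @@ ocil: |-
 The <tt>minclass</tt> parameter will indicate how many character classes must be used. If
 the requirement was for the password to contain characters from three different categories,
 then this would appear as <tt>minclass = 3</tt>.
+
+platform: pam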
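diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_minlen/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_minlen/rule.yml
index d6462579fe..0799aecf01 100644
--- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_minlen/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_minlen/rule.yml
@@ -49,3 +49,5 @@ ocil: |-
 To check how many characters are required in a password, run the following command:
 $ grep minlen /etc/security/pwquality.conf
 Your output should contain <tt>minlen = <sub idref="var_password_pam_minlen" /></tt>
+
+platform: pam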
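diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_max_concurrent_login_sessions/rule.yml b/linux_os/guide/system/accounts/accounts-session/accounts_max_concurrent_login_sessions/rule.yml
index bd53c19c08..f9d9a08706 100644
--- a/linux_os/guide/system/accounts/accounts-session/accounts_max_concurrent_login_sessions/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_max_concurrent_login_sessions/rule.yml
@@ -45,3 +45,5 @@ ocil: |-
 # grep "maxlogins" /etc/security/limits.conf
 You should receive output similar to the following:
 *\t\thard\tmaxlogins\t<sub idref="var_accounts_max_concurrent_login_sessions" />
+
+platform: pam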
From 351ee6945df37a28cc4f4589b17eb4c35066b00b Mon Sep 17 00:00:00 2001
From: Shawn Wells <shawn@redhat.com>
Date: Wed, 3 Apr 2019 17:17:40 -0400
Subject: [PATCH 04/11] add libuser CPE
---
.../installed_env_has_libuser_package.xml | 24 +++++++++++++++++++
1 file changed, 24 insertions(+)
create mode 100644 shared/checks/oval/installed_env_has_libuser_package.xml
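diff --git a/shared/checks/oval/installed_env_has_libuser_package.xml b/shared/checks/oval/installed_env_has_libuser_package.xml
new file mode 100644
index 0000000000..ee79b19f8a
--- /dev/null
+++ b/shared/checks/oval/installed_env_has_libuser_package.xml
@@ -0,0 +1,24 @@
+<def-group>
+
+ id="installed_env_has_libuser_package" version="1">
+ <metadata>
+ <title>Package libuser is installed</title>
+ <affected family="unix">
+ <platform>multi_platform_all</platform>
+ </affected>
+ <description>Checks if package libuser is installed.</description>
+ <reference ref_id="cpe:/a:libuser" source="CPE" />
+ </metadata>
+ <criteria>
+ <criterion comment="Package libuser is installed" test_ref="test_env_has_libuser_installed" />
+ </criteria>
+ </definition>
+
+ <linux:rpminfo_test check="all" check_existence="at_least_one_exists" comment="system has package libuser installed" id="test_env_has_libuser_installed" version="1">
+ <linux:object object_ref="obj_env_has_libuser_installed" />
+ </linux:rpminfo_test>
+ <linux:rpminfo_object id="obj_env_has_libuser_installed" version="1">
+ <linux:name>libuser</linux:name>
+ </linux:rpminfo_object>
+
+</def-group>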
From e0b2db79f718b2f64ec25c39f01b53d4e9a80b00 Mon Sep 17 00:00:00 2001
From: Shawn Wells <shawn@redhat.com>
Date: Wed, 3 Apr 2019 17:17:50 -0400
Subject: [PATCH 05/11] add systemd CPE
---
.../installed_env_has_systemd_package.xml | 24 +++++++++++++++++++
1 file changed, 24 insertions(+)
create mode 100644 shared/checks/oval/installed_env_has_systemd_package.xml
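diff --git a/shared/checks/oval/installed_env_has_systemd_package.xml b/shared/checks/oval/installed_env_has_systemd_package.xml
new file mode 100644
index 0000000000..99706ee1c6
--- /dev/null
+++ b/shared/checks/oval/installed_env_has_systemd_package.xml
@@ -0,0 +1,24 @@
+<def-group>
+
+ id="installed_env_has_systemd_package" version="1">
+ <metadata>
+ <title>Package systemd is installed</title>
+ <affected family="unix">
+ <platform>multi_platform_all</platform>
+ </affected>
+ <description>Checks if package systemd is installed.</description>
+ <reference ref_id="cpe:/a:systemd" source="CPE" />
+ </metadata>
+ <criteria>
+ <criterion comment="Package systemd is installed" test_ref="test_env_has_systemd_installed" />
+ </criteria>
+ </definition>
+
+ <linux:rpminfo_test check="all" check_existence="at_least_one_exists" comment="system has package systemd installed" id="test_env_has_systemd_installed" version="1">
+ <linux:object object_ref="obj_env_has_systemd_installed" />
+ </linux:rpminfo_test>
+ <linux:rpminfo_object id="obj_env_has_systemd_installed" version="1">
+ <linux:name>systemd</linux:name>
+ </linux:rpminfo_object>
+
+</def-group>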
From 2ec6e5654ef63232c973d91cdee6f8eb9156eb9b Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Mon, 8 Apr 2019 15:45:01 +0200
Subject: [PATCH 06/11] Update rules with package CPEs
---
.../accounts/accounts-pam/display_login_attempts/rule.yml | 2 ++
.../accounts_password_pam_unix_remember/rule.yml | 2 ++
.../accounts_passwords_pam_faillock_deny/rule.yml | 2 ++
.../accounts_passwords_pam_faillock_deny_root/rule.yml | 2 ++
.../accounts_passwords_pam_faillock_interval/rule.yml | 2 ++
.../accounts_passwords_pam_faillock_unlock_time/rule.yml | 2 ++
.../accounts_password_pam_lcredit/rule.yml | 2 ++
.../accounts_password_pam_ocredit/rule.yml | 2 ++
.../accounts_password_pam_retry/rule.yml | 2 ++
.../accounts_password_pam_ucredit/rule.yml | 2 ++
.../set_password_hashing_algorithm_libuserconf/rule.yml | 2 ++
.../set_password_hashing_algorithm_logindefs/rule.yml | 2 ++
.../set_password_hashing_algorithm_systemauth/rule.yml | 2 ++
.../accounts-physical/disable_ctrlaltdel_burstaction/rule.yml | 2 ++
.../user_umask/accounts_umask_etc_login_defs/rule.yml | 2 ++
ssg/constants.py | 2 ++
16 files changed, 32 insertions(+)
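diff --git a/linux_os/guide/system/accounts/accounts-pam/display_login_attempts/rule.yml b/linux_os/guide/system/accounts/accounts-pam/display_login_attempts/rule.yml
index 5c2287a4d3..baeece4b59 100644
--- a/linux_os/guide/system/accounts/accounts-pam/display_login_attempts/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-pam/display_login_attempts/rule.yml
@@ -47,3 +47,5 @@ ocil: |-
 the following command:
 $ grep pam_lastlog.so /etc/pam.d/postlogin
 The output should show output <tt>showfailed</tt>.
+
+platform: pam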
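diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/rule.yml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/rule.yml
index dcde239e85..a63e0e6d1d 100644
--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/rule.yml
@@ -56,3 +56,5 @@ ocil: |-
 $ grep remember /etc/pam.d/system-auth
 The output should show the following at the end of the line:
 remember=<sub idref="var_password_pam_unix_remember" />
+
+platform: pam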
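diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/rule.yml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/rule.yml
index c8147e7c17..e10b0a1b67 100644
--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/rule.yml
@@ -56,3 +56,5 @@ ocil: |-
 To ensure the failed password attempt policy is configured correctly, run the following command:
 $ grep pam_faillock /etc/pam.d/system-auth
 The output should show <tt>deny=<sub idref="var_accounts_passwords_pam_faillock_deny" /></tt>.
+
+platform: pam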
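diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny_root/rule.yml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny_root/rule.yml
index b5283b052e..b4c4df7186 100644
--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny_root/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny_root/rule.yml
@@ -50,3 +50,5 @@ ocil: |-
 attempts, run the following command:
 $ grep even_deny_root /etc/pam.d/system-auth
 The output should show <tt>even_deny_root</tt>.
+
+platform: pam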
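diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/rule.yml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/rule.yml
index 485fb7970d..ac21fe4c81 100644
--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/rule.yml
@@ -65,3 +65,5 @@ ocil: |-
 For each file, the output should show <tt>fail_interval=<interval-in-seconds></tt> where <tt>interval-in-seconds</tt> is <tt><sub idref="var_accounts_passwords_pam_faillock_fail_interval" /></tt> or greater.
 If the <tt>fail_interval</tt> parameter is not set, the default setting
 of 900 seconds is acceptable.
+
+platform: pam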
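diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/rule.yml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/rule.yml
index 9abd02feea..f4bfaec622 100644
--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/rule.yml
@@ -59,3 +59,5 @@ ocil: |-
 To ensure the failed password attempt policy is configured correctly, run the following command:
 $ grep pam_faillock /etc/pam.d/system-auth
 The output should show <tt>unlock_time=<some-large-number></tt> or <tt>never</tt>.
+
+platform: pam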
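diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_lcredit/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_lcredit/rule.yml
index ba0be4ebeb..21d86585ed 100644
--- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_lcredit/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_lcredit/rule.yml
@@ -51,3 +51,5 @@ ocil: |-
 $ grep lcredit /etc/security/pwquality.conf
 The <tt>lcredit</tt> parameter (as a negative number) will indicate how many special characters are required.
 The DoD and FISMA require at least one lowercase character in a password. This would appear as <tt>lcredit = -1</tt>.
+
+platform: pam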
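diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_ocredit/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_ocredit/rule.yml
index c39cc2a09b..d7f7083d27 100644
--- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_ocredit/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_ocredit/rule.yml
@@ -53,3 +53,5 @@ ocil: |-
 The <tt>ocredit</tt> parameter (as a negative number) will indicate how many special characters are required.
 The DoD and FISMA require at least one special character in a password.
 This would appear as <tt>ocredit = -1</tt>.
+
+platform: pam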
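diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/rule.yml
index c0f8ed8d6d..fea35e37a3 100644
--- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/rule.yml
@@ -46,3 +46,5 @@ ocil: |-
 The <tt>retry</tt> parameter will indicate how many attempts are permitted.
 The DoD required value is less than or equal to 3.
 This would appear as <tt>retry=3</tt>, or a lower value.
+
+platform: pam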
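diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_ucredit/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_ucredit/rule.yml
index 2222ac2297..a4ecdf969d 100644
--- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_ucredit/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_ucredit/rule.yml
@@ -50,3 +50,5 @@ ocil: |-
 The <tt>ucredit</tt> parameter (as a negative number) will indicate how many uppercase characters are required.
 The DoD and FISMA require at least one uppercase character in a password.
 This would appear as <tt>ucredit = -1</tt>.
+
+platform: pam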
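diff --git a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_libuserconf/rule.yml b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_libuserconf/rule.yml
index 0f6cf57e57..397bad4ea6 100644
--- a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_libuserconf/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_libuserconf/rule.yml
@@ -55,3 +55,5 @@ ocil: |-
 Inspect <tt>/etc/libuser.conf</tt> and ensure the following line appears
 in the <tt>[default]</tt> section:
 crypt_style = sha512
+
+platform: libuser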
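diff --git a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_logindefs/rule.yml b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_logindefs/rule.yml
index a23a7863c9..84212c7648 100644
--- a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_logindefs/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_logindefs/rule.yml
@@ -47,3 +47,5 @@ ocil_clause: 'it does not'
 ocil: |-
 Inspect <tt>/etc/login.defs</tt> and ensure the following line appears:
 ENCRYPT_METHOD SHA512
+
+platform: shadow-utils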
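diff --git a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/rule.yml b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/rule.yml
index 070e65fc3a..48e8ac427d 100644
--- a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/rule.yml
@@ -65,3 +65,5 @@ ocil: |-
 ensure that the <tt>pam_unix.so</tt> module includes the argument
 <tt>sha512</tt>:
 $ grep sha512 /etc/pam.d/system-auth
+
+platform: pam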
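diff --git a/linux_os/guide/system/accounts/accounts-physical/disable_ctrlaltdel_burstaction/rule.yml b/linux_os/guide/system/accounts/accounts-physical/disable_ctrlaltdel_burstaction/rule.yml
index e215a41a91..d68bf2be38 100644
--- a/linux_os/guide/system/accounts/accounts-physical/disable_ctrlaltdel_burstaction/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-physical/disable_ctrlaltdel_burstaction/rule.yml
@@ -53,3 +53,5 @@ warnings:
 key sequence if running in <tt>runlevel 6</tt> (e.g. in GNOME, KDE, etc.)! The
 <tt>Ctrl-Alt-Del</tt> key sequence will only be disabled if running in
 the non-graphical <tt>runlevel 3</tt>.
+
+platform: systemd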
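diff --git a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_login_defs/rule.yml b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_login_defs/rule.yml
index e9e327352b..a087ca8f6a 100644
--- a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_login_defs/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_login_defs/rule.yml
@@ -41,3 +41,5 @@ ocil: |-
 All output must show the value of <tt>umask</tt> set as shown in the below:
 # grep -i "UMASK" /etc/login.defs
 umask <sub idref="var_accounts_user_umask" />
+
+platform: shadow-utils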
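diff --git a/ssg/constants.py b/ssg/constants.py
index e87eb7f43c..8b3a792f10 100644
--- a/ssg/constants.py
+++ b/ssg/constants.py
@@ -376,8 +376,10 @@
 XCCDF_PLATFORM_TO_CPE = {
 "machine": "cpe:/a:machine",
 "container": "cpe:/a:container",
+ "libuser": "cpe:/a:libuser",
 "pam": "cpe:/a:pam",
 "shadow-utils": "cpe:/a:shadow-utils",
+ "systemd": "cpe:/a:systemd",
 }
 
 # Application constants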
From e884c6f090bf4a7963721b4948f18b05193cc0bb Mon Sep 17 00:00:00 2001
From: Shawn Wells <shawn@redhat.com>
Date: Wed, 3 Apr 2019 17:45:31 -0400
Subject: [PATCH 07/11] Update LDAP check to evaluate for nss-pam-ldapd CPE
---
.../ldap_client_start_tls/rule.yml | 2 ++
...nstalled_env_has_nss-pam-ldapd_package.xml | 24 +++++++++++++++++++
ssg/constants.py | 1 +
3 files changed, 27 insertions(+)
create mode 100644 shared/checks/oval/installed_env_has_nss-pam-ldapd_package.xml
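diff --git a/linux_os/guide/services/ldap/openldap_client/ldap_client_start_tls/rule.yml b/linux_os/guide/services/ldap/openldap_client/ldap_client_start_tls/rule.yml
index c4839d7de5..22a9fd60d9 100644
--- a/linux_os/guide/services/ldap/openldap_client/ldap_client_start_tls/rule.yml
+++ b/linux_os/guide/services/ldap/openldap_client/ldap_client_start_tls/rule.yml
@@ -48,3 +48,5 @@ ocil: |-
 $ grep start_tls /etc/pam_ldap.conf
 The result should contain:
 ssl start_tls
+
+platform: nss-pam-ldapd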
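Review bot: The applicability gate `platform: nss-pam-ldapd` does not obviously match what this rule inspects: the OCIL context lines in the hunk check `/etc/pam_ldap.conf`, a file that on some releases is shipped by a separate pam_ldap package rather than by nss-pam-ldapd. If a host has that file's owner installed without nss-pam-ldapd, the rule would be reported as not applicable and a missing `ssl start_tls` setting would go unflagged. Please confirm which package owns the checked file on each supported product and gate on that, or leave this rule ungated. The rule body starts outside the hunk, so the automated check it actually uses is not visible here.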
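diff --git a/shared/checks/oval/installed_env_has_nss-pam-ldapd_package.xml b/shared/checks/oval/installed_env_has_nss-pam-ldapd_package.xml
new file mode 100644
index 0000000000..0637e4a64e
--- /dev/null
+++ b/shared/checks/oval/installed_env_has_nss-pam-ldapd_package.xml
@@ -0,0 +1,24 @@
+<def-group>
+
+ id="installed_env_has_nss-pam-ldapd_package" version="1">
+ <metadata>
+ <title>Package nss-pam-ldapd is installed</title>
+ <affected family="unix">
+ <platform>multi_platform_all</platform>
+ </affected>
+ <description>Checks if package nss-pam-ldapd is installed.</description>
+ <reference ref_id="cpe:/a:nss-pam-ldapd" source="CPE" />
+ </metadata>
+ <criteria>
+ <criterion comment="Package nss-pam-ldapd is installed" test_ref="test_env_has_nss-pam-ldapd_installed" />
+ </criteria>
+ </definition>
+
+ <linux:rpminfo_test check="all" check_existence="at_least_one_exists" comment="system has package nss-pam-ldapd installed" id="test_env_has_nss-pam-ldapd_installed" version="1">
+ <linux:object object_ref="obj_env_has_nss-pam-ldapd_installed" />
+ </linux:rpminfo_test>
+ <linux:rpminfo_object id="obj_env_has_nss-pam-ldapd_installed" version="1">
+ <linux:name>nss-pam-ldapd</linux:name>
+ </linux:rpminfo_object>
+
+</def-group>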
diff --git a/ssg/constants.py b/ssg/constants.py
|
|
|
2b7fd2 |
index 8b3a792f10..8d7a4cc290 100644
|
|
|
2b7fd2 |
--- a/ssg/constants.py
|
|
|
2b7fd2 |
+++ b/ssg/constants.py
|
|
|
2b7fd2 |
@@ -377,6 +377,7 @@
|
|
|
2b7fd2 |
"machine": "cpe:/a:machine",
|
|
|
2b7fd2 |
"container": "cpe:/a:container",
|
|
|
2b7fd2 |
"libuser": "cpe:/a:libuser",
|
|
|
2b7fd2 |
+ "nss-pam-ldapd": "cpe:/a:nss-pam-ldapd",
|
|
|
2b7fd2 |
"pam": "cpe:/a:pam",
|
|
|
2b7fd2 |
"shadow-utils": "cpe:/a:shadow-utils",
|
|
|
2b7fd2 |
"systemd": "cpe:/a:systemd",
|
|
|
2b7fd2 |
|
|
|
2b7fd2 |
From 7cbbe94a051f3978592edb207b5fb178fd6d0e2f Mon Sep 17 00:00:00 2001
|
|
|
2b7fd2 |
From: Watson Sato <wsato@redhat.com>
|
|
|
2b7fd2 |
Date: Mon, 8 Apr 2019 15:55:08 +0200
|
|
|
2b7fd2 |
Subject: [PATCH 08/11] Update FIPS checks to evaluate if in machine
|
|
|
2b7fd2 |
environment
|
|
|
2b7fd2 |
|
|
|
2b7fd2 |
---
|
|
|
0d5c10 |
.../software/integrity/fips/enable_dracut_fips_module/rule.yml | 2 ++
|
|
|
0d5c10 |
.../integrity/fips/grub_legacy_enable_fips_mode/rule.yml | 2 ++
|
|
|
0d5c10 |
.../integrity/fips/package_dracut-fips_installed/rule.yml | 2 ++
|
|
|
2b7fd2 |
3 files changed, 6 insertions(+)
|
|
|
2b7fd2 |
|
|
|
0d5c10 |
diff --git a/linux_os/guide/system/software/integrity/fips/enable_dracut_fips_module/rule.yml b/linux_os/guide/system/software/integrity/fips/enable_dracut_fips_module/rule.yml
|
|
|
0d5c10 |
index 08faf42259..dbdf64d526 100644
|
|
|
0d5c10 |
--- a/linux_os/guide/system/software/integrity/fips/enable_dracut_fips_module/rule.yml
|
|
|
0d5c10 |
+++ b/linux_os/guide/system/software/integrity/fips/enable_dracut_fips_module/rule.yml
|
|
|
0d5c10 |
@@ -48,3 +48,5 @@ warnings:
|
|
|
0d5c10 |
|
|
|
0d5c10 |
See {{{ weblink(link="http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/1401vend.htm") }}}
|
|
|
0d5c10 |
for a list of FIPS certified vendors.
|
|
|
0d5c10 |
+
|
|
|
0d5c10 |
+platform: machine
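Review bot: The `platform: machine` key added at the end of this rule.yml carries no explanation, and the same bare key is added in the grub_legacy_enable_fips_mode and package_dracut-fips_installed hunks that follow. With it, a scan of a container will presumably report these FIPS rules as not applicable, which a reader can mistake for a pass even though it says nothing about the host's FIPS state. A one-line comment above the key would record the intent, for example `# boot-time FIPS setup belongs to the host; not evaluated inside containers`. The rule.yml body starts outside the hunk.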
|
|
|
0d5c10 |
diff --git a/linux_os/guide/system/software/integrity/fips/grub_legacy_enable_fips_mode/rule.yml b/linux_os/guide/system/software/integrity/fips/grub_legacy_enable_fips_mode/rule.yml
|
|
|
2b7fd2 |
index f112bddacd..6761b8736d 100644
|
|
|
0d5c10 |
--- a/linux_os/guide/system/software/integrity/fips/grub_legacy_enable_fips_mode/rule.yml
|
|
|
0d5c10 |
+++ b/linux_os/guide/system/software/integrity/fips/grub_legacy_enable_fips_mode/rule.yml
|
|
|
2b7fd2 |
@@ -50,3 +50,5 @@ warnings:
|
|
|
2b7fd2 |
|
|
|
2b7fd2 |
See {{{ weblink(link="http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/1401vend.htm") }}}
|
|
|
2b7fd2 |
for a list of FIPS certified vendors.
|
|
|
2b7fd2 |
+
|
|
|
2b7fd2 |
+platform: machine
|
|
|
0d5c10 |
diff --git a/linux_os/guide/system/software/integrity/fips/package_dracut-fips_installed/rule.yml b/linux_os/guide/system/software/integrity/fips/package_dracut-fips_installed/rule.yml
|
|
|
2b7fd2 |
index c1f6e515e6..055ec8f774 100644
|
|
|
0d5c10 |
--- a/linux_os/guide/system/software/integrity/fips/package_dracut-fips_installed/rule.yml
|
|
|
0d5c10 |
+++ b/linux_os/guide/system/software/integrity/fips/package_dracut-fips_installed/rule.yml
|
|
|
2b7fd2 |
@@ -37,3 +37,5 @@ references:
|
|
|
2b7fd2 |
ocil_clause: 'the package is not installed'
|
|
|
2b7fd2 |
|
|
|
2b7fd2 |
ocil: '{{{ ocil_package(package="dracut-fips") }}}'
|
|
|
2b7fd2 |
+
|
|
|
2b7fd2 |
+platform: machine
|
|
|
2b7fd2 |
|
|
|
2b7fd2 |
From 86704595eb3500a8ef15f5fc0c1412d000c201d1 Mon Sep 17 00:00:00 2001
|
|
|
2b7fd2 |
From: Watson Sato <wsato@redhat.com>
|
|
|
2b7fd2 |
Date: Mon, 8 Apr 2019 16:15:45 +0200
|
|
|
2b7fd2 |
Subject: [PATCH 09/11] Update CPE package check to handle deb packages
|
|
|
2b7fd2 |
|
|
|
2b7fd2 |
---
|
|
|
2b7fd2 |
.../oval/installed_env_has_libuser_package.xml | 15 ++++++++++++++-
|
|
|
2b7fd2 |
.../installed_env_has_nss-pam-ldapd_package.xml | 15 ++++++++++++++-
|
|
|
2b7fd2 |
.../checks/oval/installed_env_has_pam_package.xml | 15 ++++++++++++++-
|
|
|
2b7fd2 |
.../installed_env_has_shadow-utils_package.xml | 15 ++++++++++++++-
|
|
|
2b7fd2 |
.../oval/installed_env_has_systemd_package.xml | 15 ++++++++++++++-
|
|
|
2b7fd2 |
5 files changed, 70 insertions(+), 5 deletions(-)
|
|
|
2b7fd2 |
|
|
|
2b7fd2 |
diff --git a/shared/checks/oval/installed_env_has_libuser_package.xml b/shared/checks/oval/installed_env_has_libuser_package.xml
|
|
|
2b7fd2 |
index ee79b19f8a..b848337b0e 100644
|
|
|
2b7fd2 |
--- a/shared/checks/oval/installed_env_has_libuser_package.xml
|
|
|
2b7fd2 |
+++ b/shared/checks/oval/installed_env_has_libuser_package.xml
|
|
|
2b7fd2 |
@@ -14,11 +14,24 @@
|
|
|
2b7fd2 |
</criteria>
|
|
|
2b7fd2 |
</definition>
|
|
|
2b7fd2 |
|
|
|
2b7fd2 |
- <linux:rpminfo_test check="all" check_existence="at_least_one_exists" comment="system has package libuser installed" id="test_env_has_libuser_installed" version="1">
|
|
|
2b7fd2 |
+{{% if pkg_system == "rpm" %}}
|
|
|
2b7fd2 |
+
|
|
|
2b7fd2 |
+ id="test_env_has_libuser_installed" version="1"
|
|
|
2b7fd2 |
+ comment="system has package libuser installed">
|
|
|
2b7fd2 |
<linux:object object_ref="obj_env_has_libuser_installed" />
|
|
|
2b7fd2 |
</linux:rpminfo_test>
|
|
|
2b7fd2 |
<linux:rpminfo_object id="obj_env_has_libuser_installed" version="1">
|
|
|
2b7fd2 |
<linux:name>libuser</linux:name>
|
|
|
2b7fd2 |
</linux:rpminfo_object>
|
|
|
2b7fd2 |
+{{% elif pkg_system == "dpkg" %}}
|
|
|
2b7fd2 |
+
|
|
|
2b7fd2 |
+ id="test_env_has_libuser_installed" version="1"
|
|
|
2b7fd2 |
+ comment="system has package libuser installed">
|
|
|
2b7fd2 |
+ <linux:object object_ref="obj_env_has_libuser_installed" />
|
|
|
2b7fd2 |
+ </linux:dpkginfo_test>
|
|
|
2b7fd2 |
+ <linux:dpkginfo_object id="obj_env_has_libuser_installed" version="1">
|
|
|
2b7fd2 |
+ <linux:name>libuser</linux:name>
|
|
|
2b7fd2 |
+ </linux:dpkginfo_object>
|
|
|
2b7fd2 |
+{{% endif %}}
|
|
|
2b7fd2 |
|
|
|
2b7fd2 |
</def-group>
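Review bot: The `{{% if pkg_system == "rpm" %}}` / `{{% elif pkg_system == "dpkg" %}}` chain has no `{{% else %}}` branch, so for any other `pkg_system` value the template renders neither a test nor an object. The criterion sits in the definition above the hunk (outside it; the sibling nss-pam-ldapd file shows it as `test_ref="test_env_has_nss-pam-ldapd_installed"`) and would presumably still reference the test id, leaving a dangling reference and a platform check that cannot evaluate. The same applies to the nss-pam-ldapd, pam, shadow-utils and systemd hunks in this patch and to the new installed_env_has_yum_package.xml in patch 10/11. An `{{% else %}}` branch that stops the build with a clear message would make an unsupported package system fail loudly instead of silently changing which rules apply.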
|
|
|
2b7fd2 |
diff --git a/shared/checks/oval/installed_env_has_nss-pam-ldapd_package.xml b/shared/checks/oval/installed_env_has_nss-pam-ldapd_package.xml
|
|
|
2b7fd2 |
index 0637e4a64e..748f68f60f 100644
|
|
|
2b7fd2 |
--- a/shared/checks/oval/installed_env_has_nss-pam-ldapd_package.xml
|
|
|
2b7fd2 |
+++ b/shared/checks/oval/installed_env_has_nss-pam-ldapd_package.xml
|
|
|
2b7fd2 |
@@ -14,11 +14,24 @@
|
|
|
2b7fd2 |
</criteria>
|
|
|
2b7fd2 |
</definition>
|
|
|
2b7fd2 |
|
|
|
2b7fd2 |
- <linux:rpminfo_test check="all" check_existence="at_least_one_exists" comment="system has package nss-pam-ldapd installed" id="test_env_has_nss-pam-ldapd_installed" version="1">
|
|
|
2b7fd2 |
+{{% if pkg_system == "rpm" %}}
|
|
|
2b7fd2 |
+
|
|
|
2b7fd2 |
+ id="test_env_has_nss-pam-ldapd_installed" version="1"
|
|
|
2b7fd2 |
+ comment="system has package nss-pam-ldapd installed">
|
|
|
2b7fd2 |
<linux:object object_ref="obj_env_has_nss-pam-ldapd_installed" />
|
|
|
2b7fd2 |
</linux:rpminfo_test>
|
|
|
2b7fd2 |
<linux:rpminfo_object id="obj_env_has_nss-pam-ldapd_installed" version="1">
|
|
|
2b7fd2 |
<linux:name>nss-pam-ldapd</linux:name>
|
|
|
2b7fd2 |
</linux:rpminfo_object>
|
|
|
2b7fd2 |
+{{% elif pkg_system == "dpkg" %}}
|
|
|
2b7fd2 |
+
|
|
|
2b7fd2 |
+ id="test_env_has_nss-pam-ldapd_installed" version="1"
|
|
|
2b7fd2 |
+ comment="system has package nss-pam-ldapd installed">
|
|
|
2b7fd2 |
+ <linux:object object_ref="obj_env_has_nss-pam-ldapd_installed" />
|
|
|
2b7fd2 |
+ </linux:dpkginfo_test>
|
|
|
2b7fd2 |
+ <linux:dpkginfo_object id="obj_env_has_nss-pam-ldapd_installed" version="1">
|
|
|
2b7fd2 |
+ <linux:name>nss-pam-ldapd</linux:name>
|
|
|
2b7fd2 |
+ </linux:dpkginfo_object>
|
|
|
2b7fd2 |
+{{% endif %}}
|
|
|
2b7fd2 |
|
|
|
2b7fd2 |
</def-group>
|
|
|
2b7fd2 |
diff --git a/shared/checks/oval/installed_env_has_pam_package.xml b/shared/checks/oval/installed_env_has_pam_package.xml
|
|
|
2b7fd2 |
index b6376575b2..dee3bcd26f 100644
|
|
|
2b7fd2 |
--- a/shared/checks/oval/installed_env_has_pam_package.xml
|
|
|
2b7fd2 |
+++ b/shared/checks/oval/installed_env_has_pam_package.xml
|
|
|
2b7fd2 |
@@ -15,11 +15,24 @@
|
|
|
2b7fd2 |
</criteria>
|
|
|
2b7fd2 |
</definition>
|
|
|
2b7fd2 |
|
|
|
2b7fd2 |
- <linux:rpminfo_test check="all" check_existence="at_least_one_exists" comment="system has package pam installed" id="test_env_has_pam_installed" version="1">
|
|
|
2b7fd2 |
+{{% if pkg_system == "rpm" %}}
|
|
|
2b7fd2 |
+
|
|
|
2b7fd2 |
+ id="test_env_has_pam_installed" version="1"
|
|
|
2b7fd2 |
+ comment="system has package pam installed">
|
|
|
2b7fd2 |
<linux:object object_ref="obj_env_has_pam_installed" />
|
|
|
2b7fd2 |
</linux:rpminfo_test>
|
|
|
2b7fd2 |
<linux:rpminfo_object id="obj_env_has_pam_installed" version="1">
|
|
|
2b7fd2 |
<linux:name>pam</linux:name>
|
|
|
2b7fd2 |
</linux:rpminfo_object>
|
|
|
2b7fd2 |
+{{% elif pkg_system == "dpkg" %}}
|
|
|
2b7fd2 |
+
|
|
|
2b7fd2 |
+ id="test_env_has_pam_installed" version="1"
|
|
|
2b7fd2 |
+ comment="system has package pam installed">
|
|
|
2b7fd2 |
+ <linux:object object_ref="obj_env_has_pam_installed" />
|
|
|
2b7fd2 |
+ </linux:dpkginfo_test>
|
|
|
2b7fd2 |
+ <linux:dpkginfo_object id="obj_env_has_pam_installed" version="1">
|
|
|
2b7fd2 |
+ <linux:name>pam</linux:name>
|
|
|
2b7fd2 |
+ </linux:dpkginfo_object>
|
|
|
2b7fd2 |
+{{% endif %}}
|
|
|
2b7fd2 |
|
|
|
2b7fd2 |
</def-group>
|
|
|
2b7fd2 |
diff --git a/shared/checks/oval/installed_env_has_shadow-utils_package.xml b/shared/checks/oval/installed_env_has_shadow-utils_package.xml
|
|
|
2b7fd2 |
index 12dd5bd565..11f40a324f 100644
|
|
|
2b7fd2 |
--- a/shared/checks/oval/installed_env_has_shadow-utils_package.xml
|
|
|
2b7fd2 |
+++ b/shared/checks/oval/installed_env_has_shadow-utils_package.xml
|
|
|
2b7fd2 |
@@ -14,11 +14,24 @@
|
|
|
2b7fd2 |
</criteria>
|
|
|
2b7fd2 |
</definition>
|
|
|
2b7fd2 |
|
|
|
2b7fd2 |
- <linux:rpminfo_test check="all" check_existence="at_least_one_exists" comment="system has package shadow-utils installed" id="test_env_has_shadow-utils_installed" version="1">
|
|
|
2b7fd2 |
+{{% if pkg_system == "rpm" %}}
|
|
|
2b7fd2 |
+
|
|
|
2b7fd2 |
+ id="test_env_has_shadow-utils_installed" version="1"
|
|
|
2b7fd2 |
+ comment="system has package shadow-utils installed">
|
|
|
2b7fd2 |
<linux:object object_ref="obj_env_has_shadow-utils_installed" />
|
|
|
2b7fd2 |
</linux:rpminfo_test>
|
|
|
2b7fd2 |
<linux:rpminfo_object id="obj_env_has_shadow-utils_installed" version="1">
|
|
|
2b7fd2 |
<linux:name>shadow-utils</linux:name>
|
|
|
2b7fd2 |
</linux:rpminfo_object>
|
|
|
2b7fd2 |
+{{% elif pkg_system == "dpkg" %}}
|
|
|
2b7fd2 |
+
|
|
|
2b7fd2 |
+ id="test_env_has_shadow-utils_installed" version="1"
|
|
|
2b7fd2 |
+ comment="system has package shadow-utils installed">
|
|
|
2b7fd2 |
+ <linux:object object_ref="obj_env_has_shadow-utils_installed" />
|
|
|
2b7fd2 |
+ </linux:dpkginfo_test>
|
|
|
2b7fd2 |
+ <linux:dpkginfo_object id="obj_env_has_shadow-utils_installed" version="1">
|
|
|
2b7fd2 |
+ <linux:name>shadow-utils</linux:name>
|
|
|
2b7fd2 |
+ </linux:dpkginfo_object>
|
|
|
2b7fd2 |
+{{% endif %}}
|
|
|
2b7fd2 |
|
|
|
2b7fd2 |
</def-group>
|
|
|
2b7fd2 |
diff --git a/shared/checks/oval/installed_env_has_systemd_package.xml b/shared/checks/oval/installed_env_has_systemd_package.xml
|
|
|
2b7fd2 |
index 99706ee1c6..2dfdff10cc 100644
|
|
|
2b7fd2 |
--- a/shared/checks/oval/installed_env_has_systemd_package.xml
|
|
|
2b7fd2 |
+++ b/shared/checks/oval/installed_env_has_systemd_package.xml
|
|
|
2b7fd2 |
@@ -14,11 +14,24 @@
|
|
|
2b7fd2 |
</criteria>
|
|
|
2b7fd2 |
</definition>
|
|
|
2b7fd2 |
|
|
|
2b7fd2 |
- <linux:rpminfo_test check="all" check_existence="at_least_one_exists" comment="system has package systemd installed" id="test_env_has_systemd_installed" version="1">
|
|
|
2b7fd2 |
+{{% if pkg_system == "rpm" %}}
|
|
|
2b7fd2 |
+
|
|
|
2b7fd2 |
+ id="test_env_has_systemd_installed" version="1"
|
|
|
2b7fd2 |
+ comment="system has package systemd installed">
|
|
|
2b7fd2 |
<linux:object object_ref="obj_env_has_systemd_installed" />
|
|
|
2b7fd2 |
</linux:rpminfo_test>
|
|
|
2b7fd2 |
<linux:rpminfo_object id="obj_env_has_systemd_installed" version="1">
|
|
|
2b7fd2 |
<linux:name>systemd</linux:name>
|
|
|
2b7fd2 |
</linux:rpminfo_object>
|
|
|
2b7fd2 |
+{{% elif pkg_system == "dpkg" %}}
|
|
|
2b7fd2 |
+
|
|
|
2b7fd2 |
+ id="test_env_has_systemd_installed" version="1"
|
|
|
2b7fd2 |
+ comment="system has package systemd installed">
|
|
|
2b7fd2 |
+ <linux:object object_ref="obj_env_has_systemd_installed" />
|
|
|
2b7fd2 |
+ </linux:dpkginfo_test>
|
|
|
2b7fd2 |
+ <linux:dpkginfo_object id="obj_env_has_systemd_installed" version="1">
|
|
|
2b7fd2 |
+ <linux:name>systemd</linux:name>
|
|
|
2b7fd2 |
+ </linux:dpkginfo_object>
|
|
|
2b7fd2 |
+{{% endif %}}
|
|
|
2b7fd2 |
|
|
|
2b7fd2 |
</def-group>
|
|
|
2b7fd2 |
|
|
|
2b7fd2 |
From d8dfd5c10412bc3ecd180325c4a1cc997e6e2b8f Mon Sep 17 00:00:00 2001
|
|
|
2b7fd2 |
From: Watson Sato <wsato@redhat.com>
|
|
|
2b7fd2 |
Date: Mon, 8 Apr 2019 16:25:27 +0200
|
|
|
2b7fd2 |
Subject: [PATCH 10/11] Add yum CPE and update rules plaforms
|
|
|
2b7fd2 |
|
|
|
2b7fd2 |
---
|
|
|
0d5c10 |
.../clean_components_post_updating/rule.yml | 2 +
|
|
|
0d5c10 |
.../rule.yml | 2 +
|
|
|
0d5c10 |
.../ensure_gpgcheck_local_packages/rule.yml | 2 +
|
|
|
0d5c10 |
.../ensure_gpgcheck_repo_metadata/rule.yml | 2 +
|
|
|
2b7fd2 |
.../oval/installed_env_has_yum_package.xml | 37 +++++++++++++++++++
|
|
|
2b7fd2 |
ssg/constants.py | 1 +
|
|
|
2b7fd2 |
6 files changed, 46 insertions(+)
|
|
|
2b7fd2 |
create mode 100644 shared/checks/oval/installed_env_has_yum_package.xml
|
|
|
2b7fd2 |
|
|
|
0d5c10 |
diff --git a/linux_os/guide/system/software/updating/clean_components_post_updating/rule.yml b/linux_os/guide/system/software/updating/clean_components_post_updating/rule.yml
|
|
|
2b7fd2 |
index d5f0756c2a..9bbcadea11 100644
|
|
|
0d5c10 |
--- a/linux_os/guide/system/software/updating/clean_components_post_updating/rule.yml
|
|
|
0d5c10 |
+++ b/linux_os/guide/system/software/updating/clean_components_post_updating/rule.yml
|
|
|
2b7fd2 |
@@ -40,3 +40,5 @@ ocil: |-
|
|
|
0d5c10 |
$ grep clean_requirements_on_remove {{{ pkg_manager_config_file }}}
|
|
|
2b7fd2 |
The output should return something similar to:
|
|
|
2b7fd2 |
clean_requirements_on_remove=1
|
|
|
2b7fd2 |
+
|
|
|
2b7fd2 |
+platform: yum
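Review bot: Gating on `platform: yum` ties this rule to the presence of a package named yum, while the OCIL text in the same hunk reads the setting from `{{{ pkg_manager_config_file }}}`, which suggests the rule is meant to follow whichever package manager the product uses. On a product where that macro points at another manager's configuration and no `yum` package is installed, this rule would be reported as not applicable. The same goes for the three gpgcheck rules in the hunks that follow (ensure_gpgcheck_globally_activated, ensure_gpgcheck_local_packages, ensure_gpgcheck_repo_metadata), so disabled signature checking could go unnoticed. Consider deriving the platform from the product's package manager, or at least stating the limit beside the key with `# only evaluated when the yum package is installed`. The rule.yml body starts outside the hunk.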
|
|
|
0d5c10 |
diff --git a/linux_os/guide/system/software/updating/ensure_gpgcheck_globally_activated/rule.yml b/linux_os/guide/system/software/updating/ensure_gpgcheck_globally_activated/rule.yml
|
|
|
2b7fd2 |
index 73e29ae1a5..b19e178026 100644
|
|
|
0d5c10 |
--- a/linux_os/guide/system/software/updating/ensure_gpgcheck_globally_activated/rule.yml
|
|
|
0d5c10 |
+++ b/linux_os/guide/system/software/updating/ensure_gpgcheck_globally_activated/rule.yml
|
|
|
2b7fd2 |
@@ -67,3 +67,5 @@ ocil: |-
|
|
|
2b7fd2 |
A value of <tt>1</tt> indicates that <tt>gpgcheck</tt> is enabled. Absence of a
|
|
|
2b7fd2 |
<tt>gpgcheck</tt> line or a setting of <tt>0</tt> indicates that it is
|
|
|
2b7fd2 |
disabled.
|
|
|
2b7fd2 |
+
|
|
|
2b7fd2 |
+platform: yum
|
|
|
0d5c10 |
diff --git a/linux_os/guide/system/software/updating/ensure_gpgcheck_local_packages/rule.yml b/linux_os/guide/system/software/updating/ensure_gpgcheck_local_packages/rule.yml
|
|
|
2b7fd2 |
index 7d94688af4..d1ffba4d4e 100644
|
|
|
0d5c10 |
--- a/linux_os/guide/system/software/updating/ensure_gpgcheck_local_packages/rule.yml
|
|
|
0d5c10 |
+++ b/linux_os/guide/system/software/updating/ensure_gpgcheck_local_packages/rule.yml
|
|
|
2b7fd2 |
@@ -47,3 +47,5 @@ ocil: |-
|
|
|
0d5c10 |
$ grep localpkg_gpgcheck {{{ pkg_manager_config_file }}}
|
|
|
2b7fd2 |
The output should return something similar to:
|
|
|
2b7fd2 |
localpkg_gpgcheck=1
|
|
|
2b7fd2 |
+
|
|
|
2b7fd2 |
+platform: yum
|
|
|
0d5c10 |
diff --git a/linux_os/guide/system/software/updating/ensure_gpgcheck_repo_metadata/rule.yml b/linux_os/guide/system/software/updating/ensure_gpgcheck_repo_metadata/rule.yml
|
|
|
2b7fd2 |
index aa3aa83f70..4f8a76652c 100644
|
|
|
0d5c10 |
--- a/linux_os/guide/system/software/updating/ensure_gpgcheck_repo_metadata/rule.yml
|
|
|
0d5c10 |
+++ b/linux_os/guide/system/software/updating/ensure_gpgcheck_repo_metadata/rule.yml
|
|
|
2b7fd2 |
@@ -55,3 +55,5 @@ ocil: |-
|
|
|
0d5c10 |
$ grep repo_gpgcheck {{{ pkg_manager_config_file }}}
|
|
|
2b7fd2 |
The output should return something similar to:
|
|
|
2b7fd2 |
repo_gpgcheck=1
|
|
|
2b7fd2 |
+
|
|
|
2b7fd2 |
+platform: yum
|
|
|
2b7fd2 |
diff --git a/shared/checks/oval/installed_env_has_yum_package.xml b/shared/checks/oval/installed_env_has_yum_package.xml
|
|
|
2b7fd2 |
new file mode 100644
|
|
|
2b7fd2 |
index 0000000000..916d568062
|
|
|
2b7fd2 |
--- /dev/null
|
|
|
2b7fd2 |
+++ b/shared/checks/oval/installed_env_has_yum_package.xml
|
|
|
2b7fd2 |
@@ -0,0 +1,37 @@
|
|
|
2b7fd2 |
+<def-group>
|
|
|
2b7fd2 |
+
|
|
|
2b7fd2 |
+ id="installed_env_has_yum_package" version="1">
|
|
|
2b7fd2 |
+ <metadata>
|
|
|
2b7fd2 |
+ <title>Package yum is installed</title>
|
|
|
2b7fd2 |
+ <affected family="unix">
|
|
|
2b7fd2 |
+ <platform>multi_platform_all</platform>
|
|
|
2b7fd2 |
+ </affected>
|
|
|
2b7fd2 |
+ <description>Checks if package yum is installed.</description>
|
|
|
2b7fd2 |
+ <reference ref_id="cpe:/a:yum" source="CPE" />
|
|
|
2b7fd2 |
+ </metadata>
|
|
|
2b7fd2 |
+ <criteria>
|
|
|
2b7fd2 |
+ <criterion comment="Package yum is installed" test_ref="test_env_has_yum_installed" />
|
|
|
2b7fd2 |
+ </criteria>
|
|
|
2b7fd2 |
+ </definition>
|
|
|
2b7fd2 |
+
|
|
|
2b7fd2 |
+{{% if pkg_system == "rpm" %}}
|
|
|
2b7fd2 |
+
|
|
|
2b7fd2 |
+ id="test_env_has_yum_installed" version="1"
|
|
|
2b7fd2 |
+ comment="system has package yum installed">
|
|
|
2b7fd2 |
+ <linux:object object_ref="obj_env_has_yum_installed" />
|
|
|
2b7fd2 |
+ </linux:rpminfo_test>
|
|
|
2b7fd2 |
+ <linux:rpminfo_object id="obj_env_has_yum_installed" version="1">
|
|
|
2b7fd2 |
+ <linux:name>yum</linux:name>
|
|
|
2b7fd2 |
+ </linux:rpminfo_object>
|
|
|
2b7fd2 |
+{{% elif pkg_system == "dpkg" %}}
|
|
|
2b7fd2 |
+
|
|
|
2b7fd2 |
+ id="test_env_has_yum_installed" version="1"
|
|
|
2b7fd2 |
+ comment="system has package yum installed">
|
|
|
2b7fd2 |
+ <linux:object object_ref="obj_env_has_yum_installed" />
|
|
|
2b7fd2 |
+ </linux:dpkginfo_test>
|
|
|
2b7fd2 |
+ <linux:dpkginfo_object id="obj_env_has_yum_installed" version="1">
|
|
|
2b7fd2 |
+ <linux:name>yum</linux:name>
|
|
|
2b7fd2 |
+ </linux:dpkginfo_object>
|
|
|
2b7fd2 |
+{{% endif %}}
|
|
|
2b7fd2 |
+
|
|
|
2b7fd2 |
+</def-group>
|
|
|
2b7fd2 |
diff --git a/ssg/constants.py b/ssg/constants.py
|
|
|
2b7fd2 |
index 8d7a4cc290..94d9d8c180 100644
|
|
|
2b7fd2 |
--- a/ssg/constants.py
|
|
|
2b7fd2 |
+++ b/ssg/constants.py
|
|
|
2b7fd2 |
@@ -381,6 +381,7 @@
|
|
|
2b7fd2 |
"pam": "cpe:/a:pam",
|
|
|
2b7fd2 |
"shadow-utils": "cpe:/a:shadow-utils",
|
|
|
2b7fd2 |
"systemd": "cpe:/a:systemd",
|
|
|
2b7fd2 |
+ "yum": "cpe:/a:yum",
|
|
|
2b7fd2 |
}
|
|
|
2b7fd2 |
|
|
|
2b7fd2 |
# Application constants
|
|
|
2b7fd2 |
|
|
|
2b7fd2 |
From b7250b641c3d533d10a8e633094cf6421b0c34dc Mon Sep 17 00:00:00 2001
|
|
|
2b7fd2 |
From: Watson Sato <wsato@redhat.com>
|
|
|
2b7fd2 |
Date: Mon, 8 Apr 2019 18:00:19 +0200
|
|
|
2b7fd2 |
Subject: [PATCH 11/11] Update rhel7 cpe-dictionary
|
|
|
2b7fd2 |
|
|
|
2b7fd2 |
---
|
|
|
2b7fd2 |
rhel7/cpe/rhel7-cpe-dictionary.xml | 25 +++++++++++++++++++++++++
|
|
|
2b7fd2 |
1 file changed, 25 insertions(+)
|
|
|
2b7fd2 |
|
|
|
2b7fd2 |
diff --git a/rhel7/cpe/rhel7-cpe-dictionary.xml b/rhel7/cpe/rhel7-cpe-dictionary.xml
|
|
|
2b7fd2 |
index 44fe06f103..d64c18e846 100644
|
|
|
2b7fd2 |
--- a/rhel7/cpe/rhel7-cpe-dictionary.xml
|
|
|
2b7fd2 |
+++ b/rhel7/cpe/rhel7-cpe-dictionary.xml
|
|
|
2b7fd2 |
@@ -47,9 +47,34 @@
|
|
|
2b7fd2 |
|
|
|
2b7fd2 |
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_is_a_machine</check>
|
|
|
2b7fd2 |
</cpe-item>
|
|
|
2b7fd2 |
+ <cpe-item name="cpe:/a:libuser">
|
|
|
2b7fd2 |
+ <title xml:lang="en-us">Package libuser is installed</title>
|
|
|
2b7fd2 |
+
|
|
|
2b7fd2 |
+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_libuser_package</check>
|
|
|
2b7fd2 |
+ </cpe-item>
|
|
|
2b7fd2 |
+ <cpe-item name="cpe:/a:nss-pam-ldapd">
|
|
|
2b7fd2 |
+ <title xml:lang="en-us">Package nss-pam-ldapd is installed</title>
|
|
|
2b7fd2 |
+
|
|
|
2b7fd2 |
+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_nss-pam-ldapd_package</check>
|
|
|
2b7fd2 |
+ </cpe-item>
|
|
|
2b7fd2 |
+ <cpe-item name="cpe:/a:pam">
|
|
|
2b7fd2 |
+ <title xml:lang="en-us">Package pam is installed</title>
|
|
|
2b7fd2 |
+
|
|
|
2b7fd2 |
+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_pam_package</check>
|
|
|
2b7fd2 |
+ </cpe-item>
|
|
|
2b7fd2 |
<cpe-item name="cpe:/a:shadow-utils">
|
|
|
2b7fd2 |
<title xml:lang="en-us">Package shadow-utils is installed</title>
|
|
|
2b7fd2 |
|
|
|
2b7fd2 |
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_shadow-utils_package</check>
|
|
|
2b7fd2 |
</cpe-item>
|
|
|
2b7fd2 |
+ <cpe-item name="cpe:/a:systemd">
|
|
|
2b7fd2 |
+ <title xml:lang="en-us">Package systemd is installed</title>
|
|
|
2b7fd2 |
+
|
|
|
2b7fd2 |
+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_systemd_package</check>
|
|
|
2b7fd2 |
+ </cpe-item>
|
|
|
2b7fd2 |
+ <cpe-item name="cpe:/a:yum">
|
|
|
2b7fd2 |
+ <title xml:lang="en-us">Package yum is installed</title>
|
|
|
2b7fd2 |
+
|
|
|
2b7fd2 |
+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_yum_package</check>
|
|
|
2b7fd2 |
+ </cpe-item>
|
|
|
2b7fd2 |
</cpe-list>
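Review bot: The new `cpe-item` entries land only in rhel7/cpe/rhel7-cpe-dictionary.xml, while earlier patches in this series add the matching keys to the shared ssg/constants.py and put `platform:` keys on rules under linux_os/guide. If other products build those rules, their CPE dictionaries would need the same items, otherwise the platform reference may not resolve to an inventory check there; it is worth confirming which products the series is meant to cover. Separately, names such as `cpe:/a:libuser` put the package name where a CPE 2.2 URI carries the vendor field. A comment above the block, for example `<!-- project-internal applicability CPEs, not NVD product names -->`, would keep them from being matched against vulnerability feeds by mistake.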
|