|
 |
dac76a |
From 6429aa7d29a6c93a6c6826d6fa99cee162ed1c22 Mon Sep 17 00:00:00 2001
|
|
|
dac76a |
From: Gabriel Becker <ggasparb@redhat.com>
|
|
|
dac76a |
Date: Mon, 20 Apr 2020 12:50:27 +0200
|
|
|
dac76a |
Subject: [PATCH 01/10] Add warning to package_xorg-x11-server-common_removed.
|
|
|
dac76a |
|
|
|
dac76a |
When this package is removed from a GUI environment system, it may end up with a black
|
|
|
dac76a |
screen after restarting it.
|
|
|
dac76a |
---
|
|
|
dac76a |
.../package_xorg-x11-server-common_removed/rule.yml | 12 ++++++++++--
|
|
|
dac76a |
1 file changed, 10 insertions(+), 2 deletions(-)
|
|
|
dac76a |
|
|
|
dac76a |
diff --git a/linux_os/guide/services/xwindows/disabling_xwindows/package_xorg-x11-server-common_removed/rule.yml b/linux_os/guide/services/xwindows/disabling_xwindows/package_xorg-x11-server-common_removed/rule.yml
|
|
|
dac76a |
index 4ce51a8141..04ee90b4d5 100644
|
|
|
dac76a |
--- a/linux_os/guide/services/xwindows/disabling_xwindows/package_xorg-x11-server-common_removed/rule.yml
|
|
|
dac76a |
+++ b/linux_os/guide/services/xwindows/disabling_xwindows/package_xorg-x11-server-common_removed/rule.yml
|
|
|
dac76a |
@@ -9,8 +9,8 @@ description: |-
|
|
|
dac76a |
installed. If X Windows is not installed then the system cannot boot into graphical user mode.
|
|
|
dac76a |
This prevents the system from being accidentally or maliciously booted into a <tt>graphical.target</tt>
|
|
|
dac76a |
mode. To do so, run the following command:
|
|
|
dac76a |
- $ sudo yum groupremove "X Window System"
|
|
|
dac76a |
- $ sudo yum remove xorg-x11-server-common
|
|
|
dac76a |
+ $ sudo {{{ pkg_manager }}} groupremove "X Window System"
|
|
|
dac76a |
+ $ sudo {{{ pkg_manager }}} remove xorg-x11-server-common
|
|
|
dac76a |
|
|
|
dac76a |
rationale: |-
|
|
|
dac76a |
Unnecessary service packages must not be installed to decrease the attack surface of the system. X windows has a long history of security
|
|
|
dac76a |
@@ -47,6 +47,14 @@ ocil: |-
|
|
|
dac76a |
The output should be:
|
|
|
dac76a |
package xorg-x11-server-common is not installed
|
|
|
dac76a |
|
|
|
dac76a |
+warnings:
|
|
|
dac76a |
+ - functionality: |-
|
|
|
dac76a |
+ The installation and use of a Graphical User Interface (GUI) increases your attack vector and decreases your
|
|
|
dac76a |
+ overall security posture. Removing the package xorg-x11-server-common package can
|
|
|
dac76a |
+ potentially remove the graphical target which might bring your system to an inconsistent state requiring
|
|
|
dac76a |
+ additional configuration to access the system again. If a GUI is an operational requirement, a tailored profile
|
|
|
dac76a |
+ that removes this rule should used before continuing installation.
|
|
|
dac76a |
+
|
|
|
dac76a |
template:
|
|
|
dac76a |
name: package_removed
|
|
|
dac76a |
vars:
|
|
|
dac76a |
|
|
|
dac76a |
From 9f767c7c60e1a5b35e30cbe7f9d81288dd26ac9e Mon Sep 17 00:00:00 2001
|
|
|
dac76a |
From: Gabriel Becker <ggasparb@redhat.com>
|
|
|
dac76a |
Date: Mon, 20 Apr 2020 12:51:48 +0200
|
|
|
dac76a |
Subject: [PATCH 02/10] SSGTS: Encode string to UTF-8 before writing into file.
|
|
|
dac76a |
|
|
|
dac76a |
---
|
|
|
dac76a |
tests/ssg_test_suite/oscap.py | 4 ++--
|
|
|
dac76a |
1 file changed, 2 insertions(+), 2 deletions(-)
|
|
|
dac76a |
|
|
|
dac76a |
diff --git a/tests/ssg_test_suite/oscap.py b/tests/ssg_test_suite/oscap.py
|
|
|
dac76a |
index 301c326835..2858963373 100644
|
|
|
dac76a |
--- a/tests/ssg_test_suite/oscap.py
|
|
|
dac76a |
+++ b/tests/ssg_test_suite/oscap.py
|
|
|
dac76a |
@@ -170,7 +170,7 @@ def run_stage_remediation_ansible(run_type, formatting, verbose_path):
|
|
|
dac76a |
# Appends output of ansible-playbook to the verbose_path file.
|
|
|
dac76a |
with open(verbose_path, 'a') as f:
|
|
|
dac76a |
f.write('Stdout of "{}":'.format(command_string))
|
|
|
dac76a |
- f.write(output)
|
|
|
dac76a |
+ f.write(output.encode("utf-8"))
|
|
|
dac76a |
if returncode != 0:
|
|
|
dac76a |
msg = (
|
|
|
dac76a |
'Ansible playbook remediation run has '
|
|
|
dac76a |
@@ -199,7 +199,7 @@ def run_stage_remediation_bash(run_type, formatting, verbose_path):
|
|
|
dac76a |
# Appends output of script execution to the verbose_path file.
|
|
|
dac76a |
with open(verbose_path, 'a') as f:
|
|
|
dac76a |
f.write('Stdout of "{}":'.format(command_string))
|
|
|
dac76a |
- f.write(output)
|
|
|
dac76a |
+ f.write(output.encode("utf-8"))
|
|
|
dac76a |
if returncode != 0:
|
|
|
dac76a |
msg = (
|
|
|
dac76a |
'Bash script remediation run has exited with return code {} '
|
|
|
dac76a |
|
|
|
dac76a |
From 2cb9a0eac96e2dd44c2ca8e50c8460e9f220f977 Mon Sep 17 00:00:00 2001
|
|
|
dac76a |
From: Gabriel Becker <ggasparb@redhat.com>
|
|
|
dac76a |
Date: Mon, 20 Apr 2020 12:52:36 +0200
|
|
|
dac76a |
Subject: [PATCH 03/10] Add check and remediation for xwindows_runlevel_target.
|
|
|
dac76a |
|
|
|
dac76a |
Select this rule in profiles (RHEL6 profiles are not included) that select
|
|
|
dac76a |
package_xorg-x11-server-common_removed since this rule removes a
|
|
|
dac76a |
package that is dependent when using a system with GUI and the target
|
|
|
dac76a |
needs to be changed from graphical.target to multi-user.target otherwise
|
|
|
dac76a |
the system ends with having a black screen after restarting it.
|
|
|
dac76a |
---
|
|
|
dac76a |
.../ansible/shared.yml | 12 +++++
|
|
|
dac76a |
.../xwindows_runlevel_target/bash/shared.sh | 7 +++
|
|
|
dac76a |
.../xwindows_runlevel_target/oval/shared.xml | 49 +++++++++++++++++++
|
|
|
dac76a |
.../xwindows_runlevel_target/rule.yml | 3 +-
|
|
|
dac76a |
.../tests/correct_target.pass.sh | 5 ++
|
|
|
dac76a |
.../tests/wrong_target.fail.sh | 5 ++
|
|
|
dac76a |
rhel7/profiles/cis.profile | 1 +
|
|
|
dac76a |
10 files changed, 84 insertions(+), 1 deletion(-)
|
|
|
dac76a |
create mode 100644 linux_os/guide/services/xwindows/disabling_xwindows/xwindows_runlevel_target/ansible/shared.yml
|
|
|
dac76a |
create mode 100644 linux_os/guide/services/xwindows/disabling_xwindows/xwindows_runlevel_target/bash/shared.sh
|
|
|
dac76a |
create mode 100644 linux_os/guide/services/xwindows/disabling_xwindows/xwindows_runlevel_target/oval/shared.xml
|
|
|
dac76a |
create mode 100644 linux_os/guide/services/xwindows/disabling_xwindows/xwindows_runlevel_target/tests/correct_target.pass.sh
|
|
|
dac76a |
create mode 100644 linux_os/guide/services/xwindows/disabling_xwindows/xwindows_runlevel_target/tests/wrong_target.fail.sh
|
|
|
dac76a |
|
|
|
dac76a |
diff --git a/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_runlevel_target/ansible/shared.yml b/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_runlevel_target/ansible/shared.yml
|
|
|
dac76a |
new file mode 100644
|
|
|
dac76a |
index 0000000000..49cdaeb7aa
|
|
|
dac76a |
--- /dev/null
|
|
|
dac76a |
+++ b/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_runlevel_target/ansible/shared.yml
|
|
|
dac76a |
@@ -0,0 +1,12 @@
|
|
|
dac76a |
+# platform = multi_platform_sle,multi_platform_rhv,multi_platform_fedora,Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8
|
|
|
dac76a |
+# reboot = true
|
|
|
dac76a |
+# strategy = restrict
|
|
|
dac76a |
+# complexity = low
|
|
|
dac76a |
+# disruption = low
|
|
|
dac76a |
+
|
|
|
dac76a |
+- name: get default target
|
|
|
dac76a |
+ command: systemctl get-default
|
|
|
dac76a |
+ register: default_target
|
|
|
dac76a |
+- name: Switch to multi-user runlevel
|
|
|
dac76a |
+ command: systemctl set-default multi-user.target
|
|
|
dac76a |
+ when: default_target.stdout != "multi-user.target"
|
|
|
dac76a |
diff --git a/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_runlevel_target/bash/shared.sh b/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_runlevel_target/bash/shared.sh
|
|
|
dac76a |
new file mode 100644
|
|
|
dac76a |
index 0000000000..289a38483c
|
|
|
dac76a |
--- /dev/null
|
|
|
dac76a |
+++ b/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_runlevel_target/bash/shared.sh
|
|
|
dac76a |
@@ -0,0 +1,7 @@
|
|
|
dac76a |
+# platform = multi_platform_sle,multi_platform_rhv,multi_platform_fedora,Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8
|
|
|
dac76a |
+# reboot = true
|
|
|
dac76a |
+# strategy = restrict
|
|
|
dac76a |
+# complexity = low
|
|
|
dac76a |
+# disruption = low
|
|
|
dac76a |
+
|
|
|
dac76a |
+systemctl set-default multi-user.target
|
|
|
dac76a |
diff --git a/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_runlevel_target/oval/shared.xml b/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_runlevel_target/oval/shared.xml
|
|
|
dac76a |
new file mode 100644
|
|
|
dac76a |
index 0000000000..94c372ffec
|
|
|
dac76a |
--- /dev/null
|
|
|
dac76a |
+++ b/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_runlevel_target/oval/shared.xml
|
|
|
dac76a |
@@ -0,0 +1,49 @@
|
|
|
dac76a |
+{{%- if init_system == "systemd" and target_oval_version == [5, 10] -%}}
|
|
|
dac76a |
+{{# this is the only scenario this definition cannot handle, there is no good alternative for symlink_test for OVAL 5.10 #}}
|
|
|
dac76a |
+{{%- else -%}}
|
|
|
dac76a |
+<def-group>
|
|
|
dac76a |
+ <definition class="compliance" id="xwindows_runlevel_target" version="1">
|
|
|
dac76a |
+ <metadata>
|
|
|
dac76a |
+ <title>Disable X Windows Startup By Setting Default SystemD Target</title>
|
|
|
dac76a |
+ {{{- oval_affected(products) }}}
|
|
|
dac76a |
+ {{%- if init_system == "systemd" %}}
|
|
|
dac76a |
+ <description>Checks /etc/systemd/system/default.target to ensure that the default runlevel target is set to multi-user.target.</description>
|
|
|
dac76a |
+ {{%- else %}}
|
|
|
dac76a |
+ <description>Checks /etc/inittab to ensure that default runlevel is set to 3.</description>
|
|
|
dac76a |
+ {{%- endif %}}
|
|
|
dac76a |
+ </metadata>
|
|
|
dac76a |
+ {{%- if init_system == "systemd" %}}
|
|
|
dac76a |
+ <criteria>
|
|
|
dac76a |
+ <criterion comment="default.target systemd softlink exists" test_ref="test_disable_xwindows_runlevel_target" />
|
|
|
dac76a |
+ </criteria>
|
|
|
dac76a |
+ {{%- else %}}
|
|
|
dac76a |
+ <criteria>
|
|
|
dac76a |
+ <criterion comment="default runlevel is 3" test_ref="test_etc_inittab_default_runlevel_target" />
|
|
|
dac76a |
+ </criteria>
|
|
|
dac76a |
+ {{%- endif %}}
|
|
|
dac76a |
+ </definition>
|
|
|
dac76a |
+ {{%- if init_system == "systemd" %}}
|
|
|
dac76a |
+ <unix:symlink_test check="all" check_existence="all_exist" comment="default.target systemd softlink exists" id="test_disable_xwindows_runlevel_target" version="1">
|
|
|
dac76a |
+ <unix:object object_ref="object_disable_xwindows_runlevel_target" />
|
|
|
dac76a |
+ <unix:state state_ref="state_disable_xwindows_runlevel_target" />
|
|
|
dac76a |
+ </unix:symlink_test>
|
|
|
dac76a |
+ <unix:symlink_object comment="default.target systemd softlink exists" id="object_disable_xwindows_runlevel_target" version="1">
|
|
|
dac76a |
+ <unix:filepath>/etc/systemd/system/default.target</unix:filepath>
|
|
|
dac76a |
+ </unix:symlink_object>
|
|
|
dac76a |
+ <unix:symlink_state comment="default.target is linked to multi-user.target" id="state_disable_xwindows_runlevel_target" version="1">
|
|
|
dac76a |
+ <unix:filepath>/etc/systemd/system/default.target</unix:filepath>
|
|
|
dac76a |
+ <unix:canonical_path operation="pattern match">^/usr/lib/systemd/system/multi-user.target$</unix:canonical_path>
|
|
|
dac76a |
+ </unix:symlink_state>
|
|
|
dac76a |
+ {{%- else %}}
|
|
|
dac76a |
+ <ind:textfilecontent54_test check="all" comment="default runlevel is 3" id="test_etc_inittab_default_runlevel_target" version="1">
|
|
|
dac76a |
+ <ind:object object_ref="object_etc_inittab_default_runlevel_target" />
|
|
|
dac76a |
+ </ind:textfilecontent54_test>
|
|
|
dac76a |
+ <ind:textfilecontent54_object id="object_etc_inittab_default_runlevel_target" version="1">
|
|
|
dac76a |
+ <ind:filepath>/etc/inittab</ind:filepath>
|
|
|
dac76a |
+ <ind:pattern operation="pattern match">^[\s]*id:3:initdefault:[\s]*$</ind:pattern>
|
|
|
dac76a |
+ <ind:instance datatype="int">1</ind:instance>
|
|
|
dac76a |
+ </ind:textfilecontent54_object>
|
|
|
dac76a |
+ {{%- endif %}}
|
|
|
dac76a |
+</def-group>
|
|
|
dac76a |
+{{%- endif -%}}
|
|
|
dac76a |
+
|
|
|
dac76a |
diff --git a/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_runlevel_target/rule.yml b/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_runlevel_target/rule.yml
|
|
|
dac76a |
index ed5882941c..cd04fcde8f 100644
|
|
|
dac76a |
--- a/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_runlevel_target/rule.yml
|
|
|
dac76a |
+++ b/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_runlevel_target/rule.yml
|
|
|
dac76a |
@@ -1,6 +1,6 @@
|
|
|
dac76a |
documentation_complete: true
|
|
|
dac76a |
|
|
|
dac76a |
-prodtype: fedora,rhel7,rhel8
|
|
|
dac76a |
+prodtype: fedora,rhel7,rhel8,sle12,rhv4
|
|
|
dac76a |
|
|
|
dac76a |
title: 'Disable X Windows Startup By Setting Default Target'
|
|
|
dac76a |
|
|
|
dac76a |
@@ -24,6 +24,7 @@ severity: medium
|
|
|
dac76a |
|
|
|
dac76a |
identifiers:
|
|
|
dac76a |
cce@rhel7: 27285-6
|
|
|
dac76a |
+ cce@rhel8: 83380-6
|
|
|
dac76a |
|
|
|
dac76a |
references:
|
|
|
dac76a |
disa: "366"
|
|
|
dac76a |
diff --git a/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_runlevel_target/tests/correct_target.pass.sh b/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_runlevel_target/tests/correct_target.pass.sh
|
|
|
dac76a |
new file mode 100644
|
|
|
dac76a |
index 0000000000..33835c8f50
|
|
|
dac76a |
--- /dev/null
|
|
|
dac76a |
+++ b/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_runlevel_target/tests/correct_target.pass.sh
|
|
|
dac76a |
@@ -0,0 +1,5 @@
|
|
|
dac76a |
+#!/bin/bash
|
|
|
dac76a |
+# platform = multi_platform_sle,multi_platform_rhv,multi_platform_fedora,Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8
|
|
|
dac76a |
+
|
|
|
dac76a |
+rm -f /etc/systemd/system/default.target
|
|
|
dac76a |
+ln -s /usr/lib/systemd/system/multi-user.target /etc/systemd/system/default.target
|
|
|
dac76a |
diff --git a/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_runlevel_target/tests/wrong_target.fail.sh b/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_runlevel_target/tests/wrong_target.fail.sh
|
|
|
dac76a |
new file mode 100644
|
|
|
dac76a |
index 0000000000..9313dbb5a2
|
|
|
dac76a |
--- /dev/null
|
|
|
dac76a |
+++ b/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_runlevel_target/tests/wrong_target.fail.sh
|
|
|
dac76a |
@@ -0,0 +1,5 @@
|
|
|
dac76a |
+#!/bin/bash
|
|
|
dac76a |
+# platform = multi_platform_sle,multi_platform_rhv,multi_platform_fedora,Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8
|
|
|
dac76a |
+
|
|
|
dac76a |
+rm -f /etc/systemd/system/default.target
|
|
|
dac76a |
+ln -s /usr/lib/systemd/system/graphical.target /etc/systemd/system/default.target
|
|
|
dac76a |
diff --git a/rhel7/profiles/cis.profile b/rhel7/profiles/cis.profile
|
|
|
dac76a |
index 886e9a963a..0826a49547 100644
|
|
|
dac76a |
--- a/rhel7/profiles/cis.profile
|
|
|
dac76a |
+++ b/rhel7/profiles/cis.profile
|
|
|
dac76a |
@@ -226,6 +226,7 @@ selections:
|
|
|
dac76a |
|
|
|
dac76a |
### 2.2.2 Ensure X Window System is not installed (Scored)
|
|
|
dac76a |
- package_xorg-x11-server-common_removed
|
|
|
dac76a |
+ - xwindows_runlevel_target
|
|
|
dac76a |
|
|
|
dac76a |
### 2.2.3 Ensure Avahi Server is not enabled (Scored)
|
|
|
dac76a |
- service_avahi-daemon_disabled
|
|
|
dac76a |
|
|
|
dac76a |
From 3e1381a89b54591b7ca6a6b54cf56c6594cb87c0 Mon Sep 17 00:00:00 2001
|
|
|
dac76a |
From: Gabriel Becker <ggasparb@redhat.com>
|
|
|
dac76a |
Date: Mon, 20 Apr 2020 17:46:08 +0200
|
|
|
dac76a |
Subject: [PATCH 04/10] Simplify xwindows_runlevel_target artifacts.
|
|
|
dac76a |
|
|
|
dac76a |
---
|
|
|
dac76a |
.../rule.yml | 2 ++
|
|
|
dac76a |
.../ansible/shared.yml | 1 +
|
|
|
dac76a |
.../xwindows_runlevel_target/oval/shared.xml | 23 +------------------
|
|
|
dac76a |
.../tests/correct_target.pass.sh | 3 +--
|
|
|
dac76a |
.../tests/wrong_target.fail.sh | 3 +--
|
|
|
dac76a |
5 files changed, 6 insertions(+), 26 deletions(-)
|
|
|
dac76a |
|
|
|
dac76a |
diff --git a/linux_os/guide/services/xwindows/disabling_xwindows/package_xorg-x11-server-common_removed/rule.yml b/linux_os/guide/services/xwindows/disabling_xwindows/package_xorg-x11-server-common_removed/rule.yml
|
|
|
dac76a |
index 04ee90b4d5..934205472b 100644
|
|
|
dac76a |
--- a/linux_os/guide/services/xwindows/disabling_xwindows/package_xorg-x11-server-common_removed/rule.yml
|
|
|
dac76a |
+++ b/linux_os/guide/services/xwindows/disabling_xwindows/package_xorg-x11-server-common_removed/rule.yml
|
|
|
dac76a |
@@ -9,7 +9,9 @@ description: |-
|
|
|
dac76a |
installed. If X Windows is not installed then the system cannot boot into graphical user mode.
|
|
|
dac76a |
This prevents the system from being accidentally or maliciously booted into a <tt>graphical.target</tt>
|
|
|
dac76a |
mode. To do so, run the following command:
|
|
|
dac76a |
+ {{%- if product != "rhel8" and product != "rhv4" -%}}
|
|
|
dac76a |
$ sudo {{{ pkg_manager }}} groupremove "X Window System"
|
|
|
dac76a |
+ {{%- endif %}}
|
|
|
dac76a |
$ sudo {{{ pkg_manager }}} remove xorg-x11-server-common
|
|
|
dac76a |
|
|
|
dac76a |
rationale: |-
|
|
|
dac76a |
diff --git a/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_runlevel_target/ansible/shared.yml b/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_runlevel_target/ansible/shared.yml
|
|
|
dac76a |
index 49cdaeb7aa..2677c96ac7 100644
|
|
|
dac76a |
--- a/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_runlevel_target/ansible/shared.yml
|
|
|
dac76a |
+++ b/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_runlevel_target/ansible/shared.yml
|
|
|
dac76a |
@@ -7,6 +7,7 @@
|
|
|
dac76a |
- name: get default target
|
|
|
dac76a |
command: systemctl get-default
|
|
|
dac76a |
register: default_target
|
|
|
dac76a |
+
|
|
|
dac76a |
- name: Switch to multi-user runlevel
|
|
|
dac76a |
command: systemctl set-default multi-user.target
|
|
|
dac76a |
when: default_target.stdout != "multi-user.target"
|
|
|
dac76a |
diff --git a/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_runlevel_target/oval/shared.xml b/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_runlevel_target/oval/shared.xml
|
|
|
dac76a |
index 94c372ffec..16e15df8e1 100644
|
|
|
dac76a |
--- a/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_runlevel_target/oval/shared.xml
|
|
|
dac76a |
+++ b/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_runlevel_target/oval/shared.xml
|
|
|
dac76a |
@@ -6,23 +6,12 @@
|
|
|
dac76a |
<metadata>
|
|
|
dac76a |
<title>Disable X Windows Startup By Setting Default SystemD Target</title>
|
|
|
dac76a |
{{{- oval_affected(products) }}}
|
|
|
dac76a |
- {{%- if init_system == "systemd" %}}
|
|
|
dac76a |
- <description>Checks /etc/systemd/system/default.target to ensure that the default runlevel target is set to multi-user.target.</description>
|
|
|
dac76a |
- {{%- else %}}
|
|
|
dac76a |
- <description>Checks /etc/inittab to ensure that default runlevel is set to 3.</description>
|
|
|
dac76a |
- {{%- endif %}}
|
|
|
dac76a |
+ <description>Ensure that the default runlevel target is set to multi-user.target.</description>
|
|
|
dac76a |
</metadata>
|
|
|
dac76a |
- {{%- if init_system == "systemd" %}}
|
|
|
dac76a |
<criteria>
|
|
|
dac76a |
<criterion comment="default.target systemd softlink exists" test_ref="test_disable_xwindows_runlevel_target" />
|
|
|
dac76a |
</criteria>
|
|
|
dac76a |
- {{%- else %}}
|
|
|
dac76a |
- <criteria>
|
|
|
dac76a |
- <criterion comment="default runlevel is 3" test_ref="test_etc_inittab_default_runlevel_target" />
|
|
|
dac76a |
- </criteria>
|
|
|
dac76a |
- {{%- endif %}}
|
|
|
dac76a |
</definition>
|
|
|
dac76a |
- {{%- if init_system == "systemd" %}}
|
|
|
dac76a |
<unix:symlink_test check="all" check_existence="all_exist" comment="default.target systemd softlink exists" id="test_disable_xwindows_runlevel_target" version="1">
|
|
|
dac76a |
<unix:object object_ref="object_disable_xwindows_runlevel_target" />
|
|
|
dac76a |
<unix:state state_ref="state_disable_xwindows_runlevel_target" />
|
|
|
dac76a |
@@ -34,16 +23,6 @@
|
|
|
dac76a |
<unix:filepath>/etc/systemd/system/default.target</unix:filepath>
|
|
|
dac76a |
<unix:canonical_path operation="pattern match">^/usr/lib/systemd/system/multi-user.target$</unix:canonical_path>
|
|
|
dac76a |
</unix:symlink_state>
|
|
|
dac76a |
- {{%- else %}}
|
|
|
dac76a |
- <ind:textfilecontent54_test check="all" comment="default runlevel is 3" id="test_etc_inittab_default_runlevel_target" version="1">
|
|
|
dac76a |
- <ind:object object_ref="object_etc_inittab_default_runlevel_target" />
|
|
|
dac76a |
- </ind:textfilecontent54_test>
|
|
|
dac76a |
- <ind:textfilecontent54_object id="object_etc_inittab_default_runlevel_target" version="1">
|
|
|
dac76a |
- <ind:filepath>/etc/inittab</ind:filepath>
|
|
|
dac76a |
- <ind:pattern operation="pattern match">^[\s]*id:3:initdefault:[\s]*$</ind:pattern>
|
|
|
dac76a |
- <ind:instance datatype="int">1</ind:instance>
|
|
|
dac76a |
- </ind:textfilecontent54_object>
|
|
|
dac76a |
- {{%- endif %}}
|
|
|
dac76a |
</def-group>
|
|
|
dac76a |
{{%- endif -%}}
|
|
|
dac76a |
|
|
|
dac76a |
diff --git a/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_runlevel_target/tests/correct_target.pass.sh b/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_runlevel_target/tests/correct_target.pass.sh
|
|
|
dac76a |
index 33835c8f50..f7837a25b7 100644
|
|
|
dac76a |
--- a/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_runlevel_target/tests/correct_target.pass.sh
|
|
|
dac76a |
+++ b/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_runlevel_target/tests/correct_target.pass.sh
|
|
|
dac76a |
@@ -1,5 +1,4 @@
|
|
|
dac76a |
#!/bin/bash
|
|
|
dac76a |
# platform = multi_platform_sle,multi_platform_rhv,multi_platform_fedora,Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8
|
|
|
dac76a |
|
|
|
dac76a |
-rm -f /etc/systemd/system/default.target
|
|
|
dac76a |
-ln -s /usr/lib/systemd/system/multi-user.target /etc/systemd/system/default.target
|
|
|
dac76a |
+systemctl set-default multi-user.target
|
|
|
dac76a |
diff --git a/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_runlevel_target/tests/wrong_target.fail.sh b/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_runlevel_target/tests/wrong_target.fail.sh
|
|
|
dac76a |
index 9313dbb5a2..5a20e8ce3a 100644
|
|
|
dac76a |
--- a/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_runlevel_target/tests/wrong_target.fail.sh
|
|
|
dac76a |
+++ b/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_runlevel_target/tests/wrong_target.fail.sh
|
|
|
dac76a |
@@ -1,5 +1,4 @@
|
|
|
dac76a |
#!/bin/bash
|
|
|
dac76a |
# platform = multi_platform_sle,multi_platform_rhv,multi_platform_fedora,Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8
|
|
|
dac76a |
|
|
|
dac76a |
-rm -f /etc/systemd/system/default.target
|
|
|
dac76a |
-ln -s /usr/lib/systemd/system/graphical.target /etc/systemd/system/default.target
|
|
|
dac76a |
+systemctl set-default graphical.target
|
|
|
dac76a |
|
|
|
dac76a |
From bf0a5b6760b58ae5a7927781af3f24443b732554 Mon Sep 17 00:00:00 2001
|
|
|
dac76a |
From: Gabriel Becker <ggasparb@redhat.com>
|
|
|
dac76a |
Date: Mon, 20 Apr 2020 23:23:00 +0200
|
|
|
dac76a |
Subject: [PATCH 05/10] Update list of available CCE.
|
|
|
dac76a |
|
|
|
dac76a |
---
|
|
|
dac76a |
shared/references/cce-redhat-avail.txt | 1 -
|
|
|
dac76a |
1 file changed, 1 deletion(-)
|
|
|
dac76a |
|
|
|
dac76a |
diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
|
|
|
dac76a |
index c10448ff8d..4debf015dd 100644
|
|
|
dac76a |
--- a/shared/references/cce-redhat-avail.txt
|
|
|
dac76a |
+++ b/shared/references/cce-redhat-avail.txt
|
|
|
dac76a |
@@ -71,7 +71,6 @@ CCE-83376-4
|
|
|
dac76a |
CCE-83377-2
|
|
|
dac76a |
CCE-83378-0
|
|
|
dac76a |
CCE-83379-8
|
|
|
dac76a |
-CCE-83380-6
|
|
|
dac76a |
CCE-83381-4
|
|
|
dac76a |
CCE-83382-2
|
|
|
dac76a |
CCE-83383-0
|
|
|
dac76a |
|
|
|
dac76a |
From e4ab5d8502aba4e4f55aa1d6394fe47f893e68ff Mon Sep 17 00:00:00 2001
|
|
|
dac76a |
From: Gabriel Becker <ggasparb@redhat.com>
|
|
|
dac76a |
Date: Thu, 23 Apr 2020 16:01:06 +0200
|
|
|
dac76a |
Subject: [PATCH 06/10] Update ansible remediation for xwindows_runlevel_target
|
|
|
dac76a |
to use file module.
|
|
|
dac76a |
|
|
|
dac76a |
---
|
|
|
dac76a |
.../xwindows_runlevel_target/ansible/shared.yml | 11 +++++------
|
|
|
dac76a |
1 file changed, 5 insertions(+), 6 deletions(-)
|
|
|
dac76a |
|
|
|
dac76a |
diff --git a/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_runlevel_target/ansible/shared.yml b/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_runlevel_target/ansible/shared.yml
|
|
|
dac76a |
index 2677c96ac7..72a3c5415a 100644
|
|
|
dac76a |
--- a/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_runlevel_target/ansible/shared.yml
|
|
|
dac76a |
+++ b/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_runlevel_target/ansible/shared.yml
|
|
|
dac76a |
@@ -4,10 +4,9 @@
|
|
|
dac76a |
# complexity = low
|
|
|
dac76a |
# disruption = low
|
|
|
dac76a |
|
|
|
dac76a |
-- name: get default target
|
|
|
dac76a |
- command: systemctl get-default
|
|
|
dac76a |
- register: default_target
|
|
|
dac76a |
-
|
|
|
dac76a |
- name: Switch to multi-user runlevel
|
|
|
dac76a |
- command: systemctl set-default multi-user.target
|
|
|
dac76a |
- when: default_target.stdout != "multi-user.target"
|
|
|
dac76a |
+ file:
|
|
|
dac76a |
+ src: /usr/lib/systemd/system/multi-user.target
|
|
|
dac76a |
+ dest: /etc/systemd/system/default.target
|
|
|
dac76a |
+ state: link
|
|
|
dac76a |
+ force: yes
|
|
|
dac76a |
|
|
|
dac76a |
From d19185cd39abcb413351894384a8c603ee768470 Mon Sep 17 00:00:00 2001
|
|
|
dac76a |
From: Gabriel Becker <ggasparb@redhat.com>
|
|
|
dac76a |
Date: Thu, 23 Apr 2020 16:01:52 +0200
|
|
|
dac76a |
Subject: [PATCH 07/10] Update rule package_xorg-x11-server-common_removed
|
|
|
dac76a |
metadata.
|
|
|
dac76a |
|
|
|
dac76a |
For RHEL8 based products the group id that represents base Xorg packages
|
|
|
dac76a |
is called "base-x".
|
|
|
dac76a |
---
|
|
|
dac76a |
.../package_xorg-x11-server-common_removed/rule.yml | 12 +++++++-----
|
|
|
dac76a |
1 file changed, 7 insertions(+), 5 deletions(-)
|
|
|
dac76a |
|
|
|
dac76a |
diff --git a/linux_os/guide/services/xwindows/disabling_xwindows/package_xorg-x11-server-common_removed/rule.yml b/linux_os/guide/services/xwindows/disabling_xwindows/package_xorg-x11-server-common_removed/rule.yml
|
|
|
dac76a |
index 934205472b..099ef2bc7b 100644
|
|
|
dac76a |
--- a/linux_os/guide/services/xwindows/disabling_xwindows/package_xorg-x11-server-common_removed/rule.yml
|
|
|
dac76a |
+++ b/linux_os/guide/services/xwindows/disabling_xwindows/package_xorg-x11-server-common_removed/rule.yml
|
|
|
dac76a |
@@ -9,7 +9,9 @@ description: |-
|
|
|
dac76a |
installed. If X Windows is not installed then the system cannot boot into graphical user mode.
|
|
|
dac76a |
This prevents the system from being accidentally or maliciously booted into a <tt>graphical.target</tt>
|
|
|
dac76a |
mode. To do so, run the following command:
|
|
|
dac76a |
- {{%- if product != "rhel8" and product != "rhv4" -%}}
|
|
|
dac76a |
+ {{%- if product == "rhel8" or product == "rhv4" -%}}
|
|
|
dac76a |
+ $ sudo {{{ pkg_manager }}} groupremove base-x
|
|
|
dac76a |
+ {{%- else %}}
|
|
|
dac76a |
$ sudo {{{ pkg_manager }}} groupremove "X Window System"
|
|
|
dac76a |
{{%- endif %}}
|
|
|
dac76a |
$ sudo {{{ pkg_manager }}} remove xorg-x11-server-common
|
|
|
dac76a |
@@ -52,10 +54,10 @@ ocil: |-
|
|
|
dac76a |
warnings:
|
|
|
dac76a |
- functionality: |-
|
|
|
dac76a |
The installation and use of a Graphical User Interface (GUI) increases your attack vector and decreases your
|
|
|
dac76a |
- overall security posture. Removing the package xorg-x11-server-common package can
|
|
|
dac76a |
- potentially remove the graphical target which might bring your system to an inconsistent state requiring
|
|
|
dac76a |
- additional configuration to access the system again. If a GUI is an operational requirement, a tailored profile
|
|
|
dac76a |
- that removes this rule should used before continuing installation.
|
|
|
dac76a |
+ overall security posture. Removing the package xorg-x11-server-common package will remove the graphical target
|
|
|
dac76a |
+ which might bring your system to an inconsistent state requiring additional configuration to access the system
|
|
|
dac76a |
+ again. If a GUI is an operational requirement, a tailored profile that removes this rule should used before
|
|
|
dac76a |
+ continuing installation.
|
|
|
dac76a |
|
|
|
dac76a |
template:
|
|
|
dac76a |
name: package_removed
|
|
|
dac76a |
|
|
|
dac76a |
From 568ea36774cd41778c5ffcb004c11b538697f39b Mon Sep 17 00:00:00 2001
|
|
|
dac76a |
From: Gabriel Becker <ggasparb@redhat.com>
|
|
|
dac76a |
Date: Thu, 23 Apr 2020 17:13:58 +0200
|
|
|
dac76a |
Subject: [PATCH 08/10] OVAL Check for xwindows_runlevel_target consider files
|
|
|
dac76a |
from both /usr and /lib directory prefix.
|
|
|
dac76a |
|
|
|
dac76a |
---
|
|
|
dac76a |
.../xwindows_runlevel_target/oval/shared.xml | 2 +-
|
|
|
dac76a |
.../tests/correct_target_under_lib.pass.sh | 4 ++++
|
|
|
dac76a |
.../tests/wrong_target_under_lib.fail.sh | 4 ++++
|
|
|
dac76a |
3 files changed, 9 insertions(+), 1 deletion(-)
|
|
|
dac76a |
create mode 100644 linux_os/guide/services/xwindows/disabling_xwindows/xwindows_runlevel_target/tests/correct_target_under_lib.pass.sh
|
|
|
dac76a |
create mode 100644 linux_os/guide/services/xwindows/disabling_xwindows/xwindows_runlevel_target/tests/wrong_target_under_lib.fail.sh
|
|
|
dac76a |
|
|
|
dac76a |
diff --git a/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_runlevel_target/oval/shared.xml b/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_runlevel_target/oval/shared.xml
|
|
|
dac76a |
index 16e15df8e1..97f51c3140 100644
|
|
|
dac76a |
--- a/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_runlevel_target/oval/shared.xml
|
|
|
dac76a |
+++ b/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_runlevel_target/oval/shared.xml
|
|
|
dac76a |
@@ -21,7 +21,7 @@
|
|
|
dac76a |
</unix:symlink_object>
|
|
|
dac76a |
<unix:symlink_state comment="default.target is linked to multi-user.target" id="state_disable_xwindows_runlevel_target" version="1">
|
|
|
dac76a |
<unix:filepath>/etc/systemd/system/default.target</unix:filepath>
|
|
|
dac76a |
- <unix:canonical_path operation="pattern match">^/usr/lib/systemd/system/multi-user.target$</unix:canonical_path>
|
|
|
dac76a |
+ <unix:canonical_path operation="pattern match">^(/usr)?/lib/systemd/system/multi-user.target$</unix:canonical_path>
|
|
|
dac76a |
</unix:symlink_state>
|
|
|
dac76a |
</def-group>
|
|
|
dac76a |
{{%- endif -%}}
|
|
|
dac76a |
diff --git a/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_runlevel_target/tests/correct_target_under_lib.pass.sh b/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_runlevel_target/tests/correct_target_under_lib.pass.sh
|
|
|
dac76a |
new file mode 100644
|
|
|
dac76a |
index 0000000000..f7837a25b7
|
|
|
dac76a |
--- /dev/null
|
|
|
dac76a |
+++ b/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_runlevel_target/tests/correct_target_under_lib.pass.sh
|
|
|
dac76a |
@@ -0,0 +1,4 @@
|
|
|
dac76a |
+#!/bin/bash
|
|
|
dac76a |
+# platform = multi_platform_sle,multi_platform_rhv,multi_platform_fedora,Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8
|
|
|
dac76a |
+
|
|
|
dac76a |
+systemctl set-default multi-user.target
|
|
|
dac76a |
diff --git a/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_runlevel_target/tests/wrong_target_under_lib.fail.sh b/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_runlevel_target/tests/wrong_target_under_lib.fail.sh
|
|
|
dac76a |
new file mode 100644
|
|
|
dac76a |
index 0000000000..408409b9b1
|
|
|
dac76a |
--- /dev/null
|
|
|
dac76a |
+++ b/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_runlevel_target/tests/wrong_target_under_lib.fail.sh
|
|
|
dac76a |
@@ -0,0 +1,4 @@
|
|
|
dac76a |
+#!/bin/bash
|
|
|
dac76a |
+# platform = multi_platform_sle,multi_platform_rhv,multi_platform_fedora,Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8
|
|
|
dac76a |
+
|
|
|
dac76a |
+ln -sf /lib/systemd/system/graphical.target /etc/systemd/system/default.target
|
|
|
dac76a |
|
|
|
dac76a |
From e39030c464385251d0688ccb609ad10718b22359 Mon Sep 17 00:00:00 2001
|
|
|
dac76a |
From: Gabriel Becker <ggasparb@redhat.com>
|
|
|
dac76a |
Date: Thu, 23 Apr 2020 17:14:51 +0200
|
|
|
dac76a |
Subject: [PATCH 09/10] Update command output from instructions on how to
|
|
|
dac76a |
manually set multi-user.target.
|
|
|
dac76a |
|
|
|
dac76a |
---
|
|
|
dac76a |
.../disabling_xwindows/xwindows_runlevel_target/rule.yml | 4 ++--
|
|
|
dac76a |
1 file changed, 2 insertions(+), 2 deletions(-)
|
|
|
dac76a |
|
|
|
dac76a |
diff --git a/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_runlevel_target/rule.yml b/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_runlevel_target/rule.yml
|
|
|
dac76a |
index cd04fcde8f..79457b2b4f 100644
|
|
|
dac76a |
--- a/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_runlevel_target/rule.yml
|
|
|
dac76a |
+++ b/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_runlevel_target/rule.yml
|
|
|
dac76a |
@@ -11,8 +11,8 @@ description: |-
|
|
|
dac76a |
<tt>multi-user.target</tt> will prevent automatic startup of the X server. To do so, run:
|
|
|
dac76a |
$ systemctl set-default multi-user.target
|
|
|
dac76a |
You should see the following output:
|
|
|
dac76a |
- rm '/etc/systemd/system/default.target'
|
|
|
dac76a |
- ln -s '/usr/lib/systemd/system/multi-user.target' '/etc/systemd/system/default.target'
|
|
|
dac76a |
+ Removed symlink /etc/systemd/system/default.target.
|
|
|
dac76a |
+ Created symlink from /etc/systemd/system/default.target to /usr/lib/systemd/system/multi-user.target.
|
|
|
dac76a |
|
|
|
dac76a |
rationale: |-
|
|
|
dac76a |
Services that are not required for system and application processes
|
|
|
dac76a |
|
|
|
dac76a |
From 2965265fcaf9b14b53866e33d18eeb89f50902c1 Mon Sep 17 00:00:00 2001
|
|
|
dac76a |
From: Gabriel Becker <ggasparb@redhat.com>
|
|
|
dac76a |
Date: Thu, 23 Apr 2020 17:32:21 +0200
|
|
|
dac76a |
Subject: [PATCH 10/10] Fix location of symlink created by test scenario for
|
|
|
dac76a |
xwindows_runlevel_target.
|
|
|
dac76a |
|
|
|
dac76a |
---
|
|
|
dac76a |
.../tests/correct_target_under_lib.pass.sh | 2 +-
|
|
|
dac76a |
1 file changed, 1 insertion(+), 1 deletion(-)
|
|
|
dac76a |
|
|
|
dac76a |
diff --git a/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_runlevel_target/tests/correct_target_under_lib.pass.sh b/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_runlevel_target/tests/correct_target_under_lib.pass.sh
|
|
|
dac76a |
index f7837a25b7..dc698edc50 100644
|
|
|
dac76a |
--- a/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_runlevel_target/tests/correct_target_under_lib.pass.sh
|
|
|
dac76a |
+++ b/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_runlevel_target/tests/correct_target_under_lib.pass.sh
|
|
|
dac76a |
@@ -1,4 +1,4 @@
|
|
|
dac76a |
#!/bin/bash
|
|
|
dac76a |
# platform = multi_platform_sle,multi_platform_rhv,multi_platform_fedora,Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8
|
|
|
dac76a |
|
|
|
dac76a |
-systemctl set-default multi-user.target
|
|
|
dac76a |
+ln -sf /lib/systemd/system/multi-user.target /etc/systemd/system/default.target
|