Blame SOURCES/scap-security-guide-0.1.58-RHEL_08_010001-PR_7344.patch

76240a
From bb5c2983be3b11c3cd1070cf1d3daca27cb700ee Mon Sep 17 00:00:00 2001
76240a
From: Matthew Burket <mburket@redhat.com>
76240a
Date: Thu, 19 Aug 2021 08:02:55 -0500
76240a
Subject: [PATCH] Add a new rules RHEL-08-010001 and RHEL-07-020019
76240a
76240a
---
76240a
 .../agent_mfetpd_running/oval/shared.xml      | 16 ++++++
76240a
 .../agent_mfetpd_running/rule.yml             | 39 ++++++++++++++
76240a
 .../group.yml                                 |  7 +++
76240a
 .../package_mcafeetp_installed/rule.yml       | 51 +++++++++++++++++++
76240a
 products/rhel7/profiles/stig.profile          |  2 +
76240a
 products/rhel8/profiles/stig.profile          |  4 ++
76240a
 shared/references/cce-redhat-avail.txt        |  4 --
76240a
 .../data/profile_stability/rhel8/stig.profile |  2 +
76240a
 .../profile_stability/rhel8/stig_gui.profile  |  2 +
76240a
 9 files changed, 123 insertions(+), 4 deletions(-)
76240a
 create mode 100644 linux_os/guide/system/software/integrity/endpoint_security_software/mcafee_security_software/mcafee_endpoint_security_software/agent_mfetpd_running/oval/shared.xml
76240a
 create mode 100644 linux_os/guide/system/software/integrity/endpoint_security_software/mcafee_security_software/mcafee_endpoint_security_software/agent_mfetpd_running/rule.yml
76240a
 create mode 100644 linux_os/guide/system/software/integrity/endpoint_security_software/mcafee_security_software/mcafee_endpoint_security_software/group.yml
76240a
 create mode 100644 linux_os/guide/system/software/integrity/endpoint_security_software/mcafee_security_software/mcafee_endpoint_security_software/package_mcafeetp_installed/rule.yml
76240a
76240a
diff --git a/linux_os/guide/system/software/integrity/endpoint_security_software/mcafee_security_software/mcafee_endpoint_security_software/agent_mfetpd_running/oval/shared.xml b/linux_os/guide/system/software/integrity/endpoint_security_software/mcafee_security_software/mcafee_endpoint_security_software/agent_mfetpd_running/oval/shared.xml
76240a
new file mode 100644
76240a
index 00000000000..9900d8bd724
76240a
--- /dev/null
76240a
+++ b/linux_os/guide/system/software/integrity/endpoint_security_software/mcafee_security_software/mcafee_endpoint_security_software/agent_mfetpd_running/oval/shared.xml
76240a
@@ -0,0 +1,16 @@
76240a
+<def-group>
76240a
+    <definition class="compliance" id="{{{ rule_id }}}" version="1">
76240a
+        {{{ oval_metadata("Ensure that McAfee Endpoint Security for Linux (ENSL) is running.") }}}
76240a
+        <criteria>
76240a
+            <criterion comment="McAfee ENSL is running" test_ref="test_{{{ rule_id }}}"/>
76240a
+        </criteria>
76240a
+    </definition>
76240a
+    <unix:process58_test check="all" id="test_{{{ rule_id }}}" comment="is mfetpd running" version="1">
76240a
+        <unix:object object_ref="obj_{{{ rule_id }}}"/>
76240a
+    </unix:process58_test>
76240a
+
76240a
+    <unix:process58_object id="obj_{{{ rule_id }}}" version="1">
76240a
+        <unix:command_line operation="pattern match">^mfetpd.*$</unix:command_line>
76240a
+        <unix:pid datatype="int" operation="greater than">0</unix:pid>
76240a
+    </unix:process58_object>
76240a
+</def-group>
76240a
diff --git a/linux_os/guide/system/software/integrity/endpoint_security_software/mcafee_security_software/mcafee_endpoint_security_software/agent_mfetpd_running/rule.yml b/linux_os/guide/system/software/integrity/endpoint_security_software/mcafee_security_software/mcafee_endpoint_security_software/agent_mfetpd_running/rule.yml
76240a
new file mode 100644
76240a
index 00000000000..32c934467da
76240a
--- /dev/null
76240a
+++ b/linux_os/guide/system/software/integrity/endpoint_security_software/mcafee_security_software/mcafee_endpoint_security_software/agent_mfetpd_running/rule.yml
76240a
@@ -0,0 +1,39 @@
76240a
+documentation_complete: true
76240a
+
76240a
+prodtype: rhel7,rhel8
76240a
+
76240a
+title: 'Ensure McAfee Endpoint Security for Linux (ENSL) is running'
76240a
+
76240a
+description: |-
76240a
+    Install McAfee Endpoint Security for Linux antivirus software
76240a
+    which is provided for DoD systems and uses signatures to search for the
76240a
+    presence of viruses on the filesystem.
76240a
+
76240a
+rationale: |-
76240a
+    Virus scanning software can be used to detect if a system has been compromised by
76240a
+    computer viruses, as well as to limit their spread to other systems.
76240a
+
76240a
+severity: high
76240a
+
76240a
+identifiers:
76240a
+    cce@rhel7: CCE-86262-3
76240a
+    cce@rhel8: CCE-86261-5
76240a
+
76240a
+references:
76240a
+    disa: CCI-001233
76240a
+    nist: SI-2(2)
76240a
+    srg: SRG-OS-000191-GPOS-00080
76240a
+    stigid@rhel7: RHEL-07-020019
76240a
+    stigid@rhel8: RHEL-08-010001
76240a
+
76240a
+ocil_clause: 'virus scanning software is not running'
76240a
+
76240a
+ocil: |-
76240a
+    To verify that McAfee Endpoint Security for Linux is
76240a
+    running, run the following command:
76240a
+    
$ sudo ps -ef | grep -i mfetpd
76240a
+
76240a
+warnings:
76240a
+    - general: |-
76240a
+        Due to McAfee Endpoint Security for Linux (ENSL) being 3rd party software,
76240a
+        automated remediation is not available for this configuration check.
76240a
diff --git a/linux_os/guide/system/software/integrity/endpoint_security_software/mcafee_security_software/mcafee_endpoint_security_software/group.yml b/linux_os/guide/system/software/integrity/endpoint_security_software/mcafee_security_software/mcafee_endpoint_security_software/group.yml
76240a
new file mode 100644
76240a
index 00000000000..f2e4e89851a
76240a
--- /dev/null
76240a
+++ b/linux_os/guide/system/software/integrity/endpoint_security_software/mcafee_security_software/mcafee_endpoint_security_software/group.yml
76240a
@@ -0,0 +1,7 @@
76240a
+documentation_complete: true
76240a
+
76240a
+title: 'McAfee Endpoint Security for Linux (ENSL)'
76240a
+
76240a
+description: |-
76240a
+    McAfee Endpoint Security for Linux (ENSL) is a suite of software applications
76240a
+    used to monitor, detect, and defend computer networks and systems.
76240a
diff --git a/linux_os/guide/system/software/integrity/endpoint_security_software/mcafee_security_software/mcafee_endpoint_security_software/package_mcafeetp_installed/rule.yml b/linux_os/guide/system/software/integrity/endpoint_security_software/mcafee_security_software/mcafee_endpoint_security_software/package_mcafeetp_installed/rule.yml
76240a
new file mode 100644
76240a
index 00000000000..16587792eff
76240a
--- /dev/null
76240a
+++ b/linux_os/guide/system/software/integrity/endpoint_security_software/mcafee_security_software/mcafee_endpoint_security_software/package_mcafeetp_installed/rule.yml
76240a
@@ -0,0 +1,51 @@
76240a
+documentation_complete: true
76240a
+
76240a
+prodtype: rhel7,rhel8
76240a
+
76240a
+title: 'Install McAfee Endpoint Security for Linux (ENSL)'
76240a
+
76240a
+description: |-
76240a
+    Install McAfee Endpoint Security for Linux antivirus software
76240a
+    which is provided for DoD systems and uses signatures to search for the
76240a
+    presence of viruses on the filesystem.
76240a
+
76240a
+    {{{ describe_package_install(package="mcafeetp") }}}
76240a
+
76240a
+rationale: |-
76240a
+    Virus scanning software can be used to detect if a system has been compromised by
76240a
+    computer viruses, as well as to limit their spread to other systems.
76240a
+
76240a
+severity: high
76240a
+
76240a
+identifiers:
76240a
+    cce@rhel7: CCE-86257-3
76240a
+    cce@rhel8: CCE-86260-7
76240a
+
76240a
+references:
76240a
+    disa: CCI-001233
76240a
+    nist: SI-2(2)
76240a
+    srg: SRG-OS-000191-GPOS-00080
76240a
+    stigid@rhel7: RHEL-07-020019
76240a
+    stigid@rhel8: RHEL-08-010001
76240a
+
76240a
+ocil_clause: 'the package is not installed'
76240a
+
76240a
+ocil: '{{{ ocil_package(package="mcafeetp") }}}'
76240a
+
76240a
+warnings:
76240a
+    - general: |-
76240a
+        Due to McAfee Endpoint Security for Linux (ENSL) being 3rd party software,
76240a
+        automated remediation is not available for this configuration check.
76240a
+
76240a
+platform: machine
76240a
+
76240a
+template:
76240a
+    name: package_installed
76240a
+    vars:
76240a
+        pkgname: mcafeetp
76240a
+    backends:
76240a
+        bash: "off"
76240a
+        ansible: "off"
76240a
+        anaconda: "off"
76240a
+        puppet: "off"
76240a
+        blueprint: "off"
76240a
diff --git a/products/rhel7/profiles/stig.profile b/products/rhel7/profiles/stig.profile
76240a
index f5761c891f2..9ca13600057 100644
76240a
--- a/products/rhel7/profiles/stig.profile
76240a
+++ b/products/rhel7/profiles/stig.profile
76240a
@@ -316,3 +316,5 @@ selections:
76240a
     - file_permissions_var_log_audit
76240a
     - sysctl_net_ipv4_conf_all_rp_filter
76240a
     - sysctl_net_ipv4_conf_default_rp_filter
76240a
+    - package_mcafeetp_installed
76240a
+    - agent_mfetpd_running
76240a
diff --git a/products/rhel8/profiles/stig.profile b/products/rhel8/profiles/stig.profile
76240a
index 9dc9360e899..36f384621ae 100644
76240a
--- a/products/rhel8/profiles/stig.profile
76240a
+++ b/products/rhel8/profiles/stig.profile
76240a
@@ -84,6 +84,10 @@ selections:
76240a
     # RHEL-08-010000
76240a
     - installed_OS_is_vendor_supported
76240a
 
76240a
+    # RHEL-08-010001
76240a
+    - package_mcafeetp_installed
76240a
+    - agent_mfetpd_running
76240a
+
76240a
     # RHEL-08-010010
76240a
     - security_patches_up_to_date
76240a
 
76240a
diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
76240a
index 3b24e19da06..08013e6de22 100644
76240a
--- a/shared/references/cce-redhat-avail.txt
76240a
+++ b/shared/references/cce-redhat-avail.txt
76240a
@@ -372,12 +372,8 @@ CCE-86253-2
76240a
 CCE-86254-0
76240a
 CCE-86255-7
76240a
 CCE-86256-5
76240a
-CCE-86257-3
76240a
 CCE-86258-1
76240a
 CCE-86259-9
76240a
-CCE-86260-7
76240a
-CCE-86261-5
76240a
-CCE-86262-3
76240a
 CCE-86263-1
76240a
 CCE-86264-9
76240a
 CCE-86265-6
76240a
diff --git a/tests/data/profile_stability/rhel8/stig.profile b/tests/data/profile_stability/rhel8/stig.profile
76240a
index e9ba0f0adbf..f3e6c4fa1a1 100644
76240a
--- a/tests/data/profile_stability/rhel8/stig.profile
76240a
+++ b/tests/data/profile_stability/rhel8/stig.profile
76240a
@@ -65,6 +65,7 @@ selections:
76240a
 - accounts_user_interactive_home_directory_defined
76240a
 - accounts_user_interactive_home_directory_exists
76240a
 - aide_check_audit_tools
76240a
+- agent_mfetpd_running
76240a
 - aide_scan_notification
76240a
 - aide_verify_acls
76240a
 - aide_verify_ext_attributes
76240a
@@ -280,6 +281,7 @@ selections:
76240a
 - package_gssproxy_removed
76240a
 - package_iprutils_removed
76240a
 - package_krb5-workstation_removed
76240a
+- package_mcafeetp_installed
76240a
 - package_opensc_installed
76240a
 - package_openssh-server_installed
76240a
 - package_policycoreutils_installed
76240a
diff --git a/tests/data/profile_stability/rhel8/stig_gui.profile b/tests/data/profile_stability/rhel8/stig_gui.profile
76240a
index c8540f9392e..b5b60349a83 100644
76240a
--- a/tests/data/profile_stability/rhel8/stig_gui.profile
76240a
+++ b/tests/data/profile_stability/rhel8/stig_gui.profile
76240a
@@ -76,6 +76,7 @@ selections:
76240a
 - accounts_user_interactive_home_directory_defined
76240a
 - accounts_user_interactive_home_directory_exists
76240a
 - aide_check_audit_tools
76240a
+- agent_mfetpd_running
76240a
 - aide_scan_notification
76240a
 - aide_verify_acls
76240a
 - aide_verify_ext_attributes
76240a
@@ -291,6 +292,7 @@ selections:
76240a
 - package_gssproxy_removed
76240a
 - package_iprutils_removed
76240a
 - package_krb5-workstation_removed
76240a
+- package_mcafeetp_installed
76240a
 - package_opensc_installed
76240a
 - package_openssh-server_installed
76240a
 - package_policycoreutils_installed