From bb5c2983be3b11c3cd1070cf1d3daca27cb700ee Mon Sep 17 00:00:00 2001
From: Matthew Burket <mburket@redhat.com>
Date: Thu, 19 Aug 2021 08:02:55 -0500
Subject: [PATCH] Add a new rules RHEL-08-010001 and RHEL-07-020019
---
.../agent_mfetpd_running/oval/shared.xml | 16 ++++++
.../agent_mfetpd_running/rule.yml | 39 ++++++++++++++
.../group.yml | 7 +++
.../package_mcafeetp_installed/rule.yml | 51 +++++++++++++++++++
products/rhel7/profiles/stig.profile | 2 +
products/rhel8/profiles/stig.profile | 4 ++
shared/references/cce-redhat-avail.txt | 4 --
.../data/profile_stability/rhel8/stig.profile | 2 +
.../profile_stability/rhel8/stig_gui.profile | 2 +
9 files changed, 123 insertions(+), 4 deletions(-)
create mode 100644 linux_os/guide/system/software/integrity/endpoint_security_software/mcafee_security_software/mcafee_endpoint_security_software/agent_mfetpd_running/oval/shared.xml
create mode 100644 linux_os/guide/system/software/integrity/endpoint_security_software/mcafee_security_software/mcafee_endpoint_security_software/agent_mfetpd_running/rule.yml
create mode 100644 linux_os/guide/system/software/integrity/endpoint_security_software/mcafee_security_software/mcafee_endpoint_security_software/group.yml
create mode 100644 linux_os/guide/system/software/integrity/endpoint_security_software/mcafee_security_software/mcafee_endpoint_security_software/package_mcafeetp_installed/rule.yml
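diff --git a/linux_os/guide/system/software/integrity/endpoint_security_software/mcafee_security_software/mcafee_endpoint_security_software/agent_mfetpd_running/oval/shared.xml b/linux_os/guide/system/software/integrity/endpoint_security_software/mcafee_security_software/mcafee_endpoint_security_software/agent_mfetpd_running/oval/shared.xml
new file mode 100644
index 00000000000..9900d8bd724
--- /dev/null
+++ b/linux_os/guide/system/software/integrity/endpoint_security_software/mcafee_security_software/mcafee_endpoint_security_software/agent_mfetpd_running/oval/shared.xml
@@ -0,0 +1,16 @@
+<def-group>
+ <definition class="compliance" id="{{{ rule_id }}}" version="1">
+ {{{ oval_metadata("Ensure that McAfee Endpoint Security for Linux (ENSL) is running.") }}}
+ <criteria>
+ <criterion comment="McAfee ENSL is running" test_ref="test_{{{ rule_id }}}"/>
+ </criteria>
+ </definition>
+ <unix:process58_test check="all" id="test_{{{ rule_id }}}" comment="is mfetpd running" version="1">
+ <unix:object object_ref="obj_{{{ rule_id }}}"/>
+ </unix:process58_test>
+
+ <unix:process58_object id="obj_{{{ rule_id }}}" version="1">
+ <unix:command_line operation="pattern match">^mfetpd.*$</unix:command_line>
+ <unix:pid datatype="int" operation="greater than">0</unix:pid>
+ </unix:process58_object>
+</def-group>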
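Review bot: The `^mfetpd.*$` pattern on `unix:command_line` in the `process58_object` is anchored to the start of the command line, so the check would presumably report the agent as not running if the daemon is launched by absolute path. It also accepts any process whose command line merely begins with `mfetpd`, whoever owns it, so a pass does not establish that the vendor daemon is the one running. A pattern that tolerates a leading path and requires the name to end there, such as `<unix:command_line operation="pattern match">^(\S*/)?mfetpd(\s.*)?$</unix:command_line>`, would narrow both cases. A comment next to the object stating which command-line form the agent actually uses would let reviewers confirm the anchor.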
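diff --git a/linux_os/guide/system/software/integrity/endpoint_security_software/mcafee_security_software/mcafee_endpoint_security_software/agent_mfetpd_running/rule.yml b/linux_os/guide/system/software/integrity/endpoint_security_software/mcafee_security_software/mcafee_endpoint_security_software/agent_mfetpd_running/rule.yml
new file mode 100644
index 00000000000..32c934467da
--- /dev/null
+++ b/linux_os/guide/system/software/integrity/endpoint_security_software/mcafee_security_software/mcafee_endpoint_security_software/agent_mfetpd_running/rule.yml
@@ -0,0 +1,39 @@
+documentation_complete: true
+
+prodtype: rhel7,rhel8
+
+title: 'Ensure McAfee Endpoint Security for Linux (ENSL) is running'
+
+description: |-
+ Install McAfee Endpoint Security for Linux antivirus software
+ which is provided for DoD systems and uses signatures to search for the
+ presence of viruses on the filesystem.
+
+rationale: |-
+ Virus scanning software can be used to detect if a system has been compromised by
+ computer viruses, as well as to limit their spread to other systems.
+
+severity: high
+
+identifiers:
+ cce@rhel7: CCE-86262-3
+ cce@rhel8: CCE-86261-5
+
+references:
+ disa: CCI-001233
+ nist: SI-2(2)
+ srg: SRG-OS-000191-GPOS-00080
+ stigid@rhel7: RHEL-07-020019
+ stigid@rhel8: RHEL-08-010001
+
+ocil_clause: 'virus scanning software is not running'
+
+ocil: |-
+ To verify that McAfee Endpoint Security for Linux is
+ running, run the following command:
+ $ sudo ps -ef | grep -i mfetpd
+
+warnings:
+ - general: |-
+ Due to McAfee Endpoint Security for Linux (ENSL) being 3rd party software,
+ automated remediation is not available for this configuration check.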
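Review bot: The `ocil` command `sudo ps -ef | grep -i mfetpd` prints at least one line even when the agent is stopped, because the `grep` process matches its own pattern, so an auditor following it can record a stopped agent as running. `$ pgrep -a mfetpd` or `$ ps -ef | grep -i '[m]fetpd'` avoids the self-match. The `description` is copied from the install rule and tells the reader to install the product rather than to keep `mfetpd` running. Unlike package_mcafeetp_installed, this rule sets no `platform: machine`, so it would presumably also be evaluated on targets where the package rule is skipped.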
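diff --git a/linux_os/guide/system/software/integrity/endpoint_security_software/mcafee_security_software/mcafee_endpoint_security_software/group.yml b/linux_os/guide/system/software/integrity/endpoint_security_software/mcafee_security_software/mcafee_endpoint_security_software/group.yml
new file mode 100644
index 00000000000..f2e4e89851a
--- /dev/null
+++ b/linux_os/guide/system/software/integrity/endpoint_security_software/mcafee_security_software/mcafee_endpoint_security_software/group.yml
@@ -0,0 +1,7 @@
+documentation_complete: true
+
+title: 'McAfee Endpoint Security for Linux (ENSL)'
+
+description: |-
+ McAfee Endpoint Security for Linux (ENSL) is a suite of software applications
+ used to monitor, detect, and defend computer networks and systems.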
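diff --git a/linux_os/guide/system/software/integrity/endpoint_security_software/mcafee_security_software/mcafee_endpoint_security_software/package_mcafeetp_installed/rule.yml b/linux_os/guide/system/software/integrity/endpoint_security_software/mcafee_security_software/mcafee_endpoint_security_software/package_mcafeetp_installed/rule.yml
new file mode 100644
index 00000000000..16587792eff
--- /dev/null
+++ b/linux_os/guide/system/software/integrity/endpoint_security_software/mcafee_security_software/mcafee_endpoint_security_software/package_mcafeetp_installed/rule.yml
@@ -0,0 +1,51 @@
+documentation_complete: true
+
+prodtype: rhel7,rhel8
+
+title: 'Install McAfee Endpoint Security for Linux (ENSL)'
+
+description: |-
+ Install McAfee Endpoint Security for Linux antivirus software
+ which is provided for DoD systems and uses signatures to search for the
+ presence of viruses on the filesystem.
+
+ {{{ describe_package_install(package="mcafeetp") }}}
+
+rationale: |-
+ Virus scanning software can be used to detect if a system has been compromised by
+ computer viruses, as well as to limit their spread to other systems.
+
+severity: high
+
+identifiers:
+ cce@rhel7: CCE-86257-3
+ cce@rhel8: CCE-86260-7
+
+references:
+ disa: CCI-001233
+ nist: SI-2(2)
+ srg: SRG-OS-000191-GPOS-00080
+ stigid@rhel7: RHEL-07-020019
+ stigid@rhel8: RHEL-08-010001
+
+ocil_clause: 'the package is not installed'
+
+ocil: '{{{ ocil_package(package="mcafeetp") }}}'
+
+warnings:
+ - general: |-
+ Due to McAfee Endpoint Security for Linux (ENSL) being 3rd party software,
+ automated remediation is not available for this configuration check.
+
+platform: machine
+
+template:
+ name: package_installed
+ vars:
+ pkgname: mcafeetp
+ backends:
+ bash: "off"
+ ansible: "off"
+ anaconda: "off"
+ puppet: "off"
+ blueprint: "off"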
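Review bot: The `backends:` map under `template:` switches remediation off one backend at a time and carries no comment saying why. A backend added to the `package_installed` template later would presumably start emitting an install step for a package that the `warnings` text says cannot be remediated automatically. A comment above the map, for example `# third-party package: check only, every remediation backend stays off`, would make the intent explicit for whoever extends the template.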
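diff --git a/products/rhel7/profiles/stig.profile b/products/rhel7/profiles/stig.profile
index f5761c891f2..9ca13600057 100644
--- a/products/rhel7/profiles/stig.profile
+++ b/products/rhel7/profiles/stig.profile
@@ -316,3 +316,5 @@ selections:
 - file_permissions_var_log_audit
 - sysctl_net_ipv4_conf_all_rp_filter
 - sysctl_net_ipv4_conf_default_rp_filter
+ - package_mcafeetp_installed
+ - agent_mfetpd_running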
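diff --git a/products/rhel8/profiles/stig.profile b/products/rhel8/profiles/stig.profile
index 9dc9360e899..36f384621ae 100644
--- a/products/rhel8/profiles/stig.profile
+++ b/products/rhel8/profiles/stig.profile
@@ -84,6 +84,10 @@ selections:
 # RHEL-08-010000
 - installed_OS_is_vendor_supported
 
+ # RHEL-08-010001
+ - package_mcafeetp_installed
+ - agent_mfetpd_running
+
 # RHEL-08-010010
 - security_patches_up_to_date
 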
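diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
index 3b24e19da06..08013e6de22 100644
--- a/shared/references/cce-redhat-avail.txt
+++ b/shared/references/cce-redhat-avail.txt
@@ -372,12 +372,8 @@ CCE-86253-2
 CCE-86254-0
 CCE-86255-7
 CCE-86256-5
-CCE-86257-3
 CCE-86258-1
 CCE-86259-9
-CCE-86260-7
-CCE-86261-5
-CCE-86262-3
 CCE-86263-1
 CCE-86264-9
 CCE-86265-6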
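diff --git a/tests/data/profile_stability/rhel8/stig.profile b/tests/data/profile_stability/rhel8/stig.profile
index e9ba0f0adbf..f3e6c4fa1a1 100644
--- a/tests/data/profile_stability/rhel8/stig.profile
+++ b/tests/data/profile_stability/rhel8/stig.profile
@@ -65,6 +65,7 @@ selections:
 - accounts_user_interactive_home_directory_defined
 - accounts_user_interactive_home_directory_exists
 - aide_check_audit_tools
+- agent_mfetpd_running
 - aide_scan_notification
 - aide_verify_acls
 - aide_verify_ext_attributes
@@ -280,6 +281,7 @@ selections:
 - package_gssproxy_removed
 - package_iprutils_removed
 - package_krb5-workstation_removed
+- package_mcafeetp_installed
 - package_opensc_installed
 - package_openssh-server_installed
 - package_policycoreutils_installed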
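diff --git a/tests/data/profile_stability/rhel8/stig_gui.profile b/tests/data/profile_stability/rhel8/stig_gui.profile
index c8540f9392e..b5b60349a83 100644
--- a/tests/data/profile_stability/rhel8/stig_gui.profile
+++ b/tests/data/profile_stability/rhel8/stig_gui.profile
@@ -76,6 +76,7 @@ selections:
 - accounts_user_interactive_home_directory_defined
 - accounts_user_interactive_home_directory_exists
 - aide_check_audit_tools
+- agent_mfetpd_running
 - aide_scan_notification
 - aide_verify_acls
 - aide_verify_ext_attributes
@@ -291,6 +292,7 @@ selections:
 - package_gssproxy_removed
 - package_iprutils_removed
 - package_krb5-workstation_removed
+- package_mcafeetp_installed
 - package_opensc_installed
 - package_openssh-server_installed
 - package_policycoreutils_installed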