From f027c56e45e703663c25dea18f78111d5d8a7e0f Mon Sep 17 00:00:00 2001

From: Matthew Burket <mburket@redhat.com>

Date: Thu, 19 Aug 2021 11:16:08 -0500

Subject: [PATCH] Added rule for RHEL-08-010400

---

 .../ansible/shared.yml                        | 27 +++++++++++++

 .../bash/shared.sh                            | 33 +++++++++++++++

 .../oval/shared.xml                           | 30 ++++++++++++++

 .../sssd_certificate_verification/rule.yml    | 40 +++++++++++++++++++

 .../tests/correct_value.pass.sh               |  6 +++

 .../tests/correct_with_others_before.pass.sh  |  6 +++

 .../tests/not_configured.fail.sh              |  5 +++

 .../tests/partial_config.fail.sh              |  6 +++

 .../tests/wrong_section.fail.sh               |  6 +++

 .../tests/wrong_value.fail.sh                 |  6 +++

 ...rtificate_verification_digest_function.var | 20 ++++++++++

 products/rhel8/profiles/stig.profile          |  2 +

 shared/references/cce-redhat-avail.txt        |  1 -

 .../data/profile_stability/rhel8/stig.profile |  4 +-

 .../profile_stability/rhel8/stig_gui.profile  |  4 +-

 15 files changed, 193 insertions(+), 3 deletions(-)

 create mode 100644 linux_os/guide/services/sssd/sssd_certificate_verification/ansible/shared.yml

 create mode 100644 linux_os/guide/services/sssd/sssd_certificate_verification/bash/shared.sh

 create mode 100644 linux_os/guide/services/sssd/sssd_certificate_verification/oval/shared.xml

 create mode 100644 linux_os/guide/services/sssd/sssd_certificate_verification/rule.yml

 create mode 100644 linux_os/guide/services/sssd/sssd_certificate_verification/tests/correct_value.pass.sh

 create mode 100644 linux_os/guide/services/sssd/sssd_certificate_verification/tests/correct_with_others_before.pass.sh

 create mode 100644 linux_os/guide/services/sssd/sssd_certificate_verification/tests/not_configured.fail.sh

 create mode 100644 linux_os/guide/services/sssd/sssd_certificate_verification/tests/partial_config.fail.sh

 create mode 100644 linux_os/guide/services/sssd/sssd_certificate_verification/tests/wrong_section.fail.sh

 create mode 100644 linux_os/guide/services/sssd/sssd_certificate_verification/tests/wrong_value.fail.sh

 create mode 100644 linux_os/guide/services/sssd/var_sssd_certificate_verification_digest_function.var

diff --git a/linux_os/guide/services/sssd/sssd_certificate_verification/ansible/shared.yml b/linux_os/guide/services/sssd/sssd_certificate_verification/ansible/shared.yml

new file mode 100644

index 00000000000..8e36f0974fd

--- /dev/null

+++ b/linux_os/guide/services/sssd/sssd_certificate_verification/ansible/shared.yml

@@ -0,0 +1,27 @@

+# platform = multi_platform_fedora,multi_platform_rhel

+# reboot = false

+# strategy = configure

+# complexity = low

+# disruption = medium

+

+- name: Ensure that "certificate_verification" is not set in /etc/sssd/sssd.conf

+  ini_file:

+      path: /etc/sssd/sssd.conf

+      section: sssd

+      option: certificate_verification

+      state: absent

+

+- name: 'Ensure that "certificate_verification" is not set in  /etc/sssd/conf.d/*.conf'

+  ini_file:

+      path: /etc/sssd/conf.d/*.conf

+      section: sssd

+      option: certificate_verification

+      state: absent

+

+- name: Ensure that "certificate_verification" is set

+  ini_file:

+      path: /etc/sssd/conf.d/certificate_verification.conf

+      section: sssd

+      option: certificate_verification

+      value: "ocsp_dgst = sha1"

+      state: present

diff --git a/linux_os/guide/services/sssd/sssd_certificate_verification/bash/shared.sh b/linux_os/guide/services/sssd/sssd_certificate_verification/bash/shared.sh

new file mode 100644

index 00000000000..8f9e5514480

--- /dev/null

+++ b/linux_os/guide/services/sssd/sssd_certificate_verification/bash/shared.sh

@@ -0,0 +1,33 @@

+# platform = multi_platform_rhel,multi_platform_fedora

+# reboot = false

+# strategy = configure

+# complexity = low

+# disruption = medium

+

+# include our remediation functions library

+. /usr/share/scap-security-guide/remediation_functions

+

+{{{ bash_instantiate_variables("var_sssd_certificate_verification_digest_function") }}}

+

+found=false

+for f in /etc/sssd/sssd.conf /etc/sssd/conf.d/*.conf; do

+	if [ ! -e "$f" ]; then

+		continue

+	fi

+	cert=$( awk '/^\s*\[/{f=0} /^\s*\[sssd\]/{f=1} f{nu=gensub("^\\s*certificate_verification\\s*=\\s*ocsp_dgst\\s*=\\s*(\\w+).*","\\1",1); if($0!=nu){cert=nu}} END{print cert}' "$f" )

+	if [ -n "$cert" ] ; then

+		if [ "$cert" != $var_sssd_certificate_verification_digest_function ] ; then

+			sed -i "s/^certificate_verification\s*=.*/certificate_verification = ocsp_dgst = $var_sssd_certificate_verification_digest_function/" "$f"

+		fi

+		found=true

+	fi

+done

+

+if ! $found ; then

+	SSSD_CONF="/etc/sssd/conf.d/certificate_verification.conf"

+	mkdir -p $( dirname $SSSD_CONF )

+	touch $SSSD_CONF

+	chown root:root $SSSD_CONF

+	chmod 600 $SSSD_CONF

+	echo -e "[sssd]\ncertificate_verification = ocsp_dgst = $var_sssd_certificate_verification_digest_function" >> $SSSD_CONF

+fi

diff --git a/linux_os/guide/services/sssd/sssd_certificate_verification/oval/shared.xml b/linux_os/guide/services/sssd/sssd_certificate_verification/oval/shared.xml

new file mode 100644

index 00000000000..77736f54f03

--- /dev/null

+++ b/linux_os/guide/services/sssd/sssd_certificate_verification/oval/shared.xml

@@ -0,0 +1,30 @@

+<def-group>

+    <definition class="compliance" id="{{{ rule_id }}}" version="1">

+           {{{ oval_metadata("SSSD should be configured with the correct ocsp_dgst

+            digest function") }}}

+        <criteria>

+            

+                       test_ref="test_{{{rule_id}}}" />

+        </criteria>

+    </definition>

+

+    

+        certificate_verification in sssd configuration" id="test_{{{rule_id}}}" version="1">

+        <ind:object object_ref="obj_{{{rule_id}}}" />

+        <ind:state state_ref="state_{{{rule_id}}}" />

+    </ind:textfilecontent54_test>

+

+    <ind:textfilecontent54_object id="obj_{{{rule_id}}}" version="1">

+        <ind:filepath operation="pattern match">^/etc/sssd/(sssd|conf\.d/.*)\.conf$</ind:filepath>

+        <ind:pattern operation="pattern match">^[\s]*\[sssd](?:[^\n\[]*\n+)+?[\s]*certificate_verification\s*=\s*ocsp_dgst\s*=\s*(\w+)$</ind:pattern>

+        <ind:instance datatype="int">1</ind:instance>

+    </ind:textfilecontent54_object>

+

+    <ind:textfilecontent54_state comment="value of certificate_verification" id="state_{{{rule_id}}}" version="1">

+        

+                           var_ref="var_sssd_certificate_verification_digest_function" />

+    </ind:textfilecontent54_state>

+

+    

+                       id="var_sssd_certificate_verification_digest_function" version="1" />

+</def-group>

diff --git a/linux_os/guide/services/sssd/sssd_certificate_verification/rule.yml b/linux_os/guide/services/sssd/sssd_certificate_verification/rule.yml

new file mode 100644

index 00000000000..182e75a2aab

--- /dev/null

+++ b/linux_os/guide/services/sssd/sssd_certificate_verification/rule.yml

@@ -0,0 +1,40 @@

+documentation_complete: true

+

+prodtype: fedora,rhel8

+

+title: 'Certificate certificate status checking in SSSD'

+

+description: |-

+    Multifactor solutions that require devices separate from information systems gaining access include,

+    for example, hardware tokens providing time-based or challenge-response authenticators and smart cards.

+    By configuring <tt>certificate_verification</tt> to <tt>ocsp_dgst=sha1</tt> sures that certificates for

+    multifactor solutions are checked via Online Certificate Status Protocol (OCSP).

+

+rationale: |-

+    Enusring that multifactor solutions certificates are checked via Online Certificate Status Protocol (OCSP)

+    ensures the security of the system.

+

+severity: medium

+

+identifiers:

+   cce@rhel8: CCE-86120-3

+

+references:

+    disa: CCI-001948

+    nist: IA-2(11)

+    srg: SRG-OS-000375-GPOS-00160,SRG-OS-000377-GPOS-00162

+    stigid@rhel8: RHEL-08-010400

+

+

+ocil_clause: 'certificate_verification in sssd is not configured'

+

+ocil: |-

+    Check to see if Online Certificate Status Protocol (OCSP)

+    is enabled and using the proper digest value on the system with the following command:

+    
$ sudo grep certificate_verification /etc/sssd/sssd.conf /etc/sssd/conf.d/*.conf | grep -v "^#"

+    If configured properly, output should look like

+    

+        certificate_verification = ocsp_dgst=sha1

+    

+    The "sssd" service must be restarted for the changes to take effect. To restart the "sssd" service, run the following command:

+    
$ sudo systemctl restart sssd.service

diff --git a/linux_os/guide/services/sssd/sssd_certificate_verification/tests/correct_value.pass.sh b/linux_os/guide/services/sssd/sssd_certificate_verification/tests/correct_value.pass.sh

new file mode 100644

index 00000000000..24c19f44fdc

--- /dev/null

+++ b/linux_os/guide/services/sssd/sssd_certificate_verification/tests/correct_value.pass.sh

@@ -0,0 +1,6 @@

+#!/bin/bash

+# packages = sssd-common

+

+mkdir -p /etc/sssd/conf.d

+touch /etc/sssd/sssd.conf

+echo -e "[sssd]\ncertificate_verification = ocsp_dgst=sha1" >> /etc/sssd/sssd.conf

diff --git a/linux_os/guide/services/sssd/sssd_certificate_verification/tests/correct_with_others_before.pass.sh b/linux_os/guide/services/sssd/sssd_certificate_verification/tests/correct_with_others_before.pass.sh

new file mode 100644

index 00000000000..982450fc81b

--- /dev/null

+++ b/linux_os/guide/services/sssd/sssd_certificate_verification/tests/correct_with_others_before.pass.sh

@@ -0,0 +1,6 @@

+#!/bin/bash

+# packages = sssd-common

+

+mkdir -p /etc/sssd/conf.d

+touch /etc/sssd/sssd.conf

+echo -e "[sssd]\ndifferent_option = test\ncertificate_verification = ocsp_dgst=sha1" >> /etc/sssd/sssd.conf

diff --git a/linux_os/guide/services/sssd/sssd_certificate_verification/tests/not_configured.fail.sh b/linux_os/guide/services/sssd/sssd_certificate_verification/tests/not_configured.fail.sh

new file mode 100644

index 00000000000..ed011f9d4bc

--- /dev/null

+++ b/linux_os/guide/services/sssd/sssd_certificate_verification/tests/not_configured.fail.sh

@@ -0,0 +1,5 @@

+#!/bin/bash

+# packages = sssd-common

+

+mkdir -p /etc/sssd/conf.d

+touch /etc/sssd/sssd.conf

diff --git a/linux_os/guide/services/sssd/sssd_certificate_verification/tests/partial_config.fail.sh b/linux_os/guide/services/sssd/sssd_certificate_verification/tests/partial_config.fail.sh

new file mode 100644

index 00000000000..3c7c468b9d5

--- /dev/null

+++ b/linux_os/guide/services/sssd/sssd_certificate_verification/tests/partial_config.fail.sh

@@ -0,0 +1,6 @@

+#!/bin/bash

+# packages = sssd-common

+

+mkdir -p /etc/sssd/conf.d

+touch /etc/sssd/sssd.conf

+echo -e "[sssd]\ncertificate_verification = ocsp_dgst=" >> /etc/sssd/sssd.conf

diff --git a/linux_os/guide/services/sssd/sssd_certificate_verification/tests/wrong_section.fail.sh b/linux_os/guide/services/sssd/sssd_certificate_verification/tests/wrong_section.fail.sh

new file mode 100644

index 00000000000..635ca4bebcc

--- /dev/null

+++ b/linux_os/guide/services/sssd/sssd_certificate_verification/tests/wrong_section.fail.sh

@@ -0,0 +1,6 @@

+#!/bin/bash

+# packages = sssd-common

+

+mkdir -p /etc/sssd/conf.d

+touch /etc/sssd/sssd.conf

+echo -e "[ssd]\ncertificate_verification = ocsp_dgst=sha1" >> /etc/sssd/sssd.conf

diff --git a/linux_os/guide/services/sssd/sssd_certificate_verification/tests/wrong_value.fail.sh b/linux_os/guide/services/sssd/sssd_certificate_verification/tests/wrong_value.fail.sh

new file mode 100644

index 00000000000..93f363edc04

--- /dev/null

+++ b/linux_os/guide/services/sssd/sssd_certificate_verification/tests/wrong_value.fail.sh

@@ -0,0 +1,6 @@

+#!/bin/bash

+# packages = sssd-common

+

+mkdir -p /etc/sssd/conf.d

+touch /etc/sssd/sssd.conf

+echo -e "[sssd]\ncertificate_verification = ocsp_dgst=sha256" >> /etc/sssd/sssd.conf

diff --git a/linux_os/guide/services/sssd/var_sssd_certificate_verification_digest_function.var b/linux_os/guide/services/sssd/var_sssd_certificate_verification_digest_function.var

new file mode 100644

index 00000000000..cdbd0a13576

--- /dev/null

+++ b/linux_os/guide/services/sssd/var_sssd_certificate_verification_digest_function.var

@@ -0,0 +1,20 @@

+documentation_complete: true

+

+title: 'SSSD certificate_verification option'

+

+description: |-

+    Value of the certificate_verification option in

+    the SSSD config.

+

+type: string

+

+operator: equals

+

+interactive: true

+

+options:

+    sha1: sha1

+    sha256: sha256

+    sha384: sha384

+    sha512: sha512

+    default: sha1

diff --git a/products/rhel8/profiles/stig.profile b/products/rhel8/profiles/stig.profile

index 9dc9360e899..5b1f709faaf 100644

--- a/products/rhel8/profiles/stig.profile

+++ b/products/rhel8/profiles/stig.profile

@@ -70,6 +70,7 @@ selections:

     - var_auditd_disk_error_action=halt

     - var_auditd_max_log_file_action=syslog

     - var_auditd_disk_full_action=halt

+    - var_sssd_certificate_verification_digest_function=sha1

     ### Enable / Configure FIPS

     - enable_fips_mode

@@ -275,6 +276,7 @@ selections:

     - install_smartcard_packages

     # RHEL-08-010400

+    - sssd_certificate_verification

     # RHEL-08-010410

     - package_opensc_installed

diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt

index 3b24e19da06..81f94f7dbca 100644

--- a/shared/references/cce-redhat-avail.txt

+++ b/shared/references/cce-redhat-avail.txt

@@ -236,7 +236,6 @@ CCE-86116-1

 CCE-86117-9

 CCE-86118-7

 CCE-86119-5

-CCE-86120-3

 CCE-86121-1

 CCE-86122-9

 CCE-86123-7

diff --git a/tests/data/profile_stability/rhel8/stig.profile b/tests/data/profile_stability/rhel8/stig.profile

index e9ba0f0adbf..baef93bba64 100644

--- a/tests/data/profile_stability/rhel8/stig.profile

+++ b/tests/data/profile_stability/rhel8/stig.profile

@@ -342,6 +342,7 @@ selections:

 - sshd_set_keepalive_0

 - sshd_use_strong_rng

 - sshd_x11_use_localhost

+- sssd_certificate_verification

 - sssd_enable_certmap

 - sssd_enable_smartcards

 - sssd_offline_cred_expiration

@@ -410,6 +411,7 @@ selections:

 - sshd_approved_macs=stig

 - sshd_approved_ciphers=stig

 - sshd_idle_timeout_value=10_minutes

+- var_accounts_authorized_local_users_regex=rhel8

 - var_accounts_passwords_pam_faillock_deny=3

 - var_accounts_passwords_pam_faillock_fail_interval=900

 - var_accounts_passwords_pam_faillock_unlock_time=never

@@ -425,7 +427,7 @@ selections:

 - var_auditd_disk_error_action=halt

 - var_auditd_max_log_file_action=syslog

 - var_auditd_disk_full_action=halt

-- var_accounts_authorized_local_users_regex=rhel8

+- var_sssd_certificate_verification_digest_function=sha1

 - var_system_crypto_policy=fips

 - var_sudo_timestamp_timeout=always_prompt

 title: DISA STIG for Red Hat Enterprise Linux 8

diff --git a/tests/data/profile_stability/rhel8/stig_gui.profile b/tests/data/profile_stability/rhel8/stig_gui.profile

index c8540f9392e..237f66c721f 100644

--- a/tests/data/profile_stability/rhel8/stig_gui.profile

+++ b/tests/data/profile_stability/rhel8/stig_gui.profile

@@ -353,6 +353,7 @@ selections:

 - sshd_set_keepalive_0

 - sshd_use_strong_rng

 - sshd_x11_use_localhost

+- sssd_certificate_verification

 - sssd_enable_certmap

 - sssd_enable_smartcards

 - sssd_offline_cred_expiration

@@ -420,6 +421,7 @@ selections:

 - sshd_approved_macs=stig

 - sshd_approved_ciphers=stig

 - sshd_idle_timeout_value=10_minutes

+- var_accounts_authorized_local_users_regex=rhel8

 - var_accounts_passwords_pam_faillock_deny=3

 - var_accounts_passwords_pam_faillock_fail_interval=900

 - var_accounts_passwords_pam_faillock_unlock_time=never

@@ -435,7 +437,7 @@ selections:

 - var_auditd_disk_error_action=halt

 - var_auditd_max_log_file_action=syslog

 - var_auditd_disk_full_action=halt

-- var_accounts_authorized_local_users_regex=rhel8

+- var_sssd_certificate_verification_digest_function=sha1

 - var_system_crypto_policy=fips

 - var_sudo_timestamp_timeout=always_prompt

 title: DISA STIG with GUI for Red Hat Enterprise Linux 8