Blame SOURCES/scap-security-guide-0.1.58-RHEL_08_020320-PR_7303.patch

76240a
From d6f7334d642fb311d32d7a171c460cd05e6625b8 Mon Sep 17 00:00:00 2001
76240a
From: Matthew Burket <mburket@redhat.com>
76240a
Date: Fri, 6 Aug 2021 10:48:46 -0500
76240a
Subject: [PATCH] Add rule for RHEL-08-020320
76240a
76240a
---
76240a
 .../ansible/shared.yml                           |  0
76240a
 .../bash/shared.sh                               |  2 +-
76240a
 .../oval/shared.xml                              |  2 +-
76240a
 .../accounts_authorized_local_users/rule.yml     | 12 +++++++++---
76240a
 .../tests/bad_user.fail.sh                       |  2 ++
76240a
 .../tests/default.pass.sh                        | 16 ++++++++++++++++
76240a
 ...var_accounts_authorized_local_users_regex.var |  1 +
76240a
 products/rhel8/profiles/stig.profile             |  3 ++-
76240a
 shared/references/cce-redhat-avail.txt           |  1 -
76240a
 tests/data/profile_stability/rhel8/stig.profile  |  2 ++
76240a
 .../profile_stability/rhel8/stig_gui.profile     |  2 ++
76240a
 11 files changed, 36 insertions(+), 7 deletions(-)
76240a
 rename linux_os/guide/system/{software/sap_host => accounts/accounts-restrictions}/accounts_authorized_local_users/ansible/shared.yml (100%)
76240a
 rename linux_os/guide/system/{software/sap_host => accounts/accounts-restrictions}/accounts_authorized_local_users/bash/shared.sh (95%)
76240a
 rename linux_os/guide/system/{software/sap_host => accounts/accounts-restrictions}/accounts_authorized_local_users/oval/shared.xml (98%)
76240a
 rename linux_os/guide/system/{software/sap_host => accounts/accounts-restrictions}/accounts_authorized_local_users/rule.yml (88%)
76240a
 create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/accounts_authorized_local_users/tests/bad_user.fail.sh
76240a
 create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/accounts_authorized_local_users/tests/default.pass.sh
76240a
 rename linux_os/guide/system/{software/sap_host => accounts/accounts-restrictions}/var_accounts_authorized_local_users_regex.var (81%)
76240a
76240a
diff --git a/linux_os/guide/system/software/sap_host/accounts_authorized_local_users/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-restrictions/accounts_authorized_local_users/ansible/shared.yml
76240a
similarity index 100%
76240a
rename from linux_os/guide/system/software/sap_host/accounts_authorized_local_users/ansible/shared.yml
76240a
rename to linux_os/guide/system/accounts/accounts-restrictions/accounts_authorized_local_users/ansible/shared.yml
76240a
diff --git a/linux_os/guide/system/software/sap_host/accounts_authorized_local_users/bash/shared.sh b/linux_os/guide/system/accounts/accounts-restrictions/accounts_authorized_local_users/bash/shared.sh
76240a
similarity index 95%
76240a
rename from linux_os/guide/system/software/sap_host/accounts_authorized_local_users/bash/shared.sh
76240a
rename to linux_os/guide/system/accounts/accounts-restrictions/accounts_authorized_local_users/bash/shared.sh
76240a
index c342acf36d1..fedb02d84ce 100644
76240a
--- a/linux_os/guide/system/software/sap_host/accounts_authorized_local_users/bash/shared.sh
76240a
+++ b/linux_os/guide/system/accounts/accounts-restrictions/accounts_authorized_local_users/bash/shared.sh
76240a
@@ -10,7 +10,7 @@ default_os_user="root"
76240a
 for username in $( sed 's/:.*//' /etc/passwd ) ; do
76240a
 	if [[ ! "$username" =~ ($default_os_user|$var_accounts_authorized_local_users_regex) ]];
76240a
         then
76240a
-		userdel $username ; 
76240a
+		userdel $username ;
76240a
 	fi
76240a
 done
76240a
 
76240a
diff --git a/linux_os/guide/system/software/sap_host/accounts_authorized_local_users/oval/shared.xml b/linux_os/guide/system/accounts/accounts-restrictions/accounts_authorized_local_users/oval/shared.xml
76240a
similarity index 98%
76240a
rename from linux_os/guide/system/software/sap_host/accounts_authorized_local_users/oval/shared.xml
76240a
rename to linux_os/guide/system/accounts/accounts-restrictions/accounts_authorized_local_users/oval/shared.xml
76240a
index 4e42081d0dc..c56799ded20 100644
76240a
--- a/linux_os/guide/system/software/sap_host/accounts_authorized_local_users/oval/shared.xml
76240a
+++ b/linux_os/guide/system/accounts/accounts-restrictions/accounts_authorized_local_users/oval/shared.xml
76240a
@@ -32,6 +32,6 @@
76240a
     var_ref="var_accounts_authorized_local_users_regex"></ind:subexpression>
76240a
   </ind:textfilecontent54_state>
76240a
 
76240a
-  
76240a
+  
76240a
   comment="accounts authorized local users on operating system"/>
76240a
 </def-group>
76240a
diff --git a/linux_os/guide/system/software/sap_host/accounts_authorized_local_users/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/accounts_authorized_local_users/rule.yml
76240a
similarity index 88%
76240a
rename from linux_os/guide/system/software/sap_host/accounts_authorized_local_users/rule.yml
76240a
rename to linux_os/guide/system/accounts/accounts-restrictions/accounts_authorized_local_users/rule.yml
76240a
index ddbda30afe6..e2311f6a5c3 100644
76240a
--- a/linux_os/guide/system/software/sap_host/accounts_authorized_local_users/rule.yml
76240a
+++ b/linux_os/guide/system/accounts/accounts-restrictions/accounts_authorized_local_users/rule.yml
76240a
@@ -1,6 +1,6 @@
76240a
 documentation_complete: true
76240a
 
76240a
-prodtype: ol7,sle12,sle15
76240a
+prodtype: ol7,sle12,sle15,fedora,rhel8
76240a
 
76240a
 title: 'Only Authorized Local User Accounts Exist on Operating System'
76240a
 
76240a
@@ -26,11 +26,10 @@ rationale: |-
76240a
 severity: medium
76240a
 
76240a
 identifiers:
76240a
+    cce@rhel8: CCE-85987-6
76240a
     cce@sle12: CCE-83195-8
76240a
     cce@sle15: CCE-85561-9
76240a
 
76240a
-severity: medium
76240a
-
76240a
 references:
76240a
     disa: CCI-000366
76240a
     nist@sle12: CM-6(b),CM-6.1(iv)
76240a
@@ -41,6 +40,13 @@ references:
76240a
 
76240a
 ocil_clause: 'there are unauthorized local user accounts on the system'
76240a
 
76240a
+{{% if 'rhel' in product %}}
76240a
+warnings:
76240a
+    - general: |-
76240a
+        Automatic remediation of this control is not available. Due the unique
76240a
+        requirements of each system.
76240a
+{{% endif %}}
76240a
+
76240a
 ocil: |-
76240a
     To verify that there are no unauthorized local user accounts, run the following command:
76240a
     
$ less /etc/passwd 
76240a
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/accounts_authorized_local_users/tests/bad_user.fail.sh b/linux_os/guide/system/accounts/accounts-restrictions/accounts_authorized_local_users/tests/bad_user.fail.sh
76240a
new file mode 100644
76240a
index 00000000000..6dabaff6bc6
76240a
--- /dev/null
76240a
+++ b/linux_os/guide/system/accounts/accounts-restrictions/accounts_authorized_local_users/tests/bad_user.fail.sh
76240a
@@ -0,0 +1,2 @@
76240a
+#! /bin/bash
76240a
+adduser testuser
76240a
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/accounts_authorized_local_users/tests/default.pass.sh b/linux_os/guide/system/accounts/accounts-restrictions/accounts_authorized_local_users/tests/default.pass.sh
76240a
new file mode 100644
76240a
index 00000000000..d942f81d04f
76240a
--- /dev/null
76240a
+++ b/linux_os/guide/system/accounts/accounts-restrictions/accounts_authorized_local_users/tests/default.pass.sh
76240a
@@ -0,0 +1,16 @@
76240a
+#! /bin/bash
76240a
+# platform = multi_platform_rhel
76240a
+
76240a
+var_accounts_authorized_local_users_regex="^(root|bin|daemon|adm|lp|sync|shutdown|halt|mail|operator|games|ftp|nobody|pegasus|systemd-bus-proxy|systemd-network|dbus|polkitd|abrt|unbound|tss|libstoragemgmt|rpc|colord|usbmuxd$|pcp|saslauth|geoclue|setroubleshoot|rtkit|chrony|qemu|radvd|rpcuser|nfsnobody|pulse|gdm|gnome-initial-setup|postfix|avahi|ntp|sshd|tcpdump|oprofile|uuidd)$"
76240a
+
76240a
+# never delete the root user
76240a
+default_os_user="root"
76240a
+
76240a
+# delete users that is in /etc/passwd but neither in default_os_user
76240a
+# nor in var_accounts_authorized_local_users_regex
76240a
+for username in $( sed 's/:.*//' /etc/passwd ) ; do
76240a
+	if [[ ! "$username" =~ ($default_os_user|$var_accounts_authorized_local_users_regex) ]];
76240a
+        then
76240a
+		echo $username ;
76240a
+	fi
76240a
+done
76240a
diff --git a/linux_os/guide/system/software/sap_host/var_accounts_authorized_local_users_regex.var b/linux_os/guide/system/accounts/accounts-restrictions/var_accounts_authorized_local_users_regex.var
76240a
similarity index 81%
76240a
rename from linux_os/guide/system/software/sap_host/var_accounts_authorized_local_users_regex.var
76240a
rename to linux_os/guide/system/accounts/accounts-restrictions/var_accounts_authorized_local_users_regex.var
76240a
index 81626307321..2f456764617 100644
76240a
--- a/linux_os/guide/system/software/sap_host/var_accounts_authorized_local_users_regex.var
76240a
+++ b/linux_os/guide/system/accounts/accounts-restrictions/var_accounts_authorized_local_users_regex.var
76240a
@@ -22,5 +22,6 @@ operator: pattern match
76240a
 interactive: true
76240a
 
76240a
 options:
76240a
+    rhel8: "^(root|bin|daemon|adm|lp|sync|shutdown|halt|mail|operator|games|ftp|nobody|pegasus|systemd-bus-proxy|systemd-network|dbus|polkitd|abrt|unbound|tss|libstoragemgmt|rpc|colord|usbmuxd$|pcp|saslauth|geoclue|setroubleshoot|rtkit|chrony|qemu|radvd|rpcuser|nfsnobody|pulse|gdm|gnome-initial-setup|postfix|avahi|ntp|sshd|tcpdump|oprofile|uuidd|systemd-resolve|systemd-coredump|sssd|rngd)$"
76240a
     ol7forsap: "^(root|bin|daemon|adm|lp|sync|shutdown|halt|mail|operator|games|ftp|nobody|pegasus|systemd-bus-proxy|systemd-network|dbus|polkitd|abrt|unbound|tss|libstoragemgmt|rpc|colord|usbmuxd$|pcp|saslauth|geoclue|setroubleshoot|rtkit|chrony|qemu|radvd|rpcuser|nfsnobody|pulse|gdm|gnome-initial-setup|postfix|avahi|ntp|sshd|tcpdump|oprofile|uuidd)$"
76240a
     saponol7 : "^(root|bin|daemon|adm|lp|sync|shutdown|halt|mail|operator|games|ftp|nobody|pegasus|systemd-bus-proxy|systemd-network|dbus|polkitd|abrt|unbound|tss|libstoragemgmt|rpc|colord|usbmuxd$|pcp|saslauth|geoclue|setroubleshoot|rtkit|chrony|qemu|radvd|rpcuser|nfsnobody|pulse|gdm|gnome-initial-setup|postfix|avahi|ntp|sshd|tcpdump|oprofile|uuidd|[a-z][a-z0-9][a-z0-9]adm|ora[a-z][a-z0-9][a-z0-9]|sapadm|oracle)$"
76240a
diff --git a/products/rhel8/profiles/stig.profile b/products/rhel8/profiles/stig.profile
76240a
index f66b2a24a75..ec2929e8dc4 100644
76240a
--- a/products/rhel8/profiles/stig.profile
76240a
+++ b/products/rhel8/profiles/stig.profile
76240a
@@ -54,6 +54,7 @@ selections:
76240a
     - sshd_approved_macs=stig
76240a
     - sshd_approved_ciphers=stig
76240a
     - sshd_idle_timeout_value=10_minutes
76240a
+    - var_accounts_authorized_local_users_regex=rhel8
76240a
     - var_accounts_passwords_pam_faillock_deny=3
76240a
     - var_accounts_passwords_pam_faillock_fail_interval=900
76240a
     - var_accounts_passwords_pam_faillock_unlock_time=never
76240a
@@ -576,7 +577,7 @@ selections:
76240a
     - accounts_logon_fail_delay
76240a
 
76240a
     # RHEL-08-020320
76240a
-    # - accounts_authorized_local_users
76240a
+    - accounts_authorized_local_users
76240a
 
76240a
     # RHEL-08-020330
76240a
     - sshd_disable_empty_passwords
76240a
diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
76240a
index 1d54e8ec15f..3047c2d9b92 100644
76240a
--- a/shared/references/cce-redhat-avail.txt
76240a
+++ b/shared/references/cce-redhat-avail.txt
76240a
@@ -115,7 +115,6 @@ CCE-85983-5
76240a
 CCE-85984-3
76240a
 CCE-85985-0
76240a
 CCE-85986-8
76240a
-CCE-85987-6
76240a
 CCE-85988-4
76240a
 CCE-85989-2
76240a
 CCE-85990-0
76240a
diff --git a/tests/data/profile_stability/rhel8/stig.profile b/tests/data/profile_stability/rhel8/stig.profile
76240a
index fcae79f6d88..9496f1e1d1d 100644
76240a
--- a/tests/data/profile_stability/rhel8/stig.profile
76240a
+++ b/tests/data/profile_stability/rhel8/stig.profile
76240a
@@ -27,6 +27,7 @@ selections:
76240a
 - account_emergency_expire_date
76240a
 - account_temp_expire_date
76240a
 - account_unique_id
76240a
+- accounts_authorized_local_users
76240a
 - accounts_have_homedir_login_defs
76240a
 - accounts_logon_fail_delay
76240a
 - accounts_max_concurrent_login_sessions
76240a
@@ -358,6 +359,7 @@ selections:
76240a
 - var_auditd_disk_error_action=halt
76240a
 - var_auditd_max_log_file_action=syslog
76240a
 - var_auditd_disk_full_action=halt
76240a
+- var_accounts_authorized_local_users_regex=rhel8
76240a
 - var_system_crypto_policy=fips
76240a
 - var_sudo_timestamp_timeout=always_prompt
76240a
 title: DISA STIG for Red Hat Enterprise Linux 8
76240a
diff --git a/tests/data/profile_stability/rhel8/stig_gui.profile b/tests/data/profile_stability/rhel8/stig_gui.profile
76240a
index 2bbd1881f51..9e0c648a5f8 100644
76240a
--- a/tests/data/profile_stability/rhel8/stig_gui.profile
76240a
+++ b/tests/data/profile_stability/rhel8/stig_gui.profile
76240a
@@ -38,6 +38,7 @@ selections:
76240a
 - account_emergency_expire_date
76240a
 - account_temp_expire_date
76240a
 - account_unique_id
76240a
+- accounts_authorized_local_users
76240a
 - accounts_have_homedir_login_defs
76240a
 - accounts_logon_fail_delay
76240a
 - accounts_max_concurrent_login_sessions
76240a
@@ -368,6 +369,7 @@ selections:
76240a
 - var_auditd_disk_error_action=halt
76240a
 - var_auditd_max_log_file_action=syslog
76240a
 - var_auditd_disk_full_action=halt
76240a
+- var_accounts_authorized_local_users_regex=rhel8
76240a
 - var_system_crypto_policy=fips
76240a
 - var_sudo_timestamp_timeout=always_prompt
76240a
 title: DISA STIG with GUI for Red Hat Enterprise Linux 8