|
 |
362bfa |
From d6f7334d642fb311d32d7a171c460cd05e6625b8 Mon Sep 17 00:00:00 2001
|
|
|
362bfa |
From: Matthew Burket <mburket@redhat.com>
|
|
|
362bfa |
Date: Fri, 6 Aug 2021 10:48:46 -0500
|
|
|
362bfa |
Subject: [PATCH] Add rule for RHEL-08-020320
|
|
|
362bfa |
|
|
|
362bfa |
---
|
|
|
362bfa |
.../ansible/shared.yml | 0
|
|
|
362bfa |
.../bash/shared.sh | 2 +-
|
|
|
362bfa |
.../oval/shared.xml | 2 +-
|
|
|
362bfa |
.../accounts_authorized_local_users/rule.yml | 12 +++++++++---
|
|
|
362bfa |
.../tests/bad_user.fail.sh | 2 ++
|
|
|
362bfa |
.../tests/default.pass.sh | 16 ++++++++++++++++
|
|
|
362bfa |
...var_accounts_authorized_local_users_regex.var | 1 +
|
|
|
362bfa |
products/rhel8/profiles/stig.profile | 3 ++-
|
|
|
362bfa |
shared/references/cce-redhat-avail.txt | 1 -
|
|
|
362bfa |
tests/data/profile_stability/rhel8/stig.profile | 2 ++
|
|
|
362bfa |
.../profile_stability/rhel8/stig_gui.profile | 2 ++
|
|
|
362bfa |
11 files changed, 36 insertions(+), 7 deletions(-)
|
|
|
362bfa |
rename linux_os/guide/system/{software/sap_host => accounts/accounts-restrictions}/accounts_authorized_local_users/ansible/shared.yml (100%)
|
|
|
362bfa |
rename linux_os/guide/system/{software/sap_host => accounts/accounts-restrictions}/accounts_authorized_local_users/bash/shared.sh (95%)
|
|
|
362bfa |
rename linux_os/guide/system/{software/sap_host => accounts/accounts-restrictions}/accounts_authorized_local_users/oval/shared.xml (98%)
|
|
|
362bfa |
rename linux_os/guide/system/{software/sap_host => accounts/accounts-restrictions}/accounts_authorized_local_users/rule.yml (88%)
|
|
|
362bfa |
create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/accounts_authorized_local_users/tests/bad_user.fail.sh
|
|
|
362bfa |
create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/accounts_authorized_local_users/tests/default.pass.sh
|
|
|
362bfa |
rename linux_os/guide/system/{software/sap_host => accounts/accounts-restrictions}/var_accounts_authorized_local_users_regex.var (81%)
|
|
|
362bfa |
|
|
|
362bfa |
diff --git a/linux_os/guide/system/software/sap_host/accounts_authorized_local_users/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-restrictions/accounts_authorized_local_users/ansible/shared.yml
|
|
|
362bfa |
similarity index 100%
|
|
|
362bfa |
rename from linux_os/guide/system/software/sap_host/accounts_authorized_local_users/ansible/shared.yml
|
|
|
362bfa |
rename to linux_os/guide/system/accounts/accounts-restrictions/accounts_authorized_local_users/ansible/shared.yml
|
|
|
362bfa |
diff --git a/linux_os/guide/system/software/sap_host/accounts_authorized_local_users/bash/shared.sh b/linux_os/guide/system/accounts/accounts-restrictions/accounts_authorized_local_users/bash/shared.sh
|
|
|
362bfa |
similarity index 95%
|
|
|
362bfa |
rename from linux_os/guide/system/software/sap_host/accounts_authorized_local_users/bash/shared.sh
|
|
|
362bfa |
rename to linux_os/guide/system/accounts/accounts-restrictions/accounts_authorized_local_users/bash/shared.sh
|
|
|
362bfa |
index c342acf36d1..fedb02d84ce 100644
|
|
|
362bfa |
--- a/linux_os/guide/system/software/sap_host/accounts_authorized_local_users/bash/shared.sh
|
|
|
362bfa |
+++ b/linux_os/guide/system/accounts/accounts-restrictions/accounts_authorized_local_users/bash/shared.sh
|
|
|
362bfa |
@@ -10,7 +10,7 @@ default_os_user="root"
|
|
|
362bfa |
for username in $( sed 's/:.*//' /etc/passwd ) ; do
|
|
|
362bfa |
if [[ ! "$username" =~ ($default_os_user|$var_accounts_authorized_local_users_regex) ]];
|
|
|
362bfa |
then
|
|
|
362bfa |
- userdel $username ;
|
|
|
362bfa |
+ userdel $username ;
|
|
|
362bfa |
fi
|
|
|
362bfa |
done
|
|
|
362bfa |
|
|
|
362bfa |
diff --git a/linux_os/guide/system/software/sap_host/accounts_authorized_local_users/oval/shared.xml b/linux_os/guide/system/accounts/accounts-restrictions/accounts_authorized_local_users/oval/shared.xml
|
|
|
362bfa |
similarity index 98%
|
|
|
362bfa |
rename from linux_os/guide/system/software/sap_host/accounts_authorized_local_users/oval/shared.xml
|
|
|
362bfa |
rename to linux_os/guide/system/accounts/accounts-restrictions/accounts_authorized_local_users/oval/shared.xml
|
|
|
362bfa |
index 4e42081d0dc..c56799ded20 100644
|
|
|
362bfa |
--- a/linux_os/guide/system/software/sap_host/accounts_authorized_local_users/oval/shared.xml
|
|
|
362bfa |
+++ b/linux_os/guide/system/accounts/accounts-restrictions/accounts_authorized_local_users/oval/shared.xml
|
|
|
362bfa |
@@ -32,6 +32,6 @@
|
|
|
362bfa |
var_ref="var_accounts_authorized_local_users_regex"></ind:subexpression>
|
|
|
362bfa |
</ind:textfilecontent54_state>
|
|
|
362bfa |
|
|
|
362bfa |
-
|
|
|
362bfa |
+
|
|
|
362bfa |
comment="accounts authorized local users on operating system"/>
|
|
|
362bfa |
</def-group>
|
|
|
362bfa |
diff --git a/linux_os/guide/system/software/sap_host/accounts_authorized_local_users/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/accounts_authorized_local_users/rule.yml
|
|
|
362bfa |
similarity index 88%
|
|
|
362bfa |
rename from linux_os/guide/system/software/sap_host/accounts_authorized_local_users/rule.yml
|
|
|
362bfa |
rename to linux_os/guide/system/accounts/accounts-restrictions/accounts_authorized_local_users/rule.yml
|
|
|
362bfa |
index ddbda30afe6..e2311f6a5c3 100644
|
|
|
362bfa |
--- a/linux_os/guide/system/software/sap_host/accounts_authorized_local_users/rule.yml
|
|
|
362bfa |
+++ b/linux_os/guide/system/accounts/accounts-restrictions/accounts_authorized_local_users/rule.yml
|
|
|
362bfa |
@@ -1,6 +1,6 @@
|
|
|
362bfa |
documentation_complete: true
|
|
|
362bfa |
|
|
|
362bfa |
-prodtype: ol7,sle12,sle15
|
|
|
362bfa |
+prodtype: ol7,sle12,sle15,fedora,rhel8
|
|
|
362bfa |
|
|
|
362bfa |
title: 'Only Authorized Local User Accounts Exist on Operating System'
|
|
|
362bfa |
|
|
|
362bfa |
@@ -26,11 +26,10 @@ rationale: |-
|
|
|
362bfa |
severity: medium
|
|
|
362bfa |
|
|
|
362bfa |
identifiers:
|
|
|
362bfa |
+ cce@rhel8: CCE-85987-6
|
|
|
362bfa |
cce@sle12: CCE-83195-8
|
|
|
362bfa |
cce@sle15: CCE-85561-9
|
|
|
362bfa |
|
|
|
362bfa |
-severity: medium
|
|
|
362bfa |
-
|
|
|
362bfa |
references:
|
|
|
362bfa |
disa: CCI-000366
|
|
|
362bfa |
nist@sle12: CM-6(b),CM-6.1(iv)
|
|
|
362bfa |
@@ -41,6 +40,13 @@ references:
|
|
|
362bfa |
|
|
|
362bfa |
ocil_clause: 'there are unauthorized local user accounts on the system'
|
|
|
362bfa |
|
|
|
362bfa |
+{{% if 'rhel' in product %}}
|
|
|
362bfa |
+warnings:
|
|
|
362bfa |
+ - general: |-
|
|
|
362bfa |
+ Automatic remediation of this control is not available. Due the unique
|
|
|
362bfa |
+ requirements of each system.
|
|
|
362bfa |
+{{% endif %}}
|
|
|
362bfa |
+
|
|
|
362bfa |
ocil: |-
|
|
|
362bfa |
To verify that there are no unauthorized local user accounts, run the following command:
|
|
|
362bfa |
$ less /etc/passwd
|
|
|
362bfa |
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/accounts_authorized_local_users/tests/bad_user.fail.sh b/linux_os/guide/system/accounts/accounts-restrictions/accounts_authorized_local_users/tests/bad_user.fail.sh
|
|
|
362bfa |
new file mode 100644
|
|
|
362bfa |
index 00000000000..6dabaff6bc6
|
|
|
362bfa |
--- /dev/null
|
|
|
362bfa |
+++ b/linux_os/guide/system/accounts/accounts-restrictions/accounts_authorized_local_users/tests/bad_user.fail.sh
|
|
|
362bfa |
@@ -0,0 +1,2 @@
|
|
|
362bfa |
+#! /bin/bash
|
|
|
362bfa |
+adduser testuser
|
|
|
362bfa |
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/accounts_authorized_local_users/tests/default.pass.sh b/linux_os/guide/system/accounts/accounts-restrictions/accounts_authorized_local_users/tests/default.pass.sh
|
|
|
362bfa |
new file mode 100644
|
|
|
362bfa |
index 00000000000..d942f81d04f
|
|
|
362bfa |
--- /dev/null
|
|
|
362bfa |
+++ b/linux_os/guide/system/accounts/accounts-restrictions/accounts_authorized_local_users/tests/default.pass.sh
|
|
|
362bfa |
@@ -0,0 +1,16 @@
|
|
|
362bfa |
+#! /bin/bash
|
|
|
362bfa |
+# platform = multi_platform_rhel
|
|
|
362bfa |
+
|
|
|
362bfa |
+var_accounts_authorized_local_users_regex="^(root|bin|daemon|adm|lp|sync|shutdown|halt|mail|operator|games|ftp|nobody|pegasus|systemd-bus-proxy|systemd-network|dbus|polkitd|abrt|unbound|tss|libstoragemgmt|rpc|colord|usbmuxd$|pcp|saslauth|geoclue|setroubleshoot|rtkit|chrony|qemu|radvd|rpcuser|nfsnobody|pulse|gdm|gnome-initial-setup|postfix|avahi|ntp|sshd|tcpdump|oprofile|uuidd)$"
|
|
|
362bfa |
+
|
|
|
362bfa |
+# never delete the root user
|
|
|
362bfa |
+default_os_user="root"
|
|
|
362bfa |
+
|
|
|
362bfa |
+# delete users that is in /etc/passwd but neither in default_os_user
|
|
|
362bfa |
+# nor in var_accounts_authorized_local_users_regex
|
|
|
362bfa |
+for username in $( sed 's/:.*//' /etc/passwd ) ; do
|
|
|
362bfa |
+ if [[ ! "$username" =~ ($default_os_user|$var_accounts_authorized_local_users_regex) ]];
|
|
|
362bfa |
+ then
|
|
|
362bfa |
+ echo $username ;
|
|
|
362bfa |
+ fi
|
|
|
362bfa |
+done
|
|
|
362bfa |
diff --git a/linux_os/guide/system/software/sap_host/var_accounts_authorized_local_users_regex.var b/linux_os/guide/system/accounts/accounts-restrictions/var_accounts_authorized_local_users_regex.var
|
|
|
362bfa |
similarity index 81%
|
|
|
362bfa |
rename from linux_os/guide/system/software/sap_host/var_accounts_authorized_local_users_regex.var
|
|
|
362bfa |
rename to linux_os/guide/system/accounts/accounts-restrictions/var_accounts_authorized_local_users_regex.var
|
|
|
362bfa |
index 81626307321..2f456764617 100644
|
|
|
362bfa |
--- a/linux_os/guide/system/software/sap_host/var_accounts_authorized_local_users_regex.var
|
|
|
362bfa |
+++ b/linux_os/guide/system/accounts/accounts-restrictions/var_accounts_authorized_local_users_regex.var
|
|
|
362bfa |
@@ -22,5 +22,6 @@ operator: pattern match
|
|
|
362bfa |
interactive: true
|
|
|
362bfa |
|
|
|
362bfa |
options:
|
|
|
362bfa |
+ rhel8: "^(root|bin|daemon|adm|lp|sync|shutdown|halt|mail|operator|games|ftp|nobody|pegasus|systemd-bus-proxy|systemd-network|dbus|polkitd|abrt|unbound|tss|libstoragemgmt|rpc|colord|usbmuxd$|pcp|saslauth|geoclue|setroubleshoot|rtkit|chrony|qemu|radvd|rpcuser|nfsnobody|pulse|gdm|gnome-initial-setup|postfix|avahi|ntp|sshd|tcpdump|oprofile|uuidd|systemd-resolve|systemd-coredump|sssd|rngd)$"
|
|
|
362bfa |
ol7forsap: "^(root|bin|daemon|adm|lp|sync|shutdown|halt|mail|operator|games|ftp|nobody|pegasus|systemd-bus-proxy|systemd-network|dbus|polkitd|abrt|unbound|tss|libstoragemgmt|rpc|colord|usbmuxd$|pcp|saslauth|geoclue|setroubleshoot|rtkit|chrony|qemu|radvd|rpcuser|nfsnobody|pulse|gdm|gnome-initial-setup|postfix|avahi|ntp|sshd|tcpdump|oprofile|uuidd)$"
|
|
|
362bfa |
saponol7 : "^(root|bin|daemon|adm|lp|sync|shutdown|halt|mail|operator|games|ftp|nobody|pegasus|systemd-bus-proxy|systemd-network|dbus|polkitd|abrt|unbound|tss|libstoragemgmt|rpc|colord|usbmuxd$|pcp|saslauth|geoclue|setroubleshoot|rtkit|chrony|qemu|radvd|rpcuser|nfsnobody|pulse|gdm|gnome-initial-setup|postfix|avahi|ntp|sshd|tcpdump|oprofile|uuidd|[a-z][a-z0-9][a-z0-9]adm|ora[a-z][a-z0-9][a-z0-9]|sapadm|oracle)$"
|
|
|
362bfa |
diff --git a/products/rhel8/profiles/stig.profile b/products/rhel8/profiles/stig.profile
|
|
|
362bfa |
index f66b2a24a75..ec2929e8dc4 100644
|
|
|
362bfa |
--- a/products/rhel8/profiles/stig.profile
|
|
|
362bfa |
+++ b/products/rhel8/profiles/stig.profile
|
|
|
362bfa |
@@ -54,6 +54,7 @@ selections:
|
|
|
362bfa |
- sshd_approved_macs=stig
|
|
|
362bfa |
- sshd_approved_ciphers=stig
|
|
|
362bfa |
- sshd_idle_timeout_value=10_minutes
|
|
|
362bfa |
+ - var_accounts_authorized_local_users_regex=rhel8
|
|
|
362bfa |
- var_accounts_passwords_pam_faillock_deny=3
|
|
|
362bfa |
- var_accounts_passwords_pam_faillock_fail_interval=900
|
|
|
362bfa |
- var_accounts_passwords_pam_faillock_unlock_time=never
|
|
|
362bfa |
@@ -576,7 +577,7 @@ selections:
|
|
|
362bfa |
- accounts_logon_fail_delay
|
|
|
362bfa |
|
|
|
362bfa |
# RHEL-08-020320
|
|
|
362bfa |
- # - accounts_authorized_local_users
|
|
|
362bfa |
+ - accounts_authorized_local_users
|
|
|
362bfa |
|
|
|
362bfa |
# RHEL-08-020330
|
|
|
362bfa |
- sshd_disable_empty_passwords
|
|
|
362bfa |
diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
|
|
|
362bfa |
index 1d54e8ec15f..3047c2d9b92 100644
|
|
|
362bfa |
--- a/shared/references/cce-redhat-avail.txt
|
|
|
362bfa |
+++ b/shared/references/cce-redhat-avail.txt
|
|
|
362bfa |
@@ -115,7 +115,6 @@ CCE-85983-5
|
|
|
362bfa |
CCE-85984-3
|
|
|
362bfa |
CCE-85985-0
|
|
|
362bfa |
CCE-85986-8
|
|
|
362bfa |
-CCE-85987-6
|
|
|
362bfa |
CCE-85988-4
|
|
|
362bfa |
CCE-85989-2
|
|
|
362bfa |
CCE-85990-0
|
|
|
362bfa |
diff --git a/tests/data/profile_stability/rhel8/stig.profile b/tests/data/profile_stability/rhel8/stig.profile
|
|
|
362bfa |
index fcae79f6d88..9496f1e1d1d 100644
|
|
|
362bfa |
--- a/tests/data/profile_stability/rhel8/stig.profile
|
|
|
362bfa |
+++ b/tests/data/profile_stability/rhel8/stig.profile
|
|
|
362bfa |
@@ -27,6 +27,7 @@ selections:
|
|
|
362bfa |
- account_emergency_expire_date
|
|
|
362bfa |
- account_temp_expire_date
|
|
|
362bfa |
- account_unique_id
|
|
|
362bfa |
+- accounts_authorized_local_users
|
|
|
362bfa |
- accounts_have_homedir_login_defs
|
|
|
362bfa |
- accounts_logon_fail_delay
|
|
|
362bfa |
- accounts_max_concurrent_login_sessions
|
|
|
362bfa |
@@ -358,6 +359,7 @@ selections:
|
|
|
362bfa |
- var_auditd_disk_error_action=halt
|
|
|
362bfa |
- var_auditd_max_log_file_action=syslog
|
|
|
362bfa |
- var_auditd_disk_full_action=halt
|
|
|
362bfa |
+- var_accounts_authorized_local_users_regex=rhel8
|
|
|
362bfa |
- var_system_crypto_policy=fips
|
|
|
362bfa |
- var_sudo_timestamp_timeout=always_prompt
|
|
|
362bfa |
title: DISA STIG for Red Hat Enterprise Linux 8
|
|
|
362bfa |
diff --git a/tests/data/profile_stability/rhel8/stig_gui.profile b/tests/data/profile_stability/rhel8/stig_gui.profile
|
|
|
362bfa |
index 2bbd1881f51..9e0c648a5f8 100644
|
|
|
362bfa |
--- a/tests/data/profile_stability/rhel8/stig_gui.profile
|
|
|
362bfa |
+++ b/tests/data/profile_stability/rhel8/stig_gui.profile
|
|
|
362bfa |
@@ -38,6 +38,7 @@ selections:
|
|
|
362bfa |
- account_emergency_expire_date
|
|
|
362bfa |
- account_temp_expire_date
|
|
|
362bfa |
- account_unique_id
|
|
|
362bfa |
+- accounts_authorized_local_users
|
|
|
362bfa |
- accounts_have_homedir_login_defs
|
|
|
362bfa |
- accounts_logon_fail_delay
|
|
|
362bfa |
- accounts_max_concurrent_login_sessions
|
|
|
362bfa |
@@ -368,6 +369,7 @@ selections:
|
|
|
362bfa |
- var_auditd_disk_error_action=halt
|
|
|
362bfa |
- var_auditd_max_log_file_action=syslog
|
|
|
362bfa |
- var_auditd_disk_full_action=halt
|
|
|
362bfa |
+- var_accounts_authorized_local_users_regex=rhel8
|
|
|
362bfa |
- var_system_crypto_policy=fips
|
|
|
362bfa |
- var_sudo_timestamp_timeout=always_prompt
|
|
|
362bfa |
title: DISA STIG with GUI for Red Hat Enterprise Linux 8
|