Blame SOURCES/scap-security-guide-0.1.59-new_rule_group_unique_name-PR_7676.patch

From b80a9766e9157177edaa01f77841acd7472e64f7 Mon Sep 17 00:00:00 2001
From: Matthew Burket <mburket@redhat.com>
Date: Thu, 30 Sep 2021 09:26:27 -0500
Subject: [PATCH] Add rule "Ensure All Groups on the System Have Unique Group
 Names" to fix #5500
9be3b2
---
9be3b2
 controls/cis_rhel7.yml                        |  4 +-
9be3b2
 controls/cis_rhel8.yml                        |  6 +--
9be3b2
 .../group_unique_name/oval/shared.xml         | 50 +++++++++++++++++++
9be3b2
 .../group_unique_name/rule.yml                | 37 ++++++++++++++
9be3b2
 .../tests/correct_value.pass.sh               |  4 ++
9be3b2
 .../tests/wrong_value.fail.sh                 |  5 ++
9be3b2
 shared/references/cce-redhat-avail.txt        |  2 -
9be3b2
 7 files changed, 102 insertions(+), 6 deletions(-)
9be3b2
 create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/group_unique_name/oval/shared.xml
9be3b2
 create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/group_unique_name/rule.yml
9be3b2
 create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/group_unique_name/tests/correct_value.pass.sh
9be3b2
 create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/group_unique_name/tests/wrong_value.fail.sh
9be3b2
diff --git a/controls/cis_rhel7.yml b/controls/cis_rhel7.yml
9be3b2
index bd68e32ed99..c07855c259e 100644
9be3b2
--- a/controls/cis_rhel7.yml
9be3b2
+++ b/controls/cis_rhel7.yml
9be3b2
@@ -2212,7 +2212,9 @@ controls:
9be3b2
     levels:
9be3b2
     - l1_server
9be3b2
     - l1_workstation
9be3b2
-    automated: no # rule missing
9be3b2
+    automated: yes
9be3b2
+    rules:
9be3b2
+      - group_unique_name
9be3b2
 
9be3b2
   - id: 6.2.7
9be3b2
     title: Ensure no duplicate UIDs exist (Automated)
9be3b2
diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml
9be3b2
index cbe1fc4e6a4..08ba462dfeb 100644
9be3b2
--- a/controls/cis_rhel8.yml
9be3b2
+++ b/controls/cis_rhel8.yml
9be3b2
@@ -2294,14 +2294,14 @@ controls:
9be3b2
     rules:
9be3b2
       - account_unique_name
9be3b2
 
9be3b2
-  # NEEDS RULE
9be3b2
-  # https://github.com/ComplianceAsCode/content/issues/5500
9be3b2
   - id: 6.2.18
9be3b2
     title: Ensure no duplicate group names exist (Automated)
9be3b2
     levels:
9be3b2
       - l1_server
9be3b2
       - l1_workstation
9be3b2
-    automated: no
9be3b2
+    status: automated
9be3b2
+    rules:
9be3b2
+      - group_unique_name
9be3b2
 
9be3b2
   # NEEDS RULE
9be3b2
   # https://github.com/ComplianceAsCode/content/issues/5499
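Review bot: The replacement of `automated: no` with `status: automated` uses a different key than the sibling change in controls/cis_rhel7.yml, which keeps the `automated:` key (`automated: yes`). Unless cis_rhel8.yml has already migrated to the `status:` schema elsewhere in the file, the control loader will treat this entry differently from the RHEL 7 one, so whichever key the controls schema currently expects should be used in both files. If `status:` is the current schema, the RHEL 7 hunk should be changed to `status: automated` to match.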
9be3b2
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/group_unique_name/oval/shared.xml b/linux_os/guide/system/accounts/accounts-restrictions/group_unique_name/oval/shared.xml
9be3b2
new file mode 100644
9be3b2
index 00000000000..a1d46bbd7c7
9be3b2
--- /dev/null
9be3b2
+++ b/linux_os/guide/system/accounts/accounts-restrictions/group_unique_name/oval/shared.xml
9be3b2
@@ -0,0 +1,50 @@
9be3b2
+<def-group>
9be3b2
+    <definition class="compliance" id="{{{rule_id}}}" version="1">
9be3b2
+        {{{ oval_metadata("All groups on the system should have unique names for proper accountability.") }}}
9be3b2
+        <criteria comment="There should not exist duplicate group names entries in /etc/passwd">
9be3b2
+            <criterion test_ref="test_etc_group_no_duplicate_group_names"/>
9be3b2
+        </criteria>
9be3b2
+    </definition>
9be3b2
+
9be3b2
+    <ind:textfilecontent54_object id="obj_all_group_names" version="1" comment="Get all group names">
9be3b2
+        <ind:filepath>/etc/group</ind:filepath>
9be3b2
+        <ind:pattern operation="pattern match">^(.+):.+</ind:pattern>
9be3b2
+        <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
9be3b2
+    </ind:textfilecontent54_object>
9be3b2
+
9be3b2
+    
9be3b2
+    
9be3b2
+                    comment="Count of all group names (including duplicates if any)">
9be3b2
+        <count>
9be3b2
+            <object_component item_field="subexpression" object_ref="obj_all_group_names"/>
9be3b2
+        </count>
9be3b2
+    </local_variable>
9be3b2
+
9be3b2
+    
9be3b2
+    
9be3b2
+                    comment="Count of unique group names">
9be3b2
+        <count>
9be3b2
+            <unique>
9be3b2
+                <object_component item_field="subexpression" object_ref="obj_all_group_names"/>
9be3b2
+            </unique>
9be3b2
+        </count>
9be3b2
+    </local_variable>
9be3b2
+
9be3b2
+    
9be3b2
+       (for use in <variable_test> below)-->
9be3b2
+    <ind:variable_object id="obj_count_of_all_group_names" version="1">
9be3b2
+        <ind:var_ref>variable_count_of_all_group_names</ind:var_ref>
9be3b2
+    </ind:variable_object>
9be3b2
+
9be3b2
+    
9be3b2
+    <ind:variable_state id="state_no_duplicate_group_names" version="1">
9be3b2
+        
9be3b2
+                   operation="equals" var_check="at least one"/>
9be3b2
+    </ind:variable_state>
9be3b2
+
9be3b2
+    
9be3b2
+                       comment="There should not exist duplicate group names in /etc/passwd" version="1">
9be3b2
+        <ind:object object_ref="obj_count_of_all_group_names"/>
9be3b2
+        <ind:state state_ref="state_no_duplicate_group_names"/>
9be3b2
+    </ind:variable_test>
9be3b2
+</def-group>
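Review bot: The capture group in the `ind:pattern` `^(.+):.+` on `obj_all_group_names` is greedy, so for a line such as `wheel:x:10:alice` the subexpression is `wheel:x:10`, not `wheel`; two entries that share a name but differ in GID or member list are then counted as distinct and the duplicate is not detected. The pattern should stop at the first field separator, `^([^:]+):`, so that only the group name is compared. The two comments reading "duplicate group names entries in /etc/passwd" (on the `criteria` and the `variable_test`) should name `/etc/group`, which is the file the object actually reads. Several `<local_variable …>` opening tags and the XML comments preceding them appear to have been lost in this rendering (lines begin with a bare `comment=` attribute), so that part of the hunk cannot be reviewed as shown.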
9be3b2
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/group_unique_name/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/group_unique_name/rule.yml
9be3b2
new file mode 100644
9be3b2
index 00000000000..e56fc785274
9be3b2
--- /dev/null
9be3b2
+++ b/linux_os/guide/system/accounts/accounts-restrictions/group_unique_name/rule.yml
9be3b2
@@ -0,0 +1,37 @@
9be3b2
+documentation_complete: true
9be3b2
+
9be3b2
+prodtype: fedora,rhel7,rhel8
9be3b2
+
9be3b2
+title: 'Ensure All Groups on the System Have Unique Group Names'
9be3b2
+
9be3b2
+description: 'Change the group name or delete groups, so each has a unique name.'
9be3b2
+
9be3b2
+rationale: 'To assure accountability and prevent unauthenticated access, groups must be identified uniquely to prevent potential misuse and compromise of the system.'
9be3b2
+
9be3b2
+severity: medium
9be3b2
+
9be3b2
+identifiers:
9be3b2
+    cce@rhel7: CCE-86327-4
9be3b2
+    cce@rhel8: CCE-86328-2
9be3b2
+
9be3b2
+
9be3b2
+references:
9be3b2
+    cis@rhel7: 6.2.6
9be3b2
+    cis@rhel8: 6.2.18
9be3b2
+
9be3b2
+
9be3b2
+ocil_clause: 'has duplicate group ids'
9be3b2
+
9be3b2
+ocil: |-
9be3b2
+    Run the following command to check for duplicate group names:
9be3b2
+    Check that the operating system contains no duplicate group names for interactive users by running the following command:
9be3b2
+    
9be3b2
+        cut -d : -f 1 /etc/group | uniq -d
9be3b2
+    
9be3b2
+    If output is produced, this is a finding.
9be3b2
+    Configure the operating system to contain no duplicate names for groups.
9be3b2
+    Edit the file "/etc/group" and provide each group that has a duplicate group name with a unique group name.
9be3b2
+
9be3b2
+warnings:
9be3b2
+    - general: |-
9be3b2
+          Automatic remediation of this control is not available. Due the unique requirements of each system.
9be3b2
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/group_unique_name/tests/correct_value.pass.sh b/linux_os/guide/system/accounts/accounts-restrictions/group_unique_name/tests/correct_value.pass.sh
9be3b2
new file mode 100644
9be3b2
index 00000000000..031b46c8265
9be3b2
--- /dev/null
9be3b2
+++ b/linux_os/guide/system/accounts/accounts-restrictions/group_unique_name/tests/correct_value.pass.sh
9be3b2
@@ -0,0 +1,4 @@
9be3b2
+#!/bin/bash
9be3b2
+# remediation = no
9be3b2
+
9be3b2
+groupadd cac_test$(date +%s)
9be3b2
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/group_unique_name/tests/wrong_value.fail.sh b/linux_os/guide/system/accounts/accounts-restrictions/group_unique_name/tests/wrong_value.fail.sh
9be3b2
new file mode 100644
9be3b2
index 00000000000..e375c555d5b
9be3b2
--- /dev/null
9be3b2
+++ b/linux_os/guide/system/accounts/accounts-restrictions/group_unique_name/tests/wrong_value.fail.sh
9be3b2
@@ -0,0 +1,5 @@
9be3b2
+#!/bin/bash
9be3b2
+# remediation = no
9be3b2
+
9be3b2
+echo "testgroup:x:1004:" >> /etc/group
9be3b2
+echo "testgroup:x:1005:" >> /etc/group
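Review bot: Both appended entries have an empty member field, so the scenario does not cover the realistic case of duplicate names whose trailing fields differ (a different GID plus a member list). Giving one of them members, e.g. `echo "testgroup:x:1005:root" >> /etc/group`, would exercise that case and catch a check that compares more than the first field of each line. Writing the lines directly instead of via `groupadd` is unavoidable here, since `groupadd` refuses a duplicate name.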
9be3b2
diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
9be3b2
index 6b841f9b26b..421543a16e3 100644
9be3b2
--- a/shared/references/cce-redhat-avail.txt
9be3b2
+++ b/shared/references/cce-redhat-avail.txt
9be3b2
@@ -424,8 +424,6 @@ CCE-86323-3
9be3b2
 CCE-86324-1
9be3b2
 CCE-86325-8
9be3b2
 CCE-86326-6
9be3b2
-CCE-86327-4
9be3b2
-CCE-86328-2
9be3b2
 CCE-86329-0
9be3b2
 CCE-86330-8
9be3b2
 CCE-86331-6