Blob Blame History Raw
From d6f7334d642fb311d32d7a171c460cd05e6625b8 Mon Sep 17 00:00:00 2001
From: Matthew Burket <mburket@redhat.com>
Date: Fri, 6 Aug 2021 10:48:46 -0500
Subject: [PATCH] Add rule for RHEL-08-020320

---
 .../ansible/shared.yml                           |  0
 .../bash/shared.sh                               |  2 +-
 .../oval/shared.xml                              |  2 +-
 .../accounts_authorized_local_users/rule.yml     | 12 +++++++++---
 .../tests/bad_user.fail.sh                       |  2 ++
 .../tests/default.pass.sh                        | 16 ++++++++++++++++
 ...var_accounts_authorized_local_users_regex.var |  1 +
 products/rhel8/profiles/stig.profile             |  3 ++-
 shared/references/cce-redhat-avail.txt           |  1 -
 tests/data/profile_stability/rhel8/stig.profile  |  2 ++
 .../profile_stability/rhel8/stig_gui.profile     |  2 ++
 11 files changed, 36 insertions(+), 7 deletions(-)
 rename linux_os/guide/system/{software/sap_host => accounts/accounts-restrictions}/accounts_authorized_local_users/ansible/shared.yml (100%)
 rename linux_os/guide/system/{software/sap_host => accounts/accounts-restrictions}/accounts_authorized_local_users/bash/shared.sh (95%)
 rename linux_os/guide/system/{software/sap_host => accounts/accounts-restrictions}/accounts_authorized_local_users/oval/shared.xml (98%)
 rename linux_os/guide/system/{software/sap_host => accounts/accounts-restrictions}/accounts_authorized_local_users/rule.yml (88%)
 create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/accounts_authorized_local_users/tests/bad_user.fail.sh
 create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/accounts_authorized_local_users/tests/default.pass.sh
 rename linux_os/guide/system/{software/sap_host => accounts/accounts-restrictions}/var_accounts_authorized_local_users_regex.var (81%)

diff --git a/linux_os/guide/system/software/sap_host/accounts_authorized_local_users/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-restrictions/accounts_authorized_local_users/ansible/shared.yml
similarity index 100%
rename from linux_os/guide/system/software/sap_host/accounts_authorized_local_users/ansible/shared.yml
rename to linux_os/guide/system/accounts/accounts-restrictions/accounts_authorized_local_users/ansible/shared.yml
diff --git a/linux_os/guide/system/software/sap_host/accounts_authorized_local_users/bash/shared.sh b/linux_os/guide/system/accounts/accounts-restrictions/accounts_authorized_local_users/bash/shared.sh
similarity index 95%
rename from linux_os/guide/system/software/sap_host/accounts_authorized_local_users/bash/shared.sh
rename to linux_os/guide/system/accounts/accounts-restrictions/accounts_authorized_local_users/bash/shared.sh
index c342acf36d1..fedb02d84ce 100644
--- a/linux_os/guide/system/software/sap_host/accounts_authorized_local_users/bash/shared.sh
+++ b/linux_os/guide/system/accounts/accounts-restrictions/accounts_authorized_local_users/bash/shared.sh
@@ -10,7 +10,7 @@ default_os_user="root"
 for username in $( sed 's/:.*//' /etc/passwd ) ; do
 	if [[ ! "$username" =~ ($default_os_user|$var_accounts_authorized_local_users_regex) ]];
         then
-		userdel $username ; 
+		userdel $username ;
 	fi
 done
 
diff --git a/linux_os/guide/system/software/sap_host/accounts_authorized_local_users/oval/shared.xml b/linux_os/guide/system/accounts/accounts-restrictions/accounts_authorized_local_users/oval/shared.xml
similarity index 98%
rename from linux_os/guide/system/software/sap_host/accounts_authorized_local_users/oval/shared.xml
rename to linux_os/guide/system/accounts/accounts-restrictions/accounts_authorized_local_users/oval/shared.xml
index 4e42081d0dc..c56799ded20 100644
--- a/linux_os/guide/system/software/sap_host/accounts_authorized_local_users/oval/shared.xml
+++ b/linux_os/guide/system/accounts/accounts-restrictions/accounts_authorized_local_users/oval/shared.xml
@@ -32,6 +32,6 @@
     var_ref="var_accounts_authorized_local_users_regex"></ind:subexpression>
   </ind:textfilecontent54_state>
 
-  <external_variable id="var_accounts_authorized_local_users_regex" version="1" datatype="string" 
+  <external_variable id="var_accounts_authorized_local_users_regex" version="1" datatype="string"
   comment="accounts authorized local users on operating system"/>
 </def-group>
diff --git a/linux_os/guide/system/software/sap_host/accounts_authorized_local_users/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/accounts_authorized_local_users/rule.yml
similarity index 88%
rename from linux_os/guide/system/software/sap_host/accounts_authorized_local_users/rule.yml
rename to linux_os/guide/system/accounts/accounts-restrictions/accounts_authorized_local_users/rule.yml
index ddbda30afe6..e2311f6a5c3 100644
--- a/linux_os/guide/system/software/sap_host/accounts_authorized_local_users/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-restrictions/accounts_authorized_local_users/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
 
-prodtype: ol7,sle12,sle15
+prodtype: ol7,sle12,sle15,fedora,rhel8
 
 title: 'Only Authorized Local User Accounts Exist on Operating System'
 
@@ -26,11 +26,10 @@ rationale: |-
 severity: medium
 
 identifiers:
+    cce@rhel8: CCE-85987-6
     cce@sle12: CCE-83195-8
     cce@sle15: CCE-85561-9
 
-severity: medium
-
 references:
     disa: CCI-000366
     nist@sle12: CM-6(b),CM-6.1(iv)
@@ -41,6 +40,13 @@ references:
 
 ocil_clause: 'there are unauthorized local user accounts on the system'
 
+{{% if 'rhel' in product %}}
+warnings:
+    - general: |-
+        Automatic remediation of this control is not available. Due the unique
+        requirements of each system.
+{{% endif %}}
+
 ocil: |-
     To verify that there are no unauthorized local user accounts, run the following command:
     <pre>$ less /etc/passwd </pre>
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/accounts_authorized_local_users/tests/bad_user.fail.sh b/linux_os/guide/system/accounts/accounts-restrictions/accounts_authorized_local_users/tests/bad_user.fail.sh
new file mode 100644
index 00000000000..6dabaff6bc6
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-restrictions/accounts_authorized_local_users/tests/bad_user.fail.sh
@@ -0,0 +1,2 @@
+#! /bin/bash
+adduser testuser
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/accounts_authorized_local_users/tests/default.pass.sh b/linux_os/guide/system/accounts/accounts-restrictions/accounts_authorized_local_users/tests/default.pass.sh
new file mode 100644
index 00000000000..d942f81d04f
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-restrictions/accounts_authorized_local_users/tests/default.pass.sh
@@ -0,0 +1,16 @@
+#! /bin/bash
+# platform = multi_platform_rhel
+
+var_accounts_authorized_local_users_regex="^(root|bin|daemon|adm|lp|sync|shutdown|halt|mail|operator|games|ftp|nobody|pegasus|systemd-bus-proxy|systemd-network|dbus|polkitd|abrt|unbound|tss|libstoragemgmt|rpc|colord|usbmuxd$|pcp|saslauth|geoclue|setroubleshoot|rtkit|chrony|qemu|radvd|rpcuser|nfsnobody|pulse|gdm|gnome-initial-setup|postfix|avahi|ntp|sshd|tcpdump|oprofile|uuidd)$"
+
+# never delete the root user
+default_os_user="root"
+
+# delete users that is in /etc/passwd but neither in default_os_user
+# nor in var_accounts_authorized_local_users_regex
+for username in $( sed 's/:.*//' /etc/passwd ) ; do
+	if [[ ! "$username" =~ ($default_os_user|$var_accounts_authorized_local_users_regex) ]];
+        then
+		echo $username ;
+	fi
+done
diff --git a/linux_os/guide/system/software/sap_host/var_accounts_authorized_local_users_regex.var b/linux_os/guide/system/accounts/accounts-restrictions/var_accounts_authorized_local_users_regex.var
similarity index 81%
rename from linux_os/guide/system/software/sap_host/var_accounts_authorized_local_users_regex.var
rename to linux_os/guide/system/accounts/accounts-restrictions/var_accounts_authorized_local_users_regex.var
index 81626307321..2f456764617 100644
--- a/linux_os/guide/system/software/sap_host/var_accounts_authorized_local_users_regex.var
+++ b/linux_os/guide/system/accounts/accounts-restrictions/var_accounts_authorized_local_users_regex.var
@@ -22,5 +22,6 @@ operator: pattern match
 interactive: true
 
 options:
+    rhel8: "^(root|bin|daemon|adm|lp|sync|shutdown|halt|mail|operator|games|ftp|nobody|pegasus|systemd-bus-proxy|systemd-network|dbus|polkitd|abrt|unbound|tss|libstoragemgmt|rpc|colord|usbmuxd$|pcp|saslauth|geoclue|setroubleshoot|rtkit|chrony|qemu|radvd|rpcuser|nfsnobody|pulse|gdm|gnome-initial-setup|postfix|avahi|ntp|sshd|tcpdump|oprofile|uuidd|systemd-resolve|systemd-coredump|sssd|rngd)$"
     ol7forsap: "^(root|bin|daemon|adm|lp|sync|shutdown|halt|mail|operator|games|ftp|nobody|pegasus|systemd-bus-proxy|systemd-network|dbus|polkitd|abrt|unbound|tss|libstoragemgmt|rpc|colord|usbmuxd$|pcp|saslauth|geoclue|setroubleshoot|rtkit|chrony|qemu|radvd|rpcuser|nfsnobody|pulse|gdm|gnome-initial-setup|postfix|avahi|ntp|sshd|tcpdump|oprofile|uuidd)$"
     saponol7 : "^(root|bin|daemon|adm|lp|sync|shutdown|halt|mail|operator|games|ftp|nobody|pegasus|systemd-bus-proxy|systemd-network|dbus|polkitd|abrt|unbound|tss|libstoragemgmt|rpc|colord|usbmuxd$|pcp|saslauth|geoclue|setroubleshoot|rtkit|chrony|qemu|radvd|rpcuser|nfsnobody|pulse|gdm|gnome-initial-setup|postfix|avahi|ntp|sshd|tcpdump|oprofile|uuidd|[a-z][a-z0-9][a-z0-9]adm|ora[a-z][a-z0-9][a-z0-9]|sapadm|oracle)$"
diff --git a/products/rhel8/profiles/stig.profile b/products/rhel8/profiles/stig.profile
index f66b2a24a75..ec2929e8dc4 100644
--- a/products/rhel8/profiles/stig.profile
+++ b/products/rhel8/profiles/stig.profile
@@ -54,6 +54,7 @@ selections:
     - sshd_approved_macs=stig
     - sshd_approved_ciphers=stig
     - sshd_idle_timeout_value=10_minutes
+    - var_accounts_authorized_local_users_regex=rhel8
     - var_accounts_passwords_pam_faillock_deny=3
     - var_accounts_passwords_pam_faillock_fail_interval=900
     - var_accounts_passwords_pam_faillock_unlock_time=never
@@ -576,7 +577,7 @@ selections:
     - accounts_logon_fail_delay
 
     # RHEL-08-020320
-    # - accounts_authorized_local_users
+    - accounts_authorized_local_users
 
     # RHEL-08-020330
     - sshd_disable_empty_passwords
diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
index 1d54e8ec15f..3047c2d9b92 100644
--- a/shared/references/cce-redhat-avail.txt
+++ b/shared/references/cce-redhat-avail.txt
@@ -115,7 +115,6 @@ CCE-85983-5
 CCE-85984-3
 CCE-85985-0
 CCE-85986-8
-CCE-85987-6
 CCE-85988-4
 CCE-85989-2
 CCE-85990-0
diff --git a/tests/data/profile_stability/rhel8/stig.profile b/tests/data/profile_stability/rhel8/stig.profile
index fcae79f6d88..9496f1e1d1d 100644
--- a/tests/data/profile_stability/rhel8/stig.profile
+++ b/tests/data/profile_stability/rhel8/stig.profile
@@ -27,6 +27,7 @@ selections:
 - account_emergency_expire_date
 - account_temp_expire_date
 - account_unique_id
+- accounts_authorized_local_users
 - accounts_have_homedir_login_defs
 - accounts_logon_fail_delay
 - accounts_max_concurrent_login_sessions
@@ -358,6 +359,7 @@ selections:
 - var_auditd_disk_error_action=halt
 - var_auditd_max_log_file_action=syslog
 - var_auditd_disk_full_action=halt
+- var_accounts_authorized_local_users_regex=rhel8
 - var_system_crypto_policy=fips
 - var_sudo_timestamp_timeout=always_prompt
 title: DISA STIG for Red Hat Enterprise Linux 8
diff --git a/tests/data/profile_stability/rhel8/stig_gui.profile b/tests/data/profile_stability/rhel8/stig_gui.profile
index 2bbd1881f51..9e0c648a5f8 100644
--- a/tests/data/profile_stability/rhel8/stig_gui.profile
+++ b/tests/data/profile_stability/rhel8/stig_gui.profile
@@ -38,6 +38,7 @@ selections:
 - account_emergency_expire_date
 - account_temp_expire_date
 - account_unique_id
+- accounts_authorized_local_users
 - accounts_have_homedir_login_defs
 - accounts_logon_fail_delay
 - accounts_max_concurrent_login_sessions
@@ -368,6 +369,7 @@ selections:
 - var_auditd_disk_error_action=halt
 - var_auditd_max_log_file_action=syslog
 - var_auditd_disk_full_action=halt
+- var_accounts_authorized_local_users_regex=rhel8
 - var_system_crypto_policy=fips
 - var_sudo_timestamp_timeout=always_prompt
 title: DISA STIG with GUI for Red Hat Enterprise Linux 8