From eb3d5f4bd1f15419f105b7f543493c28ccf6b2bd Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Wed, 14 Apr 2021 16:37:51 +0200
Subject: [PATCH 1/4] update tests to test also for files in /etc/profile.d
directory
---
.../{comment.fail.sh => comment_profile.fail.sh} | 2 ++
.../accounts_tmout/tests/comment_profile_d.fail.sh | 11 +++++++++++
...ct_value.pass.sh => correct_value_profile.pass.sh} | 2 ++
.../tests/correct_value_profile_d.pass.sh | 11 +++++++++++
.../accounts_tmout/tests/line_not_there.fail.sh | 1 +
.../{multiline.fail.sh => multiline_profile.fail.sh} | 2 ++
.../accounts_tmout/tests/multiline_profile_d.fail.sh | 11 +++++++++++
.../accounts_tmout/tests/multiline_profile_d.pass.sh | 9 +++++++++
...liance.pass.sh => supercompliance_profile.pass.sh} | 2 ++
.../tests/supercompliance_profile_d.pass.sh | 11 +++++++++++
...rong_value.fail.sh => wrong_value_profile.fail.sh} | 2 ++
.../tests/wrong_value_profile_d.fail.sh | 11 +++++++++++
12 files changed, 75 insertions(+)
rename linux_os/guide/system/accounts/accounts-session/accounts_tmout/tests/{comment.fail.sh => comment_profile.fail.sh} (80%)
create mode 100644 linux_os/guide/system/accounts/accounts-session/accounts_tmout/tests/comment_profile_d.fail.sh
rename linux_os/guide/system/accounts/accounts-session/accounts_tmout/tests/{correct_value.pass.sh => correct_value_profile.pass.sh} (80%)
create mode 100644 linux_os/guide/system/accounts/accounts-session/accounts_tmout/tests/correct_value_profile_d.pass.sh
rename linux_os/guide/system/accounts/accounts-session/accounts_tmout/tests/{multiline.fail.sh => multiline_profile.fail.sh} (84%)
create mode 100644 linux_os/guide/system/accounts/accounts-session/accounts_tmout/tests/multiline_profile_d.fail.sh
create mode 100644 linux_os/guide/system/accounts/accounts-session/accounts_tmout/tests/multiline_profile_d.pass.sh
rename linux_os/guide/system/accounts/accounts-session/accounts_tmout/tests/{supercompliance.pass.sh => supercompliance_profile.pass.sh} (80%)
create mode 100644 linux_os/guide/system/accounts/accounts-session/accounts_tmout/tests/supercompliance_profile_d.pass.sh
rename linux_os/guide/system/accounts/accounts-session/accounts_tmout/tests/{wrong_value.fail.sh => wrong_value_profile.fail.sh} (80%)
create mode 100644 linux_os/guide/system/accounts/accounts-session/accounts_tmout/tests/wrong_value_profile_d.fail.sh
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_tmout/tests/comment.fail.sh b/linux_os/guide/system/accounts/accounts-session/accounts_tmout/tests/comment_profile.fail.sh
similarity index 80%
rename from linux_os/guide/system/accounts/accounts-session/accounts_tmout/tests/comment.fail.sh
rename to linux_os/guide/system/accounts/accounts-session/accounts_tmout/tests/comment_profile.fail.sh
index ef123cd177e..91f258d5a9d 100644
--- a/linux_os/guide/system/accounts/accounts-session/accounts_tmout/tests/comment.fail.sh
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_tmout/tests/comment_profile.fail.sh
@@ -2,6 +2,8 @@
# variables = var_accounts_tmout=600
+sed -i "/.*TMOUT.*/d" /etc/profile.d/*.sh
+
if grep -q "^TMOUT" /etc/profile; then
sed -i "s/^TMOUT.*/# TMOUT=600/" /etc/profile
else
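Review bot: The added `sed -i "/.*TMOUT.*/d" /etc/profile.d/*.sh` hands sed the literal pattern when /etc/profile.d contains no `*.sh` file, so sed exits non-zero with a "can't read" error and the scenario's setup aborts before the rule is ever checked. The same unguarded glob is added in correct_value_profile.pass.sh, multiline_profile.fail.sh, supercompliance_profile.pass.sh, wrong_value_profile.fail.sh and, with the `^TMOUT` pattern, line_not_there.fail.sh. A guarded loop is safer: `for f in /etc/profile.d/*.sh; do [ -f "$f" ] && sed -i "/.*TMOUT.*/d" "$f"; done`. The `if`/`else` block this hunk touches continues past the end of the hunk.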
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_tmout/tests/comment_profile_d.fail.sh b/linux_os/guide/system/accounts/accounts-session/accounts_tmout/tests/comment_profile_d.fail.sh
new file mode 100644
index 00000000000..0d7d5135586
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_tmout/tests/comment_profile_d.fail.sh
@@ -0,0 +1,11 @@
+#!/bin/bash
+
+# variables = var_accounts_tmout=600
+
+sed -i "/.*TMOUT.*/d" /etc/profile
+
+if grep -q "^TMOUT" /etc/profile.d/tmout.sh; then
+ sed -i "s/^TMOUT.*/# TMOUT=600/" /etc/profile.d/tmout.sh
+else
+ echo "# TMOUT=600" >> /etc/profile.d/tmout.sh
+fi
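Review bot: This new scenario only clears TMOUT from /etc/profile, whereas its renamed `_profile` sibling clears both /etc/profile and every /etc/profile.d/*.sh; a TMOUT line left in some other /etc/profile.d file by an earlier scenario or the base image stays visible to the check and can flip the expected fail/pass result. The same asymmetry is in correct_value_profile_d.pass.sh, multiline_profile_d.fail.sh, supercompliance_profile_d.pass.sh and wrong_value_profile_d.fail.sh. Consider clearing the other profile.d files too, mirroring the `_profile` variants, e.g. `for f in /etc/profile.d/*.sh; do [ -f "$f" ] && sed -i "/.*TMOUT.*/d" "$f"; done` before the `if`. Also, on a fresh image `grep -q "^TMOUT" /etc/profile.d/tmout.sh` prints a "No such file" message to stderr before falling through to the `else` branch; `[ -f /etc/profile.d/tmout.sh ] && grep -q ...` keeps the log clean.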
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_tmout/tests/correct_value.pass.sh b/linux_os/guide/system/accounts/accounts-session/accounts_tmout/tests/correct_value_profile.pass.sh
similarity index 80%
rename from linux_os/guide/system/accounts/accounts-session/accounts_tmout/tests/correct_value.pass.sh
rename to linux_os/guide/system/accounts/accounts-session/accounts_tmout/tests/correct_value_profile.pass.sh
index 0d1b360dbdc..725ec381200 100644
--- a/linux_os/guide/system/accounts/accounts-session/accounts_tmout/tests/correct_value.pass.sh
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_tmout/tests/correct_value_profile.pass.sh
@@ -2,6 +2,8 @@
# variables = var_accounts_tmout=700
+sed -i "/.*TMOUT.*/d" /etc/profile.d/*.sh
+
if grep -q "TMOUT" /etc/profile; then
sed -i "s/.*TMOUT.*/TMOUT=700/" /etc/profile
else
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_tmout/tests/correct_value_profile_d.pass.sh b/linux_os/guide/system/accounts/accounts-session/accounts_tmout/tests/correct_value_profile_d.pass.sh
new file mode 100644
index 00000000000..1cd8d26c357
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_tmout/tests/correct_value_profile_d.pass.sh
@@ -0,0 +1,11 @@
+#!/bin/bash
+
+# variables = var_accounts_tmout=700
+
+sed -i "/.*TMOUT.*/d" /etc/profile
+
+if grep -q "TMOUT" /etc/profile.d/tmout.sh; then
+ sed -i "s/.*TMOUT.*/TMOUT=700/" /etc/profile.d/tmout.sh
+else
+ echo "TMOUT=700" >> /etc/profile.d/tmout.sh
+fi
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_tmout/tests/line_not_there.fail.sh b/linux_os/guide/system/accounts/accounts-session/accounts_tmout/tests/line_not_there.fail.sh
index af62eb12d51..4c36c1a842c 100644
--- a/linux_os/guide/system/accounts/accounts-session/accounts_tmout/tests/line_not_there.fail.sh
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_tmout/tests/line_not_there.fail.sh
@@ -1,3 +1,4 @@
#!/bin/bash
sed -i "/^TMOUT.*/d" /etc/profile
+sed -i "/^TMOUT.*/d" /etc/profile.d/*.sh
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_tmout/tests/multiline.fail.sh b/linux_os/guide/system/accounts/accounts-session/accounts_tmout/tests/multiline_profile.fail.sh
similarity index 84%
rename from linux_os/guide/system/accounts/accounts-session/accounts_tmout/tests/multiline.fail.sh
rename to linux_os/guide/system/accounts/accounts-session/accounts_tmout/tests/multiline_profile.fail.sh
index 12aee2fe43a..fdf62efe723 100644
--- a/linux_os/guide/system/accounts/accounts-session/accounts_tmout/tests/multiline.fail.sh
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_tmout/tests/multiline_profile.fail.sh
@@ -2,6 +2,8 @@
# variables = var_accounts_tmout=700
+sed -i "/.*TMOUT.*/d" /etc/profile.d/*.sh
+
if grep -q "TMOUT" /etc/profile; then
sed -i "s/.*TMOUT.*/TMOUT=900; readonly TMOUT; export TMOUT/" /etc/profile
else
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_tmout/tests/multiline_profile_d.fail.sh b/linux_os/guide/system/accounts/accounts-session/accounts_tmout/tests/multiline_profile_d.fail.sh
new file mode 100644
index 00000000000..25e77d33ae5
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_tmout/tests/multiline_profile_d.fail.sh
@@ -0,0 +1,11 @@
+#!/bin/bash
+
+# variables = var_accounts_tmout=900
+
+sed -i "/.*TMOUT.*/d" /etc/profile
+
+if grep -q "TMOUT" /etc/profile.d/tmout.sh; then
+ sed -i "s/.*TMOUT.*/TMOUT=950; readonly TMOUT; export TMOUT/" /etc/profile.d/tmout.sh
+else
+ echo "TMOUT=950; readonly TMOUT; export TMOUT" >> /etc/profile.d/tmout.sh
+fi
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_tmout/tests/multiline_profile_d.pass.sh b/linux_os/guide/system/accounts/accounts-session/accounts_tmout/tests/multiline_profile_d.pass.sh
new file mode 100644
index 00000000000..5b3f169a469
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_tmout/tests/multiline_profile_d.pass.sh
@@ -0,0 +1,9 @@
+#!/bin/bash
+
+# variables = var_accounts_tmout=700
+
+if grep -q "TMOUT" /etc/profile.d/tmout.sh; then
+ sed -i "s/.*TMOUT.*/TMOUT=700; readonly TMOUT; export TMOUT/" /etc/profile.d/tmout.sh
+else
+ echo "TMOUT=700; readonly TMOUT; export TMOUT" >> /etc/profile.d/tmout.sh
+fi
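Review bot: Unlike the other new `_profile_d` scenarios, this pass test performs no cleanup at all, not even of /etc/profile, so a non-compliant TMOUT left in /etc/profile by a previous scenario makes the check fail and the pass scenario fails spuriously. Add `sed -i "/.*TMOUT.*/d" /etc/profile` after the `# variables` line, as correct_value_profile_d.pass.sh and supercompliance_profile_d.pass.sh do, and ideally clear the other /etc/profile.d/*.sh files as well.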
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_tmout/tests/supercompliance.pass.sh b/linux_os/guide/system/accounts/accounts-session/accounts_tmout/tests/supercompliance_profile.pass.sh
similarity index 80%
rename from linux_os/guide/system/accounts/accounts-session/accounts_tmout/tests/supercompliance.pass.sh
rename to linux_os/guide/system/accounts/accounts-session/accounts_tmout/tests/supercompliance_profile.pass.sh
index 50f97e14c91..9927bf7b5da 100644
--- a/linux_os/guide/system/accounts/accounts-session/accounts_tmout/tests/supercompliance.pass.sh
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_tmout/tests/supercompliance_profile.pass.sh
@@ -2,6 +2,8 @@
# variables = var_accounts_tmout=900
+sed -i "/.*TMOUT.*/d" /etc/profile.d/*.sh
+
if grep -q "TMOUT" /etc/profile; then
sed -i "s/.*TMOUT.*/TMOUT=800/" /etc/profile
else
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_tmout/tests/supercompliance_profile_d.pass.sh b/linux_os/guide/system/accounts/accounts-session/accounts_tmout/tests/supercompliance_profile_d.pass.sh
new file mode 100644
index 00000000000..6316152a56b
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_tmout/tests/supercompliance_profile_d.pass.sh
@@ -0,0 +1,11 @@
+#!/bin/bash
+
+# variables = var_accounts_tmout=900
+
+sed -i "/.*TMOUT.*/d" /etc/profile
+
+if grep -q "TMOUT" /etc/profile.d/tmout.sh; then
+ sed -i "s/.*TMOUT.*/TMOUT=800/" /etc/profile.d/tmout.sh
+else
+ echo "TMOUT=800" >> /etc/profile.d/tmout.sh
+fi
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_tmout/tests/wrong_value.fail.sh b/linux_os/guide/system/accounts/accounts-session/accounts_tmout/tests/wrong_value_profile.fail.sh
similarity index 80%
rename from linux_os/guide/system/accounts/accounts-session/accounts_tmout/tests/wrong_value.fail.sh
rename to linux_os/guide/system/accounts/accounts-session/accounts_tmout/tests/wrong_value_profile.fail.sh
index a19002a4041..88b4ed6583f 100644
--- a/linux_os/guide/system/accounts/accounts-session/accounts_tmout/tests/wrong_value.fail.sh
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_tmout/tests/wrong_value_profile.fail.sh
@@ -2,6 +2,8 @@
# variables = var_accounts_tmout=200
+sed -i "/.*TMOUT.*/d" /etc/profile.d/*.sh
+
if grep -q "^TMOUT" /etc/profile; then
sed -i "s/^TMOUT.*/TMOUT=250/" /etc/profile
else
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_tmout/tests/wrong_value_profile_d.fail.sh b/linux_os/guide/system/accounts/accounts-session/accounts_tmout/tests/wrong_value_profile_d.fail.sh
new file mode 100644
index 00000000000..1c98456e55e
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_tmout/tests/wrong_value_profile_d.fail.sh
@@ -0,0 +1,11 @@
+#!/bin/bash
+
+# variables = var_accounts_tmout=900
+
+sed -i "/.*TMOUT.*/d" /etc/profile
+
+if grep -q "^TMOUT" /etc/profile.d/tmout.sh; then
+ sed -i "s/^TMOUT.*/TMOUT=950/" /etc/profile.d/tmout.sh
+else
+ echo "TMOUT=950" >> /etc/profile.d/tmout.sh
+fi
From 1bf99a57e35d6a41413bc6152313cb71e62c6e79 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Thu, 15 Apr 2021 15:38:46 +0200
Subject: [PATCH 2/4] update rule description
---
.../system/accounts/accounts-session/accounts_tmout/rule.yml | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_tmout/rule.yml b/linux_os/guide/system/accounts/accounts-session/accounts_tmout/rule.yml
index 844ef8b1ddf..98306fc5266 100644
--- a/linux_os/guide/system/accounts/accounts-session/accounts_tmout/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_tmout/rule.yml
@@ -7,7 +7,8 @@
description: |-
Setting the <tt>TMOUT</tt> option in <tt>/etc/profile</tt> ensures that
all user sessions will terminate based on inactivity. The <tt>TMOUT</tt>
- setting in <tt>/etc/profile</tt> should read as follows:
+ setting in a file loaded by <tt>/etc/profile</tt>, e.g.
+ <tt>/etc/profile.d/tmout.sh</tt> should read as follows:
<pre>TMOUT={{{ xccdf_value("var_accounts_tmout") }}}</pre>
rationale: |-
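Review bot: The first sentence of the description still says the option is set "in <tt>/etc/profile</tt>", while the rewritten second sentence now points at "a file loaded by <tt>/etc/profile</tt>, e.g. <tt>/etc/profile.d/tmout.sh</tt>"; the two read as contradicting each other. Suggested wording for the opening: `Setting the <tt>TMOUT</tt> option in <tt>/etc/profile</tt> or a file it loads, such as <tt>/etc/profile.d/tmout.sh</tt>, ensures that`. The new line also needs a comma after the example (`<tt>/etc/profile.d/tmout.sh</tt>, should read as follows:`).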
@@ -45,6 +46,6 @@
ocil: |-
Run the following command to ensure the <tt>TMOUT</tt> value is configured for all users
on the system:
- <pre>$ sudo grep TMOUT /etc/profile</pre>
+ <pre>$ sudo grep TMOUT /etc/profile /etc/profile.d/*.sh</pre>
The output should return the following:
<pre>TMOUT={{{ xccdf_value("var_accounts_tmout") }}}</pre>
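Review bot: With two path arguments `grep` prefixes each match with its file name, so the expected output shown right below (`TMOUT=...` alone) no longer matches what the auditor will see. Either use `grep -h TMOUT /etc/profile /etc/profile.d/*.sh` or state that the line is shown prefixed with the file it was found in. The pattern also matches commented-out `# TMOUT` lines, as it did before this change, which is worth a sentence in the ocil text.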
From 37a7d0f665f5718b5979e955eaa47c83cff09f0e Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Thu, 15 Apr 2021 15:39:04 +0200
Subject: [PATCH 3/4] update bash remediation
---
.../accounts_tmout/bash/shared.sh | 18 +++++++++++++-----
1 file changed, 13 insertions(+), 5 deletions(-)
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_tmout/bash/shared.sh b/linux_os/guide/system/accounts/accounts-session/accounts_tmout/bash/shared.sh
index ba01c7eca30..490617332a8 100644
--- a/linux_os/guide/system/accounts/accounts-session/accounts_tmout/bash/shared.sh
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_tmout/bash/shared.sh
@@ -2,9 +2,17 @@
. /usr/share/scap-security-guide/remediation_functions
{{{ bash_instantiate_variables("var_accounts_tmout") }}}
-if grep --silent '^\s*TMOUT' /etc/profile ; then
- sed -i -E "s/^(\s*)TMOUT\s*=\s*(\w|\$)*(.*)$/\1TMOUT=$var_accounts_tmout\3/g" /etc/profile
-else
- echo -e "\n# Set TMOUT to $var_accounts_tmout per security requirements" >> /etc/profile
- echo "TMOUT=$var_accounts_tmout" >> /etc/profile
+# if 0, no occurence of tmout found, if 1, occurence found
+tmout_found=0
+
+for f in /etc/profile /etc/profile.d/*.sh; do
+ if grep --silent '^\s*TMOUT' $f; then
+ sed -i -E "s/^(\s*)TMOUT\s*=\s*(\w|\$)*(.*)$/\1TMOUT=$var_accounts_tmout\3/g" $f
+ $tmout_found=1
+ fi
+done
+
+if [ $tmout_found -eq 0 ]; then
+ echo -e "\n# Set TMOUT to $var_accounts_tmout per security requirements" >> /etc/profile.d/tmout.sh
+ echo "TMOUT=$var_accounts_tmout" >> /etc/profile.d/tmout.sh
fi
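Review bot: `$tmout_found=1` on the line after the sed call expands to the command `0=1`, which fails with "command not found" and never sets the flag, so the loop's edits are always followed by a fresh `TMOUT=` line appended to /etc/profile.d/tmout.sh; the assignment must be `tmout_found=1`. In the same loop `$f` is unquoted on the `grep` and `sed` lines, and when /etc/profile.d has no `*.sh` file the loop iterates over the literal pattern, so a file-existence guard is needed. A note: the comment above the flag spells "occurrence" as "occurence".

```shell
for f in /etc/profile /etc/profile.d/*.sh; do
  # skip the literal pattern left behind when /etc/profile.d holds no *.sh file
  [ -f "$f" ] || continue
  if grep --silent '^\s*TMOUT' "$f"; then
    sed -i -E "s/^(\s*)TMOUT\s*=\s*(\w|\$)*(.*)$/\1TMOUT=$var_accounts_tmout\3/g" "$f"
    tmout_found=1
  fi
done
# … unchanged: append to /etc/profile.d/tmout.sh when tmout_found is 0 …
```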
From 29ff79f15efda649581fa74296329bbd3f5b4d9d Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Thu, 15 Apr 2021 15:39:23 +0200
Subject: [PATCH 4/4] update ansible remediation
---
.../accounts/accounts-session/accounts_tmout/ansible/shared.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_tmout/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-session/accounts_tmout/ansible/shared.yml
index 2c3049006da..f37ac94873c 100644
--- a/linux_os/guide/system/accounts/accounts-session/accounts_tmout/ansible/shared.yml
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_tmout/ansible/shared.yml
@@ -5,4 +5,4 @@
# disruption = low
{{{ ansible_instantiate_variables("var_accounts_tmout") }}}
-{{{ ansible_etc_profile_set(parameter='TMOUT', value='{{ var_accounts_tmout }}') }}}
+{{{ ansible_set_config_file(file='/etc/profile.d/tmout.sh', parameter='TMOUT', separator='=', separator_regex='=', value='{{ var_accounts_tmout }}', create='yes') }}}
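Review bot: The Ansible remediation now manages only /etc/profile.d/tmout.sh, whereas the bash remediation in the same series rewrites an existing TMOUT in /etc/profile or any /etc/profile.d/*.sh; after this change a stale `TMOUT=` in /etc/profile is left untouched by Ansible, and if it is evaluated after the profile.d files are sourced it would override the managed value, leaving the system non-compliant while the playbook reports success. Either keep the existing `/etc/profile` handling alongside the new task, or document in the `# disruption`/description header why the Ansible and bash paths intentionally differ.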