From db7bff613cb14543378661c1bf78582ada09d84a Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Tue, 24 Mar 2020 09:31:41 +0100
Subject: [PATCH 1/4] Add rules to check owners of /etc/issue

---
 .../file_groupowner_etc_issue/rule.yml        | 35 +++++++++++++++++++
 .../file_owner_etc_issue/rule.yml             | 35 +++++++++++++++++++
 .../file_permissions_etc_issue/rule.yml       |  2 ++
 shared/references/cce-redhat-avail.txt        |  4 ---
 4 files changed, 72 insertions(+), 4 deletions(-)
 create mode 100644 linux_os/guide/system/accounts/accounts-banners/file_groupowner_etc_issue/rule.yml
 create mode 100644 linux_os/guide/system/accounts/accounts-banners/file_owner_etc_issue/rule.yml

diff --git a/linux_os/guide/system/accounts/accounts-banners/file_groupowner_etc_issue/rule.yml b/linux_os/guide/system/accounts/accounts-banners/file_groupowner_etc_issue/rule.yml
new file mode 100644
index 0000000000..fe22c4ceda
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-banners/file_groupowner_etc_issue/rule.yml
@@ -0,0 +1,35 @@
+documentation_complete: true
+
+prodtype: fedora,ocp4,ol7,ol8,rhel6,rhel7,rhel8,rhv4,wrlinux1019
+
+title: 'Verify group ownership of System Login Banner'
+
+description: |-
+    {{{ describe_file_group_owner(file="/etc/issue", group="root") }}}
+
+rationale: |-
+    Display of a standardized and approved use notification before granting
+    access to the operating system ensures privacy and security notification
+    verbiage used is consistent with applicable federal laws, Executive Orders,
+    directives, policies, regulations, standards, and guidance.<br />
+    Proper group ownership will ensure that only root user can modify the banner.
+
+severity: medium
+
+identifiers:
+    cce@rhel7: 83707-0
+    cce@rhel8: 83708-8
+
+references:
+    cis@rhel7: 1.7.1.5
+    cis@rhel8: 1.8.1.5
+
+ocil_clause: '{{{ ocil_clause_file_group_owner(file="/etc/issue", group="root") }}}'
+
+ocil: '{{{ ocil_file_group_owner(file="/etc/issue", group="root") }}}'
+
+template:
+    name: file_groupowner
+    vars:
+        filepath: /etc/issue
+        filegid: '0'
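Review bot: The closing rationale sentence, `Proper group ownership will ensure that only root user can modify the banner.`, claims more than this rule verifies. Group ownership by root only decides who receives the group permission bits; whether a non-root user can write to /etc/issue still depends on the file mode, which is checked by the separate file_permissions_etc_issue rule (the mode it requires is not visible in this patch). I would reword it along the lines of `Proper group ownership, together with restrictive file permissions, helps ensure that only the root user can modify the banner.` The same sentence pattern appears in file_owner_etc_issue, file_groupowner_etc_motd and file_owner_etc_motd, and the same rewording applies there.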
diff --git a/linux_os/guide/system/accounts/accounts-banners/file_owner_etc_issue/rule.yml b/linux_os/guide/system/accounts/accounts-banners/file_owner_etc_issue/rule.yml
new file mode 100644
index 0000000000..1a96fc1bee
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-banners/file_owner_etc_issue/rule.yml
@@ -0,0 +1,35 @@
+documentation_complete: true
+
+prodtype: fedora,ocp4,ol7,ol8,rhel6,rhel7,rhel8,rhv4,wrlinux1019
+
+title: 'Verify ownership of System Login Banner'
+
+description: |-
+    {{{ describe_file_owner(file="/etc/issue", owner="root") }}}
+
+rationale: |-
+    Display of a standardized and approved use notification before granting
+    access to the operating system ensures privacy and security notification
+    verbiage used is consistent with applicable federal laws, Executive Orders,
+    directives, policies, regulations, standards, and guidance.<br />
+    Proper ownership will ensure that only root user can modify the banner.
+
+severity: medium
+
+identifiers:
+    cce@rhel7: 83717-9
+    cce@rhel8: 83718-7
+
+references:
+    cis@rhel7: 1.7.1.5
+    cis@rhel8: 1.8.1.5
+
+ocil_clause: '{{{ ocil_clause_file_owner(file="/etc/issue", owner="root") }}}'
+
+ocil: '{{{ ocil_file_owner(file="/etc/issue", owner="root") }}}'
+
+template:
+    name: file_owner
+    vars:
+        filepath: /etc/issue
+        fileuid: '0'
diff --git a/linux_os/guide/system/accounts/accounts-banners/file_permissions_etc_issue/rule.yml b/linux_os/guide/system/accounts/accounts-banners/file_permissions_etc_issue/rule.yml
index 323c3b93b6..6082783b89 100644
--- a/linux_os/guide/system/accounts/accounts-banners/file_permissions_etc_issue/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-banners/file_permissions_etc_issue/rule.yml
@@ -1,5 +1,7 @@
 documentation_complete: true
 
+prodtype: fedora,ocp4,ol7,ol8,rhel6,rhel7,rhel8,rhv4,wrlinux1019
+
 title: 'Verify permissions on System Login Banner'
 
 description: |-
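Review bot: Adding `prodtype` to an already existing rule changes its scope, not just its metadata. If a rule without `prodtype` is built for every product (I believe that is the convention here, but it is not shown in this patch), any product outside this list whose profiles select file_permissions_etc_issue would lose the check or fail to resolve it. Please confirm that no profile of an unlisted product references the rule, or extend the list. The same applies to the matching hunk in file_permissions_etc_motd/rule.yml, whose list additionally omits `ocp4`. The description block continues past the end of this hunk.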
diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
index 4a8668ed97..565be50dcf 100644
--- a/shared/references/cce-redhat-avail.txt
+++ b/shared/references/cce-redhat-avail.txt
@@ -394,8 +394,6 @@ CCE-83703-9
 CCE-83704-7
 CCE-83705-4
 CCE-83706-2
-CCE-83707-0
-CCE-83708-8
 CCE-83709-6
 CCE-83710-4
 CCE-83711-2
@@ -404,8 +402,6 @@ CCE-83713-8
 CCE-83714-6
 CCE-83715-3
 CCE-83716-1
-CCE-83717-9
-CCE-83718-7
 CCE-83719-5
 CCE-83720-3
 CCE-83721-1

From ac323a919cd97ee34d17d96ca20d10e8ad25ac43 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Tue, 24 Mar 2020 09:50:54 +0100
Subject: [PATCH 2/4] Add rules to check owners of /etc/motd

---
 .../file_groupowner_etc_motd/rule.yml         | 35 +++++++++++++++++++
 .../file_owner_etc_motd/rule.yml              | 35 +++++++++++++++++++
 .../file_permissions_etc_motd/rule.yml        |  2 ++
 shared/references/cce-redhat-avail.txt        |  4 ---
 4 files changed, 72 insertions(+), 4 deletions(-)
 create mode 100644 linux_os/guide/system/accounts/accounts-banners/file_groupowner_etc_motd/rule.yml
 create mode 100644 linux_os/guide/system/accounts/accounts-banners/file_owner_etc_motd/rule.yml

diff --git a/linux_os/guide/system/accounts/accounts-banners/file_groupowner_etc_motd/rule.yml b/linux_os/guide/system/accounts/accounts-banners/file_groupowner_etc_motd/rule.yml
new file mode 100644
index 0000000000..21ff3fb62a
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-banners/file_groupowner_etc_motd/rule.yml
@@ -0,0 +1,35 @@
+documentation_complete: true
+
+prodtype: fedora,ol7,ol8,rhel6,rhel7,rhel8,rhv4,wrlinux1019
+
+title: 'Verify group ownership of Message of the Day Banner'
+
+description: |-
+    {{{ describe_file_group_owner(file="/etc/motd", group="root") }}}
+
+rationale: |-
+    Display of a standardized and approved use notification before granting
+    access to the operating system ensures privacy and security notification
+    verbiage used is consistent with applicable federal laws, Executive Orders,
+    directives, policies, regulations, standards, and guidance.<br />
+    Proper group ownerhip will ensure that only root user can modify the banner.
+
+severity: medium
+
+identifiers:
+    cce@rhel7: 83727-8
+    cce@rhel8: 83728-6
+
+references:
+    cis@rhel7: 1.7.1.4
+    cis@rhel8: 1.8.1.4
+
+ocil_clause: '{{{ ocil_clause_file_group_owner(file="/etc/motd", group="root") }}}'
+
+ocil: '{{{ ocil_file_group_owner(file="/etc/motd", group="root") }}}'
+
+template:
+    name: file_groupowner
+    vars:
+        filepath: /etc/motd
+        filegid: '0'
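Review bot: The opening of the rationale is carried over from the /etc/issue rules and does not fit /etc/motd: the message of the day is normally shown after a successful login, not `before granting access to the operating system`. I would reword the first sentence for the motd rules, for example `Display of a standardized and approved use notification to users who log in to the operating system ensures ...`. It would also help to state the actual risk the ownership check addresses, namely that anyone able to write the file can alter or remove the notice shown to other users. The same text is used in file_owner_etc_motd/rule.yml.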
diff --git a/linux_os/guide/system/accounts/accounts-banners/file_owner_etc_motd/rule.yml b/linux_os/guide/system/accounts/accounts-banners/file_owner_etc_motd/rule.yml
new file mode 100644
index 0000000000..27fed965fb
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-banners/file_owner_etc_motd/rule.yml
@@ -0,0 +1,35 @@
+documentation_complete: true
+
+prodtype: fedora,ol7,ol8,rhel6,rhel7,rhel8,rhv4,wrlinux1019
+
+title: 'Verify ownership of Message of the Day Banner'
+
+description: |-
+    {{{ describe_file_owner(file="/etc/motd", owner="root") }}}
+
+rationale: |-
+    Display of a standardized and approved use notification before granting
+    access to the operating system ensures privacy and security notification
+    verbiage used is consistent with applicable federal laws, Executive Orders,
+    directives, policies, regulations, standards, and guidance.<br />
+    Proper ownerhip will ensure that only root user can modify the banner.
+
+severity: medium
+
+identifiers:
+    cce@rhel7: 83737-7
+    cce@rhel8: 83738-5
+
+references:
+    cis@rhel7: 1.7.1.4
+    cis@rhel8: 1.8.1.4
+
+ocil_clause: '{{{ ocil_clause_file_owner(file="/etc/motd", owner="root") }}}'
+
+ocil: '{{{ ocil_file_owner(file="/etc/motd", owner="root") }}}'
+
+template:
+    name: file_owner
+    vars:
+        filepath: /etc/motd
+        fileuid: '0'
diff --git a/linux_os/guide/system/accounts/accounts-banners/file_permissions_etc_motd/rule.yml b/linux_os/guide/system/accounts/accounts-banners/file_permissions_etc_motd/rule.yml
index 6d81eb43d1..ca789dc6f8 100644
--- a/linux_os/guide/system/accounts/accounts-banners/file_permissions_etc_motd/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-banners/file_permissions_etc_motd/rule.yml
@@ -1,5 +1,7 @@
 documentation_complete: true
 
+prodtype: fedora,ol7,ol8,rhel6,rhel7,rhel8,rhv4,wrlinux1019
+
 title: 'Verify permissions on Message of the Day Banner'
 
 description: |-
diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
index 565be50dcf..5986154a5a 100644
--- a/shared/references/cce-redhat-avail.txt
+++ b/shared/references/cce-redhat-avail.txt
@@ -410,8 +410,6 @@ CCE-83723-7
 CCE-83724-5
 CCE-83725-2
 CCE-83726-0
-CCE-83727-8
-CCE-83728-6
 CCE-83729-4
 CCE-83730-2
 CCE-83731-0
@@ -420,8 +418,6 @@ CCE-83733-6
 CCE-83734-4
 CCE-83735-1
 CCE-83736-9
-CCE-83737-7
-CCE-83738-5
 CCE-83739-3
 CCE-83740-1
 CCE-83741-9

From 3f0c74420e052b6ea18cef45896a48f24cd3c5df Mon Sep 17 00:00:00 2001
From: Watson Yuuma Sato <wsato@redhat.com>
Date: Tue, 24 Mar 2020 13:32:34 +0100
Subject: [PATCH 3/4] Update
 linux_os/guide/system/accounts/accounts-banners/file_groupowner_etc_motd/rule.yml
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Co-Authored-By: Jan Černý <jcerny@redhat.com>
---
 .../accounts/accounts-banners/file_groupowner_etc_motd/rule.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/linux_os/guide/system/accounts/accounts-banners/file_groupowner_etc_motd/rule.yml b/linux_os/guide/system/accounts/accounts-banners/file_groupowner_etc_motd/rule.yml
index 21ff3fb62a..9cebc074dd 100644
--- a/linux_os/guide/system/accounts/accounts-banners/file_groupowner_etc_motd/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-banners/file_groupowner_etc_motd/rule.yml
@@ -12,7 +12,7 @@ rationale: |-
     access to the operating system ensures privacy and security notification
     verbiage used is consistent with applicable federal laws, Executive Orders,
     directives, policies, regulations, standards, and guidance.<br />
-    Proper group ownerhip will ensure that only root user can modify the banner.
+    Proper group ownership will ensure that only root user can modify the banner.
 
 severity: medium
 

From 3138bbcee2a997eb0c8f74eabdcac9f71944e191 Mon Sep 17 00:00:00 2001
From: Watson Yuuma Sato <wsato@redhat.com>
Date: Tue, 24 Mar 2020 13:33:40 +0100
Subject: [PATCH 4/4] Fix typo in title of rule
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Co-Authored-By: Jan Černý <jcerny@redhat.com>
---
 .../accounts-banners/file_groupowner_etc_issue/rule.yml         | 2 +-
 .../accounts/accounts-banners/file_groupowner_etc_motd/rule.yml | 2 +-
 .../accounts/accounts-banners/file_owner_etc_motd/rule.yml      | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/linux_os/guide/system/accounts/accounts-banners/file_groupowner_etc_issue/rule.yml b/linux_os/guide/system/accounts/accounts-banners/file_groupowner_etc_issue/rule.yml
index fe22c4ceda..6ff4e0a95a 100644
--- a/linux_os/guide/system/accounts/accounts-banners/file_groupowner_etc_issue/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-banners/file_groupowner_etc_issue/rule.yml
@@ -2,7 +2,7 @@ documentation_complete: true
 
 prodtype: fedora,ocp4,ol7,ol8,rhel6,rhel7,rhel8,rhv4,wrlinux1019
 
-title: 'Verify group ownership of System Login Banner'
+title: 'Verify Group Ownership of System Login Banner'
 
 description: |-
     {{{ describe_file_group_owner(file="/etc/issue", group="root") }}}
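Review bot: The capitalisation fix reaches only the two group-owner rules. As far as this series shows, `title: 'Verify ownership of System Login Banner'` in file_owner_etc_issue and `title: 'Verify ownership of Message of the Day Banner'` in file_owner_etc_motd keep the lowercase form, so the four sibling rules end up with mixed title casing in the generated guide. I would change both to `Verify Ownership of ...` in this same commit.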
diff --git a/linux_os/guide/system/accounts/accounts-banners/file_groupowner_etc_motd/rule.yml b/linux_os/guide/system/accounts/accounts-banners/file_groupowner_etc_motd/rule.yml
index 9cebc074dd..8c66e997ac 100644
--- a/linux_os/guide/system/accounts/accounts-banners/file_groupowner_etc_motd/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-banners/file_groupowner_etc_motd/rule.yml
@@ -2,7 +2,7 @@ documentation_complete: true
 
 prodtype: fedora,ol7,ol8,rhel6,rhel7,rhel8,rhv4,wrlinux1019
 
-title: 'Verify group ownership of Message of the Day Banner'
+title: 'Verify Group Ownership of Message of the Day Banner'
 
 description: |-
     {{{ describe_file_group_owner(file="/etc/motd", group="root") }}}
diff --git a/linux_os/guide/system/accounts/accounts-banners/file_owner_etc_motd/rule.yml b/linux_os/guide/system/accounts/accounts-banners/file_owner_etc_motd/rule.yml
index 27fed965fb..8d963ae75d 100644
--- a/linux_os/guide/system/accounts/accounts-banners/file_owner_etc_motd/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-banners/file_owner_etc_motd/rule.yml
@@ -12,7 +12,7 @@ rationale: |-
     access to the operating system ensures privacy and security notification
     verbiage used is consistent with applicable federal laws, Executive Orders,
     directives, policies, regulations, standards, and guidance.<br />
-    Proper ownerhip will ensure that only root user can modify the banner.
+    Proper ownership will ensure that only root user can modify the banner.
 
 severity: medium