From 50ad7f3c4eb762de5d9b0a8b70aade2c04620eed Mon Sep 17 00:00:00 2001
From: CentOS Sources
Date: Aug 25 2020 18:36:26 +0000
Subject: import scap-security-guide-0.1.50-11.el8
---
diff --git a/SOURCES/scap-security-guide-0.1.51-grub2_doc_fix-PR_5890.patch b/SOURCES/scap-security-guide-0.1.51-grub2_doc_fix-PR_5890.patch
new file mode 100644
index 0000000..3da1764
--- /dev/null
+++ b/SOURCES/scap-security-guide-0.1.51-grub2_doc_fix-PR_5890.patch
@@ -0,0 +1,23 @@
+From 602e57d4c643be443110bbc772e6e5546b1a3cd3 Mon Sep 17 00:00:00 2001
+From: Gabriel Becker
+Date: Fri, 26 Jun 2020 16:56:52 +0200
+Subject: [PATCH] Update RHEL7 documentation link for
+ grub2_uefi_admin_username.
+
+---
+ .../system/bootloader-grub2/grub2_uefi_admin_username/rule.yml | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/linux_os/guide/system/bootloader-grub2/grub2_uefi_admin_username/rule.yml b/linux_os/guide/system/bootloader-grub2/grub2_uefi_admin_username/rule.yml
+index 1926837db7..0c69e59553 100644
+--- a/linux_os/guide/system/bootloader-grub2/grub2_uefi_admin_username/rule.yml
++++ b/linux_os/guide/system/bootloader-grub2/grub2_uefi_admin_username/rule.yml
+@@ -28,7 +28,7 @@ rationale: |-
+ For more information on how to configure the grub2 superuser account and password,
+ please refer to
+
+ {{% endif %}}
+
diff --git a/SOURCES/scap-security-guide-0.1.51-no_shelllogin_for_systemaccounts_ubi8-PR_5810.patch b/SOURCES/scap-security-guide-0.1.51-no_shelllogin_for_systemaccounts_ubi8-PR_5810.patch
new file mode 100644
index 0000000..9ad2d13
--- /dev/null
+++ b/SOURCES/scap-security-guide-0.1.51-no_shelllogin_for_systemaccounts_ubi8-PR_5810.patch
@@ -0,0 +1,375 @@
+From 62bf1be5a2f2789196a9b81ca7cd246d148dfb5b Mon Sep 17 00:00:00 2001
+From: Watson Sato
+Date: Wed, 3 Jun 2020 10:54:51 +0200
+Subject: [PATCH 1/3] no_shelllogin_for_systemaccounts: add tests
+
+---
+ .../no_shelllogin_for_systemaccounts/tests/default.pass.sh | 4 ++++
+ .../tests/no_sys_uids.pass.sh | 7 +++++++
+ .../tests/only_system_users.pass.sh | 6 ++++++
+ .../tests/system_user_with_shell.fail.sh | 6 ++++++
+ 4 files changed, 23 insertions(+)
+ create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_shelllogin_for_systemaccounts/tests/default.pass.sh
+ create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_shelllogin_for_systemaccounts/tests/no_sys_uids.pass.sh
+ create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_shelllogin_for_systemaccounts/tests/only_system_users.pass.sh
+ create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_shelllogin_for_systemaccounts/tests/system_user_with_shell.fail.sh
+
+diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_shelllogin_for_systemaccounts/tests/default.pass.sh b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_shelllogin_for_systemaccounts/tests/default.pass.sh
+new file mode 100644
+index 0000000000..6d48ad78fd
+--- /dev/null
++++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_shelllogin_for_systemaccounts/tests/default.pass.sh
+@@ -0,0 +1,4 @@
++# remediation = none
++
++#!/bin/bash
++true
+diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_shelllogin_for_systemaccounts/tests/no_sys_uids.pass.sh b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_shelllogin_for_systemaccounts/tests/no_sys_uids.pass.sh
+new file mode 100644
+index 0000000000..bc4f9cee8c
+--- /dev/null
++++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_shelllogin_for_systemaccounts/tests/no_sys_uids.pass.sh
+@@ -0,0 +1,7 @@
++# remediation = none
++
++#!/bin/bash
++
++# Force unset of SYS_UID values
++sed -i '/^SYS_UID_MIN/d' /etc/login.defs
++sed -i '/^SYS_UID_MAX/d' /etc/login.defs
+diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_shelllogin_for_systemaccounts/tests/only_system_users.pass.sh b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_shelllogin_for_systemaccounts/tests/only_system_users.pass.sh
+new file mode 100644
+index 0000000000..0cdb820bbb
+--- /dev/null
++++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_shelllogin_for_systemaccounts/tests/only_system_users.pass.sh
+@@ -0,0 +1,6 @@
++# remediation = none
++
++#!/bin/bash
++
++# remove any non-system user
++sed -Ei '/^root|nologin$|halt$|sync$|shutdown$/!d' /etc/passwd
+diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_shelllogin_for_systemaccounts/tests/system_user_with_shell.fail.sh b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_shelllogin_for_systemaccounts/tests/system_user_with_shell.fail.sh
+new file mode 100644
+index 0000000000..7639a8809d
+--- /dev/null
++++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_shelllogin_for_systemaccounts/tests/system_user_with_shell.fail.sh
+@@ -0,0 +1,6 @@
++# remediation = none
++
++#!/bin/bash
++
++# change system user "mail" shell to bash
++usermod --shell /bin/bash mail
+
+From 403cf63228a838bb80e09d8a6750bc5ee8597ce4 Mon Sep 17 00:00:00 2001
+From: Watson Sato
+Date: Wed, 3 Jun 2020 11:27:48 +0200
+Subject: [PATCH 2/3] no_shelllogin_for_systemaccounts: simplify check for
+ range of UIDs
+
+There is no need to make calculations on top of the UIDs, we can compare
+the collected UIDs with shell againt the states that define the valid range.
+ +Avoiding the calculations has the added benefit of not using/referencing +a variable that can be empty (when no user has shell, except root). +--- + .../oval/shared.xml | 198 +++--------------- + 1 file changed, 33 insertions(+), 165 deletions(-) + +diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_shelllogin_for_systemaccounts/oval/shared.xml b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_shelllogin_for_systemaccounts/oval/shared.xml +index 7e68441867..d0e836515b 100644 +--- a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_shelllogin_for_systemaccounts/oval/shared.xml ++++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_shelllogin_for_systemaccounts/oval/shared.xml +@@ -79,13 +79,6 @@ + 1 + + +- +- +- +- +- + + +- +- +- +- +- +- +- +- +- +- +- +- +- +- -1 +- +- +- +- +- -1 +- +- +- +- +- +- +- +- +- variable_default_range_quad_expr +- +- +- +- +- 0 +- +- + + +- +- +- +- ++ ++ ++ ++ ++ ++ ++ 0 ++ ++ ++ ++ + + + + + +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- -1 +- +- +- +- +- +- +- +- +- variable_reserved_range_quad_expr +- +- +- +- +- 0 +- +- + + +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- -1 +- +- +- +- +- +- +- +- +- +- -1 +- +- +- +- +- +- +- +- +- variable_dynalloc_range_quad_expr +- ++ ++ ++ ++ + +- +- +- 0 +- ++ ++ ++ + + + +- +- +- +- ++ ++ ++ ++ + ++ ++ ++ ++ ++ ++ + + +From 31654f72ee7cd30f937f84889c870fd330e7c366 Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Thu, 4 Jun 2020 14:04:37 +0200 +Subject: [PATCH 3/3] no_shelllogin_for_systemaccounts: Fix text shebangs + +--- + .../no_shelllogin_for_systemaccounts/tests/default.pass.sh | 2 +- + .../no_shelllogin_for_systemaccounts/tests/no_sys_uids.pass.sh | 3 +-- + .../tests/only_system_users.pass.sh | 3 +-- + .../tests/system_user_with_shell.fail.sh | 3 +-- + 4 files changed, 4 insertions(+), 7 deletions(-) + +diff --git 
a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_shelllogin_for_systemaccounts/tests/default.pass.sh b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_shelllogin_for_systemaccounts/tests/default.pass.sh
+index 6d48ad78fd..833831f79d 100644
+--- a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_shelllogin_for_systemaccounts/tests/default.pass.sh
++++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_shelllogin_for_systemaccounts/tests/default.pass.sh
+@@ -1,4 +1,4 @@
++#!/bin/bash
+ # remediation = none
+
+-#!/bin/bash
+ true
+diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_shelllogin_for_systemaccounts/tests/no_sys_uids.pass.sh b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_shelllogin_for_systemaccounts/tests/no_sys_uids.pass.sh
+index bc4f9cee8c..6769895eb2 100644
+--- a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_shelllogin_for_systemaccounts/tests/no_sys_uids.pass.sh
++++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_shelllogin_for_systemaccounts/tests/no_sys_uids.pass.sh
+@@ -1,6 +1,5 @@
+-# remediation = none
+-
+ #!/bin/bash
++# remediation = none
+
+ # Force unset of SYS_UID values
+ sed -i '/^SYS_UID_MIN/d' /etc/login.defs
+diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_shelllogin_for_systemaccounts/tests/only_system_users.pass.sh b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_shelllogin_for_systemaccounts/tests/only_system_users.pass.sh
+index 0cdb820bbb..06edf671ce 100644
+--- a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_shelllogin_for_systemaccounts/tests/only_system_users.pass.sh
++++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_shelllogin_for_systemaccounts/tests/only_system_users.pass.sh
+@@ -1,6 +1,5 @@
+-# remediation = none
+-
+ #!/bin/bash
++# remediation = none
+
+ # remove any non-system user
+ sed -Ei '/^root|nologin$|halt$|sync$|shutdown$/!d' /etc/passwd
+diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_shelllogin_for_systemaccounts/tests/system_user_with_shell.fail.sh b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_shelllogin_for_systemaccounts/tests/system_user_with_shell.fail.sh
+index 7639a8809d..10312593b8 100644
+--- a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_shelllogin_for_systemaccounts/tests/system_user_with_shell.fail.sh
++++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_shelllogin_for_systemaccounts/tests/system_user_with_shell.fail.sh
+@@ -1,6 +1,5 @@
+-# remediation = none
+-
+ #!/bin/bash
++# remediation = none
+
+ # change system user "mail" shell to bash
+ usermod --shell /bin/bash mail
diff --git a/SOURCES/scap-security-guide-0.1.52-selinux_all_devicefiles_labeled_fix-PR_5911.patch b/SOURCES/scap-security-guide-0.1.52-selinux_all_devicefiles_labeled_fix-PR_5911.patch
new file mode 100644
index 0000000..e734ce1
--- /dev/null
+++ b/SOURCES/scap-security-guide-0.1.52-selinux_all_devicefiles_labeled_fix-PR_5911.patch
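Review bot: The keep-pattern in only_system_users.pass.sh, `sed -Ei '/^root|nologin$|halt$|sync$|shutdown$/!d' /etc/passwd`, matches root by prefix only, so `^root` also keeps any account whose name merely begins with "root", and `nologin$` keeps every account with a nologin shell regardless of UID, which is wider than the "remove any non-system user" comment above it says. Anchoring on the field separator, `sed -Ei '/^root:|nologin$|halt$|sync$|shutdown$/!d' /etc/passwd`, makes the root match exact; the nologin alternative looks harmless for this rule, whose commit message says only UIDs with a shell are collected, but the comment should state that shell-less non-system accounts are deliberately left in place. The script also rewrites /etc/passwd without touching /etc/shadow or /etc/group, which is acceptable for a disposable test environment and worth a one-line comment so it is not mistaken for an incomplete cleanup. The OVAL rewrite in patch 2/3 has lost its XML markup in this rendering, so its comparison logic cannot be reviewed from here.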
@@ -0,0 +1,209 @@
+From 60f82f8d33cef82f3ff5e90073803c199bad02fb Mon Sep 17 00:00:00 2001
+From: Vojtech Polasek
+Date: Tue, 7 Jul 2020 11:31:59 +0200
+Subject: [PATCH 1/3] modify rule description and ocil
+
+---
+ .../selinux_all_devicefiles_labeled/rule.yml | 19 +++++++++++--------
+ 1 file changed, 11 insertions(+), 8 deletions(-)
+
+diff --git a/linux_os/guide/system/selinux/selinux_all_devicefiles_labeled/rule.yml b/linux_os/guide/system/selinux/selinux_all_devicefiles_labeled/rule.yml
+index 765fca583e..1667557740 100644
+--- a/linux_os/guide/system/selinux/selinux_all_devicefiles_labeled/rule.yml
++++ b/linux_os/guide/system/selinux/selinux_all_devicefiles_labeled/rule.yml
+@@ -6,18 +6,20 @@ title: 'Ensure No Device Files are Unlabeled by SELinux'
+
+ description: |-
+ Device files, which are used for communication with important system
+- resources, should be labeled with proper SELinux types. If any device
+- files do not carry the SELinux type device_t, report the bug so
+- that policy can be corrected. Supply information about what the device is
+- and what programs use it.
++ resources, should be labeled with proper SELinux types. If any device files
++ carry the SELinux type device_t or unlabeled_t, report the
++ bug so that policy can be corrected. Supply information about what the
++ device is and what programs use it.
+

+- To check for unlabeled device files, run the following command:
++ To check for incorrectly labeled device files, run following commands:
+
$ sudo find /dev -context *:device_t:* \( -type c -o -type b \) -printf "%p %Z\n"
++
$ sudo find /dev -context *:unlabeled_t:* \( -type c -o -type b \) -printf "%p %Z\n"
+ It should produce no output in a well-configured system.
+
+ rationale: |-
+- If a device file carries the SELinux type device_t, then SELinux
+- cannot properly restrict access to the device file.
++ If a device file carries the SELinux type device_t or
++ unlabeled_t, then SELinux cannot properly restrict access to the
++ device file.
+
+ severity: medium
+
+@@ -45,8 +47,9 @@ references:
+ ocil_clause: 'there is output'
+
+ ocil: |-
+- To check for unlabeled device files, run the following command:
++ To check for incorrectly labeled device files, run following commands:
+
$ sudo find /dev -context *:device_t:* \( -type c -o -type b \) -printf "%p %Z\n"
++
$ sudo find /dev -context *:unlabeled_t:* \( -type c -o -type b \) -printf "%p %Z\n"
+ It should produce no output in a well-configured system.
+
+ warnings:
+
+From e0cb2d04a9d95967e4adb3e05cc93a4a834a90b5 Mon Sep 17 00:00:00 2001
+From: Vojtech Polasek
+Date: Tue, 7 Jul 2020 11:32:57 +0200
+Subject: [PATCH 2/3] updated oval to check only device files
+
+---
+ .../oval/shared.xml | 64 +++++++++++++------
+ 1 file changed, 43 insertions(+), 21 deletions(-)
+
+diff --git a/linux_os/guide/system/selinux/selinux_all_devicefiles_labeled/oval/shared.xml b/linux_os/guide/system/selinux/selinux_all_devicefiles_labeled/oval/shared.xml
+index 51b68008af..7dcfb98577 100644
+--- a/linux_os/guide/system/selinux/selinux_all_devicefiles_labeled/oval/shared.xml
++++ b/linux_os/guide/system/selinux/selinux_all_devicefiles_labeled/oval/shared.xml
+@@ -2,32 +2,54 @@
+
+
+ Device Files Have Proper SELinux Context
+-
+- Red Hat Enterprise Linux 6
+- Red Hat Enterprise Linux 7
+- Red Hat Enterprise Linux 8
+- Red Hat Virtualization 4
+- multi_platform_fedora
+- multi_platform_ol
+- multi_platform_wrlinux
+-
+- All device files in /dev should be assigned an SELinux security context other than 'device_t'.
++ {{{- oval_affected(products) }}}
++ All device files in /dev should be assigned an SELinux security context other than 'device_t' and 'unlabeled_t'.
+ +- +- ++ ++ ++ + + +- +- +- ++ ++ ++ ++ ++ /dev ++ ^.*$ ++ state_block_or_char_device_file ++ ++ ++ ++ ^(block|character) special$ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ + +- +- +- /dev +- ^.*$ +- state_selinux_all_devicefiles_labeled ++ ++ ++ state_selinux_dev_device_t + +- ++ + device_t + ++ ++ ++ ++ ++ ++ ++ ++ state_selinux_dev_unlabeled_t ++ ++ ++ unlabeled_t ++ ++ + + +From 0bd95e6dbe3684524c86150cdb6beb0af05ff119 Mon Sep 17 00:00:00 2001 +From: Vojtech Polasek +Date: Tue, 7 Jul 2020 11:33:26 +0200 +Subject: [PATCH 3/3] add tests + +--- + .../tests/block_device_device_t.fail.sh | 4 ++++ + .../tests/char_device_unlabeled_t.fail.sh | 14 ++++++++++++++ + .../tests/regular_file_device_t.pass.sh | 4 ++++ + .../tests/symlink_with_wrong_label.pass.sh | 4 ++++ + 4 files changed, 26 insertions(+) + create mode 100644 linux_os/guide/system/selinux/selinux_all_devicefiles_labeled/tests/block_device_device_t.fail.sh + create mode 100644 linux_os/guide/system/selinux/selinux_all_devicefiles_labeled/tests/char_device_unlabeled_t.fail.sh + create mode 100644 linux_os/guide/system/selinux/selinux_all_devicefiles_labeled/tests/regular_file_device_t.pass.sh + create mode 100644 linux_os/guide/system/selinux/selinux_all_devicefiles_labeled/tests/symlink_with_wrong_label.pass.sh + +diff --git a/linux_os/guide/system/selinux/selinux_all_devicefiles_labeled/tests/block_device_device_t.fail.sh b/linux_os/guide/system/selinux/selinux_all_devicefiles_labeled/tests/block_device_device_t.fail.sh +new file mode 100644 +index 0000000000..08c4142e5b +--- /dev/null ++++ b/linux_os/guide/system/selinux/selinux_all_devicefiles_labeled/tests/block_device_device_t.fail.sh +@@ -0,0 +1,4 @@ ++#!/bin/bash ++ ++mknod /dev/foo b 1 5 ++chcon -t device_t /dev/foo +diff --git a/linux_os/guide/system/selinux/selinux_all_devicefiles_labeled/tests/char_device_unlabeled_t.fail.sh b/linux_os/guide/system/selinux/selinux_all_devicefiles_labeled/tests/char_device_unlabeled_t.fail.sh +new file mode 100644 +index 
0000000000..1da85c2034
+--- /dev/null
++++ b/linux_os/guide/system/selinux/selinux_all_devicefiles_labeled/tests/char_device_unlabeled_t.fail.sh
+@@ -0,0 +1,14 @@
++#!/bin/bash
++
++# selinux does not allow unlabeled_t in /dev
++# we have to modify the selinux policy to allow that
++
++echo '(allow unlabeled_t device_t (filesystem (associate)))' > /tmp/unlabeled_t.cil
++semodule -i /tmp/unlabeled_t.cil
++
++mknod /dev/foo c 1 5
++chcon -t unlabeled_t /dev/foo
++
++
++mknod /dev/foo c 1 5
++chcon -t device_t /dev/foo
+diff --git a/linux_os/guide/system/selinux/selinux_all_devicefiles_labeled/tests/regular_file_device_t.pass.sh b/linux_os/guide/system/selinux/selinux_all_devicefiles_labeled/tests/regular_file_device_t.pass.sh
+new file mode 100644
+index 0000000000..d161951d7a
+--- /dev/null
++++ b/linux_os/guide/system/selinux/selinux_all_devicefiles_labeled/tests/regular_file_device_t.pass.sh
+@@ -0,0 +1,4 @@
++#!/bin/bash
++
++touch /dev/foo
++restorecon -F /dev/foo
+diff --git a/linux_os/guide/system/selinux/selinux_all_devicefiles_labeled/tests/symlink_with_wrong_label.pass.sh b/linux_os/guide/system/selinux/selinux_all_devicefiles_labeled/tests/symlink_with_wrong_label.pass.sh
+new file mode 100644
+index 0000000000..a8280bf37e
+--- /dev/null
++++ b/linux_os/guide/system/selinux/selinux_all_devicefiles_labeled/tests/symlink_with_wrong_label.pass.sh
+@@ -0,0 +1,4 @@
++#!/bin/bash
++
++ln -s /dev/cpu /dev/foo
++restorecon -F /dev/foo
diff --git a/SPECS/scap-security-guide.spec b/SPECS/scap-security-guide.spec
index 7cd18e6..bbd63c3 100644
--- a/SPECS/scap-security-guide.spec
+++ b/SPECS/scap-security-guide.spec
@@ -1,6 +1,6 @@
 Name: scap-security-guide
 Version: 0.1.50
-Release: 10%{?dist}
+Release: 11%{?dist}
 Summary: Security guidance and baselines in SCAP formats
 Group: Applications/System
 License: BSD
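Review bot: In char_device_unlabeled_t.fail.sh the last two lines repeat `mknod /dev/foo c 1 5` (which fails, since /dev/foo already exists) and then run `chcon -t device_t /dev/foo`, relabeling the node from unlabeled_t to device_t; the scenario therefore ends in the device_t state that block_device_device_t.fail.sh already covers, not the unlabeled_t state its name promises. Deleting those two trailing lines leaves the node labeled unlabeled_t as intended. The CIL module loaded from /tmp/unlabeled_t.cil with `semodule -i` persists after the scenario and is never removed; a comment stating whether the test environment is expected to be discarded afterwards would make that intent explicit. In the rule.yml description and ocil text, the `-context` arguments `*:device_t:*` and `*:unlabeled_t:*` are unquoted, so a shell would glob-expand them if a matching name existed in the current directory; quoting them as `'*:device_t:*'` keeps the commands robust when users copy them.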
@@ -30,6 +30,9 @@ Patch18: scap-security-guide-0.1.52-ospp_missing_ssh_srg-PR_6008.patch
 Patch19: scap-security-guide-0.1.51-parametrize-ssh-PR5772.patch
 Patch20: scap-security-guide-0.1.51-parametrize-ssh-PR5782.patch
 Patch21: scap-security-guide-0.1.51-parametrize-ssh-PR5788.patch
+Patch22: scap-security-guide-0.1.52-selinux_all_devicefiles_labeled_fix-PR_5911.patch
+Patch23: scap-security-guide-0.1.51-no_shelllogin_for_systemaccounts_ubi8-PR_5810.patch
+Patch24: scap-security-guide-0.1.51-grub2_doc_fix-PR_5890.patch
 BuildArch: noarch
@@ -86,6 +89,9 @@ present in %{name} package.
 %patch19 -p1
 %patch20 -p1
 %patch21 -p1
+%patch22 -p1
+%patch23 -p1
+%patch24 -p1
 mkdir build
 %build
@@ -120,6 +126,11 @@ cd build
 %doc %{_docdir}/%{name}/tables/*.html
 %changelog
+* Thu Aug 20 2020 Matěj Týč - 0.1.50-11
+- fixed link in a grub2 rule description (rhbz#1854854)
+- fixed selinux_all_devicefiles_labeled rule (rhbz#1852367)
+- fixed no_shelllogin_for_systemaccounts on ubi8 (rhbz#1836873)
+
 * Mon Aug 17 2020 Matěj Týč - 0.1.50-10
 - Update the scapval invocation (RHBZ#1815007)
 - Re-added the SSH Crypto Policy rule to OSPP, and added an SRG to the rule (RHBZ#1815007)