From e71555b8fcefcb433f0aa26bc8989477093361e5 Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: Mar 07 2023 09:26:22 +0000 Subject: import scap-security-guide-0.1.66-1.el7_9 --- diff --git a/.gitignore b/.gitignore index 719f18c..6109c1a 100644 --- a/.gitignore +++ b/.gitignore @@ -1,2 +1,2 @@ SOURCES/scap-security-guide-0.1.52-2.el7_9-rhel6.tar.bz2 -SOURCES/scap-security-guide-0.1.63.tar.bz2 +SOURCES/scap-security-guide-0.1.66.tar.bz2 diff --git a/.scap-security-guide.metadata b/.scap-security-guide.metadata index 31d7902..6ec1dbc 100644 --- a/.scap-security-guide.metadata +++ b/.scap-security-guide.metadata @@ -1,2 +1,2 @@ b22b45d29ad5a97020516230a6ef3140a91d050a SOURCES/scap-security-guide-0.1.52-2.el7_9-rhel6.tar.bz2 -b77c67caa4f8818e95fa6a4c74adf3173ed8e3d2 SOURCES/scap-security-guide-0.1.63.tar.bz2 +fdef63150c650bc29c06eea0aba6092688ab60a9 SOURCES/scap-security-guide-0.1.66.tar.bz2 diff --git a/SOURCES/disable-not-in-good-shape-profiles.patch b/SOURCES/disable-not-in-good-shape-profiles.patch index d1c7ab0..f883e6a 100644 --- a/SOURCES/disable-not-in-good-shape-profiles.patch +++ b/SOURCES/disable-not-in-good-shape-profiles.patch @@ -1,12 +1,12 @@ -From 668ecb9af2db8fb63a6a3198d3f9f3419b023969 Mon Sep 17 00:00:00 2001 +From 746381a4070fc561651ad65ec0fe9610e8590781 Mon Sep 17 00:00:00 2001 From: Watson Sato -Date: Mon, 8 Aug 2022 11:31:13 +0200 -Subject: [PATCH 1/5] Disable profiles not in a good shape +Date: Mon, 6 Feb 2023 14:44:17 +0100 +Subject: [PATCH] Disable profiles not in good shape Patch-name: disable-not-in-good-shape-profiles.patch -Patch-status: |- - Disable profiles that are not in good shape for products/rhel8 Patch-id: 0 +Patch-status: | + Patch prevents cjis, rht-ccp and standard profiles in RHEL8 datastream --- products/rhel8/CMakeLists.txt | 1 - products/rhel8/profiles/cjis.profile | 2 +- 
@@ -27,7 +27,7 @@ index 9c044b68ab..8f6ca03de8 100644 ssg_build_html_profile_table("table-${PRODUCT}-anssirefs-bp28_minimal" "${PRODUCT}" "anssi_bp28_minimal" "anssi") diff --git a/products/rhel8/profiles/cjis.profile b/products/rhel8/profiles/cjis.profile -index 30843b692e..18394802b9 100644 +index 22ae5aac72..f60b65bc06 100644 --- a/products/rhel8/profiles/cjis.profile +++ b/products/rhel8/profiles/cjis.profile @@ -1,4 +1,4 @@ @@ -37,7 +37,7 @@ index 30843b692e..18394802b9 100644 metadata: version: 5.4 diff --git a/products/rhel8/profiles/rht-ccp.profile b/products/rhel8/profiles/rht-ccp.profile -index e8e7e3a72f..d293c779bb 100644 +index b192461f95..ae1e7d5a15 100644 --- a/products/rhel8/profiles/rht-ccp.profile +++ b/products/rhel8/profiles/rht-ccp.profile @@ -1,4 +1,4 @@ @@ -57,5 +57,5 @@ index a63ae2cf32..da669bb843 100644 title: 'Standard System Security Profile for Red Hat Enterprise Linux 8' -- -2.37.2 +2.39.1 diff --git a/SOURCES/scap-security-guide-0.1.64-accept_sudoers_without_includes-PR_9283.patch b/SOURCES/scap-security-guide-0.1.64-accept_sudoers_without_includes-PR_9283.patch deleted file mode 100644 index 29f2870..0000000 --- a/SOURCES/scap-security-guide-0.1.64-accept_sudoers_without_includes-PR_9283.patch +++ /dev/null 
@@ -1,92 +0,0 @@ -From 64fa70eeb2bc45e08a102fc10573fd256b4388fd Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= -Date: Wed, 3 Aug 2022 13:08:25 +0200 -Subject: [PATCH 2/7] Merge pull request #9283 from - yuumasato/accept_sudoers_without_includes - -Patch-name: scap-security-guide-0.1.64-accept_sudoers_without_includes-PR_9283.patch -Patch-status: Accept sudoers files without includes as compliant ---- - .../oval/shared.xml | 24 +++++++++++++++---- - .../sudo/sudoers_default_includedir/rule.yml | 8 ++++--- - ...cludedir.fail.sh => no_includedir.pass.sh} | 2 +- - 3 files changed, 26 insertions(+), 8 deletions(-) - rename linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/{no_includedir.fail.sh => no_includedir.pass.sh} (51%) - -diff --git a/linux_os/guide/system/software/sudo/sudoers_default_includedir/oval/shared.xml b/linux_os/guide/system/software/sudo/sudoers_default_includedir/oval/shared.xml -index 59cab0b89d..82095acc6e 100644 ---- a/linux_os/guide/system/software/sudo/sudoers_default_includedir/oval/shared.xml -+++ b/linux_os/guide/system/software/sudo/sudoers_default_includedir/oval/shared.xml -@@ -1,10 +1,16 @@ - - - {{{ oval_metadata("Check if sudo includes only the default includedir") }}} -- -- -- -- -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ - - - -@@ -32,6 +38,16 @@ - 1 - - -+ -+ -+ -+ -+ /etc/sudoers -+ ^#includedir[\s]+.*$ -+ 1 -+ -+ - - -diff --git a/linux_os/guide/system/software/sudo/sudoers_default_includedir/rule.yml b/linux_os/guide/system/software/sudo/sudoers_default_includedir/rule.yml -index aa2aaee19f..83bfb0183b 100644 ---- a/linux_os/guide/system/software/sudo/sudoers_default_includedir/rule.yml -+++ b/linux_os/guide/system/software/sudo/sudoers_default_includedir/rule.yml -@@ -8,9 +8,11 @@ description: |- - Administrators can configure authorized sudo users via drop-in files, and it is possible to include - other directories and configuration files from the file currently being parsed. 
- -- Make sure that /etc/sudoers only includes drop-in configuration files from /etc/sudoers.d. -- The /etc/sudoers should contain only one #includedir directive pointing to -- /etc/sudoers.d, and no file in /etc/sudoers.d/ should include other files or directories. -+ Make sure that /etc/sudoers only includes drop-in configuration files from /etc/sudoers.d, -+ or that no drop-in file is included. -+ Either the /etc/sudoers should contain only one #includedir directive pointing to -+ /etc/sudoers.d, and no file in /etc/sudoers.d/ should include other files or directories; -+ Or the /etc/sudoers should not contain any #include or #includedir directives. - Note that the '#' character doesn't denote a comment in the configuration file. - - rationale: |- -diff --git a/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/no_includedir.fail.sh b/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/no_includedir.pass.sh -similarity index 51% -rename from linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/no_includedir.fail.sh -rename to linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/no_includedir.pass.sh -index 1e0ab8aea9..fe73cb2507 100644 ---- a/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/no_includedir.fail.sh -+++ b/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/no_includedir.pass.sh -@@ -1,4 +1,4 @@ - #!/bin/bash - # platform = multi_platform_all - --sed -i "/#includedir.*/d" /etc/sudoers -+sed -i "/#include(dir)?.*/d" /etc/sudoers --- -2.37.2 - diff --git a/SOURCES/scap-security-guide-0.1.64-add_auid_filters_kernel_module_rules-PR_9290.patch b/SOURCES/scap-security-guide-0.1.64-add_auid_filters_kernel_module_rules-PR_9290.patch deleted file mode 100644 index d04dfa8..0000000 --- a/SOURCES/scap-security-guide-0.1.64-add_auid_filters_kernel_module_rules-PR_9290.patch +++ /dev/null 
@@ -1,342 +0,0 @@ -From 4bd9695d78e003ee788b0386822213198c2c0f70 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= -Date: Wed, 10 Aug 2022 08:52:20 +0200 -Subject: [PATCH 4/7] Merge pull request #9290 from - yuumasato/rhel7_audit_auid_stig - -Patch-name: scap-security-guide-0.1.64-add_auid_filters_kernel_module_rules-PR_9290.patch -Patch-status: Add the AUID filters on RHEL7 audit kernel module rules ---- - .../ansible/shared.yml | 2 +- - .../bash/shared.sh | 2 +- - .../oval/shared.xml | 8 ++++---- - .../audit_rules_kernel_module_loading_delete/rule.yml | 2 +- - .../tests/correct_rules.pass.sh | 2 +- - .../tests/wrong_list_action.fail.sh | 2 +- - .../tests/wrong_syscall.fail.sh | 2 +- - .../ansible/shared.yml | 2 +- - .../bash/shared.sh | 2 +- - .../oval/shared.xml | 8 ++++---- - .../audit_rules_kernel_module_loading_finit/rule.yml | 4 ++-- - .../tests/correct_rules.pass.sh | 2 +- - .../ansible/shared.yml | 2 +- - .../audit_rules_kernel_module_loading_init/bash/shared.sh | 2 +- - .../oval/shared.xml | 8 ++++---- - .../audit_rules_kernel_module_loading_init/rule.yml | 2 +- - .../tests/correct_rules.pass.sh | 2 +- - 17 files changed, 27 insertions(+), 27 deletions(-) - -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_delete/ansible/shared.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_delete/ansible/shared.yml -index b4d1eb01c0..fa60d212f2 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_delete/ansible/shared.yml -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_delete/ansible/shared.yml -@@ -4,7 +4,7 @@ - # disruption = low - # strategy = configure - --{{% if product in ["ol8", "rhel8"] %}} -+{{% if product in ["ol8"] or 'rhel' in product %}} - 
{{% set auid_filters = "-F auid>=" ~ auid ~ " -F auid!=unset" %}} - {{% else %}} - {{% set auid_filters = "" %}} -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_delete/bash/shared.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_delete/bash/shared.sh -index 73ee785b21..c85ee267a1 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_delete/bash/shared.sh -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_delete/bash/shared.sh -@@ -12,7 +12,7 @@ for ARCH in "${RULE_ARCHS[@]}" - do - ACTION_ARCH_FILTERS="-a always,exit -F arch=$ARCH" - OTHER_FILTERS="" -- {{% if product in ["ol8", "rhel8"] %}} -+ {{% if product in ["ol8"] or 'rhel' in product %}} - AUID_FILTERS="-F auid>={{{ auid }}} -F auid!=unset" - {{% else %}} - AUID_FILTERS="" -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_delete/oval/shared.xml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_delete/oval/shared.xml -index 4ee0382673..0aeb4bd660 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_delete/oval/shared.xml -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_delete/oval/shared.xml -@@ -36,7 +36,7 @@ - - - ^/etc/audit/rules\.d/.*\.rules$ -- {{% if product in ["ol8", "rhel8"] %}} -+ {{% if product in ["ol8"] or 'rhel' in product %}} - 
^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+delete_module[\s]+|([\s]+|[,])delete_module([\s]+|[,]))).*(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295))\s+(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ - {{% else %}} - ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+delete_module[\s]+|([\s]+|[,])delete_module([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ -@@ -49,7 +49,7 @@ - - - ^/etc/audit/rules\.d/.*\.rules$ -- {{% if product in ["ol8", "rhel8"] %}} -+ {{% if product in ["ol8"] or 'rhel' in product %}} - ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+delete_module[\s]+|([\s]+|[,])delete_module([\s]+|[,]))).*(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295))\s+(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ - {{% else %}} - ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+delete_module[\s]+|([\s]+|[,])delete_module([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ -@@ -62,7 +62,7 @@ - - - /etc/audit/audit.rules -- {{% if product in ["ol8", "rhel8"] %}} -+ {{% if product in ["ol8"] or 'rhel' in product %}} - ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+delete_module[\s]+|([\s]+|[,])delete_module([\s]+|[,]))).*(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295))\s+(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ - {{% else %}} - ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+delete_module[\s]+|([\s]+|[,])delete_module([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ -@@ -75,7 +75,7 @@ - - - /etc/audit/audit.rules -- {{% if product in ["ol8", "rhel8"] %}} -+ {{% if product in ["ol8"] or 'rhel' in product %}} - ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+delete_module[\s]+|([\s]+|[,])delete_module([\s]+|[,]))).*(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295))\s+(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ - {{% else %}} - 
^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+delete_module[\s]+|([\s]+|[,])delete_module([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_delete/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_delete/rule.yml -index 56463078fc..dba9e967da 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_delete/rule.yml -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_delete/rule.yml -@@ -7,7 +7,7 @@ title: 'Ensure auditd Collects Information on Kernel Module Unloading - delete_m - description: |- - To capture kernel module unloading events, use following line, setting ARCH to - either b32 for 32-bit system, or having two lines for both b32 and b64 in case your system is 64-bit: -- {{% if product in ["ol8", "rhel8"] %}} -+ {{% if product in ["ol8"] or 'rhel' in product %}} -
-a always,exit -F arch=ARCH -S delete_module -F auid>=1000 -F auid!=unset -F key=modules
- {{% else %}} -
-a always,exit -F arch=ARCH -S delete_module -F key=modules
-diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_delete/tests/correct_rules.pass.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_delete/tests/correct_rules.pass.sh -index 2da82fb1f1..46ff5d7607 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_delete/tests/correct_rules.pass.sh -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_delete/tests/correct_rules.pass.sh -@@ -7,7 +7,7 @@ - - rm -f /etc/audit/rules.d/* - > /etc/audit/audit.rules --{{% if product in ["ol8", "rhel8"] %}} -+{{% if product in ["ol8"] or 'rhel' in product %}} - echo "-a always,exit -F arch=b32 -S delete_module -F auid>=1000 -F auid!=unset -F key=modules" >> /etc/audit/rules.d/modules.rules - echo "-a always,exit -F arch=b64 -S delete_module -F auid>=1000 -F auid!=unset -F key=modules" >> /etc/audit/rules.d/modules.rules - {{% else %}} -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_delete/tests/wrong_list_action.fail.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_delete/tests/wrong_list_action.fail.sh -index 97faceec0a..1ee0a9b683 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_delete/tests/wrong_list_action.fail.sh -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_delete/tests/wrong_list_action.fail.sh -@@ -7,7 +7,7 @@ - - rm -f /etc/audit/rules.d/* - > /etc/audit/audit.rules\ --{{% if product not in ["ol8", "rhel8"] %}} -+{{% if product in ["ol8"] or 'rhel' in product %}} - echo "-a 
never,exit -F arch=b32 -S delete_module -F auid>=1000 -F auid!=unset -F key=modules" >> /etc/audit/rules.d/modules.rules - echo "-a never,exit -F arch=b64 -S delete_module -F auid>=1000 -F auid!=unset -F key=modules" >> /etc/audit/rules.d/modules.rules - {{% else %}} -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_delete/tests/wrong_syscall.fail.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_delete/tests/wrong_syscall.fail.sh -index b31fb66a5a..eff32e6052 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_delete/tests/wrong_syscall.fail.sh -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_delete/tests/wrong_syscall.fail.sh -@@ -7,7 +7,7 @@ - - rm -f /etc/audit/rules.d/* - > /etc/audit/audit.rules --{{% if product not in ["ol8", "rhel8"] %}} -+{{% if product in ["ol8"] or 'rhel' in product %}} - echo "-a always,exit -F arch=b32 -S delete -F auid>=1000 -F auid!=unset -F key=modules" >> /etc/audit/rules.d/modules.rules - echo "-a always,exit -F arch=b64 -S delete -F auid>=1000 -F auid!=unset -F key=modules" >> /etc/audit/rules.d/modules.rules - {{% else %}} -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_finit/ansible/shared.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_finit/ansible/shared.yml -index a0a6793b6c..a40faad4a7 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_finit/ansible/shared.yml -+++ 
b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_finit/ansible/shared.yml -@@ -4,7 +4,7 @@ - # disruption = low - # strategy = configure - --{{% if product in ["ol8", "rhel8"] %}} -+{{% if product in ["ol8"] or 'rhel' in product %}} - {{% set auid_filters = "-F auid>=" ~ auid ~ " -F auid!=unset" %}} - {{% else %}} - {{% set auid_filters = "" %}} -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_finit/bash/shared.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_finit/bash/shared.sh -index 74d3ef0b99..01ea32a079 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_finit/bash/shared.sh -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_finit/bash/shared.sh -@@ -12,7 +12,7 @@ for ARCH in "${RULE_ARCHS[@]}" - do - ACTION_ARCH_FILTERS="-a always,exit -F arch=$ARCH" - OTHER_FILTERS="" -- {{% if product in ["ol8", "rhel8"] %}} -+ {{% if product in ["ol8"] or 'rhel' in product %}} - AUID_FILTERS="-F auid>={{{ auid }}} -F auid!=unset" - {{% else %}} - AUID_FILTERS="" -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_finit/oval/shared.xml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_finit/oval/shared.xml -index 2fc711314f..d5ffcdd04c 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_finit/oval/shared.xml -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_finit/oval/shared.xml -@@ -36,7 +36,7 @@ - - - 
^/etc/audit/rules\.d/.*\.rules$ -- {{% if product in ["ol8", "rhel8"] %}} -+ {{% if product in ["ol8"] or 'rhel' in product %}} - ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+finit_module[\s]+|([\s]+|[,])finit_module([\s]+|[,]))).*(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295))\s+(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ - {{% else %}} - ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+finit_module[\s]+|([\s]+|[,])finit_module([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ -@@ -49,7 +49,7 @@ - - - ^/etc/audit/rules\.d/.*\.rules$ -- {{% if product in ["ol8", "rhel8"] %}} -+ {{% if product in ["ol8"] or 'rhel' in product %}} - ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+finit_module[\s]+|([\s]+|[,])finit_module([\s]+|[,]))).*(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295))\s+(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ - {{% else %}} - ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+finit_module[\s]+|([\s]+|[,])finit_module([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ -@@ -62,7 +62,7 @@ - - - /etc/audit/audit.rules -- {{% if product in ["ol8", "rhel8"] %}} -+ {{% if product in ["ol8"] or 'rhel' in product %}} - ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+finit_module[\s]+|([\s]+|[,])finit_module([\s]+|[,]))).*(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295))\s+(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ - {{% else %}} - ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+finit_module[\s]+|([\s]+|[,])finit_module([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ -@@ -75,7 +75,7 @@ - - - /etc/audit/audit.rules -- {{% if product in ["ol8", "rhel8"] %}} -+ {{% if product in ["ol8"] or 'rhel' in product %}} - ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+finit_module[\s]+|([\s]+|[,])finit_module([\s]+|[,]))).*(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295))\s+(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ - {{% else %}} - 
^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+finit_module[\s]+|([\s]+|[,])finit_module([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_finit/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_finit/rule.yml -index c3e5d7a702..9350781563 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_finit/rule.yml -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_finit/rule.yml -@@ -9,7 +9,7 @@ description: |- - to read audit rules during daemon startup (the default), add the following lines to a file - with suffix .rules in the directory /etc/audit/rules.d to capture kernel module - loading and unloading events, setting ARCH to either b32 or b64 as appropriate for your system: -- {{% if product in ["ol8", "rhel8"] %}} -+ {{% if product in ["ol8"] or 'rhel' in product %}} -
-a always,exit -F arch=ARCH -S finit_module -F auid>=1000 -F auid!=unset -F key=modules
- {{% else %}} -
-a always,exit -F arch=ARCH -S finit_module -F key=modules
-@@ -17,7 +17,7 @@ description: |- - rules during daemon startup, add the following lines to /etc/audit/audit.rules file - in order to capture kernel module loading and unloading events, setting ARCH to either b32 or - b64 as appropriate for your system: -- {{% if product in ["ol8", "rhel8"] %}} -+ {{% if product in ["ol8"] or 'rhel' in product %}} -
-a always,exit -F arch=ARCH -S finit_module -F auid>=1000 -F auid!=unset -F key=modules
- {{% else %}} -
-a always,exit -F arch=ARCH -S finit_module -F key=modules
-diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_finit/tests/correct_rules.pass.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_finit/tests/correct_rules.pass.sh -index c764950951..fddac1f81e 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_finit/tests/correct_rules.pass.sh -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_finit/tests/correct_rules.pass.sh -@@ -5,7 +5,7 @@ - # packages = audit - {{% endif %}} - --{{% if product in ["ol8", "rhel8"] %}} -+{{% if product in ["ol8"] or 'rhel' in product %}} - echo "-a always,exit -F arch=b32 -S finit_module -F auid>=1000 -F auid!=unset -k modules" >> /etc/audit/rules.d/modules.rules - echo "-a always,exit -F arch=b64 -S finit_module -F auid>=1000 -F auid!=unset -k modules" >> /etc/audit/rules.d/modules.rules - {{% else %}} -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_init/ansible/shared.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_init/ansible/shared.yml -index e1bf467c03..1a3c0b000e 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_init/ansible/shared.yml -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_init/ansible/shared.yml -@@ -4,7 +4,7 @@ - # disruption = low - # strategy = configure - --{{% if product in ["ol8", "rhel8"] %}} -+{{% if product in ["ol8"] or 'rhel' in product %}} - {{% set auid_filters = "-F auid>=" ~ auid ~ " -F auid!=unset" %}} - {{% else %}} - {{% set auid_filters = "" %}} -diff 
--git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_init/bash/shared.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_init/bash/shared.sh -index 09b6c06d8d..13a487a230 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_init/bash/shared.sh -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_init/bash/shared.sh -@@ -12,7 +12,7 @@ for ARCH in "${RULE_ARCHS[@]}" - do - ACTION_ARCH_FILTERS="-a always,exit -F arch=$ARCH" - OTHER_FILTERS="" -- {{% if product in ["ol8", "rhel8"] %}} -+ {{% if product in ["ol8"] or 'rhel' in product %}} - AUID_FILTERS="-F auid>={{{ auid }}} -F auid!=unset" - {{% else %}} - AUID_FILTERS="" -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_init/oval/shared.xml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_init/oval/shared.xml -index c6e598963e..0e580fede7 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_init/oval/shared.xml -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_init/oval/shared.xml -@@ -36,7 +36,7 @@ - - - ^/etc/audit/rules\.d/.*\.rules$ -- {{% if product in ["ol8", "rhel8"] %}} -+ {{% if product in ["ol8"] or 'rhel' in product %}} - ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+init_module[\s]+|([\s]+|[,])init_module([\s]+|[,]))).*(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295))\s+(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ - {{% else %}} - 
^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+init_module[\s]+|([\s]+|[,])init_module([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ -@@ -49,7 +49,7 @@ - - - ^/etc/audit/rules\.d/.*\.rules$ -- {{% if product in ["ol8", "rhel8"] %}} -+ {{% if product in ["ol8"] or 'rhel' in product %}} - ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+init_module[\s]+|([\s]+|[,])init_module([\s]+|[,]))).*(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295))\s+(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ - {{% else %}} - ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+init_module[\s]+|([\s]+|[,])init_module([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ -@@ -62,7 +62,7 @@ - - - /etc/audit/audit.rules -- {{% if product in ["ol8", "rhel8"] %}} -+ {{% if product in ["ol8"] or 'rhel' in product %}} - ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+init_module[\s]+|([\s]+|[,])init_module([\s]+|[,]))).*(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295))\s+(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ - {{% else %}} - ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+init_module[\s]+|([\s]+|[,])init_module([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ -@@ -75,7 +75,7 @@ - - - /etc/audit/audit.rules -- {{% if product in ["ol8", "rhel8"] %}} -+ {{% if product in ["ol8"] or 'rhel' in product %}} - ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+init_module[\s]+|([\s]+|[,])init_module([\s]+|[,]))).*(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295))\s+(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ - {{% else %}} - ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+init_module[\s]+|([\s]+|[,])init_module([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_init/rule.yml 
b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_init/rule.yml -index 334165f75e..3b2e05424f 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_init/rule.yml -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_init/rule.yml -@@ -7,7 +7,7 @@ title: 'Ensure auditd Collects Information on Kernel Module Loading - init_modul - description: |- - To capture kernel module loading events, use following line, setting ARCH to - either b32 for 32-bit system, or having two lines for both b32 and b64 in case your system is 64-bit: -- {{% if product in ["ol8", "rhel8"] %}} -+ {{% if product in ["ol8"] or 'rhel' in product %}} -
-a always,exit -F arch=ARCH -S init_module -F auid>=1000 -F auid!=unset -F key=modules
- {{% else %}} -
-a always,exit -F arch=ARCH -S init_module -F key=modules
-diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_init/tests/correct_rules.pass.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_init/tests/correct_rules.pass.sh -index 38232603b4..43b4adacb8 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_init/tests/correct_rules.pass.sh -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_init/tests/correct_rules.pass.sh -@@ -5,7 +5,7 @@ - # packages = audit - {{% endif %}} - --{{% if product in ["ol8", "rhel8"] %}} -+{{% if product in ["ol8"] or 'rhel' in product %}} - echo "-a always,exit -F arch=b32 -S init_module -F auid>=1000 -F auid!=unset -k modules" >> /etc/audit/rules.d/modules.rules - echo "-a always,exit -F arch=b64 -S init_module -F auid>=1000 -F auid!=unset -k modules" >> /etc/audit/rules.d/modules.rules - {{% else %}} --- -2.37.2 - diff --git a/SOURCES/scap-security-guide-0.1.64-add_perm_x_privileged_commands-PR_9289.patch b/SOURCES/scap-security-guide-0.1.64-add_perm_x_privileged_commands-PR_9289.patch deleted file mode 100644 index eca72b2..0000000 --- a/SOURCES/scap-security-guide-0.1.64-add_perm_x_privileged_commands-PR_9289.patch +++ /dev/null 
@@ -1,268 +0,0 @@ -From 7bc00d986b80c6337a2a9df2cb216ab72e63c76a Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= -Date: Fri, 5 Aug 2022 08:52:26 +0200 -Subject: [PATCH 3/7] Merge pull request #9289 from - yuumasato/rhel7_privileged_commands_perm_x - -Patch-name: scap-security-guide-0.1.64-add_perm_x_privileged_commands-PR_9289.patch -Patch-status: Add -F perm=x filter on RHEL7 privileged commands rules ---- - .../audit_rules_execution_chcon/rule.yml | 2 +- - .../audit_rules_execution_semanage/rule.yml | 2 +- - .../audit_rules_execution_setfiles/rule.yml | 2 +- - .../audit_rules_execution_setsebool/rule.yml | 2 +- - .../audit_rules_privileged_commands_chage/rule.yml | 2 +- - .../audit_rules_privileged_commands_chsh/rule.yml | 2 +- - .../audit_rules_privileged_commands_crontab/rule.yml | 2 +- - .../audit_rules_privileged_commands_gpasswd/rule.yml | 2 +- - .../audit_rules_privileged_commands_mount/rule.yml | 2 +- - .../audit_rules_privileged_commands_newgrp/rule.yml | 2 +- - .../rule.yml | 3 +-- - .../audit_rules_privileged_commands_passwd/rule.yml | 2 +- - .../audit_rules_privileged_commands_postdrop/rule.yml | 2 +- - .../audit_rules_privileged_commands_postqueue/rule.yml | 2 +- - .../audit_rules_privileged_commands_ssh_keysign/rule.yml | 2 +- - .../audit_rules_privileged_commands_su/rule.yml | 2 +- - .../audit_rules_privileged_commands_sudo/rule.yml | 2 +- - .../audit_rules_privileged_commands_umount/rule.yml | 2 +- - .../audit_rules_privileged_commands_unix_chkpwd/rule.yml | 2 +- - .../audit_rules_privileged_commands_userhelper/rule.yml | 2 +- - .../templates/audit_rules_privileged_commands/ansible.template | 2 +- - shared/templates/audit_rules_privileged_commands/bash.template | 2 +- - shared/templates/audit_rules_privileged_commands/oval.template | 2 +- - 23 files changed, 23 insertions(+), 24 deletions(-) - -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_chcon/rule.yml 
b/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_chcon/rule.yml -index a04042e373..3aec6edbee 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_chcon/rule.yml -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_chcon/rule.yml -@@ -1,4 +1,4 @@ --{{%- if product in ["fedora", "ol8", "rhel8", "rhel9", "sle12", "sle15", "ubuntu2004"] %}} -+{{%- if product in ["fedora", "ol8", "ol9", "rhel7", "rhel8", "rhel9", "sle12", "sle15", "ubuntu2004"] %}} - {{%- set perm_x="-F perm=x " %}} - {{%- endif %}} - -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_semanage/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_semanage/rule.yml -index 3622ba4a9f..c8fe891d54 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_semanage/rule.yml -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_semanage/rule.yml -@@ -1,4 +1,4 @@ --{{%- if product in ["fedora", "ol8", "rhel8", "rhel9", "sle12", "sle15", "ubuntu2004"] %}} -+{{%- if product in ["fedora", "ol8", "ol9", "rhel7", "rhel8", "rhel9", "sle12", "sle15", "ubuntu2004"] %}} - {{%- set perm_x="-F perm=x " %}} - {{%- endif %}} - -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_setfiles/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_setfiles/rule.yml -index ccefe56643..c87e75cc86 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_setfiles/rule.yml -+++ 
b/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_setfiles/rule.yml -@@ -1,4 +1,4 @@ --{{%- if product in ["fedora", "ol8", "rhel8", "rhel9", "sle12", "sle15", "ubuntu2004"] %}} -+{{%- if product in ["fedora", "ol8", "ol9", "rhel7", "rhel8", "rhel9", "sle12", "sle15", "ubuntu2004"] %}} - {{%- set perm_x="-F perm=x " %}} - {{%- endif %}} - -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_setsebool/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_setsebool/rule.yml -index 137d22aad4..2dbd03c88c 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_setsebool/rule.yml -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_setsebool/rule.yml -@@ -1,4 +1,4 @@ --{{%- if product in ["fedora", "ol8", "rhel8", "rhel9", "sle12", "sle15", "ubuntu2004"] %}} -+{{%- if product in ["fedora", "ol8", "ol9", "rhel7", "rhel8", "rhel9", "sle12", "sle15", "ubuntu2004"] %}} - {{%- set perm_x="-F perm=x " %}} - {{%- endif %}} - -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_chage/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_chage/rule.yml -index f00b43da54..19831a1fea 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_chage/rule.yml -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_chage/rule.yml -@@ -1,4 +1,4 @@ --{{%- if product in ["fedora", "ol8", "rhel8", "rhel9", "sle12", "sle15", "ubuntu2004"] %}} -+{{%- if product in ["fedora", "ol8", "ol9", "rhel7", 
"rhel8", "rhel9", "sle12", "sle15", "ubuntu2004"] %}} - {{%- set perm_x="-F perm=x " %}} - {{%- endif %}} - -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_chsh/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_chsh/rule.yml -index b4ef8a6bbb..550a364578 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_chsh/rule.yml -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_chsh/rule.yml -@@ -1,4 +1,4 @@ --{{%- if product in ["fedora", "ol8", "rhel8", "rhel9", "sle12", "sle15", "ubuntu2004"] %}} -+{{%- if product in ["fedora", "ol8", "ol9", "rhel7", "rhel8", "rhel9", "sle12", "sle15", "ubuntu2004"] %}} - {{%- set perm_x="-F perm=x " %}} - {{%- endif %}} - -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_crontab/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_crontab/rule.yml -index 5cc83a5b9f..a36468a7fc 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_crontab/rule.yml -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_crontab/rule.yml -@@ -1,4 +1,4 @@ --{{%- if product in ["fedora", "ol8", "rhel8", "rhel9", "sle12", "sle15", "ubuntu2004"] %}} -+{{%- if product in ["fedora", "ol8", "ol9", "rhel7", "rhel8", "rhel9", "sle12", "sle15", "ubuntu2004"] %}} - {{%- set perm_x="-F perm=x " %}} - {{%- endif %}} - -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_gpasswd/rule.yml 
b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_gpasswd/rule.yml -index 79e1ae164d..efc3865fdd 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_gpasswd/rule.yml -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_gpasswd/rule.yml -@@ -1,4 +1,4 @@ --{{%- if product in ["fedora", "ol8", "rhel8", "rhel9", "sle12", "sle15", "ubuntu2004"] %}} -+{{%- if product in ["fedora", "ol8", "ol9", "rhel7", "rhel8", "rhel9", "sle12", "sle15", "ubuntu2004"] %}} - {{%- set perm_x="-F perm=x " %}} - {{%- endif %}} - -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_mount/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_mount/rule.yml -index 92ffffc236..7a64458213 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_mount/rule.yml -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_mount/rule.yml -@@ -1,4 +1,4 @@ --{{%- if product in ["fedora", "ol8", "rhel8", "rhel9", "sle12", "sle15", "ubuntu2004"] %}} -+{{%- if product in ["fedora", "ol8", "ol9", "rhel7", "rhel8", "rhel9", "sle12", "sle15", "ubuntu2004"] %}} - {{%- set perm_x="-F perm=x " %}} - {{%- endif %}} - -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_newgrp/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_newgrp/rule.yml -index bf25761849..bc41dc2545 100644 ---- 
a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_newgrp/rule.yml -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_newgrp/rule.yml -@@ -1,4 +1,4 @@ --{{%- if product in ["fedora", "ol8", "rhel8", "rhel9", "sle12", "sle15", "ubuntu2004"] %}} -+{{%- if product in ["fedora", "ol8", "ol9", "rhel7", "rhel8", "rhel9", "sle12", "sle15", "ubuntu2004"] %}} - {{%- set perm_x="-F perm=x " %}} - {{%- endif %}} - -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_pam_timestamp_check/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_pam_timestamp_check/rule.yml -index 8c8c9e6058..d0ef2f99ec 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_pam_timestamp_check/rule.yml -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_pam_timestamp_check/rule.yml -@@ -1,5 +1,4 @@ -- --{{%- if product in ["fedora", "ol8", "rhel8", "rhel9", "sle12", "sle15", "ubuntu2004"] %}} -+{{%- if product in ["fedora", "ol8", "ol9", "rhel7", "rhel8", "rhel9", "sle12", "sle15", "ubuntu2004"] %}} - {{%- set perm_x="-F perm=x " %}} - {{%- endif %}} - -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_passwd/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_passwd/rule.yml -index fa89ec6ed6..ff94781872 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_passwd/rule.yml -+++ 
b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_passwd/rule.yml -@@ -1,4 +1,4 @@ --{{%- if product in ["fedora", "ol8", "rhel8", "rhel9", "sle12", "sle15", "ubuntu2004"] %}} -+{{%- if product in ["fedora", "ol8", "ol9", "rhel7", "rhel8", "rhel9", "sle12", "sle15", "ubuntu2004"] %}} - {{%- set perm_x="-F perm=x " %}} - {{%- endif %}} - -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_postdrop/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_postdrop/rule.yml -index ca767a829d..f5feeb22bf 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_postdrop/rule.yml -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_postdrop/rule.yml -@@ -1,4 +1,4 @@ --{{%- if product in ["fedora", "ol8", "rhel8", "rhel9", "sle12", "sle15", "ubuntu2004"] %}} -+{{%- if product in ["fedora", "ol8", "ol9", "rhel7", "rhel8", "rhel9", "sle12", "sle15", "ubuntu2004"] %}} - {{%- set perm_x="-F perm=x " %}} - {{%- endif %}} - -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_postqueue/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_postqueue/rule.yml -index 51aaec9510..1b1580c738 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_postqueue/rule.yml -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_postqueue/rule.yml -@@ -1,4 +1,4 @@ --{{%- if product in ["fedora", "ol8", "rhel8", "rhel9", "sle12", "sle15", "ubuntu2004"] %}} -+{{%- if product in ["fedora", 
"ol8", "ol9", "rhel7", "rhel8", "rhel9", "sle12", "sle15", "ubuntu2004"] %}} - {{%- set perm_x="-F perm=x " %}} - {{%- endif %}} - -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_ssh_keysign/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_ssh_keysign/rule.yml -index 28185012cb..f81de80c4b 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_ssh_keysign/rule.yml -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_ssh_keysign/rule.yml -@@ -1,4 +1,4 @@ --{{%- if product in ["fedora", "ol8", "rhel8", "rhel9", "sle12", "sle15", "ubuntu2004"] %}} -+{{%- if product in ["fedora", "ol8", "ol9", "rhel7", "rhel8", "rhel9", "sle12", "sle15", "ubuntu2004"] %}} - {{%- set perm_x="-F perm=x " %}} - {{%- endif %}} - -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_su/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_su/rule.yml -index 33e174cf5d..0ac0d4db71 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_su/rule.yml -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_su/rule.yml -@@ -1,4 +1,4 @@ --{{%- if product in ["fedora", "ol8", "rhel8", "rhel9", "sle12", "sle15", "ubuntu2004"] %}} -+{{%- if product in ["fedora", "ol8", "ol9", "rhel7", "rhel8", "rhel9", "sle12", "sle15", "ubuntu2004"] %}} - {{%- set perm_x="-F perm=x " %}} - {{%- endif %}} - -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_sudo/rule.yml 
b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_sudo/rule.yml -index f384c1bfeb..c078ad59e8 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_sudo/rule.yml -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_sudo/rule.yml -@@ -1,4 +1,4 @@ --{{%- if product in ["fedora", "ol8", "rhel8", "rhel9", "sle12", "sle15", "ubuntu2004"] %}} -+{{%- if product in ["fedora", "ol8", "ol9", "rhel7", "rhel8", "rhel9", "sle12", "sle15", "ubuntu2004"] %}} - {{%- set perm_x="-F perm=x " %}} - {{%- endif %}} - -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_umount/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_umount/rule.yml -index 733f106265..07e098cbe2 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_umount/rule.yml -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_umount/rule.yml -@@ -1,4 +1,4 @@ --{{%- if product in ["fedora", "ol8", "rhel8", "rhel9", "sle12", "sle15", "ubuntu2004"] %}} -+{{%- if product in ["fedora", "ol8", "ol9", "rhel7", "rhel8", "rhel9", "sle12", "sle15", "ubuntu2004"] %}} - {{%- set perm_x="-F perm=x " %}} - {{%- endif %}} - -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_unix_chkpwd/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_unix_chkpwd/rule.yml -index fc71d40245..ad2900efbe 100644 ---- 
a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_unix_chkpwd/rule.yml -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_unix_chkpwd/rule.yml -@@ -1,4 +1,4 @@ --{{%- if product in ["fedora", "ol8", "rhel8", "rhel9", "sle12", "sle15", "ubuntu2004"] %}} -+{{%- if product in ["fedora", "ol8", "ol9", "rhel7", "rhel8", "rhel9", "sle12", "sle15", "ubuntu2004"] %}} - {{%- set perm_x="-F perm=x " %}} - {{%- endif %}} - -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_userhelper/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_userhelper/rule.yml -index bd496cfb8e..4fde5415dd 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_userhelper/rule.yml -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_userhelper/rule.yml -@@ -1,4 +1,4 @@ --{{%- if product in ["fedora", "ol8", "rhel8", "rhel9", "sle12", "sle15", "ubuntu2004"] %}} -+{{%- if product in ["fedora", "ol8", "ol9", "rhel7", "rhel8", "rhel9", "sle12", "sle15", "ubuntu2004"] %}} - {{%- set perm_x="-F perm=x " %}} - {{%- endif %}} - -diff --git a/shared/templates/audit_rules_privileged_commands/ansible.template b/shared/templates/audit_rules_privileged_commands/ansible.template -index a6c72166ae..56eb2280e6 100644 ---- a/shared/templates/audit_rules_privileged_commands/ansible.template -+++ b/shared/templates/audit_rules_privileged_commands/ansible.template -@@ -1,4 +1,4 @@ --{{%- if product in ["fedora", "ol8", "rhel8", "rhel9", "sle12", "sle15", "ubuntu2004"] %}} -+{{%- if product in ["fedora", "ol8", "ol9", "rhel7", "rhel8", "rhel9", "sle12", "sle15", "ubuntu2004"] %}} - {{%- set perm_x=" -F perm=x" 
%}} - {{%- endif %}} - # platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle,multi_platform_ubuntu -diff --git a/shared/templates/audit_rules_privileged_commands/bash.template b/shared/templates/audit_rules_privileged_commands/bash.template -index 7e4b02f764..68e1e1b525 100644 ---- a/shared/templates/audit_rules_privileged_commands/bash.template -+++ b/shared/templates/audit_rules_privileged_commands/bash.template -@@ -1,4 +1,4 @@ --{{%- if product in ["fedora", "ol8", "rhel8", "rhel9", "sle12", "sle15", "ubuntu2004"] %}} -+{{%- if product in ["fedora", "ol8", "ol9", "rhel7", "rhel8", "rhel9", "sle12", "sle15", "ubuntu2004"] %}} - {{%- set perm_x=" -F perm=x" %}} - {{%- endif %}} - # platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle,multi_platform_ubuntu -diff --git a/shared/templates/audit_rules_privileged_commands/oval.template b/shared/templates/audit_rules_privileged_commands/oval.template -index c240a73635..13f01f1f9c 100644 ---- a/shared/templates/audit_rules_privileged_commands/oval.template -+++ b/shared/templates/audit_rules_privileged_commands/oval.template -@@ -1,4 +1,4 @@ --{{%- if product in ["fedora", "ol8", "rhel8", "rhel9", "sle12", "sle15", "ubuntu2004"] %}} -+{{%- if product in ["fedora", "ol8", "ol9", "rhel7", "rhel8", "rhel9", "sle12", "sle15", "ubuntu2004"] %}} - {{%- set perm_x="(?:[\s]+-F[\s]+perm=x)" %}} - {{%- endif %}} - --- -2.37.2 - diff --git a/SOURCES/scap-security-guide-0.1.64-add_warning_audit_rules_for_ospp-PR_9303.patch b/SOURCES/scap-security-guide-0.1.64-add_warning_audit_rules_for_ospp-PR_9303.patch deleted file mode 100644 index 6d2d0c0..0000000 --- a/SOURCES/scap-security-guide-0.1.64-add_warning_audit_rules_for_ospp-PR_9303.patch +++ /dev/null 
@@ -1,31 +0,0 @@ -From fc1b1304b1143c361fd33b440457816979a408d8 Mon Sep 17 00:00:00 2001 -From: Watson Yuuma Sato -Date: Tue, 9 Aug 2022 08:33:34 +0200 -Subject: [PATCH 7/7] Merge pull request #9303 from vojtapolasek/rhbz1993822 - -Patch-name: scap-security-guide-0.1.64-add_warning_audit_rules_for_ospp-PR_9303.patch -Patch-status: add warning to audit_rules_for_ospp ---- - .../auditing/policy_rules/audit_rules_for_ospp/rule.yml | 9 +++++++++ - 1 file changed, 9 insertions(+) - -diff --git a/linux_os/guide/system/auditing/policy_rules/audit_rules_for_ospp/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_rules_for_ospp/rule.yml -index 8461089f50..1cc1f231ff 100644 ---- a/linux_os/guide/system/auditing/policy_rules/audit_rules_for_ospp/rule.yml -+++ b/linux_os/guide/system/auditing/policy_rules/audit_rules_for_ospp/rule.yml -@@ -67,3 +67,12 @@ fixtext: |- - Then, run the following command to load all audit rules: - - $ sudo augenrules --load -+ -+warnings: -+ - performance: -+ It might happen that Audit buffer configured by this rule is not large -+ enough for certain use cases. If that is the case, the buffer size can -+ be overridden by placing
-b larger_buffer_size
into a file -+ within /etc/audit/rules.d directory, replacing -+ larger_file_size with the desired value. The file name should -+ start with a number higher than 10 and lower than 99. --- -2.37.2 - diff --git a/SOURCES/scap-security-guide-0.1.64-auid_filter_audit_rules_kernel_module_loading-PR_9371.patch b/SOURCES/scap-security-guide-0.1.64-auid_filter_audit_rules_kernel_module_loading-PR_9371.patch deleted file mode 100644 index 7c18811..0000000 --- a/SOURCES/scap-security-guide-0.1.64-auid_filter_audit_rules_kernel_module_loading-PR_9371.patch +++ /dev/null 
@@ -1,120 +0,0 @@ -From ca5ff8615cb502245391ca3fd7fa6aa6c68b37bc Mon Sep 17 00:00:00 2001 -From: Gabriel Becker -Date: Fri, 19 Aug 2022 14:26:08 +0200 -Subject: [PATCH 5/7] Merge pull request #9371 from - yuumasato/auid_filters_on_audit_rules_kernel_module_loading - -Patch-name: scap-security-guide-0.1.64-auid_filter_audit_rules_kernel_module_loading-PR_9371.patch -Patch-status: Add AUID filters on audit_rules_kernel_module_loading ---- - .../audit_rules_kernel_module_loading/ansible/shared.yml | 2 +- - .../audit_rules_kernel_module_loading/bash/shared.sh | 2 +- - .../tests/auditctl_syscalls_multiple_per_arg.pass.sh | 2 +- - .../tests/auditctl_syscalls_one_per_arg.pass.sh | 2 +- - .../tests/auditctl_syscalls_one_per_line.pass.sh | 2 +- - .../tests/augen_syscalls_multiple_per_arg.pass.sh | 2 +- - .../tests/augen_syscalls_one_per_arg.pass.sh | 2 +- - .../tests/augen_syscalls_one_per_line.pass.sh | 2 +- - 8 files changed, 8 insertions(+), 8 deletions(-) - -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/ansible/shared.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/ansible/shared.yml -index 4c659a70a1..5e607da798 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/ansible/shared.yml -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/ansible/shared.yml -@@ -4,7 +4,7 @@ - # complexity = low - # disruption = low - --{{% if product in ["ol8", "rhel8"] %}} -+{{% if product in ["ol8"] or 'rhel' in product %}} - {{% set auid_filters = "-F auid>=" ~ auid ~ " -F auid!=unset" %}} - {{% else %}} - {{% set auid_filters = "" %}} -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/bash/shared.sh 
b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/bash/shared.sh -index caa825fbf0..f2cc7b782f 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/bash/shared.sh -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/bash/shared.sh -@@ -12,7 +12,7 @@ for ARCH in "${RULE_ARCHS[@]}" - do - ACTION_ARCH_FILTERS="-a always,exit -F arch=$ARCH" - OTHER_FILTERS="" -- {{% if product in ["ol8", "rhel8"] %}} -+ {{% if product in ["ol8"] or 'rhel' in product %}} - AUID_FILTERS="-F auid>={{{ auid }}} -F auid!=unset" - {{% else %}} - AUID_FILTERS="" -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/tests/auditctl_syscalls_multiple_per_arg.pass.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/tests/auditctl_syscalls_multiple_per_arg.pass.sh -index 3e000a1c23..6eccda6e3a 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/tests/auditctl_syscalls_multiple_per_arg.pass.sh -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/tests/auditctl_syscalls_multiple_per_arg.pass.sh -@@ -10,6 +10,6 @@ rm -f /etc/audit/rules.d/* - # cut out irrelevant rules for this test - sed '1,8d' test_audit.rules > /etc/audit/audit.rules - sed -i '4,7d' /etc/audit/audit.rules --{{% if product in ["ol8", "rhel8"] %}} -+{{% if product in ["ol8"] or 'rhel' in product %}} - sed -i 's/-k modules/-F auid>=1000 -F auid!=unset -k modules/g' /etc/audit/audit.rules - {{% endif %}} -diff --git 
a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/tests/auditctl_syscalls_one_per_arg.pass.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/tests/auditctl_syscalls_one_per_arg.pass.sh -index 0a0333803b..65fc2b6f59 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/tests/auditctl_syscalls_one_per_arg.pass.sh -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/tests/auditctl_syscalls_one_per_arg.pass.sh -@@ -9,6 +9,6 @@ rm -f /etc/audit/rules.d/* - - # cut out irrelevant rules for this test - sed '1,12d' test_audit.rules > /etc/audit/audit.rules --{{% if product in ["ol8", "rhel8"] %}} -+{{% if product in ["ol8"] or 'rhel' in product %}} - sed -i 's/-k modules/-F auid>=1000 -F auid!=unset -k modules/g' /etc/audit/audit.rules - {{% endif %}} -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/tests/auditctl_syscalls_one_per_line.pass.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/tests/auditctl_syscalls_one_per_line.pass.sh -index 940d9fb120..63f96022e2 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/tests/auditctl_syscalls_one_per_line.pass.sh -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/tests/auditctl_syscalls_one_per_line.pass.sh -@@ -9,6 +9,6 @@ rm -f /etc/audit/rules.d/* - - # cut out irrelevant rules for this test - sed '8,15d' test_audit.rules > /etc/audit/audit.rules --{{% if product in ["ol8", "rhel8"] %}} -+{{% if product in ["ol8"] or 'rhel' in product %}} - sed -i 
's/-k modules/-F auid>=1000 -F auid!=unset -k modules/g' /etc/audit/audit.rules - {{% endif %}} -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/tests/augen_syscalls_multiple_per_arg.pass.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/tests/augen_syscalls_multiple_per_arg.pass.sh -index c2438f9bd6..f7b9fb9cb0 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/tests/augen_syscalls_multiple_per_arg.pass.sh -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/tests/augen_syscalls_multiple_per_arg.pass.sh -@@ -7,6 +7,6 @@ rm -f /etc/audit/rules.d/* - # cut out irrelevant rules for this test - sed '1,8d' test_audit.rules > /etc/audit/rules.d/test.rules - sed -i '4,7d' /etc/audit/rules.d/test.rules --{{% if product in ["ol8", "rhel8"] %}} -+{{% if product in ["ol8"] or 'rhel' in product %}} - sed -i 's/-k modules/-F auid>=1000 -F auid!=unset -k modules/g' /etc/audit/rules.d/test.rules - {{% endif %}} -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/tests/augen_syscalls_one_per_arg.pass.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/tests/augen_syscalls_one_per_arg.pass.sh -index ec55e46152..1ef064868e 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/tests/augen_syscalls_one_per_arg.pass.sh -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/tests/augen_syscalls_one_per_arg.pass.sh -@@ -6,6 +6,6 @@ rm -f /etc/audit/rules.d/* - - # cut out irrelevant rules for this test - 
sed '1,12d' test_audit.rules > /etc/audit/rules.d/test.rules --{{% if product in ["ol8", "rhel8"] %}} -+{{% if product in ["ol8"] or 'rhel' in product %}} - sed -i 's/-k modules/-F auid>=1000 -F auid!=unset -k modules/g' /etc/audit/rules.d/test.rules - {{% endif %}} -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/tests/augen_syscalls_one_per_line.pass.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/tests/augen_syscalls_one_per_line.pass.sh -index 99299f7ca4..de8763bf8c 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/tests/augen_syscalls_one_per_line.pass.sh -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/tests/augen_syscalls_one_per_line.pass.sh -@@ -5,6 +5,6 @@ rm -f /etc/audit/rules.d/* - - # cut out irrelevant rules for this test - sed '8,15d' test_audit.rules > /etc/audit/rules.d/test.rules --{{% if product in ["ol8", "rhel8"] %}} -+{{% if product in ["ol8"] or 'rhel' in product %}} - sed -i 's/-k modules/-F auid>=1000 -F auid!=unset -k modules/g' /etc/audit/rules.d/test.rules - {{% endif %}} --- -2.37.2 - diff --git a/SOURCES/scap-security-guide-0.1.64-fix_fips_enable_fips_mode_x390x-PR_9355.patch b/SOURCES/scap-security-guide-0.1.64-fix_fips_enable_fips_mode_x390x-PR_9355.patch deleted file mode 100644 index 77e78f9..0000000 --- a/SOURCES/scap-security-guide-0.1.64-fix_fips_enable_fips_mode_x390x-PR_9355.patch +++ /dev/null 
@@ -1,37 +0,0 @@ -From f78ca701b71fc489ee1b22ede3205fc9dc63c119 Mon Sep 17 00:00:00 2001 -From: Milan Lysonek -Date: Wed, 17 Aug 2022 09:36:19 +0200 -Subject: [PATCH 08/11] Merge pull request #9355 from - yuumasato/enable_fips_mode_s390x_no_grubenv - -Patch-name: scap-security-guide-0.1.64-fix_fips_enable_fips_mode_x390x-PR_9355.patch -Patch-status: Don't fail enable_fips_mode if /etc/grubenv is missing on s390x ---- - .../integrity/fips/enable_fips_mode/oval/shared.xml | 9 ++++++++- - 1 file changed, 8 insertions(+), 1 deletion(-) - -diff --git a/linux_os/guide/system/software/integrity/fips/enable_fips_mode/oval/shared.xml b/linux_os/guide/system/software/integrity/fips/enable_fips_mode/oval/shared.xml -index 65056a654c..7af675de0d 100644 ---- a/linux_os/guide/system/software/integrity/fips/enable_fips_mode/oval/shared.xml -+++ b/linux_os/guide/system/software/integrity/fips/enable_fips_mode/oval/shared.xml -@@ -7,9 +7,16 @@ - - - -- {{% if product in ["ol8","rhel8"] %}} -+ {{% if product in ["ol8"] %}} - -+ {{% elif product in ["rhel8"] %}} -+ -+ -+ -+ - {{% endif %}} - - --- -2.37.2 - diff --git a/SOURCES/scap-security-guide-0.1.64-fix_smartcard_auth_rhel7-PR_9387.patch b/SOURCES/scap-security-guide-0.1.64-fix_smartcard_auth_rhel7-PR_9387.patch deleted file mode 100644 index 93cdfc6..0000000 --- a/SOURCES/scap-security-guide-0.1.64-fix_smartcard_auth_rhel7-PR_9387.patch +++ /dev/null 
@@ -1,251 +0,0 @@ -From c9dfb2665c2cb21dca5b19434c7cb41ecec247e3 Mon Sep 17 00:00:00 2001 -From: Watson Sato -Date: Tue, 23 Aug 2022 12:05:54 +0200 -Subject: [PATCH 11/11] Ensure check and remediation work on RHEL7 regardless - of authconfig runs - -Patch-name: scap-security-guide-0.1.64-fix_smartcard_auth_rhel7-PR_9387.patch -Patch-status: Ensure smartcard_auth check and remediation work on RHEL7 ---- - .../smartcard_auth/bash/shared.sh | 44 ++++++++++----- - .../smartcard_auth/oval/shared.xml | 2 + - .../tests/installed_with_authconfig.fail.sh | 53 +++++++++++++++++++ - .../installed_with_pam_faildelay.pass.sh | 11 ++++ - .../installed_without_authconfig.fail.sh | 52 ++++++++++++++++++ - 5 files changed, 150 insertions(+), 12 deletions(-) - create mode 100644 linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/smartcard_auth/tests/installed_with_authconfig.fail.sh - create mode 100644 linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/smartcard_auth/tests/installed_with_pam_faildelay.pass.sh - create mode 100644 linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/smartcard_auth/tests/installed_without_authconfig.fail.sh - -diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/smartcard_auth/bash/shared.sh b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/smartcard_auth/bash/shared.sh -index 9d421063f7..925ec7bd8e 100644 ---- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/smartcard_auth/bash/shared.sh -+++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/smartcard_auth/bash/shared.sh -@@ -23,6 +23,7 @@ - SYSTEM_AUTH_CONF="/etc/pam.d/system-auth" - # Define expected 'pam_env.so' row in $SYSTEM_AUTH_CONF - PAM_ENV_SO="auth.*required.*pam_env.so" -+PAM_FAIL_DELAY="auth.*required.*pam_faildelay.so" - - # Define 'pam_succeed_if.so' row to be 
appended past $PAM_ENV_SO row into $SYSTEM_AUTH_CONF - SYSTEM_AUTH_PAM_SUCCEED="\ -@@ -37,31 +38,50 @@ pam_pkcs11.so nodebug" - # Define smartcard-auth config location - SMARTCARD_AUTH_CONF="/etc/pam.d/smartcard-auth" - # Define 'pam_pkcs11.so' auth section to be appended past $PAM_ENV_SO into $SMARTCARD_AUTH_CONF --SMARTCARD_AUTH_SECTION="\ --auth [success=done ignore=ignore default=die] pam_pkcs11.so nodebug wait_for_card" -+SMARTCARD_AUTH_SECTION="auth [success=done ignore=ignore default=die] pam_pkcs11.so nodebug wait_for_card" - # Define expected 'pam_permit.so' row in $SMARTCARD_AUTH_CONF - PAM_PERMIT_SO="account.*required.*pam_permit.so" - # Define 'pam_pkcs11.so' password section --SMARTCARD_PASSWORD_SECTION="\ --password required pam_pkcs11.so" -+SMARTCARD_PASSWORD_SECTION="password required pam_pkcs11.so" - - # First Correct the SYSTEM_AUTH_CONF configuration - if ! grep -q 'pam_pkcs11.so' "$SYSTEM_AUTH_CONF" - then -- # Append (expected) pam_succeed_if.so row past the pam_env.so into SYSTEM_AUTH_CONF file -- # and append (expected) pam_pkcs11.so row right after the pam_succeed_if.so we just added -- # in SYSTEM_AUTH_CONF file -- # This will preserve any other already existing row equal to "$SYSTEM_AUTH_PAM_SUCCEED" -- echo "$(awk '/^'"$PAM_ENV_SO"'/{print $0 RS "'"$SYSTEM_AUTH_PAM_SUCCEED"'" RS "'"$SYSTEM_AUTH_PAM_PKCS11"'";next}1' "$SYSTEM_AUTH_CONF")" > "$SYSTEM_AUTH_CONF" -+ # Append pam_succeed_if.so row after pam_env.so or after pam_faildelay.so when it exists. -+ # Then append pam_pkcs11.so row right after the pam_succeed_if.so we just added -+ # in SYSTEM_AUTH_CONF file -+ # This will preserve any other already existing row equal to "$SYSTEM_AUTH_PAM_SUCCEED" -+ if ! 
grep -q 'pam_faildelay.so' "$SYSTEM_AUTH_CONF" -+ then -+ echo "$(awk '/^'"$PAM_ENV_SO"'/{print $0 RS "'"$SYSTEM_AUTH_PAM_SUCCEED"'" RS "'"$SYSTEM_AUTH_PAM_PKCS11"'";next}1' "$SYSTEM_AUTH_CONF")" > "$SYSTEM_AUTH_CONF" -+ else -+ echo "$(awk '/^'"$PAM_FAIL_DELAY"'/{print $0 RS "'"$SYSTEM_AUTH_PAM_SUCCEED"'" RS "'"$SYSTEM_AUTH_PAM_PKCS11"'";next}1' "$SYSTEM_AUTH_CONF")" > "$SYSTEM_AUTH_CONF" -+ fi -+ - fi - - # Then also correct the SMARTCARD_AUTH_CONF --if ! grep -q 'pam_pkcs11.so' "$SMARTCARD_AUTH_CONF" -+if ! grep -q 'auth.*pam_pkcs11.so' "$SMARTCARD_AUTH_CONF" - then - # Append (expected) SMARTCARD_AUTH_SECTION row past the pam_env.so into SMARTCARD_AUTH_CONF file -- sed -i --follow-symlinks -e '/^'"$PAM_ENV_SO"'/a '"$SMARTCARD_AUTH_SECTION" "$SMARTCARD_AUTH_CONF" -+ sed -i --follow-symlinks -e '/^'"$PAM_ENV_SO"'/a \ -+ '"$SMARTCARD_AUTH_SECTION" "$SMARTCARD_AUTH_CONF" -+else -+ if ! grep -q 'auth.*pam_pkcs11.so.*no_debug.*wait_for_card' "$SMARTCARD_AUTH_CONF" -+ then -+ sed -i --follow-symlinks -e 's/^auth.*pam_pkcs11.so.*/'"$SMARTCARD_AUTH_SECTION"'/' "$SMARTCARD_AUTH_CONF" -+ fi -+fi -+if ! grep -q 'password.*pam_pkcs11.so' "$SMARTCARD_AUTH_CONF" -+then - # Append (expected) SMARTCARD_PASSWORD_SECTION row past the pam_permit.so into SMARTCARD_AUTH_CONF file -- sed -i --follow-symlinks -e '/^'"$PAM_PERMIT_SO"'/a '"$SMARTCARD_PASSWORD_SECTION" "$SMARTCARD_AUTH_CONF" -+ sed -i --follow-symlinks -e '/^'"$PAM_PERMIT_SO"'/a \ -+ '"$SMARTCARD_PASSWORD_SECTION" "$SMARTCARD_AUTH_CONF" -+else -+ if ! 
grep -q 'password.*required.*pam_pkcs11.so' "$SMARTCARD_AUTH_CONF" -+ then -+ sed -i --follow-symlinks -e 's/password.*pam_pkcs11.so.*/'"$SMARTCARD_PASSWORD_SECTION"'/' "$SMARTCARD_AUTH_CONF" -+ fi - fi - - # Perform /etc/pam_pkcs11/pam_pkcs11.conf settings below -diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/smartcard_auth/oval/shared.xml b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/smartcard_auth/oval/shared.xml -index 343da51124..e284636e8a 100644 ---- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/smartcard_auth/oval/shared.xml -+++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/smartcard_auth/oval/shared.xml -@@ -46,6 +46,7 @@ - comment="Regular expression to check if smartcard authentication is enabled in /etc/pam.d/system-auth" version="1"> - - \nauth[\s]+required[\s]+pam_env.so -+ (\nauth[\s]+required[\s]+pam_faildelay.so[\s]+delay=2000000)? - \nauth[\s]+\[success=1[\s]default=ignore\][\s]pam_succeed_if.so[\s]service[\s]notin[\s] - login:gdm:xdm:kdm:xscreensaver:gnome-screensaver:kscreensaver[\s]quiet[\s]use_uid - \nauth[\s]+\[success=done[\s]authinfo_unavail=ignore[\s]ignore=ignore[\s]default=die\][\s] -@@ -70,6 +71,7 @@ - comment="Regular expressiion to check if smartcard authentication is required in /etc/pam.d/system-auth" version="1"> - - \nauth[\s]+required[\s]+pam_env.so -+ (\nauth[\s]+required[\s]+pam_faildelay.so[\s]+delay=2000000)? 
- \nauth[\s]+\[success=1[\s]default=ignore\][\s]pam_succeed_if.so[\s]service[\s]notin[\s] - login:gdm:xdm:kdm:xscreensaver:gnome-screensaver:kscreensaver[\s]quiet[\s]use_uid - \nauth[\s]+\[success=done[\s]ignore=ignore[\s]default=die\][\s] -diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/smartcard_auth/tests/installed_with_authconfig.fail.sh b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/smartcard_auth/tests/installed_with_authconfig.fail.sh -new file mode 100644 -index 0000000000..b0bbd7a8c0 ---- /dev/null -+++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/smartcard_auth/tests/installed_with_authconfig.fail.sh -@@ -0,0 +1,53 @@ -+#!/bin/bash -+# packages = pcsc-lite pam_pkcs11 esc -+ -+systemctl enable pcscd.socket -+systemctl start pcscd.socket -+ -+cat << EOF > "/etc/pam.d/system-auth" -+#%PAM-1.0 -+# This file is auto-generated. -+# User changes will be destroyed the next time authconfig is run. -+auth required pam_env.so -+auth required pam_faildelay.so delay=2000000 -+auth sufficient pam_unix.so nullok try_first_pass -+auth requisite pam_succeed_if.so uid >= 1000 quiet_success -+auth required pam_deny.so -+ -+account required pam_unix.so -+account sufficient pam_localuser.so -+account sufficient pam_succeed_if.so uid < 1000 quiet -+account required pam_permit.so -+ -+password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type= -+password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok -+password required pam_deny.so -+ -+session optional pam_keyinit.so revoke -+session required pam_limits.so -+-session optional pam_systemd.so -+session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid -+session required pam_unix.so -+EOF -+ -+cat << EOF > "/etc/pam.d/smartcard-auth" -+#%PAM-1.0 -+# This file is auto-generated. 
-+# User changes will be destroyed the next time authconfig is run. -+auth required pam_env.so -+auth [success=done ignore=ignore default=die] pam_pkcs11.so nodebug wait_for_card -+auth required pam_deny.so -+ -+account required pam_unix.so -+account sufficient pam_localuser.so -+account sufficient pam_succeed_if.so uid < 1000 quiet -+account required pam_permit.so -+ -+password required pam_pkcs11.so -+ -+session optional pam_keyinit.so revoke -+session required pam_limits.so -+-session optional pam_systemd.so -+session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid -+session required pam_unix.so -+EOF -diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/smartcard_auth/tests/installed_with_pam_faildelay.pass.sh b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/smartcard_auth/tests/installed_with_pam_faildelay.pass.sh -new file mode 100644 -index 0000000000..c36ecbdb02 ---- /dev/null -+++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/smartcard_auth/tests/installed_with_pam_faildelay.pass.sh -@@ -0,0 +1,11 @@ -+#!/bin/bash -+# packages = pcsc-lite pam_pkcs11 esc -+ -+systemctl enable pcscd.socket -+systemctl start pcscd.socket -+ -+. 
./configure_pam_stack.sh -+ -+# Add pam_faildelay line to system-auth -+PAM_ENV_SO="auth.*required.*pam_env.so" -+sed -i --follow-symlinks '/auth.*required.*pam_env.so/ a auth required pam_faildelay.so delay=2000000' /etc/pam.d/system-auth -diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/smartcard_auth/tests/installed_without_authconfig.fail.sh b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/smartcard_auth/tests/installed_without_authconfig.fail.sh -new file mode 100644 -index 0000000000..83f4a81f08 ---- /dev/null -+++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/smartcard_auth/tests/installed_without_authconfig.fail.sh -@@ -0,0 +1,52 @@ -+#!/bin/bash -+# packages = pcsc-lite pam_pkcs11 esc -+ -+systemctl enable pcscd.socket -+systemctl start pcscd.socket -+ -+cat << EOF > "/etc/pam.d/system-auth" -+#%PAM-1.0 -+# This file is auto-generated. -+# User changes will be destroyed the next time authconfig is run. -+auth required pam_env.so -+auth sufficient pam_unix.so try_first_pass nullok -+auth required pam_deny.so -+ -+account required pam_unix.so -+ -+password requisite pam_pwquality.so try_first_pass local_users_only retry -+=3 authtok_type= -+password sufficient pam_unix.so try_first_pass use_authtok nullok sha512 s -+hadow -+password required pam_deny.so -+ -+session optional pam_keyinit.so revoke -+session required pam_limits.so -+-session optional pam_systemd.so -+session [success=1 default=ignore] pam_succeed_if.so service in crond quiet -+use_uid -+session required pam_unix.so -+EOF -+ -+cat << EOF > "/etc/pam.d/smartcard-auth" -+#%PAM-1.0 -+# This file is auto-generated. -+# User changes will be destroyed the next time authconfig is run. 
-+auth required pam_env.so
-+auth [success=done ignore=ignore default=die] pam_pkcs11.so wait_for_card
-+auth required pam_deny.so
-+
-+account required pam_unix.so
-+account sufficient pam_localuser.so
-+account sufficient pam_succeed_if.so uid < 500 quiet
-+account required pam_permit.so
-+
-+password optional pam_pkcs11.so
-+
-+session optional pam_keyinit.so revoke
-+session required pam_limits.so
-+-session optional pam_systemd.so
-+session [success=1 default=ignore] pam_succeed_if.so service in crond quiet
-+use_uid
-+session required pam_unix.so
-+EOF
--- 
-2.37.2
-
diff --git a/SOURCES/scap-security-guide-0.1.64-grub2_not_on_s390x-PR_9394.patch b/SOURCES/scap-security-guide-0.1.64-grub2_not_on_s390x-PR_9394.patch
deleted file mode 100644
index abe0b33..0000000
--- a/SOURCES/scap-security-guide-0.1.64-grub2_not_on_s390x-PR_9394.patch
+++ /dev/null
@@ -1,28 +0,0 @@
-From a236dadf8c6f04f5f0f4ba68dd09baf4efda8a3e Mon Sep 17 00:00:00 2001
-From: Watson Sato
-Date: Wed, 24 Aug 2022 10:10:40 +0200
-Subject: [PATCH 10/11] GRUB2 is not available on s390x
-
-Patch-name: scap-security-guide-0.1.64-grub2_not_on_s390x-PR_9394.patch
-Patch-status: GRUB2 is not available on s390x
----
- .../software/integrity/fips/grub2_enable_fips_mode/rule.yml | 3 +++
- 1 file changed, 3 insertions(+)
-
-diff --git a/linux_os/guide/system/software/integrity/fips/grub2_enable_fips_mode/rule.yml b/linux_os/guide/system/software/integrity/fips/grub2_enable_fips_mode/rule.yml
-index 5c1fc45ad0..8b6f4b4faf 100644
---- a/linux_os/guide/system/software/integrity/fips/grub2_enable_fips_mode/rule.yml
-+++ b/linux_os/guide/system/software/integrity/fips/grub2_enable_fips_mode/rule.yml
-@@ -29,6 +29,9 @@ rationale: |-
- 
- severity: high
- 
-+platforms:
-+ - grub2
-+
- identifiers:
- cce@rhel7: CCE-80359-3
- 
--- 
-2.37.2
-
diff --git a/SOURCES/scap-security-guide-0.1.64-pam_pkcs11_not_on_s390x-PR_9389.patch b/SOURCES/scap-security-guide-0.1.64-pam_pkcs11_not_on_s390x-PR_9389.patch
deleted file mode 100644
index 0dd80cb..0000000
--- a/SOURCES/scap-security-guide-0.1.64-pam_pkcs11_not_on_s390x-PR_9389.patch
+++ /dev/null
@@ -1,58 +0,0 @@
-From 39b3893a5fd4217ed3c5b09bbd017ac3caa85485 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?=
-Date: Wed, 24 Aug 2022 09:28:47 +0200
-Subject: [PATCH 09/11] Merge pull request #9389 from
- yuumasato/pam_pkcs11_not_available_s390x
-
-Patch-name: scap-security-guide-0.1.64-pam_pkcs11_not_on_s390x-PR_9389.patch
-Patch-status: Put smartcard rules with pam_pkcs11 out of s390x
----
- .../smart_card_login/install_smartcard_packages/rule.yml | 2 ++
- .../screen_locking/smart_card_login/smartcard_auth/rule.yml | 3 ++-
- .../smartcard_configure_cert_checking/rule.yml | 3 +++
- 3 files changed, 7 insertions(+), 1 deletion(-)
-
-diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/install_smartcard_packages/rule.yml b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/install_smartcard_packages/rule.yml
-index 9b33ac18a8..03fa6cccaa 100644
---- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/install_smartcard_packages/rule.yml
-+++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/install_smartcard_packages/rule.yml
-@@ -37,6 +37,8 @@ rationale: |-
- 
- severity: medium
- 
-+platform: not_s390x_arch
-+
- identifiers:
- cce@rhel7: CCE-80519-2
- cce@rhel8: CCE-84029-8
-diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/smartcard_auth/rule.yml b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/smartcard_auth/rule.yml
-index 8153b31177..0f513b8972 100644
---- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/smartcard_auth/rule.yml
-+++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/smartcard_auth/rule.yml
-@@ -28,7 +28,8 @@ rationale: |-
- 
- severity: medium
- 
--platform: machine # The check uses service_... extended definition, which doesnt support offline mode
-+platforms:
-+ - not_s390x_arch
- 
- identifiers:
- cce@rhel7: CCE-80207-4
-diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/smartcard_configure_cert_checking/rule.yml b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/smartcard_configure_cert_checking/rule.yml
-index 49bd5d1762..e416d99372 100644
---- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/smartcard_configure_cert_checking/rule.yml
-+++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/smartcard_configure_cert_checking/rule.yml
-@@ -24,6 +24,9 @@ rationale: |-
- 
- severity: medium
- 
-+platforms:
-+ - not_s390x_arch
-+
- identifiers:
- cce@rhel7: CCE-80520-0
- cce@rhel8: CCE-82475-5
--- 
-2.37.2
-
diff --git a/SOURCES/scap-security-guide-0.1.64-update_rhel7_stig_to_v3r8-PR_9317.patch b/SOURCES/scap-security-guide-0.1.64-update_rhel7_stig_to_v3r8-PR_9317.patch
deleted file mode 100644
index f70dec3..0000000
--- a/SOURCES/scap-security-guide-0.1.64-update_rhel7_stig_to_v3r8-PR_9317.patch
+++ /dev/null
@@ -1,3245 +0,0 @@ -From 1387b1732099246d62ad56b3accb2ae8dfe13a2d Mon Sep 17 00:00:00 2001 -From: Matthew Burket -Date: Tue, 9 Aug 2022 08:36:38 -0500 -Subject: [PATCH 6/7] Merge pull request #9317 from - yuumasato/update-rhel7-stig-to-v3r8 - -Patch-name: scap-security-guide-0.1.64-update_rhel7_stig_to_v3r8-PR_9317.patch -Patch-status: Update RHEL7 STIG to V3R8 ---- - products/rhel7/profiles/stig.profile | 4 +- - products/rhel7/profiles/stig_gui.profile | 4 +- - ... => disa-stig-rhel7-v3r8-xccdf-manual.xml} | 413 ++++++----- - ...ml => disa-stig-rhel7-v3r8-xccdf-scap.xml} | 697 +++++++++--------- - 4 files changed, 565 insertions(+), 553 deletions(-) - rename shared/references/{disa-stig-rhel7-v3r7-xccdf-manual.xml => disa-stig-rhel7-v3r8-xccdf-manual.xml} (97%) - rename shared/references/{disa-stig-rhel7-v3r7-xccdf-scap.xml => disa-stig-rhel7-v3r8-xccdf-scap.xml} (97%) - mode change 100644 => 100755 - -diff --git a/products/rhel7/profiles/stig.profile b/products/rhel7/profiles/stig.profile -index 6cac22ec9e..032707728d 100644 ---- a/products/rhel7/profiles/stig.profile -+++ b/products/rhel7/profiles/stig.profile -@@ -1,7 +1,7 @@ - documentation_complete: true - - metadata: -- version: V3R7 -+ version: V3R8 - SMEs: - - ggbecker - -@@ -11,7 +11,7 @@ title: 'DISA STIG for Red Hat Enterprise Linux 7' - - description: |- - This profile contains configuration checks that align to the -- DISA STIG for Red Hat Enterprise Linux V3R7. -+ DISA STIG for Red Hat Enterprise Linux V3R8. 
- - In addition to being applicable to Red Hat Enterprise Linux 7, DISA recognizes this - configuration baseline as applicable to the operating system tier of -diff --git a/products/rhel7/profiles/stig_gui.profile b/products/rhel7/profiles/stig_gui.profile -index 24f2b886a7..7b41b6d22a 100644 ---- a/products/rhel7/profiles/stig_gui.profile -+++ b/products/rhel7/profiles/stig_gui.profile -@@ -1,7 +1,7 @@ - documentation_complete: true - - metadata: -- version: V3R7 -+ version: V3R8 - SMEs: - - ggbecker - -@@ -11,7 +11,7 @@ title: 'DISA STIG with GUI for Red Hat Enterprise Linux 7' - - description: |- - This profile contains configuration checks that align to the -- DISA STIG with GUI for Red Hat Enterprise Linux V3R7. -+ DISA STIG with GUI for Red Hat Enterprise Linux V3R8. - - In addition to being applicable to Red Hat Enterprise Linux 7, DISA recognizes this - configuration baseline as applicable to the operating system tier of -diff --git a/shared/references/disa-stig-rhel7-v3r7-xccdf-manual.xml b/shared/references/disa-stig-rhel7-v3r8-xccdf-manual.xml -similarity index 97% -rename from shared/references/disa-stig-rhel7-v3r7-xccdf-manual.xml -rename to shared/references/disa-stig-rhel7-v3r8-xccdf-manual.xml -index 2c680d73ac..f5ca2a007a 100644 ---- a/shared/references/disa-stig-rhel7-v3r7-xccdf-manual.xml -+++ b/shared/references/disa-stig-rhel7-v3r8-xccdf-manual.xml -@@ -1,4 +1,4 @@ --acceptedRed Hat Enterprise Linux 7 Security Technical Implementation GuideThis Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. 
Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.DISASTIG.DOD.MILRelease: 7 Benchmark Date: 27 Apr 20223.3.0.273751.10.03I - Mission Critical Classified<ProfileDescription></ProfileDescription>I - Mission Critical Public<ProfileDescription></ProfileDescription>I - Mission Critical Sensitive<ProfileDescription></ProfileDescription>II - Mission Support Classified<ProfileDescription></ProfileDescription>II - Mission Support Public<ProfileDescription></ProfileDescription>II - Mission Support Sensitive<ProfileDescription></ProfileDescription>III - Administrative Classified<ProfileDescription></ProfileDescription>III - Administrative Public<ProfileDescription></ProfileDescription>III - Administrative Sensitive<ProfileDescription></ProfileDescription>SRG-OS-000257-GPOS-00098<GroupDescription></GroupDescription>RHEL-07-010010The Red Hat Enterprise Linux operating system must be configured so that the file permissions, ownership, and group membership of system files and commands match the vendor values.<VulnDiscussion>Discretionary access control is weakened if a user or group has access permissions to system files and directories greater than the default. -+acceptedRed Hat Enterprise Linux 7 Security Technical Implementation GuideThis Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. 
Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.DISASTIG.DOD.MILRelease: 8 Benchmark Date: 27 Jul 20223.3.0.273751.10.03I - Mission Critical Classified<ProfileDescription></ProfileDescription>I - Mission Critical Public<ProfileDescription></ProfileDescription>I - Mission Critical Sensitive<ProfileDescription></ProfileDescription>II - Mission Support Classified<ProfileDescription></ProfileDescription>II - Mission Support Public<ProfileDescription></ProfileDescription>II - Mission Support Sensitive<ProfileDescription></ProfileDescription>III - Administrative Classified<ProfileDescription></ProfileDescription>III - Administrative Public<ProfileDescription></ProfileDescription>III - Administrative Sensitive<ProfileDescription></ProfileDescription>SRG-OS-000257-GPOS-00098<GroupDescription></GroupDescription>RHEL-07-010010The Red Hat Enterprise Linux operating system must be configured so that the file permissions, ownership, and group membership of system files and commands match the vendor values.<VulnDiscussion>Discretionary access control is weakened if a user or group has access permissions to system files and directories greater than the default. 
- - Satisfies: SRG-OS-000257-GPOS-00098, SRG-OS-000278-GPOS-00108</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-71849SV-86473CCI-001494CCI-001496CCI-002165CCI-002235Run the following command to determine which package owns the file: - -@@ -768,25 +768,25 @@ auth required pam_faillock.so preauth silent audit deny=3 even_deny_root fail_in - auth [default=die] pam_faillock.so authfail audit deny=3 even_deny_root fail_interval=900 unlock_time=900 - account required pam_faillock.so - --If the "even_deny_root" setting is not defined on both lines with the "pam_faillock.so" module, is commented out, or is missing from a line, this is a finding.SRG-OS-000373-GPOS-00156<GroupDescription></GroupDescription>RHEL-07-010340The Red Hat Enterprise Linux operating system must be configured so that users must provide a password for privilege escalation.<VulnDiscussion>Without re-authentication, users may access resources or perform tasks for which they do not have authorization. -+If the "even_deny_root" setting is not defined on both lines with the "pam_faillock.so" module, is commented out, or is missing from a line, this is a finding.SRG-OS-000373-GPOS-00156<GroupDescription></GroupDescription>RHEL-07-010340The Red Hat Enterprise Linux operating system must be configured so that users must provide a password for privilege escalation.<VulnDiscussion>Without re-authentication, users may access resources or perform tasks for which they do not have authorization. 
- - When operating systems provide the capability to escalate a functional capability, it is critical the user re-authenticate. - --Satisfies: SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-71947SV-86571CCI-002038Configure the operating system to require users to supply a password for privilege escalation. -+Satisfies: SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-71947SV-86571CCI-002038Configure the operating system to require users to supply a password for privilege escalation. - - Check the configuration of the "/etc/sudoers" file with the following command: --# visudo -+$ sudo visudo - --Remove any occurrences of "NOPASSWD" tags in the file. -+Remove any occurrences of "NOPASSWD" tags in the file. - - Check the configuration of the /etc/sudoers.d/* files with the following command: --# grep -i nopasswd /etc/sudoers.d/* -+$ sudo grep -ir nopasswd /etc/sudoers.d - --Remove any occurrences of "NOPASSWD" tags in the file.Verify the operating system requires users to supply a password for privilege escalation. 
-+Remove any occurrences of "NOPASSWD" tags in the file.Verify the operating system requires users to supply a password for privilege escalation. - - Check the configuration of the "/etc/sudoers" and "/etc/sudoers.d/*" files with the following command: - --# grep -i nopasswd /etc/sudoers /etc/sudoers.d/* -+$ sudo grep -ir nopasswd /etc/sudoers /etc/sudoers.d - - If any occurrences of "NOPASSWD" are returned from the command and have not been documented with the Information System Security Officer (ISSO) as an organizationally defined administrative group utilizing MFA, this is a finding.SRG-OS-000373-GPOS-00156<GroupDescription></GroupDescription>RHEL-07-010350The Red Hat Enterprise Linux operating system must be configured so that users must re-authenticate for privilege escalation.<VulnDiscussion>Without re-authentication, users may access resources or perform tasks for which they do not have authorization. - -@@ -1263,13 +1263,15 @@ Verify that the /etc/selinux/config file is configured to the "SELINUXTYPE" to " - - SELINUXTYPE = targeted - --If no results are returned or "SELINUXTYPE" is not set to "targeted", this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-020230The Red Hat Enterprise Linux operating system must be configured so that the x86 Ctrl-Alt-Delete key sequence is disabled on the command line.<VulnDiscussion>A locally logged-on user who presses Ctrl-Alt-Delete, when at the console, can reboot the system. If accidentally pressed, as could happen in the case of a mixed OS environment, this can create the risk of short-term loss of availability of systems due to unintentional reboot. 
In the GNOME graphical environment, risk of unintentional reboot from the Ctrl-Alt-Delete sequence is reduced because the user will be prompted before any action is taken.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86617V-71993CCI-000366Configure the system to disable the Ctrl-Alt-Delete sequence for the command line with the following command: -+If no results are returned or "SELINUXTYPE" is not set to "targeted", this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-020230The Red Hat Enterprise Linux operating system must be configured so that the x86 Ctrl-Alt-Delete key sequence is disabled on the command line.<VulnDiscussion>A locally logged-on user who presses Ctrl-Alt-Delete, when at the console, can reboot the system. If accidentally pressed, as could happen in the case of a mixed OS environment, this can create the risk of short-term loss of availability of systems due to unintentional reboot. 
In the GNOME graphical environment, risk of unintentional reboot from the Ctrl-Alt-Delete sequence is reduced because the user will be prompted before any action is taken.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86617V-71993CCI-000366Configure the system to disable the Ctrl-Alt-Delete sequence for the command line with the following commands: -+ -+$ sudo systemctl disable ctrl-alt-del.target - --# systemctl mask ctrl-alt-del.targetVerify the operating system is not configured to reboot the system when Ctrl-Alt-Delete is pressed. -+$ sudo systemctl mask ctrl-alt-del.targetVerify the operating system is not configured to reboot the system when Ctrl-Alt-Delete is pressed. - - Check that the ctrl-alt-del.target is masked and not active with the following command: - --# systemctl status ctrl-alt-del.target -+$ sudo systemctl status ctrl-alt-del.target - - ctrl-alt-del.target - Loaded: masked (/dev/null; bad) -@@ -2384,85 +2386,85 @@ If both the "b32" and "b64" audit rules are not defined for the "creat", "open", - - If the output does not produce rules containing "-F exit=-EPERM", this is a finding. 
- --If the output does not produce rules containing "-F exit=-EACCES", this is a finding.SRG-OS-000392-GPOS-00172<GroupDescription></GroupDescription>RHEL-07-030560The Red Hat Enterprise Linux operating system must audit all uses of the semanage command.<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. -+If the output does not produce rules containing "-F exit=-EACCES", this is a finding.SRG-OS-000392-GPOS-00172<GroupDescription></GroupDescription>RHEL-07-030560The Red Hat Enterprise Linux operating system must audit all uses of the semanage command.<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. - - Audit records can be generated from various components within the information system (e.g., module or policy filter). - - When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way. 
- --Satisfies: SRG-OS-000392-GPOS-00172, SRG-OS-000463-GPOS-00207, SRG-OS-000465-GPOS-00209</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86759V-72135CCI-000172CCI-002884Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "semanage" command occur. -+Satisfies: SRG-OS-000392-GPOS-00172, SRG-OS-000463-GPOS-00207, SRG-OS-000465-GPOS-00209</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86759V-72135CCI-000172CCI-002884Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "semanage" command occur. - - Add or update the following rule in "/etc/audit/rules.d/audit.rules": - ---a always,exit -F path=/usr/sbin/semanage -F auid>=1000 -F auid!=unset -k privileged-priv_change -+-a always,exit -F path=/usr/sbin/semanage -F perm=x -F auid>=1000 -F auid!=unset -k privileged-priv_change - --The audit daemon must be restarted for the changes to take effect.Verify the operating system generates audit records when successful/unsuccessful attempts to use the "semanage" command occur. 
-+The audit daemon must be restarted for the changes to take effect.Verify the operating system generates audit records when successful/unsuccessful attempts to use the "semanage" command occur. - - Check the file system rule in "/etc/audit/audit.rules" with the following command: - --# grep -i /usr/sbin/semanage /etc/audit/audit.rules -+$ sudo grep -w "/usr/sbin/semanage" /etc/audit/audit.rules - ---a always,exit -F path=/usr/sbin/semanage -F auid>=1000 -F auid!=unset -k privileged-priv_change -+-a always,exit -F path=/usr/sbin/semanage -F perm=x -F auid>=1000 -F auid!=unset -k privileged-priv_change - --If the command does not return any output, this is a finding.SRG-OS-000392-GPOS-00172<GroupDescription></GroupDescription>RHEL-07-030570The Red Hat Enterprise Linux operating system must audit all uses of the setsebool command.<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. -+If the command does not return any output, this is a finding.SRG-OS-000392-GPOS-00172<GroupDescription></GroupDescription>RHEL-07-030570The Red Hat Enterprise Linux operating system must audit all uses of the setsebool command.<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. - - Audit records can be generated from various components within the information system (e.g., module or policy filter). - - When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. 
The audit system interprets -1, 4294967295, and "unset" in the same way. - --Satisfies: SRG-OS-000392-GPOS-00172, SRG-OS-000463-GPOS-00207, SRG-OS-000465-GPOS-00209</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72137SV-86761CCI-000172CCI-002884Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "setsebool" command occur. -+Satisfies: SRG-OS-000392-GPOS-00172, SRG-OS-000463-GPOS-00207, SRG-OS-000465-GPOS-00209</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72137SV-86761CCI-000172CCI-002884Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "setsebool" command occur. - - Add or update the following rule in "/etc/audit/rules.d/audit.rules": - ---a always,exit -F path=/usr/sbin/setsebool -F auid>=1000 -F auid!=unset -k privileged-priv_change -+-a always,exit -F path=/usr/sbin/setsebool -F perm=x -F auid>=1000 -F auid!=unset -k privileged-priv_change - --The audit daemon must be restarted for the changes to take effect.Verify the operating system generates audit records when successful/unsuccessful attempts to use the "setsebool" command occur. 
-+The audit daemon must be restarted for the changes to take effect.Verify the operating system generates audit records when successful/unsuccessful attempts to use the "setsebool" command occur. - - Check the file system rule in "/etc/audit/audit.rules" with the following command: - --# grep -i /usr/sbin/setsebool /etc/audit/audit.rules -+$ sudo grep -w "/usr/sbin/setsebool" /etc/audit/audit.rules - ---a always,exit -F path=/usr/sbin/setsebool -F auid>=1000 -F auid!=unset -k privileged-priv_change -+-a always,exit -F path=/usr/sbin/setsebool -F perm=x -F auid>=1000 -F auid!=unset -k privileged-priv_change - --If the command does not return any output, this is a finding.SRG-OS-000392-GPOS-00172<GroupDescription></GroupDescription>RHEL-07-030580The Red Hat Enterprise Linux operating system must audit all uses of the chcon command.<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. -+If the command does not return any output, this is a finding.SRG-OS-000392-GPOS-00172<GroupDescription></GroupDescription>RHEL-07-030580The Red Hat Enterprise Linux operating system must audit all uses of the chcon command.<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. - - Audit records can be generated from various components within the information system (e.g., module or policy filter). - - When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. 
The audit system interprets -1, 4294967295, and "unset" in the same way. - --Satisfies: SRG-OS-000392-GPOS-00172, SRG-OS-000463-GPOS-00207, SRG-OS-000465-GPOS-00209</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72139SV-86763CCI-000172CCI-002884Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "chcon" command occur. -+Satisfies: SRG-OS-000392-GPOS-00172, SRG-OS-000463-GPOS-00207, SRG-OS-000465-GPOS-00209</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72139SV-86763CCI-000172CCI-002884Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "chcon" command occur. - - Add or update the following rule in "/etc/audit/rules.d/audit.rules": - ---a always,exit -F path=/usr/bin/chcon -F auid>=1000 -F auid!=unset -k privileged-priv_change -+-a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=unset -k privileged-priv_change - --The audit daemon must be restarted for the changes to take effect.Verify the operating system generates audit records when successful/unsuccessful attempts to use the "chcon" command occur. 
-+The audit daemon must be restarted for the changes to take effect.Verify the operating system generates audit records when successful/unsuccessful attempts to use the "chcon" command occur. - - Check the file system rule in "/etc/audit/audit.rules" with the following command: - --# grep -i /usr/bin/chcon /etc/audit/audit.rules -+$ sudo grep -w "/usr/bin/chcon" /etc/audit/audit.rules - ---a always,exit -F path=/usr/bin/chcon -F auid>=1000 -F auid!=unset -k privileged-priv_change -+-a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=unset -k privileged-priv_change - --If the command does not return any output, this is a finding.SRG-OS-000392-GPOS-00172<GroupDescription></GroupDescription>RHEL-07-030590The Red Hat Enterprise Linux operating system must audit all uses of the setfiles command.<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. -+If the command does not return any output, this is a finding.SRG-OS-000392-GPOS-00172<GroupDescription></GroupDescription>RHEL-07-030590The Red Hat Enterprise Linux operating system must audit all uses of the setfiles command.<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. - - Audit records can be generated from various components within the information system (e.g., module or policy filter). - - When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way. 
- --Satisfies: SRG-OS-000392-GPOS-00172, SRG-OS-000463-GPOS-00207, SRG-OS-000465-GPOS-00209</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72141SV-86765CCI-000172CCI-002884Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "setfiles" command occur. -+Satisfies: SRG-OS-000392-GPOS-00172, SRG-OS-000463-GPOS-00207, SRG-OS-000465-GPOS-00209</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72141SV-86765CCI-000172CCI-002884Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "setfiles" command occur. - - Add or update the following rule in "/etc/audit/rules.d/audit.rules": - ---a always,exit -F path=/usr/sbin/setfiles -F auid>=1000 -F auid!=unset -k privileged-priv_change -+-a always,exit -F path=/usr/sbin/setfiles -F perm=x -F auid>=1000 -F auid!=unset -k privileged-priv_change - --The audit daemon must be restarted for the changes to take effect.Verify the operating system generates audit records when successful/unsuccessful attempts to use the "setfiles" command occur. 
-+The audit daemon must be restarted for the changes to take effect.Verify the operating system generates audit records when successful/unsuccessful attempts to use the "setfiles" command occur. - - Check the file system rule in "/etc/audit/audit.rules" with the following command: - --# grep -iw /usr/sbin/setfiles /etc/audit/audit.rules -+$ sudo grep -w "/usr/sbin/setfiles" /etc/audit/audit.rules - ---a always,exit -F path=/usr/sbin/setfiles -F auid>=1000 -F auid!=unset -k privileged-priv_change -+-a always,exit -F path=/usr/sbin/setfiles -F perm=x -F auid>=1000 -F auid!=unset -k privileged-priv_change - - If the command does not return any output, this is a finding.SRG-OS-000392-GPOS-00172<GroupDescription></GroupDescription>RHEL-07-030610The Red Hat Enterprise Linux operating system must generate audit records for all unsuccessful account access events.<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. - -@@ -2500,145 +2502,145 @@ Check the file system rules in "/etc/audit/audit.rules" with the following comma - - -w /var/log/lastlog -p wa -k logins - --If the command does not return any output, this is a finding.SRG-OS-000042-GPOS-00020<GroupDescription></GroupDescription>RHEL-07-030630The Red Hat Enterprise Linux operating system must audit all uses of the passwd command.<VulnDiscussion>Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. 
-+If the command does not return any output, this is a finding.SRG-OS-000042-GPOS-00020<GroupDescription></GroupDescription>RHEL-07-030630The Red Hat Enterprise Linux operating system must audit all uses of the passwd command.<VulnDiscussion>Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. - - At a minimum, the organization must audit the full-text recording of privileged password commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise. - --When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way. -+When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way. - --Satisfies: SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000471-GPOS-00215</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86773V-72149CCI-000135CCI-000172CCI-002884Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "passwd" command occur. 
-+Satisfies: SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000471-GPOS-00215</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86773V-72149CCI-000135CCI-000172CCI-002884Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "passwd" command occur. - - Add or update the following rule in "/etc/audit/rules.d/audit.rules": - ---a always,exit -F path=/usr/bin/passwd -F auid>=1000 -F auid!=unset -k privileged-passwd -+-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=unset -k privileged-passwd - --The audit daemon must be restarted for the changes to take effect.Verify the operating system generates audit records when successful/unsuccessful attempts to use the "passwd" command occur. -+The audit daemon must be restarted for the changes to take effect.Verify the operating system generates audit records when successful/unsuccessful attempts to use the "passwd" command occur. 
- - Check the file system rule in "/etc/audit/audit.rules" with the following command: - --# grep -i /usr/bin/passwd /etc/audit/audit.rules -+$ sudo grep -w "/usr/bin/passwd" /etc/audit/audit.rules - ---a always,exit -F path=/usr/bin/passwd -F auid>=1000 -F auid!=unset -k privileged-passwd -+-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=unset -k privileged-passwd - --If the command does not return any output, this is a finding.SRG-OS-000042-GPOS-00020<GroupDescription></GroupDescription>RHEL-07-030640The Red Hat Enterprise Linux operating system must audit all uses of the unix_chkpwd command.<VulnDiscussion>Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. -+If the command does not return any output, this is a finding.SRG-OS-000042-GPOS-00020<GroupDescription></GroupDescription>RHEL-07-030640The Red Hat Enterprise Linux operating system must audit all uses of the unix_chkpwd command.<VulnDiscussion>Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. - - At a minimum, the organization must audit the full-text recording of privileged password commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise. - - When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way. 
- --Satisfies: SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000471-GPOS-00215</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86775V-72151CCI-000135CCI-000172CCI-002884Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "unix_chkpwd" command occur. -+Satisfies: SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000471-GPOS-00215</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86775V-72151CCI-000135CCI-000172CCI-002884Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "unix_chkpwd" command occur. - - Add or update the following rule in "/etc/audit/rules.d/audit.rules": - ---a always,exit -F path=/usr/sbin/unix_chkpwd -F auid>=1000 -F auid!=unset -k privileged-passwd -+-a always,exit -F path=/usr/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=unset -k privileged-passwd - --The audit daemon must be restarted for the changes to take effect.Verify the operating system generates audit records when successful/unsuccessful attempts to use the "unix_chkpwd" command occur. 
-+The audit daemon must be restarted for the changes to take effect.Verify the operating system generates audit records when successful/unsuccessful attempts to use the "unix_chkpwd" command occur. - - Check the file system rule in "/etc/audit/audit.rules" with the following command: - --# grep -iw /usr/sbin/unix_chkpwd /etc/audit/audit.rules -+$ sudo grep -w "/usr/sbin/unix_chkpwd" /etc/audit/audit.rules - ---a always,exit -F path=/usr/sbin/unix_chkpwd -F auid>=1000 -F auid!=unset -k privileged-passwd -+-a always,exit -F path=/usr/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=unset -k privileged-passwd - --If the command does not return any output, this is a finding.SRG-OS-000042-GPOS-00020<GroupDescription></GroupDescription>RHEL-07-030650The Red Hat Enterprise Linux operating system must audit all uses of the gpasswd command.<VulnDiscussion>Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. -+If the command does not return any output, this is a finding.SRG-OS-000042-GPOS-00020<GroupDescription></GroupDescription>RHEL-07-030650The Red Hat Enterprise Linux operating system must audit all uses of the gpasswd command.<VulnDiscussion>Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. - - At a minimum, the organization must audit the full-text recording of privileged password commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise. - - When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way. 
- --Satisfies: SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000471-GPOS-00215</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86777V-72153CCI-000135CCI-000172CCI-002884Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "gpasswd" command occur. -+Satisfies: SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000471-GPOS-00215</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86777V-72153CCI-000135CCI-000172CCI-002884Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "gpasswd" command occur. - - Add or update the following rule in "/etc/audit/rules.d/audit.rules": - ---a always,exit -F path=/usr/bin/gpasswd -F auid>=1000 -F auid!=unset -k privileged-passwd -+-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=unset -k privileged-passwd - --The audit daemon must be restarted for the changes to take effect. Verify the operating system generates audit records when successful/unsuccessful attempts to use the "gpasswd" command occur. 
-+The audit daemon must be restarted for the changes to take effect.Verify the operating system generates audit records when successful/unsuccessful attempts to use the "gpasswd" command occur. - - Check the file system rule in "/etc/audit/audit.rules" with the following command: - --# grep -i /usr/bin/gpasswd /etc/audit/audit.rules -+$ sudo grep -w "/usr/bin/gpasswd" /etc/audit/audit.rules - ---a always,exit -F path=/usr/bin/gpasswd -F auid>=1000 -F auid!=unset -k privileged-passwd -+-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=unset -k privileged-passwd - --If the command does not return any output, this is a finding.SRG-OS-000042-GPOS-00020<GroupDescription></GroupDescription>RHEL-07-030660The Red Hat Enterprise Linux operating system must audit all uses of the chage command.<VulnDiscussion>Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. -+If the command does not return any output, this is a finding.SRG-OS-000042-GPOS-00020<GroupDescription></GroupDescription>RHEL-07-030660The Red Hat Enterprise Linux operating system must audit all uses of the chage command.<VulnDiscussion>Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. - - At a minimum, the organization must audit the full-text recording of privileged password commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise. - - When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way. 
- 
--Satisfies: SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000471-GPOS-00215</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86779V-72155CCI-000135CCI-000172CCI-002884Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "chage" command occur.
-+Satisfies: SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000471-GPOS-00215</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86779V-72155CCI-000135CCI-000172CCI-002884Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "chage" command occur.
- 
- Add or update the following rule in "/etc/audit/rules.d/audit.rules":
- 
---a always,exit -F path=/usr/bin/chage -F auid>=1000 -F auid!=unset -k privileged-passwd
-+-a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=unset -k privileged-passwd
- 
--The audit daemon must be restarted for the changes to take effect.Verify the operating system generates audit records when successful/unsuccessful attempts to use the "chage" command occur.
-+The audit daemon must be restarted for the changes to take effect.Verify the operating system generates audit records when successful/unsuccessful attempts to use the "chage" command occur.
- 
- Check the file system rule in "/etc/audit/audit.rules" with the following command:
- 
--# grep -i /usr/bin/chage /etc/audit/audit.rules
-+$ sudo grep -w "/usr/bin/chage" /etc/audit/audit.rules
- 
---a always,exit -F path=/usr/bin/chage -F auid>=1000 -F auid!=unset -k privileged-passwd
-+-a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=unset -k privileged-passwd
- 
--If the command does not return any output, this is a finding.SRG-OS-000042-GPOS-00020<GroupDescription></GroupDescription>RHEL-07-030670The Red Hat Enterprise Linux operating system must audit all uses of the userhelper command.<VulnDiscussion>Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information.
-+If the command does not return any output, this is a finding.SRG-OS-000042-GPOS-00020<GroupDescription></GroupDescription>RHEL-07-030670The Red Hat Enterprise Linux operating system must audit all uses of the userhelper command.<VulnDiscussion>Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information.
- 
- At a minimum, the organization must audit the full-text recording of privileged password commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise.
- 
- When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way.
- 
--Satisfies: SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000471-GPOS-00215</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86781V-72157CCI-000135CCI-000172CCI-002884Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "userhelper" command occur.
-+Satisfies: SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000471-GPOS-00215</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86781V-72157CCI-000135CCI-000172CCI-002884Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "userhelper" command occur.
- 
- Add or update the following rule in "/etc/audit/rules.d/audit.rules":
- 
---a always,exit -F path=/usr/sbin/userhelper -F auid>=1000 -F auid!=unset -k privileged-passwd
-+-a always,exit -F path=/usr/sbin/userhelper -F perm=x -F auid>=1000 -F auid!=unset -k privileged-passwd
- 
--The audit daemon must be restarted for the changes to take effect.Verify the operating system generates audit records when successful/unsuccessful attempts to use the "userhelper" command occur.
-+The audit daemon must be restarted for the changes to take effect.Verify the operating system generates audit records when successful/unsuccessful attempts to use the "userhelper" command occur.
- 
- Check the file system rule in "/etc/audit/audit.rules" with the following command:
- 
--# grep -i /usr/sbin/userhelper /etc/audit/audit.rules
-+$ sudo grep -w "/usr/sbin/userhelper" /etc/audit/audit.rules
- 
---a always,exit -F path=/usr/sbin/userhelper -F auid>=1000 -F auid!=unset -k privileged-passwd
-+-a always,exit -F path=/usr/sbin/userhelper -F perm=x -F auid>=1000 -F auid!=unset -k privileged-passwd
- 
--If the command does not return any output, this is a finding.SRG-OS-000037-GPOS-00015<GroupDescription></GroupDescription>RHEL-07-030680The Red Hat Enterprise Linux operating system must audit all uses of the su command.<VulnDiscussion>Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information.
-+If the command does not return any output, this is a finding.SRG-OS-000037-GPOS-00015<GroupDescription></GroupDescription>RHEL-07-030680The Red Hat Enterprise Linux operating system must audit all uses of the su command.<VulnDiscussion>Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information.
- 
- At a minimum, the organization must audit the full-text recording of privileged access commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise.
- 
- When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way.
- 
--Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86783V-72159CCI-000130CCI-000135CCI-000172CCI-002884Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "su" command occur.
-+Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86783V-72159CCI-000130CCI-000135CCI-000172CCI-002884Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "su" command occur.
- 
- Add or update the following rule in "/etc/audit/rules.d/audit.rules":
- 
---a always,exit -F path=/usr/bin/su -F auid>=1000 -F auid!=unset -k privileged-priv_change
-+-a always,exit -F path=/usr/bin/su -F perm=x -F auid>=1000 -F auid!=unset -k privileged-priv_change
- 
--The audit daemon must be restarted for the changes to take effect.Verify the operating system generates audit records when successful/unsuccessful attempts to use the "su" command occur.
-+The audit daemon must be restarted for the changes to take effect.Verify the operating system generates audit records when successful/unsuccessful attempts to use the "su" command occur.
- 
- Check that the following system call is being audited by performing the following command to check the file system rules in "/etc/audit/audit.rules":
- 
--# grep -iw /usr/bin/su /etc/audit/audit.rules
-+$ sudo grep -w "/usr/bin/su" /etc/audit/audit.rules
- 
---a always,exit -F path=/usr/bin/su -F auid>=1000 -F auid!=unset -k privileged-priv_change
-+-a always,exit -F path=/usr/bin/su -F perm=x -F auid>=1000 -F auid!=unset -k privileged-priv_change
- 
--If the command does not return any output, this is a finding.SRG-OS-000037-GPOS-00015<GroupDescription></GroupDescription>RHEL-07-030690The Red Hat Enterprise Linux operating system must audit all uses of the sudo command.<VulnDiscussion>Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information.
-+If the command does not return any output, this is a finding.SRG-OS-000037-GPOS-00015<GroupDescription></GroupDescription>RHEL-07-030690The Red Hat Enterprise Linux operating system must audit all uses of the sudo command.<VulnDiscussion>Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information.
- 
- At a minimum, the organization must audit the full-text recording of privileged access commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise.
- 
- When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way.
- 
--Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72161SV-86785CCI-000130CCI-000135CCI-000172CCI-002884Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "sudo" command occur.
-+Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72161SV-86785CCI-000130CCI-000135CCI-000172CCI-002884Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "sudo" command occur.
- 
- Add or update the following rule in "/etc/audit/rules.d/audit.rules":
- 
---a always,exit -F path=/usr/bin/sudo -F auid>=1000 -F auid!=unset -k privileged-priv_change
-+-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=unset -k privileged-priv_change
- 
--The audit daemon must be restarted for the changes to take effect.Verify the operating system generates audit records when successful/unsuccessful attempts to use the "sudo" command occur.
-+The audit daemon must be restarted for the changes to take effect.Verify the operating system generates audit records when successful/unsuccessful attempts to use the "sudo" command occur.
- 
- Check that the following system call is being audited by performing the following command to check the file system rules in "/etc/audit/audit.rules":
- 
--# grep -iw /usr/bin/sudo /etc/audit/audit.rules
-+$ sudo grep -w "/usr/bin/sudo" /etc/audit/audit.rules
- 
---a always,exit -F path=/usr/bin/sudo -F auid>=1000 -F auid!=unset -k privileged-priv_change
-+-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=unset -k privileged-priv_change
- 
- If the command does not return any output, this is a finding.SRG-OS-000037-GPOS-00015<GroupDescription></GroupDescription>RHEL-07-030700The Red Hat Enterprise Linux operating system must audit all uses of the sudoers file and all files in the /etc/sudoers.d/ directory.<VulnDiscussion>Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information.
- 
-@@ -2664,255 +2666,255 @@ Check for modification of the following files being audited by performing the fo
- 
- -w /etc/sudoers.d/ -p wa -k privileged-actions
- 
--If the commands do not return output that match the examples, this is a finding.SRG-OS-000037-GPOS-00015<GroupDescription></GroupDescription>RHEL-07-030710The Red Hat Enterprise Linux operating system must audit all uses of the newgrp command.<VulnDiscussion>Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information.
-+If the commands do not return output that match the examples, this is a finding.SRG-OS-000037-GPOS-00015<GroupDescription></GroupDescription>RHEL-07-030710The Red Hat Enterprise Linux operating system must audit all uses of the newgrp command.<VulnDiscussion>Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information.
- 
- At a minimum, the organization must audit the full-text recording of privileged access commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise.
- 
- When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way.
- 
--Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72165SV-86789CCI-000130CCI-000135CCI-000172CCI-002884Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "newgrp" command occur.
-+Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72165SV-86789CCI-000130CCI-000135CCI-000172CCI-002884Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "newgrp" command occur.
- 
- Add or update the following rule in "/etc/audit/rules.d/audit.rules":
- 
---a always,exit -F path=/usr/bin/newgrp -F auid>=1000 -F auid!=unset -k privileged-priv_change
-+-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=unset -k privileged-priv_change
- 
--The audit daemon must be restarted for the changes to take effect.Verify the operating system generates audit records when successful/unsuccessful attempts to use the "newgrp" command occur.
-+The audit daemon must be restarted for the changes to take effect.Verify the operating system generates audit records when successful/unsuccessful attempts to use the "newgrp" command occur.
- 
- Check that the following system call is being audited by performing the following command to check the file system rules in "/etc/audit/audit.rules":
- 
--# grep -i /usr/bin/newgrp /etc/audit/audit.rules
-+$ sudo grep -w "/usr/bin/newgrp" /etc/audit/audit.rules
- 
---a always,exit -F path=/usr/bin/newgrp -F auid>=1000 -F auid!=unset -k privileged-priv_change
-+-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=unset -k privileged-priv_change
- 
--If the command does not return any output, this is a finding.SRG-OS-000037-GPOS-00015<GroupDescription></GroupDescription>RHEL-07-030720The Red Hat Enterprise Linux operating system must audit all uses of the chsh command.<VulnDiscussion>Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information.
-+If the command does not return any output, this is a finding.SRG-OS-000037-GPOS-00015<GroupDescription></GroupDescription>RHEL-07-030720The Red Hat Enterprise Linux operating system must audit all uses of the chsh command.<VulnDiscussion>Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information.
- 
- At a minimum, the organization must audit the full-text recording of privileged access commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise.
- 
- When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way.
- 
--Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86791V-72167CCI-000130CCI-000135CCI-000172CCI-002884Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "chsh" command occur.
-+Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86791V-72167CCI-000130CCI-000135CCI-000172CCI-002884Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "chsh" command occur.
- 
- Add or update the following rule in "/etc/audit/rules.d/audit.rules":
- 
---a always,exit -F path=/usr/bin/chsh -F auid>=1000 -F auid!=unset -k privileged-priv_change
-+-a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=unset -k privileged-priv_change
- 
--The audit daemon must be restarted for the changes to take effect.Verify the operating system generates audit records when successful/unsuccessful attempts to use the "chsh" command occur.
-+The audit daemon must be restarted for the changes to take effect.Verify the operating system generates audit records when successful/unsuccessful attempts to use the "chsh" command occur.
- 
- Check that the following system call is being audited by performing the following command to check the file system rules in "/etc/audit/audit.rules":
- 
--# grep -i /usr/bin/chsh /etc/audit/audit.rules
-+$ sudo grep -w "/usr/bin/chsh" /etc/audit/audit.rules
- 
---a always,exit -F path=/usr/bin/chsh -F auid>=1000 -F auid!=unset -k privileged-priv_change
-+-a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=unset -k privileged-priv_change
- 
--If the command does not return any output, this is a finding.SRG-OS-000042-GPOS-00020<GroupDescription></GroupDescription>RHEL-07-030740The Red Hat Enterprise Linux operating system must audit all uses of the mount command and syscall.<VulnDiscussion>Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information.
-+If the command does not return any output, this is a finding.SRG-OS-000042-GPOS-00020<GroupDescription></GroupDescription>RHEL-07-030740The Red Hat Enterprise Linux operating system must audit all uses of the mount command and syscall.<VulnDiscussion>Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information.
- 
- At a minimum, the organization must audit the full-text recording of privileged mount commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise.
- 
- When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way.
- 
--Satisfies: SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72171SV-86795CCI-000135CCI-002884Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "mount" command and syscall occur.
-+Satisfies: SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72171SV-86795CCI-000135CCI-002884Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "mount" command and syscall occur.
- 
- Add or update the following rules in "/etc/audit/rules.d/audit.rules":
- 
- -a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=unset -k privileged-mount
- -a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=unset -k privileged-mount
---a always,exit -F path=/usr/bin/mount -F auid>=1000 -F auid!=unset -k privileged-mount
-+-a always,exit -F path=/usr/bin/mount -F perm=x -F auid>=1000 -F auid!=unset -k privileged-mount
- 
--The audit daemon must be restarted for the changes to take effect.Verify the operating system generates audit records when successful/unsuccessful attempts to use the "mount" command and syscall occur.
-+The audit daemon must be restarted for the changes to take effect.Verify the operating system generates audit records when successful/unsuccessful attempts to use the "mount" command and syscall occur.
- 
- Check that the following system call is being audited by performing the following series of commands to check the file system rules in "/etc/audit/audit.rules":
- 
--# grep -iw "mount" /etc/audit/audit.rules
-+$ sudo grep -w "mount" /etc/audit/audit.rules
- 
- -a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=unset -k privileged-mount
- -a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=unset -k privileged-mount
---a always,exit -F path=/usr/bin/mount -F auid>=1000 -F auid!=unset -k privileged-mount
-+-a always,exit -F path=/usr/bin/mount -F perm=x -F auid>=1000 -F auid!=unset -k privileged-mount
- 
- If both the "b32" and "b64" audit rules are not defined for the "mount" syscall, this is a finding.
- 
--If all uses of the "mount" command are not being audited, this is a finding.SRG-OS-000042-GPOS-00020<GroupDescription></GroupDescription>RHEL-07-030750The Red Hat Enterprise Linux operating system must audit all uses of the umount command.<VulnDiscussion>Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information.
-+If all uses of the "mount" command are not being audited, this is a finding.SRG-OS-000042-GPOS-00020<GroupDescription></GroupDescription>RHEL-07-030750The Red Hat Enterprise Linux operating system must audit all uses of the umount command.<VulnDiscussion>Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information.
- 
- At a minimum, the organization must audit the full-text recording of privileged mount commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise.
- 
- When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way.
- 
--Satisfies: SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72173SV-86797CCI-000135CCI-002884Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "umount" command occur.
-+Satisfies: SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72173SV-86797CCI-000135CCI-002884Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "umount" command occur.
- 
- Add or update the following rule in "/etc/audit/rules.d/audit.rules":
- 
---a always,exit -F path=/usr/bin/umount -F auid>=1000 -F auid!=unset -k privileged-mount
-+-a always,exit -F path=/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=unset -k privileged-mount
- 
--The audit daemon must be restarted for the changes to take effect.Verify the operating system generates audit records when successful/unsuccessful attempts to use the "umount" command occur.
-+The audit daemon must be restarted for the changes to take effect.Verify the operating system generates audit records when successful/unsuccessful attempts to use the "umount" command occur.
- 
- Check that the following system call is being audited by performing the following series of commands to check the file system rules in "/etc/audit/audit.rules":
- 
--# grep -iw "/usr/bin/umount" /etc/audit/audit.rules
-+$ sudo grep -w "/usr/bin/umount" /etc/audit/audit.rules
- 
---a always,exit -F path=/usr/bin/umount -F auid>=1000 -F auid!=unset -k privileged-mount
-+-a always,exit -F path=/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=unset -k privileged-mount
- 
--If the command does not return any output, this is a finding.SRG-OS-000042-GPOS-00020<GroupDescription></GroupDescription>RHEL-07-030760The Red Hat Enterprise Linux operating system must audit all uses of the postdrop command.<VulnDiscussion>Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information.
-+If the command does not return any output, this is a finding.SRG-OS-000042-GPOS-00020<GroupDescription></GroupDescription>RHEL-07-030760The Red Hat Enterprise Linux operating system must audit all uses of the postdrop command.<VulnDiscussion>Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information.
- 
- At a minimum, the organization must audit the full-text recording of privileged postfix commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise.
- 
- When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way.
- 
--Satisfies: SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72175SV-86799CCI-000135CCI-002884Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "postdrop" command occur.
-+Satisfies: SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72175SV-86799CCI-000135CCI-002884Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "postdrop" command occur.
- 
- Add or update the following rule in "/etc/audit/rules.d/audit.rules":
- 
---a always,exit -F path=/usr/sbin/postdrop -F auid>=1000 -F auid!=unset -k privileged-postfix
-+-a always,exit -F path=/usr/sbin/postdrop -F perm=x -F auid>=1000 -F auid!=unset -k privileged-postfix
- 
--The audit daemon must be restarted for the changes to take effect.Verify the operating system generates audit records when successful/unsuccessful attempts to use the "postdrop" command occur.
-+The audit daemon must be restarted for the changes to take effect.Verify the operating system generates audit records when successful/unsuccessful attempts to use the "postdrop" command occur.
- 
- Check that the following system call is being audited by performing the following command to check the file system rules in "/etc/audit/audit.rules":
- 
--# grep -iw /usr/sbin/postdrop /etc/audit/audit.rules
-+$ sudo grep -w "/usr/sbin/postdrop" /etc/audit/audit.rules
- 
---a always,exit -F path=/usr/sbin/postdrop -F auid>=1000 -F auid!=unset -k privileged-postfix
-+-a always,exit -F path=/usr/sbin/postdrop -F perm=x -F auid>=1000 -F auid!=unset -k privileged-postfix
- 
--If the command does not return any output, this is a finding.SRG-OS-000042-GPOS-00020<GroupDescription></GroupDescription>RHEL-07-030770The Red Hat Enterprise Linux operating system must audit all uses of the postqueue command.<VulnDiscussion>Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information.
-+If the command does not return any output, this is a finding.SRG-OS-000042-GPOS-00020<GroupDescription></GroupDescription>RHEL-07-030770The Red Hat Enterprise Linux operating system must audit all uses of the postqueue command.<VulnDiscussion>Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information.
- 
- At a minimum, the organization must audit the full-text recording of privileged postfix commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise.
- 
- When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way.
- 
--Satisfies: SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86801V-72177CCI-000135CCI-002884Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "postqueue" command occur.
-+Satisfies: SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86801V-72177CCI-000135CCI-002884Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "postqueue" command occur.
- 
- Add or update the following rule in "/etc/audit/rules.d/audit.rules":
- 
---a always,exit -F path=/usr/sbin/postqueue -F auid>=1000 -F auid!=unset -k privileged-postfix
-+-a always,exit -F path=/usr/sbin/postqueue -F perm=x -F auid>=1000 -F auid!=unset -k privileged-postfix
- 
--The audit daemon must be restarted for the changes to take effect.Verify the operating system generates audit records when successful/unsuccessful attempts to use the "postqueue" command occur.
-+The audit daemon must be restarted for the changes to take effect.Verify the operating system generates audit records when successful/unsuccessful attempts to use the "postqueue" command occur.
- 
- Check that the following system call is being audited by performing the following command to check the file system rules in "/etc/audit/audit.rules":
- 
--# grep -iw /usr/sbin/postqueue /etc/audit/audit.rules
-+$ sudo grep -w "/usr/sbin/postqueue" /etc/audit/audit.rules
- 
---a always,exit -F path=/usr/sbin/postqueue -F auid>=1000 -F auid!=unset -k privileged-postfix
-+-a always,exit -F path=/usr/sbin/postqueue -F perm=x -F auid>=1000 -F auid!=unset -k privileged-postfix
- 
--If the command does not return any output, this is a finding.SRG-OS-000042-GPOS-00020<GroupDescription></GroupDescription>RHEL-07-030780The Red Hat Enterprise Linux operating system must audit all uses of the ssh-keysign command.<VulnDiscussion>Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information.
-+If the command does not return any output, this is a finding.SRG-OS-000042-GPOS-00020<GroupDescription></GroupDescription>RHEL-07-030780The Red Hat Enterprise Linux operating system must audit all uses of the ssh-keysign command.<VulnDiscussion>Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information.
- 
- At a minimum, the organization must audit the full-text recording of privileged ssh commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise.
- 
- When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way.
- --Satisfies: SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000471-GPOS-00215</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86803V-72179CCI-000135CCI-000172CCI-002884Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "ssh-keysign" command occur. -+Satisfies: SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000471-GPOS-00215</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86803V-72179CCI-000135CCI-000172CCI-002884Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "ssh-keysign" command occur. - - Add or update the following rule in "/etc/audit/rules.d/audit.rules": - ---a always,exit -F path=/usr/libexec/openssh/ssh-keysign -F auid>=1000 -F auid!=unset -k privileged-ssh -+-a always,exit -F path=/usr/libexec/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=unset -k privileged-ssh - --The audit daemon must be restarted for the changes to take effect.Verify the operating system generates audit records when successful/unsuccessful attempts to use the "ssh-keysign" command occur. 
-+The audit daemon must be restarted for the changes to take effect.Verify the operating system generates audit records when successful/unsuccessful attempts to use the "ssh-keysign" command occur. - - Check that the following system call is being audited by performing the following command to check the file system rules in "/etc/audit/audit.rules": - --# grep -iw /usr/libexec/openssh/ssh-keysign /etc/audit/audit.rules -+$ sudo grep -w "/usr/libexec/openssh/ssh-keysign" /etc/audit/audit.rules - ---a always,exit -F path=/usr/libexec/openssh/ssh-keysign -F auid>=1000 -F auid!=unset -k privileged-ssh -+-a always,exit -F path=/usr/libexec/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=unset -k privileged-ssh - --If the command does not return any output, this is a finding.SRG-OS-000042-GPOS-00020<GroupDescription></GroupDescription>RHEL-07-030800The Red Hat Enterprise Linux operating system must audit all uses of the crontab command.<VulnDiscussion>Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. -+If the command does not return any output, this is a finding.SRG-OS-000042-GPOS-00020<GroupDescription></GroupDescription>RHEL-07-030800The Red Hat Enterprise Linux operating system must audit all uses of the crontab command.<VulnDiscussion>Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. - - At a minimum, the organization must audit the full-text recording of privileged commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise. - - When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way. 
- --Satisfies: SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000471-GPOS-00215</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86807V-72183CCI-000135CCI-000172CCI-002884Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "crontab" command occur. -+Satisfies: SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000471-GPOS-00215</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86807V-72183CCI-000135CCI-000172CCI-002884Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "crontab" command occur. - - Add or update the following rule in "/etc/audit/rules.d/audit.rules": - ---a always,exit -F path=/usr/bin/crontab -F auid>=1000 -F auid!=unset -k privileged-cron -+-a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=unset -k privileged-cron - --The audit daemon must be restarted for the changes to take effect.Verify the operating system generates audit records when successful/unsuccessful attempts to use the "crontab" command occur. 
-+The audit daemon must be restarted for the changes to take effect.Verify the operating system generates audit records when successful/unsuccessful attempts to use the "crontab" command occur. - - Check that the following system call is being audited by performing the following command to check the file system rules in "/etc/audit/audit.rules": - --# grep -iw /usr/bin/crontab /etc/audit/audit.rules -+$ sudo grep -w "/usr/bin/crontab" /etc/audit/audit.rules - ---a always,exit -F path=/usr/bin/crontab -F auid>=1000 -F auid!=unset -k privileged-cron -+-a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=unset -k privileged-cron - --If the command does not return any output, this is a finding.SRG-OS-000471-GPOS-00215<GroupDescription></GroupDescription>RHEL-07-030810The Red Hat Enterprise Linux operating system must audit all uses of the pam_timestamp_check command.<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. -+If the command does not return any output, this is a finding.SRG-OS-000471-GPOS-00215<GroupDescription></GroupDescription>RHEL-07-030810The Red Hat Enterprise Linux operating system must audit all uses of the pam_timestamp_check command.<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. - --When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. 
The audit system interprets -1, 4294967295, and "unset" in the same way.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72185SV-86809CCI-000172Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "pam_timestamp_check" command occur. -+When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72185SV-86809CCI-000172Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "pam_timestamp_check" command occur. 
- - Add or update the following rule in "/etc/audit/rules.d/audit.rules": - ---a always,exit -F path=/usr/sbin/pam_timestamp_check -F auid>=1000 -F auid!=unset -k privileged-pam -+-a always,exit -F path=/usr/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=unset -k privileged-pam - --The audit daemon must be restarted for the changes to take effect.Verify the operating system generates audit records when successful/unsuccessful attempts to use the "pam_timestamp_check" command occur. -+The audit daemon must be restarted for the changes to take effect.Verify the operating system generates audit records when successful/unsuccessful attempts to use the "pam_timestamp_check" command occur. - - Check the auditing rules in "/etc/audit/audit.rules" with the following command: - --# grep -iw "/usr/sbin/pam_timestamp_check" /etc/audit/audit.rules -+$ sudo grep -w "/usr/sbin/pam_timestamp_check" /etc/audit/audit.rules - ---a always,exit -F path=/usr/sbin/pam_timestamp_check -F auid>=1000 -F auid!=unset -k privileged-pam -+-a always,exit -F path=/usr/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=unset -k privileged-pam - --If the command does not return any output, this is a finding.SRG-OS-000471-GPOS-00216<GroupDescription></GroupDescription>RHEL-07-030819The Red Hat Enterprise Linux operating system must audit all uses of the create_module syscall.<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. 
-+If the command does not return any output, this is a finding.SRG-OS-000471-GPOS-00216<GroupDescription></GroupDescription>RHEL-07-030819The Red Hat Enterprise Linux operating system must audit all uses of the create_module syscall.<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. - - Audit records can be generated from various components within the information system (e.g., module or policy filter). - --Satisfies: SRG-OS-000471-GPOS-00216, SRG-OS-000477-GPOS-00222</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-78999SV-93705CCI-000172Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "create_module" syscall occur. -+Satisfies: SRG-OS-000471-GPOS-00216, SRG-OS-000477-GPOS-00222</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-78999SV-93705CCI-000172Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "create_module" syscall occur. 
- - Add or update the following rules in "/etc/audit/rules.d/audit.rules": - ---a always,exit -F arch=b32 -S create_module -k module-change -+-a always,exit -F arch=b32 -S create_module -F auid>=1000 -F auid!=unset -k module-change - ---a always,exit -F arch=b64 -S create_module -k module-change -+-a always,exit -F arch=b64 -S create_module -F auid>=1000 -F auid!=unset -k module-change - --The audit daemon must be restarted for the changes to take effect.Verify the operating system generates audit records when successful/unsuccessful attempts to use the "create_module" syscall occur. -+The audit daemon must be restarted for the changes to take effect.Verify the operating system generates audit records when successful/unsuccessful attempts to use the "create_module" syscall occur. - - Check the auditing rules in "/etc/audit/audit.rules" with the following command: - --# grep -iw create_module /etc/audit/audit.rules -+$ sudo grep -w "create_module" /etc/audit/audit.rules - ---a always,exit -F arch=b32 -S create_module -k module-change -+-a always,exit -F arch=b32 -S create_module -F auid>=1000 -F auid!=unset -k module-change - ---a always,exit -F arch=b64 -S create_module -k module-change -+-a always,exit -F arch=b64 -S create_module -F auid>=1000 -F auid!=unset -k module-change - --If both the "b32" and "b64" audit rules are not defined for the "create_module" syscall, this is a finding.SRG-OS-000471-GPOS-00216<GroupDescription></GroupDescription>RHEL-07-030820The Red Hat Enterprise Linux operating system must audit all uses of the init_module and finit_module syscalls.<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. -- --Audit records can be generated from various components within the information system (e.g., module or policy filter). 
-- --The system call rules are loaded into a matching engine that intercepts each syscall made by all programs on the system. Therefore, it is very important to use syscall rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. The performance can be helped, however, by combining syscalls into one rule whenever possible. -- --Satisfies: SRG-OS-000471-GPOS-00216, SRG-OS-000477-GPOS-00222</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72187SV-86811CCI-000172Configure the operating system to generate audit records upon successful/unsuccessful attempts to use the "init_module" and "finit_module" syscalls. -- --Add or update the following rules in "/etc/audit/rules.d/audit.rules": -- ---a always,exit -F arch=b32 -S init_module,finit_module -k modulechange -- ---a always,exit -F arch=b64 -S init_module,finit_module -k modulechange -- --The audit daemon must be restarted for the changes to take effect.Verify the operating system generates audit records upon successful/unsuccessful attempts to use the "init_module" and "finit_module" syscalls. 
-- --Check the auditing rules in "/etc/audit/audit.rules" with the following command: -- --# grep init_module /etc/audit/audit.rules -- ---a always,exit -F arch=b32 -S init_module,finit_module -k modulechange -- ---a always,exit -F arch=b64 -S init_module,finit_module -k modulechange -- --If both the "b32" and "b64" audit rules are not defined for the "init_module" and "finit_module" syscalls, this is a finding.SRG-OS-000471-GPOS-00216<GroupDescription></GroupDescription>RHEL-07-030830The Red Hat Enterprise Linux operating system must audit all uses of the delete_module syscall.<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. -+If both the "b32" and "b64" audit rules are not defined for the "create_module" syscall, this is a finding.SRG-OS-000471-GPOS-00216<GroupDescription></GroupDescription>RHEL-07-030820The Red Hat Enterprise Linux operating system must audit all uses of the init_module and finit_module syscalls.<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. - - Audit records can be generated from various components within the information system (e.g., module or policy filter). 
- --Satisfies: SRG-OS-000471-GPOS-00216, SRG-OS-000477-GPOS-00222</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72189SV-86813CCI-000172Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "delete_module" syscall occur. -+The system call rules are loaded into a matching engine that intercepts each syscall made by all programs on the system. Therefore, it is very important to use syscall rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. The performance can be helped, however, by combining syscalls into one rule whenever possible. -+ -+Satisfies: SRG-OS-000471-GPOS-00216, SRG-OS-000477-GPOS-00222</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72187SV-86811CCI-000172Configure the operating system to generate audit records upon successful/unsuccessful attempts to use the "init_module" and "finit_module" syscalls. 
-+ -+Add or update the following rules in "/etc/audit/rules.d/audit.rules": -+ -+-a always,exit -F arch=b32 -S init_module,finit_module -F auid>=1000 -F auid!=unset -k modulechange -+ -+-a always,exit -F arch=b64 -S init_module,finit_module -F auid>=1000 -F auid!=unset -k modulechange -+ -+The audit daemon must be restarted for the changes to take effect.Verify the operating system generates audit records upon successful/unsuccessful attempts to use the "init_module" and "finit_module" syscalls. -+ -+Check the auditing rules in "/etc/audit/audit.rules" with the following command: -+ -+$ sudo grep init_module /etc/audit/audit.rules -+ -+-a always,exit -F arch=b32 -S init_module,finit_module -F auid>=1000 -F auid!=unset -k modulechange -+ -+-a always,exit -F arch=b64 -S init_module,finit_module -F auid>=1000 -F auid!=unset -k modulechange -+ -+If both the "b32" and "b64" audit rules are not defined for the "init_module" and "finit_module" syscalls, this is a finding.SRG-OS-000471-GPOS-00216<GroupDescription></GroupDescription>RHEL-07-030830The Red Hat Enterprise Linux operating system must audit all uses of the delete_module syscall.<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. -+ -+Audit records can be generated from various components within the information system (e.g., module or policy filter). 
-+ -+Satisfies: SRG-OS-000471-GPOS-00216, SRG-OS-000477-GPOS-00222</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72189SV-86813CCI-000172Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "delete_module" syscall occur. - - Add or update the following rules in "/etc/audit/rules.d/audit.rules": - ---a always,exit -F arch=b32 -S delete_module -k module-change -+-a always,exit -F arch=b32 -S delete_module -F auid>=1000 -F auid!=unset -k module-change - ---a always,exit -F arch=b64 -S delete_module -k module-change -+-a always,exit -F arch=b64 -S delete_module -F auid>=1000 -F auid!=unset -k module-change - --The audit daemon must be restarted for the changes to take effect.Verify the operating system generates audit records when successful/unsuccessful attempts to use the "delete_module" syscall occur. -+The audit daemon must be restarted for the changes to take effect.Verify the operating system generates audit records when successful/unsuccessful attempts to use the "delete_module" syscall occur. 
- - Check the auditing rules in "/etc/audit/audit.rules" with the following command: - --# grep -iw delete_module /etc/audit/audit.rules -+$ sudo grep -w "delete_module" /etc/audit/audit.rules - ---a always,exit -F arch=b32 -S delete_module -k module-change -+-a always,exit -F arch=b32 -S delete_module -F auid>=1000 -F auid!=unset -k module-change - ---a always,exit -F arch=b64 -S delete_module -k module-change -+-a always,exit -F arch=b64 -S delete_module -F auid>=1000 -F auid!=unset -k module-change - - If both the "b32" and "b64" audit rules are not defined for the "delete_module" syscall, this is a finding.SRG-OS-000471-GPOS-00216<GroupDescription></GroupDescription>RHEL-07-030840The Red Hat Enterprise Linux operating system must audit all uses of the kmod command.<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. - -@@ -4408,23 +4410,22 @@ $ sudo grep -iw 'ALL' /etc/sudoers /etc/sudoers.d/* - - If the either of the following entries are returned, this is a finding: - ALL ALL=(ALL) ALL --ALL ALL=(ALL:ALL) ALLSRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-010342The Red Hat Enterprise Linux operating system must use the invoking user's password for privilege escalation when using "sudo".<VulnDiscussion>The sudoers security policy requires that users authenticate themselves before they can use sudo. When sudoers requires authentication, it validates the invoking user's credentials. If the rootpw, targetpw, or runaspw flags are defined and not disabled, by default the operating system will prompt the invoking user for the "root" user password. 
-+ALL ALL=(ALL:ALL) ALLSRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-010342The Red Hat Enterprise Linux operating system must use the invoking user's password for privilege escalation when using "sudo".<VulnDiscussion>The sudoers security policy requires that users authenticate themselves before they can use sudo. When sudoers requires authentication, it validates the invoking user's credentials. If the rootpw, targetpw, or runaspw flags are defined and not disabled, by default the operating system will prompt the invoking user for the "root" user password. - For more information on each of the listed configurations, reference the sudoers(5) manual page.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899CCI-002227Define the following in the Defaults section of the /etc/sudoers file or a configuration file in the /etc/sudoers.d/ directory: - Defaults !targetpw - Defaults !rootpw --Defaults !runaspwVerify that the sudoers security policy is configured to use the invoking user's password for privilege escalation. -+Defaults !runaspwVerify that the sudoers security policy is configured to use the invoking user's password for privilege escalation. - --$ sudo egrep -i '(!rootpw|!targetpw|!runaspw)' /etc/sudoers /etc/sudoers.d/* | grep -v '#' -+$ sudo egrep -ir '(rootpw|targetpw|runaspw)' /etc/sudoers /etc/sudoers.d* | grep -v '#' - - /etc/sudoers:Defaults !targetpw - /etc/sudoers:Defaults !rootpw - /etc/sudoers:Defaults !runaspw - --If no results are returned, this is a finding. --If results are returned from more than one file location, this is a finding. 
-+If conflicting results are returned, this is a finding. - If "Defaults !targetpw" is not defined, this is a finding. - If "Defaults !rootpw" is not defined, this is a finding. --If "Defaults !runaspw" is not defined, this is a finding.SRG-OS-000373-GPOS-00156<GroupDescription></GroupDescription>RHEL-07-010343The Red Hat Enterprise Linux operating system must require re-authentication when using the "sudo" command.<VulnDiscussion>Without re-authentication, users may access resources or perform tasks for which they do not have authorization. -+If "Defaults !runaspw" is not defined, this is a finding.SRG-OS-000373-GPOS-00156<GroupDescription></GroupDescription>RHEL-07-010343The Red Hat Enterprise Linux operating system must require re-authentication when using the "sudo" command.<VulnDiscussion>Without re-authentication, users may access resources or perform tasks for which they do not have authorization. - - When operating systems provide the capability to escalate a functional capability, it is critical the organization requires the user to re-authenticate when using the "sudo" command. - -@@ -4434,21 +4435,25 @@ $ sudo visudo - - Add or modify the following line: - Defaults timestamp_timeout=[value] --Note: The "[value]" must be a number that is greater than or equal to "0".Verify the operating system requires re-authentication when using the "sudo" command to elevate privileges. -+Note: The "[value]" must be a number that is greater than or equal to "0".Verify the operating system requires re-authentication when using the "sudo" command to elevate privileges. - --$ sudo grep -i 'timestamp_timeout' /etc/sudoers /etc/sudoers.d/* -+$ sudo grep -ir 'timestamp_timeout' /etc/sudoers /etc/sudoers.d - /etc/sudoers:Defaults timestamp_timeout=0 - --If results are returned from more than one file location, this is a finding. -+If conflicting results are returned, this is a finding. 
- --If "timestamp_timeout" is set to a negative number, is commented out, or no results are returned, this is a finding.SRG-OS-000080-GPOS-00048<GroupDescription></GroupDescription>RHEL-07-010483Red Hat Enterprise Linux operating systems version 7.2 or newer booted with a BIOS must have a unique name for the grub superusers account when booting into single-user and maintenance modes.<VulnDiscussion>If the system does not require valid authentication before it boots into single-user or maintenance mode, anyone who invokes single-user or maintenance mode is granted privileged access to all files on the system. GRUB 2 is the default boot loader for RHEL 7 and is designed to require a password to boot into single-user mode or make modifications to the boot menu. --The GRUB 2 superuser account is an account of last resort. Establishing a unique username for this account hardens the boot loader against brute force attacks. Due to the nature of the superuser account database being distinct from the OS account database, this allows the use of a username that is not among those within the OS account database. Examples of non-unique superusers names are root, superuser, unlock, etc.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899CCI-000213Configure the system to have a unique name for the grub superusers account. 
-+If "timestamp_timeout" is set to a negative number, is commented out, or no results are returned, this is a finding.SRG-OS-000080-GPOS-00048<GroupDescription></GroupDescription>RHEL-07-010483Red Hat Enterprise Linux operating systems version 7.2 or newer booted with a BIOS must have a unique name for the grub superusers account when booting into single-user and maintenance modes.<VulnDiscussion>If the system does not require valid authentication before it boots into single-user or maintenance mode, anyone who invokes single-user or maintenance mode is granted privileged access to all files on the system. GRUB 2 is the default boot loader for RHEL 7 and is designed to require a password to boot into single-user mode or make modifications to the boot menu. -+The GRUB 2 superuser account is an account of last resort. Establishing a unique username for this account hardens the boot loader against brute force attacks. Due to the nature of the superuser account database being distinct from the OS account database, this allows the use of a username that is not among those within the OS account database. Examples of non-unique superusers names are root, superuser, unlock, etc.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899CCI-000213Configure the system to have a unique name for the grub superusers account. 
- --Edit the /boot/grub2/grub.cfg file and add or modify the following lines in the "### BEGIN /etc/grub.d/01_users ###" section: -+Edit the /etc/grub.d/01_users file and add or modify the following lines: - - set superusers="[someuniquestringhere]" - export superusers --password_pbkdf2 [someuniquestringhere] ${GRUB2_PASSWORD}For systems that use UEFI, this is Not Applicable. -+password_pbkdf2 [someuniquestringhere] ${GRUB2_PASSWORD} -+ -+Generate a new grub.cfg file with the following command: -+ -+$ sudo grub2-mkconfig -o /boot/grub2/grub.cfgFor systems that use UEFI, this is Not Applicable. - - For systems that are running a version of RHEL prior to 7.2, this is Not Applicable. - -@@ -4458,14 +4463,18 @@ Verify that a unique name is set as the "superusers" account: - set superusers="[someuniquestringhere]" - export superusers - --If "superusers" is identical to any OS account name or is missing a name, this is a finding.SRG-OS-000080-GPOS-00048<GroupDescription></GroupDescription>RHEL-07-010492Red Hat Enterprise Linux operating systems version 7.2 or newer booted with United Extensible Firmware Interface (UEFI) must have a unique name for the grub superusers account when booting into single-user mode and maintenance.<VulnDiscussion>If the system does not require valid authentication before it boots into single-user or maintenance mode, anyone who invokes single-user or maintenance mode is granted privileged access to all files on the system. GRUB 2 is the default boot loader for RHEL 7 and is designed to require a password to boot into single-user mode or make modifications to the boot menu. --The GRUB 2 superuser account is an account of last resort. Establishing a unique username for this account hardens the boot loader against brute force attacks. Due to the nature of the superuser account database being distinct from the OS account database, this allows the use of a username that is not among those within the OS account database. 
Examples of non-unique superusers names are root, superuser, unlock, etc.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899CCI-000213Configure the system to have a unique name for the grub superusers account. -+If "superusers" is identical to any OS account name or is missing a name, this is a finding.SRG-OS-000080-GPOS-00048<GroupDescription></GroupDescription>RHEL-07-010492Red Hat Enterprise Linux operating systems version 7.2 or newer booted with United Extensible Firmware Interface (UEFI) must have a unique name for the grub superusers account when booting into single-user mode and maintenance.<VulnDiscussion>If the system does not require valid authentication before it boots into single-user or maintenance mode, anyone who invokes single-user or maintenance mode is granted privileged access to all files on the system. GRUB 2 is the default boot loader for RHEL 7 and is designed to require a password to boot into single-user mode or make modifications to the boot menu. -+The GRUB 2 superuser account is an account of last resort. Establishing a unique username for this account hardens the boot loader against brute force attacks. Due to the nature of the superuser account database being distinct from the OS account database, this allows the use of a username that is not among those within the OS account database. 
Examples of non-unique superusers names are root, superuser, unlock, etc.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899CCI-000213Configure the system to have a unique name for the grub superusers account. - --Edit the /boot/efi/EFI/redhat/grub.cfg file and add or modify the following lines in the "### BEGIN /etc/grub.d/01_users ###" section: -+Edit the /etc/grub.d/01_users file and add or modify the following lines: - - set superusers="[someuniquestringhere]" - export superusers --password_pbkdf2 [someuniquestringhere] ${GRUB2_PASSWORD}For systems that use BIOS, this is Not Applicable. -+password_pbkdf2 [someuniquestringhere] ${GRUB2_PASSWORD} -+ -+Generate a new grub.cfg file with the following command: -+ -+$ sudo grub2-mkconfig -o /boot/efi/EFI/redhat/grub.cfgFor systems that use BIOS, this is Not Applicable. - - For systems that are running a version of RHEL prior to 7.2, this is Not Applicable. 
- -@@ -4521,22 +4530,20 @@ Check the SELinux ssh_sysadm_login boolean with the following command: - $ sudo getsebool ssh_sysadm_login - ssh_sysadm_login --> off - --If the "ssh_sysadm_login" boolean is not "off" and is not documented with the ISSO as an operational requirement, this is a finding.SRG-OS-000324-GPOS-00125<GroupDescription></GroupDescription>RHEL-07-020023The Red Hat Enterprise Linux operating system must elevate the SELinux context when an administrator calls the sudo command.<VulnDiscussion>Preventing non-privileged users from executing privileged functions mitigates the risk that unauthorized individuals or processes may gain unnecessary access to information or privileges. -+If the "ssh_sysadm_login" boolean is not "off" and is not documented with the ISSO as an operational requirement, this is a finding.SRG-OS-000324-GPOS-00125<GroupDescription></GroupDescription>RHEL-07-020023The Red Hat Enterprise Linux operating system must elevate the SELinux context when an administrator calls the sudo command.<VulnDiscussion>Preventing non-privileged users from executing privileged functions mitigates the risk that unauthorized individuals or processes may gain unnecessary access to information or privileges. - - Privileged functions include, for example, establishing accounts, performing system integrity checks, or administering cryptographic key management activities. Non-privileged users are individuals who do not possess appropriate authorizations. 
Circumventing intrusion detection and prevention mechanisms or malicious code protection mechanisms are examples of privileged functions that require protection from non-privileged users.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899CCI-002165CCI-002235Configure the operating system to elevate the SELinux context when an administrator calls the sudo command. - Edit a file in the /etc/sudoers.d directory with the following command: - $ sudo visudo -f /etc/sudoers.d/<customfile> - - Use the following example to build the <customfile> in the /etc/sudoers.d directory to allow any administrator belonging to a designated sudoers admin group to elevate their SELinux context with the use of the sudo command: --%wheel ALL=(ALL) TYPE=sysadm_t ROLE=sysadm_r ALLNote: Per OPORD 16-0080, the preferred endpoint security tool is Endpoint Security for Linux (ENSL) in conjunction with SELinux. -- --Verify the operating system elevates the SELinux context when an administrator calls the sudo command with the following command: -+%wheel ALL=(ALL) TYPE=sysadm_t ROLE=sysadm_r ALLVerify the operating system elevates the SELinux context when an administrator calls the sudo command with the following command: - - This command must be ran as root: --# grep sysadm_r /etc/sudoers /etc/sudoers.d/* -+# grep -r sysadm_r /etc/sudoers /etc/sudoers.d - %wheel ALL=(ALL) TYPE=sysadm_t ROLE=sysadm_r ALL - --If results are returned from more than one file location, this is a finding. -+If conflicting results are returned, this is a finding. 
- - If a designated sudoers administrator group or account(s) is not configured to elevate the SELinux type and role to "sysadm_t" and "sysadm_r" with the use of the sudo command, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-010291The Red Hat Enterprise Linux operating system must not have accounts configured with blank or null passwords.<VulnDiscussion>If an account has an empty password, anyone could log on and run commands with the privileges of that account. Accounts with empty passwords should never be used in operational environments.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899CCI-000366Configure all accounts on the system to have a password or lock the account with the following commands: - -@@ -4547,8 +4554,8 @@ $ sudo passwd -l [username]SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-010339The Red Hat Enterprise Linux operating system must specify the default "include" directory for the /etc/sudoers file.<VulnDiscussion>The "sudo" command allows authorized users to run programs (including shells) as other users, system users, and root. The "/etc/sudoers" file is used to configure authorized "sudo" users as well as the programs they are allowed to run. Some configuration options in the "/etc/sudoers" file allow configured users to run programs without re-authenticating. Use of these configuration options makes it easier for one compromised account to be used to compromise other accounts. 
-- -+If the command returns any results, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-010339The Red Hat Enterprise Linux operating system must specify the default "include" directory for the /etc/sudoers file.<VulnDiscussion>The "sudo" command allows authorized users to run programs (including shells) as other users, system users, and root. The "/etc/sudoers" file is used to configure authorized "sudo" users as well as the programs they are allowed to run. Some configuration options in the "/etc/sudoers" file allow configured users to run programs without re-authenticating. Use of these configuration options makes it easier for one compromised account to be used to compromise other accounts. -+ - It is possible to include other sudoers files from within the sudoers file currently being parsed using the #include and #includedir directives. When sudo reaches this line it will suspend processing of the current file (/etc/sudoers) and switch to the specified file/directory. Once the end of the included file(s) is reached, the rest of /etc/sudoers will be processed. Files that are included may themselves include other files. A hard limit of 128 nested include files is enforced to prevent include file loops.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899CCI-000366Configure the /etc/sudoers file to only include the /etc/sudoers.d directory. 
- - Edit the /etc/sudoers file with the following command: -@@ -4556,7 +4563,9 @@ Edit the /etc/sudoers file with the following command: - $ sudo visudo - - Add or modify the following line: --#includedir /etc/sudoers.dVerify the operating system specifies only the default "include" directory for the /etc/sudoers file with the following command: -+#includedir /etc/sudoers.dNote: If the "include" and "includedir" directives are not present in the /etc/sudoers file, this requirement is not applicable. -+ -+Verify the operating system specifies only the default "include" directory for the /etc/sudoers file with the following command: - - $ sudo grep include /etc/sudoers - -@@ -4566,7 +4575,7 @@ If the results are not "/etc/sudoers.d" or additional files or directories are s - - Verify the operating system does not have nested "include" files or directories within the /etc/sudoers.d directory with the following command: - --$ sudo grep include /etc/sudoers.d/* -+$ sudo grep -r include /etc/sudoers.d - - If results are returned, this is a finding.SRG-OS-000373-GPOS-00156<GroupDescription></GroupDescription>RHEL-07-010344The Red Hat Enterprise Linux operating system must not be configured to bypass password requirements for privilege escalation.<VulnDiscussion>Without re-authentication, users may access resources or perform tasks for which they do not have authorization. - -@@ -4583,17 +4592,17 @@ Check the configuration of the "/etc/pam.d/sudo" file with the following command - - $ sudo grep pam_succeed_if /etc/pam.d/sudo - --If any occurrences of "pam_succeed_if" is returned from the command, this is a finding.SRG-OS-000445-GPOS-00199<GroupDescription></GroupDescription>RHEL-07-020029The Red Hat Enterprise Linux operating system must use a file integrity tool to verify correct operation of all security functions.<VulnDiscussion>Without verification of the security functions, security functions may not operate correctly, and the failure may go unnoticed. 
Security function is defined as the hardware, software, and/or firmware of the information system responsible for enforcing the system security policy and supporting the isolation of code and data on which the protection is based. Security functionality includes, but is not limited to, establishing system accounts, configuring access authorizations (i.e., permissions, privileges), setting events to be audited, and setting intrusion detection parameters. -+If any occurrences of "pam_succeed_if" is returned from the command, this is a finding.SRG-OS-000445-GPOS-00199<GroupDescription></GroupDescription>RHEL-07-020029The Red Hat Enterprise Linux operating system must use a file integrity tool to verify correct operation of all security functions.<VulnDiscussion>Without verification of the security functions, security functions may not operate correctly, and the failure may go unnoticed. Security function is defined as the hardware, software, and/or firmware of the information system responsible for enforcing the system security policy and supporting the isolation of code and data on which the protection is based. Security functionality includes, but is not limited to, establishing system accounts, configuring access authorizations (i.e., permissions, privileges), setting events to be audited, and setting intrusion detection parameters. 
- - This requirement applies to the Red Hat Enterprise Linux operating system performing security function verification/testing and/or systems and environments that require this functionality.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899CCI-002696Install the AIDE package by running the following command: - --$ sudo yum install aideVerify that Advanced Intrusion Detection Environment (AIDE) is installed and verifies the correct operation of all security functions. -+$ sudo yum install aideVerify that Advanced Intrusion Detection Environment (AIDE) is installed and verifies the correct operation of all security functions. - - Check that the AIDE package is installed with the following command: - - $ sudo rpm -q aide - --aide-0.16-14.el8.x86_64 -+aide-0.15.1-13.el7.x86_64 - - If AIDE is not installed, ask the System Administrator how file integrity checks are performed on the system. 
- -diff --git a/shared/references/disa-stig-rhel7-v3r7-xccdf-scap.xml b/shared/references/disa-stig-rhel7-v3r8-xccdf-scap.xml -old mode 100644 -new mode 100755 -similarity index 97% -rename from shared/references/disa-stig-rhel7-v3r7-xccdf-scap.xml -rename to shared/references/disa-stig-rhel7-v3r8-xccdf-scap.xml -index c648ce6449..5372091716 ---- a/shared/references/disa-stig-rhel7-v3r7-xccdf-scap.xml -+++ b/shared/references/disa-stig-rhel7-v3r8-xccdf-scap.xml -@@ -1,37 +1,37 @@ - -- -- -+ -+ - -- -+ - -- -+ - - - - -- -+ - -- -+ - - - - -- -- -+ -+ - - -- -+ - - - Red Hat Enterprise Linux 7 - -- oval:mil.disa.stig.rhel7:def:1 -+ oval:mil.disa.stig.rhel7:def:1 - - - -- -+ - -- accepted -+ accepted - Red Hat Enterprise Linux 7 Security Technical Implementation Guide - This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil. - -@@ -41,11 +41,11 @@ - DISA - STIG.DOD.MIL - -- Release: 3.7 Benchmark Date: 27 Apr 2022 -+ Release: 3.8 Benchmark Date: 27 Jul 2022 - 3.3.0.27375 - 1.10.0 - -- 003.007 -+ 003.008 - - DISA - DISA -@@ -1559,7 +1559,7 @@ - - - -- -+ - - - -@@ -1599,32 +1599,32 @@ - - - -- -- -- -- -+ -+ -+ -+ - - -- -- -- -- -- -- -- -+ -+ -+ -+ -+ -+ -+ - -- -- -- -- -- -- -- -- -- -- -- -- -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ - - - -@@ -1668,8 +1668,8 @@ - - - -- -- -+ -+ - - - remember -@@ -1948,7 +1948,7 @@ Update the system databases: - Users must log out and back in again before the system-wide settings take effect. - - -- -+ - - - -@@ -1994,7 +1994,7 @@ Update the system databases: - Users must log out and back in again before the system-wide settings take effect. 
- - -- -+ - - - -@@ -2038,7 +2038,7 @@ Update the system databases: - # dconf update - - -- -+ - - - -@@ -2084,7 +2084,7 @@ Users must log out and back in again before the system-wide settings take effect - - - -- -+ - - - -@@ -2121,7 +2121,7 @@ Add the setting to lock the screensaver lock delay: - /org/gnome/desktop/screensaver/lock-delay - - -- -+ - - - -@@ -2164,7 +2164,7 @@ Update the system databases: - Users must log out and back in again before the system-wide settings take effect. - - -- -+ - - - -@@ -2202,7 +2202,7 @@ Add the setting to lock the screensaver idle-activation-enabled setting: - /org/gnome/desktop/screensaver/idle-activation-enabled - - -- -+ - - - -@@ -2246,7 +2246,7 @@ Update the system databases: - Users must log out and back in again before the system-wide settings take effect. - - -- -+ - - - -@@ -2274,7 +2274,7 @@ Add the following line to "/etc/pam.d/passwd" (or modify the line to have the re - password substack system-auth - - -- -+ - - - -@@ -2305,7 +2305,7 @@ password required pam_pwquality.so retry=3 - Note: The value of "retry" should be between "1" and "3". - - -- -+ - - - -@@ -2337,7 +2337,7 @@ ucredit = -1 - - - -- -+ - - - -@@ -2370,7 +2370,7 @@ lcredit = -1 - - - -- -+ - - - -@@ -2402,7 +2402,7 @@ dcredit = -1 - - - -- -+ - - - -@@ -2434,7 +2434,7 @@ ocredit = -1 - - - -- -+ - - - -@@ -2466,7 +2466,7 @@ difok = 8 - - - -- -+ - - - -@@ -2498,7 +2498,7 @@ minclass = 4 - - - -- -+ - - - -@@ -2530,7 +2530,7 @@ maxrepeat = 3 - - - -- -+ - - - -@@ -2562,7 +2562,7 @@ maxclassrepeat = 4 - - - -- -+ - - - -@@ -2595,7 +2595,7 @@ pam_unix.so sha512 shadow try_first_pass use_authtok - Note: Manual changes to the listed files may be overwritten by the "authconfig" program. The "authconfig" program should not be used to update the configurations listed in this requirement. 
- - -- -+ - - - -@@ -2624,7 +2624,7 @@ Add or update the following line in "/etc/login.defs": - ENCRYPT_METHOD SHA512 - - -- -+ - - - -@@ -2653,7 +2653,7 @@ Add or update the following line in "/etc/libuser.conf" in the [defaults] sectio - crypt_style = sha512 - - -- -+ - - - -@@ -2683,7 +2683,7 @@ PASS_MIN_DAYS 1 - - - -- -+ - - - -@@ -2709,7 +2709,7 @@ PASS_MIN_DAYS 1 - # chage -m 1 [user] - - -- -+ - - - -@@ -2739,7 +2739,7 @@ PASS_MAX_DAYS 60 - - - -- -+ - - - -@@ -2765,7 +2765,7 @@ PASS_MAX_DAYS 60 - # chage -M 60 [user] - - -- -+ - - - -@@ -2797,7 +2797,7 @@ Note: Manual changes to the listed files may be overwritten by the "authconfig" - - - -- -+ - - - -@@ -2829,7 +2829,7 @@ minlen = 15 - - - -- -+ - - - -@@ -2858,7 +2858,7 @@ Remove any instances of the "nullok" option in "/etc/pam.d/system-auth" and "/et - Note: Manual changes to the listed files may be overwritten by the "authconfig" program. The "authconfig" program should not be used to update the configurations listed in this requirement. - - -- -+ - - - -@@ -2887,7 +2887,7 @@ PermitEmptyPasswords no - The SSH service must be restarted for changes to take effect. Any accounts with empty passwords should be disabled immediately, and PAM configuration should prevent users from being able to assign themselves empty passwords. - - -- -+ - - - -@@ -2919,14 +2919,14 @@ INACTIVE=35 - DoD recommendation is 35 days, but a lower value is acceptable. The value "-1" will disable this feature, and "0" will disable the account immediately after the password expires. - - -- -+ - - - - - SRG-OS-000373-GPOS-00156 - <GroupDescription></GroupDescription> -- -+ - RHEL-07-010340 - The Red Hat Enterprise Linux operating system must be configured so that users must provide a password for privilege escalation. - <VulnDiscussion>Without re-authentication, users may access resources or perform tasks for which they do not have authorization. 
-@@ -2945,20 +2945,20 @@ Satisfies: SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPO - V-71947 - SV-86571 - CCI-002038 -- Configure the operating system to require users to supply a password for privilege escalation. -+ Configure the operating system to require users to supply a password for privilege escalation. - - Check the configuration of the "/etc/sudoers" file with the following command: --# visudo -+$ sudo visudo - --Remove any occurrences of "NOPASSWD" tags in the file. -+Remove any occurrences of "NOPASSWD" tags in the file. - - Check the configuration of the /etc/sudoers.d/* files with the following command: --# grep -i nopasswd /etc/sudoers.d/* -+$ sudo grep -ir nopasswd /etc/sudoers.d - - Remove any occurrences of "NOPASSWD" tags in the file. -- -+ - -- -+ - - - -@@ -2997,7 +2997,7 @@ Check the configuration of the "/etc/sudoers.d/*" files with the following comma - Remove any occurrences of "!authenticate" tags in the file(s). - - -- -+ - - - -@@ -3029,7 +3029,7 @@ FAIL_DELAY 4 - - - -- -+ - - - -@@ -3061,7 +3061,7 @@ Add or edit the line for the "AutomaticLoginEnable" parameter in the [daemon] se - AutomaticLoginEnable=false - - -- -+ - - - -@@ -3093,7 +3093,7 @@ Add or edit the line for the "TimedLoginEnable" parameter in the [daemon] sectio - TimedLoginEnable=false - - -- -+ - - - -@@ -3124,7 +3124,7 @@ PermitUserEnvironment no - The SSH service must be restarted for changes to take effect. - - -- -+ - - - -@@ -3155,7 +3155,7 @@ HostbasedAuthentication no - The SSH service must be restarted for changes to take effect. 
- - -- -+ - - - -@@ -3183,7 +3183,7 @@ Add or modify the "ExecStart" line in "/usr/lib/systemd/system/rescue.service" t - ExecStart=-/bin/sh -c "/usr/sbin/sulogin; /usr/bin/systemctl --fail --no-block default" - - -- -+ - - - -@@ -3214,7 +3214,7 @@ Enter password: - Confirm password: - - -- -+ - - - -@@ -3245,7 +3245,7 @@ Enter password: - Confirm password: - - -- -+ - - - -@@ -3278,7 +3278,7 @@ If a privileged user were to log on using this service, the privileged user pass - # yum remove rsh-server - - -- -+ - - - -@@ -3305,7 +3305,7 @@ If a privileged user were to log on using this service, the privileged user pass - # yum remove ypserv - - -- -+ - - - -@@ -3337,7 +3337,7 @@ Detecting such changes and providing an automated response can help avoid uninte - /usr/sbin/aide --check | /bin/mail -s "$HOSTNAME - Daily aide integrity check run" root@sysname.mil - - -- -+ - - - -@@ -3368,7 +3368,7 @@ Verifying the authenticity of the software prior to installation validates the i - gpgcheck=1 - - -- -+ - - - -@@ -3399,7 +3399,7 @@ Verifying the authenticity of the software prior to installation validates the i - localpkg_gpgcheck=1 - - -- -+ - - - -@@ -3443,7 +3443,7 @@ Add or update the line: - blacklist usb-storage - - -- -+ - - - -@@ -3483,7 +3483,7 @@ Add or update the line: - blacklist dccp - - -- -+ - - - -@@ -3519,7 +3519,7 @@ Turn off the automount service with the following commands: - If "autofs" is required for Network File System (NFS), it must be documented with the ISSO. - - -- -+ - - - -@@ -3548,7 +3548,7 @@ Set the "clean_requirements_on_remove" option to "1" in the "/etc/yum.conf" file - clean_requirements_on_remove=1 - - -- -+ - - - -@@ -3578,7 +3578,7 @@ UMASK 077 - - - -- -+ - - - -@@ -3605,7 +3605,7 @@ Red Hat offers the Extended Update Support (EUS) Add-On to a Red Hat Enterprise - Upgrade to a supported version of the operating system. 
- - -- -+ - - - -@@ -3630,7 +3630,7 @@ Red Hat offers the Extended Update Support (EUS) Add-On to a Red Hat Enterprise - Configure the system to define all GIDs found in the "/etc/passwd" file by modifying the "/etc/group" file to add any non-existent group referenced in the "/etc/passwd" file, or change the GIDs referenced in the "/etc/passwd" file to a group that exists in "/etc/group". - - -- -+ - - - -@@ -3657,7 +3657,7 @@ Red Hat offers the Extended Update Support (EUS) Add-On to a Red Hat Enterprise - If the account is associated with system commands or applications, the UID should be changed to one greater than "0" but less than "1000". Otherwise, assign a UID of greater than "1000" that has not already been assigned. - - -- -+ - - - -@@ -3684,7 +3684,7 @@ If the account is associated with system commands or applications, the UID shoul - CREATE_HOME yes - - -- -+ - - - -@@ -3717,7 +3717,7 @@ Note: The example will be for the user smithj, who has a home directory of "/hom - # chmod 0750 /home/smithj - - -- -+ - - - -@@ -3742,7 +3742,7 @@ Note: The example will be for the user smithj, who has a home directory of "/hom - Configure the "/etc/fstab" to use the "nosuid" option on file systems that are being imported via NFS. - - -- -+ - - - -@@ -3767,7 +3767,7 @@ Note: The example will be for the user smithj, who has a home directory of "/hom - Configure the "/etc/fstab" to use the "noexec" option on file systems that are being imported via NFS. - - -- -+ - - - -@@ -3794,7 +3794,7 @@ The only authorized public directories are those temporary directories supplied - All directories in local partitions which are world-writable should be group-owned by root or another system account. If any world-writable directories are not group-owned by a system account, this should be investigated. Following this, the directories should be deleted or assigned to an appropriate group. 
- - -- -+ - - - -@@ -3821,7 +3821,7 @@ The only authorized public directories are those temporary directories supplied - # chown root /etc/cron.allow - - -- -+ - - - -@@ -3848,7 +3848,7 @@ The only authorized public directories are those temporary directories supplied - # chgrp root /etc/cron.allow - - -- -+ - - - -@@ -3873,7 +3873,7 @@ The only authorized public directories are those temporary directories supplied - Migrate the "/home" directory onto a separate file system/partition. - - -- -+ - - - -@@ -3898,7 +3898,7 @@ The only authorized public directories are those temporary directories supplied - Migrate the "/var" path onto a separate file system. - - -- -+ - - - -@@ -3922,7 +3922,7 @@ The only authorized public directories are those temporary directories supplied - Migrate the system audit data path onto a separate file system. - - -- -+ - - - -@@ -3953,7 +3953,7 @@ OR - Edit the "/etc/fstab" file and ensure the "/tmp" directory is defined in the fstab with a device and mount point. - - -- -+ - - - -@@ -4034,7 +4034,7 @@ If the file /etc/system-fips does not exists, recreate it: - Reboot the system for the changes to take effect. - - -- -+ - - - -@@ -4065,7 +4065,7 @@ Examples of non-essential capabilities include, but are not limited to, games, s - # yum remove telnet-server - - -- -+ - - - -@@ -4101,7 +4101,7 @@ Enable the auditd service with the following command: - # systemctl start auditd.service - - -- -+ - - - -@@ -4152,7 +4152,7 @@ Kernel log monitoring must also be configured to properly alert designated staff - The audit daemon must be restarted for the changes to take effect. 
- - -- -+ - - - -@@ -4190,7 +4190,7 @@ The audit daemon must be restarted for changes to take effect: - # service auditd restart - - -- -+ - - - -@@ -4226,7 +4226,7 @@ The audit daemon must be restarted for changes to take effect: - # service auditd restart - - -- -+ - - - -@@ -4262,7 +4262,7 @@ The audit daemon must be restarted for changes to take effect: - # service auditd restart - - -- -+ - - - -@@ -4292,7 +4292,7 @@ Satisfies: SRG-OS-000342-GPOS-00133, SRG-OS-000479-GPOS-00224</VulnDiscussion - Set the remote server option in "/etc/audisp/audisp-remote.conf" with the IP address of the log aggregation server. - - -- -+ - - - -@@ -4324,7 +4324,7 @@ Uncomment the "enable_krb5" option in "/etc/audisp/audisp-remote.conf" and set i - enable_krb5 = yes - - -- -+ - - - -@@ -4353,7 +4353,7 @@ Uncomment or edit the "disk_full_action" option in "/etc/audisp/audisp-remote.co - disk_full_action = single - - -- -+ - - - -@@ -4382,7 +4382,7 @@ Uncomment the "network_failure_action" option in "/etc/audisp/audisp-remote.conf - network_failure_action = syslog - - -- -+ - - - -@@ -4410,7 +4410,7 @@ Uncomment or edit the "space_left_action" keyword in "/etc/audit/auditd.conf" an - space_left_action = email - - -- -+ - - - -@@ -4440,7 +4440,7 @@ action_mail_acct = root - - - -- -+ - - - -@@ -4473,7 +4473,7 @@ Add or update the following rules in "/etc/audit/rules.d/audit.rules": - The audit daemon must be restarted for the changes to take effect. - - -- -+ - - - -@@ -4513,7 +4513,7 @@ Satisfies: SRG-OS-000064-GPOS-00033, SRG-OS-000392-GPOS-00172, SRG-OS-000458-GPO - The audit daemon must be restarted for the changes to take effect. - - -- -+ - - - -@@ -4554,7 +4554,7 @@ Add or update the following rules in "/etc/audit/rules.d/audit.rules": - The audit daemon must be restarted for the changes to take effect. 
- - -- -+ - - - -@@ -4595,7 +4595,7 @@ Add or update the following rules in "/etc/audit/rules.d/audit.rules": - The audit daemon must be restarted for the changes to take effect. - - -- -+ - - - -@@ -4641,14 +4641,14 @@ Add or update the following rules in "/etc/audit/rules.d/audit.rules": - The audit daemon must be restarted for the changes to take effect. - - -- -+ - - - - - SRG-OS-000392-GPOS-00172 - <GroupDescription></GroupDescription> -- -+ - RHEL-07-030560 - The Red Hat Enterprise Linux operating system must audit all uses of the semanage command. - <VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. -@@ -4670,23 +4670,23 @@ Satisfies: SRG-OS-000392-GPOS-00172, SRG-OS-000463-GPOS-00207, SRG-OS-000465-GPO - V-72135 - CCI-000172 - CCI-002884 -- Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "semanage" command occur. -+ Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "semanage" command occur. - - Add or update the following rule in "/etc/audit/rules.d/audit.rules": - ---a always,exit -F path=/usr/sbin/semanage -F auid>=1000 -F auid!=unset -k privileged-priv_change -+-a always,exit -F path=/usr/sbin/semanage -F perm=x -F auid>=1000 -F auid!=unset -k privileged-priv_change - - The audit daemon must be restarted for the changes to take effect. -- -+ - -- -+ - - - - - SRG-OS-000392-GPOS-00172 - <GroupDescription></GroupDescription> -- -+ - RHEL-07-030570 - The Red Hat Enterprise Linux operating system must audit all uses of the setsebool command. 
- <VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. -@@ -4708,23 +4708,23 @@ Satisfies: SRG-OS-000392-GPOS-00172, SRG-OS-000463-GPOS-00207, SRG-OS-000465-GPO - SV-86761 - CCI-000172 - CCI-002884 -- Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "setsebool" command occur. -+ Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "setsebool" command occur. - - Add or update the following rule in "/etc/audit/rules.d/audit.rules": - ---a always,exit -F path=/usr/sbin/setsebool -F auid>=1000 -F auid!=unset -k privileged-priv_change -+-a always,exit -F path=/usr/sbin/setsebool -F perm=x -F auid>=1000 -F auid!=unset -k privileged-priv_change - - The audit daemon must be restarted for the changes to take effect. -- -+ - -- -+ - - - - - SRG-OS-000392-GPOS-00172 - <GroupDescription></GroupDescription> -- -+ - RHEL-07-030580 - The Red Hat Enterprise Linux operating system must audit all uses of the chcon command. - <VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. -@@ -4746,23 +4746,23 @@ Satisfies: SRG-OS-000392-GPOS-00172, SRG-OS-000463-GPOS-00207, SRG-OS-000465-GPO - SV-86763 - CCI-000172 - CCI-002884 -- Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "chcon" command occur. -+ Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "chcon" command occur. 
- - Add or update the following rule in "/etc/audit/rules.d/audit.rules": - ---a always,exit -F path=/usr/bin/chcon -F auid>=1000 -F auid!=unset -k privileged-priv_change -+-a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=unset -k privileged-priv_change - - The audit daemon must be restarted for the changes to take effect. -- -+ - -- -+ - - - - - SRG-OS-000392-GPOS-00172 - <GroupDescription></GroupDescription> -- -+ - RHEL-07-030590 - The Red Hat Enterprise Linux operating system must audit all uses of the setfiles command. - <VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. -@@ -4783,16 +4783,16 @@ Satisfies: SRG-OS-000392-GPOS-00172, SRG-OS-000463-GPOS-00207, SRG-OS-000465-GPO - SV-86765 - CCI-000172 - CCI-002884 -- Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "setfiles" command occur. -+ Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "setfiles" command occur. - - Add or update the following rule in "/etc/audit/rules.d/audit.rules": - ---a always,exit -F path=/usr/sbin/setfiles -F auid>=1000 -F auid!=unset -k privileged-priv_change -+-a always,exit -F path=/usr/sbin/setfiles -F perm=x -F auid>=1000 -F auid!=unset -k privileged-priv_change - - The audit daemon must be restarted for the changes to take effect. -- -+ - -- -+ - - - -@@ -4829,7 +4829,7 @@ Add or update the following rule in "/etc/audit/rules.d/audit.rules": - The audit daemon must be restarted for the changes to take effect. - - -- -+ - - - -@@ -4866,21 +4866,21 @@ Add or update the following rule in "/etc/audit/rules.d/audit.rules": - The audit daemon must be restarted for the changes to take effect. 
- - -- -+ - - - - - SRG-OS-000042-GPOS-00020 - <GroupDescription></GroupDescription> -- -+ - RHEL-07-030630 - The Red Hat Enterprise Linux operating system must audit all uses of the passwd command. - <VulnDiscussion>Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. - - At a minimum, the organization must audit the full-text recording of privileged password commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise. - --When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way. -+When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way. - - Satisfies: SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000471-GPOS-00215</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - -@@ -4896,23 +4896,23 @@ Satisfies: SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000471-GPO - CCI-000135 - CCI-000172 - CCI-002884 -- Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "passwd" command occur. 
-+ Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "passwd" command occur. - - Add or update the following rule in "/etc/audit/rules.d/audit.rules": - ---a always,exit -F path=/usr/bin/passwd -F auid>=1000 -F auid!=unset -k privileged-passwd -+-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=unset -k privileged-passwd - - The audit daemon must be restarted for the changes to take effect. -- -+ - -- -+ - - - - - SRG-OS-000042-GPOS-00020 - <GroupDescription></GroupDescription> -- -+ - RHEL-07-030640 - The Red Hat Enterprise Linux operating system must audit all uses of the unix_chkpwd command. - <VulnDiscussion>Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. -@@ -4935,23 +4935,23 @@ Satisfies: SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000471-GPO - CCI-000135 - CCI-000172 - CCI-002884 -- Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "unix_chkpwd" command occur. -+ Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "unix_chkpwd" command occur. - - Add or update the following rule in "/etc/audit/rules.d/audit.rules": - ---a always,exit -F path=/usr/sbin/unix_chkpwd -F auid>=1000 -F auid!=unset -k privileged-passwd -+-a always,exit -F path=/usr/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=unset -k privileged-passwd - - The audit daemon must be restarted for the changes to take effect. -- -+ - -- -+ - - - - - SRG-OS-000042-GPOS-00020 - <GroupDescription></GroupDescription> -- -+ - RHEL-07-030650 - The Red Hat Enterprise Linux operating system must audit all uses of the gpasswd command. - <VulnDiscussion>Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. 
-@@ -4974,23 +4974,23 @@ Satisfies: SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000471-GPO - CCI-000135 - CCI-000172 - CCI-002884 -- Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "gpasswd" command occur. -+ Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "gpasswd" command occur. - - Add or update the following rule in "/etc/audit/rules.d/audit.rules": - ---a always,exit -F path=/usr/bin/gpasswd -F auid>=1000 -F auid!=unset -k privileged-passwd -+-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=unset -k privileged-passwd - - The audit daemon must be restarted for the changes to take effect. -- -+ - -- -+ - - - - - SRG-OS-000042-GPOS-00020 - <GroupDescription></GroupDescription> -- -+ - RHEL-07-030660 - The Red Hat Enterprise Linux operating system must audit all uses of the chage command. - <VulnDiscussion>Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. -@@ -5013,23 +5013,23 @@ Satisfies: SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000471-GPO - CCI-000135 - CCI-000172 - CCI-002884 -- Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "chage" command occur. -+ Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "chage" command occur. - - Add or update the following rule in "/etc/audit/rules.d/audit.rules": - ---a always,exit -F path=/usr/bin/chage -F auid>=1000 -F auid!=unset -k privileged-passwd -+-a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=unset -k privileged-passwd - - The audit daemon must be restarted for the changes to take effect. 
-- -+ - -- -+ - - - - - SRG-OS-000042-GPOS-00020 - <GroupDescription></GroupDescription> -- -+ - RHEL-07-030670 - The Red Hat Enterprise Linux operating system must audit all uses of the userhelper command. - <VulnDiscussion>Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. -@@ -5052,23 +5052,23 @@ Satisfies: SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000471-GPO - CCI-000135 - CCI-000172 - CCI-002884 -- Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "userhelper" command occur. -+ Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "userhelper" command occur. - - Add or update the following rule in "/etc/audit/rules.d/audit.rules": - ---a always,exit -F path=/usr/sbin/userhelper -F auid>=1000 -F auid!=unset -k privileged-passwd -+-a always,exit -F path=/usr/sbin/userhelper -F perm=x -F auid>=1000 -F auid!=unset -k privileged-passwd - - The audit daemon must be restarted for the changes to take effect. -- -+ - -- -+ - - - - - SRG-OS-000037-GPOS-00015 - <GroupDescription></GroupDescription> -- -+ - RHEL-07-030680 - The Red Hat Enterprise Linux operating system must audit all uses of the su command. - <VulnDiscussion>Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. -@@ -5092,23 +5092,23 @@ Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPO - CCI-000135 - CCI-000172 - CCI-002884 -- Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "su" command occur. -+ Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "su" command occur. 
- - Add or update the following rule in "/etc/audit/rules.d/audit.rules": - ---a always,exit -F path=/usr/bin/su -F auid>=1000 -F auid!=unset -k privileged-priv_change -+-a always,exit -F path=/usr/bin/su -F perm=x -F auid>=1000 -F auid!=unset -k privileged-priv_change - - The audit daemon must be restarted for the changes to take effect. -- -+ - -- -+ - - - - - SRG-OS-000037-GPOS-00015 - <GroupDescription></GroupDescription> -- -+ - RHEL-07-030690 - The Red Hat Enterprise Linux operating system must audit all uses of the sudo command. - <VulnDiscussion>Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. -@@ -5132,16 +5132,16 @@ Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPO - CCI-000135 - CCI-000172 - CCI-002884 -- Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "sudo" command occur. -+ Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "sudo" command occur. - - Add or update the following rule in "/etc/audit/rules.d/audit.rules": - ---a always,exit -F path=/usr/bin/sudo -F auid>=1000 -F auid!=unset -k privileged-priv_change -+-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=unset -k privileged-priv_change - - The audit daemon must be restarted for the changes to take effect. -- -+ - -- -+ - - - -@@ -5181,14 +5181,14 @@ Add or update the following rule in "/etc/audit/rules.d/audit.rules": - The audit daemon must be restarted for the changes to take effect. - - -- -+ - - - - - SRG-OS-000037-GPOS-00015 - <GroupDescription></GroupDescription> -- -+ - RHEL-07-030710 - The Red Hat Enterprise Linux operating system must audit all uses of the newgrp command. - <VulnDiscussion>Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. 
-@@ -5212,23 +5212,23 @@ Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPO - CCI-000135 - CCI-000172 - CCI-002884 -- Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "newgrp" command occur. -+ Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "newgrp" command occur. - - Add or update the following rule in "/etc/audit/rules.d/audit.rules": - ---a always,exit -F path=/usr/bin/newgrp -F auid>=1000 -F auid!=unset -k privileged-priv_change -+-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=unset -k privileged-priv_change - - The audit daemon must be restarted for the changes to take effect. -- -+ - -- -+ - - - - - SRG-OS-000037-GPOS-00015 - <GroupDescription></GroupDescription> -- -+ - RHEL-07-030720 - The Red Hat Enterprise Linux operating system must audit all uses of the chsh command. - <VulnDiscussion>Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. -@@ -5252,23 +5252,23 @@ Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPO - CCI-000135 - CCI-000172 - CCI-002884 -- Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "chsh" command occur. -+ Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "chsh" command occur. - - Add or update the following rule in "/etc/audit/rules.d/audit.rules": - ---a always,exit -F path=/usr/bin/chsh -F auid>=1000 -F auid!=unset -k privileged-priv_change -+-a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=unset -k privileged-priv_change - - The audit daemon must be restarted for the changes to take effect. 
-- -+ - -- -+ - - - - - SRG-OS-000042-GPOS-00020 - <GroupDescription></GroupDescription> -- -+ - RHEL-07-030740 - The Red Hat Enterprise Linux operating system must audit all uses of the mount command and syscall. - <VulnDiscussion>Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. -@@ -5290,25 +5290,25 @@ Satisfies: SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172</VulnDiscussion - SV-86795 - CCI-000135 - CCI-002884 -- Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "mount" command and syscall occur. -+ Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "mount" command and syscall occur. - - Add or update the following rules in "/etc/audit/rules.d/audit.rules": - - -a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=unset -k privileged-mount - -a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=unset -k privileged-mount ---a always,exit -F path=/usr/bin/mount -F auid>=1000 -F auid!=unset -k privileged-mount -+-a always,exit -F path=/usr/bin/mount -F perm=x -F auid>=1000 -F auid!=unset -k privileged-mount - - The audit daemon must be restarted for the changes to take effect. -- -+ - -- -+ - - - - - SRG-OS-000042-GPOS-00020 - <GroupDescription></GroupDescription> -- -+ - RHEL-07-030750 - The Red Hat Enterprise Linux operating system must audit all uses of the umount command. - <VulnDiscussion>Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. -@@ -5330,23 +5330,23 @@ Satisfies: SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172</VulnDiscussion - SV-86797 - CCI-000135 - CCI-002884 -- Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "umount" command occur. 
-+ Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "umount" command occur. - - Add or update the following rule in "/etc/audit/rules.d/audit.rules": - ---a always,exit -F path=/usr/bin/umount -F auid>=1000 -F auid!=unset -k privileged-mount -+-a always,exit -F path=/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=unset -k privileged-mount - - The audit daemon must be restarted for the changes to take effect. -- -+ - -- -+ - - - - - SRG-OS-000042-GPOS-00020 - <GroupDescription></GroupDescription> -- -+ - RHEL-07-030760 - The Red Hat Enterprise Linux operating system must audit all uses of the postdrop command. - <VulnDiscussion>Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. -@@ -5368,23 +5368,23 @@ Satisfies: SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172</VulnDiscussion - SV-86799 - CCI-000135 - CCI-002884 -- Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "postdrop" command occur. -+ Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "postdrop" command occur. - - Add or update the following rule in "/etc/audit/rules.d/audit.rules": - ---a always,exit -F path=/usr/sbin/postdrop -F auid>=1000 -F auid!=unset -k privileged-postfix -+-a always,exit -F path=/usr/sbin/postdrop -F perm=x -F auid>=1000 -F auid!=unset -k privileged-postfix - - The audit daemon must be restarted for the changes to take effect. -- -+ - -- -+ - - - - - SRG-OS-000042-GPOS-00020 - <GroupDescription></GroupDescription> -- -+ - RHEL-07-030770 - The Red Hat Enterprise Linux operating system must audit all uses of the postqueue command. - <VulnDiscussion>Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. 
-@@ -5406,23 +5406,23 @@ Satisfies: SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172</VulnDiscussion - V-72177 - CCI-000135 - CCI-002884 -- Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "postqueue" command occur. -+ Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "postqueue" command occur. - - Add or update the following rule in "/etc/audit/rules.d/audit.rules": - ---a always,exit -F path=/usr/sbin/postqueue -F auid>=1000 -F auid!=unset -k privileged-postfix -+-a always,exit -F path=/usr/sbin/postqueue -F perm=x -F auid>=1000 -F auid!=unset -k privileged-postfix - - The audit daemon must be restarted for the changes to take effect. -- -+ - -- -+ - - - - - SRG-OS-000042-GPOS-00020 - <GroupDescription></GroupDescription> -- -+ - RHEL-07-030780 - The Red Hat Enterprise Linux operating system must audit all uses of the ssh-keysign command. - <VulnDiscussion>Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. -@@ -5445,23 +5445,23 @@ Satisfies: SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000471-GPO - CCI-000135 - CCI-000172 - CCI-002884 -- Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "ssh-keysign" command occur. -+ Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "ssh-keysign" command occur. - - Add or update the following rule in "/etc/audit/rules.d/audit.rules": - ---a always,exit -F path=/usr/libexec/openssh/ssh-keysign -F auid>=1000 -F auid!=unset -k privileged-ssh -+-a always,exit -F path=/usr/libexec/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=unset -k privileged-ssh - - The audit daemon must be restarted for the changes to take effect. 
-- -+ - -- -+ - - - - - SRG-OS-000042-GPOS-00020 - <GroupDescription></GroupDescription> -- -+ - RHEL-07-030800 - The Red Hat Enterprise Linux operating system must audit all uses of the crontab command. - <VulnDiscussion>Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. -@@ -5484,23 +5484,23 @@ Satisfies: SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000471-GPO - CCI-000135 - CCI-000172 - CCI-002884 -- Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "crontab" command occur. -+ Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "crontab" command occur. - - Add or update the following rule in "/etc/audit/rules.d/audit.rules": - ---a always,exit -F path=/usr/bin/crontab -F auid>=1000 -F auid!=unset -k privileged-cron -+-a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=unset -k privileged-cron - - The audit daemon must be restarted for the changes to take effect. -- -+ - -- -+ - - - - - SRG-OS-000471-GPOS-00215 - <GroupDescription></GroupDescription> -- -+ - RHEL-07-030810 - The Red Hat Enterprise Linux operating system must audit all uses of the pam_timestamp_check command. - <VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. -@@ -5517,23 +5517,23 @@ When a user logs on, the auid is set to the uid of the account that is being aut - V-72185 - SV-86809 - CCI-000172 -- Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "pam_timestamp_check" command occur. 
-+ Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "pam_timestamp_check" command occur. - - Add or update the following rule in "/etc/audit/rules.d/audit.rules": - ---a always,exit -F path=/usr/sbin/pam_timestamp_check -F auid>=1000 -F auid!=unset -k privileged-pam -+-a always,exit -F path=/usr/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=unset -k privileged-pam - - The audit daemon must be restarted for the changes to take effect. -- -+ - -- -+ - - - - - SRG-OS-000471-GPOS-00216 - <GroupDescription></GroupDescription> -- -+ - RHEL-07-030819 - The Red Hat Enterprise Linux operating system must audit all uses of the create_module syscall. - <VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. -@@ -5551,25 +5551,25 @@ Satisfies: SRG-OS-000471-GPOS-00216, SRG-OS-000477-GPOS-00222</VulnDiscussion - V-78999 - SV-93705 - CCI-000172 -- Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "create_module" syscall occur. -+ Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "create_module" syscall occur. - - Add or update the following rules in "/etc/audit/rules.d/audit.rules": - ---a always,exit -F arch=b32 -S create_module -k module-change -+-a always,exit -F arch=b32 -S create_module -F auid>=1000 -F auid!=unset -k module-change - ---a always,exit -F arch=b64 -S create_module -k module-change -+-a always,exit -F arch=b64 -S create_module -F auid>=1000 -F auid!=unset -k module-change - - The audit daemon must be restarted for the changes to take effect. 
-- -+ - -- -+ - - - - - SRG-OS-000471-GPOS-00216 - <GroupDescription></GroupDescription> -- -+ - RHEL-07-030820 - The Red Hat Enterprise Linux operating system must audit all uses of the init_module and finit_module syscalls. - <VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. -@@ -5590,25 +5590,25 @@ Satisfies: SRG-OS-000471-GPOS-00216, SRG-OS-000477-GPOS-00222</VulnDiscussion - V-72187 - SV-86811 - CCI-000172 -- Configure the operating system to generate audit records upon successful/unsuccessful attempts to use the "init_module" and "finit_module" syscalls. -+ Configure the operating system to generate audit records upon successful/unsuccessful attempts to use the "init_module" and "finit_module" syscalls. - - Add or update the following rules in "/etc/audit/rules.d/audit.rules": - ---a always,exit -F arch=b32 -S init_module,finit_module -k modulechange -+-a always,exit -F arch=b32 -S init_module,finit_module -F auid>=1000 -F auid!=unset -k modulechange - ---a always,exit -F arch=b64 -S init_module,finit_module -k modulechange -+-a always,exit -F arch=b64 -S init_module,finit_module -F auid>=1000 -F auid!=unset -k modulechange - - The audit daemon must be restarted for the changes to take effect. -- -+ - -- -+ - - - - - SRG-OS-000471-GPOS-00216 - <GroupDescription></GroupDescription> -- -+ - RHEL-07-030830 - The Red Hat Enterprise Linux operating system must audit all uses of the delete_module syscall. - <VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. 
-@@ -5627,18 +5627,18 @@ Satisfies: SRG-OS-000471-GPOS-00216, SRG-OS-000477-GPOS-00222</VulnDiscussion - V-72189 - SV-86813 - CCI-000172 -- Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "delete_module" syscall occur. -+ Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "delete_module" syscall occur. - - Add or update the following rules in "/etc/audit/rules.d/audit.rules": - ---a always,exit -F arch=b32 -S delete_module -k module-change -+-a always,exit -F arch=b32 -S delete_module -F auid>=1000 -F auid!=unset -k module-change - ---a always,exit -F arch=b64 -S delete_module -k module-change -+-a always,exit -F arch=b64 -S delete_module -F auid>=1000 -F auid!=unset -k module-change - - The audit daemon must be restarted for the changes to take effect. -- -+ - -- -+ - - - -@@ -5674,7 +5674,7 @@ Add or update the following rule in "/etc/audit/rules.d/audit.rules": - The audit daemon must be restarted for the changes to take effect. - - -- -+ - - - -@@ -5712,7 +5712,7 @@ Add or update the following rule "/etc/audit/rules.d/audit.rules": - The audit daemon must be restarted for the changes to take effect. - - -- -+ - - - -@@ -5748,7 +5748,7 @@ Add or update the following rule in "/etc/audit/rules.d/audit.rules": - The audit daemon must be restarted for the changes to take effect. - - -- -+ - - - -@@ -5784,7 +5784,7 @@ Add or update the following rule in "/etc/audit/rules.d/audit.rules": - The audit daemon must be restarted for the changes to take effect. - - -- -+ - - - -@@ -5820,7 +5820,7 @@ Add or update the following file system rule in "/etc/audit/rules.d/audit.rules" - The audit daemon must be restarted for the changes to take effect. 
- - -- -+ - - - -@@ -5857,7 +5857,7 @@ The audit daemon must be restarted for the changes to take effect: - # systemctl restart auditd - - -- -+ - - - -@@ -5897,7 +5897,7 @@ Add the following rules in "/etc/audit/rules.d/audit.rules": - The audit daemon must be restarted for the changes to take effect. - - -- -+ - - - -@@ -5929,7 +5929,7 @@ Add the following line to the top of the /etc/security/limits.conf or in a ".con - - - -- -+ - - - -@@ -5970,7 +5970,7 @@ Ciphers aes256-ctr,aes192-ctr,aes128-ctr - The SSH service must be restarted for changes to take effect. - - -- -+ - - - -@@ -6005,7 +6005,7 @@ Create a script to enforce the inactivity timeout (for example /etc/profile.d/tm - declare -xr TMOUT=900 - - -- -+ - - - -@@ -6037,7 +6037,7 @@ Issue the following command to make the changes take effect: - # sysctl --system - - -- -+ - - - -@@ -6073,7 +6073,7 @@ Satisfies: SRG-OS-000423-GPOS-00187, SRG-OS-000424-GPOS-00188, SRG-OS-000425-GPO - # yum install openssh-server.x86_64 - - -- -+ - - - -@@ -6110,7 +6110,7 @@ The SSH service must be restarted for changes to take effect. - - - -- -+ - - - -@@ -6141,7 +6141,7 @@ RhostsRSAAuthentication no - The SSH service must be restarted for changes to take effect. - - -- -+ - - - -@@ -6177,7 +6177,7 @@ ClientAliveCountMax 0 - The SSH service must be restarted for changes to take effect. - - -- -+ - - - -@@ -6206,7 +6206,7 @@ Add the following line in "/etc/ssh/sshd_config", or uncomment the line and set - IgnoreRhosts yes - - -- -+ - - - -@@ -6237,7 +6237,7 @@ PrintLastLog yes - The SSH service must be restarted for changes to "sshd_config" to take effect. - - -- -+ - - - -@@ -6268,7 +6268,7 @@ PermitRootLogin no - The SSH service must be restarted for changes to take effect. - - -- -+ - - - -@@ -6299,7 +6299,7 @@ IgnoreUserKnownHosts yes - The SSH service must be restarted for changes to take effect. - - -- -+ - - - -@@ -6331,7 +6331,7 @@ Protocol 2 - The SSH service must be restarted for changes to take effect. 
- - -- -+ - - - -@@ -6362,7 +6362,7 @@ MACs hmac-sha2-512,hmac-sha2-256 - The SSH service must be restarted for changes to take effect. - - -- -+ - - - -@@ -6391,7 +6391,7 @@ Change the mode of public host key files under "/etc/ssh" to "0644" with the fol - # chmod 0644 /etc/ssh/*.key.pub - - -- -+ - - - -@@ -6418,7 +6418,7 @@ Change the mode of public host key files under "/etc/ssh" to "0644" with the fol - # chmod 0600 /path/to/file/ssh_host*key - - -- -+ - - - -@@ -6452,7 +6452,7 @@ The SSH service must be restarted for changes to take effect. - If GSSAPI authentication is required, it must be documented, to include the location of the configuration file, with the ISSO. - - -- -+ - - - -@@ -6487,7 +6487,7 @@ The SSH service must be restarted for changes to take effect. - If Kerberos authentication is required, it must be documented, to include the location of the configuration file, with the ISSO. - - -- -+ - - - -@@ -6516,7 +6516,7 @@ StrictModes yes - The SSH service must be restarted for changes to take effect. - - -- -+ - - - -@@ -6545,7 +6545,7 @@ UsePrivilegeSeparation sandbox - The SSH service must be restarted for changes to take effect. - - -- -+ - - - -@@ -6573,7 +6573,7 @@ Compression no - The SSH service must be restarted for changes to take effect. 
- - -- -+ - - - -@@ -6601,7 +6601,7 @@ Add the following line to the top of "/etc/pam.d/postlogin": - session required pam_lastlog.so showfailed - - -- -+ - - - -@@ -6627,7 +6627,7 @@ session required pam_lastlog.so showfailed - # rm /[path]/[to]/[file]/.shosts - - -- -+ - - - -@@ -6653,7 +6653,7 @@ session required pam_lastlog.so showfailed - # rm /[path]/[to]/[file]/shosts.equiv - - -- -+ - - - -@@ -6685,7 +6685,7 @@ Issue the following command to make the changes take effect: - - - -- -+ - - - -@@ -6717,7 +6717,7 @@ Issue the following command to make the changes take effect: - - - -- -+ - - - -@@ -6749,7 +6749,7 @@ Issue the following command to make the changes take effect: - - - -- -+ - - - -@@ -6781,7 +6781,7 @@ Issue the following command to make the changes take effect: - - - -- -+ - - - -@@ -6813,7 +6813,7 @@ Issue the following command to make the changes take effect: - - - -- -+ - - - -@@ -6846,7 +6846,7 @@ Issue the following command to make the changes take effect: - # sysctl --system - - -- -+ - - - -@@ -6879,7 +6879,7 @@ Issue the following command to make the changes take effect: - # sysctl --system - - -- -+ - - - -@@ -6905,7 +6905,7 @@ Issue the following command to make the changes take effect: - # yum remove vsftpd - - -- -+ - - - -@@ -6936,7 +6936,7 @@ Issue the following command to make the changes take effect: - # yum remove tftp-server - - -- -+ - - - -@@ -6969,7 +6969,7 @@ The SSH service must be restarted for changes to take effect: - # systemctl restart sshd - - -- -+ - - - -@@ -7002,7 +7002,7 @@ $ sudo yum remove xorg-x11-server-Xorg xorg-x11-server-common xorg-x11-server-ut - A reboot is required for the changes to take effect. 
- - -- -+ - - - -@@ -7033,7 +7033,7 @@ Issue the following command to make the changes take effect: - # sysctl --system - - -- -+ - - - -@@ -7058,7 +7058,7 @@ Issue the following command to make the changes take effect: - If the "/etc/snmp/snmpd.conf" file exists, modify any lines that contain a community string value of "public" or "private" to another string value. - - -- -+ - - - -@@ -7090,7 +7090,7 @@ Issue the following command to make the changes take effect: - - - -- -+ - - - -@@ -7130,7 +7130,7 @@ Install the pam_pkcs11 package with the following command: - # yum install pam_pkcs11 - - -- -+ - - - -@@ -7169,7 +7169,7 @@ Satisfies: SRG-OS-000375-GPOS-00160, SRG-OS-000375-GPOS-00161, SRG-OS-000375-GPO - Modify all of the services lines in "/etc/sssd/sssd.conf" or in configuration files found under "/etc/sssd/conf.d" to include pam. - - -- -+ - - - -@@ -7207,7 +7207,7 @@ Satisfies: SRG-OS-000375-GPOS-00160, SRG-OS-000375-GPOS-00161, SRG-OS-000375-GPO - Modify all of the "cert_policy" lines in "/etc/pam_pkcs11/pam_pkcs11.conf" to include "ocsp_on". - - -- -+ - - - -@@ -7244,7 +7244,7 @@ Alternatively, the package can be reinstalled from trusted media using the comma - # sudo rpm -Uvh <packagename> - - -- -+ - - - -@@ -7268,14 +7268,14 @@ ALL ALL=(ALL) ALL - ALL ALL=(ALL:ALL) ALL - - -- -+ - - - - - SRG-OS-000480-GPOS-00227 - <GroupDescription></GroupDescription> -- -+ - RHEL-07-010342 - The Red Hat Enterprise Linux operating system must use the invoking user's password for privilege escalation when using "sudo". - <VulnDiscussion>The sudoers security policy requires that users authenticate themselves before they can use sudo. When sudoers requires authentication, it validates the invoking user's credentials. If the rootpw, targetpw, or runaspw flags are defined and not disabled, by default the operating system will prompt the invoking user for the "root" user password. 
-@@ -7294,14 +7294,14 @@ Defaults !rootpw - Defaults !runaspw - - -- -+ - - - - - SRG-OS-000373-GPOS-00156 - <GroupDescription></GroupDescription> -- -+ - RHEL-07-010343 - The Red Hat Enterprise Linux operating system must require re-authentication when using the "sudo" command. - <VulnDiscussion>Without re-authentication, users may access resources or perform tasks for which they do not have authorization. -@@ -7326,18 +7326,18 @@ Defaults timestamp_timeout=[value] - Note: The "[value]" must be a number that is greater than or equal to "0". - - -- -+ - - - - - -- -+ - - - repotool - 5.10 -- 2022-03-28T12:32:37 -+ 2022-06-28T15:26:15 - - - -@@ -7711,7 +7711,7 @@ By specifying a hash algorithm list with the order of hashes being in a "stronge - - - -- -+ - - RHEL-07-010342 - The Red Hat Enterprise Linux operating system must use the invoking user's password for privilege escalation when using "sudo". - -@@ -7721,21 +7721,21 @@ By specifying a hash algorithm list with the order of hashes being in a "stronge - For more information on each of the listed configurations, reference the sudoers(5) manual page. - - -- -+ - - - -- -+ - - - -- -+ - - - - - -- -+ - - RHEL-07-010343 - The Red Hat Enterprise Linux operating system must require re-authentication when using the "sudo" command. - -@@ -7747,9 +7747,8 @@ When operating systems provide the capability to escalate a functional capabilit - - If the value is set to an integer less than 0, the user's time stamp will not expire and the user will not have to re-authenticate for privileged actions until the user's session is terminated. - -- -- -- -+ -+ - - - -@@ -12114,30 +12113,26 @@ The ability to enable/disable a session lock is given to the user by default. Di - - - -- -+ - - -- -+ - - -- -+ - - -- -+ - - -- -+ - - -- -+ - - -- -- -- -- -- -- -+ -+ - - - -@@ -14366,50 +14361,58 @@ The ability to enable/disable a session lock is given to the user by default. 
Di - ^\s*ALL\s+ALL\=\(ALL(?:|\:ALL)\)\s+ALL\s*$ - 1 - -- -+ - /etc/sudoers -- ^\s*Defaults\s+\!targetpw\s*$ -+ ^\s*(?i)Defaults\s+\!targetpw\s*$ - 1 - -- -- /etc/sudoers.d -+ -+ ^/etc/sudoers\.d.* - ^.*$ -- ^\s*Defaults\s+\!targetpw\s*$ -+ ^\s*(?i)Defaults\s+\!targetpw\s*$ - 1 - -- -+ - /etc/sudoers -- ^\s*Defaults\s+\!rootpw\s*$ -+ ^\s*(?i)Defaults\s+\!rootpw\s*$ - 1 - -- -- /etc/sudoers.d -+ -+ ^/etc/sudoers\.d.* - ^.*$ -- ^\s*Defaults\s+\!rootpw\s*$ -+ ^\s*(?i)Defaults\s+\!rootpw\s*$ - 1 - -- -+ - /etc/sudoers -- ^\s*Defaults\s+\!runaspw\s*$ -+ ^\s*(?i)Defaults\s+\!runaspw\s*$ - 1 - -- -- /etc/sudoers.d -+ -+ ^/etc/sudoers\.d.* - ^.*$ -- ^\s*Defaults\s+\!runaspw\s*$ -+ ^\s*(?i)Defaults\s+\!runaspw\s*$ - 1 - -- -+ -+ - /etc/sudoers -- ^\s*Defaults\s+timestamp_timeout\s*=\s*(\d+)\s*$ -+ ^\s*Defaults\s+timestamp_timeout\s*=\s*([-\d]+)\s*$ - 1 - -- -+ -+ - /etc/sudoers.d - ^.*$ -- ^\s*Defaults\s+timestamp_timeout\s*=\s*(\d+)\s*$ -+ ^\s*Defaults\s+timestamp_timeout\s*=\s*([-\d]+)\s*$ - 1 - -+ -+ -+ oval:mil.disa.stig.rhel7:obj:17900 -+ oval:mil.disa.stig.rhel7:obj:17901 -+ -+ - - /etc/audit/rules.d - .*\.rules$ -@@ -15430,12 +15433,12 @@ The ability to enable/disable a session lock is given to the user by default. Di - - - -- -+ - - - repotool - 5.10 -- 2022-03-28T12:32:37 -+ 2022-06-28T15:26:15 - - - --- -2.37.2 - diff --git a/SOURCES/scap-security-guide-0.1.67-firewalld_sshd_port_enabled_tests-PR_10162.patch b/SOURCES/scap-security-guide-0.1.67-firewalld_sshd_port_enabled_tests-PR_10162.patch new file mode 100644 index 0000000..34ddc1e --- /dev/null +++ b/SOURCES/scap-security-guide-0.1.67-firewalld_sshd_port_enabled_tests-PR_10162.patch 
@@ -0,0 +1,106 @@
+From c533f1e46ba25490af04a362a7a74ba2736281e5 Mon Sep 17 00:00:00 2001
+From: Watson Sato
+Date: Wed, 15 Feb 2023 16:25:47 +0100
+Subject: [PATCH 4/6] Change custom zones check in firewalld_sshd_port_enabled
+
+Patch-name: scap-security-guide-0.1.67-firewalld_sshd_port_enabled_tests-PR_10162.patch
+Patch-status: Change custom zones check in firewalld_sshd_port_enabled
+---
+ .../oval/shared.xml | 68 +++++++++++++++----
+ 1 file changed, 54 insertions(+), 14 deletions(-)
+
+diff --git a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/oval/shared.xml b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/oval/shared.xml
+index 4adef2e53f..d7c96665b4 100644
+--- a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/oval/shared.xml
++++ b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/oval/shared.xml
+@@ -133,9 +133,10 @@
+ OVAL resources in order to detect and assess only active zone, which are zones with at
+ least one NIC assigned to it. Since it was possible to easily have the list of active
+ zones, it was cumbersome to use that list in other OVAL objects without introduce a high
+- level of complexity to make sure environments with multiple NICs and multiple zones are
+- in use. So, in favor of simplicity and readbility it was decided to work with a static
+- list. It means that, in the future, it is possible this list needs to be updated. -->
++ level of complexity to ensure proper assessment in environments where multiple NICs and
++ multiple zones are in use. So, in favor of simplicity and readbility it was decided to
++ work with a static list. It means that, in the future, it is possible this list needs to
++ be updated.
--> + +@@ -145,23 +146,62 @@ + +- ++ +- +- +- ++ ++ ++ ++ ++ ++ var_firewalld_sshd_port_enabled_custom_zone_files_with_ssh_count ++ ++ ++ ++ ++ ++ ++ + + +- /etc/firewalld/zones +- ^.*\.xml$ +- /zone/service[@name='ssh'] ++ /etc/firewalld/zones ++ ^.*\.xml$ ++ /zone/service[@name='ssh'] + + +- +- /zone/service[@name='ssh'] +- ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ /etc/firewalld/zones ++ ^.*\.xml$ ++ + + + +- +- /etc/rsyslog.conf +- ^(?:include\([\n\s]*file="([^\s;]+)".*|\$IncludeConfig[\s]+([^\s;]+))$ +- 1 +- state_permissions_ignore_hidden_paths +- +- +- +- +- ^.*\/\..*$ +- +- +- +- +- +- +- +- +- +- +- +- +- +- var_rfp_include_config_regex +- +- +- +- ^/etc/rsyslog.conf$ +- +- +- +- var_rfp_syslog_config +- +- +- +- +- +- object_var_rfp_include_config_regex +- object_var_rfp_syslog_config +- +- +- +- +- +- +- +- +- +- +- +- +- ^[^(\s|#|\$)]+[\s]+.*[\s]+-?(/+[^:;\s]+);*\.*$ +- 1 +- state_permissions_ignore_include_paths +- +- +- +- +- (?:file="[^\s;]+"|\$IncludeConfig[\s]+[^\s;]+|\/dev\/.*) +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- regular +- false +- {{% if product in ["debian10", "debian11", "ubuntu1604", "ubuntu1804", "ubuntu2004", "ubuntu2204", "sle15", "sle12"] %}} +- true +- {{% else %}} +- false +- {{% endif %}} +- false +- false +- false +- false +- false +- +- +diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/rule.yml b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/rule.yml +index 508ff73cde..042c35362d 100644 +--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/rule.yml ++++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/rule.yml +@@ -1,18 +1,24 @@ ++{{%- if product in ["debian10", "debian11", "ubuntu1604", "ubuntu1804", "ubuntu2004", "ubuntu2204", "sle15", "sle12"] %}} ++ {{%- set rsyslog_perm='640' %}} ++{{%- else %}} ++ {{%- set 
rsyslog_perm='600' %}} ++{{%- endif %}} ++ + documentation_complete: true + + title: 'Ensure System Log Files Have Correct Permissions' + + description: |- + The file permissions for all log files written by rsyslog should +- be set to 600, or more restrictive. These log files are determined by the ++ be set to {{{ rsyslog_perm }}}, or more restrictive. These log files are determined by the + second part of each Rule line in /etc/rsyslog.conf and typically + all appear in /var/log. For each log file LOGFILE + referenced in /etc/rsyslog.conf, run the following command to + inspect the file's permissions: +
$ ls -l LOGFILE
+- If the permissions are not 600 or more restrictive, run the following ++ If the permissions are not {{{ rsyslog_perm }}} or more restrictive, run the following + command to correct this: +-
$ sudo chmod 0600 LOGFILE
" ++
$ sudo chmod {{{ rsyslog_perm }}} LOGFILE
" + + rationale: |- + Log files can contain valuable information regarding system +@@ -46,9 +52,23 @@ ocil_clause: 'the permissions are not correct' + + ocil: |- + The file permissions for all log files written by rsyslog should +- be set to 600, or more restrictive. These log files are determined by the ++ be set to {{{ rsyslog_perm }}}, or more restrictive. These log files are determined by the + second part of each Rule line in /etc/rsyslog.conf and typically + all appear in /var/log. To see the permissions of a given log + file, run the following command: +
$ ls -l LOGFILE
+- The permissions should be 600, or more restrictive. ++ The permissions should be {{{ rsyslog_perm }}}, or more restrictive. ++ ++template: ++ name: rsyslog_logfiles_attributes_modify ++ vars: ++ attribute: permissions ++ value: '0600' ++ value@debian10: '0640' ++ value@debian11: '0640' ++ value@sle12: '0640' ++ value@sle15: '0640' ++ value@ubuntu1604: '0640' ++ value@ubuntu1804: '0640' ++ value@ubuntu2004: '0640' ++ value@ubuntu2204: '0640' +diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/IncludeConfig_glob_perms_0600.pass.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/IncludeConfig_glob_perms_0600.pass.sh +deleted file mode 100755 +index c27e7874d9..0000000000 +--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/IncludeConfig_glob_perms_0600.pass.sh ++++ /dev/null +@@ -1,40 +0,0 @@ +-#!/bin/bash +-# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_sle +- +-# Check rsyslog.conf with log file permissions 0600 from rules and +-# log file permissions 0600 from $IncludeConfig passes. 
+-# test $IncludeConfig with wildcard (*.conf) +- +-source $SHARED/rsyslog_log_utils.sh +- +-PERMS=0600 +- +-# setup test data +-create_rsyslog_test_logs 2 +- +-# setup test log files and permissions +-chmod $PERMS ${RSYSLOG_TEST_LOGS[0]} +-chmod $PERMS ${RSYSLOG_TEST_LOGS[1]} +- +-# create test configuration file +-test_conf=${RSYSLOG_TEST_DIR}/test1.conf +-cat << EOF > ${test_conf} +-# rsyslog configuration file +- +-#### RULES #### +- +-*.* ${RSYSLOG_TEST_LOGS[1]} +-EOF +- +-# create rsyslog.conf configuration file +-cat << EOF > $RSYSLOG_CONF +-# rsyslog configuration file +- +-#### RULES #### +- +-*.* ${RSYSLOG_TEST_LOGS[0]} +- +-#### MODULES #### +- +-\$IncludeConfig ${RSYSLOG_TEST_DIR}/*.conf +-EOF +diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/IncludeConfig_glob_perms_0601.fail.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/IncludeConfig_glob_perms_0601.fail.sh +deleted file mode 100755 +index 124b5e863e..0000000000 +--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/IncludeConfig_glob_perms_0601.fail.sh ++++ /dev/null +@@ -1,41 +0,0 @@ +-#!/bin/bash +-# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol +- +-# Check rsyslog.conf with log file permissions 0600 from rules and +-# log file permissions 0601 from $IncludeConfig fails. 
+-# test $IncludeConfig with wildcard (*.conf) +- +-source $SHARED/rsyslog_log_utils.sh +- +-PERMS_PASS=0600 +-PERMS_FAIL=0601 +- +-# setup test data +-create_rsyslog_test_logs 2 +- +-# setup test log files and permissions +-chmod $PERMS_PASS ${RSYSLOG_TEST_LOGS[0]} +-chmod $PERMS_FAIL ${RSYSLOG_TEST_LOGS[1]} +- +-# create test configuration file +-test_conf=${RSYSLOG_TEST_DIR}/test1.conf +-cat << EOF > ${test_conf} +-# rsyslog configuration file +- +-#### RULES #### +- +-*.* ${RSYSLOG_TEST_LOGS[1]} +-EOF +- +-# create rsyslog.conf configuration file +-cat << EOF > $RSYSLOG_CONF +-# rsyslog configuration file +- +-#### RULES #### +- +-*.* ${RSYSLOG_TEST_LOGS[0]} +- +-#### MODULES #### +- +-\$IncludeConfig ${RSYSLOG_TEST_DIR}/*.conf +-EOF +diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/IncludeConfig_perms_0600.pass.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/IncludeConfig_perms_0600.pass.sh +deleted file mode 100755 +index a6ff6a1109..0000000000 +--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/IncludeConfig_perms_0600.pass.sh ++++ /dev/null +@@ -1,39 +0,0 @@ +-#!/bin/bash +-# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_sle +- +-# Check rsyslog.conf with log file permissions 0600 from rules and +-# log file permissions 0600 from $IncludeConfig passes. 
+- +-source $SHARED/rsyslog_log_utils.sh +- +-PERMS=0600 +- +-# setup test data +-create_rsyslog_test_logs 2 +- +-# setup test log files and permissions +-chmod $PERMS ${RSYSLOG_TEST_LOGS[0]} +-chmod $PERMS ${RSYSLOG_TEST_LOGS[1]} +- +-# create test configuration file +-test_conf=${RSYSLOG_TEST_DIR}/test1.conf +-cat << EOF > ${test_conf} +-# rsyslog configuration file +- +-#### RULES #### +- +-*.* ${RSYSLOG_TEST_LOGS[1]} +-EOF +- +-# create rsyslog.conf configuration file +-cat << EOF > $RSYSLOG_CONF +-# rsyslog configuration file +- +-#### RULES #### +- +-*.* ${RSYSLOG_TEST_LOGS[0]} +- +-#### MODULES #### +- +-\$IncludeConfig ${test_conf} +-EOF +diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/IncludeConfig_perms_0601.fail.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/IncludeConfig_perms_0601.fail.sh +deleted file mode 100755 +index 2ae5c89a4e..0000000000 +--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/IncludeConfig_perms_0601.fail.sh ++++ /dev/null +@@ -1,40 +0,0 @@ +-#!/bin/bash +-# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol +- +-# Check rsyslog.conf with log file permissions 0600 from rules and +-# log file permissions 0601 from $IncludeConfig fails. 
+- +-source $SHARED/rsyslog_log_utils.sh +- +-PERMS_PASS=0600 +-PERMS_FAIL=0601 +- +-# setup test data +-create_rsyslog_test_logs 2 +- +-# setup test log files and permissions +-chmod $PERMS_PASS ${RSYSLOG_TEST_LOGS[0]} +-chmod $PERMS_FAIL ${RSYSLOG_TEST_LOGS[1]} +- +-# create test configuration file +-test_conf=${RSYSLOG_TEST_DIR}/test1.conf +-cat << EOF > ${test_conf} +-# rsyslog configuration file +- +-#### RULES #### +- +-*.* ${RSYSLOG_TEST_LOGS[1]} +-EOF +- +-# create rsyslog.conf configuration file +-cat << EOF > $RSYSLOG_CONF +-# rsyslog configuration file +- +-#### RULES #### +- +-*.* ${RSYSLOG_TEST_LOGS[0]} +- +-#### MODULES #### +- +-\$IncludeConfig ${test_conf} +-EOF +diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0600.pass.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0600.pass.sh +deleted file mode 100755 +index a5a2f67fad..0000000000 +--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0600.pass.sh ++++ /dev/null +@@ -1,85 +0,0 @@ +-#!/bin/bash +-# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_sle +- +-# Check rsyslog.conf with log file permissions 0600 from rules and +-# log file permissions 0600 from $IncludeConfig passes. 
+- +-source $SHARED/rsyslog_log_utils.sh +- +-PERMS=0600 +- +-# setup test data +-create_rsyslog_test_logs 5 +- +-# setup test log files and permissions +-chmod $PERMS ${RSYSLOG_TEST_LOGS[0]} +-chmod $PERMS ${RSYSLOG_TEST_LOGS[1]} +-chmod $PERMS ${RSYSLOG_TEST_LOGS[2]} +-chmod $PERMS ${RSYSLOG_TEST_LOGS[3]} +-chmod $PERMS ${RSYSLOG_TEST_LOGS[4]} +- +-# create test configuration files +-conf_subdir=${RSYSLOG_TEST_DIR}/subdir +-conf_hiddir=${RSYSLOG_TEST_DIR}/.hiddir +-mkdir ${conf_subdir} +-mkdir ${conf_hiddir} +- +-test_conf_in_subdir=${conf_subdir}/in_subdir.conf +-test_conf_name_bak=${RSYSLOG_TEST_DIR}/name.bak +- +-test_conf_in_hiddir=${conf_hiddir}/in_hiddir.conf +-test_conf_dot_name=${RSYSLOG_TEST_DIR}/.name.conf +- +-cat << EOF > ${test_conf_in_subdir} +-# rsyslog configuration file +- +-#### RULES #### +- +-*.* ${RSYSLOG_TEST_LOGS[1]} +-EOF +- +-cat << EOF > ${test_conf_name_bak} +-# rsyslog configuration file +- +-#### RULES #### +- +-*.* ${RSYSLOG_TEST_LOGS[2]} +-EOF +- +-cat << EOF > ${test_conf_in_hiddir} +-# rsyslog configuration file +-# not used +- +-#### RULES #### +- +-*.* ${RSYSLOG_TEST_LOGS[3]} +-EOF +- +-cat << EOF > ${test_conf_dot_name} +-# rsyslog configuration file +-# not used +- +-#### RULES #### +- +-*.* ${RSYSLOG_TEST_LOGS[4]} +-EOF +- +-# create rsyslog.conf configuration file +-cat << EOF > $RSYSLOG_CONF +-# rsyslog configuration file +- +-#### RULES #### +- +-*.* ${RSYSLOG_TEST_LOGS[0]} +- +-#### MODULES #### +- +-include(file="${RSYSLOG_TEST_DIR}/*/*.conf" mode="optional") +-include(file="${RSYSLOG_TEST_DIR}/*.conf" mode="optional") +-include(file="${RSYSLOG_TEST_DIR}" mode="optional") +- +-\$IncludeConfig ${RSYSLOG_TEST_DIR}/*/*.conf +-\$IncludeConfig ${RSYSLOG_TEST_DIR}/*.conf +-\$IncludeConfig ${RSYSLOG_TEST_DIR} +- +-EOF +diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0601.fail.sh 
b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0601.fail.sh +deleted file mode 100755 +index fe4db0a3c9..0000000000 +--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0601.fail.sh ++++ /dev/null +@@ -1,86 +0,0 @@ +-#!/bin/bash +-# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_sle +- +-# Check rsyslog.conf with log file permissions 0600 from rules and +-# log file permissions 0601 from $IncludeConfig fails. +- +-source $SHARED/rsyslog_log_utils.sh +- +-PERMS_PASS=0600 +-PERMS_FAIL=0601 +- +-# setup test data +-create_rsyslog_test_logs 5 +- +-# setup test log files and permissions +-chmod $PERMS_PASS ${RSYSLOG_TEST_LOGS[0]} +-chmod $PERMS_FAIL ${RSYSLOG_TEST_LOGS[1]} +-chmod $PERMS_FAIL ${RSYSLOG_TEST_LOGS[2]} +-chmod $PERMS_FAIL ${RSYSLOG_TEST_LOGS[3]} +-chmod $PERMS_FAIL ${RSYSLOG_TEST_LOGS[4]} +- +-# create test configuration files +-conf_subdir=${RSYSLOG_TEST_DIR}/subdir +-conf_hiddir=${RSYSLOG_TEST_DIR}/.hiddir +-mkdir ${conf_subdir} +-mkdir ${conf_hiddir} +- +-test_conf_in_subdir=${conf_subdir}/in_subdir.conf +-test_conf_name_bak=${RSYSLOG_TEST_DIR}/name.bak +- +-test_conf_in_hiddir=${conf_hiddir}/in_hiddir.conf +-test_conf_dot_name=${RSYSLOG_TEST_DIR}/.name.conf +- +-cat << EOF > ${test_conf_in_subdir} +-# rsyslog configuration file +- +-#### RULES #### +- +-*.* ${RSYSLOG_TEST_LOGS[1]} +-EOF +- +-cat << EOF > ${test_conf_name_bak} +-# rsyslog configuration file +- +-#### RULES #### +- +-*.* ${RSYSLOG_TEST_LOGS[2]} +-EOF +- +-cat << EOF > ${test_conf_in_hiddir} +-# rsyslog configuration file +-# not used +- +-#### RULES #### +- +-*.* ${RSYSLOG_TEST_LOGS[3]} +-EOF +- +-cat << EOF > ${test_conf_dot_name} +-# rsyslog configuration file +-# not used +- +-#### RULES #### +- +-*.* ${RSYSLOG_TEST_LOGS[4]} +-EOF +- +-# create rsyslog.conf configuration file +-cat << 
EOF > $RSYSLOG_CONF +-# rsyslog configuration file +- +-#### RULES #### +- +-*.* ${RSYSLOG_TEST_LOGS[0]} +- +-#### MODULES #### +- +-include(file="${RSYSLOG_TEST_DIR}/*/*.conf" mode="optional") +-include(file="${RSYSLOG_TEST_DIR}/*.conf" mode="optional") +-include(file="${RSYSLOG_TEST_DIR}" mode="optional") +- +-\$IncludeConfig ${RSYSLOG_TEST_DIR}/*/*.conf +-\$IncludeConfig ${RSYSLOG_TEST_DIR}/*.conf +-\$IncludeConfig ${RSYSLOG_TEST_DIR} +- +-EOF +diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_multiline_perms_0600.pass.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_multiline_perms_0600.pass.sh +deleted file mode 100755 +index eabcb21956..0000000000 +--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_multiline_perms_0600.pass.sh ++++ /dev/null +@@ -1,41 +0,0 @@ +-#!/bin/bash +-# platform = Red Hat Enterprise Linux 8,multi_platform_fedora,Oracle Linux 8,multi_platform_sle +- +-# Check rsyslog.conf with log file permissions 0600 from rules and +-# log file permissions 0600 from multiline include() passes. 
+- +-source $SHARED/rsyslog_log_utils.sh +- +-PERMS=0600 +- +-# setup test data +-create_rsyslog_test_logs 2 +- +-# setup test log files and permissions +-chmod $PERMS ${RSYSLOG_TEST_LOGS[0]} +-chmod $PERMS ${RSYSLOG_TEST_LOGS[1]} +- +-# create test configuration file +-test_conf=${RSYSLOG_TEST_DIR}/test1.conf +-cat << EOF > ${test_conf} +-# rsyslog configuration file +- +-#### RULES #### +- +-*.* ${RSYSLOG_TEST_LOGS[1]} +-EOF +- +-# create rsyslog.conf configuration file +-cat << EOF > $RSYSLOG_CONF +-# rsyslog configuration file +- +-#### RULES #### +- +-*.* ${RSYSLOG_TEST_LOGS[0]} +- +-#### MODULES #### +- +-include( +- file="${test_conf}" +-) +-EOF +diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_perms_0600.pass.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_perms_0600.pass.sh +deleted file mode 100755 +index 32cd4c334a..0000000000 +--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_perms_0600.pass.sh ++++ /dev/null +@@ -1,39 +0,0 @@ +-#!/bin/bash +-# platform = Red Hat Enterprise Linux 8,multi_platform_fedora,Oracle Linux 8,multi_platform_sle +- +-# Check rsyslog.conf with log file permissions 0600 from rules and +-# log file permissions 0600 from include() passes. 
+- +-source $SHARED/rsyslog_log_utils.sh +- +-PERMS=0600 +- +-# setup test data +-create_rsyslog_test_logs 2 +- +-# setup test log files and permissions +-chmod $PERMS ${RSYSLOG_TEST_LOGS[0]} +-chmod $PERMS ${RSYSLOG_TEST_LOGS[1]} +- +-# create test configuration file +-test_conf=${RSYSLOG_TEST_DIR}/test1.conf +-cat << EOF > ${test_conf} +-# rsyslog configuration file +- +-#### RULES #### +- +-*.* ${RSYSLOG_TEST_LOGS[1]} +-EOF +- +-# create rsyslog.conf configuration file +-cat << EOF > $RSYSLOG_CONF +-# rsyslog configuration file +- +-#### RULES #### +- +-*.* ${RSYSLOG_TEST_LOGS[0]} +- +-#### MODULES #### +- +-include(file="${test_conf}") +-EOF +diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_perms_0600_IncludeConfig_perms_0600.pass.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_perms_0600_IncludeConfig_perms_0600.pass.sh +deleted file mode 100755 +index 357d4f9718..0000000000 +--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_perms_0600_IncludeConfig_perms_0600.pass.sh ++++ /dev/null +@@ -1,52 +0,0 @@ +-#!/bin/bash +-# platform = Red Hat Enterprise Linux 8,multi_platform_fedora,Oracle Linux 8 +- +-# Check rsyslog.conf with log file permisssions 0600 from rules and +-# log file permissions 0600 from include() passes. 
+- +-source $SHARED/rsyslog_log_utils.sh +- +-PERMS_PASS=0600 +- +-# setup test data +-create_rsyslog_test_logs 3 +- +-# setup test log files and permissions +-chmod $PERMS_PASS ${RSYSLOG_TEST_LOGS[0]} +-chmod $PERMS_PASS ${RSYSLOG_TEST_LOGS[1]} +-chmod $PERMS_PASS ${RSYSLOG_TEST_LOGS[2]} +- +-# create test configuration file +-test_conf=${RSYSLOG_TEST_DIR}/test1.conf +-cat << EOF > ${test_conf} +-# rsyslog configuration file +- +-#### RULES #### +- +-*.* ${RSYSLOG_TEST_LOGS[1]} +-EOF +- +-# create test2 configuration file +-test_conf2=${RSYSLOG_TEST_DIR}/test2.conf +-cat << EOF > ${test_conf2} +-# rsyslog configuration file +- +-#### RULES #### +- +-*.* ${RSYSLOG_TEST_LOGS[2]} +-EOF +- +-# create rsyslog.conf configuration file +-cat << EOF > $RSYSLOG_CONF +-# rsyslog configuration file +- +-#### RULES #### +- +-*.* ${RSYSLOG_TEST_LOGS[0]} +- +-#### MODULES #### +- +-include(file="${test_conf}") +- +-\$IncludeConfig ${test_conf2} +-EOF +diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_perms_0600_IncludeConfig_perms_0601.fail.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_perms_0600_IncludeConfig_perms_0601.fail.sh +deleted file mode 100755 +index 7bdb830c00..0000000000 +--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_perms_0600_IncludeConfig_perms_0601.fail.sh ++++ /dev/null +@@ -1,53 +0,0 @@ +-#!/bin/bash +-# platform = Red Hat Enterprise Linux 8,multi_platform_fedora,Oracle Linux 8 +- +-# Check rsyslog.conf with log file permisssions 0600 from rules and +-# log file permissions 0601 from include() fails. 
+- +-source $SHARED/rsyslog_log_utils.sh +- +-PERMS_PASS=0600 +-PERMS_FAIL=0601 +- +-# setup test data +-create_rsyslog_test_logs 3 +- +-# setup test log files and permissions +-chmod $PERMS_PASS ${RSYSLOG_TEST_LOGS[0]} +-chmod $PERMS_PASS ${RSYSLOG_TEST_LOGS[1]} +-chmod $PERMS_FAIL ${RSYSLOG_TEST_LOGS[2]} +- +-# create test configuration file +-test_conf=${RSYSLOG_TEST_DIR}/test1.conf +-cat << EOF > ${test_conf} +-# rsyslog configuration file +- +-#### RULES #### +- +-*.* ${RSYSLOG_TEST_LOGS[1]} +-EOF +- +-# create test2 configuration file +-test_conf2=${RSYSLOG_TEST_DIR}/test2.conf +-cat << EOF > ${test_conf2} +-# rsyslog configuration file +- +-#### RULES #### +- +-*.* ${RSYSLOG_TEST_LOGS[2]} +-EOF +- +-# create rsyslog.conf configuration file +-cat << EOF > $RSYSLOG_CONF +-# rsyslog configuration file +- +-#### RULES #### +- +-*.* ${RSYSLOG_TEST_LOGS[0]} +- +-#### MODULES #### +- +-include(file="${test_conf}") +- +-\$IncludeConfig ${test_conf2} +-EOF +diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_perms_0600_IncludeConfig_perms_0601_hidden.pass.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_perms_0600_IncludeConfig_perms_0601_hidden.pass.sh +deleted file mode 100644 +index 9b0185c6b2..0000000000 +--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_perms_0600_IncludeConfig_perms_0601_hidden.pass.sh ++++ /dev/null +@@ -1,53 +0,0 @@ +-#!/bin/bash +-# platform = Red Hat Enterprise Linux 8,multi_platform_fedora,Oracle Linux 8 +- +-# Check rsyslog.conf with log file permisssions 0600 from rules and +-# log file permissions 0601 from include() fails. 
+- +-source $SHARED/rsyslog_log_utils.sh +- +-PERMS_PASS=0600 +-PERMS_FAIL=0601 +- +-# setup test data +-create_rsyslog_test_logs 3 +- +-# setup test log files and permissions +-chmod $PERMS_PASS ${RSYSLOG_TEST_LOGS[0]} +-chmod $PERMS_PASS ${RSYSLOG_TEST_LOGS[1]} +-chmod $PERMS_FAIL ${RSYSLOG_TEST_LOGS[2]} +- +-# create test configuration file +-test_conf=${RSYSLOG_TEST_DIR}/test1.conf +-cat << EOF > ${test_conf} +-# rsyslog configuration file +- +-#### RULES #### +- +-*.* ${RSYSLOG_TEST_LOGS[1]} +-EOF +- +-# create hidden test2 configuration file +-test_conf2=${RSYSLOG_TEST_DIR}/.test2.conf +-cat << EOF > ${test_conf2} +-# rsyslog configuration file +- +-#### RULES #### +- +-*.* ${RSYSLOG_TEST_LOGS[2]} +-EOF +- +-# create rsyslog.conf configuration file +-cat << EOF > $RSYSLOG_CONF +-# rsyslog configuration file +- +-#### RULES #### +- +-*.* ${RSYSLOG_TEST_LOGS[0]} +- +-#### MODULES #### +- +-include(file="${test_conf}") +- +-\$IncludeConfig ${test_conf2} +-EOF +diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_perms_0600_IncludeConfig_perms_0601_missing.pass.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_perms_0600_IncludeConfig_perms_0601_missing.pass.sh +deleted file mode 100644 +index b929f2a94a..0000000000 +--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_perms_0600_IncludeConfig_perms_0601_missing.pass.sh ++++ /dev/null +@@ -1,45 +0,0 @@ +-#!/bin/bash +-# platform = Red Hat Enterprise Linux 8,multi_platform_fedora,Oracle Linux 8 +- +-# Check rsyslog.conf with log file permisssions 0600 from rules and +-# log file permissions 0601 from include() fails. 
+- +-source $SHARED/rsyslog_log_utils.sh +- +-PERMS_PASS=0600 +-PERMS_FAIL=0601 +- +-# setup test data +-create_rsyslog_test_logs 3 +- +-# setup test log files and permissions +-chmod $PERMS_PASS ${RSYSLOG_TEST_LOGS[0]} +-chmod $PERMS_PASS ${RSYSLOG_TEST_LOGS[1]} +-chmod $PERMS_FAIL ${RSYSLOG_TEST_LOGS[2]} +- +-# create test configuration file +-test_conf=${RSYSLOG_TEST_DIR}/test1.conf +-cat << EOF > ${test_conf} +-# rsyslog configuration file +- +-#### RULES #### +- +-*.* ${RSYSLOG_TEST_LOGS[1]} +-EOF +- +-# Skip creation test2 configuration file +- +-# create rsyslog.conf configuration file +-cat << EOF > $RSYSLOG_CONF +-# rsyslog configuration file +- +-#### RULES #### +- +-*.* ${RSYSLOG_TEST_LOGS[0]} +- +-#### MODULES #### +- +-include(file="${test_conf}") +- +-\$IncludeConfig ${test_conf2} +-EOF +diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_perms_0600_cloudinit.pass.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_perms_0600_cloudinit.pass.sh +deleted file mode 100644 +index 2eb515a43e..0000000000 +--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_perms_0600_cloudinit.pass.sh ++++ /dev/null +@@ -1,23 +0,0 @@ +-#!/bin/bash +-# platform = Red Hat Enterprise Linux 8,multi_platform_fedora,Oracle Linux 8,multi_platform_sle +- +-source $SHARED/rsyslog_log_utils.sh +- +-PERMS=0600 +- +-# setup test data +-create_rsyslog_test_logs 2 +- +-# setup test log files and permissions +-chmod $PERMS ${RSYSLOG_TEST_LOGS[@]} +- +-# create rsyslog.conf configuration file +-cat << EOF > $RSYSLOG_CONF +-# rsyslog configuration file +- +-#### RULES #### +- +-*.* ${RSYSLOG_TEST_LOGS[0]} +-:syslogtag, isequal, "[CLOUDINIT]" ${RSYSLOG_TEST_LOGS[1]} +-EOF +- +diff --git 
a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_perms_0601.fail.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_perms_0601.fail.sh +deleted file mode 100755 +index fd3f9e92ec..0000000000 +--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_perms_0601.fail.sh ++++ /dev/null +@@ -1,41 +0,0 @@ +-#!/bin/bash +-# platform = Red Hat Enterprise Linux 8,multi_platform_fedora,Oracle Linux 8 +- +-# Check rsyslog.conf with log file permissions 0600 from rules and +-# log file permissions 0601 from include() fails. +- +-source $SHARED/rsyslog_log_utils.sh +- +-PERMS_FAIL=0601 +- +-PERMS_PASS=0600 +- +-# setup test data +-create_rsyslog_test_logs 2 +- +-# setup test log files and permissions +-chmod $PERMS_PASS ${RSYSLOG_TEST_LOGS[0]} +-chmod $PERMS_FAIL ${RSYSLOG_TEST_LOGS[1]} +- +-# create test configuration file +-test_conf=${RSYSLOG_TEST_DIR}/test1.conf +-cat << EOF > ${test_conf} +-# rsyslog configuration file +- +-#### RULES #### +- +-*.* ${RSYSLOG_TEST_LOGS[1]} +-EOF +- +-# create rsyslog.conf configuration file +-cat << EOF > $RSYSLOG_CONF +-# rsyslog configuration file +- +-#### RULES #### +- +-*.* ${RSYSLOG_TEST_LOGS[0]} +- +-#### MODULES #### +- +-include(file="${test_conf}") +-EOF +diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_perms_0601_cloudinit.fail.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_perms_0601_cloudinit.fail.sh +deleted file mode 100644 +index 7a598626d0..0000000000 +--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_perms_0601_cloudinit.fail.sh ++++ /dev/null +@@ -1,22 +0,0 @@ +-#!/bin/bash +-# platform = Red Hat Enterprise Linux 8,multi_platform_fedora,Oracle 
Linux 8,multi_platform_sle +- +-source $SHARED/rsyslog_log_utils.sh +- +-# setup test data +-create_rsyslog_test_logs 2 +- +-# setup test log files and permissions +-chmod 0600 ${RSYSLOG_TEST_LOGS[0]} +-chmod 0601 ${RSYSLOG_TEST_LOGS[1]} +- +-# create rsyslog.conf configuration file +-cat << EOF > $RSYSLOG_CONF +-# rsyslog configuration file +- +-#### RULES #### +- +-*.* ${RSYSLOG_TEST_LOGS[0]} +-:syslogtag, isequal, "[CLOUDINIT]" ${RSYSLOG_TEST_LOGS[1]} +-EOF +- +diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/mixed_correct_attr_group_read.pass.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/mixed_correct_attr_group_read.pass.sh +new file mode 100755 +index 0000000000..b3846fec47 +--- /dev/null ++++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/mixed_correct_attr_group_read.pass.sh +@@ -0,0 +1,25 @@ ++#!/bin/bash ++# platform = multi_platform_sle,multi_platform_ubuntu ++ ++# Declare variables used for the tests and define the create_rsyslog_test_logs function ++source $SHARED/rsyslog_log_utils.sh ++ ++CHATTR="chmod" ++ATTR_VALUE="0640" ++ ++# create three test log file ++create_rsyslog_test_logs 2 ++ ++# setup test log file property ++$CHATTR $ATTR_VALUE ${RSYSLOG_TEST_LOGS[0]} ++$CHATTR $ATTR_VALUE ${RSYSLOG_TEST_LOGS[1]} ++ ++# add rules with both syntax for different test log files ++cat << EOF > $RSYSLOG_CONF ++# rsyslog configuration file ++ ++#### RULES #### ++*.* ${RSYSLOG_TEST_LOGS[0]} ++*.* action(type="omfile" FileCreateMode="0640" fileOwner="root" fileGroup="hoiadm" File="${RSYSLOG_TEST_LOGS[1]}") ++ ++EOF +diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/mixed_correct_attr_stricter.pass.sh 
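Review bot: The comment `# create three test log file` in mixed_correct_attr_group_read.pass.sh contradicts the `create_rsyslog_test_logs 2` call right below it; the same mismatch is in mixed_correct_attr_stricter.pass.sh. Suggest `# create two test log files` in both. The `fileGroup="hoiadm"` value in the generated rsyslog.conf names a group the test never creates; if the rule inspects on-disk attributes set by `$CHATTR` rather than the directive text this is harmless, but a comment such as `# fileGroup is arbitrary here; the rule looks at the files' actual attributes` would save the next reader the question.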
b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/mixed_correct_attr_stricter.pass.sh +new file mode 100755 +index 0000000000..0b4cb5dce0 +--- /dev/null ++++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/mixed_correct_attr_stricter.pass.sh +@@ -0,0 +1,25 @@ ++#!/bin/bash ++# platform = multi_platform_all ++ ++# Declare variables used for the tests and define the create_rsyslog_test_logs function ++source $SHARED/rsyslog_log_utils.sh ++ ++CHATTR="chmod" ++ATTR_VALUE="0400" ++ ++# create three test log file ++create_rsyslog_test_logs 2 ++ ++# setup test log file property ++$CHATTR $ATTR_VALUE ${RSYSLOG_TEST_LOGS[0]} ++$CHATTR $ATTR_VALUE ${RSYSLOG_TEST_LOGS[1]} ++ ++# add rules with both syntax for different test log files ++cat << EOF > $RSYSLOG_CONF ++# rsyslog configuration file ++ ++#### RULES #### ++*.* ${RSYSLOG_TEST_LOGS[0]} ++*.* action(type="omfile" FileCreateMode="0640" fileOwner="root" fileGroup="hoiadm" File="${RSYSLOG_TEST_LOGS[1]}") ++ ++EOF +diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/perms_0600.pass.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/perms_0600.pass.sh +deleted file mode 100755 +index fbdcd18f77..0000000000 +--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/perms_0600.pass.sh ++++ /dev/null +@@ -1,35 +0,0 @@ +-#!/bin/bash +-# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_sle +- +-# Check if log file with permissions 0600 in rsyslog.conf passes. 
+- +-source $SHARED/rsyslog_log_utils.sh +- +-PERMS=0600 +- +-# setup test data +-create_rsyslog_test_logs 4 +- +-# setup all files with incorrect permission +-chmod 0601 "${RSYSLOG_TEST_LOGS[@]}" +- +-# setup the real logfile with correct permissions +-chmod $PERMS "${RSYSLOG_TEST_LOGS[0]}" +- +-# add rule with 0600 permissions log file +-cat << EOF > $RSYSLOG_CONF +-# rsyslog configuration file +- +-#### RULES #### +- +-*.* ${RSYSLOG_TEST_LOGS[0]} +- +- *.* ${RSYSLOG_TEST_LOGS[1]} +- +-authpriv.* /nonexistent_file +- +-# *.* /irrelevant_file +- +-\$something /irrelevant_file +- +-EOF +diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/perms_0601.fail.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/perms_0601.fail.sh +deleted file mode 100755 +index 75e9558c63..0000000000 +--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/perms_0601.fail.sh ++++ /dev/null +@@ -1,34 +0,0 @@ +-#!/bin/bash +-# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_sle +- +-# Check if log file with permissions 0601 in rsyslog.conf fails. 
+- +-source $SHARED/rsyslog_log_utils.sh +- +-PERMS=0601 +- +-# setup test data +-create_rsyslog_test_logs 3 +- +-# setup test log file and permissions +-chmod $PERMS ${RSYSLOG_TEST_LOGS[0]} +- +-# add rule with 0601 permissions log file +-cat << EOF > $RSYSLOG_CONF +-# rsyslog configuration file +- +-#### RULES #### +- +-*.* ${RSYSLOG_TEST_LOGS[0]} +- +-cron.* /nonexistent_file +- +- authpriv.* /irrelevant_file +- +-# *.* /irrelevant_file +- +-\$something /irrelevant_file +- +-something.* ${RSYSLOG_TEST_LOGS[2]} +- +-EOF +diff --git a/shared/templates/rsyslog_logfiles_attributes_modify/ansible.template b/shared/templates/rsyslog_logfiles_attributes_modify/ansible.template +index fc9e8844b6..81d6220415 100644 +--- a/shared/templates/rsyslog_logfiles_attributes_modify/ansible.template ++++ b/shared/templates/rsyslog_logfiles_attributes_modify/ansible.template +@@ -20,7 +20,7 @@ + - name: '{{{ rule_title }}} - Get include files directives' + ansible.builtin.shell: | + set -o pipefail +- grep -oP '^\s*include\s*\(\s*file.*' {{ rsyslog_etc_config }} |cut -d"\"" -f 2 || true ++ awk '/)/{f=0} /include\(/{f=1} f{nf=gensub("^(include\\(|\\s*)file=\"(\\S+)\".*","\\2",1); if($0!=nf){print nf}}' {{ rsyslog_etc_config }} || true + register: rsyslog_new_inc + changed_when: False + +@@ -61,8 +61,9 @@ + - name: '{{{ rule_title }}} -Setup log files attribute' + ansible.builtin.file: + path: "{{ item }}" +- owner: '{{ ( "{{{ ATTRIBUTE }}}" is match("owner")) | ternary({{{ VALUE }}}, omit) }}' +- group: '{{ ( "{{{ ATTRIBUTE }}}" is match("groupowner")) | ternary({{{ VALUE }}} , omit) }}' ++ {{{ 'owner: ' ~ VALUE if ATTRIBUTE == "owner" }}} ++ {{{- 'group: ' ~ VALUE if ATTRIBUTE == "groupowner" }}} ++ {{{- 'mode: ' ~ VALUE if ATTRIBUTE == "permissions" }}} + state: file + loop: "{{ log_files | list | flatten | unique }}" + failed_when: false +diff --git a/shared/templates/rsyslog_logfiles_attributes_modify/bash.template 
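Review bot: The rewritten shell pipeline in the "Get include files directives" task depends on `gensub`, which is a GNU awk extension; on hosts whose `awk` is mawk or busybox awk the command fails, and the trailing `|| true` turns that failure into an empty `rsyslog_new_inc`, so log files reached only through `include(file=...)` would be silently skipped by the remediation. The new test's `platform = multi_platform_ubuntu` line suggests such hosts are in scope. Consider calling `gawk` explicitly, or rewriting the extraction with portable `match()`/`substr()` so an unsupported awk fails loudly instead of being masked.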
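Review bot: The new `mode:` branch applies `{{{ VALUE }}}` unconditionally to every path in `log_files`, which loosens log files that are already stricter than the target (a 0400 file becomes 0600), while the OVAL side of this same patch accepts stricter modes, as mixed_correct_attr_stricter.pass.sh shows. The same issue exists in bash.template, where `$FILE_CMD "{{{ VALUE }}}" "$LOG_FILE_PATH"` runs `chmod` on every discovered file. For the permissions case the remediation should skip a file whose current mode has no bits outside the target; in bash that is a `continue` when `$(( 8#$(stat -c %a "$LOG_FILE_PATH") & ~8#{{{ VALUE }}} ))` is zero, and in Ansible a per-file `stat` with a matching `when:` guard. If changing only the permissions branch is preferred, at least document the widening with a comment next to the `mode:` line.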
b/shared/templates/rsyslog_logfiles_attributes_modify/bash.template +index ab4a563dc5..d6755d5692 100644 +--- a/shared/templates/rsyslog_logfiles_attributes_modify/bash.template ++++ b/shared/templates/rsyslog_logfiles_attributes_modify/bash.template +@@ -48,7 +48,8 @@ do + # * Strip quotes and closing brackets from paths. + # * Ignore paths that match /dev|/etc.*\.conf, as those are paths, but likely not log files + # * From the remaining valid rows select only fields constituting a log file path +- # Text file column is understood to represent a log file path if and only if all of the following are met: ++ # Text file column is understood to represent a log file path if and only if all of the ++ # following are met: + # * it contains at least one slash '/' character, + # * it is preceded by space + # * it doesn't contain space (' '), colon (':'), and semicolon (';') characters +@@ -60,8 +61,8 @@ do + FILTERED_PATHS=$(awk '{if(NF>=2&&($NF~/^\//||$NF~/^-\//)){sub(/^-\//,"/",$NF);print $NF}}' <<< "${LINES_WITH_PATHS}") + CLEANED_PATHS=$(sed -e "s/[\"')]//g; /\\/etc.*\.conf/d; /\\/dev\\//d" <<< "${FILTERED_PATHS}") + MATCHED_ITEMS=$(sed -e "/^$/d" <<< "${CLEANED_PATHS}") +- # Since above sed command might return more than one item (delimited by newline), split the particular +- # matches entries into new array specific for this log file ++ # Since above sed command might return more than one item (delimited by newline), split ++ # the particular matches entries into new array specific for this log file + readarray -t ARRAY_FOR_LOG_FILE <<< "$MATCHED_ITEMS" + # Concatenate the two arrays - previous content of $LOG_FILE_PATHS array with + # items from newly created array for this log file +@@ -71,7 +72,8 @@ do + fi + done + +-# Check for RainerScript action log format which might be also multiline so grep regex is a bit curly ++# Check for RainerScript action log format which might be also multiline so grep regex is a bit ++# curly: + # extract possibly multiline 
action omfile expressions + # extract File="logfile" expression + # match only "logfile" expression +@@ -82,22 +84,10 @@ do + LOG_FILE_PATHS+=("$(echo "${OMFILE_LINES}"| grep -oE "\"([/[:alnum:][:punct:]]*)\""|tr -d "\"")") + done + +-FILE_PARAM="{{{ ATTRIBUTE }}}" +-FILE_CMD="" +-case "$FILE_PARAM" in +- "groupowner") +- FILE_CMD=$(which chgrp) +- ;; +- "owner") +- FILE_CMD=$(which chown) +- ;; +- *) +- echo -n "Not supported file attribute! " +- exit 1 +- ;; +-esac +- +-# Correct the form o ++# Ensure the correct attribute if file exists ++{{{ 'FILE_CMD="chown"' if ATTRIBUTE == "owner" }}} ++{{{- 'FILE_CMD="chgrp"' if ATTRIBUTE == "groupowner" }}} ++{{{- 'FILE_CMD="chmod"' if ATTRIBUTE == "permissions" }}} + for LOG_FILE_PATH in "${LOG_FILE_PATHS[@]}" + do + # Sanity check - if particular $LOG_FILE_PATH is empty string, skip it from further processing +@@ -105,6 +95,5 @@ do + then + continue + fi +- +- $FILE_CMD "+{{{ VALUE }}}" "$LOG_FILE_PATH" ++ $FILE_CMD "{{{ VALUE }}}" "$LOG_FILE_PATH" + done +diff --git a/shared/templates/rsyslog_logfiles_attributes_modify/oval.template b/shared/templates/rsyslog_logfiles_attributes_modify/oval.template +index 4f288df1c9..243d678852 100644 +--- a/shared/templates/rsyslog_logfiles_attributes_modify/oval.template ++++ b/shared/templates/rsyslog_logfiles_attributes_modify/oval.template +@@ -3,59 +3,57 @@ + {{{ oval_metadata("All syslog log files should have appropriate ownership.") }}} + + {{% if product in ["debian10", "debian11", "ubuntu1604"] %}} +- ++ + {{% endif %}} +- ++ + +- +
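Review bot: Dropping the `*)` branch of the old `case` removes the only guard against an unsupported ATTRIBUTE: when the template is rendered with anything other than owner, groupowner or permissions, `FILE_CMD` is never assigned and the loop's `$FILE_CMD "{{{ VALUE }}}" "$LOG_FILE_PATH"` expands to an attempt to execute the value itself as a command. Unless the build-time template validation already rejects such values (not visible here), re-add a guard after the three conditional assignments, `[ -n "$FILE_CMD" ] || { echo "Not supported file attribute!"; exit 1; }`. The `for` loop that uses `$FILE_CMD` starts in this hunk but its body continues in the next one.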
+ +- +- +- ++ ++ + /etc/rsyslog.conf + ^(?:include\([\n\s]*file="([^\s;]+)".*|\$IncludeConfig[\s]+([^\s;]+))$ ++ operation="pattern match">^(?:include\([\n\s]*file="([^\s;]+)".*|\$IncludeConfig[\s]+([^\s;]+))$ + 1 + + + + ++ comment="rsyslog's include config values converted to regex."> + + + ++ object_ref="object_{{{ _RULE_ID }}}_include_config_value"/> + + + + +- +- ++ ++ + var_{{{ _RULE_ID }}}_include_config_regex + + +- ++ + ^/etc/rsyslog.conf$ + + +- ++ + var_{{{ _RULE_ID }}}_syslog_config + + +- +- ++ ++ + + object_var_{{{ _RULE_ID }}}_include_config_regex + object_var_{{{ _RULE_ID }}}_syslog_config +@@ -64,74 +62,72 @@ + + +- +- ++ ++ + + +- +- +- +- +- ^\s*[^(\s|#|\$)]+\s+-?[\w\(="\s]*(\/[^:;\s"]+)+.*$ ++ ++ ++ ++ ++ ^\s*[^(\s|#|\$)]+\s+.*\s+-?[\w\(="\s]*(\/[^:;\s"]+)+.*$ + 1 +- state_{{{ _RULE_ID }}}_ownership_ignore_include_paths ++ state_{{{ _RULE_ID }}}_ignore_include_paths + + +- +- ++ ++ + (?:file="[^\s;]+"|\$IncludeConfig[\s]+[^\s;]+|\/dev\/.*) + + + ++ retrieved from the different rsyslog configuration files. --> + +- ++ comment="File paths of all rsyslog log files"> ++ + + +- +- +- ++ ++ ++ + + + +- +- ++ ++ + + + + regular + {{% if ATTRIBUTE == "groupowner" %}} + {{{ VALUE }}} +- {{% else %}} ++ {{% elif ATTRIBUTE == "owner" %}} + {{{ VALUE }}} ++ {{% else %}} ++ {{{ STATEMODE | indent(4) }}} + {{% endif %}} + +- + +diff --git a/shared/templates/rsyslog_logfiles_attributes_modify/template.py b/shared/templates/rsyslog_logfiles_attributes_modify/template.py +new file mode 100644 +index 0000000000..9ea31c9a6b +--- /dev/null ++++ b/shared/templates/rsyslog_logfiles_attributes_modify/template.py +@@ -0,0 +1,18 @@ ++def preprocess(data, lang): ++ if lang == "oval" and data["attribute"] == 'permissions': ++ # create STATEMODE used in the OVAL template by processing the octal permission and ++ # creating the equivalent permission fields of "unix:file_state" element. 
++ mode = data["value"] ++ fields = [ ++ 'oexec', 'owrite', 'oread', 'gexec', 'gwrite', 'gread', ++ 'uexec', 'uwrite', 'uread', 'sticky', 'sgid', 'suid'] ++ mode_int = int(mode, 8) ++ mode_str = "" ++ for field in fields: ++ if mode_int & 0x01 == 0: ++ mode_str = ( ++ "false\n{mode_str}".format( ++ field=field, mode_str=mode_str)) ++ mode_int = mode_int >> 1 ++ data["statemode"] = mode_str.rstrip("\n") ++ return data +diff --git a/shared/templates/rsyslog_logfiles_attributes_modify/tests/IncludeConfig_is_other.fail.sh b/shared/templates/rsyslog_logfiles_attributes_modify/tests/IncludeConfig_is_other.fail.sh +deleted file mode 100755 +index db7e5261eb..0000000000 +--- a/shared/templates/rsyslog_logfiles_attributes_modify/tests/IncludeConfig_is_other.fail.sh ++++ /dev/null +@@ -1,50 +0,0 @@ +-#!/bin/bash +-# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_sle +- +-# Check rsyslog.conf with root user log from rules and +-# non root user log from $IncludeConfig fails. 
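Review bot: `preprocess` emits a `false` entry only for the bits that are clear in `data["value"]`, so the resulting OVAL state accepts any mode that is a subset of the requested one (which is what mixed_correct_attr_stricter.pass.sh relies on), yet nothing in the function says so. A docstring should state that contract, that `value` must be an octal string (otherwise `int(mode, 8)` raises ValueError at build time), that only the oval/permissions combination is transformed and every other input is returned unchanged, and that the bit order in `fields` follows the low-to-high layout of a Unix mode word. As rendered here the format string contains no `{field}` placeholder although `field=field` is passed; if the XML element markup was stripped by the page rendering this is moot, otherwise the keyword argument is dead and the emitted text never names the field.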
+- +-source $SHARED/rsyslog_log_utils.sh +- +-{{% if ATTRIBUTE == "owner" %}} +-ADDCOMMAND="useradd" +-CHATTR="chown" +-{{% else %}} +-ADDCOMMAND="groupadd" +-CHATTR="chgrp" +-{{% endif %}} +- +-USER_TEST=testssg +-$ADDCOMMAND $USER_TEST +- +-USER_ROOT=root +- +-# setup test data +-create_rsyslog_test_logs 2 +- +-# setup test log files ownership +-$CHATTR $USER_ROOT ${RSYSLOG_TEST_LOGS[0]} +-$CHATTR $USER_TEST ${RSYSLOG_TEST_LOGS[1]} +- +-# create test configuration file +-test_conf=${RSYSLOG_TEST_DIR}/test1.conf +-cat << EOF > ${test_conf} +-# rsyslog configuration file +- +-#### RULES #### +- +-*.* ${RSYSLOG_TEST_LOGS[1]} +-EOF +- +-# create rsyslog.conf configuration file +-cat << EOF > $RSYSLOG_CONF +-# rsyslog configuration file +- +-#### RULES #### +- +-*.* ${RSYSLOG_TEST_LOGS[0]} +- +-#### MODULES #### +- +-\$IncludeConfig ${test_conf} +-EOF +diff --git a/shared/templates/rsyslog_logfiles_attributes_modify/tests/include_is_other.fail.sh b/shared/templates/rsyslog_logfiles_attributes_modify/tests/include_is_other.fail.sh +deleted file mode 100755 +index d79ae23cfc..0000000000 +--- a/shared/templates/rsyslog_logfiles_attributes_modify/tests/include_is_other.fail.sh ++++ /dev/null +@@ -1,50 +0,0 @@ +-#!/bin/bash +-# platform = Red Hat Enterprise Linux 8,multi_platform_fedora,Oracle Linux 8,multi_platform_sle +- +-# Check rsyslog.conf with root user log from rules and +-# non root user log from include() fails. 
+- +-source $SHARED/rsyslog_log_utils.sh +- +-{{% if ATTRIBUTE == "owner" %}} +-ADDCOMMAND="useradd" +-CHATTR="chown" +-{{% else %}} +-ADDCOMMAND="groupadd" +-CHATTR="chgrp" +-{{% endif %}} +- +-USER_TEST=testssg +-$ADDCOMMAND $USER_TEST +- +-USER_ROOT=root +- +-# setup test data +-create_rsyslog_test_logs 2 +- +-# setup test log files ownership +-$CHATTR $USER_ROOT ${RSYSLOG_TEST_LOGS[0]} +-$CHATTR $USER_TEST ${RSYSLOG_TEST_LOGS[1]} +- +-# create test configuration file +-test_conf=${RSYSLOG_TEST_DIR}/test1.conf +-cat << EOF > ${test_conf} +-# rsyslog configuration file +- +-#### RULES #### +- +-*.* ${RSYSLOG_TEST_LOGS[1]} +-EOF +- +-# create rsyslog.conf configuration file +-cat << EOF > $RSYSLOG_CONF +-# rsyslog configuration file +- +-#### RULES #### +- +-*.* ${RSYSLOG_TEST_LOGS[0]} +- +-#### MODULES #### +- +-include(file="${test_conf}") +-EOF +diff --git a/shared/templates/rsyslog_logfiles_attributes_modify/tests/include_is_other_IncludeConfig_is_other_RainerLogClause.fail.sh b/shared/templates/rsyslog_logfiles_attributes_modify/tests/include_is_other_IncludeConfig_is_other_RainerLogClause.fail.sh +deleted file mode 100644 +index 7869a180a8..0000000000 +--- a/shared/templates/rsyslog_logfiles_attributes_modify/tests/include_is_other_IncludeConfig_is_other_RainerLogClause.fail.sh ++++ /dev/null +@@ -1,75 +0,0 @@ +-#!/bin/bash +-# platform = Red Hat Enterprise Linux 8,multi_platform_fedora,Oracle Linux 8,multi_platform_sle +- +-# Check rsyslog.conf with root user log from rules and +-# root user log from include() passes. 
+- +-source $SHARED/rsyslog_log_utils.sh +- +-{{% if ATTRIBUTE == "owner" %}} +-ADDCOMMAND="useradd" +-CHATTR="chown" +-{{% else %}} +-ADDCOMMAND="groupadd" +-CHATTR="chgrp" +-{{% endif %}} +- +-USER_TEST=testssg +-$ADDCOMMAND $USER_TEST +- +-USER=root +- +-# setup test data +-create_rsyslog_test_logs 3 +- +-# setup test log files ownership +-$CHATTR $USER_TEST ${RSYSLOG_TEST_LOGS[0]} +-$CHATTR $USER_TEST ${RSYSLOG_TEST_LOGS[1]} +-$CHATTR $USER_TEST ${RSYSLOG_TEST_LOGS[2]} +- +-# create test configuration file +-test_conf=${RSYSLOG_TEST_DIR}/test1.conf +-cat << EOF > ${test_conf} +-# rsyslog configuration file +- +-#### RULES #### +- +-*.* ${RSYSLOG_TEST_LOGS[1]} +-EOF +- +-# create test2 configuration file +-test_conf2=${RSYSLOG_TEST_DIR}/test2.conf +-{{% if ATTRIBUTE == "owner" %}} +-cat << EOF > ${test_conf2} +-# rsyslog configuration file +- +-#### RULES #### +- +- +-*.* action(type="omfile" FileCreateMode="0640" fileOwner="$USER_TEST" fileGroup="root" File="${RSYSLOG_TEST_LOGS[2]}") +-EOF +-{{% else %}} +-cat << EOF > ${test_conf2} +-# rsyslog configuration file +- +-#### RULES #### +- +- +-*.* action(type="omfile" FileCreateMode="0640" fileOwner="root" fileGroup="$USER_TEST" File="${RSYSLOG_TEST_LOGS[2]}") +-EOF +-{{% endif %}} +- +-# create rsyslog.conf configuration file +-cat << EOF > $RSYSLOG_CONF +-# rsyslog configuration file +- +-#### RULES #### +- +-*.* ${RSYSLOG_TEST_LOGS[0]} +- +-#### MODULES #### +- +-include(file="${test_conf}") +- +-\$IncludeConfig ${test_conf2} +-EOF +diff --git a/shared/templates/rsyslog_logfiles_attributes_modify/tests/include_is_root.pass.sh b/shared/templates/rsyslog_logfiles_attributes_modify/tests/include_is_root.pass.sh +deleted file mode 100755 +index e80395ca99..0000000000 +--- a/shared/templates/rsyslog_logfiles_attributes_modify/tests/include_is_root.pass.sh ++++ /dev/null +@@ -1,46 +0,0 @@ +-#!/bin/bash +-# platform = Red Hat Enterprise Linux 8,multi_platform_fedora,Oracle Linux 8,multi_platform_sle +- +-# Check 
rsyslog.conf with root user log from rules and +-# root user log from include() passes. +- +-source $SHARED/rsyslog_log_utils.sh +- +- +-{{% if ATTRIBUTE == "owner" %}} +-CHATTR="chown" +-{{% else %}} +-CHATTR="chgrp" +-{{% endif %}} +- +-USER=root +- +-# setup test data +-create_rsyslog_test_logs 2 +- +-# setup test log files ownership +-$CHATTR $USER ${RSYSLOG_TEST_LOGS[0]} +-$CHATTR $USER ${RSYSLOG_TEST_LOGS[1]} +- +-# create test configuration file +-test_conf=${RSYSLOG_TEST_DIR}/test1.conf +-cat << EOF > ${test_conf} +-# rsyslog configuration file +- +-#### RULES #### +- +-*.* ${RSYSLOG_TEST_LOGS[1]} +-EOF +- +-# create rsyslog.conf configuration file +-cat << EOF > $RSYSLOG_CONF +-# rsyslog configuration file +- +-#### RULES #### +- +-*.* ${RSYSLOG_TEST_LOGS[0]} +- +-#### MODULES #### +- +-include(file="${test_conf}") +-EOF +diff --git a/shared/templates/rsyslog_logfiles_attributes_modify/tests/include_is_root_IncludeConfig_is_other.fail.sh b/shared/templates/rsyslog_logfiles_attributes_modify/tests/include_is_root_IncludeConfig_is_other.fail.sh +deleted file mode 100755 +index e7b4905dc5..0000000000 +--- a/shared/templates/rsyslog_logfiles_attributes_modify/tests/include_is_root_IncludeConfig_is_other.fail.sh ++++ /dev/null +@@ -1,63 +0,0 @@ +-#!/bin/bash +-# platform = Red Hat Enterprise Linux 8,multi_platform_fedora,Oracle Linux 8,multi_platform_sle +- +-# Check rsyslog.conf with root user log from rules and +-# non root user log from include() fails. 
+- +-source $SHARED/rsyslog_log_utils.sh +- +-{{% if ATTRIBUTE == "owner" %}} +-ADDCOMMAND="useradd" +-CHATTR="chown" +-{{% else %}} +-ADDCOMMAND="groupadd" +-CHATTR="chgrp" +-{{% endif %}} +- +-USER_ROOT=root +- +-USER_TEST=testssg +-$ADDCOMMAND $USER_TEST +- +-# setup test data +-create_rsyslog_test_logs 3 +- +-# setup test log files ownership +-$CHATTR $USER_ROOT ${RSYSLOG_TEST_LOGS[0]} +-$CHATTR $USER_ROOT ${RSYSLOG_TEST_LOGS[1]} +-$CHATTR $USER_TEST ${RSYSLOG_TEST_LOGS[2]} +- +-# create test configuration file +-test_conf=${RSYSLOG_TEST_DIR}/test1.conf +-cat << EOF > ${test_conf} +-# rsyslog configuration file +- +-#### RULES #### +- +-*.* ${RSYSLOG_TEST_LOGS[1]} +-EOF +- +-# create test2 configuration file +-test_conf2=${RSYSLOG_TEST_DIR}/test2.conf +-cat << EOF > ${test_conf2} +-# rsyslog configuration file +- +-#### RULES #### +- +-*.* ${RSYSLOG_TEST_LOGS[2]} +-EOF +- +-# create rsyslog.conf configuration file +-cat << EOF > $RSYSLOG_CONF +-# rsyslog configuration file +- +-#### RULES #### +- +-*.* ${RSYSLOG_TEST_LOGS[0]} +- +-#### MODULES #### +- +-include(file="${test_conf}") +- +-\$IncludeConfig ${test_conf2} +-EOF +diff --git a/shared/templates/rsyslog_logfiles_attributes_modify/tests/include_is_root_IncludeConfig_is_root.pass.sh b/shared/templates/rsyslog_logfiles_attributes_modify/tests/include_is_root_IncludeConfig_is_root.pass.sh +deleted file mode 100755 +index 6389e6ea3b..0000000000 +--- a/shared/templates/rsyslog_logfiles_attributes_modify/tests/include_is_root_IncludeConfig_is_root.pass.sh ++++ /dev/null +@@ -1,58 +0,0 @@ +-#!/bin/bash +-# platform = Red Hat Enterprise Linux 8,multi_platform_fedora,Oracle Linux 8,multi_platform_sle +- +-# Check rsyslog.conf with root user log from rules and +-# root user log from include() passes. 
+- +-source $SHARED/rsyslog_log_utils.sh +- +-{{% if ATTRIBUTE == "owner" %}} +-CHATTR="chown" +-{{% else %}} +-CHATTR="chgrp" +-{{% endif %}} +- +-USER=root +- +-# setup test data +-create_rsyslog_test_logs 3 +- +-# setup test log files ownership +-$CHATTR $USER ${RSYSLOG_TEST_LOGS[0]} +-$CHATTR $USER ${RSYSLOG_TEST_LOGS[1]} +-$CHATTR $USER ${RSYSLOG_TEST_LOGS[2]} +- +-# create test configuration file +-test_conf=${RSYSLOG_TEST_DIR}/test1.conf +-cat << EOF > ${test_conf} +-# rsyslog configuration file +- +-#### RULES #### +- +-*.* ${RSYSLOG_TEST_LOGS[1]} +-EOF +- +-# create test2 configuration file +-test_conf2=${RSYSLOG_TEST_DIR}/test2.conf +-cat << EOF > ${test_conf2} +-# rsyslog configuration file +- +-#### RULES #### +- +-*.* ${RSYSLOG_TEST_LOGS[2]} +-EOF +- +-# create rsyslog.conf configuration file +-cat << EOF > $RSYSLOG_CONF +-# rsyslog configuration file +- +-#### RULES #### +- +-*.* ${RSYSLOG_TEST_LOGS[0]} +- +-#### MODULES #### +- +-include(file="${test_conf}") +- +-\$IncludeConfig ${test_conf2} +-EOF +diff --git a/shared/templates/rsyslog_logfiles_attributes_modify/tests/include_is_root_IncludeConfig_is_root_RainerLogClause.pass.sh b/shared/templates/rsyslog_logfiles_attributes_modify/tests/include_is_root_IncludeConfig_is_root_RainerLogClause.pass.sh +deleted file mode 100755 +index 6b81a77c2f..0000000000 +--- a/shared/templates/rsyslog_logfiles_attributes_modify/tests/include_is_root_IncludeConfig_is_root_RainerLogClause.pass.sh ++++ /dev/null +@@ -1,59 +0,0 @@ +-#!/bin/bash +-# platform = Red Hat Enterprise Linux 8,multi_platform_fedora,Oracle Linux 8,multi_platform_sle +- +-# Check rsyslog.conf with root user log from rules and +-# root user log from include() passes. 
+- +-source $SHARED/rsyslog_log_utils.sh +- +-{{% if ATTRIBUTE == "owner" %}} +-CHATTR="chown" +-{{% else %}} +-CHATTR="chgrp" +-{{% endif %}} +- +-USER=root +- +-# setup test data +-create_rsyslog_test_logs 3 +- +-# setup test log files ownership +-$CHATTR $USER ${RSYSLOG_TEST_LOGS[0]} +-$CHATTR $USER ${RSYSLOG_TEST_LOGS[1]} +-$CHATTR $USER ${RSYSLOG_TEST_LOGS[2]} +- +-# create test configuration file +-test_conf=${RSYSLOG_TEST_DIR}/test1.conf +-cat << EOF > ${test_conf} +-# rsyslog configuration file +- +-#### RULES #### +- +-*.* ${RSYSLOG_TEST_LOGS[1]} +-EOF +- +-# create test2 configuration file +-test_conf2=${RSYSLOG_TEST_DIR}/test2.conf +-cat << EOF > ${test_conf2} +-# rsyslog configuration file +- +-#### RULES #### +- +- +-*.* action(type="omfile" FileCreateMode="0640" fileOwner="root" fileGroup="root" File="${RSYSLOG_TEST_LOGS[2]}") +-EOF +- +-# create rsyslog.conf configuration file +-cat << EOF > $RSYSLOG_CONF +-# rsyslog configuration file +- +-#### RULES #### +- +-*.* ${RSYSLOG_TEST_LOGS[0]} +- +-#### MODULES #### +- +-include(file="${test_conf}") +- +-\$IncludeConfig ${test_conf2} +-EOF +diff --git a/shared/templates/rsyslog_logfiles_attributes_modify/tests/include_multiline_is_root.pass.sh b/shared/templates/rsyslog_logfiles_attributes_modify/tests/include_multiline_is_root.pass.sh +deleted file mode 100755 +index 78b105abf3..0000000000 +--- a/shared/templates/rsyslog_logfiles_attributes_modify/tests/include_multiline_is_root.pass.sh ++++ /dev/null +@@ -1,47 +0,0 @@ +-#!/bin/bash +-# platform = Red Hat Enterprise Linux 8,multi_platform_fedora,Oracle Linux 8,multi_platform_sle +- +-# Check rsyslog.conf with root user log from rules and +-# root user log from multiline include() passes. 
+- +-source $SHARED/rsyslog_log_utils.sh +- +-{{% if ATTRIBUTE == "owner" %}} +-CHATTR="chown" +-{{% else %}} +-CHATTR="chgrp" +-{{% endif %}} +- +-USER=root +- +-# setup test data +-create_rsyslog_test_logs 2 +- +-# setup test log files ownership +-$CHATTR $USER ${RSYSLOG_TEST_LOGS[0]} +-$CHATTR $USER ${RSYSLOG_TEST_LOGS[1]} +- +-# create test configuration file +-test_conf=${RSYSLOG_TEST_DIR}/test1.conf +-cat << EOF > ${test_conf} +-# rsyslog configuration file +- +-#### RULES #### +- +-*.* ${RSYSLOG_TEST_LOGS[1]} +-EOF +- +-# create rsyslog.conf configuration file +-cat << EOF > $RSYSLOG_CONF +-# rsyslog configuration file +- +-#### RULES #### +- +-*.* ${RSYSLOG_TEST_LOGS[0]} +- +-#### MODULES #### +- +-include( +- file="${test_conf}" +-) +-EOF +diff --git a/shared/templates/rsyslog_logfiles_attributes_modify/tests/is_root.pass.sh b/shared/templates/rsyslog_logfiles_attributes_modify/tests/is_root.pass.sh +deleted file mode 100755 +index afce21fa27..0000000000 +--- a/shared/templates/rsyslog_logfiles_attributes_modify/tests/is_root.pass.sh ++++ /dev/null +@@ -1,30 +0,0 @@ +-#!/bin/bash +-# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_sle +- +-# Check if log file with root user in rsyslog.conf passes. 
+- +-source $SHARED/rsyslog_log_utils.sh +- +-{{% if ATTRIBUTE == "owner" %}} +-CHATTR="chown" +-{{% else %}} +-CHATTR="chgrp" +-{{% endif %}} +- +-USER=root +- +-# setup test data +-create_rsyslog_test_logs 1 +- +-# setup test log file ownership +-$CHATTR $USER ${RSYSLOG_TEST_LOGS[0]} +- +-# add rule with root user owned log file +-cat << EOF > $RSYSLOG_CONF +-# rsyslog configuration file +- +-#### RULES #### +- +-*.* ${RSYSLOG_TEST_LOGS[0]} +- +-EOF +diff --git a/shared/templates/rsyslog_logfiles_attributes_modify/tests/is_other.fail.sh b/shared/templates/rsyslog_logfiles_attributes_modify/tests/legacy_correct_attr.pass.sh +similarity index 53% +rename from shared/templates/rsyslog_logfiles_attributes_modify/tests/is_other.fail.sh +rename to shared/templates/rsyslog_logfiles_attributes_modify/tests/legacy_correct_attr.pass.sh +index 1afe20823c..dc362ae003 100755 +--- a/shared/templates/rsyslog_logfiles_attributes_modify/tests/is_other.fail.sh ++++ b/shared/templates/rsyslog_logfiles_attributes_modify/tests/legacy_correct_attr.pass.sh +@@ -1,33 +1,31 @@ + #!/bin/bash + # platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_sle + +-# Check if log file with non root user in rsyslog.conf fails. 
+-
++# Declare variables used for the tests and define the create_rsyslog_test_logs function
+ source $SHARED/rsyslog_log_utils.sh
+ 
+ {{% if ATTRIBUTE == "owner" %}}
+-ADDCOMMAND="useradd"
+ CHATTR="chown"
+-{{% else %}}
+-ADDCOMMAND="groupadd"
++ATTR_VALUE="root"
++{{% elif ATTRIBUTE == "groupowner" %}}
+ CHATTR="chgrp"
++ATTR_VALUE="root"
++{{% else %}}
++CHATTR="chmod"
++ATTR_VALUE="0600"
+ {{% endif %}}
+ 
+-USER=testssg
+-
+-$ADDCOMMAND $USER
+-
+-# setup test data
++# create one test log file
+ create_rsyslog_test_logs 1
+ 
+-# setup test log file ownership
+-$CHATTR $USER ${RSYSLOG_TEST_LOGS[0]}
++# setup test log file property
++$CHATTR $ATTR_VALUE ${RSYSLOG_TEST_LOGS[0]}
+ 
+-# add rule with non-root user owned log file
++# add rule with test log file
+ cat << EOF > $RSYSLOG_CONF
+ # rsyslog configuration file
+ 
+ #### RULES ####
+-
+ *.* ${RSYSLOG_TEST_LOGS[0]}
++
+ EOF
+diff --git a/shared/templates/rsyslog_logfiles_attributes_modify/tests/IncludeConfig_is_root.pass.sh b/shared/templates/rsyslog_logfiles_attributes_modify/tests/legacy_include_correct_attr.pass.sh
+similarity index 51%
+rename from shared/templates/rsyslog_logfiles_attributes_modify/tests/IncludeConfig_is_root.pass.sh
+rename to shared/templates/rsyslog_logfiles_attributes_modify/tests/legacy_include_correct_attr.pass.sh
+index b03268fe3e..c742f41039 100755
+--- a/shared/templates/rsyslog_logfiles_attributes_modify/tests/IncludeConfig_is_root.pass.sh
++++ b/shared/templates/rsyslog_logfiles_attributes_modify/tests/legacy_include_correct_attr.pass.sh
+@@ -1,45 +1,45 @@
+ #!/bin/bash
+ # platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_sle
+ 
+-# Check rsyslog.conf with root user log from rules and
+-# root user log from $IncludeConfig passes.
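Review bot: The `{{% else %}}` branch of the ATTRIBUTE dispatch at the top of the new script applies `chmod 0600` for every value that is not `owner` or `groupowner`, so a mistyped or newly added attribute in the template parameters would silently run the permissions scenario instead of failing at render time. Testing the third value explicitly with an `{{% elif %}}` and leaving the `{{% else %}}` branch to abort would make such a mismatch visible; the exact name of the permissions attribute is not shown in this patch, so it has to be taken from the template definition. Every new and renamed test script in this patch repeats the same three-way dispatch.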
+-
++# Declare variables used for the tests and define the create_rsyslog_test_logs function
+ source $SHARED/rsyslog_log_utils.sh
+ 
+ {{% if ATTRIBUTE == "owner" %}}
+ CHATTR="chown"
+-{{% else %}}
++ATTR_VALUE="root"
++{{% elif ATTRIBUTE == "groupowner" %}}
+ CHATTR="chgrp"
++ATTR_VALUE="root"
++{{% else %}}
++CHATTR="chmod"
++ATTR_VALUE="0600"
+ {{% endif %}}
+ 
+-USER=root
+-
+-# setup test data
++# create two test log file
+ create_rsyslog_test_logs 2
+ 
+-# setup test log files ownership
+-$CHATTR $USER ${RSYSLOG_TEST_LOGS[0]}
+-$CHATTR $USER ${RSYSLOG_TEST_LOGS[1]}
++# setup test log file property
++$CHATTR $ATTR_VALUE ${RSYSLOG_TEST_LOGS[0]}
++$CHATTR $ATTR_VALUE ${RSYSLOG_TEST_LOGS[1]}
+ 
+-# create test configuration file
++# create test configuration file with rule for second test log file
+ test_conf=${RSYSLOG_TEST_DIR}/test1.conf
+ cat << EOF > ${test_conf}
+-# rsyslog configuration file
++# rsyslog test configuration file
+ 
+ #### RULES ####
+-
+ *.* ${RSYSLOG_TEST_LOGS[1]}
++
+ EOF
+ 
+-# create rsyslog.conf configuration file
++# add rule with first test log file plus an include statement
+ cat << EOF > $RSYSLOG_CONF
+ # rsyslog configuration file
+ 
+ #### RULES ####
+-
+ *.* ${RSYSLOG_TEST_LOGS[0]}
+ 
+ #### MODULES ####
+-
+ \$IncludeConfig ${test_conf}
++
+ EOF
+diff --git a/shared/templates/rsyslog_logfiles_attributes_modify/tests/legacy_include_incorrect_attr.fail.sh b/shared/templates/rsyslog_logfiles_attributes_modify/tests/legacy_include_incorrect_attr.fail.sh
+new file mode 100755
+index 0000000000..a12d0bc653
+--- /dev/null
++++ b/shared/templates/rsyslog_logfiles_attributes_modify/tests/legacy_include_incorrect_attr.fail.sh
+@@ -0,0 +1,50 @@
++#!/bin/bash
++# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_sle
++
++# Declare variables used for the tests and define the create_rsyslog_test_logs function
++source $SHARED/rsyslog_log_utils.sh
++
++{{% if ATTRIBUTE == "owner" %}}
++CHATTR="chown"
++ATTR_VALUE="root"
++ATTR_INCORRECT_VALUE="cac_testuser"
++useradd $ATTR_INCORRECT_VALUE
++{{% elif ATTRIBUTE == "groupowner" %}}
++CHATTR="chgrp"
++ATTR_VALUE="root"
++ATTR_INCORRECT_VALUE="cac_testgroup"
++groupadd $ATTR_INCORRECT_VALUE
++{{% else %}}
++CHATTR="chmod"
++ATTR_VALUE="0600"
++ATTR_INCORRECT_VALUE="0666"
++{{% endif %}}
++
++# create two test log file
++create_rsyslog_test_logs 2
++
++# setup test log file property
++$CHATTR $ATTR_VALUE ${RSYSLOG_TEST_LOGS[0]}
++$CHATTR $ATTR_INCORRECT_VALUE ${RSYSLOG_TEST_LOGS[1]}
++
++# create test configuration file with rule for second test log file
++test_conf=${RSYSLOG_TEST_DIR}/test1.conf
++cat << EOF > ${test_conf}
++# rsyslog test configuration file
++
++#### RULES ####
++*.* ${RSYSLOG_TEST_LOGS[1]}
++
++EOF
++
++# add rule with first test log file plus an include statement
++cat << EOF > $RSYSLOG_CONF
++# rsyslog configuration file
++
++#### RULES ####
++*.* ${RSYSLOG_TEST_LOGS[0]}
++
++#### MODULES ####
++\$IncludeConfig ${test_conf}
++
++EOF
+diff --git a/shared/templates/rsyslog_logfiles_attributes_modify/tests/legacy_incorrect_attr.fail.sh b/shared/templates/rsyslog_logfiles_attributes_modify/tests/legacy_incorrect_attr.fail.sh
+new file mode 100755
+index 0000000000..25430db033
+--- /dev/null
++++ b/shared/templates/rsyslog_logfiles_attributes_modify/tests/legacy_incorrect_attr.fail.sh
+@@ -0,0 +1,33 @@
++#!/bin/bash
++# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_sle
++
++# Declare variables used for the tests and define the create_rsyslog_test_logs function
++source $SHARED/rsyslog_log_utils.sh
++
++{{% if ATTRIBUTE == "owner" %}}
++CHATTR="chown"
++ATTR_INCORRECT_VALUE="cac_testuser"
++useradd $ATTR_INCORRECT_VALUE
++{{% elif ATTRIBUTE == "groupowner" %}}
++CHATTR="chgrp"
++ATTR_INCORRECT_VALUE="cac_testgroup"
++groupadd $ATTR_INCORRECT_VALUE
++{{% else %}}
++CHATTR="chmod"
++ATTR_INCORRECT_VALUE="0666"
++{{% endif %}}
++
++# create one test log file
++create_rsyslog_test_logs 1
++
++# setup test log file property
++$CHATTR $ATTR_INCORRECT_VALUE ${RSYSLOG_TEST_LOGS[0]}
++
++# add rule with non-root user owned log file
++cat << EOF > $RSYSLOG_CONF
++# rsyslog configuration file
++
++#### RULES ####
++*.* ${RSYSLOG_TEST_LOGS[0]}
++
++EOF
+diff --git a/shared/templates/rsyslog_logfiles_attributes_modify/tests/mixed_correct_attr.pass.sh b/shared/templates/rsyslog_logfiles_attributes_modify/tests/mixed_correct_attr.pass.sh
+new file mode 100755
+index 0000000000..c1c5758d80
+--- /dev/null
++++ b/shared/templates/rsyslog_logfiles_attributes_modify/tests/mixed_correct_attr.pass.sh
+@@ -0,0 +1,33 @@
++#!/bin/bash
++# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_sle
++
++# Declare variables used for the tests and define the create_rsyslog_test_logs function
++source $SHARED/rsyslog_log_utils.sh
++
++{{% if ATTRIBUTE == "owner" %}}
++CHATTR="chown"
++ATTR_VALUE="root"
++{{% elif ATTRIBUTE == "groupowner" %}}
++CHATTR="chgrp"
++ATTR_VALUE="root"
++{{% else %}}
++CHATTR="chmod"
++ATTR_VALUE="0600"
++{{% endif %}}
++
++# create three test log file
++create_rsyslog_test_logs 2
++
++# setup test log file property
++$CHATTR $ATTR_VALUE ${RSYSLOG_TEST_LOGS[0]}
++$CHATTR $ATTR_VALUE ${RSYSLOG_TEST_LOGS[1]}
++
++# add rules with both syntax for different test log files
++cat << EOF > $RSYSLOG_CONF
++# rsyslog configuration file
++
++#### RULES ####
++*.* ${RSYSLOG_TEST_LOGS[0]}
++*.* action(type="omfile" FileCreateMode="0640" fileOwner="root" fileGroup="hoiadm" File="${RSYSLOG_TEST_LOGS[1]}")
++
++EOF
+diff --git a/shared/templates/rsyslog_logfiles_attributes_modify/tests/mixed_include_correct_attr.pass.sh b/shared/templates/rsyslog_logfiles_attributes_modify/tests/mixed_include_correct_attr.pass.sh
+new file mode 100755
+index 0000000000..0235130534
+--- /dev/null
++++ b/shared/templates/rsyslog_logfiles_attributes_modify/tests/mixed_include_correct_attr.pass.sh
+@@ -0,0 +1,58 @@
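Review bot: The comment `# add rule with non-root user owned log file` above the `cat << EOF > $RSYSLOG_CONF` block in legacy_incorrect_attr.fail.sh is accurate only for the owner instantiation of this template; in the groupowner and permissions branches the file has just been given a wrong group or mode `0666`, not a non-root owner. `# add rule with the test log file that carries the incorrect attribute value` describes all three branches. The same comment is reused in rainer_incorrect_attr.fail.sh at the end of this patch.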
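Review bot: The comment `# create three test log file` in mixed_correct_attr.pass.sh precedes `create_rsyslog_test_logs 2`, which creates two files, and the same mismatch appears in mixed_incorrect_attr_cloudinit.fail.sh, mixed_incorrect_attr_legacy.fail.sh and mixed_incorrect_attr_rainer.fail.sh; `# create two test log files` matches the call. The RainerScript rule in the `cat << EOF > $RSYSLOG_CONF` block also declares `FileCreateMode="0640" fileOwner="root" fileGroup="hoiadm"` while the script has just set the file to `$ATTR_VALUE` (root or 0600) and never creates a `hoiadm` group, so the expected pass presumably relies on the check reading the on-disk attributes rather than the action parameters. A comment such as `# action parameters are deliberately unrelated to the on-disk attributes under test` would save the next reader from hunting for that group. The same fixed parameters are repeated in every rainer_* and mixed_* script in this patch.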
++#!/bin/bash
++# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_sle
++
++# Declare variables used for the tests and define the create_rsyslog_test_logs function
++source $SHARED/rsyslog_log_utils.sh
++
++{{% if ATTRIBUTE == "owner" %}}
++CHATTR="chown"
++ATTR_VALUE="root"
++{{% elif ATTRIBUTE == "groupowner" %}}
++CHATTR="chgrp"
++ATTR_VALUE="root"
++{{% else %}}
++CHATTR="chmod"
++ATTR_VALUE="0600"
++{{% endif %}}
++
++# create three test log file
++create_rsyslog_test_logs 3
++
++# setup test log file property
++$CHATTR $ATTR_VALUE ${RSYSLOG_TEST_LOGS[0]}
++$CHATTR $ATTR_VALUE ${RSYSLOG_TEST_LOGS[1]}
++$CHATTR $ATTR_VALUE ${RSYSLOG_TEST_LOGS[2]}
++
++# create first test configuration file with legacy rule for second test log file
++test_conf1=${RSYSLOG_TEST_DIR}/legacy.conf
++cat << EOF > ${test_conf1}
++# rsyslog test configuration file with legacy syntax
++
++#### RULES ####
++*.* ${RSYSLOG_TEST_LOGS[1]}
++
++EOF
++
++# create second test configuration file with RainerScript rule for third test log file
++test_conf2=${RSYSLOG_TEST_DIR}/rainerscript.conf
++cat << EOF > ${test_conf2}
++# rsyslog test configuration file with RainerScript syntax
++
++#### RULES ####
++*.* action(type="omfile" FileCreateMode="0640" fileOwner="root" fileGroup="hoiadm" File="${RSYSLOG_TEST_LOGS[2]}")
++
++EOF
++
++# add rule with first test log file plus two mixed include statement
++cat << EOF > $RSYSLOG_CONF
++# rsyslog configuration file
++
++#### RULES ####
++*.* ${RSYSLOG_TEST_LOGS[0]}
++
++#### MODULES ####
++\$IncludeConfig ${test_conf1}
++
++include(file="${test_conf2}")
++
++EOF
+diff --git a/shared/templates/rsyslog_logfiles_attributes_modify/tests/mixed_include_incorrect_attr_legacy.fail.sh b/shared/templates/rsyslog_logfiles_attributes_modify/tests/mixed_include_incorrect_attr_legacy.fail.sh
+new file mode 100755
+index 0000000000..bed0afaf5e
+--- /dev/null
++++ 
b/shared/templates/rsyslog_logfiles_attributes_modify/tests/mixed_include_incorrect_attr_legacy.fail.sh
+@@ -0,0 +1,63 @@
++#!/bin/bash
++# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_sle
++
++# Declare variables used for the tests and define the create_rsyslog_test_logs function
++source $SHARED/rsyslog_log_utils.sh
++
++{{% if ATTRIBUTE == "owner" %}}
++CHATTR="chown"
++ATTR_VALUE="root"
++ATTR_INCORRECT_VALUE="cac_testuser"
++useradd $ATTR_INCORRECT_VALUE
++{{% elif ATTRIBUTE == "groupowner" %}}
++CHATTR="chgrp"
++ATTR_VALUE="root"
++ATTR_INCORRECT_VALUE="cac_testgroup"
++groupadd $ATTR_INCORRECT_VALUE
++{{% else %}}
++CHATTR="chmod"
++ATTR_VALUE="0600"
++ATTR_INCORRECT_VALUE="0666"
++{{% endif %}}
++
++# create three test log file
++create_rsyslog_test_logs 3
++
++# setup test log file property
++$CHATTR $ATTR_VALUE ${RSYSLOG_TEST_LOGS[0]}
++$CHATTR $ATTR_INCORRECT_VALUE ${RSYSLOG_TEST_LOGS[1]}
++$CHATTR $ATTR_VALUE ${RSYSLOG_TEST_LOGS[2]}
++
++# create first test configuration file with legacy rule for second test log file
++test_conf1=${RSYSLOG_TEST_DIR}/legacy.conf
++cat << EOF > ${test_conf1}
++# rsyslog test configuration file with legacy syntax
++
++#### RULES ####
++*.* ${RSYSLOG_TEST_LOGS[1]}
++
++EOF
++
++# create second test configuration file with RainerScript rule for third test log file
++test_conf2=${RSYSLOG_TEST_DIR}/rainerscript.conf
++cat << EOF > ${test_conf2}
++# rsyslog test configuration file with RainerScript syntax
++
++#### RULES ####
++*.* action(type="omfile" FileCreateMode="0640" fileOwner="root" fileGroup="hoiadm" File="${RSYSLOG_TEST_LOGS[2]}")
++
++EOF
++
++# add rule with first test log file plus two mixed include statement
++cat << EOF > $RSYSLOG_CONF
++# rsyslog configuration file
++
++#### RULES ####
++*.* ${RSYSLOG_TEST_LOGS[0]}
++
++#### MODULES ####
++\$IncludeConfig ${test_conf1}
++
++include(file="${test_conf2}")
++
++EOF
+diff --git 
a/shared/templates/rsyslog_logfiles_attributes_modify/tests/mixed_include_incorrect_attr_rainer.fail.sh b/shared/templates/rsyslog_logfiles_attributes_modify/tests/mixed_include_incorrect_attr_rainer.fail.sh
+new file mode 100755
+index 0000000000..83c69b3a17
+--- /dev/null
++++ b/shared/templates/rsyslog_logfiles_attributes_modify/tests/mixed_include_incorrect_attr_rainer.fail.sh
+@@ -0,0 +1,63 @@
++#!/bin/bash
++# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_sle
++
++# Declare variables used for the tests and define the create_rsyslog_test_logs function
++source $SHARED/rsyslog_log_utils.sh
++
++{{% if ATTRIBUTE == "owner" %}}
++CHATTR="chown"
++ATTR_VALUE="root"
++ATTR_INCORRECT_VALUE="cac_testuser"
++useradd $ATTR_INCORRECT_VALUE
++{{% elif ATTRIBUTE == "groupowner" %}}
++CHATTR="chgrp"
++ATTR_VALUE="root"
++ATTR_INCORRECT_VALUE="cac_testgroup"
++groupadd $ATTR_INCORRECT_VALUE
++{{% else %}}
++CHATTR="chmod"
++ATTR_VALUE="0600"
++ATTR_INCORRECT_VALUE="0666"
++{{% endif %}}
++
++# create three test log file
++create_rsyslog_test_logs 3
++
++# setup test log file property
++$CHATTR $ATTR_VALUE ${RSYSLOG_TEST_LOGS[0]}
++$CHATTR $ATTR_VALUE ${RSYSLOG_TEST_LOGS[1]}
++$CHATTR $ATTR_INCORRECT_VALUE ${RSYSLOG_TEST_LOGS[2]}
++
++# create first test configuration file with legacy rule for second test log file
++test_conf1=${RSYSLOG_TEST_DIR}/legacy.conf
++cat << EOF > ${test_conf1}
++# rsyslog test configuration file with legacy syntax
++
++#### RULES ####
++*.* ${RSYSLOG_TEST_LOGS[1]}
++
++EOF
++
++# create second test configuration file with RainerScript rule for third test log file
++test_conf2=${RSYSLOG_TEST_DIR}/rainerscript.conf
++cat << EOF > ${test_conf2}
++# rsyslog test configuration file with RainerScript syntax
++
++#### RULES ####
++*.* action(type="omfile" FileCreateMode="0640" fileOwner="root" fileGroup="hoiadm" File="${RSYSLOG_TEST_LOGS[2]}")
++
++EOF
++
++# add rule with first test log file plus two mixed include 
statement
++cat << EOF > $RSYSLOG_CONF
++# rsyslog configuration file
++
++#### RULES ####
++*.* ${RSYSLOG_TEST_LOGS[0]}
++
++#### MODULES ####
++\$IncludeConfig ${test_conf1}
++
++include(file="${test_conf2}")
++
++EOF
+diff --git a/shared/templates/rsyslog_logfiles_attributes_modify/tests/mixed_incorrect_attr_cloudinit.fail.sh b/shared/templates/rsyslog_logfiles_attributes_modify/tests/mixed_incorrect_attr_cloudinit.fail.sh
+new file mode 100755
+index 0000000000..43a6f2648d
+--- /dev/null
++++ b/shared/templates/rsyslog_logfiles_attributes_modify/tests/mixed_incorrect_attr_cloudinit.fail.sh
+@@ -0,0 +1,38 @@
++#!/bin/bash
++# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_sle
++
++# Declare variables used for the tests and define the create_rsyslog_test_logs function
++source $SHARED/rsyslog_log_utils.sh
++
++{{% if ATTRIBUTE == "owner" %}}
++CHATTR="chown"
++ATTR_VALUE="root"
++ATTR_INCORRECT_VALUE="cac_testuser"
++useradd $ATTR_INCORRECT_VALUE
++{{% elif ATTRIBUTE == "groupowner" %}}
++CHATTR="chgrp"
++ATTR_VALUE="root"
++ATTR_INCORRECT_VALUE="cac_testgroup"
++groupadd $ATTR_INCORRECT_VALUE
++{{% else %}}
++CHATTR="chmod"
++ATTR_VALUE="0600"
++ATTR_INCORRECT_VALUE="0666"
++{{% endif %}}
++
++# create three test log file
++create_rsyslog_test_logs 2
++
++# setup test log file property
++$CHATTR $ATTR_VALUE ${RSYSLOG_TEST_LOGS[0]}
++$CHATTR $ATTR_INCORRECT_VALUE ${RSYSLOG_TEST_LOGS[1]}
++
++# add rules with both syntax for different test log files
++cat << EOF > $RSYSLOG_CONF
++# rsyslog configuration file
++
++#### RULES ####
++*.* ${RSYSLOG_TEST_LOGS[0]}
++:syslogtag, isequal, "[CLOUDINIT]" ${RSYSLOG_TEST_LOGS[1]}
++
++EOF
+diff --git a/shared/templates/rsyslog_logfiles_attributes_modify/tests/mixed_incorrect_attr_legacy.fail.sh b/shared/templates/rsyslog_logfiles_attributes_modify/tests/mixed_incorrect_attr_legacy.fail.sh
+new file mode 100755
+index 0000000000..f459e7377b
+--- /dev/null
++++ 
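Review bot: The comment `# add rules with both syntax for different test log files` in mixed_incorrect_attr_cloudinit.fail.sh does not match the heredoc below it: both rules use legacy syntax, the second being a property-based filter (`:syslogtag, isequal, "[CLOUDINIT]" ...`) rather than a RainerScript `action(...)`. `# add a selector rule and a property-based filter rule for different test log files` would say what this scenario actually exercises, which matters because it is the only test in the patch that covers that filter form.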
b/shared/templates/rsyslog_logfiles_attributes_modify/tests/mixed_incorrect_attr_legacy.fail.sh
+@@ -0,0 +1,38 @@
++#!/bin/bash
++# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_sle
++
++# Declare variables used for the tests and define the create_rsyslog_test_logs function
++source $SHARED/rsyslog_log_utils.sh
++
++{{% if ATTRIBUTE == "owner" %}}
++CHATTR="chown"
++ATTR_VALUE="root"
++ATTR_INCORRECT_VALUE="cac_testuser"
++useradd $ATTR_INCORRECT_VALUE
++{{% elif ATTRIBUTE == "groupowner" %}}
++CHATTR="chgrp"
++ATTR_VALUE="root"
++ATTR_INCORRECT_VALUE="cac_testgroup"
++groupadd $ATTR_INCORRECT_VALUE
++{{% else %}}
++CHATTR="chmod"
++ATTR_VALUE="0600"
++ATTR_INCORRECT_VALUE="0666"
++{{% endif %}}
++
++# create three test log file
++create_rsyslog_test_logs 2
++
++# setup test log file property
++$CHATTR $ATTR_INCORRECT_VALUE ${RSYSLOG_TEST_LOGS[0]}
++$CHATTR $ATTR_VALUE ${RSYSLOG_TEST_LOGS[1]}
++
++# add rules with both syntax for different test log files
++cat << EOF > $RSYSLOG_CONF
++# rsyslog configuration file
++
++#### RULES ####
++*.* ${RSYSLOG_TEST_LOGS[0]}
++*.* action(type="omfile" FileCreateMode="0640" fileOwner="root" fileGroup="hoiadm" File="${RSYSLOG_TEST_LOGS[1]}")
++
++EOF
+diff --git a/shared/templates/rsyslog_logfiles_attributes_modify/tests/mixed_incorrect_attr_rainer.fail.sh b/shared/templates/rsyslog_logfiles_attributes_modify/tests/mixed_incorrect_attr_rainer.fail.sh
+new file mode 100755
+index 0000000000..67193b69d8
+--- /dev/null
++++ b/shared/templates/rsyslog_logfiles_attributes_modify/tests/mixed_incorrect_attr_rainer.fail.sh
+@@ -0,0 +1,38 @@
++#!/bin/bash
++# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_sle
++
++# Declare variables used for the tests and define the create_rsyslog_test_logs function
++source $SHARED/rsyslog_log_utils.sh
++
++{{% if ATTRIBUTE == "owner" %}}
++CHATTR="chown"
++ATTR_VALUE="root"
++ATTR_INCORRECT_VALUE="cac_testuser"
++useradd 
$ATTR_INCORRECT_VALUE
++{{% elif ATTRIBUTE == "groupowner" %}}
++CHATTR="chgrp"
++ATTR_VALUE="root"
++ATTR_INCORRECT_VALUE="cac_testgroup"
++groupadd $ATTR_INCORRECT_VALUE
++{{% else %}}
++CHATTR="chmod"
++ATTR_VALUE="0600"
++ATTR_INCORRECT_VALUE="0666"
++{{% endif %}}
++
++# create three test log file
++create_rsyslog_test_logs 2
++
++# setup test log file property
++$CHATTR $ATTR_VALUE ${RSYSLOG_TEST_LOGS[0]}
++$CHATTR $ATTR_INCORRECT_VALUE ${RSYSLOG_TEST_LOGS[1]}
++
++# add rules with both syntax for different test log files
++cat << EOF > $RSYSLOG_CONF
++# rsyslog configuration file
++
++#### RULES ####
++*.* ${RSYSLOG_TEST_LOGS[0]}
++*.* action(type="omfile" FileCreateMode="0640" fileOwner="root" fileGroup="hoiadm" File="${RSYSLOG_TEST_LOGS[1]}")
++
++EOF
+diff --git a/shared/templates/rsyslog_logfiles_attributes_modify/tests/rainer_correct_attr.pass.sh b/shared/templates/rsyslog_logfiles_attributes_modify/tests/rainer_correct_attr.pass.sh
+new file mode 100755
+index 0000000000..abdb09c485
+--- /dev/null
++++ b/shared/templates/rsyslog_logfiles_attributes_modify/tests/rainer_correct_attr.pass.sh
+@@ -0,0 +1,31 @@
++#!/bin/bash
++# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_sle
++
++# Declare variables used for the tests and define the create_rsyslog_test_logs function
++source $SHARED/rsyslog_log_utils.sh
++
++{{% if ATTRIBUTE == "owner" %}}
++CHATTR="chown"
++ATTR_VALUE="root"
++{{% elif ATTRIBUTE == "groupowner" %}}
++CHATTR="chgrp"
++ATTR_VALUE="root"
++{{% else %}}
++CHATTR="chmod"
++ATTR_VALUE="0600"
++{{% endif %}}
++
++# create one test log file
++create_rsyslog_test_logs 1
++
++# setup test log file property
++$CHATTR $ATTR_VALUE ${RSYSLOG_TEST_LOGS[0]}
++
++# add rule with test log file
++cat << EOF > $RSYSLOG_CONF
++# rsyslog configuration file
++
++#### RULES ####
++*.* action(type="omfile" FileCreateMode="0640" fileOwner="root" fileGroup="hoiadm" File="${RSYSLOG_TEST_LOGS[0]}")
++
++EOF
+diff --git 
a/shared/templates/rsyslog_logfiles_attributes_modify/tests/rainer_include_correct_attr.pass.sh b/shared/templates/rsyslog_logfiles_attributes_modify/tests/rainer_include_correct_attr.pass.sh
+new file mode 100755
+index 0000000000..8b73578e39
+--- /dev/null
++++ b/shared/templates/rsyslog_logfiles_attributes_modify/tests/rainer_include_correct_attr.pass.sh
+@@ -0,0 +1,45 @@
++#!/bin/bash
++# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_sle
++
++# Declare variables used for the tests and define the create_rsyslog_test_logs function
++source $SHARED/rsyslog_log_utils.sh
++
++{{% if ATTRIBUTE == "owner" %}}
++CHATTR="chown"
++ATTR_VALUE="root"
++{{% elif ATTRIBUTE == "groupowner" %}}
++CHATTR="chgrp"
++ATTR_VALUE="root"
++{{% else %}}
++CHATTR="chmod"
++ATTR_VALUE="0600"
++{{% endif %}}
++
++# create two test log file
++create_rsyslog_test_logs 2
++
++# setup test log file property
++$CHATTR $ATTR_VALUE ${RSYSLOG_TEST_LOGS[0]}
++$CHATTR $ATTR_VALUE ${RSYSLOG_TEST_LOGS[1]}
++
++# create test configuration file with rule for second test log file
++test_conf=${RSYSLOG_TEST_DIR}/test1.conf
++cat << EOF > ${test_conf}
++# rsyslog test configuration file
++
++#### RULES ####
++*.* action(type="omfile" FileCreateMode="0640" fileOwner="root" fileGroup="hoiadm" File="${RSYSLOG_TEST_LOGS[1]}")
++
++EOF
++
++# add rule with first test log file plus an include statement
++cat << EOF > $RSYSLOG_CONF
++# rsyslog configuration file
++
++#### RULES ####
++*.* action(type="omfile" FileCreateMode="0640" fileOwner="root" fileGroup="hoiadm" File="${RSYSLOG_TEST_LOGS[0]}")
++
++#### MODULES ####
++include(file="${test_conf}")
++
++EOF
+diff --git a/shared/templates/rsyslog_logfiles_attributes_modify/tests/rainer_include_incorrect_attr.fail.sh b/shared/templates/rsyslog_logfiles_attributes_modify/tests/rainer_include_incorrect_attr.fail.sh
+new file mode 100755
+index 0000000000..4c25c09e2e
+--- /dev/null
++++ 
b/shared/templates/rsyslog_logfiles_attributes_modify/tests/rainer_include_incorrect_attr.fail.sh
+@@ -0,0 +1,50 @@
++#!/bin/bash
++# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_sle
++
++# Declare variables used for the tests and define the create_rsyslog_test_logs function
++source $SHARED/rsyslog_log_utils.sh
++
++{{% if ATTRIBUTE == "owner" %}}
++CHATTR="chown"
++ATTR_VALUE="root"
++ATTR_INCORRECT_VALUE="cac_testuser"
++useradd $ATTR_INCORRECT_VALUE
++{{% elif ATTRIBUTE == "groupowner" %}}
++CHATTR="chgrp"
++ATTR_VALUE="root"
++ATTR_INCORRECT_VALUE="cac_testgroup"
++groupadd $ATTR_INCORRECT_VALUE
++{{% else %}}
++CHATTR="chmod"
++ATTR_VALUE="0600"
++ATTR_INCORRECT_VALUE="0666"
++{{% endif %}}
++
++# create two test log file
++create_rsyslog_test_logs 2
++
++# setup test log file property
++$CHATTR $ATTR_VALUE ${RSYSLOG_TEST_LOGS[0]}
++$CHATTR $ATTR_INCORRECT_VALUE ${RSYSLOG_TEST_LOGS[1]}
++
++# create test configuration file with rule for second test log file
++test_conf=${RSYSLOG_TEST_DIR}/test1.conf
++cat << EOF > ${test_conf}
++# rsyslog test configuration file
++
++#### RULES ####
++*.* action(type="omfile" FileCreateMode="0640" fileOwner="root" fileGroup="hoiadm" File="${RSYSLOG_TEST_LOGS[1]}")
++
++EOF
++
++# add rule with first test log file plus an include statement
++cat << EOF > $RSYSLOG_CONF
++# rsyslog configuration file
++
++#### RULES ####
++*.* action(type="omfile" FileCreateMode="0640" fileOwner="root" fileGroup="hoiadm" File="${RSYSLOG_TEST_LOGS[0]}")
++
++#### MODULES ####
++include(file="${test_conf}")
++
++EOF
+diff --git a/shared/templates/rsyslog_logfiles_attributes_modify/tests/rainer_include_multiline_correct_attr.pass.sh b/shared/templates/rsyslog_logfiles_attributes_modify/tests/rainer_include_multiline_correct_attr.pass.sh
+new file mode 100755
+index 0000000000..508a5cf6eb
+--- /dev/null
++++ 
b/shared/templates/rsyslog_logfiles_attributes_modify/tests/rainer_include_multiline_correct_attr.pass.sh
+@@ -0,0 +1,47 @@
++#!/bin/bash
++# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_sle
++
++# Declare variables used for the tests and define the create_rsyslog_test_logs function
++source $SHARED/rsyslog_log_utils.sh
++
++{{% if ATTRIBUTE == "owner" %}}
++CHATTR="chown"
++ATTR_VALUE="root"
++{{% elif ATTRIBUTE == "groupowner" %}}
++CHATTR="chgrp"
++ATTR_VALUE="root"
++{{% else %}}
++CHATTR="chmod"
++ATTR_VALUE="0600"
++{{% endif %}}
++
++# create two test log file
++create_rsyslog_test_logs 2
++
++# setup test log file property
++$CHATTR $ATTR_VALUE ${RSYSLOG_TEST_LOGS[0]}
++$CHATTR $ATTR_VALUE ${RSYSLOG_TEST_LOGS[1]}
++
++# create test configuration file with rule for second test log file
++test_conf=${RSYSLOG_TEST_DIR}/test1.conf
++cat << EOF > ${test_conf}
++# rsyslog test configuration file
++
++#### RULES ####
++*.* action(type="omfile" FileCreateMode="0640" fileOwner="root" fileGroup="hoiadm" File="${RSYSLOG_TEST_LOGS[1]}")
++
++EOF
++
++# add rule with first test log file plus an include statement
++cat << EOF > $RSYSLOG_CONF
++# rsyslog configuration file
++
++#### RULES ####
++*.* action(type="omfile" FileCreateMode="0640" fileOwner="root" fileGroup="hoiadm" File="${RSYSLOG_TEST_LOGS[0]}")
++
++#### MODULES ####
++include(
++ file="${test_conf}"
++)
++
++EOF
+diff --git a/shared/templates/rsyslog_logfiles_attributes_modify/tests/rainer_include_multiline_incorrect_attr.fail.sh b/shared/templates/rsyslog_logfiles_attributes_modify/tests/rainer_include_multiline_incorrect_attr.fail.sh
+new file mode 100755
+index 0000000000..49fada4cd4
+--- /dev/null
++++ b/shared/templates/rsyslog_logfiles_attributes_modify/tests/rainer_include_multiline_incorrect_attr.fail.sh
+@@ -0,0 +1,52 @@
++#!/bin/bash
++# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_sle
++
++# Declare variables used 
for the tests and define the create_rsyslog_test_logs function
++source $SHARED/rsyslog_log_utils.sh
++
++{{% if ATTRIBUTE == "owner" %}}
++CHATTR="chown"
++ATTR_VALUE="root"
++ATTR_INCORRECT_VALUE="cac_testuser"
++useradd $ATTR_INCORRECT_VALUE
++{{% elif ATTRIBUTE == "groupowner" %}}
++CHATTR="chgrp"
++ATTR_VALUE="root"
++ATTR_INCORRECT_VALUE="cac_testgroup"
++groupadd $ATTR_INCORRECT_VALUE
++{{% else %}}
++CHATTR="chmod"
++ATTR_VALUE="0600"
++ATTR_INCORRECT_VALUE="0666"
++{{% endif %}}
++
++# create two test log file
++create_rsyslog_test_logs 2
++
++# setup test log file property
++$CHATTR $ATTR_VALUE ${RSYSLOG_TEST_LOGS[0]}
++$CHATTR $ATTR_INCORRECT_VALUE ${RSYSLOG_TEST_LOGS[1]}
++
++# create test configuration file with rule for second test log file
++test_conf=${RSYSLOG_TEST_DIR}/test1.conf
++cat << EOF > ${test_conf}
++# rsyslog test configuration file
++
++#### RULES ####
++*.* action(type="omfile" FileCreateMode="0640" fileOwner="root" fileGroup="hoiadm" File="${RSYSLOG_TEST_LOGS[1]}")
++
++EOF
++
++# add rule with first test log file plus an include statement
++cat << EOF > $RSYSLOG_CONF
++# rsyslog configuration file
++
++#### RULES ####
++*.* action(type="omfile" FileCreateMode="0640" fileOwner="root" fileGroup="hoiadm" File="${RSYSLOG_TEST_LOGS[0]}")
++
++#### MODULES ####
++include(
++ file="${test_conf}"
++)
++
++EOF
+diff --git a/shared/templates/rsyslog_logfiles_attributes_modify/tests/rainer_incorrect_attr.fail.sh b/shared/templates/rsyslog_logfiles_attributes_modify/tests/rainer_incorrect_attr.fail.sh
+new file mode 100755
+index 0000000000..b17eb6b744
+--- /dev/null
++++ b/shared/templates/rsyslog_logfiles_attributes_modify/tests/rainer_incorrect_attr.fail.sh
+@@ -0,0 +1,33 @@
++#!/bin/bash
++# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_sle
++
++# Declare variables used for the tests and define the create_rsyslog_test_logs function
++source $SHARED/rsyslog_log_utils.sh
++
++{{% if ATTRIBUTE == "owner" 
%}}
++CHATTR="chown"
++ATTR_INCORRECT_VALUE="cac_testuser"
++useradd $ATTR_INCORRECT_VALUE
++{{% elif ATTRIBUTE == "groupowner" %}}
++CHATTR="chgrp"
++ATTR_INCORRECT_VALUE="cac_testgroup"
++groupadd $ATTR_INCORRECT_VALUE
++{{% else %}}
++CHATTR="chmod"
++ATTR_INCORRECT_VALUE="0666"
++{{% endif %}}
++
++# create one test log file
++create_rsyslog_test_logs 1
++
++# setup test log file property
++$CHATTR $ATTR_INCORRECT_VALUE ${RSYSLOG_TEST_LOGS[0]}
++
++# add rule with non-root user owned log file
++cat << EOF > $RSYSLOG_CONF
++# rsyslog configuration file
++
++#### RULES ####
++*.* action(type="omfile" FileCreateMode="0640" fileOwner="root" fileGroup="hoiadm" File="${RSYSLOG_TEST_LOGS[0]}")
++
++EOF
+-- 
+2.39.1
+
diff --git a/SOURCES/scap-security-guide-0.1.67-rsyslog_files_rules_remediations-PR_9789.patch b/SOURCES/scap-security-guide-0.1.67-rsyslog_files_rules_remediations-PR_9789.patch
new file mode 100644
index 0000000..d97be0c
--- /dev/null
+++ b/SOURCES/scap-security-guide-0.1.67-rsyslog_files_rules_remediations-PR_9789.patch
@@ -0,0 +1,1950 @@ +From 359c275083297624abda4a38d30ac1f6b3b36578 Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Wed, 15 Feb 2023 16:25:46 +0100 +Subject: [PATCH 2/6] Rsyslog files rules remediations + +Patch-name: scap-security-guide-0.1.67-rsyslog_files_rules_remediations-PR_9789.patch +Patch-status: Rsyslog files rules remediations +--- + controls/cis_sle12.yml | 4 +- + controls/cis_sle15.yml | 4 +- + .../file_groupowner_logfiles_value.var | 18 --- + .../oval/shared.xml | 116 --------------- + .../rsyslog_files_groupownership/rule.yml | 39 ++++- + .../tests/IncludeConfig_is_other.fail.sh | 42 ------ + .../tests/IncludeConfig_is_root.pass.sh | 39 ----- + .../tests/include_is_other.fail.sh | 42 ------ + .../tests/include_is_root.pass.sh | 39 ----- + .../tests/include_multiline_is_root.pass.sh | 41 ------ + .../tests/is_other.fail.sh | 25 ---- + .../tests/is_root.pass.sh | 24 --- + .../rsyslog_files_ownership/oval/shared.xml | 114 --------------- + .../rsyslog_files_ownership/rule.yml | 44 +++++- + .../ansible/shared.yml | 12 ++ + .../rsyslog_logging_configured/bash/shared.sh | 7 + + .../oval/shared.xml | 41 ++++++ + .../rsyslog_logging_configured/rule.yml | 34 +++++ + ...with_everything_logged_to_messages.pass.sh | 13 ++ + .../rsyslog_file_with_no_logging.fail.sh | 12 ++ + .../profiles/anssi_np_nt28_average.profile | 2 - + products/debian10/profiles/standard.profile | 2 - + .../profiles/anssi_np_nt28_average.profile | 2 - + products/debian11/profiles/standard.profile | 2 - + products/rhel7/profiles/rht-ccp.profile | 2 - + products/rhel8/profiles/rht-ccp.profile | 2 - + .../profiles/anssi_bp28_intermediary.profile | 1 + + products/sle15/profiles/standard.profile | 2 - + .../profiles/anssi_np_nt28_average.profile | 2 - + products/ubuntu1604/profiles/standard.profile | 2 - + .../profiles/anssi_np_nt28_average.profile | 2 - + products/ubuntu1804/profiles/standard.profile | 2 - + products/ubuntu2004/profiles/standard.profile | 2 - + 
products/ubuntu2204/profiles/standard.profile | 2 - + shared/references/cce-sle12-avail.txt | 1 - + shared/references/cce-sle15-avail.txt | 1 - + .../ansible.template | 68 +++++++++ + .../bash.template | 110 ++++++++++++++ + .../oval.template | 137 ++++++++++++++++++ + .../template.yml | 4 + + .../tests/IncludeConfig_is_other.fail.sh | 14 +- + .../tests/IncludeConfig_is_root.pass.sh | 10 +- + .../tests/include_is_other.fail.sh | 14 +- + ...udeConfig_is_other_RainerLogClause.fail.sh | 37 ++++- + .../tests/include_is_root.pass.sh | 11 +- + ...ude_is_root_IncludeConfig_is_other.fail.sh | 16 +- + ...lude_is_root_IncludeConfig_is_root.pass.sh | 12 +- + ...ludeConfig_is_root_RainerLogClause.pass.sh | 22 +-- + .../tests/include_multiline_is_root.pass.sh | 10 +- + .../tests/is_other.fail.sh | 12 +- + .../tests/is_root.pass.sh | 8 +- + 51 files changed, 648 insertions(+), 576 deletions(-) + delete mode 100644 linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/file_groupowner_logfiles_value.var + delete mode 100644 linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_groupownership/oval/shared.xml + delete mode 100755 linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_groupownership/tests/IncludeConfig_is_other.fail.sh + delete mode 100755 linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_groupownership/tests/IncludeConfig_is_root.pass.sh + delete mode 100755 linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_groupownership/tests/include_is_other.fail.sh + delete mode 100755 linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_groupownership/tests/include_is_root.pass.sh + delete mode 100755 linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_groupownership/tests/include_multiline_is_root.pass.sh + delete mode 100755 
linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_groupownership/tests/is_other.fail.sh + delete mode 100755 linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_groupownership/tests/is_root.pass.sh + delete mode 100644 linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_ownership/oval/shared.xml + create mode 100644 linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_logging_configured/ansible/shared.yml + create mode 100644 linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_logging_configured/bash/shared.sh + create mode 100644 linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_logging_configured/oval/shared.xml + create mode 100644 linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_logging_configured/rule.yml + create mode 100644 linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_logging_configured/tests/rsyslog_file_with_everything_logged_to_messages.pass.sh + create mode 100644 linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_logging_configured/tests/rsyslog_file_with_no_logging.fail.sh + create mode 100644 shared/templates/rsyslog_logfiles_attributes_modify/ansible.template + create mode 100644 shared/templates/rsyslog_logfiles_attributes_modify/bash.template + create mode 100644 shared/templates/rsyslog_logfiles_attributes_modify/oval.template + create mode 100644 shared/templates/rsyslog_logfiles_attributes_modify/template.yml + rename {linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_ownership => shared/templates/rsyslog_logfiles_attributes_modify}/tests/IncludeConfig_is_other.fail.sh (75%) + rename {linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_ownership => shared/templates/rsyslog_logfiles_attributes_modify}/tests/IncludeConfig_is_root.pass.sh (81%) 
+ rename {linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_ownership => shared/templates/rsyslog_logfiles_attributes_modify}/tests/include_is_other.fail.sh (75%) + rename linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_groupownership/tests/include_is_root_IncludeConfig_is_root.pass.sh => shared/templates/rsyslog_logfiles_attributes_modify/tests/include_is_other_IncludeConfig_is_other_RainerLogClause.fail.sh (50%) + mode change 100755 => 100644 + rename {linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_ownership => shared/templates/rsyslog_logfiles_attributes_modify}/tests/include_is_root.pass.sh (81%) + rename {linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_ownership => shared/templates/rsyslog_logfiles_attributes_modify}/tests/include_is_root_IncludeConfig_is_other.fail.sh (77%) + rename {linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_ownership => shared/templates/rsyslog_logfiles_attributes_modify}/tests/include_is_root_IncludeConfig_is_root.pass.sh (82%) + rename linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_groupownership/tests/include_is_root_IncludeConfig_is_other.fail.sh => shared/templates/rsyslog_logfiles_attributes_modify/tests/include_is_root_IncludeConfig_is_root_RainerLogClause.pass.sh (65%) + rename {linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_ownership => shared/templates/rsyslog_logfiles_attributes_modify}/tests/include_multiline_is_root.pass.sh (81%) + rename {linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_ownership => shared/templates/rsyslog_logfiles_attributes_modify}/tests/is_other.fail.sh (70%) + rename {linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_ownership => 
shared/templates/rsyslog_logfiles_attributes_modify}/tests/is_root.pass.sh (77%) + +diff --git a/controls/cis_sle12.yml b/controls/cis_sle12.yml +index 5c464fe556..8576343b9d 100644 +--- a/controls/cis_sle12.yml ++++ b/controls/cis_sle12.yml +@@ -1321,7 +1321,9 @@ controls: + levels: + - l1_server + - l1_workstation +- status: manual ++ automated: yes ++ rules: ++ - rsyslog_logging_configured + + - id: 4.2.1.5 + title: Ensure rsyslog is configured to send logs to a remote log host (Automated) +diff --git a/controls/cis_sle15.yml b/controls/cis_sle15.yml +index 36d7616f90..f82341a038 100644 +--- a/controls/cis_sle15.yml ++++ b/controls/cis_sle15.yml +@@ -1469,7 +1469,9 @@ controls: + levels: + - l1_server + - l1_workstation +- status: manual ++ automated: yes ++ rules: ++ - rsyslog_logging_configured + + - id: 4.2.1.5 + title: Ensure rsyslog is configured to send logs to a remote log host (Automated) +diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/file_groupowner_logfiles_value.var b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/file_groupowner_logfiles_value.var +deleted file mode 100644 +index 7ebf8c191a..0000000000 +--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/file_groupowner_logfiles_value.var ++++ /dev/null +@@ -1,18 +0,0 @@ +-documentation_complete: true +- +-title: 'group who owns log files' +- +-description: |- +- Specify group owner of all logfiles specified in +- /etc/rsyslog.conf. 
+- +-type: string +- +-operator: equals +- +-interactive: false +- +-options: +- default: root +- adm: adm +- root: root +diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_groupownership/oval/shared.xml b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_groupownership/oval/shared.xml +deleted file mode 100644 +index 4567f4d411..0000000000 +--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_groupownership/oval/shared.xml ++++ /dev/null +@@ -1,116 +0,0 @@ +- +- +- {{{ oval_metadata("All syslog log files should be owned by the appropriate group.") }}} +- +- +- {{% if product in ["debian10", "debian11", "ubuntu1604"] %}} +- +- {{% endif %}} +- +- +- +- +- +- +- +- /etc/rsyslog.conf +- ^(?:include\([\n\s]*file="([^\s;]+)".*|\$IncludeConfig[\s]+([^\s;]+))$ +- 1 +- +- +- +- +- +- +- +- +- +- +- +- +- +- var_rfg_include_config_regex +- +- +- +- ^/etc/rsyslog.conf$ +- +- +- +- var_rfg_syslog_config +- +- +- +- +- +- object_var_rfg_include_config_regex +- object_var_rfg_syslog_config +- +- +- +- +- +- +- +- +- +- +- +- +- ^[^(\s|#|\$)]+[\s]+.*[\s]+-?(/+[^:;\s]+);*\.*$ +- 1 +- state_groupownership_ignore_include_paths +- +- +- +- +- (?:file="[^\s;]+"|\$IncludeConfig[\s]+[^\s;]+|\/dev\/.*) +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- regular +- {{% if product in ["debian10", "debian11", "ubuntu1604", "ubuntu2004", "ubuntu2204"] %}} +- 4 +- {{% else %}} +- 0 +- {{% endif %}} +- +- +- +diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_groupownership/rule.yml b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_groupownership/rule.yml +index 4f797f4a21..13c89d90c5 100644 +--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_groupownership/rule.yml ++++ 
b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_groupownership/rule.yml +@@ -4,15 +4,30 @@ title: 'Ensure Log Files Are Owned By Appropriate Group' + + description: |- + The group-owner of all log files written by +- rsyslog should be {{{ xccdf_value("file_groupowner_logfiles_value") }}}. ++ rsyslog should be ++{{% if 'debian' in product or 'ubuntu' in product %}} ++ adm. ++{{% else %}} ++ root. ++{{% endif %}} + These log files are determined by the second part of each Rule line in + /etc/rsyslog.conf and typically all appear in /var/log. + For each log file LOGFILE referenced in /etc/rsyslog.conf, + run the following command to inspect the file's group owner: +
$ ls -l LOGFILE
+- If the owner is not {{{ xccdf_value("file_groupowner_logfiles_value") }}}, run the following command to ++ If the owner is not ++ {{% if 'debian' in product or 'ubuntu' in product %}} ++ adm, ++ {{% else %}} ++ root, ++ {{% endif %}} ++ run the following command to + correct this: +-
$ sudo chgrp {{{ xccdf_value("file_groupowner_logfiles_value") }}} LOGFILE
++{{% if 'debian' in product or 'ubuntu' in product %}} ++
$ sudo chgrp adm LOGFILE
++{{% else %}} ++
$ sudo chgrp root LOGFILE
++{{% endif %}} + + rationale: |- + The log files generated by rsyslog contain valuable information regarding system +@@ -47,8 +62,24 @@ references: + ocil_clause: 'the group-owner is not correct' + + ocil: |- +- The group-owner of all log files written by rsyslog should be {{{ xccdf_value("file_groupowner_logfiles_value") }}}. ++ The group-owner of all log files written by rsyslog should be ++ {{% if 'debian' in product or 'ubuntu' in product %}} ++ adm. ++ {{% else %}} ++ root. ++ {{% endif %}} + These log files are determined by the second part of each Rule line in + /etc/rsyslog.conf and typically all appear in /var/log. + To see the group-owner of a given log file, run the following command: +
$ ls -l LOGFILE
++ ++template: ++ name: rsyslog_logfiles_attributes_modify ++ vars: ++ attribute: groupowner ++ value: 0 ++ value@debian10: 4 ++ value@debian11: 4 ++ value@ubuntu1604: 4 ++ value@ubuntu2004: 4 ++ value@ubuntu2204: 4 +diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_groupownership/tests/IncludeConfig_is_other.fail.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_groupownership/tests/IncludeConfig_is_other.fail.sh +deleted file mode 100755 +index 575530ef2e..0000000000 +--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_groupownership/tests/IncludeConfig_is_other.fail.sh ++++ /dev/null +@@ -1,42 +0,0 @@ +-#!/bin/bash +-# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_sle +- +-# Check rsyslog.conf with root group-owner log from rules and +-# non root group-owner log from $IncludeConfig fails. +- +-source $SHARED/rsyslog_log_utils.sh +- +-GROUP_TEST=testssg +-groupadd $GROUP_TEST +- +-GROUP_ROOT=root +- +-# setup test data +-create_rsyslog_test_logs 2 +- +-# setup test log files ownership +-chgrp $GROUP_ROOT ${RSYSLOG_TEST_LOGS[0]} +-chgrp $GROUP_TEST ${RSYSLOG_TEST_LOGS[1]} +- +-# create test configuration file +-test_conf=${RSYSLOG_TEST_DIR}/test1.conf +-cat << EOF > ${test_conf} +-# rsyslog configuration file +- +-#### RULES #### +- +-*.* ${RSYSLOG_TEST_LOGS[1]} +-EOF +- +-# create rsyslog.conf configuration file +-cat << EOF > $RSYSLOG_CONF +-# rsyslog configuration file +- +-#### RULES #### +- +-*.* ${RSYSLOG_TEST_LOGS[0]} +- +-#### MODULES #### +- +-\$IncludeConfig ${test_conf} +-EOF +diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_groupownership/tests/IncludeConfig_is_root.pass.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_groupownership/tests/IncludeConfig_is_root.pass.sh +deleted file mode 100755 +index 
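Review bot: The description and OCIL in this hunk say the expected group is `adm` whenever `'ubuntu' in product`, but the template values below only set GID 4 for `ubuntu1604`, `ubuntu2004`, `ubuntu2204`, `debian10` and `debian11` and leave `value: 0` for everything else; if ubuntu1804 is a built product (the new rsyslog_logging_configured OVAL in this same patch lists it), the automated check would require GID 0 there while the text tells the admin to use `adm`. Either add `value@ubuntu1804: 4` or narrow the description's condition to the products actually listed. A short comment next to the numbers, e.g. `# GID 4 is adm on Debian-family systems`, would also make the magic values readable.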
39efc1a4b7..0000000000 +--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_groupownership/tests/IncludeConfig_is_root.pass.sh ++++ /dev/null +@@ -1,39 +0,0 @@ +-#!/bin/bash +-# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_sle +- +-# Check rsyslog.conf with root group-owner log from rules and +-# root group-owner log from $IncludeConfig passes. +- +-source $SHARED/rsyslog_log_utils.sh +- +-GROUP=root +- +-# setup test data +-create_rsyslog_test_logs 2 +- +-# setup test log files ownership +-chgrp $GROUP ${RSYSLOG_TEST_LOGS[0]} +-chgrp $GROUP ${RSYSLOG_TEST_LOGS[1]} +- +-# create test configuration file +-test_conf=${RSYSLOG_TEST_DIR}/test1.conf +-cat << EOF > ${test_conf} +-# rsyslog configuration file +- +-#### RULES #### +- +-*.* ${RSYSLOG_TEST_LOGS[1]} +-EOF +- +-# create rsyslog.conf configuration file +-cat << EOF > $RSYSLOG_CONF +-# rsyslog configuration file +- +-#### RULES #### +- +-*.* ${RSYSLOG_TEST_LOGS[0]} +- +-#### MODULES #### +- +-\$IncludeConfig ${test_conf} +-EOF +diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_groupownership/tests/include_is_other.fail.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_groupownership/tests/include_is_other.fail.sh +deleted file mode 100755 +index c0db7056b4..0000000000 +--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_groupownership/tests/include_is_other.fail.sh ++++ /dev/null +@@ -1,42 +0,0 @@ +-#!/bin/bash +-# platform = Red Hat Enterprise Linux 8,multi_platform_fedora,Oracle Linux 8,multi_platform_sle +- +-# Check rsyslog.conf with root group-owner log from rules and +-# non root group-owner log from include() fails. 
+- +-source $SHARED/rsyslog_log_utils.sh +- +-GROUP_TEST=testssg +-groupadd $GROUP_TEST +- +-GROUP_ROOT=root +- +-# setup test data +-create_rsyslog_test_logs 2 +- +-# setup test log files ownership +-chgrp $GROUP_ROOT ${RSYSLOG_TEST_LOGS[0]} +-chgrp $GROUP_TEST ${RSYSLOG_TEST_LOGS[1]} +- +-# create test configuration file +-test_conf=${RSYSLOG_TEST_DIR}/test1.conf +-cat << EOF > ${test_conf} +-# rsyslog configuration file +- +-#### RULES #### +- +-*.* ${RSYSLOG_TEST_LOGS[1]} +-EOF +- +-# create rsyslog.conf configuration file +-cat << EOF > $RSYSLOG_CONF +-# rsyslog configuration file +- +-#### RULES #### +- +-*.* ${RSYSLOG_TEST_LOGS[0]} +- +-#### MODULES #### +- +-include(file="${test_conf}") +-EOF +diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_groupownership/tests/include_is_root.pass.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_groupownership/tests/include_is_root.pass.sh +deleted file mode 100755 +index 1feaf762fc..0000000000 +--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_groupownership/tests/include_is_root.pass.sh ++++ /dev/null +@@ -1,39 +0,0 @@ +-#!/bin/bash +-# platform = Red Hat Enterprise Linux 8,multi_platform_fedora,Oracle Linux 8,multi_platform_sle +- +-# Check rsyslog.conf with root group-owner log from rules and +-# root group-owner log from include() passes. 
+- +-source $SHARED/rsyslog_log_utils.sh +- +-GROUP=root +- +-# setup test data +-create_rsyslog_test_logs 2 +- +-# setup test log files ownership +-chgrp $GROUP ${RSYSLOG_TEST_LOGS[0]} +-chgrp $GROUP ${RSYSLOG_TEST_LOGS[1]} +- +-# create test configuration file +-test_conf=${RSYSLOG_TEST_DIR}/test1.conf +-cat << EOF > ${test_conf} +-# rsyslog configuration file +- +-#### RULES #### +- +-*.* ${RSYSLOG_TEST_LOGS[1]} +-EOF +- +-# create rsyslog.conf configuration file +-cat << EOF > $RSYSLOG_CONF +-# rsyslog configuration file +- +-#### RULES #### +- +-*.* ${RSYSLOG_TEST_LOGS[0]} +- +-#### MODULES #### +- +-include(file="${test_conf}") +-EOF +diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_groupownership/tests/include_multiline_is_root.pass.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_groupownership/tests/include_multiline_is_root.pass.sh +deleted file mode 100755 +index 5a357d029b..0000000000 +--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_groupownership/tests/include_multiline_is_root.pass.sh ++++ /dev/null +@@ -1,41 +0,0 @@ +-#!/bin/bash +-# platform = Red Hat Enterprise Linux 8,multi_platform_fedora,Oracle Linux 8,multi_platform_sle +- +-# Check rsyslog.conf with root group-owner log from rules and +-# root group-owner log from multiline include() passes. 
+- +-source $SHARED/rsyslog_log_utils.sh +- +-GROUP=root +- +-# setup test data +-create_rsyslog_test_logs 2 +- +-# setup test log files ownership +-chgrp $GROUP ${RSYSLOG_TEST_LOGS[0]} +-chgrp $GROUP ${RSYSLOG_TEST_LOGS[1]} +- +-# create test configuration file +-test_conf=${RSYSLOG_TEST_DIR}/test1.conf +-cat << EOF > ${test_conf} +-# rsyslog configuration file +- +-#### RULES #### +- +-*.* ${RSYSLOG_TEST_LOGS[1]} +-EOF +- +-# create rsyslog.conf configuration file +-cat << EOF > $RSYSLOG_CONF +-# rsyslog configuration file +- +-#### RULES #### +- +-*.* ${RSYSLOG_TEST_LOGS[0]} +- +-#### MODULES #### +- +-include( +- file="${test_conf}" +-) +-EOF +diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_groupownership/tests/is_other.fail.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_groupownership/tests/is_other.fail.sh +deleted file mode 100755 +index c7c01132f2..0000000000 +--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_groupownership/tests/is_other.fail.sh ++++ /dev/null +@@ -1,25 +0,0 @@ +-#!/bin/bash +-# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_sle +- +-# Check if log file with non root group-owner in rsyslog.conf fails. 
+- +-source $SHARED/rsyslog_log_utils.sh +- +-GROUP=testssg +- +-groupadd $GROUP +- +-# setup test data +-create_rsyslog_test_logs 1 +- +-# setup test log file ownership +-chgrp $GROUP ${RSYSLOG_TEST_LOGS[0]} +- +-# add rule with non-root group owned log file +-cat << EOF > $RSYSLOG_CONF +-# rsyslog configuration file +- +-#### RULES #### +- +-*.* ${RSYSLOG_TEST_LOGS[0]} +-EOF +diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_groupownership/tests/is_root.pass.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_groupownership/tests/is_root.pass.sh +deleted file mode 100755 +index 0ecbb35bd1..0000000000 +--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_groupownership/tests/is_root.pass.sh ++++ /dev/null +@@ -1,24 +0,0 @@ +-#!/bin/bash +-# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_sle +- +-# Check if log file with root group-owner in rsyslog.conf passes. 
+- +-source $SHARED/rsyslog_log_utils.sh +- +-GROUP=root +- +-# setup test data +-create_rsyslog_test_logs 1 +- +-# setup test log file ownership +-chgrp $GROUP ${RSYSLOG_TEST_LOGS[0]} +- +-# add rule with root group owned log file +-cat << EOF > $RSYSLOG_CONF +-# rsyslog configuration file +- +-#### RULES #### +- +-*.* ${RSYSLOG_TEST_LOGS[0]} +- +-EOF +diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_ownership/oval/shared.xml b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_ownership/oval/shared.xml +deleted file mode 100644 +index 8e3f68db26..0000000000 +--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_ownership/oval/shared.xml ++++ /dev/null +@@ -1,114 +0,0 @@ +- +- +- {{{ oval_metadata("All syslog log files should be owned by the appropriate user.") }}} +- +- +- +- +- +- +- +- +- +- /etc/rsyslog.conf +- ^(?:include\([\n\s]*file="([^\s;]+)".*|\$IncludeConfig[\s]+([^\s;]+))$ +- 1 +- +- +- +- +- +- +- +- +- +- +- +- +- +- var_rfo_include_config_regex +- +- +- +- ^/etc/rsyslog.conf$ +- +- +- +- var_rfo_syslog_config +- +- +- +- +- +- object_var_rfo_include_config_regex +- object_var_rfo_syslog_config +- +- +- +- +- +- +- +- +- +- +- +- +- ^[^(#|\$)]+[\s]+.*[\s]+-?(/+[^:;\s]+);*\.*$ +- 1 +- state_owner_ignore_include_paths +- +- +- +- +- (?:file="[^\s;]+"|\$IncludeConfig[\s]+[^\s;]+|\/dev\/.*) +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- regular +- +- {{% if product in ["ubuntu2004", "ubuntu2204"] %}} +- 104 +- {{% else %}} +- 0 +- {{% endif %}} +- +- +- +diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_ownership/rule.yml b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_ownership/rule.yml +index 37c87b07cd..0d9bf40f4b 100644 +--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_ownership/rule.yml ++++ 
b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_ownership/rule.yml +@@ -4,15 +4,36 @@ title: 'Ensure Log Files Are Owned By Appropriate User' + + description: |- + The owner of all log files written by +- rsyslog should be {{{ xccdf_value("file_owner_logfiles_value") }}}. ++ rsyslog should be ++ {{% if product in ['ubuntu2204','ubuntu2004'] %}} ++ syslog. ++ {{% elif 'debian' in product or 'ubuntu' in product %}} ++ adm. ++ {{% else %}} ++ root. ++ {{% endif %}} + These log files are determined by the second part of each Rule line in + /etc/rsyslog.conf and typically all appear in /var/log. + For each log file LOGFILE referenced in /etc/rsyslog.conf, + run the following command to inspect the file's owner: +
$ ls -l LOGFILE
+- If the owner is not {{{ xccdf_value("file_owner_logfiles_value") }}}, run the following command to ++ If the owner is not ++ {{% if product in ['ubuntu2204','ubuntu2004'] %}} ++ syslog, ++ {{% elif 'debian' in product or 'ubuntu' in product %}} ++ adm, ++ {{% else %}} ++ root, ++ {{% endif %}} ++ run the following command to + correct this: +-
$ sudo chown {{{ xccdf_value("file_owner_logfiles_value") }}} LOGFILE
++ {{% if product in ['ubuntu2204','ubuntu2004'] %}} ++
$ sudo chown syslog LOGFILE
++ {{% elif 'debian' in product or 'ubuntu' in product %}} ++
$ sudo chown adm LOGFILE
++ {{% else %}} ++
$ sudo chown root LOGFILE
++ {{% endif %}} + + rationale: |- + The log files generated by rsyslog contain valuable information regarding system +@@ -47,8 +68,23 @@ references: + ocil_clause: 'the owner is not correct' + + ocil: |- +- The owner of all log files written by rsyslog should be {{{ xccdf_value("file_owner_logfiles_value") }}}. ++ The owner of all log files written by rsyslog should be ++ {{% if product in ['ubuntu2204','ubuntu2004'] %}} ++ syslog. ++ {{% elif 'debian' in product or 'ubuntu' in product %}} ++ adm. ++ {{% else %}} ++ root. ++ {{% endif %}} + These log files are determined by the second part of each Rule line in + /etc/rsyslog.conf and typically all appear in /var/log. + To see the owner of a given log file, run the following command: +
$ ls -l LOGFILE
++ ++template: ++ name: rsyslog_logfiles_attributes_modify ++ vars: ++ attribute: owner ++ value: 0 ++ value@ubuntu2004: 104 ++ value@ubuntu2204: 104 +diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_logging_configured/ansible/shared.yml b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_logging_configured/ansible/shared.yml +new file mode 100644 +index 0000000000..041e263155 +--- /dev/null ++++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_logging_configured/ansible/shared.yml +@@ -0,0 +1,12 @@ ++# platform = multi_platform_sle ++# reboot = false ++# strategy = restrict ++# complexity = low ++# disruption = low ++ ++- name: "Set rsyslog remote loghost" ++ lineinfile: ++ dest: /etc/rsyslog.conf ++ regexp: "^\\*\\.\\*" ++ line: "*.* /var/log/messages" ++ create: yes +diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_logging_configured/bash/shared.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_logging_configured/bash/shared.sh +new file mode 100644 +index 0000000000..d634610225 +--- /dev/null ++++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_logging_configured/bash/shared.sh +@@ -0,0 +1,7 @@ ++# platform = multi_platform_sle ++# reboot = false ++# strategy = restrict ++# complexity = low ++# disruption = low ++ ++{{{ bash_replace_or_append('/etc/rsyslog.conf', '^\*\.\*', "/var/log/messages", '%s %s') }}} +diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_logging_configured/oval/shared.xml b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_logging_configured/oval/shared.xml +new file mode 100644 +index 0000000000..89e1e7616e +--- /dev/null ++++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_logging_configured/oval/shared.xml +@@ -0,0 +1,41 @@ ++ ++ ++ {{{ 
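Review bot: The template block at the end of this hunk pins the expected owner to numeric UIDs (`value: 0`, `value@ubuntu2004: 104`, `value@ubuntu2204: 104`) while the description and OCIL above say the owner should be `adm` on Debian and on Ubuntu releases other than 20.04/22.04, so for those products the text and the automated check appear to disagree (the check would presumably still demand UID 0). The UID of the `syslog` system account is also not something I can see fixed anywhere in this patch, so 104 risks false results on hosts where the account was allocated a different ID. If the template accepts names, express the owner symbolically (`value: root`, `value@ubuntu2004: syslog`); otherwise document the assumption next to the values, e.g. `# 104 is the syslog user on stock Ubuntu 20.04/22.04 images - verify on custom builds`.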
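Review bot: The `lineinfile` task uses `regexp: "^\\*\\.\\*"`, which matches any rule starting with `*.*` — including a remote-forwarding rule such as `*.* @@loghost:514` — and `lineinfile` replaces the last matching line, so applying this remediation to a host that forwards everything to a central collector would silently turn the forwarding rule into `*.* /var/log/messages`. Since the rule only requires that some local logging be configured, it is safer to anchor on the local target so only an existing local rule is touched, e.g. `regexp: "^\\*\\.\\*\\s+-?/var/log/messages"`, and append otherwise. The task name `Set rsyslog remote loghost` also looks copied from the remote-loghost rule and should say what this task does, e.g. `Ensure rsyslog logs all facilities to /var/log/messages`.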
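Review bot: `bash_replace_or_append('/etc/rsyslog.conf', '^\*\.\*', "/var/log/messages", '%s %s')` has the same clobbering problem as the Ansible variant: a key of `^\*\.\*` matches a remote-forwarding rule (`*.* @@loghost:514`) and would rewrite it into a local file rule, so the key should be anchored on the local target, e.g. `'^\*\.\*\s+-\?/var/log/messages'`. I cannot see the macro here, but if it prints the key text into the `%s %s` format when no line matches, the appended line would carry the regex escapes rather than `*.* /var/log/messages`; please verify the resulting line on a SLE host whose `/etc/rsyslog.conf` has no `*.*` rule, since the only pass test in this patch starts from a file that already contains the correct line.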
oval_metadata("Syslog logs should be configured") }}} ++ ++ ++ {{% if product in ["debian10", "debian11", "ubuntu1604", "ubuntu1804"] %}} ++ ++ {{% endif %}} ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ /etc/rsyslog.conf ++ ^[^(\s|#|\$)]+[\s]+.*[\s]+(\:\w+\:\S*|-?(\/+[^:;\s]+);*\.*)$ ++ 1 ++ ++ ++ ++ /etc/rsyslog.d ++ ^.+\.conf$ ++ ^[^(\s|#|\$)]+[\s]+.*[\s]+(\:\w+\:\S*|-?(\/+[^:;\s]+);*\.*)$ ++ 1 ++ ++ ++ +diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_logging_configured/rule.yml b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_logging_configured/rule.yml +new file mode 100644 +index 0000000000..f9477de9e9 +--- /dev/null ++++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_logging_configured/rule.yml +@@ -0,0 +1,34 @@ ++documentation_complete: true ++ ++title: 'Ensure logging is configured' ++ ++description: |- ++ The /etc/rsyslog.conf and /etc/rsyslog.d/*.conf files ++ specifies rules for logging and which files are to be used to log certain ++ classes of messages. ++ ++rationale: |- ++ A great deal of important security-related information is sent via ++ rsyslog (e.g., successful and failed su attempts, failed login attempts, ++ root login attempts, etc.). ++ ++severity: medium ++ ++identifiers: ++ cce@sle12: CCE-92379-7 ++ cce@sle15: CCE-92497-7 ++ ++references: ++ cis@sle12: 4.2.1.4 ++ cis@sle15: 4.2.1.4 ++ ++ocil_clause: 'no logging is configured' ++ ++ocil: |- ++ Review the contents of the /etc/rsyslog.conf and /etc/rsyslog.d/*.conf ++ files to ensure appropriate logging is set. In addition, run the following command: ++
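Review bot: Both regexes in this check (`^[^(\s|#|\$)]+[\s]+.*[\s]+(\:\w+\:\S*|-?(\/+[^:;\s]+);*\.*)$`) only recognise legacy selector lines whose target is a path or an `:omod:` action; a configuration written in RainerScript, e.g. `*.* action(type="omfile" File="/var/log/messages")` — the exact syntax the new `rainer_*` tests in this same patch use for the attributes template — has no whitespace before the `/` and, as far as I can read the pattern, would not match, so such a host fails the rule despite logging everything. Rules pulled in via `include()` or `$IncludeConfig` from outside `/etc/rsyslog.d` are also not examined, unlike the attributes template that resolves includes. Consider adding an alternative that matches `action\(.*File="/[^"]+"` and a `rainer_logging_configured.pass.sh` test next to the two legacy-format tests.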
ls -l /var/log/
++ and verify that the log files are logging information ++ ++fixtext: |- ++ Configure logging with selectors covering each priority +diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_logging_configured/tests/rsyslog_file_with_everything_logged_to_messages.pass.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_logging_configured/tests/rsyslog_file_with_everything_logged_to_messages.pass.sh +new file mode 100644 +index 0000000000..a4fb1cf07a +--- /dev/null ++++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_logging_configured/tests/rsyslog_file_with_everything_logged_to_messages.pass.sh +@@ -0,0 +1,13 @@ ++#!/bin/bash ++# platform = multi_platform_sle ++ ++# Check rsyslog.conf with no includes and all loggging facility/priority configured to go to /var/log/messages ++ ++source $SHARED/rsyslog_log_utils.sh ++cat << EOF > ${RSYSLOG_CONF} ++# rsyslog configuration file ++ ++#### RULES #### ++ ++*.* /var/log/messages ++EOF +diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_logging_configured/tests/rsyslog_file_with_no_logging.fail.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_logging_configured/tests/rsyslog_file_with_no_logging.fail.sh +new file mode 100644 +index 0000000000..158cf4c98d +--- /dev/null ++++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_logging_configured/tests/rsyslog_file_with_no_logging.fail.sh +@@ -0,0 +1,12 @@ ++#!/bin/bash ++# platform = multi_platform_sle ++ ++# Check rsyslog.conf with no includes and no loggging facility/priority configured ++ ++source $SHARED/rsyslog_log_utils.sh ++cat << EOF > ${RSYSLOG_CONF} ++# rsyslog configuration file ++ ++#### RULES #### ++ ++EOF +diff --git a/products/debian10/profiles/anssi_np_nt28_average.profile b/products/debian10/profiles/anssi_np_nt28_average.profile +index 600f1a6f71..4c42814719 100644 +--- 
a/products/debian10/profiles/anssi_np_nt28_average.profile ++++ b/products/debian10/profiles/anssi_np_nt28_average.profile +@@ -22,9 +22,7 @@ selections: + - sshd_allow_only_protocol2 + - var_sshd_set_keepalive=0 + - sshd_set_keepalive_0 +- - file_owner_logfiles_value=adm + - rsyslog_files_ownership +- - file_groupowner_logfiles_value=adm + - rsyslog_files_groupownership + - rsyslog_files_permissions + - "!rsyslog_remote_loghost" +diff --git a/products/debian10/profiles/standard.profile b/products/debian10/profiles/standard.profile +index 3784182fa1..446f5aca1d 100644 +--- a/products/debian10/profiles/standard.profile ++++ b/products/debian10/profiles/standard.profile +@@ -33,9 +33,7 @@ selections: + - sshd_allow_only_protocol2 + - var_sshd_set_keepalive=0 + - sshd_set_keepalive_0 +- - file_owner_logfiles_value=adm + - rsyslog_files_ownership +- - file_groupowner_logfiles_value=adm + - rsyslog_files_groupownership + - rsyslog_files_permissions + - "!rsyslog_remote_loghost" +diff --git a/products/debian11/profiles/anssi_np_nt28_average.profile b/products/debian11/profiles/anssi_np_nt28_average.profile +index 600f1a6f71..4c42814719 100644 +--- a/products/debian11/profiles/anssi_np_nt28_average.profile ++++ b/products/debian11/profiles/anssi_np_nt28_average.profile +@@ -22,9 +22,7 @@ selections: + - sshd_allow_only_protocol2 + - var_sshd_set_keepalive=0 + - sshd_set_keepalive_0 +- - file_owner_logfiles_value=adm + - rsyslog_files_ownership +- - file_groupowner_logfiles_value=adm + - rsyslog_files_groupownership + - rsyslog_files_permissions + - "!rsyslog_remote_loghost" +diff --git a/products/debian11/profiles/standard.profile b/products/debian11/profiles/standard.profile +index e1b2c718df..c21f8d592b 100644 +--- a/products/debian11/profiles/standard.profile ++++ b/products/debian11/profiles/standard.profile +@@ -33,9 +33,7 @@ selections: + - sshd_allow_only_protocol2 + - var_sshd_set_keepalive=0 + - sshd_set_keepalive_0 +- - file_owner_logfiles_value=adm + - 
rsyslog_files_ownership +- - file_groupowner_logfiles_value=adm + - rsyslog_files_groupownership + - rsyslog_files_permissions + - "!rsyslog_remote_loghost" +diff --git a/products/rhel7/profiles/rht-ccp.profile b/products/rhel7/profiles/rht-ccp.profile +index 12a3a25013..a246d5a094 100644 +--- a/products/rhel7/profiles/rht-ccp.profile ++++ b/products/rhel7/profiles/rht-ccp.profile +@@ -11,8 +11,6 @@ description: |- + selections: + - var_selinux_state=enforcing + - var_selinux_policy_name=targeted +- - file_owner_logfiles_value=root +- - file_groupowner_logfiles_value=root + - sshd_idle_timeout_value=5_minutes + - var_accounts_minimum_age_login_defs=7 + - var_accounts_passwords_pam_faillock_deny=5 +diff --git a/products/rhel8/profiles/rht-ccp.profile b/products/rhel8/profiles/rht-ccp.profile +index ae1e7d5a15..0a00d2f46b 100644 +--- a/products/rhel8/profiles/rht-ccp.profile ++++ b/products/rhel8/profiles/rht-ccp.profile +@@ -11,8 +11,6 @@ description: |- + selections: + - var_selinux_state=enforcing + - var_selinux_policy_name=targeted +- - file_owner_logfiles_value=root +- - file_groupowner_logfiles_value=root + - sshd_idle_timeout_value=5_minutes + - var_logind_session_timeout=5_minutes + - var_accounts_minimum_age_login_defs=7 +diff --git a/products/sle12/profiles/anssi_bp28_intermediary.profile b/products/sle12/profiles/anssi_bp28_intermediary.profile +index 24a98fd824..22498b6b6f 100644 +--- a/products/sle12/profiles/anssi_bp28_intermediary.profile ++++ b/products/sle12/profiles/anssi_bp28_intermediary.profile +@@ -23,3 +23,4 @@ description: |- + + selections: + - anssi:all:intermediary ++ +diff --git a/products/sle15/profiles/standard.profile b/products/sle15/profiles/standard.profile +index 204804c2ee..1af0a865ef 100644 +--- a/products/sle15/profiles/standard.profile ++++ b/products/sle15/profiles/standard.profile +@@ -29,9 +29,7 @@ selections: + - service_cron_enabled + - service_ntp_enabled + - service_rsyslog_enabled +- - file_owner_logfiles_value=adm + - 
rsyslog_files_ownership +- - file_groupowner_logfiles_value=adm + - rsyslog_files_groupownership + - rsyslog_files_permissions + - ensure_logrotate_activated +diff --git a/products/ubuntu1604/profiles/anssi_np_nt28_average.profile b/products/ubuntu1604/profiles/anssi_np_nt28_average.profile +index 600f1a6f71..4c42814719 100644 +--- a/products/ubuntu1604/profiles/anssi_np_nt28_average.profile ++++ b/products/ubuntu1604/profiles/anssi_np_nt28_average.profile +@@ -22,9 +22,7 @@ selections: + - sshd_allow_only_protocol2 + - var_sshd_set_keepalive=0 + - sshd_set_keepalive_0 +- - file_owner_logfiles_value=adm + - rsyslog_files_ownership +- - file_groupowner_logfiles_value=adm + - rsyslog_files_groupownership + - rsyslog_files_permissions + - "!rsyslog_remote_loghost" +diff --git a/products/ubuntu1604/profiles/standard.profile b/products/ubuntu1604/profiles/standard.profile +index 6fd70f0da6..93001f3bfe 100644 +--- a/products/ubuntu1604/profiles/standard.profile ++++ b/products/ubuntu1604/profiles/standard.profile +@@ -34,9 +34,7 @@ selections: + - sshd_allow_only_protocol2 + - var_sshd_set_keepalive=0 + - sshd_set_keepalive_0 +- - file_owner_logfiles_value=adm + - rsyslog_files_ownership +- - file_groupowner_logfiles_value=adm + - rsyslog_files_groupownership + - rsyslog_files_permissions + - "!rsyslog_remote_loghost" +diff --git a/products/ubuntu1804/profiles/anssi_np_nt28_average.profile b/products/ubuntu1804/profiles/anssi_np_nt28_average.profile +index 600f1a6f71..4c42814719 100644 +--- a/products/ubuntu1804/profiles/anssi_np_nt28_average.profile ++++ b/products/ubuntu1804/profiles/anssi_np_nt28_average.profile +@@ -22,9 +22,7 @@ selections: + - sshd_allow_only_protocol2 + - var_sshd_set_keepalive=0 + - sshd_set_keepalive_0 +- - file_owner_logfiles_value=adm + - rsyslog_files_ownership +- - file_groupowner_logfiles_value=adm + - rsyslog_files_groupownership + - rsyslog_files_permissions + - "!rsyslog_remote_loghost" +diff --git 
a/products/ubuntu1804/profiles/standard.profile b/products/ubuntu1804/profiles/standard.profile +index d587d499d8..a17117818e 100644 +--- a/products/ubuntu1804/profiles/standard.profile ++++ b/products/ubuntu1804/profiles/standard.profile +@@ -32,9 +32,7 @@ selections: + - sshd_allow_only_protocol2 + - var_sshd_set_keepalive=0 + - sshd_set_keepalive_0 +- - file_owner_logfiles_value=adm + - rsyslog_files_ownership +- - file_groupowner_logfiles_value=adm + - rsyslog_files_groupownership + - rsyslog_files_permissions + - "!rsyslog_remote_loghost" +diff --git a/products/ubuntu2004/profiles/standard.profile b/products/ubuntu2004/profiles/standard.profile +index 823a69a5d9..6ed27aa16d 100644 +--- a/products/ubuntu2004/profiles/standard.profile ++++ b/products/ubuntu2004/profiles/standard.profile +@@ -31,9 +31,7 @@ selections: + - sshd_disable_empty_passwords + - var_sshd_set_keepalive=0 + - sshd_set_keepalive +- - file_owner_logfiles_value=syslog + - rsyslog_files_ownership +- - file_groupowner_logfiles_value=adm + - rsyslog_files_groupownership + - rsyslog_files_permissions + - "!rsyslog_remote_loghost" +diff --git a/products/ubuntu2204/profiles/standard.profile b/products/ubuntu2204/profiles/standard.profile +index c8bc5369c9..1bb9f43e7d 100644 +--- a/products/ubuntu2204/profiles/standard.profile ++++ b/products/ubuntu2204/profiles/standard.profile +@@ -31,9 +31,7 @@ selections: + - sshd_disable_empty_passwords + - var_sshd_set_keepalive=0 + - sshd_set_keepalive +- - file_owner_logfiles_value=syslog + - rsyslog_files_ownership +- - file_groupowner_logfiles_value=adm + - rsyslog_files_groupownership + - rsyslog_files_permissions + - "!rsyslog_remote_loghost" +diff --git a/shared/references/cce-sle12-avail.txt b/shared/references/cce-sle12-avail.txt +index c119834759..4e0a76f8de 100644 +--- a/shared/references/cce-sle12-avail.txt ++++ b/shared/references/cce-sle12-avail.txt +@@ -54,7 +54,6 @@ CCE-92375-5 + CCE-92376-3 + CCE-92377-1 + CCE-92378-9 +-CCE-92379-7 + 
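Review bot: Dropping `file_owner_logfiles_value=syslog` and `file_groupowner_logfiles_value=adm` from the ubuntu2004 and ubuntu2204 standard profiles means rsyslog_files_ownership and rsyslog_files_groupownership now use whatever value the new rsyslog_logfiles_attributes_modify template hard-codes for those products. On Ubuntu rsyslog drops privileges to `syslog:adm` and creates its log files with that ownership (not visible in this diff, please verify), so a root-only expectation would fail on every fresh install and the bash remediation would chown the files away from the daemon that writes them. The OVAL template added in this same patch only special-cases `debian10`, `debian11` and `ubuntu1604`, so it is worth confirming that the ubuntu2004/ubuntu2204 rule definitions carry a matching per-product value before these selections are removed; a one-line note next to the rule selection, `# owner/group value now comes from the rule's template vars`, would help the next reader.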
CCE-92380-5 + CCE-92381-3 + CCE-92382-1 +diff --git a/shared/references/cce-sle15-avail.txt b/shared/references/cce-sle15-avail.txt +index d04c40d31f..e39dae033e 100644 +--- a/shared/references/cce-sle15-avail.txt ++++ b/shared/references/cce-sle15-avail.txt +@@ -17,7 +17,6 @@ CCE-92492-8 + CCE-92493-6 + CCE-92495-1 + CCE-92496-9 +-CCE-92497-7 + CCE-92498-5 + CCE-92499-3 + CCE-92500-8 +diff --git a/shared/templates/rsyslog_logfiles_attributes_modify/ansible.template b/shared/templates/rsyslog_logfiles_attributes_modify/ansible.template +new file mode 100644 +index 0000000000..fc9e8844b6 +--- /dev/null ++++ b/shared/templates/rsyslog_logfiles_attributes_modify/ansible.template +@@ -0,0 +1,68 @@ ++# platform = multi_platform_all ++# reboot = false ++# strategy = configure ++# complexity = low ++# disruption = medium ++ ++- name: '{{{ rule_title }}} - Set rsyslog logfile configuration facts' ++ ansible.builtin.set_fact: ++ rsyslog_etc_config: "/etc/rsyslog.conf" ++ ++# * And also the log file paths listed after rsyslog's $IncludeConfig directive ++# (store the result into array for the case there's shell glob used as value of IncludeConfig) ++- name: '{{{ rule_title }}} - Get IncludeConfig directive' ++ ansible.builtin.shell: | ++ set -o pipefail ++ grep -e '$IncludeConfig' {{ rsyslog_etc_config }} | cut -d ' ' -f 2 || true ++ register: rsyslog_old_inc ++ changed_when: False ++ ++- name: '{{{ rule_title }}} - Get include files directives' ++ ansible.builtin.shell: | ++ set -o pipefail ++ grep -oP '^\s*include\s*\(\s*file.*' {{ rsyslog_etc_config }} |cut -d"\"" -f 2 || true ++ register: rsyslog_new_inc ++ changed_when: False ++ ++- name: '{{{ rule_title }}} - Aggregate rsyslog includes' ++ ansible.builtin.set_fact: ++ include_config_output: "{{ rsyslog_old_inc.stdout_lines + rsyslog_new_inc.stdout_lines }}" ++ ++- name: '{{{ rule_title }}} - List all config files' ++ ansible.builtin.find: ++ paths: "{{ include_config_output | list | map('dirname') }}" ++ patterns: "{{ 
include_config_output | list | map('basename') }}" ++ hidden: no ++ follow: yes ++ register: rsyslog_config_files ++ failed_when: False ++ changed_when: False ++ ++- name: '{{{ rule_title }}} - Extract log files old format' ++ ansible.builtin.shell: | ++ set -o pipefail ++ grep -oP '^[^(\s|#|\$)]+[\s]+.*[\s]+-?(/+[^:;\s]+);*\.*$' {{ item }} |awk '{print $NF}'|sed -e 's/^-//' || true ++ loop: "{{ rsyslog_config_files.files|map(attribute='path')|list|flatten|unique + [ rsyslog_etc_config ] }}" ++ register: log_files_old ++ changed_when: False ++ ++- name: '{{{ rule_title }}} - Extract log files new format' ++ ansible.builtin.shell: | ++ set -o pipefail ++ grep -ozP "action\s*\(\s*type\s*=\s*\"omfile\"[^\)]*\)" {{ item }} | grep -aoP "File\s*=\s*\"([/[:alnum:][:punct:]]*)\"\s*\)"|grep -oE "\"([/[:alnum:][:punct:]]*)\"" |tr -d "\""|| true ++ loop: "{{ rsyslog_config_files.files|map(attribute='path')|list|flatten|unique + [ rsyslog_etc_config ] }}" ++ register: log_files_new ++ changed_when: False ++ ++- name: '{{{ rule_title }}} - Sum all log files found' ++ ansible.builtin.set_fact: ++ log_files: "{{ log_files_new.results|map(attribute='stdout_lines')|list|flatten|unique + log_files_old.results|map(attribute='stdout_lines')|list|flatten|unique }}" ++ ++- name: '{{{ rule_title }}} -Setup log files attribute' ++ ansible.builtin.file: ++ path: "{{ item }}" ++ owner: '{{ ( "{{{ ATTRIBUTE }}}" is match("owner")) | ternary({{{ VALUE }}}, omit) }}' ++ group: '{{ ( "{{{ ATTRIBUTE }}}" is match("groupowner")) | ternary({{{ VALUE }}} , omit) }}' ++ state: file ++ loop: "{{ log_files | list | flatten | unique }}" ++ failed_when: false +diff --git a/shared/templates/rsyslog_logfiles_attributes_modify/bash.template b/shared/templates/rsyslog_logfiles_attributes_modify/bash.template +new file mode 100644 +index 0000000000..ab4a563dc5 +--- /dev/null ++++ b/shared/templates/rsyslog_logfiles_attributes_modify/bash.template +@@ -0,0 +1,110 @@ ++# platform = multi_platform_all ++ ++# 
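Review bot: The final `Setup log files attribute` task in ansible.template sets `failed_when: false`, so any failure to change the owner or group (a path the grep pipeline extracted that is not a real file, or a permission error) is reported as success and the rule appears remediated without the attribute having been set. `state: file` fails when the path does not exist, so the blanket suppression is presumably there to tolerate log files rsyslog has not created yet; that is better expressed by registering an `ansible.builtin.stat` over `log_files` and adding `when: item.stat.exists` to the file task, letting other errors surface. The earlier `find` task also passes `paths` and `patterns` as two independent lists, so a basename pattern from one include directive is applied to the directory of every other one; harmless for the default `/etc/rsyslog.d/*.conf`, but worth a comment such as `# paths/patterns are cross-combined; fine for the single default include`.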
List of log file paths to be inspected for correct permissions
++# * Primarily inspect log file paths listed in /etc/rsyslog.conf
++RSYSLOG_ETC_CONFIG="/etc/rsyslog.conf"
++# * And also the log file paths listed after rsyslog's $IncludeConfig directive
++# (store the result into array for the case there's shell glob used as value of IncludeConfig)
++readarray -t OLD_INC < <(grep -e "\$IncludeConfig[[:space:]]\+[^[:space:];]\+" /etc/rsyslog.conf | cut -d ' ' -f 2)
++readarray -t RSYSLOG_INCLUDE_CONFIG < <(for INCPATH in "${OLD_INC[@]}"; do eval printf '%s\\n' "${INCPATH}"; done)
++readarray -t NEW_INC < <(awk '/)/{f=0} /include\(/{f=1} f{nf=gensub("^(include\\(|\\s*)file=\"(\\S+)\".*","\\2",1); if($0!=nf){print nf}}' /etc/rsyslog.conf)
++readarray -t RSYSLOG_INCLUDE < <(for INCPATH in "${NEW_INC[@]}"; do eval printf '%s\\n' "${INCPATH}"; done)
++
++# Declare an array to hold the final list of different log file paths
++declare -a LOG_FILE_PATHS
++
++# Array to hold all rsyslog config entries
++RSYSLOG_CONFIGS=()
++RSYSLOG_CONFIGS=("${RSYSLOG_ETC_CONFIG}" "${RSYSLOG_INCLUDE_CONFIG[@]}" "${RSYSLOG_INCLUDE[@]}")
++
++# Get full list of files to be checked
++# RSYSLOG_CONFIGS may contain globs such as
++# /etc/rsyslog.d/*.conf /etc/rsyslog.d/*.frule
++# So, loop over the entries in RSYSLOG_CONFIGS and use find to get the list of included files.
++RSYSLOG_CONFIG_FILES=()
++for ENTRY in "${RSYSLOG_CONFIGS[@]}"
++do
++ # If directory, rsyslog will search for config files in recursively.
++ # However, files in hidden sub-directories or hidden files will be ignored. 
++ if [ -d "${ENTRY}" ]
++ then
++ readarray -t FINDOUT < <(find "${ENTRY}" -not -path '*/.*' -type f)
++ RSYSLOG_CONFIG_FILES+=("${FINDOUT[@]}")
++ elif [ -f "${ENTRY}" ]
++ then
++ RSYSLOG_CONFIG_FILES+=("${ENTRY}")
++ else
++ echo "Invalid include object: ${ENTRY}"
++ fi
++done
++
++# Browse each file selected above as containing paths of log files
++# ('/etc/rsyslog.conf' and '/etc/rsyslog.d/*.conf' in the default configuration)
++for LOG_FILE in "${RSYSLOG_CONFIG_FILES[@]}"
++do
++ # From each of these files extract just particular log file path(s), thus:
++ # * Ignore lines starting with space (' '), comment ('#"), or variable syntax ('$') characters,
++ # * Ignore empty lines,
++ # * Strip quotes and closing brackets from paths.
++ # * Ignore paths that match /dev|/etc.*\.conf, as those are paths, but likely not log files
++ # * From the remaining valid rows select only fields constituting a log file path
++ # Text file column is understood to represent a log file path if and only if all of the following are met:
++ # * it contains at least one slash '/' character,
++ # * it is preceded by space
++ # * it doesn't contain space (' '), colon (':'), and semicolon (';') characters
++ # Search log file for path(s) only in case it exists! 
++ if [[ -f "${LOG_FILE}" ]]
++ then
++ NORMALIZED_CONFIG_FILE_LINES=$(sed -e "/^[#|$]/d" "${LOG_FILE}")
++ LINES_WITH_PATHS=$(grep '[^/]*\s\+\S*/\S\+$' <<< "${NORMALIZED_CONFIG_FILE_LINES}")
++ FILTERED_PATHS=$(awk '{if(NF>=2&&($NF~/^\//||$NF~/^-\//)){sub(/^-\//,"/",$NF);print $NF}}' <<< "${LINES_WITH_PATHS}")
++ CLEANED_PATHS=$(sed -e "s/[\"')]//g; /\\/etc.*\.conf/d; /\\/dev\\//d" <<< "${FILTERED_PATHS}")
++ MATCHED_ITEMS=$(sed -e "/^$/d" <<< "${CLEANED_PATHS}")
++ # Since above sed command might return more than one item (delimited by newline), split the particular
++ # matches entries into new array specific for this log file
++ readarray -t ARRAY_FOR_LOG_FILE <<< "$MATCHED_ITEMS"
++ # Concatenate the two arrays - previous content of $LOG_FILE_PATHS array with
++ # items from newly created array for this log file
++ LOG_FILE_PATHS+=("${ARRAY_FOR_LOG_FILE[@]}")
++ # Delete the temporary array
++ unset ARRAY_FOR_LOG_FILE
++ fi
++done
++
++# Check for RainerScript action log format which might be also multiline so grep regex is a bit curly
++# extract possibly multiline action omfile expressions
++# extract File="logfile" expression
++# match only "logfile" expression
++for LOG_FILE in "${RSYSLOG_CONFIG_FILES[@]}"
++do
++ ACTION_OMFILE_LINES=$(grep -ozP "action\s*\(\s*type\s*=\s*\"omfile\"[^\)]*\)" "${LOG_FILE}")
++ OMFILE_LINES=$(echo "${ACTION_OMFILE_LINES}"| grep -aoP "File\s*=\s*\"([/[:alnum:][:punct:]]*)\"\s*\)")
++ LOG_FILE_PATHS+=("$(echo "${OMFILE_LINES}"| grep -oE "\"([/[:alnum:][:punct:]]*)\""|tr -d "\"")")
++done
++
++FILE_PARAM="{{{ ATTRIBUTE }}}"
++FILE_CMD=""
++case "$FILE_PARAM" in
++ "groupowner")
++ FILE_CMD=$(which chgrp)
++ ;;
++ "owner")
++ FILE_CMD=$(which chown)
++ ;;
++ *)
++ echo -n "Not supported file attribute! 
" ++ exit 1 ++ ;; ++esac ++ ++# Correct the form o ++for LOG_FILE_PATH in "${LOG_FILE_PATHS[@]}" ++do ++ # Sanity check - if particular $LOG_FILE_PATH is empty string, skip it from further processing ++ if [ -z "$LOG_FILE_PATH" ] ++ then ++ continue ++ fi ++ ++ $FILE_CMD "+{{{ VALUE }}}" "$LOG_FILE_PATH" ++done +diff --git a/shared/templates/rsyslog_logfiles_attributes_modify/oval.template b/shared/templates/rsyslog_logfiles_attributes_modify/oval.template +new file mode 100644 +index 0000000000..4f288df1c9 +--- /dev/null ++++ b/shared/templates/rsyslog_logfiles_attributes_modify/oval.template +@@ -0,0 +1,137 @@ ++ ++ ++ {{{ oval_metadata("All syslog log files should have appropriate ownership.") }}} ++ ++ {{% if product in ["debian10", "debian11", "ubuntu1604"] %}} ++ ++ {{% endif %}} ++ ++ ++ ++ ++ ++ ++ ++ ++ /etc/rsyslog.conf ++ ^(?:include\([\n\s]*file="([^\s;]+)".*|\$IncludeConfig[\s]+([^\s;]+))$ ++ 1 ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ var_{{{ _RULE_ID }}}_include_config_regex ++ ++ ++ ++ ^/etc/rsyslog.conf$ ++ ++ ++ ++ var_{{{ _RULE_ID }}}_syslog_config ++ ++ ++ ++ ++ ++ object_var_{{{ _RULE_ID }}}_include_config_regex ++ object_var_{{{ _RULE_ID }}}_syslog_config ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ^\s*[^(\s|#|\$)]+\s+-?[\w\(="\s]*(\/[^:;\s"]+)+.*$ ++ 1 ++ state_{{{ _RULE_ID }}}_ownership_ignore_include_paths ++ ++ ++ ++ ++ (?:file="[^\s;]+"|\$IncludeConfig[\s]+[^\s;]+|\/dev\/.*) ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ regular ++ {{% if ATTRIBUTE == "groupowner" %}} ++ {{{ VALUE }}} ++ {{% else %}} ++ {{{ VALUE }}} ++ {{% endif %}} ++ ++ ++ +diff --git a/shared/templates/rsyslog_logfiles_attributes_modify/template.yml b/shared/templates/rsyslog_logfiles_attributes_modify/template.yml +new file mode 100644 +index 0000000000..b57de6fbb6 +--- /dev/null ++++ b/shared/templates/rsyslog_logfiles_attributes_modify/template.yml +@@ -0,0 +1,4 @@ ++supported_languages: ++ - ansible ++ - bash ++ - oval +diff --git 
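Review bot: The `readarray -t RSYSLOG_INCLUDE_CONFIG` and `readarray -t RSYSLOG_INCLUDE` lines near the top of bash.template run `eval` on strings taken from /etc/rsyslog.conf purely to expand shell globs, and this remediation runs as root; the extracting grep only excludes whitespace and `;`, so an include value such as `$(cmd)` or a backtick expression would be executed rather than treated as a path. Plain unquoted pathname expansion gives the same glob behaviour (an unmatched pattern stays literal, exactly as with eval) without code execution: `readarray -t RSYSLOG_INCLUDE_CONFIG < <(for INCPATH in "${OLD_INC[@]}"; do for P in ${INCPATH}; do printf '%s\n' "${P}"; done; done)`, and likewise for `NEW_INC`. Separately, in the RainerScript loop `LOG_FILE_PATHS+=("$(echo "${OMFILE_LINES}"| grep -oE ... |tr -d "\"")")` appends a single element per config file, so a file with two `action(type="omfile" ...)` stanzas produces one newline-joined element and the later `chown`/`chgrp` is handed a path that does not exist; collect them with `readarray -t OMFILE_PATHS < <(echo "${OMFILE_LINES}"| grep -oE "\"([/[:alnum:][:punct:]]*)\""|tr -d "\"")` followed by `LOG_FILE_PATHS+=("${OMFILE_PATHS[@]}")`. The `which chgrp`/`which chown` lookups in the `case` would be more portable as `command -v`, which is a bash builtin and present on minimal installs where `which` is not.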
a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_ownership/tests/IncludeConfig_is_other.fail.sh b/shared/templates/rsyslog_logfiles_attributes_modify/tests/IncludeConfig_is_other.fail.sh +similarity index 75% +rename from linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_ownership/tests/IncludeConfig_is_other.fail.sh +rename to shared/templates/rsyslog_logfiles_attributes_modify/tests/IncludeConfig_is_other.fail.sh +index 6c82a1942f..db7e5261eb 100755 +--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_ownership/tests/IncludeConfig_is_other.fail.sh ++++ b/shared/templates/rsyslog_logfiles_attributes_modify/tests/IncludeConfig_is_other.fail.sh +@@ -6,8 +6,16 @@ + + source $SHARED/rsyslog_log_utils.sh + ++{{% if ATTRIBUTE == "owner" %}} ++ADDCOMMAND="useradd" ++CHATTR="chown" ++{{% else %}} ++ADDCOMMAND="groupadd" ++CHATTR="chgrp" ++{{% endif %}} ++ + USER_TEST=testssg +-useradd $USER_TEST ++$ADDCOMMAND $USER_TEST + + USER_ROOT=root + +@@ -15,8 +23,8 @@ USER_ROOT=root + create_rsyslog_test_logs 2 + + # setup test log files ownership +-chown $USER_ROOT ${RSYSLOG_TEST_LOGS[0]} +-chown $USER_TEST ${RSYSLOG_TEST_LOGS[1]} ++$CHATTR $USER_ROOT ${RSYSLOG_TEST_LOGS[0]} ++$CHATTR $USER_TEST ${RSYSLOG_TEST_LOGS[1]} + + # create test configuration file + test_conf=${RSYSLOG_TEST_DIR}/test1.conf +diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_ownership/tests/IncludeConfig_is_root.pass.sh b/shared/templates/rsyslog_logfiles_attributes_modify/tests/IncludeConfig_is_root.pass.sh +similarity index 81% +rename from linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_ownership/tests/IncludeConfig_is_root.pass.sh +rename to shared/templates/rsyslog_logfiles_attributes_modify/tests/IncludeConfig_is_root.pass.sh +index b24e5e1699..b03268fe3e 100755 +--- 
a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_ownership/tests/IncludeConfig_is_root.pass.sh ++++ b/shared/templates/rsyslog_logfiles_attributes_modify/tests/IncludeConfig_is_root.pass.sh +@@ -6,14 +6,20 @@ + + source $SHARED/rsyslog_log_utils.sh + ++{{% if ATTRIBUTE == "owner" %}} ++CHATTR="chown" ++{{% else %}} ++CHATTR="chgrp" ++{{% endif %}} ++ + USER=root + + # setup test data + create_rsyslog_test_logs 2 + + # setup test log files ownership +-chown $USER ${RSYSLOG_TEST_LOGS[0]} +-chown $USER ${RSYSLOG_TEST_LOGS[1]} ++$CHATTR $USER ${RSYSLOG_TEST_LOGS[0]} ++$CHATTR $USER ${RSYSLOG_TEST_LOGS[1]} + + # create test configuration file + test_conf=${RSYSLOG_TEST_DIR}/test1.conf +diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_ownership/tests/include_is_other.fail.sh b/shared/templates/rsyslog_logfiles_attributes_modify/tests/include_is_other.fail.sh +similarity index 75% +rename from linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_ownership/tests/include_is_other.fail.sh +rename to shared/templates/rsyslog_logfiles_attributes_modify/tests/include_is_other.fail.sh +index 18f43c6927..d79ae23cfc 100755 +--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_ownership/tests/include_is_other.fail.sh ++++ b/shared/templates/rsyslog_logfiles_attributes_modify/tests/include_is_other.fail.sh +@@ -6,8 +6,16 @@ + + source $SHARED/rsyslog_log_utils.sh + ++{{% if ATTRIBUTE == "owner" %}} ++ADDCOMMAND="useradd" ++CHATTR="chown" ++{{% else %}} ++ADDCOMMAND="groupadd" ++CHATTR="chgrp" ++{{% endif %}} ++ + USER_TEST=testssg +-useradd $USER_TEST ++$ADDCOMMAND $USER_TEST + + USER_ROOT=root + +@@ -15,8 +23,8 @@ USER_ROOT=root + create_rsyslog_test_logs 2 + + # setup test log files ownership +-chown $USER_ROOT ${RSYSLOG_TEST_LOGS[0]} +-chown $USER_TEST ${RSYSLOG_TEST_LOGS[1]} ++$CHATTR $USER_ROOT ${RSYSLOG_TEST_LOGS[0]} ++$CHATTR 
$USER_TEST ${RSYSLOG_TEST_LOGS[1]} + + # create test configuration file + test_conf=${RSYSLOG_TEST_DIR}/test1.conf +diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_groupownership/tests/include_is_root_IncludeConfig_is_root.pass.sh b/shared/templates/rsyslog_logfiles_attributes_modify/tests/include_is_other_IncludeConfig_is_other_RainerLogClause.fail.sh +old mode 100755 +new mode 100644 +similarity index 50% +rename from linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_groupownership/tests/include_is_root_IncludeConfig_is_root.pass.sh +rename to shared/templates/rsyslog_logfiles_attributes_modify/tests/include_is_other_IncludeConfig_is_other_RainerLogClause.fail.sh +index 05dd50ed24..7869a180a8 +--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_groupownership/tests/include_is_root_IncludeConfig_is_root.pass.sh ++++ b/shared/templates/rsyslog_logfiles_attributes_modify/tests/include_is_other_IncludeConfig_is_other_RainerLogClause.fail.sh +@@ -1,20 +1,31 @@ + #!/bin/bash + # platform = Red Hat Enterprise Linux 8,multi_platform_fedora,Oracle Linux 8,multi_platform_sle + +-# Check rsyslog.conf with root group-owner log from rules and +-# root group-owner log from include() passes. ++# Check rsyslog.conf with root user log from rules and ++# root user log from include() passes. 
+ + source $SHARED/rsyslog_log_utils.sh + +-GROUP=root ++{{% if ATTRIBUTE == "owner" %}} ++ADDCOMMAND="useradd" ++CHATTR="chown" ++{{% else %}} ++ADDCOMMAND="groupadd" ++CHATTR="chgrp" ++{{% endif %}} ++ ++USER_TEST=testssg ++$ADDCOMMAND $USER_TEST ++ ++USER=root + + # setup test data + create_rsyslog_test_logs 3 + + # setup test log files ownership +-chgrp $GROUP ${RSYSLOG_TEST_LOGS[0]} +-chgrp $GROUP ${RSYSLOG_TEST_LOGS[1]} +-chgrp $GROUP ${RSYSLOG_TEST_LOGS[2]} ++$CHATTR $USER_TEST ${RSYSLOG_TEST_LOGS[0]} ++$CHATTR $USER_TEST ${RSYSLOG_TEST_LOGS[1]} ++$CHATTR $USER_TEST ${RSYSLOG_TEST_LOGS[2]} + + # create test configuration file + test_conf=${RSYSLOG_TEST_DIR}/test1.conf +@@ -28,13 +39,25 @@ EOF + + # create test2 configuration file + test_conf2=${RSYSLOG_TEST_DIR}/test2.conf ++{{% if ATTRIBUTE == "owner" %}} ++cat << EOF > ${test_conf2} ++# rsyslog configuration file ++ ++#### RULES #### ++ ++ ++*.* action(type="omfile" FileCreateMode="0640" fileOwner="$USER_TEST" fileGroup="root" File="${RSYSLOG_TEST_LOGS[2]}") ++EOF ++{{% else %}} + cat << EOF > ${test_conf2} + # rsyslog configuration file + + #### RULES #### + +-*.* ${RSYSLOG_TEST_LOGS[2]} ++ ++*.* action(type="omfile" FileCreateMode="0640" fileOwner="root" fileGroup="$USER_TEST" File="${RSYSLOG_TEST_LOGS[2]}") + EOF ++{{% endif %}} + + # create rsyslog.conf configuration file + cat << EOF > $RSYSLOG_CONF +diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_ownership/tests/include_is_root.pass.sh b/shared/templates/rsyslog_logfiles_attributes_modify/tests/include_is_root.pass.sh +similarity index 81% +rename from linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_ownership/tests/include_is_root.pass.sh +rename to shared/templates/rsyslog_logfiles_attributes_modify/tests/include_is_root.pass.sh +index 69dead5135..e80395ca99 100755 +--- 
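Review bot: The header comment of the renamed test include_is_other_IncludeConfig_is_other_RainerLogClause.fail.sh still says `# Check rsyslog.conf with root user log from rules and root user log from include() passes.`, but the body below it applies `$CHATTR $USER_TEST` to all three log files and the file is a `.fail.sh`, so the comment describes the opposite scenario. Suggest `# Check rsyslog.conf with non-root owner/group on logs from rules and on a log written by an include()d RainerScript action() fails.` The rename also drops the executable bit (`old mode 100755`, `new mode 100644`) while every sibling test in this patch keeps 100755; if that is not intentional it should be restored for consistency with the rest of the directory.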
a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_ownership/tests/include_is_root.pass.sh ++++ b/shared/templates/rsyslog_logfiles_attributes_modify/tests/include_is_root.pass.sh +@@ -6,14 +6,21 @@ + + source $SHARED/rsyslog_log_utils.sh + ++ ++{{% if ATTRIBUTE == "owner" %}} ++CHATTR="chown" ++{{% else %}} ++CHATTR="chgrp" ++{{% endif %}} ++ + USER=root + + # setup test data + create_rsyslog_test_logs 2 + + # setup test log files ownership +-chown $USER ${RSYSLOG_TEST_LOGS[0]} +-chown $USER ${RSYSLOG_TEST_LOGS[1]} ++$CHATTR $USER ${RSYSLOG_TEST_LOGS[0]} ++$CHATTR $USER ${RSYSLOG_TEST_LOGS[1]} + + # create test configuration file + test_conf=${RSYSLOG_TEST_DIR}/test1.conf +diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_ownership/tests/include_is_root_IncludeConfig_is_other.fail.sh b/shared/templates/rsyslog_logfiles_attributes_modify/tests/include_is_root_IncludeConfig_is_other.fail.sh +similarity index 77% +rename from linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_ownership/tests/include_is_root_IncludeConfig_is_other.fail.sh +rename to shared/templates/rsyslog_logfiles_attributes_modify/tests/include_is_root_IncludeConfig_is_other.fail.sh +index e725fb4d54..e7b4905dc5 100755 +--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_ownership/tests/include_is_root_IncludeConfig_is_other.fail.sh ++++ b/shared/templates/rsyslog_logfiles_attributes_modify/tests/include_is_root_IncludeConfig_is_other.fail.sh +@@ -6,18 +6,26 @@ + + source $SHARED/rsyslog_log_utils.sh + ++{{% if ATTRIBUTE == "owner" %}} ++ADDCOMMAND="useradd" ++CHATTR="chown" ++{{% else %}} ++ADDCOMMAND="groupadd" ++CHATTR="chgrp" ++{{% endif %}} ++ + USER_ROOT=root + + USER_TEST=testssg +-useradd $USER_TEST ++$ADDCOMMAND $USER_TEST + + # setup test data + create_rsyslog_test_logs 3 + + # setup test log files ownership +-chown $USER_ROOT 
${RSYSLOG_TEST_LOGS[0]} +-chown $USER_ROOT ${RSYSLOG_TEST_LOGS[1]} +-chown $USER_TEST ${RSYSLOG_TEST_LOGS[2]} ++$CHATTR $USER_ROOT ${RSYSLOG_TEST_LOGS[0]} ++$CHATTR $USER_ROOT ${RSYSLOG_TEST_LOGS[1]} ++$CHATTR $USER_TEST ${RSYSLOG_TEST_LOGS[2]} + + # create test configuration file + test_conf=${RSYSLOG_TEST_DIR}/test1.conf +diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_ownership/tests/include_is_root_IncludeConfig_is_root.pass.sh b/shared/templates/rsyslog_logfiles_attributes_modify/tests/include_is_root_IncludeConfig_is_root.pass.sh +similarity index 82% +rename from linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_ownership/tests/include_is_root_IncludeConfig_is_root.pass.sh +rename to shared/templates/rsyslog_logfiles_attributes_modify/tests/include_is_root_IncludeConfig_is_root.pass.sh +index ca47d453c1..6389e6ea3b 100755 +--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_ownership/tests/include_is_root_IncludeConfig_is_root.pass.sh ++++ b/shared/templates/rsyslog_logfiles_attributes_modify/tests/include_is_root_IncludeConfig_is_root.pass.sh +@@ -6,15 +6,21 @@ + + source $SHARED/rsyslog_log_utils.sh + ++{{% if ATTRIBUTE == "owner" %}} ++CHATTR="chown" ++{{% else %}} ++CHATTR="chgrp" ++{{% endif %}} ++ + USER=root + + # setup test data + create_rsyslog_test_logs 3 + + # setup test log files ownership +-chown $USER ${RSYSLOG_TEST_LOGS[0]} +-chown $USER ${RSYSLOG_TEST_LOGS[1]} +-chown $USER ${RSYSLOG_TEST_LOGS[2]} ++$CHATTR $USER ${RSYSLOG_TEST_LOGS[0]} ++$CHATTR $USER ${RSYSLOG_TEST_LOGS[1]} ++$CHATTR $USER ${RSYSLOG_TEST_LOGS[2]} + + # create test configuration file + test_conf=${RSYSLOG_TEST_DIR}/test1.conf +diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_groupownership/tests/include_is_root_IncludeConfig_is_other.fail.sh 
b/shared/templates/rsyslog_logfiles_attributes_modify/tests/include_is_root_IncludeConfig_is_root_RainerLogClause.pass.sh +similarity index 65% +rename from linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_groupownership/tests/include_is_root_IncludeConfig_is_other.fail.sh +rename to shared/templates/rsyslog_logfiles_attributes_modify/tests/include_is_root_IncludeConfig_is_root_RainerLogClause.pass.sh +index 9747e0b28b..6b81a77c2f 100755 +--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_groupownership/tests/include_is_root_IncludeConfig_is_other.fail.sh ++++ b/shared/templates/rsyslog_logfiles_attributes_modify/tests/include_is_root_IncludeConfig_is_root_RainerLogClause.pass.sh +@@ -1,23 +1,26 @@ + #!/bin/bash + # platform = Red Hat Enterprise Linux 8,multi_platform_fedora,Oracle Linux 8,multi_platform_sle + +-# Check rsyslog.conf with root group-owner log from rules and +-# non root group-owner log from include() fails. ++# Check rsyslog.conf with root user log from rules and ++# root user log from include() passes. 
+ + source $SHARED/rsyslog_log_utils.sh + +-GROUP_ROOT=root ++{{% if ATTRIBUTE == "owner" %}} ++CHATTR="chown" ++{{% else %}} ++CHATTR="chgrp" ++{{% endif %}} + +-GROUP_TEST=testssg +-groupadd $GROUP_TEST ++USER=root + + # setup test data + create_rsyslog_test_logs 3 + + # setup test log files ownership +-chgrp $GROUP_ROOT ${RSYSLOG_TEST_LOGS[0]} +-chgrp $GROUP_ROOT ${RSYSLOG_TEST_LOGS[1]} +-chgrp $GROUP_TEST ${RSYSLOG_TEST_LOGS[2]} ++$CHATTR $USER ${RSYSLOG_TEST_LOGS[0]} ++$CHATTR $USER ${RSYSLOG_TEST_LOGS[1]} ++$CHATTR $USER ${RSYSLOG_TEST_LOGS[2]} + + # create test configuration file + test_conf=${RSYSLOG_TEST_DIR}/test1.conf +@@ -36,7 +39,8 @@ cat << EOF > ${test_conf2} + + #### RULES #### + +-*.* ${RSYSLOG_TEST_LOGS[2]} ++ ++*.* action(type="omfile" FileCreateMode="0640" fileOwner="root" fileGroup="root" File="${RSYSLOG_TEST_LOGS[2]}") + EOF + + # create rsyslog.conf configuration file +diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_ownership/tests/include_multiline_is_root.pass.sh b/shared/templates/rsyslog_logfiles_attributes_modify/tests/include_multiline_is_root.pass.sh +similarity index 81% +rename from linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_ownership/tests/include_multiline_is_root.pass.sh +rename to shared/templates/rsyslog_logfiles_attributes_modify/tests/include_multiline_is_root.pass.sh +index d68cc2e67d..78b105abf3 100755 +--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_ownership/tests/include_multiline_is_root.pass.sh ++++ b/shared/templates/rsyslog_logfiles_attributes_modify/tests/include_multiline_is_root.pass.sh +@@ -6,14 +6,20 @@ + + source $SHARED/rsyslog_log_utils.sh + ++{{% if ATTRIBUTE == "owner" %}} ++CHATTR="chown" ++{{% else %}} ++CHATTR="chgrp" ++{{% endif %}} ++ + USER=root + + # setup test data + create_rsyslog_test_logs 2 + + # setup test log files ownership +-chown $USER ${RSYSLOG_TEST_LOGS[0]} +-chown 
$USER ${RSYSLOG_TEST_LOGS[1]} ++$CHATTR $USER ${RSYSLOG_TEST_LOGS[0]} ++$CHATTR $USER ${RSYSLOG_TEST_LOGS[1]} + + # create test configuration file + test_conf=${RSYSLOG_TEST_DIR}/test1.conf +diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_ownership/tests/is_other.fail.sh b/shared/templates/rsyslog_logfiles_attributes_modify/tests/is_other.fail.sh +similarity index 70% +rename from linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_ownership/tests/is_other.fail.sh +rename to shared/templates/rsyslog_logfiles_attributes_modify/tests/is_other.fail.sh +index 7edbb17ea1..1afe20823c 100755 +--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_ownership/tests/is_other.fail.sh ++++ b/shared/templates/rsyslog_logfiles_attributes_modify/tests/is_other.fail.sh +@@ -5,15 +5,23 @@ + + source $SHARED/rsyslog_log_utils.sh + ++{{% if ATTRIBUTE == "owner" %}} ++ADDCOMMAND="useradd" ++CHATTR="chown" ++{{% else %}} ++ADDCOMMAND="groupadd" ++CHATTR="chgrp" ++{{% endif %}} ++ + USER=testssg + +-useradd $USER ++$ADDCOMMAND $USER + + # setup test data + create_rsyslog_test_logs 1 + + # setup test log file ownership +-chown $USER ${RSYSLOG_TEST_LOGS[0]} ++$CHATTR $USER ${RSYSLOG_TEST_LOGS[0]} + + # add rule with non-root user owned log file + cat << EOF > $RSYSLOG_CONF +diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_ownership/tests/is_root.pass.sh b/shared/templates/rsyslog_logfiles_attributes_modify/tests/is_root.pass.sh +similarity index 77% +rename from linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_ownership/tests/is_root.pass.sh +rename to shared/templates/rsyslog_logfiles_attributes_modify/tests/is_root.pass.sh +index e0e518bc50..afce21fa27 100755 +--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_ownership/tests/is_root.pass.sh ++++ 
b/shared/templates/rsyslog_logfiles_attributes_modify/tests/is_root.pass.sh +@@ -5,13 +5,19 @@ + + source $SHARED/rsyslog_log_utils.sh + ++{{% if ATTRIBUTE == "owner" %}} ++CHATTR="chown" ++{{% else %}} ++CHATTR="chgrp" ++{{% endif %}} ++ + USER=root + + # setup test data + create_rsyslog_test_logs 1 + + # setup test log file ownership +-chown $USER ${RSYSLOG_TEST_LOGS[0]} ++$CHATTR $USER ${RSYSLOG_TEST_LOGS[0]} + + # add rule with root user owned log file + cat << EOF > $RSYSLOG_CONF +-- +2.39.1 + diff --git a/SPECS/scap-security-guide.spec b/SPECS/scap-security-guide.spec index cdcc6fb..ff12810 100644 --- a/SPECS/scap-security-guide.spec +++ b/SPECS/scap-security-guide.spec @@ -6,7 +6,7 @@ %global _static_rhel6_content %{name}-0.1.52-2.el7_9-rhel6 Name: scap-security-guide -Version: 0.1.63 +Version: 0.1.66 Release: 1%{?dist} Summary: Security guidance and baselines in SCAP formats 
@@ -16,28 +16,18 @@ URL: https://github.com/ComplianceAsCode/content
 Source0: %{name}-%{version}.tar.bz2
 # Include tarball with last shipped rhel6 content
 Source1: %{_static_rhel6_content}.tar.bz2
-# Disable profiles that are not in good shape for products/rhel8
+# Patch prevents cjis, rht-ccp and standard profiles in RHEL8 datastream
 Patch0: disable-not-in-good-shape-profiles.patch
-# Accept sudoers files without includes as compliant
-Patch1: scap-security-guide-0.1.64-accept_sudoers_without_includes-PR_9283.patch
-# Add -F perm=x filter on RHEL7 privileged commands rules
-Patch2: scap-security-guide-0.1.64-add_perm_x_privileged_commands-PR_9289.patch
-# Add the AUID filters on RHEL7 audit kernel module rules
-Patch3: scap-security-guide-0.1.64-add_auid_filters_kernel_module_rules-PR_9290.patch
-# Add AUID filters on audit_rules_kernel_module_loading
-Patch4: scap-security-guide-0.1.64-auid_filter_audit_rules_kernel_module_loading-PR_9371.patch
-# Update RHEL7 STIG to V3R8
-Patch5: scap-security-guide-0.1.64-update_rhel7_stig_to_v3r8-PR_9317.patch
-# add warning to audit_rules_for_ospp
-Patch6: scap-security-guide-0.1.64-add_warning_audit_rules_for_ospp-PR_9303.patch
-# Don't fail enable_fips_mode if /etc/grubenv is missing on s390x
-Patch7: scap-security-guide-0.1.64-fix_fips_enable_fips_mode_x390x-PR_9355.patch
-# Put smartcard rules with pam_pkcs11 out of s390x
-Patch8: scap-security-guide-0.1.64-pam_pkcs11_not_on_s390x-PR_9389.patch
-# GRUB2 is not available on s390x
-Patch9: scap-security-guide-0.1.64-grub2_not_on_s390x-PR_9394.patch
-# Ensure smartcard_auth check and remediation work on RHEL7
-Patch10: scap-security-guide-0.1.64-fix_smartcard_auth_rhel7-PR_9387.patch
+# Rsyslog files rules remediations
+Patch1: scap-security-guide-0.1.67-rsyslog_files_rules_remediations-PR_9789.patch
+# Extends rsyslog_logfiles_attributes_modify template for permissions
+Patch2: scap-security-guide-0.1.67-rsyslog_files_permissions_template-PR_10139.patch
+# Change custom zones check in firewalld_sshd_port_enabled
+Patch3: scap-security-guide-0.1.67-firewalld_sshd_port_enabled_tests-PR_10162.patch
+# Accept required and requisite control flag for pam_pwhistory
+Patch4: scap-security-guide-0.1.67-pwhistory_control-PR_10175.patch
+# remove rule logind_session_timeout and associated variable from profiles
+Patch5: scap-security-guide-0.1.67-remove_logind_session_timeout_from_profiles-PR_10202.patch
 BuildArch: noarch
@@ -140,6 +130,16 @@ cp -r %{_builddir}/%{_static_rhel6_content}/guides %{_builddir}/%{name}-%{versio
 %endif
 %changelog
+* Tue Feb 14 2023 Watson Sato - 0.1.66-1
+- Rebase to a new upstream release 0.1.66 (RHBZ#2158410)
+- Update RHEL7 STIG profile to V3R10 (RHBZ#2152657)
+- Align file_permissions_sshd_private_key with DISA Benchmark (RHBZ#2123284)
+- Fix remediation of audit watch rules (RHBZ#2123367)
+- Fix check firewalld_sshd_port_enabled (RHBZ#2158410)
+- Fix accepted control flags for pam_pwhistory (RHBZ#2158410)
+- Unselect rule logind_session_timeout (RHBZ#2158410)
+- Add support rainer scripts in rsyslog rules (RHBZ#2170038)
+
 * Tue Aug 09 2022 Watson Sato - 0.1.63-1
 - Update to the latest upstream release (RHBZ#2116359)
 - Fix SSH Key permissions (RHBZ#2021258)
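Review bot: The patch-list hunk drops ten 0.1.64 backports (sudoers includes, the AUID and perm=x audit filters, the s390x FIPS/pam_pkcs11/GRUB2 workarounds, the smartcard_auth fix), but the 0.1.66-1 changelog entry only records the STIG, sshd key, audit watch, firewalld, pwhistory, logind and rsyslog changes, so a reader cannot tell from this spec whether the other dropped behaviours are now carried by the upstream 0.1.66 tarball or were lost in the rebase. If they landed upstream, a bullet such as `- Drop 0.1.64 backports now included upstream (sudoers includes, AUID/perm=x audit filters, s390x fixes, smartcard_auth)` would make that traceable. The new Patch1–Patch5 files carry a 0.1.67 prefix against `Version: 0.1.66`; presumably they are backports from the next upstream release, which the `#` comment above each Patch line could state explicitly.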
