From f04235cd7394f6e40142788e24397ae7a2470e80 Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: Nov 03 2016 06:14:52 +0000 Subject: import scap-security-guide-0.1.30-3.el7 --- diff --git a/.gitignore b/.gitignore index 20df2b2..ea97346 100644 --- a/.gitignore +++ b/.gitignore @@ -1 +1 @@ -SOURCES/scap-security-guide-0.1.25.tar.gz +SOURCES/scap-security-guide-0.1.30.tar.gz diff --git a/.scap-security-guide.metadata b/.scap-security-guide.metadata index 7038a45..2d6f46b 100644 --- a/.scap-security-guide.metadata +++ b/.scap-security-guide.metadata @@ -1 +1 @@ -1dc2e85ad80098968485bc75050697abc40143d4 SOURCES/scap-security-guide-0.1.25.tar.gz +6630e157fce94380bc4610538b1fb8cccfaf5f57 SOURCES/scap-security-guide-0.1.30.tar.gz diff --git a/SOURCES/scap-security-guide-0.1.19-rhel7-drop-cpuspeed-rule-since-obsolete.patch b/SOURCES/scap-security-guide-0.1.19-rhel7-drop-cpuspeed-rule-since-obsolete.patch deleted file mode 100644 index fac759b..0000000 --- a/SOURCES/scap-security-guide-0.1.19-rhel7-drop-cpuspeed-rule-since-obsolete.patch +++ /dev/null @@ -1,26 +0,0 @@ ---- scap-security-guide-0.1.19/RHEL/7/input/services/base.xml.orig 2014-09-29 07:29:50.979356661 -0400 -+++ scap-security-guide-0.1.19/RHEL/7/input/services/base.xml 2014-09-29 07:30:23.749395788 -0400 -@@ -91,23 +91,6 @@ service is not necessary. - - - -- --Disable CPU Speed (cpuspeed) --The cpuspeed service can adjust the clock speed of supported CPUs based upon --the current processing load thereby conserving power and reducing heat. -- -- -- --The cpuspeed service is only necessary if adjusting the CPU clock speed --provides benefit. Traditionally this has included laptops (to enhance battery life), --but may also apply to server or desktop environments where conserving power is --highly desirable or necessary. -- -- -- -- -- -- - - Enable IRQ Balance (irqbalance) - The irqbalance service optimizes the balance between diff --git a/SOURCES/scap-security-guide-0.1.25-add-adjtimex-settimeofday-stime-rhel7-remediation.patch b/SOURCES/scap-security-guide-0.1.25-add-adjtimex-settimeofday-stime-rhel7-remediation.patch deleted file mode 100644 index b0b28d6..0000000 --- a/SOURCES/scap-security-guide-0.1.25-add-adjtimex-settimeofday-stime-rhel7-remediation.patch +++ /dev/null @@ -1,135 +0,0 @@ -From bb68e10170f532fed47277d76eb74f4fad498039 Mon Sep 17 00:00:00 2001 -From: Jan Lieskovsky -Date: Fri, 24 Jul 2015 16:21:04 +0200 -Subject: [PATCH] [Enhancement] [RHEL/7] New RHEL-7 audit time remediations for - following rules: * audit_rules_time_adjtimex, * - audit_rules_time_settimeofday, and * audit_rules_time_stime - -Testing report: --------------- -Verified manually on RHEL-7 host the changes are working fine (in both -scenarios, expected rule not at all present in audit.rules configuration, -or expected rule partially present in audit.rules configuration) ---- - .../input/fixes/bash/audit_rules_time_adjtimex.sh | 32 ++++++++++++++++++++++ - .../fixes/bash/audit_rules_time_settimeofday.sh | 32 ++++++++++++++++++++++ - RHEL/7/input/fixes/bash/audit_rules_time_stime.sh | 32 ++++++++++++++++++++++ - 3 files changed, 96 insertions(+) - create mode 100644 RHEL/7/input/fixes/bash/audit_rules_time_adjtimex.sh - create mode 100644 RHEL/7/input/fixes/bash/audit_rules_time_settimeofday.sh - create mode 100644 RHEL/7/input/fixes/bash/audit_rules_time_stime.sh - -diff --git a/RHEL/7/input/fixes/bash/audit_rules_time_adjtimex.sh b/RHEL/7/input/fixes/bash/audit_rules_time_adjtimex.sh -new file mode 100644 -index 0000000..43fdfbb ---- /dev/null -+++ b/RHEL/7/input/fixes/bash/audit_rules_time_adjtimex.sh -@@ -0,0 +1,32 @@ -+ -+# Include source function library. -+. /usr/share/scap-security-guide/remediation_functions -+ -+# Perform the remediation for the syscall rule -+# Retrieve hardware architecture of the underlying system -+[ $(getconf LONG_BIT) = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64") -+ -+for ARCH in "${RULE_ARCHS[@]}" -+do -+ -+ PATTERN="-a always,exit -F arch=${ARCH} -S .* -k *" -+ -+ # Create expected audit group and audit rule form for particular system call & architecture -+ if [ ${ARCH} = "b32" ] -+ then -+ # stime system call is known at 32-bit arch (see e.g "$ ausyscall i386 stime" 's output) -+ # so append it to the list of time group system calls to be audited -+ GROUP="\(adjtimex\|settimeofday\|stime\)" -+ FULL_RULE="-a always,exit -F arch=${ARCH} -S adjtimex -S settimeofday -S stime -k audit_time_rules" -+ elif [ ${ARCH} = "b64" ] -+ then -+ # stime system call isn't known at 64-bit arch (see "$ ausyscall x86_64 stime" 's output) -+ # therefore don't add it to the list of time group system calls to be audited -+ GROUP="\(adjtimex\|settimeofday\)" -+ FULL_RULE="-a always,exit -F arch=${ARCH} -S adjtimex -S settimeofday -k audit_time_rules" -+ fi -+ -+ # Perform the remediation for both possible tools: 'auditctl' and 'augenrules' -+ fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" -+ fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" -+done -diff --git a/RHEL/7/input/fixes/bash/audit_rules_time_settimeofday.sh b/RHEL/7/input/fixes/bash/audit_rules_time_settimeofday.sh -new file mode 100644 -index 0000000..43fdfbb ---- /dev/null -+++ b/RHEL/7/input/fixes/bash/audit_rules_time_settimeofday.sh -@@ -0,0 +1,32 @@ -+ -+# Include source function library. -+. /usr/share/scap-security-guide/remediation_functions -+ -+# Perform the remediation for the syscall rule -+# Retrieve hardware architecture of the underlying system -+[ $(getconf LONG_BIT) = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64") -+ -+for ARCH in "${RULE_ARCHS[@]}" -+do -+ -+ PATTERN="-a always,exit -F arch=${ARCH} -S .* -k *" -+ -+ # Create expected audit group and audit rule form for particular system call & architecture -+ if [ ${ARCH} = "b32" ] -+ then -+ # stime system call is known at 32-bit arch (see e.g "$ ausyscall i386 stime" 's output) -+ # so append it to the list of time group system calls to be audited -+ GROUP="\(adjtimex\|settimeofday\|stime\)" -+ FULL_RULE="-a always,exit -F arch=${ARCH} -S adjtimex -S settimeofday -S stime -k audit_time_rules" -+ elif [ ${ARCH} = "b64" ] -+ then -+ # stime system call isn't known at 64-bit arch (see "$ ausyscall x86_64 stime" 's output) -+ # therefore don't add it to the list of time group system calls to be audited -+ GROUP="\(adjtimex\|settimeofday\)" -+ FULL_RULE="-a always,exit -F arch=${ARCH} -S adjtimex -S settimeofday -k audit_time_rules" -+ fi -+ -+ # Perform the remediation for both possible tools: 'auditctl' and 'augenrules' -+ fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" -+ fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" -+done -diff --git a/RHEL/7/input/fixes/bash/audit_rules_time_stime.sh b/RHEL/7/input/fixes/bash/audit_rules_time_stime.sh -new file mode 100644 -index 0000000..43fdfbb ---- /dev/null -+++ b/RHEL/7/input/fixes/bash/audit_rules_time_stime.sh -@@ -0,0 +1,32 @@ -+ -+# Include source function library. -+. /usr/share/scap-security-guide/remediation_functions -+ -+# Perform the remediation for the syscall rule -+# Retrieve hardware architecture of the underlying system -+[ $(getconf LONG_BIT) = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64") -+ -+for ARCH in "${RULE_ARCHS[@]}" -+do -+ -+ PATTERN="-a always,exit -F arch=${ARCH} -S .* -k *" -+ -+ # Create expected audit group and audit rule form for particular system call & architecture -+ if [ ${ARCH} = "b32" ] -+ then -+ # stime system call is known at 32-bit arch (see e.g "$ ausyscall i386 stime" 's output) -+ # so append it to the list of time group system calls to be audited -+ GROUP="\(adjtimex\|settimeofday\|stime\)" -+ FULL_RULE="-a always,exit -F arch=${ARCH} -S adjtimex -S settimeofday -S stime -k audit_time_rules" -+ elif [ ${ARCH} = "b64" ] -+ then -+ # stime system call isn't known at 64-bit arch (see "$ ausyscall x86_64 stime" 's output) -+ # therefore don't add it to the list of time group system calls to be audited -+ GROUP="\(adjtimex\|settimeofday\)" -+ FULL_RULE="-a always,exit -F arch=${ARCH} -S adjtimex -S settimeofday -k audit_time_rules" -+ fi -+ -+ # Perform the remediation for both possible tools: 'auditctl' and 'augenrules' -+ fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" -+ fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" -+done diff --git a/SOURCES/scap-security-guide-0.1.25-centos-menu-branding.patch b/SOURCES/scap-security-guide-0.1.25-centos-menu-branding.patch deleted file mode 100644 index f4b2d39..0000000 --- a/SOURCES/scap-security-guide-0.1.25-centos-menu-branding.patch +++ /dev/null @@ -1,249 +0,0 @@ -diff -uNrp scap-security-guide-0.1.25.orig/RHEL/7/input/profiles/pci-dss.xml scap-security-guide-0.1.25/RHEL/7/input/profiles/pci-dss.xml ---- scap-security-guide-0.1.25.orig/RHEL/7/input/profiles/pci-dss.xml 2015-12-08 07:06:53.929233818 -0600 -+++ scap-security-guide-0.1.25/RHEL/7/input/profiles/pci-dss.xml 2015-12-08 07:30:17.747857532 -0600 -@@ -1,5 +1,5 @@ - --Draft PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7 -+Draft PCI-DSS v3 Control Baseline for CentOS Linux 7 - This is a *draft* profile for PCI-DSS v3 - - -@@ -54,20 +54,20 @@ - -- -- -+ -+ - - -- -+ - - -@@ -77,19 +77,19 @@ - - - -- -+ - - - - - -- -+ - - - -- -- -+ -+ - -- -- -- -- -+ -+ -+ -+ - - -- -- -+ -+ - - - -- -+ - - - - - -- -+ - - - - - - -- -+ - - -@@ -78,19 +78,19 @@ - - - -- -+ - - - - - -- -+ - - - - --This requirement does not apply against Red Hat Enterprise Linux 7: -+This requirement does not apply against CentOS Linux 7: - see: https://github.com/OpenSCAP/scap-security-guide/issues/67 for details. - -diff -uNrp scap-security-guide-0.1.25.orig/RHEL/7/input/profiles/stig-rhel7-server-upstream.xml scap-security-guide-0.1.25/RHEL/7/input/profiles/stig-rhel7-server-upstream.xml ---- scap-security-guide-0.1.25.orig/RHEL/7/input/profiles/stig-rhel7-server-upstream.xml 2015-08-19 10:54:02.000000000 -0500 -+++ scap-security-guide-0.1.25/RHEL/7/input/profiles/stig-rhel7-server-upstream.xml 2015-12-08 07:33:44.930380583 -0600 -@@ -1,5 +1,5 @@ - --Pre-release Draft STIG for Red Hat Enterprise Linux 7 Server -+Pre-release Draft STIG for CentOS Linux 7 Server - This profile is being developed under the DoD consensus model to become a STIG in coordination with DISA FSO. - - - -- - - -+ - - -- -- - - - -- - - diff --git a/SOURCES/scap-security-guide-0.1.30-downstream-rhbz#1357019.patch b/SOURCES/scap-security-guide-0.1.30-downstream-rhbz#1357019.patch new file mode 100644 index 0000000..a3129fa --- /dev/null +++ b/SOURCES/scap-security-guide-0.1.30-downstream-rhbz#1357019.patch @@ -0,0 +1,108 @@ +From bfaac3332c7e06b4252746f6da514fd44e74b0e6 Mon Sep 17 00:00:00 2001 +From: Jan Lieskovsky +Date: Wed, 10 Aug 2016 15:47:58 +0200 +Subject: [PATCH] [BugFix] [RHEL/7] Rewrite RHEL-7 remediation for + 'smartcard_auth' rule since per downstream bug: + https://bugzilla.redhat.com/show_bug.cgi?id=1357019 + +we can't use 'authconfig' binary direct call, because it will +discard the changes as performed and required by other remediation +scripts also touching /etc/pam.d/system-auth{,-ac} file + +Therefore return to previous version updating necessary files +directly via 'sed' tool (rather than using 'authconfig' binary) + +Note: While on the rule also update XCCDF link providing further +info how to setup smartcard auth (since the current one returns +HTTP 404 Not Found) +--- + RHEL/7/input/xccdf/system/accounts/physical.xml | 2 +- + RHEL/7/input/remediations/bash/smartcard_auth.sh | 61 +++++++++++++++++++++++-- + 2 files changed, 58 insertions(+), 5 deletions(-) + +diff --git a/RHEL/7/input/xccdf/system/accounts/physical.xml b/RHEL/7/input/xccdf/system/accounts/physical.xml +index b3ac250..d229469 100644 +--- a/RHEL/7/input/xccdf/system/accounts/physical.xml ++++ b/RHEL/7/input/xccdf/system/accounts/physical.xml +@@ -375,7 +375,7 @@ is not enabled by default and must be enabled in the system settings. + + To enable smart card authentication, consult the documentation at: +
    +-
  • https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7-Beta/html/System-Level_Authentication_Guide/authconfig-addl-auth.html#authconfig-smartcard
  • ++
  • https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System-Level_Authentication_Guide/smartcards.html#authconfig-smartcards
  • +
+ For guidance on enabling SSH to authenticate against a Common Access Card (CAC), consult documentation at: +
    +diff --git a/RHEL/7/input/remediations/bash/smartcard_auth.sh b/RHEL/7/input/remediations/bash/smartcard_auth.sh +index 6292515..2fe5cc8 100644 +--- a/RHEL/7/input/remediations/bash/smartcard_auth.sh ++++ b/RHEL/7/input/remediations/bash/smartcard_auth.sh +@@ -8,11 +8,64 @@ package_command install pam_pkcs11 + # Enable pcscd.socket systemd activation socket + service_command enable pcscd.socket + +-# Enable smartcard authentication (but allow also other ways +-# to login not to possibly cut off the system in question) +-/usr/sbin/authconfig --enablesmartcard --updateall ++# Configure the expected /etc/pam.d/system-auth{,-ac} settings directly ++# ++# The code below will configure system authentication in the way smart card ++# logins will be enabled, but also user login(s) via other method to be allowed ++# ++# NOTE: It is not possible to use the 'authconfig' command to perform the ++# remediation for us, because call of 'authconfig' would discard changes ++# for other remediations (see RH BZ#1357019 for details) ++# ++# Therefore we need to configure the necessary settings directly. ++# + +-# Define constants to be reused below ++# Define system-auth config location ++SYSTEM_AUTH_CONF="/etc/pam.d/system-auth" ++# Define expected 'pam_env.so' row in $SYSTEM_AUTH_CONF ++PAM_ENV_SO="auth.*required.*pam_env.so" ++ ++# Define 'pam_succeed_if.so' row to be appended past $PAM_ENV_SO row into $SYSTEM_AUTH_CONF ++SYSTEM_AUTH_PAM_SUCCEED="\ ++auth \[success=1 default=ignore\] pam_succeed_if.so service notin \ ++login:gdm:xdm:kdm:xscreensaver:gnome-screensaver:kscreensaver quiet use_uid" ++# Define 'pam_pkcs11.so' row to be appended past $SYSTEM_AUTH_PAM_SUCCEED ++# row into SYSTEM_AUTH_CONF file ++SYSTEM_AUTH_PAM_PKCS11="\ ++auth \[success=done authinfo_unavail=ignore ignore=ignore default=die\] \ ++pam_pkcs11.so nodebug" ++ ++# Define smartcard-auth config location ++SMARTCARD_AUTH_CONF="/etc/pam.d/smartcard-auth" ++# Define 'pam_pkcs11.so' auth section to be appended past $PAM_ENV_SO into $SMARTCARD_AUTH_CONF ++SMARTCARD_AUTH_SECTION="\ ++auth [success=done ignore=ignore default=die] pam_pkcs11.so wait_for_card card_only" ++# Define expected 'pam_permit.so' row in $SMARTCARD_AUTH_CONF ++PAM_PERMIT_SO="account.*required.*pam_permit.so" ++# Define 'pam_pkcs11.so' password section ++SMARTCARD_PASSWORD_SECTION="\ ++password required pam_pkcs11.so" ++ ++# First Correct the SYSTEM_AUTH_CONF configuration ++if ! grep -q 'pam_pkcs11.so' "$SYSTEM_AUTH_CONF" ++then ++ # Append (expected) pam_succeed_if.so row past the pam_env.so into SYSTEM_AUTH_CONF file ++ sed -i --follow-symlinks -e '/^'"$PAM_ENV_SO"'/a '"$SYSTEM_AUTH_PAM_SUCCEED" "$SYSTEM_AUTH_CONF" ++ # Append (expected) pam_pkcs11.so row past the pam_succeed_if.so into SYSTEM_AUTH_CONF file ++ sed -i --follow-symlinks -e '/^'"$SYSTEM_AUTH_PAM_SUCCEED"'/a '"$SYSTEM_AUTH_PAM_PKCS11" "$SYSTEM_AUTH_CONF" ++fi ++ ++# Then also correct the SMARTCARD_AUTH_CONF ++if ! grep -q 'pam_pkcs11.so' "$SMARTCARD_AUTH_CONF" ++then ++ # Append (expected) SMARTCARD_AUTH_SECTION row past the pam_env.so into SMARTCARD_AUTH_CONF file ++ sed -i --follow-symlinks -e '/^'"$PAM_ENV_SO"'/a '"$SMARTCARD_AUTH_SECTION" "$SMARTCARD_AUTH_CONF" ++ # Append (expected) SMARTCARD_PASSWORD_SECTION row past the pam_permit.so into SMARTCARD_AUTH_CONF file ++ sed -i --follow-symlinks -e '/^'"$PAM_PERMIT_SO"'/a '"$SMARTCARD_PASSWORD_SECTION" "$SMARTCARD_AUTH_CONF" ++fi ++ ++# Perform /etc/pam_pkcs11/pam_pkcs11.conf settings below ++# Define selected constants for later reuse + SP="[:space:]" + PAM_PKCS11_CONF="/etc/pam_pkcs11/pam_pkcs11.conf" + diff --git a/SOURCES/scap-security-guide-0.1.30-downstream-rhel7-pci-dss-drop-rpm-verify-permissions-rule.patch b/SOURCES/scap-security-guide-0.1.30-downstream-rhel7-pci-dss-drop-rpm-verify-permissions-rule.patch new file mode 100644 index 0000000..0fc79df --- /dev/null +++ b/SOURCES/scap-security-guide-0.1.30-downstream-rhel7-pci-dss-drop-rpm-verify-permissions-rule.patch @@ -0,0 +1,10 @@ +--- scap-security-guide-0.1.30/RHEL/7/input/profiles/pci-dss.xml.orig 2016-06-22 16:59:38.965107812 +0200 ++++ scap-security-guide-0.1.30/RHEL/7/input/profiles/pci-dss.xml 2016-06-22 17:00:06.538687935 +0200 +@@ -57,7 +57,6 @@ + + + +