From 2e618f9239de966ec167f7b43ae854650a3421ad Mon Sep 17 00:00:00 2001 From: Watson Sato Date: Wed, 3 Apr 2019 18:05:15 +0200 Subject: [PATCH 1/3] Introduce CPE shadow-utils - Add inventory OVAL check for shadow-utils package installed - Add shadow-utils CPE to RHEL7 dictionary --- rhel7/cpe/rhel7-cpe-dictionary.xml | 5 ++++ ...installed_env_has_shadow-utils_package.xml | 24 +++++++++++++++++++ 2 files changed, 29 insertions(+) create mode 100644 shared/checks/oval/installed_env_has_shadow-utils_package.xml diff --git a/rhel7/cpe/rhel7-cpe-dictionary.xml b/rhel7/cpe/rhel7-cpe-dictionary.xml index 23541378f8..44fe06f103 100644 --- a/rhel7/cpe/rhel7-cpe-dictionary.xml +++ b/rhel7/cpe/rhel7-cpe-dictionary.xml @@ -47,4 +47,9 @@ installed_env_is_a_machine + + Package shadow-utils is installed + + installed_env_has_shadow-utils_package + diff --git a/shared/checks/oval/installed_env_has_shadow-utils_package.xml b/shared/checks/oval/installed_env_has_shadow-utils_package.xml new file mode 100644 index 0000000000..12dd5bd565 --- /dev/null +++ b/shared/checks/oval/installed_env_has_shadow-utils_package.xml @@ -0,0 +1,24 @@ + + + + Package shadow-utils is installed + + multi_platform_all + + Checks if package shadow-utils is installed. + + + + + + + + + + + + shadow-utils + + + From 06650f96e4e880c90a23eaf565e70d37a175aa47 Mon Sep 17 00:00:00 2001 From: Watson Sato Date: Wed, 3 Apr 2019 18:10:33 +0200 Subject: [PATCH 2/3] Rules are applicable when shadow-utils installed If package shadow-utils is not installed, the rule will result in notapplicable. --- .../account_disable_post_pw_expiration/rule.yml | 2 ++ .../accounts_maximum_age_login_defs/rule.yml | 2 ++ .../accounts_minimum_age_login_defs/rule.yml | 2 ++ .../accounts_password_minlen_login_defs/rule.yml | 2 ++ .../accounts_password_warn_age_login_defs/rule.yml | 2 ++ .../accounts-session/accounts_logon_fail_delay/rule.yml | 2 ++ 6 files changed, 12 insertions(+) diff --git a/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_disable_post_pw_expiration/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_disable_post_pw_expiration/rule.yml index 9d19274f1c..d8b29b6436 100644 --- a/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_disable_post_pw_expiration/rule.yml +++ b/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_disable_post_pw_expiration/rule.yml @@ -62,3 +62,5 @@ ocil: |- to an appropriate integer as shown in the example below:
$ grep "INACTIVE" /etc/default/useradd
     INACTIVE=
+ +platform: shadow-utils diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/rule.yml index 90dc1b4f2b..de322bc787 100644 --- a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/rule.yml +++ b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/rule.yml @@ -55,3 +55,5 @@ ocil: |-
$ grep PASS_MAX_DAYS /etc/login.defs
The DoD and FISMA requirement is 60. A value of 180 days is sufficient for many environments. + +platform: shadow-utils diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_minimum_age_login_defs/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_minimum_age_login_defs/rule.yml index 88706c8b3e..dd7030cd0a 100644 --- a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_minimum_age_login_defs/rule.yml +++ b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_minimum_age_login_defs/rule.yml @@ -49,3 +49,5 @@ ocil_clause: 'it is not equal to or greater than the required value' ocil: |- To check the minimum password age, run the command:
$ grep PASS_MIN_DAYS /etc/login.defs
+ +platform: shadow-utils diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_minlen_login_defs/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_minlen_login_defs/rule.yml index 814fda94b9..d38ee253fb 100644 --- a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_minlen_login_defs/rule.yml +++ b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_minlen_login_defs/rule.yml @@ -51,3 +51,5 @@ ocil: |- To check the minimum password length, run the command:
$ grep PASS_MIN_LEN /etc/login.defs
The DoD requirement is 15. + +platform: shadow-utils diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_warn_age_login_defs/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_warn_age_login_defs/rule.yml index d8947ad9fd..85b5cd762f 100644 --- a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_warn_age_login_defs/rule.yml +++ b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_warn_age_login_defs/rule.yml @@ -40,3 +40,5 @@ ocil: |- To check the password warning age, run the command:
$ grep PASS_WARN_AGE /etc/login.defs
The DoD requirement is 7. + +platform: shadow-utils diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_logon_fail_delay/rule.yml b/linux_os/guide/system/accounts/accounts-session/accounts_logon_fail_delay/rule.yml index 171051e138..33fc873e97 100644 --- a/linux_os/guide/system/accounts/accounts-session/accounts_logon_fail_delay/rule.yml +++ b/linux_os/guide/system/accounts/accounts-session/accounts_logon_fail_delay/rule.yml @@ -37,3 +37,5 @@ ocil: |- All output must show the value of FAIL_DELAY set as shown in the below:
$ sudo grep -i "FAIL_DELAY" /etc/login.defs
     fail_delay 
+ +platform: shadow-utils From 63ab7328a57c185734037a124eab2ab8ac740e82 Mon Sep 17 00:00:00 2001 From: Watson Sato Date: Wed, 3 Apr 2019 18:14:58 +0200 Subject: [PATCH 3/3] Map shadow-utils platform to CPE name --- ssg/constants.py | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/ssg/constants.py b/ssg/constants.py index b80382be3d..f96fd51790 100644 --- a/ssg/constants.py +++ b/ssg/constants.py @@ -375,7 +375,8 @@ XCCDF_PLATFORM_TO_CPE = { "machine": "cpe:/a:machine", - "container": "cpe:/a:container" + "container": "cpe:/a:container", + "shadow-utils": "cpe:/a:shadow-utils", } # Application constants