diff --git a/.gitignore b/.gitignore
index 6d68201..2d690d4 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1 @@
-SOURCES/scap-security-guide-0.1.36.tar.bz2
+SOURCES/scap-security-guide-0.1.40.tar.bz2
diff --git a/.scap-security-guide.metadata b/.scap-security-guide.metadata
index 8589e93..38b0eff 100644
--- a/.scap-security-guide.metadata
+++ b/.scap-security-guide.metadata
@@ -1 +1 @@
-1c244d1053d58edb7e5020b7e906b9edc89db48c SOURCES/scap-security-guide-0.1.36.tar.bz2
+0e2850b70814bb080516ed6344d145d834ca12bc SOURCES/scap-security-guide-0.1.40.tar.bz2
diff --git a/SOURCES/scap-security-guide-0.1.33-update-upstream-manual-page.patch b/SOURCES/scap-security-guide-0.1.33-update-upstream-manual-page.patch
index f37821c..6a437b2 100644
--- a/SOURCES/scap-security-guide-0.1.33-update-upstream-manual-page.patch
+++ b/SOURCES/scap-security-guide-0.1.33-update-upstream-manual-page.patch
@@ -26,4 +26,4 @@ index 10b83bc..305957b 100644 - .SH EXAMPLES To scan your system utilizing the OpenSCAP utility against the - ospp-rhel7 profile: + ospp profile:
diff --git a/SOURCES/scap-security-guide-0.1.37-Deprecate-RhostsRSAAuthentication.patch b/SOURCES/scap-security-guide-0.1.37-Deprecate-RhostsRSAAuthentication.patch
deleted file mode 100644
index 928131d..0000000
--- a/SOURCES/scap-security-guide-0.1.37-Deprecate-RhostsRSAAuthentication.patch
+++ /dev/null
@@ -1,57 +0,0 @@ -From 44d270133421722ac0dfa0af9756b73d582f4d56 Mon Sep 17 00:00:00 2001 -From: Gabe -Date: Fri, 8 Dec 2017 11:59:13 -0700 -Subject: [PATCH] Deprecate RhostsRSAAuthentication as it have been deprecated - in 7.4 - -- Fixes #2478 ---- - shared/checks/oval/sshd_disable_rhosts_rsa.xml | 7 +++++-- - shared/xccdf/services/ssh.xml | 9 +++++++++ - 2 files changed, 14 insertions(+), 2 deletions(-) - -diff --git a/shared/checks/oval/sshd_disable_rhosts_rsa.xml b/shared/checks/oval/sshd_disable_rhosts_rsa.xml -index d7e00fafc..2abf88c70 100644 ---- a/shared/checks/oval/sshd_disable_rhosts_rsa.xml -+++ b/shared/checks/oval/sshd_disable_rhosts_rsa.xml -@@ -15,8 +15,11 @@ - - -- -+ -+ -+ -+ - - - -diff --git a/shared/xccdf/services/ssh.xml b/shared/xccdf/services/ssh.xml -index 6edd47ab8..53c28faa9 100644 ---- a/shared/xccdf/services/ssh.xml -+++ b/shared/xccdf/services/ssh.xml -@@ -603,6 +603,11 @@ following line in /etc/ssh/sshd_config: -
RhostsRSAAuthentication no
- - -+To check which SSH protocol version is allowed, check version of -+openssh-server with following command: -+
$ rpm -qi openssh-server | grep Version
-+Versions equal to or higher than 7.4 have deprecated the RhostsRSAAuthentication option. -+If version is lower than 7.4, run the following command to check configuration: - -
- -@@ -610,6 +615,10 @@ Configuring this setting for the SSH daemon provides additional - assurance that remove login via SSH will require a password, even - in the event of misconfiguration elsewhere. - -+As of openssh-server version 7.4 and above, -+the RhostsRSAAuthentication option has been deprecated, and the line -+
RhostsRSAAuthentication no
in /etc/ssh/sshd_config is not -+necessary.
- - - diff --git a/SOURCES/scap-security-guide-0.1.37-add-disa-stig-rule-id.patch b/SOURCES/scap-security-guide-0.1.37-add-disa-stig-rule-id.patch deleted file mode 100644 index 16e5eac..0000000 --- a/SOURCES/scap-security-guide-0.1.37-add-disa-stig-rule-id.patch +++ /dev/null 
@@ -1,95 +0,0 @@ -From 4bfc0f1d9cfe21ec672fc806f5421272f1c0b41f Mon Sep 17 00:00:00 2001 -From: Wesley Ceraso Prudencio -Date: Wed, 1 Nov 2017 14:17:24 +0100 -Subject: [PATCH] Enables the STIG Rule ID to be output - -Signed-off-by: Wesley Ceraso Prudencio ---- - cmake/SSGCommon.cmake | 5 ++++ - shared/utils/add_stig_references.py | 57 +++++++++++++++++++++++++++++++++++++ - 2 files changed, 62 insertions(+) - create mode 100755 shared/utils/add_stig_references.py - -diff --git a/cmake/SSGCommon.cmake b/cmake/SSGCommon.cmake -index 8ac826ef6..786e07532 100644 ---- a/cmake/SSGCommon.cmake -+++ b/cmake/SSGCommon.cmake -@@ -130,10 +130,15 @@ macro(ssg_build_shorthand_xml PRODUCT) - endmacro() - - macro(ssg_build_xccdf_unlinked PRODUCT) -+ file(GLOB STIG_REFERENCE_FILE_LIST "${SSG_SHARED_REFS}/disa-stig-${PRODUCT}-*-xccdf-manual.xml") -+ list(APPEND STIG_REFERENCE_FILE_LIST "not-found") -+ list(GET STIG_REFERENCE_FILE_LIST 0 STIG_REFERENCE_FILE) -+ - add_custom_command( - OUTPUT "${CMAKE_CURRENT_BINARY_DIR}/xccdf-unlinked-resolved.xml" - COMMAND "${XSLTPROC_EXECUTABLE}" --stringparam ssg_version "${SSG_VERSION}" --output "${CMAKE_CURRENT_BINARY_DIR}/xccdf-unlinked-resolved.xml" "${CMAKE_CURRENT_SOURCE_DIR}/transforms/shorthand2xccdf.xslt" "${CMAKE_CURRENT_BINARY_DIR}/shorthand.xml" - COMMAND "${OPENSCAP_OSCAP_EXECUTABLE}" xccdf resolve -o "${CMAKE_CURRENT_BINARY_DIR}/xccdf-unlinked-resolved.xml" "${CMAKE_CURRENT_BINARY_DIR}/xccdf-unlinked-resolved.xml" -+ COMMAND "${SSG_SHARED_UTILS}/add_stig_references.py" --disa-stig "${STIG_REFERENCE_FILE}" --unlinked-xccdf "${CMAKE_CURRENT_BINARY_DIR}/xccdf-unlinked-resolved.xml" - DEPENDS generate-internal-${PRODUCT}-shorthand.xml - DEPENDS "${CMAKE_CURRENT_BINARY_DIR}/shorthand.xml" - DEPENDS "${CMAKE_CURRENT_SOURCE_DIR}/transforms/shorthand2xccdf.xslt" -diff --git a/shared/utils/add_stig_references.py b/shared/utils/add_stig_references.py -new file mode 100755 -index 000000000..0ab208793 ---- /dev/null -+++ 
b/shared/utils/add_stig_references.py -@@ -0,0 +1,57 @@ -+#!/usr/bin/env python2 -+ -+try: -+ from xml.etree import cElementTree as etree -+except ImportError: -+ import cElementTree as etree -+ -+import re -+import sys -+import argparse -+ -+parser = argparse.ArgumentParser( -+ description='Add STIG references to XCCDF files.') -+parser.add_argument( -+ "--disa-stig", help="DISA STIG Reference XCCDF file",dest="reference") -+parser.add_argument( -+ "--unlinked-xccdf", help="unlinked SSG XCCDF file", dest="destination") -+args = parser.parse_args() -+ -+reference = args.reference -+destination = args.destination -+ -+xccdf_namespace = "http://checklists.nist.gov/xccdf/1.1" -+stig_href = 'http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx' -+stig_references_beginning = 'http://iase.disa.mil/stigs/' -+ -+try: -+ reference_root = etree.parse(reference) -+except IOError as exception: -+ print 'INFO: DISA STIG Reference file not found for this platform' -+ sys.exit(0) -+ -+reference_rules = reference_root.findall('.//{%s}Rule' % xccdf_namespace) -+ -+dictionary = {} -+ -+for rule in reference_rules: -+ version = rule.find('.//{%s}version' % xccdf_namespace) -+ if version is not None and version.text: -+ dictionary[version.text] = rule.get('id') -+ -+target_root = etree.parse(destination) -+target_rules = target_root.findall('.//{%s}Rule' % xccdf_namespace) -+ -+for rule in target_rules: -+ refs = rule.findall('.//{%s}reference' % xccdf_namespace) -+ for ref in refs: -+ if (ref.get('href').startswith(stig_references_beginning) and -+ ref.text in dictionary): -+ index = rule.getchildren().index(ref) -+ new_ref = etree.Element( -+ '{%s}reference' % xccdf_namespace, {'href': stig_href}) -+ new_ref.text = dictionary[ref.text] -+ new_ref.tail = ref.tail -+ rule.insert(index + 1, new_ref) -+ -+target_root.write(destination) 
diff --git a/SOURCES/scap-security-guide-0.1.37-disable-check-libexec_ownership.patch b/SOURCES/scap-security-guide-0.1.37-disable-check-libexec_ownership.patch
deleted file mode 100644
index 6289dcb..0000000
--- a/SOURCES/scap-security-guide-0.1.37-disable-check-libexec_ownership.patch
+++ /dev/null
@@ -1,23 +0,0 @@
-From 6f502074053282dd3afbb5ed1594fbbd524c9bc6 Mon Sep 17 00:00:00 2001
-From: Gabe
-Date: Fri, 8 Dec 2017 11:34:50 -0700
-Subject: [PATCH] Do not check library ownership in libexec
- -- Fixes #2473 ---- - shared/checks/oval/file_ownership_library_dirs.xml | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) -
-diff --git a/shared/checks/oval/file_ownership_library_dirs.xml b/shared/checks/oval/file_ownership_library_dirs.xml
-index 41394a01e..186c99012 100644
---- a/shared/checks/oval/file_ownership_library_dirs.xml
-+++ b/shared/checks/oval/file_ownership_library_dirs.xml
-@@ -34,7 +34,7 @@ - - - -- ^\/lib(|64)|^\/usr\/lib(|64) -+ ^\/lib(|64)\/|^\/usr\/lib(|64)\/ - ^.*$ - state_owner_libraries_not_root -
diff --git a/SOURCES/scap-security-guide-0.1.37-fix-aide-scan-email-notification-remediation.patch b/SOURCES/scap-security-guide-0.1.37-fix-aide-scan-email-notification-remediation.patch
deleted file mode 100644
index ba8214d..0000000
--- a/SOURCES/scap-security-guide-0.1.37-fix-aide-scan-email-notification-remediation.patch
+++ /dev/null
@@ -1,46 +0,0 @@ -From 082b98eca6f4200cf32744582c5ff1b385ea88db Mon Sep 17 00:00:00 2001 -From: Nathan Peters -Date: Wed, 20 Dec 2017 14:36:19 -0800 -Subject: [PATCH 1/2] Updated aide_scan_notification remediation to run cron - job as root - ---- - shared/fixes/bash/aide_scan_notification.sh | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/shared/fixes/bash/aide_scan_notification.sh b/shared/fixes/bash/aide_scan_notification.sh -index ac63227836..3862b21825 100644 ---- a/shared/fixes/bash/aide_scan_notification.sh -+++ b/shared/fixes/bash/aide_scan_notification.sh -@@ -11,6 +11,6 @@ if [ -f /var/spool/cron/root ]; then - fi - - if ! grep -qR '^.*\/usr\/sbin\/aide\s*\-\-check.*\|.*\/bin\/mail\s*-s\s*".*"\s*root@.*$' $CRONTAB $VARSPOOL $CRONDIRS; then -- echo '0 5 * * * /usr/sbin/aide --check | /bin/mail -s "$(hostname) - AIDE Integrity Check" root@localhost' >> $CRONTAB -+ echo '0 5 * * * root /usr/sbin/aide --check | /bin/mail -s "$(hostname) - AIDE Integrity Check" root@localhost' >> $CRONTAB - fi - - -From 6443aac41c6b28198c762d136805aaab090be45d Mon Sep 17 00:00:00 2001 -From: Nathan Peters -Date: Wed, 20 Dec 2017 14:50:36 -0800 -Subject: [PATCH 2/2] Fixed remediation script aide_scan_notification for - regular grep syntax - ---- - shared/fixes/bash/aide_scan_notification.sh | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/shared/fixes/bash/aide_scan_notification.sh b/shared/fixes/bash/aide_scan_notification.sh -index 3862b21825..f6908bda64 100644 ---- a/shared/fixes/bash/aide_scan_notification.sh -+++ b/shared/fixes/bash/aide_scan_notification.sh -@@ -10,7 +10,7 @@ if [ -f /var/spool/cron/root ]; then - VARSPOOL=/var/spool/cron/root - fi - --if ! grep -qR '^.*\/usr\/sbin\/aide\s*\-\-check.*\|.*\/bin\/mail\s*-s\s*".*"\s*root@.*$' $CRONTAB $VARSPOOL $CRONDIRS; then -+if ! 
grep -qR '^.*\/usr\/sbin\/aide\s*\-\-check.*|.*\/bin\/mail\s*-s\s*".*"\s*root@.*$' $CRONTAB $VARSPOOL $CRONDIRS; then - echo '0 5 * * * root /usr/sbin/aide --check | /bin/mail -s "$(hostname) - AIDE Integrity Check" root@localhost' >> $CRONTAB - fi - diff --git a/SOURCES/scap-security-guide-0.1.37-fix-local_d_typos.patch b/SOURCES/scap-security-guide-0.1.37-fix-local_d_typos.patch deleted file mode 100644 index e61027f..0000000 --- a/SOURCES/scap-security-guide-0.1.37-fix-local_d_typos.patch +++ /dev/null 
@@ -1,106 +0,0 @@ -From dca8feafaa0b9044a0cec24c245eecaf8b7658ab Mon Sep 17 00:00:00 2001 -From: Chuck Atkins -Date: Tue, 12 Dec 2017 14:32:20 -0500 -Subject: [PATCH] Fix typos "local/d" -> "local.d" - ---- - shared/fixes/ansible/dconf_gnome_banner_enabled.yml | 2 +- - .../fixes/ansible/dconf_gnome_screensaver_idle_activation_enabled.yml | 2 +- - shared/fixes/ansible/dconf_gnome_screensaver_idle_delay.yml | 2 +- - shared/fixes/ansible/dconf_gnome_screensaver_lock_delay.yml | 2 +- - shared/fixes/ansible/dconf_gnome_screensaver_lock_enabled.yml | 2 +- - shared/fixes/ansible/dconf_gnome_screensaver_mode_blank.yml | 2 +- - shared/fixes/ansible/dconf_gnome_screensaver_user_info.yml | 2 +- - 7 files changed, 7 insertions(+), 7 deletions(-) - -diff --git a/shared/fixes/ansible/dconf_gnome_banner_enabled.yml b/shared/fixes/ansible/dconf_gnome_banner_enabled.yml -index abd8a8002b..38cd4d4e99 100644 ---- a/shared/fixes/ansible/dconf_gnome_banner_enabled.yml -+++ b/shared/fixes/ansible/dconf_gnome_banner_enabled.yml -@@ -5,7 +5,7 @@ - # disruption = medium - - name: "Enable GNOME3 Login Warning Banner" - ini_file: -- dest: "/etc/dconf/db/local/d/00-security-settings" -+ dest: "/etc/dconf/db/local.d/00-security-settings" - section: "org/gnome/login-screen" - option: banner-message-enabled - value: true -diff --git a/shared/fixes/ansible/dconf_gnome_screensaver_idle_activation_enabled.yml b/shared/fixes/ansible/dconf_gnome_screensaver_idle_activation_enabled.yml -index 20d2013c52..3ed9b78b5a 100644 ---- a/shared/fixes/ansible/dconf_gnome_screensaver_idle_activation_enabled.yml -+++ b/shared/fixes/ansible/dconf_gnome_screensaver_idle_activation_enabled.yml -@@ -5,7 +5,7 @@ - # disruption = medium - - name: "Enable GNOME3 Screensaver Idle Activation" - ini_file: -- dest: "/etc/dconf/db/local/d/00-security-settings" -+ dest: "/etc/dconf/db/local.d/00-security-settings" - section: "org/gnome/desktop/screensaver" - option: idle_activation_enabled - value: true -diff --git 
a/shared/fixes/ansible/dconf_gnome_screensaver_idle_delay.yml b/shared/fixes/ansible/dconf_gnome_screensaver_idle_delay.yml -index a69c86225d..8d4e9d2adc 100644 ---- a/shared/fixes/ansible/dconf_gnome_screensaver_idle_delay.yml -+++ b/shared/fixes/ansible/dconf_gnome_screensaver_idle_delay.yml -@@ -7,7 +7,7 @@ - - - name: "Set GNOME3 Screensaver Inactivity Timeout" - ini_file: -- dest: "/etc/dconf/db/local/d/00-security-settings" -+ dest: "/etc/dconf/db/local.d/00-security-settings" - section: "org/gnome/desktop/screensaver" - option: idle-delay - value: "{{ inactivity_timeout_value }}" -diff --git a/shared/fixes/ansible/dconf_gnome_screensaver_lock_delay.yml b/shared/fixes/ansible/dconf_gnome_screensaver_lock_delay.yml -index f11b909b65..01dec5ea9b 100644 ---- a/shared/fixes/ansible/dconf_gnome_screensaver_lock_delay.yml -+++ b/shared/fixes/ansible/dconf_gnome_screensaver_lock_delay.yml -@@ -5,7 +5,7 @@ - # disruption = medium - - name: "Set GNOME3 Screensaver Lock Delay After Activation Period" - ini_file: -- dest: "/etc/dconf/db/local/d/00-security-settings" -+ dest: "/etc/dconf/db/local.d/00-security-settings" - section: "org/gnome/desktop/screensaver" - option: lock-delay - value: uint32 5 -diff --git a/shared/fixes/ansible/dconf_gnome_screensaver_lock_enabled.yml b/shared/fixes/ansible/dconf_gnome_screensaver_lock_enabled.yml -index be5ffc10eb..5ac6fe6b3f 100644 ---- a/shared/fixes/ansible/dconf_gnome_screensaver_lock_enabled.yml -+++ b/shared/fixes/ansible/dconf_gnome_screensaver_lock_enabled.yml -@@ -5,7 +5,7 @@ - # disruption = medium - - name: "Enable GNOME3 Screensaver Lock After Idle Period" - ini_file: -- dest: "/etc/dconf/db/local/d/00-security-settings" -+ dest: "/etc/dconf/db/local.d/00-security-settings" - section: "org/gnome/desktop/screensaver" - option: lock-enabled - value: true -diff --git a/shared/fixes/ansible/dconf_gnome_screensaver_mode_blank.yml b/shared/fixes/ansible/dconf_gnome_screensaver_mode_blank.yml -index d2be193fe1..64f6ba5b7e 
100644 ---- a/shared/fixes/ansible/dconf_gnome_screensaver_mode_blank.yml -+++ b/shared/fixes/ansible/dconf_gnome_screensaver_mode_blank.yml -@@ -5,7 +5,7 @@ - # disruption = medium - - name: "Implement Blank Screensaver" - ini_file: -- dest: "/etc/dconf/db/local/d/00-security-settings" -+ dest: "/etc/dconf/db/local.d/00-security-settings" - section: "org/gnome/desktop/screensaver" - option: picture-uri - value: string '' -diff --git a/shared/fixes/ansible/dconf_gnome_screensaver_user_info.yml b/shared/fixes/ansible/dconf_gnome_screensaver_user_info.yml -index ee407ad5b1..93873a997a 100644 ---- a/shared/fixes/ansible/dconf_gnome_screensaver_user_info.yml -+++ b/shared/fixes/ansible/dconf_gnome_screensaver_user_info.yml -@@ -5,7 +5,7 @@ - # disruption = medium - - name: "Disable Full Username on Splash Screen" - ini_file: -- dest: "/etc/dconf/db/local/d/00-security-settings" -+ dest: "/etc/dconf/db/local.d/00-security-settings" - section: "org/gnome/desktop/screensaver" - option: show-full-name-in-top-bar - value: false diff --git a/SOURCES/scap-security-guide-0.1.37-fix-missing-bash-remediation-include.patch b/SOURCES/scap-security-guide-0.1.37-fix-missing-bash-remediation-include.patch deleted file mode 100644 index 83822b8..0000000 --- a/SOURCES/scap-security-guide-0.1.37-fix-missing-bash-remediation-include.patch +++ /dev/null 
@@ -1,31 +0,0 @@ -From 4f9987487d11001ef666408dc88abaf783fa7395 Mon Sep 17 00:00:00 2001 -From: Marek Haicman -Date: Tue, 12 Dec 2017 00:04:39 +0100 -Subject: [PATCH] Fixed few remediation errors caused by missing include. - ---- - ...el7_fedora_perform_audit_adjtimex_settimeofday_stime_remediation.sh | 2 ++ - shared/fixes/bash/disable_ctrlaltdel_burstaction.sh | 3 +++ - 2 files changed, 5 insertions(+) - -diff --git a/shared/bash_remediation_functions/rhel7_fedora_perform_audit_adjtimex_settimeofday_stime_remediation.sh b/shared/bash_remediation_functions/rhel7_fedora_perform_audit_adjtimex_settimeofday_stime_remediation.sh -index 26498471e..755d483ac 100644 ---- a/shared/bash_remediation_functions/rhel7_fedora_perform_audit_adjtimex_settimeofday_stime_remediation.sh -+++ b/shared/bash_remediation_functions/rhel7_fedora_perform_audit_adjtimex_settimeofday_stime_remediation.sh -@@ -1,3 +1,5 @@ -+source fix_audit_syscall_rule.sh -+ - # Perform the remediation for the 'adjtimex', 'settimeofday', and 'stime' audit - # system calls on Red Hat Enterprise Linux 7 or Fedora OSes - function rhel7_fedora_perform_audit_adjtimex_settimeofday_stime_remediation { -diff --git a/shared/fixes/bash/disable_ctrlaltdel_burstaction.sh b/shared/fixes/bash/disable_ctrlaltdel_burstaction.sh -index ab01748c8..5266cf255 100644 ---- a/shared/fixes/bash/disable_ctrlaltdel_burstaction.sh -+++ b/shared/fixes/bash/disable_ctrlaltdel_burstaction.sh -@@ -1,3 +1,6 @@ - # platform = Red Hat Enterprise Linux 7, multi_platform_fedora - -+# Include source function library. -+. /usr/share/scap-security-guide/remediation_functions -+ - replace_or_append '/etc/systemd/system.conf' '^CtrlAltDelBurstAction=' 'none' '@CCENUM@' '%s=%s' diff --git a/SOURCES/scap-security-guide-0.1.37-fix-rhel7-ansible-role.patch b/SOURCES/scap-security-guide-0.1.37-fix-rhel7-ansible-role.patch deleted file mode 100644 index 988b7d2..0000000 --- a/SOURCES/scap-security-guide-0.1.37-fix-rhel7-ansible-role.patch +++ /dev/null 
@@ -1,103 +0,0 @@ -diff --git a/shared/fixes/ansible/dconf_gnome_banner_enabled.yml b/shared/fixes/ansible/dconf_gnome_banner_enabled.yml -index b2d79ef04..abd8a8002 100644 ---- a/shared/fixes/ansible/dconf_gnome_banner_enabled.yml -+++ b/shared/fixes/ansible/dconf_gnome_banner_enabled.yml -@@ -18,5 +18,6 @@ - path: /etc/dconf/db/local.d/locks/00-security-settings-lock - regexp: '^/org/gnome/login-screen/banner-message-enable' - line: '/org/gnome/login-screen/banner-message-enable' -+ create: yes - tags: - @ANSIBLE_TAGS@ -diff --git a/shared/fixes/ansible/dconf_gnome_screensaver_idle_activation_enabled.yml b/shared/fixes/ansible/dconf_gnome_screensaver_idle_activation_enabled.yml -index 3f85b384c..20d2013c5 100644 ---- a/shared/fixes/ansible/dconf_gnome_screensaver_idle_activation_enabled.yml -+++ b/shared/fixes/ansible/dconf_gnome_screensaver_idle_activation_enabled.yml -@@ -18,5 +18,6 @@ - path: /etc/dconf/db/local.d/locks/00-security-settings-lock - regexp: '^/org/gnome/desktop/screensaver/idle-activation-enabled' - line: '/org/gnome/desktop/screensaver/idle-activation-enabled' -+ create: yes - tags: - @ANSIBLE_TAGS@ -diff --git a/shared/fixes/ansible/dconf_gnome_screensaver_idle_delay.yml b/shared/fixes/ansible/dconf_gnome_screensaver_idle_delay.yml -index 79e48cf63..a69c86225 100644 ---- a/shared/fixes/ansible/dconf_gnome_screensaver_idle_delay.yml -+++ b/shared/fixes/ansible/dconf_gnome_screensaver_idle_delay.yml -@@ -20,5 +20,6 @@ - path: /etc/dconf/db/local.d/locks/00-security-settings-lock - regexp: '^/org/gnome/desktop/screensaver/idle-delay' - line: '/org/gnome/desktop/screensaver/idle-delay' -+ create: yes - tags: - @ANSIBLE_TAGS@ -diff --git a/shared/fixes/ansible/dconf_gnome_screensaver_lock_delay.yml b/shared/fixes/ansible/dconf_gnome_screensaver_lock_delay.yml -index cf73fe111..f11b909b6 100644 ---- a/shared/fixes/ansible/dconf_gnome_screensaver_lock_delay.yml -+++ b/shared/fixes/ansible/dconf_gnome_screensaver_lock_delay.yml -@@ -18,5 +18,6 @@ - 
path: /etc/dconf/db/local.d/locks/00-security-settings-lock - regexp: '^/org/gnome/desktop/screensaver/lock-delay' - line: '/org/gnome/desktop/screensaver/lock-delay' -+ create: yes - tags: - @ANSIBLE_TAGS@ -diff --git a/shared/fixes/ansible/dconf_gnome_screensaver_lock_enabled.yml b/shared/fixes/ansible/dconf_gnome_screensaver_lock_enabled.yml -index 4b203036b..be5ffc10e 100644 ---- a/shared/fixes/ansible/dconf_gnome_screensaver_lock_enabled.yml -+++ b/shared/fixes/ansible/dconf_gnome_screensaver_lock_enabled.yml -@@ -18,5 +18,6 @@ - path: /etc/dconf/db/local.d/locks/00-security-settings-lock - regexp: '^/org/gnome/desktop/screensaver/lock-enabled' - line: '/org/gnome/desktop/screensaver/lock-enabled' -+ create: yes - tags: - @ANSIBLE_TAGS@ -diff --git a/shared/fixes/ansible/rsyslog_remote_loghost.yml b/shared/fixes/ansible/rsyslog_remote_loghost.yml -index 16a8e1ab5..b15dcca12 100644 ---- a/shared/fixes/ansible/rsyslog_remote_loghost.yml -+++ b/shared/fixes/ansible/rsyslog_remote_loghost.yml -@@ -10,6 +10,7 @@ - dest: /etc/rsyslog.conf - regexp: "^\\*\\.\\*" - line: "*.* @@{{ rsyslog_remote_loghost_address }}" -+ create: yes - tags: - @ANSIBLE_TAGS@ - -diff --git a/shared/fixes/ansible/selinux_policytype.yml b/shared/fixes/ansible/selinux_policytype.yml -index c68da2c46..57583f94e 100644 ---- a/shared/fixes/ansible/selinux_policytype.yml -+++ b/shared/fixes/ansible/selinux_policytype.yml -@@ -5,8 +5,11 @@ - # disruption = low - - (xccdf-var var_selinux_policy_name) - --- name: "Configure SELinux Policy" -- selinux: -- policy: "{{ var_selinux_policy_name }}" -+- name: "@RULE_TITLE@" -+ lineinfile: -+ path: /etc/sysconfig/selinux -+ regexp: '^SELINUXTYPE=' -+ line: "SELINUXTYPE={{ var_selinux_policy_name }}" -+ create: yes - tags: - @ANSIBLE_TAGS@ -diff --git a/shared/fixes/ansible/selinux_state.yml b/shared/fixes/ansible/selinux_state.yml -index 62889bd4e..3e5b9f1ff 100644 ---- a/shared/fixes/ansible/selinux_state.yml -+++ b/shared/fixes/ansible/selinux_state.yml 
-@@ -6,7 +6,10 @@ - - (xccdf-var var_selinux_state) - - - name: "@RULE_TITLE@" -- selinux: -- state: "{{ var_selinux_state }}" -+ lineinfile: -+ path: /etc/sysconfig/selinux -+ regexp: '^SELINUX=' -+ line: "SELINUX={{ var_selinux_state }}" -+ create: yes - tags: - @ANSIBLE_TAGS@ diff --git a/SOURCES/scap-security-guide-0.1.37-fix-srg-table-empty-column.path b/SOURCES/scap-security-guide-0.1.37-fix-srg-table-empty-column.path deleted file mode 100644 index 242934a..0000000 --- a/SOURCES/scap-security-guide-0.1.37-fix-srg-table-empty-column.path +++ /dev/null @@ -1,51 +0,0 @@ -From 8b43d43533cf4a00de60da71a8aaa6e87776766f Mon Sep 17 00:00:00 2001 -From: Gabe -Date: Fri, 3 Nov 2017 10:36:57 -0600 -Subject: [PATCH] Remove CCI formatting from shared table-srgmap XSLT - -- CCI formatting is now done in earlier XSLT transformations. -- Fixes #2447 ---- - shared/transforms/shared_table-srgmap.xslt | 14 ++++++-------- - 1 file changed, 6 insertions(+), 8 deletions(-) - -diff --git a/shared/transforms/shared_table-srgmap.xslt b/shared/transforms/shared_table-srgmap.xslt -index 4a50dea33..7179f560e 100644 ---- a/shared/transforms/shared_table-srgmap.xslt -+++ b/shared/transforms/shared_table-srgmap.xslt -@@ -46,7 +46,7 @@ - - - -- -+ - - - -@@ -77,10 +77,9 @@ - - - -- -- -- -- -+ -+ -+ - - - -@@ -100,10 +99,9 @@ - - - -- -- -+ - -- -+ - - - diff --git a/SOURCES/scap-security-guide-0.1.37-fix-sshd_required-unset.patch b/SOURCES/scap-security-guide-0.1.37-fix-sshd_required-unset.patch deleted file mode 100644 index 8aeb431..0000000 --- a/SOURCES/scap-security-guide-0.1.37-fix-sshd_required-unset.patch +++ /dev/null 
@@ -1,822 +0,0 @@ -From 939d1cfd84b980e3a96dd1d82dfddcabf4b2a34a Mon Sep 17 00:00:00 2001 -From: Watson Sato -Date: Fri, 8 Dec 2017 15:14:26 +0100 -Subject: [PATCH 1/6] Drop check of package in sshd_required definitions - -This is not the best place to check if openssh-server is installed. - -We can check for openssh-server package when sshd is required and not -required. -But when sshd_required is not set, we don't check if openssh-server is -installed or not, because both are valid states. - -This gives the impression that when extending sshd_required_or_unset -and sshd_not_required_or_unset there is no need to check for -openssh-server package, which is not true. - -The only purpose of these definitions should be to check for state of -sshd_required value. ---- - shared/checks/oval/sshd_not_required_or_unset.xml | 6 +----- - shared/checks/oval/sshd_required_or_unset.xml | 6 +----- - 2 files changed, 2 insertions(+), 10 deletions(-) - -diff --git a/shared/checks/oval/sshd_not_required_or_unset.xml b/shared/checks/oval/sshd_not_required_or_unset.xml -index 76bf1b9b4..206b1b474 100644 ---- a/shared/checks/oval/sshd_not_required_or_unset.xml -+++ b/shared/checks/oval/sshd_not_required_or_unset.xml -@@ -9,11 +9,7 @@ - If SSHD is not required, we check it is not installed. If SSH requirement is unset, we are good. - - -- -- -- -- -+ - - -diff --git a/shared/checks/oval/sshd_required_or_unset.xml b/shared/checks/oval/sshd_required_or_unset.xml -index 04d6a687b..4518b181f 100644 ---- a/shared/checks/oval/sshd_required_or_unset.xml -+++ b/shared/checks/oval/sshd_required_or_unset.xml -@@ -9,11 +9,7 @@ - If SSHD is required, we check it is installed. If SSH requirement is unset, we are good. 
- - -- -- -- -- -+ - - - -From 0b02493e535e9b529af9eb71bf97f5b02d04c89e Mon Sep 17 00:00:00 2001 -From: Watson Sato -Date: Wed, 13 Dec 2017 18:09:47 +0100 -Subject: [PATCH 2/6] Also check state openssh-server package when - sshd_required is unset - -Explicitly check state of openssh-server package. -When openssh-server is installed, system should be configured, when not -installed, system is ok. -When sshd_required is set, either to required or not required, they act -as selector of openssh-server package state. If sshd_required is unset, -the state of openssh-server package selects whether system should be -configured or not. ---- - rhel7/checks/oval/sshd_disable_compression.xml | 14 ++++++++++---- - rhel7/checks/oval/sshd_disable_gssapi_auth.xml | 14 ++++++++++---- - rhel7/checks/oval/sshd_disable_kerb_auth.xml | 14 ++++++++++---- - rhel7/checks/oval/sshd_enable_strictmodes.xml | 14 ++++++++++---- - rhel7/checks/oval/sshd_use_approved_macs.xml | 14 ++++++++++---- - rhel7/checks/oval/sshd_use_priv_separation.xml | 14 ++++++++++---- - shared/checks/oval/disable_host_auth.xml | 15 +++++++++++---- - shared/checks/oval/sshd_allow_only_protocol2.xml | 15 +++++++++++---- - shared/checks/oval/sshd_disable_empty_passwords.xml | 14 ++++++++++---- - shared/checks/oval/sshd_disable_rhosts.xml | 14 ++++++++++---- - shared/checks/oval/sshd_disable_rhosts_rsa.xml | 14 ++++++++++---- - shared/checks/oval/sshd_disable_root_login.xml | 14 ++++++++++---- - shared/checks/oval/sshd_disable_user_known_hosts.xml | 15 +++++++++++---- - shared/checks/oval/sshd_do_not_permit_user_env.xml | 14 ++++++++++---- - shared/checks/oval/sshd_enable_warning_banner.xml | 14 ++++++++++---- - shared/checks/oval/sshd_enable_x11_forwarding.xml | 14 ++++++++++---- - shared/checks/oval/sshd_print_last_log.xml | 14 ++++++++++---- - shared/checks/oval/sshd_set_idle_timeout.xml | 18 ++++++++++++------ - shared/checks/oval/sshd_set_keepalive.xml | 14 ++++++++++---- - 
shared/checks/oval/sshd_use_approved_ciphers.xml | 18 ++++++++++++------ - shared/checks/oval/sshd_use_approved_macs.xml | 14 ++++++++++---- - 21 files changed, 217 insertions(+), 88 deletions(-) - -diff --git a/rhel7/checks/oval/sshd_disable_compression.xml b/rhel7/checks/oval/sshd_disable_compression.xml -index 8a4334f06..014741fe1 100644 ---- a/rhel7/checks/oval/sshd_disable_compression.xml -+++ b/rhel7/checks/oval/sshd_disable_compression.xml -@@ -7,13 +7,19 @@ - - SSH should either have compression disabled or set to delayed. - -- -- -+ -+ -+ -+ - -- -+ - - -diff --git a/rhel7/checks/oval/sshd_disable_gssapi_auth.xml b/rhel7/checks/oval/sshd_disable_gssapi_auth.xml -index ee184b8e8..5f32edc1e 100644 ---- a/rhel7/checks/oval/sshd_disable_gssapi_auth.xml -+++ b/rhel7/checks/oval/sshd_disable_gssapi_auth.xml -@@ -8,13 +8,19 @@ - Unless needed, disable the GSSAPI authentication option for - the SSH Server. - -- -- -+ -+ -+ -+ - -- -+ - - -diff --git a/rhel7/checks/oval/sshd_disable_kerb_auth.xml b/rhel7/checks/oval/sshd_disable_kerb_auth.xml -index c63cef03e..6f0e0babe 100644 ---- a/rhel7/checks/oval/sshd_disable_kerb_auth.xml -+++ b/rhel7/checks/oval/sshd_disable_kerb_auth.xml -@@ -8,13 +8,19 @@ - Unless needed, disable the Kerberos authentication option for - the SSH Server. - -- -- -+ -+ -+ -+ - -- -+ - - -diff --git a/rhel7/checks/oval/sshd_enable_strictmodes.xml b/rhel7/checks/oval/sshd_enable_strictmodes.xml -index 1346191d5..7728f6ae6 100644 ---- a/rhel7/checks/oval/sshd_enable_strictmodes.xml -+++ b/rhel7/checks/oval/sshd_enable_strictmodes.xml -@@ -8,13 +8,19 @@ - Enable StrictMode to check users home directory permissions - and configurations. 
- -- -- -+ -+ -+ -+ - -- -+ - - -diff --git a/rhel7/checks/oval/sshd_use_approved_macs.xml b/rhel7/checks/oval/sshd_use_approved_macs.xml -index bd05a5152..20b57041b 100644 ---- a/rhel7/checks/oval/sshd_use_approved_macs.xml -+++ b/rhel7/checks/oval/sshd_use_approved_macs.xml -@@ -9,13 +9,19 @@ - - - -- -- -+ -+ -+ -+ - -- -+ - - -diff --git a/rhel7/checks/oval/sshd_use_priv_separation.xml b/rhel7/checks/oval/sshd_use_priv_separation.xml -index c5ae32c27..2ec883fea 100644 ---- a/rhel7/checks/oval/sshd_use_priv_separation.xml -+++ b/rhel7/checks/oval/sshd_use_priv_separation.xml -@@ -8,13 +8,19 @@ - Use priviledge separation to cause the SSH process to drop - root privileges when not needed. - -- -- -+ -+ -+ -+ - -- -+ - - -diff --git a/shared/checks/oval/disable_host_auth.xml b/shared/checks/oval/disable_host_auth.xml -index 3e4cc5aea..3a00964ab 100644 ---- a/shared/checks/oval/disable_host_auth.xml -+++ b/shared/checks/oval/disable_host_auth.xml -@@ -7,12 +7,19 @@ - - SSH host-based authentication should be disabled. - -- -- -+ -+ -+ -+ -+ - -- -+ - - -diff --git a/shared/checks/oval/sshd_allow_only_protocol2.xml b/shared/checks/oval/sshd_allow_only_protocol2.xml -index 0a7ace128..224010263 100644 ---- a/shared/checks/oval/sshd_allow_only_protocol2.xml -+++ b/shared/checks/oval/sshd_allow_only_protocol2.xml -@@ -9,12 +9,19 @@ - - The OpenSSH daemon should be running protocol 2. 
- -- -- -+ -+ -+ -+ -+ - -- -+ - - - Remote connections from accounts with empty passwords should - be disabled (and dependencies are met) - -- -- -+ -+ -+ -+ - -- -+ - - -diff --git a/shared/checks/oval/sshd_disable_rhosts.xml b/shared/checks/oval/sshd_disable_rhosts.xml -index 86eb94a22..163ccfca5 100644 ---- a/shared/checks/oval/sshd_disable_rhosts.xml -+++ b/shared/checks/oval/sshd_disable_rhosts.xml -@@ -8,13 +8,19 @@ - Emulation of the rsh command through the ssh server should - be disabled (and dependencies are met) - -- -- -+ -+ -+ -+ - -- -+ - - -diff --git a/shared/checks/oval/sshd_disable_rhosts_rsa.xml b/shared/checks/oval/sshd_disable_rhosts_rsa.xml -index 2abf88c70..e949fb031 100644 ---- a/shared/checks/oval/sshd_disable_rhosts_rsa.xml -+++ b/shared/checks/oval/sshd_disable_rhosts_rsa.xml -@@ -8,13 +8,19 @@ - SSH can allow authentication through the obsolete rsh command - through the use of the authenticating user's SSH keys. This should be disabled. - -- -- -+ -+ -+ -+ - -- -+ - - - Root login via SSH should be disabled (and dependencies are - met) - -- -- -+ -+ -+ -+ - -- -+ - - -diff --git a/shared/checks/oval/sshd_disable_user_known_hosts.xml b/shared/checks/oval/sshd_disable_user_known_hosts.xml -index cc01ec6ca..0e121d496 100644 ---- a/shared/checks/oval/sshd_disable_user_known_hosts.xml -+++ b/shared/checks/oval/sshd_disable_user_known_hosts.xml -@@ -9,12 +9,19 @@ - to connect to systems if a cache of the remote systems public keys are available. - This should be disabled. 
- -- -- -+ -+ -+ -+ -+ - -- -+ - - -diff --git a/shared/checks/oval/sshd_do_not_permit_user_env.xml b/shared/checks/oval/sshd_do_not_permit_user_env.xml -index ad8ecdf68..afb799e20 100644 ---- a/shared/checks/oval/sshd_do_not_permit_user_env.xml -+++ b/shared/checks/oval/sshd_do_not_permit_user_env.xml -@@ -7,13 +7,19 @@ - - PermitUserEnvironment should be disabled - -- -- -+ -+ -+ -+ - -- -+ - - -diff --git a/shared/checks/oval/sshd_enable_warning_banner.xml b/shared/checks/oval/sshd_enable_warning_banner.xml -index 933822eb6..cd14ec9e9 100644 ---- a/shared/checks/oval/sshd_enable_warning_banner.xml -+++ b/shared/checks/oval/sshd_enable_warning_banner.xml -@@ -8,13 +8,19 @@ - SSH warning banner should be enabled (and dependencies are - met) - -- -- -+ -+ -+ -+ - -- -+ - - -diff --git a/shared/checks/oval/sshd_enable_x11_forwarding.xml b/shared/checks/oval/sshd_enable_x11_forwarding.xml -index 3aa45e51b..0a0e1bafd 100644 ---- a/shared/checks/oval/sshd_enable_x11_forwarding.xml -+++ b/shared/checks/oval/sshd_enable_x11_forwarding.xml -@@ -7,13 +7,19 @@ - - Enable X11Forwarding to encrypt X11 remote connections over SSH. - -- -- -+ -+ -+ -+ - -- -+ - - -diff --git a/shared/checks/oval/sshd_print_last_log.xml b/shared/checks/oval/sshd_print_last_log.xml -index 29367969d..83bc0df79 100644 ---- a/shared/checks/oval/sshd_print_last_log.xml -+++ b/shared/checks/oval/sshd_print_last_log.xml -@@ -8,13 +8,19 @@ - Enable PrintLastLog to display user's last login time - and date. - -- -- -+ -+ -+ -+ - -- -+ - - -diff --git a/shared/checks/oval/sshd_set_idle_timeout.xml b/shared/checks/oval/sshd_set_idle_timeout.xml -index a414790a0..180e87d83 100644 ---- a/shared/checks/oval/sshd_set_idle_timeout.xml -+++ b/shared/checks/oval/sshd_set_idle_timeout.xml -@@ -8,14 +8,20 @@ - The SSH idle timeout interval should be set to an - appropriate value. 
- -- -- -+ -- -- -- -+ -+ -+ -+ -+ - - -diff --git a/shared/checks/oval/sshd_set_keepalive.xml b/shared/checks/oval/sshd_set_keepalive.xml -index 5640638ae..8774e1d25 100644 ---- a/shared/checks/oval/sshd_set_keepalive.xml -+++ b/shared/checks/oval/sshd_set_keepalive.xml -@@ -8,13 +8,19 @@ - The SSH ClientAliveCountMax should be set to an appropriate - value (and dependencies are met) - -- -- -+ -+ -+ -+ - -- -+ - - -diff --git a/shared/checks/oval/sshd_use_approved_ciphers.xml b/shared/checks/oval/sshd_use_approved_ciphers.xml -index 84088aa5c..5a4e3a1f9 100644 ---- a/shared/checks/oval/sshd_use_approved_ciphers.xml -+++ b/shared/checks/oval/sshd_use_approved_ciphers.xml -@@ -9,13 +9,19 @@ - - - -- -- -- -- -+ -+ -+ -+ -+ -+ -+ - - -diff --git a/shared/checks/oval/sshd_use_approved_macs.xml b/shared/checks/oval/sshd_use_approved_macs.xml -index d2f622af1..b403d0449 100644 ---- a/shared/checks/oval/sshd_use_approved_macs.xml -+++ b/shared/checks/oval/sshd_use_approved_macs.xml -@@ -9,13 +9,19 @@ - - - -- -- -+ -+ -+ -+ - -- -+ - - - -From 441881052627a5b14be015d74d36d271f9268908 Mon Sep 17 00:00:00 2001 -From: Watson Sato -Date: Wed, 13 Dec 2017 18:22:29 +0100 -Subject: [PATCH 3/6] Remove backslashes from echo command - -Echo command output is literal, there is no need for backslashes ---- - .../rule_sshd_use_approved_ciphers/correct_scrambled.pass.sh | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/tests/data/group_services/group_ssh/group_ssh_server/rule_sshd_use_approved_ciphers/correct_scrambled.pass.sh b/tests/data/group_services/group_ssh/group_ssh_server/rule_sshd_use_approved_ciphers/correct_scrambled.pass.sh -index 227611543..7172539c7 100644 ---- a/tests/data/group_services/group_ssh/group_ssh_server/rule_sshd_use_approved_ciphers/correct_scrambled.pass.sh -+++ b/tests/data/group_services/group_ssh/group_ssh_server/rule_sshd_use_approved_ciphers/correct_scrambled.pass.sh -@@ -5,5 +5,5 @@ - if grep -q "^Ciphers" /etc/ssh/sshd_config; 
then
- sed -i "s/^Ciphers.*/Ciphers aes128-ctr,aes192-ctr,aes192-cbc,aes256-cbc,aes256-ctr,aes128-cbc,3des-cbc,rijndael-cbc@lysator\.liu\.se/" /etc/ssh/sshd_config
- else
-- echo "Ciphers aes128-ctr,aes192-ctr,aes192-cbc,aes256-cbc,aes256-ctr,aes128-cbc,3des-cbc,rijndael-cbc@lysator\.liu\.se" >> /etc/ssh/sshd_config
-+ echo "Ciphers aes128-ctr,aes192-ctr,aes192-cbc,aes256-cbc,aes256-ctr,aes128-cbc,3des-cbc,rijndael-cbc@lysator.liu.se" >> /etc/ssh/sshd_config
- fi
-
-From 995a5e64eb841c73849571395cc985f94607c4cb Mon Sep 17 00:00:00 2001
-From: Watson Sato
-Date: Mon, 18 Dec 2017 11:12:13 +0100
-Subject: [PATCH 4/6] Fix test scenarios for sshd_use_priv_separation
-
-As of PR #2162 the Rule checks for "sandbox"
----
- .../rule_sshd_use_priv_separation/correct_value.pass.sh | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/tests/data/group_services/group_ssh/group_ssh_server/rule_sshd_use_priv_separation/correct_value.pass.sh b/tests/data/group_services/group_ssh/group_ssh_server/rule_sshd_use_priv_separation/correct_value.pass.sh
-index d63caa85b..36e8c1bba 100644
---- a/tests/data/group_services/group_ssh/group_ssh_server/rule_sshd_use_priv_separation/correct_value.pass.sh
-+++ b/tests/data/group_services/group_ssh/group_ssh_server/rule_sshd_use_priv_separation/correct_value.pass.sh
-@@ -3,7 +3,7 @@
- # profiles = xccdf_org.ssgproject.content_profile_ospp-rhel7
- 
- if grep -q "^UsePrivilegeSeparation" /etc/ssh/sshd_config; then
-- sed -i "s/^UsePrivilegeSeparation.*/UsePrivilegeSeparation yes/" /etc/ssh/sshd_config
-+ sed -i "s/^UsePrivilegeSeparation.*/UsePrivilegeSeparation sandbox/" /etc/ssh/sshd_config
- else
-- echo "UsePrivilegeSeparation yes" >> /etc/ssh/sshd_config
-+ echo "UsePrivilegeSeparation sandbox" >> /etc/ssh/sshd_config
- fi
-
-From 877f3620d7462e2af6727a9feff16d6a7f08a239 Mon Sep 17 00:00:00 2001
-From: Watson Sato
-Date: Mon, 18 Dec 2017 11:40:07 +0100
-Subject: [PATCH 5/6] Fix test scenarios for sshd_disable_kerb_auth
-
-As of Pr #2463, the definition checks for ausence of
-"KerberosAuthentication yes", as default setting is not enabled.
----
- .../group_ssh_server/rule_sshd_disable_kerb_auth/comment.fail.sh | 9 ---------
- .../group_ssh_server/rule_sshd_disable_kerb_auth/comment.pass.sh | 9 +++++++++
- .../{line_not_there.fail.sh => line_not_there.pass.sh} | 0
- 3 files changed, 9 insertions(+), 9 deletions(-)
- delete mode 100644 tests/data/group_services/group_ssh/group_ssh_server/rule_sshd_disable_kerb_auth/comment.fail.sh
- create mode 100644 tests/data/group_services/group_ssh/group_ssh_server/rule_sshd_disable_kerb_auth/comment.pass.sh
- rename tests/data/group_services/group_ssh/group_ssh_server/rule_sshd_disable_kerb_auth/{line_not_there.fail.sh => line_not_there.pass.sh} (100%)
-
-diff --git a/tests/data/group_services/group_ssh/group_ssh_server/rule_sshd_disable_kerb_auth/comment.fail.sh b/tests/data/group_services/group_ssh/group_ssh_server/rule_sshd_disable_kerb_auth/comment.fail.sh
-deleted file mode 100644
-index 3ae082173..000000000
---- a/tests/data/group_services/group_ssh/group_ssh_server/rule_sshd_disable_kerb_auth/comment.fail.sh
-+++ /dev/null
-@@ -1,9 +0,0 @@
--#!/bin/bash
--#
--# profiles = xccdf_org.ssgproject.content_profile_ospp-rhel7
--
--if grep -q "^KerberosAuthentication" /etc/ssh/sshd_config; then
-- sed -i "s/^KerberosAuthentication.*/# KerberosAuthentication no/" /etc/ssh/sshd_config
--else
-- echo "# KerberosAuthentication no" >> /etc/ssh/sshd_config
--fi
-diff --git a/tests/data/group_services/group_ssh/group_ssh_server/rule_sshd_disable_kerb_auth/comment.pass.sh b/tests/data/group_services/group_ssh/group_ssh_server/rule_sshd_disable_kerb_auth/comment.pass.sh
-new file mode 100644
-index 000000000..c7d58fbc6
---- /dev/null
-+++ b/tests/data/group_services/group_ssh/group_ssh_server/rule_sshd_disable_kerb_auth/comment.pass.sh
-@@ -0,0 +1,9 @@
-+#!/bin/bash
-+#
-+# profiles = xccdf_org.ssgproject.content_profile_ospp-rhel7
-+
-+if grep -q "^KerberosAuthentication" /etc/ssh/sshd_config; then
-+ sed -i "s/^KerberosAuthentication.*/# KerberosAuthentication yes/" /etc/ssh/sshd_config
-+else
-+ echo "# KerberosAuthentication yes" >> /etc/ssh/sshd_config
-+fi
-diff --git a/tests/data/group_services/group_ssh/group_ssh_server/rule_sshd_disable_kerb_auth/line_not_there.fail.sh b/tests/data/group_services/group_ssh/group_ssh_server/rule_sshd_disable_kerb_auth/line_not_there.pass.sh
-similarity index 100%
-rename from tests/data/group_services/group_ssh/group_ssh_server/rule_sshd_disable_kerb_auth/line_not_there.fail.sh
-rename to tests/data/group_services/group_ssh/group_ssh_server/rule_sshd_disable_kerb_auth/line_not_there.pass.sh
-
-From 4ebe165ede448c8998251257998cc94ea5cf3786 Mon Sep 17 00:00:00 2001
-From: Watson Sato
-Date: Mon, 18 Dec 2017 11:52:39 +0100
-Subject: [PATCH 6/6] Fix test scenarios for sshd_enable_strictmodes
-
-As of Pr #2463, the definition checks fo ausence of "StrictModes no", as
-default value is enabled already.
----
- .../rule_sshd_enable_strictmodes/{comment.fail.sh => comment.pass.sh} | 4 ++--
- .../{line_not_there.fail.sh => line_not_there.pass.sh} | 0
- 2 files changed, 2 insertions(+), 2 deletions(-)
- rename tests/data/group_services/group_ssh/group_ssh_server/rule_sshd_enable_strictmodes/{comment.fail.sh => comment.pass.sh} (53%)
- rename tests/data/group_services/group_ssh/group_ssh_server/rule_sshd_enable_strictmodes/{line_not_there.fail.sh => line_not_there.pass.sh} (100%)
-
-diff --git a/tests/data/group_services/group_ssh/group_ssh_server/rule_sshd_enable_strictmodes/comment.fail.sh b/tests/data/group_services/group_ssh/group_ssh_server/rule_sshd_enable_strictmodes/comment.pass.sh
-similarity index 53%
-rename from tests/data/group_services/group_ssh/group_ssh_server/rule_sshd_enable_strictmodes/comment.fail.sh
-rename to tests/data/group_services/group_ssh/group_ssh_server/rule_sshd_enable_strictmodes/comment.pass.sh
-index 3d3b90875..bac02cb4f 100644
---- a/tests/data/group_services/group_ssh/group_ssh_server/rule_sshd_enable_strictmodes/comment.fail.sh
-+++ b/tests/data/group_services/group_ssh/group_ssh_server/rule_sshd_enable_strictmodes/comment.pass.sh
-@@ -3,7 +3,7 @@
- # profiles = xccdf_org.ssgproject.content_profile_ospp-rhel7
- 
- if grep -q "^StrictModes" /etc/ssh/sshd_config; then
-- sed -i "s/^StrictModes.*/# StrictModes yes/" /etc/ssh/sshd_config
-+ sed -i "s/^StrictModes.*/# StrictModes no/" /etc/ssh/sshd_config
- else
-- echo "# StrictModes yes" >> /etc/ssh/sshd_config
-+ echo "# StrictModes no" >> /etc/ssh/sshd_config
- fi
-diff --git a/tests/data/group_services/group_ssh/group_ssh_server/rule_sshd_enable_strictmodes/line_not_there.fail.sh b/tests/data/group_services/group_ssh/group_ssh_server/rule_sshd_enable_strictmodes/line_not_there.pass.sh
-similarity index 100%
-rename from tests/data/group_services/group_ssh/group_ssh_server/rule_sshd_enable_strictmodes/line_not_there.fail.sh
-rename to tests/data/group_services/group_ssh/group_ssh_server/rule_sshd_enable_strictmodes/line_not_there.pass.sh
diff --git a/SOURCES/scap-security-guide-0.1.37-fix-title.patch b/SOURCES/scap-security-guide-0.1.37-fix-title.patch
deleted file mode 100644
index 7d41a1b..0000000
--- a/SOURCES/scap-security-guide-0.1.37-fix-title.patch
+++ /dev/null
@@ -1,20 +0,0 @@
-From a29a5b25a537298144d43a1deba5f8fe14fd1472 Mon Sep 17 00:00:00 2001
-From: Marek Haicman
-Date: Sat, 9 Dec 2017 00:21:10 +0100
-Subject: [PATCH] Fix title of DISA STIG profile in RHEL6 DS.
-
----
- rhel6/profiles/stig-rhel6-disa.xml | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/rhel6/profiles/stig-rhel6-disa.xml b/rhel6/profiles/stig-rhel6-disa.xml
-index eec5e92e5..9694d6591 100644
---- a/rhel6/profiles/stig-rhel6-disa.xml
-+++ b/rhel6/profiles/stig-rhel6-disa.xml
-@@ -1,5 +1,5 @@
- 
--DISA STIG for Red Hat Enterprise Linux 6
-+DISA STIG for Red Hat Enterprise Linux 6
- 
- This profile contains configuration checks that align to the
- DISA STIG for Red Hat Enterprise Linux 6.
diff --git a/SOURCES/scap-security-guide-0.1.37-fix-umask_for_daemons.patch b/SOURCES/scap-security-guide-0.1.37-fix-umask_for_daemons.patch
deleted file mode 100644
index 06a0fa1..0000000
--- a/SOURCES/scap-security-guide-0.1.37-fix-umask_for_daemons.patch
+++ /dev/null
@@ -1,39 +0,0 @@ -From 810c6774166d8b591300322e269acd6a1d3554ef Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= -Date: Tue, 5 Dec 2017 16:15:46 +0100 -Subject: [PATCH] RHBZ #1520493: Fix umask_for_daemons - -OpenSCAP evaluated this rule as "error" because it tried to evauluate -the variable 'var_umask_for_daemons_umask_as_number', which was defined -as external, but in fact is created in other definition. OpenSCAP -could not find its value. The fix is very similar to PR #1945. ---- - shared/checks/oval/umask_for_daemons.xml | 8 ++------ - 1 file changed, 2 insertions(+), 6 deletions(-) - -diff --git a/shared/checks/oval/umask_for_daemons.xml b/shared/checks/oval/umask_for_daemons.xml -index 7f54e4957..a8ce76275 100644 ---- a/shared/checks/oval/umask_for_daemons.xml -+++ b/shared/checks/oval/umask_for_daemons.xml -@@ -61,12 +61,6 @@ - - - -- -- -- - - -@@ -77,6 +71,8 @@ - var_etc_init_d_functions_umask_as_number - - -+ - - - diff --git a/SOURCES/scap-security-guide-0.1.38-aide-scan-email-notification.patch b/SOURCES/scap-security-guide-0.1.38-aide-scan-email-notification.patch deleted file mode 100644 index 21b2d5a..0000000 --- a/SOURCES/scap-security-guide-0.1.38-aide-scan-email-notification.patch +++ /dev/null 
@@ -1,88 +0,0 @@ -From 0a88755485a67e1e29c62196cc506763594f2154 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= -Date: Thu, 1 Feb 2018 08:36:18 +0100 -Subject: [PATCH 1/2] Do not fail aide_scan_notification with other email - adresses - -The rule aide_scan_notification says that AIDE should notify appropriate -personnell of the detials of an AIDE scan. The check currently requires -that the email address of the appropriate personell starts with 'root@'. -In practice, the email address could be any email address. The check -should match any email address. -Fixes RHBZ#1540505 ---- - shared/checks/oval/aide_scan_notification.xml | 6 +++--- - 1 file changed, 3 insertions(+), 3 deletions(-) - -diff --git a/shared/checks/oval/aide_scan_notification.xml b/shared/checks/oval/aide_scan_notification.xml -index 3293efb084..3aba02d144 100644 ---- a/shared/checks/oval/aide_scan_notification.xml -+++ b/shared/checks/oval/aide_scan_notification.xml -@@ -23,7 +23,7 @@ - - - /etc/crontab -- ^.*/usr/sbin/aide[\s]*\-\-check.*\|.*/bin/mail[\s]*-s[\s]*".*"[\s]*root@.*$ -+ ^.*/usr/sbin/aide[\s]*\-\-check.*\|.*/bin/mail[\s]*-s[\s]*".*"[\s]*.*@.*$ - 1 - - -@@ -32,7 +32,7 @@ - - - /var/spool/cron/root -- ^.*/usr/sbin/aide[\s]*\-\-check.*\|.*/bin/mail[\s]*-s[\s]*".*"[\s]*root@.*$ -+ ^.*/usr/sbin/aide[\s]*\-\-check.*\|.*/bin/mail[\s]*-s[\s]*".*"[\s]*.*@.*$ - 1 - - -@@ -42,7 +42,7 @@ - - /etc/cron.(d|daily|weekly|monthly) - ^.*$ -- ^.*/usr/sbin/aide[\s]*\-\-check.*\|.*/bin/mail[\s]*-s[\s]*".*"[\s]*root@.*$ -+ ^.*/usr/sbin/aide[\s]*\-\-check.*\|.*/bin/mail[\s]*-s[\s]*".*"[\s]*.*@.*$ - 1 - - - -From 381ca3e54eb2e79c18f613a0d95e187e5e622005 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= -Date: Mon, 5 Feb 2018 09:58:23 +0100 -Subject: [PATCH 2/2] Match at least 1 character in email address - ---- - shared/checks/oval/aide_scan_notification.xml | 6 +++--- - 1 file changed, 3 insertions(+), 3 deletions(-) - -diff --git 
a/shared/checks/oval/aide_scan_notification.xml b/shared/checks/oval/aide_scan_notification.xml -index 3aba02d144..b9f8e78929 100644 ---- a/shared/checks/oval/aide_scan_notification.xml -+++ b/shared/checks/oval/aide_scan_notification.xml -@@ -23,7 +23,7 @@ - - - /etc/crontab -- ^.*/usr/sbin/aide[\s]*\-\-check.*\|.*/bin/mail[\s]*-s[\s]*".*"[\s]*.*@.*$ -+ ^.*/usr/sbin/aide[\s]*\-\-check.*\|.*/bin/mail[\s]*-s[\s]*".*"[\s]*.+@.+$ - 1 - - -@@ -32,7 +32,7 @@ - - - /var/spool/cron/root -- ^.*/usr/sbin/aide[\s]*\-\-check.*\|.*/bin/mail[\s]*-s[\s]*".*"[\s]*.*@.*$ -+ ^.*/usr/sbin/aide[\s]*\-\-check.*\|.*/bin/mail[\s]*-s[\s]*".*"[\s]*.+@.+$ - 1 - - -@@ -42,7 +42,7 @@ - - /etc/cron.(d|daily|weekly|monthly) - ^.*$ -- ^.*/usr/sbin/aide[\s]*\-\-check.*\|.*/bin/mail[\s]*-s[\s]*".*"[\s]*.*@.*$ -+ ^.*/usr/sbin/aide[\s]*\-\-check.*\|.*/bin/mail[\s]*-s[\s]*".*"[\s]*.+@.+$ - 1 - - diff --git a/SOURCES/scap-security-guide-0.1.38-audit-kernel-module-loading.patch b/SOURCES/scap-security-guide-0.1.38-audit-kernel-module-loading.patch deleted file mode 100644 index 5101aa7..0000000 --- a/SOURCES/scap-security-guide-0.1.38-audit-kernel-module-loading.patch +++ /dev/null 
@@ -1,426 +0,0 @@ -From add7cd5c5a99e7b7d546aa0296885d7da1806d5f Mon Sep 17 00:00:00 2001 -From: Marek Haicman -Date: Thu, 22 Feb 2018 22:49:54 +0100 -Subject: [PATCH 1/2] Fix kernel module loading and unloading rules - -Fixed rule descriptions to make more sense, and fixing remediation -of general rule to set auditing of both b32 and b64 syscalls on -64-bit systems. ---- - .../bash/audit_rules_kernel_module_loading.sh | 10 +- - .../audit_rules_kernel_module_loading_delete.sh | 8 +- - .../bash/audit_rules_kernel_module_loading_init.sh | 8 +- - shared/xccdf/system/auditing.xml | 161 ++++++++++----------- - 4 files changed, 91 insertions(+), 96 deletions(-) - -diff --git a/shared/fixes/bash/audit_rules_kernel_module_loading.sh b/shared/fixes/bash/audit_rules_kernel_module_loading.sh -index 12d6dd0181..268da407f7 100644 ---- a/shared/fixes/bash/audit_rules_kernel_module_loading.sh -+++ b/shared/fixes/bash/audit_rules_kernel_module_loading.sh -@@ -5,11 +5,11 @@ - - # First perform the remediation of the syscall rule - # Retrieve hardware architecture of the underlying system --# Note: 32-bit kernel modules can't be loaded / unloaded on 64-bit kernel => --# it's not required on a 64-bit system to check also for the presence --# of 32-bit's equivalent of the corresponding rule. Therefore for --# each system it's enought to check presence of system's native rule form. --[ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b64") -+# Note: 32-bit and 64-bit kernel syscall numbers not always line up => -+# it's required on a 64-bit system to check also for the presence -+# of 32-bit's equivalent of the corresponding rule. 
-+# (See `man 7 audit.rules` for details ) -+[ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64") - - for ARCH in "${RULE_ARCHS[@]}" - do -diff --git a/shared/fixes/bash/audit_rules_kernel_module_loading_delete.sh b/shared/fixes/bash/audit_rules_kernel_module_loading_delete.sh -index 59aadeeef8..131f1a2819 100644 ---- a/shared/fixes/bash/audit_rules_kernel_module_loading_delete.sh -+++ b/shared/fixes/bash/audit_rules_kernel_module_loading_delete.sh -@@ -5,10 +5,10 @@ - - # First perform the remediation of the syscall rule - # Retrieve hardware architecture of the underlying system --# If the system has a 32-bit processor, only the 32-bit rule is needed. --# If the system has a 64-bit processor, both arch 32 and 64 need to be included in --# the audit file because it is not possible to know if the computer will be booted --# in 64 or 32 bit mode or for which architecture a binary is compiled. -+# Note: 32-bit and 64-bit kernel syscall numbers not always line up => -+# it's required on a 64-bit system to check also for the presence -+# of 32-bit's equivalent of the corresponding rule. -+# (See `man 7 audit.rules` for details ) - [ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64") - - for ARCH in "${RULE_ARCHS[@]}" -diff --git a/shared/fixes/bash/audit_rules_kernel_module_loading_init.sh b/shared/fixes/bash/audit_rules_kernel_module_loading_init.sh -index 04b06f9dee..c46a854068 100644 ---- a/shared/fixes/bash/audit_rules_kernel_module_loading_init.sh -+++ b/shared/fixes/bash/audit_rules_kernel_module_loading_init.sh -@@ -5,10 +5,10 @@ - - # First perform the remediation of the syscall rule - # Retrieve hardware architecture of the underlying system --# If the system has a 32-bit processor, only the 32-bit rule is needed. 
--# If the system has a 64-bit processor, both arch 32 and 64 need to be included in --# the audit file because it is not possible to know if the computer will be booted --# in 64 or 32 bit mode or for which architecture a binary is compiled. -+# Note: 32-bit and 64-bit kernel syscall numbers not always line up => -+# it's required on a 64-bit system to check also for the presence -+# of 32-bit's equivalent of the corresponding rule. -+# (See `man 7 audit.rules` for details ) - [ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64") - - for ARCH in "${RULE_ARCHS[@]}" -diff --git a/shared/xccdf/system/auditing.xml b/shared/xccdf/system/auditing.xml -index 85487ee417..b68820fe9b 100644 ---- a/shared/xccdf/system/auditing.xml -+++ b/shared/xccdf/system/auditing.xml -@@ -113,7 +113,7 @@ to establish, correlate, and investigate the events leading up to an outage or a - Ensuring the auditd service is active ensures audit records - generated by the kernel are appropriately recorded. -

--Additionally, a properly configured audit subsystem ensures that actions of -+Additionally, a properly configured audit subsystem ensures that actions of - individual system users can be uniquely traced to those users so they - can be held accountable for their actions. - -@@ -727,7 +727,7 @@ with limited audit storage capacity. - - - -- -+ - - - -@@ -3401,42 +3401,40 @@ of what was executed on the system, as well as, for accountability purposes. - Record Information on Kernel Modules Loading and Unloading --If the auditd daemon is configured to use the augenrules program --to read audit rules during daemon startup (the default), add the following lines to a file --with suffix .rules in the directory /etc/audit/rules.d to capture kernel module --loading and unloading events, setting ARCH to either b32 or b64 as appropriate for your system: --
-w /usr/sbin/insmod -p x -k modules
---w /usr/sbin/rmmod -p x -k modules
---w /usr/sbin/modprobe -p x -k modules
---a always,exit -F arch=ARCH -S init_module,delete_module -F key=modules
--If the auditd daemon is configured to use the auditctl utility to read audit --rules during daemon startup, add the following lines to /etc/audit/audit.rules file --in order to capture kernel module loading and unloading events, setting ARCH to either b32 or --b64 as appropriate for your system: --
-w /usr/sbin/insmod -p x -k modules
-+To capture kernel module loading and unloading events, use following lines, setting ARCH to
-+either b32 for 32-bit system, or having two lines for both b32 and b64 in case your system is 64-bit:
-+
-+-w /usr/sbin/insmod -p x -k modules
- -w /usr/sbin/rmmod -p x -k modules
- -w /usr/sbin/modprobe -p x -k modules
---a always,exit -F arch=ARCH -S init_module,delete_module -F key=modules
-+-a always,exit -F arch=ARCH -S init_module,delete_module -F key=modules -+
-+ -+Place to add the lines depends on a way auditd daemon is configured. If it is configured -+to use the augenrules program (the default), add the lines to a file with suffix -+.rules in the directory /etc/audit/rules.d. -+ -+If the auditd daemon is configured to use the auditctl utility, -+add the lines to file /etc/audit/audit.rules. -
- - - Ensure <tt>auditd</tt> Collects Information on Kernel Module Loading and Unloading --If the auditd daemon is configured to use the augenrules program --to read audit rules during daemon startup (the default), add the following lines to a file --with suffix .rules in the directory /etc/audit/rules.d to capture kernel module --loading and unloading events, setting ARCH to either b32 or b64 as appropriate for your system: --
-w /usr/sbin/insmod -p x -k modules
---w /usr/sbin/rmmod -p x -k modules
---w /usr/sbin/modprobe -p x -k modules
---a always,exit -F arch=ARCH -S init_module -S delete_module -k modules
--If the auditd daemon is configured to use the auditctl utility to read audit --rules during daemon startup, add the following lines to /etc/audit/audit.rules file --in order to capture kernel module loading and unloading events, setting ARCH to either b32 or --b64 as appropriate for your system: --
-w /usr/sbin/insmod -p x -k modules
-+To capture kernel module loading and unloading events, use following lines, setting ARCH to
-+either b32 for 32-bit system, or having two lines for both b32 and b64 in case your system is 64-bit:
-+
-+-w /usr/sbin/insmod -p x -k modules
- -w /usr/sbin/rmmod -p x -k modules
- -w /usr/sbin/modprobe -p x -k modules
---a always,exit -F arch=ARCH -S init_module -S delete_module -k modules
-+-a always,exit -F arch=ARCH -S init_module,delete_module -F key=modules -+
-+ -+Place to add the lines depends on a way auditd daemon is configured. If it is configured -+to use the augenrules program (the default), add the lines to a file with suffix -+.rules in the directory /etc/audit/rules.d. -+ -+If the auditd daemon is configured to use the auditctl utility, -+add the lines to file /etc/audit/audit.rules. -
- - -@@ -3452,22 +3450,22 @@ to have an audit trail of modules that have been introduced into the kernel. - - --Ensure <tt>auditd</tt> Collects Information on Kernel Module Loading and Unloading - init_module --If the auditd daemon is configured to use the augenrules program --to read audit rules during daemon startup (the default), add the following lines to a file --with suffix .rules in the directory /etc/audit/rules.d to capture kernel module --loading and unloading events, setting ARCH to either b32 or b64 as appropriate for your system: --
-a always,exit -F arch=ARCH -S init_module -F key=modules
--If the auditd daemon is configured to use the auditctl utility to read audit --rules during daemon startup, add the following lines to /etc/audit/audit.rules file --in order to capture kernel module loading and unloading events, setting ARCH to either b32 or --b64 as appropriate for your system: -+Ensure <tt>auditd</tt> Collects Information on Kernel Module Loading - init_module -+To capture kernel module loading events, use following line, setting ARCH to -+either b32 for 32-bit system, or having two lines for both b32 and b64 in case your system is 64-bit: -
-a always,exit -F arch=ARCH -S init_module -F key=modules
-+ -+Place to add the line depends on a way auditd daemon is configured. If it is configured -+to use the augenrules program (the default), add the line to a file with suffix -+.rules in the directory /etc/audit/rules.d. -+ -+If the auditd daemon is configured to use the auditctl utility, -+add the line to file /etc/audit/audit.rules. -
- - - --The addition/removal of kernel modules can be used to alter the behavior of -+The addition of kernel modules can be used to alter the behavior of - the kernel and potentially introduce malicious code into kernel space. It is important - to have an audit trail of modules that have been introduced into the kernel. - -@@ -3478,22 +3476,22 @@ to have an audit trail of modules that have been introduced into the kernel. - - --Ensure <tt>auditd</tt> Collects Information on Kernel Module Loading and Unloading - delete_module --If the auditd daemon is configured to use the augenrules program --to read audit rules during daemon startup (the default), add the following lines to a file --with suffix .rules in the directory /etc/audit/rules.d to capture kernel module --loading and unloading events, setting ARCH to either b32 or b64 as appropriate for your system: --
-a always,exit -F arch=ARCH -S delete_module -F key=modules
--If the auditd daemon is configured to use the auditctl utility to read audit --rules during daemon startup, add the following lines to /etc/audit/audit.rules file --in order to capture kernel module loading and unloading events, setting ARCH to either b32 or --b64 as appropriate for your system: -+Ensure <tt>auditd</tt> Collects Information on Kernel Module Unloading - delete_module -+To capture kernel module unloading events, use following line, setting ARCH to -+either b32 for 32-bit system, or having two lines for both b32 and b64 in case your system is 64-bit: -
-a always,exit -F arch=ARCH -S delete_module -F key=modules
-+ -+Place to add the line depends on a way auditd daemon is configured. If it is configured -+to use the augenrules program (the default), add the line to a file with suffix -+.rules in the directory /etc/audit/rules.d. -+ -+If the auditd daemon is configured to use the auditctl utility, -+add the line to file /etc/audit/audit.rules. -
- - - --The addition/removal of kernel modules can be used to alter the behavior of -+The removal of kernel modules can be used to alter the behavior of - the kernel and potentially introduce malicious code into kernel space. It is important - to have an audit trail of modules that have been introduced into the kernel. - -@@ -3504,23 +3502,22 @@ to have an audit trail of modules that have been introduced into the kernel. - - --Ensure <tt>auditd</tt> Collects Information on Kernel Module Loading and Unloading - insmod --If the auditd daemon is configured to use the augenrules program --to read audit rules during daemon startup (the default), add the following lines to a file --with suffix .rules in the directory /etc/audit/rules.d to capture kernel module --loading and unloading events, setting ARCH to either b32 or b64 as appropriate for your system: --
-w /usr/sbin/insmod -p x -k modules
--If the auditd daemon is configured to use the auditctl utility to read audit --rules during daemon startup, add the following lines to /etc/audit/audit.rules file --in order to capture kernel module loading and unloading events, setting ARCH to either b32 or --b64 as appropriate for your system: -+Ensure <tt>auditd</tt> Collects Information on Kernel Module Loading - insmod -+To capture invocation of insmod, utility used to insert modules into kernel, -+use the following line: -
-w /usr/sbin/insmod -p x -k modules
-+Place to add the line depends on a way auditd daemon is configured. If it is configured -+to use the augenrules program (the default), add the line to a file with suffix -+.rules in the directory /etc/audit/rules.d. -+ -+If the auditd daemon is configured to use the auditctl utility, -+add the line to file /etc/audit/audit.rules. -
- - To verify that auditing is configured for system administrator actions, run the following command: -
$ sudo auditctl -l | grep "watch=/usr/sbin/insmod"
-
--The addition/removal of kernel modules can be used to alter the behavior of -+The addition of kernel modules can be used to alter the behavior of - the kernel and potentially introduce malicious code into kernel space. It is important - to have an audit trail of modules that have been introduced into the kernel. - -@@ -3531,23 +3528,22 @@ to have an audit trail of modules that have been introduced into the kernel. - - --Ensure <tt>auditd</tt> Collects Information on Kernel Module Loading and Unloading - rmmod --If the auditd daemon is configured to use the augenrules program --to read audit rules during daemon startup (the default), add the following lines to a file --with suffix .rules in the directory /etc/audit/rules.d to capture kernel module --loading and unloading events, setting ARCH to either b32 or b64 as appropriate for your system: --
-w /usr/sbin/rmmod -p x -k modules
--If the auditd daemon is configured to use the auditctl utility to read audit --rules during daemon startup, add the following lines to /etc/audit/audit.rules file --in order to capture kernel module loading and unloading events, setting ARCH to either b32 or --b64 as appropriate for your system: -+Ensure <tt>auditd</tt> Collects Information on Kernel Module Unloading - rmmod -+To capture invocation of rmmod, utility used to remove modules from kernel, -+add the following line: -
-w /usr/sbin/rmmod -p x -k modules
-+Place to add the line depends on a way auditd daemon is configured. If it is configured -+to use the augenrules program (the default), add the line to a file with suffix -+.rules in the directory /etc/audit/rules.d. -+ -+If the auditd daemon is configured to use the auditctl utility, -+add the line to file /etc/audit/audit.rules. -
- - To verify that auditing is configured for system administrator actions, run the following command: -
$ sudo auditctl -l | grep "watch=/usr/sbin/rmmod"
-
--The addition/removal of kernel modules can be used to alter the behavior of -+The removal of kernel modules can be used to alter the behavior of - the kernel and potentially introduce malicious code into kernel space. It is important - to have an audit trail of modules that have been introduced into the kernel. - -@@ -3559,16 +3555,15 @@ to have an audit trail of modules that have been introduced into the kernel. - Ensure <tt>auditd</tt> Collects Information on Kernel Module Loading and Unloading - modprobe --If the auditd daemon is configured to use the augenrules program --to read audit rules during daemon startup (the default), add the following lines to a file --with suffix .rules in the directory /etc/audit/rules.d to capture kernel module --loading and unloading events, setting ARCH to either b32 or b64 as appropriate for your system: --
-w /usr/sbin/modprobe -p x -k modules
--If the auditd daemon is configured to use the auditctl utility to read audit --rules during daemon startup, add the following lines to /etc/audit/audit.rules file --in order to capture kernel module loading and unloading events, setting ARCH to either b32 or --b64 as appropriate for your system: -+To capture invocation of modprobe, utility used to insert / remove modules from kernel, -+add the following line: -
-w /usr/sbin/modprobe -p x -k modules
-+Place to add the line depends on a way auditd daemon is configured. If it is configured -+to use the augenrules program (the default), add the line to a file with suffix -+.rules in the directory /etc/audit/rules.d. -+ -+If the auditd daemon is configured to use the auditctl utility, -+add the line to file /etc/audit/audit.rules. -
- - To verify that auditing is configured for system administrator actions, run the following command: - -From 2a9d3771707c7db41861dbf3ca03c8a455481ba8 Mon Sep 17 00:00:00 2001 -From: Marek Haicman -Date: Thu, 22 Feb 2018 23:13:29 +0100 -Subject: [PATCH 2/2] Add basic tests for kernel module loading and unloading - rules - ---- - .../rule_audit_rules_kernel_module_loading/default.fail.sh | 7 +++++++ - .../rule_audit_rules_kernel_module_loading_delete/default.fail.sh | 7 +++++++ - .../rule_audit_rules_kernel_module_loading_init/default.fail.sh | 7 +++++++ - .../rule_audit_rules_kernel_module_loading_insmod/default.fail.sh | 7 +++++++ - .../default.fail.sh | 7 +++++++ - .../rule_audit_rules_kernel_module_loading_rmmod/default.fail.sh | 7 +++++++ - 6 files changed, 42 insertions(+) - create mode 100644 tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_kernel_module_loading/rule_audit_rules_kernel_module_loading/default.fail.sh - create mode 100644 tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_kernel_module_loading/rule_audit_rules_kernel_module_loading_delete/default.fail.sh - create mode 100644 tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_kernel_module_loading/rule_audit_rules_kernel_module_loading_init/default.fail.sh - create mode 100644 tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_kernel_module_loading/rule_audit_rules_kernel_module_loading_insmod/default.fail.sh - create mode 100644 tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_kernel_module_loading/rule_audit_rules_kernel_module_loading_modprobe/default.fail.sh - create mode 100644 tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_kernel_module_loading/rule_audit_rules_kernel_module_loading_rmmod/default.fail.sh - -diff --git 
a/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_kernel_module_loading/rule_audit_rules_kernel_module_loading/default.fail.sh b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_kernel_module_loading/rule_audit_rules_kernel_module_loading/default.fail.sh -new file mode 100644 -index 0000000000..48457258e5 ---- /dev/null -+++ b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_kernel_module_loading/rule_audit_rules_kernel_module_loading/default.fail.sh -@@ -0,0 +1,7 @@ -+#!/bin/bash -+# profiles = xccdf_org.ssgproject.content_profile_C2S -+# remediation = bash -+ -+rm -f /etc/audit/rules.d/* -+> /etc/audit/audit.rules -+true -diff --git a/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_kernel_module_loading/rule_audit_rules_kernel_module_loading_delete/default.fail.sh b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_kernel_module_loading/rule_audit_rules_kernel_module_loading_delete/default.fail.sh -new file mode 100644 -index 0000000000..12fe012776 ---- /dev/null -+++ b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_kernel_module_loading/rule_audit_rules_kernel_module_loading_delete/default.fail.sh -@@ -0,0 +1,7 @@ -+#!/bin/bash -+# profiles = xccdf_org.ssgproject.content_profile_ospp-rhel7 -+# remediation = bash -+ -+rm -f /etc/audit/rules.d/* -+> /etc/audit/audit.rules -+true -diff --git a/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_kernel_module_loading/rule_audit_rules_kernel_module_loading_init/default.fail.sh b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_kernel_module_loading/rule_audit_rules_kernel_module_loading_init/default.fail.sh -new file mode 100644 -index 0000000000..12fe012776 ---- /dev/null -+++ 
b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_kernel_module_loading/rule_audit_rules_kernel_module_loading_init/default.fail.sh -@@ -0,0 +1,7 @@ -+#!/bin/bash -+# profiles = xccdf_org.ssgproject.content_profile_ospp-rhel7 -+# remediation = bash -+ -+rm -f /etc/audit/rules.d/* -+> /etc/audit/audit.rules -+true -diff --git a/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_kernel_module_loading/rule_audit_rules_kernel_module_loading_insmod/default.fail.sh b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_kernel_module_loading/rule_audit_rules_kernel_module_loading_insmod/default.fail.sh -new file mode 100644 -index 0000000000..12fe012776 ---- /dev/null -+++ b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_kernel_module_loading/rule_audit_rules_kernel_module_loading_insmod/default.fail.sh -@@ -0,0 +1,7 @@ -+#!/bin/bash -+# profiles = xccdf_org.ssgproject.content_profile_ospp-rhel7 -+# remediation = bash -+ -+rm -f /etc/audit/rules.d/* -+> /etc/audit/audit.rules -+true -diff --git a/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_kernel_module_loading/rule_audit_rules_kernel_module_loading_modprobe/default.fail.sh b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_kernel_module_loading/rule_audit_rules_kernel_module_loading_modprobe/default.fail.sh -new file mode 100644 -index 0000000000..12fe012776 ---- /dev/null -+++ b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_kernel_module_loading/rule_audit_rules_kernel_module_loading_modprobe/default.fail.sh -@@ -0,0 +1,7 @@ -+#!/bin/bash -+# profiles = xccdf_org.ssgproject.content_profile_ospp-rhel7 -+# remediation = bash -+ -+rm -f /etc/audit/rules.d/* -+> /etc/audit/audit.rules -+true -diff --git 
a/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_kernel_module_loading/rule_audit_rules_kernel_module_loading_rmmod/default.fail.sh b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_kernel_module_loading/rule_audit_rules_kernel_module_loading_rmmod/default.fail.sh -new file mode 100644 -index 0000000000..12fe012776 ---- /dev/null -+++ b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_kernel_module_loading/rule_audit_rules_kernel_module_loading_rmmod/default.fail.sh -@@ -0,0 +1,7 @@ -+#!/bin/bash -+# profiles = xccdf_org.ssgproject.content_profile_ospp-rhel7 -+# remediation = bash -+ -+rm -f /etc/audit/rules.d/* -+> /etc/audit/audit.rules -+true diff --git a/SOURCES/scap-security-guide-0.1.38-fix-reference-to-pam-config-manual.patch b/SOURCES/scap-security-guide-0.1.38-fix-reference-to-pam-config-manual.patch deleted file mode 100644 index 9e484b4..0000000 --- a/SOURCES/scap-security-guide-0.1.38-fix-reference-to-pam-config-manual.patch +++ /dev/null 
@@ -1,22 +0,0 @@ -From b0b3bf1153e72f178400ef91b722d7fcdab94277 Mon Sep 17 00:00:00 2001 -From: Marek Haicman -Date: Fri, 5 Jan 2018 22:54:11 +0100 -Subject: [PATCH] Fixing reference to outdated PAM configuration manual - ---- - shared/xccdf/system/accounts/pam.xml | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/shared/xccdf/system/accounts/pam.xml b/shared/xccdf/system/accounts/pam.xml -index 5ba904da1..572a1216c 100644 ---- a/shared/xccdf/system/accounts/pam.xml -+++ b/shared/xccdf/system/accounts/pam.xml -@@ -39,7 +39,7 @@ most users. - files, destroying any manually made changes and replacing them with - a series of system defaults. One reference to the configuration - file syntax can be found at -- -+ - . - - -Date: Fri, 5 Jan 2018 17:39:42 -0800 -Subject: [PATCH 1/2] updated kernel module loading init and delete to use b32 - and b64 - ---- - shared/fixes/bash/audit_rules_kernel_module_loading_delete.sh | 2 +- - shared/fixes/bash/audit_rules_kernel_module_loading_init.sh | 2 +- - 2 files changed, 2 insertions(+), 2 deletions(-) - -diff --git a/shared/fixes/bash/audit_rules_kernel_module_loading_delete.sh b/shared/fixes/bash/audit_rules_kernel_module_loading_delete.sh -index 97cdfae457..76a29eedc4 100644 ---- a/shared/fixes/bash/audit_rules_kernel_module_loading_delete.sh -+++ b/shared/fixes/bash/audit_rules_kernel_module_loading_delete.sh -@@ -9,7 +9,7 @@ - # it's not required on a 64-bit system to check also for the presence - # of 32-bit's equivalent of the corresponding rule. Therefore for - # each system it's enought to check presence of system's native rule form. 
--[ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b64")
-+[ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64")
-
- for ARCH in "${RULE_ARCHS[@]}"
- do
-diff --git a/shared/fixes/bash/audit_rules_kernel_module_loading_init.sh b/shared/fixes/bash/audit_rules_kernel_module_loading_init.sh
-index 83f904bab7..ec275c91f8 100644
---- a/shared/fixes/bash/audit_rules_kernel_module_loading_init.sh
-+++ b/shared/fixes/bash/audit_rules_kernel_module_loading_init.sh
-@@ -9,7 +9,7 @@
- # it's not required on a 64-bit system to check also for the presence
- # of 32-bit's equivalent of the corresponding rule. Therefore for
- # each system it's enought to check presence of system's native rule form.
--[ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b64")
-+[ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64")
-
- for ARCH in "${RULE_ARCHS[@]}"
- do
-
-From 23d66767a7f6100481f985d4282ffe19ab5bc26c Mon Sep 17 00:00:00 2001
-From: Nathan Peters
-Date: Fri, 12 Jan 2018 10:31:51 -0800
-Subject: [PATCH 2/2] updated comments to not contradict the remediation code
-
----
- shared/fixes/bash/audit_rules_kernel_module_loading_delete.sh | 8 ++++----
- shared/fixes/bash/audit_rules_kernel_module_loading_init.sh | 8 ++++----
- 2 files changed, 8 insertions(+), 8 deletions(-)
-
-diff --git a/shared/fixes/bash/audit_rules_kernel_module_loading_delete.sh b/shared/fixes/bash/audit_rules_kernel_module_loading_delete.sh
-index 76a29eedc4..59aadeeef8 100644
---- a/shared/fixes/bash/audit_rules_kernel_module_loading_delete.sh
-+++ b/shared/fixes/bash/audit_rules_kernel_module_loading_delete.sh
-@@ -5,10 +5,10 @@
-
- # First perform the remediation of the syscall rule
- # Retrieve hardware architecture of the underlying system
--# Note: 32-bit kernel modules can't be loaded / unloaded on 64-bit kernel =>
--# it's not required on a 64-bit system to check also for the presence
--# of 32-bit's 
equivalent of the corresponding rule. Therefore for
--# each system it's enought to check presence of system's native rule form.
-+# If the system has a 32-bit processor, only the 32-bit rule is needed.
-+# If the system has a 64-bit processor, both arch 32 and 64 need to be included in
-+# the audit file because it is not possible to know if the computer will be booted
-+# in 64 or 32 bit mode or for which architecture a binary is compiled.
- [ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64")
-
- for ARCH in "${RULE_ARCHS[@]}"
-diff --git a/shared/fixes/bash/audit_rules_kernel_module_loading_init.sh b/shared/fixes/bash/audit_rules_kernel_module_loading_init.sh
-index ec275c91f8..04b06f9dee 100644
---- a/shared/fixes/bash/audit_rules_kernel_module_loading_init.sh
-+++ b/shared/fixes/bash/audit_rules_kernel_module_loading_init.sh
-@@ -5,10 +5,10 @@
-
- # First perform the remediation of the syscall rule
- # Retrieve hardware architecture of the underlying system
--# Note: 32-bit kernel modules can't be loaded / unloaded on 64-bit kernel =>
--# it's not required on a 64-bit system to check also for the presence
--# of 32-bit's equivalent of the corresponding rule. Therefore for
--# each system it's enought to check presence of system's native rule form.
-+# If the system has a 32-bit processor, only the 32-bit rule is needed.
-+# If the system has a 64-bit processor, both arch 32 and 64 need to be included in
-+# the audit file because it is not possible to know if the computer will be booted
-+# in 64 or 32 bit mode or for which architecture a binary is compiled. 
- [ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64")
-
- for ARCH in "${RULE_ARCHS[@]}"
-From 27363bc92905f8b7a5271480c64051869f2565d8 Mon Sep 17 00:00:00 2001
-From: Nathan Peters
-Date: Thu, 18 Jan 2018 17:18:07 -0800
-Subject: [PATCH] fixed syntax issue with sed expression in
- auditd_data_retention_space_left.sh
-
----
- shared/fixes/bash/auditd_data_retention_space_left.sh | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/shared/fixes/bash/auditd_data_retention_space_left.sh b/shared/fixes/bash/auditd_data_retention_space_left.sh
-index 1c13cd4e34..f4ae92b044 100644
---- a/shared/fixes/bash/auditd_data_retention_space_left.sh
-+++ b/shared/fixes/bash/auditd_data_retention_space_left.sh
-@@ -3,7 +3,7 @@
- populate var_auditd_space_left
-
- grep -q ^space_left /etc/audit/auditd.conf && \
-- sed -i "s/space_left.*/space_left = $var_auditd_space_left/g" /etc/audit/auditd.conf
-+ sed -i "s/^space_left[[:space:]]*=.*/space_left = $var_auditd_space_left/g" /etc/audit/auditd.conf
- if ! [ $? 
-eq 0 ]; then
- echo "space_left = $var_auditd_space_left" >> /etc/audit/auditd.conf
- fi
-From 0aca8aa12b070625f138e4e1f90622e89e8b6f21 Mon Sep 17 00:00:00 2001
-From: OnceUponALoop
-Date: Mon, 26 Feb 2018 20:58:06 -0600
-Subject: [PATCH] Fixes #2607 - audit_rules_login_events
-
----
- shared/templates/create_audit_rules_login_events.py | 2 +-
- shared/templates/csv/audit_rules_login_events.csv | 2 +-
- 2 files changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/shared/templates/create_audit_rules_login_events.py b/shared/templates/create_audit_rules_login_events.py
-index 111a27a130..3dc1f5cb0d 100644
---- a/shared/templates/create_audit_rules_login_events.py
-+++ b/shared/templates/create_audit_rules_login_events.py
-@@ -14,7 +14,7 @@
- class AuditRulesLoginEventsGenerator(FilesGenerator):
- def generate(self, target, args):
- path = args[0]
-- name = re.sub('[-\./]', '_', os.path.basename(path))
-+ name = re.sub('[-\./]', '_', os.path.basename(os.path.normpath(path)))
- if target == "oval":
- self.file_from_template(
- "./template_OVAL_audit_rules_login_events",
-diff --git a/shared/templates/csv/audit_rules_login_events.csv b/shared/templates/csv/audit_rules_login_events.csv
-index cdec8d6b8e..5c9793afbe 100644
---- a/shared/templates/csv/audit_rules_login_events.csv
-+++ b/shared/templates/csv/audit_rules_login_events.csv
-@@ -1,3 +1,3 @@
--/var/run/faillock
-+/var/run/faillock/
- /var/log/lastlog
- /var/log/tallylog
-From 318cc38b11f8b7fc6d4a30dd7db20f5bc57a4c8d Mon Sep 17 00:00:00 2001
-From: Watson Sato
-Date: Mon, 12 Mar 2018 18:37:34 +0100
-Subject: [PATCH 1/4] Add tests for ensure_logrotate_activated
-
----
- .../rule_ensure_logrotate_activated/cron_daily_configured.pass.sh | 7 +++++++
- .../logrotate_conf_configured.pass.sh | 8 ++++++++
- .../rule_ensure_logrotate_activated/logrotate_conf_weekly.fail.sh | 6 ++++++
- .../rule_ensure_logrotate_activated/logrotate_no_config.fail.sh | 6 ++++++
- 4 files changed, 27 insertions(+)
- create mode 100644 
tests/data/group_system/group_logging/group_log_rotation/rule_ensure_logrotate_activated/cron_daily_configured.pass.sh - create mode 100644 tests/data/group_system/group_logging/group_log_rotation/rule_ensure_logrotate_activated/logrotate_conf_configured.pass.sh - create mode 100644 tests/data/group_system/group_logging/group_log_rotation/rule_ensure_logrotate_activated/logrotate_conf_weekly.fail.sh - create mode 100644 tests/data/group_system/group_logging/group_log_rotation/rule_ensure_logrotate_activated/logrotate_no_config.fail.sh - -diff --git a/tests/data/group_system/group_logging/group_log_rotation/rule_ensure_logrotate_activated/cron_daily_configured.pass.sh b/tests/data/group_system/group_logging/group_log_rotation/rule_ensure_logrotate_activated/cron_daily_configured.pass.sh -new file mode 100644 -index 0000000000..2debba3186 ---- /dev/null -+++ b/tests/data/group_system/group_logging/group_log_rotation/rule_ensure_logrotate_activated/cron_daily_configured.pass.sh -@@ -0,0 +1,7 @@ -+#!/bin/bash -+# profiles = xccdf_org.ssgproject.content_profile_pci-dss -+ -+# make sure config in logrotate conf is misconfigured -+sed -i "s/daily/weekly/" /etc/logrotate.conf -+ -+# default for cron.daily for RHEL7 is already correct -diff --git a/tests/data/group_system/group_logging/group_log_rotation/rule_ensure_logrotate_activated/logrotate_conf_configured.pass.sh b/tests/data/group_system/group_logging/group_log_rotation/rule_ensure_logrotate_activated/logrotate_conf_configured.pass.sh -new file mode 100644 -index 0000000000..0521eac274 ---- /dev/null -+++ b/tests/data/group_system/group_logging/group_log_rotation/rule_ensure_logrotate_activated/logrotate_conf_configured.pass.sh -@@ -0,0 +1,8 @@ -+#!/bin/bash -+# profiles = xccdf_org.ssgproject.content_profile_pci-dss -+ -+# fix logrotate config -+sed -i "s/weekly/daily/" /etc/logrotate.conf -+ -+# remove default for cron.daily -+rm /etc/cron.daily/logrotate -diff --git 
a/tests/data/group_system/group_logging/group_log_rotation/rule_ensure_logrotate_activated/logrotate_conf_weekly.fail.sh b/tests/data/group_system/group_logging/group_log_rotation/rule_ensure_logrotate_activated/logrotate_conf_weekly.fail.sh -new file mode 100644 -index 0000000000..671da30c0b ---- /dev/null -+++ b/tests/data/group_system/group_logging/group_log_rotation/rule_ensure_logrotate_activated/logrotate_conf_weekly.fail.sh -@@ -0,0 +1,6 @@ -+#!/bin/bash -+# profiles = xccdf_org.ssgproject.content_profile_pci-dss -+# remediation = none -+ -+sed -i "s/daily/weekly/" /etc/logrotate.conf -+rm /etc/cron.daily/logrotate -diff --git a/tests/data/group_system/group_logging/group_log_rotation/rule_ensure_logrotate_activated/logrotate_no_config.fail.sh b/tests/data/group_system/group_logging/group_log_rotation/rule_ensure_logrotate_activated/logrotate_no_config.fail.sh -new file mode 100644 -index 0000000000..69c0ca7ee5 ---- /dev/null -+++ b/tests/data/group_system/group_logging/group_log_rotation/rule_ensure_logrotate_activated/logrotate_no_config.fail.sh -@@ -0,0 +1,6 @@ -+#!/bin/bash -+# profiles = xccdf_org.ssgproject.content_profile_pci-dss -+# remediation = none -+ -+sed -i "/^daily/d" /etc/logrotate.conf -+rm /etc/cron.daily/logrotate - -From 4301c45fffa27dfc03eee6b8b88301d888fb011b Mon Sep 17 00:00:00 2001 -From: Watson Sato -Date: Mon, 12 Mar 2018 19:00:03 +0100 -Subject: [PATCH 2/4] Update OVAL check for ensure_logrotate_activated - -Other parameters can be passed to logrotate besides the config file. -And according to logrotate man page, there can be multiple configuration -files, and the later ones override configuration done on earlier files. - -So we allow other parameters between logrotate command and config file, -and ensure that /etc/logrotate.conf is the last file. 
---- - shared/checks/oval/ensure_logrotate_activated.xml | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/shared/checks/oval/ensure_logrotate_activated.xml b/shared/checks/oval/ensure_logrotate_activated.xml -index 641e4516ae..9feb9b7fdc 100644 ---- a/shared/checks/oval/ensure_logrotate_activated.xml -+++ b/shared/checks/oval/ensure_logrotate_activated.xml -@@ -65,7 +65,7 @@ - - - /etc/cron.daily/logrotate -- ^[\s]*/usr/sbin/logrotate[\s]*/etc/logrotate.conf(?:.*)$ -+ ^[\s]*/usr/sbin/logrotate[\s\S]*/etc/logrotate.conf$ - 1 - - - -From ef15dd31ede1b96aa9b04feece43cc8d6c609ab8 Mon Sep 17 00:00:00 2001 -From: Watson Sato -Date: Mon, 12 Mar 2018 19:51:54 +0100 -Subject: [PATCH 3/4] Add remediation for ensure_logrotate_activate - ---- - shared/fixes/bash/ensure_logrotate_activated.sh | 7 +++++++ - .../rule_ensure_logrotate_activated/logrotate_conf_weekly.fail.sh | 1 - - .../rule_ensure_logrotate_activated/logrotate_no_config.fail.sh | 1 - - 3 files changed, 7 insertions(+), 2 deletions(-) - create mode 100644 shared/fixes/bash/ensure_logrotate_activated.sh - -diff --git a/shared/fixes/bash/ensure_logrotate_activated.sh b/shared/fixes/bash/ensure_logrotate_activated.sh -new file mode 100644 -index 0000000000..2d22e0df8b ---- /dev/null -+++ b/shared/fixes/bash/ensure_logrotate_activated.sh -@@ -0,0 +1,7 @@ -+# platform = multi_platform_rhel -+ -+# daily rotation is configured -+grep -q "^daily$" /etc/logrotate.conf || echo "daily" >> /etc/logrotate.conf -+ -+# remove any line configuring weekly, monthly or yearly rotation -+sed -i -r "/^(weekly|monthly|yearly)$/d" /etc/logrotate.conf -diff --git a/tests/data/group_system/group_logging/group_log_rotation/rule_ensure_logrotate_activated/logrotate_conf_weekly.fail.sh b/tests/data/group_system/group_logging/group_log_rotation/rule_ensure_logrotate_activated/logrotate_conf_weekly.fail.sh -index 671da30c0b..8c93377e76 100644 ---- 
a/tests/data/group_system/group_logging/group_log_rotation/rule_ensure_logrotate_activated/logrotate_conf_weekly.fail.sh -+++ b/tests/data/group_system/group_logging/group_log_rotation/rule_ensure_logrotate_activated/logrotate_conf_weekly.fail.sh -@@ -1,6 +1,5 @@ - #!/bin/bash - # profiles = xccdf_org.ssgproject.content_profile_pci-dss --# remediation = none - - sed -i "s/daily/weekly/" /etc/logrotate.conf - rm /etc/cron.daily/logrotate -diff --git a/tests/data/group_system/group_logging/group_log_rotation/rule_ensure_logrotate_activated/logrotate_no_config.fail.sh b/tests/data/group_system/group_logging/group_log_rotation/rule_ensure_logrotate_activated/logrotate_no_config.fail.sh -index 69c0ca7ee5..88679f329f 100644 ---- a/tests/data/group_system/group_logging/group_log_rotation/rule_ensure_logrotate_activated/logrotate_no_config.fail.sh -+++ b/tests/data/group_system/group_logging/group_log_rotation/rule_ensure_logrotate_activated/logrotate_no_config.fail.sh -@@ -1,6 +1,5 @@ - #!/bin/bash - # profiles = xccdf_org.ssgproject.content_profile_pci-dss --# remediation = none - - sed -i "/^daily/d" /etc/logrotate.conf - rm /etc/cron.daily/logrotate - -From 44dc057232f17467597ed03416cd7417fde5430f Mon Sep 17 00:00:00 2001 -From: Watson Sato -Date: Tue, 13 Mar 2018 16:45:01 +0100 -Subject: [PATCH 4/4] logrotate needs conf and crontab configured - -- Update OVAL definition to check for both logrotate.conf and cron.daily -- Update remediation to add logrotate to cron.daily -- Update test scenrios accordingly ---- - shared/checks/oval/ensure_logrotate_activated.xml | 2 +- - shared/fixes/bash/ensure_logrotate_activated.sh | 13 +++++++++++-- - .../logrotate_conf_weekly.fail.sh | 1 - - ...aily_configured.pass.sh => logrotate_configured.pass.sh} | 4 ++-- - ...f_configured.pass.sh => logrotate_no_cron_daily.fail.sh} | 0 - 5 files changed, 14 insertions(+), 6 deletions(-) - rename 
tests/data/group_system/group_logging/group_log_rotation/rule_ensure_logrotate_activated/{cron_daily_configured.pass.sh => logrotate_configured.pass.sh} (56%) - rename tests/data/group_system/group_logging/group_log_rotation/rule_ensure_logrotate_activated/{logrotate_conf_configured.pass.sh => logrotate_no_cron_daily.fail.sh} (100%) - -diff --git a/shared/checks/oval/ensure_logrotate_activated.xml b/shared/checks/oval/ensure_logrotate_activated.xml -index 9feb9b7fdc..a34caaab5c 100644 ---- a/shared/checks/oval/ensure_logrotate_activated.xml -+++ b/shared/checks/oval/ensure_logrotate_activated.xml -@@ -11,7 +11,7 @@ - The frequency of automatic log files rotation performed by the logrotate utility should be configured to run daily -
- -- -+ - - > /etc/logrotate.conf -+grep -q "^daily$" $LOGROTATE_CONF_FILE|| echo "daily" >> $LOGROTATE_CONF_FILE - - # remove any line configuring weekly, monthly or yearly rotation --sed -i -r "/^(weekly|monthly|yearly)$/d" /etc/logrotate.conf -+sed -i -r "/^(weekly|monthly|yearly)$/d" $LOGROTATE_CONF_FILE -+ -+# configure cron.daily if not already -+if ! grep -q "^[[:space:]]*/usr/sbin/logrotate[[:alnum:][:blank:][:punct:]]*$LOGROTATE_CONF_FILE$" $CRON_DAILY_LOGROTATE_FILE; then -+ echo "#!/bin/sh" > $CRON_DAILY_LOGROTATE_FILE -+ echo "/usr/sbin/logrotate $LOGROTATE_CONF_FILE" >> $CRON_DAILY_LOGROTATE_FILE -+fi -diff --git a/tests/data/group_system/group_logging/group_log_rotation/rule_ensure_logrotate_activated/logrotate_conf_weekly.fail.sh b/tests/data/group_system/group_logging/group_log_rotation/rule_ensure_logrotate_activated/logrotate_conf_weekly.fail.sh -index 8c93377e76..30d1e29008 100644 ---- a/tests/data/group_system/group_logging/group_log_rotation/rule_ensure_logrotate_activated/logrotate_conf_weekly.fail.sh -+++ b/tests/data/group_system/group_logging/group_log_rotation/rule_ensure_logrotate_activated/logrotate_conf_weekly.fail.sh -@@ -2,4 +2,3 @@ - # profiles = xccdf_org.ssgproject.content_profile_pci-dss - - sed -i "s/daily/weekly/" /etc/logrotate.conf --rm /etc/cron.daily/logrotate -diff --git a/tests/data/group_system/group_logging/group_log_rotation/rule_ensure_logrotate_activated/cron_daily_configured.pass.sh b/tests/data/group_system/group_logging/group_log_rotation/rule_ensure_logrotate_activated/logrotate_configured.pass.sh -similarity index 56% -rename from tests/data/group_system/group_logging/group_log_rotation/rule_ensure_logrotate_activated/cron_daily_configured.pass.sh -rename to tests/data/group_system/group_logging/group_log_rotation/rule_ensure_logrotate_activated/logrotate_configured.pass.sh -index 2debba3186..170b8e9ed8 100644 ---- 
a/tests/data/group_system/group_logging/group_log_rotation/rule_ensure_logrotate_activated/cron_daily_configured.pass.sh -+++ b/tests/data/group_system/group_logging/group_log_rotation/rule_ensure_logrotate_activated/logrotate_configured.pass.sh -@@ -1,7 +1,7 @@ - #!/bin/bash - # profiles = xccdf_org.ssgproject.content_profile_pci-dss - --# make sure config in logrotate conf is misconfigured --sed -i "s/daily/weekly/" /etc/logrotate.conf -+# fix logrotate config -+sed -i "s/weekly/daily/" /etc/logrotate.conf - - # default for cron.daily for RHEL7 is already correct -diff --git a/tests/data/group_system/group_logging/group_log_rotation/rule_ensure_logrotate_activated/logrotate_conf_configured.pass.sh b/tests/data/group_system/group_logging/group_log_rotation/rule_ensure_logrotate_activated/logrotate_no_cron_daily.fail.sh -similarity index 100% -rename from tests/data/group_system/group_logging/group_log_rotation/rule_ensure_logrotate_activated/logrotate_conf_configured.pass.sh -rename to tests/data/group_system/group_logging/group_log_rotation/rule_ensure_logrotate_activated/logrotate_no_cron_daily.fail.sh -From 9b32280bb07c28281f7bd97663e783e1846d4dc9 Mon Sep 17 00:00:00 2001 -From: Watson Sato -Date: Tue, 13 Mar 2018 19:54:13 +0100 -Subject: [PATCH 1/8] Add test scenarios for audit_rules_login_events - -- default fail - no rules at all -- default pass - default watch rules for tallylog, faillock and lastlog ---- - .../rule_audit_rules_login_events/default.fail.sh | 7 +++++++ - .../rule_audit_rules_login_events/default.pass.sh | 9 +++++++++ - 2 files changed, 16 insertions(+) - create mode 100644 tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_login_events/rule_audit_rules_login_events/default.fail.sh - create mode 100644 tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_login_events/rule_audit_rules_login_events/default.pass.sh - -diff --git 
a/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_login_events/rule_audit_rules_login_events/default.fail.sh b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_login_events/rule_audit_rules_login_events/default.fail.sh -new file mode 100644 -index 0000000000..ab4dc70c93 ---- /dev/null -+++ b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_login_events/rule_audit_rules_login_events/default.fail.sh -@@ -0,0 +1,7 @@ -+#!/bin/bash -+# profiles = xccdf_org.ssgproject.content_profile_pci-dss -+# remediation = bash -+ -+rm -f /etc/audit/rules.d/* -+> /etc/audit/audit.rules -+true -diff --git a/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_login_events/rule_audit_rules_login_events/default.pass.sh b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_login_events/rule_audit_rules_login_events/default.pass.sh -new file mode 100644 -index 0000000000..4f81075d4b ---- /dev/null -+++ b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_login_events/rule_audit_rules_login_events/default.pass.sh -@@ -0,0 +1,9 @@ -+#!/bin/bash -+# profiles = xccdf_org.ssgproject.content_profile_pci-dss -+# remediation = bash -+ -+echo "-w /var/log/tallylog -p wa -k logins" >> /etc/audit/rules.d/logins.rules -+echo "-w /var/run/faillock/ -p wa -k logins" >> /etc/audit/rules.d/logins.rules -+echo "-w /var/log/lastlog -p wa -k logins" >> /etc/audit/rules.d/logins.rules -+ -+cat /etc/audit/rules.d/logins.rules - -From 3743d6b1fdc6cfd7b2cdb2d4d934e47d9c456441 Mon Sep 17 00:00:00 2001 -From: Watson Sato -Date: Tue, 13 Mar 2018 20:16:20 +0100 -Subject: [PATCH 2/8] Add test scenarios for - auditd_data_retention_space_left_action - -- action_email - configures action to email -- action_not_there - removes any configuration of space_left_action ---- - .../action_email.pass.sh | 5 +++++ - .../action_not_there.fail.sh | 5 
+++++ - 2 files changed, 10 insertions(+) - create mode 100644 tests/data/group_system/group_auditing/group_auditd_data_retention/rule_auditd_data_retention_space_left_action/action_email.pass.sh - create mode 100644 tests/data/group_system/group_auditing/group_auditd_data_retention/rule_auditd_data_retention_space_left_action/action_not_there.fail.sh - -diff --git a/tests/data/group_system/group_auditing/group_auditd_data_retention/rule_auditd_data_retention_space_left_action/action_email.pass.sh b/tests/data/group_system/group_auditing/group_auditd_data_retention/rule_auditd_data_retention_space_left_action/action_email.pass.sh -new file mode 100644 -index 0000000000..e340fef316 ---- /dev/null -+++ b/tests/data/group_system/group_auditing/group_auditd_data_retention/rule_auditd_data_retention_space_left_action/action_email.pass.sh -@@ -0,0 +1,5 @@ -+#!/bin/bash -+# profiles = xccdf_org.ssgproject.content_profile_stig-rhel7-disa -+# remediation = bash -+ -+sed -i "s/^space_left_action = .*$/space_left_action = email/" /etc/audit/auditd.conf -diff --git a/tests/data/group_system/group_auditing/group_auditd_data_retention/rule_auditd_data_retention_space_left_action/action_not_there.fail.sh b/tests/data/group_system/group_auditing/group_auditd_data_retention/rule_auditd_data_retention_space_left_action/action_not_there.fail.sh -new file mode 100644 -index 0000000000..13707b20da ---- /dev/null -+++ b/tests/data/group_system/group_auditing/group_auditd_data_retention/rule_auditd_data_retention_space_left_action/action_not_there.fail.sh -@@ -0,0 +1,5 @@ -+#!/bin/bash -+# profiles = xccdf_org.ssgproject.content_profile_stig-rhel7-disa -+# remediation = bash -+ -+sed -i "/^space_left_action = /d" /etc/audit/auditd.conf - -From 580f2d489741e293ceeb4e3863298351d0ac5c29 Mon Sep 17 00:00:00 2001 -From: Watson Sato -Date: Wed, 14 Mar 2018 15:47:28 +0100 -Subject: [PATCH 3/8] Add test scenarios for audit_data_retention_space_left - -- space_left pass - auditd.conf configured 
with enough space -- space_left_not_enough fail - auditd.conf configured with low space -- space_left_not_there fail - auditd.conf without space_left parameter ---- - .../rule_auditd_data_retention_space_left/space_left.pass.sh | 9 +++++++++ - .../space_left_not_enough.fail.sh | 5 +++++ - .../space_left_not_there.fail.sh | 5 +++++ - 3 files changed, 19 insertions(+) - create mode 100644 tests/data/group_system/group_auditing/group_auditd_data_retention/rule_auditd_data_retention_space_left/space_left.pass.sh - create mode 100644 tests/data/group_system/group_auditing/group_auditd_data_retention/rule_auditd_data_retention_space_left/space_left_not_enough.fail.sh - create mode 100644 tests/data/group_system/group_auditing/group_auditd_data_retention/rule_auditd_data_retention_space_left/space_left_not_there.fail.sh - -diff --git a/tests/data/group_system/group_auditing/group_auditd_data_retention/rule_auditd_data_retention_space_left/space_left.pass.sh b/tests/data/group_system/group_auditing/group_auditd_data_retention/rule_auditd_data_retention_space_left/space_left.pass.sh -new file mode 100644 -index 0000000000..2e24c0ab86 ---- /dev/null -+++ b/tests/data/group_system/group_auditing/group_auditd_data_retention/rule_auditd_data_retention_space_left/space_left.pass.sh -@@ -0,0 +1,9 @@ -+#!/bin/bash -+# profiles = xccdf_org.ssgproject.content_profile_stig-rhel7-disa -+# remediation = bash -+ -+if grep -q "^space_left[[:space:]]*= " /etc/audit/auditd.conf; then -+ sed -i "s/^space_left = .*$/space_left = 100/" /etc/audit/auditd.conf -+else -+ echo "space_left = 100" >> /etc/audit/auditd.conf -+fi -diff --git a/tests/data/group_system/group_auditing/group_auditd_data_retention/rule_auditd_data_retention_space_left/space_left_not_enough.fail.sh b/tests/data/group_system/group_auditing/group_auditd_data_retention/rule_auditd_data_retention_space_left/space_left_not_enough.fail.sh -new file mode 100644 -index 0000000000..637d9a0b3f ---- /dev/null -+++ 
b/tests/data/group_system/group_auditing/group_auditd_data_retention/rule_auditd_data_retention_space_left/space_left_not_enough.fail.sh -@@ -0,0 +1,5 @@ -+#!/bin/bash -+# profiles = xccdf_org.ssgproject.content_profile_stig-rhel7-disa -+# remediation = bash -+ -+sed -i "s/^space_left = .*$/space_left = 15/" /etc/audit/auditd.conf -diff --git a/tests/data/group_system/group_auditing/group_auditd_data_retention/rule_auditd_data_retention_space_left/space_left_not_there.fail.sh b/tests/data/group_system/group_auditing/group_auditd_data_retention/rule_auditd_data_retention_space_left/space_left_not_there.fail.sh -new file mode 100644 -index 0000000000..71d459fdec ---- /dev/null -+++ b/tests/data/group_system/group_auditing/group_auditd_data_retention/rule_auditd_data_retention_space_left/space_left_not_there.fail.sh -@@ -0,0 +1,5 @@ -+#!/bin/bash -+# profiles = xccdf_org.ssgproject.content_profile_stig-rhel7-disa -+# remediation = bash -+ -+sed -i "/^space_left = /d" /etc/audit/auditd.conf - -From 269ab3e0422b97e6c3593850e4fe93020436047b Mon Sep 17 00:00:00 2001 -From: Watson Sato -Date: Wed, 14 Mar 2018 16:30:20 +0100 -Subject: [PATCH 4/8] Fix append scenario in remediation for - audit_data_retention_space_left - -Remediation for auditd_data_retention_space_left could not add -configuration line when it was missing. - -grep command would return 0, sed command would not find the -configuration line to replace and return 0. -Subsequent if would consume $? equal 0 and not append config. - -Use of function replace_or_append is not easy here, [[:space:]] is not -handled correctly. 
---- - shared/fixes/bash/auditd_data_retention_space_left.sh | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/shared/fixes/bash/auditd_data_retention_space_left.sh b/shared/fixes/bash/auditd_data_retention_space_left.sh -index f4ae92b044..2ed771b2d2 100644 ---- a/shared/fixes/bash/auditd_data_retention_space_left.sh -+++ b/shared/fixes/bash/auditd_data_retention_space_left.sh -@@ -2,7 +2,7 @@ - . /usr/share/scap-security-guide/remediation_functions - populate var_auditd_space_left - --grep -q ^space_left /etc/audit/auditd.conf && \ -+grep -q "^space_left[[:space:]]*=" /etc/audit/auditd.conf && \ - sed -i "s/^space_left[[:space:]]*=.*/space_left = $var_auditd_space_left/g" /etc/audit/auditd.conf - if ! [ $? -eq 0 ]; then - echo "space_left = $var_auditd_space_left" >> /etc/audit/auditd.conf - -From 3afa2f4dad4de2c3d98bf9f1bdf554778f6bc33a Mon Sep 17 00:00:00 2001 -From: Watson Sato -Date: Wed, 14 Mar 2018 18:49:36 +0100 -Subject: [PATCH 5/8] Add test scenarios for audit_rules_privileged_commands - -- rules_configure pass - tests audit rules for default installation -- own_key pass - tests audit rules with custom key -- default fail - tests default installation without any configuration -- removes all rules.d fail - tests remediation when rules.d is empty ---- - .../default.fail.sh | 5 ++++ - .../own_key.rules | 30 ++++++++++++++++++++++ - .../privileged.rules | 30 ++++++++++++++++++++++ - .../remove_all_rules.d.fail.sh | 7 +++++ - .../rules_configured.pass.sh | 5 ++++ - .../rules_with_own_key.pass.sh | 5 ++++ - 6 files changed, 82 insertions(+) - create mode 100644 tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_privileged_commands/rule_audit_rules_privileged_commands/default.fail.sh - create mode 100644 tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_privileged_commands/rule_audit_rules_privileged_commands/own_key.rules - create mode 100644 
tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_privileged_commands/rule_audit_rules_privileged_commands/privileged.rules - create mode 100644 tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_privileged_commands/rule_audit_rules_privileged_commands/remove_all_rules.d.fail.sh - create mode 100644 tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_privileged_commands/rule_audit_rules_privileged_commands/rules_configured.pass.sh - create mode 100644 tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_privileged_commands/rule_audit_rules_privileged_commands/rules_with_own_key.pass.sh - -diff --git a/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_privileged_commands/rule_audit_rules_privileged_commands/default.fail.sh b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_privileged_commands/rule_audit_rules_privileged_commands/default.fail.sh -new file mode 100644 -index 0000000000..96e9f70a89 ---- /dev/null -+++ b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_privileged_commands/rule_audit_rules_privileged_commands/default.fail.sh -@@ -0,0 +1,5 @@ -+#!/bin/bash -+# profiles = xccdf_org.ssgproject.content_profile_pci-dss -+# remediation = bash -+ -+true -diff --git a/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_privileged_commands/rule_audit_rules_privileged_commands/own_key.rules b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_privileged_commands/rule_audit_rules_privileged_commands/own_key.rules -new file mode 100644 -index 0000000000..4df6d4ec8b ---- /dev/null -+++ b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_privileged_commands/rule_audit_rules_privileged_commands/own_key.rules -@@ -0,0 +1,30 @@ -+-a always,exit -F path=/usr/bin/wall -F perm=x -F 
auid>=1000 -F auid!=4294967295 -k own_key -+-a always,exit -F path=/usr/bin/chfn -F perm=x -F auid>=1000 -F auid!=4294967295 -k own_key -+-a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=4294967295 -k own_key -+-a always,exit -F path=/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=4294967295 -k own_key -+-a always,exit -F path=/usr/bin/write -F perm=x -F auid>=1000 -F auid!=4294967295 -k own_key -+-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=4294967295 -k own_key -+-a always,exit -F path=/usr/bin/su -F perm=x -F auid>=1000 -F auid!=4294967295 -k own_key -+-a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=4294967295 -k own_key -+-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=4294967295 -k own_key -+-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=4294967295 -k own_key -+-a always,exit -F path=/usr/bin/mount -F perm=x -F auid>=1000 -F auid!=4294967295 -k own_key -+-a always,exit -F path=/usr/bin/pkexec -F perm=x -F auid>=1000 -F auid!=4294967295 -k own_key -+-a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=4294967295 -k own_key -+-a always,exit -F path=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F auid!=4294967295 -k own_key -+-a always,exit -F path=/usr/bin/at -F perm=x -F auid>=1000 -F auid!=4294967295 -k own_key -+-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=4294967295 -k own_key -+-a always,exit -F path=/usr/bin/staprun -F perm=x -F auid>=1000 -F auid!=4294967295 -k own_key -+-a always,exit -F path=/usr/bin/locate -F perm=x -F auid>=1000 -F auid!=4294967295 -k own_key -+-a always,exit -F path=/usr/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=4294967295 -k own_key -+-a always,exit -F path=/usr/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=4294967295 -k own_key -+-a always,exit -F path=/usr/sbin/netreport -F perm=x -F auid>=1000 -F auid!=4294967295 -k own_key -+-a always,exit -F 
path=/usr/sbin/usernetctl -F perm=x -F auid>=1000 -F auid!=4294967295 -k own_key -+-a always,exit -F path=/usr/sbin/userhelper -F perm=x -F auid>=1000 -F auid!=4294967295 -k own_key -+-a always,exit -F path=/usr/sbin/postdrop -F perm=x -F auid>=1000 -F auid!=4294967295 -k own_key -+-a always,exit -F path=/usr/sbin/postqueue -F perm=x -F auid>=1000 -F auid!=4294967295 -k own_key -+-a always,exit -F path=/usr/lib/polkit-1/polkit-agent-helper-1 -F perm=x -F auid>=1000 -F auid!=4294967295 -k own_key -+-a always,exit -F path=/usr/libexec/utempter/utempter -F perm=x -F auid>=1000 -F auid!=4294967295 -k own_key -+-a always,exit -F path=/usr/libexec/dbus-1/dbus-daemon-launch-helper -F perm=x -F auid>=1000 -F auid!=4294967295 -k own_key -+-a always,exit -F path=/usr/libexec/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=4294967295 -k own_key -+-a always,exit -F path=/usr/libexec/abrt-action-install-debuginfo-to-abrt-cache -F perm=x -F auid>=1000 -F auid!=4294967295 -k own_key -diff --git a/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_privileged_commands/rule_audit_rules_privileged_commands/privileged.rules b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_privileged_commands/rule_audit_rules_privileged_commands/privileged.rules -new file mode 100644 -index 0000000000..4eb644acbc ---- /dev/null -+++ b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_privileged_commands/rule_audit_rules_privileged_commands/privileged.rules -@@ -0,0 +1,30 @@ -+-a always,exit -F path=/usr/bin/wall -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged -+-a always,exit -F path=/usr/bin/chfn -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged -+-a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged -+-a always,exit -F path=/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged -+-a always,exit -F path=/usr/bin/write -F perm=x 
-F auid>=1000 -F auid!=4294967295 -k privileged -+-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged -+-a always,exit -F path=/usr/bin/su -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged -+-a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged -+-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged -+-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged -+-a always,exit -F path=/usr/bin/mount -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged -+-a always,exit -F path=/usr/bin/pkexec -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged -+-a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged -+-a always,exit -F path=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged -+-a always,exit -F path=/usr/bin/at -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged -+-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged -+-a always,exit -F path=/usr/bin/staprun -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged -+-a always,exit -F path=/usr/bin/locate -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged -+-a always,exit -F path=/usr/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged -+-a always,exit -F path=/usr/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged -+-a always,exit -F path=/usr/sbin/netreport -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged -+-a always,exit -F path=/usr/sbin/usernetctl -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged -+-a always,exit -F path=/usr/sbin/userhelper -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged -+-a always,exit -F path=/usr/sbin/postdrop -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged -+-a always,exit -F 
path=/usr/sbin/postqueue -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged -+-a always,exit -F path=/usr/lib/polkit-1/polkit-agent-helper-1 -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged -+-a always,exit -F path=/usr/libexec/utempter/utempter -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged -+-a always,exit -F path=/usr/libexec/dbus-1/dbus-daemon-launch-helper -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged -+-a always,exit -F path=/usr/libexec/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged -+-a always,exit -F path=/usr/libexec/abrt-action-install-debuginfo-to-abrt-cache -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged -diff --git a/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_privileged_commands/rule_audit_rules_privileged_commands/remove_all_rules.d.fail.sh b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_privileged_commands/rule_audit_rules_privileged_commands/remove_all_rules.d.fail.sh -new file mode 100644 -index 0000000000..ab4dc70c93 ---- /dev/null -+++ b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_privileged_commands/rule_audit_rules_privileged_commands/remove_all_rules.d.fail.sh -@@ -0,0 +1,7 @@ -+#!/bin/bash -+# profiles = xccdf_org.ssgproject.content_profile_pci-dss -+# remediation = bash -+ -+rm -f /etc/audit/rules.d/* -+> /etc/audit/audit.rules -+true -diff --git a/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_privileged_commands/rule_audit_rules_privileged_commands/rules_configured.pass.sh b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_privileged_commands/rule_audit_rules_privileged_commands/rules_configured.pass.sh -new file mode 100644 -index 0000000000..1aca5a0c00 ---- /dev/null -+++ 
b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_privileged_commands/rule_audit_rules_privileged_commands/rules_configured.pass.sh -@@ -0,0 +1,5 @@ -+#!/bin/bash -+# profiles = xccdf_org.ssgproject.content_profile_pci-dss -+# remediation = bash -+ -+cp privileged.rules /etc/audit/rules.d/ -diff --git a/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_privileged_commands/rule_audit_rules_privileged_commands/rules_with_own_key.pass.sh b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_privileged_commands/rule_audit_rules_privileged_commands/rules_with_own_key.pass.sh -new file mode 100644 -index 0000000000..4fecb12817 ---- /dev/null -+++ b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_privileged_commands/rule_audit_rules_privileged_commands/rules_with_own_key.pass.sh -@@ -0,0 +1,5 @@ -+#!/bin/bash -+# profiles = xccdf_org.ssgproject.content_profile_pci-dss -+# remediation = bash -+ -+cp own_key.rules /etc/audit/rules.d/privileged.rules - -From b00609abc38092461e9ab034ed74476772c71761 Mon Sep 17 00:00:00 2001 -From: Watson Sato -Date: Wed, 14 Mar 2018 18:55:56 +0100 -Subject: [PATCH 6/8] Enable function perform_audit_rules to handle empty rules - directory - -When /etc/audit/rules.d was empty, the remediation function would not -add any rule into output rules file. 
---- - .../perform_audit_rules_privileged_commands_remediation.sh | 13 ++++++++++--- - 1 file changed, 10 insertions(+), 3 deletions(-) - -diff --git a/shared/bash_remediation_functions/perform_audit_rules_privileged_commands_remediation.sh b/shared/bash_remediation_functions/perform_audit_rules_privileged_commands_remediation.sh -index 5fac50ef07..3f48afabe3 100644 ---- a/shared/bash_remediation_functions/perform_audit_rules_privileged_commands_remediation.sh -+++ b/shared/bash_remediation_functions/perform_audit_rules_privileged_commands_remediation.sh -@@ -78,6 +78,15 @@ do - # presence of existing audit rule for new sbinary - local count_of_inspected_files=0 - -+ # Define expected rule form for this binary -+ expected_rule="-a always,exit -F path=${sbinary} -F perm=x -F auid>=${min_auid} -F auid!=4294967295 -k privileged" -+ -+ # If list of audit rules files to be inspected is empty, just add new rule and move on to next binary -+ if [[ ${#files_to_inspect[@]} -eq 0 ]]; then -+ echo "$expected_rule" >> "$output_audit_file" -+ continue -+ fi -+ - # For each audit rules file from the list of files to be inspected - for afile in "${files_to_inspect[@]}" - do -@@ -96,9 +105,6 @@ do - # Increase the count of inspected files for this sbinary - count_of_inspected_files=$((count_of_inspected_files + 1)) - -- # Define expected rule form for this binary -- expected_rule="-a always,exit -F path=${sbinary} -F perm=x -F auid>=${min_auid} -F auid!=4294967295 -k privileged" -- - # Require execute access type to be set for existing audit rule - exec_access='x' - -@@ -155,6 +161,7 @@ do - # Current audit rules file's content doesn't contain expected rule for this - # SUID/SGID binary yet => append it - echo $expected_rule >> $output_audit_file -+ continue - fi - - done - -From bbdbd508e3c2d60100abe533f50929748f375a2d Mon Sep 17 00:00:00 2001 -From: Watson Sato -Date: Mon, 19 Mar 2018 18:20:05 +0100 -Subject: [PATCH 7/8] Make regexes for space_left tests consistent - ---- - 
shared/fixes/bash/auditd_data_retention_space_left.sh | 4 ++-- - .../rule_auditd_data_retention_space_left/space_left.pass.sh | 5 +++-- - .../space_left_not_enough.fail.sh | 2 +- - 3 files changed, 6 insertions(+), 5 deletions(-) - -diff --git a/shared/fixes/bash/auditd_data_retention_space_left.sh b/shared/fixes/bash/auditd_data_retention_space_left.sh -index 2ed771b2d2..3cd4306aa8 100644 ---- a/shared/fixes/bash/auditd_data_retention_space_left.sh -+++ b/shared/fixes/bash/auditd_data_retention_space_left.sh -@@ -2,8 +2,8 @@ - . /usr/share/scap-security-guide/remediation_functions - populate var_auditd_space_left - --grep -q "^space_left[[:space:]]*=" /etc/audit/auditd.conf && \ -- sed -i "s/^space_left[[:space:]]*=.*/space_left = $var_auditd_space_left/g" /etc/audit/auditd.conf -+grep -q "^space_left[[:space:]]*=.*$" /etc/audit/auditd.conf && \ -+ sed -i "s/^space_left[[:space:]]*=.*$/space_left = $var_auditd_space_left/g" /etc/audit/auditd.conf - if ! [ $? -eq 0 ]; then - echo "space_left = $var_auditd_space_left" >> /etc/audit/auditd.conf - fi -diff --git a/tests/data/group_system/group_auditing/group_auditd_data_retention/rule_auditd_data_retention_space_left/space_left.pass.sh b/tests/data/group_system/group_auditing/group_auditd_data_retention/rule_auditd_data_retention_space_left/space_left.pass.sh -index 2e24c0ab86..dde1f2be94 100644 ---- a/tests/data/group_system/group_auditing/group_auditd_data_retention/rule_auditd_data_retention_space_left/space_left.pass.sh -+++ b/tests/data/group_system/group_auditing/group_auditd_data_retention/rule_auditd_data_retention_space_left/space_left.pass.sh -@@ -2,8 +2,9 @@ - # profiles = xccdf_org.ssgproject.content_profile_stig-rhel7-disa - # remediation = bash - --if grep -q "^space_left[[:space:]]*= " /etc/audit/auditd.conf; then -- sed -i "s/^space_left = .*$/space_left = 100/" /etc/audit/auditd.conf -+SPACE_LEFT_REGEX="^space_left[[:space:]]*=.*$" -+if grep -q "$SPACE_LEFT_REGEX" /etc/audit/auditd.conf; then -+ sed 
-i "s/$SPACE_LEFT_REGEX/space_left = 100/" /etc/audit/auditd.conf - else - echo "space_left = 100" >> /etc/audit/auditd.conf - fi -diff --git a/tests/data/group_system/group_auditing/group_auditd_data_retention/rule_auditd_data_retention_space_left/space_left_not_enough.fail.sh b/tests/data/group_system/group_auditing/group_auditd_data_retention/rule_auditd_data_retention_space_left/space_left_not_enough.fail.sh -index 637d9a0b3f..0d1b1a3911 100644 ---- a/tests/data/group_system/group_auditing/group_auditd_data_retention/rule_auditd_data_retention_space_left/space_left_not_enough.fail.sh -+++ b/tests/data/group_system/group_auditing/group_auditd_data_retention/rule_auditd_data_retention_space_left/space_left_not_enough.fail.sh -@@ -2,4 +2,4 @@ - # profiles = xccdf_org.ssgproject.content_profile_stig-rhel7-disa - # remediation = bash - --sed -i "s/^space_left = .*$/space_left = 15/" /etc/audit/auditd.conf -+sed -i "s/^space_left[[:space:]]*=.*$/space_left = 15/" /etc/audit/auditd.conf - -From 9f1569a0a572ae4ac2fa002c622cebbc23ff5a45 Mon Sep 17 00:00:00 2001 -From: Watson Sato -Date: Mon, 19 Mar 2018 18:22:24 +0100 -Subject: [PATCH 8/8] Chain echo command with OR - -The remediation will sed or echo the config file. ---- - shared/fixes/bash/auditd_data_retention_space_left.sh | 6 ++---- - 1 file changed, 2 insertions(+), 4 deletions(-) - -diff --git a/shared/fixes/bash/auditd_data_retention_space_left.sh b/shared/fixes/bash/auditd_data_retention_space_left.sh -index 3cd4306aa8..67ab813d48 100644 ---- a/shared/fixes/bash/auditd_data_retention_space_left.sh -+++ b/shared/fixes/bash/auditd_data_retention_space_left.sh -@@ -3,7 +3,5 @@ - populate var_auditd_space_left - - grep -q "^space_left[[:space:]]*=.*$" /etc/audit/auditd.conf && \ -- sed -i "s/^space_left[[:space:]]*=.*$/space_left = $var_auditd_space_left/g" /etc/audit/auditd.conf --if ! [ $? 
-eq 0 ]; then -- echo "space_left = $var_auditd_space_left" >> /etc/audit/auditd.conf --fi -+ sed -i "s/^space_left[[:space:]]*=.*$/space_left = $var_auditd_space_left/g" /etc/audit/auditd.conf || \ -+ echo "space_left = $var_auditd_space_left" >> /etc/audit/auditd.conf -From 155b606d318d0995d094183e7278707c310172de Mon Sep 17 00:00:00 2001 -From: Watson Sato -Date: Thu, 15 Mar 2018 17:23:00 +0100 -Subject: [PATCH 1/7] Add tests for network_ipv6_disable_rpc - -- rpc_disabled pass - correct configuration in /etc/netconfig -- default fail - default installation configuration ---- - .../rule_network_ipv6_disable_rpc/default.fail.sh | 7 +++++++ - .../rule_network_ipv6_disable_rpc/rpc_disabled.pass.sh | 7 +++++++ - 2 files changed, 14 insertions(+) - create mode 100644 tests/data/group_system/group_network/group_network-ipv6/group_disabling_ipv6/rule_network_ipv6_disable_rpc/default.fail.sh - create mode 100644 tests/data/group_system/group_network/group_network-ipv6/group_disabling_ipv6/rule_network_ipv6_disable_rpc/rpc_disabled.pass.sh - -diff --git a/tests/data/group_system/group_network/group_network-ipv6/group_disabling_ipv6/rule_network_ipv6_disable_rpc/default.fail.sh b/tests/data/group_system/group_network/group_network-ipv6/group_disabling_ipv6/rule_network_ipv6_disable_rpc/default.fail.sh -new file mode 100644 -index 0000000000..ff0a92e368 ---- /dev/null -+++ b/tests/data/group_system/group_network/group_network-ipv6/group_disabling_ipv6/rule_network_ipv6_disable_rpc/default.fail.sh -@@ -0,0 +1,7 @@ -+#!/bin/bash -+# -+# profiles = xccdf_org.ssgproject.content_profile_ospp-rhel7, xccdf_org.ssgproject.content_profile_ospp-rhel7 -+# remediation = bash -+ -+# default config has rpc enabled -+true -diff --git a/tests/data/group_system/group_network/group_network-ipv6/group_disabling_ipv6/rule_network_ipv6_disable_rpc/rpc_disabled.pass.sh 
b/tests/data/group_system/group_network/group_network-ipv6/group_disabling_ipv6/rule_network_ipv6_disable_rpc/rpc_disabled.pass.sh -new file mode 100644 -index 0000000000..0349191dfb ---- /dev/null -+++ b/tests/data/group_system/group_network/group_network-ipv6/group_disabling_ipv6/rule_network_ipv6_disable_rpc/rpc_disabled.pass.sh -@@ -0,0 +1,7 @@ -+#!/bin/bash -+# -+# profiles = xccdf_org.ssgproject.content_profile_ospp-rhel7, xccdf_org.ssgproject.content_profile_ospp-rhel7 -+# remediation = bash -+ -+sed -i "/^tcp6[[:space:]]\+tpi\_.*inet6.*/d" /etc/netconfig -+sed -i "/^udp6[[:space:]]\+tpi\_.*inet6.*/d" /etc/netconfig - -From ab07272905bfb111c7c10dae630e04019d1135b2 Mon Sep 17 00:00:00 2001 -From: Watson Sato -Date: Thu, 15 Mar 2018 17:24:50 +0100 -Subject: [PATCH 2/7] Add remediation for network_ipv6_disable_rpc - -This fix script was sourced from RHEL6 product. ---- - shared/fixes/bash/network_ipv6_disable_rpc.sh | 10 ++++++++++ - 1 file changed, 10 insertions(+) - create mode 100644 shared/fixes/bash/network_ipv6_disable_rpc.sh - -diff --git a/shared/fixes/bash/network_ipv6_disable_rpc.sh b/shared/fixes/bash/network_ipv6_disable_rpc.sh -new file mode 100644 -index 0000000000..e4f738780d ---- /dev/null -+++ b/shared/fixes/bash/network_ipv6_disable_rpc.sh -@@ -0,0 +1,10 @@ -+# platform = multi_platform_rhel -+ -+# Drop 'tcp6' and 'udp6' entries from /etc/netconfig to prevent RPC -+# services for NFSv4 from attempting to start IPv6 network listeners -+declare -a IPV6_RPC_ENTRIES=("tcp6" "udp6") -+ -+for rpc_entry in ${IPV6_RPC_ENTRIES[@]} -+do -+ sed -i "/^$rpc_entry[[:space:]]\+tpi\_.*inet6.*/d" /etc/netconfig -+done - -From f9677408a17154278b65ec9d0b4271b8399aa12a Mon Sep 17 00:00:00 2001 -From: Watson Sato -Date: Thu, 15 Mar 2018 19:17:15 +0100 -Subject: [PATCH 3/7] Add tests for network_ipv6_privacy_extensions - -- default fail - remove IPV6_PRIVACY from any ifcfg file -- ipv6_privacy_enabled pass - add IPV6_PRIVACY to all ifcfg files ---- - 
.../rule_network_ipv6_privacy_extensions/default.fail.sh | 5 +++++ - .../ipv6_privacy_enabled.pass.sh | 8 ++++++++ - 2 files changed, 13 insertions(+) - create mode 100644 tests/data/group_system/group_network/group_network-ipv6/group_configuring_ipv6/rule_network_ipv6_privacy_extensions/default.fail.sh - create mode 100644 tests/data/group_system/group_network/group_network-ipv6/group_configuring_ipv6/rule_network_ipv6_privacy_extensions/ipv6_privacy_enabled.pass.sh - -diff --git a/tests/data/group_system/group_network/group_network-ipv6/group_configuring_ipv6/rule_network_ipv6_privacy_extensions/default.fail.sh b/tests/data/group_system/group_network/group_network-ipv6/group_configuring_ipv6/rule_network_ipv6_privacy_extensions/default.fail.sh -new file mode 100644 -index 0000000000..4f6cbaca7f ---- /dev/null -+++ b/tests/data/group_system/group_network/group_network-ipv6/group_configuring_ipv6/rule_network_ipv6_privacy_extensions/default.fail.sh -@@ -0,0 +1,5 @@ -+#!/bin/bash -+# -+# profiles = xccdf_org.ssgproject.content_profile_ospp-rhel7 -+ -+sed -i "/^IPV6_PRIVACY=rfc3041$/d" /etc/sysconfig/network-scripts/ifcfg-* -diff --git a/tests/data/group_system/group_network/group_network-ipv6/group_configuring_ipv6/rule_network_ipv6_privacy_extensions/ipv6_privacy_enabled.pass.sh b/tests/data/group_system/group_network/group_network-ipv6/group_configuring_ipv6/rule_network_ipv6_privacy_extensions/ipv6_privacy_enabled.pass.sh -new file mode 100644 -index 0000000000..90eb082745 ---- /dev/null -+++ b/tests/data/group_system/group_network/group_network-ipv6/group_configuring_ipv6/rule_network_ipv6_privacy_extensions/ipv6_privacy_enabled.pass.sh -@@ -0,0 +1,8 @@ -+#!/bin/bash -+# -+# profiles = xccdf_org.ssgproject.content_profile_ospp-rhel7 -+ -+for file in $(ls /etc/sysconfig/network-scripts/ifcfg-*) -+do -+ echo "IPV6_PRIVACY=rfc3041" >> $file -+done - -From cfccf1711de2ffa9b94019ee96ff63740967ee18 Mon Sep 17 00:00:00 2001 -From: Watson Sato -Date: Thu, 15 Mar 2018 
19:18:53 +0100 -Subject: [PATCH 4/7] Add remediation for network_ipv6_privacy_extensions - -- adding only bash remediation ---- - shared/fixes/bash/network_ipv6_privacy_extensions.sh | 7 +++++++ - 1 file changed, 7 insertions(+) - create mode 100644 shared/fixes/bash/network_ipv6_privacy_extensions.sh - -diff --git a/shared/fixes/bash/network_ipv6_privacy_extensions.sh b/shared/fixes/bash/network_ipv6_privacy_extensions.sh -new file mode 100644 -index 0000000000..b719fb471f ---- /dev/null -+++ b/shared/fixes/bash/network_ipv6_privacy_extensions.sh -@@ -0,0 +1,7 @@ -+# platform = multi_platform_rhel -+ -+# enable randomness in ipv6 address generation -+for interface in $(ls /etc/sysconfig/network-scripts/ifcfg-*) -+do -+ echo "IPV6_PRIVACY=rfc3041" >> $interface -+done - -From c09b5a38d62c733260c1c29227ec3032ea26e9b1 Mon Sep 17 00:00:00 2001 -From: Watson Sato -Date: Tue, 20 Mar 2018 16:52:12 +0100 -Subject: [PATCH 5/7] Bash improvements for remdiation and tests - ---- - shared/fixes/bash/network_ipv6_disable_rpc.sh | 3 +-- - shared/fixes/bash/network_ipv6_privacy_extensions.sh | 2 +- - .../rule_network_ipv6_privacy_extensions/ipv6_privacy_enabled.pass.sh | 4 ++-- - 3 files changed, 4 insertions(+), 5 deletions(-) - -diff --git a/shared/fixes/bash/network_ipv6_disable_rpc.sh b/shared/fixes/bash/network_ipv6_disable_rpc.sh -index e4f738780d..5246e14109 100644 ---- a/shared/fixes/bash/network_ipv6_disable_rpc.sh -+++ b/shared/fixes/bash/network_ipv6_disable_rpc.sh -@@ -2,9 +2,8 @@ - - # Drop 'tcp6' and 'udp6' entries from /etc/netconfig to prevent RPC - # services for NFSv4 from attempting to start IPv6 network listeners --declare -a IPV6_RPC_ENTRIES=("tcp6" "udp6") - --for rpc_entry in ${IPV6_RPC_ENTRIES[@]} -+for rpc_entry in "tcp6" "udp6" - do - sed -i "/^$rpc_entry[[:space:]]\+tpi\_.*inet6.*/d" /etc/netconfig - done -diff --git a/shared/fixes/bash/network_ipv6_privacy_extensions.sh b/shared/fixes/bash/network_ipv6_privacy_extensions.sh -index 
b719fb471f..134bb3f1f9 100644 ---- a/shared/fixes/bash/network_ipv6_privacy_extensions.sh -+++ b/shared/fixes/bash/network_ipv6_privacy_extensions.sh -@@ -1,7 +1,7 @@ - # platform = multi_platform_rhel - - # enable randomness in ipv6 address generation --for interface in $(ls /etc/sysconfig/network-scripts/ifcfg-*) -+for interface in /etc/sysconfig/network-scripts/ifcfg-* - do - echo "IPV6_PRIVACY=rfc3041" >> $interface - done -diff --git a/tests/data/group_system/group_network/group_network-ipv6/group_configuring_ipv6/rule_network_ipv6_privacy_extensions/ipv6_privacy_enabled.pass.sh b/tests/data/group_system/group_network/group_network-ipv6/group_configuring_ipv6/rule_network_ipv6_privacy_extensions/ipv6_privacy_enabled.pass.sh -index 90eb082745..0982f003c8 100644 ---- a/tests/data/group_system/group_network/group_network-ipv6/group_configuring_ipv6/rule_network_ipv6_privacy_extensions/ipv6_privacy_enabled.pass.sh -+++ b/tests/data/group_system/group_network/group_network-ipv6/group_configuring_ipv6/rule_network_ipv6_privacy_extensions/ipv6_privacy_enabled.pass.sh -@@ -2,7 +2,7 @@ - # - # profiles = xccdf_org.ssgproject.content_profile_ospp-rhel7 - --for file in $(ls /etc/sysconfig/network-scripts/ifcfg-*) -+for interface in /etc/sysconfig/network-scripts/ifcfg-* - do -- echo "IPV6_PRIVACY=rfc3041" >> $file -+ echo "IPV6_PRIVACY=rfc3041" >> $interface - done - -From 77890cd398db61a30f6e20add1067f77f5c0c283 Mon Sep 17 00:00:00 2001 -From: Watson Sato -Date: Tue, 20 Mar 2018 16:58:03 +0100 -Subject: [PATCH 6/7] Remove escaped underscore - -No flavor of regular expression needs to escape underscores. 
---- - shared/fixes/bash/network_ipv6_disable_rpc.sh | 2 +- - .../rule_network_ipv6_disable_rpc/rpc_disabled.pass.sh | 4 ++-- - 2 files changed, 3 insertions(+), 3 deletions(-) - -diff --git a/shared/fixes/bash/network_ipv6_disable_rpc.sh b/shared/fixes/bash/network_ipv6_disable_rpc.sh -index 5246e14109..decd74e0cc 100644 ---- a/shared/fixes/bash/network_ipv6_disable_rpc.sh -+++ b/shared/fixes/bash/network_ipv6_disable_rpc.sh -@@ -5,5 +5,5 @@ - - for rpc_entry in "tcp6" "udp6" - do -- sed -i "/^$rpc_entry[[:space:]]\+tpi\_.*inet6.*/d" /etc/netconfig -+ sed -i "/^$rpc_entry[[:space:]]\+tpi_.*inet6.*/d" /etc/netconfig - done -diff --git a/tests/data/group_system/group_network/group_network-ipv6/group_disabling_ipv6/rule_network_ipv6_disable_rpc/rpc_disabled.pass.sh b/tests/data/group_system/group_network/group_network-ipv6/group_disabling_ipv6/rule_network_ipv6_disable_rpc/rpc_disabled.pass.sh -index 0349191dfb..5ba5a77784 100644 ---- a/tests/data/group_system/group_network/group_network-ipv6/group_disabling_ipv6/rule_network_ipv6_disable_rpc/rpc_disabled.pass.sh -+++ b/tests/data/group_system/group_network/group_network-ipv6/group_disabling_ipv6/rule_network_ipv6_disable_rpc/rpc_disabled.pass.sh -@@ -3,5 +3,5 @@ - # profiles = xccdf_org.ssgproject.content_profile_ospp-rhel7, xccdf_org.ssgproject.content_profile_ospp-rhel7 - # remediation = bash - --sed -i "/^tcp6[[:space:]]\+tpi\_.*inet6.*/d" /etc/netconfig --sed -i "/^udp6[[:space:]]\+tpi\_.*inet6.*/d" /etc/netconfig -+sed -i "/^tcp6[[:space:]]\+tpi_.*inet6.*/d" /etc/netconfig -+sed -i "/^udp6[[:space:]]\+tpi_.*inet6.*/d" /etc/netconfig - -From 09eeaa1bff9c6203a5dbab18ccec89cc3458c22f Mon Sep 17 00:00:00 2001 -From: Watson Sato -Date: Tue, 20 Mar 2018 17:27:19 +0100 -Subject: [PATCH 7/7] Remove redundant profiles in tests for ipv6_disable_rpc - ---- - .../group_disabling_ipv6/rule_network_ipv6_disable_rpc/default.fail.sh | 2 +- - .../rule_network_ipv6_disable_rpc/rpc_disabled.pass.sh | 2 +- - 2 files changed, 2 
insertions(+), 2 deletions(-) - -diff --git a/tests/data/group_system/group_network/group_network-ipv6/group_disabling_ipv6/rule_network_ipv6_disable_rpc/default.fail.sh b/tests/data/group_system/group_network/group_network-ipv6/group_disabling_ipv6/rule_network_ipv6_disable_rpc/default.fail.sh -index ff0a92e368..f834e3f726 100644 ---- a/tests/data/group_system/group_network/group_network-ipv6/group_disabling_ipv6/rule_network_ipv6_disable_rpc/default.fail.sh -+++ b/tests/data/group_system/group_network/group_network-ipv6/group_disabling_ipv6/rule_network_ipv6_disable_rpc/default.fail.sh -@@ -1,6 +1,6 @@ - #!/bin/bash - # --# profiles = xccdf_org.ssgproject.content_profile_ospp-rhel7, xccdf_org.ssgproject.content_profile_ospp-rhel7 -+# profiles = xccdf_org.ssgproject.content_profile_ospp-rhel7 - # remediation = bash - - # default config has rpc enabled -diff --git a/tests/data/group_system/group_network/group_network-ipv6/group_disabling_ipv6/rule_network_ipv6_disable_rpc/rpc_disabled.pass.sh b/tests/data/group_system/group_network/group_network-ipv6/group_disabling_ipv6/rule_network_ipv6_disable_rpc/rpc_disabled.pass.sh -index 5ba5a77784..c4bdf0a7c6 100644 ---- a/tests/data/group_system/group_network/group_network-ipv6/group_disabling_ipv6/rule_network_ipv6_disable_rpc/rpc_disabled.pass.sh -+++ b/tests/data/group_system/group_network/group_network-ipv6/group_disabling_ipv6/rule_network_ipv6_disable_rpc/rpc_disabled.pass.sh -@@ -1,6 +1,6 @@ - #!/bin/bash - # --# profiles = xccdf_org.ssgproject.content_profile_ospp-rhel7, xccdf_org.ssgproject.content_profile_ospp-rhel7 -+# profiles = xccdf_org.ssgproject.content_profile_ospp-rhel7 - # remediation = bash - - sed -i "/^tcp6[[:space:]]\+tpi_.*inet6.*/d" /etc/netconfig -From 5f3ceba27b33c3f8c39ff15d894bb9c58fb1b9fa Mon Sep 17 00:00:00 2001 -From: Watson Sato -Date: Fri, 16 Mar 2018 17:38:07 +0100 -Subject: [PATCH] Change id of rule that checks for IPV6 disabled - -The Rule is not following expected pattern. 
The sysctl in question is -net.ipv6.conf.all.disable_ipv6, so exptected Rule id is -syctl_net_ipv6_conf_all_disable_ipv6. - -This is causing template generated remediation to not be picked up by -build system. - -The used pattern would be for sysctl with name kernel_ipv6_disabled, witch -doesn't exist. ---- - rhel7/profiles/C2S.xml | 2 +- - rhel7/profiles/ospp-rhel7.xml | 2 +- - rhel7/profiles/rht-ccp.xml | 2 +- - shared/xccdf/system/network/ipv6.xml | 6 +++--- - 4 files changed, 6 insertions(+), 6 deletions(-) - -diff --git a/rhel7/profiles/C2S.xml b/rhel7/profiles/C2S.xml -index f1798271f9..39dcf9b192 100644 ---- a/rhel7/profiles/C2S.xml -+++ b/rhel7/profiles/C2S.xml -@@ -341,7 +341,7 @@ baseline. - -+ - -- - -